Differences

This shows you the differences between two versions of the page.

inbox:toh:arcadyan:astoria:we420223-99 [2023/02/01 20:23] – Update flashing steps with snapshot download harm
inbox:toh:arcadyan:astoria:we420223-99 [2023/05/18 16:51] – [Flashing via the original web interface] Fix list harm
Line 23: Line 23:
  
 ===== Installation ===== ===== Installation =====
-Unfortunately, the official firmware's U-Boot is [[https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653/5?u=harm|password protected]]. Furthermore, the official firmware does not accept unsigned firmware versions through the web interface firmware upload. You might be able to [[https://7bits.nl/journal/posts/cve-2021-38703-kpn-experia-wifi-root-shell/|gain root]] on firmware 1.00.15 and flash from there. Unless another exploit is found, OpenWRT needs to be directly written to the flash chip. The upside of this is that you don't need to solder the serial port.+If you are running an old firmware version that is equipped with a firmware upload page, that is usable for upgrading to OpenWRTsee 'Flashing via the original web interface' below.
  
-==== Connecting the flash chip to a Raspberry Pi ====+Otherwise, we need to directly write to the flash chip since the official firmware's U-Boot is [[https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653/5?u=harm|password protected]]. The upside of this is that you don't need to solder the serial port. 
 + 
 +==== Flashing via the original web interface ==== 
 + 
 +The original firmware requires signed firmware. The code to do so is on GitHub: https://github.com/hberntsen/we420223-99-sign . You can download a signed OpenWRT initramfs image here: https://mega.nz/file/FjlgQKqD#23bEq46EiVqxMhGuwucYYpN4sbw2q1nLgmtimLORvFA . 
 + 
 +  - Flash the signed image via the web interface. OpenWRT should boot and start a DHCP server. 
 +  - Go to http://192.168.1.1/ and flash a new sysupgrade.bin file 
 +  - Profit! You might still want to unlock the U-Boot password for recovery in the future (see below) 
 +==== Writing directly to the flash chip ==== 
 +=== Connecting the flash chip to a Raspberry Pi ===
 A Raspberry Pi can be used to program the flash chip in-circuit (thanks FPSUsername for discovering). On the Raspberry Pi, install ''xxd libubootenv-tool mtd-utils'' using ''apt'' on Raspberry Pi OS. To access the flash chip we have a specially crafted overlay: https://gist.github.com/hberntsen/f37f5047a61c2cfeeaa1e3d0c2f7f033. Download this file and install it with ''sudo dtc -@ -I dts -O dtb -o /boot/overlays/we420223.dtbo  we420223-99_overlay.dts''. A Raspberry Pi can be used to program the flash chip in-circuit (thanks FPSUsername for discovering). On the Raspberry Pi, install ''xxd libubootenv-tool mtd-utils'' using ''apt'' on Raspberry Pi OS. To access the flash chip we have a specially crafted overlay: https://gist.github.com/hberntsen/f37f5047a61c2cfeeaa1e3d0c2f7f033. Download this file and install it with ''sudo dtc -@ -I dts -O dtb -o /boot/overlays/we420223.dtbo  we420223-99_overlay.dts''.
 Enable it in ''/boot/config.txt'' by adding a new line containing ''dtoverlay=we420223''. Enable it in ''/boot/config.txt'' by adding a new line containing ''dtoverlay=we420223''.
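
Review bot: the new "Flashing via the original web interface" section links a pre-built signed initramfs on mega.nz with no checksum or build provenance, so readers are asked to flash a binary they cannot check. Suggest publishing its SHA-256 next to the link, or describing how to produce the signed image from the linked we420223-99-sign repository. The new intro sentence also refers to "an old firmware version that is equipped with a firmware upload page" without naming any version, while the removed text named 1.00.15; stating which versions have the upload page would let readers pick the right route.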
Line 46: Line 56:
 After connecting the flash chip and rebooting, the ''/dev/mtd*'' devices should be available. Run ''sudo apt install xxd libubootenv-tool mtd-utils'' to install the required software for flashing. After connecting the flash chip and rebooting, the ''/dev/mtd*'' devices should be available. Run ''sudo apt install xxd libubootenv-tool mtd-utils'' to install the required software for flashing.
  
-==== Creating a backup ====+=== Creating a backup ===
 For recovery, creating a backup of the flash is recommended. Run ''sudo dd if=/dev/mtd0 of=backup.bin'' to create one. It can be restored with ''sudo flashcp backup.bin /dev/mtd0''. For recovery, creating a backup of the flash is recommended. Run ''sudo dd if=/dev/mtd0 of=backup.bin'' to create one. It can be restored with ''sudo flashcp backup.bin /dev/mtd0''.
  
-==== Unlocking U-Boot ====+=== Unlocking U-Boot ===
 The password of U-Boot can be removed, though this step is optional. It is particularly useful for recovering the device through the serial port (i.e. booting an OpenWrt initramfs). The following script will unlock U-Boot: The password of U-Boot can be removed, though this step is optional. It is particularly useful for recovering the device through the serial port (i.e. booting an OpenWrt initramfs). The following script will unlock U-Boot:
  
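
Review bot: the backup paragraph under "=== Creating a backup ===" gives "sudo dd if=/dev/mtd0 of=backup.bin" with no verification step, although the later restore with flashcp depends on that file being good. Suggest reading the chip a second time and comparing checksums of the two files before anything is written. With this heading now demoted under "Writing directly to the flash chip", the web-interface route has no backup step of its own; a pointer from that section would help.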
Line 70: Line 80:
 </code> </code>
  
-==== Flashing OpenWRT ====+=== Flashing OpenWRT ===
 First we make sure the u-boot bootpartition is set to 0: First we make sure the u-boot bootpartition is set to 0:
 <code> <code>
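
Review bot: style point on the heading "=== Flashing OpenWRT ===": the page mixes "OpenWRT" here with "OpenWrt" in the Unlocking U-Boot paragraph ("booting an OpenWrt initramfs"). Since this heading line is being edited anyway, suggest normalising to the project's spelling "OpenWrt" in the touched headings and the new web-interface section.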
Line 1516: Line 1526:
 ===== Tags ===== ===== Tags =====
 [[meta:tags|How to add tags]] [[meta:tags|How to add tags]]
-{{tag>EXAMPLETAG unsupported}} 
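
Review bot: the removed line "{{tag>EXAMPLETAG unsupported}}" at the end of the Tags section is dropped without a replacement, which leaves the section with only the "How to add tags" link. Suggest replacing the EXAMPLETAG placeholder with the device's real tags rather than deleting the line, so the page stays findable through the tag index.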
  • Last modified: 2024/03/20 17:28
  • by harm