Connor McMillan

connor@mcmillan.website – http://github.com/mibs510

OpenWRT for WL-WN575A3

The brother got one of these hoping to strengthen the wireless signal upstairs, but it couldn’t connect to the original AP downstairs due to a weak signal at all outlet locations. Since he has no use for it, I asked to use it for fun. I began by taking it apart and looking for any signs of easy UART access, but had no luck. Wavlink has no intention of making their devices secure: a telnet port was found open on port 23, and this is the same scenario for most of their other products. Some of Wavlink’s products are sold with heavily customized OpenWrt images already running; although this one isn’t, the intention is that it will.

The guts

The software

Interesting web interface pages

EEPROM DUMP

The kernel image type is uImage, since its first four bytes are “0x27 0x05 0x19 0x56”, the uImage magic number.
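An added example (not code from the original post): a parser for the legacy U-Boot uImage header whose magic bytes are quoted above. It verifies the header and data CRC32 fields, scans a flash dump for images, and maps each hit onto the MTD partitions listed in the dmesg output further down this page. The function names and the sample dump are constructed for illustration.

```python
import struct
import zlib

MAGIC = bytes([0x27, 0x05, 0x19, 0x56])       # first four bytes quoted above
HEADER = struct.Struct(">7I4B32s")            # 64-byte legacy uImage header, big-endian
OS = {5: "Linux"}
ARCH = {2: "ARM", 5: "MIPS"}
TYPE = {2: "kernel", 3: "ramdisk", 5: "firmware"}
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
# MTD layout from the dmesg on this page; the "Kernel" end is the truncated
# value (start 0x50000 + size 0x7b0000), not the 0x1000000 the table declares.
MTD = {"Bootloader": (0x0, 0x30000), "Config": (0x30000, 0x40000),
       "Factory": (0x40000, 0x50000), "Kernel": (0x50000, 0x800000)}

def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF

def parse_uimage(blob, offset=0):
    """Decode the header at `offset` and verify both of its CRC32 fields."""
    raw = blob[offset:offset + HEADER.size]
    if len(raw) < HEADER.size:
        raise ValueError("fewer than 64 bytes left for a header")
    (_magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, type_, comp, name) = HEADER.unpack(raw)
    if raw[:4] != MAGIC:
        raise ValueError("bad magic %s" % raw[:4].hex())
    end = offset + HEADER.size + size
    data = blob[offset + HEADER.size:end]
    return {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "os": OS.get(os_, os_), "arch": ARCH.get(arch, arch),
        "type": TYPE.get(type_, type_), "comp": COMP.get(comp, comp),
        # the header CRC is computed with the ih_hcrc field itself set to zero
        "header_crc_ok": crc32(raw[:4] + bytes(4) + raw[8:]) == hcrc,
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
        # partition that contains the whole image, or None if it spills over
        "partition": next((n for n, (lo, hi) in MTD.items()
                           if lo <= offset and end <= hi), None),
    }

def find_uimages(dump):
    """Offsets where the magic occurs AND the header CRC verifies."""
    hits, pos = [], dump.find(MAGIC)
    while pos != -1:
        try:
            if parse_uimage(dump, pos)["header_crc_ok"]:
                hits.append(pos)
        except ValueError:
            pass                               # magic too close to the end
        pos = dump.find(MAGIC, pos + 1)
    return hits

def make_sample_dump():
    """Constructed flash dump: a stray magic at 0x100, a valid image at 0x50000."""
    payload = b"constructed payload, not a real kernel" * 8
    hdr = HEADER.pack(0x27051956, 0, 0, len(payload), 0x80000000, 0x80000000,
                      crc32(payload), 5, 5, 2, 3, b"constructed sample")
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    dump = bytearray(b"\xff" * 0x50000) + hdr + payload + b"\xff" * 64
    dump[0x100:0x104] = MAGIC                  # magic bytes with no valid header
    return bytes(dump)

if __name__ == "__main__":
    dump = make_sample_dump()
    for off in find_uimages(dump):
        print(hex(off), parse_uimage(dump, off))
```

Matching the magic alone is not enough when carving a dump: the stray magic at 0x100 is rejected only because its header CRC does not verify.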

Github

My successful image can be found here.

rlt_wifi.ko module

I uploaded a copy here. The kernel version to which it originally belonged was:

Linux version 2.6.36 (root@ubuntusvr1) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #899 Mon Nov 7 17:37:34 CST 2016

# dmesg

major 254)
io scheduler noop registered (default)
gpiomode one 0000 = 0x55144410 
gpiomode 11111 = 0x0 
gpiomode 22222 = 0x55 
Ralink gpio driver initialized = 73
Ralink gpio driver initialized
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A
serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A
brd: module loaded
flash manufacture id: c8, device id 40 17
Wavlink Encryption System...
Wavlink Encryption System is installing
GD25Q64B(c8 40170000) (8192 Kbytes)
mtd .name = raspi, .size = 0x00800000 (8M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 5 MTD partitions on "raspi":
0x000000000000-0x000000800000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
mtd: partition "Kernel" extends beyond the end of device "raspi" -- size truncated to 0x7b0000
rdm_major = 253
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5dab46c5
Ralink APSoC Ethernet Driver Initilization. v3.1 512 rx/tx descriptors allocated, mtu = 1500!
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5dab46c5
PROC INIT OK!
my_net_link_3: create netlink socket ok.
PPP generic driver version 2.4.2
PPP MPPE Compression module registered
NET: Registered protocol family 24
PPTP driver version 0.8.5


=== pAd = c0147000, size = 1352880 ===

 RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x
 RTMPAllocAdapterBlock, Status=0
RtmpChipOpsHook(492): Not support for HIF_MT yet!
mt7628_init()-->
mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))
e2.bin mt7628_init(1133)::(2), pChipCap->fw_len(63888)
mt_bcn_buf_init(218): Not support for HIF_MT yet!
mt7628_init()
GACT probability on
Mirror/redirect action on
Simple TC action Loaded
netem: version 1.2
u32 classifier
 Performance counters on
 input device check on
 Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (887 buckets, 3548 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
matchsize=264
xt_time: kernel timezone is -0000
IPVS: Registered protocols ()
IPVS: Connection hash table configured (size=4096, memory=32Kbytes)
IPVS: ipvs loaded.
GRE over IPv4 demultiplexor driver
gre: can't add protocol
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team, Type=Restricted Cone
ipt_CLUSTERIP: ClusterIP Version 0.8 loaded successfully
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
L2TP core driver, V2.0
PPPoL2TP kernel driver, V2.0
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Warning: unable to open an initial console.
Freeing unused kernel memory: 3140k freed
Algorithmics/MIPS FPU Emulator v1.5
The timer is still in use...
Wavlink Encryption System is unlocked.
register rt2860
PCI: Setting latency timer of device 0000:01:00.0 to 64


=== pAd = c0782000, size = 2190712 ===

 RTMPAllocTxRxRingMemory, Status=0
 RTMPAllocAdapterBlock, Status=0
pAd->CSRBaseAddress =0xc0680000, csr_addr=0xc0680000!
device_id =0x7662
==>rlt_wlan_chip_onoff(): OnOff:1, Reset= 1, pAd->WlanFunCtrl:0x0, Reg-WlanFunCtrl=0x20a
E2pAccessMode=0
cfg_mode=14
cfg_mode=14
wmode_band_equal(): Band Not Equal!
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
IF(ra0) The length of WAPI PSKPassPhrase is invalid(len=0). 
83:15:8a:03:a8:eb:1c:24:35:b8:09:55:16:ce:ff:74:
ed:64:14:28:cf:4a:9c:9e:89:05:b2:5a:a5:73:5b:09:

RtmpChipOpsEepromHook::e2p_type=0, inf_Type=5
RtmpEepromGetDefault::e2p_dafault=2
NVM is efuse and the information is too less to bring up the interface
Force to use Flash mode
NVM is FLASH mode (pAd->flash_offset = 0x48000)
get_dev_name_prefix(): dev_idx = 1, dev_name_prefix=rai
TX_BCN DESC a2992000 size = 320
RX[0] DESC a2994000 size = 2048
RX[1] DESC a2995000 size = 1024
E2pAccessMode=0
cfg_mode=9
cfg_mode=9
wmode_band_equal(): Band Equal!
AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
load fw image from fw_header_image
AndesMTLoadFwMethod1(2174)::pChipCap->fw_len(63888)
FW Version:20151201
FW Build Date:20151201183641
CmdAddressLenReq:(ret = 0)
CmdFwStartReq: override = 1, address = 1048576
CmdStartDLRsp: WiFI FW Download Success
MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)
efuse_probe: efuse = 10000002
RtmpChipOpsEepromHook::e2p_type=2, inf_Type=4
RtmpEepromGetDefault::e2p_dafault=2
RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2
NVM is FLASH mode
1. Phy Mode = 14
Country Region from e2p = ffff
tssi_1_target_pwr_g_band = 36
2. Phy Mode = 14
3. Phy Mode = 14
NICInitPwrPinCfg(11): Not support for HIF_MT yet!
NICInitializeAsic(651): Not support rtmp_mac_sys_reset () for HIF_MT yet!
mt_mac_init()-->
MtAsicInitMac()-->
mt7628_init_mac_cr()-->
MtAsicSetMacMaxLen(1241): Set the Max RxPktLen=1024!
mt_mac_init()
 WTBL Segment 1 info:
 MemBaseAddr/FID:0x28000/0
 EntrySize/Cnt:32/128
 WTBL Segment 2 info:
 MemBaseAddr/FID:0x40000/0
 EntrySize/Cnt:64/128
 WTBL Segment 3 info:
 MemBaseAddr/FID:0x42000/64
 EntrySize/Cnt:64/128
 WTBL Segment 4 info:
 MemBaseAddr/FID:0x44000/128
 EntrySize/Cnt:32/128
AntCfgInit(2892): Not support for HIF_MT yet!
MCS Set = ff ff 00 00 01
MtAsicSetChBusyStat(826): Not support for HIF_MT yet!
[PMF]ap_pmf_init:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
MtAsicSetRalinkBurstMode(2919): Not support for HIF_MT yet!
MtAsicSetPiggyBack(763): Not support for HIF_MT yet!
reload DPD from flash , 0x9F = [c600] doReload bit7[0]
CmdLoadDPDDataFromFlash: Channel = 11, DoReload = 0
MtAsicSetTxPreamble(2898): Not support for HIF_MT yet!
CmdSlotTimeSet:(ret = 0)
MtAsicAddSharedKeyEntry(1308): Not support for HIF_MT yet!
The 2-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 2
MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0xf0
Main bssid = 80:3f:5d:ab:46:c7
== rt28xx_init, Status=0
The 7628 UUID MacAddress = 80:3f:5d:ab:46:c7

The 7628 UUID MacAddress = 80:3f:5d:ab:46:c7

mt7628_set_ed_cca: TURN OFF EDCCA mac 0x10618 = 0xd7083f0f, EDCCA_Status=0
WiFi Startup Cost (ra0): 0.920s
build time = 
20141115060606a
rom patch for E3 IC

platform = 
ALPS
hw/sw version = 
ŠŠ
patch version = 

FW Version:0.0.00 Build:1
Build Time:201511101431____
fw for E3 IC
RX[0] DESC a2b4b000 size = 4096
RX[1] DESC a2b4c000 size = 4096
E2pAccessMode=0
cfg_mode=14
cfg_mode=14
wmode_band_equal(): Band Not Equal!
APSDCapable[0]=0
APSDCapable[1]=0
APSDCapable[2]=0
APSDCapable[3]=0
APSDCapable[4]=0
APSDCapable[5]=0
APSDCapable[6]=0
APSDCapable[7]=0
APSDCapable[8]=0
APSDCapable[9]=0
APSDCapable[10]=0
APSDCapable[11]=0
APSDCapable[12]=0
APSDCapable[13]=0
APSDCapable[14]=0
APSDCapable[15]=0
default ApCliAPSDCapable[0]=0
Key1Str is Invalid key length(0) or Type(0)
Key2Str is Invalid key length(0) or Type(0)
Key3Str is Invalid key length(0) or Type(0)
Key4Str is Invalid key length(0) or Type(0)
IF(ra0) The length of WAPI PSKPassPhrase is invalid(len=0). 
83:15:8a:03:a8:eb:1c:24:35:b8:09:55:16:ce:ff:74:
ed:64:14:28:cf:4a:9c:9e:89:05:b2:5a:a5:73:5b:09:

1. Phy Mode = 49
get_chl_grp:illegal channel (167)
get_chl_grp:illegal channel (167)
get_chl_grp:illegal channel (169)
get_chl_grp:illegal channel (169)
get_chl_grp:illegal channel (171)
get_chl_grp:illegal channel (171)
drivers/net/wireless/rlt_wifi_ap/../rlt_wifi/chips/mt76x2.c:2890 assert (ad->TxPower[choffset].Channel == 42)failed
Country Region from e2p = ffff
mt76x2_read_temp_info_from_eeprom:: is_temp_tx_alc=0, temp_tx_alc_enable=0
mt76x2_read_tx_alc_info_from_eeprom:: is_ePA_mode=1, ePA_type=0
mt76x2_read_tx_alc_info_from_eeprom:: [5G band] high_temp_slope=15, low_temp_slope=9
mt76x2_read_tx_alc_info_from_eeprom:: [2G band] high_temp_slope=13, low_temp_slope=16
mt76x2_read_tx_alc_info_from_eeprom:: [5G band] tc_lower_bound=-7, tc_upper_bound=4
mt76x2_read_tx_alc_info_from_eeprom:: [2G band] tc_lower_bound=-7, tc_upper_bound=5
mt76x2_get_external_lna_gain::LNA type=0x0, BLNAGain=0xffffff8c, ALNAGain0=0xffffff8c, ALNAGain1=0xffffff8c, ALNAGain2=0xffffff8c
2. Phy Mode = 49
3. Phy Mode = 49
andes_pci_fw_init
0x1300 = 00073200
AntCfgInit: primary/secondary ant 0/1
andes_load_cr:cr_type(2)
ChipStructAssign(): MT76x2 hook !
MCS Set = ff ff 00 00 01
mt76x2_bbp_adjust():rf_bw=2, ext_ch=3, PrimCh=40, HT-CentCh=38, VHT-CentCh=42
APStartUp(): AP Set CentralFreq at 42(Prim=40, HT-CentCh=38, VHT-CentCh=42, BBP_BW=2)
mt76x2_calibration(channel = 42)
@@@ ed_monitor_exit : ===>
@@@ ed_monitor_exit : <===
Main bssid = 80:3f:5d:ab:46:c8
mt76x2_reinit_agc_gain:original agc_vga0 = 0x48, agc_vga1 = 0x48
mt76x2_reinit_agc_gain:updated agc_vga0 = 0x48, agc_vga1 = 0x48
mt76x2_reinit_hi_lna_gain:original hi_lna0 = 0x33, hi_lna1 = 0x33
mt76x2_reinit_hi_lna_gain:updated hi_lna0 = 0x33, hi_lna1 = 0x33
original vga value(chain0) = 48
original vga value(chain1) = 48
== rt28xx_init, Status=0
get_dev_name_prefix(): dev_idx = 1, dev_name_prefix=apclii
RTMPDrvOpen(1):Check if PDMA is idle!
RTMPDrvOpen(2):Check if PDMA is idle!
Raeth v3.1 (Tasklet)

phy_tx_ring = 0x01d62000, tx_ring = 0xa1d62000

phy_rx_ring0 = 0x01d64000, rx_ring0 = 0xa1d64000
GMAC1_MAC_ADRH -- : 0x0000803f
GMAC1_MAC_ADRL -- : 0x5dab46c5
RT305x_ESW: Link Status Changed ======>>>>>
RT305x_ESW: Link Status Changed ======>>>>>
p0 = 0 
p1 = 0 
p2 = 0 
p3 = 0 
p4 = 0 
hotplug 0


device eth2 entered promiscuous mode
device ra0 entered promiscuous mode
device eth2.1 entered promiscuous mode
device rai0 entered promiscuous mode
br0: port 3(rai0) entering learning state
br0: port 3(rai0) entering learning state
br0: port 2(eth2.1) entering learning state
br0: port 2(eth2.1) entering learning state
br0: port 1(ra0) entering learning state
br0: port 1(ra0) entering learning state
br0: port 3(rai0) entering forwarding state
br0: port 2(eth2.1) entering forwarding state
br0: port 1(ra0) entering forwarding state
The 2-BSSID mode is enabled, the BSSID byte5 MUST be the multiple of 2
MtAsicSetPreTbtt(): bss_idx=0, PreTBTT timeout = 0x0
MtAsicSetPiggyBack(763): Not support for HIF_MT yet!
tx_kickout_fail_count = 0
tx_timeout_fail_count = 0
rx_receive_fail_count = 0
alloc_cmd_msg = 39
free_cmd_msg = 39
br0: port 1(ra0) entering forwarding state
switch register base addr to 0xb0180000
write offset 0x400, value 0x1080
write offset 0x1204, value 0x8
write offset 0x1004, value 0x3
andes_pci_erasefw
==>rlt_wlan_chip_onoff(): OnOff:0, Reset= 0, pAd->WlanFunCtrl:0x20b, Reg-WlanFunCtrl=0x20b
RTMP_TimerListRelease: release timer obj c0899cdc!
RTMP_TimerListRelease: release timer obj c081cb78!
RTMP_TimerListRelease: release timer obj c081f4a0!
RTMP_TimerListRelease: release timer obj c081f534!
RTMP_TimerListRelease: release timer obj c081f5c8!
RTMP_TimerListRelease: release timer obj c081f65c!
RTMP_TimerListRelease: release timer obj c081f6f0!
RTMP_TimerListRelease: release timer obj c081f784!
RTMP_TimerListRelease: release timer obj c081f818!
RTMP_TimerListRelease: release timer obj c081f8ac!
RTMP_TimerListRelease: release timer obj c081f940!
RTMP_TimerListRelease: release timer obj c081f9d4!
RTMP_TimerListRelease: release timer obj c081fa68!
RTMP_TimerListRelease: release timer obj c081fafc!
RTMP_TimerListRelease: release timer obj c081fb90!
RTMP_TimerListRelease: release timer obj c081fc24!
RTMP_TimerListRelease: release timer obj c081fcb8!
RTMP_TimerListRelease: release timer obj c081fd4c!
RTMP_TimerListRelease: release timer obj c081cb4c!
RTMP_TimerListRelease: release timer obj c081cba4!
RTMP_TimerListRelease: release timer obj c081f474!
RTMP_TimerListRelease: release timer obj c081f508!
RTMP_TimerListRelease: release timer obj c081f59c!
RTMP_TimerListRelease: release timer obj c081f630!
RTMP_TimerListRelease: release timer obj c081f6c4!
RTMP_TimerListRelease: release timer obj c081f758!
RTMP_TimerListRelease: release timer obj c081f7ec!
RTMP_TimerListRelease: release timer obj c081f880!
RT305x_ESW: Link Status Changed ======>>>>>
RT305x_ESW: Link Status Changed ======>>>>>
p0 = 0 
p1 = 0 
p2 = 0 
p3 = 268435456 
p4 = 0 
hotplug 8


RTMP_TimerListRelease: release timer obj c081f914!
RTMP_TimerListRelease: release timer obj c081f9a8!
RTMP_TimerListRelease: release timer obj c081fa3c!
RTMP_TimerListRelease: release timer obj c081fad0!
RTMP_TimerListRelease: release timer obj c081fb64!
RTMP_TimerListRelease: release timer obj c081fbf8!
RTMP_TimerListRelease: release timer obj c081fc8c!
RTMP_TimerListRelease: release timer obj c081fd20!
RTMP_TimerListRelease: release timer obj c081cb20!
RTMP_TimerListRelease: release timer obj c07963bc!
RTMP_TimerListRelease: release timer obj c0795fa0!
RTMP_TimerListRelease: release timer obj c079638c!
RTMP_TimerListRelease: release timer obj c0796734!
RTMP_TimerListRelease: release timer obj c0796484!
RTMP_TimerListRelease: release timer obj c07964b4!
RTMP_TimerListRelease: release timer obj c0796674!
RTMP_TimerListRelease: release timer obj c07966a4!
RTMP_TimerListRelease: release timer obj c081effc!
RTMP_TimerListRelease: release timer obj c081ebe0!
RTMP_TimerListRelease: release timer obj c081efcc!
RTMP_TimerListRelease: release timer obj c081f374!
RTMP_TimerListRelease: release timer obj c081f0c4!
RTMP_TimerListRelease: release timer obj c081f0f4!
RTMP_TimerListRelease: release timer obj c081f02c!
RTMP_TimerListRelease: release timer obj c081f05c!
RTMP_TimerListRelease: release timer obj c081f08c!
RTMP_TimerListRelease: release timer obj c0844a2c!
RTMP_TimerListRelease: release timer obj c0844b48!
RTMP_TimerListRelease: release timer obj c0844a58!
RTMP_TimerListRelease: release timer obj c0820e9c!
RTMP_TimerListRelease: release timer obj c0844adc!
RTMP_TimerListRelease: release timer obj c0793790!
RTMP_TimerListRelease: release timer obj c0820bb0!
RTMP_TimerListRelease: release timer obj c082ab98!
RTMP_TimerListRelease: release timer obj c082a240!
br0: port 3(rai0) entering forwarding state
switch register base addr to system register 0xb0000000
write offset 0x64, value 0x1

Thanks to whoever posted on OpenWrt’s wiki page. It would have been nice to have a source for the mentioned “generic MT7628 Evaluation Board image” to work with. We also know that there is a five-second boot delay at startup while it waits for a TFTP server response from the server’s IP address of 192.168.10.100, as shown below.

My attempt at this point will be to write the file “openwrt-15.05.1-ramips-mt7628-mt7628-squashfs-sysupgrade.bin”, which has both the kernel and squashfs, into the “Kernel” mtd partition via the uBoot firmware upgrade procedure. I used a virtual machine with Windows XP bridged to my physical Ethernet port, with nothing assigned on it on my host OS (Ubuntu), and the IP given inside Windows XP was of course 192.168.10.100. I used /etc_ro/lighttpd/www/{tftpd32.exe,Tftpd32.ini} for my tftpd server. I set the directory to C:\tftpd drive in Windows XP with nothing else inside the folder besides firmware.bin, renamed from “openwrt-15.05.1-ramips-mt7628-mt7628-squashfs-sysupgrade.bin”.

And voilà!

OpenWRT on WAVLINK WL-WN575A3 AC 1200 WiFi AP/ROUTER

OpenWRT running on a WAVLINK WL-WN575A3 AC 1200 WiFi AP/ROUTER!

What’s next?

  • Get luci installed
  • Get 5 GHz working if possible (rlt_wifi.ko?)
  • Provide a ready-to-use binary file publicly

2.4 – 5 GHz Radios

This may be the limiting factor of having a usable image. I was really hoping to get it working by adding the missing function calls, and modifying the existing structures like here. I will also try to use the kernel and the driver but replace the file-system with OpenWrt’s rootfs. Further investigation has led me to conclude that using a hybrid OpenWrt root filesystem will not be possible with the original kernel and wifi kernel module (rlt_wifi.ko) since both firmwares have different approaches on how system management is implemented. OpenWrt uses *.conf text files for configuration, hostapd, and then the kernel module to interface with the radios. The original firmware doesn’t and instead uses a custom kernel driver (rlt_wifi.ko) which accesses the mtd (nvram) directly to obtain configuration parameters and is believed to have something similar to hostapd all inside the kernel module (rlt_wifi.ko) itself, so no hostapd daemon runs on the user level as shown in the output of ps below.

No hostapd? Kernel module manages everything?

 DEAD END*

At this point there is no luck in getting at least the 2.4GHz radios working. I’ve tried compiling the drivers in mtk-wifi-gpl and had no luck; mt76.ko and mt76x2e.ko from the openwrt branch also failed to recognize any radio. I sincerely wish I had much more in-depth knowledge regarding kernel driver development and the 802.11 stack in general.

*Possibly since the WS-WN529B3A is running OpenWrt from factory. More can be found here.

Continuing – OpenWrt 14.07 w/working 2.4 & 5.0 GHz!

As you may read on my other post, this device shares the same hardware and is at the moment running OpenWrt with a few exceptions.

Download the OpenWrt testing image here. Download the file openwrt-14.07-ramips-wn575a3-wn529b3-squashfs-sysupgrade.bin and upload it via TFTP as instructed here.

19 Comments

    1. Osmar Gonzalez

      If it’s blocked no we will need to figure out the “magic number” or the specific vendor signing method. However on this router you can install any kernel whether it’s OpenWrt or custom.

      Reply
      1. Eric

        Can you please give a test because I just ordered wn575a3 and then install LEDE 17.01.4. But after I read your test above I am afraid to do so…

        Reply
        1. Sam

          I upgraded from the FW pointed at on this page to LEDE 17.01.4 without any trouble although I do get occasional crashes at high load. The bug has been closed so I’m waiting for the next release.

          Reply
  1. SciLor

    Hi Osmar,

    thank you for your research. I am on an AUKEY WF-R8 AC1200 with RPTA3-75W.M4300.01.GD.2017Jun7 firmware.

    telnet is closed, but using webcmd.shtml and starting the telnetd service will open the port 2323 with telnet :).

    BUT the upload_bootloader.cgi is missing, so I am unable to upload the new bootloader.
    Could you extract it and provide it here? Or do you have a different idea?

    Reply
    1. SciLor

      I have extracted the upload_bootloader.cgi from my R7. The uboot was the same (except the timestamp). But it seems that I am unable to flash the uboot with it.
      Maybe you have got an older firmware for me?

      Reply
      1. Osmar Gonzalez

        I extracted the upload_bootloader.cgi here. Make sure that it’s inside the cgi-bin folder and that you’ve chmoded it to be executable. So `chmod u+x upload_bootloader.cgi`. upload_bootloader.cgi doesn’t really need anything special, it only requires that /bin/mtd_write exists and that your current kernel is allowing mtd write to the Bootloader partition. Also I don’t know if you know but upload_bootloader.cgi is written as an action to an http POST, meaning if you access upload_bootloader.cgi from http://router/cgi-bin/upload_bootloader.cgi it won’t work and it’ll give you a blank page as there was no data inputted into it. It works to take in data as “form-data” like shown in this tutorial. Hope this helps.

        Reply
        1. R.A

          Hi.

          Trying to download the upload_bootloader.cgi from the link you provided yields a 500 error 🙁

          Can you zip the file and provide a link?

          Thanks.

          Reply
  2. Saiful Alam

    Hi,
    Is there a tutorial for going back to original firmware? I am looking for the original stock firmware but could not find it anywhere. Do u happen to have it by any chance?

    Reply
  3. chris

    Great work!
    Do you know if the Wifi interfaces can be configured to run in STA instead of AP mode? By now, I can only select “Access Point” (for both interfaces).
    Would be great for creating repeaters / mesh nodes running OpenWRT…

    Reply
  4. stimmenhotel

    Well I have one of these units at home right now … Don’t know anything about this kind of “hacking”.

    One thing I know … The original firmware sucks!
    Every few minutes no more internet connection.

    So openwrt is working great on this device?
    I still can send it back to the big A, so I should be sure what I do.
    Or is it possible to reflash the original firmware?

    Reply
