Support for Technicolor TG799vac Xtream (VANT-W) from Etisalat in UAE #79
Comments
Has your device ever received an automatic firmware update? If yes, we have some known viable options for getting root on this. From your screenshot I see that the firmware is handling an MGMT network; this means we do not have enough info at this stage to determine whether it could work (with a proper VLAN setup) or not. We need to sort this out separately from the goal, then we can go back to discussing how to get tch-exploit working, whenever possible.
Ok, did you try both the Ping and DDNS forms?
It doesn't allow you in the Ping form; it says the hostname is invalid. In DDNS, the domain field gives the same error; the username and password fields give no errors but have no effect (the command doesn't get executed).
I don't know, I wasn't aware of that. What can I send you so you can work out what to do?
The only way to understand which of the two banks is being booted, without attempting a blind firmware flash, is to look at the serial console bootlog. If you go with the Type 3 instructions you will actually get Telia firmware on your Etisalat device. However, in the unlucky case that your device has never been updated, the Telia firmware will overwrite the only copy of the Etisalat firmware you have in bank_1, as bank_2 is empty when no firmware update has occurred. So you really need to check the actual active bank before using the TFTP flash. Did you try that already?
Cool, that means we still have a chance of getting a copy of the Etisalat fw. It is a good thing, because from the dump we will be able to understand if and how to root it too.
I'm trying the Bootfail Procedure but no luck. Can you please advise me? Which method is the best?
Any tutorial on how to monitor the serial? I have a serial-to-USB board.
This one https://hack-technicolor.readthedocs.io/en/latest/Recovery/#crazy-power-switching Serial is really helpful; here is a good hint on how to get serial configured: https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/#mozTocId446885
Be aware: there is a small chance that after a successful failboot you may encounter issues with the Telia webui, as it will run on top of the old Etisalat bank_1 configs. In that case, you need a factory reset and failboot again to get a clean Telia firmware running in bank_1.
https://whirlpool.net.au/wiki/hack_technicolor_advanced The serial console at J5 on the board needs a connection soldered and the pads at R327 and R328 bridged with solder to pass the serial signals to the adaptor. See picture (shown zoomed; note strain relief tape): Black = Ground, Yellow = RX, and Green = TX. The soldering requires a fine tip, steady hands and 20/20 vision. A few tips for impossible soldering start here: get a mate, very fine wire over the tip, or Blue Tack. Try the Blue Tack, a magnifying glass and a $10 soldering iron. Don't forget that with a serial connection RX goes to TX and TX goes to RX.
Look at JPA1 right in the middle of the second photo. Note the notch. |
Note the notch - #79 (comment) |
But which ones should I bridge together?
Who knows? Try RA11 and RA17, which go to RX and TX respectively.
@fa1rid you need an oscilloscope, multimeter or logic analyzer to find the pinout. It's quite easy if you have any of them. GND is a steady 0V, TX will be transmitting and should be somewhere around 3V, RX will be floating so it will be a little bit above zero. You have a 4th pin; it is possibly VCC, which is not needed for your purpose, but to make sure you don't make a mistake finding TX you can check it: it should have a steady 3.3V. On an oscilloscope it is much easier to see. I also have this modem from Etisalat; I was just doing some quick research 'to take care' of it when I'm back in Dubai on Thursday. So if you don't find anything, most likely I will have some results on Friday. I have all the tools needed for this task :)
@fa1rid it possibly has something to do with RA11, RA17 and RA50. I'm currently in Europe so it is hard to guess. I'll check exactly when I'm back in DXB. A simple continuity test should answer this.
The pinout is almost always the same on TCH devices, so it is almost 100% sure that the correct pinout and required bridges are these: No need for a multimeter; you can also avoid soldering if your goal is simply to read some logs: just stick the GND wire to the metal shield of a USB port with tape, take another single wire connected to the RX pin of your serial adapter and firmly touch the TX pin on the board with the other end of that wire. It will be more than enough if you are not planning to do failboot on a daily basis.
Hi guys, I was able to get the log from the serial. I couldn't find where the bank thingy is. @LuKePicci
I had to guess which naming convention the original picture taker was using. He only said the yellow cable was RX, but he didn't say on which side of the link. I assumed he was indicating where to connect the TX and RX terminals of the serial adapter rather than which function the pin implements on the board side. BTW, to avoid ambiguity: adapter TX <--> board RX : yellow [not required for read-only operations]. The log you captured is from the Quantenna wireless SoC; you need to capture the output from the main OS SoC.
Oh, I didn't notice that, you are right.
Awesome! Now, you should follow me carefully. As you may know, we found that the Telia and Telenor VANT-W boards had different OSKeys, which means they didn't accept the firmware of the other. The Telenor one is a VANT-W Rev 1 board, the Telia one is a VANT-W Rev 2. I see yours is a Rev 3. I don't know if the Telenor and Telia firmwares would work on your Rev 3, but we can redo what we did for Telenor and with luck get into Etisalat as well. Trying to flash the Telia and Telenor firmwares is a no go. Assuming they would work (I doubt it), if you overwrite the old Etisalat firmware in Bank 1 you will lose the chance of grabbing a firmware image. Keep trying the failboot approach. It is not easy but it WILL work for sure. Let me know when you manage to boot from bank_1, keep it powered on and keep it connected to the serial console. Be ready to save all you get from the serial log.
Actually I tried the method in this video now and it worked: https://www.youtube.com/watch?v=BMT8AhA4qns
21:17:38.720 -> Entering BOOT-P mode (reason: NO_SW )
Why does bank_1 fail to boot? What does it say?
It's currently active on Bank 2 and it boots fine to the original Etisalat software. Now, the method to switch the bank works, but it fails to boot from Bank 1. Please see the attached log.
If you remember, before that I flashed the software listed in the Wiki, Telia or Telenor, I don't remember which. Seems like it's not compatible. What do you think?
When you send an incompatible firmware via TFTP it doesn't let you flash it. You see TFTP sending the firmware, then the router checks firmware compatibility and refuses to flash an invalid one. From the log, it appears that your bank_1 is either empty or contains a corrupted firmware. A half-successful flash via TFTP could be the cause. In that case, it means the firmware you were flashing (Telia, I think) was indeed compatible. Redo the TFTP flashing of the Telia firmware, this time watching the serial log in the meantime. PS: It's safe to use TFTP because you have a copy of the Etisalat firmware on bank_2.
I have USB WiFi adapters (TL-WN823N V2) and (TL-WN822N V2). How do I know which WiFi chip is inside them?
For ARM Linux 4.1 firmwares, look here: https://github.com/Ansuel/GUI_ipk
Not all the packages are there.
Those are the tested ones; you can try compiling the others.
I'm trying to bridge WiFi to WAN and only 2G has worked so far; the 5G WiFi signal disappeared and is not visible in the UI either. Here's my /etc/config/wireless
My Network file:
Note: Bridging Ethernet to WAN works fine.
I'm reading this: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration. I'm confused because they say:
Does this apply to relayd? And does this happen in "Layer 3" or "Layer 2"? |
Broadcom drivers can do wireless bridging at L2; other drivers cannot, so the only alternative to L3 routing is relayd, which is an application that forwards L2 to L2 as if it were a bridge.
Wireless repeaters are a different story; usually they only have a single WiFi interface, with a special driver capable of working as client and AP concurrently without any bridging required at OS level. Otherwise, creating two interfaces (a client and an AP) on the same radio would also allow you to join them together (bridged, relayd'd or routed) and achieve a similar result. In general it's way better to use different radios for the upstream and downstream links, so the cheap repeaters you mentioned, having only a single interface in repeater mode, are quite poor in performance.
WDS and mesh are two other special driver modes, similar to wireless repeater.
Quoted from Farid's message of April 20, 2020, which the reply above answers:

> I'm reading this: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration.
> and this https://openwrt.org/docs/guide-user/network/wifi/atheroswds
> As I understood, there are multiple methods to do a WiFi-to-WiFi bridge: "WDS" or "mesh networking" if the drivers support it, or instead "relayd" to do it using routing. Is that correct?
> I'm confused because they say:
> In some cases, the wireless drivers used in OpenWrt do not support "Layer 2" bridging in client mode with a specific "upstream" wireless system.
> Does this apply to relayd? And does this happen in "Layer 3" or "Layer 2"?
> Also I'm wondering what methods Range Extenders like the "TP-link RE305" usually use for this?
Any help please regarding my WiFi bridging problem?
I think the Quantenna 5GHz wireless interface is on eth5, so that's the interface name you need to include in the bridge. I'm not sure about this as I have no Quantenna-equipped devices here to test.
Please check; you can ssh directly to the router through:
Try now. Please note vlan_eth5 now has vid 2 for eth5 (switch port 5) and is no longer part of vlan 'lansw' (vid 1), but has moved to a new vlan 'wansw' (vid 2).
Yes, it worked. Thanks a lot. Yes, I see that. I don't understand what eth5 is; can you please explain why it's not wl0 or wla1? Why are there so many devices and interfaces? Like, why is there vlan_ethX and also ethX_databr at the same time? Are these settings specific to Broadcom devices? And moreover, why is "eth1_databr" not on vid 2?
The Quantenna wireless chip is connected to an internal switch port, so you have switch ports 0, 1, 2, 3 and 5; ports 0 to 3 are the LAN RJ45 sockets. As in every switch, everything is bridged unless you divide ports 0 1 2 3 into a separate VLAN from port 5. Then, once the LAN ports and eth5 are in different VLANs, you can bridge it like you did with wl0. It would have appeared as wl1 if it were a Broadcom interface like the 2.4 GHz one. Still, it is called wl1 in /etc/config/wireless despite its real ifname being eth5; that's why it won't bridge it like it did with wl0 when you set network 'wan' in /etc/config/wireless, so I did it manually by adding eth5 to interface wan in /etc/config/network (where you don't see wl0, because it manages to bridge it automatically because of network 'wan' in /etc/config/wireless). eth0 to eth3 are the LAN sockets, eth4 is the WAN Ethernet socket, eth5 is the Quantenna 5GHz chip. You also have some wl0_x and wl1_x; they are wireless guest interfaces. Then there are a lot of interfaces like "databr"; that is Telenor stuff, they use all these interfaces to allow people to use their routers in some kind of bridged mode. You can also remove them all.
After I rebooted the router, the 5G WiFi disappeared. What happened?
Yes, I used nano to edit the config. Can't say why it disappeared. Probably a bit more work is needed to let it stick in the wan bridge.
How do I know which Linux kernel version this archive is for: https://archive.openwrt.org/snapshots/trunk/brcm63xx/generic/packages/base/ ?
I think it has to do with the (option ports) in the (config switch_vlan 'lansw') and (config switch_vlan 'wansw') settings that you changed, because I wasn't able to recover it until I brought these settings back. Also I noticed this
I assume these refer to ethX, knowing that I bridged eth1 to wan but you added it there and maybe didn't notice.
They are for MIPS; you need ARM packages.
Those numbers are internal switch port numbers. 0 to 3 are the LAN RJ45 ports matching the eth0 to eth3 interfaces; 5 is the 5G WiFi matching the eth5 interface; 8 is the CPU. 8t means packets get tagged towards the CPU. There was something wrong in the bridging, so I reverted most of it to defaults before moving 5 from vlan 1 to vlan 2.
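As an added example (not the thread's or the hack-technicolor project's own configuration), here is a POSIX sh script that emits the two switch_vlan stanzas the two comments above describe (LAN sockets on vid 1, the Quantenna port on vid 2, the CPU port tagged in both) and checks them first: a port listed untagged in both VLANs is one way such a config breaks, so the script refuses to emit it. The port numbers 0-3, 5 and 8t and the stanza names 'lansw'/'wansw' come from the thread; the switch name 'switch0', the other option values and the script name are assumptions and must be checked against the device's own /etc/config/network.

```shell
#!/bin/sh
# Added example, not the project's own code. Emits the two switch_vlan stanzas
# described in the thread (LAN sockets on vid 1, the Quantenna port on vid 2,
# the CPU port tagged in both) and refuses to emit a config where an untagged
# port appears in more than one VLAN.
# Assumptions: port numbers 0-3, 5 and 8t and the names 'lansw'/'wansw' are
# from the thread; the switch name 'switch0' and the remaining options are
# hypothetical and must be checked against the device's own /etc/config/network.

# untagged_ports "0 1 2 3 8t" -> "0 1 2 3" (entries ending in t are tagged)
untagged_ports() {
    out=""
    for p in $1; do
        case "$p" in
            *t) ;;
            *)  out="$out $p" ;;
        esac
    done
    echo "${out# }"
}

# vlan_overlap PORTS_A PORTS_B -> untagged ports present in both (empty if none)
vlan_overlap() {
    out=""
    for a in $(untagged_ports "$1"); do
        for b in $(untagged_ports "$2"); do
            if [ "$a" = "$b" ]; then
                out="$out $a"
            fi
        done
    done
    echo "${out# }"
}

# emit_switch_config LAN_PORTS WAN_PORTS -> UCI stanzas on stdout, status 1 on overlap
emit_switch_config() {
    lan="$1"
    wan="$2"
    dup="$(vlan_overlap "$lan" "$wan")"
    if [ -n "$dup" ]; then
        echo "refusing: port(s) $dup are untagged in both VLANs" >&2
        return 1
    fi
    cat <<EOF
config switch 'switch0'
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan 'lansw'
	option device 'switch0'
	option vlan '1'
	option ports '$lan'

config switch_vlan 'wansw'
	option device 'switch0'
	option vlan '2'
	option ports '$wan'
EOF
}

# Defaults as in the thread: LAN sockets plus tagged CPU on vid 1,
# the Quantenna port (5) plus tagged CPU on vid 2.
LAN_PORTS="${LAN_PORTS:-0 1 2 3 8t}"
WAN_PORTS="${WAN_PORTS:-5 8t}"

# Usage: sh switch-vlans.sh emit > /tmp/switch.conf   (script name is hypothetical)
if [ "${1:-}" = emit ]; then
    emit_switch_config "$LAN_PORTS" "$WAN_PORTS"
fi
```

The stanzas only split the switch; as the comment above says, eth5 still has to be added to the ifname list of the wan bridge in /etc/config/network before the 5GHz client side ends up in br-wan, and the LAN side keeps ports 0-3 as before.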
How do you know?
https://openwrt.org/docs/techref/targets/brcm63xx As long as you look at official OpenWrt builds, the brcm63xx target is MIPS arch only. There is no upstream support in OpenWrt for Broadcom 63xx ARM-based SoCs. In Homeware, the brcm63xx-tch target might be for ARM- or MIPS-based SoCs depending on the board. In future, OpenWrt builds for ARM-based Broadcom SoCs would probably go under a differently named target, such that brcm63xx would be MIPS only and brcm63xx-arm ARM only. PS: the brcm63xx OpenWrt target has recently (finally! 🍾🎉) been renamed to bcm63xx
Thanks man for the excellent explanation. I'm learning now how to build and compile programs for the device using this: I have downloaded the
Try the latest one
I have an issue and I don't know if this is normal behavior or not. The "br-wan" interface on my device gets stuck with the same DHCP address assigned even when you unplug the cable or connect to a different source, whereas it should get a new DHCP address or show not connected if unplugged. I found the solution is to run "ifconfig br-wan down && ifconfig br-wan up". Is this normal, and how can I make it automatically detect a change in the status?
It is normal. It would automatically refresh its DHCP address only when the entire bridge goes down, not when just a single interface in it does. You should ask the OpenWrt guys about how to manage that situation the way you want.
Thanks man!
Could you not use hotplug, watch for iface events on br-wan and run the up/down?
He should watch for events on the port and act on the bridge; at the moment no events are triggered for the bridge when a single interface of the bridge gets disconnected, which is why the re-up doesn't occur.
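As an added example, not code from the thread or from the hack-technicolor project, a small POSIX sh poller that does what the last two comments describe: watch the physical WAN port rather than the bridge, and bounce br-wan when the port's link comes back up so the bridge's DHCP client renews its lease. It assumes the WAN socket is eth4 and the bridge is br-wan (both named in the thread), that Homeware exposes /sys/class/net/<dev>/carrier like stock OpenWrt, and that ifconfig and logger are present; the file name wan-bounce.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or the hack-technicolor project.
# Polls the carrier of the physical WAN port and bounces the bridge it sits in
# when the link comes back up, so the bridge's DHCP client renews its lease.
# Assumptions: WAN socket is eth4 and the bridge is br-wan (both named in the
# thread); Homeware exposes /sys/class/net/<dev>/carrier like stock OpenWrt and
# has ifconfig and logger. The file name wan-bounce.sh is hypothetical.

WAN_PORT="${WAN_PORT:-eth4}"
WAN_BRIDGE="${WAN_BRIDGE:-br-wan}"
POLL_SECS="${POLL_SECS:-2}"

# read_carrier DEV -> "1" (link up), "0" (link down) or "unknown"
# (missing device, or the kernel returns EINVAL while the port is admin-down).
read_carrier() {
    f="/sys/class/net/$1/carrier"
    v=""
    if [ -r "$f" ]; then
        v="$(cat "$f" 2>/dev/null || true)"
    fi
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo unknown ;;
    esac
}

# decide PREV CUR -> "bounce" only on a down-to-up transition, else "noop".
# A bare link drop is left alone: bouncing then would just discard the lease
# for a cable that is about to be plugged back in. The renewal happens when
# the link returns, which is the moment the upstream may have changed.
decide() {
    case "$1:$2" in
        0:1) echo bounce ;;
        *)   echo noop ;;
    esac
}

# bounce_bridge BRIDGE -> the same down/up the thread found to work by hand
bounce_bridge() {
    ifconfig "$1" down && ifconfig "$1" up
}

monitor() {
    prev="$(read_carrier "$WAN_PORT")"
    while :; do
        sleep "$POLL_SECS"
        cur="$(read_carrier "$WAN_PORT")"
        if [ "$(decide "$prev" "$cur")" = bounce ]; then
            logger -t wan-bounce "$WAN_PORT link up, bouncing $WAN_BRIDGE"
            bounce_bridge "$WAN_BRIDGE"
        fi
        prev="$cur"
    done
}

# Usage: sh /root/wan-bounce.sh start &   (for example from /etc/rc.local)
if [ "${1:-}" = start ]; then
    monitor
fi
```

Polling is used instead of /etc/hotplug.d because, as the comment above notes, no event is generated for the bridge when one of its member ports loses link; the carrier file is the cheapest thing a script can watch without extra packages.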
I have a very strange problem and it's driving me crazy on this device; please give your opinion on it. The problem is WiFi connectivity. When I go to another room, I can see the signal is about -60dB; however, when I put any light barrier (like a laptop screen or my hand) in front of the phone connected to the WiFi, I lose the ability to communicate with the gateway, even though the signal always ranges between -60 and -70dB.
This thread was a great help when experimenting with my own router. I now have Telenor v17.1.7937 running in my bank_1 (confirmed via serial). However, I have not managed to get tch-exploit to work. My IP address is set to 58.162.0.1 and I am connected to the WAN port. I get the DHCP request and the router seems to get an assigned address but Should I try another rooting method (though #C is the only one listed in the docs) or another firmware version (could one for Telia work even though mine is Telenor)? Sorry for necroposting. EDIT: I just got it to work. I must have pressed reboot instead of factory reset when I was testing last night or something... Sorry
Product Vendor: Technicolor
Product Name: MediaAccess TG799vac Xtream
Software Version: 17.1
Firmware Version: 17.1.7854-0001005-20180216002644-BS
Firmware OID: 5a861734835b67358c78212a
Bootloader Version: 15.38.724-0000000-20150917132051-d85c65bd2e219aab5422ce7f3366cf1ebe170059
Bootloader OID: unknown
Hardware Version: VANT-W
I tried to do the webui exploit but nothing works. There's even validation which says, for example, "Enter correct domain name or ip address."
I tried to send reboot using AFG and nothing happened (the router didn't reboot); here's a screenshot
I also tried to flash it using the Telenor firmware and also nothing happened.
I tried ::::::;reboot inside the webui and it didn't work.
Here's a tch-exploit screenshot, connected to the WAN port with a static IP as shown here: https://github.com/BoLaMN/tch-exploit
So what should I do now please?
Thanks a lot for your help.