Here is (as of 2015-05-28) some information about my attempts to get OpenWrt
running on the EasyBox 904 xDSL.
Note that the OEM's firmware is based on OpenWrt backfire, which has been
heavily modified, and both extended and mutilated.

Important links, where I found valuable information
---------------------------------------------------
Original firmware source (some parts missing) is here:
http://www.astorianetworks.com/
http://www.astorianetworks.com/astoria/source/AT904X-03.10_source_20140310.tar.gz

Firmware image from Vodafone:
http://www.vodafone.de/business/hilfe-support/support-firmware-easybox-904-xdsl.html

Some info and pictures of the board and chips can be found here:
http://www.randomprojects.org/wiki/Vodafone_EasyBox_904_xDSL

This box is similar to EasyBox 904 LTE:
http://wiki.openwrt.org/toh/arcadyan/easybox_904_lte

OpenWrt forum thread about both (!) Easybox 904 LTE and 904 xDSL:
https://forum.openwrt.org/viewtopic.php?id=44676

A replacement u-boot, which accepts every password, is in the archive
904xdsl-uboot-maybe-no-passwd.zip. I found it here:
https://forum.openwrt.org/viewtopic.php?pid=265327#p265327

Unbricking
----------
(I never needed to try this)

http://wiki.openwrt.org/toh/arcadyan/easybox_904_lte chapter "Debricking"
https://forum.openwrt.org/viewtopic.php?pid=206163#p206163

"Ok, if you want UART mode, just shortcut R148." ???
from https://forum.openwrt.org/viewtopic.php?id=44676&p=4
and https://forum.openwrt.org/viewtopic.php?pid=263439#p263439

Ways to get access
------------------
Original u-boot is password protected and no sshd/telnetd/console shell is
normally running. I know of two ways to hack this box:

1.) Console or ssh access is achieved via extracting the squashfs/rootfs from
    a firmware image, some shell script manipulations in the rootfs,
    re-concatenating the firmware parts, and using the firmware recovery
    procedure (u-boot/tftp) of the box.
    No box opening required for ssh access.
    I successfully tried this with firmware versions 3.12 and 3.17.
    See below, "How to patch a Vodafone Firmware Image...".

2.) Use the UART method for unbricking (see above) and load and start a
    u-boot, which does not require a password.

How to patch a Vodafone Firmware Image to get console or ssh access
-------------------------------------------------------------------
Use 'binwalk' (e.g. contained in Debian) to find the position of some parts
within the firmware:

    binwalk vodafone_firmware.bin

Binwalk generally reports the position of a squashfs file system.

Split vodafone_firmware.bin into several parts. This can be done using
'dd bs=1 skip=... count=...' commands. Get:
- The first part before the squashfs file system
- The middle part containing the squashfs file system
- The last part after the squashfs file system

Examine the middle/squashfs part in a hex editor. There is a certificate
(ASCII text) appended at the end. Note the certificate's position and split
the middle part into the real squashfs part and the certificate part.

Unpack the squashfs file using 'unsquashfs'. Ensure the unsquashfs tool
understands LZMA compression, otherwise the operation is refused. You may use
the unsquashfs from an OpenWrt build environment.
You will get a directory tree 'squashfs-root'.

You may now modify the unpacked squashfs-root tree. See "What to change..."
below.

Then a new squashfs image must be built via a 'mksquashfs' tool which knows
LZMA:

    mksquashfs squashfs-root squashfs.img.new -comp lzma -b 131072 -no-xattrs -all-root

If the new squashfs image is smaller than the old one, padding at the end is
needed:

    dd bs=1 count=... if=/dev/zero of=padding

Finally all parts can be recombined:

    cat firstpart squashfs.img.new padding certificate lastpart > new_firmware.img

The new firmware must have the same size as the original
vodafone_firmware.bin.
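
The split, pad and recombine steps above as shell functions. This is an added
example, not part of the original notes. The function names, the three byte
offsets given to fw_split (start of the squashfs from binwalk, start of the
certificate from the hex editor, start of the last part) and the sample data
are assumptions.

```shell
#!/bin/sh
# Added example (not the author's script): split an image at known offsets
# and rebuild it with a repacked squashfs, keeping the total size unchanged.

fsize() { echo $(( $(wc -c < "$1") )); }

# fw_split IMAGE SQFS_OFF CERT_OFF LAST_OFF OUTDIR   (byte offsets, decimal)
fw_split() {
    img=$1; sq=$2; cert=$3; last=$4; out=$5
    size=$(fsize "$img")
    # Offsets must be ordered and lie inside the image.
    if [ "$sq" -ge "$cert" ] || [ "$cert" -gt "$last" ] || [ "$last" -gt "$size" ]; then
        echo "fw_split: inconsistent offsets" >&2; return 1
    fi
    mkdir -p "$out" &&
    dd bs=1 if="$img" of="$out/firstpart" count="$sq" 2>/dev/null &&
    dd bs=1 if="$img" of="$out/squashfs.img" skip="$sq" count=$((cert - sq)) 2>/dev/null &&
    dd bs=1 if="$img" of="$out/certificate" skip="$cert" count=$((last - cert)) 2>/dev/null &&
    dd bs=1 if="$img" of="$out/lastpart" skip="$last" 2>/dev/null
}

# fw_rebuild PARTS_DIR NEW_SQUASHFS OUT_IMAGE ORIG_IMAGE
fw_rebuild() {
    dir=$1; new=$2; outimg=$3; orig=$4
    old_len=$(fsize "$dir/squashfs.img"); new_len=$(fsize "$new")
    # A larger squashfs would shift the certificate and the last part.
    if [ "$new_len" -gt "$old_len" ]; then
        echo "fw_rebuild: new squashfs is $((new_len - old_len)) bytes too large" >&2
        return 1
    fi
    dd bs=1 count=$((old_len - new_len)) if=/dev/zero of="$dir/padding" 2>/dev/null &&
    cat "$dir/firstpart" "$new" "$dir/padding" "$dir/certificate" "$dir/lastpart" > "$outimg" &&
    [ "$(fsize "$outimg")" -eq "$(fsize "$orig")" ]
}

# Constructed sample (not a real firmware): 8-byte header, 20-byte "squashfs",
# 11-byte "certificate", 6-byte trailer = 45 bytes.
fw_demo() {
    d=$(mktemp -d) || return 1
    printf 'HEADER__hsqsOLDROOTFS_DATA__-----CERT--TRAIL!' > "$d/orig.bin"
    printf 'hsqsNEWROOTFS' > "$d/squashfs.img.new"
    fw_split "$d/orig.bin" 8 28 39 "$d/parts" &&
    fw_rebuild "$d/parts" "$d/squashfs.img.new" "$d/new_firmware.img" "$d/orig.bin" &&
    echo "$d"
}
```

fw_rebuild returns non-zero when the repacked squashfs is larger than the
original or when the final size differs from the original image.
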

How to flash the patched Vodafone firmware
------------------------------------------
Use the u-boot provided recovery procedure of the EasyBox 904:
- Set up a tftp server listening at 192.168.2.100
- Have the tftp server provide the new firmware image.
  It must be named "firmware.img"!!
- Switch on the EasyBox and quickly press the reset button.
  Keep it held down for at least 8 seconds.

What to change in the squashfs-root tree
----------------------------------------
1.) I appended the following lines to squashfs-root/etc/init.d/rcS:

        stty -F /dev/ttyS0 115200
        enable_console.sh
        (cd /tmp; nohup sh -c "sleep 200; exec dropbear" & )

    Results:
    - Enables the serial console (seems to be effective after second reboot)
    - Ensures a dropbear server is always started some minutes after a reboot
    - Ensures this dropbear server allows password authentication

    After flashing, the EasyBox must be booted once with a USB stick
    containing an empty (!) file named "sesame.txt" in the root directory of
    its first partition. This is a secret signal that any missing ssh host key
    files should be initialized, and a dropbear (without password auth) should
    be started.
    On later reboots the USB stick won't be needed, as we force a dropbear
    after 200 secs.

    The login password for root may be set via the web gui at
    http://192.168.2.1.

2.) You may also
    - unpack squashfs-root/etc/dftconfig.tgz
    - put your rsa2 public key in file config/cert/authorized_keys
    - repack squashfs-root/etc/dftconfig.tgz

How to replace u-boot
---------------------
The original u-boot is locked and requires a password in order to accept
commands. With shell access to the EasyBox, I simply copied the hacked version
u-boot.lq from 904xdsl-uboot-maybe-no-passwd.zip to /dev/mtd0.
Update: I don't remember whether this was possible with cp, or whether the
program /sbin/mtd had to be used.

How to connect a serial line for console access
-----------------------------------------------
There is a 4 pin connector J8.
Pin 1 is marked by an arrow/triangle.
RX/TX voltage levels are 0 to 3.3V (not RS-232 -15 to +15V), standard speed is
115200 8N1.

Pin
 1  x  Probably 3.3V. Not needed. Can damage your box if improperly wired
 2  x  RX
 3  x  TX
 4  x  Ground

This comes from the randomprojects web page. At first it did not work for me
as expected. As the meaning of RX and TX changes depending on which direction
you look from, I simply swapped the RX and TX wires, and then it worked.