Looking for info and possibility of (future) support of TP-Link Omada er605 Router

Anyone have any info on these?

This looks new-ish, and I'm not finding much info. It looks vaguely analogous to a Microtik Hex? As OpenWRT is running on many of the Omada APs (snapshot), I'm thinking of running the TP-Link software for now, with an eye toward migrating to OpenWRT later.

At $60, I'd consider purchasing a second one as a sacrificial guinea pig: I'm pretty new to low level hardware, but I can read part numbers and follow instructions. :slightly_smiling_face:

3 Likes

I would also love to use a low cost wired router like is one with OpenWRT

vevere

1 Like

appears to be a Mediatek / Ralink MT7621 - ER605(UN)_V1_20210113 FW.

1 Like

The Edgerouter X and the rb750gr3 are fully supported comparable hardware. ER-X (if you can find one) has more flash and RAM. RB750 has a USB port.

2 Likes

It seems that er605 is build with openwrt, see the GPL, it is the OpenWrt source : https://static.tp-link.com/resources/gpl/er605_gpl.tar.gz

Most chipset vendors base their proprietary SDK loosely on (typically ancient versions of-) OpenWrt, that doesn't mean it would build or retain any form of likelyness with OpenWrt, nor that it makes porting to OpenWrt proper any easier. Typically at least the kernel is replaced, proprietary/ binary kernel modules galore and a different webinterface thrown in, among countless other mutilations and very questionable licensing choices.

I am also waiting for an openwrt build for this device

Open it up, find the serial port, check if the boot loader's interruptable, and post the boot log.

I've opened up an ER605, and there appears to be space for a header (4 pins) no markings. I think i can see gnd at one end, any idea when the other pins would be , i.e rx and tx ? plus the serial settings 9600 ???

Just test, GND/RX/TX/+V, you never connect the +V.

speed's trial and error, but I'd start with 115200 and then 57600.

1 Like

I've just found this thread,
I had a look at the ER605 a while ago, but ran out of time and got stuck.
I connected to the serial port via the header and shorting some connections as the rx and tx are not connected.

I managed to connect to the serial console, and can see the router boot, but it asks for a password

looking in the firmware it looks like there should be no root password i.e. in the /etc/passwd

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false

and /etc/shadow file

root::16800:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::

but no password for root does not work.

I tried to boot to single user mode, but this is where i got stuck
from the boot menu 3 is the default and works

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.
default: 3                                                                                                                                                                                             4
You choosed 4

I tried 4 so i could single user boot to see if the passwd is updated later but don't know how to create the bootm command
everything i tried end up the same i.e Bad Magic Number

MT7621 # bootm 0x87f32f98
## Booting image at 87f32f98 ...
Bad Magic Number,001AB00C

I have tried addresses using info shown during option 3 boots

relocate code addr_sp:0x87f32f98;id:-2013974608;addr:0x87f94000relocate_code Pointer at: 87f94000

I have also tried addresses from binwalk

# binwalk --signature --term 'ER605(UN)_v1_1.2.0 Build 20220114.bin'

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
175652        0x2AE24         U-Boot version string, "U-Boot 1.1.3 (Mar 31 2021 - 23:14:27)"
194235        0x2F6BB         HTML document header
213083        0x3405B         HTML document footer
238972        0x3A57C         uImage header, header size: 64 bytes, header CRC: 0x10622B9A, created: 2022-01-14 13:21:03, image size: 1498445 bytes, Data Address: 0x81001000, Entry Point: 0x81001000, data CRC: 0x757B8873, OS: Linux, CPU: MIPS, image type: Multi-File
                              Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.10.108"
239044        0x3A5C4         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4454592 bytes
1737481       0x1A8309        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 12109173 bytes, 2977 inodes, blocksize: 16384 bytes, created: 2022-01-14 13:21:11
14191070      0xD889DE        Boot section Start 0x42424242 End 0x22313233
14191078      0xD889E6        Boot section Start 0x0 End 0x0

my question is how do I boot to single user mode? I know i can add some parameters but i cant even manually boot

It probably isn't necessary to break into the stock firmware here. The main thing that needs to be learned from the stock firmware is the partition table, and that should be printed out in the boot log. Then you can start building and booting initramfs OpenWrt images to test the rest of the hardware. Since this router is little more than a MT7621 chip it should be a simple port from similar devices.

@mk24 I've attached a boot log, but i would still like to know how to do a bootm.

[    0.000000]
[    0.000000]  The CPU feqenuce set to 880 MHz
[    0.000000] GCMP present
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] Software DMA cache coherency
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] @@----debug cmdline=[  board=OSGv1 console=ttyS1,115200 root=31:04 init=/sbin/init mtdparts=raspi:256k(u-boot)ro,192k(u-boot-fs),64k(extra-para),1472k(kernel),14400k(rootfs) ]
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x00000000-0x00ffffff]
[    0.000000]   Normal   [mem 0x01000000-0x07ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffffff]
[    0.000000] Detected 3 available secondary CPU(s)
[    0.000000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] PERCPU: Embedded 7 pages/cpu @8156c000 s6336 r8192 d14144 u32768
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: console=ttyS1,115200n8 root=/dev/mtdblock4 rootfstype=squashfs,jffs2 noinitrd rootfstype=squashfs,yaffs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=0006b106
[    0.000000] Readback ErrCtl register=0006b106
[    0.000000] Memory: 125296k/131072k available (3345k kernel code, 5776k reserved, 800k data, 264k init, 0k highmem)
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS:128
[    0.000000] console [ttyS1] enabled
[    0.104000] Calibrating delay loop... 574.46 BogoMIPS (lpj=1148928)
[    0.132000] pid_max: default: 32768 minimum: 301
[    0.136000] Mount-cache hash table entries: 512
[    0.140000] launch: starting cpu1
[    0.144000] launch: cpu1 gone!
[    0.144000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.144000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.144000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.144000] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.176000] Synchronize counters for CPU 1: done.
[    0.180000] launch: starting cpu2
[    0.184000] launch: cpu2 gone!
[    0.184000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.184000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.184000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.184000] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.216000] Synchronize counters for CPU 2: done.
[    0.220000] launch: starting cpu3
[    0.224000] launch: cpu3 gone!
[    0.224000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
[    0.224000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.224000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.224000] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.252000] Synchronize counters for CPU 3: done.
[    0.256000] Brought up 4 CPUs
[    0.260000] NET: Registered protocol family 16
[    0.492000] release PCIe RST: RALINK_RSTCTRL = 7000000
[    0.496000] PCIE PHY initialize
[    0.500000] ***** Xtal 40MHz *****
[    0.504000] start MT7621 PCIe register access
[    0.956000] RALINK_RSTCTRL = 7000000
[    0.960000] RALINK_CLKCFG1 = 77ffeff8
[    0.964000]
[    0.964000] *************** MT7621 PCIe RC mode *************
[    1.348000] PCIE0 no card, disable it(RST&CLK)
[    1.352000] PCIE1 no card, disable it(RST&CLK)
[    1.356000] PCIE2 no card, disable it(RST&CLK)
[    1.360000] pcie_link status = 0x0
[    1.364000] RALINK_RSTCTRL= 0
[    1.384000] bio: create slab <bio-0> at 0
[    1.388000] Switching to clocksource Ralink Systick timer
[    1.396000] NET: Registered protocol family 2
[    1.400000] Clockevents: could not switch to one-shot mode:
[    1.400000] Clockevents: could not switch to one-shot mode:
[    1.400000] Clockevents: could not switch to one-shot mode:
[    1.400000]  MIPS is not functional.
[    1.400000]  MIPS is not functional.
[    1.400000] Clockevents: could not switch to one-shot mode: MIPS is not functional.
[    1.400000] Could not switch to high resolution mode on CPU 0
[    1.400000] Could not switch to high resolution mode on CPU 2
[    1.400000] Could not switch to high resolution mode on CPU 3
[    1.448000]  MIPS is not functional.
[    1.452000] Could not switch to high resolution mode on CPU 1
[    1.460000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)
[    1.464000] TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
[    1.472000] TCP: Hash tables configured (established 1024 bind 1024)
[    1.480000] TCP: reno registered
[    1.480000] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    1.488000] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    1.496000] NET: Registered protocol family 1
[    1.588000] 4 CPUs re-calibrate udelay(lpj = 1167360)
[    1.596000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    1.604000] jffs2: version 2.2. (NAND) (SUMMARY)  (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    1.612000] msgmni has been set to 244
[    1.616000] io scheduler noop registered (default)
[    1.624000] reg_int_mask=0, INT_MASK= 0
[    1.628000] HSDMA_init
[    1.628000]
[    1.628000]  hsdma_phy_tx_ring0 = 0x00c00000, hsdma_tx_ring0 = 0xa0c00000
[    1.636000]
[    1.636000]  hsdma_phy_rx_ring0 = 0x00c04000, hsdma_rx_ring0 = 0xa0c04000
[    1.644000] TX_CTX_IDX0 = 0
[    1.648000] TX_DTX_IDX0 = 0
[    1.652000] RX_CRX_IDX0 = 3ff
[    1.656000] RX_DRX_IDX0 = 0
[    1.656000] set_fe_HSDMA_glo_cfg
[    1.660000] HSDMA_GLO_CFG = 465
[    1.668000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    1.676000] serial8250: ttyS0 at MMIO 0x1e000d00 (irq = 27) is a 16550A
[    1.684000] serial8250: ttyS1 at MMIO 0x1e000c00 (irq = 26) is a 16550A
[    1.688000] Enable Ralink GDMA Controller Module
[    1.696000] GDMA IP Version=3
[    1.700000] flash manufacture id: c8, device id 40 18
[    1.704000] GD25Q128C(c8 40180000) (16384 Kbytes)
[    1.708000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
[    1.716000] @@-----debug tplink flash parse--------
[    1.724000] 14 tp-link partitions found on MTD device raspi
[    1.728000] Creating 14 MTD partitions on "raspi":
[    1.732000] 0x000000000000-0x000000040000 : "bootloader"
[    1.740000] 0x000000040000-0x000000070000 : "bootloader-fs"
[    1.744000] 0x000000070000-0x000000080000 : "extra-para"
[    1.752000] 0x000000080000-0x000000200000 : "kernel"
[    1.760000] 0x000000200000-0x000000df0000 : "rootfs"
[    1.764000] mtd: device 4 (rootfs) set to be root filesystem
[    1.768000] 0x000000df0000-0x000000e10000 : "panic-oops"
[    1.776000] 0x000000e10000-0x000000e20000 : "partition-table"
[    1.784000] 0x000000e20000-0x000000e30000 : "device-info"
[    1.788000] 0x000000e30000-0x000000e40000 : "support-list"
[    1.796000] 0x000000e40000-0x000000e50000 : "firmware-info"
[    1.804000] 0x000000e50000-0x000000e60000 : "tddp"
[    1.808000] 0x000000e60000-0x000000e80000 : "log"
[    1.816000] 0x000000e80000-0x000001000000 : "rootfs_data"
[    1.820000] 0x000000000000-0x000001000000 : "firmware"
[    1.828000] GMAC1_MAC_ADRH -- : 0x0000000c
[    1.832000] GMAC1_MAC_ADRL -- : 0x432880bb
[    1.836000] Ralink APSoC Ethernet Driver Initilization. v3.1  1024 rx/tx descriptors allocated, mtu = 1500!
[    1.844000] GMAC1_MAC_ADRH -- : 0x0000000c
[    1.848000] GMAC1_MAC_ADRL -- : 0x43288059
[    1.856000] eth0: Found an MT7621
[    1.856000] PROC INIT OK!
[    1.860000] i2c /dev entries driver
[    1.868000] nf_conntrack version 0.5.0 (1957 buckets, 7828 max)
[    1.872000]  ## netfilter xt_connextmark loaded.

[    1.876000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    1.884000] Type=Linux
[    1.884000] TCP: cubic registered
[    1.888000] NET: Registered protocol family 10
[    1.896000] NET: Registered protocol family 17
[    1.900000] 8021q: 802.1Q VLAN Support v1.8
[    1.904000] Registered character driver slp_flash_chrdev
[    1.916000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    1.924000] Freeing unused kernel memory: 264K
[    1.928000] Failed to execute ype=squashfs,jffs2.  Attempting defaults...
procd: Console is alive
procd: - preinit -
3.38 8.70 preinit_main  define_default_set_state
3.40 8.77 preinit_main  do_ramips
3.42 8.82 preinit_main  do_checksumming_disable
3.43 8.86 preinit_main  preinit_ip
3.44 8.87 preinit_main  pi_indicate_preinit
3.45 8.91 preinit_main  indicate_regular_preinit
3.46 8.94 preinit_main  initramfs_test
3.47 8.96 preinit_main  do_mount_root
----mtdblock:/dev/mtdblock12----
[    3.600000] jffs2: notice: (305) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
=========================USERCONFIG INITIAL======================
/etc/preinit: line 1: opkg: not found
Copy userconfig to memory
/etc/cfgsync.d/00_start_sync.sh: line 12: opkg: not found
cp: can't stat '/etc/config/openvpn-mgmt': No such file or directory
cp: can't stat '/etc/config/portal-mgmt': No such file or directory
cp: can't stat '/tmp/userconfig/etc/config/openvpn-mgmt': No such file or directory
cp: can't stat '/tmp/userconfig/etc/config/portal-mgmt': No such file or directory
=========================USERCONFIG DONE======================
no
4.96 13.15 preinit_main  run_init
procd: - early -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
cd /tmp && dkmgt_firmware_make -R -f /dev/mtdblock13 -p 0x00e10000 -n firmware-info -o firmware-info.json
{
"software-version":"1.2.0 Build 20220114 Rel.76871",
"firmware-id":"123AAAABBBBAAAABBBBAAAABBBBAAAABBBB321"
}######: Init Firmware version *SUCCESS* !!
cd /tmp && dkmgt_firmware_make -R -f /dev/mtdblock13 -p 0x00e10000 -n device-info -o device-info.json
######: Init model version *SUCCESS* !!
[    6.084000] mtdoops: Attached to MTD device 5
[    6.192000] liblogger: module license 'unspecified' taints kernel.
[    6.200000] Disabling lock debugging due to kernel taint
[    6.216000] NET: Registered protocol family 8
[    6.220000] NET: Registered protocol family 20
[    6.228000] Initializing XFRM netlink socket
[    6.232000] NET: Registered protocol family 15
[    6.240000] tun: Universal TUN/TAP device driver, 1.6
[    6.244000] tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
[    6.276000] l2tp_core: L2TP core driver, V2.0
[    6.280000] l2tp_netlink: L2TP netlink interface
[    6.288000] sit: IPv6 over IPv4 tunneling driver
[    6.296000] gre: GRE over IPv4 demultiplexor driver
[    6.304000] ip_gre: GRE over IPv4 tunneling driver
[    6.320000] bonding: Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
[    6.352000] PPP generic driver version 2.4.2
[    6.364000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    6.376000] Netfilter messages via NETLINK v0.30.
[    6.384000] ip_set: protocol 6
[    6.424000]  ipset kmod ipauthlimit loading
[    6.432000] ---portal module open start
[    6.436000] ---portal module open ok[    6.448000]
[    6.448000]  module multinetdev loding
[    6.456000]  module xt_tplimit loding
[    6.460000]     xt_tplimit create cell_memcache OK!
[    6.464000]     xt_tplimit create cell_mempool OK, capacity 8192!
[    6.472000]  kmodule authlimit loding
[    6.476000]  add cdev authlimit ok, MAJOR 254, MINOR 0
[    6.484000]     create cell_memcache OK!
[    6.488000]     create cell_mempool OK, capacity 8192!
[    6.492000]     create authlimit hash table OK, spec 256  @0xffffffff86e32000
[    6.500000]  netfilter module authlimit loding
[    6.512000] balance route match init success!
[    6.580000] ctnetlink v0.93: registering with nfnetlink.
[    6.600000] NF_TPROXY: Transparent proxy support initialized, version 4.1.0
[    6.608000] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
[    6.616000] PPP MPPE Compression module registered
[    6.624000] NET: Registered protocol family 24
[    6.632000] PPTP driver version 0.8.5
[    6.636000] Ralink APSoC Hardware Watchdog Timer
[    6.640000] rdm_major = 253
[    6.656000] xt_connlimit: enable /proc/connlimit_stat for per-ip statistics 256.
[    6.684000] xt_time: kernel timezone is -0000
[    6.692000] l2tp_ppp: PPPoL2TP kernel driver, V2.0
Jan  1 08:00:07 crond[1069]: crond: crond (busybox 1.22.1) started, log level 5
[   10.124000] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   11.148000] 3E:FFFFFF81:1C:1D: 6:FFFFFF81
[   11.152000] Raeth v3.1 (Tasklet)
[   11.156000] afterset CLK_CFG_0 = 0x40a00020!!!!!!!!!!!!!!!!!!1
[   11.168000] phy_free_head is 0xc08000!!!
[   11.172000] phy_free_tail_phy is 0xc09ff0!!!
[   11.176000] txd_pool=a0c10000 phy_txd_pool=00C10000
[   11.180000] ei_local->skb_free start address is 0x87e7a6e0.
[   11.184000] free_txd: 00c10010, ei_local->cpu_ptr: 00C10000
[   11.192000]  POOL  HEAD_PTR | DMA_PTR | CPU_PTR
[   11.196000] ----------------+---------+--------
[   11.200000]      0xa0c10000 0x00C10000 0x00C10000
[   11.204000]
[   11.204000] phy_qrx_ring = 0x00c0a000, qrx_ring = 0xa0c0a000
[   11.216000]
[   11.216000] phy_rx_ring0 = 0x00c0c000, rx_ring[0] = 0xa0c0c000
[   11.244000] MT7530 Reset Completed!!
[   11.252000] change HW-TRAP to 0x117c8f
[   11.256000] set LAN/WAN WLLLL
[   11.264000] GMAC1_MAC_ADRH -- : 0x0000000c
[   11.268000] GMAC1_MAC_ADRL -- : 0x43288059
[   11.272000] GDMA2_MAC_ADRH -- : 0x0000000c
[   11.276000] GDMA2_MAC_ADRL -- : 0x43288056
[   11.284000] eth1: ===> VirtualIF_open
[   11.288000] MT7621 GE2 link rate to 1G
[   11.292000] CDMA_CSG_CFG = 81000000
[   11.296000] GDMA1_FWD_CFG = 20710000
[   11.300000] GDMA2_FWD_CFG = 20710000
[   11.424000] device eth0 entered promiscuous mode
[   18.264000] mt7621_vtu_op op:1 vid:0, val:0, tagged:0
[   18.268000] mt7621_vtu_op op:2 vid:1, val:94, tagged:40
[   18.272000] mt7621_vtu_op op:2 vid:4094, val:33, tagged:20
tddpd_start
[tddp_flash_to_config,2439]:  read tddp flash valid size:668.

tddpd start success
Check signature OK, now will enable all ports
[   21.064000] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   21.084000] device veth0 entered promiscuous mode
[   21.088000] br-lan: port 1(veth0) entered forwarding state
[   21.092000] br-lan: port 1(veth0) entered forwarding state
[   21.164000] eth1: ===> VirtualIF_open
[   21.480000] device eth1 entered promiscuous mode
[   23.096000] br-lan: port 1(veth0) entered forwarding state
GMT+08:00
[   30.180000] iptvc v1.0.0 loading
[   34.516000] nbpt v1.0.1 loading
[   39.436000] arp_garp is loaded.
[   39.440000] narr=1
macAddr is XX:XX:XX:XX:XX:XX
ssh_port_switch is off
[   41.936000] eth1.4094 is offfree policy command: load
free policy command result: SUCCESS
stop sfe first ...
[   46.776000] fast-classifier: starting up
[   46.784000] fast-classifier: registered
Config SFE ipstat
[   46.796000] Update Subnet-> ip: 00000000, mask: 00000000
[   48.708000] Ralink HW NAT Module Enabled
[   48.716000] init PpeFoeBase = a0c80000
[   48.920000] Update Subnet-> ip: 00000000, mask: 00000000
[   49.484000] init special_route module finish, nf_conntrack_max=[25000].
[   49.500000] special route target init success!
generate ipsec_check_dns time:t2 - t1 is [0.0006401538848877]
ipsec_reload.lua time=[0.0035400390625]
session_limits_enabled_rule_num = 0,rmmod xt_tpconnlimit
{
"software-version":"1.2.0 Build 20220114 Rel.76871",
"firmware-id":"123AAAABBBBAAAABBBBAAAABBBBAAAABBBB321"
}{
"software-version":"1.2.0 Build 20220114 Rel.76871",
"firmware-id":"123AAAABBBBAAAABBBBAAAABBBBAAAABBBB321"
}[   56.244000] mt7621_vtu_op op:1 vid:0, val:0, tagged:0
[   56.248000] mt7621_vtu_op op:2 vid:1, val:94, tagged:40
[   56.252000] mt7621_vtu_op op:2 vid:4094, val:33, tagged:20
procd: - init complete -

ER605 login:

what do you mean by how to do ?

@frollic I want to single user boot

so from the following menu

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

I selected 4, but can't find the right boot string. Have i gone down the wrong path ? The question should perhaps be

How do i book into single user mode, so i can bypass the authentication?

Try adding s to the bootcmd?

For the most part OpenWrt kernels and likely related manufacturer builds, ignore boot strings.

That's a really messy partition table but I guess the first attempt at a port could declare 80000 - bf0000 as "firmware" and eventually find which of the other partition contains the factory assigned sticker MAC address.

1 Like

@frollic, can you help me with the exact instruction to single user boot, been at it hours and i just the bad magic number?

mk24, i manually removed the mac from the log and replaces with xx:xx:xx:xx:xx:xx if that confused you

Once at uboot prompt, run printenv.

Look for the bootcmd variable, and change it.

setenv...
saveenv

btw
the "bad magic number" number probably needs to be added to https://github.com/hyphop/openwrt/blob/master/tools/firmware-utils/src/tplink-safeloader.c

btw 2
since opened it up, please post photo of the PCB, plus a close up of where you did the soldering.