Hacking COMPLETED Fusee-LEDE Dongle (6$ payload injector)

obtainr

sorry but isn't there an android apk app floating around here that can push payloads and run executer already? I am sure at least 50% of people here have an android mobile.
Although I have not yet tested due to misplacing my OTG and cbf finding it right now and will probably just order one off ebay.
 

Localhorst86

yes, NXloader might be an option for a lot of people. But particularly older phones do not support OTG. For people who do not have access to an android phone with OTG, a ~$10 device might be a better option.

I myself am going to try this once the router arrives because my USB Type C port on my phone is blocked by a magnetic connector so I don't have to wear out the port over time. Having to pull that out every time I want to boot via RCM - especially on the go where the magnetic connector might get lost - not only defeats the purpose of the connector but it also is slightly annoying. Other people often block their port with Qi charging mats.

You see there are plenty of reasons why people might opt for a different solution.
 
  • Like
Reactions: DayVeeBoi

z10m

Can you share the model of router you're trying this on?

img_7106.jpg


I was able to flash standard openwrt through the web interface but now it doesn’t recognise usb drive.
 

FGFlann

Compiled my own image now. It has DHCP and Wifi on by default. The SSID is 3GWIFI_XXXX and the default password is 12345678.

It includes support for mounting flash drives and has Nano baked in for easier settings edits.

If anyone wants to write a script to automount sda/sda[1-4] and update payload.bin I can include that, too.
 

Attachments

  • firmware.zip
    3.5 MB · Views: 240

FGFlann

I have modified /etc/hotplug.d/usb/20-tegra_rcm

If it doesn't detect Switch RCM it will instead attempt to probe for a flash drive containing payload.bin on one of its partitions, and update the payload on the dongle with it.

The LED flashes blue twice to indicate success.

I have tested it with my own flash drives and it works consistently but I would appreciate it if anyone else would be willing to help test it with their own devices. The modified contents of 20-tegra_rcm are below:

Code:
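#!/bin/sh

# OpenWRT hotplug script to be placed in /etc/hotplug.d/usb
# Sends the stored payload when a Switch in RCM is attached; otherwise probes
# attached USB storage for a replacement payload.bin.
# Note: any drive with payload.bin in a partition root replaces the payload;
# no integrity check is done on the file.

BINARY="/usr/bin/fusee-nano /usr/share/fusee-nano/payload.bin"
# PRODUCT value (vendor/product/version) reported for the Switch in RCM
APX_PRODID="955/7321/102"
LEDS="/sys/class/leds"

# Red power LED off, blue LED flashes twice, red power LED back on
blink_success() {
   echo 0 > "${LEDS}/a5-v11:red:Power/brightness"
   for n in $(seq 1 4); do
       echo $((n % 2)) > "${LEDS}/a5-v11:blue:system/brightness"
       sleep 1
   done
   echo 255 > "${LEDS}/a5-v11:red:Power/brightness"
}

if [ "${ACTION}" = "add" ]; then
   if [ "${PRODUCT}" = "${APX_PRODID}" ]; then
       # Switch in RCM detected: push the stored payload
       ${BINARY}
       blink_success
   elif [ "${DEVTYPE}" = "usb_interface" ]; then
       # Give the storage device time to enumerate before probing it
       sleep 3
       for dev in /dev/sd*; do
           # Skip the unexpanded glob when no /dev/sd* node exists
           [ -b "${dev}" ] || continue
           umount /mnt 2>/dev/null
           # The drive is only read from, so mount it read-only
           mount -o ro "${dev}" /mnt || continue
           if [ -f /mnt/payload.bin ]; then
               cp -f /mnt/payload.bin /usr/share/fusee-nano/
               umount /mnt
               blink_success
               break
           fi
           # No payload on this partition: do not leave it mounted
           umount /mnt
       done
   fi
fi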
 

Huntereb

Awesome stuff! I've been waiting a hot minute for my device to arrive, I'll be certain to give your modifications a whirl!

If there isn't such a thing before I obtain mine, I'm going to write a script that probes the power button, and switches payloads based on its presses. Maybe that will give someone an idea and save me more time. ;)
 

Nemean

So I have managed to get this working using the battery powered device and the new file with wifi and SXOS on. To do this I just went to the router page and upgraded stock firmware to the one provided. My question now is how do I change what payload I use. I'm not really sure what I'm doing or how I'm connecting to the dongle now.
 

FGFlann

This will be the last release from me for the time being. I had to dump Nano so I could squeeze in exFAT support, so you'll have to make do with Vi for text editing.

I've also made the configuration available on github, along with a simple script for building from source for the paranoid. https://github.com/ijuintekka/fusee-a5

This release supports, by default, the mounting of USB storage with FAT16, FAT32, exFAT and EXT4 partitions.

Upon insertion of a USB storage device, the root of each partition will be probed for a new payload.bin, and if found will replace the current payload with the discovered file.

This release has, by default, ethernet activated and set to be configured by DHCP, as well as Wi-Fi enabled by default with the SSID "3GWIFI_XXXX" and the WPA2 passkey "12345678".

These details can be changed at any time by editing /etc/config/network and /etc/config/wireless respectively.

Awesome stuff! I've been waiting a hot minute for my device to arrive, I'll be certain to give your modifications a whirl!

If there isn't such a thing before I obtain mine, I'm going to write a script that probes the power button, and switches payloads based on its presses. Maybe that will give someone an idea and save me more time. ;)
Thank you. :) I hope you find it useful.
 

Attachments

  • firmware.zip
    3.4 MB · Views: 270
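
The release above ships with a published default WPA2 passkey. As an added example (not part of the post or of the fusee-a5 repository), this script checks an OpenWrt wireless config for that default and sets a new key with `uci`; the function names are hypothetical, and the config path and default key are the ones stated in the post.

```shell
#!/bin/sh
# Added example (not from the thread): find and replace the image's default
# WPA2 key. Function names are hypothetical.
WIRELESS_CFG="${WIRELESS_CFG:-/etc/config/wireless}"
DEFAULT_KEY="12345678"   # default passkey stated in the post

# uses_default_key [FILE] -> 0 if an "option key" line still holds the default
uses_default_key() {
    grep -Eq "^[[:space:]]*option[[:space:]]+key[[:space:]]+['\"]?${DEFAULT_KEY}['\"]?[[:space:]]*$" \
        "${1:-$WIRELESS_CFG}"
}

# valid_psk KEY -> 0 if KEY is 8..63 printable ASCII chars and not the default
valid_psk() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ] || return 1
    # Anything left after deleting printable ASCII is not allowed
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')" ] || return 1
    [ "$1" != "$DEFAULT_KEY" ]
}

# set_wifi_key KEY -> write KEY to every wifi-iface section, then reload Wi-Fi
set_wifi_key() {
    valid_psk "$1" || { echo "rejecting key" >&2; return 1; }
    i=0
    while uci -q get "wireless.@wifi-iface[$i]" >/dev/null; do
        uci set "wireless.@wifi-iface[$i].encryption=psk2"
        uci set "wireless.@wifi-iface[$i].key=$1"
        i=$((i + 1))
    done
    uci commit wireless && wifi
}
```

On the dongle, run `uses_default_key && set_wifi_key 'your new passphrase'` over SSH; the Wi-Fi link drops while the radio reloads.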

Wierd_w

But of course :-D
Man I love your dedication, russian hardware hacking sites are not your average Joe's source of info :)
If you end up finding the login, I'd be sooo grateful

I compared your image to the one found on the openwrt page for the a5-v11 hardware. Their teardown pics show that there should be a serial interface that is covered up by the green lacquer on the other side of the PCB. Here is a hotlink to the image in question:

img_7112.jpg


You would need to scrape off the lacquer on the TX and RX pads, and scrape off a portion on the ground plane, then prime the surfaces with a small dollop of solder, then attach some jumper wires.

Could you verify that those pads exist on your hardware?
 
  • Like
Reactions: DayVeeBoi

lufeig

so i bought a battery powered clone of this router

the stock firmware wouldn't allow telnet login. i updated the firmware using the manufacturer provided file. still no telnet login.

both versions wouldn't allow to flash the openwrt firmware using the webpage upload.

so i found another firmware that allowed telnet login, but then i found it wouldn't recognize usb storage and, again, wouldn't accept the openwrt file using the webpage upload method.

finally i found another firmware that would be my final solution. the router accepted it, considered it valid, then... brick.

my only hope is to flash it using the serial/uart method.

i found ground and vcc (3.3v) points on the pcb.

could someone please point me tx and rx points? my pcb is a little different from the ones i found online.
 

Attachments

  • 20180707_022434[1].jpg
    20180707_022434[1].jpg
    1.2 MB · Views: 378
  • 20180707_022546[1].jpg
    20180707_022546[1].jpg
    897 KB · Views: 347

bajul

Thank you for your file. I successfully booted ReSwitch, but how do I change to SX OS?
 

Nemean

Any idea how to change the firmware from the wifi and sxos one to this? I have that installed but now can't access anything. There is no router page that I can find and I'm not sure what to do with the IP address thing. It loads SXOS fine but I can't figure out what to do next. Just thinking, if they update the payload file in the future I'm stuck.
 

FGFlann

If you flashed the bootloader as the guide tells you to, you can update firmware by putting firmware.bin on a FAT/32 formatted flash drive and inserting it into the powered off dongle, then holding reset as you turn the dongle on.

If you didn't flash the bootloader you will have to go through the process of upgrading through SSH. I've never done this myself however, so I have no advice to offer for that method.
 

Nemean

Switch the language to English from the drop down menu. It redirects to a wrong IP address, so type the correct one again in the URL field of the browser. Using the Administrator → Firmware menu, flash openwrt-15.05-ramips-rt305x-a5-v11-squashfs-factory.bin.

That is the part of the guide I used. Have I done this wrong? Obviously I replaced openwrt with the sxos and wifi version.

As I say, it works fine for booting SXOS, but I just wanted to be able to change the payload in the future, so either manually change the payload, or it would be fantastic if I could use your method to do this.
 

FGFlann

This part of the guide would have been the ideal route:

https://wiki.openwrt.org/toh/unbranded/a5-v11#english_qualcomm_factory_firmware

The specific step is:
Code:
mtd_write write /mnt/uboot_usb_256_03.img Bootloader

Unfortunately I have no idea how to proceed from your position.

What I can suggest is a method for updating payloads.

You can upload the payload.bin you want to any website that allows direct linking, or use your own FTP/HTTP server if you prefer.

Let's say hypothetically the link to that payload is now "http://nemean.com/payload.bin"

Connect to your device, either by Ethernet or Wi-Fi, with your SSH client of choice, navigate to the payload directory with "cd /usr/share/fusee-nano"

Then type "rm payload.bin; wget http://nemean.com/payload.bin"

Where the hypothetical URL is your real URL.

This will update to your desired payload.
 
  • Like
Reactions: Nemean
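
The wget step above fetches over plain HTTP and deletes the old payload first, and the hotplug script earlier in the thread copies any payload.bin it finds on a drive. As an added example (not part of the posts or of the fusee-a5 repository), this script only swaps a new payload in after its SHA-256 digest matches one you obtained separately; the function names and staging path are hypothetical, and the payload directory is the one used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify a new payload before it replaces
# the one fusee-nano sends. Function names are hypothetical.
PAYLOAD_DIR="${PAYLOAD_DIR:-/usr/share/fusee-nano}"

# sha256_of FILE -> prints the lowercase hex digest
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified FILE EXPECTED_SHA256
# Installs FILE as payload.bin only if the digest matches.
# Returns 0 on success, 1 on mismatch, 2 on bad arguments.
install_verified() {
    src="$1"; want="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 2; }
    # Accept only exactly 64 hex characters as the expected digest
    case "$want" in
        *[!0-9a-fA-F]*|"") echo "bad digest" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "bad digest length" >&2; return 2; }
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    got=$(sha256_of "$src") || return 2
    if [ "$got" != "$want" ]; then
        echo "digest mismatch: got $got" >&2
        return 1
    fi
    # Copy next to the target, then rename: the old payload stays in place
    # until the new one is fully written.
    tmp="$PAYLOAD_DIR/payload.bin.new"
    cp -f "$src" "$tmp" && mv -f "$tmp" "$PAYLOAD_DIR/payload.bin"
}

# fetch_and_install URL EXPECTED_SHA256
# Downloads to /tmp first instead of deleting the current payload.
fetch_and_install() {
    stage="/tmp/payload.bin.$$"
    wget -q -O "$stage" "$1" || { rm -f "$stage"; return 3; }
    install_verified "$stage" "$2"; rc=$?
    rm -f "$stage"
    return $rc
}
```

The same `install_verified` call can replace the bare `cp -f` in the hotplug script if the expected digest is stored on the dongle rather than read from the inserted drive.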

Nemean

Perfect, thank you, that sounds great. However, I am a bit of a noob with this. How do I connect to the device using SSH?
 
  • Like
Reactions: DayVeeBoi
