Hacking COMPLETED Fusee-LEDE Dongle (6$ payload injector)

[Joshtech]

I did a similar thing. But for some reason, my frist device broke when I soldered the USB OTG adapter in place (maybe I soldered too hot?) so on my second try I just put a small dab of hot glue on the side without the contacts. Works just fine

If it works, it works XD haha. I've made 3 so far and the only issue I had was on the last one it came with a different firm that had a stripped down version of busybox. I just flashed OpenWRT to it then followed the normal procedure

 

[shawly]

I've been trying to get the GL-MT300N-V2 from GL.iNet to work, the problem is the sources from https://github.com/gl-inet/imagebuilder-lede-ramips require the ipk's to be precompiled.

So I've built a fusee-nano ipk with the LEDE 17.01 sources from here https://github.com/gl-inet/lede-17.01 which worked, I manually extracted the ipk to my MT300N, but when I connect my switch I get USB errors (device descriptor read/64 error, but I can't remember the error code right now, I think it was -62) and fusee-nano can't find the switch, but my compiled ramips ipk atleast seems to work.

I haven't recompiled the firmware with the EHCI patch from fusee-lede, because the firmware (https://github.com/gl-inet/imagebuilder-lede-ramips) won't fully compile and I couldn't figure out why.
Question is, is this EHCI patch specifically for A5-V11 devices or would the patch fix the issue I described above? Can anyone explain to me what this patch does?
Also, is anyone able to compile the imagebuilder, I linked above, successfully?

 

[cracker]

I would rather have a less messier solution. If try the update method and it fails, will it brick the router beyond repair? Because if that's not the case then I'm willing to try an easier way before getting messy.

For most of these devices, you have to install the bootloader for the firmware to work. There is a risk of bricking, but it is no higher than using telnet. Using TTL is a workaround for not being able to telnet into the router. The pads to solder to are pretty big and easy to put wire on. Even if you attach the wires in the wrong order, it won't harm it.

 

[KsAmJ]

This thing is the best cheap option to inject any payload as all other diy lile trinket m0 and Gemma is double the price to get up and running.

 

[charlieb]

This part of the guide would have been the ideal route:

https://wiki.openwrt.org/toh/unbranded/a5-v11#english_qualcomm_factory_firmware

The specific step is:

mtd_write write /mnt/uboot_usb_256_03.img Bootloader

Unfortunately I have no idea how to proceed from your position.

What I can suggest is a method for updating payloads.

You can upload the payload.bin you want to any website that allows direct linking, or use your own FTP/HTTP server if you prefer.

Let's say hypothetically the link to that payload is now "http://nemean.com/payload.bin"

Connect to your device, either by Ethernet or Wi-Fi, with your SSH client of choice, navigate to the payload directory with "cd /usr/share/fusee-nano"

Then type "rm payload.bin; wget http://nemean.com/payload.bin"

Where the hypothetical URL is your real URL.

This will update to your desired payload.

I tried this with ReiNX and it bricked the device

Thankfully I've flashed the bootloader so a recovery was trival. There is ample space free on the device when copying the file over. Have you had any luck copying over another payload?. Did you delete the intermezzo.bin or leave it?

 

[FGFlann]

I tried this with ReiNX and it bricked the device

Thankfully I've flashed the bootloader so a recovery was trival. There is ample space free on the device when copying the file over. Have you had any luck copying over another payload?. Did you delete the intermezzo.bin or leave it?

Switching payloads is easy and works fine, never had anyone report a problem with payload switching. intermezzo.bin should stay where it is.

 

[charlieb]

Switching payloads is easy and works fine, never had anyone report a problem with payload switching. intermezzo.bin should stay where it is.

i wget'd it perhaps something went wrong, I'll try copying it over via USB disk rather than wget. see if it helps, but thanks for confirmation it should work. Fusee works fine and i have the exact same h/w as you based on your pics


edit:

Copy the file ReiNX.bin over using a usb stick and rename it to payload.bin works fine.

 

[Gemah]

For most of these devices, you have to install the bootloader for the firmware to work. There is a risk of bricking, but it is no higher than using telnet. Using TTL is a workaround for not being able to telnet into the router. The pads to solder to are pretty big and easy to put wire on. Even if you attach the wires in the wrong order, it won't harm it.

Well then, good news are that I managed to disassemble the thing without damaging the casing. It's quite sturdy.
Bad news is that I'm not really confident in my soldering skills and I have no idea where to start.
Just in case, here are some photos. Now I'm pretty sure it's a Ralink based chip, but I'm not sure if it's an a5-v11,

 

[Wierd_w]

Well then, good news are that I managed to disassemble the thing without damaging the casing. It's quite sturdy.
Bad news is that I'm not really confident in my soldering skills and I have no idea where to start.
Just in case, here are some photos. Now I'm pretty sure it's a Ralink based chip, but I'm not sure if it's an a5-v11,

This one looks like the variant without serial debug breakouts.

 

[Gemah]

This one looks like the variant without serial debug breakouts.

If that's the case, what are my alternatives?

EDIT: I found out the same vendor I bought from also sold a rebranded TP-Link router with a specific header. Maybe I could compile a firmware update with the same header and try the update method?

EDIT2: Nevermind, updating is useless without uboot, am I out of alternatives then?

 

[0x64]

FYI this worked for me: https://www.ebay.ca/itm/282908565417

Look better than the no name usb stick IMO. Has multi-color LEDs and I managed to get them to work indicating boot status, rcm switch plugged in and payload injection status. Quite cool IMO. It also has a 5000mah(18.5Whr) battery that can be used as a powerbank.

Downside is 2 plastic feet on case is injected on top of 2 inaccessible screw holes so the case has to be pried open by force. So may leave a bit of cosmetic damage if you open the case. I also had to soldier on ttl serial pins and use a usb to serial cable to flash the uboot, and then lede 17.01.

 

[Wierd_w]

FYI this worked for me: https://www.ebay.ca/itm/282908565417

Look better than the no name usb stick IMO. Has multi-color LEDs and I managed to get them to work indicating boot status, rcm switch plugged in and payload injection status. Quite cool IMO. It also has a 5000mah(18.5Whr) battery that can be used as a powerbank.

Downside is 2 plastic feet on case is injected on top of 2 inaccessible screw holes so the case has to be pried open by force. So may leave a bit of cosmetic damage if you open the case. I also had to soldier on ttl serial pins and use a usb to serial cable to flash the uboot, and then lede 17.01.

That's a curious thing. It has two usb2.0 ports? Is the one marked "USB-OUT" special in some way?

This could be a rather interesting thing for a number of applications. (low-profile usb thumbdrive on one port, injector cable on the other-- and hosting a local media collection for other portable devices, or possibly running bittorrent (via transmission web interface) in public places, etc.)

Price is a bit high.. but meh.

I am quite happy with my A5-V11 though. I got lucky, and got one that is fairly easy to flash.

 

[0x64]

That's a curious thing. It has two usb2.0 ports? Is the one marked "USB-OUT" special in some way?

I assumed it was for charging as powerbank, didn't think too much about it and always used the usb-3g. However I do recall seeing usb1 and usb2 in /sys/bus/usb/devices


Yeah I also think this could potentially have othe useful applications. For one you could plug in a usb HDD and have it host the files on a simple web page. You can have your iphone connect to its wifi and have access the HDD on the go.

 

[Gemah]

I was able to update the firmware of my a5-v11 with a new version from the vendor, and unsurprisingly it's a chinese/english firmware that's not Qualcomm's.
But it's a img file that I'm able to open and navigate through with 7zip. What are the chances I can inject the bootloader on it or something?

 

[0x64]

I was able to update the firmware of my a5-v11 with a new version from the vendor, and unsurprisingly it's a chinese/english firmware that's not Qualcomm's.
But it's a img file that I'm able to open and navigate through with 7zip. What are the chances I can inject the bootloader on it or something?

If you have TTL pads on the board you can just solder pins on there and use a usb to serial cable to get to uboot. If not then you are SOL. Not all models can be flashed via telnet.

 

[Gemah]

If you have TTL pads on the board you can just solder pins on there and use a usb to serial cable to get to uboot. If not then you are SOL. Not all models can be flashed via telnet.

Well geez, so either give up or brick trying. whatever works I guess.

 

[Ank97]

Hello, I copied the steps from the first post and manged to boot into fusse. However I want to use sx os. IT mentions to force the ip adress which I have done but I can't connect. I have the same router as op.

 

[KsAmJ]

Can anyone provide a way of installing a battery to a5-v11 stick with no battery option ?

Rather than using a bully power bank. Something like the CR battery

 

[tonyo29]

after i flashed or unlock the kernel the router light is red and cannot detect by the bu putty of winscp pls help

 

[KsAmJ]

after i flashed or unlock the kernel the router light is red and cannot detect by the bu putty of winscp pls help

Flashing red means success
Go to page 19 of this thread and follow what mentioned to me. as I got the same result you have and managed by the help of the members to get it to work flawlessly

 

[annson24]

-snip-

nvm