04 January, 2015

Custom firware on the MPR-L8 cheap Wireless Router


This post is about experiences with hacking into the MPR-L8 and my attempts to install modified firmware to the router. At the end of the post there will be links to the simply uploadable OpenWrt firmware along with the original firmware to be able to restore the router.




EDIT: This is a relatively old post, the process of hacking the router is well described here, but the provided images are not working very well. If you are planning to upload some special firmware I have written a newer post, which is exactly about that.

!!!WARNING!!! Do all of this at your own risk, there are high chances that you brick your router, do not blame me afterwards. Please read the comments before you continue.

The MPR-L8 is a cheap WiFi 3G mini router, with own built in battery, and the main purpose is to share the mobile internet from an USB 3G/4G modem. If you look it from a different angle it is a very cheap and nice mini computer with wired Ethernet, WiFi, USB and serial connection. If you can customize it's firmware you can do very nice things with it, like bandwidth controlling, remote access to industrial applications, or with an USB sound card a DLNA endpoint to convert your analogue HiFi to a smartphone controlled speaker system.

There are several HW and SW versions of the router, mine came with 4M ROM and 32M RAM. The original firmware (version 2.1.3.6) is a rather powerful, with very good functionality (3G USB modem handling, USB NAS functionality, advanced WAN, LAN and WiFi functionality, web interface), on the other side OpenWrt versions fitting into 4M ROM usually come without any WEB interface and with a very limited functionality. However the original firmware is very buggy, for example mine is not always able to handle the USB modems.


The goal was to keep the original firmware and make it extendable/modifiable, not just replace it with OpenWrt.

Most of the information I used during this process can be found on the OpenWrt forum under the HAME MPR-A1 topic. Actually the people on that forum built in full support for this router into OpenWrt, but somehow I felt that it is not fully documented everything what they did.

Hacking step 1 - Port scanning

Scanning with nmap gives the following open ports:
23/tcp open  telnet
53/tcp open  domain
80/tcp open  http

Telnet is interesting so let's telnet into the router.


Promising, but after looking around it has nothing really useful. It has no root command line possibility to let's try to make it, by accessing files.

Hacking step 2 - Accessing the file system trough Samba

The router is able to share the content of an USB flash or USB disk, we can misuse this and force it to share the full internal Linux file system. To do this on the Server/Permission setup page of the router enable sharing and add an account with the "Operation Directory" set to "/". It is important that an USB storage device has to be plugged in in order to start the sharing functionality.





Browsing the file system is interesting, however it is not possible to overwrite anything :-( and at least I did not found any weak point where I could hack into the system.

On the other side if not used for hacking it is possible to connect an USB hub to the router and then you can connect a 3G USB modem and a USB hard disk at the same time, and get internet access and file sharing parallel!

Hacking step 3 - Connecting to the serial port

After failing with the soft method the next step is to solder a serial connector to the router, and get into the boot loader to dump the contents of the ROM.

The position of the serial connectors are listed in this post. I have used a TTL serial to USB cable, the only specialty that I had to insert a 1K resistor between the adapters TXD line and the modems RX line to function properly.

Here again I had no luck, as the uBoot boot loader, which is a standard open source program, was modified in order not to dump the content of the ROM. Instead of the hexadecimal values it just displays BAAD - which is in some sense clever.

Hacking step 4 - Compliling an OpenWrt image

Dumping the ROM content was not possible, but it was possible to boot a different image from a TFTP server. The idea was to build an OpenWrt image which is loaded from a TFTP server and is running entirely in the RAM. With this image running it will be possible to save the contents of the ROM.

To do this I have set up a new Linux virtual machine with Ubuntu server 14.04, then following the instructions of the OpenWrt site installed a complete build environment and built the image. The important setting is that it should be in initramfs format. This device is a ramips/rt305x/mpr-a1 type device.

I was lucky, I could compile the image without mayor problems and even I could boot it up from the TFTP server.

After doing this I have used the dd Linux command to copy the mtd partitions and transferred them using scp to the OpenWrt development Linux virtual machine.

Structure of the original firmware

Binwalk is the tool to analyze and take out parts of binary firmware. I compiled a version of binwalk to the development machine and looked into the just obtained mtd partition.

1) uImage

The main container is an uImage header. This is a 64 byte header for the boot loader. Binwalk can extract the contents and mkimage -A mips -O linux -T kernel -C lzma -a 0x80000000 -e 0x80307000 -n "Linux Kernel Image" -d kernel_image_filename uImage_filename creates it back.

2) Decompress kernel image

The kernel image is stored lzma compressed, so first we need to decompress (or can let binwalk do it for us):

unlzma bzImage.lzma

To compress the lzma tool from the OpenWrt package is needed (standard lzma utilities produce archives that do not boot with the uBoot boot loader):

~/openwrt/staging_dir/host/bin/lzma e bzImage.cpio bzImage.lzma

3) Kernel image + initramfs

After extracting the kernel image it is actually a kernel image and an initramfs copied together. Again binwalk is doing a good job to extract the initramfs. To get the kernel itself, copy the beginning of the kernel image file, till the position of the beginning of initramfs, which is displayed by binwalk.

4) Initramfs

The initramfs is an lzma compressed cpio archive. For decompressing the lzma:

unlzma 32A000.lzma

To compress it back, the lzma tool from the OpenWrt package is needed:

~/openwrt/staging_dir/host/bin/lzma e initramfs.cpio initramfs.lzma

5) File system cpio

To extract the root file system from the cpio:

cpio -i --no-absolute-filenames < ../initramfs.cpio

To extract all files you need to use sudo and be very careful, because it can easily overwrite your main filesystem on the development machine. (Better to run first without sudo, to check if it is extracting to the right place and only the use it with sudo, when everything is ok.)

To archive back a subdirectory tree, the following command is needed:

sudo -s ; find . | cpio -H newc -o > initramfs.cpio

So the total process is as follows:

uImage -> bzImage.lzma->bzImage->kernel+initramfs.cpio.lzma->initramfs.cpio->initramfs

6) Patching initramfs size

Unfortunately the size of the initramfs is hard-coded into the kernel image. In order to change the initramfs the kernel has also to be patched. The calculation of the initramfs size is done by the following MIPS assembler code:

 30dde0 3c 04 80 33 lui a0,8033
 30dde4 3c 05 80 5c lui a1,805c
 30dde8 24 84 a0 00 addui a0,a0,a000
 30ddec 24 a5 fb b3 addui a1,a1,fbb3

In hex dump this looks like this:

30dde0: 33 80 04 3c 5c 80 05 3c 20 a0 84 24 b3 fb a5 24 

So after creating the new initramfs image, concatenating it to the original kernel image, you have to check the new size of the concatenated file and write it in to the bytes marked with red. If the most valuable bit in the lower 16 bits (word) of the address is 1 then you should add one to the higher word of the address. In the original image the end of the initrd was 5B fb b3.

Hacking step 4 - Looking into the WEB interface

The best way to customize the system would be to change the WEB scripts, however the router side processing of the asp files is compiled in to the http daemon httpd. this means, that only minor modifications can be done. What is interesting yet, that there is an apply.cgi which can be used to write any nvram parameter to the router and the updateNvram.cgi can be used to read any nvram parameter from the router. With some patience an "expert" web page can be created, where all the nvram parameters can be made available for the user.

I gave up this direction, it may be a next step to optimize the web interface.

Hacking step 5 - Adding root command line

After looking around it became obvious the there is no command line shell in the system, that's why even with telnet nothing useful could be done.

To add a command line I decided to compile the dash shell from source and add it to the image.

For the compilation I used the Ralink SDK 3.6.0.0 which can be found on the net under the name Ralink_ApSoC_SDK_3600_20110715.tar.bz2.

After decompressing an extra link had to be added to make it work:

/home/winfred/RT288x_SDK/toolchain/buildroot-gdb -> /home/laco/ralink/RT288x_SDK/toolchain/buildroot-gcc342-laco/

Probably it would had also helped if I create a winfred account on the Linux machine and extract the SDK there.

To compile dash to the mips target architecture, the compiling command in the dash makefile has to be changed to mipsel-linux-gcc and make this new compiler available in the path when compiling dash.

After successfully compiling and testing dash, I added it to the root filesystem, by replacing the link which pointed /bin/sh to busybox and created the image doing the extraction steps in the opposite order:

rootfilesystem->initramfs.cpio->initramfs.lzma->bzImage->patch initramfs length->bzImage.lzma->uImage

Making the images loadable with the original web interface

The guys at OpenWrt did a good job, because they also created a program to convert an uImage to a web interface loadable bin file. With the following command you can convert an existing mtd image to an uploadable image:

~/openwrt/build_dir/host/firmware-utils/bin/mkporayfw -B MPR-L8 -f sourceImage -o destnationImage

Ready uploadable images for download

Original 2.1.3.6 firmware

Modified 2.1.3.6 with command line shell on telnet

OpenWrt with SqashFS

Original 2.1.3.6 firmware in RAW (uImage) format to restore with openwrt


Restoring the original firmware from OpenWrt

  1. Connect to the router using a telnet client (e.g. Putty). The default address is 192.168.1.1. You have to setup your computer to be on the same network e.g. 192.168.1.2.
  2. Copy the firmware from the development machine to the router. On the router issue the following command: scp user@192.168.1.65:/home/user/mtd3 /tmp "user" is the user name on the development machine, the first path is the path to the image on the development machine, the second is the path on the router.
  3. Copy the firmware to the ROM, issue the following command: dd if=/tmp/mtd3 of=/dev/mtdblock3
  4. Restart the router: reboot

37 comments:

Bahaa Elsayed said...

Thanks for your effort.

What's the openwrt password ?

Lacó said...

The initial OpenWrt image do not need any password.

You can telnet to 192.168.1.1 and you get logged in without any password. Later you can set up a passord if you need it.

This OpenWrt immage do not have a web interface, so you have to do the configuration on the command line.

In addition after writing this article I have been testing the included Openwrt image, and the usb support is not working, so you may be better off by using one of the standard MPR-A1 images.

Bahaa Salama said...

I tried OpenWRT but this not what I was looking for.

When I restored the original firmware as you described, The device didn't boot again.

How could I restore the device ?

Anonymous said...

Hi!
Thanks for your job!

Can I upload your "modifid_2.1.3.6.bin" directly to the MPL-L8 with original 2.1.3.6 ?

Or have I to do all manipulations from step 1 to step 5 to do it?

- Sincerely, Alexander

Lacó said...

Hi Alexander!

In theory you can upload it and it should work. However at the moment it doesn't bring real benefit and there is some risk of bricking your device.

(Others already did it [the bricking].)

Vijyes Yechuri said...

I just bricked my wifi router as I ran out of patience after 5-10 minutes of upgrading and decided to switch it off. This was a new router- not even 1 day old. I just wanted to share my android internet which was not possible with my 2.1.2 interface and hence decided to upgrade. Is there any way I can correct it now?

Lacó said...

Hi Vijyes!

If you have enough time, you have good chances that you can restore it.

The easiest way to do it, is to use a HAME tool for upgrade, from this page:

https://github.com/JiapengLi/OpenWrt-RT5350 Look for section "Possible way to flash MPR-A1 (without using serial)" but instead of the OpenWrt.bin file try the "Original 2.1.3.6" from this post. If it is not working, ty to find other firmware on the net and install it the same way. But whatever is happening DO NOT upgrade the boot loader, because that will most probably finally brick your device.

Anonymous said...

Hi Laco
I have Mpr l8 with 2.1.2.1
It show same cpu as you have shown in screen capture but memory is only 16 mb.
Can I upload original 2.1.3.6 in it
Cpu usage 72%
Memory 94%
Thanks for helping

Aashish

Lacó said...

Hi Aashish!

I think that it is not possible to use this firmware on a 16 mb modell.

Without having a backup of your original firmware it is very risky to upload this one, because even the bootloader will work after the update, if you don't have a working fw binary, you can not recover.

To do the backup, you need to follow the route described in this post, with serial connection, loading the openwrt image to RAM and then saving the mtd partitions.

BR Lacó

Anonymous said...

Hi Laco!

Thanks for replying!

LOL on me, I have already screwed my router. No Backup for old firmware :(
I was totally impatient that day to try out the firmware and had intution that it will brick the router.
Anyways I was OK to test it.
Checking if any procedure to restore it back

Anonymous said...

Its now just has RED LED ON, cant access with Telnet


On the other note, appreciate your work helping people!

Lacó said...

It seems that this is a good post, till now everybody following it has bricked his router :-(

One way to try to bring it back, if you push the reset button while booting, it should enter into tftp booting mode. In this mode it will assign ip address 192.168.1.2 to the router and will try to load a new firmware from the tftp server at 192.168.1.55.

The name for the file, which it is looking is the mac address shown on the label on the router, e.g mine is trying to load 00200c078f54.

Probaly the best way to try to fix it, download a firmware for HAME MPR-A2 and setup the tftp server on ip 192.168.1.55, rename the firmware to your MAC address and then try to do the forced boot.

I hope this will help.

Anonymous said...

Thanks for help!
So I should copy the firmware file to tftp 192.168.1.55 after renaming it to mac address. I will use a tftp client software.And then reboot the router againin tftp mode. And it should load the firmware.
Please let me know if I am missing anything.

Unknown said...

HI Laco

Hope you are doing good!

I booted the router in tftp mode
In Wireshark, I could see ip addresss, 192.168.1.2 and 192.168.1.55

I assigned my laptop 192.168.1.5, Gateway 192.168.1.2
LAN adapter shows connected to Network 10

However I could not ping both the ip addresses 192.168.1.2 and 192.168.1.55
I am using sourceforge Windows TFP
client
When I put or get the firmware file (after renaming in to .bin, it says timeout.

Telnet also does not work on both IP

And do I have to use port 69 for TFTP

Thanks for your help!

Lacó said...

Hi!

I think that you don't need to assign the gateway to 192.168.1.2, it may be better to assign it 192.168.1.1 or leave it empty. However according to my knowledge this should not be a problem.

In this mode there is no telnet available, so it is normal that it is not answering.

With Wireshark you could check, that what file the router is trying to get with tftp.

Instead of tftp client you should use a tftp server, because in this case the router is behaving like a client and is trying to get a file from the server.

I haven't tried, but this looks good: http://tftpd32.jounin.net/

Jimmy Tobia said...

Hi Laco,
I think I've bricked my device too and now it turns on with the red light. I used to log in the admin by the ip of 192.168.10.1 now I don't know the ip, can't connect . I've tried ipconfig it doesn't show any gateway ip but I used netcut to know it showed 127.0.0.1 and when I ping it, it responds. the issue is I don know what ftp client or software I may use and how to config the ports and if there is login user or password should I use. Please guide me step by step as I'm not experienced in such thing .
All I have done that I tried to upload one of your upgrade bin instead of my original one ( 中性英文V2.1.2.1.bin ) and that's what I got.
Thanks in advance

Lacó said...

Hi Jimmy!

I am sorry for that, but so far you have done only this, there are still chances that you can recover your router. However it is very difficult to provide step by step instructions, because this is a bit complicated when your router starts to die.

The 127.0.0.1 is a loop-back interface, it is internally in the computer it will not help.

I suppose that you are using a Windows machine. The first question is that which firmware have you uploade from my blog: OpenWrt or Modified 2.1.36. If openwrt, then it is normal that you don't get an assigned ip address, then you should set your Windows PC to the fixed address of 192.168.1.10 and try to login to 192.168.1.1.

If you see anything, then you are in luck, you managed to install openwrt.

If it was 2.1.3.6, the this is not compatible with your HW. Then you should try a TFTP recovery. For it you should follow the steps I described some comments above this.

What is important, that do not update/refresh the boot loader, because that will brick your router probably forever.

Jimmy Tobia said...

Hi again,
I know I'm probably causing a headache to you, but I've managed to tftp the original ver (中性英文V2.1.2.1.bin )) after renaming it to mac rebooted it nothing happened, pressed the reset button also nothing happened, Am I missing something here or the boot loader is damaged?
Thanks for your time and help.
ps. I monitored the process via wire shark

Lacó said...

Hi Jimmy!

If you managed to tftp it, that is a good sign, if the whole file was accepted, that is a good signal, then the boot loader is still working.

The problem is probably that the bin fimware is somehow encoded for the web upload and it has to be decoded for tftp upload. In the openwrt forum there are some more details and there is also a program to encode it (unfortunately not for decoding). Unfortunately now I have no time to deal with this, but you may try to figure it out.

You can also try to upload the RAW image from my blog, as far as I remember that is in the format needed for upload.

Or you can also try to download an openwrt uImage image and try to load that one, because if you have openwrt running at least you can run commands and have some hope to recover.

Lacó said...
This comment has been removed by the author.
Lacó said...

Hi Jimmy!

If you are still around there.

I have now tested the tftp flashing and it is not working the way I suggested. You should use the onekeyRouterUpgrade program from here JiapengLi . You can try first to upload the image, which is included there or you can try the last image from my post. onekeyRouterUpgrade needs an uImage format image to work. You can also try the openwrt image from here http://downloads.openwrt.org/barrier_breaker/14.07/ramips/rt305x/openwrt-ramips-rt305x-mpr-a1-squashfs-sysupgrade.bin it has a nice web interface and I just managed to get it work with my 4G USB dongle.
The reason why the simple tftp flashing is not working is that when you start the router in this recovery mode there is needed a header to the flash image which tells the router, that what to do with the image.

Be very carefull, not to flash the boot loader, that my really brick your device.

Jimmy Tobia said...

Hi Laco,
As I mentioned the firmware you mentioned was too heavy I tried one of these the same way you explained( http://www.hamedata.com/html/server/download.html)(http://www.hamedata.com/uploadfiles/download/201209070451555781.rar) but unfortunately it's in Chinese language , much lighter but don know how to turn it into English, could use some tips if you can.
Thanks in advance

Lacó said...

Hi Jimmy!

Try this:

http://www.3ptechies.com/hame-3g-wi-fi-modem-review-manual-settings-english.html

If it is not helping, I have found some other suggestions with google, you may try them out.

I just did some more experiments with openwrt (not the version which I have complied but the standard one), and it is very powerful, as soon as I will have a little time, I will publish new posts on it.

BR

Lacó

Eduardo Garcia said...

I have a device based on the exact same chip (Ralink RT5350F), but this is a Wireless HDD portable device (with internal battery) that i've bought on AliExpress recently. This has a RJ45 port, USB 3.0 port to connect to computer (and access files on hard disk) and a USB Output (for 3G modem and memory stick).

This is a good device and fulfills the basic functions very well: mirroring wireless internet connection to access files wirelessly and access internet, sharing files via FTP and SMB and a (limited) Telnet service.

Now i want to explore and see what could get more in terms of potential, perhaps OpenWRT, or even modifying the current firmware present on the device, replacing current dropbox binary with a more robust and adding a dropbear too.

Talking about backdoors: Telnet! But this give me a quite limited terminal, with about 10 commands (to check the status of router functions and reset configuration). It is a very limited shell.

Looking deep inside and researching a little more, I found the possibility of access it via UART, and when i was disassembled the device, i've found 4 free endpoints welding.

With multimeter and patience, I managed to find all three necessary pins and get everything prepared for connect the unit correctly:

- Access to UART (properly with the pins GND, TX, RX)
- USBtoUART device (Model CP210x)
- Installation and configuration of drivers and correct terminal app (CoolTerm) (8N1, Bauld rate 57600)


I got the access to interface. I can read the logs and interact in the terminal, but the case is that the UART shell is exactly the same as TELNET (about 10 commands, and none of them allows me to customizations).

###

To "gain" free access, i had to improvise:

Merging FTP and SMB access, i've managed to replace the original router binary busybox for a version I've found on the net, and now when i try to login to the telnet, i got an truly shell access, again restricted, but with a little more possibilities.

What I have on the device:

# Free
       total used free shared buffers
  Mem: 29204 26184 3020 0 204
 Swap: 0 0 0
Total: 29204 26184 3020

# Cat / proc / mtd
dev: size erasesize name
mtd0: 00030000 00010000 "Bootloader"
mtd1: 00010000 00010000 "Config"
mtd2: 00010000 00010000 "Factory"
mtd3: 003b0000 00010000 "Kernel"
mtd4: 003b0000 00010000 "Romfs"
mtd5: 003b0000 00010000 "Firmware"

# Mount
proc on / proc type proc (rw)
ramfs on / var type ramfs (rw)
mdev on / dev type ramfs (rw)
sysfs on / sys sysfs type (rw)
usbfs on / proc / bus / usb type usbfs (rw)
/ dev / sda2 on / var / mnt / sda type vfat (rw, sync, uid = 65534, gid = 65534, fmask = 0000 = dmask 0000, codepage = cp950, iocharset = UTF8)


My doubts:

- Could i use a OpenWRT firmware on this device? If so, how? I need a starting point to begin researching and learning.
- The procedure and files available here are for me?
- There is a chance for, if i do some modification or attempt to upload a new firmware and bootloaders, letting me to an dead endpoint (permanently damaging and bricking with no chances to recovery it), even having access to UART port?

I'm totally noob in the firmware thing, but I have few experiences and a little knowledge on electronics and programming, any information to instruct and help me in this matter, will be very welcome!

( i have PCB photos if anyone wants to see the device)

Thank you!

Lacó said...

Hello Eduardo!

That is very interesting.

Before doing anything more I would recomend to save the content of the mtd partitions to the built in storage (even the cp command can do this)and copy it to your PC. This makes sure that if anything bad is happening then you have a possibility to revert to the original firmware.

From the log it seems that mtd3,mtd4 and mtd5 are the same, but better copy them all and compare. On the pc look into the files with some hex editor, to make sure you have really copied something meaningfull.

If you have time, you can check if the trick described here (http://networkingathome.blogspot.hu/2015/08/root-command-line-access-for-mpr-l8-a5.html) works on your device, because that means, that there is no need to change the busybox.

Next I would suggest to check if the "onekeyRouterUpgrade" way of upgrading the router is working, from my other post (onekeyRouterUpgrade). You can try it with the saved mtd3 binary file or an OpenWrt image file. If it works, then you are safe, because then even if you upload a non working firmware, you can revert to your original mtd3 backup.

Just one comment, do not try to upgrade the boot loader, because if you crash the boot loader, then it will be very difficult to get the device back to life.

Can you post the link of the device you have purchased?

Eduardo Garcia said...

Thank you Lacó Very much!

It's hard to find someone with good will to help today...

About the product link:
http://www.aliexpress.com/snapshot/6255200235.html?orderId=63903280977751
The seller (Cindy Ho) was totally helpful before, and after selling me this item, and i recommend her a lot.

About what you're posted, i will study carefully the steps that you're pointed to me. Thank you very much, because i'm really don't knew where to start.

One more doubt:

On last day i've read about a technique to obfuscate firmware contents by changing (maybe XOR method) the content of it, making unreadable (avoiding anyone like me, trying to use binwalk to analyze the firmware) on some similar chinese networking products. Could it be a fact? (i'm studding a lot about this possibility)

and of corse, thank you very much for the info, that will help me a lot!

best regards!
Cheers!

Eduardo Garcia said...

i've posted a link that is present on my purchase history and maybe not work. but this link is the actual product link:

http://pt.aliexpress.com/item/2014-New-Arrival-Wi-Drive-Wireless-Portable-Enclosure-Wifi-Storage-Hard-Disk-Drive-Enclosure-for-Mobile/1902708658.html


Thank you again.

Eduardo Garcia said...

UPDATE!

man, I have no words to thank you!!

The method described on first link "runshellcmd" worked like a charm!
I've tried A LOT of things and various kinds of test on this shell,I really did not think it would be so simple on gaining linux shell
thank you!

Now i'll check for "onekeyRouterUpgrade" and update if i have some success!

Eduardo Garcia said...

Update.

i managed to try copying a OpenWRT uImage that i have downloaded on your post about upgrading router to mtd3, and now i think that i've bricked my device :(

when it's try to boot, boot menu appears, and auto select option 3 (to auto boot from flash) and appears "Bad Header Checksum".

i have made a full backup of all mtd* partitions, now i want to recover it, with TFTP Server initialized and even everything configured, i can't establish TFTP connection! i tried to change default IP addresses from client and server to match same subnet ( client:10.10.10.123 and server 10.10.10.30, and tried 192.168.x on both to with no success ), when i try to ping client (the bricked device) i get no responses but i'm unsure if RT5350 eth config is ready to awnser pings.

So i've managed to install Wireshark to analyze network traffic, when i start monitoring i be able to see ARP requests coming from my device (with file name request) and my server offering connection with requested file, BUT the RT5350 appears to blind! it won't see the TFTP server.

In serial console i could see the arp response successful, but it keep displaying "T T T T " and then "Timed out" .

i managed to try it in same machine with virtualization in Linux, Windows and mac, with no success. tried different network cable with normal and cross over setting, again, no success.

now just left me transfer in Kermit way (via serial). and now i'm stuck on it.

initially i get various transfer errors due to an incorrect settings on my terminal client, but now i could transfer files to it successfully but i can't boot at uploaded address giving me same error "Bad Header Checksum".

Could you help-me to unbrick my device?

Thank you!

Lacó said...

Hi Eduardo!

That is bad :-(

Please send me an email on yubzmaai@boximail.com, so I can contact you on email.

From what you write, I understand that you have copied mtd3 under the busybox shell and now it is not starting. For the TFTP you are trying it in the boot loader menu. I suppose oneKeyUpgrade did not work.

If the boot loader is still working, there are chances to recover it.

With the MPR-L8 I was able to load different firmware using the TFTP method from the boot menu. After entereing I had to enter the file name and the address of the server and client and it worked without problem (I had 192.168.1.x network). If you have not done it, try to connect the router directly to your computer (without a router/switch).

If there is a successfull arp, there should be a trace in Wireshark. I used to use wireshark on Windows, and it used to give good results.

Ususally the boot loader is not fully functional, but you can try to dump the data in mtd3 to see if it has a correct uboot header.

It is strange that after a success full kermit upload it still says Bad Header Checksum, it is like the writing to the flash was not sucessfull.

vaibhav11788 said...

My also shows red led for some time after that no led shows but i can connect to router using static ip.but the thing is no open default ip for configuration

Lacó said...

Hi Vaibhav!

This is a relatively old post, the firmware files are not up to date here, please use them from this post: http://networkingathome.blogspot.hu/2015/08/mpr-l8-hame-mpr-a1-firmware-update-and.html

vaibhav11788 said...

I got ping but not connected via telnet

vaibhav11788 said...

My default gatway ip is blank. I cant open configuration please help

Lacó said...

Look at the other post mentioned in my previous comment and try to upload a different firmware with the onekeyRouterUpgrade. Do not upgrade the bootloader!

MR8X said...

Hello,
I have a cheap MR8X portable wifi.....I have searched all through the internet to find the manufacturers site but to no avail....Kindly help with a custom firmware that can work for this device.
N.B It works with cdma network.
Thanks

Intercel Aus said...

Buy GSM, GPRS, 3G and 4G industrial modems for machine-to-machine and IoT applications
https://www.intercel.com.au