TP-Link Deco: Difference between revisions

https://www.mbreviews.com/tp-link-deco-m9-plus-wifi-mesh-system-review/

Qualcomm IPQ4019 @717 MHz
512 MB of RAM (Nanya NT5CC256M16DP-DI)
4 GB of flash memory (Micron MTFC4GACAAAM-1M)
Qualcomm Atheros QCA8072 switch chip
Qualcomm IPQ4019 chip 2×2:2 for the 2.4GHz radio
IPQ4019 chip for the first 5GHz radio along with RFMD RFPA5542 power amplifier
Qualcomm Atheros QCA9886 5GHz radio
CSR8811 Bluetooth 4.2 SoC (Cambridge Silicon Radio)
Mighty Gecko EFR32 MG1B232GG SoC

https://www.tp-link.com/fi/support/download/deco-m9-plus/

https://blog.keane.space/tp-link-deco-m5-hardware-hacking.html

https://wikidevi.wi-cat.ru/TP-LINK_Deco_M9_Plus_V1

https://forum.openwrt.org/t/ipq4019-adding-support-for-tp-link-deco-m5/85061

Mesh

prplmesh
IEEE 1905.1 mesh

layer 2.5
intel beerocks controller / agent

PrplWRT
OpenWRT
Cisco Linksys WRT
WRT54G used Linux, FSF sued Cisco for copyright infringement
GPLv2 allows the use of opensource software, but only when code changes are shared.
WRT communities, OpenWRT, DD-WRT, Tomato-WRT

ETH0 internal connection, ETH1 and ETH2 for Wireless
Bridged and VLAN

Network ID

D807B664CB90

binwalk m9plus.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
 6164          0x1814          UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
22824431      0x15C45EF       Boot section Start 0x57424257 End 0x42703857

/usr/src/deco/ubifs-root/m9plus.bin/img-876186469_vol-kernel.ubifs
/usr/src/deco/ubifs-root/m9plus.bin/img-876186469_vol-ubi_rootfs.ubifs

opnsense

monowall, pfsense, opnsense, forks

https://docs.opnsense.org/development/architecture.html

https://docs.opnsense.org/development/workflow.html

DCS-932L

https://eu.dlink.com/-/media/Consumer_Products/DCS/DCS%20932L/Manuals/DCS_932L_A1_Manual_v1_00_English.pdf

http://support.dlink.com.au/download/download.aspx?product=dcs-932l

http://files.dlink.com.au/products/DCS-932L/REV_B/Firmware/dcs932lb1_v2.14.04.bin

https://tsublogs.wordpress.com/2019/12/16/emulate-d-link-dcs-932l-camera-using-qemu/

https://www.youtube.com/watch?v=GIU4yJn2-2A

https://www.youtube.com/watch?v=oqk3cU7ekag

https://secure77.de/re-d-link-dc-932l-webcam-building-the-firmware/

MediaTek Ralink RT5350F, MIPS24KEc

uBoot, 57600 8N1, no hardware flow control

https://en.wikipedia.org/wiki/List_of_MIPS_architecture_processors

https://www.mips.com/products/architectures/mips32-2/

dd if=dcs932lb1_v2.14.04.bin count=327680 bs=1 of=uimage

dd if=uimage skip=105424 bs=1 count=1416 of=html

dd if=dcs932lb1_v2.14.04.bin skip=327680 count=327680 bs=1 of=image

binwalk -e dcs932lb1_v2.14.04.bin

binwalk -e 50040

binwalk -e 3AC000 DECIMAL       HEXADECIMAL     DESCRIPTION

DECIMAL       HEXADECIMAL     DESCRIPTION

0             0x0             uImage header, header size: 64 bytes, header CRC: 0x233C7C32, created: 2016-09-09 14:14:13, image size: 111116 bytes, Data Address: 0x80200000, Entry Point: 0x80200000, data CRC: 0xB7373BBA, OS: Linux, CPU: MIPS, image type: Standalone Program, compression type: none, image name: "SPI Flash Image"

91040         0x163A0         U-Boot version string, "U-Boot 1.1.3"

105424        0x19BD0-0x19D2A         HTML document

105780        0x19D34-0x19DF4         HTML document

106140        0x19E9C-0x1A151         HTML document

327680        0x50000         uImage header, header size: 64 bytes, header CRC: 0xAD9CC72B, created: 2016-09-09 14:14:09, image size: 3814485 bytes, Data Address: 0x80000000, Entry Point: 0x8038B000, data CRC: 0xE047CA99, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"

327744        0x50040         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 6476132 bytes

binwalk -e 50040

DECIMAL       HEXADECIMAL     DESCRIPTION

3256396       0x31B04C        Linux kernel version 2.6.21

3257408       0x31B440        CRC32 polynomial table, little endian

3285504       0x322200        SHA256 hash constants, little endian

3291456       0x323940        AES Inverse S-Box

3292224       0x323C40        AES S-Box

3339176       0x32F3A8        Unix path: /usr/gnemul/irix/

3341104       0x32FB30        Unix path: /usr/lib/libc.so.1

3350344       0x331F48        Copyright string: "Copyright (c) 2010 Alpha Networks Inc."

3355188       0x333234        Unix path: /var/run/udhcpc.pid

3437640       0x347448        Unix path: /usr/bin/killall

3447784       0x349BE8        Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat

3447920       0x349C70        Unix path: /etc/Wireless/RT2860/RT2860.dat

3515079       0x35A2C7        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"

3637728       0x3781E0        CRC32 polynomial table, little endian

3641200       0x378F70        AES S-Box

3850240       0x3AC000        LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, uncompressed size: 8464896 bytes

/_dcs932lb1_v2.14.04.bin.extracted/_50040.extracted/_3AC000.extracted$ file cpio-root/bin/busybox

cpio-root/bin/busybox: ELF 32-bit LSB executable, MIPS, MIPS-II version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped

qemu-system-mipsel -cpu 24KEc -m 64M -serial /dev/tty -drive file=3AC000,format=raw,index=0,media=disk

http://192.168.0.20 admin / b....

10.0.0.242 admin / admin

http://10.0.0.32//mjpeg.cgi

Current Firmware Version : 1.10.03 Current Firmware Date : 2015-02-03 Current Agent Version : 2.0.18-b61

Aktuelle Firmware 1.16b04 Aktuelle Firmware 26.10.2016

https://docs.qnap.com/application/qvr-center/qvrcenter1.3-ug-03-en-us.pdf

https://openwrt.org/toh/d-link/dcs-930l