@ca0abinary
Last active January 20, 2025 20:30
jextream fx20 root

Get root on a JeXtreme FX20 (Franklin Wireless)

Specs

Type     Spec                  Notes
CPU      4-core Realtek 8198d  arch: mips (interAptiv, 1, 16, 32r2)
RAM      256 MiB
Storage  128 MiB               MTD layout:

dev:    size      erasesize  name
mtd0:   000c0000  00020000   "boot"
mtd1:   00020000  00020000   "env"
mtd2:   00020000  00020000   "env2"
mtd3:   07c80000  00020000   "ubi_device"
mtd4:   00a89000  0001f000   "ubi_Config"
mtd5:   00a0d000  0001f000   "ubi_k0"
mtd6:   01911000  0001f000   "ubi_r0"
mtd7:   00a0d000  0001f000   "ubi_k1"
mtd8:   01911000  0001f000   "ubi_r1"
mtd9:   0081d000  0001f000   "ubi_framework1"
mtd10:  0081d000  0001f000   "ubi_framework2"
mtd11:  0141a000  0001f000   "ubi_app"

Setup

  1. Open the unit by removing the 6 screws (two are hidden)
  2. Solder wires to the labelled pads near the WAN port
  3. Attach using a serial bridge (115200, 8N1)
  4. Power on and press any key within a few seconds to enter das u-boot

Boot to root shell

Enter the following commands to boot from das u-boot to a root shell:

set root_mtd 31:6
run process0 setmoreargs
setenv bootargs ${bootargs_base} init=/bin/sh ${more_args} ${mtdparts}
bootm ${freeAddr}

Bring up Linux environment in root

Once booted into Linux, watchdog timer errors may be firing. To stop them, source the init script from the current shell; this keeps the root shell and brings the system up normally:

. /etc/init.d/rcS

Getting root without serial

  1. Generate a new root password
    • Run in the shell:
      openssl passwd -1
    • Be sure to copy the resulting password hash
  2. Install the root password using the serial console
    cp /var/passwd /var/passwd.bak
    sed -i 's|root:x|root:$1...|g' /var/passwd
    • Where the $1... is replaced with the result from openssl passwd -1
    • This will overwrite the root password on the writable ramfs filesystem
    • For example, for the password "password" the command would be:

      sed -i 's|root:x|root:$1$D4gmG9Vf$iuilMi2XjHy5elD1zeFHr/|g' /var/passwd

  3. Start dropbear on the device via serial
    dropbear
    • This command starts the dropbear ssh server
  4. Edit your client's ~/.ssh/config file to re-enable the legacy, low-security algorithms for this host only
    Host 192.168.10.1
      KexAlgorithms +diffie-hellman-group1-sha1
      PubkeyAcceptedAlgorithms +ssh-rsa
      HostKeyAlgorithms +ssh-rsa
      Ciphers +3des-cbc
    
    • 192.168.10.1 is the default ip of the router
  5. Connect via SSH using the command ssh root@192.168.10.1

Persist root access

mib set PON_MODE 1
mib commit

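cat <<'EOF' > /var/config/run_customized_sdk.sh
#!/bin/sh
# Set "password" as the root password.
# The quoted 'EOF' above keeps $(...) unexpanded until this script runs; with a
# bare EOF the $1$... hash would be written inside the double quotes below and
# expanded away by the shell at boot.
grep -v '^root:' /etc/passwd > /tmp/passwd
echo "root:$(openssl passwd -1 password):0:0::/tmp:/bin/sh" > /etc/passwd
cat /tmp/passwd >> /etc/passwd

# Start the dropbear SSH server
dropbear
EOF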

chmod +x /var/config/run_customized_sdk.sh 
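
Added example (not from the original gist): md5crypt hashes begin with $1$, so a hash that ends up inside double quotes in a generated script is expanded by the shell when that script runs, and the passwd entry is corrupted; a quoted heredoc delimiter defers $(...) to run time and keeps the hash intact. fake_openssl, root_line and valid_md5crypt are hypothetical helpers, fake_openssl stands in for openssl passwd -1 so the result is deterministic, and everything is written to a temp directory.

```shell
#!/bin/sh
# Sample hash from the gist (for the password "password").
HASH='$1$D4gmG9Vf$iuilMi2XjHy5elD1zeFHr/'

# Hypothetical stand-in for `openssl passwd -1 password` (fixed salt/output).
fake_openssl() { printf '%s\n' "$HASH"; }

# Generate a one-line boot script with an unquoted or quoted heredoc
# delimiter, run it, and print the passwd line it produces.
root_line() {   # $1 = "unquoted" or "quoted"
    dir=$(mktemp -d) || return 1
    if [ "$1" = unquoted ]; then
# $(...) is expanded NOW; the file holds a literal $1$... in double quotes.
cat <<EOF > "$dir/boot.sh"
echo "root:$(fake_openssl):0:0::/tmp:/bin/sh"
EOF
    else
# Nothing is expanded now; $(...) is evaluated when boot.sh runs.
cat <<'EOF' > "$dir/boot.sh"
echo "root:$(fake_openssl):0:0::/tmp:/bin/sh"
EOF
    fi
    # Run as at boot: no positional parameters, unset variables expand empty.
    ( set +u; set --; . "$dir/boot.sh" )
    rm -rf "$dir"
}

# Succeeds only if field 2 of a passwd line has the $1$salt$hash shape.
valid_md5crypt() {   # $1 = passwd line
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '$1$'?*'$'?*) return 0 ;;
        *) return 1 ;;
    esac
}

for mode in unquoted quoted; do
    line=$(root_line "$mode")
    if valid_md5crypt "$line"; then verdict=ok; else verdict=CORRUPT; fi
    printf '%-9s %-8s %s\n' "$mode" "$verdict" "$line"
done
```

Running the same valid_md5crypt check against the real passwd file after the script has run is a quick way to confirm the root entry survived intact.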