I recently got Telstra 5G Home Internet and along with that came an Arcadyan AW1000. I have noticed a few things about the modem and the service so I figured I would list what I have found so far. I would like to unlock some more features but I don't really know what I'm doing. My hope is that maybe people smarter than me may find some cool things to do with this modem.
1) If you can't order the service because Telstra says it's not available at your address, but you know you get fine 5G coverage, you may want to check addresses closer to your phone tower, if you find an eligible address you can then move there. As a side note, the online order form asks if you want a different billing/shipping address to the service address ;)
2) Telstra say the service is geo-locked, for me at least, this doesn't appear to be the case (yet). I was able to drive through multiple towns and have it work like any other 4G/5G service. The speeds I was getting were similar to what my iPhone could get.
3) It's 12v so it can be run from a battery easily. When testing it I have been running it from a USB-C power bank, I made a cable that plugs into the modem and has a USB-C PD spoof IC on the other end, the IC asks the power bank to provide 12v. In general, it uses about 1-2a @ 12v while I was using it for testing, as in not a house full of devices connected to it.
4) Serial console can be added with a little soldering and a 3.3v RS232 adapter. If you hit Esc while booting you get access to its boot menu. If you let it boot normally you get access to the console but it asks for an unknown username/password.
5) It has 2x SMA Female antenna jacks on the back. I have pulled the modem apart and looked at the cellular antennas / SMA jacks. The SMA jacks are connected inline with an internal antenna each, there is no way in software that I can think of for the modem to select between external and internal antennas. The modem has 6 internal cellular antennas. I think 3 are for 5G, 2 are for 4G and one of them I don't know what it does. My testing makes me think that the bottom SMA port is for 4G and the top port is for 5G, both need to be connected for it to work properly.
Video of me opening the modem & showing the antennas: https://youtu.be/zdhK0ypTaOM
6) You are behind CGNAT but get IPv6, the modems Web-UI gives you the option of remotely accessing the Web-UI however the option is greyed out when using cellular. I was able to change my internet to ethernet, turn on the setting, and go back to cellular. I could then remotely access the Web-UI using IPv6.
7) You can backup settings, the backed-up settings are a .cfg file, this is really an archive. I was able to open it with 7-Zip. Inside the archive, there is an unencrypted file that can be opened in a text editor. This may be of some fun to look into.
8) 5G, in general, is super directional a lot of signal strength doesn't mean you're getting the fastest speed available. In a few tests, I found that having the modem (or my iPhone for that matter) in my car, parked out front of the phone tower can get around 300Mbps, moving about 20m down the road away from the tower I found a spot getting over 700mbps. At home, on the window sill, I gained over 100mbps by finding the best way to have the modem face.
UART access, try username root, password $p$root
firmware dump
https://github.com/kylem
Unfortunately, that is not the password.
I have found the password hash in the firmware dump you linked me to...
root:FTB9x8bJkhUL6
I am not sure how to decrypt this but if someone can (if it even can be done) then we should have the root password (assuming I extracted the correct thing) [etc/shadow]
Looking through the firmware (above link) I have found the following pages in the modem, some we normally have access to and others we don't.
http://192.168.0.1/block_int
http://192.1
http://1
http://192.168.0.1
ht
http://192.168.0.1/cli
http://192.168.0.
http:/
http://192.168.0.1/dhcp_
http://192.168.
http://192
h
http://192.168.0.1/Fa
http://192.
h
http://192.168.
http:/
http://192.168.0.1/firewa
http://192.
h
http://192.168.0.1
htt
http://192.
http://192.168.0.
ht
http://192.168.0.1/hi
http:
http://192.168.0.1/home_
http://192.168.0.1
http://192.168.
http://192.16
http://
http://192.168.0.1/ipv6_
http://192
http://192.168.0.1/
http://192.1
http://192.
http://192.168.0.1/lan_dhc
http://1
ht
http://192.168.0.1
http://192
http:/
http://192.168.0.1
http:/
ht
h
http://192
http://192.16
http://19
http://192.168.0.1/owl_de
http://192.168.0
http://19
h
http://192.168.0
http://1
h
http://192.168.0.1
http://19
http://192.168.0.1/routin
http://19
http://192.168.0.1/securit
http://192.168.0
http
http://192.168.0.1/sms_rec
http://192.168.0.
http://192.
http://
ht
http://192.168.0.
http
http://192.168.
htt
http://192.168.0.
h
http://192.168.0.1/syst
http://192.168.0.
h
http://192.168.0.1
http://192.1
http:/
http
http://192.168.0.1/usb_m
http://192.168.0.
http:
http://192.168.0.1/usb_u
http://192.168.0.1
http://192.168.0.
http://192.1
http
http://192.168.0.1/wan_
http://19
htt
http://192.168.0.1/wlan_5g
http://192.168.0
http://192
http://192.168.0.
http://192.168.0.1/wla
http://192.168
h
http://192.168.0.1/wlan
http://192.168.0.1/wlan_wps.htm
Crack it with John the ripper or hashcat. Follow the guide as linked https://null-byte.wonderhowto
This firmware dump seems to be the old version. Your current firmware could have been updated recently as the previous hack does not work any more.
Next level of hack is to desolder the nand chip and dump the firmware straight from the chip plus minus downgrade to the previous dumped firmware. But this will certainly void the warranty.
I have had John the ripper running for the last few days, it may take a few years apparently. I have found how to reset the password to root, so I do have root now :)
I don't know much about Linux / OpenWRT but with trial and error, I have been able to get this far...
-------------------Getting Root Access-------------------
Connect UART
During boot, the option for failsafe boot appears for about a second.
When seeing this option push [F] then hit [ENTER]
In the failsafe boot menu type the following commands
mount_root
echo root:root | chpasswd
reboot
This will write over the default root password with the password of root, you can now get root access via UART.
To remove the root access just go to the web interface and do a factory restore.
-------------------Getting SSH / SCP Access-------------------
Login to UART as root
run the following commands
uci set dropbear.@dropbear[0]=dropbear
uci set dropbear.@dropbear[0].Enable='1'
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='22'
uci set dropbear.@dropbear[0].PasswordAuth='1'
uci set dropbear.@dropbear[0].RootPasswordAuth='1'
uci set dropbear.@dropbear[0].RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear restart
You can now SSH (Putty) or SCP (WinSCP) into port 22. After a reboot, this stops working, just login and run the following command to start the service again.
/etc/init.d/dropbear start
you can use the following command to see if SSH is running (look for something running on port 22)
netstat -tln
-------------------Disable CWMP (TR69)-------------------
I did not want Telstra pushing updates to the modem, I thank I have stopped them by doing the following...
Login to web interface -> Administration -> Restore/Save etc -> Backup Router
Open 5GCPE_backup.cfg with 7-Zip
Put 5GCPE_backup onto the desktop and open it with Notepad++
Open find, look for CWMP
Find settings such as ARC_TR69_EnableCWMP=1 change the =1 to =0
Save the file in Notepad++
Drag the updated file from the desktop to the open 7-Zip window & replace the file
Back in the web interface restore the config you have edited.
I have now come up with 2 methods to get root on the modem. One method requires just a Windows PC, the other requires UART access. Both methods will give SSH access, change the root password to root, and enable LuCI at http://192.168.0.1:8080
~~~~~~~~~~~~~Method 1 – UART~~~~~~~~~~~~~
#Boot with UART, During boot, at prompt push [F] then hit [ENTER]
#Type the following commands
mount_root
echo root:root | chpasswd
reboot
#Login to serial terminal with root root
#Type the following commands
sed -i 's/#START=50/START=50/' /etc/init.d/dropbear
uci set dropbear.@dropbear[0]=dropbear
uci set dropbear.@dropbear[0].Enable='1'
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='22'
uci set dropbear.@dropbear[0].PasswordAuth='1'
uci set dropbear.@dropbear[0].RootPasswordAuth='1'
uci set dropbear.@dropbear[0].RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
sed -i 's/###START=50/START=50/' /etc/init.d/uhttpd
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
~~~~~~~~~~~~~Method 2 – Backup File~~~~~~~~~~~~~
Requirements:
Windows PC
Notepad++
7-Zip
Go to modem webpage [http://192.168.0.1]
Login with admin Telstra
Go to Administration -> Restore/Save/Upload Setting
Select Backup Router, Save backup to PC
Go to Downloads folder, right-click '5GCPE_backup.cfg' select 7-Zip then Open Archive
Drag '5GCPE_backup' out from 7-Zip and place it on the Desktop.
Right-click '5GCPE_backup' and select edit with Notepad++
Using ctrl+F (Find) search for "# Copyright (C) 2020 Arcadyan" [Without Quotes]
you will see the following lines
-----------------------------------------------------
- Copyright (C) 2020 Arcadyan
- All Rights Reserved.
#
#
int_name=$(/usr/sbin/mngcli get ARC_VPN_0_Name)
run_list="/etc
run_l
run_status="/etc/o
i
-----------------------------------------------------
We want to add some commands in the gap, copy and paste the following commands
echo root:root | chpasswd
sed -i 's/#START=50/START=50/' /etc/init.d/dropbear
uci set dropbear.@dropbear[0]=dropbear
uci set dropbear.@dropbear[0].Enable='1'
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='22'
uci set dropbear.@dropbear[0].PasswordAuth='1'
uci set dropbear.@dropbear[0].RootPasswordAuth='1'
uci set dropbear.@dropbear[0].RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
sed -i 's/###START=50/START=50/' /etc/init.d/uhttpd
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
It should now look like this...
-----------------------------------------------------
- Copyright (C) 2020 Arcadyan
- All Rights Reserved.
#
#
echo root:root | chpasswd
sed -i 's/#START=50/START=50/' /etc/init.d/dropbear
uci set dropbear.@dropbear[0]=dropbear
uci set dropbear.@dropbear[0].Enable='1'
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='22'
uci set dropbear.@dropbear[0].PasswordAuth='1'
uci set dropbear.@dropbear[0].RootPasswordAuth='1'
uci set dropbear.@dropbear[0].RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
sed -i 's/###START=50/START=50/' /etc/init.d/uhttpd
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
int_name=$(/usr/sbin/mngcli get ARC_VPN_0_Name)
run_list="/etc
run_l
run_status="/etc/o
i
-----------------------------------------------------
Save the document (ctrl+S), Close Notepad++
Drag the file '5GCPE_backup' from the desktop and put it on top of the still open 7-Zip window, Save changes
Go back to Go to Administration -> Restore/Save/Upload Setting
Under Restore Configuration select the file '5GCPE_backup.cfg' from your download folder and hit restore
Great work you have done there! Thank you for sharing!
I found in /arc-lxc , there is AdGuardhome in there, you can run it by ./AdGuardHome
I guess you could just Disable dnsmasq and run AdGuard at startup for dhcp and dns services.
I wonder if you could install ipk packages to install extra software on it such as docker. I have tried to run arm64 based software on it. It runs. It would be nice if docker works as service.
come up with 2 methods to get root on the modem
Fantastic work. Thank you. I wonder if the first UART method would work on the LH1000. might have to take it apart to access the UART port. Unless there's a chance to do so via the USB.
I had no luck with the second backup file method. The file appears to be salted.
I soldered my serial adapter to the LH1000 yesterday and have the console running but that is as far as I have got.
@scotty3
To open the device, I need to undo the two screws under the label at the bottom? The screws appear to be under and to the left of the qrcode and under and to the right of the wifi password?
Were there any screws under the back panel face plate? Found one under there.
Where are the UART pins I wonder? Found them too.
Now what can we do to change the root password?
Apart from getting in to the CFE prompt I'm stumped.
@UncleSam
The only way from now is to try to interrupt the boot process with F key or ESC or Ctrl + C to see if that can give you a shell without the need for a root password. If the bootloader is patched that does not have this vulnerability then the next step would be to dump the firmware to see the hashed password in shadow file located in /etc. then try to crack it. the chance will be slim to be able to crack it within a reasonable timeframe.
decrypt the config file requires some tools I guess. I have been able to decrypt a config file for TP-link VR1600 with a tool shared in github.
I wish you good luck finding one for your router.
once obtained root access, I found out that you can edit the dhcp file in /etc/config/ to change the upstream DNS for dnsmasq to other port so that you could utilise AdGuardHome.
edit the first part of dhcp file as follows :
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
option ednspacket_max '4096'
option domain 'gateway'
list server '192.168.0.1#54'
just edit the list server bit, 54 is the port number, whichever port you like.
then install AdGuardhome server init script by /arc-data/AdGuardHome -s install
add the following line :
/etc/init.d/AdGuardHome start
into the file located in /etc/config/firewallExt/M1_99_openvpn.user
reboot the router, then in browser, access http://192.168.0.1:3000
change dns port number to 54 as you set above in file dhcp
set up the password for AdGuardhome. keep going for next step as indicated.
all done
I found that the lxc container software does not download template properly as it keeps accessing the http server instead of the HTTPS server address.
I have tried setup chroot environment for an alpine linux. it works.
I put the rootfs system in the usb drive alpine folder.
downloaded the minirootfs via https://dl-cdn.alpinelinux.or
tar -xvf alpine-minirootfs-3.15.4-armhf.tar.gz .
to extract the file
bind mount the system folders with the following command. remember to change the <my usb drive name> with yours.
mount -o bind /dev /tmp/usb/<my usb drive name>/alpine/dev
mount -o bind /proc /tmp/usb/<my usb drive name>/alpine/proc
mount -o bind /sys /tmp/usb/<my usb drive name>/alpine/sys
chroot /tmp/usb/<my usb drive name>/alpine /bin/bash
now you are in the alpine chroot environment.
apk update && apk upgrade
apk add nano wget curl htop lxc lxc-templates
I have upgraded the alpine and installed some software I like
I found that I can install lxc container inside to have it run as a virtual machine.
lxc-create -n archlinux -t download — -d archlinux -r current -a armhf
above command as an example to install archlinux as a containered system.
I haven't got very far with the lxc container yet. I am more familiar with docker. I still need to keep working on lxc.
will update later regarding progress.
what else could it be good for?
I already have AdGuardhome running. good enough for now I guess. aria2 downloader can be considered next.
@Roy88 thanks for the tip about the shadow file. I believe I've located the shadow line of the root account and John is busy cracking.
@UncleSam
For dumping the firmware, first list the mtd partitions to get an idea about the nand partition structure with
cat /proc/mtd
Then you will see what each partition is mounted to.
To dump each partition, use
cat /dev/mtd0 >> /tmp/usb/<your usb name>/ mtd0.bin
Replace 0 with other partition numbers to dump all the partitions.
The one mounted as rootfs will be the one for you to dig around.
You can use binwalk to extract each image to see the files inside.
PM me if you need more help.
Aah. That would need me to have shell access, which I don't have as yet. John is still busy: going on 15 hours.
I did try F, Esc, Ctrl+C, Ctrl Pause Break, etc. to avail. Still stuck at the CFE prompt.
On the other hand I am able to list the following:
ROOTFS1 Seq#: 010
ROOTFS2 Seq#: 011
boot offset=[0x00000000], size=[0x00040000]
rootfs1 offset=[0x00040000], size=[0x06240000]
rootfs2 offset=[0x06280000], size=[0x06240000]
data offset=[0x0c600000], size=[0x10000000]
bbt offset=[0x1ff00000], size=[0x00100000]
And in the boot up sequence I see:
Booting from latest image (address 0x06280000, flash offset 0x06280000) ...
Which I guess is where I will need to extract the dump from.
Now I have worked out how to set up lxc containers.
create a container such as openwrt snapshot armhf one in this router by running:
{
lxc-create -n openwrt -t download — --no-validate
}
then it will download an index for available images, put in openwrt for distribution, snapshot as version, armhf as architecture.
before running the container, need to modify the config file for it by editing the file located in
{
/lxc/openwrt/config
}
with the following lines within the bracket added for network settings:
somehow it does not necessarily set up the right ip, it assigns randomly with dhcp instead.
{
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br-lan
lxc.net.0.hwaddr = 4a:49:43:49:79:b3
lxc.net.0.name = eth1
lxc.net.0.ipv4.gateway = 192.168.0.1
lxc.net.0.ipv4.address = 192.168.0.2/24
lxc.net.0.veth.pair = veth1
}
also need to edit the line looks like below, remove the 'dir' bit, otherwise it will see the host root as it's root directory.
{
lxc.rootfs.path = /arc-data/lxc/openwrt/rootfs
}
to start the openwrt container, run
{
lxc-start -n openwrt
}
to go into it's shell, run
{
lxc-attach -n openwrt
}
you can install basic packages such as htop, nano, luci by opkg update && opkg install luci nano htop
but this openwrt version is a very basic one.
I personally recommend lean's version with more features and build in plugins and apps to run it as a virtual one-armed router to utilise it's functions.
To stop the container, run
{
lxc-stop -n openwrt
}
download from https://github.com/SuLingGG/O
remove the existing rootfs files in /lxc/openwrt/rootfs by running
{
rm -r /lxc/openwrt/rootfs/*
}
put downloaded archive tar.gz to /lxc/openwrt/rootfs/ and extract with tar -xvf immortalwrt-ipq40xx-generic-rootfs.tar.gz
edit /lxc/openwrt/rootfs/etc/config/firewall and add following lines into it.
{
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
}
run the container
{
lxc-start -n openwrt
}
use following to find out the container's ip address
{
lxc-info -n openwrt
}
use your browser to access that ip address you will get the full featured openwrt luci webui.
you can edit the host config file /etc/config/lxc-auto accordingly to configure auto-start on boot.
enjoy
I believe it can be done by manually running OpenWrt commands, I don't know them myself but I do believe this is how it could be done, or maybe somewhere in the LuCI web interface?
Here are a couple of examples:
uci set firewall.sip=userredirect
uci set firewall.sip.family='ipv4'
uci set firewall.sip.enabled='1'
uci set firewall.sip.target='DNAT'
uci set firewall.sip.src='wan'
uci set firewall.sip.dest='lan'
uci set firewall.sip.src_dport='5060'
uci set firewall.sip.dest_port='5060'
uci set firewall.sip.name='SIP'
uci set firewall.sip.dest_ip='192.168.0.x'
uci set firewall.sip.proto='tcpudp'
uci commit
or
uci set firewall.rtp=userredirect
uci set firewall.rtp.family='ipv4'
uci set firewall.rtp.target='DNAT'
uci set firewall.rtp.dest_port='10000:20000'
uci set firewall.rtp.name='RTP'
uci set firewall.rtp.src_dport='10000:20000'
uci set firewall.rtp.enabled='1'
uci set firewall.rtp.src='wan'
uci set firewall.rtp.dest='lan'
uci set firewall.rtp.dest_ip='192.168.0.x'
uci set firewall.rtp.proto='udp'
eci commit
Amazing work!
Any luck with bridge mode? I tried the /bridge.htm page as above and while it didn’t error it also didn’t seem to do anything.
The 5g is a great service, shame it’s so crippled in the firmware.
try going to http://192.168.0.1/ltedbg.htm and changing setting to LTE I think this will make it do 4G only
Is there a way to setup QoS with this router natively? If not, is there a way to bridge the damn thing so I can use a competent router? We're able to manually access the bridging page, but it seems like it's hard locked to off in the firmware or something
Go to Downloads folder, right-click '5GCPE_backup.cfg' select 7-Zip then Open Archive
Drag '5GCPE_backup' out from 7-Zip and place it on the Desktop.
Right-click '5GCPE_backup' and select edit with Notepad++
Anyone else getting the error "cannot open file as archive" for their downloaded backup? Does this suggest something is corrupted? It's the same error even with the factory backup
Looks like they forced an update to the modem that has patched this hole. I get the error now too. so maybe the only option now is via the UART
I just got root again. You cant edit a new downloaded config but it will accept an old config.
https://drive.google.com/fil
this is a config I downloaded a while ago, I have put the lines in to get root. Just apply this to the modem and u should have root
https://drive.google.com/fi
Update: This worked great, got root access! What a champ! Do you reckon there's anything in the system here, perhaps a startup process, which is resulting in my problem from here: /thread/3z4y5q17?
Okay so I've actually looked into the interfaces screen, and there is straight up no interface for the LTE/5G WAN connection now. Maybe I'm missing something, but all I did was restart the modem! What the hell, Telstra?!
I haven't seen anything that I think would help but have u had a look through the LuCI web interface? http://192.168.0.1:8080/
The firmware update probably updated both the router and the 5g modem firmware. I am assuming either the firmware update in the 5g modem failed so it went into diagnostic mode, or the router put the modem into diagnostics mode to do the firmware update and it didn't end up asking the modem to come out of it. Either way probably not a hell of a lot u can do except ask Telstra to replace it.
One thing that could work maybe (prob not) is to try letting the router half boot then quickly unplug and replug power, then let it half boot again then again unplug and replug. try doing that a few times, sometimes if a modem fails to boot it will load a backup firmware. so I guess it's worth a try to maybe kick the 5g modem back into a normal boot. This is the type of thing I'm trying to explain... https://youtu.be/BMT8AhA4qns
Cheers again mate. I fear you're totally bang on with this:
The firmware update probably updated both the router and the 5g modem firmware. I am assuming either the firmware update in the 5g modem failed so it went into diagnostic mode, or the router put the modem into diagnostics mode to do the firmware update and it didn't end up asking the modem to come out of it. Either way probably not a hell of a lot u can do except ask Telstra to replace it.
It's been such a pain to try and explain to Telstra what the problem is. They keep passing the buck to the back-end server team when all I want is a replacement unit to be sent. sigh.
I gave the half boot method a crack (btw I love your succinct videos, your video taking the 5G modem apart was part of the reason I decided to give Telstra 5G a shot) and I reckon it might actually work, it's just hard without being able to see the serial of the boot activity.
I wonder if I might be able to flash an older firmware on it to see if that'd work. Would you happen to know of any repository containing older firmwares I could try?
Might have been what happened to mine the day I got Covid. It just got stuck in a boot loop with no fix. Telstra support had no process to replace it, and alternated between saying they will replace, needing to take it into a store , and having a tech come and “fix” it.
Many many hours and a very helpful lady in a local Telstra call centre and they could only come up with cancelling my faulty service and recreating a new one for me. With 1 month free and free Disney plus. They of course then threatened me by billing me for the already returned faulty modem.
Great product (mostly and woeful support and billing. Telstra themselves still don’t understand that this product exists, isn’t a mobile phone but also isn’t NBN.
and they could only come up with cancelling my faulty service and recreating a new one for me.
Haha sorry to hear you had similar issues, but this made me laugh. I already beat them at their own game, it seems.
I have ordered another service to my house. So I've basically come up with an internal race for them. Either they fix my original modem first, or they just deliver a new one and I cancel the old service – whichever comes first.
It seems like it's a new enough/small enough service to them that they're still having teething issues when it comes to support. Doesn't excuse it, but I can understand the frustration of the support people who rarely deal with 5G issues.
Beat them at their own game? I think I got there, but don’t consider it a win. In the first 6 months of having the 5g service I got 2 free months as well as a $400+ credit. I have no idea how. But probably equates to minimum wage based on hours taken.
It's more that I am beating them to a solution before they even realise what to do lol
I just hope they pull their thumbs out and do something soon
Unfortunately, I don't have any access to any firmware. You could try to get the serial console and have a look, however, because it is the serial of the router and not the 5G modem it may not be of any help. (you will need a device like this https://www.jaycar.com.au/ard
Thanks for the work on this guys. Restored the config above – took me a few minutes to work out how to access the network after restore. Once I got past that hurdle, had a poke around the root settings and now have my port forwarding working successfully – I already had the extranet code applied to my service previously.
I figured out that you can port forward but only if the wan mode is set to Ethernet WAN. If anybody has a way of port forwarding on 5g wan mod please let me know.
I managed to get one of these modems. Anyone know how to unlock it or have myself use it on another network? I have gained root access to the modem.
I'm trying to use an Optus sim card. Thanks.
Call me sceptical, but 2 new single post users asking questions like that would seem to me to be fishing for answers to close the loopholes.
Call me sceptical, but 2 new single post users asking questions like that would seem to me to be fishing for answers to close the loopholes.
Haha I sniff a rat too.
On another note, just thought I'd update regarding my situation for anyone in a similar boat. I called and called and called Telstra searching for a solution to my bricked device. I even went to a Telstra store and emailed the dev team at Telstra for a firmware. No responses, a bunch of empty promises, and no support.
I ended up ordering a new service to my same address under a different name and sent the busted modem back.
So to anyone who has similar issues: do not freaking bother asking for a replacement. Telstra has basically no system in place to issue replacements or to send a tech to your house. Just order a new service completely and cancel your other one (returning the device when they tell you to). It's COMPLETELY backwards, but it's how it is.
Earlier it was found that the following Modem web pages are listed within the firmware that was uploaded to github
http://192.168.0.1/block_int
http://192.1
http://1
http://192.168.0.1
ht
http://192.168.0.1/cli
http://192.168.0.
http:/
http://192.168.0.1/dhcp_
http://192.168.
http://192
h
http://192.168.0.1/Fa
http://192.
h
http://192.168.
http:/
http://192.168.0.1/firewa
http://192.
h
http://192.168.0.1
htt
http://192.
http://192.168.0.
ht
http://192.168.0.1/hi
http:
http://192.168.0.1/home_
http://192.168.0.1
http://192.168.
http://192.16
http://
http://192.168.0.1/ipv6_
http://192
http://192.168.0.1/
http://192.1
http://192.
http://192.168.0.1/lan_dhc
http://1
ht
http://192.168.0.1
http://192
http:/
http://192.168.0.1
http:/
ht
h
http://192
http://192.16
http://19
http://192.168.0.1/owl_de
http://192.168.0
http://19
h
http://192.168.0
http://1
h
http://192.168.0.1
http://19
http://192.168.0.1/routin
http://19
http://192.168.0.1/securit
http://192.168.0
http
http://192.168.0.1/sms_rec
http://192.168.0.
http://192.
http://
ht
http://192.168.0.
http
http://192.168.
htt
http://192.168.0.
h
http://192.168.0.1/syst
http://192.168.0.
h
http://192.168.0.1
http://192.1
http:/
http
http://192.168.0.1/usb_m
http://192.168.0.
http:
http://192.168.0.1/usb_u
http://192.168.0.1
http://192.168.0.
http://192.1
http
http://192.168.0.1/wan_
http://19
htt
http://192.168.0.1/wlan_5g
http://192.168.0
http://192
http://192.168.0.
http://192.168.0.1/wla
http://192.168
h
http://192.168.0.1/wlan
http://192.168.0.1/wlan_wps.htm
For those of us who don't yet have this modem and are considering the Telstra 5G service which bundles this modem/router , would it be possible to post screen captures or PDF saves from every page listed above and post it in a public area online and are all of these links accessible using the default configuration shipped from Telstra or do you need to unlock the modem using the earlier described reverse engineering steps?
port forwarding on 5g wan mod please let me know
Won't do you any good as telephone networks don't have fixed IP's.
are all of these links accessible using the default configuration shipped from Telstra or do you need to unlock the modem using the earlier described reverse engineering steps?
From my experience, these pages are accessible with the default configuration. However, I have not found much use for these pages as some of them don't even do anything. I can post screen captures in a few days when I'm not so busy, but I can tell you pages like "http://192.168.0.1/bridge.htm" load no problem, but changing any setting doesn't actually do anything with the router/modem.
What I would suggest anyone do is instead install the config uploaded by azzaboy18 in order to gain root access. From there you can tinker with the openWRT directly, which is way easier and better than these pages dumped from the firmware.
Out of curiosity, does the device have a .glbcfg file under /etc/config? If so it could contain the complete config that could be managed by mng_cli almost like uci
AdGuard update:
Download onto a usb device or in tmp
curl -kLSO https://static.adguard.com/adguardhome/release/AdGuardHome_linux_armv7.tar.gz tar zxvf AdGuardHome_linux_armv7.tar.gz and mv the 'AdGuardHome' dir into '/arc-data/lxc'
copy your data file from old spot, that is /arc-lxc/data if you want to keep old stats
cd /arc-data/lxc/AdGuardHome ./AdGuard -s uninstall ./Adguard -s install /etc/init.d/AdGuard enable
reboot then go to url:3000 and set up.
You now have 600MB for the logs storage as opposed to just 10MB or such in old spot.
I cannot get it to run from the USB device itself so this will suffice for now....
Once you confirm its working, feel free to delete /arc-lxc/AdGuard files to release space on /
noticed that the usb device is autoloaded in the /tmp/ folder and was having issues with chmod stuff so i remounted it the normal way:
mkdir /mnt/usb vi /etc/config/firewallExt/M1_99_openvpn.user (add three lines of code below into it) umount /tmp/usb/Lexar-USBFlashDrive/partition1/ #(yours will be different here, adjust accordingly) mount /dev/sda1 /mnt/usb/ #(yours will be different here, adjust accordingly; running 'blkid' helps identify here) ln -s /mnt/usb/AdGuardHome/data /arc-data/lxc/data #(move data folder to usb; this is how i got the disk quota heavy data folder to sit on usb instead of system folders)
Be sure to add respective folders on the USB device and manually mount the usb device then:
mkdir /mnt/usb/AdGuardHome; mv /arc-data/lxc/data /mnt/usb/AdGuardHome
Now i can run stuff from the usb and also keep up to 90 days of disk hungry AdGuard stats flowing freely from the USB data folder
AdGuard folder should look like this:
root@mygateway:~# ls -la /arc-data/lxc/
drwxr-xr-x 2 root root 376 Jun 21 10:57 .
drwxr-xr-x 6 root root 424 Apr 6 20:16 ..
-rwxr-xr-x 1 root root 34013184 Jun 20 19:46 AdGuardHome
-rw-r--r-- 1 root root 2964 Jun 21 10:57 AdGuardHome.yaml
lrwxrwxrwx 1 root root 25 Jun 21 10:53 data -> /mnt/usb/AdGuardHome/data
FWIW, just under 24 hours and its already getting heavy:
root@mygateway:~# du -sh /mnt/usb/AdGuardHome/data/
105.4M /mnt/usb/AdGuardHome/data/
Great amount of detail in this thread guys, thanks for all the input.
Sorry to hijack the thread, but I've just ordered one of these to do a Solar+Battery+Inverter+Wireless bridge deployment in the corner of my property which has reasonable LoS to the local tower.
Can anyone confirm the power output details of the transformer and a picture of the connector to let me get a headstart before the unit arrives?
Thanks guys.
May I ask, when rooted, can I use this modem with other providers, like Optus/Vodafone?
Thanks.
Great breakdown, I also watched your YouTube teardown.
My NBN FTTN is only 30mbbs which hurts when someone is watching Netflix, but 5G through my iPhone is around 500mbbs so I've ordered this AW1000 and expect delivery this week.
I'm hearing that my CCTV server won't work through this 5G service. (YouTube video at timepoint 7m23s https://youtu.be/KqRA9A4wVmU)
I'll post an update once CCTV issues are confirmed or not, but does that sound logical ?
Most mobiles are on a CGNAT, Hence the inability to access your CCTV from the Internet. Unless you access it via a publically accessible server.
I just used azzaboy18's config, and I tried changing DNS providers on the device as torrents wouldn't start – were all stalled. Cloudflare/Google DNS wouldn't work on both the router and PC outside of a few websites inc google, now I'm using a different one on my PC directly in network settings and torrents finally started. The same provider didn't work directly in the modem/router. Is it something in the modem doing this or is it the Telstra service itself?
CGNAT is a fact of life in mobile networks particularly.
However my two CCTV cameras both worked fine within the wifi Lan created by the Telstra wifi modem and I could access them within the Lan or out and about on the mobile network away from the house. Similarly when I connected the cctv cameras to my portable 4G wifi modem, I could access them within and outside that portable 4G wifi modem, including being able to access them from with the Telstra 5G Arcadian wifi Lan.
I believe this was true only because the cctv cameras use reverse proxy gateways into the cloud and I was relying on the manufacturers’ cloud service. That said, it is possible to set up similar services on some of these Wifi cctv cameras and avoid the manufacturers’ cloud services ($$$).
Not really hacking but something interesting that isn't advertised:
Just thought I'd share my exciting findings for the Arcadyan AW1000 (Aka Telstra 5G Home Modem). I decided to trial 5G as a NBN replacement but was worried about the 5G modem not having the coverage. When mucking around bridging my Telstra Smart Modem Gen 3 I discovered that the AW1000 supports the EasyMesh Telstra Wifi Boosters Gen 3! Not advertised as supporting the boosters but seems to be working for me!
Process I followed paired the wifi boosters via the SMG3 but will confirm tomorrow if I can directly pair my last Wifi booster directly with the AW1000.
Previous network setup:
5G AW1000 (LAN port) <----> (LAN Port) NBN Telstra SMG3 <-ethernet cable for pairing---> Wifi Booster 1
|-ethernet cable for pairing------- Wifi Booster 2
Unplugged the Wifi Boosters after initial pairing and moved them to their spots around the house and they wirelessly paired to the 5G AW1000 as a preference. Was displayed as such via the network topology diagram in both the AW1000 settings and SMG3 settings.
Now running:
5G AW1000 <---wireless link----> Wifi Booster 1
|
|---wireless link----> Wifi Booster 2
Tomorrow I'll try pairing Wifi Booster 3 direct with the AW1000.
Nice!
My SMG3 died a few months ago and i replaced it then with the AW1000 – i figured with Wifi6 it would suit my apartment as an Access Point if they don't want it back. Tried recently to sign up again but they not taking on more peeps in my area atm. :-)
Have to do the network cables into both LAN and WAN to get it to work as a local AP, not sure if there's a simpler means of getting past the need to do that, but it works as expected.
Why do you need to plug cables into both the wan and the Lan ports? Isn't the Lan port enough? Turn off dhcp on the SMG3 and then just use dhcp from the AW1000. Also disable the 4g backup wan on the SMG3. Will have an orange light but gets internet via the AW1000
im using it as an wifi AP behind a pfsense router, unless i add the wan cord too it wont give me internet to the wifi devices. probably a scripting fix but i cbf'ed to dissect it.
"So to anyone who has similar issues: do not freaking bother asking for a replacement. Telstra has basically no system in place to issue replacements or to send a tech to your house. Just order a new service completely and cancel your other one (returning the device when they tell you to)."
Masterful... l
is there a way to get the current firmware pushed? im in WAN not 5G mode, tried factory reseting and such no dice.
Wondering if people have tried forcing it onto 5G only and it works?
The modem seems to preferentially locking onto LTE3 .... rather than previous Band78
For the HDCP restiction of no more than 10...:((
What I did was assigned the DHCP from 60 to 200
Using unknown smart wifi devices mac addy ... (Used "Fing")
I then got the devices into the one of the 10 spots.
I then changed the ip to be in the over 200 ip DHCP range from the assignment table , saved then deleted from the table.
I then moved onto the next one.
Seems to be holding ok.
Was a bit of fluffing around
Devices I could manually set ip I put in the lower unassigned group.
Wondering if anyone has managed to get a non telstra sim working in this modem ?
If so, could you kindly share what you did and settings on the modem ?
I already had the extranet code applied to my service previously.
Just helping a friend who is in the 30 day trial window. The Extranet code has been added to service and when we changed the APN in device it receives a public IP address but no traffic will flow. How did you get yours to work?
My AW1000 worked brilliantly for about 6 months. Then, like Lord Oots (whrl.pl/RgrlAa), it got stuck in a boot loop – I assume after a pushed firmware upgrade.
Have contacted Telstra multiple times but have hit the same brick wall. They cannot send out a replacement modem, it has to be a new order. The trouble is, my area has reached capacity, so if they cancel the existing order to make a new order, someone else at the 'top of the list' will take my slot. Crazy!
They can only offer 5G mobile – 400Gb at $85/month – i.e. less than half the data of my existing plan.
I think one option is to restore the firmware myself using the instructions here https://openwrt.org/docs/guid
Trouble is, I don't have a firmware file. Has to be something like ...sysupgrade.bin/img.gz
I did find a firmware file on the router -> fw.tgz – Not sure if that will work with "LuCI web interface System → Backup / Flash Firmware → “Flash new firmware image”. There is a file next to it "fw_auto" which contains the text "0.05.04r" – perhaps this is the downloaded firmware upgrade.
I'm a bit of a novice here. Anyone tried something like this?
The trouble is, my area has reached capacity, so if they cancel the existing order to make a new order, someone else at the 'top of the list' will take my slot. Crazy!
Sounds like the early days of ADSL and the DSLAM reaching capacity... Ah the memories...;D
I'm using an external panel antenae. I get slightly better latency, much better upload, but maybe 25% worse download. Any ideas?
What are you guys actually achieving by rooting/unlocking the aw1000? Just wondering if it's something I should be bothering with. If it's just for port forwarding I would probably give it a miss, but disabling throttling after 1tb, well I'd probably consider that lol.
Not sure if it's well known or not but there's an article out there referencing the config file that was shared on here and how to go about unlocking the aw1000 for all carriers.
https://eddiez.me/arcadyan-aw1000-unlock/
Dumb question, but how do you actually change the PLMN? Like where do you enter the command? Obviously for the config file you just import it to the aw1000 but to change the PLMN , what interface do you use to change the settings? Is it just attach a USB drive to the aw1000 or CMD or what?
That cfg root file doesn't work anymore either. Neither does backing up your own and adding the text in manually. It fails at about 10% in. If you don't add the text to root it , then it will load the cfgfile so Telstra have done something to detect it and stop it from proceeding.
I've loaded the backup configuration file here used for root access. It seemed to load but I can't reconnect to the wifi. It has changed the wifi ssid and I don't know what the password is. For those who have used it before what is the connection password? Or how do I find out using the config file? Thanks
Of course how simple. I was over complicating the solution. I'll give that a go. Thanks for the idea.
I've loaded the backup configuration file here used for root access.
How did you get the config file to work? When I load it it fails at 5% then the aw1000 power light on the modem keeps blinking until I restart the modem. Flashing power led is meant to signify an update happening but like I said it fails at 5% so I just have to restart it.
Whirlpool Illuminati writes...
Dumb question, but how do you actually change the PLMN? Like where do you enter the command? Obviously for the config file you just import it to the aw1000 but to change the PLMN , what interface do you use to change the settings? Is it just attach a USB drive to the aw1000 or CMD or what?
After getting SSH, open
/etc/config/.glbcfg
Find and change to
ARC_USB_DONGLE_LOCK_PLMN=*
And then reboot.
You can also change this for 160Mhz 5G wifi
ARC_WLAN_5G_ChannelBandwidth=3
I got a wifi connection of 2401Mbps displayed on my phone
Ha dthis in my inbox
https://www.linkedin.co
But I have closed my account when I stopped working.
Might be usefull?
I've managed to interface via UART/serial (very new to this) – however, after U-BOOT, I get absolutely nothing after:
"Starting kernel ..."
Am I doing this wrong?
The device continues to initialise, and the device appears to 'work' – eg: wifi is on, I can connect to the standard management on http://192.168.0.1 with admin/Telstra as credentials.
I can 'Hit any key to stop autoboot' and enter into some pre-boot / U-BOOT console, which gives me a prompt:
IPQ807x#
But I can't do as documented here:
~~~~~~~~~~~~~Method 1 – UART~~~~~~~~~~~~~
#Boot with UART, During boot, at prompt push [F] then hit [ENTER]
#Type the following commands
mount_root
echo root:root | chpasswd
reboot
#Login to serial terminal with root root
#Type the following commands
sed -i 's/#START=50/START=50/' /etc/init.d/dropbear
uci set dropbear.@dropbear[0]=dropbear
uci set dropbear.@dropbear[0].Enable='1'
uci set dropbear.@dropbear[0].Interface='lan'
uci set dropbear.@dropbear[0].Port='22'
uci set dropbear.@dropbear[0].PasswordAuth='1'
uci set dropbear.@dropbear[0].RootPasswordAuth='1'
uci set dropbear.@dropbear[0].RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear start
sed -i 's/###START=50/START=50/' /etc/init.d/uhttpd
/etc/init.d/uhttpd enable
/etc/init.d/uhttpd start
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Has this been patched in the most recent firmware on this device? As I notice I can't even download or upload a config to this thing anymore.
[ipq807x: add Arcadyan AW1000 support · openwrt/openwrt@fbcda36 · GitHub](https://github.com/op
Openwrt Snapshot firmware for this router is available now.
https://mirror-01.infra.open
Anyone have tried to flash the factory firmware straight away from command line using sysupgrade?
Many AW1000 units were shipped to China last year (because Telstra discounted the Gen1 and introduced the black Gen2) and were sold in the local second-hand market. On platforms like Xianyu (Chinese Gumtree), individual units pre-flashed with third-party firmware are generally sold for 500-700 CNY (110-150AUD).
Some third-party closed-source OpenWrt developers have adapted the uboot for AW1000 and an OpenWrt firmware that can utilize Qualcomm NSS hardware acceleration with the help of QSDK. The uboot and firmware are priced at 50 CNY (around 12AUD). This firmware not only enables the normal use of NSS for network switching and encryption/decryption acceleration (VPN, WireGuard, etc.) but also supports the Quetel RM500Q-EA 5G module inside. This allows for cellular data usage, including features like band locking and modifying IMEI.
There is a ROOter firmware as well.
Anyone has experience with this?
Is it possible to flash the factory firmware directly from the Luci gui on the AW1000? Or using sysupgrade?
I have now successfully flashed the snapshot OpenWrt firmware. You have to use UART to interrupt the booting process and tftpboot the initramfs then in ssh to force flash the factory ubi one, then in the ssh to flash the upgrade squashfs binary. After a while, May need to force reboot the make it work.
But I cannot use 5G , change APN to telstra.internet. Network Registration failed.
Any advice?
I have now successfully flashed the snapshot OpenWrt firmware
Seems its still a very complicated process and not yet without issues. I have 2 of these devices both of which are running the modified config file so root access is aquired. I would like to get some use out of them but want to be able to forward ports which from what i know cant be done easily just yet. I was hoping with a firmware update with openwrt tha that i might be ble to start using them.
You may use frp to forward port under command line
No need to use CLI. FRP does have webUI.
opkg install frpc
opkg install luci-app-frpc
Just apply for a free server from Oracle or get a server from Binarylane for as low as $4.1 per month.
You can also use this script to install frps on the VPS. https://github.com/MvsCode/frps-onekey
Alternatively, if u have a Linux server or a NAS capable of running Docker, and the service you want to expose to the public is web-based, you can also set up cloudlfare tunnel which is free if you have a domain with CF.
Or if just want to be able to access from outside, Tailscale funnel is also a good free choice.
Hello creators, I do not understand this matter. Is there a solution to unlock this device so that it works on all networks?
nokia 5g gateway 2
model: 5G19-01W-A
IMEI: 356029830111893
I hope you can kindly provide a solution for my device
https://eko.one.pl/forum/vie
https://smalldev.tools/share-bin/CvxC6b0a
This is the script that fixes the usb only running on cpu0.
Is it possible to flash the factory firmware directly from the Luci gui on the AW1000?
I would like to know this too…
I have root but I’ve been unable to install any software, modem reports server address is invalid
I successfully installed AdGuard following Roy88's instructions but lost internet so did a factory reset to start again but AdGuardHome's disappeared (only lxc, sms and wwan_fw in the arc-data folder)
Any ideas?
I'm unable to refresh opkg as my certificates are not recognised and flashing to a vanilla firmware's beyond me at the moment...
I recently got a Telstra branded Arcadyan AW1000 on 03-Jun-2024 but only to discover it has firmware version 0.06.01r, hardware version: XCI35AX44Z-TA, I have an Optus sim which I can't use with this Telstra device.
As per azzaboy18's post on 2022-May-4 from [Arcadyan AW1000 Telstra 5G Home Internet Hacking](/thread/9qr1j570), unfortunately I have found both "Method 1 – UART" and "Method 2 – Backup File" methods have been patched with the firmware revision mentioned above, also confirmed by James Bertschik's post on 2023-Dec-22.
I have proceeded to replace the Telstra stock firmware with OpenWrt firmware as mentioned by [Arcadyan / Astoria AW1000](https://openwrt.org/toh/arcadyan/astoria/aw1000), using [factory.ubi](https://downloa
OpenWrt allows one to build snapshot via [Download OpenWrt firmware for your device](https://firmware-sele
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ath11k-firmware-ipq8074 base-files busybox ca-bundle dnsmasq dropbear e2fsprogs firewall4 fstools ipq-wifi-arcadyan_aw1000 kmod-ath11k-ahb kmod-fs-ext4 kmod-gpio-button-hotplug kmod-gpio-nxp-74hc164 kmod-leds-gpio kmod-nft-offload kmod-phy-aquantia kmod-qca-nss-dp kmod-spi-gpio kmod-usb-dwc3 kmod-usb-dwc3-qcom kmod-usb-serial-option kmod-usb3 libc libgcc libustream-mbedtls logd losetup luci mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd procd-seccomp procd-ujail uboot-envtools uci uclient-fetch uqmi urandom-seed urngd wpad-basic-mbedtls
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It appears luci package was included but how to check *offline* if it was actually included in the factory.ubi or sysupgrade.bin files before being used for flashing? Perhaps provide a manifest like [openwrt-armsr-armv8.manifest]
I have figured you can issue a "opkg list-installed" command to check for installed packages after it was flashed, so I have found luci package was not included in the factory.ubi file. Later on I found out in FAQ section about snapshots release.
[ FAQ: I can not connect via webbrowser](https://openwrt.o
Do I have to continue upgrading the firmware using [sysupgrade.bin](https://down
I have proceeded to upgrade the firmware sysupgrade.bin file, and this time it gave me an error as below:-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
root@OpenWrt:~# free
total used free shared buff/cache available
Mem: 886992 45876 794148 40240 46968 772936
Swap: 0 0 0
root@OpenWrt:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
tmpfs 443496 27840 415656 6% /
tmpfs 443496 12400 431096 3% /tmp
tmpfs 512 0 512 0% /dev
root@OpenWrt:~# ls -l /tmp
-rw-r--r-- 1 root root 4 Jan 1 00:01 TZ
-rw-r--r-- 1 root root 713 Jan 1 00:00 board.json
-rw-r--r-- 1 root root 0 Jan 1 00:01 dhcp.leases
drwxr-xr-x 2 root root 40 Jan 1 00:01 dnsmasq.d
drwxr-xr-x 2 root root 60 Jan 1 00:01 etc
drwxr-xr-x 2 root root 80 Jan 1 00:01 hosts
drwxr-xr-x 3 root root 60 Jan 1 00:01 lib
drwxrwxrwt 2 root root 340 Jan 1 00:01 lock
drwxr-xr-x 2 root root 80 Jan 1 00:00 log
-rw-r--r-- 1 root root 12482867 Jan 1 00:02 openwrt-qualcommax-ipq807x-arc
-rw-r--r-- 1 root root 47 Jan 1 00:01 resolv.conf
drwxr-xr-x 2 root root 60 Jan 1 00:01 resolv.conf.d
drwxr-xr-x 6 root root 240 Jan 1 00:01 run
drwxrwxrwt 2 root root 40 Jan 1 00:01 shm
drwxr-xr-x 2 root root 60 Jan 1 00:01 state
drwxr-xr-x 2 root root 80 Jan 1 00:00 sysinfo
-rw-r--r-- 1 root root 0 Jan 1 00:02 sysupgrade.meta
drwxr-xr-x 2 root root 40 Jan 1 00:00 tmp
root@OpenWrt:~# sysupgrade -n /tmp/openwrt-qualcommax-ipq807
Thu Jan 1 00:01:47 UTC 1970 upgrade: Image metadata not present
Thu Jan 1 00:01:47 UTC 1970 upgrade: Use sysupgrade -F to override this check when downgrading or flashing to vendor firmware
Image check failed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If additional LuCI related packages such as luci-proto-qmi, luci-proto-mbim, luci-proto-modemmanager will be required for internet, what essential packages are actually needed to build the firmware at least par to the Telstra stock firmware with LuCI interface?
This is my very first time doing this hope someone can provide some insight?
I have made some progress, please review my further posts in OpenWrt forum [Arcadyan AW1000 Telstra 5G Home Internet install] (https://forum.openwrt.org/t/
apologies in advance, off the topic of hacking.
Would someone confirm.. can I use this modem out of the box on the Telstra 5G network (Telstra, not Boost or other MVNO) whilst NOT on a fixed wireless plan. Plan on using a data-only SIM bundled to a regular Telstra post-paid plan.
thanks
can I use this modem out of the box on the Telstra 5G network (Telstra, not Boost or other MVNO) whilst NOT on a fixed wireless plan
So long as the plan you are on is 5G then yes
Hi everyone,
I know I'm coming in late, but from what I have read above, the Telstra 5G Home Broadband modems (I'm assuming all of them) have an elevated root access level that provides access to all of the hidden settings. Is that right?
And I'm assuming that there is no standard username/password combo for that, right?
Thanks team. Really interesting discussion.
i have root access — do i need to use a UART device (and pull this apart) to get non-telstra branded OpenWRT on here now?
Am assuming this can be done via tftpd now as one method right?
assuming this can be done via tftpd now as one method right?
Y might find there's already pins on the serial port (there was on mine). The tftpd method is the step after uboot interupt via terminal (root in the telstra firmware won't help you crossgrade to openwrt/rooter).
I couldn't get tftpd working but there's an initramfs.bin with luci included and you can just flash from the interface (doesn't have to be an update image)
okay i opened it up but having troubles finding these UART pins? Anyone got a photo to share on location of them? I see something labeled as J1003 i think? Def cannot see pins there.
^from what i understand that's the spot. not sure if i can get pins there though very tight spot.
I see something labeled as J1003
So if there are no pins you need to solder a header or you could solder the serial adapter wires direct given it looks like a fair bit of work getting to the back of the board.
There may be a clip-on header available but I’ve never used one
gonna have a think on that because i dont see my soldering skills doing it well. wonder if i could take it somewhere to get the pins put on properly like a local motherboard repairer.
have the header pins, solder iron etc but yeah tough job for me.
found my usb uart though
Is there a way to fix the repos for the telstra firmware?
I'm going to say no.
There was a Telstra Technicolour model from around 2012 running a similar chaos calmer build, one of the members here (nutterpc) worked out how to install vanilla openwrt but it was a pretty gruelling process. I got there in the end but it took me a few days.
uboot interupt's your best bet if you want to customise imo
uboot interupt's your best bet if you want to customise imo
not an option here – i tried getting it done from a repair shop and also had another look at it myself the other day and near on impossible for me to achieve getting the required pins there.
So uboot isnt an option, unless i can mail it to someone and have it mailed back (both of course at my expense) to sort this out by someone who has done it before.
near on impossible
It doesn't have to be pins, meaning you can just solder three wires to the bottom 3 tabs and work from there. It's really not a hard thing to achieve. Have a look here
Really good hardware, worth doing imo but mailing it return's a bit crazy, maybe see if you can grab another one for a good price and hope it has the headers installed. I got mine for $50 and there was another going a couple days later for 40
Looking for some help.
I have recently bought a X-POL2 version 3 external antenna to try and stabilise the strength of the AW1000 signal and limit drop outs.
Opening up the AW1000 UI i have noticed that there doesn't seem to be any 5G signal – even though my mobile devices are all connected to 5G within my house. The green light is illuminated but i wonder if there really is any activity coming through.
Does it look like the 5G antenna has malfunctioned or is not active?
4G 5G
ECGI/PCI/TAC 90A1E21/338/902F 0/51/0
Band/EARFCN/Bandwidth 7/2950/20 0/0/0
Signal 9RSRP/RSRQ/SINR) OK(-110.0 dBm/-10.0dB/6.0db) POOR(-150.0dBm/-150dB/-150.0db)
Any help is appreciated
my mobile devices are all connected to 5G within my house.
There's an easy point of confusion for a lot of people – these devices are 5G devices meaning they can connect to 5G mobile networks (meaning 5th generation). They also have wifi that operates at a 5Ghz frequency (sometimes abbreviated to 5G). Your devices may well be connected on the 5Ghz wifi network but that does not indicate anything about 5G from a mobile network point of view.
how do I install the dump posted here on my aw1000 router, or maybe someone has an old version of openwrt 15?
I have managed to get a hold of one of these modems and it still allows for the root access to be done via loading the old settings file.
How do i block this modem from updating the firmware as I do not wish to lose root access. Is there a command i can run to de-telstra this modem or block a url in my adguard home dns block list? Thanks.
How do i block this modem from updating the firmware
Install ROOter or OpenWRT
You’ll need a serial to USB cable to interrupt the boot loader but it’s a simple process
I dont currently have a serial to usb cable but im sure i could get one. What about blocking the telstra update url is this known and does it work as an alternative? Or given i have root access already there is the ability to upload firmware within the root pages already can this not be used to install th ROOter or OpenWRT firmware?
thanks.
What about blocking the telstra update
I guess it's possible, folks used to do it on the technicolours before full luci install was an option. You're limited to Telstra SIMs though at least I was unable to get the SIM hack working before installing something else.
I am actually just using it as a booster and so use the ethernet wan at the moment. So no need to get any sim working.
I have a telstra aw1000, that I have been trying to unlock to other networks. I have downloaded and tried the cfg file, but have not been able to get root access. Please help me unlock.
So I bought one of these from here last week:
https://www.jw.com.au/produc
On special for $269 AUD
It came with custom QWRT firmware as below:
QWRT
Model Arcadyan AW1000
Architecture ARMv8 Processor rev 4 (v8l) x 4 (2208MHz, 34.5°C )
Target Platform ipq807x/generic
Firmware Version QWRT R24.10.10 (QSDK 12.2 R7) / main (git-24.307.40431-ca2270f)
Kernel Version 5.4.250
I am finding that the firmware is a bit flaky, particularly when trying to band lock.
The checkboxes keep coming and going even after I remove the checkmarks.
Has anyone got any suggestions on what to do?
any suggestions
if you're finding it flaky you could try flashing ROOter which's where qwrt's band locking tools come from anyway and may be out of date or improperly implimented
there's another openwrt fork that's integrated the rooter toolset that i've found to be very stable but i've forgotten what it's called. post up here if you don't like rooter and i (or someone else) can show you where it is
Thanks Ojay for your reply
Can I flash ROOter from within the QWRT firmware or must I go the serial port route?
Can I flash ROOter from within the QWRT firmware
you can use the update/upgrade feature for both rooter and the hikari fork
upgrade or the factory file?
good rule of thumb is if you're switching between forks use the factory file
upgrade'll probly be ok but probly better to play safe
there's also an option to use vanilla openwrt tho i'm not sure if you can bandlock
ROOter has a substantial support thread where the lead developer is very approachable and there are several very knowledgeable folks who are always happy to help with issues and finer points of function
I used the upgrade file and now I have a problem.
Only the top two lights are on and the LUCI interface won't let me past the password reset :(
Just getting the following message and nothing happens:
There is no password set on this router. Go to System->Administration to create password.
LUCI interface won't let me past the password reset
you may've ticked keep existing settings
best to go to the rooter thread tbqh, my aw1000's a backup unit and i've not been in the rooter interface for quite sometime
probly better to play safe
rules of thumb are good things to follow
Unfortunately I read your recommendation afterwards :(
I unchecked the "keep settings" box.
Oh well – will have to go the long route now...
reset to factory settings should get you to a fresh state
think it's press and hold the reset button for ten seconds or similar
No good. Stuck on the change password page.
I better go over to the ROOter forum I think.
Thanks for your help Ojay
Can anyone kick in with some advice on where I might find a shairport-sync-mbedtls package that is built to airport 1 (classic)?
Ted's makefile states that the shairport-sync-mbedtls and shairport-sync-mini are built to classic airport but the current builds on the owrt repo are not
I'd be fine with learning about compiling but wont be in a position where I have time to cover that any time soon, seems as though a manual pkg install might be my best option
TIA