R7000 / RT-AC68U (xwrt/merlin-assus) has arm arch and arm-brcm-linux-uclibcgnueabi toolchain

Question

R7000 / RT-AC68U (xwrt/merlin-assus) has arm arch and arm-brcm-linux-uclibcgnueabi toolchain

mihaiaka opened this issue 2 months ago · comments

I have a NetGear R7000 router. Is the same hardware inside as the Asus RT-AC68U, which made possible the porting of Asus-Merlin. The project name is Xwrt, documented here: https://www.linksysinfo.org/index.php?threads/asuswrt-merlin-on-netgear-r7000.71108

Long story short, I was trying to make use of this C++ implementation on it, but failed with the two types I've tried:

with "arm-linux-musleabi(cortex_a7)" i get "Illegal instruction"
with "mipsel-linux-musl" i get "./pppwn: line 1: syntax error: unexpected word (expecting ")")"

The dev over there mentioned that (on the last page):
R7000) / RT-AC68U has arm arch and arm-brcm-linux-uclibcgnueabi toolchain.
toolchains are here: https://github.com/RMerl/am-toolchains

Q? Would it be possible to get "nightlies" for this type of architecture? Or how can one make/built it to run on my device?

Any pointers would be appreciated.
Thank you, M.

xfangfang · Answer 1 · Wed May 15 2024 20:13:06 GMT+0800 (China Standard Time)

I think arm-linux-musleabi(cortex_a7) should work on your device.

According to Broadcom_BCM4708, R7000 / RT-AC68U use a cortex-a9 cpu. (The Cortex-A series CPUs all have backward compatibility, so the Cortex-A9 should be able to run)

try run uname -a on your router and see what output.

and run: cat /proc/cpuinfo

stanleyws · Answer 2 · Wed May 15 2024 21:06:29 GMT+0800 (China Standard Time)

I have the same problem too, managed to compile for my AC87U with cortex-a9 but won't run and returns 'Illegal instruction'. Looked it up and seems like the Broadcom BCM4709 SoC does not have VFP like this issue mentioned: openwrt/packages#10967

I tried to compile a simple hellow world with 'zig cc -target arm-linux-musleabi -mcpu=cortex_a9 -mfpu=none -o hello hello.c' and the compiled hellow world still won't run on the router and returns 'Illegal instruction'. Tried all possible options for 'mfpu' including 'softvpu' listed here https://developer.arm.com/documentation/dui0774/b/compiler-command-line-options/-mfpu but the compiled binary does not change at all (they have the same checksum):

user@user-virtual-machine:~/Documents$ sha256sum test_none
a27aaeab79d1d51d6b8ac73b224b1689ac7a8722469250b9a83298fcc831a24b  test_none
user@user-virtual-machine:~/Documents$ sha256sum test_softvfp 
a27aaeab79d1d51d6b8ac73b224b1689ac7a8722469250b9a83298fcc831a24b  test_softvfp
user@user-virtual-machine:~/Documents$ sha256sum test_vfpv3 
a27aaeab79d1d51d6b8ac73b224b1689ac7a8722469250b9a83298fcc831a24b  test_vfpv3

Seems like zig cc has some issues passing -mfpu option so I don't know what to do now

mihaiaka · Answer 3 · Wed May 15 2024 21:43:33 GMT+0800 (China Standard Time)

think arm-linux-musleabi(cortex_a7) should work on your device.

According to Broadcom_BCM4708, R7000 / RT-AC68U use a cortex-a9 cpu. (The Cortex-A series CPUs all have backward compatibility, so the Cortex-A9 should be able to run)

try run uname -a on your router and see what output.

uname -a
Linux R7000-EADE 2.6.36.4brcmarm #1 SMP PREEMPT Tue May 16 10:05:49 PDT 2023 armv7l XWRT-Vortex

and run: cat /proc/cpuinfo

cat /proc/cpuinfo
Processor : ARMv7 Processor rev 0 (v7l)
processor : 0 BogoMIPS : 1998.84
processor : 1 BogoMIPS : 1998.84

Features : swp half thumb fastmult edsp CPU implementer : 0x41 CPU architecture: 7 CPU variant : 0x3 CPU part : 0xc09 CPU revision : 0

Hardware : Northstar Prototype
Revision : 0000
Serial : 0000000000000000

xfangfang · Answer 4 · Thu May 16 2024 04:40:21 GMT+0800 (China Standard Time)

@mihaiaka @stanleyws

You can try this： https://github.com/xfangfang/PPPwn_cpp/actions/runs/9101996371

arm-linux-musleabi(cortex_a7_soft)

The latest build attempts to disable FP registers by adding -Xclang -target-feature -Xclang -fpregs to compile option, hoping it will work.

Maybe no work, but you can try to add more options like: -Xclang -target-feature -Xclang -vfp2 (This will disable fp2)

stanleyws · Answer 5 · Thu May 16 2024 04:53:24 GMT+0800 (China Standard Time)

I managed to compile the code for 'mpcorenovfp' and it finally works:
cmake -B build -DZIG_TARGET=arm-linux-musleabi -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION="-mcpu=mpcorenovfp"

Maybe open a wiki page so we can document build target options for different platforms

stanleyws · Answer 6 · Thu May 16 2024 05:01:30 GMT+0800 (China Standard Time)

By the way the last build with -Xclang -target-feature -Xclang -fpregs still doesn't work, tried them on my AC87U router and it shows:

admin@RT-AC87U-E160:/tmp/home/root# ./pppwn_soft
Illegal instruction
admin@RT-AC87U-E160:/tmp/home/root# ./pppwn_softfp 
Illegal instruction

xfangfang · Answer 7 · Thu May 16 2024 06:38:12 GMT+0800 (China Standard Time)

I'm glad to hear that -mcpu=mpcorenovfp is working properly. But I think the best solution would be to reduce features on specific CPU models to achieve faster operation as much as possible.

According to ziglang/zig#4261 (comment) we can using -mcpu=cortex_a7-vfp4 to drop vfp4 feature in cortex_a7.

You can test it here: https://github.com/xfangfang/PPPwn_cpp/actions/runs/9103419502 (arm-linux-musleabi(cortex_a7_soft))

I'm not sure if removing only vfp4 is enough. You can view more features here and test them:
https://github.com/ziglang/zig/blob/efe06c5f31fe1e9ff02da1082367302b0a188a63/lib/std/Target/arm.zig#L2028-L2044

maybe we need: -mcpu=mpcorenovfp+has_v7clrex+has_v7+aclass ?

You can use: ./zig cc -### -target arm-linux-musleabi -mcpu=cortex_a7 main.c to get the default feature set

mihaiaka · Answer 8 · Thu May 16 2024 17:50:33 GMT+0800 (China Standard Time)

By the way the last build with -Xclang -target-feature -Xclang -fpregs still doesn't work, tried them on my AC87U router and it shows:
admin@RT-AC87U-E160:/tmp/home/root# ./pppwn_soft
Illegal instruction
admin@RT-AC87U-E160:/tmp/home/root# ./pppwn_softfp 
Illegal instruction

I get the exact outcome on my router with both.

I managed to compile the code for 'mpcorenovfp' and it finally works: cmake -B build -DZIG_TARGET=arm-linux-musleabi -DUSE_SYSTEM_PCAP=OFF -DZIG_COMPILE_OPTION="-mcpu=mpcorenovfp"

Maybe open a wiki page so we can document build target options for different platforms

can this be shared as an artifacts/nightly built?

Thank you.

xfangfang · Answer 9 · Thu May 16 2024 17:55:18 GMT+0800 (China Standard Time)

@mihaiaka ~~https://github.com/xfangfang/PPPwn_cpp/actions/runs/9109346620~~

https://github.com/xfangfang/PPPwn_cpp/actions/runs/9109346620/attempts/1

mihaiaka · Answer 10 · Thu May 16 2024 18:53:58 GMT+0800 (China Standard Time)

admin@R7000-EADE:/jffs/addons# ./pppwn
[+] PPPwn++ - PlayStation 4 PPPoE RCE by theflow
SYNOPSIS
pppwn --interface [--fw ] [--stage1 ] [--stage2 ] [-a]
pppwn list

OPTIONS
--interface network interface
--fw {750,751,755,800,801,803,850,852,900,903,904,950,951,960,1000,1001,1050,1070,1071,1100}
--stage1 stage1 binary
--stage2 stage2 binary
-a, --auto-retry
automatically retry when fails

Looks good! thank you very much sir. Are there any support/ko-fi links available?

xfangfang · Answer 11 · Thu May 16 2024 19:05:08 GMT+0800 (China Standard Time)

Thank you, it's just a little bit of work. Maybe you can take a look at https://github.com/TheOfficialFloW He is the hero in this scene