Upon further inspection, the OEM firmware is loading a FIT image.
Here is a snippet of the OEM boot process:
Trying to boot from image slot 1
Reading from 0x22880000 to 0x40000000, size 0x200 ... OK
Reading from 0x22880000 to 0x40000000, size 0x35e663 ... OK
## Checking hash(es) for FIT Image at 40000000 ...
Hash(es) for Image 0 (kernel-1): crc32+ sha1+
Hash(es) for Image 1 (fdt-1): crc32+ sha1+
Reading from 0x24880000 to 0x4035e664, size 0x200 ... OK
Reading from 0x24880000 to 0x4035e664, size 0x2a3f1c0 ... OK
Hash(es) for rootfs: crc32+ sha1+
Firmware integrity verification passed
## Loading kernel from FIT Image at 46000000 ...
Using 'config-1' configuration
Verifying Hash Integrity ... sha1,rsa2048:fit_key+ OK
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.4.203
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x460000e8
Data Size: 3505797 Bytes = 3.3 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x48080000
Entry Point: 0x48080000
Hash algo: crc32
Hash value: 454e21a0
Hash algo: sha1
Hash value: 433d4a929e5e6a78d29f06b64d5e88ff51e3ffdd
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 46000000 ...
Using 'config-1' configuration
Verifying Hash Integrity ... sha1,rsa2048:fit_key+ OK
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt mt7986a-ax7800-2500wan-emmc-rfb-sb device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x463580c4
Data Size: 24376 Bytes = 23.8 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 2f8a324a
Hash algo: sha1
Hash value: 51b5403350d1f908082684a48280634329b9fe2f
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x463580c4
Uncompressing Kernel Image
Loading Device Tree to 000000007f7ed000, end 000000007f7f5f37 ... OK
Starting kernel ...
According to [Tutorial] Build, customize and use MediaTek open-source U-Boot and ATF, the router has an 'snand' boot partition, which is booted by 'mtkboardboot', where the OEM firmware is installed. 'mtkboardboot' is the first boot menu option on reboot.
Our firmware, on the other hand, is installed on the mmc and requires the 'mmc read' command to boot.
So some possible solutions:
1) Rebuild the OpenWrt image to be installed on snand using the 'nand_do_upgrade' command.
2) Create a U-Boot image with an updated boot menu to boot from mmc as the default boot.
- I noticed that if I am booted into the OEM image and I press the reset button for about 20 seconds, it will go through this sequence:
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 103F 0000
F3: 1006 0033 [0200]
F3: 4001 00E0 [0200]
F3: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 2400 0041 [0000]
G0: 1190 0000
EC: 0000 0000 [2000]
T0: 0000 027B [010F]
Jump to BL
NOTICE: BL2: v2.6(release):de65b3e9d-dirty
NOTICE: BL2: Built : 15:22:40, Oct 28 2022
NOTICE: WDT: disabled
NOTICE: CPU: MT7986 (2000MHz)
NOTICE: EMI: Using DDR4 settings
NOTICE: EMI: Detected DRAM size: 1024MB
NOTICE: EMI: complex R/W mem test passed
NOTICE: Verifying BL Anti-Rollback Version ... bl_ar_ver:0=0+ OK
NOTICE: Verifying BL Anti-Rollback Version ... bl_ar_ver:0=0+ OK
NOTICE: Verifying BL Anti-Rollback Version ... bl_ar_ver:0=0+ OK
NOTICE: Verifying BL Anti-Rollback Version ... bl_ar_ver:0=0+ OK
NOTICE: Verifying BL Anti-Rollback Version ... bl_ar_ver:0=0+ OK
NOTICE: BL2: Booting BL31
NOTICE: BL31: v2.6(release):de65b3e9d-dirty
NOTICE: BL31: Built : 15:22:47, Oct 28 2022
U-Boot 2022.07-rc3 (Oct 28 2022 - 15:21:39 +0800), Build: jenkins-YX6_MT7986-AX7800-294
CPU: MediaTek MT7986
Model: mt7986-rfb
DRAM: 1 GiB
Core: 68 devices, 19 uclasses, devicetree: separate
MMC: mmc@11230000: 0
Setting bus to 0
Loading Environment from MMC... OK
In: serial@11002000
Out: serial@11002000
Err: serial@11002000
Net: eth0: ethernet@15100000
mtkautoboot gpio_reset:0
Saving Environment to MMC... Writing to MMC(0)... OK
*** Upgrading ATF BL2 ***
Available load methods:
0 - TFTP client (Default)
1 - Xmodem
2 - Ymodem
3 - Kermit
4 - S-Record
Select (enter for default): Input U-Boot's IP address: 192.168.1.1
Input TFTP server's IP address: 192.168.1.66
Input IP netmask: 255.255.255.0
Input file name: YX6-sb-bl2.img
Using ethernet@15100000 device
TFTP from server 192.168.1.66; our IP address is 192.168.1.1
Filename 'YX6-sb-bl2.img'.
Load address: 0x46000000
Loading: *
ARP Retry count exceeded; sta
Notice it is looking for a 'YX6-sb-bl2.img' boot image; on not finding it, it goes through the 'boot' command, thus booting into our OpenWrt image.
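
The integrity lines in the OEM boot log above can be summarised mechanically to see which checks are plain hashes and which one is a signature tied to a named key. This is an added example, not part of the original post: the sample lines are copied from that log, the function name is hypothetical, and it assumes U-Boot's convention that '+' after an algorithm means the check passed and '-' means it failed.

```python
import re

# Lines copied from the OEM boot log in the post above.
SAMPLE_LOG = """\
Hash(es) for Image 0 (kernel-1): crc32+ sha1+
Hash(es) for rootfs: crc32+ sha1+
Using 'config-1' configuration
Verifying Hash Integrity ... sha1,rsa2048:fit_key+ OK
Trying 'kernel-1' kernel subimage
Verifying Hash Integrity ... crc32+ sha1+ OK
"""

# One check token: "crc32+", "sha1-" or "sha1,rsa2048:fit_key+".
TOKEN = re.compile(r"([a-z0-9]+(?:,[a-z0-9]+)?)(?::([\w-]+))?([+-])")
SUBJECT = re.compile(r"^(?:Using|Trying) '([^']+)'")
HASHES = re.compile(r"^Hash\(es\) for (?:Image \d+ \()?([\w-]+)\)?:\s*(.*)$")
VERIFY = re.compile(r"^Verifying Hash Integrity \.\.\.\s*(.*)$")

def summarize_fit_checks(log):
    """Return one record per integrity check found in U-Boot console output."""
    records, subject = [], None
    for line in log.splitlines():
        line = line.strip()
        m = SUBJECT.match(line)
        if m:                       # remember which config/subimage is being checked
            subject = m.group(1)
            continue
        m = HASHES.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
        else:
            m = VERIFY.match(line)
            if not m:
                continue
            name, rest = subject, m.group(1)
        for algo, key, mark in TOKEN.findall(rest):
            records.append({
                "subject": name,
                "algo": algo,
                "key": key or None,   # a key name marks a signature, not a bare hash
                "signed": bool(key),
                "passed": mark == "+",
            })
    return records

if __name__ == "__main__":
    for rec in summarize_fit_checks(SAMPLE_LOG):
        print(rec)
```

On the log in the post, only the 'config-1' check carries a key name (fit_key); the crc32 and sha1 entries for kernel-1, fdt-1 and rootfs are unkeyed hashes.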