Don't ignore what I said above!
Yes.
Let's all ask robimarko to make an analogue of the UBI_Cleaner.trx (It is possible to build a tiny 32-bit kernel with a initrd embedded in it)
1 Like
I saw this post ASUS AX4200 bootloop after upgraded from 23.05.4 to snapshot build and others that use ubi-cleaner,trx for Asus routers. It doesn't require the box to be opened.
Can you explain some more details about this
What do we need for it to be made - maybe only a developer (@robimarko) can write the code?
Why it can't be used on AX89X.
Thanks.
it's a long shot but try to find the initial ASUS firmware release. trust me and don't give up. things like these happened to me thousands of times...
I studied the stock bootloader code in disassembler. And there is no function to delete UBI_DEV volumes!
Download and run tftpd64 by Ph. Jounin. POST LOGS.
I've run tftpd64 by Ph. Jounin but unfortunately its log function doesn't work on Windows 11 and I know that since several years when I recovered an old TP-Link 1043ND. It works on Windows 10 (I know from personal experience) but I currently don't have Win 10.
The oldest one on Asus website is this one
Firmware version 3.0.0.4.384.81324
47.84 MB
2019/11/11
better try to push the latest stable openwrt image. try a win10 vm or better a linux vm (passthrough a nic to connect to the asus rt-ax89x). it is impossible tftp recovery on asus to fail. asus and no backdoors is...
I connected the serial cable.
So I get this at boot
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00158
S - IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B - 201 - PBL, Start
B - 2734 - bootable_media_detect_entry, Start
B - 3442 - bootable_media_detect_success, Start
B - 3447 - elf_loader_entry, Start
B - 6115 - auth_hash_seg_entry, Start
B - 6358 - auth_hash_seg_exit, Start
B - 68405 - elf_segs_hash_verify_entry, Start
B - 131248 - PBL, End
B - 143960 - SBL1, Start
B - 196450 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B - 202977 - pm_device_init, Start
B - 326075 - PM_SET_VAL:Skip
D - 122610 - pm_device_init, Delta
B - 328485 - pm_driver_init, Start
D - 5368 - pm_driver_init, Delta
B - 334859 - clock_init, Start
D - 2135 - clock_init, Delta
B - 338794 - boot_flash_init, Start
D - 8631 - boot_flash_init, Delta
B - 351207 - boot_config_data_table_init, Start
D - 3080 - boot_config_data_table_init, Delta - (575 Bytes)
B - 358680 - Boot Setting : 0x00000618
B - 362614 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B - 369538 - sbl1_ddr_set_params, Start
B - 373350 - CPR configuration: 0x30c
B - 376797 - cpr_init, Start
B - 379572 - Rail:0 Mode: 5 Voltage: 808000
B - 384696 - CL CPR settled at 760000mV
B - 387594 - Rail:1 Mode: 5 Voltage: 880000
B - 391772 - Rail:1 Mode: 7 Voltage: 904000
D - 16500 - cpr_init, Delta
B - 398665 - Pre_DDR_clock_init, Start
B - 402691 - Pre_DDR_clock_init, End
B - 405985 - DDR Type : PCDDR3
B - 412085 - do ddr sanity test, Start
D - 1067 - do ddr sanity test, Delta
B - 416538 - DDR: Start of HAL DDR Boot Training
B - 421174 - DDR: End of HAL DDR Boot Training
B - 426969 - DDR: Checksum to be stored on flash is -972555000
B - 437278 - Image Load, Start
D - 224358 - QSEE Image Loaded, Delta - (1376448 Bytes)
B - 661728 - Image Load, Start
D - 30 - SEC Image Loaded, Delta - (0 Bytes)
B - 669414 - Image Load, Start
D - 10705 - DEVCFG Image Loaded, Delta - (26008 Bytes)
B - 680211 - Image Load, Start
D - 22051 - RPM Image Loaded, Delta - (86584 Bytes)
B - 702354 - Image Load, Start
D - 118614 - APPSBL Image Loaded, Delta - (736400 Bytes)
B - 821121 - QSEE Execution, Start
D - 61 - QSEE Execution, Delta
B - 826916 - USB D+ check, Start
D - 0 - USB D+ check, Delta
B - 833290 - SBL1, End
D - 691648 - SBL1, Delta
S - Flash Throughput, 6785 KB/s (2226015 Bytes, 328052 us)
S - DDR Frequency, 466 MHz
S - Core 0 Frequency, 1651 MHz
U-Boot 2016.01 (Mar 09 2023 - 16:32:42 +0800)
RT-AX89U bootloader version: 2.2.2.2
DRAM: smem ram ptable found: ver: 1 len: 4
ASUS RT-AX89U gpio init : buttons
1 GiB
NAND: Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 1590aaef
Vendor = ef
Device = aa
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC:
*** Warning - bad CRC, using default environment
In: serial@78B3000
Out: serial@78B3000
Err: serial@78B3000
Check bootloader area ...
machid: 8010000
Net: MAC0 addr:0:aa:bb:cc:dd:e0
PORT0/5/6_PAD_CTRL 0x05080000/01000000/00000080
PORT0/5/6_STATUS 0x0000007e/00001280/00000230
8075 PHY ID1: 0x4d
8075 PHY ID2: 0xd0b1
switch_mac_mode: 0x5/ff/2
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=2", size 252 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2057/1298, WL threshold: 4096, image sequence number: 777439194
ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
UBI: vol_id reserved_pebs alignment data_pad vol_type usable_leb_size used_ebs used_bytes last_eb_bytes corrupted upd_marker name_len name
UBI: 0 3 1 0 dynamic 1f000 3 5d000 1f000 0 0 5 nvram
UBI: 1 3 1 0 dynamic 1f000 3 5d000 1f000 0 0 7 Factory
UBI: 2 3 1 0 dynamic 1f000 3 5d000 1f000 0 0 8 Factory2
UBI: 3 2d 1 0 dynamic 1f000 2d 573000 1f000 0 0 5 linux
UBI: 4 9f 1 0 dynamic 1f000 9f 1341000 1f000 0 0 5 jffs2
UBI: 5 6df 1 0 dynamic 1f000 6df d501000 1f000 0 0 b rootfs_data
UBI: 7fffefff 2 1 0 dynamic 1f000 2 3e000 2 0 0 d layout volume
UBI volume [linux] size 573000 smaller than 6406000!
Read 5d000 bytes from volume Factory offset 0 to 4a08270c
EEPROM set 0: OK (version 2395)
Read 5d000 bytes from volume Factory2 offset 0 to 4a08270c
EEPROM set 1: OK (version 2395)
Read 5d000 bytes from volume Factory offset 0 to 4a1025b8
Select EEPROM set 0 at offset 0x0.
Please choose the operation:
1: Load System code to SDRAM via TFTP.
2: Load System code then write to Flash via TFTP.
3: Boot System code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP. 0
3: Boot System code via Flash (default).
RT-AX89U bootloader version: 2.2.2.2
MAC Address: xxxxxxxxxxxxxxx
Read 40 bytes from volume linux offset 0 to 4b000000
Read 5542a8 bytes from volume linux offset 40 to 4b000040
## Booting kernel from Legacy Image at 4b000000 ...
Image Name: ARM64 OpenWrt Linux-6.6.80
Image Type: AArch64 Linux Multi-File Image (gzip compressed)
Data Size: 5587624 Bytes = 5.3 MiB
Load Address: 41000000
Entry Point: 41000000
Contents:
Image 0: 5531289 Bytes = 5.3 MiB
Image 1: 32 Bytes = 32 Bytes
Image 2: 56284 Bytes = 55 KiB
Verifying Checksum ... OK
CRC check good on phy fw file (0xDED4)
PHYFW:Loading IRAM...........done.
PHYFW:Loading DRAM..............done.
phy fw image load good CRC-16 matches (0x85F7)
AQR PHY ID1: 0x31c3
AQR PHY ID2: 0x1c42
## Booting kernel from Legacy Image at 4b000000 ...
Image Name: ARM64 OpenWrt Linux-6.6.80
Image Type: AArch64 Linux Multi-File Image (gzip compressed)
Data Size: 5587624 Bytes = 5.3 MiB
Load Address: 41000000
Entry Point: 41000000
Contents:
Image 0: 5531289 Bytes = 5.3 MiB
Image 1: 32 Bytes = 32 Bytes
Image 2: 56284 Bytes = 55 KiB
## Loading init Ramdisk from multi component Legacy Image at 4b000000 ...
## Flattened Device Tree from multi component Image at 4B000000
Booting using the fdt at 0x4b54670c
Uncompressing Multi-File Image ... OK
Loading Ramdisk to 4a0de000, end 4a0de020 ... OK
Loading Device Tree to 4a0cd000, end 4a0ddbdb ... OK
Using machid 0x8010000 from environment
Starting kernel ...
Jumping to AARCH64 kernel via monitor
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[ 0.000000] Linux version 6.6.80 (ssss) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 14.2.0 r29064+1-b999e91dcc) 14.2.0, GNU ld (GNU Binutils) 2.43.1) #0 SMP Fri Apr 11 13:20:51 2025
[ 0.000000] Machine model: Asus RT-AX89X
[ 0.000000] OF: reserved mem: 0x0000000040000000..0x0000000040ffffff (16384 KiB) nomap non-reusable nss@40000000
[ 0.000000] OF: reserved mem: 0x000000004a400000..0x000000004a5fffff (2048 KiB) nomap non-reusable tzapp@4a400000
[ 0.000000] OF: reserved mem: 0x000000004a600000..0x000000004a9fffff (4096 KiB) nomap non-reusable bootloader@4a600000
[ 0.000000] OF: reserved mem: 0x000000004aa00000..0x000000004aafffff (1024 KiB) nomap non-reusable sbl@4aa00000
[ 0.000000] OF: reserved mem: 0x000000004ab00000..0x000000004abfffff (1024 KiB) nomap non-reusable smem@4ab00000
[ 0.000000] OF: reserved mem: 0x000000004ac00000..0x000000004affffff (4096 KiB) nomap non-reusable memory@4ac00000
[ 0.000000] OF: reserved mem: 0x000000004b000000..0x0000000050efffff (97280 KiB) nomap non-reusable wcnss@4b000000
[ 0.000000] OF: reserved mem: 0x0000000050f00000..0x0000000050ffffff (1024 KiB) nomap non-reusable q6_etr_dump@50f00000
[ 0.000000] OF: reserved mem: 0x0000000051000000..0x00000000510fffff (1024 KiB) nomap non-reusable m3_dump@51000000
[ 0.000000] OF: reserved mem: 0x0000000051200000..0x00000000512fffff (1024 KiB) nomap non-reusable ramoops@51200000
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x000000007fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x0000000040ffffff]
[ 0.000000] node 0: [mem 0x0000000041000000-0x000000004a3fffff]
[ 0.000000] node 0: [mem 0x000000004a400000-0x00000000510fffff]
[ 0.000000] node 0: [mem 0x0000000051100000-0x00000000511fffff]
[ 0.000000] node 0: [mem 0x0000000051200000-0x00000000512fffff]
[ 0.000000] node 0: [mem 0x0000000051300000-0x000000007fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000007fffffff]
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.0 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000] psci: SMC Calling Convention v1.0
[ 0.000000] percpu: Embedded 19 pages/cpu s37800 r8192 d31832 u77824
[ 0.000000] Detected VIPT I-cache on CPU0
[ 0.000000] CPU features: kernel page table isolation forced OFF by mitigations=off
[ 0.000000] alternatives: applying boot alternatives
[ 0.000000] Kernel command line: console=ttyMSM0,115200n8 rootfstype=squashfs root=/dev/mtdblock4 mitigations=off root=/dev/mtdblock15 rootfstype=squashfs
[ 0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 258048
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] software IO TLB: SWIOTLB bounce buffer size adjusted to 1MB
[ 0.000000] software IO TLB: area num 4.
[ 0.000000] software IO TLB: mapped [mem 0x000000007eb00000-0x000000007ec00000] (1MB)
[ 0.000000] Memory: 884416K/1048576K available (8640K kernel code, 1010K rwdata, 2712K rodata, 896K init, 277K bss, 164160K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] Root IRQ handler: gic_handle_irq
[ 0.000000] GICv2m: range[mem 0x0b00a000-0x0b00affc], SPI[448:479]
[ 0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[ 0.000000] arch_timer: cp15 and mmio timer(s) running at 19.20MHz (virt/virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x46d987e47, max_idle_ns: 440795202767 ns
[ 0.000000] sched_clock: 56 bits at 19MHz, resolution 52ns, wraps every 4398046511078ns
[ 0.000475] Calibrating delay loop (skipped), value calculated using timer frequency.. 38.40 BogoMIPS (lpj=192000)
[ 0.000489] pid_max: default: 32768 minimum: 301
[ 0.005456] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.005470] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.008720] spectre-v4 mitigation disabled by command-line option
[ 0.009723] RCU Tasks Trace: Setting shift to 2 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=4.
[ 0.009954] rcu: Hierarchical SRCU implementation.
[ 0.009959] rcu: Max phase no-delay instances is 1000.
[ 0.011169] smp: Bringing up secondary CPUs ...
[ 0.011839] Detected VIPT I-cache on CPU1
[ 0.011946] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[ 0.012653] Detected VIPT I-cache on CPU2
[ 0.012726] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[ 0.013401] Detected VIPT I-cache on CPU3
[ 0.013467] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[ 0.013537] smp: Brought up 1 node, 4 CPUs
[ 0.013546] SMP: Total of 4 processors activated.
[ 0.013551] CPU features: detected: 32-bit EL0 Support
[ 0.013556] CPU features: detected: CRC32 instructions
[ 0.013617] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[ 0.013623] CPU: All CPU(s) started at EL1
[ 0.013625] alternatives: applying system-wide alternatives
[ 0.025802] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.025830] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[ 0.027547] pinctrl core: initialized pinctrl subsystem
[ 0.029574] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.030218] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[ 0.030261] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[ 0.030295] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[ 0.030702] thermal_sys: Registered thermal governor 'step_wise'
[ 0.030761] cpuidle: using governor menu
[ 0.030981] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers.
[ 0.031070] ASID allocator initialised with 65536 entries
[ 0.095840] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid fuse count: 4
[ 0.100383] Modules: 29344 pages in range for non-PLT usage
[ 0.100393] Modules: 520864 pages in range for PLT usage
[ 0.105298] SCSI subsystem initialized
[ 0.105511] usbcore: registered new interface driver usbfs
[ 0.105546] usbcore: registered new interface driver hub
[ 0.105606] usbcore: registered new device driver usb
[ 0.106130] qcom_scm: convention: smc arm 64
[ 0.107988] clocksource: Switched to clocksource arch_sys_counter
[ 0.111701] NET: Registered PF_INET protocol family
[ 0.111853] IP idents hash table entries: 16384 (order: 5, 131072 bytes, linear)
[ 0.114453] tcp_listen_portaddr_hash hash table entries: 512 (order: 1, 8192 bytes, linear)
[ 0.114476] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.114492] TCP established hash table entries: 8192 (order: 4, 65536 bytes, linear)
[ 0.114578] TCP bind hash table entries: 8192 (order: 6, 262144 bytes, linear)
[ 0.114854] TCP: Hash tables configured (established 8192 bind 8192)
[ 0.115358] MPTCP token hash table entries: 1024 (order: 2, 24576 bytes, linear)
[ 0.115541] UDP hash table entries: 512 (order: 2, 16384 bytes, linear)
[ 0.115578] UDP-Lite hash table entries: 512 (order: 2, 16384 bytes, linear)
[ 0.116030] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.116081] PCI: CLS 0 bytes, default 64
[ 0.116309] Unpacking initramfs...
[ 0.117832] workingset: timestamp_bits=46 max_order=18 bucket_order=0
[ 0.118663] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.118672] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.125352] qcom-qmp-usb-phy 58000.phy: supply vdda-phy not found, using dummy regulator
[ 0.125519] qcom-qmp-usb-phy 58000.phy: supply vdda-pll not found, using dummy regulator
[ 0.127052] qcom-qmp-usb-phy 78000.phy: supply vdda-phy not found, using dummy regulator
[ 0.127207] qcom-qmp-usb-phy 78000.phy: supply vdda-pll not found, using dummy regulator
[ 0.129274] qcom-qusb2-phy 59000.phy: supply vdda-pll not found, using dummy regulator
[ 0.129406] qcom-qusb2-phy 59000.phy: supply vdda-phy-dpdm not found, using dummy regulator
[ 0.129596] qcom-qusb2-phy 59000.phy: Registered Qcom-QUSB2 phy
[ 0.130014] qcom-qusb2-phy 79000.phy: supply vdda-pll not found, using dummy regulator
[ 0.130166] qcom-qusb2-phy 79000.phy: supply vdda-phy-dpdm not found, using dummy regulator
[ 0.130362] qcom-qusb2-phy 79000.phy: Registered Qcom-QUSB2 phy
[ 0.141311] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[ 0.142389] msm_serial 78b3000.serial: msm_serial: detected port #0
[ 0.142428] msm_serial 78b3000.serial: uartclk = 3686400
[ 0.142750] 78b3000.serial: ttyMSM0 at MMIO 0x78b3000 (irq = 20, base_baud = 230400) is a MSM
[ 0.142785] msm_serial: console setup on port #0
[ 0.142832] printk: console [ttyMSM0] enabled
[ 0.995497] msm_serial: driver initialized
[ 1.004842] loop: module loaded
[ 1.006227] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xaa
[ 1.006802] nand: Winbond W29N02GZ
[ 1.013508] nand: 256 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 1.016932] 10 fixed-partitions partitions found on MTD device qcom_nand.0
[ 1.024210] OF: Bad cell count for /soc@0/nand-controller@79b0000/nand@0/partitions
[ 1.031106] OF: Bad cell count for /soc@0/nand-controller@79b0000/nand@0/partitions
[ 1.038945] Creating 10 MTD partitions on "qcom_nand.0":
[ 1.046212] 0x000000000000-0x000000060000 : "sbl1"
[ 1.052705] 0x000000060000-0x0000000a0000 : "mibib"
[ 1.057129] 0x0000000a0000-0x000000280000 : "qsee"
[ 1.063101] 0x000000280000-0x0000002a0000 : "devcfg"
[ 1.066596] 0x0000002a0000-0x0000002c0000 : "apdp"
[ 1.071876] 0x0000002c0000-0x000000300000 : "rpm"
[ 1.076406] 0x000000300000-0x000000320000 : "cdt"
[ 1.081157] 0x000000320000-0x0000003e0000 : "appsbl"
[ 1.086241] 0x0000003e0000-0x000000400000 : "appsblenv"
[ 1.090875] 0x000000400000-0x000010000000 : "UBI_DEV"
[ 1.293006] ubi0: attaching mtd9
[ 1.937994] random: crng init done
[ 2.474942] ubi0: scanning is finished
[ 2.483265] ubi0: attached mtd9 (name "UBI_DEV", size 252 MiB)
[ 2.483313] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.488024] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.494863] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.501731] ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
[ 2.508498] ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
[ 2.514741] ubi0: max/mean erase counter: 2057/1298, WL threshold: 4096, image sequence number: 777439194
[ 2.521874] ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
[ 2.531520] ubi0: background thread "ubi_bgt0d" started, PID 286
[ 2.531953] spmi spmi-0: PMIC arbiter version v2 (0x20010000)
[ 2.576237] i2c_dev: i2c /dev entries driver
[ 2.583849] sdhci: Secure Digital Host Controller Interface driver
[ 2.583896] sdhci: Copyright(c) Pierre Ossman
[ 2.588954] sdhci-pltfm: SDHCI platform and OF driver helper
[ 2.595327] remoteproc remoteproc0: releasing cd00000.q6v5_wcss
[ 2.601052] hw perfevents: enabled with armv8_cortex_a53 PMU driver, 7 counters available
[ 2.606775] NET: Registered PF_INET6 protocol family
[ 2.613887] Segment Routing with IPv6
[ 2.618143] In-situ OAM (IOAM) with IPv6
[ 2.621726] NET: Registered PF_PACKET protocol family
[ 2.625691] Bridge firewalling registered
[ 2.630851] 8021q: 802.1Q VLAN Support v1.8
[ 2.662612] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid fuse count: 4
[ 2.663005] cpr4_ipq807x_apss_read_fuse_data: apc_corner: speed bin = 0
[ 2.668759] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR fusing revision = 1
[ 2.675339] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR misc fuse value = 0
[ 2.683008] cpr4_ipq807x_apss_read_fuse_data: apc_corner: Voltage boost fuse config = 0 boost = disable
[ 2.690528] cpr3_mem_acc_init: apc: not using memory accelerator regulator
[ 2.699657] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused SVS: open-loop= 720000 uV
[ 2.706591] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused NOM: open-loop= 856000 uV
[ 2.716586] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused TURBO: open-loop= 920000 uV
[ 2.726398] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused STURBO: open-loop=1032000 uV
[ 2.736253] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused SVS: quot[ 7]= 706, quot_offset[ 7]= 0
[ 2.746010] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused NOM: quot[ 7]= 961, quot_offset[ 7]= 255
[ 2.756861] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused TURBO: quot[ 7]=1067, quot_offset[ 7]= 105
[ 2.767797] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused STURBO: quot[ 7]=1258, quot_offset[ 7]= 190
[ 2.778974] cpr3_regulator_init_ctrl: apc: Default CPR mode = closed-loop
[ 2.784218] cpufreq: cpufreq_online: CPU0: Running at unlisted initial frequency: 800000 KHz, changing to: 1017600 KHz
[ 2.798247] remoteproc remoteproc0: cd00000.q6v5_wcss is ava▒[ 2.813810] /dev/root: Can't open blockdev
[ 2.813839] VFS: Cannot open root device "/dev/mtdblock15" or unknown-block(0,0): error -6
[ 2.816797] Please append a correct "root=" boot option; here are the available partitions:
[ 2.825062] 1f00 384 mtdblock0
[ 2.825066] (driver?)
[ 2.837446] 1f01 256 mtdblock1
[ 2.837449] (driver?)
[ 2.843957] 1f02 1920 mtdblock2
[ 2.843960] (driver?)
[ 2.850470] 1f03 128 mtdblock3
[ 2.850473] (driver?)
[ 2.856977] 1f04 128 mtdblock4
[ 2.856980] (driver?)
[ 2.863487] 1f05 256 mtdblock5
[ 2.863490] (driver?)
[ 2.870001] 1f06 128 mtdblock6
[ 2.870004] (driver?)
[ 2.876509] 1f07 768 mtdblock7
[ 2.876512] (driver?)
[ 2.883019] 1f08 128 mtdblock8
[ 2.883022] (driver?)
[ 2.889533] 1f09 258048 mtdblock9
[ 2.889536] (driver?)
[ 2.896040] List of all bdev filesystems:
[ 2.898476] squashfs
[ 2.898477]
[ 2.904806] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[ 2.906382] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 6.6.80 #0
[ 2.914448] Hardware name: Asus RT-AX89X (DT)
[ 2.920263] Call trace:
[ 2.924772] dump_backtrace+0xb0/0x10c
[ 2.927031] show_stack+0x18/0x24
[ 2.930850] dump_stack_lvl+0x48/0x60
[ 2.934236] dump_stack+0x18/0x24
[ 2.937882] panic+0x2bc/0x308
[ 2.941179] mount_root_generic+0x1a0/0x2fc
[ 2.944132] mount_root+0x1ac/0x26c
[ 2.948210] prepare_namespace+0x58/0x290
[ 2.951685] kernel_init_freeable+0x280/0x2f4
[ 2.955852] kernel_init+0x28/0x1f0
[ 2.960190] ret_from_fork+0x10/0x20
[ 2.963490] SMP: stopping secondary CPUs
[ 2.967313] Kernel Offset: disabled
[ 2.971215] CPU features: 0x0,00000000,00000000,0000400b
[ 2.974430] Memory Limit: none
[ 2.979983] Rebooting in 1 seconds..
Please choose the operation:
1: Load System code to SDRAM via TFTP.
2: Load System code then write to Flash via TFTP.
3: Boot System code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 1
1: Load System code to SDRAM via TFTP.
RT-AX89U bootloader version: 2.2.2.2
MAC Address: xxxxxxxxxxxx
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.50.1) ==:
This is the bootloop.
@robimarko @remittor What do you think about the reason for the bootloop.
What backdoors are we even talking about?
Here is the source code of the TFTPD64 utility: https://bitbucket.org/phjounin/tftpd64/src/master/
Then the recovery log when openwrt.trx is uploaded to the router in Rescue Mode.
RT-AX89U bootloader version: 2.2.2.2
MAC Address: xxxxxxxxxxx
reset button pressed!
## Enter Rescue Mode ##
ipq807x_eth_halt: done
eth0 PHY8 up Speed :1000 Full duplex
eth0 PHY11 up Speed :1000 Full duplex
ipq807x_eth_init: done
switch prereq:0
tftpd start
Our IP address is:(192.168.50.1)
Wait for TFTP request...
tftpd open
D D D D D D D D D D D Got ARP REQUEST, return our IP
Got ARP REPLY, set eth addr (xxxxxxxxxxx)
#
First block received
################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
##################################################
done
RAMtoFLASH
Chk trx magic
Download of 0xc9ec01 bytes completed
Check TRX and write it to FLASH
Solve TRX, ptr=0x4b000000
## Booting kernel from Legacy Image at 4b000000 ...
Image Name:
Image Type: AArch64 Linux Multi-File Image (gzip compressed)
Data Size: 13233089 Bytes = 12.6 MiB
Load Address: 41000000
Entry Point: 41000000
Contents:
Image 0: 13178706 Bytes = 12.6 MiB
Image 1: 4100 Bytes = 4 KiB
Image 2: 50265 Bytes = 49.1 KiB
Verifying Checksum ... OK
Erase kernel block !!
From c0517000 To c11b5c01 (13233153/h:c9ec01)
size > volume size! Aborting!
ra_flash_erase_write: write volume [linux] fail. (r = 22)
Write firmware fail. (r = 22)
rescue failed! (22)
ipq807x_eth_halt: done
resetting ...
and then the bootloop follows.
The immediate problem identified in your last log is size > volume size! Aborting!. The U-Boot/Rescue Mode flash routine is checking if the incoming firmware image fits into the existing linux UBI volume. Since that volume is apparently damaged or incorrectly sized (too small), the check fails, and the write process aborts before it even attempts to write data or potentially reformat things.
The Only Solution: Erase the UBI Partition via UART
I have recovered it via option 1 although it would have been a lot better if there was a way to do it without opening it. Probably I'll have to keep the cables just in case.
@robimarko As I have the serial cable connected, can I do anything for the B1 revision and 10G copper port. Run commands, tests, etc.
Currently I'm interested in what was the reason for the bootloop. As I wrote earlier I compiled a build with the @BrainSlayer changed DTS that was supposed to get the 10G copper port working on B1 revision.
wrongly sized partition
And what was the reason for it. It was a regular sysupgrade.
also:
Kernel command line: console=ttyMSM0,115200n8 rootfstype=squashfs root=/dev/mtdblock4 mitigations=off root=/dev/mtdblock15 rootfstype=squashfs
Notice there are two root= parameters and two rootfstype= parameters. The last ones usually take precedence. So the kernel is trying to mount root=/dev/mtdblock15 as a squashfs filesystem.
My guess it exceeded some max limit. That's what happened to me. If the image is too big - it will bork it. So putting too much stuff in the base image is problematic.
2 Likes