Add support for Cambium Networks XE3-4 ipq6010

Hi. I'm trying to see if I can get some information with serial on a Cambium Networks XE3-4. I'm able to see the boot log and interact/login to cli login after booting, but at the start I want to stop autoboot. But it's going fast forward and no countdown or press a key is present.

This is what I see before it's loading kernel etc...

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3-00098-IPQ60xxLZB-1
S - IMAGE_VARIANT_STRING=IPQ6018LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu121
S - Boot Interface: SPI
S - Secure Boot: Off
S - Boot Config @ 0x000a602c = 0x000002e1
S - JTAG ID @ 0x000a607c = 0x0013a0e1
S - OEM ID @ 0x000a6080 = 0x00000000
S - Serial Number @ 0x000a4128 = 0x81ea16fa
S - OEM Config Row 0 @ 0x000a4188 = 0x0000000000000000
S - OEM Config Row 1 @ 0x000a4190 = 0x0000000000000000
S - Feature Config Row 0 @ 0x000a4130 = 0x0000000008000001
S - Feature Config Row 1 @ 0x000a4138 = 0x02c3e83383000009
S - PBL Patch Ver: 1
S - I-cache: On
S - D-cache: On
B -      3413 - PBL, Start
B -       592 - bootable_media_detect_entry, Start
B -      4339 - bootable_media_detect_success, Start
B -      4435 - elf_loader_entry, Start
B -      4607 - auth_hash_seg_entry, Start
B -     10853 - auth_hash_seg_exit, Start
B -     11350 - elf_segs_hash_verify_entry, Start
B -    357984 - elf_segs_hash_verify_exit, Start
B -    362178 - auth_xbl_sec_hash_seg_entry, Start
B -    362323 - auth_xbl_sec_hash_seg_exit, Start
B -    368873 - xbl_sec_segs_hash_verify_entry, Start
B -    368873 - xbl_sec_segs_hash_verify_exit, Start
B -    369803 - PBL, End
B -    296002 - SBL1, Start
B -    435875 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    438315 - clock_init, Start
D -      3812 - clock_init, Delta
B -    448289 - boot_flash_init, Start
D -      8082 - boot_flash_init, Delta
B -    458598 - sbl1_ddr_set_default_params, Start
D -       244 - sbl1_ddr_set_default_params, Delta
B -    465216 - boot_config_data_table_init, Start
D -      1891 - boot_config_data_table_init, Delta - (575 Bytes)
B -    474336 - CDT Version:2,Platform ID:8,Major ID:3,Minor ID:0,Subtype:2
B -    479887 - Image Load, Start
D -      6618 - OEM_MISC Image Loaded, Delta - (0 Bytes)
B -    489220 - Image Load, Start
D -      5063 - PMIC Image Loaded, Delta - (0 Bytes)
B -    497119 - sbl1_ddr_set_params, Start
B -    502091 - CPR configuration: 0x555
B -    505293 - Pre_DDR_clock_init, Start
D -       213 - Pre_DDR_clock_init, Delta
D -         0 - sbl1_ddr_set_params, Delta
B -    540399 - Image Load, Start
D -       549 - APDP Image Loaded, Delta - (0 Bytes)
B -    559248 - Image Load, Start
D -       518 - QTI_MISC Image Loaded, Delta - (0 Bytes)
B -    561749 - Image Load, Start
D -       854 - Auth Metadata
D -       640 - Segments hash check
D -     29188 - QSEE Dev Config Image Loaded, Delta - (36490 Bytes)
B -    592859 - Image Load, Start
D -      6496 - Auth Metadata
D -     10400 - Segments hash check
D -    814533 - QSEE Image Loaded, Delta - (1436620 Bytes)
B -   1407910 - Image Load, Start
D -       702 - Auth Metadata
D -       976 - Segments hash check
D -     64325 - RPM Image Loaded, Delta - (102800 Bytes)
B -   1473882 - Image Load, Start
D -       701 - Auth Metadata
D -      2958 - Segments hash check
D -    296521 - APPSBL Image Loaded, Delta - (530545 Bytes)
B -   1787910 - SBL1, End
D -   1492304 - SBL1, Delta
S - Flash Throughput, 1000 KB/s  (2107702 Bytes,  1120222 us)
S - Core 0 Frequency, 800 MHz
S - DDR Frequency, 466 MHz


U-Boot Jaguar 2016.01 v2.5.0d (May 22 2023 - 17:46:50 +0000), Build: jenkins-Enterprise_Wi-Fi-Official-6.x-83

DRAM:  smem ram ptable found: ver: 2 len: 4
1 GiB
NAND:  ONFI device found
ID = 1590aac2
Vendor = c2
Device = aa
SPI_ADDR_LEN=3
SF: Detected W25Q128FW with page size 256 Bytes, erase size 4 KiB, total 16 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x1000000
272 MiB
MMC:   sdhci: Node Not found, skipping initialization

PCI Link Intialized
In:    serial@78B1000
Out:   serial@78B1000
Err:   serial@78B1000
machid: 8030002
Jaguar Hardware ID: 0x3
cal_mcs: count 1
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 9
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 1
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 10
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 7
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 3
cal_mcs: count 0
cal_mcs: count 2
cal_mcs: count 4
cal_mcs: count 1
cal_mcs: count 2
cal_mcs: count 2
cal_mcs: count 1
cal_mcs: count 12
cal_mcs: count 1
cal_mcs: count 10
cal_mcs: count 1
mec_events: looped 16 times
Erasing SPI flash...Writing to SPI flash...done
Erasing SPI flash...Writing to SPI flash...done
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=0", size 96 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 768, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 10/9, WL threshold: 4096, image sequence number: 1343497044
ubi0: available PEBs: 443, total reserved PEBs: 325, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4698112)
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Jaguar Linux -1
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000d4
     Data Size:    4273272 Bytes = 4.1 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x41208000
     Entry Point:  0x41208000
     Hash algo:    crc32
     Hash value:   0acc06e7
   Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'fdt@cp01-c3-xv3-4' fdt subimage
     Description:  Jaguar XE3-4 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x4444a5f4
     Data Size:    75761 Bytes = 74 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   1ad58626
   Verifying Hash Integrity ... crc32+ OK
   Booting using the fdt blob at 0x4444a5f4
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484ea000, end 484ff7f0 ... OK
Using machid 0x8030002 from environment

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.4.60 (ubuntu@ip-10-200-21-136) (gcc version 5.4.0 (crosstool-NG crosstool-ng-1.23.0 - 2) ) #1 SMP PREEMPT Mon May 22 17:37:45 UTC 2023
[    0.000000] CPU: ARMv7 Processor [51af8014] revision 4 (ARMv7), cr=10c0383d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Qualcomm Technologies, Inc. IPQ6018/AP-CP01-C3
[    0.000000] Ignoring memory range 0x40000000 - 0x41000000
[    0.000000] Reserved memory: created DMA memory pool at 0x52f00000, size 24 MiB
[    0.000000] Reserved memory: initialized node dma_pool0@52f00000, compatible id shared-dma-pool
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 211748
[    0.000000] Kernel command line: console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab ubi.mtd=rootfs_1 root=mtd:ubi_rootfs rootfstype=squashfs rootwait swiotlb=1 coherent_pool=2M
[    0.000000] PID hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Memory: 836032K/856064K available (6316K kernel code, 457K rwdata, 2024K rodata, 1024K init, 457K bss, 20032K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xbf800000 - 0xff800000   (1024 MB)
[    0.000000]     lowmem  : 0x80000000 - 0xbf000000   (1008 MB)
[    0.000000]     pkmap   : 0x7fe00000 - 0x80000000   (   2 MB)
[    0.000000]     modules : 0x7f000000 - 0x7fe00000   (  14 MB)
[    0.000000]       .text : 0x80208000 - 0x80b25108   (9333 kB)
[    0.000000]       .init : 0x80c00000 - 0x80d00000   (1024 kB)
[    0.000000]       .data : 0x80d00000 - 0x80d72458   ( 458 kB)
[    0.000000]        .bss : 0x80d75000 - 0x80de76f0   ( 458 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000]  Build-time adjustment of leaf fanout to 32.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] Architected cp15 timer(s) running at 24.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns
...

I was able to get fw_printenv from the cli with built in command:

fw_printenv
artsum=85f934d6c6077e0851963acd8bc6eda8
baudrate=115200
bootargs=console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab
bootcmd=bootipq
bootdelay=4
dump_to_flash=0x0f000000
dump_to_nand=1
eth1addr=b4:a0:5x:08:5b:23
ethaddr=b4:a0:5x:08:5b:22
fdt_high=0x48500000
fdtcontroladdr=4a473b60
flash_type=7
hwid=3
image=0
ipaddr=192.168.1.1
machid=8030002
nand256=1
netmask=255.255.255.0
nss=1
poe=802.3bt5
serverip=192.168.1.120
soc_hw_version=20170100
soc_version_major=1
soc_version_minor=0
stderr=serial@78B1000
stdin=serial@78B1000
stdout=serial@78B1000
ver=U-Boot Jaguar 2016.01 v2.5.0d (May 22 2023 - 17:46:50 +0000)
bootcount=0
curr_time=1684778769

I know, I know... it's an IPQ6018(LA), but I'm curious :slight_smile:

Happy to get any hint or tips, if there's anything that can be done.

As fw_printenv shows

bootdelay=4

There seems to be a way to interrupt the boot process.
The Dynalink WRX36 (with newer OEM firmware) needs some env. variables

console_enable=1
console_unlock=1

You might try to

setenv console_enable 1
setenv console_unlock 1
saveenv

followed by a reboot ...

Good luck

Thanks. I was looking at that post and tried it, but it did not work for me.
Do you know where I need to type this to make it work?
I've tried different "places" but I'm unsure where the correct "place" is. If I wait too long the CLI login is loaded, so then I need to reboot again.

Where did you type "fw_printenv" ?
This would be the right place to type setenv/saveenv.

That comes from a diagnostic function on the unit. They generate a file with that command. But for me while booting I don’t have any place to type any commands.

That's bad news ...
Do you have the possibility to save/export the configuration of the device and take "a look insight" ?

I’m afraid I can’t. I’ve only done a binwalk on the firmware and extracted squash root and dts.
But I’m going to try to see if there’s any other way to set parameters.
If I remember correctly, a Netgear AP used an SSH command to set active fw.

Will try that tomorrow :+1:

If you are able to enter the cli, ssh console?, you could then try using the fw_printenv and fw_setenv commands.

With the already mentioned dl-wrx36 the u-boot console is initially locked, but you can set those mentioned u-boot variables to "unlock" the u-boot console for the next boots. So, you first need SSH access for being able to config u-boot.

In the SSH console after normal login.
fw_printenv
fw_setenv console_enable 1
fw_setenv console_unlock 1

You should then see the set new variables with fw_printenv

Hello, and thanks for the input. I did try the commands in the CLI with ssh. Sadly the feedback is "uknown command". It's similar to Netgear and cli + ssh in a way.

So I have only cli access with ssh, and very limited functionality. :neutral_face:

As you have access to CLI, you should also be able to check the u-boot binary contents for hints.

You should be able to copy & look at all mtd partition contents, so that you could possibly find out which strings are mentioned there. /proc/mtd gives hints, but /dev/mtd2 etc. should be viewable with hexdump. "dmesg" kernel log might also show the partition names.

You might try to find out if there is something like console_enable, console_lock, console_unlock etc. mentioned in u-boot, so that you might figure out what you need to change in the u-boot env (and only then figure out how to get write access to that).

If the firmware is based on an ancient OpenWrt with the exactly same libc version as OpenWrt, there is a remote possibility that u-boot env tools package from the similar OpenWrt might be compatible. That might give you the fw_printenv and fw_setenv.

Is there fw_printenv already? Your messages above are a bit unclear.
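Added example (not part of any post in this thread): one way to do the offline check suggested above, in Python, once a copy of the env partition and of the U-Boot partition is on a workstation. It assumes the non-redundant U-Boot env layout (4-byte little-endian CRC32 followed by NUL-separated `key=value` entries), which matches the `Environment size: 611/65532 bytes` line and the 0x10000-byte `0:APPSBLENV` partition shown later in the thread; all function names are hypothetical and the sample bytes are constructed.

```python
import re
import struct
import zlib

ENV_PART_SIZE = 0x10000   # "0:APPSBLENV" is 0x10000 bytes in this thread's mtd listing
CRC_LEN = 4               # assumed layout: CRC32 header, then NUL-separated key=value data
KEYWORDS = (b"console", b"autoboot", b"bootdelay")   # strings worth a look in a U-Boot dump
WATCHED = ("console_enable", "console_unlock")       # names from the Dynalink WRX36 hint


def build_env(variables, size=ENV_PART_SIZE):
    """Build a constructed env image; only used to get sample input offline."""
    body = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    data = body.ljust(size - CRC_LEN, b"\0")
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) + data


def parse_env(blob):
    """Return (crc_ok, variables, bytes_used) for a raw env partition dump."""
    if len(blob) <= CRC_LEN:
        raise ValueError("dump too short to hold a U-Boot environment")
    (stored,) = struct.unpack_from("<I", blob)
    data = blob[CRC_LEN:]
    # The CRC covers the whole data area, padding included, not just the used part.
    crc_ok = stored == (zlib.crc32(data) & 0xFFFFFFFF)
    end = data.find(b"\0\0")             # an empty entry terminates the list
    raw = data if end < 0 else data[:end]
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:
            env[key.decode("latin-1")] = value.decode("latin-1")
    used = len(data) if end < 0 else end + 2
    return crc_ok, env, used


def audit(env):
    """Summarise the variables that decide whether the boot can be interrupted."""
    notes = []
    delay = env.get("bootdelay")
    if delay is None:
        notes.append("bootdelay is unset: the compiled-in default applies")
    else:
        try:
            seconds = int(delay)
        except ValueError:
            seconds = None
        if seconds is None:
            notes.append(f"bootdelay={delay!r} is not a number")
        elif seconds > 0:
            notes.append(f"bootdelay={seconds}: countdown configured in env; "
                         "a missing prompt points at the bootloader build")
        else:
            notes.append(f"bootdelay={seconds}: autoboot starts without a countdown")
    for name in WATCHED:
        notes.append(f"{name}={env[name]}" if name in env else f"{name} is not set")
    return notes


def scan_strings(blob, keywords=KEYWORDS, min_len=4):
    """List printable ASCII runs in a binary dump that mention any keyword."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode("ascii") for r in runs if any(k in r.lower() for k in keywords)]


if __name__ == "__main__":
    # Constructed sample env, using three values from the fw_printenv output above.
    env_dump = build_env({"bootcmd": "bootipq", "bootdelay": "4", "baudrate": "115200"})
    ok, env, used = parse_env(env_dump)
    print(f"CRC ok: {ok}, {len(env)} variables, {used} bytes used")
    for note in audit(env):
        print(" -", note)

    # Constructed stand-in for a bootloader dump (not bytes from the real device).
    uboot_dump = (b"\x00\x01\xfeHit any key to stop autoboot: %2d \x00\xff"
                  b"console_unlock\x00bootipq\x00\x7f\x80")
    for s in scan_strings(uboot_dump):
        print("string:", s)
```

A failed CRC usually means the wrong partition, offset or layout was dumped rather than a damaged environment, so check that before trusting the variable list.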

Hmm, I'll see if I can find out anything about console_enable etc. I'm looking at the clish that they have created to look for clues, but so far there's nothing.

Yeah, the thing is. In the web ui I can generate a diagnostic report. Inside this zip there's information about fw_printenv ifconfig etc.
So I'm able to see some information from the system.

However, I did find a command service start-shell that is only for Cambium. This is probably where they have root access and all the fun stuff.

# From the clish file
/mnt/flash/config/last_startshell_password
something something danger zone %02X-%02X-%02X-%02X-%02X-%02X
/etc/allow_root
Last password on %02X-%02X-%02X-%02X-%02X-%02X was '%s'. Enter new password:
%%Error: Incorrect password
/bin/sh
something something danger zone %s

(I guess they like Family Guy and Archer tho) :wink: I did try to set a new password and login to shell, but no luck there.

Here are some more details that I can see (remember this is from the generated file, I can't type any of these commands).

df -h
Filesystem                Size      Used Available Use% Mounted on
mtd:ubi_rootfs           27.1M     27.1M         0 100% /
devtmpfs                407.7M         0    407.7M   0% /dev
tmpfs                   408.2M         0    408.2M   0% /dev/shm
tmpfs                   408.2M    512.0K    407.7M   0% /tmp
tmpfs                   408.2M    296.0K    407.9M   0% /run
tmpfs                   408.2M    408.0K    407.8M   0% /var/log
ubi1:nvram               36.3M      3.9M     30.5M  11% /mnt/flash
overlay                  36.3M      3.9M     30.5M  11% /etc
dev:    size   erasesize  name
mtd0: 000c0000 00010000 "0:SBL1"
mtd1: 00010000 00010000 "0:MIBIB"
mtd2: 00020000 00010000 "0:BOOTCONFIG"
mtd3: 00020000 00010000 "0:BOOTCONFIG1"
mtd4: 001a0000 00010000 "0:QSEE"
mtd5: 001a0000 00010000 "0:QSEE_1"
mtd6: 00010000 00010000 "0:DEVCFG"
mtd7: 00010000 00010000 "mfginfo"
mtd8: 00040000 00010000 "0:RPM"
mtd9: 00040000 00010000 "0:RPM_1"
mtd10: 00010000 00010000 "0:CDT"
mtd11: 00010000 00010000 "0:CDT_1"
mtd12: 00010000 00010000 "0:APPSBLENV"
mtd13: 000a0000 00010000 "0:APPSBL"
mtd14: 000a0000 00010000 "0:APPSBL_1"
mtd15: 00080000 00010000 "0:ART"
mtd16: 06000000 00020000 "rootfs"
mtd17: 06000000 00020000 "rootfs_1"
mtd18: 03000000 00020000 "NVRAM"
mtd19: 01000000 00020000 "crashLog"
mtd20: 004b9000 0001f000 "kernel"
mtd21: 01b01000 0001f000 "ubi_rootfs"
mtd22: 0292c000 0001f000 "nvram"

Does anyone happen to know how to add:

------BEGIN MANIFEST
MANIFEST_VERSION=2
IMAGE_FORMAT=3
SUPPORTED_PRODUCTS=XV2-2:XE3-4
IMAGE_VERSION=6.4.1-r15
IMAGE_UBOOT_VERSION=v2.4.1e
IMAGE_SIZE=34603008
------END MANIFEST

to an image?

I have a .cimg with 2 ubi images inside, but stock uses this manifest in the head, to validate the image. I have just extracted the squashfs-root image and changed some settings to be able to stop autoboot. Then I used ubinize to create a new image.

Thanks.

Edit:
@hnyman do you happen to know why Hit any key to stop autoboot doesn't show up on boot? I can see in the config bootdelay=2. Did they disable that option?

No idea about it.

So I got a little further. I have now access to the bootloader by shorting cs pin.

Anyway, now I'm stuck at this message with initramfs

Starting kernel ...

Jumping to AARCH64 kernel via monitor

What I've got so far is this data from the bootloader.

Stock image

Erasing SPI flash...Writing to SPI flash...done
Setting MAC Address from mfginfo to b4:a2:5c:02:5a:72
Erasing SPI flash...Writing to SPI flash...done
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=0", size 96 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 768, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 14/13, WL threshold: 4096, image sequence number: 1906192983
ubi0: available PEBs: 462, total reserved PEBs: 306, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4952064)
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'kernel@1' kernel subimage
     Description:  Jaguar Linux -1
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000d4
     Data Size:    4530694 Bytes = 4.3 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x41208000
     Entry Point:  0x41208000
     Hash algo:    crc32
     Hash value:   d1231bae
   Verifying Hash Integrity ... crc32+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'fdt@cp01-c3-xv3-4' fdt subimage
     Description:  Jaguar XE3-4 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x44489b78
     Data Size:    76369 Bytes = 74.6 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   3da1b6ba
   Verifying Hash Integrity ... crc32+ OK
   Booting using the fdt blob at 0x44489b78
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484ea000, end 484ffa50 ... OK
Using machid 0x8030002 from environment

Starting kernel ...

Openwrt

Erasing SPI flash...Writing to SPI flash...done
Setting MAC Address from mfginfo to b4:a2:5c:02:5a:72
Erasing SPI flash...Writing to SPI flash...done
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=0", size 96 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 768, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 1713778025
ubi0: available PEBs: 0, total reserved PEBs: 768, PEBs reserved for bad PEB handling: 40
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (4952064)
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-6.6.27
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000e8
     Data Size:    4864336 Bytes = 4.6 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41208000
     Entry Point:  0x41208000
     Hash algo:    crc32
     Hash value:   9cc9669d
     Hash algo:    sha1
     Hash value:   f16f23f7924c3657bcc30f63c70afc11e6629fb4
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt cambiumnetworks_xe3-4 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x444a3b80
     Data Size:    36050 Bytes = 35.2 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   32dad2c0
     Hash algo:    sha1
     Hash value:   1c9aa63d88dd8d7a86bc877f0b0a6ef68e2c66db
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x444a3b80
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484f4000, end 484ffcd1 ... OK
Using machid 0x8030002 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor

Here you can find my WIP https://github.com/skramstad/openwrt/commit/c5ce2cb42bd46eaa49d5a7e21eb3073b597a47b4

Some other data

(IPQ6018) # help
?       - alias for 'help'
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootelf - Boot from an ELF image in memory
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
bootz   - boot Linux zImage image from memory
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
imxtract- extract a part of a multi-image
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mec     - Power Event command
mfgrom  - mfgrom  - show/set manufacturing ROM parameters

mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
part    - disk partition related commands
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv  - set environment variables
setexpr - set environment variable as the result of eval expression
sf      - SPI flash sub-system
showvar - print local hushshell variables
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
tzt     - load and run tzt

uart    - UART sub-system
ubi     - ubi commands
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
(IPQ6018) # printenv
baudrate=115200
bootargs=console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab
bootcmd=bootipq
bootcount=0
bootdelay=4
dump_to_flash=0x07800000
dump_to_nand=1
ethact=eth0
ethaddr=00:03:7f:ba:db:ad
fdt_high=0x48500000
fdtcontroladdr=4a4736a0
flash_type=7
hwid=3
image=0
ipaddr=192.168.1.1
machid=8030002
nand256=1
netmask=255.255.255.0
poe=802.3bt5
serverip=192.168.1.120
soc_hw_version=20170100
soc_version_major=1
soc_version_minor=0
stderr=serial@78B1000
stdin=serial@78B1000
stdout=serial@78B1000
ver=U-Boot Jaguar 2016.01 v2.4.1e (Apr 07 2022 - 14:55:32 +0000)

Environment size: 611/65532 bytes
(IPQ6018) # bdinfo
arch_number = 0x08030002
boot_params = 0x40000100
DRAM bank   = 0x00000000
-> start    = 0x40000000
-> size     = 0x40000000
eth0name    = eth0
ethaddr     = 00:03:7f:ba:db:ad
current eth = eth0
ip_addr     = 192.168.1.1
baudrate    = 115200 bps
TLB addr    = 0x4A490000
relocaddr   = 0x4A400000
reloc off   = 0x00000000
irq_sp      = 0x4A27FA90
sp start    = 0x4A27FA80
(IPQ6018) # smeminfo
ubi0: attaching mtd2
ubi0: scanning is finished
ubi0: attached mtd2 (name "mtd=0", size 96 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 768, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 2, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 14/13, WL threshold: 4096, image sequence number: 1906192983
ubi0: available PEBs: 462, total reserved PEBs: 306, PEBs reserved for bad PEB handling: 40
flash_type:             0x6
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x10000
flash_density:          0x1000000
partition table offset  0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0          0xc0000
  1: 0:MIBIB          0x001040ff          0xc0000          0x10000
  2: 0:BOOTCONFIG     0x001040ff          0xd0000          0x20000
  3: 0:BOOTCONFIG1    0x001040ff          0xf0000          0x20000
  4: 0:QSEE           0x0000ffff         0x110000         0x1a0000
  5: 0:QSEE_1         0x0000ffff         0x2b0000         0x1a0000
  6: 0:DEVCFG         0x0000ffff         0x450000          0x10000
  7: mfginfo          0x0000ffff         0x460000          0x10000
  8: 0:RPM            0x0000ffff         0x470000          0x40000
  9: 0:RPM_1          0x0000ffff         0x4b0000          0x40000
 10: 0:CDT            0x0000ffff         0x4f0000          0x10000
 11: 0:CDT_1          0x0000ffff         0x500000          0x10000
 12: 0:APPSBLENV      0x0000ffff         0x510000          0x10000
 13: 0:APPSBL         0x0000ffff         0x520000          0xa0000
 14: 0:APPSBL_1       0x0000ffff         0x5c0000          0xa0000
 15: 0:ART            0x0000ffff         0x660000          0x80000
 16: rootfs           0x0100ffff              0x0        0x6000000
        ubi vol 0 kernel
        ubi vol 1 ubi_rootfs
 17: rootfs_1         0x0100ffff        0x6000000        0x6000000
 18: NVRAM            0x0100ffff        0xc000000        0x3000000
 19: crashLog         0x0100ffff        0xf000000        0x1000000
(IPQ6018) # is_sec_boot_enabled
secure boot fuse is not enabled

@robimarko Sorry to bother you, but do you have any insight on what can cause error
Jumping to AARCH64 kernel via monitor ?

I don't care for wifi etc now, just want it to boot, so if I should remove anything from my DTS or packages, to keep it clean and simple, please do share :+1:

You gotta enable earlycon for start to make sure the kernel is booting at all, cause if not then it's probably an issue with the load address where your image is too large

Hmm, I tried earlycon but it gave me 20 seconds of pause, then the same result as before.

I've tried some different addresses earlier.
The only one that gave a different output is the one below.

bootm 0x41080000

Uncompressing Kernel Image ... Error: inflate() returned -5
Image too large: increase CONFIG_SYS_BOOTM_LEN
Must RESET board to recover
resetting ...

Did you pass earlycon=msm_serial_dm,<addr> via bootargs?

Of course you need to set the address to the UART being used.

I did this

bootargs-append = " earlycon=msm_serial,0x78b1000 ubi.block=0,1 root=/dev/ubiblock0_1 rootfstype=squashfs";

Here is the stock boot log https://gist.github.com/skramstad/20c65653528d187e859a5f41f92a779f

Since you are manually booting anyway, just set earlycon via U-Boot bootargs env variable and that will then be directly passed to the kernel.

If you are still not seeing anything then you don't have enough space, and you will need to move the file load address as well as the kernel load address

Thanks @robimarko , we got some new data after adding this:
(my bad for trying msm_serial at first).

earlycon=msm_serial_dm,0x78b1000
(IPQ6018) # tftpboot init.itb
(IPQ6018) # bootm
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-6.6.27
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000e8
     Data Size:    14029927 Bytes = 13.4 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41208000
     Entry Point:  0x41208000
     Hash algo:    crc32
     Hash value:   78ad0cd6
     Hash algo:    sha1
     Hash value:   9e679d3f5e3d588dd6d1cd9e3645fc437c7eb0bf
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@cp01-c3-xv3-4' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt cambiumnetworks_xe3-4 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x44d61698
     Data Size:    36082 Bytes = 35.2 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   1a68b4a0
     Hash algo:    sha1
     Hash value:   8dd42af83b791f985d5a2867ccbc467cad3611fe
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x44d61698
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484f4000, end 484ffcf1 ... OK
Using machid 0x8030002 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x51af8014]
[    0.000000] Linux version 6.6.27 (nuc@nuc) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 13.2.0 r25996-e0363233c9) 13.2.0, GNU ld (GNU Binutils) 2.40.0) #0 SMP Mon Apr 22 09:27:05 2024
[    0.000000] Machine model: Cambium Networks XE3-4
[    0.000000] earlycon: msm_serial_dm0 at MMIO 0x00000000078b1000 (options '')
[    0.000000] printk: bootconsole [msm_serial_dm0] enabled
[    0.000000] [Firmware Bug]: Kernel image misaligned at boot, please fix your bootloader!
[    0.000000] OF: reserved mem: 0x0000000000060000..0x0000000000065fff (24 KiB) nomap non-reusable memory@60000
[    0.000000] OF: reserved mem: 0x000000004a100000..0x000000004a4fffff (4096 KiB) nomap non-reusable bootloader@4a100000
[    0.000000] OF: reserved mem: 0x000000004a500000..0x000000004a5fffff (1024 KiB) nomap non-reusable sbl@4a500000
[    0.000000] OF: reserved mem: 0x000000004a600000..0x000000004a9fffff (4096 KiB) nomap non-reusable memory@4a600000
[    0.000000] OF: reserved mem: 0x000000004aa00000..0x000000004aafffff (1024 KiB) nomap non-reusable memory@4aa00000
[    0.000000] OF: reserved mem: 0x000000004ab00000..0x000000004fffffff (87040 KiB) nomap non-reusable memory@4ab00000
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x000000007fffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x000000004a0fffff]
[    0.000000]   node   0: [mem 0x000000004a100000-0x000000004fffffff]
[    0.000000]   node   0: [mem 0x0000000050000000-0x000000007fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000007fffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] psci: SMC Calling Convention v1.0
[    0.000000] percpu: Embedded 18 pages/cpu s35240 r8192 d30296 u73728
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: detected: Spectre-v4
[    0.000000] alternatives: applying boot alternatives
[    0.000000] Kernel command line: console=ttyMSM0,115200n8 cnss2.bdf_pci0=0xab earlycon=msm_serial_dm,0x78b1000 ubi.block=0,1 root=/dev/ubiblock0_1 rootfstype=squashfs
[    0.000000] Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 258048
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] software IO TLB: SWIOTLB bounce buffer size adjusted to 1MB
[    0.000000] software IO TLB: area num 4.
[    0.000000] software IO TLB: mapped [mem 0x000000007eb00000-0x000000007ec00000] (1MB)
[    0.000000] Memory: 908064K/1048576K available (7872K kernel code, 880K rwdata, 2348K rodata, 10304K init, 276K bss, 140512K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] Root IRQ handler: gic_handle_irq
[    0.000000] GICv2m: range[mem 0x0b00a000-0x0b00affc], SPI[448:479]
[    0.000000] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[    0.000000] arch_timer: cp15 and mmio timer(s) running at 24.00MHz (virt/virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x588fe9dc0, max_idle_ns: 440795202592 ns
[    0.000000] sched_clock: 56 bits at 24MHz, resolution 41ns, wraps every 4398046511097ns
[    0.010849] Calibrating delay loop (skipped), value calculated using timer frequency.. 48.00 BogoMIPS (lpj=240000)
[    0.018747] pid_max: default: 32768 minimum: 301
[    0.034349] Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.034387] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.045618] RCU Tasks Trace: Setting shift to 2 and lim to 1 rcu_task_cb_adjust=1.
[    0.049251] rcu: Hierarchical SRCU implementation.
[    0.056518] rcu:     Max phase no-delay instances is 1000.
[    0.062006] smp: Bringing up secondary CPUs ...
[    0.067105] Detected VIPT I-cache on CPU1
[    0.067202] CPU1: Booted secondary processor 0x0000000001 [0x51af8014]
[    0.067882] Detected VIPT I-cache on CPU2
[    0.067950] CPU2: Booted secondary processor 0x0000000002 [0x51af8014]
[    0.068629] Detected VIPT I-cache on CPU3
[    0.068695] CPU3: Booted secondary processor 0x0000000003 [0x51af8014]
[    0.068765] smp: Brought up 1 node, 4 CPUs
[    0.102508] SMP: Total of 4 processors activated.
[    0.106583] CPU features: detected: 32-bit EL0 Support
[    0.111359] CPU features: detected: CRC32 instructions
[    0.116464] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[    0.121523] CPU: All CPU(s) started at EL1
[    0.129765] alternatives: applying system-wide alternatives
[    0.141857] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.141915] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.152545] pinctrl core: initialized pinctrl subsystem
[    0.159224] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.163190] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[    0.168499] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.175812] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.183843] thermal_sys: Registered thermal governor 'step_wise'
[    0.183901] cpuidle: using governor menu
[    0.197585] ASID allocator initialised with 65536 entries
[    0.207889] OF: /soc@0/dp4: could not find phandle 35
[    0.207970] OF: /soc@0/dp5: could not find phandle 35
[    0.215844] Internal error: synchronous external abort: 0000000096000210 [#1] SMP
[    0.216964] Modules linked in:
[    0.224420] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.27 #0
[    0.227376] Hardware name: Cambium Networks XE3-4 (DT)
[    0.233191] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    0.238402] pc : msm_gpio_get_direction+0x40/0x78
[    0.245257] lr : msm_gpio_get_direction+0x18/0x78
[    0.250117] sp : ffffffc08157b7d0
[    0.254800] x29: ffffffc08157b7d0 x28: 0000000000000002 x27: ffffff800003d320
[    0.258109] x26: 0000000000000320 x25: 0000000000000014 x24: 0000000000000000
[    0.265225] x23: 0000000000000000 x22: ffffffc0814d5560 x21: ffffff80000ea490
[    0.272344] x20: 0000000000000200 x19: 0000000000000014 x18: 0000000000000000
[    0.279462] x17: 000000002a83a5e3 x16: 000000007f71e81c x15: ffffffffffffffff
[    0.286581] x14: ffffff80003c74ea x13: 006c7274636e6970 x12: 2e30303030303031
[    0.293698] x11: 0000000e33539028 x10: 000000000002f818 x9 : 0000000000000004
[    0.300816] x8 : 0101010101010101 x7 : 0000000000736567 x6 : 0911040aade8efe7
[    0.307935] x5 : 676f682d0a041109 x4 : ffffffc081550688 x3 : 0000000000014000
[    0.315052] x2 : 000000000000006a x1 : ffffffc080814f60 x0 : ffffffc081814000
[    0.322172] Call trace:
[    0.329278]  msm_gpio_get_direction+0x40/0x78
[    0.331540]  gpiochip_add_data_with_key+0x75c/0xe3c
[    0.336055]  msm_pinctrl_probe+0x3ec/0x570
[    0.340741]  ipq6018_pinctrl_probe+0x18/0x28
[    0.344908]  platform_probe+0x68/0xc4
[    0.349333]  really_probe+0x148/0x2b0
[    0.352892]  __driver_probe_device+0x78/0x128
[    0.356540]  driver_probe_device+0x40/0x118
[    0.360880]  __device_attach_driver+0xb8/0x134
[    0.364872]  bus_for_each_drv+0x70/0xb8
[    0.369385]  __device_attach+0xa0/0x184
[    0.373119]  device_initial_probe+0x14/0x20
[    0.376938]  bus_probe_device+0xac/0xb0
[    0.381105]  device_add+0x580/0x738
[    0.384924]  of_device_add+0x54/0x64
[    0.388395]  of_platform_device_create_pdata+0x98/0xec
[    0.392219]  of_platform_bus_create+0xe8/0x308
[    0.397165]  of_platform_bus_create+0x130/0x308
[    0.401592]  of_platform_populate+0x50/0xcc
[    0.406019]  of_platform_default_populate_init+0xd0/0xf0
[    0.410187]  do_one_initcall+0x68/0x1f4
[    0.415740]  kernel_init_freeable+0x208/0x2e8
[    0.419301]  kernel_init+0x28/0x1dc
[    0.423812]  ret_from_fork+0x10/0x20
[    0.427116] Code: 92400442 9101a842 f8627800 8b030000 (b9400000)
[    0.430937] ---[ end trace 0000000000000000 ]---
[    0.436924] Kernel panic - not syncing: synchronous external abort: Fatal exception
[    0.441616] SMP: stopping secondary CPUs
[    0.448993] Rebooting in 1 seconds..