Add support for MikroTik RB5009UG

I compared it with what is written in the Hard config for RB450GX4.
There is no crc32 (like in Soft Config)! The second 4 bytes are the same for my RB5009 and my RB450GX4 and your RB5009: 1A 00 04 00. And the next 4 bytes are all zeros.
The next bytes are tags. So the Hard config format doesn't seem to have changed.
At offset 0x48 for both RB450 and RB5009 we find a tag with ID == 15h
RB450: 15 00 04 00 . 00 00 43 00
RB5009: 15 00 04 00 . 05 00 18 00
15h is HW_OPTIONS. 04 - 4 bytes len.
Then there are 32 bits: 05 00 18 00.
#define RB_HW_OPT_NO_UART BIT(0)
#define RB_HW_OPT_HAS_VOLTAGE BIT(1)
#define RB_HW_OPT_HAS_USB BIT(2)
#define RB_HW_OPT_HAS_ATTINY BIT(3)
#define RB_HW_OPT_PULSE_DUTY_CYCLE BIT(9)
#define RB_HW_OPT_NO_NAND BIT(14)
#define RB_HW_OPT_HAS_LCD BIT(15)
#define RB_HW_OPT_HAS_POE_OUT BIT(16)
#define RB_HW_OPT_HAS_uSD BIT(17)
#define RB_HW_OPT_HAS_SIM BIT(18)
#define RB_HW_OPT_HAS_SFP BIT(20)
#define RB_HW_OPT_HAS_WIFI BIT(21)
#define RB_HW_OPT_HAS_TS_FOR_ADC BIT(22)
#define RB_HW_OPT_HAS_PLC BIT(29)

180005h - 110000000000000000101b which means:
0 - NO_UART, 2 - HAS_USB, 19 - HAS_??, 20 - HAS_SFP. Accordingly, for UART we need the value: 110000000000000000100b which corresponds to 180004h or "04 00 18 00"
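The tag lookup and bit test described in this post, as an added example (not code from the original post or from any project). It assumes each record is a 16-bit little-endian ID, a 16-bit little-endian length and then the value, as the byte dumps suggest; the function names and the shortened sample buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BIT(n)            (1u << (n))
#define TAG_HW_OPTIONS    0x15      /* tag ID 15h from the post */
#define RB_HW_OPT_NO_UART BIT(0)
#define RB_HW_OPT_HAS_USB BIT(2)
#define RB_HW_OPT_HAS_SFP BIT(20)

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Walk [id:u16 LE][len:u16 LE][value:len bytes] records (layout assumed from
 * the dumps in the post). Returns 0 and sets *out for a 4-byte tag, -1 if the
 * tag is missing, has another length, or a record runs past the buffer. */
int rb_tag_u32(const uint8_t *buf, size_t size, uint16_t id, uint32_t *out)
{
    size_t off = 0;
    while (size - off >= 4) {
        uint16_t tid = le16(buf + off), len = le16(buf + off + 2);
        off += 4;
        if (len > size - off)
            return -1;              /* truncated record */
        if (tid == id) {
            if (len != 4)
                return -1;
            *out = le32(buf + off);
            return 0;
        }
        off += len;
    }
    return -1;
}

/* Constructed sample: only the two tags quoted in the post, back to back
 * (on the device, tag 15h sits at offset 0x48 with other data before it). */
static const uint8_t sample[] = {
    0x1A, 0x00, 0x04, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x15, 0x00, 0x04, 0x00,  0x05, 0x00, 0x18, 0x00,
};

int main(void)
{
    uint32_t opt;
    if (rb_tag_u32(sample, sizeof(sample), TAG_HW_OPTIONS, &opt))
        return 1;
    printf("hw_opt=%08x no-uart=%d\n", (unsigned)opt, !!(opt & RB_HW_OPT_NO_UART));
    printf("NO_UART cleared: %08x\n", (unsigned)(opt & ~RB_HW_OPT_NO_UART));
    return 0;
}
```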

Yes, /dev/mem is enabled.
Its dump (up to the moment when I get the read error: Bad address) and a screenshot of my DHCP settings are here.

I just can't understand - why can't you boot the RB5009 via bootp? I already booted my RB5009 via bootp from the modified ELF kernel image (it is also in the attached URL file). And it booted great!
On the RB5009 I use these commands:

/system/routerboard/settings> pr
              auto-upgrade: no
               boot-device: nand-if-fail-then-ethernet
             cpu-frequency: 1400MHz
             boot-protocol: bootp
       force-backup-booter: no
               silent-boot: no
      protected-routerboot: disabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 10m
[admin@RouterOS] /system/routerboard/settings> set boot-device=try-ethernet-once-then-nand 
[admin@RouterOS] /system/routerboard/settings> /system/reboot

Put the cable in regular 1Gb port then bootp will play nice. You have gotten to the point you realize you didn't do anything wrong but the 2.5Gb is failing on this somehow. And it seems you are or were using the 2.5Gb as shown in picture provided.

Received the device yesterday, only set the admin pw, assigned an IP and disabled DHCP as there is another DHCP server in the network. Then one host would not receive an IPv4 address, it received IPv6 though. Odd... changed config, made lots of changes to netplan (Ubuntu) and such, restarts, reboots. Ended up enabling wifi. OK, that got an IP of course. Concluded nothing is wrong with netplan and my actions and realized something else is amiss. Then I put the UTP cable in a cheap unmanaged switch and immediately received an IPv4 address. OK, then I put the UTP cable in a 1Gb port on the RB5009 and then an IPv4 address was also received immediately, consistently, reboot after reboot. Once connected on the 2.5Gb port, however, it consistently failed.

Not sure what the cause for this is though, but thanks MikroTik, wasted time here. Maybe I have some configuration to do in RouterOS. But I prefer OpenWrt though. Hope with this out of the way, I hope, things will be an easy breeze from now on.

update: it is not an ethernet switch of course but router with fw enabled I noticed now and can interfere. Disabling fw is not so easy it seems... saving this for another day.

OK, I disassembled it again to reflash the NOR.
Changed the 05 00 18 00 to 04 00 18 00 but no luck, it just prints the BootROM text.

BootROM - 2.03                                                               
Starting AP IOROM 1.02                                                       
Booting from SPI NOR flash 0                                                 
Found valid image at boot postion 0x000                                      
lmv_ddr: mv_ddr-1.1.0-g8c6defd127 (Aug 03 2021 - 18:17:37)
mv_ddr: completed successfully          
BL2: Initiating SCP_BL2 transfer to SCP 
*/dHFοΏ½οΏ½

I am now trying bootp, it's really crazy that it won't work.
I can see that the ELF kernel wasn't transferred at all.
I have pretty much the same settings as you do.

Crazy thing is that with RouterBoot v6 it works just fine

Perhaps a packet capture from the dhcp server would help shed some light?

@adron So, I finally set up a secondary router (RB450Gx4), netinstalled the ROSv7.1.1 on it, setup just a DHCP server and boom, the same DHCP lease offered thing.
However, bootp appears to kinda work (I see the lease and TFTP hit) but I still can't get the root telnet.
I assume that this is because I uploaded the scripts/busybox in the wrong place.
Can you show me the exact hierarchy that works? I got bit by this on others when rooting as well, but there I had UART at least.

Yes, the location of files uploaded via FTP is of decisive importance and it is different on different Mikrotik models.

Ok, I had the same hierarchy, but the issue is that I see that the execute permission was removed.
And I can't change it over FTP cause:
500 'SITE': command not understood

How did you deal with it?

Cause, bootp is for sure working as I can boot the U-boot ELF via bootp just fine.
In the meantime, I used U-boot to dump the CP0 pinctrl, AP dump doesn't look correct as it has 0xA which is not valid for its pins but I manually guessed the UART and SPI pins and those work.

Took some time to manually convert, but I think I have them all now.

I just use Linux and Midnight Commander (as FTP client), and upload a busybox file via FTP with 0700 permissions already set. No further action is required.

Then I don't know what I am doing wrong, I even used MC to copy the files and I see that it pulls the kernel ELF but no telnet.

I just want to see if it still passes the no-uart to cmdline

Yes, everything looks right!
Maybe, for some reason, it loads its own kernel and not what it is given through tftp?
And what version of the RouterOS? I am using 7.1-rc4.

Here are all necessary files for the latest RouterOS7.2rc1 and video instructions.

Well, it could be that it gives up before booting the actual kernel, though I don't see that it reboots.
ROS doesn't really offer a way to see if TFTP transfer actually completed.

Yeah, I downgraded the RB5009 to 7.1rc4 as well as it used 7.0.5 by default.

Thanks for the 7.2rc1, will give it a go today.

Ahh, it just refuses to work, I even moved the TFTP server to my desktop and it just won't open the telnet, switched to a fixed IP on the RouterBoard as well but it just doesn't work.

I honestly don't know what I am doing wrong, I used your initrd hack on over a dozen devices and it always worked just fine.

Magic...
TFTP is a pretty primitive protocol. Its work is easy to break with small losses. Perhaps you have something on the network that breaks its work. My RB5009 is connected to an unmanaged gigabit switch (MT7530 chip), and from it to the RB450Gx4. Moreover, about 20 other devices operate in the same network segment.
Try to check the work of your tftp server - by connecting to it from Linux and downloading the kernel file.

# tftp 172.20.1.77
tftp> bi
tftp> verb
Verbose mode on.
tftp> tra
Packet tracing on.
tftp> get /linux_t1.bin
getting from 172.20.1.77:/linux_t1.bin to linux_t1.bin [octet]
sent RRQ <file=/linux_t1.bin, mode=octet>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 512 bytes>
sent ACK <block=2>
received DATA <block=3, 512 bytes>
sent ACK <block=3>
received DATA <block=4, 512 bytes>
sent ACK <block=4>
received DATA <block=5, 512 bytes>
....
received DATA <block=6944, 512 bytes>
sent ACK <block=6944>
received DATA <block=6945, 512 bytes>
sent ACK <block=6945>
received DATA <block=6946, 280 bytes>
Received 3556120 bytes in 1.7 seconds [16605163 bit/s]
tftp>

I updated my RB5009 bootloader to 7.2rc1. But there is still no uart!
I tried changing the 15th tag value and this is what I got:

05 00 18 00: Kernel command line: root=/dev/ram0 no-uart no-buzzer benand_no_swecc=2 yaffs.inband_tags=1 parts=1 boot_part_size=8388608 arm64=Y board=5009 ver=7.2rc1 bver=7.0.5 hw_opt=00180005 boot=1 mlc=11
04 00 18 00: Kernel command line: root=/dev/ram0 no-uart no-buzzer benand_no_swecc=2 yaffs.inband_tags=1 parts=1 boot_part_size=8388608 arm64=Y board=5009 ver=7.2rc1 bver=7.0.5 hw_opt=00180004 boot=1 mlc=11
00 00 43 00: Kernel command line: root=/dev/ram0 no-uart no-buzzer benand_no_swecc=2 yaffs.inband_tags=1 parts=1 boot_part_size=8388608 arm64=Y board=5009 ver=7.2rc1 bver=7.0.5 hw_opt=00430000 boot=1 mlc=11

As you can see, the value of tag 15 is passed as a parameter to the kernel. That is, they still use tag 15 for hw-options. So this is just hardcoding (a bug) of no-uart in the bootloader itself!

P.S: You can easily overwrite a RouterBoot(NOR) partition from a jailbroken RouterOS:

On Linux side: cat ./mtdblock2.bin | nc -l -p 1111 -q 1
On RB5009 side: nc 172.20.1.77 1111 > /dev/mtdblock2
3 Likes
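A check for the mismatch shown in the three command lines above, as an added example (not code from the original post or from RouterOS): it reads hw_opt= from a kernel command line and reports when no-uart is present although bit 0 of the value is clear. The function names are hypothetical and the sample lines are shortened from the ones quoted in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `word` appears in `cmdline` as a whole space-delimited token. */
static int has_token(const char *cmdline, const char *word)
{
    size_t n = strlen(word);
    for (const char *p = cmdline; (p = strstr(p, word)) != NULL; p += n) {
        int starts = (p == cmdline) || (p[-1] == ' ');
        int ends = (p[n] == '\0') || (p[n] == ' ') || (p[n] == '\n');
        if (starts && ends)
            return 1;
    }
    return 0;
}

/* Parse hw_opt=<hex>. Returns 0 on success, -1 if absent or not hex. */
int cmdline_hw_opt(const char *cmdline, unsigned long *out)
{
    const char *p = strstr(cmdline, "hw_opt=");
    char *end;
    if (!p || (p != cmdline && p[-1] != ' '))
        return -1;
    p += strlen("hw_opt=");
    *out = strtoul(p, &end, 16);
    return (end == p) ? -1 : 0;
}

/* 1: no-uart is present although bit 0 (NO_UART) of hw_opt is clear,
 * 0: flag and bit agree (or the flag is absent), -1: no hw_opt value. */
int no_uart_forced(const char *cmdline)
{
    unsigned long opt;
    if (cmdline_hw_opt(cmdline, &opt))
        return -1;
    return has_token(cmdline, "no-uart") && !(opt & 1ul);
}

/* Shortened from the three command lines quoted in the post. */
static const char *lines[] = {
    "root=/dev/ram0 no-uart no-buzzer board=5009 hw_opt=00180005 boot=1",
    "root=/dev/ram0 no-uart no-buzzer board=5009 hw_opt=00180004 boot=1",
    "root=/dev/ram0 no-uart no-buzzer board=5009 hw_opt=00430000 boot=1",
};

int main(void)
{
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%s -> forced=%d\n", lines[i], no_uart_forced(lines[i]));
    return 0;
}
```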

Great, that is exactly what I wanted to see.
It's a shame to see that bug, unfortunately, RB5009 was always ROSv7 only so there isn't RouterBoot v6 available.

Since ARM64 only supports passing the DTB to the kernel, that means that RouterBoot is modifying the bootargs DT property on each boot.

Any luck updating kernel2minor to support bad blocks? That should allow the older Mikrotik units to be supported again.

You can't really do that, because it's just statically packing the FS, and to handle bad blocks you actually need access to the NAND device so that you can scan it and know if there are and which blocks are bad.

And to do that you need to be running SW on the device itself, which wouldn't be an issue if YAFFS was an upstream FS or if UBIFS wasn't a thing.

What about tftp booting a kernel just enough to do the check and then do a sysupgrade?

And that is what basically every device with a NAND does, but you can't do it as there is no YAFFS support in the kernel.