Add support for MikroTik RB5009UG

I'm going to make a small utility for writing an image from kernel2minor to take into account the possible presence of bad blocks on NAND.

Any reason, other than potentially wanting to go back to RouterOS, not to just get the u-boot support good enough to put on the NOR and then the NAND can go UBI? It looks like that might be easier for this platform than some of the other MikroTik devices.

On this platform it is actually not a bad idea, as it's well supported in mainline U-boot.
I mean, I have the U-boot working well enough to boot from NAND, SPI-NOR and USB are working as well.
But what I don't know is the SERDES config, as I can't just read that from register space.

But it means that one needs to somehow replace the bootloader first.

Replacing the bootloader is just very easy. /dev/mtdblock2 is available for writing from RouterOS (when it is jailbroken).

I guess the hard part is not the replacement by itself but coming up with the proper replacement to flash 😄

The hard part is reverse-engineering the mess that MikroTik did as they always but always have to have some custom logic for even the simplest of things.
It's not hard getting U-boot in good enough shape to give you access to USB, SPI-NOR and NAND, I already have that working.
No networking though, still need to figure out if the SERDES lane is wrong or the switch requires custom config.

Well keeping the evil openwrters away is an art of its own it seems...

Anyway, the current U-boot WIP is here:

I am still trying to jailbreak so that I can figure out the SFP pins as MikroTik being MikroTik is doing that from the switch driver itself and not using the generic SFP driver.
I can see that they are using I2C-GPIO when decompiling the switch driver with Ghidra.

I am honestly stupid or something as I just can't get the jailbreak to work, if we only had UART to see what was going on.

I wonder if we can get the GPL source code of their kernel (5.6.3) somewhere? Then, by analogy with the 3.x kernel, it would be possible to inject hooks into interesting functions (MDIO and others).

I think you should first take a traffic dump from the port that serves RB5009. That would clarify a lot ...

They have refused to provide a ROS v7 GPL dump, I have asked a couple of times claiming that it was not a stable release, not that it matters when it comes to GPLv2.
I will ask them again since it's now the default version.

I am thinking what's the easiest way to capture traffic, but I doubt it's networking related as it will load and boot the U-boot ELF, which is larger than the ROS ELF, just fine.

I can try to upload files to your RB5009. Just setup vpn client.

Sure, it's up and running.

And what is the password for MikroTik?

Yeah, I just saw the error.
I removed the password, user is the default admin

The files are uploaded. I sent it to reboot with launch via tftp.

Yeah, I saw it.
It fetched your ELF kernel and no telnet again.

Yes, all is right, but for some incredible reason it doesn't work!
My device does not have disk1 or disk3 directory. If I try to delete it, it reappears immediately.
Perhaps my device has some other markup of the file system, I initially bricked it and restored it through NetInstall.

Those disk1 and disk3 are leftover from plugging in a USB drive.

I will try Netinstalling then 7.2rc1.

@adron And boom, after Netinstalling it worked on the first try.
Thanks a lot, now the real fun can start

I'm glad we solved this riddle 🙃
