The NOR flash contains a base64 encoded RSA public key. I suspect the bootloader uses this to verify the signature of the image while uploading it in recovery mode (keep pressing the reset button for ~10s during boot to enter it). The web interface shows a pop-up with Checksum Error., at the same time the console shows [ERROR]lib/dkmgt/dkmgt_firmware.c:196 | firmware RSA verify failed
So my idea was to generate a new RSA key pair locally, sign the image with the private key, and overwrite the public key in the NOR flash, hoping that the bootloader will then accept the OpenWrt image. Unfortunately I keep failing to read the NOR flash with my Odroid XU4, and I have no other 1.8v SPI reader around, so I can't confirm this option works or not.
The other option explained by @svanheule is no easy task if you're not great at soldering.
For those who manage that, here's the procedure to boot via TFTP and flash OpenWrt to NAND.
- abort boot with ctrl-b
- configure a TFTP server on 192.168.0.101
- run
tftpboot - note the filename it's trying to download
-
binwalk bin/targets/mvebu/cortexa53/openwrt-mvebu-cortexa53-tplink_oc200-initramfs-kernel.binand note the offset of the DT at the end of the image - copy bin/targets/mvebu/cortexa53/openwrt-mvebu-cortexa53-tplink_oc200-initramfs-kernel.bin to your TFTP directory and give it the filename noted in the previous step
- run
tftpbootagain - run
bootefi 0x5000000 0x68DA200- to get the 2nd argument, add the offset of the DT you noted earlier to the first argument, e.g. 0x5000000 + 0x18DA200 = 0x68DA200 - wait for OpenWrt to finish booting, then scp bin/targets/mvebu/cortexa53/openwrt-mvebu-cortexa53-tplink_oc200-squashfs-sysupgrade.bin to /tmp
sysupgrade openwrt-mvebu-cortexa53-tplink_oc200-squashfs-sysupgrade.bin
I've just verified the above procedure with an image built from my oc200 branch which was just rebased on master + my gcc10 branch, and it's still working.