Adding OpenWrt support for Arcadyan WE420223-99 (KPN Experia WiFi)

Hi! I'm developing OpenWrt support for the Arcadyan WE420223-99 (KPN Experia WiFi). I've been testing it for about a week now at home and all seems well so far. Some questions:

  • How should I name this device? It is known and sold as KPN Experia WiFi, though the technical name is WG420223-99. This name was found in the filesystem as model name (but is nowhere to be found on the labels of the device). There is a device with the same case and almost the same model number, the WG420223-TC. We have no idea whether the internals are the same at all. Is WG420223 the model and are 99 and TC the versions? Or should the primary name be Arcadyan KPN Experia WiFi and the DEVICE_ALT0 information refer to the WG model number?
  • The device has 4 2-color LEDs: Power, WiFi, WPS and Followme (it has this name in the original firmware). How should they be configured?
    • The WiFi LED indicates whether WiFi is turned on. How to do this in OpenWrt? I have both a phy0 and phy1.
    • I did not test WPS so I suppose that LED will be left unused.
    • The Followme LED should turn on when a device is associated with either phy0 or phy1

My code is available at https://github.com/hberntsen/openwrt-experia-wifi


Some board pictures:

With MXC flash chip:


With Winbond flash chip:



This is the front of the case:

The label is at the bottom:

The device can be opened by first unscrewing the 2 screws at the back:

Then, starting at the bottom, open it up. Pop the 2 clips on each side.

At last, pop the internal clip at the top with a screwdriver:


Bootlog (MXC variant):

===================================================================
     		MT7621   stage1 code 10:33:55 (ASIC)
     		CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL4 FB_DL: 0x7, 1/0 = 627/397 1D000000
PLL3 FB_DL: 0x12, 1/0 = 657/367 49000000
PLL2 FB_DL: 0x17, 1/0 = 595/429 5D000000
do DDR setting..[01F40000]
Apply DDR3 Setting...(use customer AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
      --------------------------------------------------------------------------------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    1
000E:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1
000F:|    0    0    0    0    1    1    1    1    1    1    1    1    1    1    1    0
0010:|    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0
0011:|    1    1    1    1    0    0    0    0    0    0    0    0    0    0    0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
rank 0 coarse = 15
rank 0 fine = 72
B:|    0    0    0    0    0    0    0    1    1    1    0    0    0    0    0    0
opt_dle value:8
DRAMC_R0DELDLY[018]=00001E1F
==================================================================
		RX	DQS perbit delay software calibration 
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    9 7 8 9 7 7 8 7 8 8 
10 |    9 10 9 12 9 10 
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center 
y=0-7bit DQ of every group
input delay:DQS0 =31 DQS1 = 30
==================================================================
bit	DQS0	 bit      DQS1
0  (1~60)30  8  (1~59)30
1  (1~60)30  9  (1~58)29
2  (1~60)30  10  (1~60)30
3  (1~58)29  11  (1~56)28
4  (1~58)29  12  (1~58)29
5  (1~60)30  13  (1~59)30
6  (1~59)30  14  (1~60)30
7  (1~62)31  15  (1~59)30
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    10 8 9 11 9 8 9 7 8 9 
10 |    9 12 10 12 9 10 
==================================================================
==================================================================
     TX  perbyte calibration 
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000 
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2 
DQ loop=15, cmp_err_1 = ffff00a2
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=1 
DQ loop=14, cmp_err_1 = ffff00a0
DQ loop=13, cmp_err_1 = ffff0080
DQ loop=12, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=12,  finish count=2 
byte:0, (DQS,DQ)=(9,8)
byte:1, (DQS,DQ)=(8,8)
20,data:89
[EMI] DRAMC calibration passed

===================================================================
     		MT7621   stage1 code done 
     		CPU=500000000 HZ BUS=166666666 HZ
===================================================================


U-Boot 1.1.3 (Dec  4 2017 - 11:37:57) 0.00

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87f94000

Config XHCI 40M PLL 
flash manufacture id: c2, device id 20 19
find flash: MX25L25635E
============================================ 
Ralink UBoot Version: 5.0.0.1
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 
DRAM_TYPE: DDR3 
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: 32 MBytes NOR Flash
Date:Dec  4 2017  Time:11:37:57
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
default: 3
 4  3  2  1  0 
   
3: System Boot system code via Flash[1].
## Booting image at bd000000 ...
cur glbcfg partition 1 is good!
   Verifying Trx ... OK
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2540670 Bytes =  2.4 MB
   Load Address: 81001000
   Entry Point:  814df880
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 814df880) ...
## Giving linux memsize in MB, 128

Starting kernel ...

The Winbond variant U-Boot log has a different date:

U-Boot 1.1.3 (Nov 23 2017 - 16:40:17) 0.00

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87f94000

Config XHCI 40M PLL 
flash manufacture id: ef, device id 40 19
find flash: W25Q256FV

Linux bootlog (MXC variant running old firmware):

LINUX started...

 THIS IS ASIC

SDK 5.0.S.0
Linux version 3.10.14 (william_chen@sw1.2) (gcc version 4.6.3 (Buildroot 2012.11.1) ) #1 SMP Thu Aug 16 17:16:55 CST 2018

 The CPU feqenuce set to 880 MHz
GCMP present
CPU0 revision is: 0001992f (MIPS 1004Kc)
Software DMA cache coherency
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Zone ranges:
  DMA      [mem 0x00000000-0x00ffffff]
  Normal   [mem 0x01000000-0x07ffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x00000000-0x07ffffff]
Detected 3 available secondary CPU(s)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
PERCPU: Embedded 7 pages/cpu @8186e000 s6528 r8192 d13952 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock5 init=/sbin/preinit rootfstype=squashfs,jffs2
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Writing ErrCtl register=0006b811
Readback ErrCtl register=0006b811
Memory: 122216k/131072k available (5022k kernel code, 8856k reserved, 1523k data, 232k init, 0k highmem)
Hierarchical RCU implementation.
NR_IRQS:128
console [ttyS1] enabled
Calibrating delay loop... 574.46 BogoMIPS (lpj=1148928)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
launch: starting cpu1
launch: cpu1 gone!
CPU1 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 1: done.
launch: starting cpu2
launch: cpu2 gone!
CPU2 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 2: done.
launch: starting cpu3
launch: cpu3 gone!
CPU3 revision is: 0001992f (MIPS 1004Kc)
Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.
Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
Synchronize counters for CPU 3: done.
Brought up 4 CPUs
devtmpfs: initialized
NET: Registered protocol family 16
release PCIe RST: RALINK_RSTCTRL = 7000000
PCIE PHY initialize
***** Xtal 40MHz *****
start MT7621 PCIe register access
RALINK_RSTCTRL = 7000000
RALINK_CLKCFG1 = 77ffeff8

*************** MT7621 PCIe RC mode *************
PCIE0 no card, disable it(RST&CLK)
PCIE2 no card, disable it(RST&CLK)
pcie_link status = 0x2
RALINK_RSTCTRL= 2000000
*** Configure Device number setting of Virtual PCI-PCI bridge ***
RALINK_PCI_PCICFG_ADDR = 21007f2 -> 20107f2
PCIE1 enabled
interrupt enable status: 200000
Port 0 N_FTS = 1b105000
config reg done
init_rt2880pci done
bio: create slab <bio-0> at 0
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
pci_bus 0000:00: root bus resource [io  0x1e160000-0x1e16ffff]
pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
pci 0000:00:00.0: BAR 0: can't assign mem (size 0x80000000)
pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
pci 0000:00:00.0: BAR 1: assigned [mem 0x60100000-0x6010ffff]
pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
pci 0000:00:00.0: PCI bridge to [bus 01]
pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
PCI: Enabling device 0000:00:00.0 (0004 -> 0006)
BAR0 at slot 0 = 0
bus=0x0, slot = 0x0
res[0]->start = 0
res[0]->end = 0
res[1]->start = 60100000
res[1]->end = 6010ffff
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
bus=0x1, slot = 0x0, irq=0x18
res[0]->start = 60000000
res[0]->end = 600fffff
res[1]->start = 0
res[1]->end = 0
res[2]->start = 0
res[2]->end = 0
res[3]->start = 0
res[3]->end = 0
res[4]->start = 0
res[4]->end = 0
res[5]->start = 0
res[5]->end = 0
Switching to clocksource Ralink Systick timer
NET: Registered protocol family 2
Clockevents: could not switch to one-shot mode:
Clockevents: could not switch to one-shot mode:
Clockevents: could not switch to one-shot mode:
 MIPS is not functional.
 MIPS is not functional.
Clockevents: could not switch to one-shot mode: MIPS is not functional.
Could not switch to high resolution mode on CPU 1
Could not switch to high resolution mode on CPU 2
Could not switch to high resolution mode on CPU 3
 MIPS is not functional.
Could not switch to high resolution mode on CPU 0
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
4 CPUs re-calibrate udelay(lpj = 1167360)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 238
io scheduler noop registered (default)
reg_int_mask=0, INT_MASK= 0 
HSDMA_init

 hsdma_phy_tx_ring0 = 0x00c00000, hsdma_tx_ring0 = 0xa0c00000

 hsdma_phy_rx_ring0 = 0x00c04000, hsdma_rx_ring0 = 0xa0c04000
TX_CTX_IDX0 = 0
TX_DTX_IDX0 = 0
RX_CRX_IDX0 = 3ff
RX_DRX_IDX0 = 0
set_fe_HSDMA_glo_cfg
HSDMA_GLO_CFG = 465
Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x1e000d00 (irq = 27) is a 16550A
serial8250: ttyS1 at MMIO 0x1e000c00 (irq = 26) is a 16550A
Ralink gpio driver initialized
flash manufacture id: c2, device id 20 19
MX25L25635E(c2 2019c220) (32768 Kbytes)
mtd .name = raspi, .size = 0x02000000 (32M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
in find_rootfs_mtd_partitions  off=0x00050000 end=0x01000000
The  trx header  magic offset 0x0026c17c
raspi: squash filesystem found at offset 0x002bc17c
Found image1 partition off 0x002bc17c size 0x00d43e84
in find_rootfs_mtd_partitions  off=0x01000000 end=0x01fb0000
The  trx header  magic offset 0x0026c4dc
raspi: squash filesystem found at offset 0x0126c4dc
Found image2 partition off 0x0126c4dc size 0x00d43b24
Creating 12 MTD partitions on "raspi":
0x000000000000-0x000002000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000001000000 : "Kernel"
0x0000002bc17c-0x000001000000 : "RootFS"
mtd: partition "RootFS" doesn't start on an erase block boundary -- force read-only
0x000001000000-0x000001fb0000 : "Kernel2"
0x00000126c4dc-0x000001fb0000 : "RootFS2"
mtd: partition "RootFS2" doesn't start on an erase block boundary -- force read-only
0x000001fb0000-0x000001fc0000 : "glbcfg"
0x000001fc0000-0x000001fd0000 : "board_data"
0x000001fd0000-0x000001fe0000 : "glbcfg2"
0x000001fe0000-0x000001ff0000 : "board_data2"
PPP generic driver version 2.4.2
PPP BSD Compression module registered
NET: Registered protocol family 24
register mt_drv


=== pAd = c0181000, size = 3788464 ===

<-- RTMPAllocAdapterBlock, Status=0
pAd->PciHif.CSRBaseAddress =0xc0080000, csr_addr=0xc0080000!
RTMPInitPCIeDevice():device_id=0x7615
DriverOwn()::Try to Clear FW Own...
DriverOwn()::Success to clear FW Own
mt_pci_chip_cfg(): HWVer=0x8a10, FWVer=0x8a10, pAd->ChipID=0x7615
mt_pci_chip_cfg(): HIF_SYS_REV=0x76150001
RtmpChipOpsHook(492): Not support for HIF_MT yet! MACVersion=0x0
mt7615_init()-->
Use the default ePAeLNA bin image!
Use the default /etc_ro/wlan/MT7615E_EEPROM1.bin bin image!
<--mt7615_init()
ChipOpsMCUHook
cut_through_token_list_init(): TokenList inited done!id_head/tail=0/4096
cut_through_token_list_init(): 875b6288,875b6288
cut_through_token_list_init(): TokenList inited done!id_head/tail=0/4096
cut_through_token_list_init(): 875b6298,875b6298
<-- RTMPAllocTxRxRingMemory, Status=0
rdm_major = 253
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x432880a8
Ralink APSoC Ethernet Driver Initilization. v3.1  1024 rx/tx descriptors allocated, mtu = 1500!
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x432880a8
PROC INIT OK!
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
NET: Registered protocol family 17
Ebtables v2.0 registered
8021q: 802.1Q VLAN Support v1.8
Boot from /dev/mtdblock7
VFS: Mounted root (squashfs filesystem) readonly on device 31:7.
devtmpfs: mounted
Freeing unused kernel memory: 232K (81666000 - 816a0000)
Arcadyan the primary config checkout succeed.
Arcadyan the second config checkout succeed.
arca.dbus.mng: is ready
agent_handler(236):arca.dbus.misc: is ready
MD5=[2e9a0e55bd3587fc2d845b190837c07b]

Please press Enter to activate this console.  0: C:43:28:FFFFFF80:FFFFFFA8
Raeth v3.1 (Tasklet)
set CLK_CFG_0 = 0x40a00020!!!!!!!!!!!!!!!!!!1
phy_free_head is 0xc18000!!!
phy_free_tail_phy is 0xc19ff0!!!
txd_pool=a0c60000 phy_txd_pool=00C60000
ei_local->skb_free start address is 0x876da6cc.
free_txd: 00c60010, ei_local->cpu_ptr: 00C60000
 POOL  HEAD_PTR | DMA_PTR | CPU_PTR 
----------------+---------+--------
     0xa0c60000 0x00C60000 0x00C60000

phy_qrx_ring = 0x00c1a000, qrx_ring = 0xa0c1a000

phy_rx_ring0 = 0x00c1c000, rx_ring[0] = 0xa0c1c000
MT7530 Reset Completed!!
change HW-TRAP to 0x17c8f
set LAN/WAN LLLLW
GMAC1_MAC_ADRH -- : 0x0000000c
GMAC1_MAC_ADRL -- : 0x432880ab
GDMA2_MAC_ADRH -- : 0x0000000c
GDMA2_MAC_ADRL -- : 0x432880ac
eth3: ===> VirtualIF_open
MT7621 GE2 link rate to 1G
CDMA_CSG_CFG = 81000000
GDMA1_FWD_CFG = 20710000
GDMA2_FWD_CFG = 20710000
device eth2 entered promiscuous mode
br0: port 1(eth2) entered forwarding state
br0: port 1(eth2) entered forwarding state
device eth2.1000 entered promiscuous mode
br1: port 1(eth2.1000) entered forwarding state
br1: port 1(eth2.1000) entered forwarding state
DriverOwn()::Return since already in Driver Own...
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
==> UserCfgInit: config_method=[0x780]
[wifi_fwd_set_cb_num] band_cb_offset=33, recv_from_cb_offset=34
multi-profile merge success, en:1,pf1_num:1,pf2_num:3,total:4
MacAddress1 = 00:00:00:00:00:00
RT_CfgSetMacAddress : invalid length (0)
RT_CfgSetMacAddress : invalid length (0)
E2pAccessMode=2
SSID[0]=my-ssid, EdcaIdx=0
SSID[1]=my-ssid, EdcaIdx=0
SSID[2]=KPN Fon, EdcaIdx=0
SSID[3]=KPN_Guest, EdcaIdx=0
RTMPSetProfileParameters(): DBDC Mode=1
TriBandChGrp=0/0/0/0
cfg_mode=15
cfg_mode=15
wmode_band_equal(): Band Equal!
cfg_mode=6
cfg_mode=6
cfg_mode=6
cfg_mode=6
cfg_mode=6
cfg_mode=6
BandSteering=1
BndStrgBssIdx=1;1;0;0
[TxPower] BAND0: 30, BAND1: 30 
[SKUenable] BAND0: 1, BAND1: 1 
[PERCENTAGEenable] BAND0: 1, BAND1: 1 
[BFBACKOFFenable] BAND0: 0, BAND1: 0 
CalCacheApply = 0 
APEdca0
Valid=1
APAifsn[0]=3
APAifsn[1]=7
APAifsn[2]=1
APAifsn[3]=1
APEdca1
Valid=1
APAifsn[0]=3
APAifsn[1]=7
APAifsn[2]=1
APAifsn[3]=1
APEdca2
APEdca3
BSSAifsn[0]=3
BSSAifsn[1]=7
BSSAifsn[2]=2
BSSAifsn[3]=2
BSSAifsn[0]=3
BSSAifsn[1]=7
BSSAifsn[2]=2
BSSAifsn[3]=2
BSSAifsn[0]=3
BSSAifsn[1]=7
BSSAifsn[2]=2
BSSAifsn[3]=2
BSSAifsn[0]=3
BSSAifsn[1]=7
BSSAifsn[2]=2
BSSAifsn[3]=2
APSDCapable[0]=0
APSDCapable[1]=0
default ApCliAPSDCapable[0]=0
default ApCliAPSDCapable[1]=0
DfsZeroWaitCacTime=255/255 
RTMPSetProfileParameters(): ACSCheckTime[0]=0 seconds(24 hours)
RTMPSetProfileParameters(): ACSCheckTime[1]=86400 seconds(0 hours)
[PMF]Set_PMFMFPC_Proc:: apidx=0, Desired MFPC=0
[PMF]Set_PMFMFPC_Proc:: apidx=1, Desired MFPC=0
[PMF]Set_PMFMFPR_Proc:: apidx=0, Desired MFPR=0
[PMF]Set_PMFMFPR_Proc:: apidx=1, Desired MFPR=0
[PMF]Set_PMFSHA256_Proc:: apidx=0, Desired PMFSHA256=0
[PMF]Set_PMFSHA256_Proc:: apidx=1, Desired PMFSHA256=0
cfg_mode=8
cfg_mode=9
AndesSendCmdMsg: Could not send in band command due to diablefRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD
HT: WDEV[0] Ext Channel = BELOW
HT: WDEV[1] Ext Channel = BELOW
HT: WDEV[2] Ext Channel = BELOW
HT: WDEV[3] Ext Channel = BELOW
HT: greenap_cap = 0
IcapMode = 0
WtcSetMaxStaNum: MaxStaNum:88, BssidNum:4, WdsNum:0, ApcliNum:2, MaxNumChipRept:32, MinMcastWcid:122
Top Init Done!
Use alloc_skb
RX[0] DESC a0c14000 size = 16384
RX[1] DESC a0c12000 size = 8192
Hif Init Done!
ctl->txq = c0519d90
ctl->rxq = c0519d9c
ctl->ackq = c0519da8
ctl->kickq = c0519db4
ctl->tx_doneq = c0519dc0
ctl->rx_doneq = c0519dcc
mt7615_fw_prepare():FW(8a10), HW(8a10), CHIPID(7615))
mt7615_fw_prepare(2687): MT7615_E3, USE E3 patch and ram code binary image
AndesMTLoadRomMethodFwDlRing(1035), cap->rom_patch_len(11102)
AndesRestartCheck: Current TOP_MISC2(0x1)
AndesRestartCheck: (TOP_MISC2 = 1), ready to continue...RET(0)
20170809192718a

platform = 
ALPS
hw/sw version = 
8a108a10
patch version = 
00000010
Patch SEM Status=2
MtCmdPatchSemGet:(ret = 0)

Patch is not ready && get semaphore success, SemStatus(2)
EventGenericEventHandler: CMD Success
MtCmdAddressLenReq:(ret = 0)
MtCmdPatchFinishReq
EventGenericEventHandler: CMD Success
Send checksum req..
Patch SEM Status=3
MtCmdPatchSemGet:(ret = 0)

Release patch semaphore, SemStatus(3)
AndesMTEraseRomPatch
WfMcuHwInit: Before NICLoadFirmware, check IcapMode=0
AndesMTLoadFwMethodFwDlRing(809), cap->fw_len(462376)
Build Date:_201711030345
Build Date:_201711030345
AndesRestartCheck: Current TOP_MISC2(0x1)
AndesRestartCheck: (TOP_MISC2 = 1), ready to continue...RET(0)
EventGenericEventHandler: CMD Success
MtCmdAddressLenReq:(ret = 0)
EventGenericEventHandler: CMD Success
MtCmdAddressLenReq:(ret = 0)
MtCmdFwStartReq: override = 1, address = 540672
EventGenericEventHandler: CMD Success
Build Date:_201707211524
EventGenericEventHandler: CMD Success
MtCmdAddressLenReq:(ret = 0)
MtCmdFwStartReq: override = 4, address = 0
EventGenericEventHandler: CMD Success
WfMcuHwInit: NICLoadFirmware OK, Check IcapMode=0
MCU Init Done!
e[41m MtCmdSetRlmPorCal: (ret = 0)e[m 
efuse_probe: efuse = 10000212
RtmpChipOpsEepromHook::e2p_type=2, inf_Type=5
RtmpEepromGetDefault::e2p_dafault=1
RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 1
NVM is FLASH mode. dev_idx [0] FLASH OFFSET [0x0]
e[34mNICReadEEPROMParameters: EEPROM 0x52 b300e[m
e[34mNICReadEEPROMParameters: EEPROM 0x52 b300e[m
Country Region from e2p = 101
mt7615_antenna_default_reset(): TxPath = 4, RxPath = 4
mt7615_antenna_default_reset(): DBDC 2G TxPath = 2, 2G RxPath = 2
mt7615_antenna_default_reset(): DBDC 5G TxPath = 2, 2G RxPath = 2
rtmp_read_txpwr_from_eeprom(233): Don't Support this now!
RTMPReadTxPwrPerRate(1381): Don't Support this now!
RcRadioInit(): DbdcMode=1, ConcurrentBand=2
RcRadioInit(): pRadioCtrl=875b744c,Band=0,rfcap=1,channel=1,PhyMode=2 extCha=0xf
RcRadioInit(): pRadioCtrl=875b7538,Band=1,rfcap=2,channel=36,PhyMode=1 extCha=0xf
MtCmdSetDbdcCtrl:(ret = 0)
Band Rf: 1, Phy Mode: 2
Band Rf: 2, Phy Mode: 1
AntCfgInit(2807): Not support for HIF_MT yet!
MtSingleSkuLoadParam: RF_LOCKDOWN Feature OFF !!!
MtBfBackOffLoadTable: RF_LOCKDOWN Feature OFF !!!
EEPROM Init Done!
mt_mac_init()-->
mt_mac_pse_init(2750): Don't Support this now!
mt7615_init_mac_cr()-->
mt7615_init_mac_cr(): TMAC_TRCR0=0x82783c8c
mt7615_init_mac_cr(): TMAC_TRCR1=0x82783c8c
MtAsicSetMacMaxLen(1300): Not finish Yet!
<--mt_mac_init()
CmdRxHdrTransBLUpdateRsp::EventExtCmdResult.u4Status = 0x0
CmdRxHdrTransBLUpdateRsp::EventExtCmdResult.u4Status = 0x0
CmdRxHdrTransBLUpdateRsp::EventExtCmdResult.u4Status = 0x0
MAC Init Done!
MT7615BBPInit():BBP Initialization.....
	Band 0: valid=1, isDBDC=0, Band=2, CBW=1, CentCh/PrimCh=1/1, prim_ch_idx=0, txStream=2
	Band 1: valid=0, isDBDC=0, Band=0, CBW=0, CentCh/PrimCh=0/0, prim_ch_idx=0, txStream=0
MT7615BBPInit() todo 
PHY Init Done!
tx_pwr_comp_init():NotSupportYet!
MtCmdSetMacTxRx:(ret = 0)
MtCmdSetMacTxRx:(ret = 0)
CountryCode(2.4G/5G)=1/1, RFIC=25, PHY mode(2.4G/5G)=2/48, support 32 channels
WifiSysOpen(), wdev idx = 0
wdev_attr_update(): wdevId0 = re:da:ct:ed
MtCmdSetDbdcCtrl:(ret = 0)
radio_operate_init : Error! Check! wdev->channel=0
ApAutoChannelAtBootUp----------------->
ApAutoChannelAtBootUp: AutoChannelBootup = 0, AutoChannelFlag = 1
ApAutoChannelAtBootUp<-----------------
WifiSysClose(), wdev idx = 0
WifiSysOpen(), wdev idx = 0
wdev_attr_update(): wdevId0 = re:da:ct:ed
MtCmdSetDbdcCtrl:(ret = 0)
radio_operate_init : Error! Check! wdev->channel=0
MtAsicSetChBusyStat(840): Not support for HIF_MT yet!
[PMF]APPMFInit:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[PMF]WPAMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
HcUpdatePhyMode(): Update PhyMode for all wdev for this band PhyMode:48,Channel=36
CountryCode(2.4G/5G)=1/1, RFIC=25, PHY mode(2.4G/5G)=2/48, support 32 channels
Enable 20/40 BSSCoex Channel Scan(BssCoex=1)
wtc_acquire_groupkey_wcid: Found a non-occupied wtbl_idx:127 for WDEV_TYPE:1
 LinkToOmacIdx = 0, LinkToWdevType = 1
bssUpdateBmcMngRate (BSS_INFO_BROADCAST_INFO),                 CmdBssInfoBmcRate.u2BcTransmit= 8192,                 CmdBssInfoBmcRate.u2McTransmit = 8196
MtCmdSetDbdcCtrl:(ret = 0)
e[1;33m [RadarStateCheck]Set into RD_NORMAL_MODE e[m 
MtCmdTxPowerSKUCtrl: fgTxPowerSKUEn: 1, BandIdx: 1
MtCmdTxPowerPercentCtrl: fgTxPowerPercentEn: 1, BandIdx: 1
MtCmdTxBfBackoffCtrl: fgTxBFBackoffEn: 0, BandIdx: 1
mt7615_bbp_adjust():rf_bw=2, ext_ch=1, PrimCh=36, HT-CentCh=38, VHT-CentCh=42
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 36,control_ch2=0, central_chl = 42 DBDCIdx= 1, Band= 0 
BW = 2,TXStream = 2, RXStream = 2, scan(0)
ap_phy_rrm_init_byRf(): AP Set CentralFreq at 42(Prim=36, HT-CentCh=38, VHT-CentCh=42, BBP_BW=2)
[WrapDfsRadarDetectStart]: Band0Ch is 36
[WrapDfsRadarDetectStart]: Band1Ch is 0
LeadTimeForBcn, OmacIdx = 0, WDEV_WITH_BCN_ABILITY
MtAsicSetRalinkBurstMode(2605): Not support for HIF_MT yet!
MtAsicSetPiggyBack(777): Not support for HIF_MT yet!
MtAsicSetTxPreamble(2584): Not support for HIF_MT yet!
RTMPSetLEDStatus: before AndesLedEnhanceOP , status=1, LED_CMD=2!
AndesLedEnhanceOP: Success!
WifiFwdSet::disabled=0
ap_ftkd> Initialize FT KDP Module...
e[1;33mBndStrg_Init()
e[0mMain bssid = re:da:ct:ed
AsicRadioOnOffCtrl(): DbdcIdx=1 RadioOn
MtCmdSetMacTxRx:(ret = 0)
MtCmdSetMacTxRx:(ret = 0)
MCS Set = ff ff 00 00 01
<==== mt_wifi_init, Status=0
MtCmdEDCCACtrl: BandIdx: 0, EDCCACtrl: 1 
MtCmdEDCCACtrl: BandIdx: 1, EDCCACtrl: 1 
WtcSetMaxStaNum: MaxStaNum:88, BssidNum:4, WdsNum:0, ApcliNum:2, MaxNumChipRept:32, MinMcastWcid:122
red_is_enabled: set CR4/N9 RED Enable to 1.
cp_support_is_enabled: set CR4 CP_SUPPORT to Mode 2.
e[1;36mBndStrg_SetInfFlags(): BSS(re:da:ct:ed)e[0me[1;36m set 5G Inf ra0 ready.
e[0mCorrect apidx from 1 to 0 for WscUUIDInit
Generate UUID for apidx(0)
device ra0 entered promiscuous mode
br0: port 2(ra0) entered forwarding state
br0: port 2(ra0) entered forwarding state
WifiSysOpen(), wdev idx = 1
wdev_attr_update(): wdevId1 = re:da:ct:ed
MtCmdSetDbdcCtrl:(ret = 0)
[PMF]APPMFInit:: apidx=1, MFPC=0, MFPR=0, SHA256=0
[PMF]WPAMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0
HcUpdatePhyMode(): Update PhyMode for all wdev for this band PhyMode:8,Channel=13
CountryCode(2.4G/5G)=1/1, RFIC=25, PHY mode(2.4G/5G)=10/48, support 32 channels
Enable 20/40 BSSCoex Channel Scan(BssCoex=1)
MtCmdSetMacTxRx:(ret = 0)
MtCmdSetMacTxRx:(ret = 0)
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 6,control_ch2=0, central_chl = 6 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 7,control_ch2=0, central_chl = 7 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
:MtCmdPktBudgetCtrl: bssid(255),wcid(65535),type(0)
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 8,control_ch2=0, central_chl = 8 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 9,control_ch2=0, central_chl = 9 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 10,control_ch2=0, central_chl = 10 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 11,control_ch2=0, central_chl = 11 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 12,control_ch2=0, central_chl = 12 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 13,control_ch2=0, central_chl = 13 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(1)
AP OBSS SYNC - BBP R4 to 20MHz.l
wtc_acquire_groupkey_wcid: Found a non-occupied wtbl_idx:126 for WDEV_TYPE:1
 LinkToOmacIdx = 11, LinkToWdevType = 1
bssUpdateBmcMngRate (BSS_INFO_BROADCAST_INFO),                 CmdBssInfoBmcRate.u2BcTransmit= 8192,                 CmdBssInfoBmcRate.u2McTransmit = 8196
MtCmdSetDbdcCtrl:(ret = 0)
e[1;33m [RadarStateCheck]Set into RD_NORMAL_MODE e[m 
MtCmdTxPowerSKUCtrl: fgTxPowerSKUEn: 1, BandIdx: 0
MtCmdTxPowerPercentCtrl: fgTxPowerPercentEn: 1, BandIdx: 0
MtCmdTxBfBackoffCtrl: fgTxBFBackoffEn: 0, BandIdx: 0
mt7615_bbp_adjust():rf_bw=0, ext_ch=0, PrimCh=13, HT-CentCh=13, VHT-CentCh=42
mt7615_apply_cal_data() : eeprom 0x52 bit 1 is 0, do runtime cal , skip RX reload
mt7615_apply_cal_data() : eeprom 0x52 bit 0 is 0, do runtime cal , skip TX reload
MtCmdChannelSwitch: control_chl = 13,control_ch2=0, central_chl = 13 DBDCIdx= 0, Band= 0 
BW = 0,TXStream = 2, RXStream = 2, scan(0)
ap_phy_rrm_init_byRf(): AP Set CentralFreq at 13(Prim=13, HT-CentCh=13, VHT-CentCh=42, BBP_BW=0)
e[1;36mBndStrg_SetInfFlags(): BSS(re:da:ct:ed)e[0me[1;36m set 2G Inf rax0 ready.
e[0mLeadTimeForBcn, OmacIdx = 11, WDEV_WITH_BCN_ABILITY
Generate UUID for apidx(1)
device rax0 entered promiscuous mode
br0: port 3(rax0) entered forwarding state
br0: port 3(rax0) entered forwarding state
==> WscBuildProbeRespIE: config_method=[0x780]
==> Set_AP_WscConfStatus_Proc: IsAPConfigured=2
==> WscBuildProbeRespIE: config_method=[0x780]
[00:00:33][main]Initialize bndstrg
[00:00:33][driver_wext_init]Initialize ralink wext interface
[00:00:33][bndstrg_nvram_read_all]
[00:00:33][bndstrg_run]e[1;32mbndstrg_run[4930]:start
e[0mstart syslog-ng...
Port[0]: up => down!
Port[1]: up => down!
WAN: Up => Down
start_upnp: wan_idx -1
Call Update Tr69 Rule.
[00:00:35][bndst
BndStrg_InfStatusRsp:INF [ra0]STATUS QUERY ON
rg_periodic_exec
BndStrg_InfStatusRsp:INF [rax0]STATUS QUERY ON
]e[1;32mbndstrg->state=BNDSTRG_INF_POLL 
e[0m[00:00:35][bndstrg_table_en_polling]bndstrg=0x429710,table=0x429a08,en=0
[00:00:35][bndstrg_inf_status_polling]
[bndstrg_inf_status_polling]inf_name:[ra0]
[00:00:35][bndstrg_inf_status_polling]
[bndstrg_inf_status_polling]inf_name:[rax0]
[00:00:35][bndstrg_ctrl_interface_update]Rx INF STATUS RSP for inf(ra0): 1
[00:00:35][bndstrg_ctrl_interface_update]Rx INF STATUS RSP for inf(rax0): 1
[00:00:37][bndstSend DISASSOC frame(3) with ra0
rg_periodic_execSend DISASSOC frame(3) with ra1
]e[1;32mbndstrg-Send DISASSOC frame(3) with ra0
>state=BNDSTRG_TSend DISASSOC frame(3) with ra1
BL_EN 
e[0m[00:00:37][bndstrg_table_en_polling]bndstrg=0x429710,table=0x429a08,en=1
[00:00:38][bndstrg_table_en_polling]bndstrg=0x429710,table=0x429a08,en=1
[00:00:39][bndstrg_periodic_exec]e[1;32mbndstrg->state=BNDSTRG_TBL_READY DUALBAND
e[0mTime out! You may increase DEFAULT_TIMEOUT_COUNT[10]!

The Winbond variant was running the current version of the firmware; Linux barely logs anything:

   Verifying Trx ... OK
   Image Name:   Linux Kernel Image
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2949056 Bytes =  2.8 MB
   Load Address: 81001000
   Entry Point:  81519bb0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 81519bb0) ...
## Giving linux memsize in MB, 128

Starting kernel ...


LINUX started...

 THIS IS ASIC

SDK 5.0.S.0
1 Like

U-Boot allows you to choose between different operations but they are protected with a password. Analysis of the code has shown that the expected password is hashed (hash 46947c0bc8d2803f511b5f1ae08cf819). The password evaluation code can be simulated through this script: https://gist.github.com/hberntsen/46936cb0fab7783209a4527843440cec .

The password check can be removed. I've done this by desoldering the flash and connecting it to the SPI pins of my Raspberry Pi 4. The flash can then be read through this dts overlay: https://gist.github.com/hberntsen/f37f5047a61c2cfeeaa1e3d0c2f7f033 (it also works fine for the Winbond flash chip).

  1. Install the dts through: sudo dtc -@ -I dts -O dtb -o /boot/overlays/mx25l25635f.dtbo mx25l25635f-overlay.dts
  2. Configure it in /boot/config.txt:
#dtparam=spi=on
dtoverlay=mx25l25635f

After a restart the chip should be accessible as /dev/mtd*. Make a backup of /dev/mtd0 to be able to restore things back to the original state later if needed.

The U-Boot can be patched with the following script (you need to apt install xxd libubootenv-tool mtd-utils first to install the required tools):

#!/bin/bash
# Dump the U-Boot partition of the flash chip attached to the Pi
sudo dd if=/dev/mtd1 of=bootloader_original.bin

# these winbond or mxc u-boot variants are known to work
echo '9127188445ee02811df8b642c90dc8188b422c392a5461db7fd71e46d1393dc4  bootloader_original.bin' | sha256sum -c - > /dev/null 2>&1 || \
  echo '394e5ae97197d112f1c5e99305be771a124ab65fc4d9ce9e69085b1cb993f201  bootloader_original.bin' | sha256sum -c - > /dev/null 2>&1

if [ $? -ne 0 ]; then
  echo "Unknown bootloader hash, patch might not be suitable. Exiting.."
  exit 1
fi

cp bootloader_original.bin bootloader_patched.bin
# Overwrite 12 bytes at 0x1420 so the password check returns 0 immediately
# (little-endian MIPS: addiu v0,zero,0 ; jr ra ; nop)
echo '00 00 02 24 08 00 e0 03  00 00 00 00 ' | xxd -r -p | dd conv=notrunc of=bootloader_patched.bin seek=$((0x1420)) bs=1
# Write the patched image back to the U-Boot partition
sudo flashcp bootloader_patched.bin /dev/mtd1

Subsequently, you can flash OpenWRT (note that with the unlocked bootloader it is also possible to start an initramfs and flash from there). After producing a build, flash it through:

echo '/dev/mtd2 0x0 0x1000 0x1000' > fw_env.config
sudo fw_setenv -c fw_env.config bootpartition 0
sudo flashcp wifi-squashfs-factory.trx /dev/mtd4

If you'd like to dual-boot the original firmware and OpenWRT, this will do it:

echo '/dev/mtd2 0x0 0x1000 0x1000' > fw_env.config
sudo fw_setenv -c fw_env.config bootpartition 1
sudo flashcp wifi-squashfs-factory.trx /dev/mtd6

The bootpartition environment variable of U-Boot will determine which will start :). When you install the uboot-envtools package in OpenWRT you can also change it from there.

1 Like
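
Before handing bootloader_patched.bin to flashcp it is worth confirming that the patch script changed nothing except the 12 bytes at 0x1420, since a stray write elsewhere in U-Boot is much harder to recover from than a password check that is still in place. The following checks are an added example for this thread, not code from the author's repository or gists; the file names bootloader_original.bin and bootloader_patched.bin, the digests and the patch offset are the ones used in the script above, and the dummy image used for trying it out is constructed, not a real dump.

```shell
#!/bin/sh
# Added example (not from the thread or the author's repo): checks to run on the
# Raspberry Pi before `flashcp bootloader_patched.bin /dev/mtd1`, so that the only
# thing written back to the chip is the intended 12-byte change.
#
# Assumed file names (mine): bootloader_original.bin is the dd dump of /dev/mtd1,
# bootloader_patched.bin is the copy the patch script modified at offset 0x1420.

# sha256 digests of the unmodified Winbond/MXC U-Boot images quoted in the thread
KNOWN_SHA256="9127188445ee02811df8b642c90dc8188b422c392a5461db7fd71e46d1393dc4
394e5ae97197d112f1c5e99305be771a124ab65fc4d9ce9e69085b1cb993f201"

PATCH_OFFSET=$((0x1420))            # first patched byte (0-based)
PATCH_LEN=12                        # addiu v0,zero,0 ; jr ra ; nop
PATCH_HEX=000002240800e00300000000  # the same 12 bytes, little-endian MIPS

# known_bootloader FILE: succeed only if FILE matches one of the known digests.
known_bootloader() {
    sum=$(sha256sum "$1" | cut -d' ' -f1)
    for k in $KNOWN_SHA256; do
        [ "$sum" = "$k" ] && return 0
    done
    return 1
}

# patch_is_clean ORIG PATCHED: succeed only if both files have the same size and
# every byte that differs lies inside [PATCH_OFFSET, PATCH_OFFSET + PATCH_LEN).
patch_is_clean() {
    [ $(wc -c < "$1") -eq $(wc -c < "$2") ] || {
        echo "size mismatch between $1 and $2" >&2
        return 1
    }
    # cmp -l lists 1-based offsets of differing bytes; the loop runs in a
    # subshell, so its exit status becomes the status of the whole pipeline.
    cmp -l "$1" "$2" | while read -r pos _ _; do
        off=$((pos - 1))
        if [ "$off" -lt "$PATCH_OFFSET" ] || [ "$off" -ge $((PATCH_OFFSET + PATCH_LEN)) ]; then
            printf 'unexpected change at offset 0x%x\n' "$off" >&2
            exit 1
        fi
    done
}

# patched_stub_ok PATCHED: succeed only if the bytes at PATCH_OFFSET are the stub.
patched_stub_ok() {
    got=$(dd if="$1" bs=1 skip="$PATCH_OFFSET" count="$PATCH_LEN" 2>/dev/null \
          | od -An -tx1 | tr -d ' \n')
    [ "$got" = "$PATCH_HEX" ]
}

# verify_patched_image ORIG PATCHED: all three checks; exit status 0 means the
# patched image differs from a known-good dump only by the expected stub.
verify_patched_image() {
    known_bootloader "$1" || { echo "$1 has an unknown sha256; refusing" >&2; return 1; }
    patch_is_clean "$1" "$2" || return 1
    patched_stub_ok "$2" || { echo "stub at 0x1420 not found in $2" >&2; return 1; }
    echo "ok: $2 differs from $1 only by the expected stub"
}

# Usage on the Pi, after running the patch script but before flashcp:
#   verify_patched_image bootloader_original.bin bootloader_patched.bin
```

The size check comes first because `cmp -l` stops at the shorter file and would otherwise let a truncated copy through; the digest check is deliberately the first thing `verify_patched_image` does, since the patch offset only means anything for the two U-Boot builds the thread identifies.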

For development, booting through TFTP can be handy. The U-Boot can load and start a kernel through TFTP but the process is a bit annoying. The code tries to do some TRX verification but hangs/fails. Luckily, the function can be patched at runtime to skip the verification. I've made a ckermit script to easily boot it: https://gist.github.com/hberntsen/9bfd7e9c25948c796656fc0ab802d6c9
Just run a TFTP server at 192.168.11.2

If you want to play with the kernel arguments, the way OpenWRT compiles the Linux kernel prevents it from loading them from U-Boot. After changing that through make kernel_menuconfig you can set the bootargs U-Boot environment variable.

1 Like

I welcome you here :smiley:

It looks like this device also has the Arcadyan U-Boot password, but the hash is different from MTS & Flash.

Can you describe in more detail the actions of LEDs on OEM firmware?) Based on this, I think it will be easier to offer solutions)

Can you post a spi-nor dump or mtd partition backup? Or you can send it in a private message.

1 Like

I've looked at the manual for the LEDs, it says:

  • Power: Green when on (I've got that working in OpenWRT ;))
  • WiFi: will blink green and turn blue when WiFi is available.
  • WPS: on when WPS is enabled
  • Followme: Lights up green when a device is connected.

It also has to do with your device)

Nice! Will definitely look into that.

I'd like to add a note that dual-booting also requires a change in the kernel bootargs (ubi.mtd=5 to ubi.mtd=7). Given that the default OpenWRT kernel configuration does not take arguments from U-Boot you'd need to change the .dts for this (or change the kernel config of course :))

I've tested this; it negatively affects using the device as a switch. See the 2gb branch in my repo.

Baseline, without the WE420223-99:

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec  2.17 GBytes   931 Mbits/sec    0             sender
[  5][TX-C]   0.00-20.00  sec  2.17 GBytes   930 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  2.17 GBytes   931 Mbits/sec    0             sender
[  7][RX-C]   0.00-20.00  sec  2.17 GBytes   930 Mbits/sec                  receiver

With the WE420223-99 as NAT, no hw offloading and both ports in the switch (in the dts):

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec   411 MBytes   172 Mbits/sec  1965             sender
[  5][TX-C]   0.00-20.00  sec   410 MBytes   172 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  1.11 GBytes   478 Mbits/sec  1511             sender
[  7][RX-C]   0.00-20.00  sec  1.11 GBytes   478 Mbits/sec                  receiver

Single direction:

[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-20.00  sec  1.49 GBytes   639 Mbits/sec  166             sender
[  5]   0.00-20.02  sec  1.49 GBytes   638 Mbits/sec                  receiver

With hw offloading we are indeed limited to 1Gb:

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec   375 MBytes   157 Mbits/sec  5505             sender
[  5][TX-C]   0.00-20.00  sec   374 MBytes   157 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  1.75 GBytes   751 Mbits/sec  6735             sender
[  7][RX-C]   0.00-20.00  sec  1.75 GBytes   750 Mbits/sec                  receiver
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-20.00  sec  2.15 GBytes   926 Mbits/sec  455             sender
[  5]   0.00-20.00  sec  2.15 GBytes   925 Mbits/sec                  receiver

With the WE420223-99 used as a switch (both ports in the switch (in the dts) and lan0 and lan1 in br-lan):

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec  2.17 GBytes   931 Mbits/sec    0             sender
[  5][TX-C]   0.00-20.00  sec  2.16 GBytes   930 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  2.17 GBytes   933 Mbits/sec    0             sender
[  7][RX-C]   0.00-20.00  sec  2.17 GBytes   931 Mbits/sec                  receiver

So now with the 2Gb patches:

With NAT and no hw offloading:

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec   888 MBytes   372 Mbits/sec  284             sender
[  5][TX-C]   0.00-20.00  sec   885 MBytes   371 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  1.26 GBytes   541 Mbits/sec  937             sender
[  7][RX-C]   0.00-20.00  sec  1.26 GBytes   540 Mbits/sec                  receiver
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-20.00  sec  1.93 GBytes   830 Mbits/sec  216             sender
[  5]   0.00-20.00  sec  1.93 GBytes   829 Mbits/sec                  receiver

Enabling HW offloading makes NAT very fast:

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec  2.16 GBytes   927 Mbits/sec  263             sender
[  5][TX-C]   0.00-20.00  sec  2.16 GBytes   927 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  2.13 GBytes   916 Mbits/sec    2             sender
[  7][RX-C]   0.00-20.00  sec  2.13 GBytes   914 Mbits/sec                  receiver

Unless you want to use it as a switch:

[ ID][Role] Interval           Transfer     Bitrate         Retr
[  5][TX-C]   0.00-20.00  sec  1.52 GBytes   651 Mbits/sec   92             sender
[  5][TX-C]   0.00-20.00  sec  1.51 GBytes   650 Mbits/sec                  receiver
[  7][RX-C]   0.00-20.00  sec  1.57 GBytes   676 Mbits/sec   21             sender
[  7][RX-C]   0.00-20.00  sec  1.57 GBytes   675 Mbits/sec                  receiver
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-20.00  sec  2.13 GBytes   915 Mbits/sec  466             sender
[  5]   0.00-20.00  sec  2.13 GBytes   914 Mbits/sec                  receiver

This is now slower because all the data goes through the CPU instead of being directly switched as before:

  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
   26     2 root     RW       0   0%  24% [ksoftirqd/3]
   16     2 root     RW       0   0%  23% [ksoftirqd/1]
  398     2 root     RW       0   0%  21% [napi/mtk_eth-6]
  397     2 root     RW       0   0%  18% [napi/mtk_eth-5]
 4003   703 root     R     1332   1%   0% top
    5     2 root     IW       0   0%   0% [kworker/0:0-eve]
  243     2 root     IW       0   0%   0% [kworker/2:1-eve]
  423     2 root     IW<      0   0%   0% [kworker/0:1H-ev]

So somehow we can properly offload the NAT use case but not the switch use case with the 2Gb patch :frowning:

This is unrelated to your point but do you see high CPU usage like this between switch ports without my patch?

Without your patch I don't see any CPU from the traffic (tested this in both Linux 5.10 and 5.15, previous tests were 5.10 only).

Interestingly enough, I found that in 5.10 (without your patch) bridging two VLANs does allow traffic between the bridged interfaces. So:

# brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.bc30d90a8d18	no		lan0
							lan1.1000

A device sending out tagged frames to lan1 can ping OpenWRT but not a device on the lan0 side. After upgrading the kernel to 5.15 this works! Though at that point the CPU is busy again handling the packets, with a hit in speed and a lot of CPU usage. So without VLANs involved the traffic is switched through hardware on 5.15, otherwise in software.

Note that on 5.15, I only get 6.0 dBm power for every frequency and only one wiphy. This is similar to when I did not configure the mtd-eeprom in the device tree on 5.10. I'm not sure what is going on.

The same for Beeline SmartBox Flash. I suppose all mt7615 dbdc devices are affected.

Greetings,
Just wondering if there is a workable .bin yet for idiots like me to try :grimacing:

Sure! I've uploaded a build here.

Thanks mate but forgot KPN gestapo locks these via web interface. Little experience with serial flash, so to avoid turning this into a howto topic I'll wait for a release.

I'm still awaiting feedback on my patch series on the mailing list, after that I'll write some documentation on the OpenWRT wiki.

In order to flash without touching the hardware we'll need an exploit to do so. For old firmware versions there is this: https://7bits.nl/journal/posts/cve-2021-38703-kpn-experia-wifi-root-shell/ . As far as I know nobody is working on exploiting newer firmware versions. That means you'll need to directly modify the contents of the flash chip as I described earlier here.

1 Like

Unfortunately no response on my patches yet. I've written the wiki page: https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99 . Will post the OpenWRT bootlog later.