Adding OpenWrt support for Comfast CF-WA900 V2

Hi community,

I have this outdoor access point:

Comfast CF-WA900 V2

The firmware of the device can be downloaded from the following link.

Comfast CF-WA900 V2 firmware V2.4.0

I have captured the messages from the console when it boots. The following is a list of messages of console.

U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

*** Warning *** : PCIe WLAN Module not found !!!
ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
Fetching MAC Address from 0x8ffea7f0
ath_gmac_enet_initialize: reset mask:c02200
: cfg1 0x80000000 cfg2 0x7114
eth0: 40:a5:ef:6a:bc:60
ATHR_AUTONEG_ADVERT:1DE1
ATHR_1000BASET_CONTROL:200
ATHR_PHY_CONTROL:3100
ATHRSF1_PHY: Port 0, Neg Success
ATHRSF1_PHY: unit 0 phy addr 0 eth0 up

Setting 0x18116290 to 0x60c0214f
dup 1 speed 1000
Using eth0 device
ping failed;
Hit any key to stop autoboot:  0
## Booting image at 9f050000 ...
   Image Name:   MIPS OpenWrt Linux-3.10.44
   Created:      2018-07-16   7:46:10 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1124411 Bytes =  1.1 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 268435456

Starting kernel ...

[    0.000000] Linux version 3.10.44 (wangqiuqiang@oracle.tecmint.com) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 unknown) ) #1 Mon Jul 16 15:44:52 CST 2018
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0
[    0.000000] Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 10000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x0fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x0fffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65024
[    0.000000] Kernel command line:  board=COMFAST-CF-WA900V2 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(art)ro,1536k(kernel),14400k(rootfs),64k(configs),64k(nvram)ro,15936k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 255744k/262144k available (2425k kernel code, 6400k reserved, 689k data, 276k init, 0k highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:51
[    0.000000] Calibrating delay loop... 358.80 BogoMIPS (lpj=1794048)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] NET: Registered protocol family 16
[    0.070000] MIPS: machine is COMFAST CF-WA900V2
[    0.300000] registering PCI controller with io_map_base unset
[    0.300000] ar724x-pci ar724x-pci.1: PCIe link is down
[    0.310000] registering PCI controller with io_map_base unset
[    0.320000] bio: create slab <bio-0> at 0
[    0.320000] PCI host bridge to bus 0000:00
[    0.330000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x11ffffff]
[    0.330000] pci_bus 0000:00: root bus resource [io  0x0000]
[    0.340000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.340000] pci 0000:00:00.0: invalid calibration data
[    0.350000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x101fffff 64bit]
[    0.350000] pci 0000:00:00.0: BAR 6: assigned [mem 0x10200000-0x1020ffff pref]
[    0.360000] PCI host bridge to bus 0000:01
[    0.360000] pci_bus 0000:01: root bus resource [mem 0x12000000-0x13ffffff]
[    0.370000] pci_bus 0000:01: root bus resource [io  0x0001]
[    0.370000] pci_bus 0000:01: No busn resource found for root bus, will use [bus 01-ff]
[    0.380000] pci 0000:00:00.0: using irq 40 for pin 1
[    0.380000] Switching to clocksource MIPS
[    0.390000] NET: Registered protocol family 2
[    0.390000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[    0.390000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.400000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.400000] TCP: reno registered
[    0.410000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.410000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.420000] NET: Registered protocol family 1
[    0.440000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.440000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.450000] msgmni has been set to 499
[    0.460000] io scheduler noop registered
[    0.460000] io scheduler deadline registered (default)
[    0.460000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.490000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.500000] console [ttyS0] enabled, bootconsole disabled
[    0.500000] console [ttyS0] enabled, bootconsole disabled
[    0.510000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[    0.520000] m25p80 spi0.0: found w25q128, expected m25p80
[    0.520000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.530000] 7 cmdlinepart partitions found on MTD device spi0.0
[    0.540000] Creating 7 MTD partitions on "spi0.0":
[    0.540000] 0x000000000000-0x000000040000 : "u-boot"
[    0.550000] 0x000000040000-0x000000050000 : "art"
[    0.550000] 0x000000050000-0x0000001d0000 : "kernel"
[    0.560000] 0x0000001d0000-0x000000fe0000 : "rootfs"
[    0.570000] mtd: device 3 (rootfs) set to be root filesystem
[    0.570000] 1 squashfs-split partitions found on MTD device rootfs
[    0.580000] 0x000000820000-0x000000fe0000 : "rootfs_data"
[    0.590000] 0x000000fe0000-0x000000ff0000 : "configs"
[    0.590000] 0x000000ff0000-0x000001000000 : "nvram"
[    0.600000] 0x000000050000-0x000000fe0000 : "firmware"
[    0.620000] libphy: ag71xx_mdio: probed
[    0.620000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[    1.180000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd072, driver=Generic PHY]
[    1.190000] TCP: cubic registered
[    1.190000] NET: Registered protocol family 17
[    1.200000] Bridge firewalling registered
[    1.200000] 8021q: 802.1Q VLAN Support v1.8
[    1.210000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[    1.220000] Freeing unused kernel memory: 276K (8036b000 - 803b0000)
[    2.280000] init: Console is alive
[    2.280000] init: - watchdog -
[    4.290000] init: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.810000] jffs2: notice: (364) jffs2_build_xattr_subsystem: complete building xattr subsystem, 3 of xdatum (1 unchecked, 1 orphan) and 15 of xref (0 dead, 13 orphan) found.
[    8.820000] mount_root: overlay filesystem has not been fully initialized yet
[    8.830000] mount_root: switching to jffs2 overlay
529+0 records in
529+0 records out
377+0 records in
377+0 records out
[    9.080000] procd: - early -
[    9.080000] procd: - watchdog -
[    9.730000] procd: - ubus -
[   10.750000] procd: - init -
Please press Enter to activate this console.
[   12.170000] natsemi dp8381x driver, version 2.1, Sept 11, 2006
[   12.170000]   originally by Donald Becker <becker@scyld.com>
[   12.170000]   2.4.x kernel port by Jeff Garzik, Tjeerd Mulder
[   12.200000] gre: GRE over IPv4 demultiplexor driver
[   12.200000] ip_gre: GRE over IPv4 tunneling driver
[   12.220000] i2c /dev entries driver
[   12.220000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[   12.230000] Backport generated by backports.git backports-20140320-37-g5c33da0
[   12.380000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[   12.380000] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[   19.260000] ath10k_pci 0000:00:00.0: qca988x hw2.0 target 0x4100016c chip_id 0x043202ff sub 0000:0000
[   19.270000] ath10k_pci 0000:00:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 0 testmode 1
[   19.290000] ath10k_pci 0000:00:00.0: firmware ver 10.2.4.70.12-2 api 5 features no-p2p,raw-mode crc32 cc3fb466
[   19.420000] ath10k_pci 0000:00:00.0: board_file api 1 bmi_id 0:0 crc32 94279137
[   20.460000] ath10k_pci 0000:00:00.0: htt-ver 2.1 wmi-op 5 htt-op 2 cal file max-sta 128 raw 0 hwcrypto 1
[   20.620000] u32 classifier
[   20.630000]     input device check on
[   20.630000]     Actions configured
[   20.640000] Mirror/redirect action on
[   20.660000] nf_conntrack version 0.5.0 (4000 buckets, 16000 max)
[   20.720000] Ebtables v2.0 registered
[   20.730000] ip_tables: (C) 2000-2006 Netfilter Core Team
[   20.770000] Netfilter messages via NETLINK v0.30.
[   20.810000] xt_time: kernel timezone is -0000
[   20.830000] ctnetlink v0.93: registering with nfnetlink.
[   20.840000] PPP generic driver version 2.4.2
[   20.850000] PPP MPPE Compression module registered
[   20.850000] NET: Registered protocol family 24
[   20.900000] ieee80211 phy1: Atheros AR9550 Rev:0 mem=0xb8100000, irq=47
[   31.120000] fast-classifier: starting up
[   31.120000] fast-classifier: registered
[   32.260000] device eth0 entered promiscuous mode
[   32.660000] eth0: link up (1000Mbps/Full duplex)
[   32.660000] br-wan: port 1(eth0) entered forwarding state
[   32.670000] br-wan: port 1(eth0) entered forwarding state
[   34.670000] br-wan: port 1(eth0) entered forwarding state
configs:/etc/changeconfig not found
configs:do update configs
[   40.640000] device wlan0 entered promiscuous mode
[   40.690000] device wlan8 entered promiscuous mode
[   48.150000] br-lan: port 2(wlan8) entered forwarding state
[   48.150000] br-lan: port 2(wlan8) entered forwarding state
[   50.150000] br-lan: port 2(wlan8) entered forwarding state
[   50.790000] br-lan: port 1(wlan0) entered forwarding state
[   50.790000] br-lan: port 1(wlan0) entered forwarding state
[   52.790000] br-lan: port 1(wlan0) entered forwarding state

COMFAST login: 

I tried to access it through the serial console login, through ssh and I couldn't in any case. Although I can through the web.

I also unpacked the original firmware, and I saw that it is a fairly old version of OpenWrt.

If I find more relevant information, I will post it in this request.

Thanks

Hey, can you break to u-boot and

help
printenv

Try to figure out how to back up mtd partitions from the bootloader from u-boot.
If you have tftpboot and bootm you can boot random (not totally radom - with same load address and jump offset and compression) ath79 initramfs kernel from a tftp server

Command help result:

?       - alias for 'help'
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - invoke DHCP client to obtain IP/boot params
echo    - echo args to console
erase   - erase FLASH memory
ethreg  - Switch/PHY Reg rd/wr  utility
exit    - exit script
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
start www server for firmware recovery
iminfo  - print header information for application image
itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
pll cpu-pll dither ddr-pll dither - Set to change CPU & DDR speed
pll erase
pll get
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
save new MAC address in FLASH
restore devicen
sleep   - delay execution for some time
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version

Command printenv result:

ath> printenv
bootcmd=bootm 0x9f050000
bootdelay=1
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.10
bootfile="firmware.bin"
loadaddr=0x80800000
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}ap135${bc}-jffs2&&erase 0x9f1D0000 +$filesize&&cp.b $fileaddr 0x9f1D0000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f050000 +$filesize&&cp.b $fileaddr 0x9f050000 $filesize
uboot_addr=0x9F000000
uboot_name=uboot.bin
uboot_size=0x40000
uboot_upg=if ping $serverip; then tftp $loadaddr $uboot_name && erase $uboot_addr +$filesize && cp.b $loadaddr $uboot_addr $filesize ; else ERROR! Server not reachable!; fi
firmware_addr=0x9f050000
firmware_name=firmware.bin
firmware_upg=if ping $serverip; then tftp $loadaddr $firmware_name && erase $firmware_addr +$filesize && cp.b $loadaddr $firmware_addr $filesize ;else ERROR! Server not reachable!; fi
firmware_name_auto=firmware_auto.bin
firmware_upg_auto=tftp $loadaddr $firmware_name_auto && erase $firmware_addr +$filesize && cp.b $loadaddr $firmware_addr $filesize ;
art=tftp $loadaddr art-calibration-955x.bin && bootm
stdin=serial
stdout=serial
stderr=serial
bootargs=board= console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init spi0.0:256k(u-boot)ro,64k(art)ro,1536k(kernel),14400k(rootfs),64k(configs),64k(nvram)ro,15936k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd
ethact=eth0

Environment size: 1483/65532 bytes
ath>

First things first

setenv bootdelay=15
saveenv

It will add 15s delay for easier access to uboot prompt - you can change it back later....

Set up a tftp server on the address

Flash backup commands seem hidden or not available?

Too late CET to continue

Command result:

ath> saveenv
Saving Environment to Flash...
Protect off 9F040000 ... 9F04FFFF
Un-Protecting sectors 4..4 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erasing flash...
First 0x4 last 0x4 sector size 0x10000                                         4
Erased 1 sectors
Writing to Flash... write addr: 9f040000
done
Protecting sectors 4..4 in bank 1
Protected 1 sectors
ath>

I already have the tftp server ready for what you need. Just give me the instructions of what you need, I've tried to execute it, and I'll pass you the result as before.

Tomorrow we continue with this.

It is just a an extra delay before kernreñ auto-boot,

Chevk what file tftpboot requests, try which ath79+comfast initramfs krernel boots "best" - wevwill still need to find a way to restore oem before programming anything permanent.

Hi Brada4,

I'm sorry I didn't reply sooner, but last night when I tried to restart the access point, it got stuck in a boot loop, repeatedly displaying the following message.

U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1d)
Tap values = (0x10, 0x10, 0x10, 0x10)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1d)
Tap values = (0x10, 0x10, 0x10, 0x10)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032


U-Boot 1.1.4-g83d43cb8-dirty (Mar  7 2018 - 09:36:08)

ap135 - Scorpion 1.0DRAM:
sri
Scorpion 1.0
ath_ddr_initial_config(200): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x3, 0x1c)
Tap values = (0xf, 0xf, 0xf, 0xf)
256 MB
Unique Id0 0x00000000
Unique Id1 0xe46764d3
Unique Id2 0xc7425032

I'm trying to get the access point out of this loop.

Cold boot it?

Hi Branda4,

Yes, the loop also starts on a cold boot.

It's as if the device's partition table has been erased.