Adding OpenWrt support for Netgear R6700AXv3

For Developers
1

I am trying to add support for the Netgear R6700AXv3. It uses a Mediatek MT7621AT CPU and Mediatek MT7915DAN WIFI chip. Both of which seem to be used in other supported routers. The stock router firmware from Netgear seems to be an old and hacked up version of LEDE / OpenWRT. I have gained access to the serial console and the current mtd layout from the kernel log from booting up is as follows:

[    3.468572] 10 ofpart partitions found on MTD device nmbm
[    3.473967] Creating 10 MTD partitions on "nmbm":
[    3.478681] add_mtd_partitions: split_firmware_name=firmware
[    3.484344] 0x000000000000-0x000000080000 : "Bootloader"
[    3.491134] 0x000000080000-0x000000100000 : "Config"
[    3.497483] 0x000000100000-0x000000180000 : "Factory"
[    3.503847] 0x000000180000-0x000004180000 : "firmware"
[    3.891815] 2 fit-fw partitions found on MTD device firmware
[    3.897516] 0x000000180800-0x000000500800 : "kernel"
[    3.903862] 0x000000500800-0x000004180000 : "rootfs"
[    3.910567] mtd: device 6 (rootfs) set to be root filesystem
[    3.916303] 0x000004180000-0x000008180000 : "firmware2"
[    3.923269] 0x000008180000-0x000008200000 : "PDATA"
[    3.929528] 0x000008200000-0x00000e800000 : "fixed_data"
[    3.936921] 0x00000e800000-0x00000e900000 : "Backup"
[    3.943212] 0x00000e900000-0x00000ef00000 : "pot_meter"
[    3.949899] 0x00000ef00000-0x00000f000000 : "Reserved"

It seems like right now there are two firmware (firmware and firmware2) partitions that may be simple clones of eachother. Is there any way to or advantage from combining the two together into one larger partition?

Also currently the overlay fs is placed in the fixed_data partition, is that something that is a good idea or possible to copy?

2

Check ASUS AX54 for that.

Try to netboot some netgear 7621 initramfs ?

3

I assume that what you mean me to look at with the ASUS AX54 is how the IMAGE_SIZE set in mt7621.mk is 51200k which is larger than any of the individual partitions listed in here. Is that correct?

I will try to get something running and netbooted.

4

I modified mt7621.mk to add

mt7621.mk 
define Device/netgear_r6700axv3
  $(Device/nand)
  DEVICE_VENDOR := NETGEAR
  DEVICE_MODEL := R6700AXv3
  DEVICE_PACKAGES := kmod-mt7915-firmware
  NETGEAR_ENC_MODEL := RAX5
  NETGEAR_ENC_REGION := US
  IMAGE_SIZE := 67108864
  KERNEL_LOADADDR := 0x81001000
  KERNEL := kernel-bin | relocate-kernel 0x81001000 | lzma | \
	fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb | \
	append-squashfs4-fakeroot
  IMAGES += factory.img
  IMAGE/factory.img := append-kernel | pad-to $$(KERNEL_SIZE) | \
	append-ubi | check-size | netgear-encrypted-factory
endef
TARGET_DEVICES += netgear_r6700axv3

and I added mt7621_netgear_r6700axv3.dts

mt7621_netgear_r6700axv3.dts 
// SPDX-License-Identifier: GPL-2.0-or-later OR MIT

#include "mt7621.dtsi"

#include <dt-bindings/gpio/gpio.h>
#include <dt-bindings/input/input.h>
#include <dt-bindings/leds/common.h>

/ {
	compatible = "netgear,r6700axv3", "mediatek,mt7621-soc";
	model = "Netgear R6700AX V3";

	aliases {
		led-boot = &led_power_green;
	};

	chosen {
		bootargs = "console=ttyS0,115200";
	};


	leds {
		compatible = "gpio-leds";

		led_power_green: power_green {
			function = LED_FUNCTION_POWER;
			color = <LED_COLOR_ID_GREEN>;
			gpios = <&gpio 4 GPIO_ACTIVE_LOW>;
		};
	};
};

&nand {
	status = "okay";
    
	partitions {
		compatible = "fixed-partitions";
		#address-cells = <1>;
		#size-cells = <1>;

		partition@0 {
			label = "Bootloader";
			reg = <0x0 0x80000>;
			read-only;
		};

		partition@80000 {
			label = "Config";
			reg = <0x80000 0x80000>;
		};

		partition@100000 {
			label = "Factory";
			reg = <0x100000 0x80000>;
			read-only;

			nvmem-layout {
				compatible = "fixed-layout";
				#address-cells = <1>;
				#size-cells = <1>;

				eeprom_factory_0: eeprom@0 {
					reg = <0x0 0xe00>;
				};

				precal_factory_e10: precal@e10 {
					reg = <0xe10 0x19c10>;
				};
			};
		};

		partition@180000 {
			label = "firmware";
			reg = <0x180000 0x4000000>;

			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			partition@0 {
				label = "kernel";
				reg = <0x0 0x400000>;
			};

			partition@400000 {
				label = "ubi";
				reg = <0x400000 0x2200000>;
			};
		};

		partition@4180000 {
			label = "firmware2";
			reg = <0x4180000 0x4000000>;
			read-only;
		};

		partition@8180000 {
			label = "PDATA";
			reg = <0x8180000 0x80000>;
			read-only;
		};

		partition@8200000 {
			label = "fixed_data";
			reg = <0x8200000 0x6600000>;
			read-only;
		};

		partition@e800000 {
			label = "Backup";
			reg = <0xe800000 0x20000>;
			read-only;
		};

		partition@e900000 {
			label = "pot_meter";
			reg = <0xe900000 0x20000>;
			read-only;
		};

		partition@ef00000 {
			label = "Reserved";
			reg = <0xef00000 0x20000>;
			read-only;
		};
	};
};

&pcie {
	status = "okay";
};


&state_default {
	gpio {
		groups = "uart3", "uart2", "jtag";
		function = "gpio";
	};
};

&xhci {
	status = "disabled";
};

OpenWrt builds for the new target just fine, but when I load the image in U-Boot via TFTP and bootm it the FDT loads fine, but when it jumps to the kernel it nothing is printed to the serial terminal. If I load the stock firmware in the same manner it works just fine and boots the kernel. I have also tried flashing OpenWrt to the nand with the same result.

Any ideas about what I am doing wrong and how to get some output on the serial port? Or is there some way with leds or something else to tell if the kernel is running or not.

As to the previous question about extending / combining the partitions: it doesn't matter on this router as in the bootloader it only has knowledge of one big firmware partition that goes from the OS firmware partition to the end of the flash, so the OpenWrt could fill the rest of the flash so long as there is no important calibration or other stuff there.

5

If you binwalk oem firmware you usually see load and start addresses and kernel compression used.

6

Yes, binwalk extracts the FDT. It appears that the addresses and compression are set the same.
Here are the files. The binary data has been removed because it is too large.

Stock firmware fdt 
/dts-v1/;

/ {
	timestamp = <0x6732c9a9>;
	description = "MIPS OpenWrt FIT (Flattened Image Tree)";
	#address-cells = <0x01>;

	images {

		kernel@1 {
			description = "MIPS OpenWrt Linux-4.4.198";
			data = [ -- DATA CUT -- ];
			type = "kernel";
			arch = "mips";
			os = "linux";
			compression = "lzma";
			load = <0x81001000>;
			entry = <0x81001000>;
		};

		fdt@1 {
			description = "MIPS OpenWrt pega-ramips device tree blob";
			data = [ -- DATA CUT -- ];
			type = "flat_dt";
			arch = "mips";
			compression = "none";

			hash@1 {
				value = <0xb03557e5>;
				algo = "crc32";
			};

			hash@2 {
				value = <0x67610079 0x5b9a0e47 0xeeb0e6c7 0x668ea2bf 0xcef42a6b>;
				algo = "sha1";
			};
		};
	};

	configurations {
		default = "config@1";

		config@1 {
			description = "OpenWrt";
			kernel = "kernel@1";
			fdt = "fdt@1";
		};
	};
};
OpenWrt FDT 
/dts-v1/;

/ {
	timestamp = <0x68cdc8ea>;
	description = "MIPS OpenWrt FIT (Flattened Image Tree)";
	#address-cells = <0x01>;

	images {

		kernel-1 {
			description = "MIPS OpenWrt Linux-6.6.104";
			data = [ -- DATA CUT --];
			type = "kernel";
			arch = "mips";
			os = "linux";
			compression = "lzma";
			load = <0x81001000>;
			entry = <0x81001000>;

			hash-1 {
				value = <0x7d81d5b>;
				algo = "crc32";
			};

			hash-2 {
				value = <0xb9e38072 0x1b1a7810 0xd5139dcd 0xc512055e 0xfee37f1e>;
				algo = "sha1";
			};
		};

		fdt-1 {
			description = "MIPS OpenWrt netgear_r6700axv3 device tree blob";
			data = [ -- DATA CUT -- ];
			type = "flat_dt";
			arch = "mips";
			compression = "none";

			hash-1 {
				value = <0x539e46e3>;
				algo = "crc32";
			};

			hash-2 {
				value = <0x8bc7ccd4 0x1787c55e 0x421d8dd2 0x4e4b2af3 0x8893a913>;
				algo = "sha1";
			};
		};
	};

	configurations {
		default = "config-1";

		config-1 {
			description = "OpenWrt netgear_r6700axv3";
			kernel = "kernel-1";
			fdt = "fdt-1";
		};
	};
};

Also here are the logs from and commands sent to U-Boot when I try to boot from TFTP. I boot 0x800 into the stock image because there is a header that has to be skipped.

Stock Firmware log 
U-Boot SPL 2018.09 (May 12 2022 - 10:08:48 +0800)
Trying to boot from NAND

Initializing NMBM ...
Signature found at block 2047 [0x0ffe0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached


U-Boot 2018.09 (May 12 2022 - 10:08:48 +0800)

CPU:   MediaTek MT7621AT ver 1, eco 3
Clocks: CPU: 880MHz, DDR: 600MHz (1200MT/s), Bus: 220MHz, XTAL: 40MHz
Model: MediaTek MT7621 reference board (NAND)
DRAM:  448 MiB
NAND:  256 MiB

Initializing NMBM ...
Signature found at block 2047 [0x0ffe0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached

Loading Environment from NMBM... OK
In:    uartlite0@1e000c00
Out:   uartlite0@1e000c00
Err:   uartlite0@1e000c00
Net:   eth0: eth@1e100000
Start NMRP ...
Hit any key to stop autoboot:  0

=> tftpboot 0x83000000 192.168.1.2:stock.img
Using eth@1e100000 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'stock.img'.
Load address: 0x83000000
Loading: *#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #######################################
	 3.9 MiB/s
done
Bytes transferred = 23463936 (1660800 hex)
=> bootm 0x83000800
## Loading kernel from FIT Image at 83000800 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  MIPS OpenWrt Linux-4.4.198
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x830008e4
     Data Size:    3639151 Bytes = 3.5 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x81001000
     Entry Point:  0x81001000
   Verifying Hash Integrity ... OK
## Loading fdt from FIT Image at 83000800 ...
   Using 'config@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  MIPS OpenWrt pega-ramips device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x83379118
     Data Size:    11363 Bytes = 11.1 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   b03557e5
     Hash algo:    sha1
     Hash value:   676100795b9a0e47eeb0e6c7668ea2bfcef42a6b
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x83379118
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 9be67000, end 9be6cc62 ... OK
[    0.000000] Linux version 4.4.198 (androidtest@androidtest-VirtualBox) (gcc version 5.4.0 (LEDE GCC 5.4.0 r0-6df3bae1) ) #0 SMP Tue Nov 12 02:12:28 UTC 2024
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is MediaTek MT7621 PEGA Board (802.11ax, NAND with NMBM)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 1c000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000000000000-0x0000000000ffffff]
[    0.000000]   Normal   [mem 0x0000000001000000-0x000000000fffffff]
[    0.000000]   HighMem  [mem 0x0000000010000000-0x000000001bffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000001bffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000001bffffff]
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] PERCPU: Embedded 10 pages/cpu @82103000 s8544 r8192 d24224 u40960
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 114176
[    0.000000] Kernel command line:  console=ttyS0,115200 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Writing ErrCtl register=00014130
[    0.000000] Readback ErrCtl register=00014130
[    0.000000] Memory: 440932K/458752K available (7456K kernel code, 4044K rwdata, 1764K rodata, 228K init, 255K bss, 17820K reserved, 0K cma-reserved, 196608K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS:256
[    0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[    0.000009] sched_clock: 32 bits at 440MHz, resolution 2ns, wraps every 4880645118ns
[    0.007779] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[    0.070396] pid_max: default: 32768 minimum: 301
[ -- LOG CUT -- ]

The last line is printed out and then nothing. I waited for about five minute and nothing

OpenWrt log 
U-Boot SPL 2018.09 (May 12 2022 - 10:08:48 +0800)
Trying to boot from NAND

Initializing NMBM ...
Signature found at block 2047 [0x0ffe0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached

U-Boot 2018.09 (May 12 2022 - 10:08:48 +0800)

CPU:   MediaTek MT7621AT ver 1, eco 3
Clocks: CPU: 880MHz, DDR: 600MHz (1200MT/s), Bus: 220MHz, XTAL: 40MHz
Reset: last reset was triggered by software reset
Model: MediaTek MT7621 reference board (NAND)
DRAM:  448 MiB
NAND:  256 MiB

Initializing NMBM ...
Signature found at block 2047 [0x0ffe0000]
First info table with writecount 0 found in block 1920
Second info table with writecount 0 found in block 1923
NMBM has been successfully attached

Loading Environment from NMBM... OK
In:    uartlite0@1e000c00
Out:   uartlite0@1e000c00
Err:   uartlite0@1e000c00
Net:   eth0: eth@1e100000
Start NMRP ...
Hit any key to stop autoboot:  0 

=> tftpboot 0x83000000 192.168.1.2:image.bin
Using eth@1e100000 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.1
Filename 'image.bin'.
Load address: 0x83000000
Loading: *T #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ######################################
	 1 MiB/s
done
Bytes transferred = 7223189 (6e3795 hex)
=> bootm 0x83000000
## Loading kernel from FIT Image at 83000000 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  MIPS OpenWrt Linux-6.6.104
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x830000e4
     Data Size:    7209162 Bytes = 6.9 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x81001000
     Entry Point:  0x81001000
     Hash algo:    crc32
     Hash value:   07d81d5b
     Hash algo:    sha1
     Hash value:   b9e380721b1a7810d5139dcdc512055efee37f1e
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 83000000 ...
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  MIPS OpenWrt netgear_r6700axv3 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x836e02f0
     Data Size:    11968 Bytes = 11.7 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   539e46e3
     Hash algo:    sha1
     Hash value:   8bc7ccd41787c55e421d8dd24e4b2af38893a913
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x836e02f0
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 9be67000, end 9be6cebf ... OK