Adding OpenWRT support for TP-LINK HC220-G5

Hi,
I got this device in my hands and I am trying to get OpenWrt running on it.

Specs:
SOC: MT7621AT (2109-AMTH)
WLAN 2.4 GHz: MT7603EN (2108-BMAL) - to be checked
WLAN 5 GHz: MT7613BEN (2108-BZJAL) - to be checked
128 RAM
128MB NAND Flash (ESMT F59L1G81MB)
3 LEDs (red, green, blue) which can be controlled via GPIO. All LEDs are routed to the same indicator at the bottom front of the device.
2 Buttons: Reset (GPIO 8) and WPS (GPIO 16)

There are two hardware revisions (1 and 1.6); it looks like both use the same OEM firmware.

OEM bootlog: https://github.com/RolandoMagico/openwrt-misc/blob/HC220-G5/bootlog.txt

Disassembly:
The bottom plate is clipped to the case and can be removed with some "force" :)

UART:
Accessible via 4 pin holes. If you turn the device to have them on the bottom, the pinout from left to right is: VCC, GND, RX, TX. Settings: 115200, 8N1.

GitHub: https://github.com/RolandoMagico/openwrt/tree/HC220-G5

Initramfs is booting and all three ethernet ports work.

Currently I have some issues with the wifi calibration data. There is no "factory" partition which could contain the data. But there is a "misc-ro" partition which also includes the MAC address of the device. But I cannot see the calibration data for wifi. Maybe a dumb question: How can I find the wifi calibration data?

Please use forum search to find threads with others already trying to work on it.

I searched the forum before, just found one thread for HC220-G1, but not for the G5. Is there already a thread I missed?

1 Like

While at serial

  • if you have shell over serial try to enable dropbear in OEM sw if present.
  • A/B partitions - try to figure out the bootloader variable to switch them (see advanced-reboot package)
  • backup all partitions and search offsets where 5 bytes of MAC address are present.
  • tplink routers need -safeloader- package that "blesses" image with info header about compatible models for upload via OEM web ui.

From a bird's-eye view, it looks like it boots alternately between firmware1 and firmware2 based on bflag.
I would suggest updating to the same OEM version twice to make both OEM partitions bootable.
The failover can be achieved by pulling power after the kernel starts init (I think "rc5" is the first usermode message; time it now so you know how to glitch it right).
Disconnect WAN - it is calling home, may upgrade in your face.

I didn't find any settings in the OEM firmware to enable SSH. I have a serial connection but cannot log in (Login incorrect using root/admin with the set password).

There is a u-boot variable fw1_status (initially set to 31).

Done, the MAC address from the label is stored in partition misc_ro at offset 0x5c70bc. More info:

  • MAC of LAN is the one on the label
  • MAC of WAN is the one on the label + 1
  • MAC of wifi 2.4 GHz is the one on the label
  • MAC of wifi 5 GHz is the one on the label + 2

Thanks for the hint, I'll check it as soon as I start creating factory images.

I got an EU1 device, firmware for it is available on the Spanish site: https://www.tp-link.com/es/support/download/hc220-g5/#Firmware

After flashing the firmware again, I have new and updated u-boot variables:

fw1_status=36
fw2_checksum=5B63BE30336F2386F441900606F541BA
fw2_length=17694724
fw2_status=1
fw2_version=1
fw_index=2

And even more updates after flashing the OEM firmware again (directly after flashing in the u-boot console):

fw1_checksum=5B63BE30336F2386F441900606F541BA
fw1_length=17694724
fw1_status=0
fw1_version=2
fw2_checksum=5B63BE30336F2386F441900606F541BA
fw2_length=17694724
fw2_status=2
fw2_version=1
fw_index=2

And after booting the flash firmware again, I see the following changes:

fw1_status=1
fw_index=1

The bflag partition is not changed after all the flash cycles.

Any idea on that?
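Added example, not part of any post in this thread: the MAC search suggested above (match only the first 5 bytes so the label + 1 and label + 2 copies are found too) and the per-interface MACs reported for this device. The label MAC, the dump contents and the storage format (raw bytes at the reported offset, plus one ASCII copy) are constructed assumptions.

```python
import re

LABEL = "00:11:22:33:44:50"   # constructed label MAC, not from a real device
OFFSET = 0x5C70BC             # misc_ro offset reported in the thread

def mac_to_bytes(mac):
    raw = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def mac_add(mac, n):
    """Label MAC + n with carry across bytes, wrapping at 48 bits."""
    value = (int.from_bytes(mac_to_bytes(mac), "big") + n) % (1 << 48)
    return ":".join(f"{b:02X}" for b in value.to_bytes(6, "big"))

def derive_macs(label):
    """Interface MACs as reported in the thread (LAN and 2.4 GHz = label)."""
    return {"lan": mac_add(label, 0), "wan": mac_add(label, 1),
            "wifi2g": mac_add(label, 0), "wifi5g": mac_add(label, 2)}

def find_mac(dump, mac):
    """Sorted (offset, encoding) hits for the first 5 MAC bytes, raw or ASCII hex."""
    prefix = mac_to_bytes(mac)[:5]
    pairs = [f"{b:02x}" for b in prefix]
    patterns = {
        "binary": (re.escape(prefix), 0),
        "ascii-colon": (":".join(pairs).encode(), re.I),
        "ascii-dash": ("-".join(pairs).encode(), re.I),
        "ascii-plain": ("".join(pairs).encode(), re.I),
    }
    hits = []
    for name, (pattern, flags) in patterns.items():
        hits += [(m.start(), name) for m in re.finditer(pattern, dump, flags)]
    return sorted(hits)

def sample_dump():
    """Constructed stand-in for a misc_ro dump (storage format is assumed)."""
    dump = bytearray(OFFSET + 64)
    dump[OFFSET:OFFSET + 6] = mac_to_bytes(LABEL)      # raw copy of the label MAC
    dump[0x100:0x100 + 17] = b"00-11-22-33-44-52"      # ASCII copy, label + 2
    return bytes(dump)

if __name__ == "__main__":
    for offset, kind in find_mac(sample_dump(), LABEL):
        print(f"{offset:#x} {kind}")
    print(derive_macs(LABEL))
```

If the label MAC ends in a byte that carries over when 1 or 2 is added, the derived addresses no longer share the 5-byte prefix and need their own search.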

You figured the 2-partition switch method. Somebody smarter has to follow up around caldata.

Regarding the calibration data: Looks like there are calibration data files in the OEM firmware images: /etc/MT7603E_iPAiLNA.bin and /etc/MT7613B_iPAiLNA.bin. Seems to be the same files in the EU and US OEM images. Is it possible that TP-Link uses "generic" calibration data instead of device specific ones? I don't yet know if or how they can be used in OpenWrt.

Regarding the dual boot: Looks like the currently active partition is not passed to the kernel as command line argument, so something like openwrt,cmdline-match cannot be used in the DTS. Only option I currently see for migration to OpenWrt: Load the initramfs image using serial console, adapt the u-boot variables to start from a specific partition and perform sysupgrade to this partition. Would make sense to load the original firmware again via OEM web interface before, so the OEM firmware is present on both partitions. This makes reverting to OEM firmware easier. Flashing OpenWrt from OEM web interface won't be possible in this case.

In the minimal case, dualboot serves to boot OEM, flash OEM 2x and start again.
But the current boot is in firmware variable, if it helps to elect correct squash + overlay you can get a/b openwrt upgrades, but having instant revert might be more valuable for newbies.
Patience, wait for some mt76 pro to come by. Like @dnd

1 Like

Tried to flash the sysupgrade via initramfs to the first partition (firmware1), what I know so far:
Before/during flashing:

  • U-Boot variable fw1_version must be set to fw2_version + 1
  • U-Boot variables fw1_checksum and fw1_length must be deleted to skip the checksum check in U-Boot
  • U-Boot variable fw1_status must be set to 0
  • U-Boot variable fw2_status must be set to 2

After flashing:

  • U-Boot variable fw_index must be set to 1
  • U-Boot variable fw_status must be set to 1

Using the default sysupgrade image doesn't work. U-Boot always complains that there is no image in the firmware1 partition.

Currently I have this in my target configuration:
KERNEL := kernel-bin | lzma | fit lzma $$(KDIR)/image-$$(firstword $$(DEVICE_DTS)).dtb | pad-to 64k

With this line, U-Boot at least finds an image but fails during decompression:

Loading FIT image at offset 0xd00000 to memory 0x80010000, size 0x3066f8 ...
Automatic boot of image at addr 0x80010000 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  MIPS OpenWrt Linux-6.6.30
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x800100e4
     Data Size:    3157821 Bytes = 3 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x80010000
     Entry Point:  0x80010000
     Hash algo:    crc32
     Hash value:   912787ff
     Hash algo:    sha1
     Hash value:   6461bb427c64953e4109bfd7ed5a5e882070e5a3
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  MIPS OpenWrt tplink_hc220-g5-v1 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x80313168
     Data Size:    12358 Bytes = 12.1 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   34f4b8f2
     Hash algo:    sha1
     Hash value:   45656bb98eb48e8f44aebf7a09b9b4ccfdb002f6
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x80313168
   Uncompressing Kernel Image ... lzma compressed: uncompress error 1

This is how the firmware1 partition looks in binwalk using the OEM image:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Flattened device tree, size: 3575720 bytes, version: 17
228           0xE4            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 10387808 bytes
3563672       0x366098        Flattened device tree, size: 11237 bytes, version: 17
3670016       0x380000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 13913904 bytes, 814 inodes, blocksize: 262144 bytes, created: 2020-04-17 06:18:44

This is how the firmware1 partition looks in binwalk using the sysupgrade image:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Flattened device tree, size: 3171976 bytes, version: 17
228           0xE4            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 10524832 bytes
3158264       0x3030F8        Flattened device tree, size: 12358 bytes, version: 17
3488760       0x353BF8        Flattened device tree, size: 12358 bytes, version: 17
3563672       0x366098        Flattened device tree, size: 11237 bytes, version: 17
3670016       0x380000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 13913904 bytes, 814 inodes, blocksize: 262144 bytes, created: 2020-04-17 06:18:44
17592428      0x10C706C       xz compressed data
17630668      0x10D05CC       xz compressed data
17694720      0x10E0000       UBI erase count header, version: 1, EC: 0x9, VID header offset: 0x800, data offset: 0x1000
17738844      0x10EAC5C       xz compressed data

Currently I don't know how to get a working sysupgrade image. Any help is appreciated.

Means either too strong compression or wrong offsets.

1 Like

Thanks for the hint, I fixed the kernel load address, now the kernel image is uncompressed successfully but it doesn't start. It stops after loading the device tree:

******** try booting from firmware1 count=0 ********
fw1_length is NULL, skip check firmware1
Loading FIT image at offset 0xd00000 to memory 0x80010000, size 0x306688 ...
Automatic boot of image at addr 0x80010000 ...
## Loading kernel from FIT Image at 80010000 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  MIPS OpenWrt Linux-6.6.30
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x800100e4
     Data Size:    3157712 Bytes = 3 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x81001000
     Entry Point:  0x81001000
     Hash algo:    crc32
     Hash value:   94112af4
     Hash algo:    sha1
     Hash value:   bc83fc8242abe6ccf5ba761af848e9ed990fb2ce
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 80010000 ...
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  MIPS OpenWrt tplink_hc220-g5-v1 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x803130f8
     Data Size:    12358 Bytes = 12.1 KiB
     Architecture: MIPS
     Hash algo:    crc32
     Hash value:   34f4b8f2
     Hash algo:    sha1
     Hash value:   45656bb98eb48e8f44aebf7a09b9b4ccfdb002f6
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x803130f8
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 87e67000, end 87e6d045 ... OK

Edit: Probably similar issue as described here:

1 Like
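Added example, not part of any post in this thread: a check of the addresses in the two U-Boot logs above. In the first log the kernel Load Address equals the address the FIT image was read to, so the LZMA output range covers its own input; after the load-address fix the ranges are disjoint. The log lines are copied from the thread; reusing the binwalk "uncompressed size" for the rebuilt image is an assumption.

```python
import re

# Lines copied from the two U-Boot logs in this thread.
LOG_BEFORE = """\
Loading FIT image at offset 0xd00000 to memory 0x80010000, size 0x3066f8 ...
     Data Start:   0x800100e4
     Data Size:    3157821 Bytes = 3 MiB
     Load Address: 0x80010000
"""
LOG_AFTER = """\
Loading FIT image at offset 0xd00000 to memory 0x80010000, size 0x306688 ...
     Data Start:   0x800100e4
     Data Size:    3157712 Bytes = 3 MiB
     Load Address: 0x81001000
"""
# "uncompressed size" from the binwalk LZMA line of the sysupgrade image;
# assumed to be close enough for the rebuilt image in LOG_AFTER as well.
UNCOMPRESSED_SIZE = 10524832

def parse_log(log):
    """Pull the FIT buffer and the first (kernel) sub-image out of the log."""
    def grab(pattern, base):
        return int(re.search(pattern, log, re.I).group(1), base)
    return {
        "fit_base": grab(r"to memory (0x[0-9a-f]+)", 16),
        "fit_size": grab(r", size (0x[0-9a-f]+)", 16),
        "data_start": grab(r"Data Start:\s+(0x[0-9a-f]+)", 16),
        "data_size": grab(r"Data Size:\s+(\d+) Bytes", 10),
        "load": grab(r"Load Address:\s+(0x[0-9a-f]+)", 16),
    }

def overlap(a_start, a_len, b_start, b_len):
    """Number of bytes shared by two [start, start+len) address ranges."""
    return max(0, min(a_start + a_len, b_start + b_len) - max(a_start, b_start))

def check(log, uncompressed_size=UNCOMPRESSED_SIZE):
    """Bytes of the decompression target that land on the FIT buffer / LZMA input."""
    p = parse_log(log)
    dest = (p["load"], uncompressed_size)
    return {
        "on_fit_buffer": overlap(*dest, p["fit_base"], p["fit_size"]),
        "on_lzma_input": overlap(*dest, p["data_start"], p["data_size"]),
    }

if __name__ == "__main__":
    for name, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        print(name, check(log))
```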