Nice job.
Do you think readding the bootargs-overide"ubi.mtd=UBI_DEV"; and removing the dummy partition entries would fix the issue?
Yes. That would solve the problem. But that would effectively revert commit NVMEM-on-UBI.
I came up with another solution, which can also be adapted for other platforms (for example ipq807x).
1 Like
Let me know when this is ready for review, or if you want me to join in and look at that newer ASUS loader in ghidra...
1 Like
it's not in Asus loader. The reason is in the u-boot code itself.
The Asus developers simply activated the call to function fdt_fixup_mtdparts.
This is how I fixed the dev tree:
&spi0 {
pinctrl-names = "default";
pinctrl-0 = <&spi_flash_pins>;
status = "okay";
spi_nand_flash: flash@0 {
compatible = "spi-nand";
#address-cells = <1>;
#size-cells = <1>;
reg = <0>;
spi-max-frequency = <20000000>;
spi-tx-bus-width = <4>;
spi-rx-bus-width = <4>;
_partitions_node = "mtd_part_list";
/*
* ASUS bootloader tries to replace ...
..... it's not the Asus that's the reason
..... it's the u-boot
*/
partitions: dummy {
//status = "disabled";
#address-cells = <1>;
#size-cells = <1>;
partition@0 {
reg = <0x0 0x0>;
label = "remove_me";
};
};
partitions_node_fake: partitions22 {
//compatible = "fixed-partitions";
#address-cells = <1>;
#size-cells = <1>;
partition@0 {
reg = <0x0 0x0>;
label = "remove_me";
};
};
fake_partitions: partitions {
compatible = "fixed-partitions";
#address-cells = <1>;
#size-cells = <1>;
partition@0 {
reg = <0x0 0x0>;
label = "ignore_me";
};
};
mtd_part_list {
compatible = "fixed-partitions";
#address-cells = <1>;
#size-cells = <1>;
partition@0 {
reg = <0x0 0x400000>;
label = "BootLoader";
read-only;
};
partition@400000 {
compatible = "linux,ubi";
reg = <0x400000 0xfc00000>;
label = "UBI_DEV";
volumes {
ubi_factory: ubi-volume-factory {
volname = "Factory";
};
};
};
};
};
};
I corrected a couple of c-files and when loading I get this:
[ 0.856824] spi-nand spi0.0: Winbond SPI NAND was found.
[ 0.862152] spi-nand spi0.0: 256 MiB, block size: 128 KiB, page size: 2048, OOB size: 128
[ 0.870532] mtd_part_of_parse: -------------------------------------
[ 0.876955] mtd_part_of_parse: target node name: 'spi0.0' idx: 0
[ 0.883099] mtd_part_of_parse: target node: /soc/spi@1100a000/flash@0
[ 0.889623] mtd_part_of_parse: root mtd node = /soc/spi@1100a000/flash@0
[ 0.896391] mtd_part_of_parse: mtd node = /soc/spi@1100a000/flash@0
[ 0.903170] mtd_part_of_parse: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 0.912111] mtd_part_of_parse: prop '_partitions_node' = 'mtd_part_list'
[ 0.918879] mtd_part_of_parse: mtd_is_partition is False
[ 0.924258] mtd_part_of_parse: child: /soc/spi@1100a000/flash@0/dummy = 'dummy'
[ 0.931727] mtd_part_of_parse: child: /soc/spi@1100a000/flash@0/partitions22 = 'partitions22'
[ 0.940406] mtd_part_of_parse: child: /soc/spi@1100a000/flash@0/partitions = 'partitions'
[ 0.948736] mtd_part_of_parse: child: /soc/spi@1100a000/flash@0/mtd_part_list = 'mtd_part_list'
[ 0.957590] mtd_part_of_parse: real partitions node = /soc/spi@1100a000/flash@0/mtd_part_list
[ 0.966185] mtd_part_of_parse: compat = 'fixed-partitions' prop.name = 'compatible' prop.value = (____ptrval____)
[ 0.976509] mtd_part_of_parse: parser: name = 'fixed-partitions' type = 0
[ 0.983363] parse_fixed_partitions: -------------------------------------
[ 0.990217] parse_fixed_partitions: target node name: 'spi0.0' idx: 0
[ 0.996723] parse_fixed_partitions: root mtd node = /soc/spi@1100a000/flash@0
[ 1.003928] parse_fixed_partitions: mtd node = /soc/spi@1100a000/flash@0
[ 1.011131] parse_fixed_partitions: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 1.020502] parse_fixed_partitions: prop '_partitions_node' = 'mtd_part_list'
[ 1.027709] 2 fixed-partitions partitions found on MTD device spi0.0
[ 1.034267] mtd_part_of_parse: added nr_parts = 2
[ 1.039043] mtd_part_of_parse: ERR = 0
[ 1.042861] Creating 2 MTD partitions on "spi0.0":
[ 1.047634] 0x000000000000-0x000000400000 : "BootLoader"
[ 1.056087] mtd_part_of_parse: -------------------------------------
[ 1.062550] mtd_part_of_parse: target node name: 'BootLoader' idx: 0
[ 1.068976] mtd_part_of_parse: target node: /soc/spi@1100a000/flash@0/mtd_part_list/partition@0
[ 1.077743] mtd_part_of_parse: root mtd node = /soc/spi@1100a000/flash@0
[ 1.084514] mtd_part_of_parse: mtd node = /soc/spi@1100a000/flash@0/mtd_part_list/partition@0
[ 1.093543] mtd_part_of_parse: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 1.102482] mtd_part_of_parse: mtd_is_partition is True
[ 1.107777] mtd_part_of_parse: ------ fixed-partitions ------
[ 1.113596] mtd_part_of_parse: Parser: name = 'fixed-partitions' type = 0
[ 1.120452] mtd_part_of_parse: PARSER: name = 'fixed-partitions' type = 0
[ 1.127304] parse_fixed_partitions: -------------------------------------
[ 1.134162] parse_fixed_partitions: target node name: 'BootLoader' idx: 0
[ 1.141018] parse_fixed_partitions: root mtd node = /soc/spi@1100a000/flash@0
[ 1.148219] parse_fixed_partitions: mtd node = /soc/spi@1100a000/flash@0/mtd_part_list/partition@0
[ 1.157679] parse_fixed_partitions: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 1.167053] mtd_part_of_parse: Added nr_parts = 0
[ 1.171828] mtd_part_of_parse: ERR = 0
[ 1.175649] 0x000000400000-0x000010000000 : "UBI_DEV"
[ 1.341532] ubi0: default fastmap pool size: 100
[ 1.346146] ubi0: default fastmap WL pool size: 50
[ 1.350926] ubi0: attaching mtd1
[ 2.118878] random: crng init done
[ 2.641301] ubi0: scanning is finished
[ 2.653691] ubi0: attached mtd1 (name "UBI_DEV", size 252 MiB)
[ 2.659529] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.666383] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.673151] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.680094] ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
[ 2.686167] ubi0: user volume: 8, internal volumes: 1, max. volumes count: 128
[ 2.693368] ubi0: max/mean erase counter: 24/17, WL threshold: 4096, image sequence number: 1864024255
[ 2.702650] ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
[ 2.711937] ubi0: background thread "ubi_bgt0d" started, PID 259
[ 2.713605] block ubiblock0_6: created from ubi0:6(rootfs)
[ 2.723419] ubiblock: device ubiblock0_6 (rootfs) set to be root filesystem
[ 2.730473] mtd_part_of_parse: -------------------------------------
[ 2.736893] mtd_part_of_parse: target node name: 'UBI_DEV' idx: 1
[ 2.743059] mtd_part_of_parse: target node: /soc/spi@1100a000/flash@0/mtd_part_list/partition@400000
[ 2.752267] mtd_part_of_parse: root mtd node = /soc/spi@1100a000/flash@0
[ 2.759038] mtd_part_of_parse: mtd node = /soc/spi@1100a000/flash@0/mtd_part_list/partition@400000
[ 2.768496] mtd_part_of_parse: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 2.777434] mtd_part_of_parse: mtd_is_partition is True
[ 2.782730] mtd_part_of_parse: compat = 'linux,ubi' prop.name = 'compatible' prop.value = 0000000006639623
[ 2.792452] mtd_part_of_parse: ------ fixed-partitions ------
[ 2.798265] mtd_part_of_parse: Parser: name = 'fixed-partitions' type = 0
[ 2.805118] mtd_part_of_parse: PARSER: name = 'fixed-partitions' type = 0
[ 2.811972] parse_fixed_partitions: -------------------------------------
[ 2.818824] parse_fixed_partitions: target node name: 'UBI_DEV' idx: 1
[ 2.825418] parse_fixed_partitions: root mtd node = /soc/spi@1100a000/flash@0
[ 2.832625] parse_fixed_partitions: mtd node = /soc/spi@1100a000/flash@0/mtd_part_list/partition@400000
[ 2.842518] parse_fixed_partitions: property '_partitions_node' founded in '/soc/spi@1100a000/flash@0'
[ 2.851891] mtd_part_of_parse: Added nr_parts = 0
[ 2.856663] mtd_part_of_parse: ERR = 0
[ 2.990523] mtk_soc_eth 15100000.ethernet: generated random MAC address 65:74:68:25:64:00
[ 3.058953] Maxlinear Ethernet GPY211C mdio-bus:06: Firmware Version: 8.111 (0x886F)
You can see that the mtd driver uses the mtd_part_list node instead of the partitions node.
1 Like
So the fix is to add your changes to the devices .dts?
No. Need a patch for mtd driver. I'm working on it now. Will provide it soon. And a test image too.
1 Like
Test snapshot sysupgrade image (with mtd patch):
https://drive.google.com/drive/folders/1fE-KKEa-WH_bdRQjy-gmN40yMSElouqb
mtd driver patch:
DTS patch for Asus routers:
1 Like
Really appreciate all your hard work and time but I seem to have hard bricked my device, just get a system halt! over serial, think I've wiped the bootloader partition.
Probably jtag, which I don't have, is the only recovery solution now.
Hmm. I've already rewritten the bootloader 4 times while testing:
insmod mtd-rw i_want_a_brick=1
mtd unlock bootloader
mtd write /tmp/uboot.bin bootloader
All I get is:
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
F5: 1026 0000
00: 1005 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
01: 102A 0001
02: 1005 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00BA [010F]
System halt!
Do you know if it's possible to reflash uboot with https://github.com/981213/mtk_uartboot?
Thanks
2 Likes
Yes, you will be able to attack it with mtk_uartboot. Probably what happened now is that you overwrote bl2 and not just U-Boot...
1 Like
Got this far
.\mtk_uartboot.exe -p bl2-mt7986-ddr3-ram.bin --aarch64
mtk_uartboot - 0.1.1
Using serial port: COM3
Handshake...
hw code: 0x7986
hw sub code: 0x8a00
hw ver: 0xca01
sw ver: 0x1
Baud rate set to 460800
sending payload to 0x201000...
Checksum: 0x19ce
Setting baudrate back to 115200
Jumping to 0x201000 in aarch64...
Waiting for BL2. Message below:
==================================
NOTICE: BL2: v2.10.0 (release):v2.10.0-mtk
NOTICE: BL2: Built : 13:17:11, Mar 1 2024
NOTICE: WDT: Cold boot
NOTICE: WDT: disabled
NOTICE: CPU: MT7986 (2002MHz)
NOTICE: EMI: Using DDR3 settings
NOTICE: EMI: Detected DRAM size: 512MB
NOTICE: EMI: complex R/W mem test passed
NOTICE: Starting UART download handshake ...
==================================
BL2 UART DL version: 0x10
Baudrate set to: 921600
I was able to boot latest stable initramfs.bin finally and got uboot flashed.
Now just got to figure out how to restore my ubi backups.
mtk_uartboot is an amazing tool.
Thank you all
Back online after restoring both Factory 1 and 2 backups.
Gonna test your build now.
Booted perfect
[ 0.858396] spi-nand spi0.0: Winbond SPI NAND was found.
[ 0.863721] spi-nand spi0.0: 256 MiB, block size: 128 KiB, page size: 2048, OOB size: 128
[ 0.872081] mtd_part_of_parse: property '_partitions_node' founded in /soc/spi@1100a000/flash@0
[ 0.880940] mtd_part_of_parse: property '_partitions_node' = 'mtd_part_list'
[ 0.888054] mtd_part_of_parse: real partitions node = /soc/spi@1100a000/flash@0/mtd_part_list
[ 0.896663] parse_fixed_partitions: property '_partitions_node' founded in /soc/spi@1100a000/flash@0
[ 0.905872] parse_fixed_partitions: property '_partitions_node' = 'mtd_part_list'
[ 0.913432] parse_fixed_partitions: real partitions node = /soc/spi@1100a000/flash@0/mtd_part_list
[ 0.922477] 2 fixed-partitions partitions found on MTD device spi0.0
[ 0.929041] Creating 2 MTD partitions on "spi0.0":
[ 0.933818] 0x000000000000-0x000000400000 : "BootLoader"
[ 0.941906] 0x000000400000-0x000010000000 : "UBI_DEV"
[ 1.108108] ubi0: default fastmap pool size: 100
[ 1.112735] ubi0: default fastmap WL pool size: 50
[ 1.117509] ubi0: attaching mtd1
[ 1.858961] random: crng init done
[ 2.405855] ubi0: scanning is finished
[ 2.418221] ubi0: attached mtd1 (name "UBI_DEV", size 252 MiB)
[ 2.424061] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[ 2.430917] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[ 2.437683] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[ 2.444625] ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
[ 2.450700] ubi0: user volume: 8, internal volumes: 1, max. volumes count: 128
[ 2.457899] ubi0: max/mean erase counter: 20/7, WL threshold: 4096, image sequence number: 81802094
[ 2.466920] ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
[ 2.476209] ubi0: background thread "ubi_bgt0d" started, PID 260
[ 2.477890] block ubiblock0_6: created from ubi0:6(rootfs)
[ 2.487673] ubiblock: device ubiblock0_6 (rootfs) set to be root filesystem
Great work. Thank you
2 Likes
Well now try to persuade the OpenWrt maintainers to add this mtd driver hack to the main branch.
2 Likes
Will your changes also work with the old bootloader?
Anyhow, you should make a pr.
Thanks
Yes.
I won't make a pull request, because its approval will take a lot of time.
In my pull request, maintainers will find the following shortcomings:
- Too long lines in c-code
- The names in the code are not correct
- There are no comments in the code
- There is no description or author in the patch
- The pull request summary should describe the cause of the problem and when/why it occurs. A workaround should be described.
- etc
The process will be faster if the maintainer adds the changes to the repository.
1 Like
Well lets see what Daniel has to say.
The tested working solution for the updated Asus uboot are two patches that remittor has prepared.
Please take a look at them when you get the chance and possibly merge them or suggest another workaround.
Cheers
@blocktrron , you can probably quickly add this patch to the OpenWrt repository.
And you probably have this router, since you were the one who added support for it to the OpenWrt repository.
2 Likes
Great stuff going on here! Nice to know that there is a tool to unbrick your router in case you make a mistake.
As my router (AX6000) has the old bootloader (is there a better way to do this?):
root@OpenWrt:~# strings /dev/mtd0 | grep "U-Boot 20"
U-Boot 2022.04-rc1 (Mar 29 2023 - 14:23:46 +0800)
Is there any advantage in updating the bootloader?
Thanks,
Bas.
I would of thought that there is no advantage if using OpenWRT on it.