ASUS RT-AC58U with new NAND memory

Hello all,
I got the ASUS RT-AC58U with a corrupted NAND memory. After replacing it, the router recognizes it correctly but I can not upload OpenWRT through the bootloader. Restoring the original software via ASUS Firmware Restoration also does not work.
How can I do this?

Currently, the partition list is as follows:

(IPQ40xx) # mtdparts

device nand1 <nand1>, # parts = 1
#: name size offset mask_flags
0: UBI_DEV 0x08000000 0x00000000 0

active partition: nand1,0 - (UBI_DEV) 0x08000000 @ 0x00000000

defaults:
mtdids: none
mtdparts: none

What do printenv and help from the boot loader show?

(IPQ40xx) # printenv
baudrate=115200
bootcmd=tftp
bootdelay=2
bootfile=RT-AC58U.trx
flash_type=0
imgaddr=0x84000000
ipaddr=192.168.1.1
machid=8010100
mtddevname=UBI_DEV
mtddevnum=0
mtdids=nand1=nand1
mtdparts=mtdparts=nand1:-(UBI_DEV)
netmask=255.255.255.0
partition=nand1,0
preferred_nic=eth0
serverip=192.168.1.70
stderr=serial
stdin=serial
stdout=serial
(IPQ40xx) # help
?       - alias for 'help'
base    - print or set address offset
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dhcp    - boot image via network using DHCP/TFTP protocol
dumpipq_data- dumpipq_data crashdump collection from memory
echo    - echo args to console
env     - environment handling commands
exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
fuseipq - fuse QFPROM registers from memory
go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
imxtract- extract a part of a multi-image
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpd   - tftpd  -load the data by tftp protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uartrd  - uartrd read from second UART
uartwr  - uartwr to second UART
ubi     - ubi commands
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version

You need to set up the NAND partitions and change the bootcmd to one that will boot from flash.

Setting up the partitions may not be necessary if you boot an initramfs version of OpenWrt (which typically ignores bootloader partitions, instead having a hard coded partition map) then use its sysupgrade to write the flash. But you will still need to set a bootcmd to have it boot automatically out of flash from power on.

How to do that? Selecting 1: Load System code to SDRAM via TFTP will end again with the restart of the router in the recovery mode.

You need to set up a TFTP server which will serve up some bootable file (with the name that the bootloader asks for, here it would be 'RT-AC58U.trx')-- such as an initramfs build of OpenWrt. This is a one-time thing and you can't save any settings, since its filesystem is in RAM. But it is highly useful to install a regular build into flash, or otherwise manipulate the flash in ways that the bootloader CLI can't.

Thanks for reply.
I'm not sure if I did it right. Used image from this link:
http://downloads.openwrt.org/releases/18.06.2/targets/ipq40xx/generic/openwrt-18.06.2-ipq40xx-asus_rt-ac58u-initramfs-fit-uImage.itb

   4: Entr boot command line interface.

U-Boot 2012.07-05763-g80e4eb4 [local,local] (Jul 06 2016 - 11:01:57)
(IPQ40xx) # tftpboot
preferred nic: eth0
eth0 PHY0 up Speed :1000 Full duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
switch prereq:0
Using eth0 device
TFTP from server 192.168.1.70; our IP address is 192.168.1.1
Filename 'RT-AC58U.trx'.
Load address: 0x84000000
Loading: Got ARP REPLY, set eth addr (xx:xx:xx:xx:xx:xx)
#################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############################################################
done
Bytes transferred = 4724064 (481560 hex)
NetBootFileXferSize= 00481560
(IPQ40xx) # bootm
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-4.14.95
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x840000e4
     Data Size:    4687795 Bytes = 4.5 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   3be84c8e
     Hash algo:    sha1
     Hash value:   19f2d3d4b4fec229aa74d5a72256610eab85b5a6
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM OpenWrt asus_rt-ac58u device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x844789d0
     Data Size:    34400 Bytes = 33.6 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   be0a71f7
     Hash algo:    sha1
     Hash value:   438cd4e9a4c201d7d20d0e0a44b150d24992e1b8
   Booting using the fdt blob at 0x844789d0
Read 0x28 bytes from volume [linux2] offset 0x0 to 86edfb90
Copy firmware from c009b000 to c30ae000, length 0
   Uncompressing Kernel Image ... LZMA: uncompress or overwrite error 1 - must RESET board to recover
resetting ...

Does anyone have any idea how to upload software on this router?

You said that selecting option 1 in the bootloader ("Load System code to SDRAM via TFTP", the default for a new installation) leads to a restart in recovery mode. Does it immediately restart, or is there some progress shown on the serial console?
Also, what do you mean by recovery mode?

Hm, I hope you still have the old nand around? Because you'll need to rescue the data in the Factory (or Factory2) partition and transfer it to your new chip, otherwise you'll have no wifi.

Well, I've corrupted my NAND multiple times during development. But I never had to replace the chip. What happens is that the NAND driver gets confused and every block gets marked as bad. However the NAND chip is still fine, but it needed a full/complete chip erase. (EDIT: However, do a backup of the Factory/Factory2 partition FIRST!)

Try the snapshot images, I know it boots:

Select EEPROM set 0 at offset 0x0.

Please choose the operation:
   1: Load System code to SDRAM via TFTP.
   2: Load System code then write to Flash via TFTP.
   3: Boot System code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 1


   1: Load System code to SDRAM via TFTP.
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.8.99) ==:
        Input server IP (192.168.8.7) ==:
        Input Linux Kernel filename (RT-AC58U.trx) ==:
preferred nic: eth0
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 up Speed :1000 Full duplex
switch prereq:0
Using eth0 device
TFTP from server 192.168.8.7; our IP address is 192.168.8.99
Filename 'RT-AC58U.trx'.
Load address: 0x84000000
Loading: Got ARP REPLY, set eth addr (d4:3d:7e:bd:e9:6e)
#################################################################
         #################################################################
         #################################################################
         #################################################################
         ##########################################################
done
Bytes transferred = 4658248 (471448 hex)
NetBootFileXferSize= 00471448
Automatic boot of image at addr 0x84000000 ...
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-4.14.105
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x840000e4
     Data Size:    4639606 Bytes = 4.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   741a8de4
     Hash algo:    sha1
     Hash value:   c002feedbb5cecd6d93e64ae5c336a065015295d
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM OpenWrt asus_rt-ac58u device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8446cd94
     Data Size:    16772 Bytes = 16.4 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   fde26937
     Hash algo:    sha1
     Hash value:   9470f66be01cdf817c8c50b956ed7b3367d5cfd2
   Booting using the fdt blob at 0x8446cd94
Volume linux2 not found!
Copy firmware from c009b000 to c30ae000, length 0
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 86ed8000, end 86edf183 ... OK
ipq: fdt fixup unable to find compatible node
Using machid 0x8010100 from environment

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.14.105 (buildbot@6167ddb9a6c5) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9610-5e247f3)) #0 SMP Wed Mar 13 21:43:13 2019
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: div instructions available: patching division code
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] OF: fdt: Machine model: ASUS RT-AC58U
[...]

It is a mode in which I can use ASUS Firmware Restoration Utility, but it does not work either.

When I received the router it did not start. After taking out the NAND chip, it just began to show signs of life. Then I soldered on a new one and am now trying to rescue it.

I uploaded the latest snapshot and this is how the log looks now. The original ASUS firmware image also doesn't work.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1339 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1692 - elf_loader_entry, Start
B -      5068 - auth_hash_seg_entry, Start
B -      7210 - auth_hash_seg_exit, Start
B -    572126 - elf_segs_hash_verify_entry, Start
B -    686861 - PBL, End
B -    686886 - SBL1, Start
B -    775212 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    776723 - boot_flash_init, Start
D -     54246 - boot_flash_init, Delta
B -    835156 - boot_config_data_table_init, Start
D -      3846 - boot_config_data_table_init, Delta - (419 Bytes)
B -    842375 - clock_init, Start
D -      7574 - clock_init, Delta
B -    854472 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:1,Subtype:0
B -    857962 - sbl1_ddr_set_params, Start
B -    862949 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    867441 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13148 - sbl1_ddr_set_params, Delta
B -    881143 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    951667 - sbl1_wait_for_ddr_training, Start
D -        29 - sbl1_wait_for_ddr_training, Delta
B -    966894 - Image Load, Start
D -    134982 - QSEE Image Loaded, Delta - (262104 Bytes)
B -   1102374 - Image Load, Start
D -      1445 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1112747 - Image Load, Start
D -    223552 - APPSBL Image Loaded, Delta - (457299 Bytes)
B -   1336722 - QSEE Execution, Start
D -        58 - QSEE Execution, Delta
B -   1342898 - SBL1, End
D -    658123 - SBL1, Delta
S - Flash Throughput, 2006 KB/s  (721870 Bytes,  359846 us)
S - DDR Frequency, 537 MHz


U-Boot 2012.07-05763-g80e4eb4 [local,local] (Jul 06 2016 - 11:01:57)
RT-AC58U bootloader version: 1.0.0.3

smem ram ptable found: ver: 1 len: 3
ASUS RT-AC58U gpio init : wps / reset pin
DRAM:  128 MiB
machid : 0x8010100
Maximum malloc length: 4096 KBytes
mem_malloc_start/brk/end: 0x86ef0000/86ef0000/87300000
Relocation offset: 0
NAND:  spi_nand: spi_nand_flash_probe SF NAND ID 0:ef:aa:21
SF: Detected W25N01GV with page size 2 KiB, total 128 MiB
SF: Detected MX25L1605D with page size 4 KiB, total 2 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x200000
130 MiB
In:    serial
Out:   serial
Err:   serial
name         : offset   size
0:SBL1       : 00000000 00040000
0:MIBIB      : 00040000 00020000
0:QSEE       : 00060000 00060000
0:CDT        : 000c0000 00010000
0:DDRPARAMS  : 000d0000 00010000
0:APPSBLENV  : 000e0000 00010000
0:APPSBL     : 000f0000 00080000
0:ART        : 00170000 00010000
machid: 8010100
Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd0b1
ipq40xx_ess_sw_init done
eth0
Creating 1 MTD partitions on "nand1":
0x00000000-0x08000000 : "mtd=0"
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. sequence number:       64
UBI: attached mtd2 to ubi0
UBI: MTD device name:            "mtd=0"
UBI: MTD device size:            128 MiB
UBI: number of good PEBs:        1024
UBI: number of bad PEBs:         0
UBI: number of corrupted PEBs:   0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     6
UBI: available PEBs:             30
UBI: total number of reserved PEBs: 994
UBI: number of PEBs reserved for bad PEB handling: 10
UBI: max/mean erase counter: 27/1
UBI: image sequence number:  0
UBI:   vol_id  reserved_pebs  alignment  data_pad  vol_type  usable_leb_size  used_ebs  used_bytes  last_eb_bytes  corrupted  upd_marker  name_len  name
UBI:        0              3          1         0   dynamic            1f000         3       5d000          1f000          0           0         5  nvram
UBI:        1              1          1         0   dynamic            1f000         1       1f000          1f000          0           0         7  Factory
UBI:        2              1          1         0   dynamic            1f000         1       1f000          1f000          0           0         8  Factory2
UBI:        3            18d          1         0   dynamic            1f000       18d     3013000          1f000          0           0         5  linux
UBI:        4            18d          1         0   dynamic            1f000       18d     3013000          1f000          0           0         6  linux2
UBI:        5             b5          1         0   dynamic            1f000        b5     15eb000          1f000          0           0         5  jffs2
UBI: 7fffefff              2          1         0   dynamic            1f000         2       3e000              2          0           0         d  layout volume
Read 0x1f000 bytes from volume [Factory] offset 0x0 to 86ec0ce8
EEPROM set 0: OK (version 5)
Read 0x1f000 bytes from volume [Factory2] offset 0x0 to 86ec0ce8
EEPROM set 1: OK (version 5)
Read 0x1f000 bytes from volume [Factory] offset 0x0 to 86f04330
Select EEPROM set 0 at offset 0x0.

Please choose the operation:
   1: Load System code to SDRAM via TFTP.
   2: Load System code then write to Flash via TFTP.
   3: Boot System code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 1


   1: Load System code to SDRAM via TFTP.
 Please Input new ones /or Ctrl-C to discard
        Input device IP (192.168.1.1) ==:192.168.1.1
        Input server IP (192.168.1.70) ==:192.168.1.70
        Input Linux Kernel filename (RT-AC58U.trx) ==:RT-AC58U.trx
preferred nic: eth0
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 up Speed :1000 Full duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
switch prereq:0
Using eth0 device
TFTP from server 192.168.1.70; our IP address is 192.168.1.1
Filename 'RT-AC58U.trx'.
Load address: 0x84000000
Loading: Got ARP REPLY, set eth addr (xx:xx:xx:xx:xx:xx)
#################################################################
         #################################################################
         #################################################################
         #################################################################
         ##########################################################
done
Bytes transferred = 4661260 (47200c hex)
NetBootFileXferSize= 0047200c
Automatic boot of image at addr 0x84000000 ...
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM OpenWrt Linux-4.14.107
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x840000e4
     Data Size:    4642620 Bytes = 4.4 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   c545520f
     Hash algo:    sha1
     Hash value:   5988dd18125ca939372a18be42aaa076c7f23fb5
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM OpenWrt asus_rt-ac58u device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8446d958
     Data Size:    16772 Bytes = 16.4 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   fde26937
     Hash algo:    sha1
     Hash value:   9470f66be01cdf817c8c50b956ed7b3367d5cfd2
   Booting using the fdt blob at 0x8446d958
Read 0x28 bytes from volume [linux2] offset 0x0 to 86edfc00
Copy firmware from c009b000 to c30ae000, length 0
   Uncompressing Kernel Image ... LZMA: uncompress or overwrite error 1 - must RESET board to recover
resetting ...

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1338 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1692 - elf_loader_entry, Start
B -      5068 - auth_hash_seg_entry, Start
B -      7209 - auth_hash_seg_exit, Start
B -    572125 - elf_segs_hash_verify_entry, Start
B -    686842 - PBL, End
B -    686866 - SBL1, Start
B -    775184 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    776693 - boot_flash_init, Start
D -     54251 - boot_flash_init, Delta
B -    835133 - boot_config_data_table_init, Start
D -      3847 - boot_config_data_table_init, Delta - (419 Bytes)
B -    842355 - clock_init, Start
D -      7551 - clock_init, Delta
B -    854427 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:1,Subtype:0
B -    857916 - sbl1_ddr_set_params, Start
B -    862903 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    867395 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13147 - sbl1_ddr_set_params, Delta
B -    881097 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    951608 - sbl1_wait_for_ddr_training, Start
D -        29 - sbl1_wait_for_ddr_training, Delta
B -    967051 - Image Load, Start
D -    135011 - QSEE Image Loaded, Delta - (262104 Bytes)
B -   1102559 - Image Load, Start
D -      1443 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1112924 - Image Load, Start
D -    223587 - APPSBL Image Loaded, Delta - (457299 Bytes)
B -   1336933 - QSEE Execution, Start
D -        59 - QSEE Execution, Delta
B -   1343195 - SBL1, End
D -    658332 - SBL1, Delta
S - Flash Throughput, 2005 KB/s  (721870 Bytes,  359914 us)
S - DDR Frequency, 537 MHz


U-Boot 2012.07-05763-g80e4eb4 [local,local] (Jul 06 2016 - 11:01:57)
RT-AC58U bootloader version: 1.0.0.3

smem ram ptable found: ver: 1 len: 3
ASUS RT-AC58U gpio init : wps / reset pin
DRAM:  128 MiB
machid : 0x8010100
Maximum malloc length: 4096 KBytes
mem_malloc_start/brk/end: 0x86ef0000/86ef0000/87300000
Relocation offset: 0
NAND:  spi_nand: spi_nand_flash_probe SF NAND ID 0:ef:aa:21
SF: Detected W25N01GV with page size 2 KiB, total 128 MiB
SF: Detected MX25L1605D with page size 4 KiB, total 2 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x200000
130 MiB
In:    serial
Out:   serial
Err:   serial
name         : offset   size
0:SBL1       : 00000000 00040000
0:MIBIB      : 00040000 00020000
0:QSEE       : 00060000 00060000
0:CDT        : 000c0000 00010000
0:DDRPARAMS  : 000d0000 00010000
0:APPSBLENV  : 000e0000 00010000
0:APPSBL     : 000f0000 00080000
0:ART        : 00170000 00010000
machid: 8010100
Net:   MAC0 addr:0:3:7f:ba:db:ad
PHY ID1: 0x4d
PHY ID2: 0xd0b1
ipq40xx_ess_sw_init done
eth0
Creating 1 MTD partitions on "nand1":
0x00000000-0x08000000 : "mtd=0"
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: max. sequence number:       64
UBI: attached mtd2 to ubi0
UBI: MTD device name:            "mtd=0"
UBI: MTD device size:            128 MiB
UBI: number of good PEBs:        1024
UBI: number of bad PEBs:         0
UBI: number of corrupted PEBs:   0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     6
UBI: available PEBs:             30
UBI: total number of reserved PEBs: 994
UBI: number of PEBs reserved for bad PEB handling: 10
UBI: max/mean erase counter: 27/1
UBI: image sequence number:  0
UBI:   vol_id  reserved_pebs  alignment  data_pad  vol_type  usable_leb_size  used_ebs  used_bytes  last_eb_bytes  corrupted  upd_marker  name_len  name
UBI:        0              3          1         0   dynamic            1f000         3       5d000          1f000          0           0         5  nvram
UBI:        1              1          1         0   dynamic            1f000         1       1f000          1f000          0           0         7  Factory
UBI:        2              1          1         0   dynamic            1f000         1       1f000          1f000          0           0         8  Factory2
UBI:        3            18d          1         0   dynamic            1f000       18d     3013000          1f000          0           0         5  linux
UBI:        4            18d          1         0   dynamic            1f000       18d     3013000          1f000          0           0         6  linux2
UBI:        5             b5          1         0   dynamic            1f000        b5     15eb000          1f000          0           0         5  jffs2
UBI: 7fffefff              2          1         0   dynamic            1f000         2       3e000              2          0           0         d  layout volume
Read 0x1f000 bytes from volume [Factory] offset 0x0 to 86ec0ce8
EEPROM set 0: OK (version 5)
Read 0x1f000 bytes from volume [Factory2] offset 0x0 to 86ec0ce8
EEPROM set 1: OK (version 5)
Read 0x1f000 bytes from volume [Factory] offset 0x0 to 86f04330
Select EEPROM set 0 at offset 0x0.

Please choose the operation:
   1: Load System code to SDRAM via TFTP.
   2: Load System code then write to Flash via TFTP.
   3: Boot System code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.                     0
   3: Boot System code via Flash (default).

RT-AC58U bootloader version: 1.0.0.3
MAC Address: 0C:00:0F:00:00:0C
Read 0x40 bytes from volume [linux] offset 0x0 to 84000000
   No valid 1st firmware found at 0x0009b000
ERROR: can't get kernel image!
Read 0x40 bytes from volume [linux2] offset 0x0 to 84000000
   No valid 2nd firmware found at 0x030ae000
ERROR: can't get kernel image!

Hello!! Enter Recuse Mode: (Check error)

preferred nic: eth0
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 up Speed :1000 Full duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
switch prereq:0
tftpd start

Our IP address is:(192.168.1.1)
Wait for TFTP request...
tftpd open
D D D D

Hi, @chunkeey, could you tell me how to do a full/complete chip erase?

Through the U-Boot prompt (Option 4). There you can issue a "nand erase.chip" command. This will wipe whatever chip is selected, so don't damage the SPI-NOR with the Qualcomm bootloader and U-Boot; erase just the SPI-NAND chip. However, the SPI-NAND chip contains the calibration data, its backup and the nvram, so don't issue the command willy-nilly, it's dangerous.

Thank you @chunkeey, I see. I've backed up the Factory and Factory2 partitions under the stock firmware. Do these partitions contain the ART data? If so, why is the file 124KB and not 64 KB? As far as I know, the Qualcomm ART is only 64KB. After I updated the firmware to OpenWrt, I listed the /proc/mtd file and found an ART partition. After I dumped this partition, the file was completely filled with FF. So this is not the real ART, right? So what's the difference between these SPI-NAND devices and SPI-only devices? I have only played with some simple devices like TP Link 841n, so I don't know about the layout of NAND devices.
If I erase the whole NAND chip, I'll lose the partitions on it. So can I recover the NAND partitions if I restore the stock firmware with the ASUS recovery tool?

According to the DTS you should get 64 KB.

Yes, I dumped this partition by

dd if=/dev/mtd7 of=/tmp/art.bin

but the file was filled with FF.

Check cat /proc/mtd for the location of your ART partition, as this might differ between OEM and OpenWrt; 0xFF however would be invalid.

I think I can tell you what's confusing here. This router was hastily slapped together by ASUS, since it was one of the first IPQ40XX devices you could get here. They borrowed from their other existing routers as well as from the QSDK. So the "0:ART" partition (which is on the 2MiB SPI-NOR chip) is almost 100% a leftover from the QSDK; there's nothing in it... But the U-Boot still thinks it's 0:ART, which is why the partition stuck around. The calibration data resides in the Factory and Factory2 (Backup) UBI volumes on the SPI-NAND chip.

Yes, the Factory and Factory2 (which is the backup) contain the radio calibration data at offsets 0x1000 and 0x5000 for the 2.4GHz and 5GHz radios and some ASUS-specific bits further down (like the version and, I think, the serial number). The calibration data are each around 12KiB in size. As for why the size is 124KiB, this has to do with UBI and the SPI-NAND chip used. A UBI volume has to be at least one UBI LEB (UBI Logical Erase Block) in size, and for this particular chip that's 124K. So yes, a lot of space is "wasted". But the SPI-NAND does have 128 MiB total.

Please also make a backup of the "nvram" partition!

I've never used ASUS Recovery Tool. I don't know if it can restore a deleted Factory(2) or nvram partition, but this would beg the question from where it gets that data.
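
A way to sanity-check Factory/Factory2 dumps on a PC before any "nand erase.chip", using the offsets and sizes given in this thread (an added example, not part of the original posts and not OpenWrt or ASUS code). The function names and the sample data are made up for illustration, each dump is assumed to be exactly one 124 KiB LEB as reported above, and a non-blank window only shows the backup is not empty, not that the calibration is valid.

```python
#!/usr/bin/env python3
"""Sanity-check Factory/Factory2 dumps before erasing the SPI-NAND (added example)."""
import hashlib
import sys

# From the U-Boot UBI attach log in this thread.
PEB_SIZE = 131072                    # physical eraseblock size
DATA_OFFSET = 4096                   # UBI data offset inside each PEB
LEB_SIZE = PEB_SIZE - DATA_OFFSET    # 126976 bytes = 0x1f000 = 124 KiB

# From the post above: calibration data at these offsets, about 12 KiB each.
CAL_REGIONS = {"2.4GHz": 0x1000, "5GHz": 0x5000}
CAL_LEN = 12 * 1024                  # "around 12KiB" is approximate, so this is only a window


def is_blank(buf):
    """True for an empty buffer, or one made only of 0xFF (erased flash) or only of 0x00."""
    return len(buf) == 0 or buf.count(0xFF) == len(buf) or buf.count(0x00) == len(buf)


def check_dump(data):
    """Return a list of problems found in one volume dump (empty list = plausible)."""
    problems = []
    if len(data) != LEB_SIZE:
        problems.append("size %d bytes, expected one LEB (%d)" % (len(data), LEB_SIZE))
    if is_blank(data):
        # This is what the all-FF 0:ART dump in this thread would report.
        problems.append("whole dump is blank")
        return problems
    for band, off in CAL_REGIONS.items():
        if is_blank(data[off:off + CAL_LEN]):
            problems.append("%s calibration window at 0x%x is blank" % (band, off))
    return problems


def compare_backups(factory, factory2):
    """Hash both dumps and report whether their calibration windows are byte-identical."""
    same = all(factory[o:o + CAL_LEN] == factory2[o:o + CAL_LEN]
               for o in CAL_REGIONS.values())
    return {"factory_sha256": hashlib.sha256(factory).hexdigest(),
            "factory2_sha256": hashlib.sha256(factory2).hexdigest(),
            "cal_windows_identical": same}


def make_sample_dump(seed):
    """Constructed stand-in for a real dump: 0xFF padding, made-up bytes in both windows."""
    dump = bytearray(b"\xff" * LEB_SIZE)
    for off in CAL_REGIONS.values():
        filler, counter = b"", 0
        while len(filler) < CAL_LEN:
            filler += hashlib.sha256(b"%s-%d-%d" % (seed, off, counter)).digest()
            counter += 1
        dump[off:off + CAL_LEN] = filler[:CAL_LEN]
    return bytes(dump)


if __name__ == "__main__":
    if len(sys.argv) == 3:           # usage: script.py factory.bin factory2.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            dumps = {"Factory": f1.read(), "Factory2": f2.read()}
    else:                            # no files given: run on constructed sample data
        sample = make_sample_dump(b"demo")
        dumps = {"Factory": sample, "Factory2": sample}
    for name, blob in dumps.items():
        print(name, check_dump(blob) or "looks plausible")
    print(compare_backups(dumps["Factory"], dumps["Factory2"]))
```

Keep the printed SHA-256 values with the backup files so a later copy can be checked against them.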

Thank you for your reply @chunkeey. I'm very happy to get this device. I use your vlan patch on it. Although it needs to restart the lan interface to make it work correctly after the boot, I can tag vlan id on wan and lan.
I hope this problem can be solved in future development. The signal quality is very good and the performance is good also.
Thanks all and OpenWrt.