Look this topic: ASUS AX4200 bootloop after upgraded from 23.05.4 to snapshot build
It is very likely that you router using a new version of the bootloader.
Therefore, you should have flashed my build of OpenWrt 24.10
My builds: https://drive.google.com/drive/folders/1c10G1LZuTiCo8dOItq3FV6A3-XK7-QfV
Thank you! The problem was this. After this accident, only your build could work on my router?
I recently bought an AX4200 as well, and immediately upgraded the software on the router. Sadly did not check what the initial version was, but my device was made in 2023 going by the box.
What are my options for switching to OpenWRT safely? I don't think I need anything from the snapshots.
Would the official wiki UI flash or TFTP method be safe with the updated bootloader (and would updates here be safe too?), or do I need 24.10 for everything to work? Any concerns with downgrading the bootloader through the firmware restoration tool, and then just installing like normal?
Thanks.
If you have flashed latest Asus firmware then almost certain the bootloader was also updated. Unfortunately official OpenWRT builds are not compatible, at the moment, with that updated bootloader.
Remittorās build, a few posts up, has the needed changes included and will work.
Hi all,
I recently acquired an AX4200 router (HW Version A) in non-working condition.
Upon powering it on, the only output I receive on the serial console is:
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
F5: 1026 0000
00: 1005 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 3903 0041
F3: 1001 0000 [0200]
F3: 1001 0000
F6: 102C 0000
01: 102A 0001
02: 1005 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00BA [010F]
System halt!
This output does not change even if I remove the NAND flash, suggesting the CPU halts early in the boot process, likely due to a corrupted bootloader.
Diagnostics so far
Flash Analysis: I dumped the contents of the NAND flash and ran binwalk. Here's the output:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
2184 0x888 Mediatek File Info File Type: ARM-Bootloader Flash Type: NAND Sequential Flash Signature Type: PHASH Load Address: 0x200D00 File Length: 203376 Maximum Size: 205424 Content Offset: 0x300 Signature Length: 32 Jump Offset: 768 POST_BUILD_DONE
178200 0x2B818 xz compressed data
216944 0x34F70 device tree image (dtb)
2213573 0x21C6C5 CRC32 polynomial table, little endian
2272437 0x22ACB5 LZO compressed data
2333641 0x239BC9 device tree image (dtb)
4456448 0x440000 UBI erase count header, version: 1, EC: 0x1, VID header offset: 0x800, data offset: 0x1000
If I understand this correctly the bootloader is located at 0x888, but I am unsure if this layout is correct.
Attempted to Replace Bootloader: I compiled a new U-Boot image from the GPL source code provided by ASUS and flashed it to address 0x888 but the size is much bigger than what the binwalk output suggests, and the router still fails to boot, producing the same serial console output.
Verifed flash Communication: Using a logic analyzer, I confirmed that the CPU communicates with the NAND flash during startup, suggesting hardware is at leats somewhat functional and the issue lies with the bootloader or its configuration.
Any insights or suggestions would be greatly appreciated!
Additionally, if someone could provide a complete dump of the flash, it would help me verify if the hardware is in good working condition. I would be extremely grateful for any assistance.
Try mtk_uartboot
Instruction: OpenWrt support for Xiaomi AX3000T - #420 by alexq
Bootloader dump: https://drive.google.com/drive/folders/124go63g85lrvlYBCx-GT7gF2xexZSEd5
The dump image contains BL2 and FIP (uboot).
Thanks for the instructions and file.
I'm just a bit confused by the instructions as there are multiple files mentioned, I have to confess I am a noob at this, since your dump includes BL2 and FIP, should this be the command?
mtk_uartboot -s COM5 --payload uboot.bin
this is the output I got:
mtk_uartboot - 0.1.1
Using serial port: COM5
Handshake...
hw code: 0x7986
hw sub code: 0x8a00
hw ver: 0xca01
sw ver: 0x1
Baud rate set to 460800
sending payload to 0x201000...
thread 'main' panicked at src\bootrom.rs:106:13:
send_da cmd status: 7442
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Or should I flash your dump directly to the flash chip?
Not sure if I remember correctly but try with BL2
Here is a map of the location of the images individually:
mtdparts=spi-nand0:1024k(BL2),512k(environment),2560k(FIP)
I isolated the fip part from the dump you provided and got some progress with this command:
mtk_uartboot -s COM5 --payload bl2-mt7986-ddr3-ram.bin --aarch64 --fip fip.bin && putty.exe -serial COM5 -sercfg 115200,8,n,1,N
so hopefully I will be able to flash the firmware now, just not sure exactly how... I tried using Asus' rescue tool and while it uploaded the firmware I got the same error as soon as the router rebooted 
Any tips? Is it possible that the firmware was only uploaded to RAM? Or I guess it just did not write the bootloader to flash
It looks like the bootloader was launched from memory, and the flash drive is empty.
Try writing the bootloaders to the flash drive using the uboot commands.
Show me full uart logs!
The first time I ran this command
mtk_uartboot -s COM5 --payload bl2-mt7986-ddr3-ram.bin --aarch64 --fip fip.bin && putty.exe -serial COM5 -sercfg 115200,8,n,1,N
It immediately tried to connect to tftp and I used the rescue tool to upload the official firmware, running the same command now it tries to boot from flash and these are the logs:
ubi0: scanning is finished
ubi0 warning: ubi_calculate_reserved: number of bad PEBs (169) is above the expe cted limit (40), not reserving any PEBs for bad PEB handling, will use available PEBs (if any)
ubi0: attached mtd4 (name "UBI_DEV", size 252 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 1847, bad PEBs: 169, corrupted PEBs: 0
ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 2/1, WL threshold: 4096, image sequence number: 0
ubi0: available PEBs: 0, total reserved PEBs: 1847, PEBs reserved for bad PEB ha ndling: 0
UBI: vol_id reserved_pebs alignment data_pad vol_type usable_leb_size us ed_ebs used_bytes last_eb_bytes corrupted upd_marker name_len name
UBI: 0 1 1 0 dynamic 1f000 1 1f000 1f000 0 0 5 nvram
UBI: 1 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 7 Factory
UBI: 2 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 8 Factory2
UBI: 3 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 5 linux
UBI: 4 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 6 linux2
UBI: 5 29e 1 0 dynamic 1f000 29e 5122000 1f000 0 0 5 jffs2
UBI: 7fffefff 2 1 0 dynamic 1f000 2 3e000 2 0 0 d layout volume
Read 1015808 bytes from volume Factory to 000000005f707ac0
EEPROM set 0: OK (version 4)
Read 1015808 bytes from volume Factory2 to 000000005f707ac0
EEPROM set 1: OK (version 4)
Read 1015808 bytes from volume Factory to 000000005fb45590
Select EEPROM set 0 at offset 0x0.
Please choose the operation:
1: Load System code to SDRAM via TFTP.
2: Load System code then write to Flash via TFTP.
3: Boot System code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 3
3: Boot System code via Flash (default).
TUF-AX4200 bootloader version: 1.0.0.2
MAC Address: 00:AA:BB:CC:DD:E0
Read 40 bytes from volume linux to 0000000046000000
FIT/FDT format image found at 0x46000000,size 0x277a154
Read 41394556 bytes from volume linux to 0000000046000000
## Loading kernel from FIT Image at 46000000 ...
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-3.0
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x460000e4
Data Size: 3282880 Bytes = 3.1 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x48080000
Entry Point: 0x48080000
Hash algo: crc32
Hash value: 7668cafc
Hash algo: sha1
Hash value: 3c2e2747fa4b53e70993d3420d532efbdb6f4578
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading ramdisk from FIT Image at 46000000 ...
Using 'config-1' configuration
Trying 'rootfs-1' ramdisk subimage
Description: Root File System
Type: RAMDisk Image
Compression: Unknown Compression
Data Start: 0x46327354
Data Size: 38086923 Bytes = 36.3 MiB
Architecture: Unknown Architecture
OS: Unknown OS
Load Address: 0x00000000
Entry Point: 0x00000000
Hash algo: crc32
Hash value: 22aa7ab4
Hash algo: sha1
Hash value: fd796defdb99cc4ef8555a4544742f6325b7c268
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 46000000 ...
Using 'config-1' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt mt7986a-tuf-ax4200 device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x463219e8
Data Size: 22648 Bytes = 22.1 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: b6b7394f
Hash algo: sha1
Hash value: ca2f2da08197e56392c4e448500a7cd71fcc204c
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x463219e8
Read 40 bytes from volume linux2 to 000000005f7ffb90
Uncompressing Kernel Image
Loading Device Tree to 000000005f7f3000, end 000000005f7fb877 ... OK
volume linux seq: 4
Starting kernel ...
Booting Linux on physical CPU 0x0000000000 [0x410fd034]
Linux version 5.4.225 (root@asus) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r0-db7dd 77)) #1 SMP Wed Nov 6 08:00:56 CST 2024
Machine model: TUF-AX4200/TUF-AX4200Q
earlycon: uart8250 at MMIO32 0x0000000011002000 (options '')
printk: bootconsole [uart8250] enabled
On node 0 totalpages: 130062
DMA32 zone: 2048 pages used for memmap
DMA32 zone: 0 pages reserved
DMA32 zone: 130062 pages, LIFO batch:31
psci: probing for conduit method from DT.
psci: PSCIv1.1 detected in firmware.
psci: Using standard PSCI v0.2 function IDs
psci: MIGRATE_INFO_TYPE not supported.
psci: SMC Calling Convention v1.0
percpu: Embedded 23 pages/cpu s55512 r8192 d30504 u94208
pcpu-alloc: s55512 r8192 d30504 u94208 alloc=23*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
Detected VIPT I-cache on CPU0
CPU features: detected: GIC system register CPU interface
CPU features: kernel page table isolation disabled by kernel configuration
Built 1 zonelists, mobility grouping on. Total pages: 128014
Kernel command line: root_rfs=0x327354 rootfstype=squashfs ubi.mtd=UBI_DEV conso le=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32 ,0x11002000 root=/dev/mtdblock6
Dentry cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
Inode-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
mem auto-init: stack:off, heap alloc:off, heap free:off
Memory: 491952K/520248K available (6590K kernel code, 488K rwdata, 1676K rodata, 448K init, 342K bss, 28296K reserved, 0K cma-reserved)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Invalid signature of oopsbuf: FF-FF-FF-FF-FF-FF-FF-FF (len -1)
rcu: Hierarchical RCU implementation.
rcu: CONFIG_RCU_FANOUT set to non-default value of 32.
rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
GICv3: GIC: Using split EOI/Deactivate mode
GICv3: 640 SPIs implemented
GICv3: 0 Extended SPIs implemented
GICv3: Distributor has no Range Selector support
GICv3: 16 PPIs implemented
GICv3: no VLPI support, no direct LPI support
GICv3: CPU0: found redistributor 0 region 0:0x000000000c080000
arch_timer: cp15 timer(s) running at 12.98MHz (phys).
clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2feb955e7, m ax_idle_ns: 440795202655 ns
sched_clock: 56 bits at 12MHz, resolution 77ns, wraps every 4398046511072ns
Calibrating delay loop (skipped), value calculated using timer frequency.. 25.97 BogoMIPS (lpj=51944)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
ASID allocator initialised with 65536 entries
rcu: Hierarchical SRCU implementation.
smp: Bringing up secondary CPUs ...
Detected VIPT I-cache on CPU1
GICv3: CPU1: found redistributor 1 region 0:0x000000000c0a0000
CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
Detected VIPT I-cache on CPU2
GICv3: CPU2: found redistributor 2 region 0:0x000000000c0c0000
CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
Detected VIPT I-cache on CPU3
GICv3: CPU3: found redistributor 3 region 0:0x000000000c0e0000
CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
smp: Brought up 1 node, 4 CPUs
SMP: Total of 4 processors activated.
CPU features: detected: 32-bit EL0 Support
CPU features: detected: CRC32 instructions
CPU: All CPU(s) started at EL2
alternatives: patching kernel code
devtmpfs: initialized
clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645 041785100000 ns
futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
pinctrl core: initialized pinctrl subsystem
NET: Registered protocol family 16
DMA: preallocated 256 KiB pool for atomic allocations
SCSI subsystem initialized
libata version 3.00 loaded.
rbus 18000000.wbsys: PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x18000000-0x18ffffff]
pci_bus 0000:00: root bus resource [bus 00-ff]
pci_bus 0000:00: scanning bus
pci 0000:00:00.0: [14c3:7986] type 00 class 0x000280
pci 0000:00:00.0: reg 0x10: [mem 0x18000000-0x1800000f 64bit]
pci 0000:00:00.0: reg 0x18: [mem 0x00000000-0x0000000f]
pci 0000:00:00.0: reg 0x1c: [mem 0x00000000-0x0000000f]
pci 0000:00:00.0: reg 0x20: [mem 0x00000000-0x0000000f]
pci 0000:00:00.0: reg 0x24: [mem 0x00000000-0x0000000f]
pci_bus 0000:00: fixups for bus
pci_bus 0000:00: bus scan returning with max=00
clocksource: Switched to clocksource arch_sys_counter
thermal_sys: Registered thermal governor 'fair_share'
thermal_sys: Registered thermal governor 'bang_bang'
thermal_sys: Registered thermal governor 'step_wise'
thermal_sys: Registered thermal governor 'user_space'
thermal_sys: Registered thermal governor 'power_allocator'
NET: Registered protocol family 2
IP idents hash table entries: 8192 (order: 4, 65536 bytes, linear)
tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
TCP established hash table entries: 4096 (order: 3, 32768 bytes, linear)
TCP bind hash table entries: 4096 (order: 4, 65536 bytes, linear)
TCP: Hash tables configured (established 4096 bind 4096)
UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
NET: Registered protocol family 1
PCI: CLS 0 bytes, default 64
workingset: timestamp_bits=62 max_order=17 bucket_order=0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
mtk-pcie 11280000.pcie: host bridge /pcie@11280000 ranges:
mtk-pcie 11280000.pcie: Parsing ranges property...
mtk-pcie 11280000.pcie: MEM 0x20000000..0x2fffffff -> 0x20000000
phy phy-pcie-phy@11c00000.0: try to get sw efuse
phy phy-pcie-phy@11c00000.0: try to get sw efuse+
phy phy-pcie-phy@11c00000.0: u3 auto load valid efuse: ENABLE with value: 1
phy phy-pcie-phy@11c00000.0: u3 efuse - intr 28, rx_imp f, tx_imp e
phy phy-pcie-phy@11c00000.0: pcie auto load valid efuse: ENABLE with value: 1
phy phy-pcie-phy@11c00000.0: u3 lane1 efuse - intr 28, rx_imp f, tx_imp e
mtk-pcie 11280000.pcie: PCIe link down, ltssm reg val: 0x0
mtk-pcie: probe of 11280000.pcie failed with error -110
Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
printk: console [ttyS0] disabled
11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 12, base_baud = 2500000) is a S T16650V2
printk: console [ttyS0] enabled
printk: console [ttyS0] enabled
printk: bootconsole [uart8250] disabled
printk: bootconsole [uart8250] disabled
11003000.serial: ttyS1 at MMIO 0x11003000 (irq = 13, base_baud = 1625000) is a S T16650V2
11004000.serial: ttyS2 at MMIO 0x11004000 (irq = 14, base_baud = 1625000) is a S T16650V2
mtk_rng 1020f000.trng: registered RNG driver
random: crng init done
cacheinfo: Unable to detect cache hierarchy for CPU 0
loop: module loaded
mt7986-pinctrl 1001f000.pinctrl: pin_config_set op failed for pin 36
mtk-spi 1100a000.spi: Error applying setting, reverse things back
Unable to handle kernel NULL pointer dereference at virtual address 000000000000 0010
Mem abort info:
ESR = 0x96000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000005
CM = 0, WnR = 0
[0000000000000010] user address but active_mm is swapper
Internal error: Oops: 96000005 [#1] SMP
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.4.225 #1
Hardware name: TUF-AX4200/TUF-AX4200Q (DT)
pstate: 40000085 (nZcv daIf -PAN -UAO)
pc : mtk_spi_can_dma+0x0/0x30
lr : mtk_spi_interrupt+0x60/0x358
sp : ffffff801fe8efb0
x29: ffffff801fe8efb0 x28: ffffff800ffe0000
x27: 0000000000000060 x26: ffffffc0107ee8b8
x25: ffffffc0109818da x24: ffffff8003158000
x23: 0000000000000084 x22: ffffff801fe8f07c
x21: 0000000000000000 x20: ffffff80031a9800
x19: ffffff80031a9e00 x18: 0000000000020000
x17: 0000000087c69a9d x16: 0000000018bb2684
x15: 00000000fffffff0 x14: 6361622073676e69
x13: 6874206573726576 x12: 0140000000000000
x11: 0000000000000020 x10: 0000000000000040
x9 : ffffffc010929fe8 x8 : ffffffc010929fe0
x7 : ffffff801e4a9960 x6 : 0000000000000000
x5 : ffffff801e4a9918 x4 : ffffffc00f586000
x3 : ffffffc01044d7a0 x2 : 0000000000000000
x1 : 0000000000000000 x0 : ffffff80031a9800
Call trace:
mtk_spi_can_dma+0x0/0x30
__handle_irq_event_percpu+0x54/0x148
handle_irq_event_percpu+0x1c/0x60
handle_irq_event+0x40/0xb0
handle_fasteoi_irq+0xdc/0x190
generic_handle_irq+0x24/0x38
__handle_domain_irq+0x60/0xb8
gic_handle_irq+0xc0/0x158
el1_irq+0xb8/0x140
__setup_irq+0x454/0x858
request_threaded_irq+0xd4/0x180
devm_request_threaded_irq+0x74/0xe8
mtk_spi_probe+0x26c/0x6a0
platform_drv_probe+0x50/0xa0
really_probe+0xd8/0x300
driver_probe_device+0x54/0xe8
device_driver_attach+0x6c/0x78
__driver_attach+0x5c/0xe8
bus_for_each_dev+0x60/0x98
driver_attach+0x20/0x28
bus_add_driver+0x180/0x1f0
driver_register+0x60/0x110
__platform_driver_register+0x44/0x50
mtk_spi_driver_init+0x18/0x20
do_one_initcall+0x74/0x1c8
kernel_init_freeable+0x17c/0x234
kernel_init+0x10/0xfc
ret_from_fork+0x10/0x1c
Code: 2a0203e4 52800003 17ffffe6 d503201f (b9401041)
---[ end trace 629e1e2f92eac75d ]---
Kernel panic - not syncing: Fatal exception in interrupt
SMP: stopping secondary CPUs
Kernel Offset: disabled
CPU features: 0x00002,20002008
Memory Limit: none
Rebooting in 1 seconds..
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 0000 0000
L0: 8005 0000 [0001]
00: 1012 0000
F9: 0000 0000
L0: 8005 0000 [0001]
01: 102A 0001
02: 1012 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00B9 [010F]
System halt!
It should be like this:
mt7986-pinctrl 1001f000.pinctrl: pin_config_set op failed for pin 36
mtk-spi 1100a000.spi: Error applying setting, reverse things back
spi-nor spi0.0: unrecognized JEDEC id bytes: ff ef aa 22 00 00
spi-nor: probe of spi0.0 failed with error -2 spi-nand spi0.1: Winbond SPI NAND was found.
spi-nand spi0.1: 256 MiB, block size: 128 KiB, page size: 2048, OOB size: 64
2 fixed-partitions partitions found on MTD device spi0.1
Creating 2 MTD partitions on āspi0.1ā:
0x000000000000-0x000000400000 : āBootloaderā
0x000000400000-0x000010000000 : āUBI_DEVā
This means there are some difficulties with reading volumes of ubifs.
Your logs should contain the name of the flash drive. But you still haven't shown the full bootloader logs.
I am unable to catch the whole log because putty takes a while to open
Not sure if this has any other information you are looking for:
ubi0: scanning is finished
ubi0: attached mtd4 (name "UBI_DEV", size 252 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/1, WL threshold: 4096, image sequence number: 2037501690
ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
UBI: vol_id reserved_pebs alignment data_pad vol_type usable_leb_size used_ebs used_bytes last_eb_bytes corrupted upd_marker name_len name
UBI: 0 1 1 0 dynamic 1f000 1 1f000 1f000 0 0 5 nvram
UBI: 1 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 7 Factory
UBI: 2 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 8 Factory2
UBI: 3 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 5 linux
UBI: 4 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 6 linux2
UBI: 5 31f 1 0 dynamic 1f000 31f 60c1000 1f000 0 0 5 jffs2
UBI: 7fffefff 2 1 0 dynamic 1f000 2 3e000 2 0 0 d layout volume
Read 1015808 bytes from volume Factory to 000000005f707ac0
EEPROM set 0: OK (version 76)
Read 1015808 bytes from volume Factory2 to 000000005f707ac0
EEPROM set 1: OK (version 76)
Read 1015808 bytes from volume Factory to 000000005fb45590
Select EEPROM set 0 at offset 0x0.
Please choose the operation:
1: Load System code to SDRAM via TFTP.
2: Load System code then write to Flash via TFTP.
3: Boot System code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 4
4: Entr boot command line interface.
U-Boot 2022.04-rc1 (Nov 14 2022 - 15:04:49 +0800)
MT7986> mtd list
List of MTD devices:
* spi-nand0
- device: spi_nand@1
- parent: spi@1100a000
- driver: spi_nand
- path: /spi@1100a000/spi_nand@1
- type: NAND flash
- block size: 0x20000 bytes
- min I/O: 0x800 bytes
- OOB size: 64 bytes
- OOB available: 24 bytes
- 0x000000000000-0x000010000000 : "spi-nand0"
- 0x000000000000-0x000000100000 : "BL2"
- 0x000000100000-0x000000180000 : "environment"
- 0x000000180000-0x000000400000 : "FIP"
- 0x000000400000-0x000010000000 : "UBI_DEV"
MT7986>
MT7986> mtdparts
device spi-nand0 <spi-nand0>, # parts = 4
#: name size offset mask_flags
0: BL2 0x00100000 0x00000000 0
1: environment 0x00080000 0x00100000 0
2: FIP 0x00280000 0x00180000 0
3: UBI_DEV 0x0fc00000 0x00400000 0
active partition: spi-nand0,0 - (BL2) 0x00100000 @ 0x00000000
defaults:
mtdids : spi-nand0=spi-nand0
mtdparts: mtdparts=spi-nand0:1024k(BL2),512k(environment),2560k(FIP),-(UBI_DEV)
I noticed that every time I try to write to nand I get a bad block error
Bad block at 0x0 ... aborted
but I believe the actual flash chip is fine because I can read/write/verify it using an external programmer with no issues so there might be another hardware issue after all, although I can see with a logic analyzer that the CPU communicates with the chip.
When I fully bricked mine, I was able to load the bl2-mt7986-ddr3-ram.bin with mtk_uartboot.
From there I was able to load the initramfs and boot from ram to OpenWRT.
From OpenWRT I was able to restore the bootloader then finally the factory partitions.
I actually tried that as well but it always crashes during boot. Have to continue trying tomorrow.
Not sure which build you tried but I would test an older one or the oneās posted by Remittor.
@remittor What do your trx files include that allows it to flash over Asus firmware? Does your image only load in RAM and only after the second flash is the firmware permanent?
Start reading from this post:
It always results in a kernel panic error for me
ubi0: scanning is finished
ubi0: attached mtd4 (name "UBI_DEV", size 252 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 2016, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 6, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 4/1, WL threshold: 4096, image sequence number: 2037501690
ubi0: available PEBs: 0, total reserved PEBs: 2016, PEBs reserved for bad PEB handling: 40
UBI: vol_id reserved_pebs alignment data_pad vol_type usable_leb_size used_ebs used_bytes last_eb_bytes corrupted upd_marker name_len name
UBI: 0 1 1 0 dynamic 1f000 1 1f000 1f000 0 0 5 nvram
UBI: 1 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 7 Factory
UBI: 2 8 1 0 dynamic 1f000 8 f8000 1f000 0 0 8 Factory2
UBI: 3 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 5 linux
UBI: 4 242 1 0 dynamic 1f000 242 45fe000 1f000 0 0 6 linux2
UBI: 5 31f 1 0 dynamic 1f000 31f 60c1000 1f000 0 0 5 jffs2
UBI: 7fffefff 2 1 0 dynamic 1f000 2 3e000 2 0 0 d layout volume
Read 1015808 bytes from volume Factory to 000000005f707ac0
EEPROM set 0: OK (version 76)
Read 1015808 bytes from volume Factory2 to 000000005f707ac0
EEPROM set 1: OK (version 76)
Read 1015808 bytes from volume Factory to 000000005fb56c50
Select EEPROM set 0 at offset 0x0.
Please choose the operation:
1: Load System code to SDRAM via TFTP.
2: Load System code then write to Flash via TFTP.
3: Boot System code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 1
1: Load System code to SDRAM via TFTP.
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.1.1) ==:
Input server IP (192.168.1.70) ==:
Input Linux Kernel filename (openwrt-24_tuf-ax4200-initramfs.bin) ==:openwrt-23_tuf-ax4200-initramfs.bin
switch prereq:0
Using ethernet0@15100000 device
TFTP from server 192.168.1.70; our IP address is 192.168.1.1
Filename 'openwrt-23_tuf-ax4200-initramfs.bin'.
Load address: 0x46000000
Loading: Got ARP REPLY, set eth addr (98:29:a6:9a:1e:df)
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
################################
5.4 MiB/s
done
Bytes transferred = 13828096 (d30000 hex)
Saving Environment to MTD... Erasing on MTD device 'spi-nand0'... OK
Writing to MTD device 'spi-nand0'... OK
OK
Automatic boot of image at addr 0x46000000 ...
## Loading kernel from FIT Image at 46000000 ...
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-5.15.162
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x460000ec
Data Size: 13795740 Bytes = 13.2 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x48000000
Entry Point: 0x48000000
Hash algo: crc32
Hash value: 509351ed
Hash algo: sha1
Hash value: a68bba8e85cfe69f4f2c74a49d27d063cd103a93
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 46000000 ...
Using 'config-1' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt asus_tuf-ax4200 device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x46d283c8
Data Size: 20670 Bytes = 20.2 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: 78e5c981
Hash algo: sha1
Hash value: 24aff548f48de6099175d5718ea4bbdc4fa384c3
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x46d283c8
Uncompressing Kernel Image
Loading Device Tree to 000000005f7f3000, end 000000005f7fb0bd ... OK
volume linux seq: 4
Starting kernel ...
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[ 0.000000] Linux version 5.15.162 (user@debian) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 12.3.0 r24012-d8dd03c46f) 12.3.0, GNU ld (GNU Binutils) 2.40.0) #0 SMP Mon Jul 15 22:14:18 2024
[ 0.000000] Machine model: ASUS TUF-AX4200
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x000000005fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x0000000042ffffff]
[ 0.000000] node 0: [mem 0x0000000043000000-0x000000004302ffff]
[ 0.000000] node 0: [mem 0x0000000043030000-0x000000004fbfffff]
[ 0.000000] node 0: [mem 0x000000004fc00000-0x000000004ffbffff]
[ 0.000000] node 0: [mem 0x000000004ffc0000-0x000000005fffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000005fffffff]
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.1 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000] psci: SMC Calling Convention v1.2
[ 0.000000] percpu: Embedded 18 pages/cpu s33112 r8192 d32424 u73728
[ 0.000000] pcpu-alloc: s33112 r8192 d32424 u73728 alloc=18*4096
[ 0.000000] pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
[ 0.000000] Detected VIPT I-cache on CPU0
[ 0.000000] CPU features: detected: GIC system register CPU interface
[ 0.000000] CPU features: kernel page table isolation disabled by kernel configuration
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 129024
[ 0.000000] Kernel command line: ubi.mtd=UBI_DEV
[ 0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] Memory: 488528K/524288K available (8384K kernel code, 906K rwdata, 1488K rodata, 10048K init, 300K bss, 35760K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] GICv3: GIC: Using split EOI/Deactivate mode
[ 0.000000] GICv3: 640 SPIs implemented
[ 0.000000] GICv3: 0 Extended SPIs implemented
[ 0.000000] GICv3: Distributor has no Range Selector support
[ 0.000000] Root IRQ handler: 0xffffffc008010090
[ 0.000000] GICv3: 16 PPIs implemented
[ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x000000000c080000
[ 0.000000] arch_timer: cp15 timer(s) running at 13.00MHz (phys).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2ff89eacb, max_idle_ns: 440795202429 ns
[ 0.000000] sched_clock: 56 bits at 13MHz, resolution 76ns, wraps every 4398046511101ns
[ 0.000107] Calibrating delay loop (skipped), value calculated using timer frequency.. 26.00 BogoMIPS (lpj=130000)
[ 0.000114] pid_max: default: 32768 minimum: 301
[ 0.000311] Mount-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.000319] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.001350] rcu: Hierarchical SRCU implementation.
[ 0.001621] smp: Bringing up secondary CPUs ...
[ 0.001880] Detected VIPT I-cache on CPU1
[ 0.001901] GICv3: CPU1: found redistributor 1 region 0:0x000000000c0a0000
[ 0.001926] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[ 0.002181] Detected VIPT I-cache on CPU2
[ 0.002192] GICv3: CPU2: found redistributor 2 region 0:0x000000000c0c0000
[ 0.002203] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[ 0.002439] Detected VIPT I-cache on CPU3
[ 0.002448] GICv3: CPU3: found redistributor 3 region 0:0x000000000c0e0000
[ 0.002459] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[ 0.002485] smp: Brought up 1 node, 4 CPUs
[ 0.002498] SMP: Total of 4 processors activated.
[ 0.002501] CPU features: detected: 32-bit EL0 Support
[ 0.002504] CPU features: detected: CRC32 instructions
[ 0.002527] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[ 0.002579] CPU: All CPU(s) started at EL2
[ 0.002589] alternatives: patching kernel code
[ 0.004931] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.004951] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[ 0.005094] pinctrl core: initialized pinctrl subsystem
[ 0.005714] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.005938] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[ 0.005964] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[ 0.005982] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[ 0.006230] thermal_sys: Registered thermal governor 'fair_share'
[ 0.006233] thermal_sys: Registered thermal governor 'bang_bang'
[ 0.006236] thermal_sys: Registered thermal governor 'step_wise'
[ 0.006239] thermal_sys: Registered thermal governor 'user_space'
[ 0.006396] ASID allocator initialised with 65536 entries
[ 0.006708] pstore: Registered ramoops as persistent store backend
[ 0.006712] ramoops: using 0x10000@0x42ff0000, ecc: 0
[ 0.014473] cryptd: max_cpu_qlen set to 1000
[ 0.016220] SCSI subsystem initialized
[ 0.016298] libata version 3.00 loaded.
[ 0.017069] clocksource: Switched to clocksource arch_sys_counter
[ 0.017484] NET: Registered PF_INET protocol family
[ 0.017566] IP idents hash table entries: 8192 (order: 4, 65536 bytes, linear)
[ 0.017923] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.017934] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.017939] TCP established hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.017960] TCP bind hash table entries: 4096 (order: 4, 65536 bytes, linear)
[ 0.018003] TCP: Hash tables configured (established 4096 bind 4096)
[ 0.018064] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.018075] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.018182] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.018199] PCI: CLS 0 bytes, default 64
[ 0.029017] workingset: timestamp_bits=46 max_order=17 bucket_order=0
[ 0.031594] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.031607] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.053606] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[ 0.057350] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[ 0.059062] printk: console [ttyS0] disabled
[ 0.079217] 11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 121, base_baud = 2500000) is a ST16650V2
[ 0.718140] printk: console [ttyS0] enabled
[ 0.722965] mtk_rng 1020f000.rng: registered RNG driver
[ 0.723018] hwrng: no data available
[ 0.728443] cacheinfo: Unable to detect cache hierarchy for CPU 0
[ 0.740299] loop: module loaded
[ 0.743444] Loading iSCSI transport class v2.0-870.
[ 0.749464] Unable to handle kernel read from unreadable memory at virtual address 0000000000000010
[ 0.749677] spi spi0.0: setup: ignoring unsupported mode bits a00
[ 0.758496] Mem abort info:
[ 0.758499] ESR = 0x0000000096000005
[ 0.758501] EC = 0x25: DABT (current EL), IL = 32 bits
[ 0.758505] SET = 0, FnV = 0
[ 0.758507] EA = 0, S1PTW = 0
[ 0.758509] FSC = 0x05: level 1 translation fault
[ 0.758511] Data abort info:
[ 0.758512] ISV = 0, ISS = 0x00000005
[ 0.758513] CM = 0, WnR = 0
[ 0.758516] [0000000000000010] user address but active_mm is swapper
[ 0.803355] Internal error: Oops: 0000000096000005 [#1] SMP
[ 0.808910] Modules linked in:
[ 0.811954] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.162 #0
[ 0.818028] Hardware name: ASUS TUF-AX4200 (DT)
[ 0.822541] pstate: 404000c5 (nZcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 0.829483] pc : 0xffffffc008582420
[ 0.832958] lr : 0xffffffc0085829b0
[ 0.836430] sp : ffffffc008003ec0
[ 0.839728] x29: ffffffc008003ec0 x28: ffffffc00939db00 x27: 00000000460000ec
[ 0.846845] x26: 000000005f7ffbc8 x25: 0000000000000000 x24: ffffff800005d200
[ 0.853960] x23: 000000000000007a x22: ffffffc008003f7c x21: 0000000000000000
[ 0.861077] x20: ffffff80008c0000 x19: ffffff80008c0600 x18: 0000000000000014
[ 0.868192] x17: ffffffc016b03000 x16: ffffffc008000000 x15: 000000004e8e68f3
[ 0.875307] x14: 0000000064773f1b x13: 000000008e5ca47d x12: 000000006dadd91b
[ 0.882424] x11: 0000000000000040 x10: ffffff8000004468 x9 : ffffff8000004460
[ 0.889540] x8 : ffffff80004426f0 x7 : 0000000000000000 x6 : 0000000000000000
[ 0.896656] x5 : ffffff80004426c8 x4 : ffffffc016b03000 x3 : ffffffc008582420
[ 0.903771] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff80008c0000
[ 0.910886] Call trace:
[ 0.913319] 0xffffffc008582420
[ 0.916445] 0xffffffc008089afc
[ 0.919570] 0xffffffc008089cbc
[ 0.922695] 0xffffffc00808ec10
[ 0.925820] 0xffffffc008089380
[ 0.928945] 0xffffffc0080100e0
[ 0.932070] 0xffffffc00801584c
[ 0.935195] 0xffffffc00801609c
[ 0.938319] 0xffffffc008835330
[ 0.941445] 0xffffffc008835ae4
[ 0.944571] 0xffffffc008011374
[ 0.947696] 0xffffffc0088360c4
[ 0.950820] 0xffffffc008069270
[ 0.953946] 0xffffffc008069484
[ 0.957070] 0xffffffc008836464
[ 0.960196] 0xffffffc0089c0954
[ 0.963320] 0xffffffc0089c0f2c
[ 0.966445] 0xffffffc0089c034c
[ 0.969574] Code: b9000043 17ffffeb d503201f d503201f (b9401041)
[ 0.975660] ---[ end trace 81f1d2c39c972a1e ]---
[ 0.980786] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 0.987640] SMP: stopping secondary CPUs
[ 0.991550] Kernel Offset: disabled
[ 0.995022] CPU features: 0x0,00000000,20000802
[ 0.999536] Memory Limit: none
[ 1.003110] Rebooting in 1 seconds..
F0: 102B 0000
FA: 1040 0000
FA: 1040 0000 [0200]
F9: 0000 0000
L0: 8005 0000 [0001]
00: 1012 0000
F9: 0000 0000
L0: 8005 0000 [0001]
01: 102A 0001
02: 1012 0000
BP: 2000 00C0 [0001]
EC: 0000 0000 [1000]
T0: 0000 00B9 [010F]
System halt!