Attempt to add support for a Belkin F9K1109V1

First off, I am a openwrt development noob and linux novice. I have some dev experience in other areas and use openwrt on a few routers, but will be stumbling around here. Somebody gave me a Belkin FK91109V1 so I attempting to add support. The main specs for this router at bottom of post.

I have figured out the serial pins and have console access. Also have the openwrt source down and can compile it. I have the Belkin firmware source for a similar, but not exact F9K1110V1 too. By the way as far as I can tell belkin made at least 3 or 4 routers in this space that are very similar like the F9K1103V1 and F9K1110V1.

I have been working through trying to take a hack at a minimal DTS and reading the developer guide materials and have run into several questions.

1. Can I work around the flash layout? Again I don't know what is reasonable. I have always assumed the partitions should be left as they are for the stock firmware so you can re-flash back. It looks like the kernel partition on this router is too small for the latest kernel and I saw post where it might be possible to change that. This is a 8MiB flash device. Here are the partitions.

# cat mtd
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 0014d3e0 00010000 "Kernel"
mtd5: 00662c20 00010000 "RootFS"
mtd6: 007a0000 00010000 "Kernel_RootFS"
mtd7: 00010000 00010000 "UserCfg"

From bootlog

0x00000000-0x00800000 : "ALL"
0x00000000-0x00030000 : "Bootloader"
0x00030000-0x00040000 : "Config"
0x00040000-0x00050000 : "Factory"
0x00050000-0x0019d3e0 : "Kernel"
0x0019d3e0-0x00800000 : "RootFS"
0x00050000-0x007f0000 : "Kernel_RootFS"
0x007f0000-0x00800000 : "UserCfg"

Assuming my hex math is right it has 1332K for Kernel. Based on this Snapshot not available for certain supported devices recently that will be too small. Should I consider stretching the Kernel partition slightly and reclaiming from RootFS? This is a ramips unit and uses DTS. If it's possible to change, I know I will need to change the map in DTS, where else would I need to?

2. The last 4 partitions confuse me in the layering. I am new to this, but I thought each layer would nest into a single "upper layer". Does this layout make sense? Also how would it be represented in DTS?

Thanks in advance for any help. I am a such a noob at this is it possible I am missing several fundamentals.

Device specs
System on Chip - Ralink 3883 (MIPS 74Kc)
CPU chip: Ralink RT3883
CPU speed: 500Mhz
Target: ramips
Subtarget: rt3883
Package Architecture: mipsel_74kc
Bootloader: Ralink UBoot Version: 3.5.2.0
RAM Size: 64Mb
RAM chip: Winbond #? - F9K1110V1 has winbond W9751G6JB-25
Flash chip: Macronix MX25L6405D
Flash size: 8Mb
LAN Port count: 4
LAN Port speeds 10/100/1000
WAN Port count: 1
WAN Port speeds: 10/100/1000
Switch: chip Realtek RTL8367R-VB
Wireless #1: SoC-integrated : 2.4/5 GHz
Wireless #2: SoC-integrated : 2.4 GHz Ralink RT2860?
USB ports: 2 x USB 2.0
Serial: yes, 4-pin header, (57600,8,N,1), 3.3V TTL, J12
Serial: GND, RX, TX, V - J12 marking on board
JTAG - unknown

HW seems comparable to this:https://wikidevi.com/wiki/ASUS_RT-N65U

Link to some open source code at lower right of page.... not sure what you'd get if it worked either but may be of use: re dts/drivers etc....

Short story long..... that hardware might be painful..... It is fun too mess around with the hardware..... modding the build environment is super steep learning curve.... so it's good to have a supported / near supported device and a specific goal in mind before investing serious time me thinks....

Thanks and well said on the potential time sink. My primary goal is to get this router to run well enough to be a wired only router that can run a trunked VLAN to replace an ancient WRT54G / DD-WRT router I am using today. Secondary goals are to learn about the openwrt process on an expendable router and hopefully get it fully running and even PR it for support assuming it all goes well. I had looked at the RT-N56U DTS already, but not the RT-N65U I'll check it out.

Ok. So I have it booting my hacked openwrt build over TFTP.

N750 # bootm 8A100000
## Booting image at 8a100000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.63
   Created:      2018-08-16   7:51:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3347059 Bytes =  3.2 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...

[    0.000000] Linux version 4.14.63 (kip@dev-ub-openwrt) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7258-5eb055306f)) #0 Thu Aug 16 07:51:15 2018
[    0.000000] SoC Type: Ralink RT3883 ver:1 eco:5
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001974c (MIPS 74Kc)
[    0.000000] MIPS: machine is Belkin F9K1109V1
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x8c/0x474 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 58264K/65536K available (3383K kernel code, 165K rwdata, 832K rodata, 2012K init, 212K bss, 7272K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 500MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041786 ns
[    0.000012] sched_clock: 32 bits at 250MHz, resolution 4ns, wraps every 8589934590ns
[    0.015471] Calibrating delay loop... 249.44 BogoMIPS (lpj=1247232)
[    0.097749] pid_max: default: 32768 minimum: 301
[    0.107168] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.120193] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.139580] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.159061] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.171247] pinctrl core: initialized pinctrl subsystem
[    0.182155] NET: Registered protocol family 16
[    0.218897] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.229937] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.242571] rt2880_gpio 10000638.gpio: registering 16 gpios
[    0.258357] clocksource: Switched to clocksource MIPS
[    0.269656] NET: Registered protocol family 2
[    0.279211] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.292988] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.305579] TCP: Hash tables configured (established 1024 bind 1024)
[    0.318422] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.329915] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.342663] NET: Registered protocol family 1
[    2.618369] random: fast init done
[    2.982859] rt-timer 10000100.timer: maximum frequency is 5065Hz
[    2.995612] Crashlog allocated RAM at address 0x3f00000
[    3.007912] workingset: timestamp_bits=30 max_order=14 bucket_order=0
[    3.026569] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    3.038076] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    3.158427] io scheduler noop registered
[    3.166072] io scheduler deadline registered (default)
[    3.177237] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    3.191006] console [ttyS0] disabled
[    3.198005] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a Palmchip BK-3103
[    3.217773] console [ttyS0] enabled
[    3.217773] console [ttyS0] enabled
[    3.231548] bootconsole [early0] disabled
[    3.231548] bootconsole [early0] disabled
[    3.248012] cacheinfo: Failed to find cpu0 device node
[    3.258290] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    3.275791] spi spi0.0: force spi mode3
[    3.284331] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[    3.294159] 4 fixed-partitions partitions found on MTD device spi0.0
[    3.306828] Creating 4 MTD partitions on "spi0.0":
[    3.316385] 0x000000000000-0x000000030000 : "uboot"
[    3.327098] 0x000000030000-0x000000040000 : "uboot-env"
[    3.338618] 0x000000040000-0x000000050000 : "factory"
[    3.349642] 0x000000050000-0x0000007f0000 : "firmware"
[    3.795670] rtl8367b rtl8367b: using GPIO pins 1 (SDA) and 2 (SCK)
[    3.809220] rtl8367b rtl8367b: RTL8367R-VB chip found
[    5.788178] libphy: rtl8367b: probed
[    5.795766] libphy: Fixed MDIO Bus: probed
[    5.805400] mtk_soc_eth 10100000.ethernet: generated random MAC address be:da:75:b5:b0:d9
[    5.821770] mtk_soc_eth 10100000.ethernet: port 0 - invalid phy mode
[    5.835197] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    5.852315] rt2880_wdt 10000120.watchdog: Initialized
[    5.863896] NET: Registered protocol family 10
[    5.877315] Segment Routing with IPv6
[    5.884820] NET: Registered protocol family 17
[    5.893764] 8021q: 802.1Q VLAN Support v1.8
[    5.918765] Freeing unused kernel memory: 2012K
[    5.927793] This architecture does not have kernel memory protection.
[    5.956303] init: Console is alive
[    5.963537] init: - watchdog -
[    6.000288] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    6.028609] usbcore: registered new interface driver usbfs
[    6.039665] usbcore: registered new interface driver hub
[    6.050414] usbcore: registered new device driver usb
[    6.067429] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    6.082546] ehci-platform: EHCI generic platform driver
[    6.103353] phy phy-usbphy.0: remote usb device wakeup disabled
[    6.115162] phy phy-usbphy.0: UTMI 16bit 30MHz
[    6.124032] ehci-platform 101c0000.ehci: EHCI Host Controller
[    6.135522] ehci-platform 101c0000.ehci: new USB bus registered, assigned bus number 1
[    6.151445] ehci-platform 101c0000.ehci: irq 26, io mem 0x101c0000
[    6.188380] ehci-platform 101c0000.ehci: USB 2.0 started, EHCI 1.00
[    6.201959] hub 1-0:1.0: USB hub found
[    6.209974] hub 1-0:1.0: 2 ports detected
[    6.221922] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    6.236341] ohci-platform: OHCI generic platform driver
[    6.247121] ohci-platform 101c1000.ohci: Generic Platform OHCI controller
[    6.260721] ohci-platform 101c1000.ohci: new USB bus registered, assigned bus number 2
[    6.276611] ohci-platform 101c1000.ohci: irq 26, io mem 0x101c1000
[    6.363395] hub 2-0:1.0: USB hub found
[    6.371420] hub 2-0:1.0: 2 ports detected
[    6.383236] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    6.408214] init: - preinit -
[    6.591824] 8021q: adding VLAN 0 to HW filter on device eth0
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    9.790173] procd: - early -
[    9.796023] procd: - watchdog -
[   10.387591] procd: - watchdog -
[   10.394256] procd: - ubus -
[   10.408819] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.451086] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.464412] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.478257] procd: - init -
Please press Enter to activate this console.
[   10.710713] kmodloader: loading kernel modules from /etc/modules.d/*
[   10.730969] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   10.755561] Loading modules backported from Linux version wt-2017-11-01-0-gfe248fc2c180
[   10.771581] Backport generated by backports.git v4.14-rc2-1-31-g86cf0e5d
[   10.790105] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.812054] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[   10.903155] xt_time: kernel timezone is -0000
[   10.981697] PPP generic driver version 2.4.2
[   10.993495] NET: Registered protocol family 24
[   11.036928] ieee80211 phy0: rt2x00lib_request_eeprom_file: Info - Loading EEPROM data from 'soc_wmac.eeprom'.
[   11.057678] rt2800_wmac 10180000.wmac: Direct firmware load for soc_wmac.eeprom failed with error -2
[   11.075947] rt2800_wmac 10180000.wmac: Falling back to user helper
[   11.147923] firmware soc_wmac.eeprom: firmware_loading_store: map pages failed
[   11.162607] ieee80211 phy0: rt2x00lib_request_eeprom_file: Error - Failed to request EEPROM.
[   11.179517] rt2800_wmac: probe of 10180000.wmac failed with error -11
[   11.222652] kmodloader: done loading kernel modules from /etc/modules.d/*
[   12.369703] urandom_read: 5 callbacks suppressed
[   12.369714] random: jshn: uninitialized urandom read (4 bytes read)
[   12.483375] random: jshn: uninitialized urandom read (4 bytes read)



BusyBox v1.28.3 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 18.06.1, r7258-5eb055306f
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# 

Lots of missing stuff I will likely have other questions about, but for now just these questions relating to flashing and the flash partitions.

I have only booted this using tftpboot/bootm from u-boot using a ramfs image, meaning it directly loaded into mem not flashed and then run from memory. This is a pretty basic question, but I am assuming if I reflash this the stock firmware/bootloader will flash this AFTER the uboot, uboot-env and factory partitions? Is there anything special I should check before I flash this thing? Will be fine if I have to use TFTP to flash back to stock for now, basically just don't want to overwrite the bootloader or something I can't get back.

In case any of this is helpful, here are the uboot env vars

N750 # printenv
bootargs=NoArg
bootcmd=tftp
bootdelay=5
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
ipaddr=10.10.10.123
serverip=10.10.10.3
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
HW_BOOT_VER=1.7.4
HW_BOOT_DATE=Dec  7 2011 - 09:22:29
HW_WIFI_HIPOWER=0
ethact=Eth0 (10/100-M)
HW_LAN_MAC=XX:XX:XX:XX:XX:XX
HW_WAN_MAC=XX:XX:XX:XX:XX:XX
HW_WIFI_MAC=XX:XX:XX:XX:XX:XX
HW_WIFI_PIN=XXXXXXXX
HW_SN=XXXXXXXXXXXXXX
HW_VER=01C
HW_SKU_ID=1
stdin=serial
stdout=serial
stderr=serial

Do you have a link to your source? For the belkin and for custom firmware?

I am also working on a similar router, the F9K1103V1.
The network hardware happens to be most similar to the Edimax BR-6475nD: https://wikidevi.com/wiki/Edimax_BR-6475nD, however I am using the Asus RT-N56U as my template. I may consider making an additional device based around the BR-6475nD, but I read somewhere that the firmware for those devices and similar do not build factory images. I'm not sure if that matters, but I seem to have at least bricked my F9K1103V1 a few times with my source found here: https://github.com/devinjdawson/OpenWRT-Legacy/tree/barrier_breaker.

The main issue i have is
Please append a correct "root=" boot option; here are the available partitions: Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

... as well as rtl8367 issues. If I could see your DTS, it may help me with my own boot issues. Maybe the information on the Edimax will help you as well.

Sure. I just struggled through the error you are getting. See here for more information

https://forum.openwrt.org/t/somebody-please-school-me-on-mtd-partitions-and-dts/29503/14a.

The short version is it appears the stock firmware web upload corrupts or maybe doesn't uncompress the rootfs part of the image correctly. This causes openwrt not to find the squashfs header for rootfs and panic. I don't have it fixed for stock firmware upload yet what I have will only flash from u-boot. I am using a serial console. I am hoping to fix for the stock FW too.

I from what I can tell the F9K1109v1 and the F9K1103v1 are nearly identical although I don't have a 1103. From online specs the only differences are minor chip differences of the flash and memory, but they are the same sizes. Even the stock firmware for my 1109 has headers and variables marked as N750FK1103VB. I think the firmware will be very similar. I did refer to that edimax router and several others like DIR-645, CY-SWR1100, TEW-692GR and the RT-N56U.

I don't have the source out in a decent place yet. I will put it out somewhere decent tonight hopefully so you can track it as I make changes. The eventual goal is to PR it if I can get it decent. Here it is in current state. Note this is from master, there have been some changes around DTS so this will not run on 18.06 or earlier.
This code is not clean yet for sure. It runs the base stuff ethernet, wifi I have luci running.

Here are some known things and things I am planning to do/fix

• Will not flash from the stock web upload, need to fix
• This DTS has a "kernel" and "rootfs" partition, which means the image build is manually spacing "kernel" and is wasting some flash space. I did this trying to simplify and get rootfs to mount. Now that I realized the stock FW upload issue, I think there will be a way to only use a "firmware" partition and the openwrt will dynamically size a rootfs based on the kernel size in the image. I think this is the normal process.
• Leds are mostly there but there are some extra rt2800* coming from somewhere I have to clean up. Also will clean up the initial setup of some LEDs
• I think most of the MACs are set from env vars, but need to test
• Not sure if the USBs are working need to test
• Test stability of the whole thing

Here are snippets of the changes and the full DTS

target/linux/ramips/base-files/etc/board.d/01_leds

f9k1109)
	set_usb_led "$boardname:green:usb1"
	ucidef_set_led_switch "lan" "lan" "$boardname:blue:wps" "switch0" "0x0f"
	;;

target/linux/ramips/base-files/etc/board.d/02_network

f9k1109|\
	rt-n15|\
	wl-351)
		ucidef_add_switch "switch0" \
			"0:lan" "1:lan" "2:lan" "3:lan" "4:wan" "5@eth0"
		;;

and

	f9k1109)
		wan_mac=$(mtd_get_mac_ascii uboot-env HW_WAN_MAC)
		lan_mac=$(mtd_get_mac_ascii uboot-env HW_LAN_MAC)
		;;

target/linux/ramips/base-files/lib/ramips.sh

	*"F9K1109")
		name="f9k1109"
		;;

target/linux/ramips/dts/F9K1109.dts

https://pastebin.com/raw/rCPtgUCS

target/linux/ramips/image/rt3883.mk

define Device/f9k1109
  DTS := F9K1109
  BLOCKSIZE := 64k
  DEVICE_TITLE := Belkin F9K1109
  DEVICE_PACKAGES := kmod-usb-core kmod-usb-ohci kmod-usb2 swconfig
  IMAGE_SIZE := 7224k
  KERNEL := kernel-bin | patch-dtb | lzma -d16 | uImage lzma
  # Stock firmware checks for this uImage image name during upload.
  UIMAGE_NAME := N750F9K1103VB
  IMAGE/sysupgrade.bin := append-kernel | pad-to 2048K | append-rootfs | pad-rootfs | append-metadata | check-size $$$$(IMAGE_SIZE)
endef
TARGET_DEVICES += f9k1109

You can download the belkin source from here
https://www.belkin.com/us/support-article?articleNum=51238

Hope this helps you. I am a noob at this stuff. Feel free to ask questions if you have any.

You definitely should put up your work on Github. I'd like to work with you on it, and cross reference what I am working on with you. I would definitely be willing to try your builds on my hardware. I'm not too worried about bricking anything.

I am currently modifying the archived version of OpenWRT. From what I read, you need to first flash the device with a factory build and then you can use the sysupgrade builds after. I believe Edimax similar models only creates sysupgrade images with the config utility with versions after 14.07, so I figured it would be best to start with the older code just to see if it's even possible to get it working (with either an Eidmax or ASUS template), and then make it compatible with the most recent versions of OpenWRT.

This is great. I hope to get this out on github tonight, but might end up being tomorrow. I will post up when it is there. I am happy to send you build images too if you want. I am sure you have figured the out already, but I am new to all this. My understanding is the factory bins are used to overwrite the factory FW (first flash) then use sysupgrades after that. I have had the image make files creating both images in a build (they aren't ATM), but I didn't vary the configs so they seemed the same. Neither image will flash over stock correctly. The assumption is the stock FW is looking for something in the image or maybe not decompressing it correctly. This is the main thing I have to figure out at this point.

Another forum member pointed me to this Belkin based image stuff for a different Belkin router

https://github.com/openwrt/openwrt/blob/master/target/linux/ar71xx/image/legacy.mk - starting at line 481

No idea if has anything to do with the F9K* routers, but might be a hint. The interesting part to make here is it is using the edimax_fw_header tool to build the image which is not what the default image building stuff does. Maybe this is a clue.

I pushed out my work in progress to github here

Hoping to put some changes in this weekend

Thanks for posting this. I utilized a lot of your work for reference. I still have not re-attempted to build an 18.06 firmware yet, but I have been having success with the 14.06 barrier breaker. I have managed to successfully flash the device, but it does not work perfectly yet. I am still working out the kinsk, with all my progress available on my github.

My one question for you is: have you managed to build "factory" firmwares for 18.06? This is the only reason I haven't tried building the newer firmware.

I am currently using Pats4Life alternative to Padavan's RT-N56U firmware for intermediate flashing of the firmare. It allows me to Factory flash devices with Belkin Model "F9K1103". This is the same thing as the PDTAG or UNAME. In 14.06, there's seems to be a character limit of 9 on the product id, truncating the PDTAG and making impossible to factory flash from the original Belkin firmware.

I have it where the flash through the stock FW UI will complete successfully and will boot openwrt but it seems to mangle the rootfs so openwrt will not create kernel / rootfs partitions correctly, doesn't mount rootfs and panics.

Here's a boot snippet.

...
[    2.380091] 5 fixed-partitions partitions found on MTD device spi0.0
[    2.392760] Creating 5 MTD partitions on "spi0.0":
[    2.402320] 0x000000000000-0x000000030000 : "uboot"
[    2.413074] 0x000000030000-0x000000040000 : "uboot-env"
[    2.424509] 0x000000040000-0x000000050000 : "factory"
[    2.435639] 0x000000050000-0x0000007f0000 : "firmware"
[    2.481147] 0x0000007f0000-0x000000800000 : "user-cfg"
...
[    4.470353] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    4.485334] Please append a correct "root=" boot option; here are the available partitions:
[    4.501991] 1f00             192 mtdblock0
[    4.501997]  (driver?)
[    4.515018] 1f01              64 mtdblock1
[    4.515023]  (driver?)
[    4.528041] 1f02              64 mtdblock2
[    4.528046]  (driver?)
[    4.541064] 1f03            7808 mtdblock3
[    4.541069]  (driver?)
[    4.554096] 1f04              64 mtdblock4
[    4.554101]  (driver?)
[    4.567116] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)

The "odd" things I did so the stock FW UI would get to the point of flashing it in the image creation

I tagged the uimage name

  UIMAGE_NAME := N750F9K1103VB

Otherwise you get this from a stock FW and it would not flash

/tmp/uploadq02CoS: Bad PDTAG/MAGIC header/type 27051956 ,MIPS OpenWrt Linux-4.14.63, 2

I also did this, note the lzma -d param. This makes the lzma dictionary size smaller than openwrt does by default matching the stock FW.

 KERNEL := kernel-bin | patch-dtb | lzma -d16 | uImage lzma

It would flash before I did that but u-boot would fail like this

3: System Boot system code via Flash.
## Booting image at bc050000 ...
.   Image Name:   N750F9K1103VB
   Created:      2018-08-16   7:51:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1472004 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80000000
.......................   Verifying Checksum ... OK
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

The images I have at this point will flash and work fine from u-boot / TFTP flash, just not the stock FW UI upload/upgrade.

Thanks for posting these link. I have been attempting to figure out the next step going through stock source, but not getting very far. I am interested to look at these to see how they got rootfs to mount from a stock flash.

Also in case it helps, one other issue I am having, completely unrelated is the wired and wireless speeds are slow. Like 20 Mb max on wired. Haven't figured that out, but will not be shocked at all if I misconfiged something in the DTS.

Try using the parttion table from https://github.com/openwrt/openwrt/blob/master/target/linux/ramips/dts/DIR-620-D1.dts. It's a similar flash memory module. I used the same for 14.06 and it magically worked.

It should look like this:

&spi0 {
	status = "okay";

	m25p80@0 {
		compatible = "jedec,spi-nor";
		reg = <0>;
		spi-max-frequency = <10000000>;

		partitions {
			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			partition@0 {
				label = "u-boot";
				reg = <0x0 0x30000>;
				read-only;
			};

			partition@30000 {
				label = "u-boot-env";
				reg = <0x30000 0x10000>;
				read-only;
			};

			factory: partition@40000 {
				label = "factory";
				reg = <0x40000 0x10000>;
				read-only;
			};

			partition@50000 {
				compatible = "denx,uimage";
				label = "firmware";
				reg = <0x50000 0x7b0000>;
			};
		};
	};
};

Interesting. I haven't tried this. I was attempting to not mess with the last stock "UserCfg" 64K partition. Looks like this expands "firmware" to cover all they way to the end of flash. I'll try it tonight.

Ok. I tried the partitions and no luck, but I did go download the pats4life image and it does flash from stock. So after much digging around, flashing, binwalking. Maybe this is something?

It looks like both images that will flash have the uImage size as the whole bin, but openwrt at least for my build is just the kernel size. I think the stock FW might only copy the amount in the uImage header size to MTD during the UI upgrade.

Stock FW - flashes from stock FW upgrade

$ binwalk F9K1109_WW_1.10.16.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x2F896718, created: 2012-06-28 04:57:02, image size: 7398304 bytes, Data Address: 0x80000000, Entry Point: 0x8033E000, data CRC: 0x19D7A1A4, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "N750F9K1103VB"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3526536 bytes
1364960       0x14D3E0        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 6030081 bytes, 1668 inodes, blocksize: 65536 bytes, created: 2012-06-28 04:56:57

pats4life/padavan FW - flashes from stock FW upgrade

binwalk BN750DB_3.4.3.9-099_base.trx 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x50CD3D6A, created: 2016-08-17 23:27:21, image size: 6955027 bytes, Data Address: 0x80000000, Entry Point: 0x802B6A00, data CRC: 0x4F336BEB, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "N750F9K1103VB"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3480724 bytes
1206480       0x1268D0        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 5748611 bytes, 1333 inodes, blocksize: 131072 bytes, created: 2016-08-17 23:27:20

openwrt - does NOT work from stock FW flash

binwalk openwrt-ramips-rt3883-f9k1109-squashfs-factory.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0xE8CBA90A, created: 2019-01-26 18:14:28, image size: 1355987 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0xC0F75C87, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "N750F9K1103VB"
64            0x40            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 4248796 bytes
1356051       0x14B113        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2240580 bytes, 1234 inodes, blocksize: 1048576 bytes, created: 2019-01-26 18:14:28

Also note this which is console output from the stock FW during a UI upgrade/flash

pats4life/padavan FW

upload /tmp/upload9RdAXE done
find /dev/mtd6 "Kernel_RootFS"
size: [0x006a2053]
Kernel_RootFS: MTD write OK
!!!!!!!!!CGI upgrade rc=8

openwrt

upload /tmp/uploadCbblWv done
find /dev/mtd6 "Kernel_RootFS"
size: [0x001656f9]
Kernel_RootFS: MTD write OK
!!!!!!!!!CGI upgrade rc=8

Note the size in the openwrt one is the size in the uImage for the kernel but the whole thing bin is 3M+. Pretty sure the stock FW is just writing the 1355987 bytes in the kernel

So, next question .. anyone know how I can get the image build make files to hack the uImage size to be the full bin size for the factory image?

Ok so I have successfully upgraded from stock using the stock UI upgrade. Here are the things the stock FW needs to flash (and boot) the first image

• The uImage header must have the full size of the image. The stock FW only copied this much to MTD directly even if the bin file is larger.
• The lzma dictionary size must be 64K (maybe others would work, but the default doesn't)
• uImage name must be "N750F9K1103VB"

The first bullet is the issue with the standard sysupgrade image where the uImage size is only the size of the kernel and the squashfs/rootfs part of the binary is beyond that boundary. OpenWRT is completely happy with this and I think this is part of how it does dynamic partitioning but it results in the stock FW only writing to the image header size, so just the kernel then panics when it can't find rootfs to mount. After a lot of screwing around with other combinations, I ended up using the a initramfs image. It does have the full uImage size in the header and fully boots, then use the upgrade in luci to upgrade to the sysupgrade which has all the normal squash partitions.

From stock

• Upload the initramfs "factory" image through the stock upgrade web page
• After it boots to openwrt, upgrade with the sysupgrade image

So a couple of questions on this.

1. Is this ok as a factory then sysupgrade option? I know many don't have to do the factory step anymore. Also I have'nt seen any initramfs based "factory" images is that ok?
2. Is it possible to build the initramfs image as the "factory" in the make recipe? I am assuming this is possible somehow. At this point I set it as an option in the imagebuilder to build squash and initramfs.

Heads up... turns out there is another easier way to flash this router with openwrt from stock. I was surprised, but u-boot has a mini web server. This process is run from u-boot instead of the stock FW and does not check the uImage size so you can flash the normal sysupgrade image first.

• Hold reset button on the back of router when plugging in power (for at-least 10 seconds after plugged in)
• Connect to a Lan port
• Set computer IP to 10.10.10.3
• Go to http://10.10.10.123 in a web browser
• Click the Browse… Button and select the *squashfs.sysupgrade.bin file then click APPLY