Belkin RT3200/Linksys E8450 WiFi AX discussion

For Developers
5108

Hard recovery of the Linksys e8450 / Belkin RT-3200

If the router's firmware has been damaged beyond the point of simple patching and operation, you can still restore the router to full function as long as you have previously taken a backup of your factory partition. The instructions for doing so are below. Be warned that if something goes wrong with the below, it could leave your router unable to boot and without data at all. Therefore, the steps below should only be followed if you know what you are doing or if you're sure the data has been corrupted beyond resolution by normal firmware installation process and the normal OKD recovery steps.

These instructions are based under the following assumptions:

  1. The router and your computer are connected to the same network and you can communicate between them.
  2. The router (through U-Boot) will default to the IP address 192.168.1.1.
  3. The router expects your computer to be located at IP address 192.168.1.254.
  4. Your computer must be configured with a TFTP server.
  5. You have a basic working knowledge of (and access to) the U-Boot prompt.

From your backups, place a copy of the backed-up factory partition for this router in the TFTP folder with the name factory.bin. The stock firmware stored this as mtd4, but retrieval from an unmodified router is not a procedure most people would have performed. If taken from the boot_backup during or following use of the UBI Installer with a version number prior to 1.1.0, the file you need is mtd2. If extracted from a live OpenWRT 23.05 or older installation, the data would be stored in mtd2. If extracted from a 2024+ snapshot or release 24.10 and newer, this data would have been within a UBI volume. In most cases, the factory data will be 1MiB in size.

Warning: Please pay close attention to the versions of the files specified in the instructions. The versions are different depending on the version of the firmware to which you are recovering. Use of the wrong (and incompatible) versions will result in a device that cannot boot on its own.

Recovery instructions - Reload OpenWRT 23.05 from scratch

From the OpenWRT firmware selector, select the e8450 UBI and firmware version 22.03.7. We need the following:

From the OpenWRT firmware selector, select the e8450 UBI and firmware version 23.05.4. We need the following:

Using the mtk_uartboot tool as per the serial recovery instructions on the wiki (https://openwrt.org/toh/linksys/e8450#serial_recovery), follow the steps for downloading the tool and its special mt7622-ram-1ddr-bl2.bin file as well as the steps for preparing the TFTP and the environment. When the environment is prepared, run the mtk_uartboot tool as listed in the wiki. When the terminal program loads, you will need to stop the boot process at the U-Boot menu and select option 0 for the console.

One at a time, run the below commands to restore data to the necessary partitions. If a step fails, you need to troubleshoot it. Do not proceed on to the next step unless you have received a confirmation message that the data has been written.
Restoring the preloader (BL2)

run boot_tftp_write_bl2

Restoring the fip (and U-Boot)

run boot_tftp_write_fip

Restoring the factory partition
The below instruction will restore your factory partition from the backup. If you are using the surrogate binary from below or a partition from a donor device and wish to retain your original MAC addresses, please instead skip the below command and use the factory restoration steps under the section "Recovery without factory partition".

tftpboot factory.bin && mtd erase factory && mtd write factory $loadaddr 0 $filesize

If you needed to use the alternate steps under "Rebuilding the factory data", you would now resume the recovery process here.

Formatting UBI and preparing the U-Boot Environment

ubi detach; mtd erase ubi && ubi part ubi
mw $loadaddr 0xff 0x1f000
ubi create ubootenv 0x100000 dynamic ; ubi write $loadaddr ubootenv 0x1f000
ubi create ubootenv2 0x100000 dynamic ; ubi write $loadaddr ubootenv2 0x1f000

Restoring the recovery environment

run boot_tftp_recovery

At the end of the final step, the router may automatically launch the OpenWRT recovery environment. If it does not, it is now safe to issue the reset command and the router will reboot. If all went well, you should now be in the 'initramfs' recovery environment and should upload the sysupgrade file either by web (luci) or by the command line, whichever you prefer. Once the sysupgrade file has been loaded, the router is restored and ready for use.

Recovery instructions - Reload OpenWRT 24.10 from scratch

From the OpenWRT firmware selector, select the e8450 UBI and firmware version 24.10.1. We need the following:

Using the mtk_uartboot tool as per the serial recovery instructions on the wiki (https://openwrt.org/toh/linksys/e8450#serial_recovery), follow the steps for downloading the tool and its special mt7622-ram-1ddr-bl2.bin file as well as the steps for preparing the TFTP and the environment. When the environment is prepared, run the mtk_uartboot tool as listed in the wiki. When the terminal program loads, you will need to stop the boot process at the U-Boot menu and select option 0 for the console.

One at a time, run the below commands to restore data to the necessary partitions. If a step fails, you need to troubleshoot it. Do not proceed on to the next step unless you have received a confirmation message that the data has been written.

Formatting UBI

ubi detach; mtd erase ubi && ubi part ubi

Preparing the U-Boot Environment

mw $loadaddr 0xff 0x1f000
ubi create ubootenv 0x100000 dynamic ; ubi write $loadaddr ubootenv 0x1f000
ubi create ubootenv2 0x100000 dynamic ; ubi write $loadaddr ubootenv2 0x1f000

Restoring the preloader (BL2)

run boot_tftp_write_bl2

Restoring the fip (and U-Boot)

run boot_tftp_write_fip

Restoring the factory partition
The below instruction will restore your factory partition from the backup. If you are using the surrogate binary from below or a partition from a donor device and wish to retain your original MAC addresses, please instead skip the below command and use the factory restoration steps under the section "Recovery without factory partition".

tftpboot factory.bin && ubi create factory $filesize static && ubi write $loadaddr factory $filesize

If you needed to use the alternate steps under "Rebuilding the factory data", you would now resume the recovery process here.

Restoring the recovery environment

run boot_tftp_recovery

At the end of the final step, the router may automatically launch the OpenWRT recovery environment. If it does not, it is now safe to issue the reset command and the router will reboot. If all went well, you should now be in the 'initramfs' recovery environment and should upload the sysupgrade file either by web (luci) or by the command line, whichever you prefer. Once the sysupgrade file has been loaded, the router is restored and ready for use.

Rebuilding the factory data

Edit: This section assumes you are in the process of following the above recovery process and do not have a valid backup of your factory data. The steps described here would replace the step for restoring the backed up factory data in said recovery process.

The below linked file is a rebuilt factory partition based around the documentation and data present in the wifi drivers. Please note that it does NOT contain any MAC addresses, and therefore, your router will still randomly assign them.

Since this surrogate is rebuilt from driver information and does not contain all of the data present in a true factory partition, there's a chance that some functionality might not be there or it might not work properly on your device at all. It might even break at some point in the future, should a new driver suddenly require data that isn't there. In other words, this surrogate is for an emergency recovery when all other options fail.

The good news is that it has been tested far enough to ensure it will make and allow connections from devices, and that it lists the same support as was present by the factory.

Place the following file on your TFTP server with the name factory.bin.
https://github.com/grauerfuchs/owrt_device_support/raw/main/e8450_factory_emergency.bin

You can use the file as-is with the recovery instructions above if you don't care about having stable MAC addresses or if you prefer to assign them directly in OpenWRT. However, if you do want to permanently restore your MAC addresses, you'll need to properly update and use the below commands to restore the factory partition instead.

To load the surrogate partition into memory on the router for editing:

tftpboot 0x48000000 factory.bin

Editing a MAC address in device memory through the U-Boot console
The editor commands listed below will set the MAC address byte by byte in an as-displayed order. The last parameter passed to each command is the data that will be set. The addresses are written and stored as hexadecimal values. Please don't forget this when computing the new values.

By default, the MAC address on the router's sticker is the WAN address. From there, increment each address' final value by one to get the LAN, then the 2.4GHz, then the 5GHz addresses.

Setting the WAN MAC address

mw.b 0x4807FFFA 0xe8
mw.b 0x4807FFFB 0x9f
mw.b 0x4807FFFC 0x80
mw.b 0x4807FFFD 0x00
mw.b 0x4807FFFE 0x00
mw.b 0x4807FFFF 0x00

Setting the LAN MAC address

mw.b 0x4807FFF4 0xe8
mw.b 0x4807FFF5 0x9f
mw.b 0x4807FFF6 0x80
mw.b 0x4807FFF7 0x00
mw.b 0x4807FFF8 0x00
mw.b 0x4807FFF9 0x01

Setting the 2.4GHz WiFi MAC address

mw.b 0x48000004 0xe8
mw.b 0x48000005 0x9f
mw.b 0x48000006 0x80
mw.b 0x48000007 0x00
mw.b 0x48000008 0x00
mw.b 0x48000009 0x02

Setting the 5GHz WiFi MAC address

mw.b 0x48005004 0xe8
mw.b 0x48005005 0x9f
mw.b 0x48005006 0x80
mw.b 0x48005007 0x00
mw.b 0x48005008 0x00
mw.b 0x48005009 0x03

Writing the updated factory partition to flash
This part of the process differs depending on the firmware you are restoring.

Restoring the factory data on 23.05 or older 
mtd erase factory && mtd write factory 0x48000000 0 0x80000
Restoring the factory data on 24.10 or newer 
ubi create factory $filesize static && ubi write $loadaddr factory $filesize

From here, continue with the above instructions for restoring the recovery environment.


-----------

Complications that you may encounter:

TFTP doesn't work (no ethernet address)

If you're recovering from a corrupted flash or a wiped chip, U-Boot may complain about not having an ethernet address. The end result is that it will refuse to allow TFTP access. If this is the case, you can assign a temporary address with the following command:

setenv -f ethaddr 00:11:22:33:44:55
saveenv

Please note that the fake MAC address above must be replaced with the real one listed on your router's sticker.

I can't get to the U-Boot menu (it keeps booting into OpenWRT)

The default U-Boot within the FIP supplied by OpenWRT has a timeout window of only 3 seconds. Some terminal programs (like PuTTY) are too slow to load and so the router has already continued on with booting before you get the chance to interrupt it in the boot menu. In order to get to the U-Boot menu, you will either need a faster-loading terminal application or you can try to boot with the following FIP instead:
For 23.05: https://github.com/grauerfuchs/owrt_device_support/raw/refs/heads/main/linksys-e8450-foxed-for-openwrt-23.05-noinit.fip
This FIP has been compiled specifically for debugging and restoration with OpenWRT 23.05. It will not boot normally, so it should not be burned to flash, but instead used only with mtk_uartboot.

Edit Notes: The links to the proper files for restoration have been updated as of 2024-05-24,

16 Likes