Fantastic!!!
Thanks again!!!
i set up a tftp server using atftpd and it says its serving the file to the router but nothing happens after that. not sure what im doing wrong though. it keeps repeating itself over and over again. here's the output of tcp dump
192.168.1.1.4060 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:02.834036 IP (tos 0x0, ttl 64, id 43810, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.45491 > 192.168.1.1.4060: [bad udp cksum 0x847c -> 0x78e1!] UDP, length 19
18:24:03.876772 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:03.876787 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:03.876823 IP (tos 0x0, ttl 255, id 1074, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.2031 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:03.877257 IP (tos 0x0, ttl 64, id 44035, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.51948 > 192.168.1.1.2031: [bad udp cksum 0x847c -> 0x6795!] UDP, length 19
18:24:04.919467 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:04.919482 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:04.919518 IP (tos 0x0, ttl 255, id 1075, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.3074 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:04.919918 IP (tos 0x0, ttl 64, id 44243, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.34327 > 192.168.1.1.3074: [bad udp cksum 0x847c -> 0xa857!] UDP, length 19
18:24:05.761626 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.254, length 28
18:24:05.962462 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:05.962478 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:05.962512 IP (tos 0x0, ttl 255, id 1076, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.1045 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:05.962906 IP (tos 0x0, ttl 64, id 44367, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.46001 > 192.168.1.1.1045: [bad udp cksum 0x847c -> 0x82aa!] UDP, length 19
18:24:06.781920 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.254, length 28
18:24:07.005423 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:07.005446 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:07.005490 IP (tos 0x0, ttl 255, id 1077, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.2088 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:07.006072 IP (tos 0x0, ttl 64, id 44518, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.32781 > 192.168.1.1.2088: [bad udp cksum 0x847c -> 0xb23b!] UDP, length 19
18:24:07.805838 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 tell 192.168.1.254, length 28
18:24:08.048389 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:08.048400 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:08.048434 IP (tos 0x0, ttl 255, id 1078, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.3131 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:08.048770 IP (tos 0x0, ttl 64, id 44594, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.53888 > 192.168.1.1.3131: [bad udp cksum 0x847c -> 0x5bb5!] UDP, length 19
18:24:09.090270 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:09.090290 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:09.090312 IP (tos 0x0, ttl 255, id 1079, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.1101 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:09.090633 IP (tos 0x0, ttl 64, id 44811, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.37914 > 192.168.1.1.1101: [bad udp cksum 0x847c -> 0xa209!] UDP, length 19
18:24:10.132278 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:10.132301 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:10.132351 IP (tos 0x0, ttl 255, id 1080, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.2143 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:10.132963 IP (tos 0x0, ttl 64, id 44882, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.34161 > 192.168.1.1.2143: [bad udp cksum 0x847c -> 0xaca0!] UDP, length 19
18:24:11.154187 IP6 (flowlabel 0xb00c8, hlim 255, next-header ICMPv6 (58) payload length: 8) fe80::8115:1b49:4fa6:34d0 > ip6-allrouters: [icmp6 sum ok] ICMP6, router solicitation, length 8
18:24:11.175286 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.254 tell 192.168.1.1, length 46
18:24:11.175309 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.254 is-at 6c:02:e0:82:5b:a0 (oui Unknown), length 28
18:24:11.175353 IP (tos 0x0, ttl 255, id 1081, offset 0, flags [DF], proto UDP (17), length 124)
192.168.1.1.3186 > 192.168.1.254.tftp: [no cksum] TFTP, length 96, RRQ "openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb" octet timeout 5 blksize 1468
18:24:11.175974 IP (tos 0x0, ttl 64, id 44931, offset 0, flags [DF], proto UDP (17), length 47)
192.168.1.254.58873 > 192.168.1.1.3186: [bad udp cksum 0x847c -> 0x4805!] UDP, length 19
once again thanks let me know what im doing wrong, my roomate is already pretty upset haha
This looks like your local TFTP server is sending a very short reply to the device asking for the image. Could be "File not found!" or "Permission denied!" or something like that...
ya thats exactly what it was i put the file in the wrong directory oops. hey thanks daniel i appreciate it. seems to be working just fine now. just gotta do that fix for the 5ghz not working.
The small pads make this approach hard for a beginner, along with the fact that a large number of those dongles have the wrong voltage going out on logic, threatening to fry your nand without a level changer or modifying your dongle.
I also ponder whether the vcc output from one of these adaptors would suffice if the component was still on the board, since might get voltage sagging under the min for that winbond spi-nand?
As for the ECC, I think you can get snander to dump the OOB as well, but calculating it would probably end up being up to one whipping something up.
Goes back to attempting to attach wires to said tiny pads without correct tools
It's 1.27mm pitch pins, so quite a challenge. If you want to avoid soldering, get one of those PCB probe clamps with pogo pins:
1 Like
Yes, the JTAG header is a much easier solution for most people.
I just flashed my RT3200 with the recovery installer built from v0.6.1 in Administration-> Firmware Upgrade. Now the router is unreachable (the computer doesn’t recognize anything is plugged into the Ethernet port) and the power light start flashing immediately upon turning on the router.
Is there anything I can do?
@dahser: did you use the binary from github releases or did you build the installer youself?
From your description I figure the device is new and was running stock firmware, right?
I built the installer myself and the device was running stock firmware
Most likely something went wrong in your build of the installer.
Or it can of course also be that flashing went wrong for other unknown reasons, like weirdness of this particular flash chip (ie. bad blocks) or the manufacturer having made changes to the design... Overall this is still a risky procedure, things can go wrong.
But first thing I'd like to take a look at the resulting installer image file you generated.
Does the file size (roughly) match the size of the binary available for download on Github?
1 Like
The size of the built binaries are 15,104 for the installer and 8,832 for the recovery, which roughly match the size of the binaries on Github.
Same symptom here. First flashed recovery.itb, worked fine, then saved mtd blocks per backup instructions. Saved four blocks:
mtd0 - bl2 - 512KB
mtd1 - fip - 784KB
mtd2 - factory - 0KB ?
mtd3 - ubi - 128KB
Afterwards, I flashed recovery-installer.itb with the currently flashed recovery.itb image. Router now appears bricked (blue light, blinks ~twice per second, no ethernet connection, can't ping). Did I flash the wrong image here? Is factory supposed to be 0 bytes? Damn.
EDIT: Cracked it open and got serial access with an old Arduino Nano clone. Boot log here: https://paste.sh/opfQJCX8#NDYYukVsImgJNLa3zxR4LPhX "Bad Magic Number." Will try flashing over serial/TFTP tomorrow.
1 Like
You cannot flash the installer using the running recovery. You need to power cycle the device which will make it return to stock firmware. Only then flash the installer.
However, in this case, you can still use TFTP recovery (even without opening the case afaik, just holding RESET button will trigger vendor bootloader to initiate TFTP server), so no biggie.
3 Likes
hi daniel I installed version 0.6.0 1 month ago, and I succeeded without any problem flashing 0.6.1 and reloading snapshot thank you for your work
Yes, but you were not running ubi recovery on top of stock bootchain (which is needed to take full flash backup) while flashing anything.
1 Like
ok if i get a new router with the original software the step remains the same first recovery installer 0.6.1 and snapshot?
1 Like
U-boot (the "vendor bootloader"?) doesn't seem to start a TFTP server if the reset button is held down during boot. I can, however, use the tftpboot command or other bootmenu options via serial to access a TFTP server on my computer. I'm not sure what to do from here. Specifically, which commands should I issue via serial and what images should I host to flash to stock or the installer? Sorry for my ignorance.
EDIT: Nevermind, boot menu->"System Load Linux Kernel then write to Flash via TFTP" option was what I needed. Thanks for all you do Daniel!
1 Like
This sounds a bit too involved for me, I think I will need to write the router off or buy another.
However, I do have to ask: is there any chance the non-UBI version could be supported in the latest snapshot? Or can I install the non-UBI version (in dual boot mode), and upgrade to latest snapshot?
How about main release (whenever it will go to main), would that include UBI and non-UBI layouts?
Thanks for the help!
I have submitted a patch to revive the non-UBI variant which will hopefully be integrated into the mt76 driver soon.
Once this got merged, you can just install an OpenWrt snapshot alongside the vendor firmware in dual-boot mode.
The next upcoming release is going to include both, UBI and non-UBI images (given that we get all issues on non-UBI image resolved which currently make it unusable).
2 Likes