Belkin RT3200/Linksys E8450 WiFi AX discussion

daniel · February 28, 2024, 1:00am

Yes. It's worth waiting for a few more days, a tool to be released to the public is in the making by @981213.

farnwomt · February 28, 2024, 12:23pm

Is my error message actually different to yours? From your earlier posting I thought we both ended on the same error message ...

ERROR: BL2: Failed to load image id 3 (-2)

I am puzzled as to what can be done when I don't have the opportunity to interrupt the process over a serial cable, but I will be very interested to see if a tool comes along.

At the moment my main interest is in sourcing a clip that allows me to attach to the JTAG connector without soldering, does anybody know a good one to buy?

Thanks,
Michael

FanOfOpenWRT · February 29, 2024, 2:43am

Confirming that these are the current & valid steps to update from SNAPSHOT w/5.15 kernel to SNAPSHOT w/6.1 kernel?

Is there a simple way to preserve settings during this upgrade, or is that not recommended/not possible?

981213 · February 29, 2024, 3:12am

Actually, we do have the opportunity you mentioned.
The tool will be published tomorrow. You can wait for a day instead of purchasing anything for JTAG.

981213 · February 29, 2024, 3:15am

You should be able to backup the settings in Luci, restore it after updating the firmware, and manually fix compat_version in /etc/config/system.

hnyman · February 29, 2024, 6:17am

After the move to the new "fip in ubi" layout, I ran into bogus compatibility problem in the next sysupgrade:
I noticed at the next sysupgrade a few days later that it complained about the sysupgrade image compatibility. I had to manually add the compat_version '2.0' option to /etc/config/system.

The reason for the complaint is that although the first sysupgrade image uci-defaults had already set the compat_string, I had restored settings from backup after the fip/ubi change, and the restored old settings backup had naturally not contained the new string, and so the string "disappeared" from uci.

The string in the system section of the system config file can be added by editor, or by UCI commands.

uci set system.@system[0].compat_version="2.0"
uci commit system

ow89 · February 29, 2024, 1:30pm

I bricked my Belkin as I'd not used it for a bit and it randomly booted to stock firmware (even though I was on ubi), I tried to reflash and something went wrong and it no longer boots, I've not checked this thread for a bit, but will this new tool help me recover via serial (as jtag seems a pain and pricey). Thanks

jkdf2 · February 29, 2024, 4:31pm

This commit from yesterday,

Has the caveat "This may break sysupgrade, but a fresh
flash from initramfs works."

Has anyone tried upgrading snapshots after this commit?

_FailSafe · February 29, 2024, 5:10pm

I've just hit this issue for the second time in 24 hours--happening now on two of my four RT3200s.

F0: 102B 0000
F6: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 0400 0041 [0000]
G0: 1190 0000
T0: 0000 02F1 [000F]
Jump to BL

NOTICE:  BL2: v2.9.0(release):OpenWrt v2023-10-13-0ea67d76-1 (mt7622-snand-ubi-1ddr)
NOTICE:  BL2: Built : 11:23:19, Feb 18 2024
NOTICE:  WDT: Cold boot
NOTICE:  CPU: MT7622
NOTICE:  WDT: disabled
NOTICE:  SPI-NAND: FM35Q1GA (128MB)
NOTICE:  UBI: scanning [0x80000 - 0x8000000] ...
NOTICE:  UBI: scanning is finished
NOTICE:  UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
NOTICE:  UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
NOTICE:  UBI: Volume fip (Id #0) size is 1019644 bytes
ERROR:   BL2: Failed to load image id 5 (-2)

Oddly, I let one of these RT3200s sit overnight unplugged from power, roughly 18 hours, and then powered it up and it booted normally (after appearing dead to the world). I tried to flash my latest snapshot build to it and then it failed to boot again.

Anybody have any more insight into this issue at this point? (cc @daniel)

daniel · February 29, 2024, 5:24pm

It is not related to the E8450/RT3200 device and doesn't change anything for it.

daniel · February 29, 2024, 5:25pm

Haven't seen this happening in weeks of torturing the new bootchain. Can you share the built image you flashed to the device so I can try to reproduce it?

Edit: I start to get the feeling we should check if the SPI-NAND parameters in TF-A, U-Boot and Linux for this exotic Fidelix chip are in-sync.

farnwomt · February 29, 2024, 6:13pm

Today is hopefully going to be an exciting day. Fascinated to see how this tool will work!

Thanks,
Michael

marioapardo · February 29, 2024, 8:50pm

I have tried to upload the new installer, and it could not run, when it tries to start it fails with the following error message.

Uncompressing Kernel Image ... LZMA: uncompress or overwrite error 1 - must RESET board to recover

Has anyone had this happen to them and do they know how to fix it?

Thanks

daniel · March 1, 2024, 1:22am

This usually means that the address range where the uImage.FIT has been loaded overlaps with the range used to decompress the kernel. Please share the complete log and also a dump of the U-Boot environment (printenv in U-Boot console).

I have not seen this happening, and I've tried the installer with all available versions of the stock firmware -- however, all my devices are rather old (from 2020 and 2021) and hence it can be that newer devices come with an updated stock bootloader (updating the stock firmware doesn't update the bootloader).

daniel · March 1, 2024, 1:45am

marioapardo · March 1, 2024, 2:09am

thanks for answering daniel !.

I have tried to install the image from stock firmware as well as from openwrt.

This is the log when you try to boot the installer image from the stock firmware.

[ 3101.648283] reboot: Restarting system

F0: 102B 0000
F6: 0000 0000
V0: 0000 0000 [0001]
00: 0000 0000
BP: 0000 0041 [0000]
G0: 0190 0000
T0: 0000 036D [000F]
Jump to BL

UNIVPLL_CON0 = 0xFE000000!!!
mt_pll_init: Set pll frequency for 25M crystal
RAM_CONSOLE preloader last status: 0x0 0x0 0x0 0x0 0x0 0x0
[PMIC_WRAP]wrap_init pass,the return value=0.
[pmic_init] Preloader Start..................
[pmic_init] MT6380 CHIP Code, reg_val = 0, 1:E2  0:E3
[pmic_init] Done...................
Chip part number:7622B
MT7622 Version: 1.2.8, (iPA)
SSC OFF
mt_pll_post_init: mt_get_cpu_freq = 1350000Khz
mt_pll_post_init: mt_get_mem_freq = 1600000Khz
mt_pll_post_init: mt_get_bus_freq = 1119920Khz
[PLFM] Init I2C: OK(0)

[BLDR] Build Time: 20200522-165358
==== Dump RGU Reg ========
RGU MODE:     14
RGU LENGTH:   FFE0
RGU STA:      40000000
RGU INTERVAL: FFF
RGU SWSYSRST: 8000
==== Dump RGU Reg End ====
RGU: g_rgu_satus:2
 mtk_wdt_mode_config  mode value=10, tmp:22000010
PL RGU RST: ??
SW reset with bypass power key flag
Find bypass powerkey flag
WDT NONRST=0x20000000
WDT IRQ_EN=0x340003
RGU mtk_wdt_init:MTK_WDT_DEBUG_CTL(590200F3)
[EMI] MDL number = 2
[EMI] DRAMC calibration start

[EMI] DRAMC calibration end

[EMI]rank size auto detect
[EMI]start_addr[0x40000000]=0x12345678, test_addr[0x48000000]= 0xEDCBA987
[EMI]start_addr[0x40000000]=0x12345678, test_addr[0x50000000]= 0xEDCBA987
[EMI]start_addr[0x40000000]=0xEDCBA987, test_addr[0x60000000]= 0xEDCBA987
[EMI]rank0 size: 0x20000000
[MEM] complex R/W mem test pass
RAM_CONSOLE wdt status (0x2)=0x2
[BBT] BMT.v2 is found at 0x3FF
[PLFM] Init Boot Device: OK(0)

[PART] blksz: 2048B
[PART] [0x0000000000000000-0x000000000007FFFF] "PRELOADER" (256 blocks)
[PART] [0x0000000000080000-0x00000000000BFFFF] "tee1" (128 blocks)
[PART] [0x00000000000C0000-0x000000000013FFFF] "lk" (256 blocks)

Device APC domain init setup:

Domain Setup (0x0)
Domain Setup (0x0)
Device APC domain after setup:
Domain Setup (0x0)
Domain Setup (0x0)
[PART] Image with part header
[PART] name : U-Boot
[PART] addr : 41E00000h mode : -1
[PART] size : 342676
[PART] magic: 58881688h

[PART] load "lk" from 0x00000000000C0200 (dev) to 0x41E00000 (mem) [SUCCESS]
[PART] load speed: 16731KB/s, 342676 bytes, 20ms
load lk (ret=0)
[PART] Image with part header
[PART] name : atf
[PART] addr : FFFFFFFFh mode : -1
[PART] size : 57936
[PART] magic: 58881688h

[PART] load "tee1" from 0x0000000000080200 (dev) to 0x43000DC0 (mem) [SUCCESS]
[PART] load speed: 18859KB/s, 57936 bytes, 3ms
load tee1 (ret=0)
[BLDR] bldr load tee part ret=0x0, addr=0x43001000
[BLDR] boot part. not found
[BLDR] part_load_images ret=0x0
[BLDR] Others, jump to ATF

[BLDR] jump to 0x41E00000
[BLDR] <0x41E00000>=0xEA00000F
[BLDR] <0x41E00004>=0xE59FF014


U-Boot 2014.04-rc1 Version: 1.0.0.1 (Jul 21 2020 - 12:07:36)

static declaration g_total_rank_size = 0x1F000000
DRAM:  496 MiB
NAND:  Recognize SNAND: ID [e5 71 ], Device Name [FM35X1GA], Page Size [2048]B Spare Size [64]B Total Size [128]MB
[mtk_snand] probe successfully!
[BBT] BMT.v2 is found at 0x3ff
128 MiB
First booting, write default data (s_env) to flash...
[mtk_nand_erase_hw] mtk_nand_erase_hw @4249, ret:0x40. page:0x640
[mtk_nand_erase_hw] mtk_nand_erase_hw @4249, ret:0x40. page:0x6c0
In:    serial
Out:   serial
Err:   serial
Net:   mtk_eth
Uip activated

  *** U-Boot SPI NAND ***

     1. System Load Linux to SDRAM via TFTP.
     2. System Load Linux Kernel then write to Flash via TFTP.
     3. Boot master system code via Flash.
     4. Boot slave system code via Flash.
     5. System Load U-Boot then write to Flash via TFTP.
     6. System Load U-Boot then write to Flash via Serial.
     7. System Load ATF then write to Flash via TFTP.
     8. System Load Preloader then write to Flash via TFTP.
     U-Boot console


  Press UP/DOWN to move or Press 1~8 to choose, ENTER to select

NAND read: device 0 offset 0x2300000, size 0x2000
 8192 bytes read: OK
[do_read_image_blks] This is a FIT image,img_size = 0xd887a8
[do_read_image_blks] img_blks = 0x1b11
[do_read_image_blks] img_align_size = 0xd88800

NAND read: device 0 offset 0x2300000, size 0xd88800
 14190592 bytes read: OK
bootm flag=0, states=70f
## Loading kernel from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-6.1.78
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x40080024
     Data Size:    4207565 Bytes = 4 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x44000000
     Entry Point:  0x44000000
     Hash algo:    crc32
     Hash value:   708aa315
     Hash algo:    sha1
     Hash value:   859e9fca124e6f393be109dc7723a723ee6ce05e
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading ramdisk from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'initrd-1' ramdisk subimage
     Description:  ARM64 OpenWrt linksys_e8450-ubi initrd
     Type:         RAMDisk Image
     Compression:  Unknown Compression
     Data Start:   0x40483530
     Data Size:    9950260 Bytes = 9.5 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    crc32
     Hash value:   1c786ebf
     Hash algo:    sha1
     Hash value:   0a9db0709621682897d6bfd683b3a16c80251432
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt linksys_e8450-ubi device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x40e00a74
     Data Size:    31366 Bytes = 30.6 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   f623760e
     Hash algo:    sha1
     Hash value:   6248f895a5944966d695553864c7245445ef52ae
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x40e00a74
   Uncompressing Kernel Image ... LZMA: uncompress or overwrite error 1 - must RESET board to recover
resetting ...
mtk_arch_reset at pre-loader!

This is the one from printenv

MT7622> printenv
arch=arm
atf_filename=trustzone.bin
auto_recovery=yes
baudrate=115200
board=mt7622_evb
board_name=mt7622_evb
boot0=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename}; bootm
boot1=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename};run boot_wr_img
boot2=run boot_rd_img;bootm
boot3=run boot_rd_slave_img;bootm
boot4=download_setting uboot;tftpboot ${loadaddr} ${uboot_filename};run wr_uboot;invaild_env
boot5=loadb;run wr_uboot;invaild_env
boot6=download_setting atf;tftpboot ${loadaddr} ${atf_filename};run wr_atf
boot7=download_setting preloader;tftpboot ${loadaddr} ${preloader_filename};run wr_pl
boot_mfg_img=nand read ${loadaddr} 0x5A00000 2000;image_blks 2048;nand read ${loadaddr} 0x5A00000 ${img_align_size};bootm
boot_rd_ctp=nand read 0x40000000 0x1400000 3000000
boot_rd_img=nand read ${loadaddr} 0x500000 2000;image_blks 2048;nand read ${loadaddr} 0x500000 ${img_align_size}
boot_rd_slave_img=nand read ${loadaddr} 0x2300000 2000;image_blks 2048;nand read ${loadaddr} 0x2300000 ${img_align_size}
boot_wr_img=filesize_check 0x2000000;if test ${filesize_result} = good; then image_blks 131072;nand erase.spread 0x500000  ${filesize};nand erase.spread 0x2300000  ${filesize};image_blks 2048;nand write ${loadaddr} 0x500000 ${filesize};nand write ${loadaddr} 0x2300000 ${filesize};fi
boot_wr_mfg_img=filesize_check 0x2000000;if test ${filesize_result} = good; then image_blks 131072;nand erase.spread 0x5A00000  ${filesize};image_blks 2048;nand write ${loadaddr} 0x5A00000 ${filesize};fi
bootargs=console=ttyS0,115200 rootdelay=1 rootfstype=squashfs earlyprintk mtdparts=master
bootcmd=No
bootdelay=3
bootfile=lede-mediatek-mt7622-MTK-AX3200-MT7531-squashfs-sysupgrade.bin
bootmenu_0=1. System Load Linux to SDRAM via TFTP.=run boot0
bootmenu_1=2. System Load Linux Kernel then write to Flash via TFTP.=run boot1
bootmenu_2=3. Boot master system code via Flash.=run boot2
bootmenu_3=4. Boot slave system code via Flash.=run boot3
bootmenu_4=5. System Load U-Boot then write to Flash via TFTP.=run boot4
bootmenu_5=6. System Load U-Boot then write to Flash via Serial.=run boot5
bootmenu_6=7. System Load ATF then write to Flash via TFTP.=run boot6
bootmenu_7=8. System Load Preloader then write to Flash via TFTP.=run boot7
bootmenu_delay=30
cpu=armv7
ctp_filename=ctp.bin
ethact=mtk_eth
ethaddr=00:0C:E7:11:22:33
fdt_high=0x6c000000
flashimage_filename=flashimage.bin
gpt_filename=GPT_EMMC
hdr_filename=hdr.binary
invaild_env=no
ipaddr=192.168.1.1
kernel_filename=openwrt-mediatek-mt7622-linksys_e8450-ubi-initramfs-recovery.itb
loadaddr=0x4007FF28
preloader_filename=preloader_fpga7622_64_ldvt.bin
serverip=192.168.1.2
soc=mt7622
stderr=serial
stdin=serial
stdout=serial
uboot_filename=u-boot-mtk.bin
vendor=mediatek
wr_atf=filesize_check 0x20000;if test ${filesize_result} = good; then mtk_image_blks 131072;nand erase.spread 0x80000	${filesize} ;mtk_image_blks 2048;nand write ${loadaddr} 0x80000 ${filesize};fi
wr_ctp=filesize_check 0xF20000;if test ${filesize_result} = good; then nand erase.spread 0x1400000 3000000 ;nand write ${loadaddr} 0x1400000 3000000;fi
wr_flashimage=filesize_check 0x8000000;if test ${filesize_result} = good; then nand erase.chip ;nand write ${loadaddr} 0x0 8000000;fi
wr_pl=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 40000 ;nand write ${loadaddr} 0x00000 40000;fi
wr_rom_hdr=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 20000 ;nand write ${loadaddr} 0x00000 20000;fi
wr_uboot=filesize_check 0x60000;if test ${filesize_result} = good; then mtk_image_blks 131072;nand erase.spread 0xC0000  ${filesize} ;mtk_image_blks 2048;nand write ${loadaddr} 0xC0000 ${filesize};fi

Environment size: 3852/16380 bytes
MT7622>

Note: I have already recovered the router on several occasions using jtag, since it presents the ERROR: BL2: Failed to load image id 3 (-2) when it receives a power outage.

981213 · March 1, 2024, 4:26am

The binary build for Windows/Linux/MacOS of the promised utility is available on the release page:

mtk_uartboot can start a BL2 via bootrom recovery before bootrom tries anything on the flash.
With a purposely built BL2 to load FIP from serial, we can bypass the broken BL2/FIP on the flash and boot into OpenWrt.
The BL2 needs to be built with two extra arguments:

BOOT_DEVICE=ram RAM_BOOT_UART_DL=1

Here's one built with Github Action which should work on E8450:
bl2-mt7622-1ddr-ram.bin

Here's the usage:
Get the special BL2 built above, and the old FIP image:
openwrt-23.05.2-mediatek-mt7622-linksys_e8450-ubi-bl31-uboot.fip
Do not use the new UBI-layout one from snapshots for recovery on old OpenWrt install or you may damage the wifi calibration data!
(I didn't verify whether the UBI FIP would break old eeprom but let's be cautious until someone checks that.)

Close any terminal software that might be using the serial port, disconnect the power to the router, connect your serial cable to the router and launch the utility:

/mtk_uartboot -p bl2-mt7622-1ddr-ram.bin -a -f openwrt-23.05.2-mediatek-mt7622-linksys_e8450-ubi-bl31-uboot.fip

It should print this:

mtk_uartboot - 0.1.0
Using serial port: /dev/ttyUSB0
Handshake...

It automatically uses the first serial it finds, but if that's incorrect, restart the utility with -s <serial_port> argument, where <serial_port> is the name or path to your adapter. e.g. /dev/tty* on Linux, COM* on Windows, or /dev/cu.usbserial-*. (Thanks @_FailSafe !)
After the utility is launched with the correct serial port, power-on the router, and the utility should immediately start printing like this:

hw code: 0x7622
hw sub code: 0x8a00
hw ver: 0xcb00
sw ver: 0x100
Baud rate set to 460800
sending payload to 0x201000...
Checksum: 0x2f4e
Setting baudrate back to 115200
Jumping to 0x201000 in aarch64...
Waiting for BL2. Message below:
==================================
NOTICE:  BL2: v2.10.0   (release):v2.4-rc0-5845-gbacca82a8
NOTICE:  BL2: Built : 11:44:01, Jan 18 2024
NOTICE:  WDT: Cold boot
NOTICE:  CPU: MT7622
NOTICE:  WDT: disabled
NOTICE:  Starting UART download handshake ...
==================================
BL2 UART DL version: 0x10
Baudrate set to: 921600
FIP sent.
==================================
NOTICE:  Received FIP [size] @ 0x40400000 ...
==================================

and after the FIP is sent, you should be booting into your old OpenWrt install.

If it stuck at handshake or throws weird errors like Operation timed out, you can try with different USB-UART adapters. The cheap WCH CH34X works for me every time. But my fake FT232R doesn't work sometimes.

You'll need to boot the router with this utility on every reboot until you re-flashed BL2 and FIP.

The recovery procedure can be easier (with less boots over serial) if someone (maybe @daniel ) can build a u-boot FIP with special script to tftpboot the installer directly. I don't own this router so I can't help with this.

_FailSafe · March 1, 2024, 1:59pm

First of all, thank you for this! This is amazing and much needed for those of us who have found our beloved E8450/RT3200 devices unbootable for various reasons over the years.

This is typically going to be something like /dev/cu.usbserial-* on Mac. For example, my UART adapter is /dev/cu.usbserial-A50285BI. One can easily find this via ls /dev/cu.usbserial-*.

I am trying to wrap my head around this. Where does one source the new BL2 and FIP? And once booted back into the old OpenWrt install with this utility, how would one rewrite the BL2 and FIP?

Maybe I'm overthinking/overcomplicating this. Just trying to get a good handle on the whole process before diving in on my two RT3200s that need fixing.

daniel · March 1, 2024, 2:02pm

The best way imho is to be fast after mtk_uartboot finished its job and enter the U-Boot menu. Then use the bootmenu to write BL2 and FIP of the 23.05.2 release (do not use snapshot unless you have already run the v1.1.0 installer!). You have to rename the files to match with the bootloaders expectations and serve them via TFTP.

farnwomt · March 1, 2024, 2:40pm

Initially excited, then disappointed as I am stuck at "handshake" and I get no further.

Perhaps my cable? Although it seems to work fine in terms of showing me the console when I use a suitable terminal program?

Any thoughts on a good diagnostic approach to working out why I am stuck in "handshake"? Is this something I could perhaps do with a Raspberry Pi instead?

Thanks,
Michael