Not 0x8600 but 0x... as you see.
Okay, I'll try, but how do I search for the dts, firmware and config with binwalk?
-e -M
Then get the flat dts from the file offset (dd bs=1 skip=1234 count=65536 of=my.dtb)
then here
I'll try again to log in as root, with the archive as a reference (https://forum.archive.openwrt.org/viewtopic.php?id=69560), and the result is quite similar
Starting kernel ...
[ 0.000000] Linux version 3.3.8 (root@kvm.abloomy.com.cn) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 Mon Feb 21 05:14:23 CST 2022
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[ 0.000000] SoC: Qualcomm Atheros QCA956X rev 0
[ 0.000000] Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone PFN ranges:
[ 0.000000] Normal 0x00000000 -> 0x00008000
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] Early memory PFN ranges
[ 0.000000] 0: 0x00000000 -> 0x00008000
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32512
[ 0.000000] Kernel command line: board=AP152 console=ttyS0,115200 mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env),1472k(kernel),11968k(rootfs),1920K(data),640k(nvram),64k(art),13440k@0x50000(firmware) rootfstype=squashfs,jffs2 noinitrd crashkernel=10M@20M oops=panic
[ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 126128k/131072k available (2304k kernel code, 4944k reserved, 629k data, 224k init, 0k highmem)
[ 0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:83
[ 0.000000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.060000] pid_max: default: 32768 minimum: 301
[ 0.060000] Mount-cache hash table entries: 512
[ 0.070000] NET: Registered protocol family 16
[ 0.070000] gpiochip_add: registered GPIOs 0 to 22 on device: ath79
[ 0.080000] MIPS: machine is Qualcomm Atheros AP152 reference board
[ 0.080000]
[ 0.080000] WLAN firmware dump buffer allocation of 2097152 bytes @ address 0x87a00000- SUCCESS !!!
[ 0.090000] registering PCI controller with io_map_base unset
[ 0.090000] ath79_init_eth_pdata:842 ath79_soc 16
[ 0.300000] bio: create slab <bio-0> at 0
[ 0.310000] PCI host bridge to bus 0000:00
[ 0.310000] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[ 0.320000] pci_bus 0000:00: root bus resource [io 0x0001]
[ 0.320000] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[ 0.330000] pci 0000:00:00.0: using irq 40 for pin 1
[ 0.330000] Switching to clocksource MIPS
[ 0.340000] NET: Registered protocol family 2
[ 0.340000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.340000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[ 0.350000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.350000] TCP: Hash tables configured (established 4096 bind 4096)
[ 0.360000] TCP reno registered
[ 0.360000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.370000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.370000] NET: Registered protocol family 1
[ 0.390000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.390000] JFFS2 version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.400000] msgmni has been set to 246
[ 0.410000] io scheduler noop registered
[ 0.410000] io scheduler deadline registered (default)
[ 0.420000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 0.450000] console [ttyS0] enabled, bootconsole disabled
[ 0.450000] console [ttyS0] enabled, bootconsole disabled
[ 0.460000] m25p80 spi0.0: found mx25l51245g, expected m25p80
[ 0.470000] m25p80 spi0.0: mx25l51245g (16384 Kbytes)
[ 0.470000] 8 cmdlinepart partitions found on MTD device spi0.0
[ 0.480000] Creating 8 MTD partitions on "spi0.0":
[ 0.490000] 0x000000000000-0x000000040000 : "u-boot"
[ 0.490000] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.500000] 0x000000050000-0x0000001c0000 : "kernel"
[ 0.500000] 0x0000001c0000-0x000000d70000 : "rootfs"
[ 0.510000] mtd: partition "rootfs" set to be root filesystem
[ 0.520000] mtd: partition "rootfs_data" created automatically, ofs=C70000, len=100000
[ 0.530000] 0x000000c70000-0x000000d70000 : "rootfs_data"
[ 0.530000] 0x000000d70000-0x000000f50000 : "data"
[ 0.540000] 0x000000f50000-0x000000ff0000 : "nvram"
[ 0.540000] 0x000000ff0000-0x000001000000 : "art"
[ 0.550000] 0x000000050000-0x000000d70000 : "firmware"
[ 0.570000] ag71xx_mdio: probed
[ 0.570000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[ 1.130000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8033 PHY]
[ 1.140000] TCP cubic registered
[ 1.140000] NET: Registered protocol family 17
[ 1.150000] Bridge firewalling registered
[ 1.150000] 8021q: 802.1Q VLAN Support v1.8
[ 1.150000] ### of_selftest(): No testcase data in device tree; not running tests
[ 1.170000] VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
[ 1.180000] Freeing unused kernel memory: 224k freed
- preinit -
Press the [f] key and hit [enter] to enter failsafe mode
f
- failsafe -
[ 5.130000] eth0: link up (100Mbps/Full duplex)
BusyBox v1.19.4 (2021-12-24 03:53:36 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
MM NM MMMMMMM M M
$MMMMM MMMMM MMMMMMMMMMM MMM MMM
MMMMMMMM MM MMMMM. MMMMM:MMMMMM: MMMM MMMMM
MMMM= MMMMMM MMM MMMM MMMMM MMMM MMMMMM MMMM MMMMM'
MMMM= MMMMM MMMM MM MMMMM MMMM MMMM MMMMNMMMMM
MMMM= MMMM MMMMM MMMMM MMMM MMMM MMMMMMMM
MMMM= MMMM MMMMMM MMMMM MMMM MMMM MMMMMMMMM
MMMM= MMMM MMMMM, NMMMMMMMM MMMM MMMM MMMMMMMMMMM
MMMM= MMMM MMMMMM MMMMMMMM MMMM MMMM MMMM MMMMMM
MMMM= MMMM MM MMMM MMMM MMMM MMMM MMMM MMMM
MMMM$ ,MMMMM MMMMM MMMM MMM MMMM MMMMM MMMM MMMM
MMMMMMM: MMMMMMM M MMMMMMMMMMMM MMMMMMM MMMMMMM
MMMMMM MMMMN M MMMMMMMMM MMMM MMMM
MMMM M MMMMMMM M M
M
---------------------------------------------------------------
For those about to rock... (QCA9558.LN, r482)
---------------------------------------------------------------
root@(none):/# help
Built-in commands:
------------------
. : [ [[ alias bg break cd chdir command continue echo eval exec
exit export false fg getopts hash help jobs kill let local printf
pwd read readonly return set shift source test times trap true
type ulimit umask unalias unset wait
root@(none):/# ls /etc
TZ hotplug2-common.rules preinit
acfg_common.conf hotplug2-init.rules profile
ath hotplug2.rules protocols
banner init.d rc.common
config inittab rc.d
crontabs iproute2 rc.local
defconfig lighttpd resolv.conf
diag.sh modules-boot.d services
dnsmasq.conf modules.d shadow
dropbear mtab shells
fstab openwrt_release sysctl.conf
functions.sh openwrt_version sysupgrade.conf
group opkg.conf uci-defaults
hosts passwd udhcpc.script
hotplug.d ppp upgrade_orig.patch
root@(none):/# ls /sys/devices/platform
ag71xx-mdio.0 ath79-spi gpio-keys-polled uevent
ag71xx.0 ath79-wdt qca956x_wmac
alarmtimer ehci-platform.0 serial8250
ar724x-pci.0 ehci-platform.1 serial8250.0
root@(none):/# ls /etc/defconfig
wndr3700
root@(none):/# ls /etc/uci-defaults
30_uboot-envtools migrate-shadow vlan-migration
gpio-button-hotplug migrate-sysctl wrt160nl
inittab-console-fixup network
leds sound
I am stuck again and have a headache now, here it is 03.03 in the morning
Take a day off
We are not in a rush
I think I want to close this project because my UART serial shorted and sent 5V over TX and RX, causing the router to short too. I will buy it again later with a different model (WP838i, WP8722, C100 a.k.a. Mojo Networks C100).
I am very grateful to those of you who have helped me, sorry if it was a bother, and sorry if it took up your free time.
Thanks guys 😁
I have one of these routers too, bro.. how is the progress?
reread the 1st half of the 1st sentence, understand the 1st half of the 1st sentence ?
I just want to know the progress.
how far do you think Rioalfrz got after they fried their device 9 mo ago ?
I'm sorry, I give up with that. Now I'm using the WP8333 / Mojo C100 with the stock firmware
Are you from Indonesia?
Hello, I have tried porting, with some findings:
- Its built-in RJ45 console does UART just fine, but when powered via PoE it is scrambled during U-Boot. It normalizes in Linux.
- Despite the FCC (not really FCC?) doc, it uses QCA9888 instead of QCA9885 (or 988x) for WiFi:
[ 25.990000] wifi1: Selecting board data file name boardData_2_0_QCA9888_5G_YA841.bin
[ 69.940000] bin_filename=QCA9888/hw.2/athwlan.bin swap_filename=/lib/firmware/QCA9888/hw.2/athwlan.codeswap.bin
[ 69.950000] ol_transfer_bin_file: Downloading firmware file: QCA9888/hw.2/athwlan.bin
[ 70.000000
- Its PHY is AR8033; the FCC doc and the firmware confirm this, so this thing is not a cousin of Yuncore, it should be more similar to the UniFi AP AC
Now my problems are:
- I am setting the PHY on 0.0 while it should be 0.4; the bootlog tells this, UniFi uses this, and there is also specific pll-data for their family. Silly me, I know (too focused on Yuncore). To make it worse I use 988x (I blame the doc for this), and I am not bringing kmod-usb
- OpenWrt 25.12 boots just fine
- but I am getting locked from all sides
My question:
Asking Gemini, U-Boot flashing should be:
# 1. Transfer the file to RAM (0x81000000 is a safe spot in DDR)
tftp 0x81000000 fw.bin
# 2. Erase the firmware partition
# We start at 0x9f050000 and erase the length of the file we just downloaded
erase 0x9f050000 +$filesize
# 3. Copy from RAM to Flash
cp.b 0x81000000 0x9f050000 $filesize
# 4. Boot it
bootm 0x9f050000
Is this correct?
The firmware is indeed at 0x000000050000-0x000000d70000 : "firmware"
But are the other commands correct, like 0x9f << this identifier
because some guides were using 0xbf
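An added example, not part of any post in this thread: it parses the stock `mtdparts=` string from the boot log above, derives the U-Boot addresses for a partition, and reports which other partitions an `erase <addr> +$filesize` would run into. Assumptions: ath79-family SoCs map SPI NOR at physical 0x1f000000, so 0x9f... (KSEG0, cached) and 0xbf... (KSEG1, uncached) name the same flash bytes; the 64 KiB erase block and all function names are illustrative.

```python
import re

# Constructed from the stock kernel command line quoted earlier in this thread.
MTDPARTS = ("spi0.0:256k(u-boot)ro,64k(u-boot-env),1472k(kernel),11968k(rootfs),"
            "1920K(data),640k(nvram),64k(art),13440k@0x50000(firmware)")

FLASH_PHYS_BASE = 0x1F000000  # assumption: ath79 SPI NOR physical base
KSEG0 = 0x80000000  # cached window onto physical 0x00000000-0x1fffffff
KSEG1 = 0xA0000000  # uncached window onto the same physical range

_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
_PART = re.compile(r"^(\d+)([kKmM]?)(?:@(0x[0-9a-fA-F]+|\d+))?\(([^)]+)\)(ro)?$")


def parse_mtdparts(spec):
    """Return (device, [(name, offset, size, readonly)]).

    A partition without @offset starts where the previous one ended.
    The "-" (rest of flash) size form is not handled and raises ValueError.
    """
    device, _, body = spec.partition(":")
    parts, cursor = [], 0
    for item in body.split(","):
        m = _PART.match(item.strip())
        if not m:
            raise ValueError(f"unparseable partition: {item!r}")
        size = int(m.group(1)) * _UNITS[m.group(2).lower()]
        offset = int(m.group(3), 0) if m.group(3) else cursor
        parts.append((m.group(4), offset, size, bool(m.group(5))))
        cursor = offset + size
    return device, parts


def uboot_addresses(offset):
    """(KSEG0, KSEG1) virtual addresses U-Boot can use for a flash offset."""
    phys_addr = FLASH_PHYS_BASE + offset
    return KSEG0 + phys_addr, KSEG1 + phys_addr


def phys(addr):
    """Strip the KSEG0/KSEG1 segment bits to get the physical address."""
    return addr & 0x1FFFFFFF


def erase_span(offset, image_size, erase_block=0x10000):
    """Flash range actually cleared: rounded up to whole erase blocks."""
    end = offset + image_size
    end = (end + erase_block - 1) // erase_block * erase_block
    return offset, end


def partitions_hit(parts, target, image_size):
    """Names of partitions outside `target` that the erase would touch."""
    by_name = {name: (off, off + size) for name, off, size, _ in parts}
    t_start, t_end = by_name[target]
    start, end = erase_span(t_start, image_size)
    return [name for name, (p_start, p_end) in by_name.items()
            if p_start < end and start < p_end                 # overlaps erase range
            and not (t_start <= p_start and p_end <= t_end)]   # not nested in target


if __name__ == "__main__":
    _, parts = parse_mtdparts(MTDPARTS)
    for name, off, size, ro in parts:
        k0, k1 = uboot_addresses(off)
        print(f"{name:11s} 0x{off:08x}-0x{off + size:08x} "
              f"kseg0=0x{k0:08x} kseg1=0x{k1:08x}{' ro' if ro else ''}")
    print("0xE00000-byte image at 'firmware' also erases:",
          partitions_hit(parts, "firmware", 0xE00000))
```

The computed offsets match the "Creating 8 MTD partitions" table in the stock boot log, and the overlap check is worth running before any erase because "art" holds the per-device radio calibration.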
Finally managed to boot, with Ethernet and WiFi working, on 25.12 by cherry-picking dts.
Starting kernel ...
[ 0.000000] Linux version 6.12.67 () (mips-openwrt-linux-musl-gcc (OpenWrt GCC 14.3.0 r32527-b1dc2736db) 14.3.0, GNU ld (GNU Binutils) 2.44) #0 Tue Jan 27 23:25:41 2026
[ 0.000000] printk: legacy bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[ 0.000000] MIPS: machine is Liteon WP8722-BT
[ 0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32768
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] RCU Tasks Trace: Setting shift to 0 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1.
[ 0.000000] NR_IRQS: 51
[ 0.000000] CPU clock: 775.000 MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[ 0.000001] sched_clock: 32 bits at 388MHz, resolution 2ns, wraps every 5541893118ns
[ 0.008261] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.074781] pid_max: default: 32768 minimum: 301
[ 0.088878] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.096613] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.113941] Memory: 118788K/131072K available (6793K kernel code, 601K rwdata, 1532K rodata, 1240K init, 229K bss, 11736K reserved, 0K cma-reserved)
[ 0.132162] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.142594] futex hash table entries: 256 (order: 0, 3072 bytes, linear)
[ 0.156220] pinctrl core: initialized pinctrl subsystem
[ 0.165011] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.185681] clocksource: Switched to clocksource MIPS
[ 0.201453] NET: Registered PF_INET protocol family
[ 0.206867] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.215255] tcp_listen_portaddr_hash hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.224252] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.233437] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.241559] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.249035] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.256404] MPTCP token hash table entries: 512 (order: 1, 6144 bytes, linear)
[ 0.264261] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.271223] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.279334] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.285380] PCI: CLS 0 bytes, default 32
[ 0.293314] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.301834] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.308034] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.324810] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[ 0.336641] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.344417] printk: legacy console [ttyS0] disabled
[ 0.350253] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 11, base_baud = 1562500) is a 16550A
[ 0.359521] printk: legacy console [ttyS0] enabled
[ 0.359521] printk: legacy console [ttyS0] enabled
[ 0.369918] printk: legacy bootconsole [early0] disabled
[ 0.369918] printk: legacy bootconsole [early0] disabled
[ 0.392131] 4 fixed-partitions partitions found on MTD device spi0.0
[ 0.399065] Creating 4 MTD partitions on "spi0.0":
[ 0.404036] 0x000000000000-0x000000040000 : "u-boot"
[ 0.411597] 0x000000040000-0x000000050000 : "u-boot-env"
[ 0.418575] 0x000000050000-0x000000ff0000 : "firmware"
[ 0.425488] 2 uimage-fw partitions found on MTD device firmware
[ 0.431705] Creating 2 MTD partitions on "firmware":
[ 0.436859] 0x000000000000-0x0000002b0000 : "kernel"
[ 0.443333] 0x0000002b0000-0x000000fa0000 : "rootfs"
[ 0.449801] mtd: setting mtd4 (rootfs) as root device
[ 0.455114] 1 squashfs-split partitions found on MTD device rootfs
[ 0.461557] 0x0000007a0000-0x000000fa0000 : "rootfs_data"
[ 0.468522] 0x000000ff0000-0x000001000000 : "art"
[ 1.196468] ag71xx-legacy 19000000.eth: connected to PHY at mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8031/AR8033]
[ 1.208732] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: sgmii
[ 1.215636] i2c_dev: i2c /dev entries driver
[ 1.222176] NET: Registered PF_INET6 protocol family
[ 1.232908] Segment Routing with IPv6
[ 1.236863] In-situ OAM (IOAM) with IPv6
[ 1.241046] NET: Registered PF_PACKET protocol family
[ 1.246353] 8021q: 802.1Q VLAN Support v1.8
[ 1.268741] PCI host bridge to bus 0000:00
[ 1.272994] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[ 1.280155] pci_bus 0000:00: root bus resource [io 0x0000]
[ 1.285921] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 1.294171] pci 0000:00:00.0: [168c:0056] type 00 class 0x028000 PCIe Endpoint
[ 1.301684] pci 0000:00:00.0: BAR 0 [mem 0x00000000-0x001fffff 64bit]
[ 1.308500] pci 0000:00:00.0: PME# supported from D0 D3hot
[ 1.315139] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
[ 1.322056] pci 0000:00:00.0: BAR 0 [mem 0x12000000-0x121fffff 64bit]: assigned
[ 1.337375] clk: Disabling unused clocks
[ 1.349063] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[ 1.363117] Freeing unused kernel image (initmem) memory: 1240K
[ 1.369278] This architecture does not have kernel memory protection.
[ 1.375953] Run /sbin/init as init process
[ 2.151108] init: Console is alive
[ 2.155016] init: - watchdog -
[ 4.007369] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 4.071055] usbcore: registered new interface driver usbfs
[ 4.076964] usbcore: registered new interface driver hub
[ 4.082552] usbcore: registered new device driver usb
[ 4.107992] gpio_button_hotplug: loading out-of-tree module taints kernel.
[ 4.131771] SCSI subsystem initialized
[ 4.168722] usbcore: registered new interface driver usb-storage
[ 4.175941] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 4.193973] init: - preinit -
[ 7.865710] random: crng init done
Cannot parse config file '/etc/fw_env.config': No such file or directory
Failed to find NVMEM device
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 12.907621] eth0: link up (1000Mbps/Full duplex)
rm: can't remove '/tmp/tmp.LMBdki': No such file or directory
[ 13.063553] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[ 13.074797] urandom-seed: Seed file not found (/etc/urandom.seed)
[ 13.206707] eth0: link down
[ 13.224314] procd: - early -
[ 13.227740] procd: - watchdog -
[ 13.922996] procd: - watchdog -
[ 13.964432] procd: - ubus -
[ 14.125965] procd: - init -
Please press Enter to activate this console.
[ 15.462168] kmodloader: loading kernel modules from /etc/modules.d/*
[ 16.832588] Loading modules backported from Linux version v6.18.7-0-g5dfbc5357
[ 16.840119] Backport generated by backports.git c8a37ce
[ 17.157650] urngd: v1.0.2 started.
[ 17.469021] PPP generic driver version 2.4.2
[ 17.496946] NET: Registered PF_PPPOX protocol family
[ 17.599665] ath10k 6.15 driver, optimized for CT firmware, probing pci device: 0x56.
[ 17.646836] ath10k_pci 0000:00:00.0: enabling device (0000 -> 0002)
[ 17.653652] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[ 21.005049] ath10k_pci 0000:00:00.0: qca9888 hw2.0 target 0x01000000 chip_id 0x00000000 sub 0000:0000
[ 21.014655] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[ 21.029761] ath10k_pci 0000:00:00.0: firmware ver 10.4-3.9.0.2-00157 api 5 features no-p2p,mfp,peer-flow-ctrl,allows-mesh-bcast,no-ps,iram-recovery crc32 812c4602
[ 21.365770] ath10k_pci 0000:00:00.0: board_file api 2 bmi_id 0:25 crc32 5968d47d
[ 23.260887] ath10k_pci 0000:00:00.0: 10.4 wmi init: vdevs: 16 peers: 528 tid: 102
[ 23.268883] ath10k_pci 0000:00:00.0: msdu-desc: 2500 skid: 32
[ 23.328409] ath10k_pci 0000:00:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal pre-cal-nvmem max-sta 512 raw 0 hwcrypto 1
[ 23.514660] ieee80211 phy1: Atheros AR9561 Rev:0 mem=0x695c2bd9, irq=2
[ 23.556163] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 46.801762] br-lan: port 1(eth0) entered blocking state
[ 46.807238] br-lan: port 1(eth0) entered disabled state
[ 46.812674] ag71xx-legacy 19000000.eth eth0: entered allmulticast mode
[ 46.819709] ag71xx-legacy 19000000.eth eth0: entered promiscuous mode
[ 49.947709] eth0: link up (1000Mbps/Full duplex)
[ 49.952561] br-lan: port 1(eth0) entered blocking state
[ 49.958019] br-lan: port 1(eth0) entered forwarding state
[ 50.986299] eth0: link down
[ 50.989546] br-lan: port 1(eth0) entered disabled state
[ 52.029474] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 52.065953] jffs2_build_filesystem(): unlocking the mtd device...
[ 52.066005] done.
[ 52.074376] jffs2_build_filesystem(): erasing all blocks after the end marker...
[ 53.067701] eth0: link up (1000Mbps/Full duplex)
[ 53.080325] br-lan: port 1(eth0) entered blocking state
[ 53.085760] br-lan: port 1(eth0) entered forwarding state
[ 82.897714] done.
[ 82.899741] jffs2: notice: (2349) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 83.062126] overlayfs: upper fs does not support tmpfile.
BusyBox v1.37.0 (2026-01-27 23:25:41 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 25.12-SNAPSHOT, r32527-b1dc2736db
-----------------------------------------------------
I know it's better to use its original device tree, but
I still can't extract the original dts/dtb.
This is my binwalk output for the mtd7 firmware:
DECIMAL HEXADECIMAL DESCRIPTION
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 0x0 uImage firmware image, header size: 64 bytes, data size: 1094421 bytes, compression: lzma, CPU: MIPS32, OS: Linux,
image type: Multi-File Image, load address: 0x80060000, entry point: 0x80060000, creation time: 2022-02-20 21:15:44,
image name: "MIPS OpenWrt 182 Linux-3.3.8"
1507328 0x170000 SquashFS file system, little endian, version: 4.0, compression: xz, inode count: 1206, block size: 262144, image size:
11152660 bytes, created: 2022-02-20 21:15:28
12713984 0xC20000 JFFS2 filesystem, big endian, nodes: 2887, total size: 983052 bytes
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
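An added example, not from any post in this thread: a scanner for flattened device trees that goes beyond matching the `d0 0d fe ed` magic by validating the header, so a carve uses the blob's own `totalsize` instead of a guessed `count=65536` as in the dd step near the top of the thread. Assumptions: the input is already decompressed data (the magic is not visible inside the LZMA payload binwalk reports), only version 17 headers are accepted, and the sample blob and function names are constructed for illustration.

```python
import struct

FDT_MAGIC = b"\xd0\x0d\xfe\xed"
FDT_BEGIN_NODE, FDT_END_NODE, FDT_END = 1, 2, 9
HEADER = struct.Struct(">10I")  # v17 header: ten big-endian 32-bit fields


def check_fdt(blob, pos):
    """Return totalsize if a plausible flattened device tree starts at pos, else None."""
    if pos + HEADER.size > len(blob):
        return None
    (magic, totalsize, off_struct, off_strings, off_rsvmap, version,
     last_comp, _cpuid, size_strings, size_struct) = HEADER.unpack_from(blob, pos)
    if magic != 0xD00DFEED or not HEADER.size <= totalsize <= len(blob) - pos:
        return None  # bare magic, or the blob would run past the end of the data
    if version < 17 or last_comp > 17:
        return None
    if off_rsvmap % 8 or off_rsvmap >= totalsize:
        return None
    if off_struct % 4 or size_struct % 4 or size_struct < 8:
        return None
    if off_struct + size_struct > totalsize or off_strings + size_strings > totalsize:
        return None
    # The structure block must open with a node and close with the end token.
    first, = struct.unpack_from(">I", blob, pos + off_struct)
    last, = struct.unpack_from(">I", blob, pos + off_struct + size_struct - 4)
    return totalsize if (first, last) == (FDT_BEGIN_NODE, FDT_END) else None


def find_fdts(blob):
    """Return [(offset, totalsize)] for every validated device tree in blob."""
    hits, pos = [], blob.find(FDT_MAGIC)
    while pos != -1:
        size = check_fdt(blob, pos)
        if size:
            hits.append((pos, size))
        pos = blob.find(FDT_MAGIC, pos + (size or 1))
    return hits


def carve(blob, pos, size):
    """Equivalent of dd bs=1 skip=pos count=size, with size taken from the header."""
    return blob[pos:pos + size]


def sample_dtb():
    """Constructed sample: smallest valid v17 tree (one empty root node)."""
    rsvmap = bytes(16)  # empty reservation map: a single all-zero terminator entry
    struct_block = struct.pack(">4I", FDT_BEGIN_NODE, 0, FDT_END_NODE, FDT_END)
    off_struct = HEADER.size + len(rsvmap)
    total = off_struct + len(struct_block)
    header = HEADER.pack(0xD00DFEED, total, off_struct, total, HEADER.size,
                         17, 16, 0, 0, len(struct_block))
    return header + rsvmap + struct_block


# Constructed input: padding, a bare magic that is not a real header, then a real tree.
SAMPLE = bytes(100) + FDT_MAGIC + b"\xff" * 60 + sample_dtb() + bytes(32)

if __name__ == "__main__":
    for offset, size in find_fdts(SAMPLE):
        print(f"FDT at 0x{offset:x}, {size} bytes")
```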
Same here, cannot extract dts/dtb.
I gave up hunting for the DTS; it seems it is either weirdly smashed into the kernel or in code, and I am too noob to continue with Ghidra (maybe loading the Attitude Adjustment .ko does something)
But my testing with my port seems stable so far
- mostly follows UniFi AC: cal, pre-cal, PLL.
- SGMII is to 0.4
- AP is QCA-9888 (I am using non-ct, but you can test with ct, it seems just fine)
- there is only one LED GPIO that can be toggled, it's blue: GPIO2. The power LED is hardwired so it constantly shows a red LED. This is also why it's purple in the default firmware when wlan triggers (blue+red=purple)
- WPS and reset are GPIO1, but careful, this is shared with console/UART. I didn't use it in the new dts, as UART is still the winner for me
Source:
For the LED there is a script in the extracted rootfs:
~/src/WP8722-bt/extractions/original_firmware.bin.extracted/170000 ❯ rg gpio
squashfs-root/sbin/led_init
3:echo 0 > /sys/class/gpio/export
4:echo 2 > /sys/class/gpio/export
5:echo 3 > /sys/class/gpio/export
6:echo out > /sys/class/gpio/gpio0/direction
7:echo out > /sys/class/gpio/gpio2/direction
8:echo out > /sys/class/gpio/gpio3/direction
9:echo 0 > /sys/class/gpio/gpio0/value
10:echo 0 > /sys/class/gpio/gpio2/value
11:echo 0 > /sys/class/gpio/gpio3/value
16: echo 1 > /sys/class/gpio/gpio3/value
18: echo 0 > /sys/class/gpio/gpio3/value
21: echo 0 > /sys/class/gpio/gpio3/value
For WPS, in the default firmware, while pressed:
root@(none):/# mount -t debugfs none /sys/kernel/debug
root@(none):/# grep "wps" /sys/kernel/debug/gpio
root@(none):/# cat /sys/kernel/debug/
bdi/ gpio mips/
root@(none):/# cat /sys/kernel/debug/gpio
GPIOs 0-22, ath79:
gpio-1 (WPS button ) in hi
root@(none):/#
I am preparing for a PR.
One thing that I still need to check:
There is a factory web UI at http://172.16.100.1:9000/
if you can connect to the SSID.
In the web UI there is a firmware upgrade page.
I am still testing whether we can reset the router and access the page using the default password,
removing the need for serial.