Cannot access u-boot command line interface

Hi, I own an MT7688AN router-like device with 128 MB RAM and a 16 MB NOR flash (BY25Q128AS) that I managed to install OpenWrt on (it's the Creality WiFi box). However, after a failed sysupgrade it is now in a semi-bricked state, in a constant bootloop. Over a serial connection I am able to see the u-boot banner and 5 options, option 4 being for entering the u-boot CLI, but I cannot access it no matter how fast I try to choose option 4 (I guess it's disabled by the manufacturer). It boots right into OpenWrt, but after a while it starts giving some errors, then it panics and reboots.

What options do I have to revive this?

  • I'm thinking to buy a ch341a programmer with soic 8 clip, read the chip, dump it, edit it to enable delay then write it back. After that use tftp to install a working openwrt bin file. I don't have a working full flash dump and this device is not at all documented on the internet.

  • Looking at the serial output, is there anything else I could do?

Here is part of the serial output that repeats after every reboot.
The entire log can be found here: https://pastebin.pl/view/b4b6e01c

Thank you very much!

board.c 3389:   [04040C0C]
DDR Calibration DQS reg = 00008A88
board.c 3389:   [04040D08]
DDR Calibration DQS reg = 00008A88


U-Boot 1.1.3 (Aug 14 2020 - 12:18:59)    Shenzhen Creality 3D Technology Co., Ltd

Board: Ralink APSoC DRAM:  128 MB
board.c 878:    relocate_code Pointer at: 87f50000
******************************
Software System Reset Occurred
******************************
flash manufacture id: 68, device id 40 18
find flash: BY25Q128AS
============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC 7628_MP (Port5<->None)
DRAM component: 1024 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 128 MBytes
Flash component: SPI Flash
Date:Aug 14 2020  Time:12:18:59
============================================ 
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768 
board.c 1922:
 ##### The CPU freq = 580 MHZ #### 
board.c 1934:    estimate memory size =128 Mbytes
RESET MT7628 PHY!!!!!!
Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
default: 3

You choosed 3

 0 
   
3: System Boot system code via Flash.
## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-5.4.85
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2004676 Bytes =  1.9 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

[    0.000000] Linux version 5.4.85 (jonah1024@jonah1024-GL552JX) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 unknown)) #0 Fri Jan 1 14:40:47 2021
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7688 ver:1 eco:2
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is Creality WB-01
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Writing ErrCtl register=0000800f
[    0.000000] Readback ErrCtl register=0000800f
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 122300K/131072K available (4758K kernel code, 202K rwdata, 1052K rodata, 1212K init, 197K bss, 8772K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] intc: using register map from devicetree
[    0.000000] random: get_random_bytes called from start_kernel+0x32c/0x520 with crng_init=0
[    0.000000] CPU Clock: 580MHz
[    0.000000] timer_probe: no matching timers found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000011] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015376] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[    0.059450] pid_max: default: 32768 minimum: 301
[    0.068788] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.083124] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.104797] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.124002] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[    0.137521] pinctrl core: initialized pinctrl subsystem
[    0.148909] NET: Registered protocol family 16
[    0.191160] workqueue: max_active 576 requested for napi_workq is out of range, clamping between 1 and 512
[    0.213660] clocksource: Switched to clocksource MIPS
[    0.224955] NET: Registered protocol family 2
[    0.234428] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[    0.250909] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.265990] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.279912] TCP: Hash tables configured (established 1024 bind 1024)
[    0.292612] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.305454] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.319514] NET: Registered protocol family 1
[    0.328060] PCI: CLS 0 bytes, default 32
[    0.340591] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.361888] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.373323] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.411590] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.422867] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.434071] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.445333] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    0.459023] printk: console [ttyS0] disabled
[    0.467460] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[    0.485257] printk: console [ttyS0] enabled
[    0.485257] printk: console [ttyS0] enabled
[    0.501749] printk: bootconsole [early0] disabled
[    0.501749] printk: bootconsole [early0] disabled
[    0.521757] spi-mt7621 10000b00.spi: sys_freq: 193333333
[    0.541228] spi-nor spi0.0: by25q128as (16384 Kbytes)
[    0.551358] 4 fixed-partitions partitions found on MTD device spi0.0
[    0.563944] Creating 4 MTD partitions on "spi0.0":
[    0.573445] 0x000000000000-0x000000030000 : "u-boot"
[    0.584351] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.595937] 0x000000040000-0x000000050000 : "factory"
[    0.607035] 0x000000050000-0x000001000000 : "firmware"
[    0.621839] 2 uimage-fw partitions found on MTD device firmware
[    0.633595] Creating 2 MTD partitions on "firmware":
[    0.643446] 0x000000000000-0x0000001e9704 : "kernel"
[    0.654404] 0x0000001e9704-0x000000fb0000 : "rootfs"
[    0.665246] mtd: device 5 (rootfs) set to be root filesystem
[    0.678404] 1 squashfs-split partitions found on MTD device rootfs
[    0.690721] 0x000000e10000-0x000000fb0000 : "rootfs_data"
[    0.703310] libphy: Fixed MDIO Bus: probed
[    0.723018] rt3050-esw 10110000.esw: link changed 0x00
[    0.735304] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    0.753717] NET: Registered protocol family 10
[    0.766773] Segment Routing with IPv6
[    0.774251] NET: Registered protocol family 17
[    0.783135] 8021q: 802.1Q VLAN Support v1.8
[    0.796615] unable to read id index table
[    0.805105] Flash size not aligned to erasesize, reducing to 14080KiB
[    0.818394] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000000: 0x7368 instead
[    0.837214] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000004: 0x0a41 instead
[    0.855997] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000008: 0x346f instead
[    0.874779] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x0057 instead
[    0.893559] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000014: 0x0004 instead
[    0.912341] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000018: 0x04c0 instead
[    0.931122] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0000001c: 0x0004 instead
[    0.949902] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000020: 0x0f27 instead
[    0.968684] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000028: 0xa0e8 instead
[    0.987463] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000030: 0xa0e0 instead
[    1.006237] jffs2: Further such events for this erase block will not be printed
[    1.024544] jffs2: Empty flash at 0x00000038 ends at 0x00000040
[    1.068493] jffs2: Old JFFS2 bitmask found at 0x00008bb4
[    1.079012] jffs2: You cannot use older JFFS2 filesystems with newer kernels
[    1.121431] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010000: 0xc660 instead
[    1.140222] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010004: 0x736b instead
[    1.159002] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010008: 0x2ccd instead
[    1.177781] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0001000c: 0x2ea0 instead
[    1.196560] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010010: 0xbfb6 instead
[    1.215341] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010014: 0x48cc instead
[    1.234126] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010018: 0x1cf8 instead
[    1.252906] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x0001001c: 0x254f instead
[    1.271686] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010020: 0xb52c instead
[    1.290467] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00010024: 0x1f77 instead
[    1.309240] jffs2: Further such events for this erase block will not be printed
...................................................[similar lines repeating]......................................................................
[   58.815377] jffs2: Further such events for this erase block will not be printed
[   58.848421] jffs2: CLEANMARKER node found at 0x00da68fc, not first node in block (0x00da0000)
[   58.897463] jffs2: Node at 0x00dafb70 with length 0x00000586 would run over the end of the erase block
[   58.915902] jffs2: Perhaps the file system was created with the wrong erase size?
[   58.931126] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0000: 0x431c instead
[   58.949919] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0004: 0x4c0f instead
[   58.968700] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0008: 0xd60a instead
[   58.987479] jffs2: jffs2_scan_eraseblock(): Magic bitinstead
[   59.025039] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0014: 0xf7f3 instead
[   59.043820] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0018: 0xe3be instead
[   59.062601] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db001c: 0x7911 instead
[   59.081380] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0020: 0xc081 instead
[   59.100161] jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00db0024: 0xe3e5 instead
[   59.118937] jffs2: Further such events for this erase block will not be printed
[   59.155644] jffs2: CLEANMARKER node found at 0x00db68fc, not first node in block (0x00db0000)
[   59.207984] jffs2: notice: (1) jffs2_build_xattr_subsystem: complete building xattr subsystem, 24 of xdatum (0 unchecked, 4 orphan) and 33 of xref (3 dead, 4 orphan) found.
[   59.238935] VFS: Mounted root (jffs2 filesystem) readonly on device 31:5.
[   59.259348] Freeing unused kernel memory: 1212K
[   59.268343] This architecture does not have kernel memory protection.
[   59.281097] Run /sbin/init as init process
[   59.289262] Run /etc/init as init process
[   59.297244] Run /bin/init as init process
[   59.305216] Run /bin/sh as init process
[   59.312838] Kernel panic - not syncing: No working init found.  Try passing init= option to kernel. See Linux Documentation/admin-guide/init.rst for guidance.
[   59.340895] Rebooting in 1 seconds..

What is the model number or device given?

All u-boot bootloaders have a fail-safe recovery mode. Find the reset button on the router, turn it off, then back on while holding down the reset button, and watch this in the serial console.

Can you not ask the original seller for the firmware?

You will need a spi programmer to grab the current flash contents to keep the factory and uboot, as these are important.

Then you can hexedit this image and change the bootdelay and enable serial interaction.
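An added example, not part of the thread or any poster's code: one way to split a full-chip read into the partitions listed in the kernel log above, so that u-boot, u-boot-env and factory can be hashed and archived before anything is edited or rewritten. The function names are hypothetical, the offsets are taken from the log, the header layout is the legacy uImage format, and the sample dump is constructed in memory rather than read from a real chip.

```python
import hashlib
import struct
import zlib

# Partition layout copied from the kernel log ("Creating 4 MTD partitions").
LAYOUT = [
    ("u-boot",     0x000000, 0x030000),
    ("u-boot-env", 0x030000, 0x040000),
    ("factory",    0x040000, 0x050000),
    ("firmware",   0x050000, 0x1000000),
]
FLASH_SIZE = 0x1000000      # 16384 Kbytes, as reported by spi-nor in the log
UIMAGE_MAGIC = 0x27051956   # legacy U-Boot image header magic

def carve(dump: bytes) -> dict:
    """Split a full-chip dump into the partitions named in LAYOUT."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump):#x} bytes, expected {FLASH_SIZE:#x}")
    return {name: dump[start:end] for name, start, end in LAYOUT}

def parse_uimage(header: bytes) -> dict:
    """Decode the 64-byte legacy uImage header and verify its CRC."""
    (magic, hcrc, _time, size, load, entry, _dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(">7I4B32s", header[:64])
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad uImage magic {magic:#010x}")
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = header[:4] + b"\x00" * 4 + header[8:64]
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "header_crc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc,
    }

def make_sample_dump() -> bytes:
    """Constructed stand-in for a real read: erased flash plus one uImage header."""
    name = b"MIPS OpenWrt Linux-5.4.85".ljust(32, b"\x00")
    fields = (UIMAGE_MAGIC, 0, 0, 2004676, 0x80000000, 0x80000000, 0, 5, 5, 2, 3)
    hdr = struct.pack(">7I4B32s", *fields, name)
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[8:]
    dump = bytearray(b"\xff" * FLASH_SIZE)
    dump[0x50000:0x50000 + 64] = hdr
    return bytes(dump)

if __name__ == "__main__":
    parts = carve(make_sample_dump())
    for name, blob in parts.items():
        print(f"{name:11s} {len(blob):#9x} sha256={hashlib.sha256(blob).hexdigest()[:16]}")
    print(parse_uimage(parts["firmware"]))
```

Reading the chip twice and comparing the per-partition hashes from both reads is a cheap way to catch a bad clip contact before relying on the backup.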

I did as you told me: hold the reset button while booting, and it started to count down. Still I was not able to choose option 4, but instead of booting to flash it defaulted to an option 5, which was looking for a root_uImage on USB storage.

I renamed a previous working firmware image to root_uImage -> put it on a flash storage -> insert it -> BOOM it started to erase the flash and copy the new image.

Man... you're a GENIUS. Why didn't I try that? I feel so stupid now.

Thanks a lot!!!

It might be worth it to check if Hardware Flow Control is on. I've had a few devices where U-boot wouldn't respond to commands over serial until I turned that off. So certainly worth checking next time you need serial.

I disabled that as well and still no feedback. I was able to enter failsafe though. But this happens after Linux booted so I guess the u-boot is somehow locked to receive input?
I guess the only way left is to edit the hex flash dump if I really want u-boot access?
Thanks!
