Custom U-Boot for TP-Link routers based on ath79 platform

Recently I upgraded the flash chip of TP-Link Archar-C6 v2.0 EU from 8MB to 16MB. Cloned old flash contents to the new 16MB flash chip using an external programmer (CH341A). Everything works fine but I'm only getting the same space as I got earlier with the 8MB rom. Science I build openwrt from the source and flashed the router and worked and I know how to modify .dtsi/.dts,mk files in-order to build custom firmware for modified ROM size, I build my own openwrt which will work with 16MB ROM. I followed this instructions for modifying those files. It compiled successfully. Then I upgraded the router using Luci-< Flash new firmware image> using newly compiled sysupgrade image which will supports 16MB ROM. Everything goes fine, router upgraded and it shows free space of >8MB in the Luci section. After that I configured my router saved settings and rebooted. And then it's stuck on boot loop. 4-5 hour of retrying and debugging I found that the U-Boot is used by this router from TP-Link and the starting offset of every partition (u-boot,mac,firmware,tplink,art) is hard coded into the U-Boot also some of definition is in the "tplink" partition. Though I modified all the offset and size information into "tplink" partition using a hex editor thinking that the TP-Link U-Boot will read the offset configurations from "tplink" partition but didn't worked!!! Then again I found that GitHub Repo but it doesn't have ath79 compiled for now. Now I want to build U-Boot Mod from this Git Repo for ath79 platform. How can I do that and replace the U-Boot with a custom one?

this is what I bookmarked for myself recently, see '6. Install new Bootloader' here

2 Likes

OK, that might be helpfull, I'm looking into it... :slightly_smiling_face:

I found that "kmod-mtd-rw" is not enabled into the openwrt kernel, I need to re-build my current 8MB openwrt firmware with "kmod-mtd-rw" support so that I can write into the mtd partitions. Also it throws "-ash: mtd_write: not found" error!!

1 Like

on my router it is just mtd, not mtd_write

is not as simple as you thought. ath79 is not relevant here, but the SoC of your device, in this case QCA9563.

it is not yet officialy supported by pepe2k, but there is a pending PR in his GH repo. you need to checkout the code, apply patch from PR (or checkout PR repo directly) then add low level support for your device (LEDs, GPIOs, buttons etc.) and finaly build image. if all goes well after flashing it your device will boot modified u-boot version.

1 Like

So, I need to entirely reverse engineer the hardware of my router to find schematics and how all the things (SoC, Switch SoC, 5GHz SoC and GPIO) connected to each other. I don't have proper equipment to do that. Also I don't have that much higher level of under standing of linux kernel source modification. I'm a nube in this field.

no exactly. take a look at one of the commits adding support for some device in his mod and you'll see what is required

btw, adding support for Archer C7, all I did was copying code from openwrt mach file. made only small adjustements after that based on some testing.

2 Likes

OK, I will look into that..:slightly_smiling_face:

1 Like

kmod-mtd-rw is used to temporarily open the kernel write protect on the "factory" partitions that should never be written in ordinary use. This is not something you'd want in a production build.

The bootloader only needs to uncompress the kernel to RAM and boot it. Every other access to flash is done by OpenWrt. The partition definitions in the dts file will over-ride whatever the bootloader has. Since the kernel is generally stored entirely in the space that existed in the original flash chip, bootloader modificiation is seldom necessary to expand the flash.

1 Like

Yes, I will not put kmod-mtd-rw of my own production build. For sake of changing the U-Boot with some other "U-Boot-Mod" or "Breed" I need to write into mtd0, that's why I need to enable kmod-mtd-rw. Although for this kind of testing if I brick my router, I already backed up raw firmware directly from flash chip using an external firmware also backed up: u-boot,mac,firmware,tplink,art partitions individually. That's why I'm finding ways to modify boot-loader (u-boot) or replace it with something else that might able to use the 16MB rom.

"The bootloader only needs to uncompress the kernel to RAM and boot it. Every other access to flash is done by OpenWrt." was informative.

Thanks.. :slightly_smiling_face:

Since you're writing your own dts file you could also leave the bootloader, etc. writeable there.

I have some older 4/32 models swapped to 16 MB flash and never needed to change the bootloader. The bootloader only thinks there is 4 MB of flash but that is enough to get the kernel booted.

1 Like

cat /proc/mtd outputs:

root@Archar-C6:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "mac"
mtd2: 007a0000 00010000 "firmware"
mtd3: 0019ef15 00010000 "kernel"
mtd4: 006010eb 00010000 "rootfs"
mtd5: 000e0000 00010000 "rootfs_data"
mtd6: 00020000 00010000 "tplink"
mtd7: 00010000 00010000 "art

In my case when the kernel booted successfully I can't use the extra 8MB space for opkg install space. Luci-Package-Manager shows 51% 475KB free space..

The partition table is still only for 8 MB. That should be set in the dts file.

1 Like

Yes, I did set 16MB in dts/dtsi files and it successfully compiles. Then I upgraded the router using the newly compiled sys-upgrade image, updated successfully. After that bad things happens, when I reboot the router it goes into boot-loop. Then I directly backed up the corrupted image from flash chip and analysed with hex-editor, I found that the art and tplink partitions are completely corrupted.

Of course you have to move the ART data to its new location at the end of the chip. If you leave it at 0x7f0000 which is right in the middle of the new chip it's going to get clobbered when the jffs is formatted.

Corrupted ART should not cause a failure to boot though, the wifi will not work but everything else should.

2 Likes

Yes, as you've said, I read somewhere that corrupted art will not cause a boot failure but wifi will not work. Also I raw backed up all the partitions when the meantime after up-gradation the router is working before reboot. Then I replaced the art, tplink partition with the non-corrupted one to the raw backed up 16MB ROM. After that I re-flashed the whole 16MB modified raw backup into the flash chip using external programmer. Same thing happened, it didn't boot.

With the 8MB Flash sizes of all partitions as follows:

u-boot:128KB
mac:64KB
firmware:7808KB
tplink:128KB
art:64KB

Total: 8MB

With the 16MB Flash sizes of all partitions as follows:

u-boot:128KB
mac:64KB
firmware:16000KB
tplink:128KB
art:64KB

Total: 16MB

1 Like