Dynalink DL-WRX36 Askey RT5010W IPQ8072A technical discussion

Sorry, never saw your post.

Okay, so I'm aware of a few interesting options for alternative boot methods... there's the RavPower WD009, the Belkin RT3200, and now this Xiaomi router.

I'll have to explore the exact method by which these work... which means I'll probably have to first find whatever code additions to those images enable the process (as separate from all the other adaptations that just make the device work).

I do suspect a naive overwrite of the partitions (akin to Belkin RT3200 and Xiaomi) may not work, I think some of the partitions are somehow firmware for the radios, given the MTD names. So that might mean they are fixed in place. At best they'd need to be moved, which also may not work.

mtd18: 06100000 00020000 "rootfs" <-- OS #1
mtd19: 00900000 00020000 "0:wififw" <-- "probably" firmware for the wi-fi...
mtd20: 06100000 00020000 "rootfs_1" <-- OS #2
mtd21: 00900000 00020000 "0:wififw_1" <-- "probably" firmware for the wi-fi...
mtd22: 01600000 00020000 "ubifs" <-- particularly large but not part of OpenWRT boot?

Plus whatever all the others do... If I understand correctly, the rootfs and rootfs_1 contain the entire OpenWRT image and the others may as well be magic as far as I know. I'm curious if this partition layout is common for this architecture or if it's completely novel...

Anyway, the RavPower design is, um, interesting. Apparently it chain-boots by having u-boot load a second bootloader that then loads the kernel from a new location since the kernel partition size is hardcoded as "tiny."

I feel like that holds promise if it's the original bootloader holding us back from dual-image support, but that still raises the question of where we can stick a second bootloader that isn't inside one of the firmware partitions (unless that would work... We could use the other as a bootloader+internal ramdisk recovery, but that sounds hard to coordinate across two separate UBI partitions and I'm still hoping for full A/B image support).

Anyone got a clue what the other partitions are and if we need them?

Second and more importantly, what methods exist to recover if I somehow break a partition or the bootchain in testing?

I ordered up some SPI flash reader clips and a Pi Pico as an SPI reader, but I'm not sure what software tools would work to read/write a NAND and get the ECC correct. In addition, how do I prevent the host from requesting reads/writes while I'm making a dump or restore? These things work for BIOS flashing but I imagine there are hardware differences to the chip's interface. Then there's the chance of getting a bad block if I try to restore a full image... I may need to request help on how to only image/write certain parts using external tools.

For methods that don't need me to open the case (but which won't work if I can't boot something) there's MTD but the wiki says not to use that on flash. That said, perusal of my dump says the OEM firmware just uses MTD during a sysupgrade anyway (I mean, OEMs are usually not respectful of the flash, but it's weird that it works at all). Was MTD patched to work natively with NAND (if so, the guide should probably get updated, at least to mention when that was added)?

The wiki and an unanswered forum thread mention the proper NAND tools, but I'm not sure exactly how to sub them in for creating the MTD backup. Meanwhile, LuCI has a tool to download the partitions but I'm not sure if it is NAND-aware or not.

I also tried accessing the partitions past 24 but neither LuCI nor the command line seem to be able to do anything with them, which is also weird:

cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00100000 00020000 "0:SBL1"
mtd1: 00100000 00020000 "0:MIBIB"
mtd2: 00080000 00020000 "0:BOOTCONFIG"
mtd3: 00080000 00020000 "0:BOOTCONFIG1"
mtd4: 00300000 00020000 "0:QSEE"
mtd5: 00300000 00020000 "0:QSEE_1"
mtd6: 00080000 00020000 "0:DEVCFG"
mtd7: 00080000 00020000 "0:DEVCFG_1"
mtd8: 00080000 00020000 "0:APDP"
mtd9: 00080000 00020000 "0:APDP_1"
mtd10: 00080000 00020000 "0:RPM"
mtd11: 00080000 00020000 "0:RPM_1"
mtd12: 00080000 00020000 "0:CDT"
mtd13: 00080000 00020000 "0:CDT_1"
mtd14: 00080000 00020000 "0:APPSBLENV"
mtd15: 00100000 00020000 "0:APPSBL"
mtd16: 00100000 00020000 "0:APPSBL_1"
mtd17: 00080000 00020000 "0:ART"
mtd18: 06100000 00020000 "rootfs_1"
mtd19: 00900000 00020000 "0:WIFIFW_1"
mtd20: 06100000 00020000 "rootfs"
mtd21: 00900000 00020000 "0:WIFIFW"
mtd22: 01600000 00020000 "ubifs"
mtd23: 00080000 00020000 "0:ETHPHYFW"
mtd24: 00280000 00020000 "certificate"
mtd25: 003ff000 0001f000 "kernel"
mtd26: 0218b000 0001f000 "ubi_rootfs"
mtd27: 0331a000 0001f000 "rootfs_data"
mtd28: 00f04000 0001f000 "log"
mtd29: 00516000 0001f000 "vendor"
mtd30: 0001f000 0001f000 "user_data"
mtd31: 0020f000 0001f000 "wifi_fw"
-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 cat /sys/class/mtd/mtd24/offset
262668288
 cat /sys/class/mtd/mtd25/offset
cat: can't open '/sys/class/mtd/mtd25/offset': No such file or directory
 cat /sys/class/mtd/mtd26/offset
cat: can't open '/sys/class/mtd/mtd26/offset': No such file or directory
 cat /sys/class/mtd/mtd27/offset
cat: can't open '/sys/class/mtd/mtd27/offset': No such file or directory
 cat /sys/class/mtd/mtd28/offset
cat: can't open '/sys/class/mtd/mtd28/offset': No such file or directory
 cat /sys/class/mtd/mtd29/offset
cat: can't open '/sys/class/mtd/mtd29/offset': No such file or directory
 cat /sys/class/mtd/mtd30/offset
cat: can't open '/sys/class/mtd/mtd30/offset': No such file or directory
 cat /sys/class/mtd/mtd31/offset
cat: can't open '/sys/class/mtd/mtd31/offset': No such file or directory
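
Added example, not part of the original post: a parser for the /proc/mtd listing above that separates raw NAND partitions from the mtd25+ entries and recomputes the raw offsets, which matches the 262668288 reported for mtd24. Reading the 0x1f000-erasesize entries as UBI volumes re-exported as MTD devices is an inference from their sizes; the 2 KiB page size and the contiguous layout from offset 0 are assumptions.

```python
import re

PEB = 0x20000         # raw NAND erase block size reported in the post
PAGE = 2048           # assumption: 2 KiB NAND page (not stated in the post)
LEB = PEB - 2 * PAGE  # UBI keeps two header pages per block -> 0x1f000
ENTRY = re.compile(r'mtd(\d+): ([0-9a-f]{8}) ([0-9a-f]{8}) "([^"]+)"')

# /proc/mtd from the post, reflowed three entries per line (the parser ignores layout).
SAMPLE = '''
mtd0: 00100000 00020000 "0:SBL1" mtd1: 00100000 00020000 "0:MIBIB" mtd2: 00080000 00020000 "0:BOOTCONFIG"
mtd3: 00080000 00020000 "0:BOOTCONFIG1" mtd4: 00300000 00020000 "0:QSEE" mtd5: 00300000 00020000 "0:QSEE_1"
mtd6: 00080000 00020000 "0:DEVCFG" mtd7: 00080000 00020000 "0:DEVCFG_1" mtd8: 00080000 00020000 "0:APDP"
mtd9: 00080000 00020000 "0:APDP_1" mtd10: 00080000 00020000 "0:RPM" mtd11: 00080000 00020000 "0:RPM_1"
mtd12: 00080000 00020000 "0:CDT" mtd13: 00080000 00020000 "0:CDT_1" mtd14: 00080000 00020000 "0:APPSBLENV"
mtd15: 00100000 00020000 "0:APPSBL" mtd16: 00100000 00020000 "0:APPSBL_1" mtd17: 00080000 00020000 "0:ART"
mtd18: 06100000 00020000 "rootfs_1" mtd19: 00900000 00020000 "0:WIFIFW_1" mtd20: 06100000 00020000 "rootfs"
mtd21: 00900000 00020000 "0:WIFIFW" mtd22: 01600000 00020000 "ubifs" mtd23: 00080000 00020000 "0:ETHPHYFW"
mtd24: 00280000 00020000 "certificate" mtd25: 003ff000 0001f000 "kernel" mtd26: 0218b000 0001f000 "ubi_rootfs"
mtd27: 0331a000 0001f000 "rootfs_data" mtd28: 00f04000 0001f000 "log" mtd29: 00516000 0001f000 "vendor"
mtd30: 0001f000 0001f000 "user_data" mtd31: 0020f000 0001f000 "wifi_fw"
'''

def classify(proc_mtd):
    """Return (raw, ubi): raw = (idx, name, offset, size); ubi = (idx, name, leb_count)."""
    raw, ubi, offset = [], [], 0
    for idx, size, erase, name in ENTRY.findall(proc_mtd):
        size, erase = int(size, 16), int(erase, 16)
        if erase == PEB:
            # Raw partition: offset is the running sum (assumes no gaps from 0).
            raw.append((int(idx), name, offset, size))
            offset += size
        elif erase == LEB and size % LEB == 0:
            # LEB-sized erase blocks: a UBI volume, which has no fixed flash offset.
            ubi.append((int(idx), name, size // LEB))
        else:
            raise ValueError(f"mtd{idx}: unexpected erasesize {erase:#x}")
    return raw, ubi

if __name__ == "__main__":
    raw, ubi = classify(SAMPLE)
    for idx, name, off, size in raw:
        print(f"mtd{idx:<2} raw  {off:#010x}..{off + size:#010x}  {name}")
    for idx, name, lebs in ubi:
        print(f"mtd{idx:<2} ubi  {lebs:>4} LEBs             {name}")
```

UBI remaps logical blocks to physical ones for wear leveling and bad-block handling, so a volume has no stable position on flash; that is consistent with the missing `offset` files for mtd25 through mtd31.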