EA8500 Help with MTD partition / NAND

Hi all. I'd appreciate some help or even go as far as to offer compensation to remotely help if required to go as far as that.

I have been using an EA8500 with DD-WRT, and now with OpenWrt, for quite some time. All I remember doing to downgrade that router was spending hours trying TFTP load timing just after power on, and it finally took it. I bought another router to load OpenWrt on. I have had to dive into TTL PuTTY. Let's say it has not gone well trying to downgrade or load OpenWrt, especially forgetting to fix the flashimg2 env variable. I made mistakes being frustrated: after loading the downgrade 1.1.4.169978_prod, it wouldn't allow flashing OpenWrt 19.07.4 from the Linksys GUI. I downgraded to 1.1.4.168206_prod, and I could load the OpenWrt image. But it still had a 1.1.9 Linksys on the other partition. Somewhere I messed up on the env variables for flashimg2 and probably wiped over some NAND data, wrecking the root or even further. I made mistakes on the image name and it appeared to erase the memory and not load an image. So, I obviously have a working live OpenWrt 19.07.2. I have been reading up and hacking away at attempting to copy the MTD partitions to the other EA8500. As much as I can usually piece things together, I'm basically lost. If I try further, I am likely to overwrite U-Boot.

What I tried in order to copy the partitions from the good router was dd if=/dev/mtdblock14 of=/mnt/sda1/mtdblock14 ... 15, 16, 17, and I am not sure I can weed through loading them to the other EA8500 from U-Boot with TFTP to the proper addresses. Can I just dump and load the complete NAND from the good router?

I can post some logs, but I really feel the fix is beyond simple environment variables.

So I managed to load MTDparts 5,8,10,11,12,13,14,15,16,17 from my other router to the messed up router nand. I got 1.1.4.169978_prod firmware loaded and factory reset on both partitions. I have successfully now loaded OpenWRT 19.07.5 on the 2nd partition. I couldn't actually dump the other MTD partitions of the good router due to IO errors.

However, now the repaired router has all the same MAC addresses and device Wi-Fi name / default Wi-Fi password. This isn't necessarily a horrible thing, but is this able to be repaired? Probably by editing something in one of the partitions.

OK, so I restored my EA8500 from a working EA8500 by saving the MTD partitions and loading them manually to NAND in the U-Boot environment. This would be necessary if you are certain you accidentally erased and flashed data to the wrong address / size by doing stupid things, or if both bootable kernels have stopped working at the same time. If you can still boot to one, as long as it is OpenWrt or DD-WRT, you can go to the command line over SSH and load either backup MTD partition images or images from someone else, and write them easily to the MTD partition names. This is easiest and will not require you to enter memory address start and size, which can be subject to typos or bad information causing further erasing of data / damage.

For me, I corrupted both root FS and maybe syscfg. By the time I learned to write the partitions to NAND, I just loaded all partitions from 10-17 to be sure.

  1. Default working U-Boot environment variables. In case there is any doubt. If you have extras, take note and edit to fit this default. To delete an environment variable in U-Boot use command "setenv variable" where variable is the variable to remove as it will have no value.
altkern=3780000
auto_recovery=yes
baudrate=115200
boot_part=2
boot_part_ready=3
boot_ver=1.0.9
bootargs=console=ttyHSL1,115200n8
bootcmd=bootipq
bootdelay=2
ethact=eth0
ethaddr=00:06:3b:01:41:00
flashimg=tftp $loadaddr $image;nand erase $prikern $filesize;nand write $loadaddr $prikern $filesize
flashimg2=tftp $loadaddr $image;nand erase $altkern $filesize;nand write $loadaddr $altkern $filesize
image=wraith.bin
ipaddr=192.168.1.1
loadaddr=42000000
machid=1260
netmask=255.255.255.0
partbootargs=console=ttyHSL1,115200n8 init=/sbin/init rootfstype=squashfs root=31:14
partbootargs2=console=ttyHSL1,115200n8 init=/sbin/init rootfstype=squashfs root=31:16
prikern=f80000
serverip=192.168.1.254
stderr=serial
stdin=serial
stdout=serial
  2. OpenWrt allows you to save mtd from the LuCI GUI page for flashing updates. You can only download mtd 5,8,10,11,12,13,14,15,16,17, so it seems; all others fail with zero byte size. From the command line you can do dd if=/dev/mtdblock14 of=/mnt/sda/mtdblock14; you can also use the cat command, so I have read, to write the mtd to a file. To load a saved partition back from the OpenWrt command line, you can use the mtd erase and write commands and the partition name. From U-Boot, if you cannot boot any partition of the router, you need to flash saved partitions with some crafted environment variables edited for your file names and for your router memory address and size values.

EA8500CA memory map for my router. Found in U-Boot by running command to show SMEM partition table.

smem: SMEM_PARTITION_TABLE_OFFSET failed
flash_type:             0x2
flash_index:            0x0
flash_chip_select:      0x0
flash_block_size:       0x20000
partition table offset 0x0
No.: Name             Attributes            Start             Size
  0: 0:SBL1           0x0000ffff              0x0          0x40000
  1: 0:MIBIB          0x0000ffff          0x40000         0x140000
  2: 0:SBL2           0x0000ffff         0x180000         0x140000
  3: 0:SBL3           0x0000ffff         0x2c0000         0x280000
  4: 0:DDRCONFIG      0x0000ffff         0x540000         0x120000
  5: 0:SSD            0x0000ffff         0x660000         0x120000
  6: 0:TZ             0x0000ffff         0x780000         0x280000
  7: 0:RPM            0x0000ffff         0xa00000         0x280000
  8: 0:ART            0x0000ffff         0xc80000         0x140000
  9: 0:APPSBL         0x0000ffff         0xdc0000         0x100000
 10: u_env            0x0000ffff         0xec0000          0x40000
 11: s_env            0x0000ffff         0xf00000          0x40000
 12: devinfo          0x0000ffff         0xf40000          0x40000
 13: kernel           0x0000ffff         0xf80000         0x300000
 14: rootfs           0x0000ffff        0x1280000        0x2500000
 15: alt_kernel       0x0000ffff        0x3780000         0x300000
 16: alt_rootfs       0x0000ffff        0x3a80000        0x2500000
 17: syscfg           0x0000ffff        0x5f80000        0x2080000

To restore partitions, I stole some of the basic parameters in the "flashimg" command variable. I recommend only restoring partitions you are sure have been corrupted or overridden by mistake. devinfo or MTD12 will change your router name, password, WPS key, and MAC address to whatever device you got the data from. This can be edited at a later time if you were required to load this partition due to damage. You need to use PuTTY and TFTP to load them. Read here http://mrjcd.com/EA8500_DD-WRT/ which tells you how to load the firmware by TTL PuTTY and TFTP. If you know how this works, put your MTD partition images in the root folder of your TFTP server. Warning: this will still likely erase the memory block if your TFTP failed to get the file. To test if TFTP will fetch the file, execute the command "tftp $loadaddr mtdblock10" and it will load the file to RAM. If that worked, then the rest will work.

This was my last resort restore process that I went through. I don't claim that this will be successful for you. It definitely is only good memory addressing for at least my EA8500. Memory addresses for other routers obviously will not be the same, so don't run the commands.


setenv u_env_1 'tftp $loadaddr mtdblock10;nand erase ec0000 40000;nand write $loadaddr ec0000 40000'

setenv s_env_1 'tftp $loadaddr mtdblock11;nand erase f00000 40000;nand write $loadaddr f00000 40000'

setenv devinfo_1 'tftp $loadaddr mtdblock12;nand erase f40000 40000;nand write $loadaddr f40000 40000'

setenv kernel_1 'tftp $loadaddr mtdblock13;nand erase f80000 300000;nand write $loadaddr f80000 300000'

setenv rootfs_1 'tftp $loadaddr mtdblock14;nand erase clean 1280000 2500000;nand write $loadaddr 1280000 2500000'

setenv kernel_2 'tftp $loadaddr mtdblock15;nand erase 3780000 300000;nand write $loadaddr 3780000 300000'

setenv rootfs_2 'tftp $loadaddr mtdblock16;nand erase clean 3a80000 2500000;nand write $loadaddr 3a80000 2500000'

setenv syscfg_1 'tftp $loadaddr mtdblock17;nand erase 5f80000 2080000;nand write $loadaddr 5f80000 2080000'

You would have to use the command "run variable", such as "run kernel_2", to run one of these new command strings.

  3. Lastly, if you have overridden your deviceinfo with some other router data, you can at least change your SSID, Wi-Fi password, WPS key, and MAC address to the sticker values on your router.
Ok, so I have found the information I need finally. Here is how anyone can permanently modify their deviceinfo. It even appears you can change your router country of origin. If you change this data you need to factory reset apparently to take the data to the running firmware.

I found the info in this link. One method can be done in Linux, but be careful you know what MTD part holds the data. The other method is in U-Boot.

https://community.linksys.com/t5/Wireless-Routers/How-to-restore-the-data-device-ID/td-p/958652/page/2

From TTL Putty connection at U-Boot
[quote]devinfo - devinfo handling commands

Usage:
devinfo get [name] - gets the value of the specified variable
devinfo set [name=value] - sets the value of the specified variable
devinfo unset [name] - deletes the specified variable
devinfo update [args...] - update devinfo from the specified file
devinfo commit - commit variables to flash
devinfo erase - erase all devinfo
devinfo show - shows all variables[/quote]

I changed the following to match my sticker again.
[quote]
cert_region=US
default_passphrase=xxxxxxxxxx
default_ssid=Linksys99999
hw_mac_addr=B4:75:0E:5A:xx:xx
serial_number=xxxxxxxxxxxxx
wps_device_pin=xxxxxxxxxx

(I don't know what the TC passphrase or TC SSID are for so I have not changed them as I don't know where these original values would be)
tc_passphrase=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
tc_ssid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uuid_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Ok, so I was in U-Boot and going to flashimg, except something was wrong with the file name or whatever.

Since the environment variables don't have the "filesize" set
So, it erased f8000, size 0x7080000
117964800 bytes written and killed both bootable systems again

Shouldn't there be a default environment variable "filesize 300000" so this does not happen??

1 Like
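
Added example, not part of the original posts: a Python check over the SMEM table printed earlier in this thread. It reproduces why a "flashimg" run with no "filesize" erased 0x7080000 bytes starting at prikern, and builds restore lines with literal offsets and sizes in the same form as the setenv commands above, refusing a dump whose length differs from the partition. Function names are illustrative, and the behaviour of "nand erase" without a size argument is assumed from the numbers reported in the post.

```python
import re

# Rows 10-17 of the SMEM partition table printed in the post (that one EA8500 only).
SMEM_ROWS = """\
 10: u_env            0x0000ffff         0xec0000          0x40000
 11: s_env            0x0000ffff         0xf00000          0x40000
 12: devinfo          0x0000ffff         0xf40000          0x40000
 13: kernel           0x0000ffff         0xf80000         0x300000
 14: rootfs           0x0000ffff        0x1280000        0x2500000
 15: alt_kernel       0x0000ffff        0x3780000         0x300000
 16: alt_rootfs       0x0000ffff        0x3a80000        0x2500000
 17: syscfg           0x0000ffff        0x5f80000        0x2080000
"""
BLOCK = 0x20000  # flash_block_size from the same dump
ROW = re.compile(r"^\s*(\d+):\s+(\S+)\s+0x[0-9a-f]+\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s*$", re.M)

def parse_table(text):
    """Return {mtd_number: (name, start, size)} from SMEM table text."""
    return {int(m[1]): (m[2], int(m[3], 16), int(m[4], 16)) for m in ROW.finditer(text)}

def chip_end(parts):
    """End of the last partition; 0x8000000 for the table above."""
    return max(start + size for _, start, size in parts.values())

def erase_span(start, filesize, end):
    """Bytes covered by 'nand erase <start> $filesize'.

    Assumption: an unset $filesize expands to nothing, so the erase has no
    size argument and runs to the end of the chip, as reported in the post.
    """
    return end - start if not filesize else int(filesize, 16)

def restore_cmd(parts, mtd, dump_len):
    """U-Boot line restoring a raw dump of mtdblock<mtd>, with literal sizes."""
    name, start, size = parts[mtd]
    if dump_len != size:  # a complete dd dump is exactly partition-sized
        raise ValueError(f"{name}: dump is {dump_len:#x} bytes, partition is {size:#x}")
    if start % BLOCK or size % BLOCK:
        raise ValueError(f"{name}: not aligned to the {BLOCK:#x} erase block")
    return (f"tftp $loadaddr mtdblock{mtd};nand erase {start:x} {size:x};"
            f"nand write $loadaddr {start:x} {size:x}")

if __name__ == "__main__":
    parts = parse_table(SMEM_ROWS)
    print(hex(erase_span(0xf80000, "", chip_end(parts))))  # prikern, no filesize
    print(restore_cmd(parts, 15, 0x300000))
```

Checking the size of each dump file on the TFTP server against the table before running a restore line catches truncated dumps, such as ones cut short by the IO errors mentioned earlier in the thread.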

Hello! I'm following your topic. Exactly the same problem, I can't think of anything. Any new ideas?

Not really. I just did a couple more routers. The end result is that I still loaded all my older router partition data. Even if I got the downgrade, I kept getting invalid firmware from the Linksys web flash. Personally, I want the Linksys web flash to work. I always leave partition 1 as Linksys and partition 2 as the alternate firmware. This means I usually boot back to the Linksys FW to flash new versions of the alternate, such as OpenWrt.

The EA8500 seems to have become quite the challenge to flash now VS when I got my first router flashed was an early FW which detected invalid. I re-flashed it without opening the casing by quickly initiating TFTP loader very quickly from router power up. It took me a few days to get it. But I did.