Fixed position partition splitting and bad blocks on nand flash

bmork · April 18, 2021, 11:37am

I am in desperate need of some education. I assume the issue and solution is documented somewhere, but haven't found an answer I like.... I guess what I am looking for is the "Universally Undisputed Correct Solution"

The basic problem is installation of OpenWrt on a device with NAND flash where the OEM firmware provides no writable rootfs, and the bootloader has no UBI support. So we want to split the OEM firmware partition in a kernel mtd the bootloader can read and a UBI mtd for the rootfs and other data the bootloader don't need ot see.

This is simple in device tree: We just create an additional UBI partition starting where we want to put it.

The question is: How do we bootstrap the split properly, when installing from either OEM firmware or bootloader? They obviously only know about the OEM partition layout.

Being a simple mind, I've always thaought that this is as simple as: Create a "factory" image which is the concatination of the kernel and ubi partitions, where the kernel is padded to the split point. This image can then be flashed like the OEM firmware from e.g. the bootloader, and when booted it will known about the proper split from device tree and mount the rootfs and rootfs_data found in the UBI image.

Now I've been "lucky" enough to get hold of a device with a bad block. As expressed by the bootloader:

Check image validation:
Image1 Header Magic Number --> OK
Image2 Header Magic Number --> OK
Image1 Header Checksum --> OK
Image2 Header Checksum --> OK
Image1 Data Checksum --> ................................................ranand_read: skip reading a fact bad block 440000 -> 460000
....................................................OK
Image2 Data Checksum --> ....................................................................................................OK
Image1 Stable Flag --> Not stable
Image1 Try Counter --> 0

Image1: OK Image2: OK

The bad block is in the part of the OEM firmware partition which I must use for the kernel. So I realize that the "factory image" I described is a recipe for disaster. The bad block is properly skipped both when reading and writing. Which means that the kernel partition is one block smaller that my padding calculation assumed, and the UBI image with the rootfs ends up at the wrong position. It's no longer where the device tree says it should be, but one block offset. Resulting in

[ 3.411400] UBI error: no valid UBI magic found inside mtd4

since that magic now is actually in the second block of mtd4 instead of the first.

So I know the problem. But I still don't have a solution I like...

I could require a two step installation process, where the user has to boot an initramfs with the proper device tree first and then sysupgrade to the real installation from there. But I would prefer avoiding the additional step if possible.

Or I could replace the fixed partition split with some dynamic splitting method, allowing a combined kernel+rootfs image without any specific assumption on rootfs placement. But this is not possible with UBI AFAIK. Keeping PEM counters and doing proper wear levelling means that we can't move, add or remove underlying flash blocks. And I believe we do want UBI under any writable file system on nand flash? So this method is pretty much ruled out.

Any comments are appreciated, whether you have a solution or not.

hnyman · April 18, 2021, 2:56pm

Like I commented to you in the other discussion, the problem has been observed with R7800 earlier. So far, the initramfs+sysupgrade approach is the easiest fix, as it allows writing kernel and rootfs to the correct places separately.

Likely the proper long-term solution would be bad block management built into the kernel, so that rootfs loading with bad blocks would happen ok. Some OEMs have built it, and I think that it is implemented for some targets also with OpenWrt.

A recent OpenWrt implementation of bad block management is
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=11425c9de29c8b9c5e4d7eec163a6afbb7fbdce2
I haven't really tried to analyse if that one solves the rootfs location prob, but it is at least a step to that direction.

You might also read discussion in :
R7800 -> Flashing openwrt causes bootloop (bad block in kernel area)

especially the few messages around here, where I quoted the BB logic from Netgear GPL sources:

gist.github.com

https://gist.github.com/hnyman/8abb5054e0589f41d65e0a16ad9d708b

R7800-V1.0.2.44_gpl_src-git_home-linux.git-sourcecode-drivers-mtd-mtdpart.c

/*
 * Simple MTD partitioning layer
 *
 * Copyright © 2000 Nicolas Pitre <nico@fluxnic.net>
 * Copyright © 2002 Thomas Gleixner <gleixner@linutronix.de>
 * Copyright © 2000-2010 David Woodhouse <dwmw2@infradead.org>
 * Copyright (c) 2013 The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by

This file has been truncated. show original

I have not tried to port/implement it to OpenWrt, but it gives one answer how OEMs tackle the NAND bad block handling with their firmware.

csharper2005 · June 19, 2021, 5:38pm

Hi @bmork! Is your problem the same with mine?

github.com/openwrt/openwrt

FS#3887 - MTD partition offset not correctly mapped when bad eraseblocks present

opened 07:05AM - 19 Jun 21 UTC

closed 11:02PM - 26 Feb 23 UTC

openwrt-bot

kernel flyspray

*csharper2005:* - Device problem occurs on: * Beeline Smartbox GIGA with ba…d erase block on NAND flash * Possible other NAND devices with bad erase blocks on flash - Software versions of OpenWrt/LEDE release, packages, etc: <code>OpenWrt SNAPSHOT r16952-677813c776</code> - Steps to reproduce: 1. Write Openwrt kernel (mtd4) and UBI (mtd6) partitions from the stock firmware on a device with badblock(s). 2. Get bootloop: <code>[ 4.040886] mt7530 mdio-bus:1f: Link is Up - 1Gbps/Full - flow control off [ 4.042039] UBI error: no valid UBI magic found inside mtd6 [ 4.065746] hctosys: unable to open rtc device (rtc0) [ 4.076584] /dev/root: Can't open blockdev [ 4.084755] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6</code> Root cause: 1. Both U-Boot and stock firmware detects a bad eraseblock, all following offsets are sifted by one block (0x20000). Our mtd4 and mtd6 in fact are written at 0x420000 and 0x1020000. <code>******************************************** Flash Map Information ******************************************** Partition Logic_Offs Logic_size Real_Offs Real_Size u-boot 0 100000 0 100000 part_map 100000 100000 100000 100000 factory-data 200000 100000 200000 120000 dual-flag 300000 100000 320000 100000 uImage1 400000 600000 420000 600000 uImage2 a00000 600000 a20000 600000 rootfs1 1000000 1800000 1020000 1800000 rootfs2 2800000 1800000 2820000 1800000 config/log 4000000 800000 4020000 800000 app-tmp 4800000 c00000 4820000 c00000 free-space 5400000 2800000 5420000 2800000 badblock-reserve 7c00000 400000 7c20000 360000</code> 2. U-Boot still waiting for a kernel at 0x420000 and it's ok. 3. Openwrt detects a bad eraseblock, but does NOT shift all following offsets by one block: <code>[ 1.198092] nand: device found, Manufacturer ID: 0xc2, Chip ID: 0xf1 [ 1.210738] nand: Macronix MX30LF1G18AC [ 1.218369] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64 [ 1.233435] mt7621-nand 1e003000.nand: ECC strength adjusted to 4 bits [ 1.246486] mt7621-nand 1e003000.nand: Using programmed access timing: 21005134 [ 1.261038] mt7621-nand 1e003000.nand: Using programmed access timing: 21005134 [ 1.275588] Scanning device for bad blocks [ 1.312129] Bad eraseblock 22 at 0x0000002c0000 [ 2.583817] 8 fixed-partitions partitions found on MTD device mt7621-nand [ 2.597331] Creating 8 MTD partitions on "mt7621-nand": [ 2.607736] 0x000000000000-0x000000100000 : "u-boot" [ 2.618828] 0x000000100000-0x000000200000 : "dynamic partition map" [ 2.632380] 0x000000200000-0x000000300000 : "Factory" [ 2.643531] 0x000000300000-0x000000400000 : "Boot Flag" [ 2.655139] 0x000000400000-0x000000a00000 : "kernel" [ 2.666172] 0x000000a00000-0x000001000000 : "Kernel 2" [ 2.677543] 0x000001000000-0x000007c00000 : "ubi" [ 2.688598] 0x000007c20000-0x000007fa0000 : "bad block reserved"</code> 3. As a result OpenWRT expects to find UBI at 0x1000000. In fact UBI is at 0x10200000. It causes boot loop: <code> [ 4.025957] pci 0000:00:01.0: bridge window [mem 0x60400000-0x604fffff pref] [ 4.040886] mt7530 mdio-bus:1f: Link is Up - 1Gbps/Full - flow control off [ 4.042039] UBI error: no valid UBI magic found inside mtd6 [ 4.065746] hctosys: unable to open rtc device (rtc0) [ 4.076584] /dev/root: Can't open blockdev [ 4.084755] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6 [ 4.099639] Please append a correct "root=" boot option; here are the available partitions: [ 4.116269] 1f00 1024 mtdblock0 [ 4.116274] (driver?) [ 4.129299] 1f01 1024 mtdblock1 [ 4.129302] (driver?) [ 4.142303] 1f02 1024 mtdblock2 [ 4.142305] (driver?) [ 4.155316] 1f03 1024 mtdblock3 [ 4.155319] (driver?) [ 4.168323] 1f04 6144 mtdblock4 [ 4.168326] (driver?) [ 4.181324] 1f05 6144 mtdblock5 [ 4.181327] (driver?) [ 4.194323] 1f06 110592 mtdblock6 [ 4.194326] (driver?) [ 4.207336] 1f07 3584 mtdblock7 [ 4.207339] (driver?) [ 4.220336] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) [ 4.236804] Rebooting in 1 seconds..</code>

Have you already found a solution?

bmork · June 19, 2021, 9:09pm

Yes. seems so.

Not really. I have opted to not create "factory" images trying to pad the rootfs to a specific offset. It's better to recommend a two-step initial installation, writing an initramfs first and then sysupgrade after booting into the initramfs with the proper split defined by device tree

csharper2005 · June 19, 2021, 9:23pm

Could you give me an affected device model, please? I would like to add this info to the bug description.

Unfortunately, it doesn't work for me. Sysupgrade writes kernel at 0x400000 (according to layout in DTS file), but U-boot tries 0x42000 (0x40000 + bad block shift) only.

bmork · June 20, 2021, 5:19am

I have a ZyXEL NR7101 with a bad block early in the first firmware partition. It's after kernel offset, but before any reasonable rootfs location.

So this isn't as bad as a block moving the kernel offset and confusing the boot loader. That would affect the oem firmware too?

Hmm, thinking about it: shouldn't the boot loader ignore the bad blocks when looking for the kernel address? I can't understand how it's supposed to work if it doesn't.

FWIW, the NR7101 has no problem loading it secondary/recovery image, which will be "misplaced" if you count usable blocks instead of using the absolute address.

csharper2005 · June 20, 2021, 9:45am

I think that it should do so and this behavour is correct. For the second slot of my device

*************************************
Boot Flag : Sercomm1
*************************************
Fw header Magic check OK!
FW header checksum should: 0x47b7b0fe, crc32 result: 0x47b7b0fe, Fw header CRC check OK!
kernel : real offset: 0x00a20100, data length: 0x003dd3f8,checksum :0x67d1e2fd
kernel result: 0x67d1e2fd, kernel check sum ok!
rootfs:  real offset: 0x02820000, data length: 0x0093e000, checksum :0x81bdb3ef
rootfs result: 0x81bdb3ef, rootfs check sum ok!

So what we have:
Case 1. There are no bad blocks. The layout of the stock firmware and OpenWrt are the same. Everyone is happy

Case 2. Bad blocks. U-Boot and stock firmware uses adaptive layout (shifted according badblocks). While openwrt continues to use static offsets from DTS. So we have different layouts. It could cause various weird issues:

Device bricking;
Boot loops;
Problems with reverting to stock using mtd utils.
That is the reason why real users in real life prefer to use Breed instead the stock U-Boot.

At the same time, if the OpenWrt behavior will be changed in favor of an adaptive layout (harmonized with U-Boot and the stock) current users who hammered openwrt using some hacks could get bricks and bootlops.

However, I find it more correct to use adaptive layout. It's safer, more universal and less tricky. Openwrt is used by the end-users who do not have UART, NAND programmers, soldering irons.