Guidance adding new device Linksys Velop WHW03

Hello!
I am trying to identify a device and add support for it to OpenWRT, but I am lost as to what the specific process or steps to follow are -- I am following the official guide: https://openwrt.org/docs/guide-developer/add.new.device

So far I have soldered PIN connectors to the TTL pinout on the board and gained access to the serial console.
I have seen it using UBOOT, and can access the underlying OS as a non-root user -- but with some privileges.

If I'm not mistaken, I should:

Any ideas or links to follow?

Funny enough, UBOOT and OS seem to be based already on OpenWRT.
U-BOOT version is: U-Boot 2012.07 [Chaos Calmer 15.05.1,r35193] (Nov 18 2016 - 02:45:15)
OS version, from /proc/version is: Linux version 3.14.77 (root@build-vm) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r35193) ) #1 SMP PREEMPT Fri Jan 11 07:12:58 PST 2019

If useful at all, here's the startup boot log
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00108
S - IMAGE_VARIANT_STRING=DAAAANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000023
S - Reset status Config, 0x00000000
S - Core 0 Frequency, 0 MHz
B - 261 - PBL, Start
B - 1338 - bootable_media_detect_entry, Start
B - 18768 - bootable_media_detect_success, Start
B - 18782 - elf_loader_entry, Start
B - 21202 - auth_hash_seg_entry, Start
B - 23347 - auth_hash_seg_exit, Start
B - 58309 - elf_segs_hash_verify_entry, Start
B - 172501 - PBL, End
B - 172525 - SBL1, Start
B - 264554 - pm_device_init, Start
D - 9 - pm_device_init, Delta
B - 266060 - boot_flash_init, Start
D - 31188 - boot_flash_init, Delta
B - 301595 - boot_config_data_table_init, Start
D - 2936 - boot_config_data_table_init, Delta - (419 Bytes)
B - 309323 - clock_init, Start
D - 7536 - clock_init, Delta
B - 320620 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:6
B - 324025 - sbl1_ddr_set_params, Start
B - 329120 - cpr_init, Start
D - 2 - cpr_init, Delta
B - 333502 - Pre_DDR_clock_init, Start
D - 4 - Pre_DDR_clock_init, Delta
D - 13171 - sbl1_ddr_set_params, Delta
B - 346797 - pm_driver_init, Start
D - 2 - pm_driver_init, Delta
B - 417812 - sbl1_wait_for_ddr_training, Start
D - 27 - sbl1_wait_for_ddr_training, Delta
B - 434209 - Image Load, Start
D - 15842 - QSEE Image Loaded, Delta - (269176 Bytes)
B - 450479 - Image Load, Start
D - 1031 - SEC Image Loaded, Delta - (0 Bytes)
B - 460356 - Image Load, Start
D - 13163 - APPSBL Image Loaded, Delta - (444963 Bytes)
B - 473944 - QSEE Execution, Start
D - 60 - QSEE Execution, Delta
B - 480138 - SBL1, End
D - 309725 - SBL1, Delta
S - Flash Throughput, 25143 KB/s (714910 Bytes, 28433 us)
S - DDR Frequency, 672 MHz

U-Boot 2012.07 [Chaos Calmer 15.05.1,r35193] (Nov 18 2016 - 02:45:15)

CBT U-Boot ver: 0.0.22

smem ram ptable found: ver: 1 len: 3
DRAM: 512 MiB
machid : 0x8010006
NAND: SF NAND unsupported id:ff:ff:ff:ffSF: Unsupported manufacturer ff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC: qca_mmc: 0
PCI0 Link Intialized
In: serial
Out: serial
Err: serial
machid: 8010006
flash_type: 1 => [eMMC]
LED(PCA963x) initializing ... done
Net: MAC0 addr:0:3:7f:14:8a:74
PHY ID1: 0x4d
PHY ID2: 0xd0b2
ipq40xx_ess_sw_init done
eth0
DEVINFO: devinfo_init EMMC ... DONE
Updating boot_count ... Done
Hit any key to stop autoboot: 0

So far I have been able to see that another Linksys device, the EA8300, shares most of the components, especially the SoC (IPQ4019), and the switch is from the same family (Qualcomm Atheros QCA8075 vs QCA8072).
However the flash is different (4GiB vs 256MiB).

When flashed with the latest available version (openwrt-19.07.2-ipq40xx-generic-linksys_ea8300-squashfs-factory.bin) I can see the kernel boot, but the rootfs expected is different.

Relevant u-boot environment variables:

bootpart1=set bootargs $partbootargs && mmc read $loadaddr $prikern 4000 && bootm $loadaddr
bootpart2=set bootargs $partbootargs2 && && mmc read $loadaddr $altkern  4000 && bootm $loadaddr
partbootargs=init=/sbin/init rootfstype=ext4 root=/dev/mmcblk0p15  rootwait console=ttyMSM0,115200n8
partbootargs2=init=/sbin/init rootfstype=ext4 root=/dev/mmcblk0p17 rootwait console=ttyMSM0,115200n8
prikern=4022
altkern=48022

We can see that mmcblk0p15 and mmcblk0p17 are the root partitions, which does not map to what the EA8300 uses.
From the OS I can also see that mmcblk0p19 is the config partition: /dev/mmcblk0p19 on /tmp/var/config type ext4 (rw,sync,relatime,data=ordered)

How can I discover the proper layout?
It does not seem to be using MTD at all, as /proc/mtd (although /proc/devices does list a block device mtdblock).

And how could I make a proper backup from u-boot, just in case I screw up and damage both partitions?
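
An added example, not part of the original post: it decodes the `mmc read` arguments in the variables above into block and byte ranges, then maps them onto a CRC-checked GPT parsed from a raw eMMC dump. It assumes 512-byte blocks and a GPT on the eMMC; `SAMPLE_LAYOUT` and its partition names are constructed for the demo, and only the `prikern`/`altkern` values come from the post.

```python
import re
import struct
import zlib

SECTOR = 512  # block size of U-Boot `mmc read` and of GPT LBAs (assumed for this eMMC)

# Variables copied from the post; U-Boot reads bare numbers as hexadecimal.
UBOOT_ENV = """\
bootpart1=set bootargs $partbootargs && mmc read $loadaddr $prikern 4000 && bootm $loadaddr
bootpart2=set bootargs $partbootargs2 && && mmc read $loadaddr $altkern  4000 && bootm $loadaddr
prikern=4022
altkern=48022
"""


def kernel_reads(env_text):
    """Map each boot command to the (start_lba, block_count) of its `mmc read`."""
    env = dict(line.split("=", 1) for line in env_text.splitlines() if "=" in line)
    reads = {}
    for name, value in env.items():
        m = re.search(r"mmc read\s+\S+\s+\$(\w+)\s+([0-9a-fA-F]+)", value)
        if m:
            reads[name] = (int(env[m.group(1)], 16), int(m.group(2), 16))
    return reads


def parse_gpt(disk):
    """Validate the primary GPT of a raw dump; return [(number, name, first_lba, last_lba)]."""
    if disk[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr_size = struct.unpack_from("<I", disk, SECTOR + 12)[0]
    if hdr_size < 92:
        raise ValueError("GPT header too short")
    hdr = bytearray(disk[SECTOR:SECTOR + hdr_size])
    stored_crc = struct.unpack_from("<I", hdr, 16)[0]
    struct.pack_into("<I", hdr, 16, 0)  # the CRC is computed with its own field zeroed
    if zlib.crc32(hdr) != stored_crc:
        raise ValueError("GPT header CRC mismatch")
    entries_lba, count, size, entries_crc = struct.unpack_from("<QIII", hdr, 72)
    table = disk[entries_lba * SECTOR:entries_lba * SECTOR + count * size]
    if zlib.crc32(table) != entries_crc:
        raise ValueError("GPT entry array CRC mismatch (truncated or corrupt dump)")
    parts = []
    for i in range(count):
        entry = table[i * size:(i + 1) * size]
        if entry[:16] == bytes(16):  # all-zero type GUID marks an unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((i + 1, name, first, last))  # slot i is /dev/mmcblk0p(i+1)
    return parts


def locate(parts, lba, count):
    """Return (number, name) of the partition holding blocks [lba, lba+count), else None."""
    for number, name, first, last in parts:
        if first <= lba and lba + count - 1 <= last:
            return number, name
    return None


def build_sample_gpt(layout):
    """Constructed test input: LBA 0-33 of a disk whose GPT holds `layout`."""
    entries = bytearray(128 * 128)
    for i, (name, first, last) in enumerate(layout):
        struct.pack_into("<16s16sQQQ72s", entries, i * 128, b"\x01" * 16,
                         bytes([i + 1]) * 16, first, last, 0, name.encode("utf-16-le"))
    hdr = bytearray(struct.pack("<8sIIIIQQQQ16sQIII", b"EFI PART", 0x10000, 92, 0, 0, 1,
                                0, 34, 0, bytes(16), 2, 128, 128, zlib.crc32(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    return bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(entries)


# Constructed layout: names and ranges are hypothetical, NOT the WHW03's real
# table. Only the two kernel start blocks (0x4022, 0x48022) come from the post.
SAMPLE_LAYOUT = [
    ("boot_a", 0x4022, 0x4022 + 0x4000 - 1),
    ("rootfs_a", 0x8022, 0x48021),
    ("boot_b", 0x48022, 0x48022 + 0x4000 - 1),
    ("rootfs_b", 0x4C022, 0x8C021),
]


def kernel_locations(env_text, disk):
    """Join both views: [(bootcmd, byte_offset, byte_length, (number, name) or None)]."""
    parts = parse_gpt(disk)
    return [(cmd, lba * SECTOR, n * SECTOR, locate(parts, lba, n))
            for cmd, (lba, n) in sorted(kernel_reads(env_text).items())]


if __name__ == "__main__":
    sample = build_sample_gpt(SAMPLE_LAYOUT)
    for cmd, off, length, part in kernel_locations(UBOOT_ENV, sample):
        print(f"{cmd}: offset {off:#x}, {length // 2**20} MiB, partition {part}")
```

With a real dump, pass the start of the raw eMMC image (the header at LBA 1 plus the entry array it points to) to `parse_gpt`; a CRC failure means the dump should not be trusted as a backup.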

Normally stock bootlog prints the partition layout.

Right, below there is the full stock boot log.

What I've learned so far:

  • it is not using MTD
  • it is based on QSDK
  • I need to find the DTB to be able to build an image with proper partition mappings
  • it reads the kernel to 0x84000000 from 0x4022 for a size of 4000 (not so sure about this)
  • since it holds two firmware images, there is a boot0 and boot1 along with two rootfs at /dev/mmcblk0p15 and /dev/mmcblk0p17
  • /dev/mmcblk0p19 holds persisted data (configuration)
  • there is a FDT also located in the kernel entrypoint

Apologies for such basic questions but:

  • is the FDT useful? if so, how can I dump it from memory?
  • how are the kernel and FDT identified from the main entrypoint address at 0x84000000? (looks like kernel is at 0x840000e4 and FDT is at 0x8427b354)
  • having access to the OS, can I dump the device tree somehow?
  • I'm struggling to identify all partitions and their objective
  • would the general approach be: get DTB, build image based on another device, and boot?
  • would it be possible, or useful, to gain root access to the OS?

OS reports the following partitions:

/dev/mmcblk0       /dev/mmcblk0p12    /dev/mmcblk0p18    /dev/mmcblk0p6
/dev/mmcblk0boot0  /dev/mmcblk0p13    /dev/mmcblk0p19    /dev/mmcblk0p7
/dev/mmcblk0boot1  /dev/mmcblk0p14    /dev/mmcblk0p2     /dev/mmcblk0p8
/dev/mmcblk0p1     /dev/mmcblk0p15    /dev/mmcblk0p3     /dev/mmcblk0p9
/dev/mmcblk0p10    /dev/mmcblk0p16    /dev/mmcblk0p4     /dev/mmcblk0rpmb
/dev/mmcblk0p11    /dev/mmcblk0p17    /dev/mmcblk0p5

and during initialization it reports the following

[    1.772260] mmcblk0boot0: mmc0:0001 4FPD3R partition 1 4.00 MiB
[    1.772574] mmcblk0boot1: mmc0:0001 4FPD3R partition 2 4.00 MiB
[    1.772873] mmcblk0rpmb: mmc0:0001 4FPD3R partition 3 512 KiB
[    1.774898] GPT: device [179:15] (rootfs) set to be root filesystem
[    1.774926]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19
[    1.780471]  mmcblk0boot1: unknown partition table
[    1.781637]  mmcblk0boot0: unknown partition table

Stock boot log:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00108
S - IMAGE_VARIANT_STRING=DAAAANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000023
S - Reset status Config, 0x00000000
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1339 - bootable_media_detect_entry, Start
B -    125694 - bootable_media_detect_success, Start
B -    125708 - elf_loader_entry, Start
B -    128543 - auth_hash_seg_entry, Start
B -    130691 - auth_hash_seg_exit, Start
B -    168104 - elf_segs_hash_verify_entry, Start
B -    282211 - PBL, End
B -    282235 - SBL1, Start
B -    374260 - pm_device_init, Start
D -         9 - pm_device_init, Delta
B -    375767 - boot_flash_init, Start
D -     37604 - boot_flash_init, Delta
B -    417719 - boot_config_data_table_init, Start
D -      3300 - boot_config_data_table_init, Delta - (419 Bytes)
B -    425379 - clock_init, Start
D -      7517 - clock_init, Delta
B -    436768 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:6
B -    440174 - sbl1_ddr_set_params, Start
B -    445269 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    449652 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13172 - sbl1_ddr_set_params, Delta
B -    462947 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    533989 - sbl1_wait_for_ddr_training, Start
D -        27 - sbl1_wait_for_ddr_training, Delta
B -    550390 - Image Load, Start
D -     15805 - QSEE Image Loaded, Delta - (269176 Bytes)
B -    566623 - Image Load, Start
D -      1031 - SEC Image Loaded, Delta - (0 Bytes)
B -    576497 - Image Load, Start
D -     13562 - APPSBL Image Loaded, Delta - (444963 Bytes)
B -    590485 - QSEE Execution, Start
D -        60 - QSEE Execution, Delta
B -    596681 - SBL1, End
D -    316559 - SBL1, Delta
S - Flash Throughput, 23831 KB/s  (714910 Bytes,  29998 us)
S - DDR Frequency, 672 MHz


U-Boot 2012.07 [Chaos Calmer 15.05.1,r35193] (Nov 18 2016 - 02:45:15)

CBT U-Boot ver: 0.0.22

smem ram ptable found: ver: 1 len: 3
DRAM:  512 MiB
machid : 0x8010006
NAND:  SF NAND unsupported id:ff:ff:ff:ffSF: Unsupported manufacturer ff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   qca_mmc: 0
PCI0 Link Intialized
In:    serial
Out:   serial
Err:   serial
machid: 8010006
flash_type: 1 => [eMMC]
LED(PCA963x) initializing ... done
Net:   MAC0 addr:0:3:7f:14:8a:74
PHY ID1: 0x4d
PHY ID2: 0xd0b2
ipq40xx_ess_sw_init done
eth0
DEVINFO: devinfo_init EMMC ... DONE
Updating boot_count ... Done
Hit any key to stop autoboot:  2  1  0 

MMC read: dev # 0, block # 294946, count 16384 ... 16384 blocks read: OK
## Booting kernel from FIT Image at 84000000 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM Linksys Linux-3.14.77
     Type:         Kernel Image
     Compression:  uncompressed
     Data Start:   0x840000e4
     Data Size:    2601280 Bytes = 2.5 MiB
     Architecture: ARM
     OS:           Linux
     Load Address: 0x80208000
     Entry Point:  0x80208000
     Hash algo:    crc32
     Hash value:   c9781a0c
     Hash algo:    sha1
     Hash value:   37b711dd484850281267e41af9e8633f3c87358a
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Flattened Device Tree from FIT Image at 84000000
   Using 'config@1' configuration
   Trying 'fdt@1' FDT blob subimage
     Description:  ARM Linksys Nodes device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x8427b354
     Data Size:    39050 Bytes = 38.1 KiB
     Architecture: ARM
     Hash algo:    crc32
     Hash value:   12be89e6
     Hash algo:    sha1
     Hash value:   68bc225482fd163958cb678b7c9c3774b4df2926
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x8427b354
   Loading Kernel Image ... OK
OK
   Loading Device Tree to 87062000, end 8706e889 ... OK
eth1 MAC Address from ART is not valid
Using machid 0x8010006 from environment

Starting kernel ...

[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 3.14.77 (root@build-vm) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r35193) ) #1 SMP PREEMPT Fri Jan 11 07:12:58 PST 2019
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Linksys Nodes based on Qualcomm Technologies, Inc. IPQ40xx/AP-DK07.1-C1
[    0.000000] Reserved memory: failed to reserve memory for node 'rsvd1@87000000': base 0x87000000, size 5 MiB
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] PERCPU: Embedded 8 pages/cpu @dfbc7000 s8448 r8192 d16128 u32768
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 127232
[    0.000000] Kernel command line: init=/sbin/init rootfstype=ext4 root=/dev/mmcblk0p17 rootwait console=ttyMSM0,115200n8 clk_ignore_unused
[    0.000000] PID hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
[    0.000000] Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Memory: 500496K/513024K available (5078K kernel code, 420K rwdata, 1704K rodata, 208K init, 328K bss, 12528K reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     vmalloc : 0xe0800000 - 0xff000000   ( 488 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xe0000000   ( 512 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0208000 - 0xc08a7b1c   (6783 kB)
[    0.000000]       .init : 0xc08a8000 - 0xc08dc100   ( 209 kB)
[    0.000000]       .data : 0xc08de000 - 0xc09472f4   ( 421 kB)
[    0.000000]        .bss : 0xc09472f4 - 0xc099965c   ( 329 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] NR_IRQS:16 nr_irqs:16 16
[    0.000000] Architected cp15 timer(s) running at 48.00MHz (virt).
[    0.000008] sched_clock: 56 bits at 48MHz, resolution 20ns, wraps every 2863311552512ns
[    0.000019] Switching to timer-based delay loop
[    0.000343] Calibrating delay loop (skipped), value calculated using timer frequency.. 96.00 BogoMIPS (lpj=480000)
[    0.000361] pid_max: default: 32768 minimum: 301
[    0.000639] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000653] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.012355] CPU: Testing write buffer coherency: ok
[    0.012713] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
[    0.012786] Setting up static identity map for 0x802137b0 - 0x80213808
[    0.090630] CPU1: Booted secondary processor
[    0.090675] CPU1: thread -1, cpu 1, socket 0, mpidr 80000001
[    0.110623] CPU2: Booted secondary processor
[    0.110658] CPU2: thread -1, cpu 2, socket 0, mpidr 80000002
[    0.130657] CPU3: Booted secondary processor
[    0.130692] CPU3: thread -1, cpu 3, socket 0, mpidr 80000003
[    0.130831] Brought up 4 CPUs
[    0.130876] SMP: Total of 4 processors activated (384.00 BogoMIPS).
[    0.130884] CPU: All CPU(s) started in SVC mode.
[    0.141313] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
[    0.141691] pinctrl core: initialized pinctrl subsystem
[    0.142136] regulator-dummy: no parameters
[    0.142794] NET: Registered protocol family 16
[    0.144390] DMA: preallocated 2048 KiB pool for atomic coherent allocations
[    0.144920] cpuidle: using governor ladder
[    0.144933] cpuidle: using governor menu
[    0.154115] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 2
[    0.154123] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 1
[    0.154131] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 3
[    0.154135] hw-breakpoint: CPU 1 failed to disable vector catch
[    0.154168] hw-breakpoint: Debug register access (0xee003e17) caused undefined instruction on CPU 0
[    0.154254] 
[    0.154254] Version Rollback Feature Disabled
[    0.157569] i2c-msm-v2 78b7000.i2c: probing driver i2c-msm-v2
[    0.159031] sps:sps is ready.
[    0.165549] bio: create slab <bio-0> at 0
[    0.167086] SD0 VccQ: 1800 <--> 3000 mV 
[    0.167599] SCSI subsystem initialized
[    0.168462] msm_bus_fabric_init_driver
[    0.168636] msm_bus_device 580000.ad-hoc-bus: Util-fact is missing, default to 100
[    0.168652] msm_bus_device 580000.ad-hoc-bus: Vrail-comp is missing, default to 100
[    0.168671] msm_bus_device 580000.ad-hoc-bus: Failed to get bus clk for bus4096 ctx1
[    0.168716] msm_bus_device 580000.ad-hoc-bus: Util-fact is missing, default to 100
[    0.168730] msm_bus_device 580000.ad-hoc-bus: Vrail-comp is missing, default to 100
[    0.168747] msm_bus_device 580000.ad-hoc-bus: Failed to get bus clk for bus1024 ctx1
[    0.194920] Bluetooth: Core ver 2.18
[    0.194993] NET: Registered protocol family 31
[    0.195004] Bluetooth: HCI device and connection manager initialized
[    0.195023] Bluetooth: HCI socket layer initialized
[    0.195038] Bluetooth: L2CAP socket layer initialized
[    0.195105] Bluetooth: SCO socket layer initialized
[    0.195293] 80000.qcom,pcie supply vreg-3.3 not found, using dummy regulator
[    0.195368] 80000.qcom,pcie supply vreg-1.8 not found, using dummy regulator
[    0.195429] 80000.qcom,pcie supply vreg-0.9 not found, using dummy regulator
[    0.195482] 80000.qcom,pcie supply gdsc-vdd not found, using dummy regulator
[    0.290547] msm_pcie_enable: msm_pcie_enable: PCIe: trigger the reset of endpoint of RC0.
[    0.300493] msm_pcie_enable: msm_pcie_enable: PCIe RC0 PHY is ready!
[    0.320490] msm_pcie_enable: msm_pcie_enable: PCIe: Release the reset of endpoint of RC0.
[    0.460634] msm_pcie_enable: msm_pcie_enable: PCIe RC0 link initialized
[    0.460869] PCI host bridge to bus 0000:00
[    0.460892] pci_bus 0000:00: root bus resource [io  0x40200000-0x402fffff]
[    0.460908] pci_bus 0000:00: root bus resource [mem 0x40300000-0x40ffffff]
[    0.460924] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.461008] msm_pcie_oper_conf: msm_pcie_oper_conf: Read of RC0 0:0x00 + 0x0014[4] is all FFs
[    0.461432] PCI: bus0: Fast back to back transfers disabled
[    0.461451] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.461733] msm_pcie_oper_conf: msm_pcie_oper_conf: Read of RC0 1:0x00 + 0x0014[4] is all FFs
[    0.462284] PCI: bus1: Fast back to back transfers disabled
[    0.462380] msm_pcie_oper_conf: msm_pcie_oper_conf: Read of RC0 0:0x00 + 0x0028[4] is all FFs
[    0.462416] pci 0000:00:00.0: BAR 8: assigned [mem 0x40400000-0x405fffff]
[    0.462434] pci 0000:00:00.0: BAR 0: assigned [mem 0x40300000-0x40300fff 64bit]
[    0.462466] pci 0000:01:00.0: BAR 0: assigned [mem 0x40400000-0x405fffff 64bit]
[    0.462506] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.462528] pci 0000:00:00.0:   bridge window [mem 0x40400000-0x405fffff]
[    0.462550] msm_pcie_probe: msm_pcie_probe: RC0 is enabled in bootup
[    0.462848] Switched to clocksource arch_sys_counter
[    0.464669] NET: Registered protocol family 2
[    0.465940] TCP established hash table entries: 4096 (order: 2, 16384 bytes)
[    0.466015] TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
[    0.466104] TCP: Hash tables configured (established 4096 bind 4096)
[    0.466161] TCP: reno registered
[    0.466180] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.466210] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.466559] NET: Registered protocol family 1
[    0.467340] hw perfevents: enabled with ARMv7 Cortex-A7 PMU driver, 5 counters available
[    0.468741] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.478170] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.478188] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.479149] msgmni has been set to 977
[    0.480829] Key type asymmetric registered
[    0.480848] Asymmetric key parser 'x509' registered
[    0.480885] io scheduler noop registered
[    0.480895] io scheduler deadline registered (default)
[    0.481768] tcsr 194b000.tcsr: setting usb hs phy mode select = e700e7
[    0.481837] tcsr 1953000.ess_tcsr: setting ess interface select = 0
[    0.481904] tcsr 1949000.tcsr: setting wifi_glb_cfg = 41000000
[    0.481966] tcsr 1957000.tcsr: setting wifi_noc_memtype_m0_m2 = 2222222
[    0.482673] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.483727] msm_serial_hsl_probe: detected port #0 (ttyMSM0)
[    0.483770] msm_serial_hsl_probe: Bus scaling is disabled
[    0.483924] 78af000.serial: ttyMSM0 at MMIO 0x78af000 (irq = 139, base_baud = 115200) is a MSM
[    0.484000] msm_hsl_console_setup: console setup on port #0
[    1.290285] console [ttyMSM0] enabled
[    1.294371] msm_serial_hsl_init: driver initialized
[    1.299317] uart_tx_gpio is not available
[    1.302787] uart_rx_gpio is not available
[    1.306824] uart_cts_gpio is not available
[    1.310863] uart_rfr_gpio is not available
[    1.314963] Wakeup irq not specified.
[    1.318592] BLSP UART: Bus scaling is disabled.
[    1.323325] sps: BAM device 0x07884000 is not registered yet.
[    1.328830] sps:BAM 0x07884000 is registered.
[    1.333337] 78b0000.uart: ttyQHS0 at MMIO 0x78b0000 (irq = 140, base_baud = 460800) is a MSM HS UART
[    1.342613] qca_serial_hs module loaded
[    1.350125] spi_qsd 78b6000.spi: chipselect 0 already in use
[    1.354782] spi_master spi1: spi_device register error /soc/spi@78b6000/em358x@0
[    1.373433] libphy: ipq40xx_mdio: probed
[    1.379870] ipq40xx-mdio 90000.mdio: ipq40xx-mdio driver was registered
[    1.385540] tun: Universal TUN/TAP device driver, 1.6
[    1.390488] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    1.396803] PPP generic driver version 2.4.2
[    1.401073] PPP BSD Compression module registered
[    1.405613] PPP Deflate Compression module registered
[    1.410628] NET: Registered protocol family 24
[    1.415070] i2c /dev entries driver
[    1.420060] Bluetooth: HCI UART driver ver 2.2
[    1.423501] Bluetooth: HCI H4 protocol initialized
[    1.428243] Bluetooth: HCI BCSP protocol initialized
[    1.433802] sdhci: Secure Digital Host Controller Interface driver
[    1.439352] sdhci: Copyright(c) Pierre Ossman
[    1.443717] sdhci-pltfm: SDHCI platform and OF driver helper
[    1.449880] sdhci_msm 7824900.sdhci: Got SD LDO GPIO #33
[    1.555019] sdhci_msm 7824900.sdhci: Got CD GPIO #22.
[    1.565306] mmc0: no vmmc regulator found
[    1.612884] mmc0: SDHCI controller on 7824900.sdhci [7824900.sdhci] using ADMA
[    1.619425] leds-pca963x 0-0062: PCA963X_HW_BLINK ON
[    1.643877] leds-pca963x 0-0062: PCA963X LED initialize ok done
[    1.651143] hidraw: raw HID events driver (C) Jiri Kosina
[    1.664047] u32 classifier
[    1.667848]     Performance counters on
[    1.670673]     input device check on
[    1.674324] Netfilter messages via NETLINK v0.30.
[    1.678997] nfnl_acct: registering with nfnetlink.
[    1.683885] nf_conntrack version 0.5.0 (7820 buckets, 31280 max)
[    1.690501] ctnetlink v0.93: registering with nfnetlink.
[    1.695217] nf_conntrack_rtsp v0.7 loading
[    1.699267] ip_set: protocol 6
[    1.702405] gre: GRE over IPv4 demultiplexor driver
[    1.707054] ip_gre: GRE over IPv4 tunneling driver
[    1.713386] mmc0: BKOPS_EN bit is not set
[    1.716540] nf_nat_rtsp v0.7 loading
[    1.720021] ip_tables: (C) 2000-2006 Netfilter Core Team
[    1.725523] TCP: cubic registered
[    1.729335] NET: Registered protocol family 10
[    1.734661] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    1.739563] sit: IPv6 over IPv4 tunneling driver
[    1.751418] mmc0: new HS200 MMC card at address 0001
[    1.756050] mmcblk0: mmc0:0001 4FPD3R 3.64 GiB 
[    1.756633] NET: Registered protocol family 17
[    1.756768] Bridge firewalling registered
[    1.756780] Ebtables v2.0 registered
[    1.771998] Bluetooth: RFCOMM TTY layer initialized
[    1.772260] mmcblk0boot0: mmc0:0001 4FPD3R partition 1 4.00 MiB
[    1.772574] mmcblk0boot1: mmc0:0001 4FPD3R partition 2 4.00 MiB
[    1.772873] mmcblk0rpmb: mmc0:0001 4FPD3R partition 3 512 KiB
[    1.774898] GPT: device [179:15] (rootfs) set to be root filesystem
[    1.774926]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19
[    1.780471]  mmcblk0boot1: unknown partition table
[    1.781637]  mmcblk0boot0: unknown partition table
[    1.818179] Bluetooth: RFCOMM socket layer initialized
[    1.823299] Bluetooth: RFCOMM ver 1.11
[    1.826971] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[    1.832256] Bluetooth: BNEP filters: protocol multicast
[    1.837509] Bluetooth: BNEP socket layer initialized
[    1.842416] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    1.848342] Bluetooth: HIDP socket layer initialized
[    1.853308] l2tp_core: L2TP core driver, V2.0
[    1.857619] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[    1.862377] l2tp_netlink: L2TP netlink interface
[    1.867030] 8021q: 802.1Q VLAN Support v1.8
[    1.871322] Registering SWP/SWPB emulation handler
[    1.877298] regulator-dummy: disabling
[    1.881158] input: gpio_keys.6 as /devices/soc.0/gpio_keys.6/input/input0
[    1.887182] drivers/rtc/hctosys.c: unable to open rtc device (rtc0)
[    1.896831] clk: Not disabling unused clocks
[    1.904125] EXT4-fs (mmcblk0p17): mounted filesystem with ordered data mode. Opts: (null)
[    1.911311] VFS: Mounted root (ext4 filesystem) readonly on device 179:17.
[    1.918513] Freeing unused kernel memory: 208K (c08a8000 - c08dc000)
*********************************************************************************
              _        _  __    _    __ _____ __   __ _____
             | |      | ||  \  | |  / // ____]\ \ / // ____]TM
             | |      | ||   \ | | / /| (___   \ V /| (____
             | |      | || |\ \| |\ \  \____ \  \ /  \____ \
             | |_____ | || | \   | \ \  ____) | | |   ____) |
             |_______||_||_|  \__|  \_\[____ /  |_|  [_____/

 (c) 2013 Belkin International, Inc. and/or its affiliates. All rights reserved.
 Booting nodes (firmware version 1.1.8.192419) 
*********************************************************************************
[utopia][init] System Initialization
[utopia][init] Creating /proc
[utopia][init] Creating /sys
[utopia][init] Creating /dev
[utopia][init] Creating /tmp
[utopia][init] Allocating 250M for /tmp
[utopia][init] Prepairing /dev/pts
[utopia][init] Setting /tmp and /var permissions
[utopia][init] Starting udev..
[    2.201987] EXT4-fs (mmcblk0p17): re-mounted. Opts: errors=remount-ro,data=ordered
[utopia][init] Checking HW version...1
Attempting mount of syscfg partition
[utopia][init] Using persistent syscfg data from /var/config/syscfg
[utopia][init] Starting system logging
[utopia][init] Starting sysevent subsystem
[utopia][init] Starting blue ...
[utopia][init] Enabling DesignWare USB3 DRD Core drivers
[utopia][init] Loading QCA Ethernet, NSS and GMAC drivers
net.netfilter.nf_conntrack_acct = 1
[utopia][init] Late loading usb drivers
[utopia][init] Setting any unset system values to default
[utopia][init] no persistence config file (/var/config/pstcfg) found
setting up MAC addresses for all interface based on 58:EF:68:67:3F:0A
Updating NTP Servers if necessary
[utopia][init] syscfg loaded removing tmp file
Program the switch...
[utopia][init] initializing ZigBee interface
[utopia][init] initializing V1 interface
[utopia][init] GPIO OUT 56
[utopia][init] GPIO OUT 45
[utopia][init] GPIO OUT 49
[utopia][init] GPIO OUT 55
[utopia][init] GPIO IN 50
[utopia][init] ZigBee interface ready to use
checking for interactive script start up...

no user scheduled tasks found...
senq running 
/etc/init.d/service_senq.sh   Starting in mode 1
1970-01-01 00:00:08: node-mode running 
Updating BootCount MMC ... Done

attempting to sync sysinfo.cgi auth credentials
[utopia][init] Load WiFi cal data from eMMC(mmcblk0p10) to FS.
[utopia][init] Setup link to WiFi firmware and board data (US)
[utopia][init] BDF root dir is /lib/firmware/IPQ4019/v1
[utopia][init] Multi-region is not supported or not enabled
[utopia][init] Cert region: US
[utopia][init] No REGION definded, use FCC
NSS Auto scaling disabled 
[utopia][init] Loading QCA Enhanced Connection manager
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
[utopia][init] Initializing BTLE interface
[utopia][init] Bluetooth Mac Address: 58 EF 68 67 3F 0A
[utopia][init] Cert Region: US
[utopia][init] BT PSR: /etc/psr_v1/pb-234-csr8x11-rev2.FCC.psr
Device setup complete
Loading PSKEY_HCI_LMP_LOCAL_VERSION ... done
Loading PSKEY_LMP_REMOTE_VERSION ... done
Loading 0x212c ... done
Loading 0x212d ... done
Loading 0x212e ... done
Loading 0x212f ... done
Loading 0x2130 ... done
Loading 0x2131 ... done
Loading 0x2132 ... done
Loading 0x2133 ... done
Loading 0x2134 ... done
Loading 0x2135 ... done
Loading 0x2136 ... done
Loading 0x2137 ... done
Loading 0x220b ... done
Loading 0x222b ... done
Loading 0x222c ... done
Loading 0x2139 ... done
Loading 0x213a ... done
Loading 0x213b ... done
Loading PSKEY_LC_MAX_TX_POWER ... done
Loading PSKEY_HOST_INTERFACE ... done
Loading 0x01ea ... done
Loading PSKEY_ANA_FREQ ... done
Loading PSKEY_ANA_FTRIM ... done
Loading 0x22c8 ... done
Loading 0x2480 ... done
Loading 0x2483 ... done
Loading 0x2484 ... done
Loading 0x2485 ... done
Loading 0x2493 ... done
Loading 0x2488 ... done
Device setup complete
Device setup complete
[utopia][init] BTLE interface ready to use
btsetup service
btsetup: btsetup-start
inserting fpbypass.ko for QCA
btsetup: Slave mode and Peripheral role
bluetoothd.init: /var/run/dbus created
attempting to sync sysinfo.cgi auth credentials
bluetoothd.init: dbus-daemon started
adding group for lldpd user
Thu Oct 11 06:00:00 UTC 2012


nodes login: Starting devicedb ... 

DeviceDB database version 3
Options:
    Daemonize       : yes
    Server UDS Path   : /tmp/devicedb/server_link
    Database File     : /tmp/devicedb/devicedb.db
    DB Transient File : /tmp/devicedb/transient.db
DeviceDB Daily Backup Cron job created
No TopoDB persistence data to import
TopoDB data not imported
ARP agent not started: not in master mode.
hcisetup: Enabled LE advertising
Starting ddd_ethernet_agent ... 
udhcpc (v1.19.4) started
lldpd event ETH::port_4_status down received. 
lldpd event ETH::port_5_status down received. 
nss_build_bypass is called with ipv4_wan_ipaddr
lldpd event ipv4_wan_ipaddr 0.0.0.0 received. 
Sending discover...
backhaul_switching status event default_router NULL received on backhaul_switching_mgr
Sending discover...
Sending discover...
No lease, forking to background
nss_build_bypass is called with lan-started
conntrack_parse running 
creating conntrack cron job
ARP agent not started: not in master mode.
Lighttpd Model Base: WHW03B
Generating Rainier lighttpd config
service shield is called with 'lan-started'
udhcpc (v1.19.4) started
shield will not run on non-master units
Sending discover...
Build temporary www configuration directory: 
$1$l3HQGzvY$rBx/p7iJQcDgkZZR44CY//
killall: thrulayd: no process killed
Registering Service Linksys04814._http._tcp.local port 80
killall: thrulay: no process killed
Got a reply for Linksys04814._http._tcp.local.: Name now registered and active
subscriber running 
/etc/init.d/service_subscriber.sh lan-status started MODE: 1
/etc/init.d/service_subscriber.sh lan-status started: Not Master; ignoring status change (mode: 1)
service_guardian.sh is called with lan-status
starting /sbin/nmbd for bridge mode
killall: mosquitto: no process killed
fastpath, sysevent received: bridge-status
Sending discover...
nodes_notificationevents: info: Received event shield::subscription_status with value: inactive
net.bridge.bridge-nf-call-ip6tables = 0
nodes_notificationevents: info: Handled event shield::subscription_status.
net.bridge.bridge-nf-call-iptables = 0
service shield is called with 'shield::subscription_status'
shield will not run on non-master units
killall: mdns_lookup: no process killed
wifi, sysevent received: lan-started (Wed Oct 10 23:00:17 PDT 2012)
LookUpMaster call OK.
mDNS lookup is on going...
wifi, service_start()
[utopia][init] Loading GMAC and WLAN drivers
smart_connect, sysevent received: wifi-status starting
Sending discover...
Starting smbd ... 
No lease, forking to background
5311 3214
backhaul_switching status event system_state-normal received
backhaul_switching status event backhaul::media 2 received on backhaul_switching_mgr
Backhaul media 2 received, but wifi status is not started. Will do backhaul check later
[utopia][init] Creating wifi devices
ath0
ath1
ath10
 Multi-region is not supported or not enabled
Not ready for JNAP. Sleeping for 15 seconds...
Wireless backhaul connect is canceled, as wifi-status is not started, will start later...
smart connect client, generating client device data
ping: bad address 'www.linksys.com'
wifi, wifi_physical_start(ath0)
Auto channel
wifi, wifi_virtual_start(ath0)
wifi, wifi_user_start(ath0)
wifi_user, ath0 TxBF enabled
ifconfig: SIOCSIFFLAGS: Network is down
wifi, primary AP: ath0 is up (Wed Oct 10 23:00:31 PDT 2012)
wifi, wifi_guest_start(ath0)
wifi, guest ath2 is disabled, do not start wifi guest
wifi, wifi_smart_configured_start(ath0)
ath5      No such device

ath5
wifi_user, ath5 TxBF enabled
ath4      No such device

ath4
wifi, smart connect configured AP: ath5 is up 
wifi, wifi_physical_start(ath1)
Auto channel
Following channels are blocked from Channel selection algorithm  
[149] [153] [157] [161] [165] 
wifi, wifi_virtual_start(ath1)
wifi, wifi_user_start(ath1)
wifi_user, ath1 TxBF enabled
wifi_user, ath1 MU-MIMO enabled
ifconfig: SIOCSIFFLAGS: Network is down
wifi, primary AP: ath1 is up (Wed Oct 10 23:00:33 PDT 2012)
wifi, wifi_guest_start(ath1)
wifi, guest ath3 is disabled, do not start wifi guest
wifi, wifi_physical_start(ath10)
Auto channel
Following channels are blocked from Channel selection algorithm  
[36] [40] [44] [48] 
wifi, wifi_virtual_start(ath10)
wifi, wifi_user_start(ath10)
wifi_user, ath10 TxBF enabled
wifi_user, ath10 MU-MIMO enabled
ifconfig: SIOCSIFFLAGS: Network is down
wifi, primary AP: ath10 is up (Wed Oct 10 23:00:35 PDT 2012)
wifi, wifi_guest_start(ath10)
wifi, guest ath6 is disabled, do not start wifi guest
wifi, start_hostapd()
wifi, start hostapd (Wed Oct 10 23:00:35 PDT 2012)
Configuration file: /tmp/hostapd-ath0.conf
Configuration file: /tmp/hostapd-ath1.conf
Configuration file: /tmp/hostapd-ath10.conf
Configuration file: /tmp/hostapd-ath5.conf
Configuration file: /tmp/hostapd-ath4.conf

Made some progress trying to understand how everything works but still learning, so my assumptions could be incorrect.

This device does not use NAND, but MMC, therefore no MTD was available.
mmcinfo will list the current MMC device, such as:

Device: qca_mmc
Manufacturer ID: 15
OEM: 100
Name: 4FPD3
Tran Speed: 25000000
Rd Block Len: 512
MMC version 4.0
High Capacity: Yes
Capacity: 3.6 GiB
Bus Width: 8-bit

And to list partitions you can execute mmc part, which will print the following:

Partition Map for MMC device 0  --   Partition Type: EFI

Part    Name                    Start LBA       End LBA
  1     0:SBL1                  0x00000022      0x00000421
  2     0:BOOTCONFIG            0x00000422      0x00000821
  3     0:QSEE                  0x00000822      0x00000C21
  4     0:QSEE_1                0x00000C22      0x00001021
  5     0:CDT                   0x00001022      0x00001221
  6     0:CDT_1                 0x00001222      0x00001421
  7     0:BOOTCONFIG1           0x00001422      0x00001621
  8     0:APPSBL                0x00001622      0x00001E21
  9     0:APPSBL_1              0x00001E22      0x00002621
 10     0:ART                   0x00002622      0x00002821
 11     u_env                   0x00002822      0x00003021
 12     s_env                   0x00003022      0x00003821
 13     devinfo                 0x00003822      0x00004021
 14     kernel                  0x00004022      0x00048021
 15     rootfs                  0x00008022      0x00048021
 16     alt_kernel              0x00048022      0x0008C021
 17     alt_rootfs              0x0004C022      0x0008C021
 18     sysdiag                 0x0008C022      0x0008C421
 19     syscfg                  0x0008C422      0x00747FDE

I have not been able to find a Device Tree Blob, but the first thing U-Boot does is to load at address 0x84000000 the content of the selected kernel; for instance, the primary is located at 0x4022 with a size of 0x4000.
Command used could be mmc read 84000000 4022 4000.

This is in fact a FIT image that contains a config@1 structure with the kernel@1 and fdt@1.
This version of U-Boot comes with a couple of handy commands: imxtract and fdt.
With imxtract we can load part of the Device Tree to a memory address.
For instance, if I want to extract the fdt@1 from address 0x84000000 into address 0x84005000, I could run imxtract 84000000 fdt@1 84005000.

With the FDT in memory, we can load it and browse it with fdt addr 84005000 and fdt print.

Now I will try to partially create the Device Tree, pull IPQ wifi firmware from Linksys EA8300, diff and complete the kernel config file from the GPL released code from Linksys with OpenWrt's default for IPQ40xx, and build an image.
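The arithmetic behind the partition map and the mmc read count above, as an added example that is not part of the original posts: it parses a subset of the mmc part rows, converts LBA ranges to sizes using the 512-byte block length from mmcinfo, and reports entries nested inside another entry. Function names are this example's own.

```python
import re

BLOCK = 512  # "Rd Block Len: 512" in the mmcinfo output above

# Sample input: a subset of rows taken from the `mmc part` listing in the post.
MMC_PART = """\
 11     u_env                   0x00002822      0x00003021
 13     devinfo                 0x00003822      0x00004021
 14     kernel                  0x00004022      0x00048021
 15     rootfs                  0x00008022      0x00048021
 16     alt_kernel              0x00048022      0x0008C021
 17     alt_rootfs              0x0004C022      0x0008C021
 18     sysdiag                 0x0008C022      0x0008C421
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s*$")

def parse(text):
    """Return {name: (first_lba, last_lba)}; the End LBA column is inclusive."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            parts[m.group(2)] = (int(m.group(3), 16), int(m.group(4), 16))
    return parts

def size_bytes(parts, name):
    first, last = parts[name]
    return (last - first + 1) * BLOCK

def nested(parts):
    """Pairs (inner, outer) where inner lies wholly inside a different, larger entry."""
    out = []
    for a, (a0, a1) in parts.items():
        for b, (b0, b1) in parts.items():
            if a != b and b0 <= a0 and a1 <= b1 and (a0, a1) != (b0, b1):
                out.append((a, b))
    return sorted(out)

def kernel_only_blocks(parts, kernel="kernel", rootfs="rootfs"):
    """Blocks from the start of kernel up to the start of the rootfs nested in it."""
    return parts[rootfs][0] - parts[kernel][0]

if __name__ == "__main__":
    p = parse(MMC_PART)
    for inner, outer in nested(p):
        print(f"{inner} is inside {outer}")
    print(f"kernel-only region: {kernel_only_blocks(p):#x} blocks")
    print(f"rootfs: {size_bytes(p, 'rootfs') // 2**20} MiB")
```

On this map rootfs sits inside kernel (and alt_rootfs inside alt_kernel), and the 0x4000-block gap between their start LBAs equals the count passed to mmc read in the post.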
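A host-side counterpart of the imxtract step above, for a kernel partition that has been dumped to a file: an added example (not from the original posts) that walks the FIT structure and returns a sub-image's data property. The sample blob is constructed with dummy payloads, the example assumes the image data is stored inline in the data property, and the function names are its own.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def cstr(blob, pos):
    return blob[pos:blob.index(b"\0", pos)]

def walk_fit(blob):
    """Return {"/node/path": {property: bytes}} for a FIT (flattened device tree) blob."""
    magic, total, off_struct, off_strings = struct.unpack_from(">4I", blob, 0)
    if magic != FDT_MAGIC or total > len(blob):
        raise ValueError("not a complete FDT/FIT blob")
    nodes, path, pos = {}, [], off_struct
    while True:
        (tok,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if tok == BEGIN_NODE:
            name = cstr(blob, pos)
            path.append(name.decode())
            nodes["/".join(path) or "/"] = {}
            pos += (len(name) + 4) & ~3          # name + NUL, padded to 4 bytes
        elif tok == PROP:
            size, nameoff = struct.unpack_from(">2I", blob, pos)
            key = cstr(blob, off_strings + nameoff).decode()
            nodes["/".join(path) or "/"][key] = blob[pos + 8:pos + 8 + size]
            pos += 8 + ((size + 3) & ~3)         # header + value, padded to 4 bytes
        elif tok == END_NODE:
            path.pop()
        elif tok == END:
            return nodes
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok:#x}")

def imxtract(blob, image):  # host-side analogue of U-Boot's `imxtract <addr> <image>`
    return walk_fit(blob)[f"/images/{image}"]["data"]

def build_sample():  # constructed FIT with dummy payloads, not the device's image
    def pad(b):
        return b + b"\0" * (-len(b) % 4)
    def node(name, *body):
        return (struct.pack(">I", BEGIN_NODE) + pad(name.encode() + b"\0")
                + b"".join(body) + struct.pack(">I", END_NODE))
    def data(value):  # PROP token, value length, offset of "data" in the strings block
        return struct.pack(">3I", PROP, len(value), 0) + pad(value)
    tree = node("", node("images", node("kernel@1", data(b"KERNEL")),
                         node("fdt@1", data(b"DTB-BYTES")))) + struct.pack(">I", END)
    body = b"\0" * 16 + tree + b"data\0"   # empty reservation map, struct, strings
    return struct.pack(">10I", FDT_MAGIC, 40 + len(body), 56, 56 + len(tree),
                       40, 17, 16, 0, 5, len(tree)) + body
```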

Finally I was able to build an image and test the initramfs in the board, mainly due to using DTSI from qcom-ipq4019-ap.dk04.1 and looking at the EA8300/Habanero DTS.

Pushing all changes to a specific repository: https://github.com/flipy/openwrt

Right now WiFi does not load as it cannot find any firmware binary files, but I am unsure whether it is related to CAL data, missing or incorrect firmware binary files, or a bad DTS.

DTS located in: https://github.com/flipy/openwrt/blob/master/target/linux/ipq40xx/files-4.19/arch/arm/boot/dts/qcom-ipq4019-whw03.dts

Boot errors:

[    8.788031] firmware ath10k!pre-cal-ahb-a000000.wifi.bin: firmware_loading_store: map pages failed
[    8.871357] firmware ath10k!cal-ahb-a000000.wifi.bin: firmware_loading_store: map pages failed
[    8.947400] firmware ath10k!QCA4019!hw1.0!ct-firmware-5.bin: firmware_loading_store: map pages failed
[    9.049437] firmware ath10k!QCA4019!hw1.0!ct-firmware-2.bin: firmware_loading_store: map pages failed
[    9.134333] firmware ath10k!QCA4019!hw1.0!firmware-6.bin: firmware_loading_store: map pages failed
[    9.135864] ath10k_ahb a000000.wifi: qca4019 hw1.0 target 0x01000000 chip_id 0x003b00ff sub 0000:0000
[    9.142319] ath10k_ahb a000000.wifi: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[    9.157516] ath10k_ahb a000000.wifi: firmware ver 10.4b-ct-4019-fW-013-b63cea875 api 5 features mfp,peer-flow-ctrl,txstatus-noack,wmi-10.x-CT,ratemask-CT,regdump-CT,txrate-CT,flush-all-CT,pingpong-CT,ch-regs-CT,nop-CT,set-special-CT,tx-rc-CT,cust-stats-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT,wmi-bcn-rc-CT crc32 a09ca172
[    9.183734] ath10k_ahb a000000.wifi: found invalid board magic
[    9.228263] firmware ath10k!QCA4019!hw1.0!board.bin: firmware_loading_store: map pages failed
[    9.228546] ath10k_ahb a000000.wifi: failed to fetch board-2.bin or board.bin from ath10k/QCA4019/hw1.0
[    9.235811] ath10k_ahb a000000.wifi: failed to fetch board file: -11
[    9.245298] ath10k_ahb a000000.wifi: could not probe fw (-11)
[    9.470348] firmware ath10k!fwcfg-ahb-a800000.wifi.txt: firmware_loading_store: map pages failed
[    9.589729] firmware ath10k!pre-cal-ahb-a800000.wifi.bin: firmware_loading_store: map pages failed
[    9.724226] firmware ath10k!cal-ahb-a800000.wifi.bin: firmware_loading_store: map pages failed
[    9.825507] firmware ath10k!QCA4019!hw1.0!ct-firmware-5.bin: firmware_loading_store: map pages failed
[    9.922685] firmware ath10k!QCA4019!hw1.0!ct-firmware-2.bin: firmware_loading_store: map pages failed
[   10.007439] firmware ath10k!QCA4019!hw1.0!firmware-6.bin: firmware_loading_store: map pages failed
[   10.008963] ath10k_ahb a800000.wifi: qca4019 hw1.0 target 0x01000000 chip_id 0x003b00ff sub 0000:0000
[   10.015331] ath10k_ahb a800000.wifi: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[   10.030688] ath10k_ahb a800000.wifi: firmware ver 10.4b-ct-4019-fW-013-b63cea875 api 5 features mfp,peer-flow-ctrl,txstatus-noack,wmi-10.x-CT,ratemask-CT,regdump-CT,txrate-CT,flush-all-CT,pingpong-CT,ch-regs-CT,nop-CT,set-special-CT,tx-rc-CT,cust-stats-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT,wmi-bcn-rc-CT crc32 a09ca172
[   10.056913] ath10k_ahb a800000.wifi: found invalid board magic
[   10.102547] firmware ath10k!QCA4019!hw1.0!board.bin: firmware_loading_store: map pages failed
[   10.102832] ath10k_ahb a800000.wifi: failed to fetch board-2.bin or board.bin from ath10k/QCA4019/hw1.0
[   10.110191] ath10k_ahb a800000.wifi: failed to fetch board file: -11
[   10.119514] ath10k_ahb a800000.wifi: could not probe fw (-11)

Finally got it working.
All related code is in my GitHub.

As a summary of steps:

  1. Get FDT from working device
  2. Based on similar device, build Device Tree
  3. Get partition layout from OEM
  4. Get BDF files from OEM (only if not directly supported by wireless chip implementation)

For QCA based chips, this repository has all the tools necessary -- export data from a working board-2.bin file and work from there.

Device is almost fully working, but the following does not work:

  • LEDs
  • ZigBee
  • Partition loading is hardcoded to block device, not using MTD

The next step is to try to port the V2 version, which is exactly the same hardware but with a 512Mb NAND (Macronix MX30LF4G18AC-XKI).
