Hacking on the Asus DSL-N14U

While diving into how the GPL release of the code generates the images for the bootloader flasher tool, I found that the TRX packing tool had been modified, presumably by Tencent. For this reason, the images I was generating were different from the ones expected.

I have cloned the firmware-utils repo of OpenWRT and added a "tctrx" tool in order to be able to generate adequate images.

The mirror can be found in:

The tool has not been cleaned up yet... Just modified to work as expected for my router. Will do cleaning up afterwards...

Hi, you may be interested in these patches:

https://patchwork.ozlabs.org/project/openwrt/patch/20201228002438.414861-2-funman@videolan.org/
https://patchwork.ozlabs.org/project/openwrt/patch/20201228002438.414861-3-funman@videolan.org/
https://patchwork.ozlabs.org/project/openwrt/patch/20201228002438.414861-4-funman@videolan.org/

I think RT6855A might be similar to RT63365. Just check the registers in the GPL to see if they match. Anyway, you can use them as reference for supporting this SoC.

Oh, this is really nice to have! I believe it will be of use very soon...

For the time being I am focusing on generating an image with the correct format although I know the kernel will not work yet. The problem at the moment is that Tencent modified the TRX tool to customize it.

For the time being I think I have the knowledge on how to keep going. Whenever I reach the point where I will be able to generate a flashable image I will get back to the patchset you have provided in order to start kernel support.

Thank you @danitool!


I've got an image with the correct signature. Just wondering if it will flash. Rather scared to do so hahaha

After some tinkering I have found that the existing bootloader checks filenames to determine whether to overwrite the fw or to overwrite the firmware:


After correctly modifying the makefiles to generate name-correct updates I have tried to flash my first image with an unmodified kernel.

I have successfully flashed the image but run into new errors:

Search PHY addr and found PHY addr=1
Press reset button to boot command mode.
Press any key in 1 secs to enter boot command mode.
bldr> ipaddr 192.168.2.1
ipaddr 192.168.2.1
Change IP address to 192.168.2.1
bldr> 
httpd
bldr> httpd
PBUF_POOL_BUFSIZE = 256
tcp_bind()
Local Port = 0
tcp_bind: bind to port 80
bldr> 
bldr> START TO RECEIVE the FILE
...........................................................................................................
START TO CLOSE the FILE
Received file: 
rcvdata_size = 3654273
start = 0x800201E6
Real crc code: 572F070
Check data success, prepare to upload
...
erase addr=20000 size=10000
erase addr=30000 size=10000
erase addr=40000 size=10000
erase addr=50000 size=10000
erase addr=60000 size=10000
erase addr=70000 size=10000
erase addr=80000 size=10000
erase addr=90000 size=10000
erase addr=a0000 size=10000
erase addr=b0000 size=10000
erase addr=c0000 size=10000
erase addr=d0000 size=10000
erase addr=e0000 size=10000
erase addr=f0000 size=10000
erase addr=100000 size=10000
erase addr=110000 size=10000
erase addr=120000 size=10000
erase addr=130000 size=10000
erase addr=140000 size=10000
erase addr=150000 size=10000
erase addr=160000 size=10000
erase addr=170000 size=10000
erase addr=180000 size=10000
erase addr=190000 size=10000
erase addr=1a0000 size=10000
erase addr=1b0000 size=10000
erase addr=1c0000 size=10000
erase addr=1d0000 size=10000
erase addr=1e0000 size=10000
erase addr=1f0000 size=10000
erase addr=200000 size=10000
erase addr=210000 size=10000
erase addr=220000 size=10000
erase addr=230000 size=10000
erase addr=240000 size=10000
erase addr=250000 size=10000
erase addr=260000 size=10000
erase addr=270000 size=10000
erase addr=280000 size=10000
erase addr=290000 size=10000
erase addr=2a0000 size=10000
erase addr=2b0000 size=10000
erase addr=2c0000 size=10000
erase addr=2d0000 size=10000
erase addr=2e0000 size=10000
erase addr=2f0000 size=10000
erase addr=300000 size=10000
erase addr=310000 size=10000
erase addr=320000 size=10000
erase addr=330000 size=10000
erase addr=340000 size=10000
erase addr=350000 size=10000
erase addr=360000 size=10000
erase addr=370000 size=10000
erase addr=380000 size=10000
erase addr=390000 size=10000
program from 20000 to 39c281
...............................................................................................................
Firmware is uploaded successfully!
go
go
Decompress to 80020000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
Uncompressing [LZMA] ... 
not enough memory
 -- System halted

It looks like the kernel I am generating is not LZMA compressed and the bootloader tries to uncompress it...

After adding an LZMA stage to the image generation:

...
Firmware is uploaded successfully!
go
go
Decompress to 80020000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
Uncompressing [LZMA] ... 
decompression error
 -- System halted

Now going to investigate why decompression fails and if any particular modifications need to be made to the LZMA stage to get a kernel loaded!

Committed the changes to my repo :)

Much testing since last post. I have found that the decompression error is due to kernel size. Original uncompressed kernel size is 3.3MB while kernel generated by OpenWRT is around 6.5MB.

I am really struggling to downsize the kernel. Currently tinkering with kernel_menuconfig and testing whatever I can remove from the kernel but still seems to be too much.

Being drastic there are two ways here:
1 - Reducing kernel size a bunch.
2 - Going for a custom bootloader.

I would really want to keep it in option 1 if possible.

At this point, I would really appreciate any kind of input or clue on how to keep this forward :)
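An added example, not code from the posts, the GPL release or the bootloader: a pre-flash check that reads the 13-byte legacy LZMA header of a kernel image and compares the recorded unpacked size with the addresses the bootloader prints in the log above. It assumes the decompressed output written at the "Decompress to" address must end before `free_mem_ptr`; the function names, the sample headers and the byte sizes standing in for 3.3MB and 6.5MB are constructed for illustration.

```python
import re
import struct

# Line printed by the bootloader in the log above.
BOOT_LINE = "Decompress to 80020000 free_mem_ptr=80600000 free_mem_ptr_end=80780000"
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # header value meaning "size not recorded"


def parse_boot_line(line):
    """Return (load_addr, heap_start, heap_end) from the bootloader's message."""
    m = re.search(r"Decompress to ([0-9a-f]+) free_mem_ptr=([0-9a-f]+) "
                  r"free_mem_ptr_end=([0-9a-f]+)", line, re.I)
    if not m:
        raise ValueError("not a 'Decompress to' line")
    return tuple(int(g, 16) for g in m.groups())


def parse_lzma_header(blob):
    """Decode the 13-byte legacy .lzma header: props, dict size, unpacked size."""
    if len(blob) < 13:
        raise ValueError("too short for an LZMA header")
    props, dict_size, unpacked = struct.unpack("<BIQ", blob[:13])
    if props >= 9 * 5 * 5:
        raise ValueError("invalid properties byte: not an LZMA stream")
    return {"lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
            "dict_size": dict_size,
            "unpacked": None if unpacked == UNKNOWN_SIZE else unpacked}


def kernel_fits(blob, boot_line=BOOT_LINE):
    """True/False if the unpacked kernel fits below free_mem_ptr, None if unknown.

    Assumption: output written at load_addr must not reach free_mem_ptr.
    """
    load_addr, heap_start, _ = parse_boot_line(boot_line)
    size = parse_lzma_header(blob)["unpacked"]
    if size is None:
        return None  # header carries no size, so nothing can be checked
    return load_addr + size <= heap_start


def sample_header(unpacked):
    """Constructed header: lc=3 lp=0 pb=2, 8 MiB dictionary, given size."""
    return struct.pack("<BIQ", 0x5D, 8 << 20, unpacked)


if __name__ == "__main__":
    for size in (3_300_000, 6_500_000, UNKNOWN_SIZE):
        print(size, kernel_fits(sample_header(size)))
```

Under that assumption the window between the two addresses is 0x5E0000 bytes (6,160,384), which a 3.3MB kernel fits into and a 6.5MB kernel does not.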

It's been a while since my last post here. I am still learning about OpenWRT and routers in general. The project is still ongoing but I've been posting to Mastodon.

The current state is:

  • I've refactored some loader code in https://github.com/openwrt/openwrt/pull/11867. Currently almost approved and awaiting merge. I would like to further work on loader unification after the pull request.
  • That loader code unification allowed me to add support for my target. I was able to generate and flash an image that when booted, loads the loader and decompresses the Kernel.

I am currently a bit stuck here. The router seems to halt. Either just before jumping to the kernel or when it jumps to the kernel...

It is all a bit confusing as it sometimes is able to print the full loader text and sometimes seems to crash before printing it all...

I know it halts because a led begins to flash fast.

Current options:

  • Further reverse engineering the bootloader to see what is the code responsible for the fast blinking led and learn about interruptions...
  • Writing an interruption handling code to be able to print what is happening and where it is happening so that I can further debug the issue...
  • Give up on the original bootloader and go deeper down the rabbit hole. Port U-Boot!

As always, any feedback and ideas are welcome!

The refactored loader code landed in OpenWRT codebase! I am glad that this hacking journey has at least brought some improvements to the project. I've been doing stuff away from this device. I lack some of the knowledge needed to take this further at the pace I would like it to go...

I am not abandoning the project yet but before I get back to it I would probably like to perform a second refactor of the loader to merge it with the generic loader just to keep the codebase as clean as possible.