Help needed, identifying correct boot block

Hi everyone,

I need some help flashing a device that isn't officially supported. I have a Netgear WND930 Access Point, which is, as said, not supported. Since this AP isn't directly supported, I looked for a Netgear device with the same CPU architecture. That would be the WNDR4300. Unfortunately, flashing isn't working, probably because I'm not using the correct boot flag (or whatever follows the tftpboot command with 82000000 (example: tftpboot 82000000 xxxxxx-wndr4300-initramfs-uImage.bin)).

I've attached the boot log and the info from UBOOT of the AP.

Info from UBOOT:

ar7240> showmd
productID   = WND930
hwversion   = 1.0
reginfo     = 0
numimages   = 1
currimage   = 1
basemac     = 10:DA:43:46:37:60
maccnt      = 0
maccnt      = 0
maccnt      = 0
maccnt      = 0
serial      = 3VG285NN000DB
wpsPin      =
baudrate    = 9600
ip_addr     = 192.168.0.100
ethaddr     = 10:DA:43:46:37:68
arch_number = 3011
boot_params = 0x87F77FB0
memstart    = 0x80000000
memsize     = 0x08000000
flashstart  = 0x9F000000
flashsize   = 0x01000000
flashoffset = 0x0002B958
bi_cpufreq  = 0x23000000
bi_cpuinfo  = MIPS
checksum    = 0x2cf9c8ab

Info from BOOT log:

U-Boot 1.1.4LRN2-WND930-003 (Aug 13 2014 - 20:26:42)

DB120
DRAM:
sri
Wasp 1.3
LRN2 BOOTSTRAP:AC057E
System last status:0
wasp_ddr_initial_config(250): (32bit) ddr2 init
wasp_ddr_initial_config(432): Wasp ddr init done
Tap value selected = 0xf [0x0 - 0x1f]
GPIO_OUT_FUNCTION0_ADDRESS:0
GPIO_OUT_FUNCTION1_ADDRESS:B0A0900
GPIO_OUT_FUNCTION2_ADDRESS:180000
GPIO_OUT_FUNCTION3_ADDRESS:0
GPIO_OUT_FUNCTION4_ADDRESS:2E2F0000
GPIO_OUT_FUNCTION5_ADDRESS:0
GPIO_OE_ADDRESS:218300
GPIO_OUT_ADDRESS:26010
GPIO_IN_ADDRESS:236630
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 211k for U-Boot at: 87fc8000
Reserving 192k for malloc() at: 87f98000
Reserving 44 Bytes for Board Info at: 87f97fd4
Reserving 36 Bytes for Global Data at: 87f97fb0
Reserving 128k for boot params() at: 87f77fb0
Stack Pointer at: 87f77f98
Now running in RAM - U-Boot at: 87fc8000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
Pull high AR8337 reset
pci_init_board: PCIe PLL not set for 40MHz refclk
BOARD IS NOT CALIBRATED!!!
In:    serial
Out:   serial
Err:   serial
Net:   ag934x_enet_initialize...
 wasp  reset mask:c02200
WASP  ----> S17 PHY *
athrs17_reg_init: complete
: cfg1 0x80000000 cfg2 0x7114
eth0: 10:da:43:46:37:68
set phy1 to power down mode
eth0 up
eth0
params_for_tuning_caps:40
Setting 0xb8116290 to 0x40802d0f
Hit any key to stop autoboot:  0
## Booting image at 9f050000 ...
   Image Name:   Linux Kernel
   Created:      2018-11-01  16:32:27 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    917504 Bytes = 896 kB
   Load Address: 80002000
   Entry Point:  801e51e0
   Verifying Checksum at 0x9f050040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801e51e0) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

▒Linux version 2.6.31-WND930_V2.1.5 (root@VVDN-BLD) (gcc version 4.2.4) #1 Thu Nov 1 21:54:22 IST 2018
flash_size passed from bootloader = 16
arg 1: console=ttyS0,9600
arg 2: root=31:03
arg 3: rootfstype=squashfs
arg 4: init=/sbin/init
arg 5: mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),2624k(uImage),12224k(rootfs),1024k(var),128k(manuf),64k(ART)
arg 6: mem=128M
CPU revision is: 0001974c (MIPS 74Kc)
ath_sys_frequency: cpu srif ddr apb cpu 560 ddr 429 ahb 214
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: console=ttyS0,9600 root=31:03 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:256k(u-boot)otfs),1024k(var),128k(manuf),64k(ART) mem=128M
PID hash table entries: 512 (order: 9, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 112740k/131072k available (1948k kernel code, 18164k reserved, 480k data, 156k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
Calibrating delay loop... 279.55 BogoMIPS (lpj=559104)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 8029aee0 (0xe00000 bytes)
********************************************

NET: Registered protocol family 16
PCI init:ath_pcibios_init
ath_pcibios_init(294): PCI CMD write: 0x356
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
pci 0000:00:00.0: PME# supported from D0 D1 D3hot
pci 0000:00:00.0: PME# disabled
Returning IRQ 64
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2 (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.
fuse init (API version 7.12)
msgmni has been set to 220
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
brd: module loaded
7 cmdlinepart partitions found on MTD device ath-nor0
Creating 7 MTD partitions on "ath-nor0":
0x000000000000-0x000000040000 : "u-boot"
0x000000040000-0x000000050000 : "u-boot-env"
0x000000050000-0x0000002e0000 : "uImage"
0x0000002e0000-0x000000ed0000 : "rootfs"
0x000000ed0000-0x000000fd0000 : "var"
0x000000fd0000-0x000000ff0000 : "manuf"
0x000000ff0000-0x000001000000 : "ART"
i2c /dev entries driver
i2c-gpio i2c-gpio: using pins 14 (SDA) and 13 (SCL)
TCP cubic registered
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
arch/mips/atheros/gpio.c (ath_simple_config_init) JUMPSTART_GPIO: 21
Init set PSE_RESET to pull Low
athwdt_init: Registering WDT success
ath_otp_init: Registering OTP success
ath_clksw_init: Registering Clock Switch Interface success
VFS: Mounted root (squashfs filesystem) readonly on device 31:3.
Freeing unused kernel memory: 156k freed

Mounting etc to ramfs.      [DONE]

Mounting var to jffs2.      rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=620)
none on /etc type tmpfs (rw,relatime)
[DONE]

Can anyone figure out which flag/block I need to set with TFTPBOOT to properly flash the image?

is it 9f050000 ? (from ## Booting image at 9f050000)

Another question, do I need to set the NAND to "unprotected" to be able to flash the device?
I asked because I flashed the OPENWRT image multiple times to different boot blocks, but the NETGEAR OS was still able to boot properly...

Thanks in advance!

Can you post "help" output from uboot cmd line?

This device is distinct from wndr4300, you have to tftpboot. For programming you'll need to adapt dts partitions to not wipe out critical factory data.

Sure.

ar7240> help
?       - alias for 'help'
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - invoke DHCP client to obtain IP/boot params
echo    - echo args to console
erase   - erase FLASH memory
ethreg    - S26 PHY Reg rd/wr  utility
exit    - exit script
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
iminfo  - print header information for application image
itest   - return true/false on integer compare
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
pll cpu-pll dither ddr-pll dither - Set to change CPU & DDR speed
pll erase
pll get
printenv- print environment variables
progmac - Set ethernet MAC addresses
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
savemd - save manufacturing data to persistent storage
setenv  - set environment variables
showmd- show manufacturing data
sleep   - delay execution for some time
srifpll cpu-pll ddr-pll - To change CPU & DDR speed through srif
srifpll erase
srifpll get
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version

found that... might also be helpful

ar7240> printenv
bootargs=console=ttyS0,9600 root=31:03 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),2624k(uImage),12224k(rootfs),1024k(var),128k(manuf),64k(ART)
bootdelay=2
baudrate=9600
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}rootfs.squashfs&&erase 0x9f2e0000 +0xbf0000&&cp.b $fileaddr 0x9f2e0000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f050000 +$filesize&&cp.b $fileaddr 0x9f050000 $filesize
lk1=tftp 0x80060000 ${dir}wnc_vmlinux${bc}.lzma.uImage&&erase 0x9fed0000 +0x100000&&cp.b $fileaddr 0x9fed0000 $filesize
lf1=tftp 0x80060000 ${dir}wnc_rootfs.squashfs&&erase 0x9f050000 +0x290000&&cp.b $fileaddr 0x9f050000 $filesize
reginfo=0
serial#=3VG285NN000DB
ethaddr=10:DA:43:46:37:68
basemac=10:DA:43:46:37:60
ethact=eth0
filesize=e0040
fileaddr=80060000
FTM=0
bootcmd=bootm 0x9f050000
ipaddr=192.168.1.1
serverip=192.168.1.10
stdin=serial
stdout=serial
stderr=serial

Environment size: 1011/65532 bytes

okay, I completely broke the images first... got the message Bad Magic Number when trying to reboot, but luckily because of the above env information and the original image I was able to get it running again :wink:

It's now trying to boot from OPENWRT but it generates the following

No filesystem could mount root, tried:  squashfs
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,3)
Rebooting in 3 seconds..

When flashing, I used the squashfs_factory image and I just flashed that part lf=tftp 0x80060000 ${dir}openwrt.squashfs&&erase 0x9f2e0000 +0xbf0000&&cp.b $fileaddr 0x9f2e0000 $filesize

Stop flashing. You need to netboot kernel type of image.

okay, can you help me with that?
what do you mean by that?

do you mean I need to boot from NFS first, instead of using that tftpboot options?

Boot over tftp, the "kernel" images include initramfs so you have simple tools from ram. Just tftpboot other file. 4 boot menu options contain mtd erase, meaning they are various oem recovery modes. You are week(s) from programming flash.

okay, I got it flashed... but with an image from a different device and vendor... :wink:
What's weird, I used the same flashing mechanism as for the image from netgear, but that is not working. With images from netgear devices I always get Bad Magic Number when trying to boot from it.

Any idea, how I could flash the device with a netgear image, from running openwrt?

There is no "from netgear" generic image, are you talking to a chatbot in another window that says to discard proper documentation and just run amok?

Okay let me rephrase that a little bit.
I used the command above f=tftp 0x80060000 ${dir}openwrt.squashfs&&erase 0x9f2e0000 +0xbf0000&&cp.b $fileaddr 0x9f2e0000 $filesize (which is from the netgear base install off uboot) to flash the Openwrt images FOR netgear devices.

The problem really is, that there is no real documentation of this device...
But I'm looking for specific images like the ones with the correct CPU type and Flash size like my device has. It's not like that I try whatever OPENWRT image...

You need to use an image that has the kernel partition in the place where the bootloader tries to boot it. "Bad magic number" means that the bootloader did not find the header of a kernel at the place it tried to boot.

Hopefully the ART partition did not get clobbered through all of this.

As already mentioned, you are putting the cart before the horses - and in doing so you might have already destroyed both vital (irrecoverable) data and anything to go by for adding real device support.

As of now UBoot still works fine.
How could I check the ART partition if that is vital to the device?

What would be the best approach to check what image to use at best?

You mentioned the bootloader is looking for a kernel header at a specific block, how can I identify an image if it has the kernel header at this place?

That is something you'd have to determine with and from the original vendor firmware. That's why it's so important to backup and document as much as possible, before touching the flash.

I still have that image, it's not the problem.
I tried to find something about how to find that kernel header, but so far I haven't found anything that could help...
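
An added example, not part of any post in this thread: one way to check on a host PC where the kernel header sits inside a firmware file, and whether writing the file at a given flash address would put that header where `bootm 0x9f050000` looks for it. It assumes the legacy 64-byte uImage header (the format behind the "Image Name / Load Address / Entry Point" lines in the boot log above); `make_uimage` and the sample buffers are constructed test data.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956            # legacy U-Boot image magic (IH_MAGIC)
HDR = struct.Struct(">7I4B32s")      # 64-byte big-endian legacy image header
BOOT_ADDR = 0x9F050000               # from this thread: bootcmd=bootm 0x9f050000

def parse_header(buf, off=0):
    """Return the header fields at `off`, or None if magic or header CRC is wrong."""
    if off < 0 or len(buf) - off < HDR.size:
        return None
    magic, hcrc, _time, size, load, entry, dcrc, _os, _arch, _type, _comp, name = \
        HDR.unpack_from(buf, off)
    if magic != UIMAGE_MAGIC:
        return None                  # what U-Boot reports as "Bad Magic Number"
    raw = bytearray(buf[off:off + HDR.size])
    raw[4:8] = b"\x00" * 4           # the header CRC is computed with ih_hcrc zeroed
    if zlib.crc32(bytes(raw)) != hcrc:
        return None
    data = buf[off + HDR.size:off + HDR.size + size]
    return {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "size": size, "load": load, "entry": entry,
            "data_ok": len(data) == size and zlib.crc32(data) == dcrc}

def find_headers(buf):
    """Offsets of every valid legacy uImage header inside a firmware file."""
    needle, hits, pos = struct.pack(">I", UIMAGE_MAGIC), [], 0
    while (pos := buf.find(needle, pos)) != -1:
        if parse_header(buf, pos):
            hits.append(pos)
        pos += 1
    return hits

def boots_from(buf, write_addr, boot_addr=BOOT_ADDR):
    """True if writing `buf` to flash at write_addr puts a valid header at boot_addr."""
    return parse_header(buf, boot_addr - write_addr) is not None

def make_uimage(payload, name=b"Linux Kernel"):
    """Build a constructed sample uImage (test data only, not a bootable kernel)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80002000, 0x801E51E0,
              zlib.crc32(payload), 5, 5, 2, 3, name]
    fields[1] = zlib.crc32(HDR.pack(*fields))
    return HDR.pack(*fields) + payload

if __name__ == "__main__":
    bare = make_uimage(b"constructed payload")
    wrapped = b"\xAA" * 0x80 + bare  # constructed: vendor wrapper ahead of the header
    print(find_headers(bare), boots_from(bare, BOOT_ADDR))        # [0] True
    print(find_headers(wrapped), boots_from(wrapped, BOOT_ADDR))  # [128] False
    print(boots_from(bare, 0x9F2E0000))                           # False
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_headers`; an offset other than 0 means the file carries something ahead of the kernel header and cannot be copied as-is to the address the bootloader boots from.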