Help with debricking a Mediatek MT7620 based board

I recently got a Four-Faith device that uses the Mediatek MT7620A SoC. The device is running a very old OpenWRT version (white-russian) with a v2.6 kernel.
I want to upgrade the board to use a newer version of OpenWRT but I've managed to somehow brick the device.
I compiled my own image using the OpenWRT 18 branch on GitHub and tried to flash the board with the openwrt-ramips-mt7620-mt7620a_mt7610e-squashfs-sysupgrade.bin image I compiled.

I used mtd to flash the board using the following command:

mtd -r write openwrt-ramips-mt7620-mt7620a_mt7610e-squashfs-sysupgrade.bin /dev/mtd4

The available mtd devices were:

dev:    size   erasesize  name
mtd0: 00030000 00010000 "uboot"
mtd1: 00010000 00010000 "uboot-config"
mtd2: 00010000 00010000 "Factory"
mtd3: 00180000 00010000 "linux"
mtd4: 01e20000 00010000 "rootfs"
mtd5: 01f90000 00010000 "kernel_rootfs"
mtd6: 00010000 00010000 "nvram_backup"
mtd7: 00010000 00010000 "nvram"

After the write, the device cannot boot, but is stuck in a rebooting loop with the following error:

## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.133
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1583823 Bytes =  1.5 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... Bad Data CRC

I've tried to debrick the board using tftp and an official firmware release. I've tried various tftp commands but I run into similar errors.

If I do not specify an address for loading or using a seemingly wrong address with tftpboot 0x00000000 openwrt-18.06.2-ramips-mt7620-mt7620a_mt7610e-squashfs-sysupgrade.bin I get the following error:

Four-Faith # bootm
## Booting image at 00000000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.95
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1437376 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover

Then it goes back to booting my wrong image.

If I specify a seemingly correct address such as tftpboot 0x2000000 openwrt-18.06.2-ramips-mt7620-mt7620a_mt7610e-squashfs-sysupgrade.bin it boots but eventually gets a kernel panic.

Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1437376 Bytes =  1.4 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 256

Starting kernel ...

[    0.000000] Linux version 4.14.95 (buildbot@8ca046ec677b) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 r7676-cddd7b4c77)) #0 Wed Jan 30 12:21:02 2019
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620A ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is Ralink MT7620A evaluation board
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 10000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] random: get_random_bytes called from 0x8042472c with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 65024
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Writing ErrCtl register=0006400d
[    0.000000] Readback ErrCtl register=0006400d
[    0.000000] Memory: 255168K/262144K available (3590K kernel code, 178K rwdata, 464K rodata, 176K init, 214K bss, 6976K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource: systick: mask: 0xffff max_cycles: 0xffff, max_idle_ns: 583261500 ns
[    0.000000] systick: enable autosleep mode
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000013] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.007601] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.073549] pid_max: default: 32768 minimum: 301
[    0.078289] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.084665] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.097477] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.107020] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.113018] pinctrl core: initialized pinctrl subsystem
[    0.119435] NET: Registered protocol family 16
[    0.126560] rt2880-pinmux pinctrl: error claiming hogs: -22
[    0.131979] rt2880-pinmux pinctrl: could not claim hogs: -22
[    0.137484] rt2880-pinmux: probe of pinctrl failed with error -22
[    0.144789] Can't analyze schedule() prologue at 8037d498
[    0.150265] mt7620-pci 10140000.pcie: could not find pctldev for node /pinctrl/pcie, deferring probe
[    0.176768] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.182226] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.192509] clocksource: Switched to clocksource systick
[    0.198808] NET: Registered protocol family 2
[    0.204077] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.210828] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.217049] TCP: Hash tables configured (established 2048 bind 2048)
[    0.223336] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.228972] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.235355] NET: Registered protocol family 1
[    0.242357] rt-timer 10000100.timer: maximum frequency is 1220Hz
[    0.249098] Crashlog allocated RAM at address 0x3f00000
[    0.256016] workingset: timestamp_bits=30 max_order=16 bucket_order=0
[    0.268418] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.274066] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.294543] io scheduler noop registered
[    0.298291] io scheduler deadline registered (default)
[    0.304280] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.313102] of_serial 10000c00.uartlite: could not find pctldev for node /pinctrl/uartlite, deferring probe
[    0.322935] cacheinfo: Failed to find cpu0 device node
[    0.327857] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    0.334513] spi-rt2880 10000b00.spi: could not find pctldev for node /pinctrl/spi, deferring probe
[    0.343830] libphy: Fixed MDIO Bus: probed
[    0.348291] mtk_soc_eth 10100000.ethernet: could not find pctldev for node /pinctrl/ephy, deferring probe
[    0.357977] rt2880_wdt 10000120.watchdog: Initialized
[    0.364339] NET: Registered protocol family 10
[    0.380031] Segment Routing with IPv6
[    0.383722] NET: Registered protocol family 17
[    0.388020] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    0.400591] 8021q: 802.1Q VLAN Support v1.8
[    0.405328] mt7620-pci 10140000.pcie: could not find pctldev for node /pinctrl/pcie, deferring probe
[    0.414338] of_serial 10000c00.uartlite: could not find pctldev for node /pinctrl/uartlite, deferring probe
[    0.423865] spi-rt2880 10000b00.spi: could not find pctldev for node /pinctrl/spi, deferring probe
[    0.432613] mtk_soc_eth 10100000.ethernet: could not find pctldev for node /pinctrl/ephy, deferring probe
[    0.443274] Warning: unable to open an initial console.
[    0.449012] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[    0.456284] Please append a correct "root=" boot option; here are the available partitions:
[    0.464352] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[    0.473309] Rebooting in 1 seconds..

From what I can tell, it looks like I need to load the tftp image to a certain address. How would I get that address? Or how do I manage to debrick the router?

The Mediatek device - https://www.mediatek.com/products/homeNetworking/mt7620n-a
Four-faith router - https://en.four-faith.com/f3936wifioperatingrouter/

Thanks!

Hi, and welcome to the OpenWRT forums!

The sysupgrade.bin file consists of a kernel uImage concatenated with rootfs, so it should be written to the flash space that is covered by partitions mtd3 and mtd4 (apparently on your device there seems to be a virtual mtd5 partition for mtd3 + mtd4; this partition is usually called firmware in newer OpenWRT releases), so the sysupgrade image should probably be flashed to mtd5 instead.

When loading an image to RAM via tftp, the kernel boots from RAM but will look for the rootfs in the flash, which is not found, so you get the
[ 0.464352] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
error. However you could try booting an initramfs-image, these are available from the snapshots folder in the downloads section. Booting this from RAM should then allow you to rewrite the sysupgrade image to mtd5.

// edit: since uboot actually found your kernel after the flashing, I assume you had written the sysupgrade to mtd3 rather than mtd4; however the new kernel (according to its header) is 1583823 Bytes, but the mtd3 partition is only 0x0180000 = 1572864 Bytes, so the uImage was truncated during flashing, resulting in Bad Data CRC.

Hey Sebastian.
Thanks for the reply.

I've downloaded the image you've recommended and tried the tftp command again.

However, the suddenly device goes off during the booting process using the command tftpboot 0x86400000 openwrt-ramips-mt7620-ralink_mt7620a-mt7530-evb-initramfs-kernel.bin:

Four-Faith # bootm
## Booting image at 86400000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.132
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3649374 Bytes =  3.5 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 256

Starting kernel ...

[    0.000000] Linux version 4.14.132 (builder@buildhost) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r10574-273b803623)) #0 Wed Jul 24 18:36:27 2019
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620A ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is Ralink MT7620a + MT7530 evaluation board
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 10000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x000000000fffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x98/0x4a8 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 64960
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Writing ErrCtl register=0006400d
[    0.000000] Readback ErrCtl register=0006400d
[    0.000000] Memory: 250976K/262144K available (4131K kernel code, 200K rwdata, 936K rodata, 3044K init, 220K bss, 11168K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource: systick: mask: 0xffff max_cycles: 0xffff, max_idle_ns: 583261500 ns
[    0.000000] systick: enable autosleep mode
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000011] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.007597] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.073551] pid_max: default: 32768 minimum: 301
[    0.078319] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.084703] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.098585] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.108148] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.114172] pinctrl core: initialized pinctrl subsystem
[    0.120729] NET: Registered protocol family 16
[    0.609158] mt7620-pci 10140000.pcie: PCIE0 no card, disable it(RST&CLK)
[    0.615665] mt7620-pci: probe of 10140000.pcie failed with error -1
[    0.641622] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.647102] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.657665] clocksource: Switched to clocksource systick
[    0.664024] NET: Registered protocol family 2
[    0.669328] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.676077] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.682312] TCP: Hash tables configured (established 2048 bind 2048)
[    0.688617] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.694247] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.700700] NET: Registered protocol family 1

Would you happen to know why?

Thanks again!

Why do you use a different image every time? Does your device have an external MT7530 switch?

That was my mistake in the original post - using the MT610E vs MT530E switch.

I've also tried with the openwrt-ramips-mt7620-ralink_mt7620a-evb-initramfs-kernel.bin image without the switch with the same results - the device goes off after the [ 0.701361] NET: Registered protocol family 1 log message.

This could be a lot of things, apparently the next step after that message would be to initialize some timers, but it might as well be caused by some gpio settings that will cause over-current only after several milliseconds upon being set to output... (we've had a lot of fun when porting for the DIR-510L...)

I don't think it could be the serial console switching to another port (this is usually announced in the kernel log), but what exactly happens after that line? Do you see any LEDs changing / remaining switched on, does it reboot automatically or is just nothing happening until power is unplugged? Do you have any chance of measuring the current consumption to see if there's still any fluctuations after that line?

If your bootloader happens to support writing directly to the flash via tftp, you could just try writing the sysupgrade image to the position where uboot will expect it (0xbc050000).

After that line, the device goes off completely and automatically reboots. The device will try to boot the image I flashed it with that bricked it.

I have tried writing both the sysupgrade and kernel image to the 0xbc050000 address, but I get the following error:

## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.133
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1583823 Bytes =  1.5 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... Bad Data CRC

It looks like even after writing the new image, it'll try to boot with the erroneous one (MIPS OpenWrt Linux-4.14.133).

I can try see if I can monitor the current during the boot process.

Thanks again!

I only have very little experience with using the bootloader for updating, but I recall that some versions of uboot don't have a command to write directly into flash (i.e. transfer data, unlock, erase blockwise, write), but you rather have to copy the image to some position in RAM first via tftp, and then use some other command to actually write it from RAM to flash.

I eventually learned that there is no such thing as a "generic" image for a chipset, e.g. MT7620, but those device profiles with no further manufacturer / model name are usually the standard development boards supplied by the chip vendor. So these might have some GPIOs used as outputs, while on your board the same pin should be treated as an input, and weird things can happen if the line is driven to 3.3V or GND (e.g. on DIR-510L this caused a shortage which then triggered a reset as the voltage was dropping)...

Since you have the build environment working, check the GPIOs in your .dts and maybe disable / set them as input for now.

I don't think the device goes off, it's just that the GPIO/UART driver combo for this bin doesn't match what the SoC on your board needs - and so you see no serial output, and no lights come on. Ya?

In any case, this chipset has a uboot command for tftp (forget manual commands, or try here ), on mine it's press 1 to boot from tftp (when connected via serial).

Mine goes like this:

U-Boot 1.1.3 (Apr 13 2015 - 19:08:43)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb4000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 29
spi device id: c2 20 17 c2 20 (2017c220)
find flash: MX25L6405D
raspi_read: from:30000 len:1000
raspi_read: from:30000 len:1000
============================================
Ralink UBoot Version: 4.1.2.0
--------------------------------------------
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Apr 13 2015  Time:19:08:43
============================================
icache: sets:512, ways:4, linesz:32 ,total:65536
dcache: sets:256, ways:4, linesz:32 ,total:32768

 ##### The CPU freq = 580 MHZ ####
 estimate memory size =64 Mbytes

Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

You choosed 1

 0
raspi_read: from:40028 len:6


1: System Load Linux to SDRAM via TFTP.
 Please Input new ones /or Ctrl-C to discard
	Input device IP (192.168.1.6) ==:192.168.1.6
	Input server IP (192.168.1.5) ==:192.168.1.5
	Input Linux Kernel filename (openwrt-ramips-mt7620-zyxel_wre6505-initramfs-kernel.bin) ==:openwrt-ramips-mt7620-zyxel_wre6505-initramfs-kernel.bin

 netboot_common, argc= 3

 NetTxPacket = 0x83FE4CC0

 KSEG1ADDR(NetTxPacket) = 0xA3FE4CC0

 NetLoop,call eth_halt !

 NetLoop,call eth_init !
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!!
TFTP from server 192.168.1.5; our IP address is 192.168.1.6
Filename 'openwrt-ramips-mt7620-zyxel_wre6505-initramfs-kernel.bin'.

 TIMEOUT_COUNT=10,Load address: 0x80a00000
Loading: Got ARP REPLY, set server/gtwy eth addr (00:0e:c6:8e:87:bd)
Got it
#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ############
done
Bytes transferred = 4053594 (3dda5a hex)
NetBootFileXferSize= 003dda5a
Automatic boot of image at addr 0x80A00000 ...
## Booting image at 80a00000 ...
   Image Name:   MIPS OpenWrt Linux-4.14.132
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    4053530 Bytes =  3.9 MB
   Load Address: 80000000
   Entry Point:  80000000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64

Starting kernel ...

You can get the address by watching what your uboot does when it tries to load its own kernel. In your case:

   Load Address: 80000000
   Entry Point:  80000000
...
## Transferring control to Linux (at address 80000000) ...

Try: the kernel with the “go” command (start address is 0x0400 bytes after the load address used for the “tftpboot” command) as per link above.

Hey Paul, thanks for the suggestion!

I tried it out, but the only change is that the device goes off after the go command.

Four-Faith # tftpboot 0x86400000 openwrt-ramips-mt7620-ralink_mt7620a-evb-initramfs-kernel.bin

 netboot_common, argc= 3 

 NetTxPacket = 0x8FFD5600 

 KSEG1ADDR(NetTxPacket) = 0xAFFD5600 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done


 ETH_STATE_ACTIVE!! 
TFTP from server 192.168.1.50; our IP address is 192.168.1.21
Filename 'openwrt-ramips-mt7620-ralink_mt7620a-evb-initramfs-kernel.bin'.

 TIMEOUT_COUNT=10,Load address: 0x86400000
Loading: Got ARP REPLY, set server/gtwy eth addr (68:f7:28:4c:fa:25)
Got it
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ###############################################################
done
Bytes transferred = 3649481 (37afc9 hex)
NetBootFileXferSize= 0037afc9
Four-Faith # go 0x86400400
## Starting application at 0x86400400 ...

Router-boot-v1.3 (Jun  2 2016 - 09:21:45)
Press 'Ctrl+c' key to stop autoboot   0 

I have tried with both the initramfs and sysupgrade images with the same result.
The device does seem to actually go off since all of its lights go off, and the next log message is the autoboot process.

Just a guess - this means that the uboot is built slightly differently for your platform. See if you can get the source, or dump it from the device (via tftp). I saw some advanced questions and solutions on stackoverflow for this kind of thing. Like this one (No two uboots are made the same...)

What commands do you have available?

These are the commands I have:

Four-Faith # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
i2ccmd  - read/write data to eeprom via I2C Interface
loadb   - load binary file over serial line (kermit mode)
md      - memory display
mdio   - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
msdc - msdc verified command
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveboot    - save bootloader  into flash
saveenv - save environment variables to persistent storage
saveimg    - save linux image into flash
setenv  - set environment variables
setmac -- Set MAC address of LAN/WAN/2G/5G
spi     - spi command
tftpboot- boot image via network using TFTP protocol
version - print monitor version

I should try get the source of u-boot or the kernel image? Not sure I quite understand your suggestion.

uboot. The HW loads Uboot 1.1.3, then boots into

Ralink UBoot Version: 4.1.2.0

when you boot, what options do you have? Do you get a menu e.g. to boot something from tftp like mine above?


Please choose the operation:
   1: Load system code to SDRAM via TFTP.
   2: Load system code then write to Flash via TFTP.
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial.
   9: Load Boot Loader code then write to Flash via TFTP.

Long shot, but try to tftp boot from the mfr provided initramfs-kernel.bin image. Same result? You should be able to get one from them.

No, I do not get that menu, or any menu.
When the device boots, it just gives a counter for either booting to the operating system or interrupting the process and going to the mini-shell.

From what I can tell, the manufacturer of the device just used the image that came with the board. The Mediatek CPU comes with an OpenWRT installation (white russion, kernel 2.6), so I do not think that route might work.

Again, thanks for all your suggestions, but I think I might write this device off at this point!

It's entirely possible that during write, your uboot got affected. Unlikely, but possible.

It looks like you could be close, however. In the kernel you built, I see

[    0.423865] spi-rt2880 10000b00.spi: could not find pctldev for node /pinctrl/spi, deferring probe

The bit which detects and talks to your MTD partitions. Your kernel is missing something. It could be PCIe? Or pinctrl context is missing from your DTD file. See below. You need to compile in the right kernel bits, I think. SPI seems to be there, but you may need to enable the pinctrl - which pins are used for gpio and which for other attached 'devices' on your SoC. Anyway, keep cracking, I think once you've got the right kernel modules and dtd file definitions in there, then your MTD partitions will show and you can start doing things.

pinctrl:

       pinctrl {
                state_default: pinctrl0 {
                        gpio {
                                /* i2c          inhibits gpio 01-02 */
                                /* spi          inhibits gpio 03-06 */
                                /* uartf        inhibits gpio 07-14 */
                                /* uartl        inhibits gpio 15-16 */
                                /* wdt_rst      inhibits gpio 17    */
                                /* pa_pe        inhibits gpio 18-21 */
                                /* mdio         inhibits gpio 22-23 */
                                /* rgmii1       inhibits gpio 24-35 i.e. gpio 1:0-11 most LEDs */
                                /* rgmii2       inhibits gpio 60-71 i.e. gpio 2:20 - wlan2G RED and 2:23 - toggle */
                                /* if you forget to 'mux' in a group here (add to 'group' list) needed by a gpio pin, no gpio LEDs work */
                                //other available groups include: "wled", "nd_sd", "ephy", "spi refclk"
                                ralink,group = "i2c", "uartf", "rgmii1", "rgmii2";
                                ralink,function = "gpio";
                        };
                };
        };

SPI:

&spi0 {
        /*
        consumes GPIO 3-6 and 37-39
        */
        status = "okay";

        flash@0 {
                compatible = "jedec,spi-nor";
                reg = <0>;
                spi-max-frequency = <10000000>;

                partitions {
                        compatible = "fixed-partitions";
                        #address-cells = <1>;
                        #size-cells = <1>;

                        partition@0 {
                                label = "u-boot";
                                reg = <0x0 0x30000>;
                                read-only;
                        };

                        partition@30000 {
                                label = "u-boot-env";
                                reg = <0x30000 0x10000>;
                        };

                        factory: partition@40000 {
                                label = "factory";
                                reg = <0x40000 0x10000>;
                                read-only;
                        };

                        firmware: partition@50000 {
                                compatible = "denx,uimage";
                                label = "firmware";
                                reg = <0x50000 0x7b0000>;
                        };
                };
        };
};

If this is done,

This is my kernel boot log with those above bits in there - compare and see if you lack something:

[    0.000000] Linux version 4.14.132 (root@3f3a90fd34ff) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r10602-679a01f)) #0 Thu Jul 25 14:17:51 2019
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7620A ver:2 eco:6
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[    0.000000] MIPS: machine is ZyXEL WRE6505
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16240
[    0.000000] Kernel command line: console=ttyS0,57600n8 root=/dev/ram0 rootfstype=ramfs rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00031130
[    0.000000] Readback ErrCtl register=00031130
[    0.000000] Memory: 56716K/65536K available (3547K kernel code, 181K rwdata, 748K rodata, 3388K init, 210K bss, 8820K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource: systick: mask: 0xffff max_cycles: 0xffff, max_idle_ns: 583261500 ns
[    0.000000] systick: enable autosleep mode
[    0.000000] systick: running - mult: 214748, shift: 32
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000011] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015470] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.087723] pid_max: default: 32768 minimum: 301
[    0.097176] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.110203] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.130709] random: get_random_u32 called from bucket_table_alloc+0x244/0x2d8 with crng_init=0
[    0.148293] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.167767] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.179990] pinctrl core: initialized pinctrl subsystem
[    0.190847] NET: Registered protocol family 16
[    0.461632] PCI host bridge /pcie@10140000 ranges:
[    0.471028]  MEM 0x0000000020000000..0x000000002fffffff
[    0.481402]   IO 0x0000000010160000..0x000000001016ffff
[    0.510235] rt2880_gpio 10000600.gpio: registering 24 gpios
[    0.521270] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[    0.533866] rt2880_gpio 10000638.gpio: registering 16 gpios
[    0.544862] rt2880_gpio 10000638.gpio: registering 16 irq handlers
[    0.557468] rt2880_gpio 10000660.gpio: registering 32 gpios
[    0.568468] rt2880_gpio 10000660.gpio: registering 32 irq handlers
[    0.581054] rt2880_gpio 10000688.gpio: registering 1 gpios
[    0.591871] rt2880_gpio 10000688.gpio: registering 1 irq handlers
[    0.604791] PCI host bridge to bus 0000:00
[    0.612791] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    0.626505] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.638233] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.651735] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.669088] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    0.682149] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    0.695953] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
[    0.709454] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    0.722965] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff]
[    0.736459] pci 0000:01:00.1: BAR 0: assigned [mem 0x20100000-0x201fffff]
[    0.749957] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.759808] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
[    0.779119] clocksource: Switched to clocksource systick
[    0.790906] NET: Registered protocol family 2
[    0.800348] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.814127] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.826713] TCP: Hash tables configured (established 1024 bind 1024)
[    0.839518] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.851037] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.863786] NET: Registered protocol family 1
[    2.719126] random: fast init done
[    5.005377] rt-timer 10000100.timer: maximum frequency is 1220Hz
[    5.019859] workingset: timestamp_bits=14 max_order=14 bucket_order=0
[    5.039780] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    5.051281] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    5.148921] io scheduler noop registered
[    5.156632] io scheduler deadline registered (default)
[    5.167644] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    5.181329] console [ttyS0] disabled
[    5.188326] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a Palmchip BK-3103
[    5.208099] console [ttyS0] enabled
[    5.208099] console [ttyS0] enabled
[    5.221868] bootconsole [early0] disabled
[    5.221868] bootconsole [early0] disabled
[    5.238334] cacheinfo: Failed to find cpu0 device node
[    5.248605] cacheinfo: Unable to detect cache hierarchy for CPU 0
[    5.265629] spi spi0.0: force spi mode3
[    5.274159] m25p80 spi0.0: mx25l6405d (8192 Kbytes)
[    5.283983] 4 fixed-partitions partitions found on MTD device spi0.0
[    5.296649] Creating 4 MTD partitions on "spi0.0":
[    5.306223] 0x000000000000-0x000000030000 : "u-boot"
[    5.317087] 0x000000030000-0x000000040000 : "u-boot-env"
[    5.328629] 0x000000040000-0x000000050000 : "factory"
[    5.339737] 0x000000050000-0x000000800000 : "firmware"
[    5.379675] libphy: Fixed MDIO Bus: probed
[    5.396232] gsw: setting port4 to ephy mode
[    5.404654] mtk_soc_eth 10100000.ethernet eth0 (uninitialized): port 4 link up (100Mbps/Full duplex)
[    5.423108] mtk_soc_eth 10100000.ethernet: loaded mt7620 driver
[    5.435617] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    5.452657] rt2880_wdt 10000120.watchdog: Initialized
[    5.463401] NET: Registered protocol family 17
[    5.472389] 8021q: 802.1Q VLAN Support v1.8
[    5.502896] Freeing unused kernel memory: 3388K
[    5.511956] This architecture does not have kernel memory protection.
[    5.540557] init: Console is alive
[    5.547590] init: - watchdog -
[    5.575818] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    5.599938] usbcore: registered new interface driver usbfs
[    5.611020] usbcore: registered new interface driver hub
[    5.621739] usbcore: registered new device driver usb
[    5.637973] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.655983] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    5.674642] init: - preinit -
[    5.885687] 8021q: adding VLAN 0 to HW filter on device eth0
[    5.911790] random: procd: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    7.074779] procd: - early -
[    7.081475] procd: - watchdog -
[    7.315360] procd: - watchdog -
[    7.321934] procd: - ubus -
[    7.335254] random: ubusd: uninitialized urandom read (4 bytes read)
[    7.359237] random: ubusd: uninitialized urandom read (4 bytes read)
[    7.372573] random: ubusd: uninitialized urandom read (4 bytes read)
[    7.386412] procd: - init -
Please press Enter to activate this console.
[    7.856582] kmodloader: loading kernel modules from /etc/modules.d/*
[    7.887945] Loading modules backported from Linux version v5.2-rc7-0-g6fbc7275c7a9
[    7.903101] Backport generated by backports.git v5.2-rc7-1-0-g021a6ba1
[    7.926763] urngd: jent-rng init failed, err: 2
[    7.942705] nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
[    8.017559] xt_time: kernel timezone is -0000
[    8.047032] ip_tables: (C) 2000-2006 Netfilter Core Team
[    8.120260] mt76x0e 0000:01:00.0: card - bus=0x1, slot = 0x0 irq=4
[    8.132829] mt76x0e 0000:01:00.0: ASIC revision: 76100002
[    8.145212] mt76x0e 0000:01:00.0: Firmware Version: 0.1.00
[    8.241113] mt76x0e 0000:01:00.0: EEPROM ver:01 fae:00
[    8.297573] rt2800_wmac 10180000.wmac: loaded eeprom from mtd device "factory"
[    8.312062] ieee80211 phy1: rt2x00_set_rt: Info - RT chipset 6352, rev 0500 detected
[    8.327515] ieee80211 phy1: rt2x00_set_rf: Info - RF chipset 7620 detected
[    8.392249] kmodloader: done loading kernel modules from /etc/modules.d/*

While debricking my ralink devices I use next commands of ralink modified uboot:

erase linux
tftpboot 80100000 firmware.bin
cp.linux 80100000
reset

Some comments for commands:

  • ralink uboot don't erase flash before write
  • tftpboot ignore load address 80100000 and use fixed (typically 80100000 or 81000000)
  • ralink uboot use special syntax for writing memory to flash
  • after flashing always do reset command
    I hope that these known features may help.

Some important info. Next commands correctly flash firmware for your router:

erase tplink 20000 7a0000
tftpboot 82000000 firmware.bin
cp.linux 82000000
reset

Don't use 'erase linux' - it erase all data upto end of flash!

Should I use the memory values you've provided?

Yes. tftpboot load data at correct memory address. cp.linux ignore address parameter and always use precompiled 82000000.
Check correct completed operation with comparing data at memory address 8200000 and flash address 20000

md 82000000
md bc020000