HooToo TM-05, Add LZMA Loader

xabolcs · 2020-07-09T23:25:50.160Z

arrmo:

sysupgrade.bin via TFTP? It doesn't include the loader, so can't really do that ... agreed?

I'm interested how the recovery TFTP works, but if you test it with factory.bin then it not needed to try sysupgrade.bin.
Btw, it would soft-bricked!

arrmo:

Need to go find that . I never use it. That said ... I realized that we need to find a clean version of the u-boot-env .. would it be in the OEM build perhaps?

I linked some page in my comment, you could find some OEM upgrade binary!

arrmo:

So meaning ... save from u-boot, then OEM, make sure it starts => then check the variable?

Exactly!

arrmo:

Ya, this is sort of my question too - I don't have this.

A saveenv without defining dummy variables doesn't creates a correct environment?

arrmo:

Sorry, but what is user_backup and user? You lost me there. And Rootfs => it's really 3 partitions in the end, right (i.e. loader, kernel, rootfs)?

I referenced the OEM partition names.
Please have a look at OpenWrt Device page's Flash Layout!

xabolcs · 2020-07-10T01:18:11.296Z

xabolcs:

I'm interested how the recovery TFTP works, ...

Step 8 from Wiki:

The HT-TM05 will look for your computer at 10.10.10.254 and install the kernel file. Once it has finished installation of the kernel file, it will search for a (nonexistent) rootfs file — when it begins searching for this file, shut down the HT-TM05 by holding the power button normally.

So this is it ... @arrmo could you verify this?
If this really works, the OpenWrt factory.bin is really two file:

kernel - the 3 KByte loader
rootfs - the OKLI uImaged OpenWrt kernel + rootfs

Back to the loosing the size limitation. If we create a recovery TFTP acceptable file pair (kernel + rootfs), then the OpenWrt kernel + rootfs should fit in the OEM firmware partition, the 6144 K = 6 M sized Rootfs partition.
After OpenWrt boot, the semi-wasted 1660 KByte would be usable again (thanks to mtd-concat).

For testing you could find OEM kernel and rootfs at cryptographrix / HooToo_HT-TM05-hacking, extracted from fw-7620-WiFiDGRJ-HooToo-HT-TM05-2.000.022.

On the long run, when the 6 MByte size limit hits the device, we could tune the new factory recipe to slice the kernel + rootfs blob at 6 MByte and append the tail to the loader.bin.

arrmo · 2020-07-10T01:30:46.437Z

Ummm - right now I can't verify anything. Installed the HooToo OEM firmware, I think it trashed the device completely. Don't even get u-boot now ... . Recovery mode not even working. NOOOO!

xabolcs · 2020-07-10T01:32:21.158Z

Ouch! Sorry for trashing your device!

This should be my fault.

arrmo · 2020-07-10T01:35:24.395Z

Let's see if I can get it back - trying! It's not looking good though

arrmo · 2020-07-10T01:48:39.594Z

It's dead Jim . No serial output, just a green LED (not normal). Recovery (TFTP) doesn't start either. By all means let me know if you have other ideas, but I don't know what else to try. Seems the flash back to OEM somehow trashed u-boot?

xabolcs · 2020-07-10T01:53:35.412Z

arrmo:

Seems the flash back to OEM somehow trashed u-boot?

How did you flash OEM exactly?

Maybe it was oversized to 8 MByte flash, and the counter overflowed and continued from 0x0 overwriting the u-boot?

arrmo · 2020-07-10T01:59:53.705Z

xabolcs:

Maybe it was oversized to 8 MByte flash, and the counter overflowed and continued from 0x0 overwriting the u-boot?

That's what I'm wondering as well - file was 16 MB, opened it in 7-zip and it was an initrd (which seemed odd). But tried a TFTP flash to kernel (figured that should be safe and recoverable - seems I was wrong). Guess there is no way to recover u-boot?

xabolcs · 2020-07-10T02:06:25.395Z

arrmo:

Guess there is no way to recover u-boot?

Yes, you need dump (and recovery the wifi calibration, MAC, etc. data) the flash chip with an external reader, and reprogram it with from another device dump.

arrmo · 2020-07-10T02:16:30.695Z

Ummm - you mean remove it from the board? OK, that sounds like a no go ...

xabolcs · 2020-07-10T02:28:30.113Z

There are adapters which could connect the programmer to the flash chips on board, without removing!

Like this.

arrmo · 2020-07-10T02:43:00.208Z

xabolcs:

There are adapters which could connect the programmer to the flash chips on board, without removing!

OK, I'm interested in trying that, but guessing the programmer is not just from a PC? I admit, not real familiar with this, sorry.

xabolcs · 2020-07-10T02:48:15.764Z

arrmo:

I admit, not real familiar with this, sorry.

Me neither.

xabolcs · 2020-07-10T02:53:37.807Z

Here is the kernel + rootfs separated factory.bin:

hootoo-tm05-u-boot-env.patch
bin/targets/ramips/mt7620/openwrt-ramips-mt7620-hootoo_tm05-initramfs-kernel.bin
bin/targets/ramips/mt7620/openwrt-ramips-mt7620-hootoo_tm05.manifest
bin/targets/ramips/mt7620/openwrt-ramips-mt7620-hootoo_tm05-squashfs-factory.kernel
bin/targets/ramips/mt7620/openwrt-ramips-mt7620-hootoo_tm05-squashfs-factory.rootfs
bin/targets/ramips/mt7620/openwrt-ramips-mt7620-hootoo_tm05-squashfs-sysupgrade.bin

I had to modify LOADER_FLASH_OFFS to the OEM start address of roots, hope it works:

-  LOADER_FLASH_OFFS := 0xFD051000
+  LOADER_FLASH_OFFS := 0xFD200000

My branch is at: https://github.com/xabolcs/openwrt/tree/hootoo-tm05
And the diff (which based on commits): https://github.com/arrmo/openwrt/compare/hootoo-tm05...xabolcs:hootoo-tm05

mpratt14 · 2020-07-10T04:23:37.752Z

@arrmo If you are interested I can help you program the chip again. The thing that he linked is just an adapter. I use the FT232H as a programmer. You might not need an adapter if you would prefer to solder a wire to each pin.

adafruit.com

Adafruit FT232H Breakout - General Purpose USB to GPIO, SPI, I2C

Wouldn't it be cool to drive a tiny OLED display, read a color sensor, or even just flash some LEDs directly from your computer? Sure you can program an Arduino or ...

PRICE: $14.95 USD

https://www.ftdichip.com/Products/ICs/FT232H.htm

and I use the two libraries, pyftdi and Adafruit Blinka, both pure Python. I want to write a guide on Openwrt website for flash chip upgrading but don't have the time

Quite a learning experience...however it depends on if you have or can obtain/compile a copy of the uboot image, and there is also the factory partition... and your soldering skills...

arrmo · 2020-07-10T11:25:38.076Z

mpratt14:

If you are interested I can help you program the chip again

I am! If for nothing else vs. some entertainment ... LOL. So, I need the breakout board, and adapter (for a couple bucks that's easier than soldering to an SO8 package ). FYI, I'm actually an EE, but not a BB person - rather RF. So do have circuit skills, just by no means an expert in this area.

mpratt14:

Quite a learning experience...however it depends on if you have or can obtain/compile a copy of the uboot image, and there is also the factory partition... and your soldering skills...

I ordered a new HooToo last night - so can get them from there ... agreed?

arrmo · 2020-07-10T11:27:24.919Z

BTW, wondering if this repair should be a different thread here?

Also, on the mtd-concat, a new thread as well (and it applies to the RAVPower device as well)? To that end ... HooToo is DOA for now, but we can try this on the RAVPower => just don't want to try that OEM thing again ... . Also thinking - do I submit the WD03 PR => get the HooToo and RAVPower in to the base Openwrt code, then add the mtd-concat as a new PR, covering both? Thoughts?

arrmo · 2020-07-10T12:57:43.964Z

mpratt14:

https://www.ftdichip.com/Products/ICs/FT232H.htm

Thinking about it - what interface is used, JTAG? Asking because I do have a RPi sitting here ... I think that provides JTAG, no?

Thanks!

arrmo · 2020-07-10T17:50:27.734Z

xabolcs:

There are adapters which could connect the programmer to the flash chips on board, without removing!

Like this one, for example? https://www.amazon.com/Organizer-SOIC8-Flash-Programmer-Adpter/dp/B07ZCZ7L85/ref=sr_1_6?crid=2XU6VMLH6WRDP&dchild=1&keywords=soic8+sop8+flash+chip+ic+test+clips+socket+adpter+bios%2F24%2F25%2F93&qid=1594403358&sprefix=Soic8+Sop8+Flash+Chip+Ic%2Caps%2C168&sr=8-6

arrmo · 2020-07-10T19:30:57.355Z

mpratt14:

https://www.ftdichip.com/Products/ICs/FT232H.htm

BTW, just found that my son has an Arduino MEGA 2560 sitting here (from one of his university classes) ... looks to have JTAG on it directly? So then just the adapter?

Thanks!