How safe is it to use MTD ? DDWRT to OpenWrt

Installing and Using OpenWrt
1

I have exhausted all my ressources to convert back to original stock firmware my dir-825 revB router. I tried many different combinations of Browsers no to avail. I did the 30/30/30 reset method, the Reset/Power On/Remove reset after 30 seconds, i can access the Recovery Mode of the router but it will not accept the stock firmware. I tried, Firefox Portable 13, Internet Explorer, Firefox latest 64bit and Microsoft Edge.

I came to the conclusion to try to use the mtd command to go straight from DD-WRT to OpenWRT and forget the "revert back to stock first" rule.

How safe will it be to use thos method?

Quote for another page on the internet

The TRICK is that the partition names are different between OpenWRT and DD-WRT. Whereas all OpenWRT instructions will tell you to write to the ‘firmware‘ partition, this does not exist on DD-WRT and you have to use the ‘linux‘ partition instead. Use the ‘mtd’ command as per the example below to write the OpenWRT image onto the router. Note the ‘-r’ argument will reboot the router as soon as the flash is complete. (As usual, do not power off or disconnect during the flashing!).

mtd -r write openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin linux

Model is DLink Dir-825, i have 2 routers the same but only one oa giving this issue.

2

The “trick” may also be that the partitions not only have different names, but different sizes or locations. Getting the partition map from what you’re running now is crucial. dmesg and cat /proc/mtd as a start.

3

mtd is safe as long as it is NOR flash, and you are absolutely certain of the partition sizes and locations, and the file that you flash is the right one. You would always use a sysupgrade file for direct flashing.

The best way to deal with web based recovery pages that don't work with a modern browser is to examine the page source to find the URL where the file upload will be put. Then use curl -F to PUT the file directly there. The -0 option forces curl down to http 1.0 which is usually a good idea.

2 Likes
4

There might also be bootloader differences (aside from the points mentioned by jeff), which makes this a very risky business (without knowing exactly what dd-wrt does for your particular model).

1 Like
5

If there weren't bootloader differences, would tftp flashing a factory image work? Would that rewrite the partition table as needed and get everything where it was supposed to be? (I guess the first question, does this device even have a tftp mode?)

6

@jeff : I ran both commands: dmesg and cat /proc/mtd
I even tried the MTD command to no avail, risky but the modem still has DDWRT running.

@mk24 : I see this message in dmesg output: Creating 8 MTD partitions on "ar7100-nor0":
I guess it is safe then?
I have a WinXP VM and tried to revert back to stock on IE 8.. the process failed..still.

new users can only mention 2 other users
@ slh : Model D-Link DIR-825 Rev B1, i guess i should be more specific with FCC ids?

@ dlakelan : I do not think my router has TFTP mode.

root@DD-WRT:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00050000 00010000 "RedBoot"
mtd1: 007b0000 00010000 "linux"
mtd2: 00516000 00010000 "rootfs"
mtd3: 00170000 00010000 "ddwrt"
mtd4: 00010000 00010000 "nvram"
mtd5: 00010000 00010000 "FIS directory"
mtd6: 00010000 00010000 "board_config"
mtd7: 00800000 00010000 "fullflash"

root@DD-WRT:~# dmesg
<5>[    0.000000] Linux version 3.10.108-d8 (root@linux) (gcc version 8.2.0 (OpenWrt GCC 8.2.0 r7577-d14647dd59) ) #1178 Wed Feb 6 01:55:59 CET 2019
<6>[    0.000000] bootconsole [early0] enabled
<6>[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
<6>[    0.000000] booting platform Atheros AR7161 rev 2 (0xaa)
<6>[    0.000000] Determined physical RAM map:
<6>[    0.000000]  memory: 04000000 @ 00000000 (usable)
<4>[    0.000000] Zone ranges:
<4>[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
<4>[    0.000000] Movable zone start for each node
<4>[    0.000000] Early memory node ranges
<4>[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
<7>[    0.000000] On node 0 totalpages: 16384
<7>[    0.000000] free_area_init_node: node 0, pgdat 802dcf60, node_mem_map 81000000
<7>[    0.000000]   Normal zone: 128 pages used for memmap
<7>[    0.000000]   Normal zone: 0 pages reserved
<7>[    0.000000]   Normal zone: 16384 pages, LIFO batch:3
<4>[    0.000000] Primary instruction cache 64kB, 4-way, VIPT, I-cache aliases, linesize 32 bytes.
<4>[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
<7>[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
<7>[    0.000000] pcpu-alloc: [0] 0
<4>[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
<5>[    0.000000] Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd init=/sbin/init
<6>[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
<6>[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
<6>[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
<6>[    0.000000] Writing ErrCtl register=00000000
<6>[    0.000000] Readback ErrCtl register=00000000
<6>[    0.000000] Memory: 61552k/65536k available (2241k kernel code, 3984k reserved, 375k data, 196k init, 0k highmem)
<6>[    0.000000] NR_IRQS:83
<0>[    0.000000] irq init done
<4>[    0.000000] plat_time_init: plat time init done
<6>[    0.060000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
<6>[    0.060000] pid_max: default: 32768 minimum: 301
<6>[    0.060000] Mount-cache hash table entries: 512
<6>[    0.070000] NET: Registered protocol family 16
<4>[    0.070000] Can't analyze schedule() prologue at 80067f4c
<4>[    3.070000] registering PCI controller with io_map_base unset
<6>[    3.080000] bio: create slab <bio-0> at 0
<6>[    3.090000] usbcore: registered new interface driver usbfs
<6>[    3.090000] usbcore: registered new interface driver hub
<6>[    3.100000] usbcore: registered new device driver usb
<6>[    3.100000] PCI host bridge to bus 0000:00
<6>[    3.100000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
<6>[    3.110000] pci_bus 0000:00: root bus resource [io  0x0000]
<6>[    3.110000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
<7>[    3.120000] pci 0000:00:00.0: [168c:ff1d] type 00 class 0x020000
<6>[    3.120000] found calibration data for slot 0 on 0xBF661000
<6>[    3.130000] PCI: fixup device 0000:00:00.0
<7>[    3.130000] pci 0000:00:00.0: reg 10: [mem 0x00000000-0x0000ffff]
<7>[    3.130000] pci 0000:00:00.0: PME# supported from D0 D3hot
<7>[    3.130000] pci 0000:00:01.0: [168c:ff1d] type 00 class 0x020000
<6>[    3.130000] found calibration data for slot 1 on 0xBF665000
<6>[    3.140000] PCI: fixup device 0000:00:01.0
<7>[    3.150000] pci 0000:00:01.0: reg 10: [mem 0x00000000-0x0000ffff]
<7>[    3.150000] pci 0000:00:01.0: PME# supported from D0 D3hot
<7>[    3.150000] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 00
<6>[    3.150000] pci 0000:00:00.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
<6>[    3.150000] pci 0000:00:01.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
<6>[    3.160000] Switching to clocksource MIPS
<6>[    3.160000] NET: Registered protocol family 2
<6>[    3.170000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
<6>[    3.170000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
<6>[    3.180000] TCP: Hash tables configured (established 512 bind 512)
<6>[    3.180000] TCP: reno registered
<6>[    3.190000] UDP hash table entries: 256 (order: 0, 4096 bytes)
<6>[    3.190000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
<6>[    3.200000] NET: Registered protocol family 1
<7>[    3.200000] PCI: CLS 0 bytes, default 32
<5>[    3.200000] gpio_proc: module loaded and /proc/gpio/ created
<6>[    3.210000] Register LED Device
<5>[    3.210000] wl0gpio_proc: module loaded and /proc/wl0gpio/ created
<4>[    3.220000] AR7100 GPIOC major 0
<6>[    3.220000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
<6>[    3.230000] msgmni has been set to 120
<6>[    3.230000] io scheduler noop registered
<6>[    3.240000] io scheduler deadline registered (default)
<6>[    3.240000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
<6>[    3.270000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 19) is a 16550A
<6>[    3.280000] console [ttyS0] enabled, bootconsole disabled
<0>[    3.290000] guessed flashsize = 8M
<0>[    3.290000] scanning for root partition
<0>[    3.290000] uboot detected
<0>[    3.300000] bootloader size = 50000
<0>[    3.310000]
<0>[    3.310000] found squashfs at 13A000
<5>[    3.310000] Creating 8 MTD partitions on "ar7100-nor0":
<5>[    3.320000] 0x000000000000-0x000000050000 : "RedBoot"
<5>[    3.320000] 0x000000050000-0x000000800000 : "linux"
<5>[    3.330000] 0x00000013a000-0x000000650000 : "rootfs"
<4>[    3.330000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
<5>[    3.350000] mtd: partition "rootfs" set to be root filesystem
<5>[    3.350000] 0x000000670000-0x0000007e0000 : "ddwrt"
<5>[    3.360000] 0x0000007e0000-0x0000007f0000 : "nvram"
<5>[    3.360000] 0x0000007f0000-0x000000800000 : "FIS directory"
<5>[    3.370000] 0x0000007f0000-0x000000800000 : "board_config"
<5>[    3.380000] 0x000000000000-0x000000800000 : "fullflash"
<4>[    3.380000] ->Oops: flash id 0x202017 .
<4>[    3.390000] Found an RTL8366S switch
<5>[    3.390000] Realtek RTL8366S ethernet switch driver version 0.2.2
<6>[    3.400000] rtl8366s rtl8366s: using GPIO pins 5 (SDA) and 7 (SCK)
<6>[    3.400000] rtl8366s rtl8366s: RTL8366 ver. 1 chip found
<6>[    3.430000] rtl8366s rtl8366s: applying initvals
<6>[    3.450000] libphy: rtl8366s: probed
<6>[    3.860000] PPP generic driver version 2.4.2
<6>[    3.860000] PPP BSD Compression module registered
<6>[    3.870000] PPP Deflate Compression module registered
<6>[    3.870000] PPP MPPE Compression module registered
<6>[    3.880000] NET: Registered protocol family 24
<6>[    3.890000] u32 classifier
<6>[    3.900000]     Performance counters on
<6>[    3.900000]     input device check on
<6>[    3.900000]     Actions configured
<6>[    3.910000] Netfilter messages via NETLINK v0.30.
<6>[    3.910000] nf_conntrack version 0.5.0 (961 buckets, 3844 max)
<4>[    3.920000] nf_conntrack_rtsp v0.7 loading
<4>[    3.920000] nf_nat_rtsp v0.7 loading
<6>[    3.930000] ip_tables: (C) 2000-2006 Netfilter Core Team
<6>[    3.930000] TCP: westwood registered
<6>[    3.930000] TCP: hybla registered
<6>[    3.940000] TCP: vegas registered
<6>[    3.940000] NET: Registered protocol family 17
<5>[    3.950000] Bridge firewalling registered
<6>[    3.950000] 8021q: 802.1Q VLAN Support v1.8
<6>[    3.950000] searching for nvram
<6>[    3.960000] nvram size = 65536
<6>[    3.990000] Atheros AR71xx hardware watchdog driver version 0.1.0
<6>[    4.000000] ar71xx-wdt: timeout=15 secs (max=25) ref freq=170000000
<6>[    4.010000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
<6>[    4.020000] Freeing unused kernel memory: 196K
<7>[    6.100000] ar71xx-wdt: enabling watchdog timer
<6>[    6.460000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
<6>[    6.780000] ag71xx ag71xx.1: connected to PHY at rtl8366s:04 [uid=001cc960, driver=Generic PHY]
<6>[    6.790000] eth1: Atheros AG71xx at 0xba000000, irq 5, mode:RGMII
<6>[    6.890000] rtl8366s rtl8366s: applying initvals
<7>[    6.910000] ar71xx: pll_reg 0xb8050010: 0x11110000
<6>[    6.910000] eth0: link up (1000Mbps/Full duplex)
<6>[    7.000000] Loading modules backported from Linux version wireless-drivers-next-for-davem-2017-09-01-0-geb464d4a8d09
<6>[    7.010000] Backport generated by backports.git backports-20160324-111-g97b8d7c4
<6>[    7.590000] ath: phy0: Ignoring endianness difference in EEPROM magic bytes.
<7>[    7.600000] ath: EEPROM regdomain: 0x0
<7>[    7.600000] ath: EEPROM indicates default country code should be used
<7>[    7.600000] ath: doing EEPROM country->regdmn map search
<7>[    7.600000] ath: country maps to regdmn code: 0x3a
<7>[    7.600000] ath: Country alpha2 being used: US
<7>[    7.600000] ath: Regpair used: 0x3a
<7>[    7.630000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
<3>[    7.640000] gpiochip_find_base: cannot find free range
<3>[    7.640000] gpiochip_add: gpios -1..8 (ath9k-phy0) failed to register
<6>[    7.650000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=48
<4>[    7.670000] PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
<6>[    7.680000] ath: phy1: Ignoring endianness difference in EEPROM magic bytes.
<7>[    7.690000] ath: EEPROM regdomain: 0x0
<7>[    7.690000] ath: EEPROM indicates default country code should be used
<7>[    7.690000] ath: doing EEPROM country->regdmn map search
<7>[    7.690000] ath: country maps to regdmn code: 0x3a
<7>[    7.690000] ath: Country alpha2 being used: US
<7>[    7.690000] ath: Regpair used: 0x3a
<7>[    7.740000] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
<3>[    7.750000] gpiochip_find_base: cannot find free range
<3>[    7.750000] gpiochip_add: gpios -1..8 (ath9k-phy1) failed to register
<6>[    7.760000] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=49
<6>[    9.660000] device br0 entered promiscuous mode
<6>[    9.680000] eth0: link down
<7>[    9.700000] ar71xx: pll_reg 0xb8050010: 0x11110000
<6>[    9.700000] eth0: link up (1000Mbps/Full duplex)
<6>[    9.710000] eth0: link down
<7>[    9.720000] ar71xx: pll_reg 0xb8050010: 0x11110000
<6>[    9.720000] eth0: link up (1000Mbps/Full duplex)
<6>[    9.730000] device eth0 entered promiscuous mode
<6>[    9.730000] br0: port 1(eth0) entered forwarding state
<6>[    9.740000] br0: port 1(eth0) entered forwarding state
<6>[    9.740000] device br0 left promiscuous mode
<6>[    9.750000] device br0 entered promiscuous mode
<6>[    9.760000] device br0 left promiscuous mode
<7>[    9.830000] ath: EEPROM regdomain: 0x8348
<7>[    9.830000] ath: EEPROM indicates we should expect a country code
<7>[    9.830000] ath: doing EEPROM country->regdmn map search
<7>[    9.830000] ath: country maps to regdmn code: 0x3a
<7>[    9.830000] ath: Country alpha2 being used: US
<7>[    9.830000] ath: Regpair used: 0x3a
<7>[    9.830000] ath: regdomain 0x8348 dynamically updated by user
<7>[    9.830000] ath: EEPROM regdomain: 0x8348
<7>[    9.830000] ath: EEPROM indicates we should expect a country code
<7>[    9.830000] ath: doing EEPROM country->regdmn map search
<7>[    9.830000] ath: country maps to regdmn code: 0x3a
<7>[    9.830000] ath: Country alpha2 being used: US
<7>[    9.830000] ath: Regpair used: 0x3a
<7>[    9.830000] ath: regdomain 0x8348 dynamically updated by user
<6>[   10.090000] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
<6>[   11.740000] br0: port 1(eth0) entered forwarding state
<6>[   17.170000] device ath0 entered promiscuous mode
<6>[   17.180000] br0: port 2(ath0) entered forwarding state
<6>[   17.180000] br0: port 2(ath0) entered forwarding state
<6>[   19.180000] br0: port 2(ath0) entered forwarding state
<6>[   22.910000] device ath1 entered promiscuous mode
<6>[   22.920000] br0: port 3(ath1) entered forwarding state
<6>[   22.920000] br0: port 3(ath1) entered forwarding state
<6>[   23.200000] device eth1 entered promiscuous mode
<1>[   23.480000] fast-classifier: starting up
<1>[   23.490000] fast-classifier: registered
<6>[   24.740000] device eth1 left promiscuous mode
<6>[   24.920000] br0: port 3(ath1) entered forwarding state

Transfered the Firmware via SCP to /tmp on the router and performed the MTD command.

root@DD-WRT:~# mtd -r write openwrt-18.06.2-ar71xx-generic-dir-825-b1-squashfs-sysupgrade.bin linux
Unlocking linux ...
Could not unlock MTD device: linux
linux: Not supported
Writing from openwrt-18.06.2-ar71xx-generic-dir-825-b1-squashfs-sysupgrade.bin to linux ...  [ ]Caught SIGSEGV (11) at 0x77370594
Fault at memory location 0x0000004c due to address not mapped to object (1).
Thread 1063: mtd
=== Context:
ZERO:00000000   AT:00000000   V0:00000000   V1:00000000   A0:00000000   A1:00000000
  A2:00000000   A3:00000000   T0:00000000   T1:00000000   T2:00000000   T3:00000000
  T4:00000000   T5:00000000   T6:00000000   T7:00000000   S0:00000000   S1:00000000
  S2:00000000   S3:00000000   S4:00000000   S5:00000000   S6:00000000   S7:00000000
  T8:00000000   T9:00000000   K0:00000000   K1:00000000   GP:00000000   SP:00000000
  FP:00000000   RA:00000000
=== Backtrace:
# [0x77370590]: stack size 32
# Text at 0x7725affd is not mapped; terminating backtrace.
???(+0)[0x77370594]
/usr/lib/libshutils.so[0x7725c000](safe_fread+0x00000024)[0x7726054d]
=== Code:
77370554:  8f998938 afa60030 27a60030 afbf0024 afbc0010 afa70034 afa60018 0411125b
77370574:  00000000 8fbf0024 03e00008 27bd0028 3c1c0003 279c3e3c 0399e021 27bdffe0
77370594: >8c82004c afbc0010 afb00018 afbf001c 04400010 00808025 8f99892c 0411fdb1
773705b4:  00000000 8fbc0010 8e030000 2404ffcf 00641824 10400009 ae030000 8fbf001c
7

I was unable to successfully TFTP flash OpenWRT to my WZR-HP-G300NH2 router which already had a DD-WRT build installed. So I gave the TFTP effort up and installed a sysupgrade image via mtd command, which did work.

Can I correctly infer from this discussion thread that the only path to safely upgrade the OpenWRT build from this state is the same method of utilizing the mtd command to write another sysupgrade image?

8

After OpenWrt is running, use its sysupgrade command to install new versions. Make sure to use the sysupgrade image for your model. When changing between major versions it is advised to not try to save settings.

1 Like
9

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.