IPQ8068: Support for Huawei AP7050DE

Svanto24 · October 9, 2024, 8:55am

Hello all,
I recently looked at von Rosenberg's excellent commit for the Huawei AP5030DN, and was impressed with how relatively smooth the process was for enterprise equipment. I was wondering if it would be viable to port OpenWRT to Huawei devices using the newer ARM-based IPQx SoCs via the same TFTP interface, and recently had the opportunity to buy an AP7050DE for fairly cheap. The board inside the device appears very similar to the AP6050 Ver. A. , but with a larger RAM capacity and a different antenna. Here are some external pictures:

I appended the tty bootlog below. I know that one thing to watch out for with IPQ8068 is secure boot, but I don't see any indications of it being utilised in the bootlog. Is there a good way to non-destructively find out whether secureboot or worse yet hardware fuses are present?

I'm trying to figure out what to do next. Should I just flash stock openwrt and see if I am held back by the same 1.6s watchdog and PHY suspension, that von Rosenberg was with the AP5030DN, trial and error?

Thank you very much for all your input!

Bootlog:

Welcome To HUAWEI Wlan World 

U-Boot 628 (Jul 29 2020 - 18:23:32)

DRAM:  512 MB
NAND:  128 MB
NOR:   4 MB


Board Type: 0x105
BOOT:  Primary
USB0:   USB XHCI 1.00
USB1:   USB XHCI 1.00
0 Storage Device(s) found
PCI0 Link Intialized
PCI1 Link Intialized
Press CTRL+T for Full Memory Test in 1 Seconds:  1  0 
Net:   Ethernet Mac: <redacted>
eth0, eth1


Start Up time(s) : 1
POST test:   Begin

Testing GE_0      :  Passed.
Testing GE_1      :  Passed.
Testing PCIE1     :  Passed. 

Testing PCIE2     :  Passed. 

Testing DDR       :  Passed. 

Testing Nor  Flash:  Passed. 

Testing Nand Flash:  Passed. 


Saving POST results: Done
POST test:   End

Image: Current Bootup is B 

Press f or F  to stop Auto-Boot in 3 seconds:  3  2  1  0 

No need to update from sys-boot!
   Image Name:   Linux Kernel Image
   Image Type:   ARM Linux Kernel Image (lzma compressed)
   Data Size:    2662871 Bytes = 2.5 MB
   Load Address: 41508000
   Entry Point:  41508000
   Verifying Checksum ... dcrc 0xfd39bea, image_get_dcrc 0xfd39bea
OK
   Uncompressing Kernel Image ... OK
Linux version 3.10.62-ltsi-WR6.0.0.21_standard (root@100.109.231.145) (gcc version 4.8.1 (GCC) ) #1 SMP PREEMPT Wed Jul 29 18:25:04 CST 2020
CPU: ARMv7 Processor [512f04d0] revision 0 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
Machine: Qualcomm Atheros AP7050DE reference board
msm_reserve_memory: 0x44000000, 0x100000
msm_reserve_memory: 0x44800000, 0x400000
Memory policy: ECC disabled, Data cache writealloc
smem_find(137, 80): wrong size 72
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 123178
Kernel command line: console=ttyHSL1,9600n8 norootfssplit ubi.mtd=RWFS rootautoubi=10 root=/dev/mtdblock34 ro rootfstype=squashfs rdinit=/sbin/init
FWD_MEM: aligned address c6b00000 

FWD_MEM: 48000000 

FWD_MEM: Allocating 128MB (32768 pages) of memory at addr c6b00000
Memory: 351768k/357912k available, 144872k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
    vmalloc : 0xdf000000 - 0xff000000   ( 512 MB)
    lowmem  : 0xc0000000 - 0xdeb00000   ( 491 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0008000 - 0xc0721a3c   (7271 kB)
      .init : 0xc0722000 - 0xc0756e00   ( 212 kB)
      .data : 0xc0758000 - 0xc080acc0   ( 716 kB)
       .bss : 0xc080acc0 - 0xc08f8834   ( 951 kB)
CPU1: Booted secondary processor
AXI: msm_bus_fabric_init_driver(): msm_bus_fabric_init_driver
smem_find(137, 80): wrong size 72
clk_tbl_nss - loaded
msm_pcie_setup: no link initialization
PCI: enabling device 0000:02:00.0 (0140 -> 0143)
PCI: enabling device 0000:00:00.0 (0140 -> 0143)
SCSI subsystem initialized
smd: no register irq on wcnss_a11
smd: deregistering IRQs
SMD: smd_core_platform_init() not ok
get_bootconfig_partition: magic not found
msm_rpm_log_probe: OK
Creating 15 MTD partitions on "msm_nand":
0x000000000000-0x000000040000 : "SBL1"
0x000000040000-0x000000180000 : "MIBIB"
0x000000180000-0x0000002c0000 : "SBL2"
0x0000002c0000-0x000000540000 : "SBL3"
0x000000540000-0x000000660000 : "DDRCONFIG"
0x000000660000-0x000000780000 : "SSD"
0x000000780000-0x000000a00000 : "TZ"
0x000000a00000-0x000000c80000 : "RPM"
0x000000c80000-0x000001400000 : "APPSBL"
0x000001400000-0x000002e00000 : "ROOTFSA"
0x000002e00000-0x000004800000 : "ROOTFSB"
0x000004800000-0x000005000000 : "KERNELA"
0x000005000000-0x000005800000 : "KERNELB"
0x000005800000-0x000006c00000 : "RWFS"
0x000006c00000-0x000008000000 : "EMT"
m25p80 spi5.0: found mx25l3205d, expected s25fl512s
Creating 18 MTD partitions on "m25p80":
0x000000000000-0x000000010000 : "SBL1"
0x000000010000-0x000000030000 : "MIBIB"
0x000000030000-0x000000050000 : "SBL2"
0x000000050000-0x000000080000 : "SBL3"
0x000000080000-0x000000090000 : "DDRCONFIG"
0x000000090000-0x0000000a0000 : "SSD"
0x0000000a0000-0x0000000d0000 : "TZ"
0x0000000d0000-0x0000000f0000 : "RPM"
0x0000000f0000-0x0000001f0000 : "APPSBL"
0x0000001f0000-0x000000200000 : "APPSBLENV"
0x000000200000-0x000000220000 : "ICT"
0x000000220000-0x000000240000 : "BoardData"
0x000000240000-0x000000260000 : "BoardData-B"
0x000000260000-0x0000002c0000 : "ResultA"
0x0000002c0000-0x000000320000 : "ResultB"
0x000000320000-0x000000340000 : "ArtArgs"
0x000000340000-0x000000400000 : "Rsv"
0x000000000000-0x0000001f0000 : "NORBOOT"
ipq-dwc3 ipq-dwc3.0: unable to read platform data num of dbm eps
ipq-dwc3 ipq-dwc3.1: unable to read platform data num of dbm eps
unable to find transceiver of type USB2 PHY
msm_hsusb_host msm_hsusb_host: unable to find transceiver
Registering SWP/SWPB emulation handler
ipq_nss_get_mac_addr: MAC[0]: ff:ff:ff:ff:ff:ff
ipq_nss_get_mac_addr: MAC[1]: ff:ff:ff:ff:ff:ff
ipq_nss_get_mac_addr: MAC[2]: ff:ff:ff:ff:ff:ff
ipq_nss_get_mac_addr: MAC[3]: ff:ff:ff:ff:ff:ff
no pmic restart interrupt specified
UBI: attaching mtd13 to ubi0
UBI: scanning is finished
UBI: attached mtd13 (name "RWFS", size 20 MiB) to ubi0
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 160, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1630/1344, WL threshold: 4096, image sequence number: 871908348
UBI: available PEBs: 0, total reserved PEBs: 160, PEBs reserved for bad PEB handling: 20
UBI: attaching mtd10 to ubi1
UBI: scanning is finished
UBI: attached mtd10 (name "ROOTFSB", size 26 MiB) to ubi1
UBI: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
UBI: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
UBI: VID header offset: 2048 (aligned 2048), data offset: 4096
UBI: good PEBs: 208, bad PEBs: 0, corrupted PEBs: 0
UBI: user volume: 1, internal volumes: 1, max. volumes count: 128
UBI: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 331879724
UBI: available PEBs: 42, total reserved PEBs: 166, PEBs reserved for bad PEB handling: 20
attach mtd10 return ubi1

Bad inittab entry at line 10

Bad inittab entry at line 11

starting pid 109, tty '': '-/etc/init.d/rcS'
hello

ksecure: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
MIMC_KERNEL: Module init.
Insmod bsp_adapter

Insmod cryptodev
Insmod I2C
Insmod GPIO
Initializing arch flag Done.
 starting thermald...
read content=/modules/3.10.62/net/wifi_module.ko,len=36.

Insmod broadcom
######## 32Bit Kernel ##########
######## MSS Memory Device register success  ########



**********************************************************

* Driver    :NSS GMAC Driver for RTL v(3.72a)

* Version   :1.0

* Copyright :Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.

**********************************************************done.

read content=/modules/3.10.62/net/umac.ko,len=29.

done.

read content=/root/cap32,len=12.

done.

read content=/modules/msu.ko,len=16.

done.

read content=/root/vos.o,len=12.

UBIFS: background thread "ubifs_bgt0_0" started, PID 148
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "RWFS"
UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
UBIFS: FS size: 15998976 bytes (15 MiB, 126 LEBs), journal size 2920448 bytes (2 MiB, 23 LEBs)
UBIFS: reserved for root: 0 bytes (0 KiB)
UBIFS: media format: w4/r0 (latest is w4/r0), UUID 4B10169E-E57E-41D5-8A97-822BA10BC03E, small LPT model
mount RWFS successfully
get path free Disk 1628 
get path free size enough!

Insmod ipq eth module OK.


Drv_ap_api module:Init

Get the HighMem address is 0xe1800000 

mtd30
Wifi Load AP7050DE freq 
AP7050DE load default caldata
377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.059075 seconds, 199.4KB/s
377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.038175 seconds, 308.6KB/s
377+0 records in
377+0 records out
12064 bytes (11.8KB) copied, 0.044611 seconds, 264.1KB/s
coset ulMcThValue: 512

py ap7050de boarddata file to /lib/firmware
11ac wave2 Target Bin or Patch Selecting
0:Uninstall Target Patch Sucess!
wifi start ko path ./modules/3.10.62/net

__ol_ath_attach() Allocated scn d87004c0
Atheros Attach: dev name wifi1, radio id: 1
Chip id: 0xa, chip version: 0x1000000

 Target Version is 1000000
ol_transfer_bin_file: flash data file defined
ol_transfer_bin_file[3888] Get Caldata for wifi1.
ol_transfer_bin_file 3963: Download Flash data len 12064

 Board data initialized
ol_ath_download_firmware:##Board Id 1 , CHIP Id 0
ol_transfer_bin_file: Board Data File download to address=0xc0000 file name=QCA9984/hw.1/boardData_QCA9984_CUS239_5G_v1_001.bin
ol_transfer_bin_file: Downloading firmware file: QCA9984/hw.1/athwlan.bin
+HWT
-HWT
Firmware_Build_Number:74 
ol_ath_thermal_mitigation_attach: --
###############Load radio 1

wifi1 Attach success

###############Radio[1] enter cs thread


__ol_ath_attach() Allocated scn d88804c0
Atheros Attach: dev name wifi0, radio id: 0
Chip id: 0xa, chip version: 0x1000000

 Target Version is 1000000
ol_transfer_bin_file: flash data file defined
ol_transfer_bin_file[3888] Get Caldata for wifi0.
ol_transfer_bin_file 3963: Download Flash data len 12064

 Board data initialized
ol_ath_download_firmware:##Board Id 2 , CHIP Id 0
ol_transfer_bin_file: Board Data File download to address=0xc0000 file name=QCA9984/hw.1/boardData_QCA9984_CUS260_2G_v1_002.bin
ol_transfer_bin_file: Downloading firmware file: QCA9984/hw.1/athwlan.bin
+HWT
-HWT
Firmware_Build_Number:74 
ol_ath_thermal_mitigation_attach: --
###############Load radio 0

wifi0 Attach success

###############Radio[0] enter cs thread

__sa_init_module 
cat: can't open '/proc/rf_switch': No such file or directory
Mount fsimage type: patch
User fs folder    : /opt
Loop device       : /dev/loop0
Mount folder      : /mnt/patch
Wed Jul 29 18:29:30 UTC 2020
find: /mnt/patch/V200R019C00SPC803B728/*/lib: No such file or directory
cap32 start, build time 10:29:21

get security mode sucess, mode 0

Module MEM Init         ...MSS_PUB_Init Succ, ret = 0
AP_Board_Cfg Succ, ret = 0
... OK!

Module DIAG Init        ...... OK!

Module PBUF Init get security mode sucess, mode 0

Module MEM Init         ...... OK!

Module DIAG Init        ...... OK!

Module PBUF Init        ...... OK!

Module IM Init          ...... OK!

Module IIC Init         ...... OK!

Module HAL Init         ...... OK!

Module Timer Init       ...... OK!

Module TIME Init        ...... OK!

MSS_Global_Init Succ, ret = 0
       ...... OK!

Module IM Init          ...... OK!

Module MSU Init OK 

MSU_Init Succ, ret = 0
IIC Init         ...... OK!

Module HAL Init         ...... OK!MSS_IM_InstGlobalInit Succ, ret = 0
MSS_Local_Init Succ, ret = 0


Module Timer Init       ...... OK!

Module TIME Init        ...... OK!

MSS_Global_Init success!

MSC Process run on core [0], PID = [280]

MSC_TCTL_Init Succ!  u32Ret = 0

MSC goto scheduler!

done.

read content=/root/cmdtree.bin,len=18.

done.

read content=/root/db.dat,len=13.

done.

read content=/root/infoeng.res,len=18.

done.



VOS_Start ...... 

 PPI_DEV_SysInit begin.
 
 CDEV_InitProduct Success ! 

 DEV_EVT_InitEvtData Success ! 

 PPI_DEV_SysInit End. 
......OK
Task GRSA Init......Ok


  Press any key to get started

frollic · October 9, 2024, 9:04am

does this work ?

Svanto24 · October 9, 2024, 9:14am

it does yeah! Sorry, I didn't have a whole lot of time to prod around. I'm not at the machine at the moment but I'll try to post the log in an hour or two. Is there anything else I should try to include?

frollic · October 9, 2024, 9:18am

then interrupt it, and run printenv (mask any MAC addresses) and help.

post the outputs, use the </> button to sandwich the text, when you do.

Svanto24 · October 9, 2024, 9:55am

Understood, here it is! Thank you very much.

Welcome To HUAWEI Wlan World 

U-Boot 628 (Jul 29 2020 - 18:23:32)

DRAM:  512 MB
NAND:  128 MB
NOR:   4 MB


Board Type: 0x105
BOOT:  Primary
USB0:   USB XHCI 1.00
USB1:   USB XHCI 1.00
0 Storage Device(s) found
PCI0 Link Intialized
PCI1 Link Intialized
Press CTRL+T for Full Memory Test in 1 Seconds:  1  0 
Net:   Ethernet Mac: <redacted>
eth0, eth1


Start Up time(s) : 1
POST test:   Begin

Testing GE_0      :  Passed.
Testing GE_1      :  Passed.
Testing PCIE1     :  Passed. 

Testing PCIE2     :  Passed. 

Testing DDR       :  Passed. 

Testing Nor  Flash:  Passed. 

Testing Nand Flash:  Passed. 


Saving POST results: Done
POST test:   End

Image: Current Bootup is B 

Press f or F  to stop Auto-Boot in 3 seconds:  3  0 
Password for uboot cmd line :

ar7240>printenv
baudrate=9600
bootargs=console=ttyHSL1,9600n8
bootcmd=bootipq
bootdelay=3
ethact=eth0
fileaddr=0x42000000
ipaddr=192.168.1.111
machid=1260
serverip=192.168.1.11
stderr=serial
stdin=serial
stdout=serial
ubootfile=u-boot.bin

Environment size: 250/65532 bytes
ar7240>help
?       - alias for 'help'
aging   -  aging cmd 

apmode  -  apmode {fit|fat|cloud}

clear_emt- clear_emt: clear emt file

clear_passwd-  clear boot password

defaultuser-  use the default user(admin) or the custom user

format_fs-  file system format bit will be set

h2f     - setting the flag to decide whether to write the data in highmem to flash or not

help    - print command description/usage
passwd  -  modify boot password following prompts

pdinfo  -  show product information

pdmac   -  set MAC addresses of product

ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
update  -  update boot or system from tftp

version -  show boot and system version

ar7240>

Svanto24 · October 11, 2024, 9:36am

Progress on this have been slow due to the strange partitioning between two memory chips (4MB NOR, 128MB NAND) and no tools to display the partition table beyond what's shown at boot here.

Creating 15 MTD partitions on "msm_nand":
0x000000000000-0x000000040000 : "SBL1"
0x000000040000-0x000000180000 : "MIBIB"
0x000000180000-0x0000002c0000 : "SBL2"
0x0000002c0000-0x000000540000 : "SBL3"
0x000000540000-0x000000660000 : "DDRCONFIG"
0x000000660000-0x000000780000 : "SSD"
0x000000780000-0x000000a00000 : "TZ"
0x000000a00000-0x000000c80000 : "RPM"
0x000000c80000-0x000001400000 : "APPSBL"
0x000001400000-0x000002e00000 : "ROOTFSA"
0x000002e00000-0x000004800000 : "ROOTFSB"
0x000004800000-0x000005000000 : "KERNELA"
0x000005000000-0x000005800000 : "KERNELB"
0x000005800000-0x000006c00000 : "RWFS"
0x000006c00000-0x000008000000 : "EMT"
m25p80 spi5.0: found mx25l3205d, expected s25fl512s
Creating 18 MTD partitions on "m25p80":
0x000000000000-0x000000010000 : "SBL1"
0x000000010000-0x000000030000 : "MIBIB"
0x000000030000-0x000000050000 : "SBL2"
0x000000050000-0x000000080000 : "SBL3"
0x000000080000-0x000000090000 : "DDRCONFIG"
0x000000090000-0x0000000a0000 : "SSD"
0x0000000a0000-0x0000000d0000 : "TZ"
0x0000000d0000-0x0000000f0000 : "RPM"
0x0000000f0000-0x0000001f0000 : "APPSBL"
0x0000001f0000-0x000000200000 : "APPSBLENV"
0x000000200000-0x000000220000 : "ICT"
0x000000220000-0x000000240000 : "BoardData"
0x000000240000-0x000000260000 : "BoardData-B"
0x000000260000-0x0000002c0000 : "ResultA"
0x0000002c0000-0x000000320000 : "ResultB"
0x000000320000-0x000000340000 : "ArtArgs"
0x000000340000-0x000000400000 : "Rsv"
0x000000000000-0x0000001f0000 : "NORBOOT"

msm_nand is the 128mb NOR flash chip. M25P80 is definitely SPI/NOR memory, looks like they use several different ones interchangeably (at least that's why the device seems to be named after one chip, and it finds a different chip while expecting yet another chip) but all are larger than 4mb, which makes me wonder if there's some space on the NOR chip we are not seeing here being used by the system.

To be honest I don't understand what I'm looking at at all, other than there's two roots, so it's some sort of a dual-boot system. I don't understand why or how, but upon rebooting (pictured here after memtesting the device), I can see that the system briefly boots into a secondary system before booting into a primary one.

After full ram test, must reset board!
resetting ...
DRAM:  512 MB
NAND:  128 MB
NOR:   4 MB
BOOT:  Secondary
Start up the normal boot...


Welcome To HUAWEI Wlan World 

U-Boot 628 (Jul 29 2020 - 18:23:32)

DRAM:  512 MB
NAND:  128 MB
NOR:   4 MB


Board Type: 0x105
BOOT:  Primary
USB0:   USB XHCI 1.00
USB1:   USB XHCI 1.00
0 Storage Device(s) found
PCI0 Link Intialized
PCI1 Link Intialized

Interestingly however, it seems that from the bootloader console, we can update both the system itself and boot system via tftp, which would be really helpful unless the files require huawei signatures or something. Especially since on earlier models like the AP5030DN, contributors had to add kernel modules to fix the huawei bootloader disabling PHYs on boot.

EDIT: here's the boot console output for the update command

ar7240>update
update -  update boot or system from tftp


Usage:
update boot               - update boot(u-boot.bin) from tftp
update system <filename>  - update system from tftp
emt                       - update emt from tftp

Still, the question is, what does running the the uboot and system update commands actually do? Does it only update the primary boot, or replace both primary and secondary? I have no idea.

frollic · October 11, 2024, 9:44am

try the update command, with no additional params, it should be pretty safe, esp if you isolate the device.

looks like they wiped some of the entries in the u-boot help menu, see if the commands tftpboot and bootm work nevertheless.

Svanto24 · October 11, 2024, 9:46am

Sorry, I forgot to append the update command output in the previous post. Here it is, like I mentioned there's choice to update both the bootloader and the system.

ar7240>update
update -  update boot or system from tftp


Usage:
update boot               - update boot(u-boot.bin) from tftp
update system <filename>  - update system from tftp
emt                       - update emt from tftp

M10 · October 12, 2024, 9:56am

Hi, i can buy cheap Huawei AP6050DN for fun, i see that this is similiar model , did anyone made some progress with porting openwrt? I like how this ap look and since i have yo wait for support cudy ap3000 indoor this is good toy for weekend.

Svanto24 · October 12, 2024, 1:17pm

Hi, no support for this device is available and it is very possible it will never be available. Please do not buy an AP6050DN with an expectation of running OpenWRT on it.

Support hasn't even begun. What I'm doing now is trying to figure out this device's partition table. I now believe that it's using U-boot's A/B partition scheme, and from what the boot log says it's currently loading into B, meaning the update system command should target the A partitions (ROOTFSA, KERNELA). But that's entirely guesswork on my part, and I will elaborate once I can properly sit down and make a writeup. If you happen to have the huawei GPL sources for this device, or a huawei firmware update image, please let me know.
Several things can stop development in its tracks once I build said image and try to flash it:
a. The update tool will only accept huawei-signed images. Not much I can do.
b. We will find out Huawei has pulled a cisco, has made use of the IPQxxxx series' new "secure boot" feature, and blows the QFPROM fuses (thanks qualcomm) that martyr the cpu. At which point this device would have been killed. Finito. There is sadly some evidence in the partition table that this may be the case. I am doing this fully aware I may kill my device.
c. I'm simply unable to get it working.
If I do successfully flash it, there's several more issues:
a. I might find out the hardware is supportable, but huawei quirks like needing to modify the kernel to wake the PHYs up after they were put to sleep by the modified bootloader remain. Plus, much like in the AP5030DN's case, there may be a hardware watchdog that will need to be bypassed.
b. the IPQ806x CPUs are, asides from the QFPROM harakiri, also infamous for frequency-scaling related crashes. This is currently handled by leaving the CPU at max clocks, all the time, which will inevitably consume more power, especially considering the AP7050DE already seems more power hungry than the AP5030DN on its spec sheet.

If you want a similar device to play with that is already supported and maintained by people far more skilled than I am, consider the Huawei AP5030DN which uses a simpler flash scheme and an older CPU which does not have QFPROM fuses, and the flashing process is fairly straightforward.

M10 · October 12, 2024, 4:41pm

Now i'm a little bit worried i'll try to cancel my order. Thanks.

Svanto24 · October 12, 2024, 4:48pm

Sorry to hear, but it should be clear we're nowhere near supporting it given the thread started 3 days ago and no indication of support has been given in the 9 posts prior to yours...

Generally, it's not a good idea to purchase a device for use with OpenWRT unless it's listed in the table of hardware

M10 · October 12, 2024, 5:00pm

For menit's bot a problem, i've bought it for fun aware that it might be nice looking paper holder

Svanto24 · October 13, 2024, 9:32pm

So what have I learned thus far. Honestly not a whole lot, asides from the fact that things have gotten a lot worse for OpenWRT supportability since my Wifi 5 Unifi AP-AC-LR, and that supporting any ARM-based huawei target is not worthwhile in my opinion.

It definitely is an uboot A/B partition system. But it seems heavily modified. There are several SBL partitions but SBL output is wholly hidden from the user. That means if there are secureboot checks in there I wouldn't know.
Stock UBOOT firmware commands are gone, replaced with huawei commands
I have attempted to binwalk the firmware update file, but I did not get very far.

32            0x20            UBI erase count header, version: 1, EC: 0x0, VID header offset: 0x800, data offset: 0x1000
19398688      0x1280020       uImage header, header size: 64 bytes, header CRC: 0x85261B47, created: 2023-12-08 10:40:57, image size: 2660248 bytes, Data Address: 0x41508000, Entry Point: 0x41508000, data CRC: 0x909F9E5C, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
19398752      0x1280060       LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 8400064 bytes
22059352      0x1509958       Qualcomm SBL1, image addr: 2a000000, image size: 58144, code size: 58144, sig size: 0, cert chain size: 0, oem_root_cert_sel: 1, oem_num_root_certs: 1
22101504      0x1513E00       Unix path: /home/z00197496/BR_WLAN_V2R9C00_BRANCH_BSP/externsrc/opensource/boot/ipq806x/ipq806x_sbl/ipq8064-ilq-1-3_qca_oem_src-boot.git/bo
22126168      0x1519E58       ATAGs msm parition table (msmptbl), version: 3, number of paritions: 17
22191704      0x1529E58       ATAGs msm parition table (msmptbl), version: 3, number of paritions: 17
22343668      0x154EFF4       Unix path: /home/z00197496/BR_WLAN_V2R9C00_BRANCH_BSP/externsrc/opensource/boot/ipq806x/ipq806x_sbl/ipq8064-ilq-1-3_qca_oem_src-boot.git/bo
22513508      0x1578764       CRC32 polynomial table, little endian
22514612      0x1578BB4       Unix path: /home/z00197496/BR_WLAN_V2R9C00_BRANCH_BSP/externsrc/opensource/boot/ipq806x/ipq806x_sbl/ipq8064-ilq-1-3_qca_oem_src-boot.git/bo
22852884      0x15CB514       Base64 standard index table
23329349      0x163FA45       Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
23329461      0x163FAB5       Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
23532696      0x1671498       CRC32 polynomial table, little endian
23534520      0x1671BB8       CRC32 polynomial table, little endian
23536748      0x167246C       CRC32 polynomial table, little endian
23537792      0x1672880       SHA256 hash constants, little endian
23641328      0x168BCF0       SHA256 hash constants, little endian
23678363      0x1694D9B       PGP armored data, public key block

What I have noticed is that there are X.509 certificates in DER format, which suggests that the firmware contains cryptographic certificates for signature verification. This complicates things. Hopefully it doesn't mean the secureboot fuses are already blown on the CPU.

Since the idea of writing an image for the device seemed rather out of reach at this point, I have instead decided to pop the warranty seal and look into the hardware with the hope of seeing if I can desolder the chips, dump them, and either reprogram them or replace them with ones that run stock uboot. But since prusalab closed their makerspace and I no longer have access to a soldering station proper, don't expect that to happen anytime soon, if at all. Sorry.

Here's some photos from me prying into the hardware:
TL;DR: Both the NOR flash and NAND flash are fairly accessible for a soldering job. Hardware watchdog is present, also accessible. Since I already abandoned all hope, maybe this is the way to go?

That's a lot of antennas. As you can see, there is some sort of thermal gunk under the metal shields. It looks like it's injected given it protrudes from holes on the other side. That means that getting the metal shields off nondestructively would not be easy, definitely not something that I wish to do.

Here's a close up. I did my best so that the chip labels would be legible.

However, here's where it gets interesting:

SGM706-RYS8. That's a hardware watchdog, I think the same as the AP5030DN had. And the chip above it. mx25l3233f is off the shelf NOR flash. I think that's our NOR memory chip.

Build quality is not that great. most of the screws screw into plastic, so if you were to regularly take it apart, it will rattle. The rest screws into aluminum.

Antenna design is strange. Looks pretty fragile.

Now for the other side. I undid all the screws and...

Damn. It turns out the bottom side is covered in thermal pads. It took me quite a while with a hair dryer and some near-destructive methods of prying the fortunately fairly durable lower pcb to get it off.

I wish I got a better pic other other side, but this is what I got.

However, the real find is this.

MX30UF1G18-TI
We got NAND flash!

Seeing as both NOR and NOND memory is accessible, that makes the idea of soldering them a bit more attainable than trying to figure out huawei's proprietary modifications to U-boot, or their device tree structure.

M10 · October 15, 2024, 5:32pm

Hi, i see some progress here did You tried to connect to console and grab bootlog? I have nokia ac400i but when i compare then i see nokia is better quality made.

Svanto24 · October 15, 2024, 5:48pm

Hi, yeah, the bootlog is in the first post. I have four of these devices total so I continue to crack away at it until I've exhausted all options software-wise. However I have not been able to obtain the device tree. I'm considering making a GPL request to Huawei. In the meantime I'm trying to come up with my own and seeing how far down the bootlog it lets me get. At least until I brick it.

tmn505 · October 15, 2024, 7:03pm

Does the pdinfo show something useful? That update command might use tftp command from U-Boot so if they did not "ifdef"-ed the source correctly some additional command might be available even tough they don't appear in help output. Try the following ones: dhcp, tftp, tftpboot. Try also some like: go, bootm, booti, bootz, md, loads.
After booting, is the shell with Huawei> prompt restricted or is it normal busybox?

Svanto24 · October 15, 2024, 8:03pm

Hello! Thanks for asking.

Neither pdinfo nor printenv seem to produce anything much of interest unfortunately

ar7240>pdinfo

Product Name: AP7050DE
Boot Rom Version: 628
Hardware version: VER.A
Country Code: CN
Ethernet Mac: <redacted>
Wireless Mac: <redacted>
Serial Number: <redacted>

ar7240>printenv
baudrate=9600
bootargs=console=ttyHSL1,9600n8
bootcmd=bootipq
bootdelay=3
ethact=eth0
fileaddr=0x42000000
ipaddr=192.168.1.111
machid=1260
serverip=192.168.1.11
stderr=serial
stdin=serial
stdout=serial
ubootfile=u-boot.bin

Environment size: 250/65532 bytes

Unfortunately none of the suggested uboot commands work either

ar7240>dhcp
Unknown command 'dhcp' - try 'help'
ar7240>tftp
Unknown command 'tftp' - try 'help'
ar7240>tftboot
Unknown command 'tftboot' - try 'help'
ar7240>go
Unknown command 'go' - try 'help'
ar7240>bootm
Unknown command 'bootm' - try 'help'
ar7240>booti
Unknown command 'booti' - try 'help'
ar7240>bootz
Unknown command 'bootz' - try 'help'
ar7240>md
Unknown command 'md' - try 'help'
ar7240>loads

So as for the <Huawei> shell it's unfortunately pretty restricted but also has several modes:

Initial mode has these commands:

<Huawei>?
User view commands:
  backup         Backup  information
  cd             Change current directory
  cls            Clear screen
  copy           Copy from one file to another
  debugging      <Group> debugging command group
  delete         Delete a file
  dir            List files on a filesystem
  display        Display information
  format         Format file system
  free           Release a user terminal interface
  ftp            Establish an FTP connection
  help           Description of the interactive help system
  led            Led
  lldp           Link Layer Discovery Protocol
  lock           Lock the current user terminal interface
  mkdir          Create a new directory
  mmi-mode       Machine-machine mode
  more           Display the contents of a file
  mount          Mount device
  move           Move from one file to another
  patch          Patch operation
  ping           <Group> ping command group
  pwd            Display current working directory
  quit           Exit from current mode and enter prior mode
  reboot         Reboot system
  rename         Rename a file or directory
  reset          <Group> reset command group
  return         Enter the privileged mode
  rmdir          Remove an existing directory
  save           Save file
  screen-length  Set the number of lines displayed on a screen
  screen-width   Set the width of lines displayed on a screen
  send           Send information to other user terminal interfaces
  startup        <Group> startup command group
  system-view    SystemView from terminal
  telnet         Open a telnet connection
  terminal       Set the terminal line characteristics
  tftp           Establish a TFTP connection
  tracert        Trace route function
  umount         Umount device
  undelete       Restore deleted files or directory
  undo           Negate a command or set its defaults
  unzip          Unzip files or directory
  zip            Zip files or directory

I can see tftp and ftp are both among them but that's about it. I tried running some commands I knew from busybox here but this did not help.

Error: Unrecognized command found at '^' position.
<Huawei>bash
        ^
Error: Unrecognized command found at '^' position.
<Huawei>grep
        ^
Error: Unrecognized command found at '^' position.
<Huawei>getsebool
        ^
Error: Unrecognized command found at '^' position.
<Huawei>whoami
        ^

An interesting thing is that you can go into the system-view menu which presents a different set of commands:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]?
System view commands:
  anti-attack      Specify anti-attack configurations
  ap-address       Set ip address
  ap-mode-switch   Ap-mode-switch
  ap-sysname       Set AP name
  arp              <Group> arp command group
  backup           Backup  information
  capture-packet   Capture-packet
  capwap           CAPWAP
  cloud-mng        Cloud management
  console          Console
  dhcpv6           Dynamic host configure protocol for IPv6
  diagnose         Change into diagnose mode
  display          Display information
  ecc              Specify the module configurations
  file             File system command word
  ftp              Set the FTP source
  header           Define the login banner
  hotkey           Specify hotkey configuration information
  icmp             Indicates ICMP configuration information
  info-center      <Group> info-center command group
  interface        Specify the interface configuration view
  ip               <Group> ip command group
  l2-topology      Layer 2 topology
  load-balance     Specify load balance mode
  mac-address      MAC address
  management-vlan  Mangement vlan
  matched          Is Command can be matched by upper template
  mmi-mode         Machine-machine mode
  observe-port     Specify observing port
  ping             <Group> ping command group
  pki              Configure Public Key Infrastructure (PKI) module information
  portal           PORTAL module
  quit             Exit from current mode and enter prior mode
  reset            <Group> reset command group
  return           Enter the privileged mode
  rsa              Specify RSA module configuration information
  set              <Group> set command group
  sftp             Establish an SFTP connection
  ssh              <Group> ssh command group
  stelnet          Establish an Stelnet connection
  tcp              Specify TCP(Transmission Control Protocol) configuration information
  telnet           <Group> telnet command group
  tftp             Establish a TFTP connection
  tftp-server      TFTP Server
  tracert          Trace route function
  undo             Negate a command or set its defaults
  upgrade          Upgrade
  user-interface   Configure the user terminal interface

the upgrade menu pertains to specifically to ftp and sftp servers

[Huawei]upgrade version ?
  ftp   FTP server
  sftp  SFTP server

here you can once again go into another view, the "diagnose" view:

[Huawei-diagnose]?
Diagnose view commands:
  acl                     Access Control List
  anti-attack             Specify anti-attack configurations
  ap-address              Set ip address
  ap-emt                  Ap-emt
  ap-startup-option       Ap-startup-option
  application-apperceive  Set application-apperceive information
  backup                  Backup  information
  band-steer              Band-steer
  capwap                  CAPWAP
  check                   Check
  clear                   <Group> clear command group
  debugging               <Group> debugging command group
  delete                  Delete
  display                 Display information
  dynamic-power-reduce    Dynamic-power-reduce
  emt                     Emt
  failure                 The failure managed
  firewall                Firewall
  info-center             <Group> info-center command group
  iot-card                Command
  ipc                     IPC information
  ipv6                    IPv6 configuration commands
  iwconfig                Iwconfig
  mem-damage-check        Memory demage check
  mem-record              Record the memory allocation
  memory-monitor          Memory monitor
  mirror                  Specify Mirror feature
  neighbour-link          Neighbour-link
  ping                    <Group> ping command group
  pki                     <Group> pki command group
  quit                    Exit from current mode and enter prior mode
  refresh                 Refresh routes to I/O board
  reset                   <Group> reset command group
  restore                 Restore default MAC
  resume                  Resume ap wired port statistics
  return                  Enter the privileged mode
  set                     <Group> set command group
  socket                  Socket module
  socket-monitor          Switch of sock-monitor
  station-trace           Station-trace
  stop                    Stop ap wired port statistics
  task-switch-record      Task-switch-record
  terminal                <Group> terminal command group
  test                    Test
  trace-pkt               Trace packet
  tracert                 Trace route function
  undo                    Negate a command or set its defaults
  vrbd                    System hardware and software version information
  wds                     Wds
  wifi                    Wifi

But hey, at least we can get version data here.

[Huawei-diagnose]vrbd
 Board 0  SoftWare Compiled Jul 29 2020, 10:28:12 By AP7050DE GROUP
 Board 0  BootRom  Compiled Jul 29 2020, 18:23:32 By AP7050DE GROUP
 Board 0  SoftWare Version V200R019C00SPC803B728 By AP7050DE GROUP
 Board 0  VRP      VRPV500R017C20SPCa31F001S001
 Board 0  DOPRA    DOPRA SSP V300R005C00SPC051
 Board 0  ESAP     Version V200R019C00SPC736B011
 Board 0  VPP      VPP V300R003C28SPC038
 Board 0  WMP      WMPV100R019C00SPC330B261
 Board 0  SoftWare for user V200R019C00SPC803

I accidentally setup "emt" as the startup option aaand I might've bricked myself. Oops. Doesn't bar me from uboot though.

Saving POST results: Done
POST test:   End
Image: Current Bootup is B

Press f or F  to stop Auto-Boot in 3 seconds:  0

get_emt_file_from_flash fail!
eth0 Waiting for PHY auto negotiation to complete... TIMEOUT !
Auto-neg error, defaulting to 10BT/HD
Using eth0 device

ARP Retry count exceeded; starting again
eth0 Waiting for PHY auto negotiation to complete... TIMEOUT !
Auto-neg error, defaulting to 10BT/HD
Using eth0 device

ARP Retry count exceeded; starting again
ping failed; host 192.168.1.11 is not alive
eth0 Waiting for PHY auto negotiation to complete... TIMEOUT !
Auto-neg error, defaulting to 10BT/HD
Using eth0 device

ARP Retry count exceeded; starting again
eth0 Waiting for PHY auto negotiation to complete... TIMEOUT !
Auto-neg error, defaulting to 10BT/HD
Using eth0 device