Problem might be accessing shell as we don't know the password for root access.
I'm not really sure how to deflate the firmware and pack it back up to remove the password, if there is a process to do that somewhere I can give you shell access.
I might try failsafe and see if I can mount the root partition and delete the password files.
I can setup a vlan at work and give you direct access to a device with a guest vpn.
I'll just need to pick one up if one pops up in local buy-n-sell.
in addition to changing password, a working ssh server must be added to the image as well since the stock dropbear is modded to not use standard linux auth (/etc/password, etc) and has no support for an interactive shell even if you did know the password it uses.
completely and confidently untested:
#grab fw image if you dont have a dump handy
wget "https://static.tp-link.com/upload/firmware/2023/202309/20230919/Deco_X80-5G(EU)_1.0_2.1.1%20Build%2020230410%20Rel.%2078273.zip"
unzip Deco_X80-5G\(EU\)_1.0_2.1.1\ Build\ 20230410\ Rel.\ 78273.zip
tail -c +$((0x1814+1)) Deco_X80-5G\(EU\)_1.0_2.1.1\ Build\ 20230410\ Rel.\ 78273/full_x80-5G-SP1-up-ver2-1-1-P1\[20230410-rel78273\]_2023-04-11_08.56.46.bin > mtd12-rootfs.bin
#un-ubinize
ubireader_extract_images mtd12-rootfs.bin
#unpack rootfs
sudo unsquashfs ubifs-root/mtd12-rootfs.bin/img-1182106789_vol-ubi_rootfs.ubifs
#grab static dropbear executable from rando internet strangers
wget "https://github.com/ryanwoodsmall/static-binaries/raw/master/aarch64/dropbearmulti"
chmod +x dropbearmulti
#make changes in squashfs-root/
sudo sh -c "cat > squashfs-root/etc/rc.local <<-EOF
/mods/dropbearkey -t rsa -f /tmp/rsa_key
/mods/dropbear -r /tmp/rsa_key -p 2222
(echo 'deco'; echo 'deco') | passwd
exit 0
EOF"
sudo mkdir squashfs-root/mods/
sudo cp dropbearmulti squashfs-root/mods/
sudo ln -s dropbearmulti squashfs-root/mods/dropbearkey
sudo ln -s dropbearmulti squashfs-root/mods/dropbear
#re-pack rootfs
sudo mksquashfs squashfs-root ubi_rootfs.new.ubifs -b 262144 -comp xz
#re-ubinize
ubinize -o mtd12-rootfs.mod.bin -p 128KiB -m 2048 <( cat <<-EOF
[kernel]
mode=ubi
vol_id=0
vol_type=dynamic
vol_name=kernel
image=ubifs-root/mtd12-rootfs.bin/img-1182106789_vol-kernel.ubifs
[rootfs]
mode=ubi
vol_id=1
vol_type=dynamic
vol_name=ubi_rootfs
image=ubi_rootfs.new.ubifs
EOF
)
Ok the unpacking and packing and the creating of keys I can handle.
I'm not too sure about cross compiling bit, but if you can point to a compiled binary I can stuff in or more info I'm happy to try.
I'm guessing i just install gcc-arm-linux-gnueabi and binutils-arm-linux-gnueabi gcc-arm-linux-gnueabihf
CC=arm-linux-gnueabihf-gcc make
Is there an easy way to switch slots between mtd 12 and mtd13 from U-Boot it will save me mucking around flashing images over tftpboot.
you already presumably have a working copy of dropbear for arm64 in your openwrt build.
or see edits i made above that pulls the ipk from openwrt and untars it
But wouldn't it have to be compiled for a 4.4 kernel and the libs present on the deco device.
dropbear is a pure userspace application, it doesn't have any dependencies on kernel modules - you will however need to build it in a build-environment (buildroot) close to the OEM firmware, ideally using TP-Link's GPL tarball, the corresponding qsdk base or OpenWrt 19.07 (descending order of success chances). It's not the kernel you need to bother about, but the sonames and library ABIs dropbear depends upon (libc/ musl, zlib). It doesn't need to be 100% perfect, but at least close enough (so musl is your biggest concern).
or just use a precompiled static binary...
(see new script edits above)
It worked but this was the only thing of note:
the original dump was 43mb when this file is 26mb I guess that is just because it has had the image trimmed of blank space from my dump?
ubinize: volume size was not specified in section "kernel", assume minimum to fit image "ubifs-root/mtd12-rootfs.bin/img-1237982863_vol-kernel.ubifs"5713920 bytes (5.4 MiB) ubinize: volume size was not specified in section "rootfs", assume minimum to fit image "ubi_rootfs.new.ubifs"20332544 bytes (19.3 MiB)
yes, ubiformat will fill the rest of the 43mb MTD partition with 'empty' ubi blocks as it writes.
Hello all,
I've been messing about with one of my devices today. I was able to extract the rootfs from EU 2.0.0 firmware and write it to mtd12 and mtd13. From here I was able to boot into factory Deco firmware.
I checked for updates and was surprised that I said it was up to date. I knew this was not the case and I was able to upgrade the FW via web GUI to the next update (and repeat until 2.1.3).
From here, I can install OpenWRT and have the latest stock image underlying (LTE updates etc). This could also be useful if someone wanted to "convert" to the EU or US version. Of course, serial connection still required at this stage.
Ok so I have been playing around with a script to control the RGB led with a inifnite loop to cycle status one after the other, it works if run from -ash with /bin/sh leds.sh &
Is there a place to drop this script so it runs in the background by default ?
I dropped it in pre init but it broke the router because it did not start in the background and did not complete the preinit sequence.
#!/bin/sh
#
# start me with /bin/sh leds.sh &
# setup easy led drive functions
set_rgb_leds() {
echo "$1" > /sys/class/leds/red:/brightness
echo "$2" > /sys/class/leds/green:/brightness
echo "$3" > /sys/class/leds/blue:/brightness
}
while :
do
state0=0 # some function make led red
state1=0 # some function make led green
state2=0 # some function make led blue
state3=1 # show power led yellow
state4=0 # some function make led magenta
state5=0 # some function make led cyan
state6=0 # some function make led white
if [ "$state0" = "1" ]; then
set_rgb_leds 255 0 0 # red
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state1" = "1" ]; then
set_rgb_leds 0 255 0 # green
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state2" = "1" ]; then
set_rgb_leds 0 0 255 # blue
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state3" = "1" ]; then
set_rgb_leds 255 255 0 # yellow
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state4" = "1" ]; then
set_rgb_leds 255 0 255 # magneta
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state5" = "1" ]; then
set_rgb_leds 0 255 255 # cyan
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
if [ "$state6" = "1" ]; then
set_rgb_leds 255 255 255 # white
sleep 2
set_rgb_leds 0 0 0
sleep 1
else
set_rgb_leds 0 0 0 # off
fi
done
https://openwrt.org/docs/guide-developer/procd-init-scripts
But honestly I doubt such an infinite loop script would be accepted upstream OpenWrt.
I'm not sure how to make the rgb led usable any other way in the oem device they give priority or weight to specific led functions which I will try to add later.
The NZ firmware has slight differences in colours of the RGB LED compared to other countries I'm not sure why?
If the device is rebooting/ resetting or shutting down the led flashes yellow
it the device is powered up it is solid yellow at least until it establishes a connection.
If it is connected to 5g wwan or ethernet yellow is replaced with a white light (us) or purple light (nz).
If it is connected to 4g wwan the yellow is replaced by a green light.
If wps is enabled then it will flash blue.
If a linked mesh device is missing it flashes red.
If there is a fault it stays solid red (drop of internet does this)
explanation in manual (nz):
Yellow Deco is resetting.
Solid Yellow: Deco is starting up.
Pulse Blue: Deco is ready for setup or WPS in progress.
Solid Blue:Deco is setting up.
Pulse Green:Deco is upgrading firmware.
Solid Green:Deco is all set up and connected to 4G / WAN.
Solid Purple:Deco is all set up and connected to 5G.
Pulse Red: The satellite Deco is disconnected from the main Deco.
Solid Red:Deco has an issue
I have got it cycling showing each color from ash I just have to figure out how to add all the triggers weight/ priority to the led functions as best I can.
I'm not really sure on the triggers i guess i have to use netdev etc...and I can't just use the uci names as in the led config?
I known ODM's investing a lot of work in fancy LED patterns.
But this is not what we do in OpenWrt.
You don't need to have the same LED patterns as in the stock firmware.
Just expose each and every LED as device, define one of them as system (or whatever you want to call it) LED and define an alias in the DTS for that system LED.
Having a system LED is enough to tell which status the device is in.
Anything else can then the user decide through the OpenWrt LED functions.
I was planning to dualboot the factory os and OpenWrt to set it up for @naf to attempt to exploit the device but for some reason after installing an image on the second rootfs partition and rebooting the partition is seemingly formatted and cleared next boot, how do I stop that?
I was assuming I would just change the boot args from terminal to select either or to boot but it seems that is not the case.
That might be a u-boot specific function. Please provide the log from the install and reboot.
Does the stock firmware even support dualboot?
I think you might be right,
It seems the OEM firmware flashes the other root partition then switch bootargs to load up new OS, but I did not think it would format it upon bootup, I would of thought it would leave it intact unless the OEM OS uses it for something.
There is however no mention of mtd13 during loading and is does not support dual boot from the factory.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00158
S - IMAGE_VARIANT_STRING=HAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e5
B - 201 - PBL, Start
B - 2734 - bootable_media_detect_entry, Start
B - 3440 - bootable_media_detect_success, Start
B - 3444 - elf_loader_entry, Start
B - 6105 - auth_hash_seg_entry, Start
B - 6348 - auth_hash_seg_exit, Start
B - 68220 - elf_segs_hash_verify_entry, Start
B - 131063 - PBL, End
B - 144600 - SBL1, Start
B - 197335 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B - 203892 - pm_device_init, Start
B - 326533 - PM_SET_VAL:Skip
D - 122091 - pm_device_init, Delta
B - 328942 - pm_driver_init, Start
D - 5337 - pm_driver_init, Delta
B - 335256 - clock_init, Start
D - 2135 - clock_init, Delta
B - 339282 - boot_flash_init, Start
D - 12566 - boot_flash_init, Delta
B - 355630 - boot_config_data_table_init, Start
D - 3111 - boot_config_data_table_init, Delta - (575 Bytes)
B - 363133 - Boot Setting : 0x00000618
B - 367037 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:4,Sub
type:0
B - 373960 - sbl1_ddr_set_params, Start
B - 377773 - CPR configuration: 0x30c
B - 381128 - cpr_init, Start
B - 384025 - Rail:0 Mode: 5 Voltage: 792000
B - 389119 - CL CPR settled at 744000mV
B - 391955 - Rail:1 Mode: 5 Voltage: 880000
B - 396225 - Rail:1 Mode: 7 Voltage: 888000
D - 16531 - cpr_init, Delta
B - 403027 - Pre_DDR_clock_init, Start
B - 407144 - Pre_DDR_clock_init, End
B - 410438 - DDR Type : PCDDR3
B - 416142 - do ddr sanity test, Start
D - 1037 - do ddr sanity test, Delta
B - 420991 - DDR: Start of HAL DDR Boot Training
B - 425627 - DDR: End of HAL DDR Boot Training
B - 431300 - DDR: Checksum to be stored on flash is 1377291785
B - 441731 - Image Load, Start
D - 224450 - QSEE Image Loaded, Delta - (1376448 Bytes)
B - 666272 - Image Load, Start
D - 61 - SEC Image Loaded, Delta - (0 Bytes)
B - 673958 - Image Load, Start
D - 10706 - DEVCFG Image Loaded, Delta - (26008 Bytes)
B - 684755 - Image Load, Start
D - 22052 - RPM Image Loaded, Delta - (86584 Bytes)
B - 706898 - Image Load, Start
D - 108946 - APPSBL Image Loaded, Delta - (672668 Bytes)
B - 815966 - QSEE Execution, Start
D - 61 - QSEE Execution, Delta
B - 821792 - USB D+ check, Start
D - 0 - USB D+ check, Delta
B - 828166 - SBL1, End
D - 685884 - SBL1, Delta
S - Flash Throughput, 6742 KB/s (2162955 Bytes, 320791 us)
S - DDR Frequency, 466 MHz
S - Core 0 Frequency, 1651 MHz
U-Boot 2016.01 (Feb 25 2021 - 20:16:45 +0800)
DRAM: smem ram ptable found: ver: 1 len: 4
1 GiB
NAND: Could not find nand_gpio in dts, using defaults
ONFI device found
ID = 158061c8
Vendor = c8
Device = 61
SF: Unsupported flash IDs: manuf 00, jedec 1c78, ext_jedec 4a74
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
128 MiB
MMC: <NULL>: 0
PCI0 is not defined in the device tree
PCI1 is not defined in the device tree
In: serial@78B3000
Out: serial@78B3000
Err: serial@78B3000
machid: 8010400
Card did not respond to voltage select!
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid
eth2 MAC Address from ART is not valid
eth3 MAC Address from ART is not valid
eth4 MAC Address from ART is not valid
eth5 MAC Address from ART is not valid
gpio 38 set BOARD_3V9_5V_EN_GPIO to high[1]
gpio 64 set PHY_QCA8081_1V8_EN_GPIO to high[1]
gpio 33 set PHY_AR8033_3V3_EN_GPIO to high[1]
gpio 35 set ONOFF_MODULE_5G_GPIO to low[0] ... 1s
gpio 35 set ONOFF_MODULE_5G_GPIO to high[1]
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 9 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 72, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 1, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 15/8, WL threshold: 4096, image sequenc
e number: 1097309032
ubi0: available PEBs: 0, total reserved PEBs: 72, PEBs reserved for b
ad PEB handling: 20
Find no boot alter flag!
Enter magic string to stop autoboot in 1 seconds
Unmounting UBIFS volume ubi_factory_data!
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=0", size 42 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 336, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 3, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 36/28, WL threshold: 4096, image sequen
ce number: 1403338935
ubi0: available PEBs: 0, total reserved PEBs: 336, PEBs reserved for
bad PEB handling: 20
Read 0 bytes from volume kernel to 44000000
No size specified -> Using max size (5332992)
## Loading kernel from FIT Image at 44000000 ...
Using 'config@hk01.c5' configuration
Trying 'kernel-1' kernel subimage
Description: ARM64 OpenWrt Linux-6.6.45
Type: Kernel Image
Compression: gzip compressed
Data Start: 0x440000e8
Data Size: 5190693 Bytes = 5 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x41000000
Entry Point: 0x41000000
Hash algo: crc32
Hash value: c39380f6
Hash algo: sha1
Hash value: 150971bad1e5ec0ff4af48908836f965315b54ac
Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
Using 'config@hk01.c5' configuration
Trying 'fdt-1' fdt subimage
Description: ARM64 OpenWrt tplink_x80-5g device tree blob
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x444f3650
Data Size: 47820 Bytes = 46.7 KiB
Architecture: AArch64
Hash algo: crc32
Hash value: d05891f4
Hash algo: sha1
Hash value: deec6e2139cd0e6b2de67e154416b0a80a4df8bc
Verifying Hash Integrity ... crc32+ sha1+ OK
Booting using the fdt blob at 0x444f3650
Uncompressing Kernel Image ... OK
Loading Device Tree to 4a3f1000, end 4a3ffacb ... OK
Could not find PCI in device tree
Using machid 0x8010400 from environment
Starting kernel ...
Jumping to AARCH64 kernel via monitor
[ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034
]
[ 0.000000] Linux version 6.6.45 (professor_jonny@MRSPARKLE) (aarc
h64-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r27152-9801a7a866) 13.
3.0, GNU ld (GNU Binutils) 2.42) #0 SMP Wed Aug 21 12:27:21 2024
[ 0.000000] Machine model: tplink x80-5g
[ 0.000000] OF: reserved mem: 0x0000000040000000..0x0000000040ffff
ff (16384 KiB) nomap non-reusable nss@40000000
[ 0.000000] OF: reserved mem: 0x000000004a400000..0x000000004a5fff
ff (2048 KiB) nomap non-reusable tzapp@4a400000
[ 0.000000] OF: reserved mem: 0x000000004a600000..0x000000004a9fff
ff (4096 KiB) nomap non-reusable bootloader@4a600000
[ 0.000000] OF: reserved mem: 0x000000004aa00000..0x000000004aafff
ff (1024 KiB) nomap non-reusable sbl@4aa00000
[ 0.000000] OF: reserved mem: 0x000000004ab00000..0x000000004abfff
ff (1024 KiB) nomap non-reusable smem@4ab00000
[ 0.000000] OF: reserved mem: 0x000000004ac00000..0x000000004affff
ff (4096 KiB) nomap non-reusable memory@4ac00000
[ 0.000000] OF: reserved mem: 0x000000004b000000..0x0000000050efff
ff (97280 KiB) nomap non-reusable wcnss@4b000000
[ 0.000000] OF: reserved mem: 0x0000000050f00000..0x0000000050ffff
ff (1024 KiB) nomap non-reusable q6_etr_dump@50f00000
[ 0.000000] OF: reserved mem: 0x0000000051000000..0x00000000510fff
ff (1024 KiB) nomap non-reusable m3_dump@51000000
[ 0.000000] Zone ranges:
[ 0.000000] DMA [mem 0x0000000040000000-0x000000007fffffff]
[ 0.000000] DMA32 empty
[ 0.000000] Normal empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000040000000-0x0000000040ffffff
]
[ 0.000000] node 0: [mem 0x0000000041000000-0x000000004a3fffff
]
[ 0.000000] node 0: [mem 0x000000004a400000-0x00000000510fffff
]
[ 0.000000] node 0: [mem 0x0000000051100000-0x000000007fffffff
]
[ 0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x0000000
07fffffff]
[ 0.000000] psci: probing for conduit method from DT.
[ 0.000000] psci: PSCIv1.0 detected in firmware.
[ 0.000000] psci: Using standard PSCI v0.2 function IDs
[ 0.000000] psci: MIGRATE_INFO_TYPE not supported.
[ 0.000000] psci: SMC Calling Convention v1.0
[ 0.000000] percpu: Embedded 18 pages/cpu s35112 r8192 d30424 u737
28
[ 0.000000] Detected VIPT I-cache on CPU0
[ 0.000000] alternatives: applying boot alternatives
[ 0.000000] Kernel command line: ubi.mtd=rootfs root=mtd:ubi_rootf
s rootfstype=squashfs rootwait root=/dev/ubiblock0_1
[ 0.000000] Dentry cache hash table entries: 131072 (order: 8, 104
8576 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 65536 (order: 7, 52428
8 bytes, linear)
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages:
258048
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:of
f
[ 0.000000] software IO TLB: SWIOTLB bounce buffer size adjusted t
o 1MB
[ 0.000000] software IO TLB: area num 4.
[ 0.000000] software IO TLB: mapped [mem 0x000000007eb00000-0x0000
00007ec00000] (1MB)
[ 0.000000] Memory: 885764K/1048576K available (8128K kernel code,
890K rwdata, 2504K rodata, 1472K init, 274K bss, 162812K reserved, 0
K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nod
es=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] Tracing variant of Tasks RCU enabled.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment dela
y is 10 jiffies.
[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[ 0.000000] Root IRQ handler: gic_handle_irq
[ 0.000000] GICv2m: range[mem 0x0b00a000-0x0b00affc], SPI[448:479]
[ 0.000000] rcu: srcu_init: Setting srcu_struct sizes based on con
tention.
[ 0.000000] arch_timer: cp15 and mmio timer(s) running at 19.20MHz
(virt/virt).
[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff
max_cycles: 0x46d987e47, max_idle_ns: 440795202767 ns
[ 0.000001] sched_clock: 56 bits at 19MHz, resolution 52ns, wraps
every 4398046511078ns
[ 0.000145] Calibrating delay loop (skipped), value calculated usi
ng timer frequency.. 38.40 BogoMIPS (lpj=192000)
[ 0.000158] pid_max: default: 32768 minimum: 301
[ 0.005170] Mount-cache hash table entries: 2048 (order: 2, 16384
bytes, linear)
[ 0.005184] Mountpoint-cache hash table entries: 2048 (order: 2, 1
6384 bytes, linear)
[ 0.009430] RCU Tasks Trace: Setting shift to 2 and lim to 1 rcu_t
ask_cb_adjust=1.
[ 0.009654] rcu: Hierarchical SRCU implementation.
[ 0.009659] rcu: Max phase no-delay instances is 1000.
[ 0.010601] smp: Bringing up secondary CPUs ...
[ 0.011266] Detected VIPT I-cache on CPU1
[ 0.011366] CPU1: Booted secondary processor 0x0000000001 [0x410fd
034]
[ 0.012039] Detected VIPT I-cache on CPU2
[ 0.012106] CPU2: Booted secondary processor 0x0000000002 [0x410fd
034]
[ 0.012762] Detected VIPT I-cache on CPU3
[ 0.012826] CPU3: Booted secondary processor 0x0000000003 [0x410fd
034]
[ 0.012896] smp: Brought up 1 node, 4 CPUs
[ 0.012904] SMP: Total of 4 processors activated.
[ 0.012910] CPU features: detected: 32-bit EL0 Support
[ 0.012914] CPU features: detected: CRC32 instructions
[ 0.012982] CPU features: emulated: Privileged Access Never (PAN)
using TTBR0_EL1 switching
[ 0.012989] CPU: All CPU(s) started at EL1
[ 0.012992] alternatives: applying system-wide alternatives
[ 0.023150] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xf
fffffff, max_idle_ns: 19112604462750000 ns
[ 0.023177] futex hash table entries: 1024 (order: 4, 65536 bytes,
linear)
[ 0.024907] pinctrl core: initialized pinctrl subsystem
[ 0.026619] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.027195] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic a
llocations
[ 0.027238] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for
atomic allocations
[ 0.027271] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool fo
r atomic allocations
[ 0.027656] thermal_sys: Registered thermal governor 'step_wise'
[ 0.027713] cpuidle: using governor menu
[ 0.027916] ASID allocator initialised with 65536 entries
[ 0.053301] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid
fuse count: 4
[ 0.056182] Modules: 29408 pages in range for non-PLT usage
[ 0.056192] Modules: 520928 pages in range for PLT usage
[ 0.060905] SCSI subsystem initialized
[ 0.061095] usbcore: registered new interface driver usbfs
[ 0.061129] usbcore: registered new interface driver hub
[ 0.061192] usbcore: registered new device driver usb
[ 0.061621] qcom_scm: convention: smc arm 64
[ 0.063323] clocksource: Switched to clocksource arch_sys_counter
[ 0.067071] NET: Registered PF_INET protocol family
[ 0.067236] IP idents hash table entries: 16384 (order: 5, 131072
bytes, linear)
[ 0.069806] tcp_listen_portaddr_hash hash table entries: 512 (orde
r: 1, 8192 bytes, linear)
[ 0.069828] Table-perturb hash table entries: 65536 (order: 6, 262
144 bytes, linear)
[ 0.069844] TCP established hash table entries: 8192 (order: 4, 65
536 bytes, linear)
[ 0.069928] TCP bind hash table entries: 8192 (order: 6, 262144 by
tes, linear)
[ 0.070201] TCP: Hash tables configured (established 8192 bind 819
2)
[ 0.070304] UDP hash table entries: 512 (order: 2, 16384 bytes, li
near)
[ 0.070342] UDP-Lite hash table entries: 512 (order: 2, 16384 byte
s, linear)
[ 0.070790] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 0.070843] PCI: CLS 0 bytes, default 64
[ 0.072470] workingset: timestamp_bits=46 max_order=18 bucket_orde
r=0
[ 0.073011] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.073019] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CM
ODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.079259] qcom-qmp-usb-phy 78000.phy: supply vdda-phy not found,
using dummy regulator
[ 0.079430] qcom-qmp-usb-phy 78000.phy: supply vdda-pll not found,
using dummy regulator
[ 0.080616] qcom-qusb2-phy 79000.phy: supply vdd not found, using
dummy regulator
[ 0.080760] qcom-qusb2-phy 79000.phy: supply vdda-pll not found, u
sing dummy regulator
[ 0.080818] qcom-qusb2-phy 79000.phy: supply vdda-phy-dpdm not fou
nd, using dummy regulator
[ 0.080981] qcom-qusb2-phy 79000.phy: Registered Qcom-QUSB2 phy
[ 0.089237] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabl
ed
[ 0.090286] msm_serial 78b3000.serial: msm_serial: detected port #
0
[ 0.090328] msm_serial 78b3000.serial: uartclk = 3686400
[ 0.090678] 78b3000.serial: ttyMSM0 at MMIO 0x78b3000 (irq = 20, b
ase_baud = 230400) is a MSM
[ 0.090713] msm_serial: console setup on port #0
[ 0.090752] printk: console [ttyMSM0] enabled
[ 0.853719] msm_serial: driver initialized
[ 0.862817] loop: module loaded
[ 0.864246] nand: device found, Manufacturer ID: 0xc8, Chip ID: 0x
61
[ 0.864777] nand: ESMT PSR1GA30DT
[ 0.871365] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 20
48, OOB size: 64
[ 0.875837] spmi spmi-0: PMIC arbiter version v2 (0x20010000)
[ 0.934638] i2c_dev: i2c /dev entries driver
[ 0.941008] sdhci: Secure Digital Host Controller Interface driver
[ 0.941053] sdhci: Copyright(c) Pierre Ossman
[ 0.946257] sdhci-pltfm: SDHCI platform and OF driver helper
[ 0.952332] remoteproc remoteproc0: releasing cd00000.q6v5_wcss
[ 0.959786] NET: Registered PF_INET6 protocol family
[ 0.963156] Segment Routing with IPv6
[ 0.967167] In-situ OAM (IOAM) with IPv6
[ 0.970733] NET: Registered PF_PACKET protocol family
[ 0.974779] 8021q: 802.1Q VLAN Support v1.8
[ 1.010559] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid
fuse count: 4
[ 1.010886] cpr4_ipq807x_apss_read_fuse_data: apc_corner: speed bi
n = 0
[ 1.016720] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR fusi
ng revision = 1
[ 1.023284] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR misc
fuse value = 0
[ 1.031011] cpr4_ipq807x_apss_read_fuse_data: apc_corner: Voltage
boost fuse config = 0 boost = disable
[ 1.038486] cpr3_mem_acc_init: apc: not using memory accelerator r
egulator
[ 1.047608] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_co
rner: fused SVS: open-loop= 704000 uV
[ 1.054547] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_co
rner: fused NOM: open-loop= 808000 uV
[ 1.064535] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_co
rner: fused TURBO: open-loop= 864000 uV
[ 1.074338] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_co
rner: fused STURBO: open-loop= 944000 uV
[ 1.084197] cpr4_ipq807x_apss_calculate_target_quotients: apc_corn
er: fused SVS: quot[ 7]= 767, quot_offset[ 7]= 0
[ 1.093959] cpr4_ipq807x_apss_calculate_target_quotients: apc_corn
er: fused NOM: quot[ 7]= 972, quot_offset[ 7]= 205
[ 1.104809] cpr4_ipq807x_apss_calculate_target_quotients: apc_corn
er: fused TURBO: quot[ 7]=1073, quot_offset[ 7]= 100
[ 1.115745] cpr4_ipq807x_apss_calculate_target_quotients: apc_corn
er: fused STURBO: quot[ 7]=1226, quot_offset[ 7]= 150
[ 1.126922] cpr3_regulator_init_ctrl: apc: Default CPR mode = clos
ed-loop
[ 1.129497] nand: device found, Manufacturer ID: 0xc8, Chip ID: 0x
61
[ 1.144388] nand: ESMT PSR1GA30DT
[ 1.150792] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 20
48, OOB size: 64
[ 1.154473] 17 qcomsmem partitions found on MTD device qcom_nand.0
[ 1.161477] Creating 17 MTD partitions on "qcom_nand.0":
[ 1.167661] 0x000000000000-0x000000100000 : "0:sbl1"
[ 1.174702] 0x000000100000-0x000000200000 : "0:mibib"
[ 1.179471] 0x000000200000-0x000000280000 : "0:bootconfig"
[ 1.183965] 0x000000280000-0x000000300000 : "0:bootconfig1"
[ 1.189293] 0x000000300000-0x000000600000 : "0:qsee"
[ 1.197171] 0x000000600000-0x000000680000 : "0:devcfg"
[ 1.199991] 0x000000680000-0x000000700000 : "0:apdp"
[ 1.204984] 0x000000700000-0x000000780000 : "0:rpm"
[ 1.210140] 0x000000780000-0x000000800000 : "0:cdt"
[ 1.214703] 0x000000800000-0x000000980000 : "0:appsblenv"
[ 1.220445] 0x000000980000-0x000000b80000 : "0:appsbl"
[ 1.226530] 0x000000b80000-0x000000c00000 : "0:art"
[ 1.230129] 0x000000c00000-0x000003600000 : "rootfs"
[ 1.272683] mtd: setting mtd12 (rootfs) as root device
[ 1.273059] mtdsplit: no squashfs found in "rootfs"
[ 1.276791] 0x000003600000-0x000006000000 : "rootfs_1"
[ 1.320926] 0x000006000000-0x000006080000 : "0:ethphyfw"
[ 1.321967] 0x000006080000-0x000006980000 : "factory_data"
[ 1.334217] 0x000006980000-0x000007a80000 : "runtime_data"
[ 1.358414] cpufreq: cpufreq_online: CPU0: Running at unlisted ini
tial frequency: 800000 KHz, changing to: 1017600 KHz
[ 1.360307] remoteproc remoteproc0: cd00000.q6v5_wcss is available
[ 1.368475] ubi0: attaching mtd12
[ 1.608237] ubi0: scanning is finished
[ 1.615604] ubi0: attached mtd12 (name "rootfs", size 42 MiB)
[ 1.615640] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 1269
76 bytes
[ 1.620334] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page si
ze 2048
[ 1.627129] ubi0: VID header offset: 2048 (aligned 2048), data off
set: 4096
[ 1.633968] ubi0: good PEBs: 336, bad PEBs: 0, corrupted PEBs: 0
[ 1.640732] ubi0: user volume: 3, internal volumes: 1, max. volume
s count: 128
[ 1.646991] ubi0: max/mean erase counter: 36/28, WL threshold: 409
6, image sequence number: 1403338935
[ 1.654023] ubi0: available PEBs: 0, total reserved PEBs: 336, PEB
s reserved for bad PEB handling: 20
[ 1.663322] ubi0: background thread "ubi_bgt0d" started, PID 583
[ 1.664141] block ubiblock0_1: created from ubi0:1(ro?[ 1.68753
6] VFS: Mounted root (squashfs filesystem) readonly on device 254:0.
[ 1.687998] Freeing unused kernel memory: 1472K
[ 1.693735] Run /sbin/init as init process
[ 1.862695] init: Console is alive
[ 1.862831] init: - watchdog -
[ 2.452723] kmodloader: loading kernel modules from /etc/modules-b
oot.d/*
[ 2.475071] gpio_button_hotplug: loading out-of-tree module taints
kernel.
[ 2.507954] ssdk_dt_parse_interrupt[941]:INFO:intr-gpio does not e
xist
[ 4.203400] regi_init[2525]:INFO:Initializing HPPE Done!!
[ 4.203522] regi_init[2574]:INFO:qca-ssdk module init succeeded!
[ 4.209912] EDMA ver 1 hw init
[ 4.214105] EDMA HW Reset completed succesfully
[ 4.216757] Num rings - TxDesc:1 (23-23) TxCmpl:1 (7-7)
[ 4.221154] RxDesc:1 (15-15) RxFill:1 (7-7)
[ 4.226776] dp5: ppe offload disabled: 0 for macid 5
[ 4.230530] dp5: Switch attached to macid 5 status: 0
[ 4.335524] Qualcomm QCA8081 90000.mdio-1:1c: attached PHY driver
(mii_bus:phy_addr=90000.mdio-1:1c, irq=POLL)
[ 4.336396] GMAC6(ffffff80032f2900) Invalid MAC@ - using c6:d7:7f:
25:83:c0
[ 4.344436] dp6-syn: ppe offload disabled: 0 for macid 6
[ 4.351270] dp6-syn: Switch attached to macid 6 status: 0
[ 4.423750] Qualcomm Atheros AR8031/AR8033 90000.mdio-1:04: attach
ed PHY driver (mii_bus:phy_addr=90000.mdio-1:04, irq=POLL)
[ 4.424551] ******************************************************
****
[ 4.434058] * NSS Data Plane driver
[ 4.440361] ******************************************************
****
[ 4.456284] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[ 4.456334] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assi
gned bus number 1
[ 4.460791] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220fe65 hci ve
rsion 0x110 quirks 0x0000008002000010
[ 4.468289] xhci-hcd xhci-hcd.1.auto: irq 37, io mem 0x08a00000
[ 4.477712] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[ 4.483510] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assi
gned bus number 2
[ 4.489058] xhci-hcd xhci-hcd.1.auto: Host supports USB 3.0 SuperS
peed
[ 4.497001] hub 1-0:1.0: USB hub found
[ 4.503218] hub 1-0:1.0: 1 port detected
[ 4.507260] usb usb2: We don't know the algorithms for LPM for thi
s host, disabling LPM.
[ 4.511284] hub 2-0:1.0: USB hub found
[ 4.519197] hub 2-0:1.0: 1 port detected
[ 4.525805] usbcore: registered new interface driver usb-storage
[ 4.526964] kmodloader: done loading kernel modules from /etc/modu
les-boot.d/*
[ 4.539463] init: - preinit -
[ 4.974456] ubi1: attaching mtd15
[ 5.024339] ubi1: scanning is finished
[ 5.031357] ubi1: attached mtd15 (name "factory_data", size 9 MiB)
[ 5.031397] ubi1: PEB size: 131072 bytes (128 KiB), LEB size: 1269
76 bytes
[ 5.036507] ubi1: min./max. I/O unit sizes: 2048/2048, sub-page si
ze 2048
[ 5.043294] ubi1: VID header offset: 2048 (aligned 2048), data off
set: 4096
[ 5.050156] ubi1: good PEBs: 72, bad PEBs: 0, corrupted PEBs: 0
[ 5.056923] ubi1: user volume: 1, internal volumes: 1, max. volume
s count: 128
[ 5.062825] ubi1: max/mean erase counter: 15/8, WL threshold: 4096
, image sequence number: 1097309032
[ 5.070124] ubi1: available PEBs: 0, total reserved PEBs: 72, PEBs
reserved for bad PEB handling: 20
[ 5.079423] ubi1: background thread "ubi_bgt1d" started, PID 740
UBI device number 1, total 72 LEBs (9142272 bytes, 8.7 MiB), availabl
e 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
[ 5.103155] UBIFS (ubi1:0): Mounting in unauthenticated mode
[ 5.139260] UBIFS (ubi1:0): recovery needed
[ 5.173318] random: crng init done
[ 5.185950] UBIFS (ubi1:0): recovery deferred
[ 5.186028] UBIFS (ubi1:0): UBIFS: mounted UBI device 1, volume 0,
name "ubi_factory_data", R/O mode
[ 5.189286] UBIFS (ubi1:0): LEB size: 126976 bytes (124 KiB), min.
/max. I/O unit sizes: 2048 bytes/2048 bytes
[ 5.198499] UBIFS (ubi1:0): FS size: 4825088 bytes (4 MiB, 38 LEBs
), max 48 LEBs, journal size 1142785 bytes (1 MiB, 9 LEBs)
[ 5.208305] UBIFS (ubi1:0): reserved for root: 0 bytes (0 KiB)
[ 5.219578] UBIFS (ubi1:0): media format: w4/r0 (latest is w5/r0),
UUID 555FE482-AC27-41A3-A0C3-47CC50ED88FA, small LPT model
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debu
g level
[ 7.580230] UBIFS (ubi0:2): Mounting in unauthenticated mode
[ 7.580345] UBIFS (ubi0:2): background thread "ubifs_bgt0_2" start
ed, PID 819
[ 7.618330] UBIFS (ubi0:2): recovery needed
[ 7.766888] UBIFS (ubi0:2): recovery completed
[ 7.766993] UBIFS (ubi0:2): UBIFS: mounted UBI device 0, volume 2,
name "rootfs_data"
[ 7.770245] UBIFS (ubi0:2): LEB size: 126976 bytes (124 KiB), min.
/max. I/O unit sizes: 2048 bytes/2048 bytes
[ 7.778163] UBIFS (ubi0:2): FS size: 16506880 bytes (15 MiB, 130 L
EBs), max 140 LEBs, journal size 1015809 bytes (0 MiB, 7 LEBs)
[ 7.788051] UBIFS (ubi0:2): reserved for root: 779660 bytes (761 K
iB)
[ 7.799673] UBIFS (ubi0:2): media format: w5/r0 (latest is w5/r0),
UUID 7E1B1489-8ECD-435F-8782-174B00E3683C, small LPT model
[ 7.810114] mount_root: switching to ubifs overlay
[ 7.820955] overlayfs: null uuid detected in lower fs '/', falling
back to xino=off,index=off,nfs_export=off.
[ 7.827560] urandom-seed: Seeding with /etc/urandom.seed
[ 7.889162] procd: - early -
[ 7.889272] procd: - watchdog -
Failed to connect to ubus
[ 8.427285] procd: - watchdog -
[ 8.427513] procd: - ubus -
[ 8.584651] procd: - init -
Please press Enter to activate this console.
[ 8.926952] kmodloader: loading kernel modules from /etc/modules.d
/*
[ 9.004864] jitterentropy: Initialization failed with host not com
pliant with requirements: 9
[ 9.036196] urngd: v1.0.2 started.
[ 9.129682] gpio-fan gpio-fan: GPIO fan initialized
[ 9.131168] GACT probability on
[ 9.134027] Mirror/redirect action on
[ 9.139934] u32 classifier
[ 9.140304] input device check on
[ 9.142908] Actions configured
[ 9.156455] usbcore: registered new interface driver cdc_wdm
[ 9.156967] Loading modules backported from Linux version v6.9.9-0
-g28fdf4518483
[ 9.161190] Backport generated by backports.git v6.1.97-1-29-gf1d2
4a3683b2
[ 9.183543] NET: Registered PF_QIPCRTR protocol family
[ 9.187715] usbcore: registered new interface driver usbserial_gen
eric
[ 9.187792] usbserial: USB Serial support registered for generic
[ 9.201640] xt_time: kernel timezone is -0000
[ 9.202333] usbcore: registered new interface driver cdc_ether
[ 9.206000] usbcore: registered new interface driver cdc_ncm
[ 9.242429] PPP generic driver version 2.4.2
[ 9.243287] NET: Registered PF_PPPOX protocol family
[ 9.246675] usbcore: registered new interface driver qmi_wwan
[ 9.253250] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.c
om for information.
[ 9.256430] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld
<Jason@zx2c4.com>. All Rights Reserved.
We need the entire log, including u-boot
I updated the log above above but it does not mention any thing ?
this is after flashing mtd13 with ubiformat and rebooting.
That catches my eye:
Find no boot alter flag!
Other than that I don't see anything in the logs regarding erasing/formatting the second rootfs partition.
Please provide the u-boot printenv and how do you try to switch the boot part?
And how can you tell the second rootfs partition is erased?