Is it possible to write OpenWrt directly to SPI flash?

afiskon · October 19, 2018, 12:21am

Hello,

I have MikroTik hAP Lite (RB941-2ND) and I would like to install OpenWRT on it. OpenWRT wiki suggests to use TFTP and DHCP method. However I'm curious whether it's possible to just make an image that could be written directly to SPI flash, e.g. using flashrom and a FT2232 board as a programmer. Since I already dumped the original content of SPI flash anyway for me this method would be even simpler.

I assembled OpenWRT according to wiki article. Now the content of the directory bin/targets/ar71xx/mikrotik is following:

total 82640
drwxr-xr-x 3 eax eax    4096 Oct 19 02:59 .
drwxr-xr-x 3 eax eax    4096 Oct 19 02:31 ..
-rw-r--r-- 1 eax eax   16079 Oct 19 02:31 config.seed
-rw-r--r-- 1 eax eax    3101 Oct 19 02:59 openwrt-ar71xx-mikrotik-default.manifest
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-64m-initramfs-kernel.bin
-rw-r--r-- 1 eax eax 4239360 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-64m-squashfs-sysupgrade.bin
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-large-ac-initramfs-kernel.bin
-rw-r--r-- 1 eax eax 4270080 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-large-ac-squashfs-sysupgrade.bin
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-large-initramfs-kernel.bin
-rw-r--r-- 1 eax eax 4270080 Oct 19 02:59 openwrt-ar71xx-mikrotik-nand-large-squashfs-sysupgrade.bin
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-ac-initramfs-kernel.bin
-rwxr-xr-x 1 eax eax 1662164 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-ac-kernel.bin
-rw-r--r-- 1 eax eax 4260771 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-ac-squashfs-sysupgrade.bin
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin
-rwxr-xr-x 1 eax eax 1662164 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-kernel.bin
-rw-r--r-- 1 eax eax 4260751 Oct 19 02:59 openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin
-rw-r--r-- 1 eax eax 2752512 Oct 19 02:59 openwrt-ar71xx-mikrotik-root.squashfs
-rwxr-xr-x 1 eax eax 5191268 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux.bin
-rwxr-xr-x 1 eax eax 5196392 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux.elf
-rwxr-xr-x 1 eax eax 7543732 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux-initramfs.bin
-rwxr-xr-x 1 eax eax 7548856 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux-initramfs.elf
-rw-r--r-- 1 eax eax 4063232 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux-initramfs.lzma
-rwxr-xr-x 1 eax eax 4046176 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux-initramfs-lzma.elf
-rw-r--r-- 1 eax eax 1703936 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux.lzma
-rwxr-xr-x 1 eax eax 1662164 Oct 19 02:59 openwrt-ar71xx-mikrotik-vmlinux-lzma.elf
drwxr-xr-x 2 eax eax    4096 Oct 19 02:59 packages
-rw-r--r-- 1 eax eax    2663 Oct 19 02:59 sha256sums

Can I use any of these files as an SPI flash image? If not is there some way to build an image?

The router uses W25Q128FV 16 Mbyte SPI flash chip.

mk24 · October 19, 2018, 12:34am

The NOR sysupgrade.bin is a direct image of what should be in the system area of the flash chip. Of course it should start where the bootloader expects it, not at zero. OpenWrt does not contain any bootloader, radio calibration, or other unit-specific data that was placed in the flash chip at the factory. You will need to preserve those blocks of flash.

zorxd · October 19, 2018, 2:11pm

the wiki is outdated.

You should TFTP load this file: http://downloads.openwrt.org/releases/18.06.1/targets/ar71xx/mikrotik/openwrt-18.06.1-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin

The wiki explains how to do it on Linux using dnsmasq but you can also use tftpd32 on Windows.
You will get OpenWRT running in RAM.

And then install this file (over sysupgrade command line or luci web interface):
http://downloads.openwrt.org/releases/18.06.1/targets/ar71xx/mikrotik/openwrt-18.06.1-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin

afiskon · October 19, 2018, 10:22pm

@zorxd Thanks. Eventually I installed OpenWRT according to your comment. Afterwards I compared flash memory dumps before upgrade, after upgrade and sysupgrade.bin image. Apparently sysupgrade.bin is not just an image written by some offset and can't be easily programmed to flash the way I intended to program it.

mbo2o · October 19, 2018, 11:46pm

$ binwalk openwrt-18.06.1-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1040          0x410           ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
10748         0x29FC          Copyright string: "Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>"
1507328       0x170000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2332282 bytes, 1166 inodes, blocksize: 262144 bytes, created: 2018-08-16 07:51:15

afiskon · October 20, 2018, 12:22pm

@mbo2o,

$ binwalk mikrotik-openwrt.dump

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1824          0x720           CRC32 polynomial table, little endian
132112        0x20410         ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
141820        0x229FC         Copyright string: "Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>"
1638400       0x190000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2332282 bytes, 1166 inodes, blocksize: 262144 bytes, created: 2018-08-16 07:51:15
3997696       0x3D0000        JFFS2 filesystem, big endian

$ binwalk --hexdump --red mikrotik.dump mikrotik-openwrt.dump | head -n 100

OFFSET      mikrotik.dump                                                        mikrotik-openwrt.dump
--------------------------------------------------------------------------------
*
0x0001F000  74 66 6F 53 8B CA E0 08 00 04 00 0C 00 00 00 10 |tfoS............| \ 74 66 6F 53 85 AA E4 DD 00 04 00 0C 00 00 00 10 |tfoS............|
*
0x0001F050  00 04 00 09 00 00 00 00 00 04 00 0F 00 00 00 00 |................| / 00 04 00 09 00 00 00 01 00 04 00 0F 00 00 00 00 |................|
*
0x0001F080  00 04 00 0D 00 00 00 00 00 08 00 06 33 2E 34 31 |............3.41| \ 00 04 00 0D 00 00 00 01 00 08 00 06 33 2E 34 31 |............3.41|
0x0001F090  00 00 00 00 00 08 00 0B 00 00 00 00 00 00 1F BA |................| / 00 00 00 00 00 08 00 0B 00 00 00 00 00 00 21 C7 |..............!.|
*
0x00020000  00 00 00 03 00 00 00 01 FF FF 72 77 00 00 00 00 |..........rw....| \ 00 00 00 01 00 00 00 01 FF FF 6B 65 72 6E 65 6C |..........kernel|
*
0x00020100  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 41 ED |..............A.| / 00 00 00 00 00 00 00 00 00 00 FF FF 00 00 81 A4 |................|
0x00020110  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| \ 00 00 00 6A 00 00 00 6F 5B 75 E4 A7 5B 75 E4 A7 |...j...o[u..[u..|
0x00020120  00 00 00 27 FF FF FF FF FF FF FF FF FF FF FF FF |...'............| / 5B 75 E4 A7 00 16 0C 68 FF FF FF FF FF FF FF FF |[u.....h........|
*
0x000201F0  FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 |................| \ 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF |................|
*
0x00020400  00 00 10 01 30 00 01 05 80 00 00 01 00 00 00 00 |....0...........| / 00 00 10 00 10 00 01 01 E0 00 00 01 00 00 00 00 |................|
0x00020410  00 00 00 03 00 00 00 01 FF FF 6E 6F 76 61 00 00 |..........nova..| \ 7F 45 4C 46 01 02 01 00 00 00 00 00 00 00 00 00 |.ELF............|
0x00020420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 00 02 00 08 00 00 00 01 80 06 00 00 00 00 00 34 |...............4|
0x00020430  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 00 16 0B A0 00 00 00 00 00 34 00 20 00 01 00 28 |.........4.....(|
0x00020440  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 00 05 00 04 00 00 00 01 00 00 10 00 80 06 00 00 |................|
0x00020450  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 80 06 00 00 00 15 FA CC 00 15 FA CC 00 00 00 05 |................|
0x00020460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0x00020510  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 41 ED |..............A.| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020520  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020530  00 00 00 27 FF FF FF FF FF FF FF FF FF FF FF FF |...'............| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020540  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x000205D0  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x000205E0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020600  FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020610  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020810  00 00 10 01 30 00 01 06 80 00 00 01 00 00 00 00 |....0...........| \ 00 00 10 00 00 00 01 01 00 00 00 01 00 00 04 00 |................|
0x00020820  00 00 00 03 00 00 01 06 FF FF 65 74 63 00 00 00 |..........etc...| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0x00020920  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 41 ED |..............A.| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020930  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020940  00 00 00 27 FF FF FF FF FF FF FF FF FF FF FF FF |...'............| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020950  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x000209E0  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x000209F0  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020A10  FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020A20  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020C20  00 00 10 01 30 00 01 07 80 00 01 06 00 00 00 00 |....0...........| \ 00 00 10 00 00 00 01 01 00 00 00 02 00 00 04 00 |................|
0x00020C30  00 00 00 03 00 00 00 01 FF FF 76 61 72 00 00 00 |..........var...| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0x00020D30  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 41 ED |..............A.| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020D40  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020D50  00 00 00 27 FF FF FF FF FF FF FF FF FF FF FF FF |...'............| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020D60  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020DF0  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020E00  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00020E20  FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00020E30  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00021030  00 00 10 01 30 00 01 08 80 00 00 01 00 00 00 00 |....0...........| \ 00 00 10 00 00 00 01 01 00 00 00 03 00 00 04 00 |................|
0x00021040  00 00 00 03 00 00 01 08 FF FF 70 64 62 00 00 00 |..........pdb...| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
0x00021140  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 41 ED |..............A.| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021150  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021160  00 00 00 27 FF FF FF FF FF FF FF FF FF FF FF FF |...'............| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021170  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00021200  FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021210  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00021230  FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 |................| \ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021240  FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................| / 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
~
0x00021440  00 00 10 01 30 00 01 09 80 00 01 08 00 00 00 00 |....0...........| \ 00 00 10 00 00 00 01 01 00 00 00 04 00 00 04 00 |................|
0x00021450  00 00 00 01 00 00 01 09 FF FF 69 6D 61 67 65 00 |..........image.| / 40 80 90 00 40 80 98 00 40 80 68 00 40 08 60 00 |@...@...@.h.@.`.|
0x00021460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 3C 09 10 00 35 29 00 1F 01 09 40 25 39 08 00 1F |<...5)....@%9...|
0x00021470  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 40 88 60 00 00 00 00 C0 40 08 80 00 24 09 FF F8 |@.`.....@...$...|
0x00021480  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 01 09 40 24 35 08 00 03 40 88 80 00 00 00 00 00 |..@$5...@.......|
0x00021490  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 40 80 48 00 40 80 58 00 00 00 00 C0 3C 08 80 A0 |@.H.@.X.....<...|
0x000214A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 25 08 00 5C 04 11 00 01 00 00 00 00 03 E8 40 23 |%..\..........@#|
0x000214B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 11 00 00 1C 00 00 00 00 3C 09 80 A0 25 29 00 00 |........<...%)..|
0x000214C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 3C 0A 80 B6 25 4A FA E0 01 09 40 21 8D 0B 00 00 |<...%J....@!....|
0x000214D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / AD 2B 00 00 21 29 00 04 01 2A 08 2A 14 20 FF FB |.+..!)...*.*....|
0x000214E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 21 08 00 04 3C 08 80 A0 25 08 00 00 3C 09 80 B6 |!...<...%...<...|
0x000214F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 25 29 FA E0 24 0A FF E0 01 0A 40 24 01 2A 48 24 |%)..$.....@$.*H$|
0x00021500  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 24 0A 00 20 10 00 00 04 00 00 00 00 BD 15 00 00 |$...............|
0x00021510  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / BD 10 00 00 01 0A 40 20 15 09 FF FC 00 00 00 00 |......@.........|
0x00021520  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 00 00 00 0F 3C 08 80 B6 25 08 FA E0 3C 09 80 B6 |....<...%...<...|
0x00021530  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| / 25 29 FB 00 10 00 00 03 00 00 00 00 AD 00 00 00 |%)..............|
0x00021540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| \ 21 08 00 04 15 09 FF FD 00 00 00 00 3C 1D 80 B6 |!...........<...|
0x00021550  00 00 00 00 00 00 00 00 00 00 FF FF 00 00 81 A4 |................| / 27 BD 1B 00 27 BD FF F0 3C 08 80 A0 25 08 09 34 |'...'...<...%..4|
0x00021560  00 00 00 00 00 00 00 00 00 00 00 27 00 00 00 27 |...........'...'| \ 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0x00021570  00 00 00 27 00 00 00 00 FF FF FF FF FF FF FF FF |...'............| / 8F A2 00 10 00 80 58 25 8F AC 00 14 83 AA 00 1B |......X%........|

Even if we assume the image was just written with offset 0x00020000 (because we see ELF file at offset 0x00020410) there are bytes that were changed before 0x00020000 and there was a JFFS2 file system created.

I'm not an expert in OpenWRT or embedded devices though. Maybe these changed were made after the first boot.

zorxd · October 22, 2018, 9:06pm

yes I think the jffs2 partition is created on the first boot to store the settings, as the squashfs is read only