LANTIQ (TP-LINK) bootloader crash course

hello,

SWIM obtained a TP-LINK AX50 today, and was quite bemused to see the lack of a u-boot menu.

is this normal for TP-LINK routers, or is this due to the device being an intel variant?

nonetheless, this friend of mine wants to solicit expertise from the community-at-large in translating a kernel and rootfs (squashed and ubinized) to a tp-link flashable firmware.

he assumes you need to use some commands in the u-boot. here's what he gave me:

ROM VER: 2.1.0
CFG 0a
B
.
.


U-Boot 2010.06-dirty-LANTIQ-v-2.3.149 (Jul 08 2020 - 12:59:31)

interAptiv
cps cpu/ddr run in 800/666 Mhz
DRAM:  224 MiB
NAND:  NAND device: Manufacturer ID: 0xc8, Chip ID: 0xd1 (Gigadevice NAND 128MiB 3,3V 8-bit)
128 MiB
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
In:    serial
Out:   serial
Err:   serial
Net:   multi type
Internal phy firmware version: 0x8548
GRX500 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0 
GRX500 # help
?       - alias for 'help'
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
go      - start application at address 'addr'
help    - print command description/usage
loadb   - load binary file over serial line (kermit mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
secboot - Command to Boot TOS
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
ubi     - ubi commands
upgrade - upgrade - forward/backward copy memory to pre-defined flash location
GRX500 # printenv
bootcmd=run flash_flash
bootdelay=1
baudrate=115200
preboot=echo;echo Type \"run flash_nfs\" to mount root filesystem over NFS;echo
bootfile="uImage"
mem=224M
phym=224M
ipaddr=192.168.1.1
serverip=192.168.1.2
ethaddr=00:E0:92:00:01:40
sup_mac=32
res_mac=2
netdev=eth0
console=ttyLTQ0
tftppath=
loadaddr=0x80800000
rootpath=/mnt/full_fs
rootfsmtd=/dev/mtdblock6
nfsargs= setenv bootargs ubi.mtd=system_sw root=/dev/nfs rw nfsroot=$(serverip):$(rootpath)
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):on
addmisc=setenv bootargs $(bootargs) console=$(console),$(baudrate) ethaddr=$(ethaddr) panic=1 $(mtdparts) init=/etc/preinit active_bank=$(active_bank) update_chk=$(update_chk) maxcpus=4 pci=pcie_bus_perf ethwan=$(ethwan) ubootver=$(ver) mem=256M@512M Production=$(Production) 
flash_nfs=run nfsargs addip addmisc;bootm $(kernel_addr)
net_nfs=run run_bootcore;tftp $(loadaddr) $(tftppath)$(bootfile);run nfsargs addip addmisc;bootm
net_flash=run run_bootcore;tftp $(loadaddr) $(tftppath)$(bootfile); run flashargs addip addmisc; bootm
net_ram=run run_bootcore;tftp $(loadaddr) $(tftppath)$(bootfile); run ramargs addip addmisc; bootm
u-boot=u-boot.ltq
rootfs=rootfs.img
firmware=firmware.img
fullimage=fullimage.img
totalimage=totalimage.img
load=tftp $(loadaddr) $(u-boot)
update=protect off 1:0-2;era 1:0-2;cp.b $(loadaddr) B0000000 $(filesize)
flashargs=setenv bootargs ubi.mtd=system_sw rootfsname=$(rootfsname) ro rootfstype=squashfs do_overlay
flash_flash=run run_bootcore;ubi read $(loadaddr) $(kernel_vol);run flashargs addmisc;bootm $(loadaddr);reset
update_nandboot=tftp $(loadaddr) $(tftppath)u-boot-nand.bin;nand erase 0 100000;nand erase 2C0000 FA00000;nand write.partial $(loadaddr) 0 $(filesize)
ubi_init=setenv kernelA_id 0;setenv rootfsA_id 1;setenv firmwareA_id 2;setenv kernelB_id 3;setenv rootfsB_id 4;setenv firmwareB_id 5;setenv bootcoreA_id 6; setenv bootcoreB_id 7;setenv setbank check_image$(update_chk);run $(setbank);ubi part system_sw
update_chk=0
switchbankA=setenv active_bank A;setenv kernel_id $(kernelA_id);setenv rootfs_id $(rootfsA_id);setenv f_kernel_size f_kernel_sizeA;setenv kernel_vol kernelA;setenv rootfs_vol rootfsA;setenv firmware_vol firmwareA;setenv rootfsname rootfsA;setenv bootcore_vol bootcoreA
switchbankB=setenv active_bank B;setenv kernel_id $(kernelB_id);setenv rootfs_id $(rootfsB_id);setenv f_kernel_size f_kernel_sizeB;setenv kernel_vol kernelB;setenv rootfs_vol rootfsB;setenv firmware_vol firmwareB;setenv rootfsname rootfsB;setenv bootcore_vol bootcoreB
check_image0=run switchbankA
check_image1=run switchbankB;setenv update_chk 0;save
check_image2=run switchbankB
check_image3=run switchbankA;setenv update_chk 2;save
update_uboot=tftp $(loadaddr) $(tftppath)$(u-boot); nand write.partial $(loadaddr) 0x4000 $(filesize);reset
update_kernel=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(bootfile);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)
update_bootloader=update_uboot
update_rootfs=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(rootfs);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)
update_fullimage=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(fullimage);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)
update_totalimage=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(totalimage);upgrade $(loadaddr) $(filesize)
update_gphyfirmware=tftpboot $(loadaddr) $(tftppath)gphy_firmware.img;nand write.partial $(loadaddr) 0x180000 $(filesize);re
gphy_fw_addr=0x180000
update_bootcore=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(bootcore);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)
run_bootcore=run ubi_init; ubi read 0xA0400000 $(bootcore_vol) ; secboot load_os 0x88000000 0xA0400000 0x200000
bootcore=uImage_bootcore
reset_uboot_config=nand erase $(f_ubootconfig_addr) $(f_ubootconfig_range);nand erase $(f_red_ubootconfig_addr) $(f_ubootconfig_range);
reset_ddr_config=nand write.partial 80400000 $(f_ddrconfig_addr) $(f_ddrconfig_size)
reset_sysconfig=run ubi_init;ubi remove sysconfig;ubi remove sysconfigA;ubi remove sysconfigB
mtdparts=mtdparts=17c00000.nand-parts:1m(uboot),256k(ubootconfigA),256k(ubootconfigB),256k(gphyfirmware),1m(calibration),124m(system_sw),-(res)
part0_begin=0x00000000
part1_begin=0x00040000
part2_begin=0x002C0000
part3_begin=0x07000000
part4_begin=0x07040000
part5_begin=0x07080000
total_part=6
flash_end=0x07FFFFFF
data_block0=uboot
data_block1=kernel
data_block2=rootfs
data_block3=sysconfig
data_block4=ubootconfig
data_block5=dectconfig
total_db=6
f_uboot_addr=0x00000000
f_uboot_size=0x40000
f_ubootconfig_addr=0x100000
f_ubootconfig_size=0x4000
f_ubootconfig_end=0x07040FFF
f_ubootconfig_range=0x40000
f_red_ubootconfig_addr=0x140000
f_gphy_firmware_addr=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_START_ADDR
f_gphy_firmware_size=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_SIZE
f_gphy_firmware_end=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_END_ADDR
f_kernel_addr=0x00040000
f_kernel_size=0
f_kernel_end=IFX_CFG_FLASH_KERNEL_IMAGE_END_ADDR
f_rootfs_addr=0x002C0000
f_rootfs_size=0
f_rootfs_end=IFX_CFG_FLASH_ROOTFS_IMAGE_END_ADDR
f_fwdiag_addr=IFX_CFG_FLASH_FIRMWARE_DIAG_START_ADDR
f_fwdiag_size=IFX_CFG_FLASH_FIRMWARE_DIAG_SIZE
f_sysconfig_addr=0x07000000
f_sysconfig_size=0x10000
f_dectconfig_addr=0x07080000
f_dectconfig_size=0x400
f_wlanconfig_addr= IFX_CFG_FLASH_WLAN_CFG_START_ADDR
f_wlanconfig_size=IFX_CFG_FLASH_WLAN_CFG_SIZE
f_ddrconfig_addr=0x00003fe8
f_ddrconfig_size=24
f_ddrconfig_end=0x00003fff
stdin=serial
stdout=serial
stderr=serial
ver=U-Boot-2010.06-dirty-LANTIQ-v-2.3.149
ethact=GRX500 Switch

Environment size: 5861/16379 bytes

early relevant portions of the bootlog

ROM VER: 2.1.0
CFG 0a
B
.
.


U-Boot 2010.06-dirty-LANTIQ-v-2.3.149 (Jul 08 2020 - 12:59:31)

interAptiv
cps cpu/ddr run in 800/666 Mhz
DRAM:  224 MiB
NAND:  NAND device: Manufacturer ID: 0xc8, Chip ID: 0xd1 (Gigadevice NAND 128MiB 3,3V 8-bit)
128 MiB
Bad block table found at page 65472, version 0x01
Bad block table found at page 65408, version 0x01
In:    serial
Out:   serial
Err:   serial
Net:   multi type
Internal phy firmware version: 0x8548
GRX500 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0 
Creating 1 MTD partitions on "nand0":
0x0000002c0000-0x000007ec0000 : "mtd=5"
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=5"
UBI: MTD device size:            124 MiB
UBI: number of good PEBs:        992
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     5
UBI: available PEBs:             349
UBI: total number of reserved PEBs: 643
UBI: number of PEBs reserved for bad PEB handling: 9
UBI: max/mean erase counter: 2/0
bootcoreA volume not found
Volume kernelA found at volume id 0
read 0 bytes from volume 0 to 80800000(buf address)
Read [3145728] bytes
## Booting kernel from Legacy Image at 80800000 ...
   Image Name:   MIPS LTQCPE Linux-3.10.104
   Created:      2020-07-08   5:17:29 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3145664 Bytes = 3 MiB
   Load Address: a0020000
   Entry Point:  a002df00
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.10.104 (raymond@Raymond) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 15.05_ltq) ) #1 SMP Wed Jul 8 13:17:08 CST 2020
[    0.000000] TLBINV/F supported, config4=0xc0000000
[    0.000000] TLBINV/F supported, config4=0xc0000000
[    0.000000] SoC: GRX500 rev 1.2
[    0.000000] GCMP present

binwalk of stock fw (what a mess!!)

GagansMacPro:router Gagan$ binwalk ~/Downloads/Archer\ AX50\(US\)_V1_200708/ax50v1_intel-up-ver1-0-9-P1\[20200708-rel55037\]_signed.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
4519          0x11A7          uImage header, header size: 64 bytes, header CRC: 0xB7455DE6, created: 2020-07-08 07:18:29, image size: 29654552 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x506ACDE2, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: none, image name: "TP-Link Totalimage"
4591          0x11EF          uImage header, header size: 64 bytes, header CRC: 0xF85FFD41, created: 2020-07-08 07:18:28, image size: 150864 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x888C4C94, OS: Linux, CPU: MIPS, compression type: lzma, image name: "U-Boot Img"
39107         0x98C3          CRC32 polynomial table, little endian
51855         0xCA8F          CRC32 polynomial table, little endian
55855         0xDA2F          uImage header, header size: 64 bytes, header CRC: 0x908FBBD4, created: 2020-07-08 05:01:29, image size: 99600 bytes, Data Address: 0xA0400000, Entry Point: 0xA0400000, data CRC: 0x38F8E3FA, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "u-boot image"
55919         0xDA6F          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 343580 bytes
155519        0x25F7F         uImage header, header size: 64 bytes, header CRC: 0xCD4DD048, created: 2020-07-08 07:18:29, image size: 131072 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x6C65B573, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: "gphyfw"
155583        0x25FBF         uImage header, header size: 64 bytes, header CRC: 0xE76A1040, created: 2020-07-08 05:01:39, image size: 29176 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x6D88B827, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: "GPHY Firmware"
155655        0x26007         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 65664 bytes
286655        0x45FBF         uImage header, header size: 64 bytes, header CRC: 0x846655C1, created: 2020-07-08 07:17:38, image size: 26226688 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x78134F7C, OS: Linux, CPU: MIPS, image type: Filesystem Image, compression type: lzma, image name: "LTQCPE RootFS"
286719        0x45FFF         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 26223172 bytes, 5462 inodes, blocksize: 131072 bytes, created: 2020-07-08 07:17:37
26513407      0x1948FFF       uImage header, header size: 64 bytes, header CRC: 0xC71E56C7, created: 2020-07-08 05:17:29, image size: 3145664 bytes, Data Address: 0xA0020000, Entry Point: 0xA002DF00, data CRC: 0xD79B6C75, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS LTQCPE Linux-3.10.104"
26513471      0x194903F       LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 9232128 bytes

oh, he says if he's being graded on the soldering, then:


Don't know if it's possible, but maybe that v3 header RSA signature check could be solved by replacing the TP-Link public key, using the following root access:

to check if your device is rsa-signed, binwalk the stock firmware.

if binwalk shows just one file (i.e. it cannot pick out separate bootloader, kernel and rootfs images inside the blob), then the device has secure boot enabled.

if it shows several nested images instead, then secure boot is not enabled.

this is a pro tip from daniel schwierzeck, who maintained the lantiq u-boot port.