Large flash and qtnfmac driver for R7500v1

Do I understand it correctly that the firmware for the Quantenna Topaz chips is missing? I don't have any experience with wifi drivers, but I found an old driver package with the firmware while trying to make my R7500 usable again: https://github.com/ILOVEPIE/qts1kpcie_wifi_driver/tree/BuildScripts/kernel/quantenna_qts1kpcie/files/lib/firmware

It's absolutely huge but maybe it works.

Edit: I compiled OpenWrt and put the firmware files from the latest stock sources (130) at the locations specified in the kernel log. It uploads everything correctly but shows a firmware execution failure ~50 seconds later.

As you already know this is the incompatible firmware I mentioned earlier.
Actually it boots correctly and you can even enable 5G using TTL console. This firmware is I think so called softmac used in genuine Netgear firmware.

I even contacted guys from Quantenna and AFAIK the firmware is ready but stuck in legal department.
The other problem is acquisition of Quantenna but other company, so the firmware release it rather low priority and no one know when and if it happens.

Ok, thank you for the info.

Hopefully the new firmware also means that the connection issues with ac get resolved.

It is really sad :cry: that they developed a new full mac driver but not published the firmware for it...better to remove it from the kernel and commit it as closed code than give a false hopes...

Hi,

I saw the patch that increases flash size of the R7500v2 (by using the Netgear partition).
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=57b1e951b52010e42c64ee617e0b5b9d547d3a0d
Is there a reason why this was not done for the R7500v1, too?

OK, in case of the R7500v1 the Netgear partition would only add 12M, but the "reserve" partition would add another 70MB. Is there a reason not to use "reserve"?

On my R7500v1 the "reserve" partition is filled with 0xFF.

One reason is that the developers with capability to merge the change probably do not have a r7500v1 to test on.

If you or another user does the work, tests, and submits a PR like what was done for the r7800 and r7500v2, then it is possible it will get merged. There is forum thread describing what was done for the r7500v2 (including testing) here.

Note in the linked post above, I found that settings made while using the "stock" image were preserved even after flashing openwrt followed by reflashing stock. The speculation is that the "reserve" partition is where the stock images save these settings. If the reserve partition is overwritten, some extra effort might be required to go back to stock - perhaps reformatting the partition? I don't know and I don't have an r7500v1 so you or another user will have to experiment.

HTH

EDIT: if you do decide to experiment, make a backup of any partition you overwrite... and keep in mind that you might not be able to go back.

@anon98444528 Thanks for your reply and for the link to your post in the R7500v2 thread. I actually missed that.
When I got the router I reset it to factory defaults. So this may explain why "reserve" is empty. OTOH it does not matter - even if the OEM firmware stores stuff there, rolling back to factory default is all we need to do, right? So the only partition I would have to worry about is "netgear" and I don't see why or how this should be different from the R7500v2 or R7800.
Remains the proof...
Alas, in the age of high-speed unlimited internet it may seem strange to you but I have very limited bandwidth and pay for download volume right now (being in a very remote area close to the arctic circle...). If I'm correct your repo on git is 186MB, plus all the feeds...
So this would have to wait. :cry:

If in doubt, it's better to be very conservative about repurposing flash partitions. Especially considering that the r7500 v1 only comes with 256 MB RAM (which means you can't install/ run everything but the kitchen sink anyways).

1 Like

my repo isn't relevant or necessary for the r7500v1 and is out of date. Don't waste your download budget on it - just clone/download the official openwrt git repo and work with that. You will only have to edit a few lines of the dts file anyway.

if you remove/overwrite the "reserve" partition, there might be a chance you won't be able to use the OEM firmware even after re-flashing it. The r7800 and r7500v2 OEM firmware have code to check and rebuild the "netgear" partition if it missing/damaged. @hnyman did not find similar logic for the "reserve" partition which is why he (and I) avoided removing it.

If I lived in a remote area, could not easily replace the device, and risked losing something I needed (like 5GHz wifi), I would not take the risk. Use your own judgement.

EDIT: based on the post of another user above in this thread, it does look like OEM firmware will at least boot and run after having used an openwrt image with the "reserve" partition removed. How well the OEM firmware runs and if it can still save settings are some of the things I suspect you would have to experiment with and demonstrate to get the change merged into openwrt.

Please correct me if I am wrong, but my understanding of flash memory was that an mtd partition is just a bunch of flash cells from address x to address y. There is no "boot sector", no partition table, no backup partition tables. The boundaries are set arbitrarily and hard coded.
As I wrote before, on my router the "reserve" partition was filled with 0xFF (= unprogrammed flash). So there would be nothing to be restored or even repaired in the "reserve" address space.

Meanwhile I compiled OpenWRT 19.07.04 with a changed dts file.
(I did this on a VPS server I almost forgot I still had. :wink: That helped me to avoid downloading the sources to my computer up here.)
Result:
The full flash is available now, 86.8Mb in overlay, and I can still use the official packages.

So I got everything I wanted, but...
how to give back?

I filled the overlay partition with a recognizable pattern:
yes "" | tr "\n" "1" | dd of=/overlay/work/test
Then I rolled back to the OEM image and played a bit with it. Everything I tried worked.
Finally I installed the stock OpenWRT image (with the limited flash), backed up mtd6 ("netgear") and mtd7 ("reserve") and compared to the backups I had made before.

Result:
mtd6 ("netgear") has been overwritten. The pattern has vanished. I quickly screened the contents for strings. At the beginning of "netgear" there is still (or again?) some OpenWRT stuff. The rest is OEM.

mtd7 ("reserve") still contains UBI tags, the pattern "1", and OpenWRT stuff (like USB IDs). So it seems the OEM firmware has not touched "reserve" at all. Not at first OEM installation, when it all read 0xFF, not after rolling back from OpenWRT. Apparently the OEM firmware completely ignores it.

Question is: Is this a problem?
The only issue I can think of would be if any later version of the OEM firmware makes use of "reserve" and does so by writing to an erase block without first erasing it. But wouldn't that be utterly... unprofessional?

First off, my complements on successfully making the change.

Regarding the reserve partition, I'm really not the person to ask.

If your stock /dev/mtd7 partition really was blank and unformatted (contained no ubifs volumes/data) then I don't see how overwriting it is a problem. In this case, if netgear sends out an update that makes use of it, then they would have to format/prepare it.

Regardless, I hope you kept a copy of your stock /dev/mtd7 partition as you may need it later to convince the dev's it's really blank. (I'm not the one you need to convince).

The r7500v2 "reserve" partition does contain 3 ubifs volumes, "pot", "config", and "language_volume". "pot" and "config" are empty, but my "language_volume" does contain some data. Nothing that looks terribly important but I'm not the best person to judge that.

I can post the tools/commands I used to backup and examine my /dev/mtd7. If you have a backup of your stock "reserve" partition, you can use something similar to take a look at yours. (EDIT: please ask if you wan't this - I won't otherwise post it as it seems the r7500v1 and the r7500v2 are different and it is somewhat lengthy).

HTH

Hi HTH,

Thank you for your response.

I still have the backed up mtd7 and I did a
xxd -p R7500v1.mtd7.bin | grep -v f
which yielded - nothing.
Thus, thank you for your offer, but I am not sure what else I could possibly do to convince the devs that it was empty.

OTOH I found this box on ebay. Second hand. It had the OEM firmware on it, but how would I know how the previous owner messed with it and whether it really was in OEM condition?

Anyways, it is not a big change I made and it's not rocket science. But it will add value to those who picked this box because the toh lists it with 128MB flash and who are surprised to find only 8MB but shy away from re-compiling OpenWRT.

So if the devs approve I can provide a diff. Towards OpenWRT 19.07.4 or current master.
Or I can clone the repo to GitHub and send a pull request.
I am just not sure how to proceed or if anyone is interested at all, especially since this router seems to be considered as "outdated and unfit" already:

It's all a matter of perspective. :wink:
The router I replaced with it had only 64MB RAM. And 256MB should be plenty for a wireguard tunnel, so that I can safely control this place via the internet when I am not here, even though my ISP does all he can to prevent me from doing so. :wink:

1 Like

Begin EDIT:

dd if=R7500v1.mtd7.bin 2>/dev/null | tr -d '\377' | wc -c

I think should return 0 if every value in the partition is decimal 255/0xFF/octal 377.

Don't spend too much time trying to prove a negative. Submit at PR at github (for just the expanded flash - link this forum thread and specifically your posts in which you did the testing), post a link to the github PR here and encourage other r7500v1 users to comment (at the github PR and not just this forum thread) about the contents of their /dev/mtd7 aka "reserve" partition.

At least one user above has posted the contents of their /dev/mtd7 partition so you can use that as "evidence" to start.

Be patient, courteous, and responsive with the dev's (just like you have been here) as it may take a while to get accepted into master and longer to make it into a "stable" build.

that will be up to the dev's - and I wouldn't worry too much about having got the box on ebay - likely the "devs" will ask other r7500v1 users to check.

the xxd command you used does give some non-zero output for my "reserve" partition but it is mostly zeros...

other things you or other users might want to try on a mtd backup include strings R7500v1.mtd7.bin, "ubireader_display_info R7500v1.mtd7.bin", ubireader_extract_images R7500v1.mtd7.bin, then binwalk -e any ubifs volumes that get extracted with a non zero size which in your case should be none..
End EDIT

Looks like you are on your way... good luck.

Thank you for reminding me - I forgot he had made his files available.
I checked his mtd7 backup and it is like mine: all 0xFF = unprogrammed flash.

Just to avoid any confusion: Yours is a R7500v2, right?
The xxd command does a hex dump of the entire file, he -p switch drops the leading '0x', and the result is piped through grep, checking for an inverse match of the letter 'f'. So any byte that is not all '1' (binary) will show up. The return code of the command last executed (which is grep) is '1', which means "no match".

Correct.

My r7500v2 reserve partition has 3 ubifs volumes, 2 empty and one with data. In your PR you should mention that the r7500v1 and the r7500v2 are different in the respect that the r7500v1 apparently does not use its reserve partition. I suspect the r7800 is similar to the r7500v2

For other r7500v1 users that might want to verify that the "reserve" partition is empty "in place" (i.e. on the device without having to download a copy):

xxd is not available by default in openwrt but can be installed with:

opkg update
opkg install xxd

Alternatively, the dd/tr/wc commands are available by default and the command to run is:

dd if=/dev/mtd7 2>/dev/null | tr -d '\377' | wc -c

which should return 0 on an r7500v1

I can confirm a result of "0"

Did you ever get 5ghz wifi working ? I don't see this enabled yet in the OpenWRT 23.05.0-rc2 , was going to spend some time getting it working for a R7500v1 I have here.