Mercury MAC1200R same as TP-Link TL-WR841N V13

This is a notification for all owners of the Mercury MAC1200R V2.
The factory original uboot uses an RSA signature to check the firmware at update time, and checks the flash at boot time, so there is no way to install OpenWRT/LEDE on it.

Fortunately, I found that the TP-Link WR841N has the same architecture as the Mercury MAC1200R V2, MT7628AN+MT7612EN.
So I downloaded the TP-Link WR841N factory firmware, extracted uboot from the .bin and wrote uboot to FLASH with TTL.

After uboot is replaced, everything is easy to control. Boot the router and press Reset for 10 seconds and uboot can automatically fetch tp_recovery.bin from and write it to FLASH.

That's all.

I own a Mercury MAC1200R V2 and I did replace the u-boot myself as well. The partition layout of the WR841N V13 is different compared to the Mercury. It seems to me that when flashing the firmware via the WR841N U-boot, some configuration-partitions will be overwritten (like device MAC address etc).

Hi Drbrains,
You are right. The partition layout is different. For example, the MAC1200Rv2 flash layout uses 0x0-0x1d800 to store the first stage uboot, the configuration area starts at 0x1d800, then 0x30000 is the second stage uboot and 0x40000 is the kernel. For the WR841N, 0x0-0x20000 is the area for only 1 copy of uboot, and the kernel starts at 0x20000.

Although the configuration will be destroyed, the WR841N uboot is a choice for installing LEDE.

What is the uboot you use? Have you modified the factory uboot to accept 3rd party firmware? I have tried to modify the factory uboot but gave up. The MAC1200R uboot is too complex to find the RSA signature check function; /sbin/slpupgrade is simpler, but if it cannot pass the uboot check the modification is useless.

Guys, since the WR841N v13 GPL is available, also full U-boot sources with all modifications.
Why don't you edit it to fit the MAC1200R v2 fully and also create a correct target for OpenWRT?

Much better than destroying all device specific stuff

I will have a look at the GPL code. I used the uboot code from the Padavan project. The MTKSDK version I tried didn't compile properly.

I still need to modify it to include a web interface for flashing and change from the normal partition layout to the reduced memory version that Ralink is using and which is used on the MAC1200R v2.

@yq0019 did you manage to separate the uboot from the kernel in the OEM firmware?? More specifically did you find a way to restore to OEM firmware?

This one will compile cleanly.

If the source of uboot is available, it is good news for me.

Could you give link to fetch WR841N V13 Uboot source? Thanks.

Yes, I use "spi read 0 1d800" to dump all content of the first stage uboot from flash and rebuild the factory original uboot. The second stage uboot and kernel can be extracted from the downloaded factory firmware.
Restoring to OEM firmware is possible. If you have backed up the configuration and recovered it to flash, the restore process can be successful; otherwise the restore process aborts because of HW ID and other check failures.

Is the flash layout plan in file TL-WR840N_V4_GPL\mtk_ApSoC_4320\linux-2.6.36.x\arch\mips\alchemy\gpr\platform.c ? It does not seem to be the same as the actual one.

The layout in source file:

 * 0x00000000-0x00200000 : "kernel"
 * 0x00200000-0x00a00000 : "rootfs"
 * 0x01d00000-0x01f00000 : "config"
 * 0x01c00000-0x01d00000 : "yamon"
 * 0x01d00000-0x01d40000 : "yamon env vars"
 * 0x00000000-0x00a00000 : "kernel+rootfs"

The actual boot information:

[    0.336527] 0x000000000000-0x000000020000 : "boot"
[    0.343153] 0x000000020000-0x0000007c0000 : "firmware"
[    0.404265] 0x000000020000-0x00000017bba4 : "kernel"
[    0.410918] 0x00000017bba4-0x0000007c0000 : "rootfs"
[    0.430417] 0x000000350000-0x0000007c0000 : "rootfs_data"
[    0.437545] 0x0000007c0000-0x0000007d0000 : "config"
[    0.444493] 0x0000007d0000-0x000000800000 : "factory"

Which file should I modify? Could you give some advice on it?

Completely wrong, you are looking at the kernel.
Look, U-boot does not care about partitions at all.
You need to add a target matching your device to OpenWRT and then you can use an initramfs image to sysupgrade.

If uboot does not care about partitions, there is no need to look for the TL-WR841N_V13 uboot source. I only need to find the partition configuration or make a new firmware with the correct partitions. Is that right?

Well, not really.
Because if you don't want U-boot to brick your device when TFTP recovering then you have to make sure the commands for it are correct.

I don't think you really understand that this is not that easy

Thanks for your link to the TL-WR841N_V13 uboot source.
The partition layout is defined in the Uboot source: Uboot/include/configs/rt2880.h.
I will modify source code and try it.

Have you backed up all flash content before installing the Padavan uboot?
I have only dumped 128 bytes of factory data 0x1d800-0x1d880 to show information. Actually the whole 0x1d800-0x30000 is a data area, like below:
0x01d800-0x01e000 : "factory_info"
0x01e000-0x020000 : "art"
0x020000-0x030000 : "config"
Besides, I am not sure what "art" is now. And I don't know the result of running the factory firmware with it missing.
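
As an added example (not code from any poster in this thread): a small Python check that audits a flash backup against the MAC1200R v2 offsets quoted above and lists which of those regions a write to a given range, such as the WR841N boot area 0x0-0x20000, would touch. The function names, the constructed sample image and the use of the M1CT bytes as a marker are assumptions.

```python
import hashlib

# MAC1200R v2 regions as posted in this thread: (name, start, end), end exclusive.
MAC1200R_V2 = [
    ("uboot1",       0x00000, 0x1d800),
    ("factory_info", 0x1d800, 0x1e000),
    ("art",          0x1e000, 0x20000),
    ("config",       0x20000, 0x30000),
    ("uboot2",       0x30000, 0x40000),
]
# First bytes of factory_info in the thread's dump; treating them as a magic is an assumption.
MARKER = b"M1CT"


def clobbered(start, end, layout=MAC1200R_V2):
    """Names of regions that a write to [start, end) would touch."""
    return [n for n, s, e in layout if s < end and start < e]


def is_blank(data):
    """True for erased (all 0xFF) or zero-filled data."""
    return data.count(0xFF) == len(data) or data.count(0x00) == len(data)


def audit_backup(dump, layout=MAC1200R_V2):
    """Carve each region from a flash dump; return (sha256 report, problems)."""
    report, problems = {}, []
    for name, start, end in layout:
        chunk = dump[start:end]
        if len(chunk) != end - start:
            problems.append(f"{name}: dump too short")
            continue
        report[name] = hashlib.sha256(chunk).hexdigest()
        if is_blank(chunk):
            problems.append(f"{name}: blank")  # worth a second look before overwriting flash
    if "factory_info" in report and not dump[0x1d800:].startswith(MARKER):
        problems.append("factory_info: marker not found")
    return report, problems


def constructed_dump():
    """Constructed 256 KiB sample image, not data from a real device."""
    img = bytearray(b"\xff" * 0x40000)
    img[0x00000:0x1d800] = b"\x10" * 0x1d800                  # stand-in boot code
    img[0x1d800:0x1d80d] = MARKER + b"\x01\xf2\x00\x01{mac:"  # header bytes as in the dump
    img[0x30000:0x40000] = b"\x20" * 0x10000                  # stand-in uboot2
    return bytes(img)  # art and config are left erased on purpose


if __name__ == "__main__":
    print(clobbered(0x0, 0x20000))
    print(audit_backup(constructed_dump())[1])
```

Keeping the per-region SHA-256 values next to the backup file makes it possible to confirm later that a restored image matches what was read from the device.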

I did make a backup of all the different partitions. I didn't modify the uboot partitions before, so basically I was losing 64Kb. I will modify the CFG_xx_SIZE now to match the MAC1200R v2 layout. Leaving the Uboot2 partition as is; even if this is not being used by the new Uboot or the Lede/OpenWRT firmware. This is just to keep it easier to revert to stock once I have figured out how to make that process painless. (Not that I want this, but to fully support a router, I think there should be a way to get it back to "factory" new).

I will try to add some simple HTTPD service to be triggered by the reset switch. I have some modified code that was designed to be used on a MT7621. Should not be too complicated to modify it for our needs.

Could you check 0x1d880-0x1e000? Is it all zero? Thanks.

Simple httpd is provided by the MAC1200R v2; the TPLink uboot provides tftp recovery as a similar solution. Although http is more user-friendly, there are lots of youtube video guides about tftp recovery, so I think it is acceptable. If we only need a little modification of the partitions, it costs less time.

To roll back to the factory device, I think three steps are needed: Firstly, use the OpenWRT/LEDE mtd device to write uboot (0x0-0x1d800). Secondly, reboot the MAC1200R; the uboot will automatically start the simple httpd when it fails checking the FLASH RSA signature. Then the MAC1200R v2 factory firmware can be uploaded; it includes the 2nd stage uboot and kernel. Thirdly, press the reset key to clear the configuration.

ART is the calibration partition.
You don't want to lose that

I will check the partitions tomorrow and get back to you on the ART content. I’m not sure if the MT76 driver uses it. I only think it reads the MAC address from the MTD partition as indicated in the .dts file. BTW I updated the .dts file but never got around to push it since it was useless without a modified Uboot anyways.

I created a new Uboot with simple httpd. For me it’s not about the time, but about the learning experience for myself. I need to modify the code a bit more so the ART update and U-boot update won't mess up anything else. Then add some eye candy like the Mercury logo, just because I can :stuck_out_tongue:

The TFTP is still there, but needs a serial connection. Not sure if I want to change that to auto start depending on how long the reset button is pressed. Maybe I will study @pepe2k's code some more and even add the net console. After all, if we need to replace the Uboot with something else we might as well make it fancy and feature rich.

Edit: what about UART baud rate? Should we keep 57600? Or change to a more standard 115200?? Making the modifications in the .dts as well??

Just now I rolled back my MAC1200R v2 to the original factory device even without "art" data. It is very easy. But without art data, the factory firmware shuts down WLAN 2.4G&5G. (Or maybe it is not caused by the art data; another possibility is that the TPWR841N writes a register with wrong data.)

The prerequisite is that the uboot can boot. I think it is not even a prerequisite. :slight_smile:
Step 1: Press t or slp when booting to enter the "MT7628 #" prompt.
Step 2: Type the following commands to write flash. my-factory-backup.bin is a backup of the 0-0x20000 content of FLASH.
setenv ipaddr
setenv serverip
tftpboot 0x82000000 my-factory-backup.bin
erase tplink 0 0x20000
cp.b 0x82000000 0 0x20000

Now you can check the result:
spi read 3e80 0x26
md.b 0xbc003e80
to check current content:
bc003e80: 55 2d 42 6f 6f 74 20 31 2e 31 2e 33 20 28 4e 6f U-Boot 1.1.3 (No
bc003e90: 76 20 32 34 20 32 30 31 36 20 2d 20 30 39 3a 35 v 24 2016 - 09:5
bc003ea0: 31 3a 31 30 29 00 00 00 00 00 00 00 00 00 00 00 1:10)...........
spi read 1d800 0x26
md.b 0xbc01d800
to check current content:
bc01d800: 4d 31 43 54 01 f2 00 01 7b 6d 61 63 3a 11 22 33 M1CT....{mac:._.
bc01d810: 44 55 66 2c 70 69 6e 3a 00 00 00 00 00 00 00 00 ...,pin:........
bc01d820: 2c 64 65 76 49 64 3a 41 41 41 41 41 41 41 41 41 ,devId:AAAAAAAAA
bc01d830: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
Note: Here I hide my mac and devId for privacy :wink:
Step 3: Reboot the MAC1200R; it enters recovery mode automatically. So you can connect an ethernet cable to your MAC1200R. Then you can access and upload firmware that you downloaded from the Mercury website.
Now the firmware is the factory original version.

I tried just flashing the OEM U-boot without adding the factory_config and art partitions inside the 0x20000 block. This will result in the firmware not getting accepted because of missing HwID. I had to reflash the U-boot including the factory_config and art partitions in order to get the OEM webpage to accept the OEM firmware.

(I actually messed that up and ended up using my RPi to flash the whole rom via SPI. Has nothing to do with the Uboot and/or OEM firmware, just me not paying attention to what/where to flash). I didn't bother to unsolder the chip and did an ISP flash, which is also not really the best thing to do :wink: