Mercury MAC1200R same as TP-Link TL-WR841N V13

The MAC1200R v2 firmware is not implemented very well, although the double uboot makes it more robust than others.
I reviewed the log and referred to the WR841N source. The MAC1200R v2 is not a real dual-image design; it uses another small uboot (64KB instead of 128KB) as second-stage code. To the first-stage uboot, the second-stage code looks just like a normal kernel image.
At first I was confused by the double uboot appearance; I thought the first uboot should be protected more securely. But after I typed "erase uboot", it erased the content from 0-0x30000. That pushed me to try another uboot immediately. Fortunately, it works, so my MAC1200R v2 can still be handled, with no need to unsolder the flash chip.

@yq0019, I emailed you my art.bin and modified DTS file. I also included a new Uboot you might want to take a look at.

Please provide some feedback so I can maybe improve a little. I left the second Uboot-2 partition as-is, to make it easier to revert to stock should a user wish to do so. It's like you said: flash the OEM Uboot (the first) back and it will ask for OEM firmware and handle the rest from there.

The major concern is that the "factory-info" and "art" partitions share the same 64kB block with the Uboot, so during a Uboot upgrade we need to make sure we flash those back into their original place inside this block.

@pepe2k made a nice uboot-update script so I'm not going to re-invent the wheel.
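
The concern in the post above, sketched as an added example (not part of the original thread and not @pepe2k's script): build the image for the shared erase block from a backup so the calibration regions land back at their original offsets. The 64 kB block size is from the post; the function names and the `keep` region list are hypothetical, and the real offsets must come from the device's own partition layout.

```python
BLOCK_SIZE = 0x10000  # 64 kB erase block, the size named in the post above

def merge_boot_block(backup, new_uboot, keep):
    """Build the image to write over the erase block shared with the bootloader.

    backup    -- the block exactly as read from flash before the upgrade
    new_uboot -- replacement bootloader, placed at offset 0 of the block
    keep      -- [(offset, length), ...] regions carried over from backup
                 (hypothetical layout; use the device's real partition table)
    """
    if len(backup) != BLOCK_SIZE:
        raise ValueError("backup must be exactly one erase block")
    keep = sorted(keep)
    end = 0
    for off, length in keep:
        if off < end or length <= 0 or off + length > BLOCK_SIZE:
            raise ValueError("bad or overlapping region at 0x%x" % off)
        end = off + length
    # The new bootloader must stop before the first preserved region.
    limit = keep[0][0] if keep else BLOCK_SIZE
    if len(new_uboot) > limit:
        raise ValueError("new bootloader overlaps a preserved region")
    # Erased NOR flash reads back as 0xFF, so unused space is padded with it.
    image = bytearray(b"\xff" * BLOCK_SIZE)
    image[:len(new_uboot)] = new_uboot
    for off, length in keep:
        image[off:off + length] = backup[off:off + length]
    return bytes(image)

def preserved_intact(backup, image, keep):
    """True if every preserved region is byte-identical in backup and image."""
    return all(backup[o:o + n] == image[o:o + n] for o, n in keep)
```

Run `preserved_intact` once on the merged image before writing and again on a fresh read of the block after writing.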

@drbrains
Thanks for sending the art file.
After appending the art file to uboot, a whole 128K image was written to FLASH. Then the original factory firmware works well, just like on a fresh device.

The uboot you sent me actually cannot work standalone.:grinning:
I cannot use this uboot to write a linux image to 0x40000.
This command is not working: cp.b 0x82000000 0x40000 0x3800ac
And another command is not executed correctly (see log below).
So the problem is how to use this uboot to write the kernel to 0x40000.

--Log start--
TFTP from server 192.168.1.100; our IP address is 192.168.1.1
Filename 'lede-17.01.4-ramips-mt7628-mac1200r-v2-squashfs-sysupgrade.bin'.
 TIMEOUT_COUNT=10,Load address: 0x82000000
done
Bytes transferred = 3670188 (3800ac hex)
NetBootFileXferSize= 003800ac
MT7628 # md.b 0x82000000
82000000: 27 05 19 56 6b 99 bd 21 59 e6 41 ec 00 12 85 37    '..Vk..!Y.A....7
82000010: 80 00 00 00 80 00 00 00 df 28 84 53 05 05 02 03    .........(.S....
82000020: 4d 49 50 53 20 4c 45 44 45 20 4c 69 6e 75 78 2d    MIPS LEDE Linux-
82000030: 34 2e 34 2e 39 32 00 00 00 00 00 00 00 00 00 00    4.4.92..........
MT7628 #   md.b 0xbc040000 0x220
bc040000: 58 11 61 47 78 11 55 65 14 10 33 57 13 15 02 10    X.aGx.Ue..3W....
bc040010: 11 01 55 35 01 10 55 75 05 11 a1 50 10 10 07 01    ..U5..Uu...P....
MT7628 #   cp.b 0x82000000 0x40000 0x3800ac
Usage:
cp      - memory copy
MT7628 # help cp.b
cp 
cp.uboot
    - copy uboot block
cp.linux
    - copy linux kernel block
MT7628 # spi erase 0x40000 0x3800ac
erase offs 0x40000, len 0x3800ac
.........................................................
MT7628 # cp.linux
 Copy linux image[3670188 byte] to SPI Flash[0x00040000].... 
MT7628 #   md.b 0xbc040000 0x220
bc040000: 58 11 61 47 78 11 55 65 14 10 33 57 13 15 02 10    X.aGx.Ue..3W....
bc040010: 11 01 55 35 01 10 55 75 05 11 a1 50 10 10 07 01    ..U5..Uu...P....
MT7628 # printenv
bootcmd=tftp
bootdelay=2
baudrate=57600
ethaddr="00:AA:BB:CC:DD:10"
stdin=serial
stdout=serial
stderr=serial
filesize=3800ac
fileaddr=82000000
ipaddr=192.168.1.1
serverip=192.168.1.100
--LOG END--

The content in FLASH is wrong. I don't know why uboot copies wrong data to flash.

Now I have erased the uboot from FLASH and I cannot recover with uboot; I am recovering it manually with spi write. It is almost bricked if powered down...:frowning:

The MAC1200R is bricked.
I will try to recover it when I have time.
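
A readback check for the situation in the log above, as an added example that is not part of the original thread: it parses the 64-byte legacy uImage header that `md.b 0x82000000` shows in RAM and applies the same test to the bytes read back from 0xbc040000. The two byte strings are transcribed from the log; the function names are hypothetical.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956      # legacy U-Boot image magic
HEADER_FMT = ">7I4B32s"        # big-endian, 64 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Bytes transcribed from the md.b dumps in the log above.
RAM_DUMP = bytes.fromhex(
    "27 05 19 56 6b 99 bd 21 59 e6 41 ec 00 12 85 37"
    "80 00 00 00 80 00 00 00 df 28 84 53 05 05 02 03"
    "4d 49 50 53 20 4c 45 44 45 20 4c 69 6e 75 78 2d"
    "34 2e 34 2e 39 32 00 00 00 00 00 00 00 00 00 00")
FLASH_DUMP = bytes.fromhex(
    "58 11 61 47 78 11 55 65 14 10 33 57 13 15 02 10"
    "11 01 55 35 01 10 55 75 05 11 a1 50 10 10 07 01")

def parse_header(buf):
    """Return the uImage header fields as a dict, or raise ValueError."""
    if len(buf) < 4 or struct.unpack(">I", buf[:4])[0] != UIMAGE_MAGIC:
        raise ValueError("bad magic: %s" % buf[:4].hex())
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    (_magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, type_, comp, name) = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = buf[:4] + b"\0\0\0\0" + buf[8:HEADER_LEN]
    return {"size": size, "load": load, "entry": entry, "dcrc": dcrc,
            "os": os_, "arch": arch, "type": type_, "comp": comp,
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
            "hcrc_ok": zlib.crc32(zeroed) & 0xFFFFFFFF == hcrc}

def verify_readback(expected, readback):
    """Compare a flash readback with the image that was loaded into RAM."""
    try:
        hdr = parse_header(readback)
    except ValueError as exc:
        return "FAIL: " + str(exc)
    if not hdr["hcrc_ok"]:
        return "FAIL: header CRC mismatch"
    n = min(len(expected), len(readback))
    if expected[:n] != readback[:n]:
        return "FAIL: readback differs from loaded image"
    return "OK: %s, payload %d bytes" % (hdr["name"], hdr["size"])
```

On the logged bytes the RAM copy parses as a MIPS Linux kernel image named "MIPS LEDE Linux-4.4.92", while the flash readback fails at the magic check.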

The Uboot I sent you should be flashed as the 1st (only) Uboot, starting at 0xBC000000. It has the webpage included, triggered by the reset button. It will flash Lede/OpenWRT or anything, since there is no check as long as the file size is within limits (0x7b0000).
Alternatively, use UART console and Uboot menu option:
2: Load system code then write to Flash via TFTP.

I have it running on my own device. I can send you a “diff” with the SDK mentioned a few posts up to show you what I changed.

Hi Richard,
It is too late to see your email.
Thank you very much.
I will fix it when I have time.

BTW: I think keeping the CLI working is more important. The menu choice is good, but it gives less information to let others know how to choose.

Thank you again for your help.

I am already cleaning up the code. I added the Uboot update to the simple webpage as well. This is to make it easier to update or revert back to the OEM Uboot. For this reason I feel it’s important to leave the second Uboot partition, even if it's useless for any alternate firmware and in essence we lose 64KB for user-selected packages.

I also modified the reset button test during boot not to add extra delay. It is now part of the BootDelay loop, with a one time test just in case the user decides to remove or set to zero in the writable Uboot environment.

I think for 1st time factory-to-OpenWRT we should use a RAM image via TFTP with a minimal but functional OpenWRT and some scripts to help the user to upgrade the Uboot so the system-upgrade images can be used after.

I think I am late to this. Can you possibly share this work please? I just got myself a MAC1200R V2.

Could one of you experts share the specific method for flashing uboot on the MAC1200v2? Thanks~

Thank you very much~~ Thank you very much~~

This is really a long time ago.
You can get modified Uboot from here, then you can flash any firmware.
However, 8M FLASH can't install any applications at all. After replacing it with 16M FLASH, it makes sense.

Hi @yq0019, I tried your uboot and modified it with my device's info, but it still didn't skip the RSA checking.

Finally, I found the easiest way to flash openwrt into it.

  1. Replace the original uboot with breed pascal for MT7628
  2. Restart and press reset button.
  3. From breed menu, flash firmware with latest openwrt stable version for initramfs
  4. Restart and run openwrt.
  5. From software upgrade menu, flash with the proper squashfs version.
  6. Restart and enjoy.

In case you need to revert to the original firmware, do the following steps:

  1. Press reset when starting router.
  2. From breed menu, flash uboot with your original uboot.
  3. Restart and press reset button.
  4. From Mercury simple web, flash the original firmware