Adding OpenWrt support for MikroTik cAP ac

I'd like to add support for MikroTik cAP ac, but I've never done it before.

It's similar to RB450Gx4 and hAP ac² that are WIP, but it's simpler (no nand, no switch, no sdcard, no usb, same arch and routerboot)

What has been successfully done:

  1. Serial port connected
  2. EEPROM dumped (in-circuit, with CH341A and SOIC clip)
  3. DTB dumped (with binwalk) and DTS decompiled (with dtc, without errors)
  4. Techdata page filled (possibly a bit early, but I believe the support will be completed :slight_smile:)
  5. Device page filled

Well, I checked out @robimarko's tree and mmaker's tree and created a new device. I've tried DTS, from EEPROM, and manually created one but it doesn't boot. I see nothing on the serial port except this log: MikroTik rb450gx4 support. It definitely loads ELF file from my TFTP, but then fails and reboots.

Can I publish decompiled DTS file here? Looks like it should be under GPL, as it's inside linux kernel; on the other hand it's reverse engineering...

Nice to see some work on cAP ac.
First, I would enable UART.
That could be done by modifying hard config bits since you have already dumped the flash.
That would let you see where it fails; I think that it fails on the aux loader as it tries to write to a UART port that is not initialised.

Also, you can freely post the DTS/DTB, it's not reverse engineering at all since DTB can always be converted to DTS using dtc.

Are there any docs or tools for this, or is it manual magic?

https://sergio.outerface.net/misc/qcom-ipq4018-capac.dts

Only manually.

Those IPQ DTS-es are only useful to dig for GPIO pins for POE, buttons, etc as I found that pinctrl tends to be wrong and it appears that they still hardcode some stuff into drivers.


The main problem was the wrong pinout. I mistakenly thought that if the console reacts to key presses in the terminal and produces some output, this is TX. I was completely wrong: it was CPU RESET :slightly_smiling_face:. It's designed for in-circuit flash programming.

Serial console is enabled and I couldn't even imagine that it would be so easy!
In the RB3011UiAS-2HnD-IN topic I've found a link to lan23.ru that explains how to do it:

The lowest bit must be changed from 1 to 0 for the parameter with the 0x15 tag.
Example:

00 04 00 15 00 28 40 01
                      ↓
00 04 00 15 00 28 40 00

In my case it was:

A7 0B 0B 15 00 04 00 01
                      ↓
A7 0B 0B 15 00 04 00 00

Moreover: OpenWrt BOOTS NOW! :partying_face:
It runs with the manually created DTS that I mentioned above. But I'm really new to DTS, never done this before, and I barely understand anything that is written there :slight_smile:

I'll publish my results soon.

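Added example for this thread (not code from the post above or from OpenWrt): it locates the hard-config tag 0x15 in a NOR dump, clears the lowest bit of its value as described above, and reports exactly which bytes changed so the patched image can be checked against the backup before flashrom writes it. It assumes the tag header is a little-endian 32-bit word with the tag id in the low 16 bits and the value length in the high 16 bits, so the "15 00 04 00 01" bytes quoted in the thread are tag 0x15, length 4, value 1; the sample dump is constructed.

```python
import struct
import sys

HW_OPTIONS_TAG = 0x15      # the "0x15 tag" from the thread (hardware options word)
HW_OPT_NO_UART = 1 << 0    # lowest bit set = serial console disabled


def tag_header(tag_id: int, value_len: int) -> bytes:
    # Assumed layout: little-endian u32, tag id in low 16 bits, payload length in high 16 bits,
    # so "15 00 04 00" is tag 0x15 with a 4-byte value.
    return struct.pack("<I", tag_id | (value_len << 16))


def find_hw_options(image: bytes) -> int:
    """Return the offset of the 4-byte value of tag 0x15; raise if absent or ambiguous."""
    hdr = tag_header(HW_OPTIONS_TAG, 4)
    first = image.find(hdr)
    if first < 0:
        raise ValueError("hw-options tag 0x15 not found in dump")
    if image.find(hdr, first + 1) >= 0:
        raise ValueError("tag 0x15 header occurs more than once; refusing to guess")
    return first + len(hdr)


def enable_uart(image: bytes) -> bytes:
    """Return a copy of the dump with the NO_UART bit cleared (bit 0 of the u32 value)."""
    off = find_hw_options(image)
    (val,) = struct.unpack_from("<I", image, off)
    if not val & HW_OPT_NO_UART:
        return bytes(image)                      # already enabled, leave the image untouched
    out = bytearray(image)
    struct.pack_into("<I", out, off, val & ~HW_OPT_NO_UART)
    return bytes(out)


def changed_bytes(a: bytes, b: bytes) -> list[tuple[int, int, int]]:
    """(offset, old, new) for every byte that differs; a sane patch changes exactly one byte."""
    if len(a) != len(b):
        raise ValueError("images differ in length; wrong dump?")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed stand-in for a dump: the bytes quoted in the thread ("A7 0B 0B 15 00 04 00 01")
# plus the rest of the u32 value, padded with filler; a real dump is the full 16 MiB from flashrom.
SAMPLE_DUMP = b"\x00" * 16 + bytes.fromhex("A70B0B15000400" "01000000") + b"\xff" * 16

if __name__ == "__main__":
    # Usage: python3 patch_uart.py backup.bin patched.bin (no args: run on SAMPLE_DUMP)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_DUMP
    patched = enable_uart(image)
    for off, old, new in changed_bytes(image, patched):
        print(f"0x{off:06x}: {old:02x} -> {new:02x}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Only write the patched file if the report shows a single changed byte at the expected position; anything else means the tag search matched the wrong place.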

BTW, Russian is my first language, so I can easily help with any questions regarding lan23.ru or any other.

Thanks for the information @532910.

I was following similar information available on enabling serial on the hAP ac2:

https://forum.openwrt.org/t/support-for-mikrotik-hap-ac2/23333/5

modifying the hard config partition, available on the same address.

I was able to read the flash using the CH341a and SOIC clip, and found the config similar to yours:

15 00 04 00 01

Did you modify the backup of nor-flash and write the complete image, or is there a way to just modify the needed byte?

Did you modify the backup of nor-flash and write the complete image

yes

is there a way to just modify the needed byte?

I don't know, I use flashrom and it supports only complete image writing.

You can actually make a layout and write only parts.
But flashrom will anyway flash only the changed bits.

flashrom -w says: Erasing and writing flash chip... Erase/write done. and it takes a long time, so it doesn't look like it.

Well, that is not correct behaviour.
Which version is that?

Hi,

I tried flashing the modified image:

Before flashing:

  • The UART pins connected to a USB-to-UART adapter; PBL messages were displayed in minicom
  • Backup of the entire flash taken (in-circuit)
  • Modified 15 00 04 00 01 to 15 00 04 00 00 in the flash image backup
  • Flashed the new image into the flash using flashrom:
$ sudo flashrom --programmer ch341a_spi -w  mtik_cap_ac.bin 
flashrom v1.2-4-gad08aef on Linux 4.15.0-62-generic (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25Q128.V..M" (16384 kB, SPI) on ch341a_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... FAILED at 0x0007e282! Expected=0xff, Found=0xef, failed byte count from 0x0007e000-0x0007efff: 0x1
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x0005013c! Expected=0xff, Found=0xbf, failed byte count from 0x00050000-0x00057fff: 0x3
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00290052! Expected=0xff, Found=0x7f, failed byte count from 0x00290000-0x0029ffff: 0x4
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x0015941d! Expected=0xff, Found=0xfd, failed byte count from 0x00000000-0x00ffffff: 0x75
ERASE FAILED!
Reading current flash chip contents... done. Looking for another erase function.
FAILED at 0x00038001! Expected=0xff, Found=0xf0, failed byte count from 0x00000000-0x00ffffff: 0x32f
ERASE FAILED!
Reading current flash chip contents... 

done. Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
No usable erase functions left.
FAILED!
Uh oh. Erase/write failed. Checking if anything has changed.
Reading current flash chip contents... done.
Apparently at least some data has changed.
Your flash chip is in an unknown state.
Please report this on IRC at chat.freenode.net (channel #flashrom) or
mail flashrom@flashrom.org, thanks!

After flashing, the PBL output that was being displayed on the serial stopped. The device is not booting into RouterOS.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       262 - PBL, Start
B -      1342 - bootable_media_detect_entry, Start
B -      1683 - bootable_media_detect_success, Start
B -      1697 - elf_loader_entry, Start
B -      5104 - auth_hash_seg_entry, Start
B -      7271 - auth_hash_seg_exit, Start
B -    577868 - elf_segs_hash_verify_entry, Start
B -    694289 - PBL, End
B -    694313 - SBL1, Start
B -    782841 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    784364 - boot_flash_init, Start
D -     45978 - boot_flash_init, Delta
B -    834540 - boot_config_data_table_init, Start
D -      3857 - boot_config_data_table_init, Delta - (419 Bytes)
B -    842012 - clock_init, Start
D -      7566 - clock_init, Delta
B -    853780 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    857269 - sbl1_ddr_set_params, Start
B -    862257 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    866750 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_i.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       262 - PBL, Start
B -      1342 - bootable_media_detect_entry, Start
B -      1683 - bootable_media_detect_success, Start
B -      1697 - elf_loader_entry, Start
B -      5104 - auth_hash_seg_entry, Start
B -      7271 - auth_hash_seg_exit, Start
B -    577869 - elf_segs_hash_verify_entry, Start
B -    694290 - PBL, End
B -    694314 - SBL1, Start
B -    782842 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    784365 - boot_flash_init, Start
B -   3115669 - Boot error ocuured!. Error code: 302a

Tried the stable version 1.1 of flashrom, with same results.

Was I supposed to take out the NOR flash for read and write?

Which version is that?

1.2-5 from debian sid

Have you read this:

and this:
https://openwrt.org/inbox/toh/mikrotik/mikrotik_rbcapgi-5acd2nd_cap_ac#pin_header
?

@532910 Thanks Sergio, I modified the UART connection and removed CPU reset, but at the time of flashing it was connected to CPU reset.

I am still facing the same issue flashing into the NOR.

++ pulled down the CPU reset pin to ground.

Isn't PBL part of the SoC ROM in the case of ipq40xx? Any thoughts on why modifying the flash could have affected the PBL log on UART?

Any suggestion? Thanks.

F..., I'm sorry, it's my fault! Please check the updated pinout.

From what I see, you made a dump and then flashed it but since the pinout was partially incorrect it managed to corrupt the NOR?

PBL is indeed part of the SoC, but it's really small and is used only to load the SBL1, which is the first thing on the SPI-NOR; that is the log you see over UART.
If @532910 has a valid bootloader dump, you can simply make a layout file and flash only that.

From what I see, you made a dump and then flashed it but since the pinout was partially incorrect it managed to corrupt the NOR?

While reading works fine, writing requires CPU RESET to be low.

No worries! Just an opportunity to learn more about the platform now! :grin:

Thanks @robimarko. I'll try flashing the bootloader; I hope there are no restrictions on the TrustZone/QSEE to flash other devices' bootloader?

@532910 if possible can you please share your flash dump?

Just shorting the CPU RESET pin to ground is sufficient for this, right?

There are no restrictions as safe boot is not active.