It's too late I already messed the router (it's a brick now 
)
I managed to get the DTS that was backed up in my UBI.bin extracted from the original dump :
// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
/dts-v1/;
#include "mt7981.dtsi"
#include "mt7981-pinctrl.dtsi"
/ {
model = "Netgear WAX210";
compatible = "netgear,wax210", "mediatek,mt7981";
aliases {
serial0 = &uart0;
led-boot = &led_power;
led-failsafe = &led_power;
led-running = &led_power;
led-upgrade = &led_power;
};
chosen {
stdout-path = "serial0:115200n8";
};
leds {
compatible = "gpio-leds";
led_power: power {
label = "green:power";
gpios = <&pio 13 0>;
default-state = "on";
};
led_amber {
label = "amber:power";
gpios = <&pio 12 0>;
default-state = "off";
};
};
keys {
compatible = "gpio-keys";
reset {
label = "reset";
gpios = <&pio 1 1>;
linux,code = <KEY_RESTART>;
};
};
};
&uart0 {
status = "okay";
};
ð {
status = "okay";
phy-mode = "gmii";
phy-handle = <&phy0>;
mdio {
phy0: ethernet-phy@0 {
reg = <0>;
phy-mode = "gmii";
};
};
};
&spi0 {
pinctrl-names = "default";
pinctrl-0 = <&spi0_flash_pins>;
status = "okay";
spi_nand@0 {
#address-cells = <1>;
#size-cells = <1>;
compatible = "spi-nand";
reg = <0>;
spi-max-frequency = <52000000>;
partitions {
compatible = "fixed-partitions";
#address-cells = <1>;
#size-cells = <1>;
partition@0 {
label = "bl2";
reg = <0x0 0x100000>;
read-only;
};
partition@100000 {
label = "u-boot-env";
reg = <0x100000 0x80000>;
};
partition@180000 {
label = "factory";
reg = <0x180000 0x200000>;
read-only;
};
partition@380000 {
label = "fip";
reg = <0x380000 0x200000>;
read-only;
};
partition@580000 {
label = "firmware";
reg = <0x580000 0x3A80000>;
};
};
};
};
&pio {
spi0_flash_pins: spi0-pins {
mux {
function = "spi";
groups = "spi0", "spi0_wp_hold";
};
conf-pu {
pins = "SPI0_CS", "SPI0_HOLD", "SPI0_WP";
drive-strength = <8>;
bias-pull-up = <103>;
};
conf-pd {
pins = "SPI0_CLK", "SPI0_MOSI", "SPI0_MISO";
drive-strength = <8>;
bias-pull-down = <103>;
};
};
};
not sure it's the first version though cause I played a bit with it...
I ran this python script to get the dtb from the ubi.bin partition : (commented in French but nothing crazy to understand I think)
import sys
import struct
def find_dtbs(filename):
# Signature magique du Device Tree (d0 0d fe ed) Big Endian
DTB_MAGIC = b'\xd0\x0d\xfe\xed'
with open(filename, 'rb') as f:
data = f.read()
file_len = len(data)
offset = 0
found_count = 0
print(f"Analyse de {filename} ({file_len} bytes)...")
while True:
# Chercher la signature magique
offset = data.find(DTB_MAGIC, offset)
if offset == -1:
break
# On a trouvé un header potentiel
print(f"\n[+] Header DTB trouvé à l'offset: {offset} (0x{offset:x})")
# Lire la taille du DTB (elle est stockée 4 octets aprÚs le magic)
# Format: Magic(4) + TotalSize(4) en Big Endian
try:
totalsize_bytes = data[offset+4 : offset+8]
totalsize = struct.unpack('>I', totalsize_bytes)[0]
print(f" Taille déclarée: {totalsize} bytes")
# VĂ©rification de bon sens (un DTB fait rarement plus de 200KB ou moins de 100 bytes)
if 100 < totalsize < 200000:
dtb_content = data[offset : offset+totalsize]
output_name = f"extracted_{found_count}.dtb"
with open(output_name, 'wb') as out:
out.write(dtb_content)
print(f" ---> Extrait vers : {output_name} â
")
found_count += 1
else:
print(" ---> Faux positif (taille incohérente).")
except Exception as e:
print(f" Erreur de lecture: {e}")
# Avancer pour chercher le suivant
offset += 4
print(f"\nTerminé. {found_count} fichier(s) .dtb extrait(s).")
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python find_dtb.py <fichier_ubi>")
else:
find_dtbs(sys.argv[1])
from there I ran :
dtc -I dtb -O dts extracted_0.dtb > wax210.dts
(don't pay attention to warnings)
and I got the dts
(or what I think looks like it 
)