OpenWrt support for WAX206

For Developers
21

There are a few screws from the stand itself. Once you get those open, the panel on the bottom (if you orient it based on the majority of the ethernet ports) opens via the plastic claws. They actually used pretty good plastic for the plastic claws and its rather thick. I got mine opened without considering breakage and nothing broke.

For ease of access, I also ended up drilling a hold right next to the reset hole and fished a USB-TTL cable through. In my homelab environment I like to have console access to as many devices as possible, without needing to plug things in.

22

Okay, thanks for the information.
Your commend gave me enough courage to apply a bit of force, that allowed me to open the box without anything breaking.

23

So we can telnet into the device and get full access. All the commands needed for OpenWRT to update the firmware is there. However, I don't really see instructions on how to create a firmware for a model. Any ideas?

24

Well, it's currently not supported, so there's no image.

25

OK - So compiling a new image, how can I pick both 2 target systems or do I even need to? The driver for the network switch is under the Realtek MIPS target and the wifi drivers are under the Mediatek RaLink ARM. I did try a compile and sysupgrade, but I was unable to connect to the router afterwards.

Here's some dev doc's that may help others.

MediaTek Dev Docs

26

So the image worked to the extent I tested. However, it appears Netgear added a protection where once I rebooted, it hashed the sdram and if it did not match what was expected, it reflashed to stock and rebooted again.

27

Thnx for the feedback.

There might be a watch dog, but I still haven't hooked up mine to serial.

Post the dmesg, and lspci after a complete boot, printenv from uboot as well, don't think it's been posted previously.

28

Got around and soldered the serial console, but the solder they used have a high melting point (or my iron's too weak), I really struggled with one of the holes, and ended up drilling it instead.

anyway, here's the uboot printenv.

MT7622> printenv
arch=arm
atf_filename=trustzone.bin
backup_os_need_check=1
baudrate=115200
board=mt7622_evb
board_name=mt7622_evb
boot0=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename}; bootm
boot1=download_setting kernel;tftpboot ${loadaddr} ${kernel_filename};run boot_wr_img;run boot_rd_img;bootm
boot10=if dialog "WARNING, this operation will flash all partitions (preloader + atf + uboot + linux)";then download_setting flashimage;tftpboot ${loadaddr} ${flashimage_filename};run wr_flashimage;invaild_env;else echo "operation aborted by user";fi;
boot2=run boot_check_backup_os;run boot_rd_img;bootm
boot3=download_setting uboot;tftpboot ${loadaddr} ${uboot_filename};run wr_uboot;invaild_env
boot4=loadb;run wr_uboot;invaild_env
boot5=download_setting atf;tftpboot ${loadaddr} ${atf_filename};run wr_atf
boot6=download_setting preloader;tftpboot ${loadaddr} ${preloader_filename};run wr_pl
boot7=download_setting hdr;tftpboot ${loadaddr} ${hdr_filename};run wr_rom_hdr
boot8=download_setting ctp;tftpboot ${loadaddr} ${ctp_filename};run wr_ctp
boot9=run boot_rd_ctp;boot_to_ctp
boot_backup_img=run boot_check_os; if test ${check_os_error} = 0; then nand read ${loadaddr} 0x2C0000 0x2600000;nand erase.spread 0x28C0000 0x2600000;nand write ${loadaddr} 0x28C0000 0x2600000 ;fi
boot_check_backup_os=setenv skip_load_os 1;nand read ${loadaddr} 0x28C0000 0x2600000;check_image;bootm; setenv skip_load_os 0;if test ${check_os_error} = 1; then  echo Bad backup os !!;run boot_backup_img; else setenv backup_os_need_check 0;fi
boot_check_os=setenv skip_load_os 1; run boot_rd_img;bootm;setenv skip_load_os 0;if test ${check_os_error} = 1; then echo Bad os !!;fi
boot_nmrp_clr_str_blks=nand erase.spread  ${stringtableoffset}  ${stringtablefreesize}
boot_nmrp_wr_str=filesize_check 0x40000;if test ${filesize_result} = good; then str_blks ; if test ${str_blk_crc} = ok;then nand erase.spread  ${stringtableoffset}  ${filesize};nand write ${loadaddr}  ${stringtableoffset} ${filesize};fi;fi
boot_rd_ctp=nand read 0x40000000 0x1400000 3000000
boot_rd_img=nand read ${loadaddr} 0x2C0000 0x2600000;check_image
boot_restore_img=setenv backup_os_need_check 1; run  boot_check_backup_os; if test ${backup_os_need_check} = 0; then nand read ${loadaddr} 0x28C0000 0x2600000;nand erase.spread 0x2C0000 0x2600000;nand write ${loadaddr} 0x2C0000 0x2600000 ;reset;fi
boot_version=20210401
boot_wr_img=decrypt_image;if test ${decrypt_result} = good; then filesize_check 0x2600000;if test ${filesize_result} = good; then check_image; setenv skip_load_os 1;bootm;setenv skip_load_os 0;if test ${check_os_error} = 0; then nand erase.spread 0x2C0000  ${filesize};nand write ${loadaddr} 0x2C0000 ${filesize};else echo Bad os !!; fi;fi;fi
bootcmd=No
bootdelay=3
bootfile=iverson_uImage
bootmenu_0=1. System Load Linux to SDRAM via TFTP.=run boot0
bootmenu_1=2. System Load Linux Kernel then write to Flash via TFTP.=run boot1
bootmenu_10=b. System Load SingleImage then write to Flash via TFTP.=run boot10
bootmenu_2=3. Boot system code via Flash.=run boot2
bootmenu_3=4. System Load U-Boot then write to Flash via TFTP.=run boot3
bootmenu_4=5. System Load U-Boot then write to Flash via Serial.=run boot4
bootmenu_5=6. System Load ATF then write to Flash via TFTP.=run boot5
bootmenu_6=7. System Load Preloader then write to Flash via TFTP.=run boot6
bootmenu_7=8. System Load ROM header then write to Flash via TFTP.=run boot7
bootmenu_8=9. System Load CTP then write to Flash via TFTP.=run boot8
bootmenu_9=a. System Load CTP then Boot to CTP (via Flash).=run boot9
bootmenu_delay=30
cpu=armv7
ctp_filename=ctp.bin
ethact=mtk_eth
ethaddr=AA:BB:CC:DD:EE:FF
fdt_high=0x6c000000
fenv_factory=off
fenv_model=WAX206
fenv_region=EU
flashimage_filename=flashimage.bin
gpt_filename=GPT_EMMC
hdr_filename=hdr.binary
invaild_env=no
ipaddr=192.168.1.1
kernel_filename=iverson_uImage
loadaddr=0x4007FF28
preloader_filename=preloader_fpga7622_64_ldvt.bin
serverip=192.168.1.100
soc=mt7622
stderr=serial
stdin=serial
stdout=serial
stringtablefreesize=0
stringtableoffset=0x5bc0000
uboot_filename=u-boot-mtk.bin
vendor=mediatek
wr_atf=filesize_check 0x20000;if test ${filesize_result} = good; then mtk_image_blks 131072;nand erase.spread 0x80000   ${filesize} ;mtk_image_blks 2048;nand write ${loadaddr} 0x80000 ${filesize};fi
wr_ctp=filesize_check 0xF20000;if test ${filesize_result} = good; then nand erase.spread 0x1400000 3000000 ;nand write ${loadaddr} 0x1400000 3000000;fi
wr_flashimage=decrypt_image;if test ${decrypt_result} = good; then filesize_check 0x8000000;if test ${filesize_result} = good; then nand erase.chip ;nand write ${loadaddr} 0x0 8000000;fi;fi
wr_pl=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 40000 ;nand write ${loadaddr} 0x00000 40000;fi
wr_rom_hdr=filesize_check 0x40000;if test ${filesize_result} = good; then nand erase.spread 0x00000 20000 ;nand write ${loadaddr} 0x00000 20000;fi
wr_uboot=filesize_check 0x80000;if test ${filesize_result} = good; then mtk_image_blks 131072;if test ${check_boot_error} = 0;then nand erase.spread 0xC0000  ${filesize} ;nand write ${loadaddr} 0xC0000 ${filesize};fi;fi

MT7622> help
?       - alias for 'help'
backup_message- print backup message.
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
boot_to_ctp- boot to ctp
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootmenu- ANSI terminal bootmenu
bootp   - boot image via network using BOOTP/TFTP protocol
check_image- check image in load_addr.
chpart  - change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
ctp_check- check if ctp in load_addr is normal.
decrypt_image- decrypt image in load_addr.
dialog  - echo args to console, and get yes or no response from user
download_setting- set download image file name , and device IP , server IP before upgrade
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
esw_read- esw_read   - Dump external switch/GMAC status !!

exit    - exit script
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
filesize_check- check if filesize of the image that you want to upgrade is normal.
go      - start application at address 'addr'
help    - print command description/usage
image_blks- read image size from img_size or image header if no specifying img_size, and divided by blk_size and save image blocks in image_blks variable.
image_check- check if image in load_addr is normal.
iminfo  - print header information for application image
imxtract- extract a part of a multi-image
invaild_env- need to invaild env.
itest   - return true/false on integer compare
led     - <set|clear|blink>  <power|net|wifin|wifia>  <green|red>
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mdio    - mdio   - Mediatek PHY register R/W command !!

mm      - memory modify (auto-incrementing address)
mmd     - mmd   - Mediatek MMD PHY register R/W command !!

mtdparts- define flash/nand partitions
mtk_image_blks- read image size from image header (MTK format) located at load_addr, divided by blk_size and save image blocks in image_blks variable.
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
nmrp    - netgear nmrp tools
nor     - nor   - nor flash command

ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reco_message- print recovery message.
reg     - reg   - Mediatek PHY register R/W command !!

reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
serious_image_check- seriously check if image in load_addr is normal.
setenv  - set environment variables
showvar - print local hushshell variables
sleep   - delay execution for some time
snor    - snor   - spi-nor flash command

source  - run script from memory
str_blks- check str table blk from load_addr
switch_rxcal- Re-cal PHY Rx DC offset of mt7531 switch !!
switch_txcal- Re-cal PHY Tx offset of mt7531 switch !!
swreg   - swreg   - Mediatek switch register R/W command !!

test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpsrv - act as a TFTP server and boot the first received file
true    - do nothing, successfully
uboot_check- check if uboot in load_addr is normal.
version - print monitor, compiler and linker version
3 Likes
29

There's a service starting during boot, called S99telnetenabled, it runs in the background, and I guess it's checking if the telnet have been enabled, somewhere, but I don't know where.

but, if one got serial access, it's easy to enable telnet anyway.

simply run ln -s /etc/init.d/telnet /etc/rc.d/S99telnet, or service telnet start, if it isn't needed after a reboot.

EDIT: seems the old telnetenable2 utility works here, execute with params, and telnet will be enabled.
Additional info can be found here: https://www.myopenrouter.com/article/telnetenable-netgear-r7000-and-netgear-r7500
link (not mine) to archive with Windows and Linux binaries: http://www.mediafire.com/file/tcen54n6k66yu58/telnetenable2.zip/file

30

Yeah, it took me upping my temp quite a bit to melt the solder that was there. Any idea on the watchdog you mentioned? I see some interesting things in the uboot printenv, but I dont know enough about uboot yet to understand it all.

31

Not yet, haven't tried to boot the image I created, want to see it for myself, and
have access to additional commands, from the openwrt image.

Btw, try the telnet enable binary I just updated my last post with.

Seems my FW got rolled back to 1.0.1.5 when I pressed the reset button for > 10 sec,
it was previously 1.0.4.0, YMMV.

32

openwrt boot log

bootm flag=0, states=70f
*  kernel: default image load address = 0x4007ff28
## Loading kernel from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.15.49
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x40080010
     Data Size:    4123188 Bytes = 3.9 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x44000000
     Entry Point:  0x44000000
     Hash algo:    crc32
     Hash value:   3f463e45
     Hash algo:    sha1
     Hash value:   e149c7f168b763ae1d17d24a2e38d08eeda854e7
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading ramdisk from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'initrd-1' ramdisk subimage
     Description:  ARM64 OpenWrt linksys_e8450 initrd
     Type:         RAMDisk Image
     Compression:  Unknown Compression
     Data Start:   0x4046eb7c
     Data Size:    4102388 Bytes = 3.9 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: unavailable
     Entry Point:  unavailable
     Hash algo:    crc32
     Hash value:   49331546
     Hash algo:    sha1
     Hash value:   f6a329e0050580944ffcc712cef184b4123d1b5d
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 4007ff28 ...
   Using 'config-1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt linksys_e8450 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x4085857c
     Data Size:    31180 Bytes = 30.4 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   88bdc9e0
     Hash algo:    sha1
     Hash value:   0b2cbca9bf8beea5525917a1948394a087c177b5
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x4085857c
   Uncompressing Kernel Image ... OK
   Loading Ramdisk to 5cb67000, end 5cf508f4 ... OK
   Loading Device Tree to 5cb5c000, end 5cb669cb ... OK

Starting kernel ...

[ATF][   516.892812]save kernel info
[ATF][   516.895749]Kernel_EL2
[ATF][   516.898419]Kernel is 64Bit
[ATF][   516.901507]pc=0x44000000, r0=0x5cb5c000, r1=0x0
INFO:    BL3-1: Preparing for EL3 exit to normal world, Kernel
INFO:    BL3-1: Next image address = 0x44000000
INFO:    BL3-1: Next image spsr = 0x3c9
[ATF][   516.919205]el3_exit
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.15.49 (builder@buildhost) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 11.3.0 r19971-416d4483e8) 11.3.0, GNU ld (GNU Binutils) 2.37) #0 SMP Wed Jun 29 22:23:42 2022
[    0.000000] Machine model: Linksys E8450
[    0.000000] earlycon: uart8250 at MMIO32 0x0000000011002000 (options '')
[    0.000000] printk: bootconsole [uart8250] enabled
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x000000005fffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x0000000042ffffff]
[    0.000000]   node   0: [mem 0x0000000043000000-0x000000004302ffff]
[    0.000000]   node   0: [mem 0x0000000043030000-0x000000005fffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x000000005fffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv0.2 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] percpu: Embedded 17 pages/cpu s29592 r8192 d31848 u69632
[    0.000000] pcpu-alloc: s29592 r8192 d31848 u69632 alloc=17*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: kernel page table isolation disabled by kernel configuration
[    0.000000] CPU features: detected: ARM erratum 843419
[    0.000000] CPU features: detected: ARM erratum 845719
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 129024
[    0.000000] Kernel command line: earlycon=uart8250,mmio32,0x11002000 console=ttyS0,115200n1 swiotlb=512
[    0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes, linear)
[    0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 496828K/524288K available (8640K kernel code, 910K rwdata, 2356K rodata, 448K init, 308K bss, 27460K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] Root IRQ handler: gic_handle_irq
[    0.000000] GIC: Using split EOI/Deactivate mode
[    0.000000] arch_timer: cp15 timer(s) running at 12.50MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2e2049cda, max_idle_ns: 440795202628 ns
[    0.000000] sched_clock: 56 bits at 12MHz, resolution 80ns, wraps every 4398046511080ns
[    0.008244] Calibrating delay loop (skipped), value calculated using timer frequency.. 25.00 BogoMIPS (lpj=125000)
[    0.018642] pid_max: default: 32768 minimum: 301
[    0.023363] Mount-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.030708] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.039538] rcu: Hierarchical SRCU implementation.
[    0.044470] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.052378] smp: Bringing up secondary CPUs ...
[    0.057285] Detected VIPT I-cache on CPU1
[    0.057334] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.057393] smp: Brought up 1 node, 2 CPUs
[    0.072072] SMP: Total of 2 processors activated.
[    0.076788] CPU features: detected: 32-bit EL0 Support
[    0.081944] CPU features: detected: CRC32 instructions
[    0.087187] CPU: All CPU(s) started at EL2
[    0.091297] alternatives: patching kernel code
[    0.099218] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.109111] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[    0.116026] pinctrl core: initialized pinctrl subsystem
[    0.122015] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.128181] DMA: preallocated 128 KiB GFP_KERNEL pool for atomic allocations
[    0.135286] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.143076] DMA: preallocated 128 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.151243] thermal_sys: Registered thermal governor 'fair_share'
[    0.151247] thermal_sys: Registered thermal governor 'bang_bang'
[    0.157359] thermal_sys: Registered thermal governor 'step_wise'
[    0.163387] thermal_sys: Registered thermal governor 'user_space'
[    0.169591] ASID allocator initialised with 65536 entries
[    0.181455] pstore: Registered ramoops as persistent store backend
[    0.187665] ramoops: using 0x10000@0x42ff0000, ecc: 0
[    0.213630] cryptd: max_cpu_qlen set to 1000
[    0.220171] SCSI subsystem initialized
[    0.224035] libata version 3.00 loaded.
[    0.227994] usbcore: registered new interface driver usbfs
[    0.233515] usbcore: registered new interface driver hub
[    0.238873] usbcore: registered new device driver usb
[    0.244874] clocksource: Switched to clocksource arch_sys_counter
[    0.251449] NET: Registered PF_INET protocol family
[    0.256448] IP idents hash table entries: 8192 (order: 4, 65536 bytes, linear)
[    0.264107] tcp_listen_portaddr_hash hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.272507] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[    0.280286] TCP established hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.288092] TCP bind hash table entries: 4096 (order: 4, 65536 bytes, linear)
[    0.295310] TCP: Hash tables configured (established 4096 bind 4096)
[    0.301748] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.308314] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.315395] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    0.321087] PCI: CLS 0 bytes, default 64
[    0.325293] Unpacking initramfs...
[    0.337158] workingset: timestamp_bits=46 max_order=17 bucket_order=0
[    0.346442] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.352305] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.394545] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 250)
[    0.403151] mt7622-pinctrl 10211000.pinctrl: invalid group "pwm_ch7_2" for function "pwm"
[    0.414541] mt-pmic-pwrap 10001000.pwrap: unexpected interrupt int=0x1
[    0.435514] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.443826] printk: console [ttyS0] disabled
[    0.468363] 11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 125, base_baud = 1562500) is a ST16650V2
[    0.477705] printk: console [ttyS0] enabled
[    0.477705] printk: console [ttyS0] enabled
[    0.486080] printk: bootconsole [uart8250] disabled
[    0.486080] printk: bootconsole [uart8250] disabled
[    0.516452] 11004000.serial: ttyS1 at MMIO 0x11004000 (irq = 126, base_baud = 1562500) is a ST16650V2
[    0.526311] 1100c000.serial: ttyS2 at MMIO 0x1100c000 (irq = 130, base_baud = 17499995) is a MediaTek BTIF
[    0.536077] serial serial0: tty port ttyS2 registered
[    0.542162] mtk_rng 1020f000.rng: registered RNG driver
[    0.547790] random: crng init done
[    0.554266] loop: module loaded
[    0.557444] Loading iSCSI transport class v2.0-870.
[    0.563394] mtk-ecc 1100e000.ecc: probed
[    0.569695] spi-nand spi2.0: Toshiba SPI NAND was found.
[    0.575061] spi-nand spi2.0: 256 MiB, block size: 128 KiB, page size: 2048, OOB size: 128
[    0.583296] mtk-snand 1100d000.spi: ECC strength: 12 bits per 512 bytes
[    0.591153] [BBT] BMT.v2 is found at 0x7ff
[    1.290377] Freeing initrd memory: 4004K
[    1.301431] 12 fixed-partitions partitions found on MTD device spi2.0
[    1.307900] Creating 12 MTD partitions on "spi2.0":
[    1.312772] 0x000000000000-0x000000080000 : "Preloader"
[    1.319104] 0x000000080000-0x0000000c0000 : "ATF"
[    1.324390] 0x0000000c0000-0x000000140000 : "u-boot"
[    1.330299] 0x000000140000-0x0000001c0000 : "u-boot-env"
[    1.336630] 0x0000001c0000-0x0000002c0000 : "factory"
[    1.343302] 0x000000300000-0x000000320000 : "devinfo"
[    1.348825] 0x000000320000-0x000000340000 : "senv"
[    1.354050] 0x000000360000-0x000000380000 : "bootseq"
[    1.359715] 0x000000500000-0x000002300000 : "firmware1"
[    1.405362] 0x000002300000-0x000004100000 : "firmware2"
[    1.450925] 0x000004100000-0x000005a00000 : "data"
[    1.489372] 0x000005a00000-0x000006e00000 : "mfg"
[    1.536795] mtk_soc_eth 1b100000.ethernet: generated random MAC address 52:56:d0:23:08:e2
[    1.545279] mtk_soc_eth 1b100000.ethernet eth0: mediatek frame engine at 0xffffffc008ea0000, irq 141
[    1.554930] i2c_dev: i2c /dev entries driver
[    1.560010] mtk-wdt 10212000.watchdog: IRQ index 0 not found
[    1.565810] mtk-wdt 10212000.watchdog: Watchdog enabled (timeout=31 sec, nowayout=0)
[    1.576677] NET: Registered PF_INET6 protocol family
[    1.582385] Segment Routing with IPv6
[    1.586185] In-situ OAM (IOAM) with IPv6
[    1.590138] NET: Registered PF_PACKET protocol family
[    1.595217] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.608253] 8021q: 802.1Q VLAN Support v1.8
[    1.613510] pstore: Using crash dump compression: deflate
[    1.628774] mtk-pcie 1a143000.pcie: host bridge /pcie@1a143000 ranges:
[    1.635348] mtk-pcie 1a143000.pcie: Parsing ranges property...
[    1.641176] mtk-pcie 1a143000.pcie:      MEM 0x0020000000..0x0027ffffff -> 0x0020000000
[    1.791177] mtk-pcie 1a143000.pcie: PCI host bridge to bus 0000:00
[    1.797366] pci_bus 0000:00: root bus resource [bus 00-ff]
[    1.802847] pci_bus 0000:00: root bus resource [mem 0x20000000-0x27ffffff]
[    1.809720] pci_bus 0000:00: scanning bus
[    1.813762] pci 0000:00:00.0: [14c3:3258] type 01 class 0x060400
[    1.819793] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x1ffffffff 64bit pref]
[    1.828482] pci_bus 0000:00: fixups for bus
[    1.832661] pci 0000:00:00.0: scanning [bus 00-00] behind bridge, pass 0
[    1.839362] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    1.847371] pci 0000:00:00.0: scanning [bus 00-00] behind bridge, pass 1
[    1.854162] pci_bus 0000:01: scanning bus
[    1.858377] pci 0000:01:00.0: [14c3:7915] type 00 class 0x000280
[    1.864555] pci 0000:01:00.0: reg 0x10: [mem 0x00000000-0x000fffff 64bit pref]
[    1.871881] pci 0000:01:00.0: reg 0x18: [mem 0x00000000-0x00003fff 64bit pref]
[    1.879206] pci 0000:01:00.0: reg 0x20: [mem 0x00000000-0x00000fff 64bit pref]
[    1.887157] pci 0000:01:00.0: supports D1 D2
[    1.891419] pci 0000:01:00.0: PME# supported from D0 D1 D2 D3hot D3cold
[    1.898054] pci 0000:01:00.0: PME# disabled
[    1.902531] pci 0000:01:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s PCIe x1 link at 0000:00:00.0 (capable of 4.000 Gb/s with 5.0 GT/s PCIe x1 link)
[    1.946086] pci_bus 0000:01: fixups for bus
[    1.950263] pci_bus 0000:01: bus scan returning with max=01
[    1.955836] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[    1.962450] pci_bus 0000:00: bus scan returning with max=01
[    1.968032] pci 0000:00:00.0: BAR 0: no space for [mem size 0x200000000 64bit pref]
[    1.975686] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x200000000 64bit pref]
[    1.983683] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
[    1.990470] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit pref]
[    1.998294] pci 0000:01:00.0: BAR 2: assigned [mem 0x20100000-0x20103fff 64bit pref]
[    2.006120] pci 0000:01:00.0: BAR 4: assigned [mem 0x20104000-0x20104fff 64bit pref]
[    2.013940] pci 0000:00:00.0: PCI bridge to [bus 01]
[    2.018906] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
[    2.025803] pcieport 0000:00:00.0: assign IRQ: got 146
[    2.030945] pcieport 0000:00:00.0: enabling device (0000 -> 0002)
[    2.037053] pcieport 0000:00:00.0: enabling bus mastering
[    2.042481] mtk-pcie 1a143000.pcie: msi#0 address_hi 0x0 address_lo 0x44e2d0c0
[    2.049856] pcieport 0000:00:00.0: PME: Signaling with IRQ 146
[    2.055751] pcieport 0000:00:00.0: saving config space at offset 0x0 (reading 0x325814c3)
[    2.063922] pcieport 0000:00:00.0: saving config space at offset 0x4 (reading 0x100006)
[    2.071928] pcieport 0000:00:00.0: saving config space at offset 0x8 (reading 0x6040000)
[    2.080016] pcieport 0000:00:00.0: saving config space at offset 0xc (reading 0x10000)
[    2.087929] pcieport 0000:00:00.0: saving config space at offset 0x10 (reading 0xc)
[    2.095587] pcieport 0000:00:00.0: saving config space at offset 0x14 (reading 0x0)
[    2.103236] pcieport 0000:00:00.0: saving config space at offset 0x18 (reading 0x40010100)
[    2.111498] pcieport 0000:00:00.0: saving config space at offset 0x1c (reading 0x4200000)
[    2.119672] pcieport 0000:00:00.0: saving config space at offset 0x20 (reading 0x20102000)
[    2.127936] pcieport 0000:00:00.0: saving config space at offset 0x24 (reading 0x0)
[    2.135589] pcieport 0000:00:00.0: saving config space at offset 0x28 (reading 0x0)
[    2.143238] pcieport 0000:00:00.0: saving config space at offset 0x2c (reading 0x0)
[    2.150892] pcieport 0000:00:00.0: saving config space at offset 0x30 (reading 0x0)
[    2.158545] pcieport 0000:00:00.0: saving config space at offset 0x34 (reading 0x50)
[    2.166284] pcieport 0000:00:00.0: saving config space at offset 0x38 (reading 0x0)
[    2.173933] pcieport 0000:00:00.0: saving config space at offset 0x3c (reading 0x20192)
[    2.182250] mtk-pcie 1a145000.pcie: host bridge /pcie@1a145000 ranges:
[    2.188791] mtk-pcie 1a145000.pcie: Parsing ranges property...
[    2.194620] mtk-pcie 1a145000.pcie:      MEM 0x0028000000..0x002fffffff -> 0x0028000000
[    2.414900] mtk-pcie 1a145000.pcie: Port1 link down
[    2.419877] mtk-pcie 1a145000.pcie: PCI host bridge to bus 0001:00
[    2.426059] pci_bus 0001:00: root bus resource [bus 00-ff]
[    2.431539] pci_bus 0001:00: root bus resource [mem 0x28000000-0x2fffffff]
[    2.438411] pci_bus 0001:00: scanning bus
[    2.443497] pci_bus 0001:00: fixups for bus
[    2.447676] pci_bus 0001:00: bus scan returning with max=00
[    2.453642] mtk_hsdma 1b007000.dma-controller: MediaTek HSDMA driver registered
[    2.522487] mt7530 mdio-bus:00: configuring for fixed/2500base-x link mode
[    2.530056] mt7530 mdio-bus:00: Link is Up - 2.5Gbps/Full - flow control rx/tx
[    2.539012] mt7530 mdio-bus:00 lan1 (uninitialized): PHY [mt7530-0:00] driver [MediaTek MT7531 PHY] (irq=147)
[    2.558957] mt7530 mdio-bus:00 lan2 (uninitialized): PHY [mt7530-0:01] driver [MediaTek MT7531 PHY] (irq=148)
[    2.578668] mt7530 mdio-bus:00 lan3 (uninitialized): PHY [mt7530-0:02] driver [MediaTek MT7531 PHY] (irq=149)
[    2.598321] mt7530 mdio-bus:00 lan4 (uninitialized): PHY [mt7530-0:03] driver [MediaTek MT7531 PHY] (irq=150)
[    2.618222] mt7530 mdio-bus:00 wan (uninitialized): PHY [mt7530-0:04] driver [MediaTek MT7531 PHY] (irq=151)
[    2.629173] DSA: tree 0 setup
[    2.632874] xhci-mtk 1a0c0000.usb: xHCI Host Controller
[    2.638127] xhci-mtk 1a0c0000.usb: new USB bus registered, assigned bus number 1
[    2.647173] xhci-mtk 1a0c0000.usb: hcc params 0x01403198 hci version 0x96 quirks 0x0000000000210010
[    2.656258] xhci-mtk 1a0c0000.usb: irq 135, io mem 0x1a0c0000
[    2.662453] hub 1-0:1.0: USB hub found
[    2.666290] hub 1-0:1.0: 2 ports detected
[    2.670551] xhci-mtk 1a0c0000.usb: xHCI Host Controller
[    2.675790] xhci-mtk 1a0c0000.usb: new USB bus registered, assigned bus number 2
[    2.683184] xhci-mtk 1a0c0000.usb: Host supports USB 3.0 SuperSpeed
[    2.689499] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[    2.697877] hub 2-0:1.0: USB hub found
[    2.701637] hub 2-0:1.0: 1 port detected
[    2.706294] UBI error: no valid UBI magic found inside mtd10
[    2.712820] Freeing unused kernel memory: 448K
[    2.774971] Run /init as init process
[    2.778625]   with arguments:
[    2.781582]     /init
[    2.783845]   with environment:
[    2.786984]     HOME=/
[    2.789334]     TERM=linux
[    2.919090] init: Console is alive
[    2.922590] init: - watchdog -
[    2.929546] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    2.939639] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.956294] init: - preinit -
[    3.000137] mtk_soc_eth 1b100000.ethernet eth0: configuring for fixed/2500base-x link mode
[    3.008598] mtk_soc_eth 1b100000.ethernet eth0: Link is Up - 2.5Gbps/Full - flow control rx/tx
[    3.015193] mt7530 mdio-bus:00 lan1: configuring for phy/gmii link mode
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    5.067024] procd: - early -
[    5.069965] procd: - watchdog -
[    5.596625] procd: - watchdog -
[    5.599934] procd: - ubus -
[    5.653221] procd: - init -
Please press Enter to activate this console.
[    5.751627] urngd: v1.0.2 started.
[    5.794138] kmodloader: loading kernel modules from /etc/modules.d/*
[    5.803535] 8139too: 8139too Fast Ethernet driver 0.9.28
[    5.810369] Loading modules backported from Linux version v5.15.33-0-g06f50ca83ace
[    5.817960] Backport generated by backports.git v5.15.33-1-0-g183c4ab2
[    5.862361] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[    5.885320] mt7622-wmac 18000000.wmac: HW/SW Version: 0x8a108a10, Build Time: 20190801210006a
[    5.885320]
[    5.901907] PPP generic driver version 2.4.2
[    5.907536] NET: Registered PF_PPPOX protocol family
[    5.916181] kmodloader: done loading kernel modules from /etc/modules.d/*
[    5.923935] mt7622-wmac 18000000.wmac: N9 Firmware Version: 2.0, Build Time: 20200131180931
[   10.895671] mtk_soc_eth 1b100000.ethernet eth0: Link is Down
[   10.905329] mtk_soc_eth 1b100000.ethernet eth0: configuring for fixed/2500base-x link mode
[   10.913793] mtk_soc_eth 1b100000.ethernet eth0: Link is Up - 2.5Gbps/Full - flow control rx/tx
[   10.917854] mt7530 mdio-bus:00 lan1: configuring for phy/gmii link mode
[   10.930247] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   10.938872] br-lan: port 1(lan1) entered blocking state
[   10.944118] br-lan: port 1(lan1) entered disabled state
[   10.951031] device lan1 entered promiscuous mode
[   10.955691] device eth0 entered promiscuous mode
[   10.969721] mt7530 mdio-bus:00 lan2: configuring for phy/gmii link mode
[   10.979435] br-lan: port 2(lan2) entered blocking state
[   10.981235] mt7530 mdio-bus:00 lan2: Link is Up - 1Gbps/Full - flow control rx/tx
[   10.984668] br-lan: port 2(lan2) entered disabled state
[   10.999285] device lan2 entered promiscuous mode
[   11.006464] br-lan: port 2(lan2) entered blocking state
[   11.011707] br-lan: port 2(lan2) entered forwarding state
[   11.018790] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   11.026496] mt7530 mdio-bus:00 lan3: configuring for phy/gmii link mode
[   11.036162] br-lan: port 3(lan3) entered blocking state
[   11.041400] br-lan: port 3(lan3) entered disabled state
[   11.048850] device lan3 entered promiscuous mode
[   11.058956] mt7530 mdio-bus:00 lan4: configuring for phy/gmii link mode
[   11.068417] br-lan: port 4(lan4) entered blocking state
[   11.073655] br-lan: port 4(lan4) entered disabled state
[   11.081422] device lan4 entered promiscuous mode
[   11.093119] mt7530 mdio-bus:00 wan: configuring for phy/gmii link mode

mtd

dev:    size   erasesize  name
mtd0: 00080000 00020000 "Preloader"
mtd1: 00040000 00020000 "ATF"
mtd2: 00080000 00020000 "u-boot"
mtd3: 00080000 00020000 "u-boot-env"
mtd4: 00100000 00020000 "factory"
mtd5: 00020000 00020000 "devinfo"
mtd6: 00020000 00020000 "senv"
mtd7: 00020000 00020000 "bootseq"
mtd8: 01e00000 00020000 "firmware1"
mtd9: 01e00000 00020000 "firmware2"
mtd10: 01900000 00020000 "data"
mtd11: 01400000 00020000 "mfg"

lspci

01:00.0 Class 0002: 14c3:7915
00:00.0 Class 0604: 14c3:3258

lsusb (there are however no USB ports)

Bus 001 Device 001: ID 1d6b:0002
Bus 002 Device 001: ID 1d6b:0003

@d4rkeagle6591 how long before the watch dog kicked in ?

33

It occurred when I rebooted the device. I rebooted it manually.

34

Just got my WAX206. Came with firmware version 1.0.3.0 US. Failed to get telnetable2 to enable telnet, so I soldered onto the serial terminal.

Once I logged in over serial, I enabled telnet and ssh via uci. In /etc/config/system there is an option disableTelnet that needs to be set to '0', and in /etc/config/dropbear there is an option enable that needs to be set to '1'.

I upgraded the Netgear firmware to version 1.0.4.0 US via the web interface, and ssh continues to work. I haven't tried @frollic's firmware yet - not convinced that I need it yet, seeing as access to ssh and uci enables a lot of scenarios that I care about.

opkg fails because it references 17.01-SNAPSHOT packages that don't exist:
http://downloads.lede-project.org/releases/17.01-SNAPSHOT/targets/mediatek/mt7622/packages/Packages.gz
http://downloads.lede-project.org/releases/17.01-SNAPSHOT/packages/aarch64_cortex-a53_neon-vfpv4/base/Packages.gz

I tried pointing opkg to the 21.02 packages to see if I could install nano. That required modifying /etc/opkg.conf to accept the aarch64_cortex-a53 architecture, and copying the appropriate key into /etc/opkg/keys. That then failed complaining that /overlay was not writable, which is true.

35

Just FYI, it's not a firmware to be used for anything serious, but device exploration.

The driver for the Realtek WAN isn't there, and it's an initramfs, not intended to be written to flash.

1 Like
36

any support for it in near future possible i.e next 12months?

37

Yes, I still plan to seriously work on this. However, likely not before August as I am to lead a hiking group next week and am still busy with preparations there.

1 Like
38

I'm happy to work on this but would love some advice from you experts. Netgear already provides the source for their OpenWRT 17 build, so I guess the goal here is simply to convert it to version 21, right? Is it just a matter of starting with some version 21 template and moving the configuration from the Netgear v17 build over to a version 21 template?

I haven't yet found a guide for this. But I have been collecting lots of information. Maybe I should be creating a device page with what I have. Suggestions welcome, especially from folks with experience with the process.

39

An annotated closeup of the UART pads (J19) after I soldered a pin header on. There's no need to take the board out to get this on. As usual, your serial port needs to connect RX to the router's TX, and TX to the router's RX. Use a 3 pin header to help prevent you from accidentally connecting to VCC.

WAX206_UART_Header
WAX206_UART_Header1920×2560 291 KB

40

As already posted, can't use 21, since the 2.5gbit NIC was added in 5.10, and 21 runs 5.4.

The 21 ship has already sailed, anyway.