The mtd15 can be downloaded here: https://www.dropbox.com/s/n0uac1azj9ucryr/mtd15?dl=0
@ReDaLeRt sent me the dumps. What we have is as follows:
- 0:SBL1 is XBLLoader from QcomPkg. It does look like it authenticates U-Boot (given that Xiaomi configured it correctly, which is quite likely, this should be the case). U-Boot is loaded either from 0:APPSBL or from 0:APPSBL_1.
- 0:APPSBL and 0:APPSBL_1 (contain the same binaries) from the disassembly look like pretty much the same U-Boot 2016.01 from QCA QSDK and use a hardcoded bootipq command to load images.
I do not see a way to control this U-Boot from any writable and unsigned source tbh. There is a confusing part with ubootcmd being present in mtd14, but I do not think it is read by U-Boot. I will probably have a deeper look, but so far it feels like a dead end.
Actually board_init code in AX9000 is not different from the original QCA U-Boot and they apparently have:
CONFIG_ENV_IS_NOWHERE = 0
CONFIG_ENV_IS_IN_NAND = 1
CONFIG_QCA_MMC = 1
In this case, if SMEM reports that NAND is in use (which I have doubts about, but that is a chance), 0:APPSBLENV will be loaded as U-Boot environment. If true, one should be able to add atf=1 to 0:APPSBLENV, and U-Boot will use normal unsigned kernel loading (do_boot_unsignedimg).
That is something that can be done from the stock FW to see if it works, as Xiaomi does manipulate the U-Boot env from there.
Is there any certain way I should be doing a sysupgrade? Last time I did it, my router wouldn't start back up. Maybe I didn't wait long enough after flashing. I've used other routers with OpenWrt but I'm not sure if something is different on this router. It seems when I flash through LuCI it says flashing and reboots, but it doesn't actually update.
To add atf=1 to the 0:APPSBLENV, does it just need an nvram command from SSH?
Probably nvram from the OEM firmware, fw_setenv from OpenWrt.
I think that will work on IPQ50xx only, it's guarded in the source.
What would you suggest for this SoC?
Hard to tell, as Xiaomi probably modified the bootloader a bit and we don't have sources.
I can only refer to the generic QCA bootloader they all use.
I was not able to confirm it is actually guarded despite the comments so far. Would you mind showing the lines which you believe protect this?
You are correct, it could actually work as they then think that it's ATF that is gonna validate it.
    /*
    || if atf is enable in env ,do_boot_signedimg is skip.
    || Note: This features currently support in ipq50XX.
    */
    if (ret == 0 && buf == 1 && !getenv("atf")) {
        ret = do_boot_signedimg(cmdtp, flag, argc, argv);
    } else if (ret == 0 || ret == -EOPNOTSUPP) {
        ret = do_boot_unsignedimg(cmdtp, flag, argc, argv);
    }
Yes, atf stands for ARM Trusted Firmware, but it does not seem to be implemented for this SoC.
Yes, I know what ATF is, they only have it for IPQ50xx so far as they implement PSCI and stuff that ATF usually provides in QSEE, which is QCA's TrustZone implementation.
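As an added illustration (not code from this thread or from U-Boot), here is a small C model of the bootipq decision quoted above, next to a variant in which the writable, unsigned environment cannot switch signature checking off. The function names, the fuse-read convention (ret 0 = fuse readable, -EOPNOTSUPP = not supported on this SoC) and the sample values are assumptions for the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EOPNOTSUPP
#define EOPNOTSUPP 95 /* fallback for non-Linux toolchains (assumed value) */
#endif

enum boot_path { BOOT_SIGNED, BOOT_UNSIGNED, BOOT_REFUSED };

/* Model of the quoted logic: ret is the result of reading the secure-boot
 * fuse, fuse is its value (1 = secure boot on), env_atf is the "atf"
 * variable as read from the U-Boot environment (NULL when unset).
 * Any non-NULL "atf" skips the signed path even though the fuse is set,
 * because the env lives in writable, unauthenticated flash. */
enum boot_path boot_path_quoted(int ret, int fuse, const char *env_atf)
{
    if (ret == 0 && fuse == 1 && env_atf == NULL)
        return BOOT_SIGNED;
    else if (ret == 0 || ret == -EOPNOTSUPP)
        return BOOT_UNSIGNED;
    return BOOT_REFUSED;
}

/* Hardened variant: the decision depends only on the fuse. The env is
 * ignored for this purpose, so nothing written to 0:APPSBLENV (or via the
 * OEM nvram tool) can turn the signed path into the unsigned one. */
enum boot_path boot_path_hardened(int ret, int fuse, const char *env_atf)
{
    (void)env_atf; /* untrusted input must not gate authentication */
    if (ret == 0 && fuse == 1)
        return BOOT_SIGNED;
    else if (ret == 0 || ret == -EOPNOTSUPP)
        return BOOT_UNSIGNED;
    return BOOT_REFUSED;
}

int main(void)
{
    /* constructed case: fuse blown, atf=1 present in the environment */
    printf("quoted:   %d (1 = unsigned boot)\n", boot_path_quoted(0, 1, "1"));
    printf("hardened: %d (0 = signed boot)\n", boot_path_hardened(0, 1, "1"));
    return 0;
}
```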
IT WORKS!
After enabling SSH on the OEM firmware, the setup was as follows:
nvram set atf="1"
nvram set flag_last_success=1
nvram set flag_boot_rootfs=1
nvram commit
ubiformat /dev/mtd22 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax9000-squashfs-nand-factory.ubi
reboot
Well, that is then the universal way to just avoid secure boot like it did not exist at all.
Perfect for all of the boards currently booting by manual bootcmd, avoiding all of that.
Thanks for all the effort and help given!
The Wiki is now updated for the procedure: https://openwrt.org/inbox/toh/xiaomi/ax9000#for_the_international_oem_firmware_model_only
I am wondering if the documentation on the https://openwrt.org/inbox/toh/xiaomi/ax9000#state-of-the-art is up to date?
With robi's patch to the ath11k driver, both 5G ax bands should now be able to run simultaneously (built-in QCN5054 + PCIe-based QCN9024)
Could anyone confirm, and if so, maybe we should add this to that device's toh section?
It's up to date because it is following the first post on this thread, as the experimental firmware is currently on @robimarko's github repo.
I'm open to any given contributions for the wiki. If the info is not correct or up to date, would you please point to the info source too?
Thanks.