fonix232:
Thanks for the data dump, the matching bits on the WD009 are indeed on mtd5 ( params , just after the kernel partition), and at 0x00, so even the smallest overflow of kernel bits would result in the overwrite of the original u-boot environment:
...
However since OpenWrt would be using mtd2 as uboot-env , if it was set up as such in envtools, that partition wouldn't matter - and I doubt it does much for the stock OS either. It does not match neither the running config IP addresses, nor the TFTP/webflash recovery mode network setup. To me it looks like ...
If you are interested in this u-boot-env thread, then please read (and follow to the linked GitHub discussion - load all the comments) my answer below!
All these devices think that the mtd2, Config partition is the u-boot-env partition, but it isn't.
And if someone got a serial connection and do a saveenv it will destroy the OpenWrt installation.
Because the real u-boot-env partition is the params partition:
dev: size erasesize name
mtd0: 00800000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00180000 00010000 "Kernel_RootFS"
mtd5: 00010000 0001…
And if you are still interested, then please verify your device's u-boot saveenv behavior!
Thanks!