Revert Buffalo BHR-4GRV to stock or DD-WRT

Installing and Using OpenWrt
1

I have flashed OpenWRT to a Buffalo BHR 4GRV, and it works reasonably well.
However, after I have tried to re-flash it to Stock or DD-WRT image, it fails miserably.

With the stock image flashed over console/WebUISERIAL/... I get "Bad Magic Number", after re-flashing an older DD-WRT image to it, I get segmentation fault:

BUFFALO U-BOOT Ver 1.00
  == CPU:400MHz, DDR:400MHz, AHB:200MHz ==
AP111 (ar7241 - Virian) U-boot
DRAM:  64 MB
WAN port disabling: done
Top of RAM usable for U-Boot at: 84000000
Reserving 257k for U-Boot at: 83fbc000
Reserving 192k for malloc() at: 83f8c000
Reserving 44 Bytes for Board Info at: 83f8bfd4
Reserving 36 Bytes for Global Data at: 83f8bfb0
Reserving 128k for boot params() at: 83f6bfb0
Stack Pointer at: 83f6bf98
Now running in RAM - U-Boot at: 83fbc000
flash bank #0 found 16 MB flash [W25Q128BV, blk:0x10000, sectors:256]
flash bank #1 found 16 MB flash [W25Q128BV, blk:0x10000, sectors:256]
Flash: 32 MB
*** Warning *** : PCIe WLAN Module not found !!!
In:    serial
Out:   serial
Err:   serial
Memory Test (address line)
uboot use  83F6BFB0 - 84000000
Memory Test start(0x80000000) end(0x83F00000) size(67108864)
Data line test start:0x80000000 pattern 0x00000001 0x00000003 0x00000007 0x0000000F 0x00000005 0x00000015 0x00000055 0xAAAAAAAA
Address line test start:0x80000000 len:0x3f00000 pattern 0xAAAAAAAA 0x55555555
Fill test patnum:5
fill Pattern 5555AAAA  Writing...   Reading...
fill Pattern AAAA5555  Writing...   Reading...
fill Pattern 0000FFFF  Writing...   Reading...
fill Pattern FFFF0000  Writing...   Reading...
fill Pattern AAAAAAAA  Writing...   Reading...
Memory Test OK
### buf_ver=[1.00] U-Boot Ver.=[1.00]
### build_date(env)=[Apr  6 2011 - 08:52:25] build_date(bin)=[Apr  6 2011 - 08:52:25]
ag7240_enet_initialize...
Reading MAC Address from ENV(0x83f8c319)
No valid address in Flash. Using fixed address
Virian MDC CFG Value ==> 4
: cfg1 0x7 cfg2 0x7114
eth0: 02:aa:bb:cc:dd:22
athrs16_reg_init: complete
eth0 up
Virian MDC CFG Value ==> 4
: cfg1 0xf cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
eth1 up
eth0  02:AA:BB:CC:DD:22
, eth1  00:03:7F:09:0B:AD

dup 1 speed 1000

tftp server(receive) go, waiting:4[sec]
Load address: 0x81f00000

TftpServer Timeout;
no file was loaded.
LAN port disabling: done

## Checking Image at bf060000 ...
   Image Name:   DD-WRT v24 Linux Kernel Image
   Created:      2014-04-25  11:52:33 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1228245 Bytes =  1.2 MB
   Load Address: 80060000
   Entry Point:  800646d0
   Verifying Checksum ... crc32_fw: bf060040 - bf18be14 (len:0012bdd5) calc...
crc32_fw: range1 bf060040 - bf18be14
OK
change bootargs
console=ttyS0,115200 root=31:03 rootfstype=jffs2 init=/sbin/init mtdparts=ar7240-nor0:256k(u-boot),64k(u-boot-env),1152k@384k(uImage),6592k@1536k(rootfs),64k@320k(ART),64k@8128k(properties),8192k@8192k(flash1),16384k@16384k(flash2) mem=64M
## Booting image at bf060000 ...
   Image Name:   DD-WRT v24 Linux Kernel Image
   Created:      2014-04-25  11:52:33 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1228245 Bytes =  1.2 MB
   Load Address: 80060000
   Entry Point:  800646d0
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 800646d0) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
AR7242
detect mem size
Uart Init
Booting AR7240(Python)...
[    0.000000] sys id = 1101 Atheros AR7242 rev 1.1 (0x1101)
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 64kB, 4-way, VIPT, I-cache aliases, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Linux version 3.9.11 (root@dd-wrt.buildserver) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.01 r39555) ) #57 Mon Apr 14 13:59:27 CEST 2014
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,115200 root=1f02 rootfstype=squashfs noinitrd init=/sbin/init
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] __ex_table already sorted, skipping sort
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 60836k/65536k available (2476k kernel code, 4700k reserved, 754k data, 224k init, 0k highmem)
[    0.000000] NR_IRQS:80
[    0.000000] Calibrating delay loop... 265.42 BogoMIPS (lpj=1327104)
[    0.080000] pid_max: default: 32768 minimum: 301
[    0.080000] Mount-cache hash table entries: 512
[    0.090000] NET: Registered protocol family 16
[    0.340000] PCI: no PCIe module found
[    0.360000] bio: create slab <bio-0> at 0
[    0.360000] usbcore: registered new interface driver usbfs
[    0.370000] usbcore: registered new interface driver hub
[    0.370000] usbcore: registered new device driver usb
[    0.380000] Switching to clocksource MIPS
[    0.380000] NET: Registered protocol family 2
[    0.390000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.390000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.400000] TCP: Hash tables configured (established 512 bind 512)
[    0.400000] TCP: reno registered
[    0.410000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.410000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.420000] NET: Registered protocol family 1
[    0.420000] gpio_proc: module loaded and /proc/gpio/ created
[    0.430000] squashfs: version 3.0 (2006/03/15) Phillip Lougher
[    0.440000] msgmni has been set to 118
[    0.440000] alg: No test for stdrng (krng)
[    0.450000] io scheduler noop registered
[    0.450000] io scheduler deadline registered (default)
[    0.460000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.490000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.490000] console [ttyS0] enabled, bootconsole disabled
[    0.490000] console [ttyS0] enabled, bootconsole disabled
[    0.510000] check spi banks 2
[    0.510000] 0000 : EF 40 18
[    0.510000] found W25Q128BV device on bank#0
[    0.520000] 0000 : EF 40 18
[    0.520000] found W25Q128BV device on bank#1
[    0.520000] SPI flash size total:32 Mbytes
[    0.610000]
[    0.610000] found squashfs at 18C000
[    0.610000] Creating 9 MTD partitions on "ar7240-nor0":
[    0.620000] 0x000000000000-0x000000050000 : "RedBoot"
[    0.620000] 0x000000060000-0x000001fe0000 : "linux"
[    0.630000] 0x00000018c000-0x000001440000 : "rootfs"
[    0.630000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.650000] mtd: partition "rootfs" set to be root filesystem
[    0.650000] 0x000001440000-0x000001fe0000 : "ddwrt"
[    0.660000] 0x000001fe0000-0x000001ff0000 : "nvram"
[    0.670000] 0x000001ff0000-0x000002000000 : "FIS directory"
[    0.670000] 0x000001ff0000-0x000002000000 : "board_config"
[    0.680000] 0x000000000000-0x000002000000 : "fullflash"
[    0.690000] 0x000000040000-0x000000050000 : "uboot-env"
[    0.700000] tun: Universal TUN/TAP device driver, 1.6
[    0.700000] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
[    0.910000] PPP generic driver version 2.4.2
[    0.910000] PPP BSD Compression module registered
[    0.920000] PPP Deflate Compression module registered
[    0.920000] PPP MPPE Compression module registered
[    0.930000] NET: Registered protocol family 24
[    0.950000] u32 classifier
[    0.950000]     Performance counters on
[    0.950000]     input device check on
[    0.960000]     Actions configured
[    0.960000] Netfilter messages via NETLINK v0.30.
[    0.960000] nf_conntrack version 0.5.0 (950 buckets, 3800 max)
[    0.970000] nf_conntrack_rtsp v0.6.21 loading
[    0.980000] nf_nat_rtsp v0.6.21 loading
[    0.980000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    0.980000] IPP2P v0.8.2 loading
[    0.990000] TCP: westwood registered
[    0.990000] TCP: hybla registered
[    1.000000] TCP: vegas registered
[    1.000000] NET: Registered protocol family 17
[    1.000000] Bridge firewalling registered
[    1.010000] 8021q: 802.1Q VLAN Support v1.8
[    1.010000] searching for nvram
[    1.020000] nvram size = 0
[    1.090000] Broken NVRAM found, recovering it (Magic FFFFFFFF)
[    1.100000] Atheros AR71xx hardware watchdog driver version 0.1.0
[    1.100000] ar71xx-wdt: timeout=15 secs (max=21) ref freq=200000000
[    1.110000] VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
[    1.120000] Freeing unused kernel memory: 224k freed
start service
starting Architecture code for wzrg450
starting hotplug
Jan  1 00:00:02 udevtrigger[242]: parse_config_file: can't open '/etc/udev/udev.conf' as config file: No such file or directory
start MSTP Daemon
1970-01-01 00:00:04 main: Sanity checks succeeded
done
load ag71xx or ag7100_mod Ethernet Driver
[    4.650000] switch0: Atheros AR8316 switch registered on ag71xx-mdio.0
[    4.650000] libphy: ag71xx_mdio: probed
[    4.660000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[    5.220000] ar8316: Using port 4 as switch port
[    5.720000] ag71xx ag71xx.0 eth0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd041, driver=Atheros AR8216/AR8236/AR8316]
configure eth0 to 4C:E6:76:EA:BD:5D
configure vlan1 to 4C:E6:76:EA:BD:5D
configure vlan2 to 4C:E6:76:EA:BD:5D
ifconfig: SIOCSIFHWADDR: Device or resource busy
load ATH 802.11 a/b/g Driver
insmod: ath_hal.ko: module not found
insmod: ath_pci.ko: module not found
insmod: ath_ahb.ko: module not found
load ATH9K 802.11n Driver
[    7.030000] Loading modules backported from Linux version master-2013-06-27-0-gdcfa6d5
[    7.030000] Backport generated by backports.git backports-20130617-4-ge3220f5
insmod: compat_firmware_class.ko: module not found
[    7.220000] cfg80211: Calling CRDA to update world regulatory domain
[    7.230000] cfg80211: World regulatory domain updated:
[    7.230000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[    7.240000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[    7.250000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[    7.260000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[    7.270000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[    7.270000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
Segmentation fault
[USB] checking...
umount: can't umount /mnt: No such file or directory
rmmod: usblp: No such file or directory
rmmod: printer: No such file or directory
rmmod: usb-storage: No such file or directory
rmmod: sr_mod: No such file or directory
rmmod: cdrom: No such file or directory
rmmod: sd_mod: No such file or directory
rmmod: scsi_wait_scan: No such file or directory
rmmod: scsi_mod: No such file or directory
rmmod: usbmisc_imx: No such file or directory
rmmod: ci13xxx_imx: No such file or directory
rmmod: ci_hdrc: No such file or directory
rmmod: phy-mxs-usb: No such file or directory
rmmod: fsl-mph-dr-of: No such file or directory
rmmod: usb-libusual: No such file or directory
rmmod: dwc_otg: No such file or directory
rmmod: xhci-hcd: No such file or directory
rmmod: usb-ohci: No such file or directory
rmmod: ohci-hcd: No such file or directory
rmmod: uhci-hcd: No such file or directory
rmmod: usb-uhci: No such file or directory
rmmod: ehci-pci: No such file or directory
rmmod: ehci-platform: No such file or directory
rmmod: ehci-hcd: No such file or directory
rmmod: fsl-mph-dr-of: No such file or directory
rmmod: usbcore: No such file or directory
rmmod: usb-common: No such file or directory
rmmod: xfs: No such file or directory
rmmod: msdos: No such file or directory
rmmod: vfat: No such file or directory
rmmod: fat: No such file or directory
rmmod: nls_utf8: No such file or directory
rmmod: nls_iso8859-2: No such file or directory
rmmod: nls_iso8859-1: No such file or directory
rmmod: nls_cp437: No such file or directory
rmmod: nls_cp932: No such file or directory
rmmod: nls_cp936: No such file or directory
rmmod: nls_cp950: No such file or directory
rmmod: nls_base: No such file or directory
rmmod: ext3: No such file or directory
rmmod: jbd: No such file or directory
rmmod: ext2: No such file or directory
rmmod: mbcache: No such file or directory
rmmod: fuse: No such file or directory
Segmentation fault
[    8.750000] eth0: link up (1000Mbps/Full duplex)
[    9.370000] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[    9.370000]

It is strange, that it tries to init WLAN (fails, it is not available for the router), and then it does not find any kmod files. Am I doing something wrong? (Sure, I am :slight_smile: )

What should be the way to get back to Stock or at least change to DD-WRT?
I need to create a tool, that automates the firmware update to openwrt, but I would need an initial state to test... :frowning:

I have even pulled an MTD backup from another one, but the image is about 33MB, and I don't even have that much space on the device after a clean flash. I have tried to flash it from USB storage with mtd write firmware_mtd_backup.bin firmware, but that did not work either:

Unlocking firmware ...

Writing from mtd1_linux.backup to firmware ...  [w][ 2483.510094] SQUASHFS error: Failed to read block 0x38daac: -5
[ 2483.515898] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2483.522712] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2483.529117] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2483.535860] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2483.542224] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2483.548979] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2483.555339] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2483.562101] SQUASHFS error: read_indexes: reading block [38daaa:5f]
Rebooting ...
[ 2540.081827] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2540.088717] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2540.095076] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2540.101881] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2542.109887] Deleting MTD partitions on "spi0.0":
[ 2542.117969] Removing MTD device #0 (spi0.0) with use count 1
[ 2542.124212] Deleting MTD partitions on "spi0.1":
[ 2542.133078] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2542.139932] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2542.146312] SQUASHFS error: Unable to read metadata cache entry [38daaa]
[ 2542.153052] SQUASHFS error: read_indexes: reading block [38daaa:5f]
[ 2542.161906] Removing MTD device #1 (spi0.1) with use count 1
[ 2542.169748] reboot: Restarting system

After that I get back to the above Segmentation fault

2

After some more investigation it seems that my nvram settings are lost/broken. Is there an "easy" (software) way to copy it from another, working device? Can I e. g. dd it, and flash it somehow with u-boot?

3

Are you able to flash openwrt?

4

Since you have a serial connection, about the most bombproof way to unbrick or install with OpenWrt is to manually TFTP and boot the initramfs-kernel.bin file, then use that running instance of OpenWrt to flash the sysupgrade build, using the sysupgrade script instead of mtd directly. Both of those build files are available in the 22.03.3 directory.

OpenWrt does not use nvram.

1 Like
5

I was actually trying to revert to DD-WRT, but this time I've got some errors during mtd flashing with:
mtd -r write /tmp/firmware_dd-wrt_RSP_Buffalo.bin firmware

After that, I got:

Unlocking firmware ...

Writing from /tmp/firmware_dd-wrt_RSP_Buffalo.bin to firmware ...
Rebooting ...
[ 1530.834413] SQUASHFS error: Failed to read block 0x38e8ec: -5
[ 1530.840220] SQUASHFS error: Unable to read metadata cache entry [38e8ea]
[ 1530.847039] SQUASHFS error: Unable to read inode 0x67e1fee
sh: /sbin/reboot: I/O error
[ 1532.854657] Deleting MTD partitions on "spi0.0":
[ 1532.862849] Removing MTD device #0 (spi0.0) with use count 1
[ 1532.869080] Deleting MTD partitions on "spi0.1":
[ 1532.879136] Removing MTD device #1 (spi0.1) with use count 1
[ 1532.888121] reboot: Restarting system

Am I right to assume, I have a bad flash chip? Is there a way to test it? I have tried several different firmwares with the same result, so I would expect, that the source images are OK.

Never the less, I can still flash OpenWRT, that works (well, until I bump into the flash issues, if there are any), and probably that is the most, I've should asked here in this forum, as the rest is probably more related to DD-WRT, thanks!

6

See if you can get openwrt running.

Might be better to post in the DD wrt forum for support flashing DD wrt

1 Like