SOLVED: ZTE MF287 unable to load wifi firmware

Hello, please help...
I've installed fresh OpenWRT on ZTE MF287, but no wireless menu is present.
Looking at the dmesg, there's some problem to load the ath10k firmware.

root@OpenWrt:/lib/firmware/ath10k/QCA4019/hw1.0# dmesg |grep wifi
[    0.204824] tcsr 1949000.tcsr: setting wifi_glb_cfg = 41000000
[    0.205162] tcsr 1957000.tcsr: setting wifi_noc_memtype_m0_m2 = 2222222
[   17.718911] ath10k_ahb a000000.wifi: qca4019 hw1.0 target 0x01000000 chip_id 0x003b00ff sub 0000:0000
[   17.718996] ath10k_ahb a000000.wifi: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[   17.732604] ath10k_ahb a000000.wifi: firmware ver 10.4-3.6-00140 api 5 features no-p2p,mfp,peer-flow-ctrl,btcoex-param,allows-mesh-bcast,no-ps crc32 ba79b746
[   17.783795] ath10k_ahb a000000.wifi: Loading BDF type 0
[   18.756458] ath10k_ahb a000000.wifi: failed to fetch board data for bus=ahb,bmi-chip-id=0,bmi-board-id=24,variant=zte,mf287plus from ath10k/QCA4019/hw1.0/board-2.bin
[   18.976820] ath10k_ahb a000000.wifi: failed to fetch board-2.bin or board.bin from ath10k/QCA4019/hw1.0
[   18.976924] ath10k_ahb a000000.wifi: failed to fetch board file: -12
[   18.985315] ath10k_ahb a000000.wifi: could not probe fw (-12)
[   19.994990] ath10k_ahb a800000.wifi: qca4019 hw1.0 target 0x01000000 chip_id 0x003b00ff sub 0000:0000
[   19.995077] ath10k_ahb a800000.wifi: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[   20.008871] ath10k_ahb a800000.wifi: firmware ver 10.4-3.6-00140 api 5 features no-p2p,mfp,peer-flow-ctrl,btcoex-param,allows-mesh-bcast,no-ps crc32 ba79b746
[   20.060495] ath10k_ahb a800000.wifi: Loading BDF type 0
[   20.064596] ath10k_ahb a800000.wifi: failed to fetch board data for bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=zte,mf287plus from ath10k/QCA4019/hw1.0/board-2.bin
[   20.268787] ath10k_ahb a800000.wifi: failed to fetch board-2.bin or board.bin from ath10k/QCA4019/hw1.0
[   20.268872] ath10k_ahb a800000.wifi: failed to fetch board file: -12
[   20.277348] ath10k_ahb a800000.wifi: could not probe fw (-12)

The firmware files are apparently in place:

root@OpenWrt:/lib/firmware/ath10k/QCA4019/hw1.0# ll
drwxr-xr-x    1 root     root           304 Aug 19 14:06 ./
drwxr-xr-x    1 root     root           224 Aug 19 14:01 ../
-rw-r--r--    1 root     root       1798048 Aug 19 14:15 board-2.bin
-rw-r--r--    1 root     root        583344 Aug 19 14:06 firmware-5.bin

No wireless though:

root@OpenWrt:~# uci show wireless
uci: Entry not found

I'm sorry if it was already answered elswhere, but i am new to OpenWRT and search didn't help me.
Thank you

Can you run output of strings on the board file?

Hi, do you mean these?

root@OpenWrt:/etc# ubus call system board
{
	"kernel": "5.15.127",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "ZTE MF287Plus",
	"board_name": "zte,mf287plus",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0-rc3",
		"revision": "r23389-5deed175a5",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
	}
}

No I mean output of command strings on the board bin

Support for this device was backported from snapshot. I suppose that a backport of the firmware file is also required and I missed that!?
What @Ansuel suggests is checking exactly that.

Edit: No, the package is being built and available in the download section.
Do you have a "regular" MF287 or a MF287+?

Edit2: Oh damn, it's looking for board IDs 24 and 25 while IDs 20 and 21 are provided in the .bin file. Looks like I was too fast in determining that MF287+ and MF287 share the same board.

I won't have access to my MF287 for a couple of days, but then I can fix it.
@buzzdev If you want to have a look in the meantime, you need to extract the board file from the stock firmware. The boot log contains the name of the board file being loaded. This is how it looks for the MF287+:

[   29.381752] ol_ath_download_firmware :First OTP download and Execute is good address:0x5000 return param 4660
[   29.390633] ol_ath_download_firmware:##Board Id 20 , CHIP Id 0
[   29.396618] ol_ath_download_firmware: BOARDDATA DOWNLOAD TO address 0xc0000
[   29.403433] 
[   29.403433]  wifi0: Selecting board data file name boardData_1_0_IPQ4019_DK04_2G.bin
[   29.412622] ol_transfer_bin_file: Board Data File download to address=0xc0000 file name=IPQ4019/hw.1/boardData_1_0_IPQ4019_DK04_2G.bin

Unfortunately, I did not save a boot log of the MF287 stock firmware, so I will have to flash back to stock.

Hi @Ansuel
did you mean the output of this?

root@OpenWrt:/lib/firmware/ath10k/QCA4019/hw1.0# strings board-2.bin |grep -i board
QCA-ATH10K-BOARD
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=zte,mf287plusm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=zte,mf287plusm

Thank you

Hi Andi @andyboeh,
thank you for the info, that vas very helpful!
My router is one of the very first Neos with modelID 3neo. So i believe it is actually the regular MF287.

Indeed, the board id. i have is 24/25. I've even tried (as an experiment) to use firmware from here (https://github.com/kvalo/ath10k-firmware/tree/master/QCA4019/hw1.0), but that didn't work either.

Extracting the wifi firmware from the original firmware was my next idea, but i am not sure at the moment, how to do that...
I also didn't save a dmesg from the stock firmware so let me revert to the stock for now and get the boot log.

danke
LG

@andyboeh just for info...
the replacement board-2.bin from that i've used from https://github.com/kvalo/ath10k-firmware/blob/master/QCA4019/hw1.0/board-2.bin contains all of these, but not my variant:

$ strings board-2.bin |grep -i board |grep -i zte
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=zte,mf286d
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=zte,mf286d
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=ZTE-MF18Am
bus=ahb,bmi-chip-id=0,bmi-board-id=31,variant=ZTE-MF18Am
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=zte,mf289f
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=zte,mf289f

$ strings board-2.bin |grep -i board |egrep '24|25'
bus=ahb,bmi-chip-id=0,bmi-board-id=24,variant=ZyXEL-WRE6606m
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ZyXEL-WRE6606m
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ALFA-Network-AP120C-AC
bus=ahb,bmi-chip-id=0,bmi-board-id=24,variant=ASUS-MAP-AC1300mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ASUS-MAP-AC1300mmm

So that's probably that's why it didn't work

Full board strings:

$ strings board-2.bin |grep -i board
QCA-ATH10K-BOARD
bus=ahb,bmi-chip-id=0,bmi-board-id=16mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=17mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=18mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=19mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=28mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=29mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=30mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Meraki-MR33mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Meraki-MR33mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GL-B1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=GL-B1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Netgear-EX6100v2mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Netgear-EX6150v2mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Netgear-EX6100v2mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Netgear-EX6150v2mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=RT-AC58Umm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=RT-AC58Umm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=ASUS-RT-AC58Um
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=ASUS-RT-AC58Um
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=ZyXEL-NBG6617m
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=ZyXEL-NBG6617m
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Netgear-WAC510
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Netgear-WAC510
bus=ahb,bmi-chip-id=0,bmi-board-id=24,variant=ZyXEL-WRE6606m
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ZyXEL-WRE6606m
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=EnGenius-EAP1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=EnGenius-EAP1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=ASUS-MAP-AC2200mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=ASUS-MAP-AC2200mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ALFA-Network-AP120C-AC
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=AVM-FRITZBox-7530m
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=AVM-FRITZBox-7530m
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=linksys-ea6350v3mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=linksys-ea6350v3mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=AVM-FRITZRepeater-3000
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=AVM-FRITZRepeater-3000
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=EnGenius-ENS620EXT
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=EnGenius-ENS620EXT
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Netgear-Orbi-Pro-SRK60
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Netgear-Orbi-Pro-SRK60
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=OM-A62
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=OM-A62
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=OM-A42
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=OM-A42
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=EnGenius-EAP2200mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=EnGenius-EAP2200mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=EnGenius-EMR3500mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=EnGenius-EMR3500mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=EnGenius-EMD1m
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=EnGenius-EMD1m
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=EnGenius-ENH1350EXTmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=EnGenius-ENH1350EXTmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=EnGenius-EMR5000mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=EnGenius-EMR5000mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=AVM-FRITZRepeater-1200
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=AVM-FRITZRepeater-1200
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=dlink,dap-2610
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=dlink,dap-2610
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=ezviz-cs-w3-wd1200g-eupmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=ezviz-cs-w3-wd1200g-eupmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=CM520-79Fm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=CM520-79Fm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Aruba-AP-303mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Aruba-AP-303mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=cellc,rtl30vwm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=cellc,rtl30vwm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=AVM-FRITZBox-4040m
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=AVM-FRITZBox-4040m
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Buffalo-WTR-M2133HPmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Buffalo-WTR-M2133HPmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Luma-WRTQ-329ACNmm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Luma-WRTQ-329ACNmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-mr8300-v0-fccm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-mr8300-v0-fccm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=PlasmaCloud-PA2200
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=PlasmaCloud-PA2200
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=linksys-whw01-v1mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=linksys-whw01-v1mm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=ASUS-RT-AC42Um
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=zte,mf286d
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=zte,mf286d
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=PlasmaCloud-PA1200
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=PlasmaCloud-PA1200
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GO_BREEZEm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GO_GALEmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GO_BREEZEm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GO_GALEmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=GL-B2200mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GL-B2200mm
bus=ahb,bmi-chip-id=0,bmi-board-id=24,variant=ASUS-MAP-AC1300mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=25,variant=ASUS-MAP-AC1300mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=devolo,magic-2-wifi-nextmm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=devolo,magic-2-wifi-nextmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Aruba-AP-365mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Aruba-AP-365mm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Edgecore OAP100mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Edgecore OAP100mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Qxwlan-E2600AC-C2m
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Qxwlan-E2600AC-C2m
bus=ahb,bmi-chip-id=0,bmi-board-id=29,variant=Qxwlan-E2600AC-C2m
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-ea8300-ahm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-ea8300-eum
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-ea8300-fcc
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-ea8300-icm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-ea8300-ahm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-ea8300-eum
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-ea8300-fcc
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-ea8300-icm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=P&W-R619AC
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=P&W-R619AC
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Pakedge-WR-1mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Pakedge-WR-1-ACMAm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Pakedge-WR-1-SRRCm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Pakedge-WR-1mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Pakedge-WR-1-ACMAm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Pakedge-WR-1-ICmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Pakedge-WR-1-SRRCm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Sony-NCP-HG100-Cellularmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Sony-NCP-HG100-Cellularmmm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=8devices-Habanerom
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=8devices-Habanerom
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=8devices-Jalapenom
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=8devices-Jalapenom
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=linksys-whw03v2mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=linksys-whw03v2mmm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Qxwlan-E2600AC-C1m
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Qxwlan-E2600AC-C1m
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=GL-A1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GL-A1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GL-S1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GL-S1300mm
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=Teltonika-RUTX10mm
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=Teltonika-RUTX10mm
bus=ahb,bmi-chip-id=0,bmi-board-id=28,variant=Qxwlan-E2600AC
bus=ahb,bmi-chip-id=0,bmi-board-id=29,variant=Qxwlan-E2600AC
bus=ahb,bmi-chip-id=0,bmi-board-id=30,variant=Qxwlan-E2600AC
bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GL-AP1300m
bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=GL-AP1300m
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=GL-AP1300m
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GL-AP1300m
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=ZTE-MF18Am
bus=ahb,bmi-chip-id=0,bmi-board-id=31,variant=ZTE-MF18Am
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=Extreme-Networks-WS-AP3915immm
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=Extreme-Networks-WS-AP3915immm
bus=ahb,bmi-chip-id=0,bmi-board-id=20,variant=zte,mf289f
bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=zte,mf289f

Yes, upstream does not have the BDF for our devices, they live in the qca-wireless git. This was the commit for the MF287+, a similar one is probably needed for the MF287. You will have to play around with a Python tool, ath10k-bdencoder.py to create a proper board-2.bin based on the extract from stock.

https://git.openwrt.org/?p=project/firmware/qca-wireless.git;a=commit;h=a1897c8e097635212cda8d0867f0cf88193775ef

It is. I have one, too, but I'll have access to it only in a couple of days. I never did much testing on it, to be honest, as I added support for the DreiNeo first and I do not use Wireless on these boxes at all.

If you need an old 3neo, just let me know in a PM.

Hmm.. i've just flashed the ...recovery.bin to follow your guide at https://www.aboehler.at/doku/doku.php/projects:zte_mf28x#restore_stock but now i am unable (don't know) how to connect to the router.. It is nicely blinking though.
I know it's perhaps a stupid question, but could you please advice?

Thank you

It is possible that it doesn't contain the web interface. Do you get an IP on your computer? Can you connect via SSH?

Hi Andi,
if the adapter is set to DHCP i only get self assigned IP 169.254.173.105 but it has no link.
If i set the IP manually to 192.168.1.2 it gets a link, but 192.168.1.1 is not reachable.

Strange thing is, that if i run ping to 192.168.1.1 the output is varying:

$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
ping: sendto: No route to host
Request timeout for icmp_seq 4
ping: sendto: Host is down
Request timeout for icmp_seq 5
ping: sendto: Host is down
Request timeout for icmp_seq 6
ping: sendto: Host is down
Request timeout for icmp_seq 7
ping: sendto: Host is down
Request timeout for icmp_seq 8
ping: sendto: Host is down
Request timeout for icmp_seq 9
ping: sendto: Host is down
Request timeout for icmp_seq 10

It seems i will be connecting the serial console soon

Hi @andyboeh the serial console is connected, but it seems to be booting in some strange way.
Should I perhaps open a new thread, regarding the recovery?

Here's the boot console.
Any idea what's going on?

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1338 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1692 - elf_loader_entry, Start
B -      5068 - auth_hash_seg_entry, Start
B -      7209 - auth_hash_seg_exit, Start
B -    572126 - elf_segs_hash_verify_entry, Start
B -    686901 - PBL, End
B -    686925 - SBL1, Start
B -    775250 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    776760 - boot_flash_init, Start
D -     54263 - boot_flash_init, Delta
B -    835209 - boot_config_data_table_init, Start
D -      3843 - boot_config_data_table_init, Delta - (419 Bytes)
B -    842429 - clock_init, Start
D -      7552 - clock_init, Delta
B -    854503 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:1,Subtype:0
B -    857991 - sbl1_ddr_set_params, Start
B -    862979 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    867471 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13148 - sbl1_ddr_set_params, Delta
B -    881174 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    951227 - sbl1_wait_for_ddr_training, Start
D -        29 - sbl1_wait_for_ddr_training, Delta
B -    966835 - Image Load, Start
D -    134998 - QSEE Image Loaded, Delta - (262104 Bytes)
B -   1102329 - Image Load, Start
D -      1448 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1112706 - Image Load, Start
D -    249415 - APPSBL Image Loaded, Delta - (510627 Bytes)
B -   1362544 - QSEE Execution, Start
D -        58 - QSEE Execution, Delta
B -   1368720 - SBL1, End
D -    683906 - SBL1, Delta
S - Flash Throughput, 2009 KB/s  (775198 Bytes,  385719 us)
S - DDR Frequency, 537 MHz


U-Boot 2012.07 [Barrier Breaker unknown,unknown] (Dec 23 2016 - 15:30:35)

smem ram ptable found: ver: 1 len: 3
DRAM:  256 MiB
machid : 0x8010100
NAND:  spi_nand: spi_nand_flash_probe SF NAND ID 0:c8:d1:c8
SF: Detected GD5F1GQ4XB with page size 2 KiB, total 128 MiB
SF: Detected MX25L1605D with page size 4 KiB, total 2 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x200000
130 MiB
MMC:   
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
machid: 8010100
flash_type: 0
Net:   MAC0 addr:84:c5:ea:87:c8:0
PHY ID1: 0x4d
PHY ID2: 0xd0b1
ipq40xx_ess_sw_init done
eth0
Uaztemain: enter into ! 
zte_getHandOffState: read data=0x20 from 0x0
Uaztemain: no need to update ‘’ 
Hit any key to stop autoboot:  1  0 
Creating 1 MTD partitions on “nand1”:
0x000001300000-0x000003500000 : “mtd=0”
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd2 to ubi0
UBI: MTD device name:            “mtd=0”
UBI: MTD device size:            34 MiB
UBI: number of good PEBs:        272
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     2
UBI: available PEBs:             18
UBI: total number of reserved PEBs: 254
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 4/2
Volume kernel not found!

(IPQ40xx) # 

You are stuck in bootloader. You can now easily boot the initramfs version using tftp and restore stock from there.

I will look into this as well, just give me a few more days.

Thanxs Andi,
i've managed to load the kernel with tftpboot and then bootm commands.
The bootloader IP were in different range 192.168.0.0/24 and it was expecting the PC to be at 192.168.0.22.
Then it requested the file C0A80001.img from the tftpd server. SO i took the kernel image from https://downloads.openwrt.org/releases/23.05.0-rc3/targets/ipq40xx/generic/openwrt-23.05.0-rc3-ipq40xx-generic-zte_mf287plus-initramfs-zImage.itb then renamed it to that file and it was booting fine.

After booting the kernel it changed the IP range again to 192.168.1.0/24.
So switched the PC's NIC to DHCP and now i can access it vie ssh just fine.

Trying to do normal sysupgrade to OpenWRT again.

hmm... now i'm lost

image2092×304 68.7 KB

In serial console:
[ 905.897205] ubi: mtd14 is already attached to ubi0

That's expected, but not required since you are already running an initramfs image. The reason is that the "regular" image mounts some partitions of the flash read-write and you cannot easily overwrite the partitions. The initramfs image (and the -recovery image) run entirely from RAM and you can write to the flash. The -recover image is, essentially, a flashable initramfs image.

Just to be clear: You need a backup of the stock UBI partitions, otherwise, you cannot flash back to stock.

Edit: I saw just now that you are trying to flash the factory.bin. This is only required for installing via the Exploit. If you are already running OpenWrt (as you are from initramfs), you need the regular sysupgrade image.

@andyboeh
ok, it is now restored to OpenWRT running from flash... phew... Many thanxs for help!

I do have the ubi0 and ubi1 backup of the stock firmware.

So from now on, can i just follow this procedure?

No, you need either the -recovery image or -initramfs image. It would have been possible before you restored OpenWrt , directly after the tftpboot. As mentioned before, we are overwriting UBI partitions and that doesn't work if they are mounted.

thank you Andi, but i am probably missing something. My apologies for that.
I did sysupgrade to recovery image and i am back to bootloader shell.

root@OpenWrt:/tmp# sysupgrade -v openwrt-23.05.0-rc3-ipq40xx-generic-zte_mf287plus-squashfs-recovery.bin
ubiattach: error!: cannot attach mtd14
           error 17 (File exists)
Sat Aug 19 14:07:03 UTC 2023 upgrade: Saving config files...
etc/config/dhcp
etc/config/dropbear
etc/config/firewall
etc/config/luci
etc/config/network
etc/config/rpcd
etc/config/system
etc/config/ubootenv
etc/config/ucitrack
etc/config/uhttpd
etc/dropbear/dropbear_ed25519_host_key
etc/dropbear/dropbear_rsa_host_key
etc/group
etc/hosts
etc/inittab
etc/luci-uploads/.placeholder
etc/nftables.d/10-custom-filter-chains.nft
etc/nftables.d/README
etc/opkg/keys/b5043e70f9a75cde
etc/passwd
etc/profile
etc/rc.local
etc/shadow
etc/shells
etc/shinit
etc/sysctl.conf
etc/uhttpd.crt
etc/uhttpd.key
Sat Aug 19 14:07:03 UTC 2023 upgrade: Commencing upgrade. Closing all shell sessions.

The console output:

[  307.621754] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[  344.854714] ubi: mtd14 is already attached to ubi0
[  346.910924] ubi: mtd14 is already attached to ubi0
Watchdog handover: fd=3
- watchdog -
Watchdog did not previously reset the system
Sat Aug 19 14:07:04 UTC 2023 upgrade: Sending TERM to remaining processes …
Sat Aug 19 14:07:08 UTC 2023 upgrade: Sending KILL to remaining processes …
[  357.875034] stage2 (2720): drop_caches: 3
Sat Aug 19 14:07:15 UTC 2023 upgrade: Switching to ramdisk…
[  363.530026] UBIFS (ubi0:2): background thread “ubifs_bgt0_2” stops
[  363.546535] UBIFS (ubi0:2): un-mount UBI device 0
Sat Aug 19 14:07:20 UTC 2023 upgrade: Performing system upgrade…
verifying sysupgrade tar file integrity
umount: can’t unmount /dev/ubiblock0_1: Invalid argument
[  363.997163] block ubiblock0_1: released
Volume ID 0, size 1 LEBs (126976 bytes, 124.0 KiB), LEB size 126976 bytes (124.0 KiB), dynamic, name “rootfs”, alignment 1
Set volume size to 31363072
Volume ID 1, size 247 LEBs (31363072 bytes, 29.9 MiB), LEB size 126976 bytes (124.0 KiB), dynamic, name “rootfs_data”, alignment 1
[  364.868900] UBIFS (ubi0:1): default file-system created
[  364.871552] UBIFS (ubi0:1): Mounting in unauthenticated mode
[  364.873203] UBIFS (ubi0:1): background thread “ubifs_bgt0_1” started, PID 3475
[  365.164931] UBIFS (ubi0:1): UBIFS: mounted UBI device 0, volume 1, name “rootfs_data”
[  365.165008] UBIFS (ubi0:1): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[  365.171847] UBIFS (ubi0:1): FS size: 30093312 bytes (28 MiB, 237 LEBs), max 247 LEBs, journal size 1523712 bytes (1 MiB, 12 LEBs)
[  365.181734] UBIFS (ubi0:1): reserved for root: 1421380 bytes (1388 KiB)
[  365.193336] UBIFS (ubi0:1): media format: w5/r0 (latest is w5/r0), UUID 9A0B3CD2-EBB9-46FE-873F-AF1D9C450606, small LPT model
[  365.254243] UBIFS (ubi0:1): un-mount UBI device 0
[  365.254347] UBIFS (ubi0:1): background thread “ubifs_bgt0_1” stops
configuration saved
sysupgrade successful
umount: can’t unmount /dev: Resource busy
umount: can’t unmount /tmp: Resource busy
[  365.358060] reboot: Restarting system

...and back in bootloader:
(IPQ40xx) #