Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support

looks great. just make sure to install the recovery and test it of course.

I grabbed another one of these off eBay, but I didn't check if it was 100% functional before I tried to flash it.

The old script passed, when executed, but u-boot is only looping:

## Starting application at 0x4A9647CC ...
data abort
pc : [<4a9647f4>]          lr : [<4a964e80>]
reloc pc : [<4a9647f4>]    lr : [<4a964e80>]
sp : 4a77f3c8  ip : 058fbb17     fp : 4a91153c
r10: 00000002  r9 : 4a77fea0     r8 : 4a77f86a
r7 : 4a98d190  r6 : 4a96dd4d     r5 : 4a77f450  r4 : 0000041a
r3 : 00000073  r2 : 4a77f884     r1 : 0000041a  r0 : 4a77f450
Flags: nzcv  IRQs off  FIQs off  Mode SVC_32
Resetting CPU ...

resetting ...

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -      2736 - bootable_media_detect_entry, Start
B -     78216 - bootable_media_detect_success, Start
B -     78221 - elf_loader_entry, Start
B -     79650 - auth_hash_seg_entry, Start
B -    117726 - auth_hash_seg_exit, Start
B -    132345 - elf_segs_hash_verify_entry, Start
B -    194981 - PBL, End
B -    313662 - SBL1, Start
B -    392565 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    402417 - pm_device_init, Start
B -    594414 - PM_SET_VAL:Skip
D -    190137 - pm_device_init, Delta
B -    596885 - pm_driver_init, Start
D -      5215 - pm_driver_init, Delta
B -    603046 - clock_init, Start
D -      2165 - clock_init, Delta
B -    607224 - boot_flash_init, Start
D -      7838 - boot_flash_init, Delta
B -    618784 - boot_config_data_table_init, Start
D -      1067 - boot_config_data_table_init, Delta - (575 Bytes)
B -    626409 - Boot Setting :  0x00000618
B -    630130 - CDT version:2,Platform ID:8,Major ID:117,Minor ID:1,Subtype:6
B -    637236 - sbl1_ddr_set_params, Start
B -    641079 - CPR configuration: 0x30c
B -    644434 - cpr_init, Start
B -    647301 - Rail:0 Mode: 5 Voltage: 808000
B -    652425 - CL CPR settled at 760000mV
B -    655262 - Rail:1 Mode: 5 Voltage: 880000
B -    659532 - Rail:1 Mode: 7 Voltage: 904000
D -     16439 - cpr_init, Delta
B -    666333 - Pre_DDR_clock_init, Start
B -    670329 - Pre_DDR_clock_init, End
B -    673714 - DDR Type : PCDDR4
B -    680516 - do ddr sanity test, Start
D -      1037 - do ddr sanity test, Delta
B -    684206 - DDR: Start of HAL DDR Boot Training
B -    688964 - DDR: End of HAL DDR Boot Training
B -    694637 - DDR: Checksum to be stored on flash is -963777385
B -    705038 - Image Load, Start
D -    345199 - QSEE Image Loaded, Delta - (1380872 Bytes)
B -   1050328 - Image Load, Start
D -       457 - SEC Image Loaded, Delta - (0 Bytes)
B -   1057862 - Image Load, Start
D -    287890 - DEVCFG Image Loaded, Delta - (32468 Bytes)
B -   1345812 - Image Load, Start
D -    292892 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1638795 - Image Load, Start
D -    313144 - APPSBL Image Loaded, Delta - (628336 Bytes)
B -   1952061 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1957856 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1964261 - SBL1, End
D -   1652886 - SBL1, Delta
S - Flash Throughput, 34418 KB/s  (2135983 Bytes,  62059 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 1.5.1 [spf11.4_csu2] (Jun 15 2022 - 09:05:59 +0000)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
[Askey] Led init ...
NAND:  Could not find nand_gpio in dts, using defaults
Not an ONFI device
ONFI probe failed
ID = ffffffff
Vendor = ff
Device = ff
qpic_nand: unknown NAND device manufacturer: ff device: ff
U-Boot BUG at drivers/mtd/mtdcore.c:420!
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8750106
eth5 MAC Address from ART is not valid
Hit space key to stop autoboot:  1

since it's u-boot you can't be sure, but there's no "port up" on the remote device, nor do I see any activity when sniffing using tcpdump.

Any ideas, or should I just put it on the recycle pile ?

My router suddenly stopped working. I did a reboot from LUCI and it never turned on. No light, no power, nothing. Tried different power adapters but not Turing on. Nothing on serials.

As soon as I connect the power the lan port light blinks just once, that’s it. Then no response from it.

Anyone know what’s going on?

we're not clairvoyants, we're nerds.

if serial's dead, then it's really dead, or your serial thingie is bad.

No output in serial. RX is 3v and TX is 0V. VCC 3.3V and GND 0V.

Tx should fluctuate, at least initially, after power on, when measured using a voltmeter.

I've just got a used Spectrum router from eBay. The configure-uboot.sh script fails with slot 0 and slot 1 hash mismatch. Slot 0 hash is for 1.5.0 [spf11.4_csu1] and slot 1 is for 1.5.1 [spf11.4_csu2], and this later version is booting. Can y'all recomend a safe way to proceed?

Here is the output of configure-boot.sh and the boot log up to the kernel start

root@SAX1V1K:/tmp# ./configure-uboot.sh 

starting configuration script...


GPT hash: 56e9617a45826e7e6bb4106e6ad40c59
found known GPT!

U-Boot slot 0 hash: 85ae38d2a62b124f431ba5baba6b42ad
U-Boot slot 1 hash: 7bc2f7766b270ea120495334cd1e5c56

ERROR: U-Boot hashes for slots 0 and 1 do not match! contact support forum
press ctrl+c to stop...
^C
root@SAX1V1K:/tmp# reboot 
PREBOOT: Reboot Type: user Reason: Human Triggered Reboot 
root@SAX1V1K:/tmp# 
root@SAX1V1K:/tmp# 
root@SAX1V1K:/tmp# mcastds: Leaving mcsd executive program

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -     52290 - bootable_media_detect_success, Start
B -     52294 - elf_loader_entry, Start
B -     54293 - auth_hash_seg_entry, Start
B -     92343 - auth_hash_seg_exit, Start
B -    107296 - elf_segs_hash_verify_entry, Start
B -    169931 - PBL, End
B -    273036 - SBL1, Start
B -    351207 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    360937 - pm_device_init, Start
B -    553453 - PM_SET_VAL:Skip
D -    190686 - pm_device_init, Delta
B -    555954 - pm_driver_init, Start
D -      5185 - pm_driver_init, Delta
B -    562023 - clock_init, Start
D -      2135 - clock_init, Delta
B -    566232 - boot_flash_init, Start
D -      9668 - boot_flash_init, Delta
B -    579591 - boot_config_data_table_init, Start
D -      1189 - boot_config_data_table_init, Delta - (575 Bytes)
B -    587247 - Boot Setting :  0x00000618
B -    590998 - CDT version:2,Platform ID:8,Major ID:117,Minor ID:1,Subtype:6
B -    598013 - sbl1_ddr_set_params, Start
B -    601826 - CPR configuration: 0x30c
B -    605303 - cpr_init, Start
B -    608078 - Rail:0 Mode: 5 Voltage: 808000
B -    613263 - CL CPR settled at 760000mV
B -    616100 - Rail:1 Mode: 5 Voltage: 880000
B -    620278 - Rail:1 Mode: 7 Voltage: 912000
D -     16531 - cpr_init, Delta
B -    627171 - Pre_DDR_clock_init, Start
B -    631197 - Pre_DDR_clock_init, End
B -    634583 - DDR Type : PCDDR4
B -    641354 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    645075 - DDR: Start of HAL DDR Boot Training
B -    649711 - DDR: End of HAL DDR Boot Training
B -    655475 - DDR: Checksum to be stored on flash is 431657461
B -    665784 - Image Load, Start
D -    346694 - QSEE Image Loaded, Delta - (1380872 Bytes)
B -   1012569 - Image Load, Start
D -       457 - SEC Image Loaded, Delta - (0 Bytes)
B -   1020103 - Image Load, Start
D -    289231 - DEVCFG Image Loaded, Delta - (32468 Bytes)
B -   1309426 - Image Load, Start
D -    294233 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1603720 - Image Load, Start
D -    314669 - APPSBL Image Loaded, Delta - (628336 Bytes)
B -   1918511 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1924306 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1930711 - SBL1, End
D -   1659962 - SBL1, Delta
S - Flash Throughput, 31211 KB/s  (2135983 Bytes,  68435 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 1.5.1 [spf11.4_csu2] (Jun 15 2022 - 09:05:59 +0000)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
[Askey] Led init ...
NAND:  Could not find nand_gpio in dts, using defaults
Not an ONFI device
ONFI probe failed
ID = ffffffff
Vendor = ff
Device = ff
qpic_nand: unknown NAND device manufacturer: ff device: ff
U-Boot BUG at drivers/mtd/mtdcore.c:420!
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8750106
eth5 MAC Address from ART is not valid
Hit space key to stop autoboot:  0 


[Askey] do_bootaskey()
 check temperature of soc 52 ,and threshold 80

[Askey] thermal_check_temp pass
mmc:mmcargs=mmc_mid=11
[Askey] do_boot_signedimg_askey()
debug cert - not found
verify init: active_part [1], bak_part [0]
verify FW [1] start
do verify start
verify kernel start

MMC read: dev # 0, block # 51746, count 16384 ... 16384 blocks read: OK
qca_verify.c [29] load_addr:0x44000000 size:0x800000
Kernel image authentication success 
verify rootfs start

MMC read: dev # 0, block # 346658, count 70321 ... 70321 blocks read: OK
qca_verify.c [57] load_addr:0x41000000 size:0x2257928
Rootfs image authentication success 
do verify success
verify FW [1] success
backup start ...

MMC read: dev # 0, block # 35362, count 16384 ... 16384 blocks read: OK
no need backup, FW & FW_1 is same.
secure boot fuse is enabled
## Loading kernel from FIT Image at 44000028 ...
   Using 'config@rt5010w-d187-rev6' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM64 OpenWrt Linux-4.4.60
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x44000110
     Data Size:    4014157 Bytes = 3.8 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41080000
     Entry Point:  0x41080000
     Hash algo:    crc32
     Hash value:   5acd13a6
     Hash algo:    sha1
     Hash value:   3d6976cd1248efe8158d889377bb05d860cbc84b
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000028 ...
   Using 'config@rt5010w-d187-rev6' configuration
   Trying 'fdt@rt5010w-d187-rev6' fdt subimage
     Description:  ARM64 OpenWrt rt5010w-d187 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x44462500
     Data Size:    82631 Bytes = 80.7 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   facc177b
     Hash algo:    sha1
     Hash value:   72db93a818eed8a017c9aaa351b6fd240fb9f36d
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x44462500
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 4a1e8000, end 4a1ff2c6 ... OK
Using machid 0x8750106 from environment

Starting kernel ...

you overwrite one with the other - Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support - #227 by iv7777.

Oh, I see, I'm sorry I haven't read through the thread. I've done the dd, run the config script, transferred the recovery using nc (because scp did not want to connect for some reason), run the dd to write the recovery partition and now I'm in the openwrt recovery! Thank y'all for your work on this, this is a great inexpensive router now.

Hi, I need information on firmware compatibility

I've found this device listed on a local market for good price and I was wondering if i can put OpenWrt on it . But unfortunately i don't know firmware version on listed device so i need to know:
Is this method limited to specific firmware version on device?
If yes then can newer firmware downgraded to compatible firmware?

Thanks for your time and attention

(Sorry if topic is duplicate i didn't read fully)

What method ?

(Perhaps you should ?)

Breaking into root shell with interrupting EMMC on boot stage

I've read GitHub and also OpenWrt page but I didn't find anything about compatible firmware versions

Then it's probably a no ...?

Thanks for your reply .
I just wanted to be sure

I found a new device with a new bootloader and used this method to boot OpenWrt with the help of AI.

Target Device: Spectrum SAX1V1K (Askey RT5010W)
Target Firmware: v1.5.9 (Secure Boot Enabled)
Note: This guide addresses the v1.5.9 bootloop by manually handling the unlock sequence.

Reference Logs

• Pre-Flash / U-Boot Log: View on Pastebin
• Successful OpenWrt Boot Log: View on Pastebin

Step 1: Inject Configuration Script (Split Method)

Split the script to prevent serial buffer overflows.

1. Create Part A
In the Stock OS terminal (via Serial Login) , run:

cat > part_a.sh

Paste the code, press Enter, then Ctrl + D.

#!/bin/sh
# STRICTLY FOR U-Boot 1.5.9 [spf11.5_cs] ONLY
error() { echo; echo "ERROR:" "$@"; echo "press ctrl+c to stop..."; cat > /dev/null; echo; exit 1; }
pause() { echo "WARNING:" "$@"; echo "enter 'yes' to continue..."; while true; do if [[ "$( head -n1 )" == "yes" ]]; then break; fi; done; echo; }
configure_uboot() {
echo; echo "starting configuration script..."; echo
local gpt_hash="$( dd if=/dev/mmcblk0 bs=512 count=34 2> /dev/null | md5sum | cut -d' ' -f1 )"
case "$gpt_hash" in 56e9617a45826e7e6bb4106e6ad40c59|cadc5e13e8b7c648996a29588a72d349) break ;; *) error "unknown GPT hash!" ;; esac
local uboot0_hash="$( cat /dev/mmcblk0p15 | md5sum | cut -d' ' -f1 )"
local uboot1_hash="$( cat /dev/mmcblk0p16 | md5sum | cut -d' ' -f1 )"
if [[ "$uboot0_hash" != "$uboot1_hash" ]]; then error "U-Boot hashes do not match!"; fi
local uboot_ver="1.5.9 [spf11.5_cs] Aug 19 2024"
local uboot_hack="mw 4a912258 0a000007 1; mw 4a91f1c4 0a000006 1; go 4a967854"
if [[ "$uboot0_hash" == "baf03dfc53dde25c54a351091ae48b84" ]]; then echo "found U-Boot: $uboot_ver"; else error "unknown U-Boot hash!"; fi
pause "about to configure U-Boot environment"
if [[ ! -f /etc/fw_env.config ]]; then echo "/dev/mmcblk0p14 0x0 0x40000 0x40000 1" > /etc/fw_env.config; fi
fw_setenv boot_stage1 'echo "Hit Ctrl+C for shell..."; sleep 2 || exit; run boot_stage1_ok'
fw_setenv boot_stage1_ok 'run boot_stage2'
fw_setenv boot_stage2 'run boot_stage2_flag_read; run boot_stage2_choose'
fw_setenv boot_stage2_choose 'if itest *43FFFFFC == 0; then BOOT_NUM=1; run boot_stage2_try; elif itest *43FFFFFC == 1; then BOOT_NUM=2; run boot_stage2_try; elif itest *43FFFFFC == 2; then BOOT_NUM=3; run boot_stage2_try; else run boot_stage2_skip; fi'
fw_setenv boot_stage2_try 'run boot_stage2_flag_write; echo; echo "## Info: waiting for boot interrupt #$BOOT_NUM..."; sleep 5 || exit; BOOT_NUM=0; run boot_stage2_flag_write; echo; run boot_stage2_ok'
fw_setenv boot_stage2_skip 'echo "## Info: max boot interrupt count reached"; BOOT_NUM=0; run boot_stage2_flag_write; echo; run boot_stage2_fail'

2. Create Part B
Run:

cat > part_b.sh

Paste the code, press Enter, then Ctrl + D.

fw_setenv boot_stage2_flag_read 'mmc read 43FFFE00 0x509E21 1; md 43FFFFF8 2; if itest *43FFFFF8 != B007F1A6; then mw 43FFFFF8 B007F1A6 1; mw 43FFFFFC 0 1; fi'
fw_setenv boot_stage2_flag_write 'mw 43FFFFFC "$BOOT_NUM" 1; md 43FFFFF8 2; mmc write 43FFFE00 0x509E21 1'
fw_setenv boot_stage2_ok 'run boot_stage3'
fw_setenv boot_stage2_fail 'run boot_stage4'
fw_setenv boot_stage3 'run boot_main; run boot_stage3_fail'
fw_setenv boot_stage3_fail 'run boot_stage4'
fw_setenv boot_stage4 'run boot_recovery; run boot_stage4_fail'
fw_setenv boot_stage4_fail 'run boot_stage5'
fw_setenv boot_stage5 'run boot_tftp'
fw_setenv boot_main 'SLOT=0; run boot_slot'
fw_setenv boot_slot 'run boot_set_slot_$SLOT || exit; run boot_set_type_squashfs; run boot_hack; mmc read 44000000 "$KERNEL" 0x4000 && bootm'
fw_setenv boot_set_slot_0 'KERNEL=0x8A22; ROOTFS=/dev/mmcblk0p20'
fw_setenv boot_set_slot_1 'KERNEL=0xCA22; ROOTFS=/dev/mmcblk0p22'
fw_setenv boot_recovery 'run boot_set_type_initramfs; run boot_hack; mmc read 44000000 0x4F9E22 0x10000 && bootm'
fw_setenv boot_tftp 'run boot_set_type_initramfs; run boot_set_ip; run boot_hack; tftpboot recovery.img && bootm'
fw_setenv boot_write_recovery_from_tftp 'run boot_set_type_initramfs; run boot_set_ip; run boot_hack; tftpboot recovery.img || exit; mmc write 44000000 0x4F9E22 0x10000'
fw_setenv boot_set_ip 'setenv ipaddr 192.168.1.1; setenv netmask 255.255.255.0; setenv serverip 192.168.1.2'
fw_setenv boot_set_type_initramfs 'setenv loadaddr 44000000; setenv bootargs console=ttyMSM0,115200n8 $EXTRAARGS'
fw_setenv boot_set_type_squashfs 'setenv loadaddr 44000000; setenv bootargs console=ttyMSM0,115200n8 root=$ROOTFS rootwait $EXTRAARGS'
fw_setenv boot_hack "$uboot_hack"
fw_setenv bootcmd "run boot_stage1"
echo "Done."
}
configure_uboot "$@"

3. Combine and Run

cat part_a.sh part_b.sh > final_script.sh
sh final_script.sh

Reboot the router.

Step 2: Manual Unlock & RAM Boot

CRITICAL: Do NOT let auto-boot run. Manual intervention required to bypass v1.5.9 go command.

1. Catch Shell: Ctrl+C at IPQ807x#.
2. Manual Unlock:

mw 4a912258 0a000007 1
mw 4a91f1c4 0a000006 1

3. Setup Network & Boot:

setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.2; setenv netmask 255.255.255.0
run boot_set_type_initramfs
tftpboot 0x44000000 recovery.img
bootm 0x44000000

Step 3: Flash Permanent Firmware

1. Open http://192.168.1.1.
2. System > Backup / Flash Firmware.
3. Flash Image > Upload sysupgrade.bin.
4. UNCHECK "Keep Settings".

Step 4: Persistence Fix (Anti-Bootloop)

1. Catch Shell: Ctrl+C at IPQ807x#.
2. Clean Environment:

env default -a

3. Inject Permanent Bootchain:

setenv uboot_hack 'mw 4a912258 0a000007 1; mw 4a91f1c4 0a000006 1'
setenv openwrt_args 'setenv bootargs console=ttyMSM0,115200n8 root=/dev/mmcblk0p20 rootwait'
setenv openwrt_load 'mmc read 0x44000000 0x8A22 0x4000'
setenv bootcmd 'run uboot_hack; run openwrt_args; run openwrt_load; bootm 0x44000000'
saveenv
reset

Status: Complete. Router boots OpenWrt automatically.

could you please add these steps to the wiki https://openwrt.org/toh/spectrum/sax1v1k

This doesn't compute ?

iPQ807x# would be U-Boot, while fw_setenv etc is OS.

You're 100% correct, good catch! I mixed up the prompts in my write-up. I've updated the post to reflect that the script must be run from the Stock OS via Serial login, not the U-Boot prompt.

Don’t have account to edit the page.

ask for one here Applying for OpenWrt wiki account