Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support

@meisterlone -
Yes, two bootloaders, and if the uboot checksum is not checked by the first bootloader, it will be by itself.
It might run a checksum on the initramfs in the bootm command. I will test this.

I found a bug lol. I forced it to the uboot console, bypassing the password screen. Now I'll play around to see if I can get somewhere. tftpboot has been disabled. (the command)

However, usbboot seems to respond. I'll try to figure something out tomorrow.

U-Boot 1.3.3 [spf11.1_csu2] (Jan 27 2021 - 09:14:27 +0000)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
[Askey] Led init ...
NAND:  Could not find nand_gpio in dts, using defaults
Not an ONFI device
ONFI probe failed
ID = ffffffff
Vendor = ff
Device = ff
qpic_nand: unknown NAND device manufacturer: ff device: ff
U-Boot BUG at drivers/mtd/mtdcore.c:420!
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
machid: 8750106
eth5 MAC Address from ART is not valid
Hit space key to stop autoboot:  0
Unknown command 'fatload' - try 'help'

Net:   MAC0 addr:2c:ea:dc:34:4a:ab
PHY ID1: 0x4d
PHY ID2: 0xd0b1
PHY ID1: 0x4d
PHY ID2: 0xd101
EDMA ver 1 hw init
Num rings - TxDesc:1 (0-0) TxCmpl:1 (7-7)
RxDesc:1 (15-15) RxFill:1 (7-7)
ipq807x_edma_alloc_rings: successfull
ipq807x_edma_setup_ring_resources: successfull
ipq807x_edma_configure_rings: successfull
ipq807x_edma_hw_init: successfull
eth0
IPQ807x#

Some options now:

IPQ807x# help
?       - alias for 'help'
aes_256 - AES 256 CBC/ECB encryption/decryption
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootipq - bootipq from flash device
bootm   - boot application image from memory
bypass_verify- bypass_verify
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dcs_verify- dcs_verify
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
ext4load- load binary file from a Ext4 filesystem
ext4ls  - list files in a directory (default /)
ext4size- determine a file's size
ext4write- create a file in the root directory
false   - do nothing, unsuccessfully
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fstype  - Look up a filesystem type
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
load    - load binary file from a filesystem
loop    - infinite loop on address range
ls      - list files in a directory (default /)
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
pwm_control- pwm_control
recover_act_part- recover_act_part
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
save    - save file to a filesystem
saveenv - save environment variables to persistent storage
secext4load- read a file's data
secext4write- write data to file
secsquashfsload- read a file's data
secure_authenticate- authenticate the signed image

setenv  - set environment variables
sf      - SPI flash sub-system
showvar - print local hushshell variables
size    - determine a file's size
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
squashfs- determine a file's size
squashfsload- load binary file from a squashfs filesystem
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
uart    - UART sub-system
ubi     - ubi commands
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
IPQ807x#

Can you show printenv output?

Ignore the bootcmd & fileaddr. I am trying a bunch of things. Normally bootcmd is just "bootipq"

IPQ807x# printenv
baudrate=115200
bootargs=console=ttyMSM0,115200n8
bootcmd=fatload mmc 0:1 4400 snp.efi
bootdelay=2
eth1addr=2c:ea:dc:34:4a:ac
eth2addr=2c:ea:dc:34:4a:ac
eth3addr=2c:ea:dc:34:4a:ac
eth4addr=2c:ea:dc:34:4a:ac
ethact=eth0
ethaddr=2c:ea:dc:34:4a:ab
fdt_high=0x4A200000
fdtcontroladdr=4a985be0
fileaddr=4400
filesize=1a0
flash_type=5
ipaddr=192.168.10.10
machid=8750106
mmcargs=mmc_mid=0x15
netmask=255.255.255.0
reboot-reason=rea=ffffffff
reboot-time=time=ffffffff
serverip=192.168.10.1
soc_version_major=2
soc_version_minor=0
stderr=serial@78B3000
stdin=serial@78B3000
stdout=serial@78B3000

Environment size: 643/262140 bytes
IPQ807x#

Have made a lot of progress. Managed to unlock the bootloader. Now I can actually try some interesting things, if I can get bootm to do something.

IPQ807x# setenv fileaddr 41000000
IPQ807x# setenv loadaddr 41000000
IPQ807x# setenv bootfile kernel.img
IPQ807x# dhcp
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 up Speed :1000 Full duplex
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 Down Speed :10 Half duplex
ipq807x_eth_init: done
BOOTP broadcast 1
DHCP client bound to address 192.168.0.197 (3058 ms)
Using eth0 device
TFTP from server 192.168.0.1; our IP address is 192.168.0.197
Filename 'kernel.img'.
Load address: 0x41000000
Loading: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 33692
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ####################################################
         2.1 MiB/s
done
Bytes transferred = 8388096 (7ffe00 hex)
ipq807x_eth_halt: done
IPQ807x# bootm 41000000
secure boot fuse is enabled
Wrong Image Format for bootm command
ERROR: can't get kernel image!
IPQ807x# <INTERRUPT>
IPQ807x# bootm <INTERRUPT>
IPQ807x# bootm
secure boot fuse is enabled
Wrong Image Format for bootm command
ERROR: can't get kernel image!
IPQ807x# bootm 41000000
secure boot fuse is enabled
Wrong Image Format for bootm command
ERROR: can't get kernel image!

It works!! The dynalink RT5010w initramfs image boots. No wifi, but at least I'm in.

I will compile some notes and post the 'hack' to get uboot working a bit later.

IPQ807x# tftpboot kernel_dyna.img
secure boot fuse is enabled
debug cert - not found
ipq807x_eth_halt: done
eth0 PHY0 Down Speed :10 Half duplex
eth0 PHY1 Down Speed :10 Half duplex
eth0 PHY2 Down Speed :10 Half duplex
eth0 PHY3 Down Speed :10 Half duplex
eth0 PHY4 Down Speed :10 Half duplex
eth0 PHY5 up Speed :1000 Full duplex
ipq807x_eth_init: done
Using eth0 device
TFTP from server 192.168.0.1; our IP address is 192.168.0.10
Filename 'kernel_dyna.img'.
Load address: 0x44000000
Loading: *
Got TFTP_OACK: TFTP remote port: changes from 69 to 35352
#################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         ##############
         2.1 MiB/s
done
Bytes transferred = 11642156 (b1a52c hex)
ipq807x_eth_halt: done
IPQ807x# bootm
secure boot fuse is enabled
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.15.87
     Type:         Kernel Image
     Compression:  gzip compressed
     Data Start:   0x440000e8
     Data Size:    11598331 Bytes = 11.1 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41000000
     Entry Point:  0x41000000
     Hash algo:    crc32
     Hash value:   e7baf9b6
     Hash algo:    sha1
     Hash value:   2bd2ab2d775855ce3efcde7fe561e4d39929e35b
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@rt5010w-d350-rev0' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt dynalink_dl-wrx36 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x44b0fc28
     Data Size:    41883 Bytes = 40.9 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   b249df20
     Hash algo:    sha1
     Hash value:   827d5b08a2cee589612e0c87765bb7991c878dbf
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x44b0fc28
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 4a1f2000, end 4a1ff39a ... OK
Using machid 0x8750106 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
[    0.000000] Linux version 5.15.87 (root@DESKTOP-F7F31J2) (aarch64-openwrt-linux-musl-gcc (OpenWrt GCC 12.2.0 r21791+23-c03e458c86) 12.2.0, GNU ld (GNU Binutils) 2.39) #0 SMP Sat Jan 14 15:45:09 2023
[    0.000000] Machine model: Dynalink DL-WRX36
[    0.000000] Zone ranges:
[    0.000000]   DMA      [mem 0x0000000040000000-0x00000000bfffffff]
[    0.000000]   DMA32    empty
[    0.000000]   Normal   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000040000000-0x0000000040ffffff]
[    0.000000]   node   0: [mem 0x0000000041000000-0x000000004a3fffff]
[    0.000000]   node   0: [mem 0x000000004a400000-0x00000000510fffff]
[    0.000000]   node   0: [mem 0x0000000051100000-0x00000000bfffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000040000000-0x00000000bfffffff]
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv1.0 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: MIGRATE_INFO_TYPE not supported.
[    0.000000] psci: SMC Calling Convention v1.0
[    0.000000] percpu: Embedded 17 pages/cpu s30360 r8192 d31080 u69632
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 516096
[    0.000000] Kernel command line: console=ttyMSM0,115200n8 root=/dev/ubiblock0_1
[    0.000000] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.000000] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 1910156K/2097152K available (7360K kernel code, 848K rwdata, 2040K rodata, 8064K init, 273K bss, 186996K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0
[    0.000000] Root IRQ handler: gic_handle_irq
[    0.000000] GICv2m: range[mem 0x0b00a000-0x0b00affc], SPI[448:479]
[    0.000000] arch_timer: cp15 and mmio timer(s) running at 19.20MHz (virt/virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x46d987e47, max_idle_ns: 440795202767 ns
[    0.000000] sched_clock: 56 bits at 19MHz, resolution 52ns, wraps every 4398046511078ns
[    0.000114] Calibrating delay loop (skipped), value calculated using timer frequency.. 38.40 BogoMIPS (lpj=192000)
[    0.000130] pid_max: default: 32768 minimum: 301
[    0.000284] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.000303] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.001880] rcu: Hierarchical SRCU implementation.
[    0.002050] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.002569] smp: Bringing up secondary CPUs ...
[    0.003150] Detected VIPT I-cache on CPU1
[    0.003212] CPU1: Booted secondary processor 0x0000000001 [0x410fd034]
[    0.003820] Detected VIPT I-cache on CPU2
[    0.003860] CPU2: Booted secondary processor 0x0000000002 [0x410fd034]
[    0.004425] Detected VIPT I-cache on CPU3
[    0.004462] CPU3: Booted secondary processor 0x0000000003 [0x410fd034]
[    0.004529] smp: Brought up 1 node, 4 CPUs
[    0.004555] SMP: Total of 4 processors activated.
[    0.004563] CPU features: detected: 32-bit EL0 Support
[    0.004570] CPU features: detected: CRC32 instructions
[    0.004622] CPU features: emulated: Privileged Access Never (PAN) using TTBR0_EL1 switching
[    0.004632] CPU: All CPU(s) started at EL1
[    0.004653] alternatives: patching kernel code
[    0.012343] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.012378] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.012517] pinctrl core: initialized pinctrl subsystem
[    0.013508] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.013967] DMA: preallocated 256 KiB GFP_KERNEL pool for atomic allocations
[    0.014026] DMA: preallocated 256 KiB GFP_KERNEL|GFP_DMA pool for atomic allocations
[    0.014083] DMA: preallocated 256 KiB GFP_KERNEL|GFP_DMA32 pool for atomic allocations
[    0.014406] thermal_sys: Registered thermal governor 'step_wise'
[    0.015878] cpuidle: using governor menu
[    0.016076] ASID allocator initialised with 65536 entries
[    0.017213] OF: /opp-table: could not get #nvmem-cell-cells for /soc/efuse@a4000/speedbin@125
[    0.068180] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid fuse count: 4
[    0.076634] SCSI subsystem initialized
[    0.076814] usbcore: registered new interface driver usbfs
[    0.076855] usbcore: registered new interface driver hub
[    0.076890] usbcore: registered new device driver usb
[    0.077323] qcom_scm: convention: smc arm 64
[    0.078481] clocksource: Switched to clocksource arch_sys_counter
[    0.079208] NET: Registered PF_INET protocol family
[    0.079368] IP idents hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.080747] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.080792] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[    0.080809] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.080970] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.081259] TCP: Hash tables configured (established 16384 bind 16384)
[    0.081349] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.081414] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.081608] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    0.081639] PCI: CLS 0 bytes, default 64
[    0.101620] workingset: timestamp_bits=46 max_order=19 bucket_order=0
[    0.105332] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.105354] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.107381] qcom-qmp-phy 78000.phy: supply vdda-phy not found, using dummy regulator
[    0.107544] qcom-qmp-phy 78000.phy: supply vdda-pll not found, using dummy regulator
[    0.108615] qcom-qmp-phy 78000.phy: Registered Qcom-QMP phy
[    0.109475] qcom-qusb2-phy 79000.phy: supply vdda-pll not found, using dummy regulator
[    0.109631] qcom-qusb2-phy 79000.phy: supply vdda-phy-dpdm not found, using dummy regulator
[    0.109797] qcom-qusb2-phy 79000.phy: Registered Qcom-QUSB2 phy
[    0.113987] bam-dma-engine 704000.dma-controller: num-channels unspecified in dt
[    0.114014] bam-dma-engine 704000.dma-controller: num-ees unspecified in dt
[    0.117709] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    0.118262] msm_serial 78b3000.serial: msm_serial: detected port #0
[    0.118302] msm_serial 78b3000.serial: uartclk = 3686400
[    0.118345] 78b3000.serial: ttyMSM0 at MMIO 0x78b3000 (irq = 22, base_baud = 230400) is a MSM
[    0.118378] msm_serial: console setup on port #0
[    0.754051] printk: console [ttyMSM0] enabled
[    0.759179] msm_serial: driver initialized
[    0.766911] loop: module loaded
[    0.768085] nand: No NAND device found
[    0.770861] spmi spmi-0: PMIC arbiter version v2 (0x20010000)
[    0.776727] s1: supplied by regulator-dummy
[    0.779831] s2: supplied by regulator-dummy
[    0.783779] vdd_s3: supplied by regulator-dummy
[    0.788110] vdd_s4: supplied by regulator-dummy
[    0.792626] s5: supplied by regulator-dummy
[    0.797003] l1: supplied by regulator-dummy
[    0.801165] l2: supplied by regulator-dummy
[    0.805314] l3: supplied by regulator-dummy
[    0.809534] l4: supplied by regulator-dummy
[    0.813652] l5: supplied by regulator-dummy
[    0.817818] l6: supplied by regulator-dummy
[    0.822022] l7: supplied by regulator-dummy
[    0.826147] l8: supplied by regulator-dummy
[    0.830334] l9: supplied by regulator-dummy
[    0.834620] l11: supplied by regulator-dummy
[    0.838671] l12: supplied by regulator-dummy
[    0.843163] l13: supplied by regulator-dummy
[    0.895624] i2c_dev: i2c /dev entries driver
[    0.899463] sdhci: Secure Digital Host Controller Interface driver
[    0.899506] sdhci: Copyright(c) Pierre Ossman
[    0.904952] sdhci-pltfm: SDHCI platform and OF driver helper
[    0.912632] remoteproc remoteproc0: releasing cd00000.q6v5_wcss
[    0.917144] NET: Registered PF_INET6 protocol family
[    0.921610] Segment Routing with IPv6
[    0.925994] In-situ OAM (IOAM) with IPv6
[    0.929591] NET: Registered PF_PACKET protocol family
[    0.933549] 8021q: 802.1Q VLAN Support v1.8
[    0.953916] qcom,cpr4-apss-regulator b018000.cpr4-ctrl: CPR valid fuse count: 4
[    0.954213] cpr4_ipq807x_apss_read_fuse_data: apc_corner: speed bin = 0
[    0.960108] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR fusing revision = 1
[    0.966642] cpr4_ipq807x_apss_read_fuse_data: apc_corner: CPR misc fuse value = 0
[    0.974312] cpr4_ipq807x_apss_read_fuse_data: apc_corner: Voltage boost fuse config = 0 boost = disable
[    0.981816] cpr3_mem_acc_init: apc: not using memory accelerator regulator
[    0.990953] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused      SVS: open-loop= 704000 uV
[    0.997895] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused      NOM: open-loop= 816000 uV
[    1.007885] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused    TURBO: open-loop= 880000 uV
[    1.017693] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused   STURBO: open-loop= 968000 uV
[    1.027550] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused      SVS: quot[ 7]= 737, quot_offset[ 7]=   0
[    1.037315] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused      NOM: quot[ 7]= 949, quot_offset[ 7]= 210
[    1.048165] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused    TURBO: quot[ 7]=1057, quot_offset[ 7]= 105
[    1.059101] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused   STURBO: quot[ 7]=1215, quot_offset[ 7]= 155
[    1.070178] cpr3_regulator_init_ctrl: apc: Default CPR mode = closed-loop
[    1.072608] cpufreq: cpufreq_online: CPU0: Running at unlisted initial frequency: 19200 KHz, changing to: 1017600 KHz
[    1.101820] Freeing unused kernel memory: 8064K
[    1.178590] Run /init as init process
[    1.342855] init: Console is alive
[    1.342979] init: - watchdog -
[    1.349536] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    1.365820] ssdk_switch_device_num_init[1335]:INFO:ess-switch dts node number: 1
[    1.365929] ssdk_dt_get_switch_node[1124]:INFO:ess-switch DT exist!
[    1.372354] ssdk_dt_parse_access_mode[999]:INFO:switch_access_mode: local bus
[    1.378281] ssdk_dt_parse_access_mode[1012]:INFO:switchreg_base_addr: 0x3a000000
[    1.385584] ssdk_dt_parse_access_mode[1013]:INFO:switchreg_size: 0x1000000
[    1.393042] ssdk_dt_parse_mac_mode[327]:INFO:mac mode = 0xb
[    1.399724] ssdk_dt_parse_mac_mode[336]:INFO:mac mode1 = 0xff
[    1.405187] ssdk_dt_parse_mac_mode[345]:INFO:mac mode2 = 0xc
[    1.411109] ssdk_dt_parse_phy_info[716]:INFO:[PORT 6] port_mac_sel = QGMAC_PORT
[    1.416851] ssdk_dt_parse_uniphy[364]:INFO:ess-uniphy DT exist!
[    1.423960] ssdk_dt_parse_intf_mac[942]:INFO:dp1 MAC 2c:ea:dc:34:4a:ac
[    1.429787] ssdk_dt_parse_intf_mac[942]:INFO:dp2 MAC 2c:ea:dc:34:4a:ac
[    1.436377] ssdk_dt_parse_intf_mac[942]:INFO:dp3 MAC 2c:ea:dc:34:4a:ac
[    1.442894] ssdk_dt_parse_intf_mac[942]:INFO:dp4 MAC 2c:ea:dc:34:4a:ac
[    1.449470] ssdk_plat_init[1692]:INFO:ssdk_plat_init start
[    1.569750] ssdk_gcc_clock_init[1275]:INFO:SSDK gcc clock init successfully!
[    1.570797] malibu_phy_api_ops_init[2846]:INFO:qca probe malibu phy driver succeeded!
[    1.579918] hsl_phy_phydev_get[773]:ERROR:phy_addr 4 phydev is NULL
[    1.584845] qca808x_phy_api_ops_init[2566]:INFO:qca probe qca808x phy driver succeeded!
[    1.591047] regi_init[3953]:INFO:Initializing HPPE!!
[    1.828482] ssdk_ppe_reset_init[1535]:INFO:ppe reset successfully!
[    1.832082] qca_hppe_portctrl_hw_init[126]:INFO:Hawkeye PPE port initializing
[    1.834799] hsl_phy_phydev_get[773]:ERROR:phy_addr 4 phydev is NULL
[    1.841159] hsl_phy_phydev_get[773]:ERROR:phy_addr 4 phydev is NULL
[    2.534669] ssdk_switch_register[2017]:INFO:Chip version 0x1500
[    2.534701] qca_link_polling_select[1487]:INFO:link-polling-required node does not exist
[    2.539403] ssdk_switch_register[2043]:INFO:polling is selected
[    2.547725] regi_init[3957]:INFO:Initializing HPPE Done!!
[    2.553444] ssdk_genl_init[211]:INFO:ssdk genl family register success.
[    2.558933] regi_init[4020]:INFO:qca-ssdk module init succeeded!
[    2.567729] EDMA ver 1 hw init
[    2.571823] EDMA HW Reset completed succesfully
[    2.574485] Num rings - TxDesc:1 (23-23) TxCmpl:1 (7-7)
[    2.578888] RxDesc:1 (15-15) RxFill:1 (7-7)
[    2.584671] Generic PHY 90000.mdio-1:00: attached PHY driver (mii_bus:phy_addr=90000.mdio-1:00, irq=POLL)
[    2.588839] nss-dp 3a001000.dp1 lan4: Registered netdev lan4(qcom-id:1)
[    2.598280] Generic PHY 90000.mdio-1:01: attached PHY driver (mii_bus:phy_addr=90000.mdio-1:01, irq=POLL)
[    2.604925] nss-dp 3a001200.dp2 lan3: Registered netdev lan3(qcom-id:2)
[    2.614383] Generic PHY 90000.mdio-1:02: attached PHY driver (mii_bus:phy_addr=90000.mdio-1:02, irq=POLL)
[    2.621050] nss-dp 3a001400.dp3 lan2: Registered netdev lan2(qcom-id:3)
[    2.630566] Generic PHY 90000.mdio-1:03: attached PHY driver (mii_bus:phy_addr=90000.mdio-1:03, irq=POLL)
[    2.637189] nss-dp 3a001600.dp4 lan1: Registered netdev lan1(qcom-id:4)
[    2.847163] QCA808X ethernet 90000.mdio-1:1c: attached PHY driver (mii_bus:phy_addr=90000.mdio-1:1c, irq=POLL)
[    2.847667] nss-dp 3a007000.dp6-syn wan: Registered netdev wan(qcom-id:6)
[    2.856152] **********************************************************
[    2.862915] * NSS Data Plane driver
[    2.869329] **********************************************************
[    2.882371] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[    2.882426] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 1
[    2.886905] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220fe65 hci version 0x110 quirks 0x0000000002010010
[    2.894415] xhci-hcd xhci-hcd.1.auto: irq 89, io mem 0x08a00000
[    2.903808] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller
[    2.909602] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 2
[    2.915149] xhci-hcd xhci-hcd.1.auto: Host supports USB 3.0 SuperSpeed
[    2.923301] hub 1-0:1.0: USB hub found
[    2.929318] hub 1-0:1.0: 1 port detected
[    2.933501] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[    2.937429] hub 2-0:1.0: USB hub found
[    2.945251] hub 2-0:1.0: 1 port detected
[    2.950087] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.956065] init: - preinit -
[    3.007808] random: jshn: uninitialized urandom read (4 bytes read)
[    3.025313] random: jshn: uninitialized urandom read (4 bytes read)
[    3.034285] random: jshn: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    5.136500] procd: - early -
[    5.136583] procd: - watchdog -
[    5.649805] procd: - watchdog -
[    5.650172] procd: - ubus -
[    5.654351] random: ubusd: uninitialized urandom read (4 bytes read)
[    5.701759] random: ubusd: uninitialized urandom read (4 bytes read)
[    5.701932] random: ubusd: uninitialized urandom read (4 bytes read)
[    5.708067] procd: - init -
Please press Enter to activate this console.
[    5.791752] urngd: v1.0.2 started.
[    5.805317] random: crng init done
[    5.805349] random: 28 urandom warning(s) missed due to ratelimiting
[    5.806593] kmodloader: loading kernel modules from /etc/modules.d/*
[    5.840338] Loading modules backported from Linux version v6.1-rc8-0-g76dcd734eca2
[    5.840376] Backport generated by backports.git v5.15.81-1-41-g02e352527db5
[    5.850502] NET: Registered PF_QIPCRTR protocol family
[    5.873853] PPP generic driver version 2.4.2
[    5.874406] NET: Registered PF_PPPOX protocol family
[    5.882222] ath11k c000000.wifi: ipq8074 hw2.0
[    5.882254] ath11k c000000.wifi: FW memory mode: 0
[    5.886595] remoteproc remoteproc0: powering up cd00000.q6v5_wcss
[    5.891309] remoteproc remoteproc0: Booting fw image IPQ8074/q6_fw.mdt, size 668
[    6.249835] remoteproc remoteproc0: remote processor cd00000.q6v5_wcss is now up
[    6.251704] ath11k c000000.wifi: qmi ignore invalid mem req type 3
[    6.256906] ath11k c000000.wifi: chip_id 0x0 chip_family 0x0 board_id 0xff soc_id 0xffffffff
[    6.262346] ath11k c000000.wifi: fw_version 0x250a04a5 fw_build_timestamp 2021-12-20 07:09 fw_build_id WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1
[    6.272339] kmodloader: done loading kernel modules from /etc/modules.d/*
[    6.327124] ath11k c000000.wifi: qmi failed to load CAL data file:cal-ahb-c000000.wifi.bin
[    6.327197] ath11k c000000.wifi: failed to load board data file: -12
[   10.098373] br-lan: port 1(lan1) entered blocking state
[   10.098416] br-lan: port 1(lan1) entered disabled state
[   10.102728] device lan1 entered promiscuous mode
[   10.114637] br-lan: port 2(lan2) entered blocking state
[   10.114683] br-lan: port 2(lan2) entered disabled state
[   10.118950] device lan2 entered promiscuous mode
[   10.126695] br-lan: port 3(lan3) entered blocking state
[   10.128789] br-lan: port 3(lan3) entered disabled state
[   10.133958] device lan3 entered promiscuous mode
[   10.142799] br-lan: port 4(lan4) entered blocking state
[   10.143771] br-lan: port 4(lan4) entered disabled state
[   10.148987] device lan4 entered promiscuous mode
[   13.448652] nss-dp 3a007000.dp6-syn wan: PHY Link up speed: 1000
[   13.448721] IPv6: ADDRCONF(NETDEV_CHANGE): wan: link becomes ready
[   31.208524] l11: disabling


Unfortunately, it looks like they are checking every firmware image with some kind of public key encryption. This means that we can't use warehouse_api to flash the device. This makes the chances of flashing custom firmware without opening the device a lot lower.

I published my security research for this device here:

MeisterLone/Askey-RT5010W-D187-REV6: Reverse Engineering the Askey RT5010W (github.com)

Here is a teardown video of the device as well as an example of how to glitch it to get a shell in U-Boot.


@ghoffman, are you game to try the glitch?

I will give it a try. Should I solder a wire to the board so I don't have to 'aim' so well during the u-boot time interval?

Have you tried putting the wrx36 u-boot on the device? I still think changing the 1st-stage bootloader is the way to go - but if no go, that would require flash reprogramming at a level you have but I don't!

Direct me about what exactly you want.
Thx

I wouldn't solder anything. You only need to get it right once and then never again.

It's not necessary to change uboot. The stock uboot works fine. Let me know if the glitch works.

When you get a prompt, do

setenv bootcmd usbboot
saveenv

Check the commands exist
bootm
bootipq
tftpboot

Oh yes, could you also do “bdinfo” cmd. Copy the address it shows at “relocaddress” and run this cmd

md.b relocaddress 20000

Save log and send to me.

I need to find out if your bootloader is exactly the same as mine

Is there a bootcmd that will detect the reset button push? If we replaced the boot command to first check for reset button push and then error out, we could use that as an easier way once we first did your hack to program the command. I'm envisioning some logic like - if (reset button pushed) then (error, to u-boot) else (next boot command)?

@ghoffman I don't know how to do that. It may be possible but I'm not sure. You could pretty easily set it to try TFTP boot first and if that fails, continue to regular boot. For now I just set it to go directly to the uboot shell while we are building openwrt support.

For now I'm just trying to figure out how to get wifi working.

Hey @robimarko. The dynalink initramfs boots on this device. What are my next steps to get wifi working? Specifically, how to configure my openwrt build to know which firmware blobs to use?

Here is the bootlog for the dynalink initramfs running on our device:
Askey-RT5010W-D187-REV6/dynalink_initramfs_bootlog.txt at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)

And here is the stock firmware:
Askey-RT5010W-D187-REV6/stock_firmware_bootlog.txt at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)

Thank you!

For wifi you need to extract the board-2 file from the original firmware and find where the precal file is placed.

@Ansuel well I think I found the board firmware blob, it is extremely similar to what others have used for the dynalink router, but the binary I found looks like it is missing some kind of header. Please see below.. am I supposed to process this file somehow?

@meisterlone -
Great work here. I'm a little slow on testing the pinshort hack because I stupidly stripped the screws that hold the main heatsink. I'm trying a few other ways to glitch the system during the uboot window...

You need to add a proper json header to the board file:

Add the dts property

qcom,ath11k-calibration-variant = "Netgear-RAX120v2";

to the wifi node (adapt the value accordingly; it must match the value from the board file).

The qcom,board_id property is no longer needed.

To add the board file to your image, add the file + device entry to package/firmware/ipq-wifi