First post here, so hopefully I'm in the right place. (srry mods if I'm posting in the wrong spot plz forgive <3) I work in game development, so this is definitely outside my scope of expertise, but I'm having fun messing around with it.

I saw another user (@meisterlone) got OpenWrt working on a similar-ish model (SAX1v1K). I was following his tutorial until I realized I had a different model lol. I couldn't find any info on anyone trying to get OpenWrt on this specific unit (SBE1V1K), so I thought I'd start the conversation and share what I found.

My setup is as follows: I'm using my PC to SSH into a Raspberry Pi Zero 2 W -> jumper wires -> SBE1V1K serial port.

I haven't been able to interrupt the U-Boot process with standard key presses. I also couldn't really test ctrl+c because it just kills the SSH session to my Pi rather than sending the signal to the router.

I read in meisterlone's guide that the "CLK signal that runs between the EMMC and the CPU must be interrupted at the perfect time (3-second window)... as soon as the 'Hit space key to stop autoboot' message appears."

My Questions Since this is a different model/chipset (Qualcomm IPQ9574 vs the SAX1v1k), I'm unsure if trying the shorting method is a good idea or if I'll just instant-brick it? Further, I never get a "press space to interrupt" prompt. The closest thing I see in the logs is a method named do_bootaskey(). I'm curious if the bootdelay is set to 0 or -2 to disallow interruptions, or if I could replicate the glitch bug during that do_bootaskey window.

Here is the startup log I pulled from the serial port:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.XF.0.3.1.1-00086-IPQ90xxLZB-2
S - IMAGE_VARIANT_STRING=IPQ9574LA
S - OEM_IMAGE_VERSION_STRING=crm-ubuntu142
S - Boot Interface: eMMC
S - Secure Boot: On
S - Boot Config @ 0x000a602c = 0x000002e3
S - JTAG ID @ 0x000a607c = 0x001ae0e1
S - OEM ID @ 0x000a6080 = 0x01f40001
S - Serial Number @ 0x000a60a8 = 0x7f65df66
S - Feature Config Row 0 @ 0x000a4010 = 0x0000000000000000
S - Feature Config Row 1 @ 0x000a4018 = 0x0000000000000000
S - Feature Config Row 2 @ 0x000a4020 = 0x8000300000000000
S - FM_VERSION @ 0x000a4004 = 0x00000003
S - TAG_VERSION @ 0x000a4004 = 0x00000006
S - FEATURE ID @ 0x000a4000 = 0x00000002
S - PBL Patch Ver: 0
S - TME-L LCS: 0x0b
S - I-cache: Off
S - D-cache: Off
B -      3413 - PBL, Start
B -     11496 - bootable_media_detect_entry, Start
B -     13763 - bootable_media_detect_success, Start
B -     79031 - elf_loader_entry, Start
B -     79495 - auth_hash_seg_entry, Start
B -     81437 - auth_hash_seg_exit, Start
B -     92404 - elf_segs_hash_verify_entry, Start
B -    128037 - elf_segs_hash_verify_exit, Start
B -    137062 - auth_xbl_sec_hash_seg_entry, Start
B -    137588 - auth_xbl_sec_hash_seg_exit, Start
B -    145405 - xbl_sec_segs_hash_verify_entry, Start
B -    145406 - xbl_sec_segs_hash_verify_exit, Start
B -    147015 - PBL, End
B -    119011 - SBL1, Start
B -    339465 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    342088 - System Reset Reason : Power on Reset [0x20]
B -    347456 - clock_init, Start
D -       976 - clock_init, Delta
B -    355416 - boot_flash_init, Start
D -     67344 - boot_flash_init, Delta
B -    426512 - sbl1_ddr_set_default_params, Start
D -       335 - sbl1_ddr_set_default_params, Delta
B -    432673 - boot_config_data_table_init, Start
D -      4422 - boot_config_data_table_init, Delta - (575 Bytes)
B -    442616 - CDT Version:2,Platform ID:8,Major ID:119,Minor ID:48,Subtype:1
B -    447465 - Image Load, Start
D -      6588 - OEM_MISC Image Loaded, Delta - (0 Bytes)
B -    456951 - Image Load, Start
D -      5154 - PMIC Image Loaded, Delta - (0 Bytes)
B -    464820 - sbl1_ddr_set_params, Start
B -    470096 - CPR configuration: 0x3a7
B -    472994 - Pre_DDR_clock_init, Start
D -        30 - Pre_DDR_clock_init, Delta
D -         0 - sbl1_ddr_set_params, Delta
B -    782935 - Image Load, Start
D -      5612 - Auth Metadata
D -       396 - Segments hash check
D -     12322 - APDP Image Loaded, Delta - (6380 Bytes)
B -    801479 - Image Load, Start
D -     16226 - TME-L FW Image Loaded, Delta - (224976 Bytes)
B -    819626 - Image Load, Start
D -      2959 - QTI_MISC Image Loaded, Delta - (0 Bytes)
B -    826031 - Image Load, Start
D -      5551 - Auth Metadata
D -       732 - Segments hash check
D -     16836 - QSEE Dev Config Image Loaded, Delta - (35786 Bytes)
B -    844606 - Image Load, Start
D -     10065 - Auth Metadata
D -     11865 - Segments hash check
D -     51819 - QSEE Image Loaded, Delta - (1410956 Bytes)
B -    897523 - Image Load, Start
D -      5276 - Auth Metadata
D -      1769 - Segments hash check
D -     20862 - RPM Image Loaded, Delta - (99276 Bytes)
B -    920093 - Image Load, Start
D -      5307 - Auth Metadata
D -      3569 - Segments hash check
D -     23455 - APPSBL Image Loaded, Delta - (533564 Bytes)
B -    946933 - SBL1, End
D -    831369 - SBL1, Delta
S - Flash Throughput, 49819 KB/s  (2312185 Bytes,  46411 us)
S - Core 0 Frequency, 800 MHz
S - DDR Frequency, 1600 MHz


U-Boot 1.0.10 [spf12.2_CSU2] (Sep 12 2024 - 02:30:19 +0000)

DRAM:  smem ram ptable found: ver: 2 len: 4
2 GiB
pwm init
pwm ctl start================================
NAND:  QPIC: disabled, skipping initialization
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI0 is not defined in the device tree
PCI Link Intialized
PCI Link Intialized
PCI Link Intialized
In:    serial@78B1000
Out:   serial@78B1000
Err:   serial@78B1000
machid: 8773001
eth5 MAC Address from ART is not valid

MMC read: dev # 0, block # 39458, count 1024 ... 1024 blocks read: OK
CRC check good on phy fw file (0x47BD)
PHYFW:Loading IRAM...........done.
PHYFW:Loading DRAM..............done.
phy fw image load  CRC-16 (0x0) does not match calculated CRC-16 (0x114E)


 do_bootaskey()
 check temperature of soc 26 ,and threshold 80
pwm ctl start================================
debug cert - not found
verify init: active_part [0], bak_part [1]
verify FW [0] start
askey_dualimg_emmc.c [298] runcmd=mmc read 0x44000000 0x14022 0x94

MMC read: dev # 0, block # 81954, count 148 ... 148 blocks read: OK
Parsing phdr load addr 0x0 offset 0x0 size 0x94 type 0x0
Parsing phdr load addr 0x0 offset 0x1000 size 0x13e8 type 0x0
Parsing phdr load addr 0x44000000 offset 0x3000 size 0x39ff90 type 0x1
askey_dualimg_emmc.c [86] act_part=0

MMC read: dev # 0, block # 81954, count 14336 ... 14336 blocks read: OK
Parsing phdr load addr 0x0 offset 0x0 size 0x94 type 0x0
Parsing phdr load addr 0x0 offset 0x1000 size 0x13e8 type 0x0
Parsing phdr load addr 0x44000000 offset 0x3000 size 0x2840000 type 0x1
runcmd=mmc read 0x42003000 0x1B022 0x3D000 &&

MMC read: dev # 0, block # 110626, count 249856 ... 249856 blocks read: OK
img_info.img_offset=0x3000,img_info.img_size=0x2840000
Rootfs elf image authentication success
verify FW [0] success
backup start ...bak_part=1
askey_dualimg_emmc.c [153] read_kernel,runcmd=mmc read 0x44000000 0x17822 0x94

MMC read: dev # 0, block # 96290, count 148 ... 148 blocks read: OK
Parsing phdr load addr 0x0 offset 0x0 size 0x94 type 0x0
Parsing phdr load addr 0x0 offset 0x1000 size 0x13e8 type 0x0
Parsing phdr load addr 0x44000000 offset 0x3000 size 0x39fefc type 0x1
askey_dualimg_emmc.c [89] act_part=1
askey_dualimg_emmc.c [165] runcmd=mmc read 0x43ffd000 0x17822 0x3800

MMC read: dev # 0, block # 96290, count 14336 ... 14336 blocks read: OK
no need backup, FW & FW_1 is same.
askey_dualimg_emmc.c [153] read_kernel,runcmd=mmc read 0x44000000 0x14022 0x94

MMC read: dev # 0, block # 81954, count 148 ... 148 blocks read: OK
Parsing phdr load addr 0x0 offset 0x0 size 0x94 type 0x0
Parsing phdr load addr 0x0 offset 0x1000 size 0x13e8 type 0x0
Parsing phdr load addr 0x44000000 offset 0x3000 size 0x39ff90 type 0x1
askey_dualimg_emmc.c [86] act_part=0
askey_dualimg_emmc.c [165] runcmd=mmc read 0x43ffd000 0x14022 0x3800

MMC read: dev # 0, block # 81954, count 14336 ... 14336 blocks read: OK
[do_boot_signedimg_askey,1095]ret1=2,IMAGE_FORMAT_FIT=2,IMAGE_FORMAT_LEGACY=1
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@rtq7300t-rev0' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM64 OpenWrt Linux-5.4.213
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x440000e8
     Data Size:    3547435 Bytes = 3.4 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x42080000
     Entry Point:  0x42080000
     Hash algo:    crc32
     Hash value:   e274a865
     Hash algo:    sha1
     Hash value:   6b8d31a892598e1db9061717ef82619bc37221d8
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@rtq7300t-rev0' configuration
   Trying 'fdt@rtq7300t-rev0' fdt subimage
     Description:  ARM64 OpenWrt rtq7300t device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x4438b304
     Data Size:    83642 Bytes = 81.7 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   0b0873b5
     Hash algo:    sha1
     Hash value:   81e9a06c593a55ec8dc1fabb52f284a390fec2da
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x4438b304
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 484e8000, end 484ff6b9 ... OK

MMC read: dev # 0, block # 37410, count 2048 ... 2048 blocks read: OK
Could not find PCI0 in device tree
Using machid 0x8773001 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor

Possibly Relevant Things I found:
I found these links which might be relevant since this uses the IPQ95xx chipset:

• zilogic-systems/feed-ipq: OpenWrt feed for Qualcomm WiFi SoC platforms
• CodeLinaro OpenWrt Target (IPQ95xx)

Just want to repeat this once more lol, this is totally outside my depth. I was just frustrated Spectrum wouldn't let me change anything except barebones settings in their app. I realized I had a different model than the guide I was following, and I probably used quite a few terms incorrectly here, so forgive the noobness lol.

I already bought a replacement router, so I don't mind messing with this one. If anyone has ideas on how to get OpenWrt running on this but doesn't have access to the hardware, let me know what to try and I'd love to document the results here c:

FCC photos: https://device.report/fccid/H8NSBE1V1K

you can tunnel your serial trough ssh

ssh -t ip-rasp picocom -b 115200 /dev/tty

Really depends if they left bootm properly intact in their u-boot and/or have a check to disable it when secure boot is fused, similar to that RT5010W link you provided. (Which is also Askey)

Although sometimes they do these things, but leave the memory read/write functions intact, thus allowing you to chain them in the bootcmd to patch the boot commands before execution. (Not sure if that runs into any instruction cache issues or anything, but I think it has been done before.)

A good friend of mine shared a 4-bit eMMC pinout. You can try shorting CLK to GND during boot or to ~1V and you should be able to enter the boot loader. It does have bootm, but I’m not sure if they enable signature checking with it.

sbe1v1k1920×1994 924 KB

One big issue with this device is that they finally hardcoded the boot command, so having a custom one like the SAX1V1K will not be happening.
Any hacks would have to reapply the boot patches every startup.

It’s possible to boot OpenWrt! See the commit. However, these Qualcomm targets aren’t for the faint of heart… I’m not entirely sure how to wire Ethernet (or Wi-Fi, yet) correctly in the device tree.

The kernel boot log shows several BDFs being loaded. Here’s a snippet:

Feb 26 01:03:33 kernel: [   16.526947] cnss[38]: INFO: Target capability: chip_id: 0x0, chip_family: 0xb, board_id: 0xff, soc_id: 0x401a2200, fw_version: 0x110d7fff, fw_build_timestamp: 2024-10-26 06:17, otp_version: 0x0 eeprom_caldata_read_timeout 0s bdf_dnld_method 1 regdb_mandatory 1 rxgainlut_support 1
Feb 26 01:03:33 kernel: [   16.536584] cnss[38]: INFO: Downloading BDF: qcn9224/regdb.bin, size: 25656
Feb 26 01:03:33 kernel: [   16.558947] remoteproc remoteproc0: remote processor QCN9224_PCI1 is now up
Feb 26 01:03:33 kernel: [   16.565002] cnss[38]: INFO: Downloading BDF: qcn9224/bdwlan.b0001, size: 63488
Feb 26 01:03:33 kernel: [   16.565864] cnss[38]: INFO: Waiting for FW ready. Device: 0x1109, FW ready timeout: 15 seconds
Feb 26 01:03:33 kernel: [   16.585615] cnss[38]: INFO: Downloading BDF: qcn9224/caldata_2.bin, size: 184320
Feb 26 01:03:33 kernel: [   16.698945] cnss[38]: INFO: FW ready received for device 0x1109

Feb 26 01:03:33 kernel: [   18.720058] cnss[39]: INFO: Target capability: chip_id: 0x0, chip_family: 0xb, board_id: 0xff, soc_id: 0x401a2200, fw_version: 0x110d7fff, fw_build_timestamp: 2024-10-26 06:17, otp_version: 0x0 eeprom_caldata_read_timeout 0s bdf_dnld_method 1 regdb_mandatory 1 rxgainlut_support 1
Feb 26 01:03:33 kernel: [   18.720129] cnss[39]: INFO: Downloading BDF: qcn9224/regdb.bin, size: 25656
Feb 26 01:03:33 kernel: [   18.726351] cnss[39]: INFO: Downloading BDF: qcn9224/bdwlan.b0004, size: 102400
Feb 26 01:03:33 procd: /etc/rc.d/S26qca-nss-ecm: net.bridge.bridge-nf-call-ip6tables = 1
Feb 26 01:03:33 procd: /etc/rc.d/S26qca-nss-ecm: net.bridge.bridge-nf-call-iptables = 1

Feb 26 01:03:41 kernel: [   26.292452] cnss[3a]: INFO: Target capability: chip_id: 0x0, chip_family: 0xb, board_id: 0xff, soc_id: 0x401a2200, fw_version: 0x110d7fff, fw_build_timestamp: 2024-10-26 06:17, otp_version: 0x0 eeprom_caldata_read_timeout 0s bdf_dnld_method 1 regdb_mandatory 1 rxgainlut_support 1
Feb 26 01:03:41 kernel: [   26.292511] cnss[3a]: INFO: Downloading BDF: qcn9224/regdb.bin, size: 25656
Feb 26 01:03:41 kernel: [   26.298723] cnss[3a]: INFO: Downloading BDF: qcn9224/bdwlan.b0002, size: 100352
Feb 26 01:03:41 kernel: [   26.319059] cnss[3a]: INFO: Downloading BDF: qcn9224/caldata_4.bin, size: 184320

All have the board_id 0xff (255), but the OEM device tree has the board_id’s of 1, 2 and 4:

        wifi7@f00000 {
            compatible = "qcom,cnss-qcn9224";
            qcom,wlan-ramdump-dynamic = <0x600000>;
            qrtr_node_id = <0x33>;
            qca,auto-restart;
            status = "ok";
            interrupt-bmap = <0x100512>;
            base-addr = "W0\0";
            m3-dump-addr = <0x58f00000>;
            etr-addr = <0x59000000>;
            caldb-addr = <0x59100000>;
            pageable-addr = <0x59900000>;
            hremote-size = <0x1c00000>;
            pageable-size = <0xc00000>;
            tgt-mem-mode = <0x00>;
            caldb-size = <0x800000>;
            qca,extended-intc;
                        ... snip ...
            hremote_node = <0x44>;
            board_id = <0x02>;

Currently, my board-2.json looks like

[
	{
		"board": [
			{
				"names": [
					"bus=pci,qmi-chip-id=0,qmi-board-id=1,variant=Askey-SBE1V1K"
				],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=1,variant=Askey-SBE1V1K.bin"
			},
			{
				"names": [
					"bus=pci,qmi-chip-id=0,qmi-board-id=2,variant=Askey-SBE1V1K"
				],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=2,variant=Askey-SBE1V1K.bin"
			},
			{
				"names": [
					"bus=pci,qmi-chip-id=0,qmi-board-id=4,variant=Askey-SBE1V1K"
				],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=4,variant=Askey-SBE1V1K.bin"
			}
		]
	}
]

With the data being bdwlan.b000x from the WIFIFW partition, where x is 1, 2 or 4. I’m not sure if this is right though, given the boot log.

ath12k driver is complaining about my BDF.

[   13.135019] ath12k_pci 0001:01:00.0: qmi dma allocation failed (29360128 B type 1), will try later with small size
[   13.165450] ath12k_pci 0001:01:00.0: memory type 10 not supported
[   13.185170] ath12k_pci 0001:01:00.0: chip_id 0x0 chip_family 0xb board_id 0xff soc_id 0x401a2200
[   13.185197] ath12k_pci 0001:01:00.0: fw_version 0x150c0673 fw_build_timestamp 2025-04-24 15:13 fw_build_id QC_IMAGE_VERSION_STRING=WLAN.WBE.1.5-0165
1-QCAHKSWPL_SILICONZ-1
[   13.210826] ath12k_pci 0001:01:00.0: failed to fetch board data for bus=pci,qmi-chip-id=0,qmi-board-id=255 from ath12k/QCN9274/hw2.0/board-2.bin
[   13.210870] ath12k_pci 0001:01:00.0: failed to fetch board.bin from QCN9274/hw2.0
[   13.222880] ath12k_pci 0001:01:00.0: qmi failed to load bdf:
[   13.230231] ath12k_pci 0001:01:00.0: qmi failed to load board data file:-12

My board-2.json:

[
	{
		"board": [
			{
				"names": ["bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_1"],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_1.bin"
			},
			{
				"names": ["bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_2"],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_2.bin"
			},
			{
				"names": ["bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_4"],
				"data": "bus=pci,qmi-chip-id=0,qmi-board-id=255,variant=Askey-SBE1V1K_4.bin"
			}
		]
	}
]

And relevant DTS sections: https://github.com/openwrt/openwrt/pull/21586/changes/fdfe9182d7fde49d6ef16601d0802cd6c699e46f#diff-595a20118083236ad47155f3ed23b3a427029153033e24de4458474f31697611R462-R595

@robimarko any hints here? Apparently upstream is supposed to specify variants in this manner, but it looks like the driver is having trouble finding it.

Well, I dont think that ath12k supports variants, it most likely needs to be implemented

I submitted a patch upstream that implements this and WiFi now works perfectly. However, none of my Ethernet ports pass traffic.

I’ve got the device fully OpenWrt functional sans the PWM fan. The trips appear correct and sensors shows that the fan should be on, but it never spins. Unsure if it’s a bug in the pwm driver. Everything else is functional pending the linked PRs (and one driver revert).

I have HW version 4.1 with uboot 1.0.10 and when booting with the initramfs it has no issues but after installing to emmc it hangs at

[   11.993912] qcom,gcc-ipq9574 1800000.clock-controller: sync_state() pending due to 3a000000.ethernet 
[   11.999647] qcom,nsscc-ipq9574 39b00000.clock-controller: sync_state() pending due to 3a000000.ethernet 
[   12.008862] qcom,gcc-ipq9574 1800000.clock-controller: sync_state() pending due to 7a00000.ethernet-pcs 
[   12.017968] qcom,nsscc-ipq9574 39b00000.clock-controller: sync_state() pending due to 7a00000.ethernet-pcs 
[   12.027350] qcom,gcc-ipq9574 1800000.clock-controller: sync_state() pending due to 7a10000.ethernet-pcs 
[   12.037064] qcom,nsscc-ipq9574 39b00000.clock-controller: sync_state() pending due to 7a10000.ethernet-pcs 
[   12.046356] qcom,gcc-ipq9574 1800000.clock-controller: sync_state() pending due to 7a20000.ethernet-pcs 
[   12.056075] qcom,nsscc-ipq9574 39b00000.clock-controller: sync_state() pending due to 7a20000.ethernet-pcs

also it will only boot the initramfs from 0x80000000, trying 0x44000000 errors and reboots

I made a typo in the uboot env vars. Please Check the latest commit instructions and set them again.

fw_setenv bootargs ‘console=ttyMSM0,115200n8 rootwait root=/dev/mmcblk0p27’

how does this compare to our favorite device?

It isn't (yet) being scalped to high heaven on eBay.

For those interested in buying this device:

follow the installation instructions closely

Through... trial and error, we have discovered that a bootloader bug means it is insanely easy to brick, requiring soldering the eMMC.

IPQ9570 seems about ~3x faster than AN7581. Still have yet to evaluate the actual performance since I can’t get the fan working properly and the design depends heavily on good airflow through the core. I’d say it will soon be an excellent contender.

And yes, heavy emphasis on installation. I’ve had to desolder, reprogram, reball and re-solder the eMMC probably near 10 times now.

And that’s where the party ends… just fried my second and last unit by shooting 12V directly into the tach line. Someone else will have to pick up where I left off. All that remains is the fan and setting wireless MAC addresses properly.

I’m probably doing something wrong or have something misconfigured but my initramfs image can do dhcp and connect with my PC over the lan ports but running off the eMMC I can’t connect to the router at all. I see all my ports getting assigned random MACs and the PHYs are properly negotiating with my PC’s NIC.

Can you share the bootlog?