Support D-Link DIR-X3260?

CPU:MT7622BV

FLASH:Winbond 25NO1GVZE1G 1Gb SPI-NAND
RAM:NANYA NT5CB256M16ER-FL 4Gb DDR3-2133

Wi-Fi 2.4GHZ Chip : MT7622BV
Wi-Fi 2.4GHZ 802.11 protocols: bgn
Wi-Fi 2.4GHZ MIMO config: 4x4:4(?)

Wi-Fi 5GHZ Chip : MT7915AN+MT7975AN
Wi-Fi 5GHZ 802.11 protocols: an+ac+ax
Wi-Fi 5GHZ MIMO config: 4x4:4(?)

Wi-Fi 2.4GHZ/5GHZ antenna connector: MHF4

Ethernet chip: MT7622BV

Switch:MT7531BE

LAN speed: 1GbE
LAN ports: 4
WAN speed: 1GbE
WAN ports: 1

PMIC:MT6380N

D-Link GPL Code
MTK Openwrt SDK (BASE: LEDE 17.01)

DIR-X3260_A1_V1.00B09_GPLCode_20211026.tar.gz

The big question would be if they've enabled secure boot or do any other tricks (signed firmwares) to prevent installing a 3rd party firmware like OpenWrt.

What I know at the moment is

U-BOOT will compare two firmware partitions
If it is not matched, it will be overwritten from the Firmware2 partition to the Firmware1 partition

Some of D-Link's AC models come with newer bootloaders that support (or require?) encrypted firmware, see:

That might play as well.

this unit is made by someone called "Friends Technology Co., Ltd"
where the DIR-2660 & other AC one's are made by "Shenzhen Gongjin Electronics Co., Ltd. / China,"
so I'm not sure if they would be simmer in any way
https://fccid.io/NCC/CCAR21LP1000T3
https://fccid.io/NCC/CCAJ19LP6100T7

maybe something here but again i think it's by "Bereau Veritas" so who knows

https://fcc.report/FCC-ID/KA2IRX1860A1/4644219

no firmware update available that i could find

I have backed up the firmware

And D-Link Taiwan official website has a new version of the firmware
But that thing is encrypted
D-Link F*** You

ok found the tw firmware
it has the same header & looks the same format as the AC ones

well it seemed to decrypt something "can't verify as I don't have the key"
I can't see the header that I would expect to see tho

http://luckys.onmypc.net/openwrt/DIR-X3260/DIRX3260A1_FW101B05_dec.bin

I have a firmware backup of my router
Does this help?

from what I can tell it's built off openwrt
I'm not used to the mediatek branch for the MT7622
& with out a unit I'm no going deep into it
but you could look at the image you have & compare it to the decrypted file I left there

How did you dump this? I have a COVR-X1862 set (two pieces COVR-X1860), and they also have the SHRS header (they are manufactured by the SGE), but with MT7621. MT7622 is ARM based however, similar to ath79 vs. ipq80xx.

Turns out they also changed the AES key, now that decryption is no longer possible with the tool that worked for COVR-C1200, COVR-P2500, DIR878, DIR-1960, DIR-2660, DIR-3060 etc... this has become quite cumbersome.

Since the firmware download is encrypted and the device is using NAND, the only way I could find to dump the firmware was via UART, i.e. using the uboot commands for NAND read (copy from NAND to RAM first), then displaying RAM contents with md, dumping this over UART... took somewhere around 1-2 hours and some scripting to dump the firmware partition

looking at the image decryption in ghidra, they came up with some fancy proprietary AES key generation involving something they call base64 interleaving / deinterleaving... But I couldn't reconstruct the actual algorithm, so the next steps for that device will be: Copy the decryption tool and all of the required .so files (trial and error until it runs) to another mt7621 router and run it... this should dump the key to stdout (which is routed to /dev/null during oem update process, not visible on ttyS0)... Hopefully, this will finally allow to flash COVR-X1860 at least via recovery, hoping the bootloader will only AES decrypt and not verify the RSA key (just like DIR2660 and DIR-3060).

I don't dare to believe this might work for that device in a smilar way...

So again, how did you dump the firmware? would you mind sharing the firmware mtd partition and bootloader?

Looking a the case, this device looks familiar to the new Broadcom devices by D-Link, called EAGLE (they have fancy AI shit built-in ), so maybe they found a new manufacturer besides Alpha Networks and SGE.

DIR-X1860 firmware uses the same AES keys as DIR-842 / DIR-859, by the way, it is also MT7621 but made by Alpha networks.

Since X3260 hardware specifications are roughly the same as Linksys E8450

So I use E8450 DTS to modify the partition table
Then compile

Then use TFTP to load this initramfs-kernel.bin
(Need to use UART)

Then use LUCI for backup

But if I have a FLASH programmer and a heat gun
I will consider using a FLASH programmer for backup

you should be able to pull the unencrypted firmware image from the dump
and see 1st if you can load it to ram like the initramfs image
if that works then I would try to see it its accepted buy a recovery interface
if that is accepted you know if you make openwrt in that form it should work

can boot

firmware dump

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.11.14 06:16:25 =~=~=~=~=~=~=~=~=~=~=~=
2

F0: 102B 0000

F6: 0000 0000

V0: 0000 0000 [0001]

00: 0000 0000

BP: 0000 0041 [0000]

G0: 0190 0000

T0: 0000 02D8 [000F]

Jump to BL


UNIVPLL_CON0 = 0xFE000000!!!

mt_pll_init: Set pll frequency for 25M crystal

[PMIC_WRAP]wrap_init pass,the return value=0.

[pmic_init] Preloader Start..................

[pmic_init] MT6380 CHIP Code, reg_val = 0, 1:E2  0:E3

[pmic_init] Done...................

Chip part number:7622B

MT7622 Version: 1.2.7, (iPA) 

SSC OFF

mt_pll_post_init: mt_get_cpu_freq = 1350000Khz

mt_pll_post_init: mt_get_mem_freq = 1600096Khz

mt_pll_post_init: mt_get_bus_freq = 1119920Khz

[PLFM] Init I2C: OK(0)



[BLDR] Build Time: 20180503-103334

==== Dump RGU Reg ========

RGU MODE:     4D

RGU LENGTH:   FFE0

RGU STA:      0

RGU INTERVAL: FFF

RGU SWSYSRST: 8000

==== Dump RGU Reg End ====

RGU: g_rgu_satus:0

 mtk_wdt_mode_config  mode value=10, tmp:22000010

PL P ON

WDT does not trigger reboot

WDT NONRST=0x20000000

WDT IRQ_EN=0x340003

RGU mtk_wdt_init:MTK_WDT_DEBUG_CTL(590200F3)

[EMI] MDL number = 2

[EMI] DRAMC calibration start



[EMI] DRAMC calibration end



[EMI]rank size auto detect

[EMI]rank0 size: 0x20000000

[MEM] complex R/W mem test pass

RAM_CONSOLE wdt status (0x0)=0x0

[SNF] [Cheng] ECC Control (1: Enable, 0: Disable) : 0



[SNF] Unlock all blocks ...



[SNF] Lock register(before). lock:0x7C 



[SNF] Lock register (after) new lock: 0



[BBT] BMT.v2 is found at 0x3FF

[SNF] Unlock all blocks ...



[SNF] Lock register(before). lock:0x0 



[SNF] Lock register (after) new lock: 0



[PLFM] Init Boot Device: OK(0)



[PART] blksz: 2048B

[PART] [0x0000000000000000-0x000000000007FFFF] "PRELOADER" (256 blocks) 

[PART] [0x0000000000080000-0x00000000000BFFFF] "tee1" (128 blocks) 

[PART] [0x00000000000C0000-0x000000000013FFFF] "lk" (256 blocks) 



Device APC domain init setup:



Domain Setup (0x0)

Domain Setup (0x0)

Device APC domain after setup:

Domain Setup (0x0)

Domain Setup (0x0)

Bad_Block_Table init, sizeof(Bad_Block_Table)= 8192 

[PART] Image with part header

[PART] name : U-Boot

[PART] addr : 41E00000h mode : -1

[PART] size : 368080

[PART] magic: 58881688h



[PART] load "lk" from 0x00000000000C0200 (dev) to 0x41E00000 (mem) [SUCCESS]

[PART] load speed: 9984KB/s, 368080 bytes, 36ms

load lk (ret=0)

[PART] Image with part header

[PART] name : atf

[PART] addr : FFFFFFFFh mode : -1

[PART] size : 57936

[PART] magic: 58881688h



[PART] load "tee1" from 0x0000000000080200 (dev) to 0x43000DC0 (mem) [SUCCESS]

[PART] load speed: 9429KB/s, 57936 bytes, 6ms

load tee1 (ret=0)

[BLDR] bldr load tee part ret=0x0, addr=0x43001000

[BLDR] boot part. not found

[BLDR] part_load_images ret=0x0

[BLDR] Others, jump to ATF



[BLDR] jump to 0x41E00000

[BLDR] <0x41E00000>=0xEA00000F

[BLDR] <0x41E00004>=0xE59FF014



U-Boot 2014.04-rc1 (Apr 13 2021 - 14:47:37)

auto detection g_total_rank_size = 0x1F000000
DRAM:  496 MiB
NAND:  Recognize SNAND: ID [ef aa 21 ], Device Name [Winbond 1Gb], Page Size [2048]B Spare Size [64]B Total Size [128]MB
[mtk_snand] probe successfully!
[BBT] BMT.v2 is found at 0x3ff
128 MiB
In:    serial
Out:   serial
Err:   serial
Net:   mtk_eth
Uip activated
  *** U-Boot SPI NAND ***  Press UP/DOWN to move or Press 1~9,a~c to choose, ENTER to select     1. System Load Linux to SDRAM via TFTP.     2. System Load Linux Kernel then write to Flash via TFTP.     3. Boot system code via Flash.     4. System Load U-Boot then write to Flash via TFTP.     5. System Load U-Boot then write to Flash via Serial.     6. System Load ATF then write to Flash via TFTP.     7. System Load Preloader then write to Flash via TFTP.     8. System Load ROM header then write to Flash via TFTP.     9. System Load CTP then write to Flash via TFTP.     a. System Load CTP then Boot to CTP (via Flash).     b. System Load SingleImage then write to Flash via TFTP.     c. System Recover mode.     d. U-boot console mode.  Hit any key to stop autoboot:  3   *** U-Boot SPI NAND ***  Press UP/DOWN to move or Press 1~9,a~c to choose, ENTER to select     1. System Load Linux to SDRAM via TFTP.     2. System Load Linux Kernel then write to Flash via TFTP.     3. Boot system code via Flash.     4. System Load U-Boot then write to Flash via TFTP.     5. System Load U-Boot then write to Flash via Serial.     6. System Load ATF then write to Flash via TFTP.     7. System Load Preloader then write to Flash via TFTP.     8. System Load ROM header then write to Flash via TFTP.     9. System Load CTP then write to Flash via TFTP.     a. System Load CTP then Boot to CTP (via Flash).     b. System Load SingleImage then write to Flash via TFTP.     c. System Recover mode.     d. U-boot console mode.  *** U-Boot SPI NAND ***  Press UP/DOWN to move or Press 1~9,a~c to choose, ENTER to select     1. System Load Linux to SDRAM via TFTP.     2. System Load Linux Kernel then write to Flash via TFTP.     3. Boot system code via Flash.     4. System Load U-Boot then write to Flash via TFTP.     5. System Load U-Boot then write to Flash via Serial.     6. System Load ATF then write to Flash via TFTP.     7. System Load Preloader then write to Flash via TFTP.     8. System Load ROM header then write to Flash via TFTP.     9. System Load CTP then write to Flash via TFTP.     a. System Load CTP then Boot to CTP (via Flash).     b. System Load SingleImage then write to Flash via TFTP.     c. System Recover mode.     d. U-boot console mode.  *** U-Boot SPI NAND ***  Press UP/DOWN to move or Press 1~9,a~c to choose, ENTER to select     1. System Load Linux to SDRAM via TFTP.     2. System Load Linux Kernel then write to Flash via TFTP.     3. Boot system code via Flash.     4. System Load U-Boot then write to Flash via TFTP.     5. System Load U-Boot then write to Flash via Serial.     6. System Load ATF then write to Flash via TFTP.     7. System Load Preloader then write to Flash via TFTP.     8. System Load ROM header then write to Flash via TFTP.     9. System Load CTP then write to Flash via TFTP.     a. System Load CTP then Boot to CTP (via Flash).     b. System Load SingleImage then write to Flash via TFTP.     c. System Recover mode.     d. U-boot console mode. Please Input new setting /or enter to choose the default setting
Input kernel file name (07.firmware.bin) ==:

Input server IP (192.168.1.32) ==:

Input device IP (192.168.1.254) ==:

ETH already turn on and power on flow will be skipped...

 Waitting for RX_DMA_BUSY status Start... done

mt7531: mt7531_sw_init
mt7531: mt7531_core_pll_setup, hwstrap = 000000ff, xtal=25MHz
mt7531: mt7531_mac_port_setup, port = 6
mt7531: mt7531_set_port_sgmii_force_mode, port = 6
mt7531: timeout waiting for SGMII_LINK
mt7531: mt7531_mac_port_setup, PMCR6 = f805633b
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> START CALIBRATION:
-------- gephy-calbration (port:0) --------
CALDLY = 40
0x1e-e0 = 2424
0x1f-115 = 4
  GE Rext AnaCal Done! (4)(0x24)  

 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE 1e_174(0xb5b7), 1e_175(0xb7b5)  

 GE Tx offset AnaCal Done! (pair-0)(6)(0x25) 0x1e_172=0x2520
 GE Tx offset AnaCal Done! (pair-1)(5)(0x24) 0x1e_172=0x2524
 GE Tx offset AnaCal Done! (pair-2)(5)(0x24) 0x1e_173=0x2420
 GE Tx offset AnaCal Done! (pair-3)(6)(0x25) 0x1e_173=0x2425
 GE Tx amp AnaCal Done! (pair-0)(1e_12 = 0x701c)
 GE Tx amp AnaCal Done! (pair-1)(1e_17 = 0x1616)
 GE Tx amp AnaCal Done! (pair-2)(1e_19 = 0x1d25)
 GE Tx amp AnaCal Done! (pair-3)(1e_21 = 0x2028)
PORT 0 RX_DC_OFFSET
before pairA output = 1d
after pairA output = ff
before pairB output = 1e
after pairB output = ff
before pairC output = f
after pairC output = 0
before pairD output = f
after pairD output = 1
-------- gephy-calbration (port:1) --------
CALDLY = 40
 GE R50 AnaCal Done! (9) (0x34)(0xb4) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE 1e_174(0xb4b7), 1e_175(0xb7b5)  

 GE Tx offset AnaCal Done! (pair-0)(7)(0x26) 0x1e_172=0x2620
 GE Tx offset AnaCal Done! (pair-1)(3)(0x22) 0x1e_172=0x2622
 GE Tx offset AnaCal Done! (pair-2)(2)(0x21) 0x1e_173=0x2120
 GE Tx offset AnaCal Done! (pair-3)(3)(0x22) 0x1e_173=0x2122
 GE Tx amp AnaCal Done! (pair-0)(1e_12 = 0x7c1f)
 GE Tx amp AnaCal Done! (pair-1)(1e_17 = 0x1d1d)
 GE Tx amp AnaCal Done! (pair-2)(1e_19 = 0x1e26)
 GE Tx amp AnaCal Done! (pair-3)(1e_21 = 0x232b)
PORT 1 RX_DC_OFFSET
before pairA output = f
after pairA output = ff
before pairB output = f
after pairB output = fe
before pairC output = 1c
after pairC output = ff
before pairD output = 1e
after pairD output = 0
-------- gephy-calbration (port:2) --------
CALDLY = 40
 GE R50 AnaCal Done! (6) (0x40)(0xc0) 

 GE R50 AnaCal Done! (6) (0x40)(0xc0) 

 GE R50 AnaCal Done! (5) (0x42)(0xc2) 

 GE R50 AnaCal Done! (5) (0x42)(0xc2) 

 GE 1e_174(0xc0c0), 1e_175(0xc2c2)  

 GE Tx offset AnaCal Done! (pair-0)(2)(0x21) 0x1e_172=0x2120
 GE Tx offset AnaCal Done! (pair-1)(5)(0x24) 0x1e_172=0x2124
 GE Tx offset AnaCal Done! (pair-2)(3)(0x22) 0x1e_173=0x2220
 GE Tx offset AnaCal Done! (pair-3)(5)(0x24) 0x1e_173=0x2224
 GE Tx amp AnaCal Done! (pair-0)(1e_12 = 0x5c17)
 GE Tx amp AnaCal Done! (pair-1)(1e_17 = 0x1515)
 GE Tx amp AnaCal Done! (pair-2)(1e_19 = 0x1d25)
 GE Tx amp AnaCal Done! (pair-3)(1e_21 = 0x1921)
PORT 2 RX_DC_OFFSET
before pairA output = 1b
after pairA output = 0
before pairB output = e
after pairB output = 0
before pairC output = 1e
after pairC output = ff
before pairD output = e
after pairD output = 1
-------- gephy-calbration (port:3) --------
CALDLY = 40
 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE R50 AnaCal Done! (8) (0x35)(0xb5) 

 GE 1e_174(0xb5b7), 1e_175(0xb5b5)  

 GE Tx offset AnaCal Done! (pair-0)(3)(0x22) 0x1e_172=0x2220
 GE Tx offset AnaCal Done! (pair-1)(1)(0x1) 0x1e_172=0x2201
 GE Tx offset AnaCal Done! (pair-2)(3)(0x22) 0x1e_173=0x2220
 GE Tx offset AnaCal Done! (pair-3)(8)(0x27) 0x1e_173=0x2227
 GE Tx amp AnaCal Done! (pair-0)(1e_12 = 0x6419)
 GE Tx amp AnaCal Done! (pair-1)(1e_17 = 0x2323)
 GE Tx amp AnaCal Done! (pair-2)(1e_19 = 0x1f27)
 GE Tx amp AnaCal Done! (pair-3)(1e_21 = 0x1e26)
PORT 3 RX_DC_OFFSET
before pairA output = e
after pairA output = ff
before pairB output = f
after pairB output = ff
before pairC output = e
after pairC output = 0
before pairD output = d
after pairD output = 0
-------- gephy-calbration (port:4) --------
CALDLY = 40
 GE R50 AnaCal Done! (6) (0x40)(0xc0) 

 GE R50 AnaCal Done! (6) (0x40)(0xc0) 

 GE R50 AnaCal Done! (6) (0x40)(0xc0) 

 GE R50 AnaCal Done! (7) (0x37)(0xb7) 

 GE 1e_174(0xc0c0), 1e_175(0xc0b7)  

 GE Tx offset AnaCal Done! (pair-0)(6)(0x25) 0x1e_172=0x2520
 GE Tx offset AnaCal Done! (pair-1)(4)(0x23) 0x1e_172=0x2523
 GE Tx offset AnaCal Done! (pair-2)(7)(0x26) 0x1e_173=0x2620
 GE Tx offset AnaCal Done! (pair-3)(3)(0x22) 0x1e_173=0x2622
 GE Tx amp AnaCal Done! (pair-0)(1e_12 = 0x4c13)
 GE Tx amp AnaCal Done! (pair-1)(1e_17 = 0xd0d)
 GE Tx amp AnaCal Done! (pair-2)(1e_19 = 0x131b)
 GE Tx amp AnaCal Done! (pair-3)(1e_21 = 0x121a)
PORT 4 RX_DC_OFFSET
before pairA output = f
after pairA output = fe
before pairB output = e
after pairB output = 1
before pairC output = e
after pairC output = 0
before pairD output = f
after pairD output = ff
 0x1b000014 = 0x00110214
Using mtk_eth device
TFTP from server 192.168.1.32; our IP address is 192.168.1.254
Filename '07.firmware.bin'.
Load address: 0x4007ff28
Loading: *T #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 #################################################################
 ###########
 3.2 MiB/s
done
Bytes transferred = 33554432 (2000000 hex)
get filesize 0x2000000
bootm flag=0, states=70f
## Loading kernel from FIT Image at 4007ff28 ...
   Using 'config@1' configuration
   Trying 'kernel@1' kernel subimage
     Description:  ARM64 OpenWrt Linux-4.4.198
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x40080010
     Data Size:    2611142 Bytes = 2.5 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41080000
     Entry Point:  0x41080000
     Hash algo:    crc32
     Hash value:   960a73cd
     Hash algo:    sha1
     Hash value:   2a47e0d6ae5e6ed0e89d1e19cb9dfe7ff547dd5b
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 4007ff28 ...
   Using 'config@1' configuration
   Trying 'fdt@1' fdt subimage
     Description:  ARM64 OpenWrt DIR-X3260 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x402fd914
     Data Size:    31654 Bytes = 30.9 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   79146290
     Hash algo:    sha1
     Hash value:   e163867e150b19c5ca0dd1498d44f84222a211a8
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x402fd914
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 5cf44000, end 5cf4eba5 ... OK

Starting kernel ...

[ATF][    23.456644]save kernel info
[ATF][    23.459580]Kernel_EL2
[ATF][    23.462251]Kernel is 64Bit
[ATF][    23.465339]pc=0x41080000, r0=0x5cf44000, r1=0x0
INFO:    BL3-1: Preparing for EL3 exit to normal world, Kernel
INFO:    BL3-1: Next image address = 0x41080000
INFO:    BL3-1: Next image spsr = 0x3c9
[ATF][    23.483037]el3_exit
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.4.198 (zengqinghuang@taogan-Lenovo) (gcc version 5.4.0 (LEDE GCC 5.4.0 r0-a3ff697) ) #0 SMP PREEMPT Tue Apr 13 07:17:01 UTC 2021
[    0.000000] Boot CPU: AArch64 Processor [410fd034]
[    0.000000] On node 0 totalpages: 131024
[    0.000000]   DMA zone: 2048 pages used for memmap
[    0.000000]   DMA zone: 0 pages reserved
[    0.000000]   DMA zone: 131024 pages, LIFO batch:31
[    0.000000] psci: probing for conduit method from DT.
[    0.000000] psci: PSCIv0.2 detected in firmware.
[    0.000000] psci: Using standard PSCI v0.2 function IDs
[    0.000000] psci: Trusted OS migration not required
[    0.000000] PERCPU: Embedded 18 pages/cpu @ffffffc01ffa3000 s35328 r8192 d30208 u73728
[    0.000000] pcpu-alloc: s35328 r8192 d30208 u73728 alloc=18*4096
[    0.000000] pcpu-alloc: [0] 0 [0] 1 
[    0.000000] Detected VIPT I-cache on CPU0
[    0.000000] CPU features: enabling workaround for ARM erratum 845719
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 128976
[    0.000000] Kernel command line: console=ttyS0,115200n1 loglevel=8 swiotlb=512 rootfstype=squashfs
[    0.000000] PID hash table entries: 2048 (order: 2, 16384 bytes)
[    0.000000] Dentry cache hash table entries: 65536 (order: 7, 524288 bytes)
[    0.000000] Inode-cache hash table entries: 32768 (order: 6, 262144 bytes)
[    0.000000] software IO TLB: mapped [mem 0x5fcf4000-0x5fdf4000] (1MB)
[    0.000000] Memory: 497236K/524096K available (5104K kernel code, 586K rwdata, 1780K rodata, 328K init, 383K bss, 26860K reserved, 0K cma-reserved)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     modules : 0xffffff8000000000 - 0xffffff8008000000   (   128 MB)
[    0.000000]     vmalloc : 0xffffff8008000000 - 0xffffffbdbfff0000   (   246 GB)
[    0.000000]       .init : 0xffffff800873d000 - 0xffffff800878f000   (   328 KB)
[    0.000000]       .text : 0xffffff8008080000 - 0xffffff800857d000   (  5108 KB)
[    0.000000]     .rodata : 0xffffff800857d000 - 0xffffff800873d000   (  1792 KB)
[    0.000000]       .data : 0xffffff800878f000 - 0xffffff80088218e0   (   587 KB)
[    0.000000]     vmemmap : 0xffffffbdc0000000 - 0xffffffbfc0000000   (     8 GB maximum)
[    0.000000]               0xffffffbdc0000000 - 0xffffffbdc0800000   (     8 MB actual)
[    0.000000]     fixed   : 0xffffffbffe7fb000 - 0xffffffbffec00000   (  4116 KB)
[    0.000000]     PCI I/O : 0xffffffbffee00000 - 0xffffffbfffe00000   (    16 MB)
[    0.000000]     memory  : 0xffffffc000000000 - 0xffffffc020000000   (   512 MB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] Preemptible hierarchical RCU implementation.
[    0.000000] Build-time adjustment of leaf fanout to 64.
[    0.000000] NR_IRQS:64 nr_irqs:64 0
[    0.000000] Architected cp15 timer(s) running at 12.50MHz (phys).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x2e2049cda, max_idle_ns: 440795202628 ns
[    0.000003] sched_clock: 56 bits at 12MHz, resolution 80ns, wraps every 4398046511080ns
[    0.000057] clocksource: timer: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 191126102035 ns
[    0.000236] Console: colour dummy device 80x25
[    0.000252] Calibrating delay loop (skipped), value calculated using timer frequency.. 25.00 BogoMIPS (lpj=50000)
[    0.000259] pid_max: default: 32768 minimum: 301
[    0.000310] Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
[    0.000315] Mountpoint-cache hash table entries: 1024 (order: 1, 8192 bytes)
[    0.000801] sched-energy: CPU device node has no sched-energy-costs
[    0.000809] Invalid sched_group_energy for CPU0
[    0.000812] CPU0: update cpu_capacity 1024
[    0.000840] ASID allocator initialised with 32768 entries
[    0.032095] Detected VIPT I-cache on CPU1
[    0.032124] Invalid sched_group_energy for CPU1
[    0.032126] CPU1: update cpu_capacity 1024
[    0.032128] CPU1: Booted secondary processor [410fd034]
[    0.032163] Brought up 2 CPUs
[    0.032176] SMP: Total of 2 processors activated.
[    0.032182] CPU features: detected feature: 32-bit EL0 Support
[    0.032188] CPU: All CPU(s) started at EL2
[    0.032200] alternatives: patching kernel code
[    0.032276] Invalid sched_group_energy for CPU1
[    0.032282] Invalid sched_group_energy for Cluster1
[    0.032285] Invalid sched_group_energy for CPU0
[    0.032289] Invalid sched_group_energy for Cluster0
[    0.036954] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.036974] futex hash table entries: 512 (order: 4, 65536 bytes)
[    0.037084] pinctrl core: initialized pinctrl subsystem
[    0.037585] NET: Registered protocol family 16
[    0.037989] [SPM] spm_base = ffffff8008026000
[    0.037994] [SPM] spm_irq_0 = 6, spm_irq_1 = 7
[    0.037997] [SPM] spm_irq_2 = 8, spm_irq_3 = 9
[    0.038000] [SPM] set spm as wakeup devcie.
[    0.038005] [SPM] spm_rtc cnt: 24414.
[    0.052062] cpuidle: using governor menu
[    0.052113] vdso: 2 pages (1 code @ ffffff8008583000, 1 data @ ffffff8008794000)
[    0.052266] DMA: preallocated 256 KiB pool for atomic allocations
[    0.052364] Serial: AMBA PL011 UART driver
[    0.052419] [SPM] PWAKE_EN:1, PCMWDT_EN:0, BYPASS_SYSPWREQ:0, I2C_CHANNEL:2
[    0.052424] [SLP] SLEEP_DPIDLE_EN:1, REPLACE_DEF_WAKESRC:0, SUSPEND_LOG_EN:1
[    0.081275] vgaarb: loaded
[    0.081435] SCSI subsystem initialized
[    0.082654] rbus 18000000.wbsys: PCI host bridge to bus 0000:00
[    0.082664] pci_bus 0000:00: root bus resource [mem 0x18000000-0x180fffff]
[    0.082672] pci_bus 0000:00: root bus resource [bus 00-ff]
[    0.082690] pci 0000:00:00.0: [14c3:7622] type 00 class 0x000280
[    0.082706] pci 0000:00:00.0: reg 0x10: [mem 0x18000000-0x1800000f 64bit]
[    0.082713] pci 0000:00:00.0: reg 0x18: [mem 0x00000000-0x0000000f]
[    0.082720] pci 0000:00:00.0: reg 0x1c: [mem 0x00000000-0x0000000f]
[    0.082726] pci 0000:00:00.0: reg 0x20: [mem 0x00000000-0x0000000f]
[    0.082733] pci 0000:00:00.0: reg 0x24: [mem 0x00000000-0x0000000f]
[    0.082764] pci 0000:00:00.0: of_irq_parse_pci() failed with rc=-22
[    0.083498] clocksource: Switched to clocksource arch_sys_counter
[    0.088374] NET: Registered protocol family 2
[    0.088959] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[    0.088994] TCP bind hash table entries: 4096 (order: 4, 65536 bytes)
[    0.089053] TCP: Hash tables configured (established 4096 bind 4096)
[    0.089102] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.089116] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.089223] NET: Registered protocol family 1
[    0.089262] PCI: CLS 0 bytes, default 128
[    0.096755] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.096943] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.097403] fuse init (API version 7.23)
[    0.099923] io scheduler noop registered
[    0.100149] io scheduler cfq registered (default)
[    0.128733] mtk-pcie 1a143000.pcie: pcie rc 0 linkup success
[    0.128887] mtk-pcie 1a143000.pcie: PCI host bridge to bus 0001:00
[    0.128898] pci_bus 0001:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.128905] pci_bus 0001:00: root bus resource [mem 0x20000000-0x27ffffff]
[    0.128911] pci_bus 0001:00: root bus resource [bus 00-ff]
[    0.128948] pci 0001:00:00.0: [14c3:5396] type 01 class 0x060400
[    0.129001] pci 0001:00:00.0: reg 0x10: [mem 0x00000000-0xffffffff 64bit pref]
[    0.129124] pci 0001:00:00.0: of_irq_parse_pci() failed with rc=-22
[    0.129245] pci 0001:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.129464] pci 0001:01:00.0: [14c3:7915] type 00 class 0x000280
[    0.129770] pci 0001:01:00.0: reg 0x10: [mem 0x00000000-0x000fffff 64bit pref]
[    0.129883] pci 0001:01:00.0: reg 0x18: [mem 0x00000000-0x00003fff 64bit pref]
[    0.129996] pci 0001:01:00.0: reg 0x20: [mem 0x00000000-0x00000fff 64bit pref]
[    0.130510] pci 0001:01:00.0: supports D1 D2
[    0.130516] pci 0001:01:00.0: PME# supported from D0 D1 D2 D3hot D3cold
[    0.135101] pci_bus 0001:01: busn_res: [bus 01-ff] end is updated to 01
[    0.135139] pci 0001:00:00.0: BAR 0: no space for [mem size 0xffffffff 64bit pref]
[    0.135146] pci 0001:00:00.0: BAR 0: failed to assign [mem size 0xffffffff 64bit pref]
[    0.135153] pci 0001:00:00.0: BAR 8: assigned [mem 0x20000000-0x201fffff]
[    0.135163] pci 0001:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit pref]
[    0.135255] pci 0001:01:00.0: BAR 2: assigned [mem 0x20100000-0x20103fff 64bit pref]
[    0.135346] pci 0001:01:00.0: BAR 4: assigned [mem 0x20104000-0x20104fff 64bit pref]
[    0.135436] pci 0001:00:00.0: PCI bridge to [bus 01]
[    0.135447] pci 0001:00:00.0:   bridge window [mem 0x20000000-0x201fffff]
[    0.135506] pcieport 0001:00:00.0: of_irq_parse_pci() failed with rc=-22
[    0.135522] pcieport 0001:00:00.0: enabling device (0000 -> 0002)
[    0.135698] pcieport 0001:00:00.0: Signaling PME through PCIe PME interrupt
[    0.135704] pci 0001:01:00.0: Signaling PME through PCIe PME interrupt
[    0.135714] pcie_pme 0001:00:00.0:pcie01: service driver pcie_pme loaded
[    0.236626] mtk-pcie 1a145000.pcie: Port1 link down
[    0.236800] mtk-pcie 1a145000.pcie: PCI host bridge to bus 0002:00
[    0.236809] pci_bus 0002:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.236815] pci_bus 0002:00: root bus resource [mem 0x28000000-0x2fffffff]
[    0.236822] pci_bus 0002:00: root bus resource [bus 00-ff]
[    0.240813] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
[    0.241884] console [ttyS0] disabled
[    0.262112] 11002000.serial: ttyS0 at MMIO 0x11002000 (irq = 232, base_baud = 1562500) is a ST16650V2
[    1.131672] console [ttyS0] enabled
[    1.155705] 11005000.serial: ttyS1 at MMIO 0x11005000 (irq = 233, base_baud = 1562500) is a ST16650V2
[    1.165650] Unable to detect cache hierarchy for CPU 0
[    1.173854] loop: module loaded
[    1.177494] dump_power_table[0] = { .cpufreq_khz = 1350000,.cpufreq_ncpu = 2,.cpufreq_power = 995 }
[    1.186726] dump_power_table[1] = { .cpufreq_khz = 1262500,.cpufreq_ncpu = 2,.cpufreq_power = 811 }
[    1.195943] dump_power_table[2] = { .cpufreq_khz = 1137500,.cpufreq_ncpu = 2,.cpufreq_power = 736 }
[    1.205161] dump_power_table[3] = { .cpufreq_khz = 1025000,.cpufreq_ncpu = 2,.cpufreq_power = 624 }
[    1.214376] dump_power_table[4] = { .cpufreq_khz = 1350000,.cpufreq_ncpu = 1,.cpufreq_power = 517 }
[    1.223595] dump_power_table[5] = { .cpufreq_khz = 812500,.cpufreq_ncpu = 2,.cpufreq_power = 492 }
[    1.232723] dump_power_table[6] = { .cpufreq_khz = 1262500,.cpufreq_ncpu = 1,.cpufreq_power = 377 }
[    1.241941] dump_power_table[7] = { .cpufreq_khz = 600000,.cpufreq_ncpu = 2,.cpufreq_power = 376 }
[    1.251070] dump_power_table[8] = { .cpufreq_khz = 1137500,.cpufreq_ncpu = 1,.cpufreq_power = 333 }
[    1.260287] dump_power_table[9] = { .cpufreq_khz = 437500,.cpufreq_ncpu = 2,.cpufreq_power = 295 }
[    1.269416] dump_power_table[10] = { .cpufreq_khz = 1025000,.cpufreq_ncpu = 1,.cpufreq_power = 258 }
[    1.278718] dump_power_table[11] = { .cpufreq_khz = 300000,.cpufreq_ncpu = 2,.cpufreq_power = 225 }
[    1.287933] dump_power_table[12] = { .cpufreq_khz = 812500,.cpufreq_ncpu = 1,.cpufreq_power = 204 }
[    1.297149] dump_power_table[13] = { .cpufreq_khz = 600000,.cpufreq_ncpu = 1,.cpufreq_power = 166 }
[    1.306364] dump_power_table[14] = { .cpufreq_khz = 437500,.cpufreq_ncpu = 1,.cpufreq_power = 140 }
[    1.315579] dump_power_table[15] = { .cpufreq_khz = 300000,.cpufreq_ncpu = 1,.cpufreq_power = 119 }
[    1.325957] [cal] calefuse1= 0x816e1d00
[    1.329892] [cal] calefuse2= 0x540010
[    1.333641] [cal] g_adc_ge_t= 0x2e1
[    1.337213] [cal] g_adc_oe_t= 0x205
[    1.340788] [cal] g_degc_cali= 0x34
[    1.344360] [cal] g_adc_cali_en_t= 0x1
[    1.348194] [cal] g_o_slope= 0x0
[    1.351506] [cal] g_o_slope_sign= 0x0
[    1.355253] [cal] g_id= 0x0
[    1.358210] [cal] g_o_vtsmcu1= 0x0
[    1.361694] [cal] g_o_vtsmcu2= 0x150
[    1.365353] [cal] g_o_vtsmcu3= 0x0
[    1.368837] [cal] g_o_vtsmcu4= 0x0
[    1.372321] [cal] g_ge= 0x225
[    1.375456] [cal] g_gain= 0x2935
[    1.378848] [cal] g_x_roomt1= 0x1f0f
[    1.396170] Recognize NAND: ID [
[    1.399232] ef aa 
[    1.401242] 21 [    1.402986] ], [Winbond 1Gb], Page[2048]B, Spare [64]B Total [128]MB
[    1.409522] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xaa
[    1.415875] nand: Winbond NAND 128MiB 1,8V 8-bit
[    1.420491] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    1.428059] [NAND]select ecc bit:4, sparesize :64
[    1.433646] [BBT] BMT.v2 is found at 0x3ff
[    1.437773] 12 ofpart partitions found on MTD device MTK-SNAND
[    1.443604] Creating 12 MTD partitions on "MTK-SNAND":
[    1.448743] 0x000000000000-0x000000080000 : "Preloader"
[    1.455137] 0x000000080000-0x0000000c0000 : "ATF"
[    1.460669] 0x0000000c0000-0x000000140000 : "Bootloader"
[    1.467050] 0x000000140000-0x0000001c0000 : "Config"
[    1.473064] 0x0000001c0000-0x0000002c0000 : "Factory"
[    1.479751] 0x0000002c0000-0x000000300000 : "Config2"
[    1.485565] 0x000000300000-0x000002300000 : "firmware"
[    1.531387] 2 fit-fw partitions found on MTD device firmware
[    1.537049] 0x000000300000-0x0000005a0000 : "kernel"
[    1.545491] 0x0000005a0000-0x000002300000 : "rootfs"
[    1.584509] mtd: device 8 (rootfs) set to be root filesystem
[    1.590179] 0x000002300000-0x000004300000 : "firmware2"
[    1.632473] 0x000004300000-0x000004d00000 : "rootfs_data"
[    1.649805] 0x000004d00000-0x000006100000 : "Private"
[    1.678221] 0x000006100000-0x000006700000 : "mydlink"
[    1.690612] 0x000006700000-0x000007100000 : "myconfig"
[    1.707657] mtk-snand 1100d000.snfi: [mtk_snand] probe successfully!
[    1.714455] mtk-nor 11014000.spi: unrecognized JEDEC id bytes: 00,  0,  0

In my bold attempt just now
Found that you can run a tampered bootloader

Maybe can give up all the stock firmware
Use UBI format like E8450

(Because I want to make it easier for me to use TFTP to Write firmware, so I modified bootloader the default IP inside)

I was thinking this will have different keys for decryption
but if you have convinced your self you can recover by uploading your dumped firmware file back
time to make your own
you should work towards making an image to flash via the recover interface
but look's like you are on your way

firmwaare backup

Do not use on other X3260, other D-Link models and other brands of routers

p.s.
To use on other X3260, only firmware patition files can be used

It can be used as unencrypted TFTP recovery firmware.

After all, the original factory does not seem to provide unencrypted TFTP recovery firmware

Awesome, I couldn't make DIR-X1860 or COVR-X1860 boot an image loaded via tftp (lzma error 1), only the D-Link one extracts fine (until kernel panic when it can't find rootfs).
Image header is also 0xDOODFEED, maybe there's still something wrong with the image format, or SGE used some proprietary lzma modifications...

Thanks, I'll have a look at the crypto stuff when I'm back at my main machine

make sure you are loading the correct image type
initramfs-kernel should not be looking in flash for any files system

I gave up

Can roughly make DTS configuration

But firmware mirroring is a bit difficult
Always trigger firmware check

It seems I need to buy an Linksys E8450

I was thinking that this shit thing is the same as the E8450 hardware specification

But the problem on the firmware is a big trouble

I can't do it with my previous experience