Support for Mikrotik RB3011UiAS-RM?

adron · February 24, 2019, 1:37pm

So it looks like we have the following:

Qualcomm-boot1: offset 0x00000, size = 0x23000
Qualcomm-boot2: offset 0x23000, size = 0x5D000
RouterBoot:  offset  = 0x80000, size = 0x0E000
hard_config:  offset = 0x8E000, size = 0x02000
dts_config:  offset  = 0x90000, size = 0x10000
unk_data1:  offset   = 0xA0000, size = 0x10000
unk_data2:  offset   = 0xB0000, size = 0x0D000
soft_config:  offset = 0xBD000, size = 0x02000

Rest space are filled with zero.

Ultimately, it gives this: the first Qualcomm-boot1 starts the second one(Qualcomm-boot2) which starts the RouterBOOT and it already starts the aux-loader which starts the linux kernel.

robimarko · February 24, 2019, 4:07pm

Gave it a try and with the following partitions:

			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			partition0@0 {
				label = "Qualcomm-boot1";
				reg = <0x00000000 0x23000>;
				read-only;
			};

			partition1@23000 {
				label = "Qualcomm-boot2";
				reg = <0x00023000 0x5d000>;
				read-only;
			};

			partition2@80000 {
				label = "RouterBoot";
				reg = <0x00080000 0x0e000>;
				read-only;
			};

			partition3@8e000 {
				label = "hard_config";
				reg = <0x0008e000 0x02000>;
			};

			partition4@90000 {
				label = "dts_config";
				reg = <0x00090000 0x10000>;
				read-only;
			};

			partition5@a0000 {
				label = "unk_data1";
				reg = <0x000a0000 0x10000>;
				read-only;
			};

			partition6@b0000 {
				label = "unk_data2";
				reg = <0x000b0000 0x0d000>;
				read-only;
			};

			partition7@bd000 {
				label = "soft_config";
				reg = <0x000bd000 0x02000>;
			};
		};

rbcfg does not work

root@OpenWrt:/# rbcfg show
invalid configuration

adron · February 24, 2019, 4:49pm

I think this is because it is designed for a different byte order(MIPS), that used in ARM systems.
I try to fix it.

adron · February 24, 2019, 6:25pm

Done

#rbcfg show
boot_delay=2
boot_device=nandeth
boot_key=any
boot_protocol=bootp
cpu_mode=powersave
uart_speed=115200

I also tested it on mips platform. All work as expected.

BUT! On RB450Gx4 it does not save settings:
mtdblock: erase of region [0x0, 0x1000] on "soft_config" failed

#mtd erase soft_config
Unlocking soft_config ...
Erasing soft_config ...
Failed to erase block on soft_config at 0x0

SPI NOR is write protected ?

robimarko · February 24, 2019, 6:53pm

Hm, it should not be as there is no read_only flag on hard_config and soft_config

adron · February 24, 2019, 7:35pm

I found a solution to the problem:

diff --git a/target/linux/ipq40xx/config-4.19 b/target/linux/ipq40xx/config-4.19
index 63e8caf..dacf6ea 100644
--- a/target/linux/ipq40xx/config-4.19
+++ b/target/linux/ipq40xx/config-4.19
@@ -312,6 +312,7 @@ CONFIG_MTD_NAND_ECC=y
 CONFIG_MTD_NAND_QCOM=y
 CONFIG_MTD_SPI_NAND=y
 CONFIG_MTD_SPI_NOR=y
+CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y
 CONFIG_MTD_SPLIT_FIRMWARE=y
 CONFIG_MTD_SPLIT_FIT_FW=y
 CONFIG_MTD_UBI=y

adron · February 24, 2019, 7:39pm

Now all works as expected:

root@OpenWrt:/# rbcfg show
boot_delay=2
boot_device=eth
boot_key=any
boot_protocol=bootp
cpu_mode=powersave
uart_speed=115200
root@OpenWrt:/# rbcfg set boot_device nandeth
root@OpenWrt:/# rbcfg apply
root@OpenWrt:/# reboot
   And system boots from nand.

robimarko · February 24, 2019, 7:39pm

Awesome, glad it works.

adron · February 27, 2019, 7:47pm

The aux-loader for RB3011(ipq-8064) is ready.

robimarko · February 27, 2019, 7:49pm

Awesome job with the loader.

robimarko · March 4, 2019, 1:10pm

@adron How would I go on getting the loader working on traditional SPI-NOR?
I got a LHGG-60adkit and it only has 16MB of SPI-NOR

adron · March 4, 2019, 1:59pm

Hello. Aux-loader doesn't care where it boot from(nand or network). The main thing is to pack it correctly so that the RouterBoot can find and run it.
To get started, jailbreak the LHGG-60adkit and see which file system is used for the kernel partition.

robimarko · March 4, 2019, 2:05pm

I am pretty sure that squashfs is used like on QCA MIPS Mikrotik devices with only SPI-NOR.
Unfortunately, there is no way to jailbreak it.
But I will dump the contents of SPI-NOR after I desolder it

adron · March 4, 2019, 2:43pm

Have you tried to boot it over network(bootp)?

robimarko · March 4, 2019, 2:58pm

Not yet, will do after dumping whole flash

robimarko · March 4, 2019, 7:01pm

OK, finally dumped the flash and managed to find UART pads.
But only QCA SPL prints something and then UART stops.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1338 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1691 - elf_loader_entry, Start
B -      5068 - auth_hash_seg_entry, Start
B -      7211 - auth_hash_seg_exit, Start
B -    572128 - elf_segs_hash_verify_entry, Start
B -    687157 - PBL, End
B -    687181 - SBL1, Start
B -    775560 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    777070 - boot_flash_init, Start
D -     45686 - boot_flash_init, Delta
B -    826948 - boot_config_data_table_init, Start
D -      3836 - boot_config_data_table_init, Delta - (419 Bytes)
B -    834157 - clock_init, Start
D -      7558 - clock_init, Delta
B -    846236 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    849726 - sbl1_ddr_set_params, Start
B -    854714 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    859206 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13147 - sbl1_ddr_set_params, Delta
B -    872485 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    944445 - sbl1_wait_for_ddr_training, Start
D -        30 - sbl1_wait_for_ddr_training, Delta
B -    959998 - Image Load, Start
D -    143546 - QSEE Image Loaded, Delta - (267732 Bytes)
B -   1104047 - Image Load, Start
D -      1441 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1114335 - Image Load, Start
D -     16047 - APPSBL Image Loaded, Delta - (28180 Bytes)
B -   1130802 - QSEE Execution, Start
D -        58 - QSEE Execution, Delta
B -   1136914 - SBL1, End
D -    451844 - SBL1, Delta
S - Flash Throughput, 1854 KB/s  (298379 Bytes,  160899 us)
S - DDR Frequency, 672 MHz

I can send you the FW dump but trick that you sent me with Hard and Soft I dont know if it will work since only difference between this one and RB450Gx4 is that RB450Gx4 has SoftJ instead of SoftG written in 0xbd000

I tried netbooting image and it appears to be loaded over tftp but there is no serial output.
I tried GPIO16/17 and GPIO60/61 for UART pins.

Hm, it actually looks like it does not boot as I set one of RSSI LEDs to default on and it did not turn on.
So its getting stuck before booting

adron · March 4, 2019, 9:13pm

Ok. Send me a flash dump to adron@yapic.net

adron · March 4, 2019, 9:22pm

About how to enable a disabled com port: http://www.lan23.ru/forum/showthread.php?t=11898&page=3
But there everything is in Russian.
The short meaning is:

To enable the com port, you need to change the parameter with the
tag 21 (0x15).
In this parameter, the lowest bit must be switched from one to zero.

for example(for rb941-2nd), in hard_config:
  00 04 00 15 00 28 40 01
we need to change to
  00 04 00 15 00 28 40 00

or for (hAP):
  00 04 00 15 00 29 40 05
we need to change to
  00 04 00 15 00 28 40 00

robimarko · March 4, 2019, 9:39pm

Sent you a full flash dump.
I dont really understand where exactly do I need to change the hex value to enable UART?

adron · March 4, 2019, 9:42pm

Can't download first-dump.bin
Google says that I have no access rights.