Support for Mikrotik RB3011UiAS-RM?

Its most likely that you need to disable aux loader UART output.
You can see the example in this branch, also kernel2minor can be easily used since YAFFS is still used even on IPQ boards with SPI NOR as storage.

1 Like

Hi guys, just wanted to report that I have a different model Wireless Wire (not 'Dish'): "RBwAPG-60ad". It appears to work great with the LHGG-60ad-PR branch. Thank you for your hard work!

Let me know if there is anything about this device you'd like me to share.

I've tried disabling UART by setting AUX_LOADER_UART to NONE however I think i'm getting the same result.

Here is where the loader is sticking with UART enabled ( what I can see ). It's not timing out, just hanging:

RouterBOOT backup booter 6.43.10

RBD52G-5HacD2HnD

CPU frequency: 716 MHz
Memory size: 128 MiB
 Storage size: 16 MiB

Press any key within 2 seconds to enter setup
trying bootp protocol... OK
Got IP address: 192.168.100.83
resolved mac address 4C:5E:0C:XX:XX:XX
Gateway:  192.168.100.1
transfer started ............................... transfer ok, time=4.60s
setting up elf image... OK
jumping to kernel code

OpenWrt kernel loader for Qualcomm IPQ-4XXX/IPQ-806X
Copyright (C) 2019 Sergey Sergeev <adron@mstnt.com>

Extracting LZMA kernel...Done
Starting kernel at 0x80208000

I will continue to tinker with the ipq-aux-loader.

Hm, it could be due to TEXT_BASE2 address

1 Like

Ok, I read in an earlier post that TEXT_BASE2 was different. I'll review the TEXT_BASE2 discoveries from earlier and learn how to figure out what it should be.

If you have any ideas with what to try, let me know and I can do some trial+error.

I had HapAC2 booting successfully with robimarko's lhg60 branch. Didn't have time to work on it more... I will post bootlog when i get home.

That would be very helpful, I used the LHG60 branch as well.

Thank you.

Did you enable serial like here Support for Mikrotik Hap AC2???

I'm using this exact branch:

git remote show origin
* remote origin
  Fetch URL: https://github.com/robimarko/openwrt.git
  Push  URL: https://github.com/robimarko/openwrt.git
  HEAD branch: master
  Remote branch:
    LHGG-60ad-PR tracked
  Local branch configured for 'git pull':
    LHGG-60ad-PR merges with remote LHGG-60ad-PR
  Local ref configured for 'git push':
    LHGG-60ad-PR pushes to LHGG-60ad-PR (up to date)

This is my bootlog:


Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000020
S - Core 0 Frequency, 0 MHz
B -       262 - PBL, Start
B -      1344 - bootable_media_detect_entry, Start
B -      1688 - bootable_media_detect_success, Start
B -      1702 - elf_loader_entry, Start
B -      5149 - auth_hash_seg_entry, Start
B -      7333 - auth_hash_seg_exit, Start
B -    585171 - elf_segs_hash_verify_entry, Start
B -    702378 - PBL, End
B -    702402 - SBL1, Start
B -    790991 - pm_device_init, Start
D -         6 - pm_device_init, Delta
B -    792522 - boot_flash_init, Start
D -     45799 - boot_flash_init, Delta
B -    842524 - boot_config_data_table_init, Start
D -      3889 - boot_config_data_table_init, Delta - (419 Bytes)
B -    849741 - clock_init, Start
D -      7585 - clock_init, Delta
B -    861857 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
B -    865345 - sbl1_ddr_set_params, Start
B -    870333 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    874824 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13146 - sbl1_ddr_set_params, Delta
B -    888524 - pm_driver_init, Start
D -         2 - pm_driver_init, Delta
B -    959520 - sbl1_wait_for_ddr_training, Start
D -        29 - sbl1_wait_for_ddr_training, Delta
B -    975352 - Image Load, Start
D -    143596 - QSEE Image Loaded, Delta - (267732 Bytes)
B -   1119448 - Image Load, Start
D -      1446 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1129855 - Image Load, Start
D -     15854 - APPSBL Image Loaded, Delta - (27608 Bytes)
B -   1146127 - QSEE Execution, Start
D -        58 - QSEE Execution, Delta
B -   1152253 - SBL1, End
D -    451963 - SBL1, Delta
S - Flash Throughput, 1852 KB/s  (297807 Bytes,  160754 us)
S - DDR Frequency, 537 MHz


RouterBOOT booter 6.43.4

RouterBOARD D52G-5HacD2HnD-TC

CPU frequency: 716 MHz
  Memory size: 128 MiB
 Storage size:  16 MiB

Press any key within 2 seconds to enter setup

RouterBOOT-6.43.4
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   r - reset booter configuration
   e - format storage
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   t - test ram memory
   x - exit setup
your choice: o - boot device

Select boot device:
   e - boot over Ethernet
 * n - boot from NAND, if fail then Ethernet
   1 - boot Ethernet once, then NAND
   o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
your choice: 1 - boot Ethernet once, then NAND

RouterBOOT-6.43.4
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   r - reset booter configuration
   e - format storage
   w - repartition nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   t - test ram memory
   x - exit setup
your choice: o - boot device

Select boot device:
   e - boot over Ethernet
   n - boot from NAND, if fail then Ethernet
 * 1 - boot Ethernet once, then NAND
   o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
your choice: b - boot chosen device
Ethernet link absent...
trying bootp protocol... OK
Got IP address: 192.168.1.116
resolved mac address 70:85:C2:7A:FE:AB
Gateway: 192.168.1.10
transfer started ......................................... transfer ok, time=5.25s
setting up elf image... OK
jumping to kernel code
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Linux version 4.14.108 (alen@alen-desktop) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9757-dd9acce88c)) #0 SMP Thu Mar 28 21:05:53 2019
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: div instructions available: patching division code
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] OF: fdt: Machine model: Mikrotik RouterBOARD LHGG-60ad
[    0.000000] Memory policy: Data cache writealloc
[    0.000000] random: get_random_bytes called from start_kernel+0x88/0x3c0 with crng_init=0
[    0.000000] percpu: Embedded 15 pages/cpu @cfdb0000 s29324 r8192 d23924 u61440
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 64512
[    0.000000] Kernel command line: 
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 242792K/260096K available (4267K kernel code, 138K rwdata, 1176K rodata, 8192K init, 228K bss, 17304K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xffc00000 - 0xfff00000   (3072 kB)
[    0.000000]     vmalloc : 0xd0800000 - 0xff800000   ( 752 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xd0000000   ( 256 MB)
[    0.000000]     pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
[    0.000000]     modules : 0xbf000000 - 0xbfe00000   (  14 MB)
[    0.000000]       .text : 0xc0208000 - 0xc072ad48   (5260 kB)
[    0.000000]       .init : 0xc0900000 - 0xc1100000   (8192 kB)
[    0.000000]       .data : 0xc1100000 - 0xc1122980   ( 139 kB)
[    0.000000]        .bss : 0xc1124000 - 0xc115d258   ( 229 kB)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000] NR_IRQS: 16, nr_irqs: 16, preallocated irqs: 16
[    0.000000] arch_timer: cp15 timer(s) running at 48.00MHz (virt).
[    0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0xb11fd3bfb, max_idle_ns: 440795203732 ns
[    0.000009] sched_clock: 56 bits at 48MHz, resolution 20ns, wraps every 4398046511096ns
[    0.000023] Switching to timer-based delay loop, resolution 20ns
[    0.000251] Calibrating delay loop (skipped), value calculated using timer frequency.. 96.00 BogoMIPS (lpj=480000)
[    0.000273] pid_max: default: 32768 minimum: 301
[    0.000418] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000438] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.001108] CPU: Testing write buffer coherency: ok
[    0.001904] Setting up static identity map for 0x80300000 - 0x80300060
[    0.002064] Hierarchical SRCU implementation.
[    0.002765] smp: Bringing up secondary CPUs ...
[    0.005684] smp: Brought up 1 node, 4 CPUs
[    0.005705] SMP: Total of 4 processors activated (384.00 BogoMIPS).
[    0.005714] CPU: All CPU(s) started in SVC mode.
[    0.009706] VFP support v0.3: implementor 41 architecture 2 part 30 variant 7 rev 5
[    0.009878] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.009992] futex hash table entries: 1024 (order: 4, 65536 bytes)
[    0.010251] pinctrl core: initialized pinctrl subsystem
[    0.011263] NET: Registered protocol family 16
[    0.011660] DMA: preallocated 256 KiB pool for atomic coherent allocations
[    0.012767] cpuidle: using governor ladder
[    0.012814] cpuidle: using governor menu
[    0.027424] usbcore: registered new interface driver usbfs
[    0.027494] usbcore: registered new interface driver hub
[    0.027578] usbcore: registered new device driver usb
[    0.027639] pps_core: LinuxPPS API ver. 1 registered
[    0.027650] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.027675] PTP clock support registered
[    0.028866] clocksource: Switched to clocksource arch_sys_counter
[    0.029718] NET: Registered protocol family 2
[    0.030466] TCP established hash table entries: 2048 (order: 1, 8192 bytes)
[    0.030509] TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
[    0.030560] TCP: Hash tables configured (established 2048 bind 2048)
[    0.030683] UDP hash table entries: 256 (order: 1, 8192 bytes)
[    0.030723] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
[    0.030940] NET: Registered protocol family 1
[    0.167794] No memory allocated for crashlog
[    0.168051] workingset: timestamp_bits=30 max_order=16 bucket_order=0
[    0.171485] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.171504] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.177140] io scheduler noop registered
[    0.177163] io scheduler deadline registered (default)
[    0.178429] OF: PCI: host bridge /soc/pci@40000000 ranges:
[    0.178467] OF: PCI:    IO 0x40200000..0x402fffff -> 0x40200000
[    0.178486] OF: PCI:   MEM 0x40300000..0x40ffffff -> 0x40300000
[    1.298869] qcom-pcie 40000000.pci: phy link never came up
[    1.308900] qcom-pcie 40000000.pci: cannot initialize host
[    1.309029] qcom-pcie: probe of 40000000.pci failed with error -110
[    1.310464] bam-dma-engine 8e04000.dma: num-channels unspecified in dt
[    1.310482] bam-dma-engine 8e04000.dma: num-ees unspecified in dt
[    1.311142] tcsr 1949000.tcsr: setting wifi_glb_cfg = 41000000
[    1.311237] tcsr 1953000.ess_tcsr: setting ess interface select = 1
[    1.311316] tcsr 1957000.tcsr: setting wifi_noc_memtype_m0_m2 = 2222222
[    1.311547] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[    1.312119] msm_serial 78af000.serial: msm_serial: detected port #0
[    1.312169] msm_serial 78af000.serial: uartclk = 1843200
[    1.312232] 78af000.serial: ttyMSM0 at MMIO 0x78af000 (irq = 25, base_baud = 115200) is a MSM
[    1.312259] msm_serial: console setup on port #0
[    1.847351] console [ttyMSM0] enabled
[    1.852237] msm_serial: driver initialized
[    1.860273] loop: module loaded
[    1.861423] spi_qup 78b5000.spi: IN:block:16, fifo:64, OUT:block:16, fifo:64
[    1.863449] m25p80 spi0.0: unrecognized JEDEC id bytes: 00, 00, 00
[    1.869969] m25p80: probe of spi0.0 failed with error -2
[    1.876486] libphy: ipq40xx_mdio: probed
[    1.922836] libphy: Fixed MDIO Bus: probed
[    2.068893] EDMA using MAC@ - using
[    2.068912] a6:31:b2:66:1e:10
[    2.074468] i2c /dev entries driver
[    2.108400] NET: Registered protocol family 10
[    2.116355] Segment Routing with IPv6
[    2.116497] NET: Registered protocol family 17
[    2.119587] 8021q: 802.1Q VLAN Support v1.8
[    2.123388] Registering SWP/SWPB emulation handler
\EA[    2.145030] Freeing unused kernel memory: 8192K
[    2.240734] init: Console is alive
[    2.241042] init: - watchdog -
[    2.253342] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    2.266770] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.279554] init: - preinit -
[    2.514452] random: jshn: uninitialized urandom read (4 bytes read)
[    2.552408] random: jshn: uninitialized urandom read (4 bytes read)
get_mac_binary: file  not found!
[    2.616196] random: jshn: uninitialized urandom read (4 bytes read)
[    2.841490] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    6.017595] procd: - early -
[    6.017745] procd: - watchdog -
[    6.670206] procd: - watchdog -
[    6.673025] procd: - ubus -
[    6.692156] urandom_read: 5 callbacks suppressed
[    6.692167] random: ubusd: uninitialized urandom read (4 bytes read)
[    6.733557] random: ubusd: uninitialized urandom read (4 bytes read)
[    6.740185] procd: - init -
Please press Enter to activate this console.
[    6.878585] kmodloader: loading kernel modules from /etc/modules.d/*
[    6.883666] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    6.890026] Loading modules backported from Linux version v4.19.23-0-g67d52fae61c1
[    6.890066] Backport generated by backports.git v4.19.23-1-0-g480a925a
[    6.898350] ip_tables: (C) 2000-2006 Netfilter Core Team
[    6.908260] nf_conntrack version 0.5.0 (4096 buckets, 16384 max)
[    6.937576] xt_time: kernel timezone is -0000
[    6.955092] PPP generic driver version 2.4.2
[    6.956118] NET: Registered protocol family 24
[    6.967346] kmodloader: done loading kernel modules from /etc/modules.d/*
[   26.831799] br-lan: port 1(eth0) entered blocking state
[   26.831846] br-lan: port 1(eth0) entered disabled state
[   26.836284] device eth0 entered promiscuous mode
[   26.844082] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready




BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r9757-dd9acce88c
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# 

Yes, I enabled serial with that method.

Can you attach your initramfs image?

I can try netbooting yours to see if it works on my hAP AC2.

I enabled DEBUG in ipq-aux-loader if this helps

TEXT_BASE2 is set to 0x00000000 inside of ipq-aux-loader-common
I am using the lhgg 60ad initramfs image.

RouterBOOT booter 6.43.12

RBD52G-5HacD2HnD

CPU frequency: 716 MHz
Memory size: 128 MiB
 Storage size: 16 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol.... OK
Got IP address: 192.168.100.83
resolved mac address 4C:5E:0C:XX:XX:XX
Gateway: 192.168.100.1
transfer started ............................... transfer ok, time=4.74s
setting up elf image... OK
jumping to kernel code

OpenWrt kernel loader for Qualcomm IPQ-4XXX/IPQ-806X
Copyright (C) 2019 Sergey Sergeev <adron@mstnt.com>

head loader TEXT_BASE = 0x80000000
kernel loader TEXT_BASE = 0x84800000

ARCH = 4200
Kernel image header:
magic = 0xd00dfeed, FIT uImage
size = 3466219
name = 'ARM OpenWrt Linux-4.14.118'
load = 0x80208000
ep = 0x80208000
compr = lzma

Extracting LZMA kernel...Done
Starting kernel at 0x80208000

Here it is

Your openwrt-ipq40xx-mikrotik_lhgg-60ad-initramfs-fit-uImage.elf hangs on my Mikrotik hAP AC2 as well, so something is different about my board.

RouterBOOT booter 6.43.12

RBD52G-5HacD2HnD
CPU frequency: 716 MHz

Memory size: 128 MiB
 Storage size: 16 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol.... OK
Got IP address: 192.168.100.83
resolved mac address 4C:5E:0C:XX:XX:XX
Gateway: 192.168.100.1
transfer started ......................................... transfer ok, time=6.25s
setting up elf image... OK
jumping to kernel code

Interesting...

I think my hAP AC2 is hanging on the OpenWRT kernel,

// loader.c
printf("Starting kernel at 0x%08x\n", kernel_entry);
printf("\n");
cleanup_before_linux();
kernel_entry(kernel_p0, kernel_p1, kernel_p2);
reset_cpu(0);

kernel_entry() is where it hangs forever.

I took your hapac2_dump, and found your exact RouterBOOT version. I then put your exact RouterBOOT, hard_config, soft_config, etc. on my device. I then tried to netboot the openwrt-ipq40xx-mikrotik_lhgg-60ad-initramfs-fit-uImage.elf file and it still hangs when loading the kernel.

RouterBOOT booter 6.43.4

RouterBOARD D52G-5HacD2HnD-TC

CPU frequency: 716 MHz
Memory size: 128 MiB
 Storage size: 16 MiB

Press any key within 2 seconds to enter setup..
trying bootp protocol.... OK
Got IP address: 192.168.100.140
resolved mac address 4C:5E:0C:XX:XX:XX
Gateway: 192.168.100.1
transfer started ......................................... transfer ok, time=6.31s
setting up elf image... OK
jumping to kernel code

My original hap AC2 came on RouterOS 6.43.12, and would not let me downgrade below 6.43.10. I had to use dd with the mikrotik exploit to do this.

I wonder if they changed something...

Here is my SN/Revision: /910/US ( my hardware is a USA version )

The IPQ-Aux-Loader seems to be executed, but when starting the OpenWRT it just hangs. No output, no reboots ( not even the hardware watchdog is rebooting ). Just stays hung up.

I'm trying to figure out what's different...

Here are the mtdblocks0-1 ( 1 is my original RouterBOOT partition ).. Maybe there's something you guys will see that I am missing:
mtdblock1
mtdblock0

My hap is international / non US version, is it possible there is some hardware diference?

The last 3 digits of the serial number after the first "/", is the hardware revision number.
Mine is "/910" is yours earlier?

I'm not really sure what would be different, does your board have the IPQ4018-0VV?
ipq-aux-loader runs fine, it's purely the OpenWRT kernel that doesn't appear to either be starting ( or ipq-aux-loader is hanging when calling kernel_entry )

AFAIK the only difference between the international/US versions is the radio calibration regulatory data.

Well, if it gets stuck on jumping to kernel code than it means that aux loader actually does not start.
I had the same issue on LHGG60ad, and it was due to TEXT_BASE2

1 Like

I get UART output from the aux-loader:

jumping to kernel code

OpenWrt kernel loader for Qualcomm IPQ-4XXX/IPQ-806X
Copyright (C) 2019 Sergey Sergeev <adron@mstnt.com>

head loader TEXT_BASE = 0x80000000
kernel loader TEXT_BASE = 0x84800000

ARCH = 4200
Kernel image header:
magic = 0xd00dfeed, FIT uImage
size = 3466219
name = 'ARM OpenWrt Linux-4.14.118'
load = 0x80208000
ep = 0x80208000
compr = lzma

Extracting LZMA kernel...Done
Starting kernel at 0x80208000

It hangs on "Starting kernel at 0x8020800"

The second attempt with @subixonfire bootloader, i disabled UART so the test was identical to his. I suspected RouterBOOT was changed, since my version was 6.43.10.

Mine is /817. Meaning an older hw revision, that's why i was thinking it could be some hw change...

Ok got my self one with revision /911, This one will not boot with this initramfs. On first look the only deference is the ram chip.

Old version has NT5CC128M16IP-DI (256mb)
New version has NT5CC64M16GP-DI (128mb)

Can you check your ram chip, and what memory is winbox showing in /system/resources??

@robimarko Is ram size and/or ramchip defined in dts? Can we change that?