Hi All. I've had this router for ages to do initial Wi-Fi 6 performance testing. Finally got around to having a proper look at getting it to run OpenWrt. Next after this I'll be having a look at my xdr3230.
At first I thought I'd have to compile and flash the bootloader. But I ended up modifying the u-boot environment so I can tftpboot.
I have a method for running tftpboot and bootm. So I'll be working on getting a working initramfs now.
Bootloader appears to be locked and reset button doesn't appear to enable the prompt. Might be a timing thing given the default is 300ms IDK. So I'll try with a longer delay eventually?
If you can get it to trigger the corrupt OS HTTP bootloader you can use Ctrl+C to get at the bootloader prompt. However, commands are disabled. But you can string commands together with a semicolon if you use one of the enabled commands first.
I haven't had a look or tried to check what the validation is for the normal flash files. Nor have I tested the more up to date bootloader which was with the firmware upgrade.
To start:
MT7621 # printenv
bootcmd=go 0xbfc30000
bootdelay=300
baudrate=57600
ethaddr=(Placeholder).
ipaddr=192.168.1.1
serverip=192.168.1.10
loadaddr=0x82000000
stdin=serial
stdout=serial
stderr=serial
boot failure log:
Autobooting in 300 ms
Firmware check failed!
Enter recovery mode.
============================================
Ralink UBoot Version: 5.0.0.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jul 10 2020 Time:17:49:07
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
#Reset_MT7530
set ALL LAN Partition
Running command httpd!--Debug by CaiBin
NetTxPacket = 0x87FE3500
KSEG1ADDR(NetTxPacket) = 0xA7FE3500
HTTP server is ready!
Trying Eth0 (10/100-M)
Waitting for RX_DMA_BUSY status Start... done
ETH_STATE_ACTIVE!!
error: factory info header magic not correct
local info init failed, exit
Attaching option 01 to list
Attaching option 03 to list
Attaching option 06 to list
file: apps/dhcpd/dhcpd.c,line: 870==:dhcpd init OK. --debug by HouXB
HTTP server is starting at IP: 192.168.1.1
file: lib_uip.c,line: 115==:uip set a8c0-101. --debug by HouXB
file: lib_uip.c,line: 130==:start infinite loop! --debug by HouXB
Also of note I failed at cracking the root password in both the firmware it came with and the firmware in the firmware upgrade. But I'm no expert there.
I'm also not game to reverse engineer the factory firmware upgrade format/layout nor look for a root exploit in the web interface so we can have an easy method of flashing...
I may eventually try to create a bootloader replacement as I have spare SPI flash to solder on. I'm waiting on a pogo pin test fixture before I go for the heat gun and soldering iron haha. (I've worn out my cheap plastic programmers and/or the current for running the 3.3v rail is high....)
help output:
u boot help output
? - alias for 'help'
bootm - boot application image from memory
cp.b - memory copy
erase - erase SPI FLASH memory
go - start application at address 'addr'
help - print online help
httpd - start www server for firmware recovery
loadb - load binary file over serial line (kermit mode)
md - memory display
mdio - Ralink PHY register R/W command !!
mm - memory modify (auto-incrementing)
mtest - simple RAM test
nm - memory modify (constant address)
printenv- print environment variables
reset - Perform RESET of the CPU
rf - read/write rf register
saveenv - save environment variables to persistent storage
setenv - set environment variables
spi - spi command
tftpboot- boot image via network using TFTP protocol
version - print monitor version
An extract regarding the flash memory layout. I think this is the sizes but I'm going to need to think about it more.
It looks like the bootloader I ended up with is the first one. Then it runs another at bfc40000, which gives no delay and then loads the kernel. The full bootlog until it loads the kernel I'll have at the end.
Flash related bootlog extract
flashPartitionPreRead(96). [FLASH] partition factory_info : 00000800 bytes
flashPartitionPreRead(96). [FLASH] partition art : 00002000 bytes
flashPartitionPreRead(96). [FLASH] partition config : 00010000 bytes
flashPartitionPreRead(96). [FLASH] partition kernel_and_romfs: 006c0000 bytes
flashPartitionPreRead(96). [FLASH] partition tp_header : 00000200 bytes
flashPartitionPreRead(96). [FLASH] partition rootfs_data : 00100000 bytes
flashPartitionPreRead(96). [FLASH] partition normal_boot : 00010000 bytes
flashPartitionPreRead(96). [FLASH] partition kernel : 002a0074 bytes
flashPartitionPreRead(96). [FLASH] partition firmware : 007c0000 bytes
Bootlog until kernel load
===================================================================
MT7621 stage1 code 10:33:55 (ASIC)
CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL2 FB_DL: 0xb, 1/0 = 605/419 2D000000
PLL3 FB_DL: 0xf, 1/0 = 525/499 3D000000
PLL4 FB_DL: 0x10, 1/0 = 705/319 41000000
do DDR setting..[01F40000]
Apply DDR3 Setting...(use customer AC)
0 8 16 24 32 40 48 56 64 72 80 88 96 104 112 120
--------------------------------------------------------------------------------
0000:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0001:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0002:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0003:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0004:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0005:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0006:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0007:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0008:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0009:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
000D:| 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1
000E:| 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1
000F:| 0 0 1 1 1 1 1 1 1 1 1 1 0 0 0 0
0010:| 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0
0011:| 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0012:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0013:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0014:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0015:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0016:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0017:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0018:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0019:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001A:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001B:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001C:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001D:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001E:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
001F:| 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
rank 0 coarse = 15
rank 0 fine = 56
B:| 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0
opt_dle value:10
DRAMC_R0DELDLY[018]=00002021
==================================================================
RX DQS perbit delay software calibration
==================================================================
1.0-15 bit dq delay value
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
--------------------------------------
0 | 14 11 13 14 13 11 15 10 11 7
10 | 11 11 10 10 10 7
--------------------------------------
==================================================================
2.dqs window
x=pass dqs delay value (min~max)center
y=0-7bit DQ of every group
input delay:DQS0 =33 DQS1 = 32
==================================================================
bit DQS0 bit DQS1
0 (1~62)31 8 (1~62)31
1 (2~64)33 9 (1~62)31
2 (1~64)32 10 (1~64)32
3 (1~64)32 11 (1~62)31
4 (1~64)32 12 (1~63)32
5 (1~61)31 13 (1~62)31
6 (1~62)31 14 (1~64)32
7 (1~60)30 15 (1~60)30
==================================================================
3.dq delay value last
==================================================================
bit| 0 1 2 3 4 5 6 7 8 9
--------------------------------------
0 | 15 11 14 15 14 13 15 13 12 8
10 | 11 12 10 11 10 9
==================================================================
==================================================================
TX perbyte calibration
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqsdly_pass[0]=15, finish count=1
dqs_perbyte_dly.last_dqsdly_pass[1]=15, finish count=2
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15, finish count=1
dqs_perbyte_dly.last_dqdly_pass[1]=15, finish count=2
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
20,data:88
[EMI] DRAMC calibration passed
===================================================================
MT7621 stage1 code done
CPU=500000000 HZ BUS=166666666 HZ
===================================================================
U-Boot 1.1.3 (Jul 10 2020 - 17:49:07)
Board: Ralink APSoC DRAM: 128 MB
relocate_code Pointer at: 87fa0000
set ALL LAN Partition
Config XHCI 40M PLL
flash manufacture id: 1c, device id 70 17
Warning: un-recognized chip ID, please update bootloader!
*** Warning - bad CRC, using default environment
Press reset button to enter recovery mode.
Autobooting in 300 ms
#Reset_MT7530
verifying uboot partition...
ok
verifying kernel and romfs partition...
copy the last 0x300000 bytes of the partition to ram ...
ok
To boot, bootcmd = go 0xbfc30000.
## jump to 0xBFC30000, PHYS_FLASH_1 0xBFC00000
U-Boot 1.1.3 (Jul 10 2020 - 18:09:53)
Board: Ralink APSoC DRAM: 128 MB
relocate_code Pointer at: 87fbc000
Config XHCI 40M PLL
flash manufacture id: 1c, device id 70 17
Warning: un-recognized chip ID, please update bootloader!
*** Warning - bad CRC, using default environment
============================================
Ralink UBoot Version: 4.3.S.0
--------------------------------------------
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection
DRAM_TYPE: DDR3
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Jul 10 2020 Time:18:09:53
============================================
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768
##### The CPU freq = 880 MHZ ####
estimate memory size =128 Mbytes
#Reset_MT7530
set ALL LAN Partition
To boot and runcmd bootm 0xBFC40000.
Autobooting in 0 ms
## Booting image at bfc40000 ...
addr:0xbfc40000
---- tpHdr = bfc40000
---- text base = 81001000
---- entry point = 81001000
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 81001000) ...
## Giving linux memsize in MB, 128
Starting kernel ...
LINUX started...
edit1:
OK, so modifying the U-Boot environment causes the U-Boot check to fail, which means you no longer try to boot Linux/second U-Boot from flash? You go straight to the httpd U-Boot command.
I should have a backup of the whole flash from my SPI test clip but I'm yet to test / try. I have other things to get working first haha. I guess I can also eventually try the updated firmware image.
edit2:
Recovered the U-Boot environment and normal factory using the httpd recovery. Needed to rename the file to make it shorter. tftpboot has lzma issues. Working on trying to boot something minimal, otherwise I guess I'm shelving this until I want to experiment with MediaTek U-Boot and MT7621, then go try my xdr3230. (Not to mention this is an 8M target so no good other than learning before I try MediaTek U-Boot for MT7622....).
Also of note md.b doesn't look like it can dump the second half of the flash so I'm using spi read to dump the flash.
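The semicolon behaviour described in the post, modelled as an added example (not code from the post or from the vendor's bootloader): a console filter that validates only the first command of a line, next to one that validates every `;`-separated command the way the interpreter will run them. The allowlist contents, the function names and the sample input are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the post does not say which commands stay enabled. */
static const char *const ALLOWED[] = { "help", "version", "printenv" };

/* True if the first word of cmd[0..len) is on the allowlist. */
static bool word_allowed(const char *cmd, size_t len)
{
    while (len > 0 && (*cmd == ' ' || *cmd == '\t')) { cmd++; len--; }
    size_t n = 0;
    while (n < len && cmd[n] != ' ' && cmd[n] != '\t') n++;
    if (n == 0) return false;
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(ALLOWED[i], cmd, n) == 0)
            return true;
    return false;
}

/* Weak form: checks the line once, although it is later split on ';'. */
bool weak_filter(const char *line)
{
    return word_allowed(line, strcspn(line, ";"));
}

/* Hardened form: split on ';' first and require every piece to pass. */
bool strict_filter(const char *line)
{
    bool seen = false;
    while (*line) {
        size_t len = strcspn(line, ";");
        size_t blank = strspn(line, " \t");
        if (blank < len) {                 /* skip empty sub-commands */
            if (!word_allowed(line, len)) return false;
            seen = true;
        }
        line += len;
        if (*line == ';') line++;
    }
    return seen;
}

int main(void)
{
    const char *line = "version; setenv bootdelay 5";  /* constructed input */
    printf("weak=%d strict=%d\n", weak_filter(line), strict_filter(line));
}
```

The split in the filter has to match the interpreter's own parsing (quoting and escaped separators included), otherwise the two can still disagree about where one command ends.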