TP-WR902AC-V3 Flash upgrade to 16M

Wasn't there another wifi calibration partition?
Do you have a backup of the original 8MB flash? It would come handy. Or can you read the original chip with an eeprom programmer?

Stock rom:

flash manufacture id: ef, device id 40 18
W25Q128BV(ef 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000160000 : "kernel"
0x000000160000-0x0000007c0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
0x0000007c0000-0x0000007d0000 : "config"
0x0000007d0000-0x0000007e0000 : "romfile"
0x0000007e0000-0x0000007f0000 : "rom"
0x0000007f0000-0x000000800000 : "radio"
Register flash device:flash0

OpenWRT:

spi-mt7621 10000b00.spi: sys_freq: 193333333
spi-nor spi0.0: w25q128 (16384 Kbytes)
4 fixed-partitions partitions found on MTD device spi0.0
OF: Bad cell count for /palmbus@10000000/spi@b00/flash@0/partitions
OF: Bad cell count for /palmbus@10000000/spi@b00/flash@0/partitions
OF: Bad cell count for /palmbus@10000000/spi@b00/flash@0/partitions
OF: Bad cell count for /palmbus@10000000/spi@b00/flash@0/partitions
Creating 4 MTD partitions on "spi0.0":
0x000000000000-0x000000020000 : "boot"
0x000000020000-0x000000f20000 : "firmware"
2 tplink-fw partitions found on MTD device firmware
Creating 2 MTD partitions on "firmware":
0x000000000000-0x00000021860d : "kernel"
mtd: partition "kernel" doesn't end on an erase/write block -- force read-only
0x000000218610-0x000000f00000 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase/write block boundary -- force read-only
mtd: setting mtd3 (rootfs) as root device
1 squashfs-split partitions found on MTD device rootfs
0x000000550000-0x000000f00000 : "rootfs_data"
0x0000007b0000-0x0000007c0000 : "config"
0x0000007c0000-0x0000007f0000 : "factory"

Managed to dump all partitions from stock rom:

mtd0: 00020000 00010000 "boot"
mtd1: 00140000 00010000 "kernel"
mtd2: 00660000 00010000 "rootfs"
mtd3: 00010000 00010000 "config"
mtd4: 00010000 00010000 "romfile"
mtd5: 00010000 00010000 "rom"
mtd6: 00010000 00010000 "radio"

OpenWRT:

mtd0: 00020000 00010000 "boot"
mtd1: 00f00000 00010000 "firmware"
mtd2: 0021860d 00010000 "kernel"
mtd3: 00ce79f0 00010000 "rootfs"
mtd4: 009b0000 00010000 "rootfs_data"
mtd5: 00010000 00010000 "config"
mtd6: 00030000 00010000 "factory"

Binwalk (stock):

binwalk mtd1.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
512           0x200           LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3642484 bytes

binwalk mtd2.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, little endian, version 4.0, compression:xz, size: 6251106 bytes, 778 inodes, blocksize: 262144 bytes, created: 2023-02-23 09:27:21

binwalk mtd3.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

binwalk mtd4.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
binwalk mtd5.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

binwalk mtd6.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------


-rwxr-xr-x 1 dela dela  131072 Aug 30 20:31 mtd0.bin
-rwxr-xr-x 1 dela dela 1310720 Aug 30 20:31 mtd1.bin
-rwxr-xr-x 1 dela dela 6684672 Aug 30 20:31 mtd2.bin
-rwxr-xr-x 1 dela dela   65536 Aug 30 20:31 mtd3.bin
-rwxr-xr-x 1 dela dela   65536 Aug 30 20:31 mtd4.bin
-rwxr-xr-x 1 dela dela   65536 Aug 30 20:31 mtd5.bin
-rwxr-xr-x 1 dela dela   65536 Aug 30 20:31 mtd6.bin

It is the radio partition.

Can you check the dst ?
....
big-endian;

&pcie0 {
	mt76x0e@0,0 {
		reg = <0x0000 0 0 0 0>;
		mtd-mac-address = <&config 0xe490>;
		mtd-mac-address-increment = <(2)>;
		mediatek,mtd-eeprom = <&config 0xe05d>;
		big-endian;
		ieee80211-freq-limit = <5000000 6000000>;
	};
};

I haven't changed anything in the .dts, the partition layout is referenced in the .dtsi

Can you change the endianity in the dtsi for the eeprom partition and compile again?

&pcie0 {
	mt76@0,0 {
		reg = <0x0000 0 0 0 0>;
		mediatek,mtd-eeprom = <&factory 0x28000>;
                big-endian;
		ieee80211-freq-limit = <5000000 6000000>;
		nvmem-cells = <&macaddr_factory_f100>;
		nvmem-cell-names = "mac-address";
		mac-address-increment = <(-1)>;
	};
};

or

	mt76@0,0 {
		reg = <0x0000 0 0 0 0>;
		mediatek,mtd-eeprom = <&factory 0x28000>;
                little-endian;
		ieee80211-freq-limit = <5000000 6000000>;
		nvmem-cells = <&macaddr_factory_f100>;
		nvmem-cell-names = "mac-address";
		mac-address-increment = <(-1)>;
	};
};

Compile both, then try them which one has working radio.

Endianness wasn't the issue but, empty mtd5 ( config ) and mtd6 ( factory ) partitions.

Checked the stock mtd5 ( rom ) and mtd6( radio ) with a HEX editor and they contained some data, while the openwrt partitions were completely empty.

Mtd6 (radio) had some data on offsets 0x20000 (&wmac) and 0x28000 (&pcie0).

&wmac {
        status = "okay";

        mediatek,mtd-eeprom = <&factory 0x20000>;

        nvmem-cells = <&macaddr_factory_f100>;
        nvmem-cell-names = "mac-address";
};

&pcie0 {
        mt76@0,0 {
                reg = <0x0000 0 0 0 0>;
                mediatek,mtd-eeprom = <&factory 0x28000>;
                ieee80211-freq-limit = <5000000 6000000>;
                nvmem-cells = <&macaddr_factory_f100>;
                nvmem-cell-names = "mac-address";
                mac-address-increment = <(-1)>;
        };
};

Then i realized, while 2.4G was working i kept getting randomized MAC on eth on every reboot.

mt7615e 0000:01:00.0: Invalid MAC address, using random address 7a:fd:b0:59:62:69

mtd5 (rom) had a lot more data.

Recompiled another image without read-only option in .dtsi for config and factory partitions.
Based on the offsets above, figured that the radio partition should go on factory, and rom partition, containing some configuration, into config partition.

SSH'd both stock partitions to /tmp and flashed over the empty config and factory partitions using MTD:

mtd unlock config 
mtd -r write /tmp/mtd5.bin config

After reboot, eth0 got the proper MAC (from the sticker), not random:

[   16.128936] mt76_wmac 10300000.wmac: ASIC revision: 76280001
[   16.354225] random: crng init done
[   16.357747] random: 22 urandom warning(s) missed due to ratelimiting
[   17.167074] mt76_wmac 10300000.wmac: Firmware Version: 20151201
[   17.173102] mt76_wmac 10300000.wmac: Build Time: 20151201183641
[   17.194354] mt76_wmac 10300000.wmac: firmware init done

The previous error for 5G radio changed from:

[   18.205162] mt76x0e 0000:01:00.0: EEPROM data check failed: ffff
[   18.301090] mt76x0e 0000:01:00.0: driver does not support default EEPROM

to:

[   18.085336] mt76x0e 0000:01:00.0: EEPROM data check failed: 1076
[   18.197637] mt76x0e 0000:01:00.0: driver does not support default EEPROM

Flashed mtd6 to factory:

mtd unlock factory
mtd -r write /tmp/mtd6.bin factory

After reboot 5G came up:

[   15.968952] mt76_wmac 10300000.wmac: ASIC revision: 76280001
[   16.222346] random: crng init done
[   16.225867] random: 22 urandom warning(s) missed due to ratelimiting
[   17.007043] mt76_wmac 10300000.wmac: Firmware Version: 20151201
[   17.013070] mt76_wmac 10300000.wmac: Build Time: 20151201183641
[   17.034358] mt76_wmac 10300000.wmac: firmware init done
[   17.489490] PPP generic driver version 2.4.2
[   17.499213] NET: Registered protocol family 24
[   17.512200] mt76x0e 0000:01:00.0: card - bus=0x1, slot = 0x0 irq=4
[   17.518838] mt76x0e 0000:01:00.0: ASIC revision: 76100002
[   17.526449] mt76x0e 0000:01:00.0: Firmware Version: 0.1.00
[   17.915296] mt76x0e 0000:01:00.0: EEPROM ver:02 fae:00

Haven't tested stability or performance yet.

@kukulo Thanks man, the partition layout helped, will mark as solution.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.