Trying to boot MAC1200R v2 (MT7628AN)

For Developers
1

I noticed there was added support for the Mercury MAC1200R v2 so now I am trying to get LEDE to work on this router. For now I can TFTP the "sysupgrade" image and BOOTM this image, but shortly after starting it hangs. I am trying to figure out if this is caused by the way I boot the image, or something is wrong with the compiled image. (I am installing debian right now in a VM to start building from source).

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2017.03.29 00:34:39 =~=~=~=~=~=~=~=~=~=~=~=

MT7628 # bootm

## Booting image at 82000000 ...

   Image Name:   MIPS LEDE Linux-4.4.56

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    1309604 Bytes =  1.2 MB

   Load Address: 80000000

   Entry Point:  80000000

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 80000000) ...

## Giving linux memsize in MB, 64


Starting kernel ...


[    0.000000] Linux version 4.4.56 (buildbot@builds) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3868-f3474ca) ) #0 Sun Mar 26 13:58:17 2017
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is Mercury MAC1200R v2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Writing ErrCtl register=00008980
[    0.000000] Readback ErrCtl register=00008980
[    0.000000] Memory: 28092K/32768K available (3022K kernel code, 142K rwdata, 720K rodata, 204K init, 200K bss, 4676K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:256
[    0.000000] intc: using register map from devicetree
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource_probe: no matching clocksources found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000012] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015360] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.080526] pid_max: default: 32768 minimum: 301
[    0.089778] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.102725] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.122797] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.142191] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.154367] pinctrl core: initialized pinctrl subsystem
[    0.165910] NET: Registered protocol family 16
2

Starting flash dedicated image from RAM doesn't make sense.

3

I figured, since the OEM firmware copies from Flash to RAM before executing the code (and not running the code directly from Flash), I was hoping during develepment, I could do the similar. instead of copy from flash I would TFTP the image to RAM. Once I have a booting image (minimal packages) I could try to flash this without bricking the device.

As you know the U-boot on this device has an RSA check. On the OpenWRT forum, others managed to revert to an older U-boot version on a TP-Link 7500 (v5 to v3?). They put the u-boot image in front of the sysupgrade and flashed it like that. As far as I could find, there is no "old" version without RSA availlable for this device, so unless You, as the u-boot guru can work some magic, I am just trying different ways to get this router going with LEDE.

I am trying to build my own image now from source to see if that would make any difference. My hope is, that once I have it running from RAM, I could flash it from "inside" a running LEDE (basically doing a sysupgrade without the "old" LEDE firmware in Flash).

Maybe that doesn't make sense :slight_smile:

4

First of all, the image you are loading to RAM has embedded kernel which "thinks" that it's loaded from FLASH to RAM and expects to find some data on the flash at predefined offsets, starting from... rootfs. This will not work. Instead, you should build and load initramfs image which has embedded rootfs and is designed for that (loading to and starting from RAM without rootfs on flash/disk/etc.).

But anyway, the problem with this device is that the vendor U-Boot (the second one) always verifies RSA signature, so it doesn't matter what you will write to the flash, U-Boot won't load it without proper RSA signature.

5

Ah. I get it. And I guess that "simply" bypassing the RSA check (dirty patch a Jump over this routine) sounds much easier than done :wink:

Last time I used an (dis)assembler was back in the day of a Motorola 6809 8bit processor.

Thank you for explaining embedded images. I will google the subject to understand the proces better.

6

In fact, that was one of my ideas :slight_smile:
The only problem is lack of free time and too many things to take care of. But this device is still on my todo list.

https://github.com/true-systems/om5p-ac-v2-unlocker :slight_smile:

7

Unlocker makes some interesting read.

I don't like "no" as an answer, so I build an image with Ramdisk. The total LZMA is now 2.9MB vs the 1.2MB in the sysupgrade version. Hangs at the same point as before. I have a feeling it has to do with the Ralink GPIO not getting setup. In the OEM this is the next item in the log. Tomorrow I will try on another router just to see if that one boots with the ramdisk config. (WD740NDv4 running still dd-wrt)

8

I am still in the dark on the .DTS files, but if I compare the ones I found here:

https://dev.openwrt.org/ticket/20331


https://github.com/lede-project/source/blob/master/target/linux/ramips/dts/MAC1200RV2.dts

Besides the MTD partitions information in the first openwrt, which seems wrong compared to my serial console output (to me, the Lede DTS is correct). I am not seeing the "pinctl" part in the Lede DTS. The PCI bridge part is also slightly different.

I will do some digging on this.

9

Success!!! (not perfect yet)

## Booting image at 82000000 ...

   Image Name:   MIPS LEDE Linux-4.4.56

   Image Type:   MIPS Linux Kernel Image (lzma compressed)

   Data Size:    3247945 Bytes =  3.1 MB

   Load Address: 80000000

   Entry Point:  80000000

   Verifying Checksum ... OK

   Uncompressing Kernel Image ... OK

No initrd

## Transferring control to Linux (at address 80000000) ...

## Giving linux memsize in MB, 64


Starting kernel ...


[    0.000000] Linux version 4.4.56 (richard@debian) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3888-8fb39f1) ) #0 Tue Mar 28 09:43:58 2017
[    0.000000] Board has DDR2
[    0.000000] Analog PMU set to hw control
[    0.000000] Digital PMU set to hw control
[    0.000000] SoC Type: MediaTek MT7628AN ver:1 eco:2
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019655 (MIPS 24KEc)
[    0.000000] MIPS: machine is Mercury MAC1200R v2
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000001ffffff]
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 128 (order: -3, 512 bytes)
[    0.000000] Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
[    0.000000] Writing ErrCtl register=00000980
[    0.000000] Readback ErrCtl register=00000980
[    0.000000] Memory: 26564K/32768K available (2657K kernel code, 135K rwdata, 664K rodata, 2168K init, 189K bss, 6204K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:256
[    0.000000] intc: using register map from devicetree
[    0.000000] CPU Clock: 580MHz
[    0.000000] clocksource_probe: no matching clocksources found
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 6590553264 ns
[    0.000010] sched_clock: 32 bits at 290MHz, resolution 3ns, wraps every 7405115902ns
[    0.015350] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.080517] pid_max: default: 32768 minimum: 301
[    0.089776] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.102724] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.122840] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.142233] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.154402] pinctrl core: initialized pinctrl subsystem
[    0.165358] NET: Registered protocol family 16
[    0.282901] mt7620-pci 10140000.pcie: Port 0 N_FTS = 1b105000
[    0.443908] PCI host bridge /pcie@10140000 ranges:
[    0.453247]  MEM 0x0000000020000000..0x000000002fffffff
[    0.463558]   IO 0x0000000010160000..0x000000001016ffff
[    0.481786] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.492875] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.503899] mt7621_gpio 10000600.gpio: registering 32 gpios
[    0.515557] PCI host bridge to bus 0000:00
[    0.523525] pci_bus 0000:00: root bus resource [mem 0x20000000-0x2fffffff]
[    0.537147] pci_bus 0000:00: root bus resource [io  0xffffffff]
[    0.548812] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.562227] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.578385] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.594914] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    0.607901] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    0.621629] pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff]
[    0.635046] pci 0000:00:00.0: BAR 9: assigned [mem 0x20100000-0x201fffff pref]
[    0.649320] pci 0000:00:00.0: BAR 1: assigned [mem 0x20200000-0x2020ffff]
[    0.662747] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit]
[    0.677206] pci 0000:01:00.0: BAR 6: assigned [mem 0x20100000-0x2010ffff pref]
[    0.691459] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.701255] pci 0000:00:00.0:   bridge window [mem 0x20000000-0x200fffff]
[    0.714681] pci 0000:00:00.0:   bridge window [mem 0x20100000-0x201fffff pref]
[    0.728968] pci 0000:00:00.0: card - bus=0x0, slot = 0x0 irq=0
[    0.740486] pci 0000:01:00.0: card - bus=0x1, slot = 0x0 irq=4
[    0.752976] clocksource: Switched to clocksource MIPS
[    0.764376] NET: Registered protocol family 2
[    0.773818] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.787527] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.800036] TCP: Hash tables configured (established 1024 bind 1024)
[    0.812689] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.824143] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.836798] NET: Registered protocol family 1
[    3.708487] Crashlog allocated RAM at address 0x1f00000
[    3.734113] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    3.745580] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    3.795513] io scheduler noop registered
[    3.803198] io scheduler deadline registered (default)
[    3.814227] Serial: 8250/16550 driver, 3 ports, IRQ sharing disabled
[    3.827970] console [ttyS0] disabled
[    3.834986] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 28, base_baud = 2500000) is a 16550A
[    3.852818] console [ttyS0] enabled
[    3.852818] console [ttyS0] enabled
[    3.866555] bootconsole [early0] disabled
[    3.866555] bootconsole [early0] disabled
[    3.883865] spi-mt7621 10000b00.spi: sys_freq: 193333333
[    3.898225] m25p80 spi32766.0: using chunked io (size=32)
[    3.908989] m25p80 spi32766.0: s25fl064k (8192 Kbytes)
[    3.919205] 6 ofpart partitions found on MTD device spi32766.0
[    3.930755] Creating 6 MTD partitions on "spi32766.0":
[    3.940936] 0x000000000000-0x00000001d800 : "u-boot"
[    3.952543] 0x00000001d800-0x00000001e000 : "factory_info"
[    3.965317] 0x00000001e000-0x000000020000 : "art"
[    3.976537] 0x000000020000-0x000000030000 : "config"
[    3.988275] 0x000000030000-0x000000040000 : "u-boot2"
[    4.000199] 0x000000040000-0x000000800000 : "firmware"
[    4.064068] rt3050-esw 10110000.esw: link changed 0x00
[    4.075843] mtk_soc_eth 10100000.ethernet eth0: mediatek frame engine at 0xb0100000, irq 5
[    4.092761] mt7621_wdt 10000120.watchdog: Initialized
[    4.103478] NET: Registered protocol family 17
[    4.112384] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    4.137386] 8021q: 802.1Q VLAN Support v1.8
[    4.160717] Freeing unused kernel memory: 2168K (80362000 - 80580000)
[    4.186387] init: Console is alive
[    4.193424] init: - watchdog -
[    4.208913] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    4.227107] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    4.251912] init: - preinit -
[    4.380663] rt3050-esw 10110000.esw: link changed 0x00
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    6.560891] procd: - early -
[    6.567399] procd: - watchdog -
[    7.127999] procd: - ubus -
[    7.140304] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.184702] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.203072] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.220908] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.239006] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.256855] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.274819] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.292810] random: ubusd: uninitialized urandom read (4 bytes read, 11 bits of entropy available)
[    7.311025] procd: - init -
Please press Enter to activate this console.
[    7.409640] rt3050-esw 10110000.esw: link changed 0x08
[    7.480860] kmodloader: loading kernel modules from /etc/modules.d/*
[    7.495321] Loading modules backported from Linux version wt-2017-01-31-0-ge882dff19e7f
[    7.511242] Backport generated by backports.git backports-20160324-13-g24da7d3c
[    7.573180] mt76_wmac 10300000.wmac: ASIC revision: 76280001
[    7.586542] mt76_wmac 10300000.wmac: Invalid MAC address, using random address 02:01:ad:76:22:4c
[    9.644136] mt76_wmac 10300000.wmac: Firmware Version: _e2_mp
[    9.655576] mt76_wmac 10300000.wmac: Build Time: 20150211175503
[    9.682980] firmware init done
[    9.866407] mt76x2e 0000:01:00.0: ASIC revision: 76120044
[    9.892491] mt76x2e 0000:01:00.0: ROM patch already applied
[    9.913842] mt76x2e 0000:01:00.0: Firmware Version: 0.0.00
[    9.924755] mt76x2e 0000:01:00.0: Build: 1
[    9.932859] mt76x2e 0000:01:00.0: Build Time: 201507311614____
[    9.982263] mt76x2e 0000:01:00.0: Firmware running!
[   10.025255] nf_conntrack version 0.5.0 (448 buckets, 1792 max)
[   10.145716] xt_time: kernel timezone is -0000
[   10.167134] ip_tables: (C) 2000-2006 Netfilter Core Team
[   10.215584] PPP generic driver version 2.4.2
[   10.244126] NET: Registered protocol family 24
[   10.275186] kmodloader: done loading kernel modules from /etc/modules.d/*
[   10.497548] random: jshn: uninitialized urandom read (4 bytes read, 16 bits of entropy available)
[   10.695018] random: jshn: uninitialized urandom read (4 bytes read, 17 bits of entropy available)
[   16.675211] device eth0.1 entered promiscuous mode
[   16.684775] device eth0 entered promiscuous mode
[   16.727878] br-lan: port 1(eth0.1) entered forwarding state
[   16.739021] br-lan: port 1(eth0.1) entered forwarding state
[   18.732995] br-lan: port 1(eth0.1) entered forwarding state
^CPlease press Enter to activate this console.



BusyBox v1.26.2 () built-in shell (ash)

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (SNAPSHOT, r3888-8fb39f1)
    \________\/    -----------------------------------------------------------

=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@LEDE:/#
10

I modified the DTS file to include PinCtrl and I modified some part of the GPIO to get it "fully" booting. After enabling radio0 and radio1 via Serial Console, I can connect both 2.4GHz and 5GHz and use the LuCi website.

For some reason the Wired part doesn't work yet. It looks like the switch is seen as a different chipset (RT3050-esw???)

11

U-boot: on the openwrt site, I noticed people flashing an unlocked uboot not specific for the device. I assume that we could compile a "genetic" MT7628AN Uboot. Why does it need to be in 2 stages? Can't we just flash a Uboot (1.1.3/4 mod?) as only Uboot? Or do we need to flash the secondary uboot and keep the Vendors first Uboot?

Just flashing a squashfs sysupgrade to firmware obviousely doesn't work. (I tried, gets back to recovery mode :stuck_out_tongue:)

12

In fact, it doesn't need to be 2-stages and that is the way how the original author of the support made it working. But, the general approach is to keep vendor custom data and preserve backward compatibility (with vendor firmware) if it's possible.

13

As a starting point I tried compiling this project:

However, it looks like the lede tool chain is too different to accept the make file as is. Should I try to modify the make file or just install the (older) openwrt build toolchain?

14

Another question:

The Vendor firmware needs a username/password at the SLP Login prompt on serial console. I noticed different TP-Link routers have the same, but I was not able to find the correct login.

Anyone knows how to login over serial after the devices fully boots (not type: slp within 1 second for u-boot)