Goal 1: Boot OpenWRT on SDRAM via TFTP.
Hi there, I'm trying to test/build OpenWRT for a non-supported device based on MT7628NN platform.
I'm able to access the device via UART, and see the console log, among other things:
Boot options:
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
MTD partitions based on flash manufacture id: ef, device id 40 18, W25Q128BV(ef 40180000) (16384 Kbytes):
Creating 17 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Mac"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x0000001a0000 : "Kernel"
0x0000001a0000-0x000000660000 : "RootFs"
0x000000660000-0x000000920000 : "RootFS_Ext"
0x000000920000-0x000000a70000 : "Kernel_bak"
0x000000a70000-0x000000f30000 : "RootFs_bak"
0x000000050000-0x000000660000 : "Kernel_RootFs"
0x000000920000-0x000000f30000 : "Kernel_RootFs_bak"
0x000000f30000-0x000000f90000 : "RootFS_Data"
0x000000050000-0x000000f90000 : "Image_All"
0x000000f90000-0x000000fb0000 : "SystemLog"
0x000000fb0000-0x000000fd0000 : "Config"
0x000000fd0000-0x000000ff0000 : "Config_bak"
0x000000ff0000-0x000001000000 : "Mac_bak"
Within the device, those partitions were mounted on the following devices:
# cat /proc/mtd
dev: size erasesize name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Mac"
mtd3: 00010000 00010000 "Factory"
mtd4: 00150000 00010000 "Kernel"
mtd5: 004c0000 00010000 "RootFs"
mtd6: 002c0000 00010000 "RootFS_Ext"
mtd7: 00150000 00010000 "Kernel_bak"
mtd8: 004c0000 00010000 "RootFs_bak"
mtd9: 00610000 00010000 "Kernel_RootFs"
mtd10: 00610000 00010000 "Kernel_RootFs_bak"
mtd11: 00060000 00010000 "RootFS_Data"
mtd12: 00f40000 00010000 "Image_All"
mtd13: 00020000 00010000 "SystemLog"
mtd14: 00020000 00010000 "Config"
mtd15: 00020000 00010000 "Config_bak"
mtd16: 00010000 00010000 "Mac_bak"
I tried to boot with Load system code to SDRAM via TFTP. using a pre-built image of a similar device (using the sample platform), I choose TP-Link TL-WR841N-v13, or more precisely: openwrt-ramips-mt76x8-tplink_tl-wr841n-v13-initramfs-kernel.bin, and I got the following error (after the image was successfully loaded from TFTP): Bad Magic Number
Then, I exported the kernel partition (/dev/mtd4) to a file for analyzing, and saw the following:
binwalk mtd4-kernel.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x8D80ECD7, created: 2019-03-23 09:05:59, image size: 1376192 bytes, Data Address: 0x80000000, Entry Point: 0x8000C150, data CRC: 0xBFFC1703, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3894108 bytes
To make sure I was doing the basic things, I download the stock firmware and tried to load it via TFTP but still got the Bad Magic Number error, when analyzing the stock image, I found the following:
binwalk stock-image.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
96 0x60 uImage header, header size: 64 bytes, header CRC: 0x8D80ECD7, created: 2019-03-23 09:05:59, image size: 1376192 bytes, Data Address: 0x80000000, Entry Point: 0x8000C150, data CRC: 0xBFFC1703, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
160 0xA0 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3894108 bytes
1376352 0x150060 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4433606 bytes, 842 inodes, blocksize: 131072 bytes, created: 2019-04-13 08:18:02
5812320 0x58B060 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2788362 bytes, 112 inodes, blocksize: 131072 bytes, created: 2019-04-13 08:18:02
Somehow, there were 96 bytes before the uImage header that contained some strings, which I removed manually with a hex editor, here the image after such change:
binwalk stock-image-modified.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x8D80ECD7, created: 2019-03-23 09:05:59, image size: 1376192 bytes, Data Address: 0x80000000, Entry Point: 0x8000C150, data CRC: 0xBFFC1703, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
64 0x40 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3894108 bytes
1376256 0x150000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4433606 bytes, 842 inodes, blocksize: 131072 bytes, created: 2019-04-13 08:18:02
5812224 0x58B000 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2788362 bytes, 112 inodes, blocksize: 131072 bytes, created: 2019-04-13 08:18:02
I then tried to load the modified version, and it worked!
Then, I analyzed the TP-Link TL-WR841N-v13 image openwrt-ramips-mt76x8-tplink_tl-wr841n-v13-initramfs-kernel.bin:
binwalk openwrt-ramips-mt76x8-tplink_tl-wr841n-v13-initramfs-kernel.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
512 0x200 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 10365768 bytes
I extracted the binary content skipping the first 512 bytes with dd if=openwrt-ramips-mt76x8-tplink_tl-wr841n-v13-initramfs-kernel.bin of=openwrt.lzma bs=1 skip=512 & decompressed with unlzma openwrt.lzma, finally, analyzed with binwalk:
binwalk openwrt
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5925708 0x5A6B4C Ubiquiti partition header, header size: 56 bytes, name: "PARTLABEL=", base address: 0x6E667300, data size: 0 bytes
6142112 0x5DB8A0 CRC32 polynomial table, little endian
6143136 0x5DBCA0 xz compressed data
6213140 0x5ECE14 Unix path: /lib/firmware/updates/5.10.176
6264012 0x5F94CC Unix path: /sys/firmware/devicetree/base
6267753 0x5FA369 Unix path: /sys/firmware/fdt': CRC check failed
6283333 0x5FE045 Neighborly text, "neighbor table overflow!ork address"
6283545 0x5FE119 Neighborly text, "neighbor get requestrequest"
6283595 0x5FE14B Neighborly text, "neighbor get requestget request"
6283649 0x5FE181 Neighborly text, "neighbor get request request"
6283700 0x5FE1B4 Neighborly text, "neighbor get requestet request"
6283753 0x5FE1E9 Neighborly text, "neighbor get requestNeighbour entry not found"
6283795 0x5FE213 Neighborly text, "neighbor get requestified"
6283977 0x5FE2C9 Neighborly text, "neighbor dump requestp request"
6284028 0x5FE2FC Neighborly text, "neighbor dump requestump request"
6284081 0x5FE331 Neighborly text, "neighbor dump request"
6284123 0x5FE35B Neighborly text, "neighbor dump requesttable dump request"
6284177 0x5FE391 Neighborly text, "neighbor table dump requestghbor table dump request"
6284237 0x5FE3CD Neighborly text, "neighbor table dump requeste dump request"
6284287 0x5FE3FF Neighborly text, "neighbor table dump requestyer address given"
6284368 0x5FE450 Neighborly text, "Neighbor entry is now deadit"
6371224 0x613798 Neighborly text, "NeighborSolicitsp6InErrors"
6371244 0x6137AC Neighborly text, "NeighborAdvertisementstMsgs"
6377710 0x6150EE Neighborly text, "neighbor %.2x%.2x.%pM losthas been deprecated and is always %u"
6598656 0x64B000 ELF, 32-bit LSB MIPS64 shared object, MIPS, version 1 (SYSV)
6606880 0x64D020 AES Inverse S-Box
6607136 0x64D120 AES S-Box
7361748 0x7054D4 LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: -1 bytes
10356612 0x9E0784 Flattened device tree, size: 9156 bytes, version: 17
But none of the descriptions had the uImage header.
At this point, my hypothesis is that as part of the Load system code to SDRAM via TFTP, the bootloader is looking for a uImage header at location 0 of the binary, which isn't being provided by the
openwrt-ramips-mt76x8-tplink_tl-wr841n-v13-initramfs-kernel.bin I was trying.
I then compiled/built the image manually, same results (expected, since I didn't change anything).
Question 1: Is my hypothesis correct?
Question 2: Should I generate an image that should include uBoot + Kernel? If so, How can I achieve that?
Thanks!