Wavlink Quantum T8 hacking

After doing some research on cheap yet capable routers with possible OpenWRT support I came across the "Wavlink Quantum T8". This is also known as the following (or has some relation to these): JETSTREAM AC3000 ERAC3000 WS-WN536A8, WS-WN533A8, ARK T6, Quantum Max, Quantum T10, Quantum T12, Quantum D4C, Quantum D4, Quantum D6Q, Quantum D6, Quantum T8, Quantum T6..

Unfortunately that confuses things greatly when trying to find more information on it. Its a tri-band router with 8 antennas.

I understand this is not officially supported by OpenWRT, however there appear to be some who have gotten it to work, such as https://github.com/bubbadestroy/Jetstream_AC3000

After reading that over and finding it on Amazon for like $50 USD I thought "heck, I'll give it a shot!"

Well, first thing I have encountered is that the "webcmd.shtml" interface is no longer available for executing arbitrary Linux commands. This was used in several examples for backing up the stock firmware, something which I'd like to do in the event I want to send it back. It looks like it does have a firmware upgrade page, but I'm hesitant to push the button with some of the OpenWRT images floating around, without some potential way to de-brick it, in case of catastrophe.

I have a TTL serial port, JTAG interfaces, and a lot of embedded systems know how. Just want to see if anyone else has had any experience with this router before I start digging into it. Documentation seems fairly scarce.

I went for broke and installed the openwrt-ramips-mt7621-wavlink_wl-wn531a6-initramfs-kernel.bin image using the stock firmware upgrade web interface. After a very brief progress bar the web page reset to the login screen, which was confusing. However, it seems it was still upgrading in the background, because it rebooted after a minute or so. I was then able to ssh to 192.168.1.1 and found a minimal OpenWRT environment.

I then attempted to do a sysupgrade with the openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin image. It closed the ssh session and said it was upgrading and after some time rebooted. It seemed to have gotten stuck though and so after 10 minutes or so I power cycled it. It then got stuck in a reboot loop. I was able to enter safe mode by pressing reset during the LED flashing phase of the OpenWRT startup and could then SSH in again. I tried the sysupgrade again, but still no go.

I then removed the 4 small screws on the bottom, carefully popped the cover off, removed the very large heatsink, and was glad to discover a 4 pin TTL serial port interface. Setting my serial terminal to 57600 baud I was able to capture the kernel boot up (will follow up with reply containing the log). It looks like it is crashing when attempting to initialize the mt7615e PCIe device. I suspect this is because of differences between the WN531A6, which this OpenWRT firmware is intended for, and this WN533A8 router. The 2 PCIe cards in the device are labeled WS-WN7615D-C (PCIE0) and WS-WN7615A-C (PCIE1), though I'm not sure if that is helpful or not. I think I need to become familiar with building OpenWRT and customizing it. I took pictures of the internals of this router which might be helpful for a Wiki page for this device.

On a side note, I made a rookie mistake and hooked up the +5V line from the USB ttl serial interface I have to the +3.3V line of the TTL serial interface on the router PCB, duhh! It was just very briefly as I was hooking up a clip probe connected to the power line and noticed one of the LEDs light up. I thought I had killed the device though (many expletives uttered), but it still behaves the same and I can still SSH in. However, I think I should install the stock firmware again to make sure everything is working. Now that I have access to the serial console, I feel more comfortable with changing the firmware.

Any thoughts or tips on these efforts would be appreciated.

Boot up log and Kernel crash in 2 parts, because length exceeds post limit. First part is bootloader prior to Kernel load:

===================================================================
                MT7621   stage1 code Aug 28 2018 16:58:15 (ASIC)
                CPU=500000000 HZ BUS=166666666 HZ
==================================================================
Change MPLL source from XTAL to CR...
do MEMPLL setting..
MEMPLL Config : 0x11100000
3PLL mode + External loopback
=== XTAL-40Mhz === DDR-1200Mhz ===
PLL3 FB_DL: 0x0, 1/0 = 787/237 01000000
PLL2 FB_DL: 0xe, 1/0 = 598/426 39000000
PLL4 FB_DL: 0x18, 1/0 = 596/428 61000000
do DDR setting..[01F40000]
Apply DDR3 Setting...(use customer AC)
          0    8   16   24   32   40   48   56   64   72   80   88   96  104  112  120
      --------------------------------------------------------------------------------
0000:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0001:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0002:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0003:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0004:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0005:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0006:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0007:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0008:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0009:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
000D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    1
000E:|    0    0    0    0    0    0    0    0    0    1    1    1    1    1    1    1
000F:|    0    0    0    1    1    1    1    1    1    1    1    1    1    1    0    0
0010:|    1    1    1    1    1    1    1    1    1    0    0    0    0    0    0    0
0011:|    1    1    1    0    0    0    0    0    0    0    0    0    0    0    0    0
0012:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0013:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0014:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0015:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0016:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0017:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0018:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
0019:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001A:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001B:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001C:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001D:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001E:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
001F:|    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0    0
DRAMC_DQSCTL1[0e0]=13000000
DRAMC_DQSGCTL[124]=80000033
rank 0 coarse = 15
rank 0 fine = 64
B:|    0    0    0    0    0    0    0    0    1    1    1    0    0    0    0    0
opt_dle value:9
DRAMC_DDR2CTL[07c]=C287221D
DRAMC_PADCTL4[0e4]=000022B3
DRAMC_DQIDLY1[210]=0D0D0B0D
DRAMC_DQIDLY2[214]=0B0E0B0D
DRAMC_DQIDLY3[218]=0B0B080B
DRAMC_DQIDLY4[21c]=090A0B0A
DRAMC_R0DELDLY[018]=00002121
==================================================================
                RX      DQS perbit delay software calibration 
==================================================================
1.0-15 bit dq delay value
==================================================================
bit|     0  1  2  3  4  5  6  7  8  9
--------------------------------------
0 |    13 8 11 11 11 10 13 10 10 7 
10 |    11 11 10 10 10 7 
--------------------------------------

==================================================================
2.dqs window
x=pass dqs delay value (min~max)center 
y=0-7bit DQ of every group
input delay:DQS0 =33 DQS1 = 33
==================================================================
bit     DQS0     bit      DQS1
0  (2~65)33  8  (1~64)32
1  (0~61)30  9  (1~64)32
2  (1~62)31  10  (1~65)33
3  (1~61)31  11  (1~65)33
4  (1~62)31  12  (1~65)33
5  (1~63)32  13  (1~63)32
6  (0~64)32  14  (1~65)33
7  (1~63)32  15  (1~62)31
==================================================================
3.dq delay value last
==================================================================
bit|    0  1  2  3  4  5  6  7  8   9
--------------------------------------
0 |    13 11 13 13 13 11 14 11 11 8 
10 |    11 11 10 11 10 9 
==================================================================
==================================================================
     TX  perbyte calibration 
==================================================================
DQS loop = 15, cmp_err_1 = ffff0000 
dqs_perbyte_dly.last_dqsdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqsdly_pass[1]=15,  finish count=2 
DQ loop=15, cmp_err_1 = ffff0000
dqs_perbyte_dly.last_dqdly_pass[0]=15,  finish count=1 
dqs_perbyte_dly.last_dqdly_pass[1]=15,  finish count=2 
byte:0, (DQS,DQ)=(8,8)
byte:1, (DQS,DQ)=(8,8)
DRAMC_DQODLY1[200]=88888888
DRAMC_DQODLY2[204]=88888888
20,data:88
[EMI] DRAMC calibration passed

===================================================================
                MT7621   stage1 code done 
                CPU=500000000 HZ BUS=166666666 HZ
===================================================================


U-Boot 1.1.3 (Aug 20 2020 - 11:34:33)W

Board: Ralink APSoC DRAM:  128 MB
relocate_code Pointer at: 87f98000

Config XHCI 40M PLL 
flash manufacture id: c8, device id 40 18
find flash: GD25Q128C
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 5.0.0.0
-------------------------------------------- 
ASIC MT7621A DualCore (MAC to MT7530 Mode)
DRAM_CONF_FROM: Auto-Detection 
DRAM_TYPE: DDR3 
DRAM bus: 16 bit
Xtal Mode=3 OCP Ratio=1/3
Flash component: SPI Flash
Date:Aug 20 2020  Time:11:34:33
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:256, ways:4, linesz:32 ,total:32768 

 ##### The CPU freq = 880 MHZ #### 
MT7621DA
 estimate memory size =128 Mbytes
#Reset_MT7530
set LAN/WAN LLLLW

531G4

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Enter boot command line interface.
   7: Load Boot Loader code then write to Flash via Serial. 
   9: Load Boot Loader code then write to Flash via TFTP. 
default: 3
 0 
   
3: System Boot system code via Flash.
## Booting image at bc050000 ...
   Image Name:   MIPS OpenWrt Linux-5.10.100
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2858832 Bytes =  2.7 MB
   Load Address: 80001000
   Entry Point:  80001000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80001000) ...
## Giving linux memsize in MB, 128

Starting kernel ...

Part 2 of 2 of boot up log. The Kernel and subsequent crash:

[    0.000000] Linux version 5.10.100 (builder@buildhost) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r18812-918d4ab41e) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Wed Feb 16 20:26:27 2022
[    0.000000] SoC Type: MediaTek MT7621 ver:1 eco:3
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0001992f (MIPS 1004Kc)
[    0.000000] MIPS: machine is Wavlink WL-WN531A6
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] VPE topology {2,2} total 4
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.000000] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] percpu: Embedded 15 pages/cpu s30160 r8192 d23088 u61440
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,57600 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Writing ErrCtl register=00020806
[    0.000000] Readback ErrCtl register=00020806
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 118960K/131072K available (6991K kernel code, 627K rwdata, 1408K rodata, 1264K init, 244K bss, 12112K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000]  Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    0.000000] NR_IRQS: 256
[    0.000000] random: get_random_bytes called from start_kernel+0x3cc/0x5e4 with crng_init=0
[    0.000000] CPU Clock: 880MHz
[    0.000000] clocksource: GIC: mask: 0xffffffffffffffff max_cycles: 0xcaf478abb4, max_idle_ns: 440795247997 ns
[    0.000013] sched_clock: 64 bits at 880MHz, resolution 1ns, wraps every 4398046511103ns
[    0.015853] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4343773742 ns
[    0.033735] Calibrating delay loop... 586.13 BogoMIPS (lpj=2930688)
[    0.106051] pid_max: default: 32768 minimum: 301
[    0.115357] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.129761] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.147745] rcu: Hierarchical SRCU implementation.
[    0.157501] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.172974] smp: Bringing up secondary CPUs ...
[    0.182533] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.182543] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.182555] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.182640] CPU1 revision is: 0001992f (MIPS 1004Kc)
[    0.242888] Synchronize counters for CPU 1: done.
[    0.304696] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.304705] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.304713] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.304758] CPU2 revision is: 0001992f (MIPS 1004Kc)
[    0.363747] Synchronize counters for CPU 2: done.
[    0.423946] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.423954] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[    0.423962] MIPS secondary cache 256kB, 8-way, linesize 32 bytes.
[    0.424011] CPU3 revision is: 0001992f (MIPS 1004Kc)
[    0.483311] Synchronize counters for CPU 3: done.
[    0.542917] smp: Brought up 1 node, 4 CPUs
[    0.554975] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.574468] futex hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.588292] pinctrl core: initialized pinctrl subsystem
[    0.600569] NET: Registered protocol family 16
[    0.610628] thermal_sys: Registered thermal governor 'step_wise'
[    0.611512] cpuidle: using governor teo
[    0.653937] random: fast init done
[    0.677522] clocksource: Switched to clocksource GIC
[    0.689271] NET: Registered protocol family 2
[    0.698192] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.713299] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 6144 bytes, linear)
[    0.729888] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.745115] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.759024] TCP: Hash tables configured (established 1024 bind 1024)
[    0.771797] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.784687] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.798744] NET: Registered protocol family 1
[    0.807291] PCI: CLS 0 bytes, default 32
[    0.817406] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.834334] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.845819] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.866241] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    0.882659] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    0.893955] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    0.905254] mt7621_gpio 1e000600.gpio: registering 32 gpios
[    0.917209] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.933741] printk: console [ttyS0] disabled
[    0.942257] 1e000c00.uartlite: ttyS0 at MMIO 0x1e000c00 (irq = 19, base_baud = 3125000) is a 16550A
[    0.960172] printk: console [ttyS0] enabled
[    0.960172] printk: console [ttyS0] enabled
[    0.976703] printk: bootconsole [early0] disabled
[    0.976703] printk: bootconsole [early0] disabled
[    0.996235] 1e000d00.uartlite2: ttyS1 at MMIO 0x1e000d00 (irq = 20, base_baud = 3125000) is a 16550A
[    1.018072] spi-mt7621 1e000b00.spi: sys_freq: 220000000
[    1.030216] spi-nor spi0.0: gd25q128 (16384 Kbytes)
[    1.040017] 5 fixed-partitions partitions found on MTD device spi0.0
[    1.052672] Creating 5 MTD partitions on "spi0.0":
[    1.062218] 0x000000000000-0x000000030000 : "u-boot"
[    1.073077] 0x000000030000-0x000000040000 : "config"
[    1.084163] 0x000000040000-0x000000050000 : "factory"
[    1.095372] 0x000000050000-0x000000f00000 : "firmware"
[    1.106730] 2 uimage-fw partitions found on MTD device firmware
[    1.118556] Creating 2 MTD partitions on "firmware":
[    1.128448] 0x000000000000-0x0000002b9f90 : "kernel"
[    1.138332] mtd: partition "kernel" doesn't end on an erase/write block -- force read-only
[    1.155665] 0x0000002b9f90-0x000000eb0000 : "rootfs"
[    1.165569] mtd: partition "rootfs" doesn't start on an erase/write block boundary -- force read-only
[    1.184687] mtd: device 5 (rootfs) set to be root filesystem
[    1.196105] 1 squashfs-split partitions found on MTD device rootfs
[    1.208425] 0x000000680000-0x000000eb0000 : "rootfs_data"
[    1.220041] 0x000000f00000-0x000001000000 : "vendor"
[    1.279262] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[    1.294707] mtk_soc_eth 1e100000.ethernet eth0: mediatek frame engine at 0xbe100000, irq 22
[    1.312151] i2c /dev entries driver
[    1.319861] i2c-mt7621 1e000900.i2c: clock 100 kHz
[    1.331728] mt7621-pci 1e140000.pcie: host bridge /pcie@1e140000 ranges:
[    1.345114] mt7621-pci 1e140000.pcie:   No bus range found for /pcie@1e140000, using [bus 00-ff]
[    1.362636] mt7621-pci 1e140000.pcie:      MEM 0x0060000000..0x006fffffff -> 0x0000000000
[    1.378941] mt7621-pci 1e140000.pcie:       IO 0x001e160000..0x001e16ffff -> 0x0000000000
[    1.395311] mt7621-pci 1e140000.pcie: Parsing DT failed
[    1.408117] NET: Registered protocol family 10
[    1.418539] Segment Routing with IPv6
[    1.425927] NET: Registered protocol family 17
[    1.434901] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.461038] 8021q: 802.1Q VLAN Support v1.8
[    1.472567] mt7530 mdio-bus:1f: MT7530 adapts as multi-chip module
[    1.503175] mt7530 mdio-bus:1f lan1 (uninitialized): PHY [mt7530-0:00] driver [MediaTek MT7530 PHY] (irq=27)
[    1.525345] mt7530 mdio-bus:1f lan2 (uninitialized): PHY [mt7530-0:01] driver [MediaTek MT7530 PHY] (irq=28)
[    1.547297] mt7530 mdio-bus:1f lan3 (uninitialized): PHY [mt7530-0:02] driver [MediaTek MT7530 PHY] (irq=29)
[    1.569352] mt7530 mdio-bus:1f lan4 (uninitialized): PHY [mt7530-0:03] driver [MediaTek MT7530 PHY] (irq=30)
[    1.591493] mt7530 mdio-bus:1f wan (uninitialized): PHY [mt7530-0:04] driver [MediaTek MT7530 PHY] (irq=31)
[    1.613625] mt7530 mdio-bus:1f: configuring for fixed/rgmii link mode
[    1.630505] DSA: tree 0 setup
[    1.636754] rt2880-pinmux pinctrl: pcie is already enabled
[    1.647827] mt7621-pci 1e140000.pcie: host bridge /pcie@1e140000 ranges:
[    1.661251] mt7621-pci 1e140000.pcie:   No bus range found for /pcie@1e140000, using [bus 00-ff]
[    1.678793] mt7621-pci 1e140000.pcie:      MEM 0x0060000000..0x006fffffff -> 0x0000000000
[    1.695102] mt7621-pci 1e140000.pcie:       IO 0x001e160000..0x001e16ffff -> 0x0000000000
[    1.711495] mt7621-pci-phy 1e149000.pcie-phy: PHY for 0xbe149000 (dual port = 1)
[    1.726646] mt7621-pci-phy 1e14a000.pcie-phy: PHY for 0xbe14a000 (dual port = 0)
[    1.741719] mt7621-pci 1e140000.pcie: failed to parse bus ranges property: -22
[    1.856312] mt7621-pci-phy 1e149000.pcie-phy: Xtal is 40MHz
[    1.867437] mt7621-pci-phy 1e14a000.pcie-phy: Xtal is 40MHz
[    1.978711] mt7621-pci 1e140000.pcie: pcie2 no card, disable it (RST & CLK)
[    1.992577] mt7621-pci 1e140000.pcie: PCIE0 enabled
[    2.002292] mt7621-pci 1e140000.pcie: PCIE1 enabled
[    2.012011] mt7621-pci 1e140000.pcie: PCI coherence region base: 0x60000000, mask/settings: 0xf0000002
[    2.030714] mt7621-pci 1e140000.pcie: PCI host bridge to bus 0000:00
[    2.043421] pci_bus 0000:00: root bus resource [io  0x1e160000-0x1e16ffff]
[    2.057123] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff]
[    2.070822] pci_bus 0000:00: root bus resource [bus 00-ff]
[    2.081752] pci_bus 0000:00: root bus resource [mem 0x60000000-0x6fffffff] (bus address [0x00000000-0x0fffffff])
[    2.102070] pci 0000:00:00.0: [0e8d:0801] type 01 class 0x060400
[    2.114052] pci 0000:00:00.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[    2.126536] pci 0000:00:00.0: reg 0x14: initial BAR value 0x00000000 invalid
[    2.140576] pci 0000:00:00.0: reg 0x14: [mem size 0x00010000]
[    2.152096] pci 0000:00:00.0: supports D1
[    2.160092] pci 0000:00:00.0: PME# supported from D0 D1 D3hot
[    2.172144] pci 0000:00:01.0: [0e8d:0801] type 01 class 0x060400
[    2.184158] pci 0000:00:01.0: reg 0x10: [mem 0x00000000-0x7fffffff]
[    2.196646] pci 0000:00:01.0: reg 0x14: initial BAR value 0x00000000 invalid
[    2.210687] pci 0000:00:01.0: reg 0x14: [mem size 0x00010000]
[    2.222211] pci 0000:00:01.0: supports D1
[    2.230205] pci 0000:00:01.0: PME# supported from D0 D1 D3hot
[    2.243143] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    2.259126] pci 0000:00:01.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    2.275334] pci 0000:01:00.0: [14c3:7615] type 00 class 0x000280
[    2.287367] pci 0000:01:00.0: reg 0x10: initial BAR value 0x00000000 invalid
[    2.301416] pci 0000:01:00.0: reg 0x10: [mem size 0x00100000 64bit]
[    2.314064] pci 0000:01:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s PCIe x1 link at 0000:00:00.0 (capable of 4.000 Gb/s with 5.0 GT/s PCIe x1 link)
[    2.345160] pci 0000:00:00.0: PCI bridge to [bus 01-ff]
[    2.355600] pci 0000:00:00.0:   bridge window [io  0x0000-0x0fff]
[    2.367750] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
[    2.381272] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff pref]
[    2.395661] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[    2.409103] pci 0000:02:00.0: [14c3:7615] type 00 class 0x000280
[    2.421129] pci 0000:02:00.0: reg 0x10: initial BAR value 0x00000000 invalid
[    2.435173] pci 0000:02:00.0: reg 0x10: [mem size 0x00100000 64bit]
[    2.447824] pci 0000:02:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s PCIe x1 link at 0000:00:01.0 (capable of 4.000 Gb/s with 5.0 GT/s PCIe x1 link)
[    2.478950] pci 0000:00:01.0: PCI bridge to [bus 02-ff]
[    2.489387] pci 0000:00:01.0:   bridge window [io  0x0000-0x0fff]
[    2.501525] pci 0000:00:01.0:   bridge window [mem 0x60000000-0x600fffff]
[    2.515047] pci 0000:00:01.0:   bridge window [mem 0x60000000-0x600fffff pref]
[    2.529449] pci_bus 0000:02: busn_res: [bus 02-ff] end is updated to 02
[    2.542673] pci 0000:00:00.0: BAR 0: no space for [mem size 0x80000000]
[    2.555848] pci 0000:00:00.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.569720] pci 0000:00:01.0: BAR 0: no space for [mem size 0x80000000]
[    2.582892] pci 0000:00:01.0: BAR 0: failed to assign [mem size 0x80000000]
[    2.596775] pci 0000:00:00.0: BAR 8: assigned [mem 0x60000000-0x600fffff]
[    2.610302] pci 0000:00:00.0: BAR 9: assigned [mem 0x60100000-0x601fffff pref]
[    2.624689] pci 0000:00:01.0: BAR 8: assigned [mem 0x60200000-0x602fffff]
[    2.638213] pci 0000:00:01.0: BAR 9: assigned [mem 0x60300000-0x603fffff pref]
[    2.652609] pci 0000:00:00.0: BAR 1: assigned [mem 0x60400000-0x6040ffff]
[    2.666137] pci 0000:00:01.0: BAR 1: assigned [mem 0x60410000-0x6041ffff]
[    2.679664] pci 0000:00:00.0: BAR 7: assigned [io  0x1e160000-0x1e160fff]
[    2.693185] pci 0000:00:01.0: BAR 7: assigned [io  0x1e161000-0x1e161fff]
[    2.706721] pci 0000:01:00.0: BAR 0: assigned [mem 0x60000000-0x600fffff 64bit]
[    2.721300] pci 0000:00:00.0: PCI bridge to [bus 01]
[    2.731198] pci 0000:00:00.0:   bridge window [io  0x1e160000-0x1e160fff]
[    2.744719] pci 0000:00:00.0:   bridge window [mem 0x60000000-0x600fffff]
[    2.758243] pci 0000:00:00.0:   bridge window [mem 0x60100000-0x601fffff pref]
[    2.772642] pci 0000:02:00.0: BAR 0: assigned [mem 0x60200000-0x602fffff 64bit]
[    2.787215] pci 0000:00:01.0: PCI bridge to [bus 02]
[    2.797106] pci 0000:00:01.0:   bridge window [io  0x1e161000-0x1e161fff]
[    2.810636] pci 0000:00:01.0:   bridge window [mem 0x60200000-0x602fffff]
[    2.824156] pci 0000:00:01.0:   bridge window [mem 0x60300000-0x603fffff pref]
[    2.846455] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    2.864835] Freeing unused kernel memory: 1264K
[    2.873917] This architecture does not have kernel memory protection.
[    2.886763] Run /sbin/init as init process
[    2.895370] mt7530 mdio-bus:1f: Link is Up - 1Gbps/Full - flow control off
[    3.445650] init: Console is alive
[    3.452852] init: - watchdog -
[    4.286679] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    4.392017] usbcore: registered new interface driver usbfs
[    4.403128] usbcore: registered new interface driver hub
[    4.413871] usbcore: registered new device driver usb
[    4.434886] xhci-mtk 1e1c0000.xhci: supply vbus not found, using dummy regulator
[    4.449925] xhci-mtk 1e1c0000.xhci: supply vusb33 not found, using dummy regulator
[    4.465265] xhci-mtk 1e1c0000.xhci: xHCI Host Controller
[    4.475900] xhci-mtk 1e1c0000.xhci: new USB bus registered, assigned bus number 1
[    4.497712] xhci-mtk 1e1c0000.xhci: hcc params 0x01401198 hci version 0x96 quirks 0x0000000000290010
[    4.516010] xhci-mtk 1e1c0000.xhci: irq 21, io mem 0x1e1c0000
[    4.528770] hub 1-0:1.0: USB hub found
[    4.536358] hub 1-0:1.0: 2 ports detected
[    4.545082] xhci-mtk 1e1c0000.xhci: xHCI Host Controller
[    4.555727] xhci-mtk 1e1c0000.xhci: new USB bus registered, assigned bus number 2
[    4.570672] xhci-mtk 1e1c0000.xhci: Host supports USB 3.0 SuperSpeed
[    4.583555] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[    4.600691] hub 2-0:1.0: USB hub found
[    4.608341] hub 2-0:1.0: 1 port detected
[    4.623581] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    4.657915] init: - preinit -
[    5.559415] random: jshn: uninitialized urandom read (4 bytes read)
[    5.640286] random: jshn: uninitialized urandom read (4 bytes read)
[    5.718061] random: jshn: uninitialized urandom read (4 bytes read)
[    5.969804] mtk_soc_eth 1e100000.ethernet eth0: configuring for fixed/rgmii link mode
[    5.985914] mtk_soc_eth 1e100000.ethernet eth0: Link is Up - 1Gbps/Full - flow control rx/tx
[    5.988096] mt7530 mdio-bus:1f lan1: configuring for phy/gmii link mode
[    6.016293] 8021q: adding VLAN 0 to HW filter on device lan1
[    6.030202] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[   10.165352] random: crng init done
[   10.172141] random: 7 urandom warning(s) missed due to ratelimiting
[   10.235233] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[   10.252870] urandom-seed: Seed file not found (/etc/urandom.seed)
[   10.453001] procd: - early -
[   10.459044] procd: - watchdog -
[   11.107723] procd: - watchdog -
[   11.114610] procd: - ubus -
[   11.286650] procd: - init -
Please press Enter to activate this console.
[   11.978525] kmodloader: loading kernel modules from /etc/modules.d/*
[   12.100636] urngd: v1.0.2 started.
[   12.180845] Loading modules backported from Linux version v5.15.8-0-g43e577d7a2cb
[   12.195817] Backport generated by backports.git v5.15.8-1-0-g83f664bb
[   12.363866] mt7621-pci 1e140000.pcie: bus=1 slot=0 irq=23
[   12.374672] pci 0000:00:00.0: enabling device (0004 -> 0007)
[   12.385953] mt7615e 0000:01:00.0: enabling device (0000 -> 0002)
[   12.415286] ------------[ cut here ]------------
[   12.424695] WARNING: CPU: 0 PID: 753 at backports-5.15.8-1/net/wireless/core.c:891 wiphy_register+0xd08/0xd10 [cfg80211]
[   12.446504] Modules linked in: mt7615e(+) mt7615_common mt7603e mt76_connac_lib mt76 mac80211 cfg80211 slhc nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c hwmon crc_ccitt compat sha256_generic libsha256 seqiv jitterentropy_rng drbg hmac cmac leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd gpio_button_hotplug usbcore nls_base usb_common crc32c_generic
[   12.514941] CPU: 0 PID: 753 Comm: kmodloader Not tainted 5.10.100 #0
[   12.527591] Stack : 80a30000 00000001 00000005 80083478 808c0000 807b0250 00000000 00000000
[   12.544265]         8241da5c 80a10000 8077e370 8245b8a8 8084ce87 00000001 8241da00 8c8da84d
[   12.560931]         00000000 00000000 8077e370 8241d8a0 ffffefff 00000000 ffffffea 00000000
[   12.577597]         8241d8ac 00000110 80852858 ffffffff 80000000 00000001 00000000 80780000
[   12.594259]         00000009 8267ac98 8267ac9c 00000001 00000018 80403f20 00000000 80a10000
[   12.610922]         ...
[   12.615789] Call Trace:
[   12.620676] [<800080e0>] show_stack+0x30/0x100
[   12.629536] [<8037e9d8>] dump_stack+0x9c/0xcc
[   12.638223] [<8002ff1c>] __warn+0xc0/0x12c
[   12.646372] [<8002ffe4>] warn_slowpath_fmt+0x5c/0xac
[   12.656331] [<825812dc>] wiphy_register+0xd08/0xd10 [cfg80211]
[   12.668103] [<82601508>] ieee80211_register_hw+0x9ac/0xd74 [mac80211]
[   12.680986] [<824e3c5c>] mt76_register_phy+0x138/0x314 [mt76]
[   12.692447] [<826e3e64>] mt7615_register_ext_phy+0x2c4/0x2fc [mt7615_common]
[   12.706497] [<826f85ac>] mt7615_register_device+0x1a8/0x230 [mt7615e]
[   12.719327] [<826fa56c>] mt7615_mmio_probe+0x184/0x238 [mt7615e]
[   12.731289] [<803c137c>] pci_device_probe+0xbc/0x150
[   12.741173] [<80416188>] really_probe+0x108/0x4d8
[   12.750535] [<80416c44>] device_driver_attach+0x124/0x134
[   12.761277] [<80416cd0>] __driver_attach+0x7c/0x13c
[   12.771007] [<80413b14>] bus_for_each_dev+0x68/0xa4
[   12.780713] [<8041530c>] bus_add_driver+0x134/0x214
[   12.790420] [<804174bc>] driver_register+0x98/0x154
[   12.800126] [<80001644>] do_one_initcall+0x50/0x1a8
[   12.809833] [<800c3694>] do_init_module+0x60/0x228
[   12.819367] [<800c5f68>] sys_init_module+0x150/0x18c
[   12.829254] [<80014578>] syscall_common+0x34/0x58
[   12.838613] 
[   12.841964] ---[ end trace 264bb7622c4c7d00 ]---
[   12.853214] mt7615e: probe of 0000:01:00.0 failed with error -22
[   12.865433] mt7621-pci 1e140000.pcie: bus=2 slot=1 irq=24
[   12.876311] pci 0000:00:01.0: enabling device (0004 -> 0007)
[   12.887653] mt7615e 0000:02:00.0: enabling device (0000 -> 0002)
[   12.988300] pci 0000:01:00.0: Failed to get patch semaphore
[   13.002708] mt7615e 0000:02:00.0: HW/SW Version: 0x8a108a10, Build Time: 20180518100604a
[   13.002708] 
[   13.024360] PPP generic driver version 2.4.2
[   13.035712] NET: Registered protocol family 24
[   13.060284] kmodloader: done loading kernel modules from /etc/modules.d/*
[   13.217606] CPU 2 Unable to handle kernel paging request at virtual address 00000000, epc == 00000001, ra == 826e56d4
[   13.238790] Oops[#1]:
[   13.243318] CPU: 2 PID: 34 Comm: kworker/u8:2 Tainted: G        W         5.10.100 #0
[   13.258934] Workqueue: phy0 0x826f8364
[   13.266394] $ 0   : 00000000 00000001 00000001 00007615
[   13.276809] $ 4   : 8255a000 000041f0 00000002 ffff00fe
[   13.287225] $ 8   : 80d45fe0 0000fc00 00000002 00000003
[   13.297661] $12   : 81024bc0 00000800 00000000 00000000
[   13.308104] $16   : 8255a000 000041f0 fffffff5 8186db00
[   13.318517] $20   : 00000000 00000000 00000100 fffffffe
[   13.328920] $24   : 00000001 804b74c8                  
[   13.339329] $28   : 80d44000 80d45df8 80850000 826e56d4
[   13.349733] Hi    : 00197ffc
[   13.355449] Lo    : 7110155c
[   13.361175] epc   : 00000001 0x1
[   13.367617] ra    : 826e56d4 mt7615_mcu_exit+0x4f4/0x794 [mt7615_common]
[   13.380941] Status: 1100fc03 KERNEL EXL IE 
[   13.389267] Cause : 50800008 (ExcCode 02)
[   13.397227] BadVA : 00000000
[   13.402946] PrId  : 0001992f (MIPS 1004Kc)
[   13.411081] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mt7615e mt7615_common mt7603e mt76_connac_lib mt76 mac80211 cfg80211 slhc nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c hwmon crc_ccitt compat sha256_generic libsha256 seqiv jitterentropy_rng drbg hmac cmac leds_gpio xhci_plat_hcd xhci_pci xhci_mtk xhci_hcd gpio_button_hotplug usbcore nls_base usb_common crc32c_generic
[   13.543941] Process kworker/u8:2 (pid: 34, threadinfo=7e6ae6e6, task=94688667, tls=00000000)
[   13.560721] Stack : ffff8feb 806d2a08 00000100 8002eecc 00000bb8 825da400 00000122 8255a000
[   13.577363]         8255a000 826e5f38 0b000001 80cf0bc0 00000000 00000002 8255a000 800a20d0
[   13.594006]         00000000 00000000 0000000a 8255a000 fffffff5 826f83a4 824b7b80 806cfbb8
[   13.610649]         00000000 00000000 8255c24c 80cf8100 80c08000 80049cc8 80c08000 80c08000
[   13.627292]         80850000 80c08018 80c08000 80850000 80cf8100 80cf8114 80c08000 80850000
[   13.643937]         ...
[   13.648803] Call Trace:
[   13.648807] 
[   13.656619] [<806d2a08>] schedule_timeout+0x70/0xe0
[   13.666336] [<8002eecc>] kernel_thread+0x68/0x74
[   13.675544] [<826e5f38>] mt7615_mcu_init+0x28/0x398 [mt7615_common]
[   13.688041] [<800a20d0>] msleep+0x2c/0x44
[   13.696015] [<826f83a4>] 0x826f83a4
[   13.702951] [<806cfbb8>] _cond_resched+0x1c/0x60
[   13.712151] [<80049cc8>] process_one_work+0x214/0x478
[   13.722201] [<8004a0ac>] worker_thread+0x180/0x5e8
[   13.731726] [<80049f2c>] worker_thread+0x0/0x5e8
[   13.740910] [<80049f2c>] worker_thread+0x0/0x5e8
[   13.750095] [<80050bd8>] kthread+0x13c/0x144
[   13.758586] [<80050a9c>] kthread+0x0/0x144
[   13.766729] [<80050a9c>] kthread+0x0/0x144
[   13.774873] [<80050a9c>] kthread+0x0/0x144
[   13.783021] [<80002ff8>] ret_from_kernel_thread+0x14/0x1c
[   13.793760] 
[   13.796709] Code: (Bad address in epc)
[   13.804172] 
[   13.807122] 
[   13.810325] ---[ end trace 264bb7622c4c7d01 ]---
[   13.819569] Kernel panic - not syncing: Fatal exception
[   13.829996] Rebooting in 1 seconds..

flashed or booted?

the initramfs is designed for inram usage, not for flashing.
which would be option 1 in the uboot menu.

Good to know. So yes, booted that, then did a sysupgrade with the sysupgrade image, which I guess did the actual flashing?

I'm attempting to remove the mt7615e module load from /etc/modules.d in safe mode. However, when I run mount_root after logging in I get this:
mount_root: jffs2 not ready yet, using temporary tmpfs overlay

Which I think causes the changes I make to not be synchronized to the flash file system.

yes, but for already existing openwrt installs, so mainly when upgrading from an older version of openwrt.
some devices however use the sysupgrade for installation, like the wn531a6, but most use the factory image.

I did a sysupgrade with openwrt-21.02.1-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin instead of the snapshot and it now boots and LuCI is working as well! It seems like there is still a Kernel oops in relation to the mt7615e kernel module, but the later page fault that was happening before does not occur with the 21.02.1 release of the WN531A6 firmware.

It looks like there are only 2 wireless radios showing which isn't surprising since that is what the WN531A6 has. It also looks like the 2nd nac radio is not working correctly as it does not detect 5GHz networks. The 2.4GHz radio did detect ones though, but I have not yet tested it anymore than that.

Probably time to roll up my sleeves and figure out how to build a proper Kernel to utilize the radios with this device. Any tips would be appreciated.

snapshot don't contain luci, you manually have to add it post flashing, so that's normal.

I created a new target mt7621_wavlink_wl-wn533a8.dts based on the mt7621_wavlink_wl-wn531a6.dts file, added it to image/mt7621.mk, and added it to mt7621/base-files/etc/board.d/02_network which had a specific MAC setting for the wn531a6. Using this I successfully built and installed an OpenWRT image to the router.

The only issue I see currently is the problem with the WN7615D-C and WN7615A-C wireless radios. The first one is a dual band radio, with both 2.4GHz and 5GHz. The second one looks like 5GHz only. From what I can tell the mt7615e Linux driver mentions support for dual band. What I'm confused about though is how this driver is configured for the particular WiFi PCIe card? Does it auto detect the devices or is it related to options defined in the .dts file such as mediatek,mtd-eeprom or reg? Maybe this deserves a new forum topic.

1 Like

Could you share your mt7621_wavlink_wl-wn533a8.dts and/or openwrt image and/or create a pull request so it gets build upstream?

Yes, I will do that. It has been working for me for several months now. I still have not gotten the second 5G interface to work though. However, I have not tried it with the most recent kernel. Everything else seems to work, including the 2.4G and first 5G interface and I get much better coverage than my previous outdated router which was also running OpenWRT. My testing of this Wavlink T8 decreased significantly after I deployed it, since it is a bit inconvenient to deprive the family home of Internet access :wink:

1 Like

Yes, two radios is better than none (which was my case). With the T6 config, I could boot openwrt, but no WiFi.

If you want to share your mt7621_wavlink_wl-wn533a8.dts I could try getting a PR upstream.

I own the same device (Quantum T8) since some time, initially installed the OpenWRT snapshot around the same time when this thread was created and then it did lie around for a while. I revived it over the holidays by installing the most recent 23.05.5. Thanks a lot for providing an upstream build (at least).

After the revival I noticed it was still using a WN531A6 system image and as a consequence the sysupgrade did lead to crashes during boot as the device does not have a MT7603 card (see thread above). I managed to install the correct firmware/system image via the tftpd method easily. Thanks a lot to the whole OpenWRT community for all of this and up-to-date instructions via the wiki. That part worked like a charm!

Status right now: the device seems to run reasonably well, but the wifi portion does not behave as expected. And I think I reached a point where I need help with that.

There are 3 phy interfaces [0,1,2] and they seem to show the right properties (checked via iw list): 2.4GHz + 2x5GHz, 40+80+160MHz bandwidth, 2x+4x MU-MIMO on the two 5GHz, etc.. However, whatever I try, I don't get much more than 400mbps troughput via wifi. I tried with different devices (Macbook Pro M2, iPhone 13, HP ZBook Firefly). They should be capable of 80MHz or even 160MHz on 5GHz and for sure 2 streams. Even if a single device uses 2 streams, the throughput caps at ~400mbps. Multiple devices connect to the same phy even if a second 5GHz phy is not in use and in sum never use more than ~400mbps. So far I've not seen multiple devices use both 5GHz phys. Please note that with heavy network traffic CPU usage stays reasonably low (30-35%) and throughput on wired lan easily tops the 1Gbps.

To me it seems that there's an issue with MIMO advertising or this is a bug with the MT7615 driver. The driver in use is what the release image provides: AFAIK it is the proprietary one from Mediatek, but I'm not sure.

I'm thankful for any useful input.

I think you have started in an old thread with old info
the current image to the T8 is https://downloads.openwrt.org/releases/23.05.5/targets/ramips/mt7621/openwrt-23.05.5-ramips-mt7621-wavlink_wl-wn533a8-squashfs-sysupgrade.bin

the only bad thing I find about this device, I find
is in my country, the only capable 160Mhz channel is 36 > 64
and would need the 2nd 4x 7614N radio to work here
which it's limited not to
there maybe frequency limiting hardware on this, I'm not sure
I believe the original firmware is most likely the same limitation tho

Yes, I finally managed to install your cited image (taking the unnecessary detour via the wrong WN531A6 image :wink: ).

You're right. I had to select the right country (Germany in my case) to be able to enable phy2 (the 5GHz PHY with VHT160). The selected channels right now are 6 (for 2.4GHz), 36 (1st 5GHz) and 108 (2nd 5GHz).

I don't 100% understand your comment. Are you saying MIMO isn't possible on that device? I do see this:

[ MU_MIMO_AIR_SNIFFER ]: MU-MIMO sniffer

on both 5GHz PHYs.

I'm not sure about MIMO
just that for me in Australia I need to use ch 36>64 for 160Mhz
and I need the 4x radio for this "2nd one as the 1st is 2x2.5g + 2x5G"
and as the 2nd radio is at lest software blocked to not work on channel 36
it makes this not possible
you can just use 80Mhz and this works fine, last time I used this device
I should recheck tho can if you want ?

I do find the DBDC radio's "1st one" are noticeably slower than the full 4x device
even on connecting to the 2x devises I have
best 2 of the 4 antenna's etc

Okay, I may still not fully understand.

Worth noting is that I also get those ~400mbps on phy1 (1st 5GHz with VHT80, I believe that's the DBDC) and not only the (potentially faster) phy2. All devices always show up to connect to both with 866mbps, but they never reach that, nor even get close. Same with "low-level" iperf3. And even 2 streams don't improve it, neither for a single device, nor for multiple.

My expectation: the device allows to use up to 3.2Gbps of bandwidth and I could get up to that if there are no conflicts (other active wifis, noise, etc.). I allow for -400mbps of the 2.4GHz part as long as I've no device that uses it (assuming no device uses multiple streams on 2.4+5 + DBDC). But multiple devices + multiple streams on 5GHz alone should show to use a good share of that available bandwidth.

Mine is set up as a dump access point
and copying a file from and to windows smbv3 using WPA2
1st radio ch 36 is 40 > 73MB,s
2nd radio ch 149 is 65 > 73MB,s
the 2nd radio is lots more consistent speed both connected at 866Mhz
but this is what I would call a good speed for AC 1 metre away
the laptop has an intel AX210 radio
firmware is V24.10.0-rc2

73MB/s sounds good, I guess that translates to VHT80 on both. I wish I would be able to reach that on any. The only difference I see is channel 149 vs. 100 (effectively 100-132) and VHT80 instead of VHT160 on PHY2. But I did configure that as well and remember that it didn't change anything.

BTW, I'm also trying in the range of 1-2m. But I'm not sure about the power settings at all, especially as the MT76x seem to be not very reliable on the settings.

Do you suggest me to try the release candidate?