OpenWrt Forum Archive

Topic: TP-Link MR3420v1 16M flash /64M Memory hardware mod with uboot bin

The content of this topic has been archived between 4 Apr 2018 and 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

twinclouds wrote:

I received a moded 703n (8M/64M).  This guy simply used original 4M uboot and it works fine with my 8M rootfs.  What is the difference between 4M and 8M uboot?

Edit (02/15/2012):
I figured this out.  A 4M uboot cannot write anything longer than 4M.  However, the Openwrt can detect flash memory size on its own.  Thus, to flash a rootfs larger than 4M, one need to first install a 4M rootfs and then use ssh or luci to install a new rootfs, which can be larger than 4M.  A two step process but not too bad.

Aha, that is some useful information! Could you please explain how you went by to extend the rootfs "live" without uboot modification?

Lennong wrote:
twinclouds wrote:

......

Aha, that is some useful information! Could you please explain how you went by to extend the rootfs "live" without uboot modification?

That's simple.  I just updated firmware with xxxxfactory.bin image (8M) in the system management page (4M).

(Last edited by twinclouds on 28 Feb 2012, 02:22)

twinclouds wrote:
Lennong wrote:
twinclouds wrote:

......

Aha, that is some useful information! Could you please explain how you went by to extend the rootfs "live" without uboot modification?

That's simple.  I just updated firmware with xxxxfactory.bin image (8M) in the system management page (4M).

Interesting, I didn't think that was a feasible route regarding . Thanks!

Lennong wrote:
twinclouds wrote:
Lennong wrote:

Aha, that is some useful information! Could you please explain how you went by to extend the rootfs "live" without uboot modification?

That's simple.  I just updated firmware with xxxxfactory.bin image (8M) in the system management page (4M).

Interesting, I didn't think that was a feasible route regarding . Thanks!

I also thought the upgrade page in the web interface only work for sysupgrade.bin.  Actually, it also works for the factory.bin file.

twinclouds wrote:
Lennong wrote:
twinclouds wrote:

That's simple.  I just updated firmware with xxxxfactory.bin image (8M) in the system management page (4M).

Interesting, I didn't think that was a feasible route regarding . Thanks!

I also thought the upgrade page in the web interface only work for sysupgrade.bin.  Actually, it also works for the factory.bin file.

Yes, that did I know. However, to pass a 8MB image through the web iface running on a image that is configured to be 4MB, that I did not think was possible due to fault checks and whatnot. Well, it suits me fine with more wiggelroom in terms of upgrade methods.

I think once you installed an Openwrt image, it automatically recognize how much RAM and ROM are available and can make full use of them.  At that stage, uboot becomes irrelevant.
You can simply use the 4M openwrt to install additional packages using "opkg install ..."  It is only necessary to build an 8M image when you want to put more packages in during compiling and the image size is larger than 4M.  I found including packages during compilation can free up more ROM for future package installation.  It is because the packages installed using opkg take jffs format, which has no compression, while the image compiled in squashfs format has compression built in, as I was told.

And if you just use a standard horror story from the section on Back to original firmware? Simply add the compiled 128k u-boot file to the beginning of the compiled firmware (in hex editor). Then simply rename the image file so that included the word _boot.bin

(Last edited by Dioptimizer on 28 Feb 2012, 15:04)

Dioptimizer wrote:

And if you just use a standard horror story from the section on Back to original firmware? Simply add the compiled 128k u-boot file to the beginning of the compiled firmware (in hex editor). Then simply rename the image file so that included the word _boot.bin

Interesting.  If I do that, after reflashing, where the new image will starts?  Will it overwrite the original uboot file?  Also, how you flash the _boot.bin file?  using the upgrade web page or mtd?  Can you also use the serial interface?  If you can, what will be the the cp.b command looks like (original: cp.b 0x81000000 0x9f020000 0x3c0000) and where should the bootm starts (origianl: bootm 9f020000)?

(Last edited by twinclouds on 28 Feb 2012, 17:25)

1. Wait, forget the serial interface, I wrote it specifically to simplify the firmware. serial interface or JTAG is needed in extreme cases, if the uboot will be unbootable.

2. According to my experience the name of the "boot" in the firmware file is made to ensure that the developer can fix the uboot - it's logical.

3. No mtd does not support writing to the boot area if it does not allow the kernel by default. I meant the other way to flash the router firmware version of the old factory image, and then make 128k+OpenwrtFirmware (in hex editor) and now the flash from the web-interface (factory firmware) to the "boot" firmware prefixed as their own.

I edited the factory.bin file use a hex editor by inserted the 128k uboot file at its beginning.  As a result, the image ended at 0x007DFFFF instead of 0x007BFFFF as the original factory.bin file.  I saved it as a xxxx_boot.bin file.  When I flash it using the luci system flash firmware function, I got: "The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform."  What I did wrong?

Maybe IdaPro can help you to do some hexing work, and make uboot meet with your needs as i can see from ida some string that we can modified below:

seg000:1A680 0000001D C       AP83 (ar9100) U-boot 0.0.11\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
seg000:1A6A0 0000000D C       id read %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
seg000:1A6B0 00000023 C       The hell do you want flinfo for??\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
seg000:1A6D4 00000010 C       write addr: %x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1A6E4 00000025 C       \nFirst %#x last %#x sector size %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
seg000:1A70C 00000008 C       \b\b\b\b%4d                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1A714 00000023 C       flash size 8MB, sector count = %d\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
seg000:1A738 0000000F C       \nResetting...\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1A748 0000000E C       Tx Timed out\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
seg000:1A758 00000011 C       dup %d speed %d\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
seg000:1A76C 00000015 C       Cant allocate fifos\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
seg000:1A784 0000001B C       ag7100_enet_initialize...\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1A7A0 0000000F C       malloc failed\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
seg000:1A7C0 00000020 C       %s: unknown ethernet device %s\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1A7E0 00000030 C       No valid address in Flash. Using fixed address\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1A810 00000020 C       Fetching MAC Address from 0x%p\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1A830 00000015 C       : cfg1 %#x cfg2 %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
seg000:1A848 00000023 C       %s: %02x:%02x:%02x:%02x:%02x:%02x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
seg000:1A874 0000000E C       trying %#x...                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
seg000:1A884 00000021 C       didnt work written %#x read %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
seg000:1A8A8 0000001C C       floor %d ceil %d size-1 %d\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
seg000:1A8C4 00000014 C       worked; ceiling %d\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
seg000:1A8D8 00000012 C       worked; floor %d\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
seg000:1A8F4 00000014 C       Setting Tap to %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
seg000:1A908 00000023 C       something's wrong. rd %#x pat %#x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
seg000:1A938 00000009 C       bootargs                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
seg000:1A944 00000027 C       ## Loading Ramdisk Image at %08lx ...\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
seg000:1A96C 00000012 C       Bad Magic Number\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
seg000:1A980 00000015 C       Bad Header Checksum\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  
seg000:1A998 0000001B C          Verifying Checksum ...                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
seg000:1A9B4 0000000E C       Bad Data CRC\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
seg000:1A9C4 0000001D C       No Linux MIPS Ramdisk Image\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          
seg000:1A9E4 00000009 C       mem=%luM                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
seg000:1A9F4 00000008 C       memsize                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                
seg000:1AA04 0000000D C       initrd_start                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           
seg000:1AA1C 0000000C C       initrd_size                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1AA28 0000000C C       flash_start                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1AA34 0000000B C       flash_size                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             
seg000:1AA40 00000017 C       \nStarting kernel ...\n\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
seg000:1AA58 00000013 C       chip ID is 0x%08x\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
seg000:1AA6C 00000011 C       initChip failed\n                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      
seg000:1AA90 0000000A unicode                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
seg000:1AAE0 00000091 C       bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ar9100-nor0:128k(u-boot),1024k(kernel),4096k(rootfs),64k(art)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       
seg000:1AB71 00000019 C       bootcmd=bootm 0xbf020000                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
seg000:1AB8A 0000000C C       bootdelay=1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1AB96 00000010 C       baudrate=115200                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
seg000:1ABA6 0000001A C       ethaddr=00:1D:0F:11:22:33                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
seg000:1ABC0 00000013 C       ipaddr=192.168.0.2                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
seg000:1ABD3 00000015 C       serverip=192.168.0.5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
seg000:1AE70 00000020 C       \b\b\b\b\b\b\b\b\b(((((\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            
seg000:1FE00 00000008 C       79717458
Dioptimizer wrote:

and now the flash from the web-interface (factory firmware)

did you miss that part?

nebbia88 wrote:
Dioptimizer wrote:

and now the flash from the web-interface (factory firmware)

did you miss that part?

I did this part as I said: "I flash it using the luci system flash firmware function".  It was exactly when the error message occurred. When flashing, I was already running openwrt but not original firmware from TP-Link but I don't think it should make any difference, or it would?

(Last edited by twinclouds on 29 Feb 2012, 17:24)

"I meant the other way to flash the router firmware version of the old factory image, and then make 128k+OpenwrtFirmware (in hex editor) and now the flash from the web-interface (factory firmware) to the "boot" firmware prefixed as their own"

i'm not 100% sure but from the whole sentence seems to me he is suggesting to flash FROM THE FACTORY firmware, elsewhere it makes no sense to add the word BOOT. the fact is that factory firmware knows that with the boot word it has to write also the boot part of the flash...

once again, i'm not sure, just trying to understand wink

I forgot about the header. When we cut off (0x20200) the top of the firmware image with the word "boot". As i see this structure, there should be:

header (0x200) + uboot (0x20000) + kernel (0x0x3B0000)

If we find on the official site at least one firmware with the word "boot"- only then we can understand (this) exactly what is contained in the header, and can even use it. The header is needed for web-interface of the original firmware.
Here I would like to remind you if you successfully get the header and add a uboot + kernel - you need to flash the image in the original firmware (not OpenWRT).

(Last edited by Dioptimizer on 6 Mar 2012, 12:31)

Now I am trying to build root to 16MB flash but seems I cannot find the mentioned partition info in

target/linux/ar71xx/files/arch/mips/ar71xx/mach-tl-mr3x20.c file.

16M:

                 .name           = "u-boot",
                 .offset         = 0,
                 .size           = 0x020000,
                 .mask_flags     = MTD_WRITEABLE,
         }, {
                 .name           = "kernel",
                 .offset         = 0x020000,
                 .size           = 0x140000,
         }, {
                 .name           = "rootfs",
                 .offset         = 0x160000,
                 .size           = 0xe90000,
         }, {
                 .name           = "art",
                 .offset         = 0xff0000,
                 .size           = 0x010000,
                 .mask_flags     = MTD_WRITEABLE,
         }, {
                 .name           = "firmware",
                 .offset         = 0x020000,
                 .size           = 0xfd0000,
         }
};

In addition the folder
target/linux/ar71xx/files/arch/mips/ar71xx

Is not present and has ath91 instead.

I am using the document in openwrt build root steps to get the source and building it.
Building the source is ok and it could work on the MR3420 with 16MB MX25L12854 but only see 4MB. Any suggestion to build a 16MB image for my MR3420?

cthun wrote:

Now I am trying to build root to 16MB flash but seems I cannot find the mentioned partition info in

target/linux/ar71xx/files/arch/mips/ar71xx/mach-tl-mr3x20.c file.

16M:
...
In addition the folder
target/linux/ar71xx/files/arch/mips/ar71xx

Is not present and has ath91 instead.

That topic was covered on the first page of this thread: https://forum.openwrt.org/viewtopic.php … 12&p=1

MBS wrote:
cthun wrote:

Now I am trying to build root to 16MB flash but seems I cannot find the mentioned partition info in

target/linux/ar71xx/files/arch/mips/ar71xx/mach-tl-mr3x20.c file.

16M:
...
In addition the folder
target/linux/ar71xx/files/arch/mips/ar71xx

Is not present and has ath91 instead.

That topic was covered on the first page of this thread: https://forum.openwrt.org/viewtopic.php … 12&p=1

Thanks, I read through all the post and I manage to get it to work and it compiles a 15.6MB image.

However I can't flash the image using u-boot. It crashes while loading half way from tftp.  Most probably I am still using the 32MB DDR. Since most of the image contains 0xff, I just truncate the 15.6MB image to 4MB. It boots and works well.

(Last edited by cthun on 26 Mar 2012, 04:13)

Has anybody figured out how to build the u-boot for the 9331 based routers, e.g., 740n v4, 703n?  The instructions cannot be directory used.
I also noticed that there is a version of 743n that come with a usb port for 3G dongle.  It is only on sale in China and pretty cheap.  Does anyone know about it?

Part Four: Make up a flash programmer file:
1. Use Winhex to create a empty 16M template, use replace to replace all 00 to FF.
2. Open the u-boot.bin previously you created, copy all (Ctrl+A) and Write(Ctrl+b) the 128k bytes from begining to the template.
3. Open the openwrt firmware openwrt-ar71xx-generic-tl-mr3420-v1-squashfs-factory.bin write all data(about 15.75M) as step 2 from 0x000000020000 to the file.
4. Open the art file, write the 64k file to the lastest 64k from 0x000000ff0000 to your template.
5. save all to a new file such as New.bin for future usage.


Part five: Solder the chip
1. Flash the whole file to your flash chip by flash programmer ( you shall have this hardware to as help from others)
2. Solder the flash and memory chip, 64M RAM can be detected after changing the chip, no need to modify the uboot code to support 64M RAM
3. Solder the TTL pin for TTL debugging.

Does anyone have such files and can share them, could put them somewhere to download?
I mean bin file to solder the chip and openwrt 16M ?

Im asking cause I have stoped just on the beggining:

/bin/sh: mips-linux-uclibc-gcc: not found
make[2]: *** No rule to make target `.depend'.  Stop.
make[2]: Leaving directory `/virtual/home/bartosz/mr3420_3220v1/ap99/boot/u-boot/post/cpu'
make[1]: *** [depend] Error 2
make[1]: Leaving directory `/virtual/home/bartosz/mr3420_3220v1/ap99/boot/u-boot'
make: *** [uboot] Error 2

(Last edited by sethiel on 2 Jul 2012, 10:00)

sethiel wrote:

Part Four: Make up a flash programmer file:
1. Use Winhex to create a empty 16M template, use replace to replace all 00 to FF.
2. Open the u-boot.bin previously you created, copy all (Ctrl+A) and Write(Ctrl+b) the 128k bytes from begining to the template.
3. Open the openwrt firmware openwrt-ar71xx-generic-tl-mr3420-v1-squashfs-factory.bin write all data(about 15.75M) as step 2 from 0x000000020000 to the file.
4. Open the art file, write the 64k file to the lastest 64k from 0x000000ff0000 to your template.
5. save all to a new file such as New.bin for future usage.


Part five: Solder the chip
1. Flash the whole file to your flash chip by flash programmer ( you shall have this hardware to as help from others)
2. Solder the flash and memory chip, 64M RAM can be detected after changing the chip, no need to modify the uboot code to support 64M RAM
3. Solder the TTL pin for TTL debugging.

Does anyone have such files and can share them, could put them somewhere to download?
I mean bin file to solder the chip and openwrt 16M ?

Im asking cause I have stoped just on the beggining:

/bin/sh: mips-linux-uclibc-gcc: not found
make[2]: *** No rule to make target `.depend'.  Stop.
make[2]: Leaving directory `/virtual/home/bartosz/mr3420_3220v1/ap99/boot/u-boot/post/cpu'
make[1]: *** [depend] Error 2
make[1]: Leaving directory `/virtual/home/bartosz/mr3420_3220v1/ap99/boot/u-boot'
make: *** [uboot] Error 2

Sure, I have a compiled image here that I used for my mod. If you send me pm with your MAC and pin number I will change that for you and then send it over.

Finally I was able to compile the u-boot from TP-Link sources, for ap121 (ar9331 based devices).
The hardest was to find out how to fix the missing mips-linux-gcc error, as I have almost no idea about Linux.
I found the solution here (russian)
http://openrouter.info/forum/viewtopic. … p;start=20

You need the full 150Router.tar.bz2 file, not just the u-boot, as there are lots of dependencies.
Uncompress it to some folder. Enter into that folder.
Uncompress the file "gcc-4.3.3.tar.bz2" inside branch_hornet_linux/toolchain/ by doing "tar -xf gcc-4.3.3.tar.bz2 ./"
Create a folder called "bin" inside "branch_hornet_linux"
Create a file inside folder branch_hornet_linux called Makefile.
Edit it and paste the following:

export BUILD_TOPDIR=$(PWD)
MAKECMD=make ARCH=mips CROSS_COMPILE=mips-linux-
export PATH:=$(BUILD_TOPDIR)/toolchain/gcc-4.3.3/build_mips/staging_dir/usr/bin/:$(PATH)
export FLASH_SIZE=4
export COMPRESSED_UBOOT=1
export CONFIG_HORNET_1_1_WAR=1

all:
    cd $(BUILD_TOPDIR)/ap121/boot/u-boot/ && $(MAKECMD) ap121_config
    cd $(BUILD_TOPDIR)/ap121/boot/u-boot/ && $(MAKECMD)
    cp $(BUILD_TOPDIR)/ap121/boot/u-boot/tuboot.bin $(BUILD_TOPDIR)/bin

clean:
    cd $(BUILD_TOPDIR)/ap121/boot/u-boot/ && $(MAKECMD) clean
    rm -f $(BUILD_TOPDIR)/bin/*

clean_all:
    cd $(BUILD_TOPDIR)/ap121/boot/u-boot/ && $(MAKECMD) distclean
    rm -f $(BUILD_TOPDIR)/bin/*

remember to change "export FLASH_SIZE=x" to the MB of your flash. You still need to modify the ap121. if higher than 8MB.
do "chmod 664 Makefile"

Now, just open the terminal and go to the branch_hornet_linux folder.
Do:
make clean
make

It will compile in just a minute or so, and at the end it will put something like this:

Image Name:   u-boot image
Created:      Sun Sep  2 21:58:12 2012
Image Type:   MIPS Linux Firmware (lzma compressed)
Data Size:    32200 Bytes = 31.45 kB = 0.03 MB
Load Address: 0x80010000
Entry Point:  0x80010000
make[1]: Leaving directory `/home/ubuntu/150Router/branch_hornet_linux/ap121/boot/u-boot'
cp /home/ubuntu/150Router/branch_hornet_linux/ap121/boot/u-boot/tuboot.bin /home/ubuntu/150Router/branch_hornet_linux/bin

And done!! Your u-boot should be in branch_hornet_linux/bin. The rest of the part is the same as told in this topic.


If you get "separator error" when doing make, is due the spaces in the lines like this:

    cd $(BUILD_TOPDIR)/ap121/boot/u-boot/ && $(MAKECMD) ap121_config
<-->
This is a tabulation, not 4 spaces!! When pasting ensure that they are correct, if not delete them and puts tabs instead.

Where to buy these chips in india or a seller who ships to india ?

S25FL128PIF
MX25L12805
Hynix HY5DU121622DTP-D43