OpenWrt Forum Archive

Topic: DAP2553 new hardware - stuck on "imghdr magic"

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm trying to get a D-Link DAP2553 to work with OpenWRT. I think it has all the right qualifications: supported processor (AR9132), "familiar" wifi chip (Atheros 9106, we'll see if it works), serial connection with root (without password) after startup, u-boot, and there are even GPL sources for the (ancient, 2.6.something) kernel that D-Link runs normally.
However, I'm stuck right after the beginning. After flashing a rather random openwrt-ar71xx (I chose the DIR 615 C1 because it somewhat seems to resemble this one), U-boot complains " Check Image ...
imghdr magic:a14e7dec, not match with:20040220
Image has problem! ... "

Would anyone know what's going on here? Is this some sort of hacked up u-boot that does its own magical testing, or am I just missing a crucial step in getting things to work?

The flash writing and boot sequence goes something like this:

ar7100> loady 0x81000000
## Ready for binary (ymodem) download to 0x81000000 at 115200 bps...           
C## Total Size      = 0x003c0018 = 3932184 Bytes
Control flag in image header: 0x00000001
Control flag in boot config:  0x00000001
Upload file OK!
ar7100> erase bf0a0000 +400000
Erase Flash from 0xbf0a0000 to 0xbf49ffff in Bank # 1 First 0x5 last 0x24
 100%
Erased 32 sectors
ar7100> cp.b 0x80002000 0xbf0a0000 0x003c0018
Copy to Flash... 
 100%
done
ar7100> bootm 0xbf0a0000 0x80060000
---------1activeregion:1----------
Protect off BF040000 ... BF05FFFF
Un-Protecting sectors 2..2 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0xbf040000 to 0xbf05ffff in Bank # 1 First 0x22
 100%
Erased 1 sectors
Writing to Flash... 
 100%
done
Protecting sectors 2..2 in bank 1
Protected 1 sectors
---------2activeregion:1----------
env_relocate_dual_config[317] malloced ENV at 83fa4360, size()=4
----------dual gd->env_valid == 1----------
---------dual env flash---------
---------dual env flash 4---------
env_ptr_dual_config->data=83fa4371
env_ptr_dual_config->data=83f84019
---------after relocate_dual_config 3 activeregion:2----------
env_ptr_dual_config->data=83fa4364
env_ptr_dual_config->data=83f8400c
oldval==d
&env_data[ENV_SIZE]=83fa8360,env=83fa4364
len=10, env_data=3ffc
&env_data[ENV_SIZE]=83fa8360,env=83fa4364
=====env_ptr_dual_config->crc=84ed927a----ENV_SIZE=3ffc======
-------test dual_config CFG_ENV_SECT_SIZE 3-------
-------test dual_config CONFIG_INFERNO 4-------
=====env_ptr_dual_config->crc=84ed927a----ENV_SIZE=3ffc======
Protect off BFFA0000 ... BFFBFFFF
Un-Protecting sectors 125..125 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0xbffa0000 to 0xbffbffff in Bank # 1 First 0x7d
 100%
Erased 1 sectors
Writing to Flash... 
 100%
done
Protecting sectors 125..125 in bank 1
Protected 1 sectors
env_ptr_dual_config->data=83fa4371
env_ptr_dual_config->data=83f84019
---------4activeregion:2----------
## Booting image at bf0a0000 ...
   Image Name:   MIPS OpenWrt Linux-3.3.8
   Created:      2013-03-23  16:54:11 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    957188 Bytes = 934.8 kB
   Load Address: 80060000
   Entry Point:  80060000
   Uncompressing Kernel Image with LZMA ... 

 Check Image ... 
imghdr magic:a14e7dec, not match with:20040220
 Image has problem! ... 

On a regular boot, the boot sequence says:

U-Boot 1.1.4 (May 20 2011 - 16:44:33)

ALPHA  U-boot v2.00r009
DRAM:  
sri
64 MB
Top of RAM usable for U-Boot at: 84000000
Reserving 227k for U-Boot at: 83fc4000
Reserving 256k for malloc() at: 83f84000
Reserving 44 Bytes for Board Info at: 83f83fd4
Reserving 36 Bytes for Global Data at: 83f83fb0
Reserving 128k for boot params() at: 83f63fb0
Stack Pointer at: 83f63f98
Now running in RAM - U-Boot at: 83fc4000
Name: AMD-SPANSION Flash id: 0x1227E, Size: 16777216 bytes.
Flash: 16 MB
In:    serial
Out:   serial
Err:   serial
Net:   ag7100_enet_initialize...
: cfg1 0xf cfg2 0x7114
ATHRF1E: Port 0, Neg Success
ATHRF1E: unit 0 phy addr 0 ATHRF1E: reg0 1000
eth0: 00:05:0d:06:01:03
eth0 up
eth0
### main_loop entered: bootdelay=1

### main_loop: bootcmd="run runtime"
press 'q' to stop autoboot:  0 
---------1activeregion:1----------
Protect off BF040000 ... BF05FFFF
Un-Protecting sectors 2..2 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0xbf040000 to 0xbf05ffff in Bank # 1 First 0x2 last 0x2
 100%
Erased 1 sectors
Writing to Flash... 
 100%
done
Protecting sectors 2..2 in bank 1
Protected 1 sectors
---------2activeregion:1----------
env_relocate_dual_config[317] malloced ENV at 83fa4360, size()=4
----------dual gd->env_valid == 1----------
---------dual env flash---------
---------dual env flash 4---------
env_ptr_dual_config->data=83fa4371
env_ptr_dual_config->data=83f84019
---------after relocate_dual_config 3 activeregion:2----------
env_ptr_dual_config->data=83fa4364
env_ptr_dual_config->data=83f8400c
oldval==d
&env_data[ENV_SIZE]=83fa8360,env=83fa4364
len=10, env_data=3ffc
&env_data[ENV_SIZE]=83fa8360,env=83fa4364
=====env_ptr_dual_config->crc=84ed927a----ENV_SIZE=3ffc======
-------test dual_config CFG_ENV_SECT_SIZE 3-------
-------test dual_config CONFIG_INFERNO 4-------
=====env_ptr_dual_config->crc=84ed927a----ENV_SIZE=3ffc======
Protect off BFFA0000 ... BFFBFFFF
Un-Protecting sectors 125..125 in bank 1
Un-Protected 1 sectors
Erasing Flash...Erase Flash from 0xbffa0000 to 0xbffbffff in Bank # 1 First 0x7d last 0x7d
 100%
Erased 1 sectors
Writing to Flash... 
 100%
done
Protecting sectors 125..125 in bank 1
Protected 1 sectors
env_ptr_dual_config->data=83fa4371
env_ptr_dual_config->data=83f84019
---------4activeregion:2----------
## Booting image at bf0a0000 ...
   Image Name:   7zip Linux Kernel
   Created:      1970-01-01   0:00:00 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    -1 Bytes = 4096 MB
   Load Address: 80002000
   Entry Point:  80002000
   Uncompressing Kernel Image with LZMA ... 

 Check Image ... 
  
Image OK!
OK
No initrd
## Transferring control to Linux (at address 80002000) ...
## Giving linux memsize in bytes, 67108864

Starting kernel ...

After which:

Linux version 2.6.15--LSDK-7.1.3.63 (release@J10) (gcc version 3.4.4) #2 Wed Sep 25 10:58:25 CST 2013
flash_size passed from bootloader = 16
CPU revision is: 00019374
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 04000000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock0 rw mem=64m 
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 512 (order: 9, 8192 bytes)
Using 200.000 MHz high precision timer.
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 62220k/65536k available (1949k kernel code, 3256k reserved, 402k data, 124k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
NET: Registered protocol family 16
calling simple_config callback..
SCSI subsystem initialized
AR7100 GPIOC major 0
squashfs: version 3.1 (2006/08/19) Phillip Lougher
devfs: 2004-01-31 Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
Initializing Cryptographic API
io scheduler noop registered
io scheduler deadline registered
Serial: 8250/16550 driver $Revision: #1 $ 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x0 (irq = 19) is a 16550A
RAMDISK driver initialized: 1 RAM disks of 65536K size 1024 blocksize
ELBOX CFI physmap flash device: 1000000 at bf000000
FLASH ID: AMD-SPANSION SIZE: (16 MB)
 AR9100 serial flash !!
ar9100-nor0: squashfs filesystem found at offset 0x00170000
Creating 10 MTD partitions on "ar9100-nor0":
0x001700c0-0x01000000 : "rootfs"
0x000a0000-0x00fc0000 : "upgrade"
0x00060000-0x00080000 : "rgdb"
0x00040000-0x00060000 : "bdcfg"
0x00080000-0x000a0000 : "langpack"
0x00fc0000-0x00fe0000 : "certificate"
0x00fe0000-0x01000000 : "radiocfg"
0x00000000-0x01000000 : "flash"
0x00000000-0x00040000 : "bootloader"
0x00040000-0x00060000 : "boot config"
FLASH ID: AMD-SPANSION SIZE: (16 MB)
u32 classifier
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
arp_tables: (C) 2002 David S. Miller
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
ar7100wdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 124k freed
init started:  BusyBox v1.00 (2013.09.25-02:40+0000) multi-call binary
Starting pid 14, console /dev/tts/0: '/etc/init.d/rcS'
[/etc/init.d/S03config.sh]
Mounting proc and var ...
Inserting modules ...
Inserting Rebootm ...
Using /lib/modules/rebootm.ko
Rebootm loading ... 
Inserting atheros ethernet ...
Using /lib/modules/ag7100_mod.ko
Inserting gpio ...
Using /lib/modules/gpio.ko
GPIO driver initialized.
done.
Start xmldb ...
[/etc/scripts/misc/profile.sh] get ...
[/etc/scripts/misc/defnodes.sh] ...
[/etc/defnodes/S10setext.sh] ...
PHP [/etc/defnodes/S11setnodes.php] ...
PHP [/etc/defnodes/S12features.php] ...
PHP [/etc/defnodes/S13flashspeed.php] ...
PHP [/etc/defnodes/S20setnodes.php] ...
SQUASHFS error: Can't find a SQUASHFS superblock on mtdblock4
mount: Mounting /dev/mtdblock/4 on /www/locale/alt failed: Invalid argument
PHP [/etc/defnodes/S40brand.php] ...

As no one else seems to own a DAP2553 ;-) I'll answer myself. The GPL sources from D-Link contain an imghdr.h that seems to differ from the imghdr utility in the OpenWrt sources. imghdr.h from D-Link:

/* vi: set sw=4 ts=4: */
/* imghdr.h
 *
 *    This file defines the image header format for web upgrade.
 *    Currently the image format is used by WRGG02/WRGG03.
 *
 *    Copyright (C) 2003-2004, Alpha Networks, Inc.
 *
 *    2004/2/20 by David Hsieh
 *
 */

#ifndef _IMGHDR_HEADER_
#define _IMGHDR_HEADER_
#include <stdint.h>

#define MAX_SIGNATURE    32

/* Image header for WRGG02. */
struct imghdr_struct {
    char            signature[MAX_SIGNATURE];
    uint64_t    image_offset1;
    uint64_t    flash_offset1;
    uint64_t    size1;
    unsigned char    check1[16];
    uint64_t    image_offset2;
    uint64_t    flash_offset2;
    uint64_t    size2;
    unsigned char    check2[16];
} imghdr;


/* Version 2 of image header. */
/*
 * Version 2 image will look like ...
 *
 * +--------------------------------------------+
 * | signature: 32 bytes                        |
 * +--------------------------------------------+
 * | image block 1 (imgblock_t)                 |
 * +--------------------------------------------+
 * | image 1                                    |
 * |                                            |
 * +--------------------------------------------+
 * | image block 2 (imgblock_t)                 |
 * +--------------------------------------------+
 * | image 2                                    |
 * |                                            |
 * +--------------------------------------------+
 */

#define IMG_MAX_DEVNAME        32
#define IMG_V2_MAGIC_NO        0x20040220    /* version 2 magic number */
#define IMG_V3_MAGIC_NO        0x20080321    /* version 3 magic number */

typedef struct _imgblock imgblock_t;
struct _imgblock
{
    uint32_t    magic;        /* image magic number (should be IMG_V2_MAGIC_NO in little endian). */
    uint32_t    size;        /* size of the image. */
    uint32_t    offset;        /* offset from the beginning of the storage device. */
    char            devname[IMG_MAX_DEVNAME];    /* null termiated string of the storage device name. ex. "/dev/mtd6" */
    unsigned char    digest[16];    /* MD5 digest of the image */
} __attribute__ ((packed));

typedef struct _imgblockv3 imgblock_tv3;
struct _imgblockv3
{
    uint32_t    magic;        /* image magic number (should be IMG_V2_MAGIC_NO in little endian). */
    char        version[16];/* firmware version ex: v1.00 */
    char        modle[16];  /* Modle name ex:DAP-2553 */
    uint32_t    flag[2];    /* control flag */
    uint32_t    reserve[2];    /* control flag */
    char        buildno[16];/* build number */
    uint32_t    size;        /* size of the image. */
    uint32_t    offset;        /* offset from the beginning of the storage device. */
    char            devname[IMG_MAX_DEVNAME];    /* null termiated string of the storage device name. ex. "/dev/mtd6" */
    unsigned char    digest[16];    /* MD5 digest of the image */
} __attribute__ ((packed));

typedef struct _imghdr2 imghdr2_t;
struct _imghdr2
{
    char            signature[MAX_SIGNATURE];
    uint32_t    magic;    /* should be IMG_V2_MAGIC_NO in little endian. */
} __attribute__ ((packed));

#endif

The header in the official firmware I'm looking at, seems to be imghdr2_t, followed by imgblock_tv3:

0000000: 7761 706e 6430 335f 646b 6273 5f64 6170  wapnd03_dkbs_dap
0000010: 3235 3533 0000 0000 0000 0000 0000 0000  2553............
0000020: 2103 0820 2103 0820 7631 3235 7263 3035  !.. !.. v125rc05
0000030: 3576 3233 3133 7334 6461 7032 3535 3300  5v2313s4dap2553.
0000040: 0000 0000 0000 0000 0100 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 6439 7061 0000 0000  ........d9pa....
0000060: 0000 0000 0000 0000 0048 5020 0000 0000  .........HP ....
0000070: 2f64 6576 2f6d 7464 626c 6f63 6b2f 3100  /dev/mtdblock/1.
0000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000090: ab20 3bf0 16e1 bc91 2560 4899 e066 cfd3  . ;.....%`H..f..

MD5SUM calculation is based on three items. I'll quote the source, because I'm rather inexperienced as a programmer and I have some doubts about the type castings:

MD5Update(&ctx, (unsigned char *)&block->offset, sizeof(block->offset));
MD5Update(&ctx, (unsigned char *)block->devname, sizeof(block->devname));
MD5Update(&ctx, (unsigned char *)&block[1], block->size);

I'm not sure if I'm qualified enough to hack together a header calculator for this beast, I'll give it a try.

As a hobbyist, I'm intimidated too much by references to unreferenced structure member pointers, or is "(unsigned char *)&block->offset" a member of an unreferenced structure pointer? :-S

If anyone with more C knowledge could hack together an MD5sum calculator for the DAP2553, I'll gladly test. For now, I'm stumped. For your reference, the calculation code comes from https://dlink-gpl.s3.amazonaws.com/GPL1 … 130.tar.gz in file DAP2553_GPL130/progs.gpl/mathopd/upload.c, with header file to be found at imghdr.h in the same subdirectory.
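
The header layout and the three MD5Update() calls quoted above, worked through in Python as an added example (not code from the thread or from D-Link's sources): it parses the 160 header bytes of the hex dump and recomputes the digest over the same byte ranges. Two assumptions: `size` is read big-endian, an inference from the dump (00 48 50 20 is 0x00485020, about 4.5 MB, while the little-endian reading would exceed the 16 MB flash), and the quoted digest inputs are taken to apply to the v3 block. The function names are made up here.

```python
import hashlib
import struct

IMG_V3_MAGIC_NO = 0x20080321
# imghdr2_t followed by imgblock_tv3, both packed: 160 bytes. Integer fields are
# unpacked as raw bytes so the byte order of each one is decided explicitly.
HDR = struct.Struct("<32s4s4s16s16s8s8s16s4s4s32s16s")

# The 160 header bytes of the official firmware, copied from the post's hex dump.
DUMP = bytes.fromhex(
    "7761706e6430335f646b62735f646170"
    "32353533000000000000000000000000"
    "21030820210308207631323572633035"
    "35763233313373346461703235353300"
    "00000000000000000100000000000000"
    "00000000000000006439706100000000"
    "00000000000000000048502000000000"
    "2f6465762f6d7464626c6f636b2f3100"
    "00000000000000000000000000000000"
    "ab203bf016e1bc9125604899e066cfd3"
)

def cstr(raw):
    """Decode a fixed-width, NUL-padded char[] field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_header(blob):
    """Split the header into named fields; reject anything but the v3 magic."""
    if len(blob) < HDR.size:
        raise ValueError("truncated header")
    (sig, magic1, magic2, version, model, _flag, _reserve, buildno,
     size, offset, devname, digest) = HDR.unpack_from(blob)
    for magic in (magic1, magic2):  # stored little-endian per imghdr.h
        if int.from_bytes(magic, "little") != IMG_V3_MAGIC_NO:
            raise ValueError("bad magic " + magic.hex())
    return {
        "signature": cstr(sig), "version": cstr(version), "model": cstr(model),
        "buildno": cstr(buildno), "devname": cstr(devname),
        "size": int.from_bytes(size, "big"),  # assumption: big-endian, see lead-in
        "offset_raw": offset, "devname_raw": devname, "digest": digest,
    }

def block_digest(offset_raw, devname_raw, payload):
    """MD5 over the byte ranges of the three MD5Update() calls: the 4 bytes of
    offset as stored, all 32 bytes of devname (NUL padding included), and the
    payload that starts right after the block header (&block[1])."""
    return hashlib.md5(offset_raw + devname_raw + payload).digest()

def verify_image(image):
    """True if the stored digest matches the one recomputed from the image."""
    hdr = parse_header(image)
    payload = image[HDR.size:HDR.size + hdr["size"]]
    if len(payload) != hdr["size"]:
        raise ValueError("payload shorter than the header's size field")
    return block_digest(hdr["offset_raw"], hdr["devname_raw"], payload) == hdr["digest"]

def build_image(template, payload):
    """Constructed image for testing: dumped header fields around a new payload."""
    fields = list(HDR.unpack_from(template))
    fields[8] = len(payload).to_bytes(4, "big")
    fields[11] = block_digest(fields[9], fields[10], payload)
    return HDR.pack(*fields) + payload
```

The casts in the quoted C only take the address of a field and read its bytes as stored, which is what the slices do here. The digest is an unkeyed MD5, so it detects a corrupted image but does not authenticate one: anyone who can build an image can recompute it.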

It's good to see someone trying to "port" OpenWRT on this device!

I could only help you as a tester... :)

... unfortunately, we'll need a programmer first, to build a proper "mkdaphdr" for this device. I've tried it, but I guess I'm not qualified. As the D-link code is there, it won't be too hard for someone who has the right knowledge.

Hello,

I just got my TTL adapter. I think I can help but I would need a quick crash course on when the header is needed / generated.

ekacnet wrote:

Hello,

I just got my TTL adapter. I think I can help but I would need a quick crash course on when the header is needed / generated.

ekacnet, have you tried to contact valentijn?

I also have two DAP-2553 (P/N: EAP2553EEU...A1E, H/W Ver.: A1) which do their job right now, but which I would like to move over to OpenWRT. I have not done much OpenWRT hacking. How can I help? My C knowledge has gotten a bit rusty.

I can help you. valentijn, are you still interested in testing?
I also have a dap2553, and about 15 years of experience in C/C++.

I have a similar device, DAP-2695, that's giving the same error when I try to boot OpenWrt from flash. While U-Boot claims it expects 20040220, I found that it actually expects 20080321 (IMG_V3_MAGIC_NO). Maybe the same is true for the DAP-2553.

#define IMG_V2_MAGIC_NO        0x20040220    /* version 2 magic number */
#define IMG_V3_MAGIC_NO        0x20080321    /* version 3 magic number */

Unfortunately D-Link didn't include the U-Boot sources in the GPL tarballs on http://tsd.dlink.com.tw/GPL.asp. I requested to publish the U-Boot sources on 2/04/2015 by email to gplcode@dlink.com, but that was silently ignored. I asked again via Twitter, feel free to retweet to draw some attention.

xeno0904 wrote:

I can help you. valentijn, are you still interested in testing?
I also have a dap2553, and about 15 years of experience in C/C++.

Any news? :)

actually I have a "spare" unit for testing purposes, just in case you need an Openwrt tester!

Please try if mkwrggimg works for DAP-2553. With this, I can create a bootable initramfs image for my DAP-2695. As I said before, U-Boot on this device claims it expects the imghdr to be 20040220, but it actually needs to be 20080321 for it to boot:

imghdr magic:20040220, not match with:20040220

To boot the initramfs via TFTP:

tftpboot 0x81000000 lede-ar71xx-generic-dap-2695-a1-initramfs-kernel.bin
bootm 0x81000000

I noticed that my device frequently fails to transfer the image, I need to kill and retry the tftpboot command multiple times for it to succeed.

EDIT:
As of now I have a working factory image for my DAP-2695, built from my LEDE staging tree.

EDIT2:
After looking in the sources for the DAP-2553, I can confirm that the same image header is used as with the DAP-2695:

./configs/defconfig/wapnd03_dkbs_dap2553.config:ELBOX_FIRMWARE_HEADER_VERSION=3

Based on this, the v2image utility in the D-Link sources uses IMG_V3_MAGIC_NO which is 0x20080321. This means the mkwrggimg utility in my LEDE staging tree should work for the DAP-2553. Please try, and let me know how it goes.

(Last edited by stintel on 7 Aug 2016, 20:08)

Hello,

mkwrggimg indeed works. I've added the LEDE boot log to the Wiki entry.

The next thing that needs to be figured out is the flash. Currently I'm getting

[    9.282353] m25p80 spi0.0: unrecognized JEDEC id bytes: 00,  0,  0

and it might not even be connected to the spi bus in the first place.

My two old DAP-2553 are starving ... Anything I could help with to move this along? Any pointer to "reverse engineering flash layout for dummies"? ;-)

ignisf, could you provide some guidelines on what to do in order to get to the same point as you? Is there anything specific in building the openwrt image, and what about your mkwrggimg tool?

I started to dig a bit in the firmware image and in the source. It seems that the stock kernel is a 2.6.15 and the option for the flash seems to be CONFIG_MTD_AR9100_PARALLEL_FLASH. Looking at the source code of recent kernels, it seems not to be in the main tree.
Most probably the code from 2.6.15 needs to be ported to the openwrt kernel.

ignisf wrote:

Hello,

mkwrggimg indeed works. I've added the LEDE boot log to the Wiki entry.

The next thing that needs to be figured out is the flash. Currently I'm getting

[    9.282353] m25p80 spi0.0: unrecognized JEDEC id bytes: 00,  0,  0

and it might not even be connected to the spi bus in the first place.

I still have a spare unit to "sacrifice" :)

As I understand, you're able to boot the image loaded in RAM; is there also a "resident" image available to test?

I got this vaguely working on openwrt.
First you need to get the file tools/firmware-utils/src/mkwrggimg.c from the staging repo indicated above.
Then add $(call cc,mkwrggimg md5, -Wall) in the tools/firmware-utils/Makefile (section define Host/Compile).

Then, once the binary is compiled, it has to be used somehow like that:
./build_dir/host/firmware-utils/bin/mkwrggimg -s wapnd03_dkbs_dap2553 -i bin/ar71xx/openwrt-ar71xx-generic-dir-615-c1-squashfs-sysupgrade.bin -o /var/lib/tftpboot/3200A8C0.img -v v132rc074v2316s5  -m dap2553  -b 1 -d /dev/mtdblock/1 -B g3lh

At that moment the image can be loaded, but for the moment there is still an issue with the lzma decompression:

Bytes transferred = 3211428 (3100a4 hex)
ar7100> bootm 0x81000000
## Booting image at 81000000 ...
   Image Name:   7zip Linux Kernel
   Created:      1970-01-01   0:00:00 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    -1 Bytes = 4096 MB
   Load Address: 80002000
   Entry Point:  80002000
   Uncompressing Kernel Image with LZMA ...

 Check Image ...

Image OK!
too long file.
LZMA ERROR - must RESET board to recover !!

The discussion might have continued from here.