[PATCH] ramips: add support for Notion R281 (mtd5)
Ian Pangilinan
ian.pangilinan at upd.edu.ph
Mon Jul 25 01:06:13 PDT 2022
> On 2022-07-25 15:21, Bjørn Mork wrote:
> Ian Pangilinan writes:
>
>> Here's the contents of the u-boot-env as a fw_printenv output:
>>
>> bootcmd=tftp
>
> This is odd. Might indicate that U-Boot doesn't use these settings at
> all?
>
>> baudrate=57600
>> ethaddr="00:AA:BB:CC:DD:10"
>> BootType=3
>
> But that's probably overriding the bootcmd - booting from flash by
> default.
>
>> uboot_ver=V1.1
>> PCB_SN=<snip>
>> SN=<snip>
>> dropbear_password=75912917
>> dropbear_mode=0
>> dropbear_key_type=0
>> bootargs=console=ttyS1,57600n8 root=/dev/mtdblock6
>
We can only guess what black magic goes on for devices such as these
where the bootloader is modified by the vendor, per request of the ISP
being their customer.
> This is sort of interesting since that root partition is dynamically
> split out of the firmware partition. I assume it would be
> /dev/mtdblock5 if you booted from the first image. But I don't think
> it's likely that U-Boot uses this as imput. It's rather something
> that's set by U-Boot depending on which image it decides to boot.
The layout is fixed afaict, depending on whether the bootloader is coded
to load at mtd4 or mtd5. In the mtd4 variant, I can make an educated
guess that it looks like this:
ALL
Bootloader
Config
Factory
firmware1
rootfs
rootfs_data
firmware2
ota
Configbak
So it will have bootargs=console=ttyS1,57600n8 root=/dev/mtdblock5. That
other firmware partition really is only there as a standby/backup copy.
>
>> wifi_ate=on
>> rootfs_data_ofs=0x3180000
>> rootfs_data_size=0x01d40000
>> rootfs_data_fail=0
>> IMEI=<snip>
>> stdin=serial
>> stdout=serial
>> stderr=serial
>> filesize=651338
>> fileaddr=84000000
>> ipaddr=10.10.10.123
>> serverip=10.10.10.3
>> autostart=no
>> bootfile=test.bin
>> bootdelay=3
>>
>> It may look like a dual-partition scheme on the outside, but the other
>> partition merely serves as backup to the main partition where the
>> bootloader
>> is hardcoded, it seems, to load. This is an ISP-branded device that is
>> actively being updated to thwart consumer modifications. And just
>> recently
>> they went beyond regular system updates and released a bootloader
>> update
>> that
>> effectively disables tftpboot.
>
> Ah, OK. So they do modify the bootloader too. Then I guess anything
> is
> possible.
>
> I've seen ISP-branded devices seemingly ignoring one of the dual
> partitions, using the other image purely as an emergency backup. The
> ZyXEL NR7101 used to be like this. But that was only because the ISP
> firmware never modified the BootingFlag variable. This changed with an
> update, but without changing U-Boot. It was already looking at the
> variable.
>
I was hoping that they used a variable to tell which flash address to
load, but it no longer looks that way if you consider the two different
partition layouts of the same hardware, thus two different bootloader
images with hardcoded values for each layout.
>> I guess they forgot that this is a CPE, where the C stands for
>> consumer.
>
> "customer", I believe :-)
>
Haha, yes good catch. :D
>> I
>> have tried setting load_firmware_addr=0xbc140000 but this did not
>> change
>> anything. The variable was taken from another device, a Cat.4 LTE R051
>> from the same vendor. I thought it could work, but it didn't.
>
> Maybe run "strings" on the U-Boot partition (or a copy of it) to see if
> any interesting variable names show up?
>
>
>> Here's the
>> serial console log from the stock firmware, in case you could find
>> something:
>> https://pastebin.com/etEUiphL
>
> Thanks. I see that you got no hints there. But that's not unusual.
> There could still be a magic variable controlling which image to load.
> Even one that doesn't show up in the current settings, making U-Boot
> fall back to a default value.
>
>
>
> Bjørn
>
Yes I have tried to strings /dev/mtd0, but I didn't see anything that
could give hint. Maybe I missed it, so here it is. Another set of eyes
is better than one. https://pastebin.com/uDcUyvNc
-ianp
More information about the openwrt-devel
mailing list