Discovery on other Linkplay A31 modules

[eNBeWe]

I have two Linkplay A31 modules that differ in their behaviour. I try to document these modules here and maybe get some more info in the process.

Module 1 - Originally installed on Arylic Up2Stream Amp 2.1

(https://www.arylic.com/products/up2stream-amp-2-1-amp-board)

• This board has not been properly analyzed. I ripped off one of the serial console pads, so I have to solder at a different place.

Module 2 - Sourced through AliExpress

• Serial console of running linux available with settings: 3.3V level, 57600 @ 8-N-1
• Boot log of embedded linux

<break>
␍␊
LINUX started...␍␊
␍␊
 THIS IS ASIC␍␊
[    0.000000] Linux version 2.6.36+ (linkplay@linkplay) (gcc version 4.6.4 (Buildroot 2013.11) ) #1 Thu Dec 28 15:18:25 CST 2017␍␊
[    0.000000] ␍␊
[    0.000000]  The CPU feqenuce set to 575 MHz␍␊
[    0.000000] CPU revision is: 00019655 (MIPS 24Kc)␍␊
[    0.000000] Software DMA cache coherency␍␊
[    0.000000] Determined physical RAM map:␍␊
[    0.000000]  memory: 04000000 @ 00000000 (usable)␍␊
[    0.000000] Zone PFN ranges:␍␊
[    0.000000]   Normal   0x00000000 -> 0x00004000␍␊
[    0.000000] Movable zone start PFN for each node␍␊
[    0.000000] early_node_map[1] active PFN ranges␍␊
[    0.000000]     0: 0x00000000 -> 0x00004000␍␊
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256␍␊
[    0.000000] Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock6␍␊
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)␍␊
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)␍␊
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)␍␊
[    0.000000] Primary instruction cache 64kB, VIPT, , 4-waylinesize 32 bytes.␍␊
[    0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes␍␊
[    0.000000] Writing ErrCtl register=000670df␍␊
[    0.000000] Readback ErrCtl register=000670df␍␊
[    0.000000] Memory: 61184k/65536k available (2594k kernel code, 4292k reserved, 805k data, 128k init, 0k highmem)␍␊
[    0.000000] NR_IRQS:128␍␊
[    0.000000] console [ttyS1] enabled␍␊
[    0.008000] Calibrating delay loop... 382.97 BogoMIPS (lpj=765952)␍␊
[    0.096000] pid_max: default: 32768 minimum: 301␍␊
[    0.100000] Mount-cache hash table entries: 512␍␊
[    0.104000] NET: Registered protocol family 16␍␊
[    0.108000] bio: create slab <bio-0> at 0␍␊
[    0.112000] Switching to clocksource MIPS␍␊
[    0.132000] NET: Registered protocol family 2␍␊
[    0.144000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)␍␊
[    0.156000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)␍␊
[    0.172000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)␍␊
[    0.184000] TCP: Hash tables configured (established 2048 bind 2048)␍␊
[    0.196000] TCP reno registered␍␊
[    0.204000] UDP hash table entries: 256 (order: 0, 4096 bytes)␍␊
[    0.216000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)␍␊
[    0.228000] NET: Registered protocol family 1␍␊
[    0.236000] Load Kernel WDG Timer Module␍␊
[    0.244000] squashfs: version 4.0 (2009/01/31) Phillip Lougher␍␊
[    0.256000] JFFS2 version 2.2 (NAND) (ZLIB) (RTIME) (c) 2001-2006 Red Hat, Inc.␍␊
[    0.272000] msgmni has been set to 119␍␊
[    0.280000] io scheduler noop registered (default)␍␊
[    0.288000] ***ralink_gpio_init gpiomode = 0x54054415 RALINK_GPIOMODE_DFT=0x54014015␍␊
[    0.304000] Ralink gpio driver initialized␍␊
[    0.312000] this is mfi_ioctl_init Dec 28 2017 15:18:18␍␊
[    0.324000] i2c_start_condition set I2C/SDA to OUTPUT mode␍␊
[    0.560000] got id failed␍␊
[    0.564000] i2c_inited slave address 0x22 ===␍␊
[    0.572000] i2c_release set I2C/SDA to input mode␍␊
[    0.584000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled␍␊
[    0.596000] serial8250: ttyS0 at MMIO 0x10000d00 (irq = 21) is a 16550A␍␊
[    0.608000] serial8250: ttyS1 at MMIO 0x10000c00 (irq = 20) is a 16550A␍␊
[    0.624000] brd: module loaded␍␊
[    0.632000] flash manufacture id: ef, device id 40 18␍␊
[    0.640000] W25Q128BV(ef 40180000) (16384 Kbytes)␍␊
[    0.652000] mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K) .numeraseregions = 0␍␊
[    0.672000] user1 00d80000 - 00e00000  size 00080000 ␍␊
[    0.680000] user2 00e00000 - 01000000  size 00200000 ␍␊
[    0.692000] Creating 10 MTD partitions on "raspi":␍␊
[    0.700000] 0x000000000000-0x000001000000 : "ALL"␍␊
[    0.712000] 0x000000000000-0x000000030000 : "Bootloader"␍␊
[    0.720000] ===========check_rootfs offset=37023d i=64, ret=0  ==============␍␊
[    0.736000] name:Wiimu Rootfs␍␊
[    0.740000] ih_time:0xbd9b445a␍␊
[    0.748000] ih_magic:0x56190527␍␊
[    0.752000] ih_hcrc:0xf445258a␍␊
[    0.760000] ih_size:905216 Bytes␍␊
[    0.768000] ih_dcrc:0x46f4ca8c␍␊
[    0.772000] os=6, arch=5, type=7, comp=1␍␊
[    0.780000] ih_ksz:0x00000000␍␊
[    0.780000] ␍␊
[    0.780000] ␍␊
[    0.792000] 0x000000030000-0x000000040000 : "Config"␍␊
[    0.804000] 0x000000040000-0x000000050000 : "Factory"␍␊
[    0.816000] 0x000000050000-0x000000250000 : "bkKernel"␍␊
[    0.824000] 0x000000250000-0x00000037027d : "Kernel"␍␊
[    0.836000] mtd: partition "Kernel" doesn't end on an erase block -- force read-only␍␊
[    0.852000] 0x00000037027d-0x000000d80000 : "RootFS"␍␊
[    0.860000] mtd: partition "RootFS" doesn't start on an erase block boundary -- force read-only␍␊
[    0.880000] 0x000000250000-0x000000d80000 : "Kernel_RootFS"␍␊
[    0.892000] 0x000000d80000-0x000000e00000 : "user"␍␊
[    0.900000] 0x000000e00000-0x000001000000 : "user2"␍␊
[    0.912000] rdm_major = 253␍␊
[    0.924000] ␍␊
[    0.924000] ␍␊
[    0.924000] === pAd = c0054000, size = 1242560 ===␍␊
[    0.924000] ␍␊
[    0.944000] <-- RTMPAllocTxRxRingMemory, Status=0, ErrorValue=0x␍␊
[    0.956000] <-- RTMPAllocAdapterBlock, Status=0␍␊
[    0.964000] mt7628_init()-->␍␊
[    0.972000] mt7628_init(FW(8a00), HW(8a01), CHIPID(7628))␍␊
[    0.984000] e2.bin mt7628_init(1135)::(2), pChipCap->fw_len(63888)␍␊
[    0.996000] <--mt7628_init()␍␊
[    1.000000] TCP cubic registered␍␊
[    1.008000] NET: Registered protocol family 17␍␊
[    1.024000] get_rootfs_checked_flag = 1␍␊
[    1.032000] this is not first bootup, ignore check rootfs␍␊
[    1.052000] arch/mips/ralink/nvram.c 375: ERROR! Bad CRC ffffffff, ignore values in flash.␍␊
[    1.072000] arch/mips/ralink/nvram.c 375: ERROR! Bad CRC ffffffff, ignore values in flash.␍␊
[    1.096000] arch/mips/ralink/nvram.c 375: ERROR! Bad CRC ffffffff, ignore values in flash.␍␊
[    1.120000] VFS: Mounted root (squashfs filesystem) readonly on device 31:6.␍␊
[    1.136000] Freeing unused kernel memory: 128k freed␍␊
[    1.876000] Algorithmics/MIPS FPU Emulator v1.5␍␊
␍init started: BusyBox v1.12.1 ()␍␊
␍starting pid[    1.896000] devpts: called with bogus options␍␊
 24, tty '': '/etc_ro/rcS'␍␊
mount: mounting none on /proc/bus/usb failed: No such file or directory␍␊
Welcome to WiiMu␍␊
␍␊
␍starting pid 33, tty '/dev/ttyS1': '/bin/sh'␍␊
␍␊
␍␊
BusyBox v1.12.1 () built-in shell (ash)␍␊
Enter 'help' for a list of built-in commands.␍␊
␍␊
# goahead: waiting for nvram_daemon nvram_daemon(backup image)␍␊
. need_to_load_default SSID1=[SoundSystem_5B00]␍␊
need_to_load_default mvProductId=[UP2STREAM_AMP_2P1]␍␊
need_to_load_default mvHardwareVersion=[WiiMu-A31]␍␊
need_to_load_default BssidNum=[1]␍␊
need_to_load_default RadioOn=[1]␍␊
need_to_load_default nvram_broken=[0]␍␊
nvram_daemon do not load default parameters␍␊
nvram_daemon loaded, creat /var/run/nvramd.pid ok, ␍␊
internet.sh␍␊
enter internet.sh␍␊
/sbin/chpasswd.sh: line 19: chpasswd: not found␍␊
/sbin/internet.sh: line 278: grep: not found␍␊
/sbin/internet.sh: line 326: iptables: not found␍␊
/sbin/internet.sh: line 327: iptables: not found␍␊
##### restore Ralink ESW to dump switch #####␍␊
/sbin/config-vlan.sh: line 785: switch: not found␍␊
/sbin/config-vlan.sh: line 785: switch: not found␍␊
/sbin/config-vlan.sh: line 785: switch: not found␍␊
/sbin/config-vlan.sh: l[    2.628000] TX_BCN DESC a3e6c000 size = 320␍␊
ine 785: switch:[    2.636000] RX[0] DESC a3e6f000 size = 1024␍␊
 not found␍␊
/sbi[    2.648000] RX[1] DESC a3e70000 size = 1024␍␊
n/config-vlan.sh: line 785: switch: not found␍␊
/[    2.668000] E2pAccessMode=0␍␊
sbin/config-vlan[    2.672000] cfg_mode=9␍␊
.sh: line 785: s[    2.680000] cfg_mode=9␍␊
witch: not found[    2.688000] wmode_band_equal(): Band Equal!␍␊
␍␊
/sbin/config-v[    2.700000] AndesSendCmdMsg: Could not send in band command due to diable fRTMP_ADAPTER_MCU_SEND_IN_BAND_CMD␍␊
lan.sh: line 785: switch: not fo[    2.724000] APSDCapable[0]=0␍␊
und␍␊
/sbin/confi[    2.732000] APSDCapable[1]=0␍␊
g-vlan.sh: line [    2.740000] APSDCapable[2]=0␍␊
785: switch: not[    2.748000] APSDCapable[3]=0␍␊
 found␍␊
/sbin/co[    2.756000] APSDCapable[4]=0␍␊
nfig-vlan.sh: li[    2.764000] APSDCapable[5]=0␍␊
ne 785: switch: [    2.776000] APSDCapable[6]=0␍␊
not found␍␊
/sbin[    2.784000] APSDCapable[7]=0␍␊
/config-vlan.sh:[    2.792000] APSDCapable[8]=0␍␊
 line 785: switc[    2.800000] APSDCapable[9]=0␍␊
h: not found␍␊
/s[    2.808000] APSDCapable[10]=0␍␊
bin/lan.sh: line[    2.816000] APSDCapable[11]=0␍␊
 11: killall: no[    2.824000] APSDCapable[12]=0␍␊
t found␍␊
/sbin/l[    2.836000] APSDCapable[13]=0␍␊
an.sh: line 13: [    2.844000] APSDCapable[14]=0␍␊
killall: not fou[    2.852000] APSDCapable[15]=0␍␊
nd␍␊
/sbin/lan.sh[    2.860000] default ApCliAPSDCapable[0]=0␍␊
: line 14: killall: not found␍␊
/sbin/lan.sh: line 17: killall: not found␍␊
[    3.076000] Key1Str is Invalid key length(0) or Type(0)␍␊
[    3.088000] Key2Str is Invalid key length(0) or Type(0)␍␊
[    3.100000] Key3Str is Invalid key length(0) or Type(0)␍␊
[    3.108000] Key4Str is Invalid key length(0) or Type(0)␍␊
[    3.168000] load fw image from fw_header_image␍␊
[    3.176000] AndesMTLoadFwMethod1(2182)::pChipCap->fw_len(63888)␍␊
[    3.188000] FW Version:20151201␍␊
[    3.192000] FW Build Date:20151201183641␍␊
[    3.200000] CmdAddressLenReq:(ret = 0)␍␊
[    3.208000] CmdFwStartReq: override = 1, address = 1048576␍␊
[    3.220000] CmdStartDLRsp: WiFI FW Download Success␍␊
[    3.232000] MtAsicDMASchedulerInit(): DMA Scheduler Mode=0(LMAC)␍␊
[    3.244000] efuse_probe: efuse = 10000012␍␊
[    3.252000] RtmpChipOpsEepromHook::e2p_type=0, inf_Type=4␍␊
[    3.260000] RtmpEepromGetDefault::e2p_dafault=2␍␊
[    3.272000] RtmpChipOpsEepromHook: E2P type(2), E2pAccessMode = 2, E2P default = 2␍␊
[    3.284000] NVM is FLASH mode␍␊
[    3.292000] 1. Phy Mode = 14␍␊
[    3.460000] Country Region from e2p = ffff␍␊
[    3.468000] tssi_1_target_pwr_g_band = 35␍␊
[    3.476000] 2. Phy Mode = 14␍␊
[    3.484000] 3. Phy Mode = 14␍␊
[    3.488000] NICInitializeAsic(653): Not support rtmp_mac_sys_reset () for HIF_MT yet!␍␊
[    3.504000] mt_mac_init()-->␍␊
[    3.512000] MtAsicInitMac()-->␍␊
[    3.516000] mt7628_init_mac_cr()-->␍␊
[    3.524000] MtAsicSetMacMaxLen(1276): Set the Max RxPktLen=1024!␍␊
[    3.536000] <--mt_mac_init()␍␊
[    3.540000] ⇥    WTBL Segment 1 info:␍␊
[    3.548000] ⇥    ⇥   MemBaseAddr/FID:0x28000/0␍␊
[    3.556000] ⇥    ⇥   EntrySize/Cnt:32/128␍␊
[    3.564000] ⇥    WTBL Segment 2 info:␍␊
[    3.568000] ⇥    ⇥   MemBaseAddr/FID:0x40000/0␍␊
[    3.576000] ⇥    ⇥   EntrySize/Cnt:64/128␍␊
[    3.584000] ⇥    WTBL Segment 3 info:␍␊
[    3.592000] ⇥    ⇥   MemBaseAddr/FID:0x42000/64␍␊
[    3.600000] ⇥    ⇥   EntrySize/Cnt:64/128␍␊
[    3.604000] ⇥    WTBL Segment 4 info:␍␊
[    3.612000] ⇥    ⇥   MemBaseAddr/FID:0x44000/128␍␊
[    3.620000] ⇥    ⇥   EntrySize/Cnt:32/128␍␊
[    3.628000] EZLink: full clear mcast data!!!␍␊
[    3.636000] MCS Set = ff 00 00 00 00␍␊
[    3.668000] CmdSlotTimeSet:(ret = 0)␍␊
[    3.676000] <==== rt28xx_init, Status=0␍␊
[    3.688000] @@@ ed_monitor_exit : ===>␍␊
[    3.696000] @@@ ed_monitor_exit : <===␍␊
[    3.700000] mt7628_set_ed_cca: TURN OFF EDCCA  mac 0x10618 = 0xd7083f0f␍␊
[    3.716000] WiFi Startup Cost (ra0): 1.092s␍␊
ifconfig: ioctl 0x8914 failed: Cannot assign requested address␍␊
ifconfig: ioctl 0x8913 failed: No such device␍␊
/sbin/nat.sh: line 47: can't create /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout: nonexistent directory␍␊
/sbin/nat.sh: line 47: can't create /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: nonexistent directory␍␊
/sbin/nat.sh: line 47: iptables: not found␍␊
/sbin/nat.sh: line 47: iptables: not found␍␊
mii_mgr: ioctl error␍␊
mii_mgr: ioctl error␍␊
mii_mgr: ioctl error␍␊
mii_mgr: ioctl error␍␊
auto set envirnoment OK␍␊
/sbin/wan.sh: line 13: killall: not found␍␊
/sbin/wan.sh: line 14: killall: not found␍␊
Waiting for Wireless Events from interfaces...␍␊
enter live.sh␍␊
./live.sh: line 10: date: not found␍␊
./live.sh: line 14: umount: not found␍␊
./live.sh: line 15: umount: not found␍␊
./live.sh: line 28: grep: not found␍␊
./live.sh: line 28: grep: not found␍␊
./live.sh: line 28: df: not found␍␊
./live.sh: line 28: grep: not found␍␊
./live.sh: line 28: grep: not found␍␊
*********check the mtdblock8 writable or not***********************␍␊
./live.sh: line 28: df: not found␍␊
./live.sh: line 50: grep: not found␍␊
./live.sh: line 50: grep: not found␍␊
./live.sh: line 50: df: not found␍␊
./live.sh: line 50: grep: not found␍␊
./live.sh: line 50: grep: not found␍␊
*********check the mtdblock9 writable or not***********************␍␊
drwxr--r-x    2 0        0               0 wiimu␍␊
drwxr-xr-x    2 0        0               0 user␍␊
drwxrwxr-x    3 1000     1000            0 misc␍␊
drwxr-xr-x    2 0        0               0 data␍␊
./live.sh: line 50: df: not found␍␊
cp: c[    4.796000] led=13, on=1, off=4000, blinks,=1, reset=1, time=4000␍␊
annot stat '/system/workdir/misc/aliasr-ca.pem': No such file or directory␍␊
cp: cannot stat '/system/workdir/misc/aliasr-config.json': No such file or directory␍␊
cp: cannot stat '/system/workdir/lib/alsa': No such file or directory␍␊
cp: cannot stat '/system/workdir/misc/config': No such file or directory␍␊
cp: cannot stat '/etc_ro/ssl/certs/ca-certificates.crt': No such file or directory␍␊
killall rt2860apd 1>/dev/null 2>&1␍␊
killall -q klogd␍␊
/bin/sh: killall: not found␍␊
killall -q syslogd␍␊
/bin/sh: killall: not found␍␊
syslogd -C8 1>/dev/null 2>&1␍␊
klogd 1>/dev/null 2>&1␍␊
killall -q zebra␍␊
/bin/sh: killall: not found␍␊
killall -q ripd␍␊
/bin/sh: killall: not found␍␊
goahead set web root: /etc_ro/web␍␊
webs: Listening for HTTP requests at address 10.10.10.254␍␊
Get ENV[001]:NULL␍␊
fa_uart_OpenDevice ++ ␍␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(GNOTIFY=MCUGetVersion) ret=-1 ␍␍␊
fa_uart_OpenDevice -- ␍␍␊
mv_ioguard ready to go at 5197␍␍␊
g_platform_opt.name WiimuBox ␍␍␊
g_gpio_key_indicator[0] = 0x800␍␊
g_gpio_key_indicator[1] = 0x0␍␊
g_gpio_key_indicator[2] = 0x0␍␊
UART send: AXX+BOT+DON␍␊
 at 5198␍␊
UART send: AXX+BOT+UP0␍␊
 at 5198␍␊
UART send: AXX+MCU+VER␍␊
 at 5198␍␊
UART send: AXX+PLM+GET␍␊
 at 5198␍␊
UART recv MC at 5208␍␊
UART recv U+VER+0044& at 5212␍␊
ParseEventFormMCU event=789 0044 at 5212++␍␊
ParseEventFormMCU --␍␊
␍␊
################# WMUtil_Set_NVRAM mvProductId=UP2STREAM_AMP_2P1 #################␍␊
nvram_bufset [mvProductId = UP2STREAM_AMP_2P1 ] value is the same, no need to update␍␊
################# WMUtil_Set_NVRAM mvHardwareVersion=WiiMu-A31 #################␍␊
nvram_bufset [mvHardwareVersion = WiiMu-A31 ] value is the same, no need to update␍␊
WMUtil_Get_GenConfig USBAutoPlay==1␍␊
g_asr_remark = 1␍␊
cp: cannot stat '/system/workdir/misc/totalqueue.xml': No such file or directory␍␊
cp: cannot stat '/system/workdir/misc/keymap.xml': No such file or directory␍␊
cp: cannot stat '/system/workdir/misc/keyTrans.xml': No such file or directory␍␊
PostOldCompatible++ prompt=0, volume=0, cap1=305200, cap2=28e90b80, ssidstrategu=2, mcu_protocol_ver=0, alink_ver=0, stream=bef022e, plm=8016, type=0, i2sfmt=0 ␍␍␊
PostOldCompatible-- prompt=0, volume=80, cap1=305200, cap2=28e90b80, mcu_protocol_ver=0, alink_ver=0, stream=bef022e, plm=8016, SpotifyMode=AMP_PLATE, type=1, i2sfmt=0 ␍␍␊
[00:00:05.647] UpnPmain enter ␍␊
LoadUUid ␍␍␊
upnp uuid uuid:FF3100A2-A8A7-2229-F635-EA16FF3100A2 ␍␍␊
upnp_renderout: Could not stat '/system/workdir/misc/grender-48x48.png': No such file or directory␍␊
upnp_renderout: Could not stat '/system/workdir/misc/grender-120x120.png': No such file or directory␍␊
upnp_renderout: Could not stat '/system/workdir/misc/grender-48x48.jpg': No such file or directory␍␊
upnp_renderout: Could not stat '/system/workdir/misc/grender-120x120.jpg': No such file or directory␍␊
===iwpriv ra0 set IpBase=168430170==␍␊
registering '/upnp/rendertransportSCPD.xml'␍␊
registering '/upnp/renderconnmgrSCPD.xml'␍␊
***********DumpWifiPerferList Start******** ␍␍␊
-----------WPS Connection ------------␍␍␊
ssid  ␍␍␊
password  ␍␍␊
AuthMode  ␍␍␊
EncrypType  ␍␍␊
MemoryChannel ␍␊
-----------Router Connection ------------␍␍␊
ssid  ␍␍␊
password  ␍␍␊
AuthMode  ␍␍␊
EncrypType  ␍␍␊
MemoryChannel ␍␊
***********DumpWifiPerferList End******** ␍␍␊
registering '/upnp/rendercontrolSCPD.xml'␍␊
Upnp init ++ ␍␊
g_wiimu_shm->uuid = FF3100A2A8A72229F635EA16␍␊
gUpnpSdkNLSuuid = FF3100A2-A8A7-2229-F635-EA16FF3100A2␍␊
cp: cannot stat '/system/workdir/script/hosts': No such file or directory␍␊
cp: cannot stat '/system/workdir/script/dnsmasq.conf': No such file or directory␍␊
StartMiniServerSSDP ␍␍␊
create_ssdp_sock_v4 ipAddr 10.10.10.254 ␍␍␊
create_ssdp_sock_v4 mDNS ipAddr 10.10.10.254 ␍␍␊
[00:00:05.733] Start NTP Server ␍␊
/bin/sh: dnsmasq: not found␍␊
Upnp init -- ␍␊
/bin/sh: ntpd: not found␍␊
[00:00:05.765] enter udhcpc thread ␍␊
[00:00:05.765] mv_netguard cmdSocket_thread enter ␍␊
[00:00:05.765] BackgroundScanThread enter ␍␊
[00:00:05.766] enter netguard_flexible_thread ␍␊
dhcpd get ra0 ip address 10.10.10.254 ␍␍␊
MAC 00:22:6c:f8:5b:00 ␍␍␊
[00:00:05.767] enter check internet thread ␍␊
[00:00:05.769] Guard recv_buf GUARD_WPS_CLIENT+++++++ ␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/Requesta01controller pIn(setPlayerCmd:stop) ret=-1 ␍␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(GNOTIFY=NET_CONNECTING) ret=-1 ␍␍␊
PRIV_ENV_PRJ_NAME ret 1 buf[UP2STREAM_AMP_2P1]␍␊
PRIV_ENV_PRJ_UUID ret -1 buf[]␍␊
priv name[UP2STREAM_AMP_2P1] project name[UP2STREAM_AMP_2P1] uuid[FF3100A2]␍␊
silenceOTATime, start: -1:-1--1:-1␍␊
[00:00:05.798] gen_random_wpapsk:imozogkn ␍␊
C[    6.052000] [PMF]RTMPMakeRsnIeCap: RSNIE Capability MFPC=0, MFPR=0␍␊
ritcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(GNOTIFY=WPS_START) ret=-1 ␍␍␊
[00:00:06.099] softap_setup disable, SoundSystem_5B00, OPEN, NONE, 696D6F7A6F676B6E, hide:1 ␍␊
==notify_airplay_deregister netstat=0 delta_ts=6099␍␊
################# WMUtil_Set_NVRAM ApCliSsid= #################␍␊
nvram_bufset [ApCliSsid =  ] value is the same, no need to update␍␊
[00:00:06.100] WIFI ClearRouter ApCliSsid  ␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(NVRAM_COMMIT) ret=-1 ␍␍␊
################# WMUtil_Set_NVRAM WpsApCliSsid= #################␍␊
nvram_bufset [WpsApCliSsid =  ] value is the same, no need to update␍␊
[00:00:06.112] WIFI CleanMaster WpsApCliSsid  ␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(NVRAM_COMMIT) ret=-1 ␍␍␊
[00:00:06.183] softap_setup enable: SoundSystem_5B00 ␍␊
[00:00:06.183] WIFI 0 --> NET CONNECTING ␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(GNOTIFY=NET_CONNECTING) ret=-1 ␍␍␊
Upnp init OK␍␊
[00:00:06.274] Upnp Ready for rendering.. ␍␊
reinit ssdp ++ ␍␍␊
StopMiniServer_ssdp ++ ␍␍␊
StopMiniServer_ssdp -- ␍␍␊
StartMiniServerSSDP ␍␍␊
create_ssdp_sock_v4 ipAddr 10.10.10.254 ␍␍␊
create_ssdp_sock_v4 mDNS ipAddr 10.10.10.254 ␍␍␊
reinit ssdp --␍␍␊
[00:00:06.322] Guard recv_buf------------ ␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(LEDTest) ret=-1 ␍␍␊
A01controller recv_buf EasyLinkResponseStop +++++++␍␍␊
rm: cannot remove '/tmp/easylink_enable': No such file or directory␍␊
A01controller recv_buf ----------------␍␍␊
Critcal>>>>>>>>>>>>>>>>>>>>>>>> UnixSocketClient_Init /tmp/RequestIOGuard pIn(GNOTIFY=NET_MISS_ROUTER) ret=-1 ␍␍␊
[00:01:06.348] WIFI 3 --> NET DOWN ␍␊
A01controller recv_buf NET_DISCONNECTED_SSID +++++++␍␍␊
A01controller recv_buf ----------------␍␍␊

[eNBeWe]

After booting Module 2 the web interface is broken

Partition data:

# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 01000000 00010000 "ALL"
mtd1: 00030000 00010000 "Bootloader"
mtd2: 00010000 00010000 "Config"
mtd3: 00010000 00010000 "Factory"
mtd4: 00200000 00010000 "bkKernel"
mtd5: 0012027d 00010000 "Kernel"
mtd6: 00a0fd83 00010000 "RootFS"
mtd7: 00b30000 00010000 "Kernel_RootFS"
mtd8: 00080000 00010000 "user"
mtd9: 00200000 00010000 "user2"

[eNBeWe]

Board 1

Even after soldering to the trace on the board I can't get any serial output from the module. I THINK I should get data, but there seems to be nothing ...

[hn]

There is no obvious difference between the two boards (and also my board: https://github.com/hn/linkplay-a31/blob/main/linkplay-a31-pcb-front.jpg).

I think you fried board 1 somehow, maybe one can check later to revive it.

Board 2 has the same CPU (even the same revision) as mine:

THIS IS ASIC
Linux version 2.6.36+ (wiimu@wiimu-build-1) (gcc version 3.4.2) #1 Sun Feb 5 10:24:56 CST 2017

The CPU feqenuce set to 575 MHz

MIPS CPU sleep mode enabled.
CPU revision is: 00019655 (MIPS 24Kc)

The flash chip is the same as well.

The module should be compatible with this project. The (slight) difference in the partition table does not matter.

You need to get into the bootloader which looks like this

U-Boot 1.1.3 (Feb  5 2017 - 10:24:17)

Board: Ralink APSoC DRAM:  64 MB
relocate_code Pointer at: 83fb4000
******************************
Software System Reset Occurred
******************************
flash manufacture id: ef, device id 40 18
find flash: W25Q128BV
TOTAL_FLASH_SIZE: 16 MBytes
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
[...]
Please choose the operation:
   0: Boot system code via Flash (default).
   1: Entr boot command line interface.
   2: Load Boot Loader code then write to Flash via TFTP.
   3: Load backup system code then write to Flash via TFTP.
   4: Load system code then write to Flash via TFTP.
   5: Load system code to SDRAM via TFTP.
   6: Load user1 code then write to Flash via TFTP.
   7: Load user2 code then write to Flash via TFTP.

Check:

• Try holding the ESC key down during power-up
• Try to vary the baud rate, maybe U-boot uses a different baud rate.
• Try to call printenv (shows U-Boot args) from within the running vendor system

[eNBeWe]

The board 1 boots fine and works without issue with the default firmware. Just the serial won't play ball.

I tried all usual baud rates with board 2 without any result. I can see that the console output takes some time until it starts, so I guess u-boot is doing something. I will try printenv next.

Edit: There is no printenv in the image available

[hn]

• U-Boot config is in mtd2. Try cat /dev/mtdblock2 > /tmp/mtd2.bin and look for strings (probably starting at 0x2000 within the (binary) file). But that probably won't help much. It seems they locked down U-Boot. Hrmmm.
• Try to look for strings in mtd1 (U-Boot binary), e.g. baudrate.
• There might be a slight chance that they unintentionally mixed up U-boot and the bootloader output is redirected to UART1 (pin 24/25 of the module). Try to check for serial traffic there.

[eNBeWe]

I just tried pin 24/25 but there is nothing interesting there, just some strings that look like some internal protocol

Currently I am a bit stuck trying to get the partition data off the device. I can cat the partitions to tmp but I don't have a good way to get these files out for analysis.

[eNBeWe]

Just a thought ... Could I flash the software through mtd from the running system?

[eNBeWe]

Got some data from mtd1 and mtd2. I managed to slip these files in the http server that is running and showing the wifi-config page.

mtd1.zip mtd2.zip

(zipped, so I can attach these)

From a quick glance I see u-boot there ... but no idea how to get to it.

[hn]

but I don't have a good way to get these files out for analysis.

Configure WiFi and use curl (LD_LIBRARY_PATH=/system/workdir/lib /system/workdir/bin/curl --upload-file in this case).

Since there is no uuencode/base64 on the system, the only other (painful) way would be something like this.

Just a thought ... Could I flash the software through mtd from the running system?

It probably should work (mtd_write to mtd7, see /system/workdir/script/burnrootImage.sh). If anything goes wrong, your're lost. Better try and think about other options before doing that.

[hn]

Module 2: If you have access to an oscilloscope or logic analyzer, I would double-check again if any level change occurs on the serial TX pin before the kernel starts. An ESP8266 can also be used as a cheap replacement

Module 1: If you have access to a microscope and probe needles you might check for serial activity directly at the MT7688 UART pins.

[eNBeWe]

New findings: Module 1 is actually a different chip. It seems to be a MT7628Nn, not a MT7688. At least that is what the package marking says under the sticker. With my equipment I can't reliably probe the chip precisely enough.

Module 2 shows no activity on the TX pin before the linux kernel log (at least nothing shown on the oscilloscope).

[eNBeWe]

I flashed, I rebooted, I bricked ... I tried the image on module 2. Now it looks like I am stuck in the bootloader that I can't access. No serial output on the console and no wifi rescue point coming up. Well, I bought it so I can test stuff with it without breaking the "working" module 1.

[hn]

Module 1: If I remember correctly, these MCUs are pin- and software-compatible and differ only in WiFi capabilites:

The difference between MT7688 and MT7628: MT7688 WIFI 2.4G bgn theoretical maximum rate 150Mbps 1T1R single antenna mode MT7628 WIFI 2.4G bgn theoretical maximum rate 300Mbps 2T2R dual antenna mode

Module 2: What MCU label is under the sticker? The SPI-NOR flash probably can be read/flashed with a SOIC-8 clip (similiar to https://github.com/hn/linkplay-a31/tree/main?tab=readme-ov-file#series-2-cap806405-amplifier-board). You might be able to restore the backup of partition mtd7 (you made a backup, right?) this way. I wonder why module 2 does not boot the OpenWrt firmware (assuming you flashed it successfully). Maybe the obscure bootloader does some extra checksumming or some other magic.

[eNBeWe]

Module 2 is a MT7688AN. I might have just YOLOed it without taking a backup before. The mtd_write at least went through to 100%, so my guess would be, that it flashed.

I went through the datasheet and there doesn't seem to be a way to configure the behavior of UART0 through some of the other pins. I kind of suspected the carrier-board to do something weird, so the bootloader won't output. But I don't see any plausible pin that could cause that.

I could have checked the registers of the MCU for UART0_MODE, but since it works later in the process, I don't see how that could have changed anything.

[hn]

Module 2: U-Boot output has been silenced in code (they have intentionally removed the call to the initialization function for UART0). You can work around this by changing bytes c400 to 5c01 at offset 0x1190 of your mtd1.bin. This is just a dirty fix (it changes an offset to a jump table), but it works:

U-Boot 1.1.3 (Sep 25 2019 - 16:59:36)

Board: Ralink APSoC DRAM:  256 MB
relocate_code Pointer at: 8ffb4000
flash manufacture id: 0, device id 0 0
Warning: un-recognized chip ID, please update bootloader!
TOTAL_FLASH_SIZE: 4 MBytes
*** Warning - bad CRC, using default environment

============================================
Ralink UBoot Version: 4.3.0.0
--------------------------------------------
ASIC 7628_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Total memory: 64 MBytes
Flash component: SPI Flash
Date:Sep 25 2019  Time:16:59:36
============================================

(this is your mtd1.bin running in an emulator)

[eNBeWe]

Can I do that change through writing to the memory chip with a SOIC-8 clip? I bought one, but never used it. Can you walk me through that or should I just google it? ;)

[hn]

You'll find lots of howtos on the web with helpful pictures. In the end it comes down to something like this:

• Remove all cabling from the A31 module (no external power)
• Make sure not to put on the SOIC clip the wrong way around (search for 'W25Q128BV pinout', double-check pins of the clip)
• Backup flash contents with flashrom. I usually do this multiple times and diff the binaries -- they should be identical of course.
• Might be a problem: If you put on the SOIC clip, this may power on the MCU as well, and it will disturb communications. Then you have to silence the MCU (e.g. pull down reset pin).
• Patch dump and upload (as I said it's a dirty fix, don't know if you'll experience any side effects)
• Repower module and check U-Boot output.

[eNBeWe]

After some probing around (and learning how to use a RasPi for SPI interface) I was able to write a new rom (and read the "original" rom before).

original.zip patched.zip

I read the written data back and it matched the patched image.

Sadly, I STILL don't get U-Boot to speak to me.

[hn]

That's strange. Can you please check (e.g. with a scope) that there is really 'nothing' -- maybe the baud rate is wrong, I would not see that in the emulator.