Not working on U-Boot 2017.07-RELEASE-g78ed34f31579 (Sep 29 2017 - 07:43:44 -0700)

[0xFelix]

Seems like Cisco blocks the old method of getting a serial prompt in this uboot version?

The ubootwrite.py script is sending xyzzy, but no prompt appears.

Maybe CONFIG_AUTOBOOT_STOP_STR was changed?

Where can one obtain the latest GPL sources of Meraki's uboot?

[antonical]

Hopefully someone are able to fix it, sooner or later...

No clue what you're talking about, there is already a fix mentioned since quite a while. I doubt that someone will invest more time if there is already a fix. Considering that the OpenWRT implementation is also not fully functional there's no real point in my opinion to spend more time on finding a better way to install it.

I must have missed it then. I cannot find any way to flash these with OpenWRT if they have the 2017.07 version of U-Boot on them. If you know of a way maybe you could share it!

Tony

[kitor]

As it was mentioned a couple of times, this is NAND. This means you have to include wear leveling factor. As I understand, @alexsie48 took a nand dump in external programmer, thus in theory if you burn that into your flash (again considering wear leveling, I'm not sure how it's handled there) this may work.

I recently by accident got two non-working mr33s (orange led flashing: protip, there was shorted diode next to power input, PSU was acting werid due to short; it was booting fine on PoE), which happened to have old uboot, so a few days ago I replaced my still licensed unit with OpenWRT one. And, as expected, licensed / running one have new uboot...

Unfortunately I don't have any nand programmer on hand, so I guess I'm also waiting for report from "the brave person" that will try it first :)

[HombreTriton]

You got it! https://drive.google.com/file/d/1QpTB6-QqDuyeMJ1ssaXxYs5zhspUaA-N/view?usp=sharing Heres the link to the 2016 NAND Dump of the mr33. Hope this helps!

Hello! I flashed your bin to the nand of a updated mr33 using my RT809H. The flash process verify correctly but my Meraki not boot, is in orange led.

I checked the soldier points and I don't any fail.

I really don't understand what is happening

[Flole998]

Was it booting right before you flashed it or was there an issue before aswell?

[HombreTriton]

Was it booting right before you flashed it or was there an issue before aswell?

Yes, it booted perfectly before

[satis4action]

please do the reset with button, before starting with a new flash content

[HombreTriton]

please do the reset with button, before starting with a new flash content

Sadly not work for me

[mveplus]

please do the reset with button, before starting with a new flash content

Sadly not work for me

If you have saved your original dump of your NAND chip, flash it back and check if it's booting? From experience most problems I had with physical de-soldering/read/verify/write/verify were bad joints in the TSSOP socket or after returning to the PCB a pin or two not soldered/bad/short contact on the first/second re-flow. If it happens for a device to not boot then I'm using a drag soldering technique and good solder paste, low melting point solder and wick if needed, clean with IPA inspect each pin under microscope or similar.

[fservida]

I pulled a copy of the NAND from mine (new bootloader) and comparing to the one posted by @alexsie48 it seems to me that the NAND pages are divided in 512bytes partial-pages, each followed by 16bytes of spare. The image posted seem to have been "cleaned", but the part removed was the last 64 bytes of each page instead of the 4x16 "partial-spares", thus why direct reflashing may not work.

@alexsie48 would you be able to check this and maybe provide a new dump for the 2016?

[mveplus]

@fservida you may want to check this one, no guarantee of any sorts

[fservida]

@fservida you may want to check this one, no guarantee of any sorts

thanks, looking at yours, we have pretty much the same result, you have the same ECC pattern and raw size. However I see that it is also a 2017 U-Boot, do you have a dump of the old one by any chance?

[ziswiler]

I've tried even unsoldering the flash chip, but without success - looks like it's glued and then soldered.

So the only idea I've got is clamp on tsop-48 (https://www.aliexpress.com/item/32838230005.html?spm=a2g0s.9042311.0.0.27424c4dsE1VcC) and then writing old uboot.

I don't think so. We just de-soldered 4 pieces without any much of an issue. Just make sure to use some thin metal to slip under the chip/pins while doing it. At least my four pieces definitely had no glue or anything, just regular soldered TSOP48.

[ziswiler]

Then what we did is using an i.MX 6ULL based system with a TSOP48 socket to first dump the flash from a "golden" aka U-Boot 2012.07-g97ab7f1 device as follows:

nanddump --file=mtd0.dump --noecc --oob /dev/mtd0

Of course, I made sure using the same MTD layout as the MR33 plus continued dumping MTD0 to MTD9. Before, I actually verified on two devices both running OpenWrt that their partitions MTD0 to MTD9 were exactly the same. The only partition which contains device-specific information is indeed the ART partition MTD10. Leave that one alone!

Then, after swapping the NAND part with one from an U-Boot 2017.07-RELEASE-g78ed34f31579 device, one first has to erase them blocks e.g. as follows:

flash_erase /dev/mtd0 0 0

And then just flashing back the old one as follows:

nandwrite --noecc --oob /dev/mtd0 mtd0.dump

Again, continuing this from MTD0 to MTD9. And that's it. After soldering them NANDs all back into place we had 3 "new" units converted to "old" U-Boot which accepted the regular OpenWrt installation without the slightest hiccup.

Thanks, guys, for all the suggestions in this thread!

[usbjtag]

I just got MR33 and hook up the u-Link NAND with the 360 clip. It can easily read flash. However this device has the U-Boot 2017.07-RELEASE-g78ed34f31579 (Sep 29 2017 - 07:43:44 -0700). I need a dump (with ECC) from 2016. I should be able to make a video showing how to put openwrt on it soon.

[usbjtag]

I think all we need is the backup of a u-boot sector (with ECC) from a working MR33 with openWRT and we are ready to do.

[usbjtag]

@mveplus your backup has the latest u-boot.

[usbjtag]

@riptidewave93 can we know the physical location of openwrt firmware (part.safe in ubi) so we can directly program to it to avoid the installation process?

[ziswiler]

I don't think that location/offset is the same across different units. That's also why he left this open in the original installation guide.

[usbjtag]

I confirm that replace u-boot allows to use the serial port to the rest of the work. But I am hopping to make the step even simpler. I will soon make a video. In the meantime I noticed the PCB is very hot (around 12V area) and make the system less stable. I used a fan while doing the steps in the guide.

[usbjtag]

I have created video to program the OpenWRT on MR33. https://youtu.be/8nCkiAG1Dsw. Only need to replace the u-boot (if you decide to manually install you can skip the ubi portion) and ubi.

[tomczis]

Could you upload u-boot and ubi ?

[usbjtag]

https://www.usbjtag.com/filedownload/mr33ubootandubi.php

[tomczis]

Thank you

[satis4action]

Thank you!

[exetico]

One person posted this on Reddit: https://www.reddit.com/r/Cisco/comments/le3nxw/i_wrote_a_guide_on_flashing_cisco_meraki_mr33/?utm_source=share&utm_medium=ios_app&utm_name=iossmf

But the U-Boot issue are still the real problem, right?

In other words: No custom software to me, due to U-Boot 2017.07, right?

Maybe I just missed the latest progress and options, related to this?

I'm just asking to be 100% sure.

[Hurricos]

OP's guide assumes old, unlocked U-boot -- 2016 or before.

There are comments in this issue describing how to replace U-boot by attaching to the NAND directly with a TSOP-48 connector and driving the writes using a flashcat. By doing so you can revert to an older copy of U-boot without desoldering.

The video it links to is https://youtu.be/8nCkiAG1Dsw.

A complete image of the MR33's NAND flash with said older copy is available above. I've copied the 2017 and 2016 NAND dumps and created a torrent for them with BTIH ce525e5c751cb77a7f89a2a7e076126bb4c0dd84 (yielding this magnet link).

[exetico]

That's GREAT! Thanks.

[exetico]

Yesterday I was a bit too exised, and didn't relaise that I've already watched the video 🙃.

@Hurricos : Where can I buy the TSOP-48 connector and programmer needed, without paying too much? It looks a bit expensive, where I can find it (I own simple BIOS programmers, and other things like that - buy sadly nothing to connect to a NAND flash).

[ray0189]

hi guys is there a way to install OpenWRT without using the nad reprogramme as I don't have the money to buy one and

[Flole998]

There is a risk to bricking the access point, so if you can't afford a nand programmer it would be even worse if the access point is bricked.

[ihyoudou]

Hello, I wonder - does uboot from 2012 check nand model/ID? Would it be possible to use diffrent NAND chip with the same specifications as original? I don't know anyone with nand programmer (i only have raspi1B so this can be my secound route) but I found a offer with MT29F1G08ABADAWP NAND chip which can be programmed by seller with image that I provide.

Thank you in advance!

[chunkeey]

@usbjtag thank you! I was able to replicate the success (replacing a 2017.07 uboot with 2012.07). I went on eBay and bought a used, but fully soldered and tested PS3/xBow/WII Teensy++ 2.0 flasher. And I can confirm: it worked and the device now reports:

U-Boot 2012.07-g97ab7f1 [local,local] (Oct 06 2016 - 13:07:25)

DRAM:  242 MiB
machid : 0x8010001
Product: meraki_Stinkbug
NAND:  ONFI device found
128 MiB
Using default environment
...

Some of my findings:

Make sure you get the NANDway Single Chip setup and that TSO48 360-Clip. It was pretty much "plug and play". As you said, there's no need to do any soldering. Just leave the MR33 unplugged and connect the clip (the LED will light red, but that's OK!). the Teensy is able to provide enough power to read and flash the chip.

0. The first thing to do is to flash the latest 0.65 firmware to it (I used NANDway_SignalBoosterEdition.hex ). This is easily done with their included GUI/Software. Just follow their extensive README and guides. https://github.com/hjudges/NORway/blob/master/NANDway_README.txt

1. Get python2.7 + old python-serial (these will also be required for the old ubootwrite utility.)

2. Open up the MR33 and connect the TSO-Chip and then plug in the connected Teensy++ 2.0 to your PCs USB to check it out

   My initial handshake looked like this:

   NORway-master# python2.7 ./NANDway.py /dev/ttyACM0 0 info NANDway v0.65 - Teensy++ 2.0 NAND Flasher for PS3/Xbox/Wii (Original NORway.py by judges judges@eEcho.com) (Original noralizer.py by Hector Martin "marcan" hector@marcansoft.com)

   Pinging Teensy... Available memory: 3776 bytes

   NAND0 information: Raw ID data: 0xc2 0xf1 0x80 0x95 0x02

   NAND chip manufacturer: unknown (0xc2) NAND chip type: unknown (0xf1)

   NAND size: 8 MB NAND plus RAS size: 8 MB Page size: 2048 bytes Page plus RAS size: 2112 bytes Block size: 131072 bytes Block plus RAS size: 135168 bytes RAS size: 64 bytes Plane size: 8388608 bytes Pages per block: 64 Number of blocks: 64 Number of pages: 4096 Number of planes: 1 Bus width: 8-bit

Only 8 MiB of the full 128 MiB seemed to be accessible?!. Still the numbers (PageSize,BlockSize,...) all matched the expected values from the NAND-Chip. So I pushed on with the next step...

4. Do a "full" dump of the 8 MiB

That Dump is needed to provide "padding" in the next steps.

NORway-master# python2.7 ./NANDway.py /dev/ttyACM0 0 dump full.bin
NANDway v0.65 - Teensy++ 2.0 NAND Flasher for PS3/Xbox/Wii
(Original NORway.py by judges <judges@eEcho.com>)
(Original noralizer.py by Hector Martin "marcan" <hector@marcansoft.com>)

Pinging Teensy...
Available memory: 3776 bytes

NAND0 information:
Raw ID data: 0xc2 0xf1 0x80 0x95 0x02

NAND chip manufacturer: unknown (0xc2)
NAND chip type:         unknown (0xf1)

NAND size:              8 MB
NAND plus RAS size:     8 MB
Page size:              2048 bytes
Page plus RAS size:     2112 bytes
Block size:             131072 bytes
Block plus RAS size:    135168 bytes
RAS size:               64 bytes
Plane size:             8388608 bytes
Pages per block:        64
Number of blocks:       64
Number of pages:        4096
Number of planes:       1
Bus width:              8-bit

Dumping...
8448 KB / 8448 KB 
Done. [0:01:13.443255]

Then I looked into the "full.bin".... and it was 100% OK (for just being 8 MiB)!

5. Prepare the flash image by replacing the uboot in the "full.bin"

   The first thing to do is to get the ubootmr332012.bin from the mr33.zip. This ubootmr332012.bin contains the whole 2 MiB, but only the first 660 KiB are needed. One issue with the NANDway.py flasher is that the offset and length are in HEX and have the unit of BlockSize+RAS (=135168 = 0x21000 = 132KiB). If this isn't the case it will Error: expecting file size to be a multiplication of block+ras size: 135168.NANDway.pyalso expects that the filesize of the file we flash has atleast the size of (offset+length)*(BlockSize+RAS). Since we just want to flash the Uboot at0x700000(0x738000` with OOB) we need to pad the file and use the "full.bin" for this.

   Anyway to prepare the "flash-image" I did the following: Used the "full.bin" dump to pad the the uboot332012.bin (only the first 660KiB of the file are needed) image to create my newflash-mr33.bin file for the next step

   dd if=full.bin bs=$((0x738000)) count=1 > newflash-mr33.bin; dd if=ubootmr332012.bin bs=132k count=5 >> newflash-mr33.bin

   For reference the sha256sum of that file was:

   2f9e02bce8a499cd69ed50041469967e6933cd1a0173edee6216749c712fb60f newflash-mr33.bin

6. Flash the MR33

   Now for the flashing, I'm only interested in offset 0x38 blocks ( = 0x700000 / 0x738000) with size of 0x5 (640 KiB / 660 KiB)

   NORway-master# python2.7 ./NANDway.py /dev/ttyACM0 0 vwrite newflash-mr33.bin 38 5
   NANDway v0.65 - Teensy++ 2.0 NAND Flasher for PS3/Xbox/Wii (Original NORway.py by judges judges@eEcho.com) (Original noralizer.py by Hector Martin "marcan" hector@marcansoft.com)

   Pinging Teensy... Available memory: 3776 bytes

   NAND0 information: Raw ID data: 0xc2 0xf1 0x80 0x95 0x02

   NAND chip manufacturer: unknown (0xc2) NAND chip type: unknown (0xf1)

   NAND size: 8 MB NAND plus RAS size: 8 MB Page size: 2048 bytes Page plus RAS size: 2112 bytes Block size: 131072 bytes Block plus RAS size: 135168 bytes RAS size: 64 bytes Plane size: 8388608 bytes Pages per block: 64 Number of blocks: 64 Number of pages: 4096 Number of planes: 1 Bus width: 8-bit

   Writing... Writing 5 blocks to device (starting at offset 38)... 660 KB / 660 KB

   Done. [0:00:12.824139]

And I was done! :)

I'll be looking into making a new uboot-mr33 image that could be used instead of ubootmr332012... So it will have a unlocked prompt from the get go and there won't be any reason to upload the uboot through serial. This would also have the advantage that I can host my own creation without having to worry about Cisco taking it down.

[Flole998]

@chunkeey Awesome, I think with the new uboot Image this device might actually become interesting again, especially if the few small bugs that still exists are fixed (like the VLAN issue for example).

[ray0189]

@chunkeey is it possible for you to make a video or in-depth instructions so we can do this it would be nice

[Leo-PL]

I managed to bring up another device using NAND method, this time using FT2232 as a programmer: https://spritesmods.com/?art=ftdinand&page=2

I had to merge write support for the software from here: https://github.com/ohjeongwook/NANDReader_FTDI and fix two compile warnings, and then erase the needed regions a few times, and write them a for a few times again, in order for verification to pass. I plan on writing more robust write support in my fork, with possibility of separate erase, and overwriting only changed data. I could not get https://github.com/ohjeongwook/dumpflash to work either because of https://github.com/ohjeongwook/dumpflash/issues/31 - I see that someone was probably fiddling with MR33 too - mine had the exact same NAND as in that issue.

@kitor i think you might want to pick up my programmer to try it on your remaining device ;-)

[dmascord]

This process worked for me, for a device that originally had 2017.x, flashed in the 2012.x uboot, and used the "normal" installation instructions to flash OpenWRT.

I used the TL866II plus after desoldering the NAND - http://www.autoelectric.cn/en/tl866_main.html

It worked pretty well after I straightened the pins (bent a bit while desoldering :|). Their software has a partitioning mode, so can set the blocks for the uboot, read off the whole flash, replace the uboot partition bin with the 2012 one, and flash back the whole flash. (Flashing without erasing the whole NAND wasn't reliable).

[exetico]

I guess the answer is "no", but I'll try anyway: Has anyone tried to use the E3 FLASHER? (Created to flash the PS3 NAND-chip) Or are the two chips incompatible with each other? I just noticed that the PS3 have 48 pins, too?

I need pick up a newTL866II Plus, or borrow the ES FLASHER from a friend.. And if the E3 FLASHER was an option, I would definitely like to use that, instead of spending money on a new programmer.

Else, I think I'll pick up this and this. Please let me know, if I've found the wrong items.

[chunkeey]

I guess the answer is "no", but I'll try anyway: Has anyone tried to use the E3 FLASHER? (Created to flash the PS3 NAND-chip) Or are the two chips incompatible with each other? I just noticed that the PS3 have 48 pins, too?

I need pick up a newTL866II Plus, or borrow the ES FLASHER from a friend.. And if the E3 FLASHER was an option, I would definitely like to use that, instead of spending money on a new programmer.

Hmm, my used PS3/xBow/WII Teensy++ 2.0 flasher from eBay was shipped in a little black Box label "E3 NOR Clip Suit". If your nandflasher board looks like this: https://www.pjrc.com/store/teensypp.html , you should be able to follow the instructions I posted here: https://github.com/riptidewave93/LEDE-MR33/issues/13#issuecomment-802309974

Cheers

[exetico]

I guess the answer is "no", but I'll try anyway: Has anyone tried to use the E3 FLASHER? (Created to flash the PS3 NAND-chip) Or are the two chips incompatible with each other? I just noticed that the PS3 have 48 pins, too? I need pick up a newTL866II Plus, or borrow the ES FLASHER from a friend.. And if the E3 FLASHER was an option, I would definitely like to use that, instead of spending money on a new programmer.

Hmm, my used PS3/xBow/WII Teensy++ 2.0 flasher from eBay was shipped in a little black Box label "E3 NOR Clip Suit". If your nandflasher board looks like this: https://www.pjrc.com/store/teensypp.html , you should be able to follow the instructions I posted here: #13 (comment)

Cheers

Interesting. The E3 Flasher looks like this. As you can see, it's an all-in-one product. But... Maybe it's still an option to use it? 🤔I just think that there's sadly too many logics build into the E3 Flasher today, made specific for the PS3.

If someone from Denmark are listening. Fell free to DM me, if you have the hardware nedded 👍😁...

[dmascord]

I have ordered an E3 flasher clip, so hopefully in two-ish weeks I will have it to try it out. You might need something like https://docs.zeigren.com/books/flashcatusb-clip-adapters/page/tsop56-nor-e3-%28type-a%29-adapter to connect to it.

https://docs.zeigren.com/books/flashcatusb-clip-adapters/page/troubleshooting#bkmrk-e3-nand-clip-extra-c for more information on using the E3 NOR clip to read random NAND chips...

[exetico]

How did it go, @dmascord ? :-)

[dmascord]

HI,

The clip arrived, but I need to get the connector and build an adaptor for it. Definitely looks like it should work.

Cheers,

Damien

---

From: Tobias Nordahl Kristensen @.> Sent: Friday, August 20, 2021 7:57:36 PM To: riptidewave93/LEDE-MR33 @.> Cc: Damien Mascord @.>; Mention @.> Subject: Re: [riptidewave93/LEDE-MR33] Not working on U-Boot 2017.07-RELEASE-g78ed34f31579 (Sep 29 2017 - 07:43:44 -0700) (#13)

How did it go. @dmascordhttps://github.com/dmascord ? :-)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/riptidewave93/LEDE-MR33/issues/13#issuecomment-902579630, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AANX3Q4DATHHMEUOEZWKQOTT5YRJBANCNFSM4GMEISRQ. Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email.

[tamirhad]

Hey everyone, just bought the 360clip+tennsy++2.0. sorry for the noob question(didnt flash Nand before). this is how i suppose to connect everything? https://github.com/hjudges/NORway/blob/master/NANDway_Installation/NANDway-SignalBoosterEdition-to-UNI-48-Clip.jpg I have a confusion with the power connections(I will be using the teensy with onboard regulator): for VCC: the 360clip gets its 3.3v from external source via pins 12+37? should i connect them both or just single one of them? can i get it directly from teensy board? for GND: according to the image the 360 clip should be sharing his GND with teensy, how can i get GND from the teensy? thanks!

[mveplus]

Hi all,

If anyone has the time to compile a custom u-boot for mr33, and do not want to risk its device and deal with de/soldering or have no access to programmers, ping it here I can flash it and test it. I did turn my second unit in dev board ;), with an easy NAND flash swap socket:

Cheers,

[Leo-PL]

I noticed, that despite the flash layout has a backup partition for U-boot, Cisco didn't make use of it, and U-boot is only found in the first copy. Despite being upgraded in unattended way by stock firmware!

@mveplus, could you please check, what would happen if U-boot is written only to the backup partition? With such setup, I'm keen on porting this: https://github.com/gl-inet/uboot-ipq40xx for MR33.

OT: I also bought this type of socket for TSPO48, but haven't soldered it in so far. I had quite hard time dealing with ones for SOP8W and SOP16W - it's hard not to melt the plastic on them.

[mveplus]

@Leo-PL while I was playing with it I've noticed that too! While I was figuring out the NAND layout and looking to overwrite my original dump with @usbjtag u-boot dump the first two three times I actually overwrote the backup instead of the primary one, the device was dead silent on the console and not booting at all; led to constant red, but I may have not got the boundaries correct I'll try again over the weekend. The idea for the u-boot web flash and recovery is good ;), I've seen it on other u-boot devices.

OT: I also bought this type of socket for TSPO48, but haven't soldered it in so far. I had quite hard time dealing with ones for SOP8W and SOP16W - it's hard not to melt the plastic on them. I bought two of these and it's very hard to solder it as socket pins are under the plastic, my JBC soldering tips that could reach under could not deliver enough heat to some of the pads&pins to solder it right; I had to use only hot air and isolate the exposed socket plastic with thermal tape, but still melted part of the socket but worked at the end. I actually scrwed up the first socket on the first try ;( I would not try this again without preheating the PCB on the bottom while working on it.

[tamirhad]

@chunkeey, can you please elaborate on the voltage connections? did you used regulator? bought teensy2.0++ with 360 clip and followed this connection diagram: https://github.com/hjudges/NORway/blob/master/NANDway_Installation/NANDway-SignalBoosterEdition-to-UNI-48-Clip.jpg used voltage regulator and cut the 5v trace, connected 3.3v to 12+37 pins and no luck, getting: "Error reading size of NAND" :(

[chunkeey]

I bought it from eBay pre-assembled/soldered. The .jpg with the schematic you posted looks like the same setup the seller did. But there's a wire on the backside on the +5v running to somewhere else on the board. The previous owner applied some black tape that went gunky on the backside pcb. From what I can tell it's there to isolation on the backside. I can't tell you exactly to what it's connected due to the gunkyness (and I don't want to rip it apart). But the the multimeter reads +3.26v when measured on that +5v pin.

As for "Error reading size of NAND". Mine also reports the wrong NAND size. It says it's "8 MiB". But this was good enough because the bootloader is within the first 8 MiB.

[cristian-calin]

Hi Guys.

I can get a cheap used MR33 (about $35) from a local classified ads website. The owner does not know what U-Boot version the MR33 has, but it told me that the device was last time connected to the internet about 2 years ago.

Do you think it's worth the risk of getting this one? Can I read the U-Boot version from this device using a Raspberry Pi 2 Model B connected to the MR33 serial pins as outlined in this article? If so, what is the command for this? Thank you!

[Leo-PL]

@cristian-calin Be wary. this device is old enough to have the updated U-boot to the point, that procedure from the article will kill it permanently by burning secure boot fuses. You'll likely need to go through the hoops of modifying NAND flash conents directly. Edit: I remember posting a comment on the author's page about that, and it strangely never went through the moderation. In the first comment, which did, the author didn't seem to have caught the real message.

BTW. Does anyone here have such a broken unit, and could desolder the main SoC? I'd like to trace out, where JTAG and USB lines go. IPQ4029 just as all other Qualcomm devices expose a Sahara interface over their USB port, when launching SBL1 fails, or if you force them by pulling a specific GPIO when on-chip boot ROM executes. This is called EDL mode. This is likely used for factory programming. My suspicion for USB is on the Tag-Connect footprint on the lower part of the board.