I have a favorite cheap chinese router based on RT5350 (running OpenWRT).

Recently, I was wondering, why I can’t get WiFi on a few of them working. I have one piece running quite old (4xxx svn) OpenWRT where the WiFi works OK. So I tried to compile exactly the same version and install it on the non working piece. I also put the same wifi config there but nothing. It didn’t work.

Then I made a full flash backup from the working device and installed it to the non-working one and WOW! Wifi worked. So I started to compare the freshly compiled image with this backup.

First, I compared installed packages and they were the same versions. Then I tried to compare the whole filesystem with diff.

Different wifi modules were suspicious:

Binary files squashfs-root/lib/modules/3.10.36/cfg80211.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/cfg80211.ko differ
Binary files squashfs-root/lib/modules/3.10.36/gpio-button-hotplug.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/gpio-button-hotplug.ko differ
Binary files squashfs-root/lib/modules/3.10.36/mac80211.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/mac80211.ko differ
Binary files squashfs-root/lib/modules/3.10.36/rt2800lib.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/rt2800lib.ko differ
Binary files squashfs-root/lib/modules/3.10.36/rt2800soc.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/rt2800soc.ko differ
Binary files squashfs-root/lib/modules/3.10.36/rt2x00lib.ko and ../postrekovac/squashfs-root/lib/modules/3.10.36/rt2x00lib.ko differ

I spent quite a lot of time checking wifi module sources but that was a dead end.

Then I realized, I didn’t see any of the files I created on the device manually.  OpenWRT uses JFFS2 overlay partiton which holds changed files. So I listed contained files like this:

$ binwalk termo.fw

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x55F32751, created: 2015-01-17 12:31:03, image size: 981934 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x261036D0, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
64            0x40            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 2903476 bytes
981998        0xEFBEE         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1991008 bytes, 749 inodes, blocksize: 262144 bytes, created: 2015-01-17 12:31:01
3014656       0x2E0000        JFFS2 filesystem, little endian
$ dd if=termo.fw of=termo.jffs bs=1 skip=3014656
851968+0 records in
851968+0 records out
851968 bytes (852 kB, 832 KiB) copied, 1.14645 s, 743 kB/s
$ jffs2reader termo.jffs
-rw-r--r-- 1    0        0              404 /wireless
drwxr-xr-x 1    0        0                0 /thermostat/
lrwxrwxrwx 1    0        0               12 /thermostat/curTemp  -> /tmp/curTemp
-rw-r--r-- 1    0        0                0 /thermostat/temp
lrwxrwxrwx 1    0        0               28 /thermostat/heating  -> /sys/class/gpio/gpio20/value
-rwxrwxrwx 1    0        0              679 /thermostat/thermostat.sh
-rwxr-xr-x 1    0        0               82 /thermostat/thermo-loop.sh
lrwxrwxrwx 1    0        0               13 /thermostat/lastData  -> /tmp/lastData
lrwxrwxrwx 1    0        0               12 /thermostat/history  -> /tmp/history
-rw-r--r-- 1    0        0                0 /thermostat/settings
-rw-r--r-- 1    0        0                0 /thermostat/histp
drwxr-xr-x 1    0        0                0 /etc/
---------- 1    0        0              115 /etc/shadow-
-rw------- 1    0        0              153 /etc/shadow
---------- 1    0        0              190 /etc/passwd-
-rw-r--r-- 1    0        0              190 /etc/passwd
drwxr-xr-x 1    0        0                0 /etc/init.d/
-rwxr-xr-x 1    0        0               83 /etc/init.d/thermostat
lrwxrwxrwx 1    0        0               18 /etc/init.d/client  -> (overlay-whiteout)
-rw-r--r-- 1    0        0                0 /etc/ethers
drwxr-xr-x 1    0        0                0 /etc/uci-defaults/
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/01_leds  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/02_network  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/12_network-generate-ula  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/09_fix-seama-header  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/10_migrate-shadow  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/odhcpd.defaults  -> (overlay-whiteout)
lrwxrwxrwx 1    0        0               18 /etc/uci-defaults/11_migrate-sysctl  -> (overlay-whiteout)
drwxr-xr-x 1    0        0                0 /etc/config/
-rw-r--r-- 1    0        0             3887 /etc/config/firewall
-rw-r--r-- 1    0        0              134 /etc/config/dropbear
-rw-r--r-- 1    0        0              863 /etc/config/dhcp
-rw-r--r-- 1    0        0              797 /etc/config/network
-rw-r--r-- 1    0        0              422 /etc/config/system
-rw-r--r-- 1    0        0              413 /etc/config/wireless
-rw-r--r-- 1    0        0              645 /etc/config/uhttpd
drwx------ 1    0        0                0 /etc/dropbear/
-rw------- 1    0        0              458 /etc/dropbear/dropbear_dss_host_key
-rw------- 1    0        0              805 /etc/dropbear/dropbear_rsa_host_key
-rw-r--r-- 1    0        0              117 /etc/wpa_supplicant.conf
drwxr-xr-x 1    0        0                0 /etc/rc.d/
lrwxrwxrwx 1    0        0               20 /etc/rc.d/S98thermostat  -> ../init.d/thermostat
-rw-r--r-- 1    0        0                0 /etc/httpd.conf
drwxr-xr-x 1    0        0                0 /lib/
drwxr-xr-x 1    0        0                0 /lib/firmware/
-rw-r--r-- 1    0        0              512 /lib/firmware/soc_wmac.eeprom
drwxr-xr-x 1    0        0                0 /www/
-rw-r--r-- 1    0        0               95 /www/index.html
-rw-r--r-- 1    0        0               22 /www/index.lua
drwxrwxrwx 1    0        0                0 /www/cgi-bin/
-rwxrwxrwx 1    0        0             1093 /www/cgi-bin/page.cgi
-rwxrwxrwx 1    0        0               27 /www/cgi-bin/index.cgi
-rw-r--r-- 1    0        0              736 /www/cgi-bin/ignal
-rwxr-xr-x 1    0        0                0 /www/cgi-bin/temp.cgi
-rw-r--r-- 1    0        0                0 /www/style.css
drwxr-xr-x 1    0        0                0 /root/
-rw-r--r-- 1    0        0              672 /root/test.lua
drwxr-xr-x 1    0        0                0 /bin/
-rwxr-xr-x 1    0        0             4096 /bin/dht

Here I spotted one file:

-rw-r--r-- 1    0        0              512 /lib/firmware/soc_wmac.eeprom

Also, this file is mentioned in /etc/config/wireless so I googled it a bit and found this link (https://forum.openwrt.org/viewtopic.php?id=59349). It is about mtd2 which should hold some factory data.

Solution

Then I realized, that when I was writing bootloader directly to the SPI flash of my device (like in the picture), I’ve had erased the whole chip, so now there are zeroes instead some factory settings like MAC address etc.

So my solution was to compile latest OpenWRT with following patch to allow writing to mtd2 (it’s read-only by default, tip from here: https://forum.openwrt.org/viewtopic.php?id=47342):

--- a/target/linux/ramips/dts/A5-V11.dts
+++ b/target/linux/ramips/dts/A5-V11.dts
@@ -77,7 +77,6 @@
                factory: partition@40000 {
                        label = "factory";
                        reg = <0x40000 0x10000>;
-                       read-only;
                };
 
                partition@50000 {

I installed and booted the new image, then I took the soc_wmac.eeprom and wrote it to /dev/mtd2 using mtd tool, rebooted and wifi started to work!

Hope it helps!