Mikrotik RouterBoard 450G
|SoC||Atheros AR7161 rev 2 (MIPS 24Kc V7.4, Big Endian)|
|RAM||256 MiB DDR|
|Flash||Hynix NAND 512MiB 3,3V 8-bit|
|Clocks||CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz|
|Ethernet ports||5 physical, 2 on the CPU (1+4) - Gigabit|
|Extra storage||MicroSD slot on the SPI bus|
|Serial||Yes - 115000 8N1|
|JTAG||Yes, but no pins|
|Extras||1 beeper, 2 LEDs (1 programmable)|
|Power||2 power jacks (1 external, 1 internal) + Passive PoE supported on port 1 / 10-28 V|
The system comes with a proprietary bootloader called "Routerboot". There are 2 instances of it on the system, one on a read-write memory which you can upgrade to new Rooterboot versions (and maybe try some other bootloader?) and one on a read-only memory which acts as a fallback when the other instance doesn't work. This essentially makes the board pretty hard to brick.
Apart from booting from the "kernel" partition of the NAND (see below), Routerboot also supports boot over network on the 1st ethernet port (the PoE one), using either bootp (the default) or dhcp to configure itself. Unfortunately it doesn't seem to support boot from the MicroSD card.
By default the system comes with RouterOS, a proprietary linux-based operating system from Microtik.
The NAND does not have any partition table by default, it has hardcoded partitions inside the kernel driver. According to the openwrt backfire kernel, the layout is:
|0x0 - 0x00040000 (256 KiB)||"booter"||Unknown - Unreadable|
|0x00040000 - 0x00440000 (4MiB)||"kernel"||Contains the kernel|
|0x00440000-0x20000000 (508 MiB)||"rootfs"||Contains the root file system|
The default filesystem is yaffs.
The "kernel" partition
According to the 450G manual, this partition is supposed to be a 4MiB yaffs partition that contains an elf executable called "kernel" in the top level directory. However, the openwrt kernel is 3.6 - 3.8 MiB and doesn't fit together with the yaffs metadata & reserved space in 4 MiB. To circumvent that, the openwrt trunk kernel specifies a slightly different partition layout where the "kernel" partition is 6 MiB. This allows you to place a 3.8 MiB kernel inside, but in case you try to replace it with another kernel without formatting the partition, it is likely that yaffs will use some blocks beyond the 4 MiB barrier as part of its wear-leveling functionality, in which case the boot loader (Routerboot) will not be able to boot the kernel. To circumvent that, you always need to format the partition before installing a new kernel:
$ mtd erase kernel $ mount -t yaffs /dev/mtdblock5 /mnt $ cp your_new_kernel.elf /mnt/kernel $ umount /mnt
Other visible MTD devices
OpenWRT trunk also shows these partitions (extract from dmesg):
m25p80 spi0.0: pm25lv512 (64 Kbytes) spi0.0: searching for MyLoader partition table at offset 0x10000 Searching for RedBoot partition table in spi0.0 at offset 0xe000 Searching for RedBoot partition table in spi0.0 at offset 0xf000 No RedBoot partition table detected in spi0.0 Creating 4 MTD partitions on "spi0.0": 0x000000000000-0x00000000b000 : "routerboot" 0x00000000b000-0x00000000c000 : "hard_config" 0x00000000d000-0x00000000f000 : "bios" 0x00000000f000-0x000000010000 : "soft_config"
The network devices layout looks like this:
+-----------+ +-----------+ | | eth0 | | | +-------+----------5+-Eth1/PoE | | | | | AR7161 | | AR8316 +-1+-Eth2 | | eth1 | +-4+-Eth3 | +-------+0-------+-3+-Eth4 | | | +-2+-Eth5 +-----------+ +-----------+
- eth0 of the SoC is connected to the Eth1/PoE port.
- eth1 of the SoC is connected to port 0 of the AR8316 switch, which allows it to communicate with the other 4 ports, Eth2-Eth5.
- The Eth1/PoE port can be configured to act as port 5 of the switch and not to be connected on eth0 of the CPU, however this is currently only possible with RouterOS, as the open source AR8316 driver does not implement this functionality (someone needs to reverse engineer RouterOS to find out how it is done).
- Note that the AR8316 ports are not assigned to physical ports in order. Port 1 is Eth2, but port 2 is Eth5, port 3 is Eth4 and port 4 is Eth3.
- You can easily use each port as a separate interface on the OS by configuring VLANs on the switch.
Flashing with OpenWrt/DebWrt
To flash the system you need to replace both the kernel and the root filesystem, which are two different images and you need to use the command line to do this (I don't know if there is a different way...). To get to a command line you will need to boot a working OpenWrt kernel+initrd from the network.
Booting OpenWrt from the network
- Get a working OpenWrt kernel image with an embedded initramfs. To build this image, in the OpenWrt configuration you select "Target Images -> ramdisk". Make sure to use OpenWrt trunk (kernel >= 2.6.39) and not the stable version, backfire. Backfire's kernel has a different memory layout (as explained above) and is not suitable for this job. OpenWrt will build a lot of images; the one you will use is "openwrt-ar71xx-nand-vmlinux-initramfs.elf", as this is the only one that RouterBoot can boot (it expects to read elf headers). Alternatively, you can download a ready working image from here.
- Setup dhcp & tftp netboot enviroment: Once you have the image, you will need to configure a tftp & dhcp server to serve it. The method to do this is out of the scope of this article.
- Connect the routerboard with rs232 and ethernet: Connect the routerboard's RS232 with your computer's RS232 using a null-modem cable. Also connect the Eth1/POE port (do not use Eth2-Eth5 as they are connected to internal switch and it is offline on bootloading) to whatever machine/network is serving dhcp & tftp. On your computer, setup a terminal emulator to get access to the serial port. A very popular one is minicom, which will work out of the box. To run it, you need to execute something like that: "sudo minicom -D /dev/ttyUSB0", where ttyUSB0 here is the serial device (assuming that you are using a usb-to-serial adapter). Note: that it will need to be run as root, unless you have access to the serial device (which is usually achieved by adding your user to the dialup group).
- Configure routerboard to use DHCP instead of BOOTP: When the setup is ready, power up the routerboard and watch the bootloader in minicom. By default routerboard will try to boot only with BOOTP protocol which is not what we want. So to change it enter the setup by pressing a key in the first 2 seconds of the bootup process.
RouterBOOT booter 2.29 RouterBoard 450G CPU frequency: 680 MHz Memory size: 256 MB Press any key within 2 seconds to enter setup.
Then you will see the setup menu where you will choose to configure boot protocol, where by pressing p you will configure the boot protcol
RouterBOOT-2.29 What do you want to configure? d - boot delay k - boot key s - serial console n - silent boot o - boot device u - cpu mode f - cpu frequency r - reset booter configuration e - format nand g - upgrade firmware i - board info p - boot protocol b - booter options t - do memory testing x - exit setup your choice: p - boot protocol
Bootloader will show you all the supported alternatives, where you will choose DHCP (if not yet done) by pressing 2
Choose which boot protocol to use: * 1 - bootp protocol 2 - dhcp protocol your choice: 2 - dhcp protocol
And finally choose to boot from ethernet and not NAND. You probably don't want everytime to boot from ethernet so you can ask bootloader to try once ethernet and on next boots use NAND. This can be done by pressing o on main menu ( boot device) and the pressing 1 ("boot Ethernet once, then NAND")
Select boot device: e - boot over Ethernet n - boot from NAND, if fail then Ethernet * 1 - boot Ethernet once, then NAND o - boot from NAND only b - boot chosen device f - boot Flash Configure Mode 3 - boot Flash Configure Mode once, then NAND your choice: 1 - boot Ethernet once, then NAND
And reboot by pressing x (exit)!
Backing up RouterOS
Before you proceed you may want to backup RouterOS.
The first thing you need to do (to be safe) is to export the license key of RouterOS using the WinBox application that can be found on the web interface of RouterOS. It's a windows application, but it runs on wine as well. When you run it, go to System -> License -> Export Key... and save the key.
The second step is to backup the NAND contents. You can do this by dd-ing the two mtd devices that we are going to format. These are /dev/mtd5 and /dev/mtd6 - kernel & rootfs, respectively. (The dd's can take a few minutes, so be patient!)
# cd /tmp # dd if=/dev/mtd5 | gzip > routeros_kernel.img.gz # dd if=/dev/mtd6 | gzip > routeros_rootfs.img.gz # scp routeros_kernel.img.gz routeros_rootfs.img.gz firstname.lastname@example.org:~/
You can use netcat instead of scp, to avoid unnecessary cpu overhead on the routeboard (ssl and compression). You do that by setting up a netcat server on your pc that will gzip the input and write output to a file. This must be done two times, one for the kernel and one for the rootfs.
user@host:~# nc -l 2000 | gzip -9 > routeros_kernel.img.gz
and you execute the following on the routerboard
root@OpenWrt:/# dd if=/dev/mtd5 | nc ip.to.my.host 2000
The same must be done for root fs, so you resetup a new server
user@host:~# nc -l 2000 | gzip -9 > routeros_rootfs.img.gz
and you execute the following on routerboard
root@OpenWrt:/# dd if=/dev/mtd6 | nc ip.to.my.host 2000
To restore it later you would just have to do the reverse - i.e. boot this OpenWrt kernel from the network, scp the images to /tmp from a remote machine, and run "zcat routeros_kernel.img.gz | dd of=/dev/mtd5" and respectively for the rootfs.
TODO: test restore!
Preparing the OpenWrt/DebWrt images
OpenWrt (and DebWrt) provides a lot of images. First of all, if you built the initramfs as well previously, you will need to rebuild OpenWrt without this option enabled, so that a normal kernel without the embedded initramfs is built. The final files that you will need to upload to the RouterBoard are the elf kernel image and the rootfs tarball, usually named "openwrt-ar71xx-nand-vmlinux.elf" and "openwrt-ar71xx-nand-rootfs.tar.gz".
# cd /tmp # scp email@example.com:/path/to/openwrt-ar71xx-nand-vmlinux.elf . # scp firstname.lastname@example.org:/path/to/openwrt-ar71xx-nand-rootfs.tar.gz . # mtd erase kernel # mount -t yaffs /dev/mtdblock5 /mnt # cp openwrt-ar71xx-nand-vmlinux.elf /mnt/kernel # umount /mnt # mtd erase rootfs # mount -t yaffs /dev/mtdblock6 /mnt # cd /mnt # tar xpzf /tmp/openwrt-ar71xx-nand-rootfs.tar.gz # cd /tmp # umount /mnt