[spearmint]

Hi All,

I was flashing ddwrt and openwrt on my MR5500. Well - I got my first brick. So far I have used wireshark as per some instructions I found on the net, and I thought I would share. I have NOT figureed out tfptd-hpa yet (I am on linux) - getting up at 0430 I am going to call it a night for now before I head off to bed.

I have not seen this published on either DDWRT or openwrt. If I can debrick this should I update the Wiki on DDWRT?

Any tips on linux for using tftpd-hpa? I do have a CH340G, not used yet. Maybe give this a shot this weekend.

Linksys MR5500
ipaddress 192.168.1.254, filename MR5500-nand-ipq5018-single.img

[spearmint]

No. Time Source Destination Protocol Length Info
546 1222.377036604 192.168.1.1 192.168.1.254 TFTP 104 Read Request, File: MR5500-nand-ipq5018-single.img, Transfer type: octet, timeout=5, blksize=1468

Frame 546: 104 bytes on wire (832 bits), 104 bytes captured (832 bits) on interface enp0s31f6, id 0
Ethernet II, Src: AtherosCommu_xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: Dell_xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.1.1, Dst: 192.168.1.254
User Datagram Protocol, Src Port: 1423, Dst Port: 69
Trivial File Transfer Protocol


from text download of wireshark

[kernel-panic69]

Thanks for the info. I'll update the Wiki once you've figured it out. Plenty of documentation "everywhere" on how to use tftpd-hpa. Kali Linux has a port of TFTPD32. P.S. you could've gotten IP information via u-boot via serial

[spearmint]

Running Linux Mint on the laptop I am using. I do have the tfptd-hpa server running. I have to figure out the nuances of it and be successful before I would call any victory.

so far so good with tftpd-hpa but waiting for the Weekend unless more things go Murphy's law on me.

[spearmint]

Request some guidance please.
Linksys MR5500
tftp failed
using CH340G and picocom
output below

I tried most of the night watching wireshark. I was able to get, only one time in hours the router to get TTY, I used aftp command on the ddwrt web page here https://wiki.dd-wrt.com/wiki/index.php/Tftp_flash

Wireshark showed a massive amount of packets sent from the 192.168.1.254 address, aftp timed out, nothing was flashed. So this failed... next step

Messed around and I finally got my CH340G figured out - I used picocom
picocom -b 115200 /dev/ttyUSB0

I was reading, and there are many conflicting write ups missing pieces of basic information I need to move forward - this is where I get lost with so many different instructions - if I may request some experienced guidance.

PICOCOM OUTPUT

$ sudo picocom -b 115200 /dev/ttyUSB0
[sudo] password for laptop:
picocom v3.1

port is : /dev/ttyUSB0
flowcontrol : none
baudrate is : 115200
parity is : none
databits are : 8
stopbits are : 1
escape is : C-a
local echo is : no
noinit is : no
noreset is : no
hangup is : no
nolock is : no
send_cmd is : sz -vv
receive_cmd is : rz -vv -E
imap is :
omap is :
emap is : crcrlf,delbs,
logfile is : none
initstring : none
exit_after is : not set
exit is : no

Type [C-a] [C-h] to see available commands
Terminal ready

Format: Log Type - Time(microstic
S - QC_IMAGE_VERSION_STRINGE_VARIANT_STRING=MAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002c5
B - 127 - PBL, Start
B - ry, Start
B - 3284 - bootable_media_detect_success, Start
B - 3288 - elf_loader_entr585 - auth_hash_seg_exit, Start
B - 98386 - elf_segs_hash_verify_entry, Start
B - 167575 - PBL, End
B - 138073 - SBL1, Start
B - 199439 - GCC [Dog Stat : 0x4
B - 207735 - - clock_init, Delta
B - 215421 - boot_flash_init, Start
Delta
B - 228628 - boot_config_data_table_init, Start
D - 4819 - boot_config_data_tab- 236558 - Boot Setting : 0xrsion:2,Platform ID:8,Major ID:4,Minor ID:0,Subtype:1
B - 249673 - sbl1_ddr_set_params, Start
B - 251259 - Pre_DDR_clock_init, Start
B - 256932 - Pre_DDR_clock_init, End
D - 220210 - QSEE Image Loaded, Delta - (523680 Bytes)
B - D - 177022 - APPSBL Image Loaded, Delta - (424484 Bytes)
B - 1314977 - QSEE Execution, Start
D - 61 - QSEE Execution, Delta
B - 1321443 - SBL1,s, 391430 us)
S - DDR Frequency, 800 MHz
S - Core 0 Frequency, 800 MHz


U-Boot 2016.01 (Jun 11 2021 - 16:34:17 +0800)

CBT U-B11.3].[CSU2])

DRAM: smem rdor = c8
Device = 22
Serial 0x22
Serial NAND device Manufature:GD5F2GQ5REYIH
Device Size:256 MiB, Page size:2048, Spare Size:64, ECC:4-bit
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC: sdhci: Node Not found, skipping initialization

PCI Link Intialized
PCI1 is not defined in the device tree
In: serial@78AF000
Out: serial@78AF000
Err: serial@78AF000
machid: 8040001
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid

Updating boot_count ... done

Hit any key to stop autoboot: 0

NAND read: device 0 offset 0x58c0000, size 0x800000
8388608 bytes read: OK
## Loading kernel from FIT Image at 44000000 ...
Bad FIT kernel image format!
ERROR: can't get kerMAC1 addr:0:11:22:33:44:55
athrs17_reg_init: complete
athrs17_vlan_config ...done
S17c eth0
Warning: eth0 MAC address

[spearmint]

Here is as far as I got tonight with the help command

IPQ5018# help
? - alias for 'help'
ar8xxx_dump- Dump ar8xxx registers
base - print or set address offset
bdinfo - print Booot from an ELF image in memory
bootipq - bootipq from flash device
bootm - boot applicatiOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
back canary
chpart - change active partition
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dcache - enable or disable data cache
devinfo - device info handling cia network using DHCP/TFTP protocol
dm - Driver model lowrgs to console
editenv - edit exectzt - execute TZT

exit - exit script
false - do nothing, unsuccessfully
fatinfile from a dos filesystem
fatls - list files in a directory (default /)
fatsize - determine a file's size
fatwrite- write file into a dos filesystem
fh part_name
flash part_name load_addr file_size

flasherase- flerase part_name

imxtract- extract a part of a multi-imagert application at address
ipq5018_mdio- IPQ5018 mdio utility commands
ipq_mon integer compare
loop - infinite loop on address range
- MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest - simple RAM read/write test
mw - NAND sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory m - send ICMP ECHO_REQUEST to n
? - alias for 'help'
ress offset
bdinfo - print Booot from an ELF image in memory
bootipq - bootipq from flash dot vxWorks from an ELF image
b from memory
canary - test sttive partition
cmp - memory compare
coninfo - print console devices and information
cpia network using DHCP/TFTP protocol
dm - Driver model low environment handling commands
erase - erase FLASH memory
exectzt - execute TZT

exit nothing, unsuccessfully
fatinfile from a dos filesystem
fatls - list files in a directory (default /)
fatsize - determine a file's size
fatwrite- write file into a dos filesystem
fdt - flattened device tree utility commands
flash - flash part_name
flash part_name mation
fuseipq - fuse QFPROM registers from memory

go - start application at addressd description/usage
i2c - I2C sub-system
icache - enable or disable instruction cache
imxtract- extract a part of a m
itest - return true/false on integer compare
loop - infinite loop on address range
- MII utility commands
mm - memory modify (auto-incrementing address)
mmc - MMC ple RAM read/write test
mw - memory write (fill)
nand - NAND sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory m - disk partition related comm- save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv - set envirfor some time
smeminfo- print SMEM FLASH information
source - minimal test like /bin/sh
tftp - boot image via network using TFTP protocol
tftpput - TFTP put command, for uploadi do nothing, successfully
tzt - load and run tzt

uart - UART sub-system
ubi - ubi commands
usb - USB sub-system
usbboot - boot from
? - alias for 'help'
ar8xxx_dump- Dump ar8xxx registers
base - print or set addard Info structure
bootelf - Boot from an ELF image in memory
bootipq - bootipq from flash device
bootm - boot application image from memory
bootp - boot image via network using BOootz - boot Linux zImage image from memory
canary - test stack canary
chpart - change active partition
cmp - memorchecksum calculation
dcache - enable or disable data cache
devinfo - device info handling cia network using DHCP/TFTP protocol
dm - Driver model lowrgs to console
editenv - edit environment handling commands
erase - erase FLASH memory
exectzt - execute TZT

exit - exit script
false - do e file into a dos filesystem
frase- flerase part_name

flegisters from memory

go - start application at address 'addr'
help - print command description/usage
i2c - ulti-image
ipq5018_mdio- IPQ5018 mdio utility commands
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secuple RAM read/write test
mw ands
pci - list and accessvironment variables
protect - mmands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv - set envirng files to a server
true - do nothing, successfully
tzt USB device
version - print monn
IPQ5018#

[lexridge]

When you get into uboot, does printenv work? All you need to do (if the same as 99.9% of all linksys routers) is change the IP to match your subnet the tftp server address (same subnet but different address) and filename it looks for, kinda like this:

setenv image factory-to-ddwrt-mx4300-r58070.img
setenv ipaddr 192.168.254.1
setenv serverip 192.168.254.15
run flashimg1|2

Is your uboot completely different from most other atheros Linksys routers?

EDIT: That should be run flashimg|flashimg2. Sorry for the typo.

[spearmint]

yes I have printenv working. I was like the dog who finaially caught the car, and I was not sure the best way to move forward since there is so many write ups. going to try today.

One of my hangup questions. How does picocom know where to pull the image.

Please allow me to recap so i can be corrected: and Thank you

* Assuming start terminal (linux mint) at the directory of the firmware image (correct? for my it is /home/user/Downloads/Router/tftp)
* picocom -b 115200 /dev/ttyUSB0
* setenv image factory-to-ddwrt-mr5500....img
* set ipaddr 192.168.254.1 (why 254 again? wireshark showed 192.168.1.254...)
* setenv serverip 192.168.254.15

Now connect ethernet correct? I assume this will transfer over ethernet to the routers LAN port...

appears I need to rename whatever I do flash to image=MR5500.img

I just downloaded r61848 for the MR5500

* run flashing 1
* run flashing 2

Also - factory or DDWRT? My intent is to get back to DDWRT to keep testing and learning.

[kernel-panic69]

Wireshark was showing the same information u-boot environment shows for TFTP server. Two different methods of recovery, the other requiring serial. And I prefer to know what the defaults were in u-boot, not what anyone decided to set.

[spearmint]

flashimg2 worked... ddwrt image.

wow thanks. time to reboot and see

[spearmint]

@lexridge & @kernel-panic69

THANK YOU!

Debricked MR5500

factory-to-ddwrt.img did not work. I kept looping from the output I saw on picocom thru the CH340.
the linksys factory image did flash with the following

tftpd-hpa server running

create a directory to store files for the firmware
example /home/user/Downloads/tftp
chmod -R 777 /home/user/Downloads/tftp

edit tftpd-hpa
sudo nano /etc/default/tftpd-hpa
# /etc/default/tftpd-hpa

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/home/user/Downloads/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure --create"

Set static IP, I used network manager and edited my wired connection to lexridge's post
setenv image FW_MR5500_1.1.2.209598_prod.img
setenv ipaddr 192.168.254.1
setenv serverip 192.168.254.15
run flashimg2

NOTE: run flashimg1 was not recognized, only run flashimg2 worked

rebooted Linksys MR5500 to factory firmware. Everything is working

_____________________________________________________________________________________________

while I had the CH340 connected on factory firmware I inserted a USB thumb drive to see the output. I know openwrt was able to get usb2 working on the MR5500. However I am not a coder so i am not sure how this translates, or what amount of wishful thinking this is. However, on factory reflashed firmware output in below.

picocom output when plugging in USB

[fwupd] status details:"ERROR: Connecting server"
add_storage_drivers ===========
[fw.sh] fwup_checked_after_boot: 0
[fwupd] status details:"ERROR: Connecting server"
[fw.sh] fwup_forced_update: 0
mountscript add sda 1 usb
[utopia][usb hotplug] Loading partition 0/1
[utopia][usb hotplug] not mounted: sda is not a partition
DRIVE_COUNT = 0, CUR_COUNT = 1, numPartitions=1, partitionCnt=0
mountscript add sda1 1 usb
[utopia][usb hotplug] Loading partition 1/1
[utopia][usb hotplug] not mounted: sda1 (exfat) unsupported
DRIVE_COUNT = 0, CUR_COUNT = 1, numPartitions=1, partitionCnt=1
setting current device count from 0 to 0
Entry tsmb tsmb-stop, 1
find: /mnt/sd*/: No such file or directory
find: /mnt/sd*/: No such file or directory
find: /mnt/sd*/: No such file or directory
Entry tsmb tsmb-start, 1
[fw.sh] fwup_checked_after_boot: 0
[fwupd] status details:"ERROR: Connecting server"
[fw.sh] fwup_forced_update: 0
[fw.sh] fwup_checked_after_boot: 0
[fwupd] status details:"ERROR: Connecting server"
[fw.sh] fwup_forced_update: 0


Error on web page status in FACTORY firmware

Unexpected Error
ErrorDeviceNotInMasterMode
We've encountered an unexpected error. If the issue continues, please visit our Technical Support site.

Hide details
/jnap/nodes/storage/RefreshStorageDevices -- connection: close content-language: en content-length: 42 content-type: application/json; charset=utf-8 date: Sun, 22 Jun 2025 11:06:19 GMT server: lighttpd/1.4.39 status: 200 OK x-frame-options: SAMEORIGIN


EDIT: and the unplugging of the thumb drive in FACTORY firmware
Entry tsmb tsmb-stop, 1
find: /mnt/sd*/: No such file or directory
find: /mnt/sd*/: No such file or directory
find: /mnt/sd*/: No such file or directory
Entry tsmb tsmb-start, 1
mountscript remove sda1 1 usb
remove: disk = sda1, port = 1, devblock = sda
usbrmdrive sda1
usbrmdrive sda1, sda
removing usb info file /tmp/.usbinfo/sda.nfo
removing usb info file /tmp/.usbinfo/sda1.nfo
mountscript remove sda 1 usb
remove: disk = sda, port = 1, devblock = sda
usbrmdrive sda
usbrmdrive sda, sda

[lexridge]

[kernel-panic69]

I'm not going to publish anything that was not the defaults in u-boot.

[lexridge]

[spearmint]

learning was great, I was stuck

network manager made it simple to set any static, and it worked, I am back to my own setup.
I just posted logs in r61848. I am unsure if this router has an issue, or the build for the MR5500 is not loading. Too many variables after debricking.

EIther way my logs are there as the flash failed two times to get back on DDWRT so far.

THANK YOU!