Glitching Method

Warning

Be prepared to reboot MANY TIMES and know you may damage the device this way. Proceed at your own risk.

If you insist on continuing down this road, you may have the most luck just altering the U-Boot bootcmd environment variable with the cmd_success line in the fwupgrade.cfg file, so that the device boots straight into initramfs (you need to be running a TFTP server). You can then follow the Initramfs-Flashing-Instructions. This will lead to an unlocked bootloader and a persistent installation of OpenWrt on the device.

What you’ll need:

  • TFTP server setup

  • Serial cable connected to the device

  • I prefer to use minicom because it doesn’t freak out if you use the scroll wheel on your mouse.

  • You’ll want to adjust

Step 1) Set up a TFTP server. There are many ways to do this, but here’s my preferred method:

sudo apt update && sudo apt install tftpd-hpa
sudo systemctl enable tftpd-hpa
sudo systemctl start tftpd-hpa
sudo systemctl status tftpd-hpa

Step 2) Place the fwupgrade.cfg file in the TFTP server's directory:

[shell_enable]
cmd_success=sf probe; sf read 0x42000000 0x3a0000 0x8000; mw.b 0x42000003 0x001; sf erase 0x3a0000 0x10000; sf write 0x42000000 0x3a0000 0x8000; setenv bootcmd 'tftpboot 0x44000000 openwrt-qualcommax-ipq60xx-datto_ap440-initramfs-uImage.itb; bootm 0x44000000'; saveenv; echo U-Boot shell enabled and bootcmd set to TFTP; sleep 2; reset
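
A pre-flight check for the cmd_success line above, added here as an example (not part of the original instructions): it lists every flash range that an `sf erase` clears and no later `sf write` refills. It assumes the standard U-Boot argument order (`sf read/write <ram> <offset> <len>`, `sf erase <offset> <len>`); the function names are illustrative.

```python
import re

# cmd_success line copied from the fwupgrade.cfg in Step 2.
CMD_SUCCESS = (
    "sf probe; sf read 0x42000000 0x3a0000 0x8000; mw.b 0x42000003 0x001; "
    "sf erase 0x3a0000 0x10000; sf write 0x42000000 0x3a0000 0x8000; "
    "setenv bootcmd 'tftpboot 0x44000000 "
    "openwrt-qualcommax-ipq60xx-datto_ap440-initramfs-uImage.itb; "
    "bootm 0x44000000'; saveenv; echo U-Boot shell enabled and bootcmd set to TFTP; "
    "sleep 2; reset"
)


def flash_ops(cmd_line):
    """Return [(op, flash_offset, length)] for each sf read/erase/write, in order."""
    unquoted = re.sub(r"'[^']*'", "''", cmd_line)  # skip commands stored by setenv
    ops = []
    for cmd in unquoted.split(";"):
        words = cmd.split()
        if words[:1] == ["sf"] and len(words) >= 4 and words[1] in ("read", "erase", "write"):
            # U-Boot reads these numbers as hex; offset and length are the last two.
            ops.append((words[1], int(words[-2], 16), int(words[-1], 16)))
    return ops


def subtract(ranges, cut):
    """Remove the half-open range `cut` from a list of half-open (start, end) ranges."""
    out = []
    for start, end in ranges:
        if start < min(end, cut[0]):
            out.append((start, min(end, cut[0])))
        if max(start, cut[1]) < end:
            out.append((max(start, cut[1]), end))
    return out


def unrestored_ranges(ops):
    """Flash ranges that an 'sf erase' clears and no later 'sf write' refills."""
    gaps = []
    for i, (op, off, length) in enumerate(ops):
        if op == "erase":
            left = [(off, off + length)]
            for later_op, w_off, w_len in ops[i + 1:]:
                if later_op == "write":
                    left = subtract(left, (w_off, w_off + w_len))
            gaps.extend(left)
    return gaps


if __name__ == "__main__":
    for start, end in unrestored_ranges(flash_ops(CMD_SUCCESS)):
        print(f"erased but not rewritten: 0x{start:x}-0x{end:x}")
```

On the line above it reports 0x3a8000-0x3b0000, because the erase covers 0x10000 bytes while only 0x8000 are read and written back. The page does not say what, if anything, the device keeps in that range.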

Step 3) Set your computer's network interface IP to: 192.168.100.8

This is because the device looks for the TFTP server at a hardcoded IP.

The device will give itself the IP 192.168.100.9 during boot.

Step 4) Glitch the SPI. This is where you need to ground pin 8 on the SPI chip. I don’t have a reliable way to do this, so the best I can say is… good luck.

Just start tapping during the countdown. I did it to the Mario theme song… sometimes it worked, sometimes it didn’t, you do you.

The SPI chip is a GD25LQ32ESIG, which you can find more information about here.