Initramfs Flashing Instructions

Overview

This document describes the successful method for flashing OpenWRT to a stock Datto AP440 device using a hardware glitch to bypass signature verification, combined with manual UBI partition setup.

Prerequisites

  • Stock Datto AP440 device
  • Hardware glitch capability (timing-based, grounding a pin during boot)
  • TFTP server at 192.168.100.8
  • OpenWRT build files (initramfs, kernel, and rootfs)
  • Serial console access to device

Method Summary

  1. Use hardware glitch to bypass U-Boot signature verification
  2. Boot into OpenWRT initramfs via TFTP or gain U-Boot shell access
  3. Manually format UBI partition and write kernel/rootfs
  4. Configure U-Boot environment variables
  5. Reboot into flashed OpenWRT system

Files Required

Files available here

├── initramfs (14590368 bytes, 0xdea1a0)
├── kernel   (5225828 bytes, 0x4fbd64)
└── rootfs   (8763568 bytes, 0x85b8b0)

Sizes will very with your build if you choose not to use the provided files.

Checksums

initramfs

  • MD5: 04bc53dcd240f53812a492646c579d23

kernel:

  • MD5: 2fbe6410df9af39e45986bc2262b2f7f
  • SHA256: c643f4ede84bd09900118fb8a219cc86c0a2d7bc8df159bba51aa4fb91fb742d

rootfs:

  • MD5: e85f2615f0e8e21acc53494f4477d24c
  • SHA256: 1f800bf7976eb995a2e04474e03a51e8461138c079f714f94f477a134127a6a7

Step-by-Step Process

Step 1: Boot Device and Glitch the SPI Flash

  1. Power on the stock Datto AP440
  2. Perform hardware glitch at the correct timing during boot
  3. This bypasses signature verification
  4. Device either:
    • Drops to U-Boot shell, OR
    • Boots into initramfs (if previously configured to do so)

Step 2: Boot into OpenWRT Initramfs

If you have U-Boot shell access, manually boot initramfs:

These two commands aren’t necessary because they are the default in the uboot env and should already exist

setenv ipaddr 192.168.100.9
setenv serverip 192.168.100.8
tftpboot 0x44000000 openwrt-qualcommax-ipq60xx-datto_ap440-initramfs-uImage.itb
bootm 0x44000000

Step 3: Format UBI Partition

Once booted into initramfs, format the UBI partition:

Detatch the ubi partition

ubidetach -p /dev/mtd1

Format the UBI partition (this erases and initializes it)

ubiformat /dev/mtd1 -y

Attach the UBI device

ubiattach -m 1 -d 0

Verify attachment

ubinfo -a

Expected output shows:

  • Count of UBI devices: 1
  • ubi0 attached to mtd1 (496 MiB)

Step 4: Create UBI Volumes

Create kernel volume (5.0 MiB)

ubimkvol /dev/ubi0 -N kernel -s 5225828

Create rootfs volume (8.4 MiB)

ubimkvol /dev/ubi0 -N rootfs -s 8763568

Verify volumes

ubinfo -a

Expected output shows:

  • Volume ID: 0 (kernel)
  • Volume ID: 1 (rootfs)

Step 5: Download Kernel and Rootfs

At this point you will need to connect to the wifi, or use an alternative means to transfer the files (i tried installing atftp but it wont connect to tftp server when booted) Set up HTTP server on a network host connected to wifi in order to transfer files (e.g. 192.168.1.103):

cd /path/to/files
python3 -m http.server 8000 &

On the device:

cd /tmp

Download files from network host

wget http://192.168.1.xxx:8000/kernel
wget http://192.168.1.xxx:8000/rootfs

from internet (if the device has internet access)

wget https://github.com/phobetard/AP440-Openwrt/raw/refs/heads/main/kernel
wget https://github.com/phobetard/AP440-Openwrt/raw/refs/heads/main/rootfs

Verify sizes

ls -lh kernel rootfs

Step 6: Write to UBI Volumes

Write kernel to volume 0

ubiupdatevol /dev/ubi0_0 /tmp/kernel

Write rootfs to volume 1

ubiupdatevol /dev/ubi0_1 /tmp/rootfs

Verify volumes are written

ubinfo -a

This should show:

root@OpenWrt:/tmp# ubinfo -a
UBI version:                    1
Count of UBI devices:           1
UBI control device major/minor: 10:127
Present UBI devices:            ubi0

ubi0
Volumes count:                           2
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     3968 (503840768 bytes, 480.5 MiB)
Amount of available logical eraseblocks: 3772 (478953472 bytes, 456.7 MiB)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  80
Current maximum erase counter value:     6
Minimum input/output unit size:          2048 bytes
Character device major/minor:            246:0
Present volumes:                         0, 1

Volume ID:   0 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        42 LEBs (5332992 bytes, 5.0 MiB)
State:       OK
Name:        kernel
Character device major/minor: 246:1
-----------------------------------
Volume ID:   1 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        70 LEBs (8888320 bytes, 8.4 MiB)
State:       OK
Name:        rootfs
Character device major/minor: 246:2

Step 7: Create and Test UBI Block Device

Create block device for rootfs this command fails, prob because the device exists, why would we create it now?

ubiblock --create /dev/ubi0_1

Test mount

mkdir -p /mnt/test

This command also fails (sometimes): but then seems to work because you can list files in

mount -t squashfs /dev/ubiblock0_1 /mnt/test

Verify OpenWRT filesystem, if nothing lists you have a problem

ls /mnt/test

You should see the OpenWRT directory structure (bin, etc, lib, usr, etc.)

Step 8: Configure U-Boot Environment

Set U-Boot environment variables for booting from NAND:

Set MTD IDs and partition layout

fw_setenv mtdids 'nand0=nand0,nand1=spi0.0'
fw_setenv mtdparts 'mtdparts=nand0:16m(kernel),496m(ubi)'

Set boot command

Option A) My Preferred Method set to attempt tftp first and then fallback to installed system (THIS IS MY PREFERRED METHOD

fw_setenv bootcmd 'if tftpboot 0x44000000 openwrt-qualcommax-ipq60xx-datto_ap440-initramfs-uImage.itb; then bootm 0x44000000; else nand device 0; mtdparts; ubi part ubi; ubi read 0x44000000 kernel; bootm 0x44000000; fi'

Option B) Set to boot straight into nand (installed firmware)

fw_setenv bootcmd 'nand device 0; mtdparts; ubi part ubi; ubi read 0x44000000 kernel; bootm 0x44000000'

Set boot arguments (includes root filesystem)

fw_setenv bootargs 'console=ttyMSM0,115200n8 board=AP440 root=/dev/ubiblock0_1'

Step 9: Verify U-Boot Configuration

fw_printenv mtdids
fw_printenv mtdparts
fw_printenv bootcmd
fw_printenv bootargs

Expected output:

mtdids=nand0=nand0,nand1=spi0.0
mtdparts=mtdparts=nand0:16m(kernel),496m(ubi)
bootcmd=nand device 0; mtdparts; ubi part ubi; ubi read 0x44000000 kernel; bootm 0x44000000
bootargs=console=ttyMSM0,115200n8 board=AP440 root=/dev/ubiblock0_1

Step 10: Check uBoot shell is enabled

hexdump -C -s 3 -n 1 /dev/mtd11

output:

root@OpenWrt:~# hexdump -C -s 3 -n 1 /dev/mtd11 00000003 01 |.| 00000004

  • 01 = shell disabled
  • 00 = shell enabled

If it shows: 01 as in the example above, then uboot did not successfully execute all the commands in the [[obsidian://open?vault=Smart_Home&file=OpenWRT%2FAP440%2F |Fwupgrade.cfg]] file. Don’t worry, this isn’t entirely unexpected. We’re glitching the chip afterall, strange things happen. Enabling the shell will require another reboot, but its as simple as simple as setting the [[Boot Commands#uboot shell fix and bootcmd change | bootcmd]]

Step 11: Reboot

The first reboot should autoboot to the initramfs you have hosted on the tftp server. Stop the tftp server and reboot again to boot into the flashed firmware.

reboot

The device should now boot directly from the flashed OpenWRT system on NAND (if tftp server isn’t serving initramfs):

  • Hardware glitch
  • TFTP boot
  • Any manual intervention

MTD Partition Layout

After a successful flash:

mtd0: 01000000 00020000 "kernel"     (16MB, unused - kernel is in UBI)
mtd1: 1f000000 00020000 "ubi"        (496MB, contains kernel and rootfs volumes)
mtd2-mtd12: SPI flash partitions     (bootloader, config, etc.)

UBI Volume Layout

Volume ID:   0 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        42 LEBs (5332992 bytes, 5.0 MiB)
State:       OK
Name:        kernel
Character device major/minor: 246:1
-----------------------------------
Volume ID:   1 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        70 LEBs (8888320 bytes, 8.4 MiB)
State:       OK
Name:        rootfs
Character device major/minor: 246:2
-----------------------------------
Volume ID:   2 (on ubi0)
Type:        dynamic
Alignment:   1
Size:        3772 LEBs (478953472 bytes, 456.7 MiB)
State:       OK
Name:        rootfs_data
Character device major/minor: 246:3

Troubleshooting

Issue: UBI attach fails with “inconsistent vol_type”

Cause: UBI partition contains old/corrupted data Solution: Run ubiformat /dev/mtd1 -y to erase and reinitialize

Issue: Cannot download files with tftp

Cause: the device has trouble with tftp during boot when it has both ethernet cables plugged in Solution: remove one of the ethernet cables

Issue: ubiblock device shows “Resource busy”

Cause: Device is already mounted Solution: Check cat /proc/mounts | grep ubi - it may already be mounted

Issue: Device doesn’t boot after reboot

Cause: U-Boot environment not saved correctly Solution: Boot back into initramfs and verify uboot env vars with fw_printenv command

Notes

  • The hardware glitch is only required for the initial flash
  • Once OpenWRT is flashed and U-Boot environment is configured, subsequent boots work normally
  • The glitch bypasses RSA signature verification in U-Boot’s flashit command
  • This method permanently flashes the device (not RAM-only boot)
  • The stock firmware dual-boot mechanism (firmware1/firmware2) is replaced with a single UBI partition

Success Criteria

✅ Device boots to OpenWRT without glitch or TFTP ✅ UBI partition properly formatted and accessible ✅ Kernel and rootfs volumes created and written ✅ Root filesystem mounts successfully ✅ U-Boot environment configured correctly ✅ Network and system functionality verified

Date

Successfully tested: December 10, 2025