Mikrotik RouterBoard 450G

Jump to: navigation, search

See also http://wiki.openwrt.org/toh/mikrotik/rb450g


SoC Atheros AR7161 rev 2 (MIPS 24Kc V7.4, Big Endian)
Flash Hynix NAND 512MiB 3,3V 8-bit
Clocks CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz
Switch Atheros AR8316
Ethernet ports 5 physical, 2 on the CPU (1+4) - Gigabit
Extra storage MicroSD slot on the SPI bus
Serial Yes - 115000 8N1
JTAG Yes, but no pins
Extras 1 beeper, 2 LEDs (1 programmable)
Power 2 power jacks (1 external, 1 internal) + Passive PoE supported on port 1 / 10-28 V


Boot loader[edit]

The system comes with a proprietary bootloader called "Routerboot". There are 2 instances of it on the system, one on a read-write memory which you can upgrade to new Rooterboot versions (and maybe try some other bootloader?) and one on a read-only memory which acts as a fallback when the other instance doesn't work. This essentially makes the board pretty hard to brick.

Apart from booting from the "kernel" partition of the NAND (see below), Routerboot also supports boot over network on the 1st ethernet port (the PoE one), using either bootp (the default) or dhcp to configure itself. Unfortunately it doesn't seem to support boot from the MicroSD card.


By default the system comes with RouterOS, a proprietary linux-based operating system from Microtik.

Memory Layout[edit]

The NAND does not have any partition table by default, it has hardcoded partitions inside the kernel driver. According to the openwrt backfire kernel, the layout is:

Position Name Purpose
0x0 - 0x00040000 (256 KiB) "booter" Unknown - Unreadable
0x00040000 - 0x00440000 (4MiB) "kernel" Contains the kernel
0x00440000-0x20000000 (508 MiB) "rootfs" Contains the root file system

The default filesystem is yaffs.

The "kernel" partition[edit]

According to the 450G manual, this partition is supposed to be a 4MiB yaffs partition that contains an elf executable called "kernel" in the top level directory. However, the openwrt kernel is 3.6 - 3.8 MiB and doesn't fit together with the yaffs metadata & reserved space in 4 MiB. To circumvent that, the openwrt trunk kernel specifies a slightly different partition layout where the "kernel" partition is 6 MiB. This allows you to place a 3.8 MiB kernel inside, but in case you try to replace it with another kernel without formatting the partition, it is likely that yaffs will use some blocks beyond the 4 MiB barrier as part of its wear-leveling functionality, in which case the boot loader (Routerboot) will not be able to boot the kernel. To circumvent that, you always need to format the partition before installing a new kernel:

$ mtd erase kernel
$ mount -t yaffs /dev/mtdblock5 /mnt
$ cp your_new_kernel.elf /mnt/kernel
$ umount /mnt

Other visible MTD devices[edit]

OpenWRT trunk also shows these partitions (extract from dmesg):

m25p80 spi0.0: pm25lv512 (64 Kbytes)
spi0.0: searching for MyLoader partition table at offset 0x10000
Searching for RedBoot partition table in spi0.0 at offset 0xe000
Searching for RedBoot partition table in spi0.0 at offset 0xf000
No RedBoot partition table detected in spi0.0
Creating 4 MTD partitions on "spi0.0":
0x000000000000-0x00000000b000 : "routerboot"
0x00000000b000-0x00000000c000 : "hard_config"
0x00000000d000-0x00000000f000 : "bios"
0x00000000f000-0x000000010000 : "soft_config"

Ethernet Ports[edit]

The network devices layout looks like this:

  +-----------+       +-----------+
  |           | eth0  |           |
  |           +-------+----------5+-Eth1/PoE
  |           |       |           |
  |  AR7161   |       | AR8316 +-1+-Eth2
  |           | eth1  |        +-4+-Eth3
  |           +-------+0-------+-3+-Eth4
  |           |       |        +-2+-Eth5
  +-----------+       +-----------+
  • eth0 of the SoC is connected to the Eth1/PoE port.
  • eth1 of the SoC is connected to port 0 of the AR8316 switch, which allows it to communicate with the other 4 ports, Eth2-Eth5.
  • The Eth1/PoE port can be configured to act as port 5 of the switch and not to be connected on eth0 of the CPU, however this is currently only possible with RouterOS, as the open source AR8316 driver does not implement this functionality (someone needs to reverse engineer RouterOS to find out how it is done).
  • Note that the AR8316 ports are not assigned to physical ports in order. Port 1 is Eth2, but port 2 is Eth5, port 3 is Eth4 and port 4 is Eth3.
  • You can easily use each port as a separate interface on the OS by configuring VLANs on the switch.

Flashing with OpenWrt/DebWrt[edit]

To flash the system you need to replace both the kernel and the root filesystem, which are two different images and you need to use the command line to do this (I don't know if there is a different way...). To get to a command line you will need to boot a working OpenWrt kernel+initrd from the network.

Booting OpenWrt from the network[edit]

  • Get a working OpenWrt kernel image with an embedded initramfs. To build this image, in the OpenWrt configuration you select "Target Images -> ramdisk". Make sure to use OpenWrt trunk (kernel >= 2.6.39) and not the stable version, backfire. Backfire's kernel has a different memory layout (as explained above) and is not suitable for this job. OpenWrt will build a lot of images; the one you will use is "openwrt-ar71xx-nand-vmlinux-initramfs.elf", as this is the only one that RouterBoot can boot (it expects to read elf headers). Alternatively, you can download a ready working image from here.
  • Setup dhcp & tftp netboot enviroment: Once you have the image, you will need to configure a tftp & dhcp server to serve it. The method to do this is out of the scope of this article.
  • Connect the routerboard with rs232 and ethernet: Connect the routerboard's RS232 with your computer's RS232 using a null-modem cable. Also connect the Eth1/POE port (do not use Eth2-Eth5 as they are connected to internal switch and it is offline on bootloading) to whatever machine/network is serving dhcp & tftp. On your computer, setup a terminal emulator to get access to the serial port. A very popular one is minicom, which will work out of the box. To run it, you need to execute something like that: "sudo minicom -D /dev/ttyUSB0", where ttyUSB0 here is the serial device (assuming that you are using a usb-to-serial adapter). Note: that it will need to be run as root, unless you have access to the serial device (which is usually achieved by adding your user to the dialup group).
  • Configure routerboard to use DHCP instead of BOOTP: When the setup is ready, power up the routerboard and watch the bootloader in minicom. By default routerboard will try to boot only with BOOTP protocol which is not what we want. So to change it enter the setup by pressing a key in the first 2 seconds of the bootup process.
 RouterBOOT booter 2.29
 RouterBoard 450G 
 CPU frequency: 680 MHz
   Memory size: 256 MB
 Press any key within 2 seconds to enter setup.

Then you will see the setup menu where you will choose to configure boot protocol, where by pressing p you will configure the boot protcol

 What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   u - cpu mode
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - do memory testing
   x - exit setup
 your choice: p - boot protocol

Bootloader will show you all the supported alternatives, where you will choose DHCP (if not yet done) by pressing 2

 Choose which boot protocol to use:
 * 1 - bootp protocol
   2 - dhcp protocol
 your choice: 2 - dhcp protocol

And finally choose to boot from ethernet and not NAND. You probably don't want everytime to boot from ethernet so you can ask bootloader to try once ethernet and on next boots use NAND. This can be done by pressing o on main menu ( boot device) and the pressing 1 ("boot Ethernet once, then NAND")

 Select boot device:
   e - boot over Ethernet
   n - boot from NAND, if fail then Ethernet
 * 1 - boot Ethernet once, then NAND
   o - boot from NAND only
   b - boot chosen device
   f - boot Flash Configure Mode
   3 - boot Flash Configure Mode once, then NAND
 your choice: 1 - boot Ethernet once, then NAND

And reboot by pressing x (exit)!

Backing up RouterOS[edit]

Before you proceed you may want to backup RouterOS.

The first thing you need to do (to be safe) is to export the license key of RouterOS using the WinBox application that can be found on the web interface of RouterOS. It's a windows application, but it runs on wine as well. When you run it, go to System -> License -> Export Key... and save the key.

The second step is to backup the NAND contents. You can do this by dd-ing the two mtd devices that we are going to format. These are /dev/mtd5 and /dev/mtd6 - kernel & rootfs, respectively. (The dd's can take a few minutes, so be patient!)

# cd /tmp
# dd if=/dev/mtd5 | gzip > routeros_kernel.img.gz
# dd if=/dev/mtd6 | gzip > routeros_rootfs.img.gz
# scp routeros_kernel.img.gz routeros_rootfs.img.gz user@some.remote.machine:~/

You can use netcat instead of scp, to avoid unnecessary cpu overhead on the routeboard (ssl and compression). You do that by setting up a netcat server on your pc that will gzip the input and write output to a file. This must be done two times, one for the kernel and one for the rootfs.

user@host:~# nc -l 2000 | gzip -9 > routeros_kernel.img.gz

and you execute the following on the routerboard

root@OpenWrt:/# dd if=/dev/mtd5 | nc ip.to.my.host 2000

The same must be done for root fs, so you resetup a new server

user@host:~# nc -l 2000 | gzip -9 > routeros_rootfs.img.gz

and you execute the following on routerboard

root@OpenWrt:/# dd if=/dev/mtd6 | nc ip.to.my.host 2000

To restore it later you would just have to do the reverse - i.e. boot this OpenWrt kernel from the network, scp the images to /tmp from a remote machine, and run "zcat routeros_kernel.img.gz | dd of=/dev/mtd5" and respectively for the rootfs.

TODO: test restore!

Preparing the OpenWrt/DebWrt images[edit]

OpenWrt (and DebWrt) provides a lot of images. First of all, if you built the initramfs as well previously, you will need to rebuild OpenWrt without this option enabled, so that a normal kernel without the embedded initramfs is built. The final files that you will need to upload to the RouterBoard are the elf kernel image and the rootfs tarball, usually named "openwrt-ar71xx-nand-vmlinux.elf" and "openwrt-ar71xx-nand-rootfs.tar.gz".


# cd /tmp
# scp user@some.remote.machine:/path/to/openwrt-ar71xx-nand-vmlinux.elf .
# scp user@some.remote.machine:/path/to/openwrt-ar71xx-nand-rootfs.tar.gz .
# mtd erase kernel
# mount -t yaffs /dev/mtdblock5 /mnt
# cp openwrt-ar71xx-nand-vmlinux.elf /mnt/kernel
# umount /mnt
# mtd erase rootfs
# mount -t yaffs /dev/mtdblock6 /mnt
# cd /mnt
# tar xpzf /tmp/openwrt-ar71xx-nand-rootfs.tar.gz
# cd /tmp
# umount /mnt