So I pulled the partitions and what I’m seeing doesn’t make sense to me. Going to code, <b>CONFIG_ENV_OFFSET</b> is defined in 3 places as :
0x60000 = /firmware
0x20000 = /u-boot
0x4200 = /u-boot
CONFIG_ENV_ADDR is additionally defined as 0xbfc20000 ((Is this a CPU map for 0x20000)
There is no U-Boot config at any of these addresses. If someone tries save the U-Boot environment, it looks like it stomps on firmware or U-Boot code. The final address might be a “special address” which could land anywhere or result in a kernel fault if it is in a mode that checks bounds.
Not dissuaded by lack of correct pointers, I did find the following at 0x25440 in /u-boot:
*Note: this looks more like Domino than AR150 partitions
bootargs=console=ttyATH0,115200 board=domino root=31:03 rootfstype=squashfs,jffs2 noinitrd mtdparts=spi0.0:256k(u-boot)ro,64k(u-boot-env)ro,1280k(kernel),14656k(rootfs),64k(nvram),64k(art)ro,15936k@0x50000(firmware)bootcmd=bootm 0x9f050000
bootdelay=1
baudrate=115200
ipaddr=192.168.1.1
serverip=192.168.1.2
bootfile=“firmware.bin”
loadaddr=0x80800000
ncport=6666
uboot_addr=0x9F000000
uboot_name=uboot_for_gl-ar150.bin
uboot_size=0x40000
lu=if ping $serverip; then tftp $loadaddr $uboot_name && if itest.l $filesize == $uboot_size; then erase $uboot_addr +$filesize && cp.b $loadaddr $uboot_addr $filesize && echo OK!; else echo ERROR! Wrong file size!; fi; else ERROR! Server not reachable!; fi
firmware_addr=0x9F050000
firmware_name=openwrt-gl-ar150.bin
lf=if ping $serverip; then tftp $loadaddr $firmware_name && erase $firmware_addr +$filesize && cp.b $loadaddr $firmware_addr $filesize && echo OK!; else ERROR! Server not reachable!; fi
lc=tftp 0x81000000 config.bin &&cp.b 0x9fff1000 0x80060000 0xf000 && cp.b 0x81000000 0x80060002 0x06 &&erase 0x9fff0000 +0x10000 && cp.b 0x81000000 0x9fff0000 $filesize && cp.b 0x80060000 0x9fff1000 0xf000