Turris 1.1 RTRS02 Blue - stuck on 3.8.5 - 3.6.5 - after reset, sdcard_recovery

Hi, while configuring T 1.1 on remote location and as it’s a bit more complicated set up, no rollback eventually helped getting back some semi-working state.

As I’m mainly Omnia user rather this one original HW line, unknowingly what it will cause, processed with red button, the reset.

There is no information(!) in documentation at all that if this is performed, overall it’s not possible to get back - or at least it seems to me.

Well the device ended up in state that I can connect it only into another already functioning gateway or there can’t be any connection at all (somehow managed that in LuCI as the source for WAN is passthrough from some LTE modem…). The web UI froze many times for each step and only way out from that state is to reboot device several times even if the skip it is chosen.

(Same happened after sdcard image update - working connection into internet can be done only after several restarts - unplugging cable - and until LAN is not set up different from the router you are connected at the time - ie. for most of the situations 192.168.2.1 will do it → another restart must be done - Turris won’t connect itself into internet.)

Also as https if forced mostly nowadays it wont load web UI - so new router ip must be inserted manually avoiding that redirection.

The web UI Reforis showed 3.8.5 but no access for ssh (Connection refused) nor opkg update (from LuCI).

After connecting into Turris through serial it won’t still allow opgk as there were no package, same for ssh.

Not knowing what to do I found here this post giving me hope this could be pushed up to higher versions.

But in my case updated always ended up:

Updater failed:
corruption: Signature validation failed

Even disabled DNSSEC as that can be done on 3.8.5 (but now on 3.6.5 can’t).

After few restarts with no success find here on forum there is a possibility to load some image with SD card and serial.
In hope of obtaining working SSH so can continue on it not being tied with machine connected directly into serial, did that.

Thanks to this page “Obnova systému a zavaděče z microSD karty [Turris wiki]” (there is another a bit different version on webarchive).

This link (https://doc.turris.cz/doc/cs/troubleshooting/sdcard_recovery) from here is not existing anymore and on archive it says is deleted.

After procedure:

Image moving into SD card had to be done with the program win32diskimager-1.0.0 as simple copy&paste will not work on Win10/11 and Rufus won’t recognize image (unfortunately my linux machine does not have sd card slot). Had to reformat the SD card - with Win ‘Create and format hard disk partitions’ tool.

If it’s messed up (the SD card image) - you will hear quite silent ‘bsssh’ from blinking diode for each light up. The diode (R414 D26) is located on MB - in middle between WAN port and CPU/aluminium block. In terminal, nothing will happen.

Otherwise if all good the diode blink only once and the process will start itself - wait until ‘=> HOTOVO’ is printed.

The switches had to be set up before and after procedure.

The system bot up successfully - it does even have opkg. But no ssh still (Connection refused - the sshd is not listed in LuCI) - so far I do have console so that is ok.

The update won’t be downloaded because there is some bad signature already (DNSSEC key change because of KSK rollover) - did find this info here.

So added the signature in /ets/root.keys, as second row.

Rebooted device (the service unbound restart does nothing, can’t remember correctly), run the updater.sh - but it still end up with:

curl: (22) The requested URL returned error: 404 Not Found
+ die Could not download list pack
+ echo error
+ echo Could not download list pack
+ echo Could not download list pack
Could not download list pack
+ echo Could not download list pack
+ my_logger -p daemon.err
+ logger -t updater -p daemon.err
+ kill -SIGABRT 3020
+ rm -rf /tmp/update /tmp/update-state/pid /tmp/update-state/lock /usr/share/updater/packages /usr/share/updater/plan
+ exit 1
+ rm -rf /tmp/update /tmp/update-state/pid /tmp/update-state/lock /usr/share/updater/packages /usr/share/updater/plan
+ exit 1

And opkg update as well:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Signature check failed.
Remove wrong Signature file.

Collected errors:
* opkg_download: Failed to download https://repo.turris.cz/turris/packages//turrispackages/Packages.gz, curl returned 60.

This is for every repo url.

The content of root.keys changed - from 2 lines here (one original, one added by me) it ended up with:

"autotrust trust anchor file
;;id: . 1
;;last_queried: 1726094189 ;;Thu Sep 12 00:36:29 2024
;;last_success: 1726094189 ;;Thu Sep 12 00:36:29 2024
;;next_probe_time: 1726134248 ;;Thu Sep 12 11:44:08 2024
;;query_failed: 0
;;query_interval: 43199
;;retry_time: 8639
.       172800  IN      DNSKEY  257 3 8 - some key XxxxxxxxxxxxxxxxxxxxX"

But situation still the same - so this does not help at all.

Therefore as no nor-update can be processed → no 3.8.5 → no possibility for BTRFS migration and latest OS(?).

From here and few another similar post it seems to me that some signature had to be downloaded rather manual update.

Unfortunately all the “wget http://217.31.192.101/openwrt-repo/turris/packages/turrispackages/” links with whatever could presumably help are no accessible to me.

Getting only

"Connecting to 217.31.192.101 (217.31.192.101:80)
wget: error getting response: Connection reset by peer"

for all of them.

The ‘217.31.192.101’ is dead, no PING response. From 2 networks.

So the unsecure noSSL source is not an option nowadays(?).

Searching for solution with the errors from wget/updater (in Foris/LuCI/serial cmd) found out this post - pointing mainly for this one.

So:

root@turris:# curl -kv https://repo.turris.cz/turris/packages/base/ca-certif
icates_20190110-1_mpc85xx.ipk

returning:


* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):

/*some more steps during - deleting it for readability/*

* TLSv1.2 (IN), TLS handshake, Finished (20):
> GET /turris/packages/base/ca-certificates_20190110-1_mpc85xx.ipk HTTP/1.1
> Host: repo.turris.cz
> User-Agent: curl/7.53.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.22.1
< Date: Thu, 11 Sep 2024 09:00:00 GMT
< Content-Type: application/octet-stream
< Content-Length: 129705
< Last-Modified: Mon, 13 Dec 2021 14:57:24 GMT
< Connection: keep-alive
< ETag: "61b75f54-1faa9"
< Strict-Transport-Security: max-age=31536000
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'
< Accept-Ranges: bytes

and continue for a while printing this (few seconds):

ґ▒bhn▒▒~▒:Km▒1t▒?▒n▒▒▒4▒▒▒▒n▒m▒▒▒▒޼▒▒-+d▒▒▒ỡ}g4▒<Rؓ▒MZ%▒`▒
▒▒▒▒M▒?C{~5}▒{▒̐~3▒▒0u▒▒▒,▒_
▒c▒$r▒.▒▒l"▒0U▒=▒▒▒▒▒ri▒qv/▒=▒E▒*ٵ<
I*▒▒;▒▒n▒▒▒▒▒r▒#2,L▒▒^h▒q)▒{▒▒+▒w▒▒y▒Y▒q̝▒▒▒w<▒ӯ▒▒▒;`▒▒q▒x▒OʆTQ,▒▒?▒Ğ▒|_▒2▒▒▒▒i▒▒▒▒o▒▒▒▒▒▒▒`

ending:

root@turris:#
PuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPu
TTYPuTTYPuTTYPuTTYuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuT
TYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuTTYPuT

If the process is uninterrupted - it ends like above, terminal unusable, not reacting on any key action, had to be terminated manually.

If interrupted - the usability of session remain but in both cases there is no file to be found (as in the dir I’m running curl).

This is the last meaningful step done - from here as the ca-certificates can’t be installed therefore I can’t download and use https://repo.turris.cz/turris/packages/turrispackages/updater-ng_61.1.5.4-3.6-1_mpc85xx.ipk to push myself at (presumably) 3.11.23 - meaning get the Turris OS on 3.8.5 at least.

From that point AFAIK the way is straightforward:

opkg update
opkg install turris-btrfs
btrfs_migrate

and finally

cd ~
wget https://repo.turris.cz/hbs/medkit/turris1x-medkit-latest.tar.gz
schnapps import -f turris1x-medkit-*.tar.gz
schnapps rollback factory
reboot

But no way I’m able to get here.

Somehow according at least this and this post seems to me it’s possible - given no more communication about this stuck scenario I’m in.

So far from perfectly working Turris 1.1 BTRFS (yes, due to my misconfiguration) ended up after reset on 3.8.5 and after SD image with 3.6.5.

(That is the the version inside image - because 3.8.5 is to big. 6.5 should be updated on 8.5 automatically but that is the past info possibly pre-that-key change).

No SSH except the console for both factory versions (no sshd in /cgi-bin/luci/admin/system/startup).

Now don’t now what to do - seems to me, that all the info here is pre-KSK rollover(?) so as this is really old device it’s now stuck in this old version of OS?

What will all users do when they press the reset button?
At least I’m capable to know that I don’t know.

It took me several hours to even get here.

Maybe I’m missing something obvious as in the process of doing it long one can’t see his mistakes?

(And well I’m not czech native so using translator for forum posts…).

@FWWW and @mamuf - how did you managed the update process?

Useful links for me (maybe for anyone ending up with Turris 1.1 after reset):

Turris 1.x (Blue) Factory Reset to Turris OS 3.8.5 Catch 22 - no SSH, no internet, no updates, nothing working, bricked?

Nedostupný Turris 1.0

2 roky neaktualizovaný Turris 1.0

Nefunguje DNS, ale jen na Turrise

Nemožnost dostat se na SSH, nefunkční DNS

Cannot update Turris 1.1 after factory reset to 3.8.5 - updater.sh fails

Návod: Jak na Turrisu 1.x správně provést aktualizaci NOR a přechod na btrfs

Modry Turris potíže s připojením

Optional migration from Turris OS 3.x for advanced users

The official documentation related links:

Btrfs migration on Turris 1.x routers

Serial connection

Migration from Turris OS 3.x

TD;DR:

Gain internet connection from some functioning router LAN>WAN.

Reboot when prompted by end of process.

vi /etc/resolv.conf - delete 127.0.0.1 and replace it with 8.8.8.8
save with Esc :wq

curl -O -k https://repo.turris.cz/turris/packages/base/ca-certificates_20190110-1_mpc85xx.ipk

opkg install ca-certificates_20190110-1_mpc85xx.ipk

opkg update

opkg install turris-btrfs

btrfs_migrate - if no SD detected > power off > reformat SD card/change SD card

cd /tmp

curl -O -k https://repo.turris.cz/hbs/medkit/turris1x-medkit-latest.tar.gz

schnapps import -f turris1x-medkit-latest.tar.gz

schnapps rollback factory

reboot

Set up initial steps in reForis (WiFi is not here yet, must be done separately from within reForis) > in settings > administration > snapshots > create manually 1 snapshot so you have a point of return.

Reboot device (hard reboot - power cord in/out) and verify that device will boot up as is.

Enjoy


Hi.

despite that you deleted the answer - I would like to thank you @JosefKo because it solved my problem(!).

If can recall correctly (because after reboot the ssh serial output history is empty):

  1. did that in web Foris UI > set up LAN from 192.168.1.1 for 192.168.2.1 - this will allow internet and the checks in DNS tab confirm show that.

(Now the Foris allow me to skip the wizard with no error page - unlike previous attempts.)

It’s necessary in process unplugging the Ethernet cable causing it reset the settings in PC adapter and clear cache in browser (that is because previous info from Foris will stay in memory refusing even with right adapter setting load the UI).

If someone is capable to do that in ssh, that is the way as well.

  1. vi /etc/resolv.conf - delete 127.0.0.1 and replace it with 8.8.8.8
    save with Esc > :wq

Had to do that after each network restart/reboot - otherwise error ‘couldn’t resolve host’

curl -O -k https://repo.turris.cz/turris/packages/base/ca-certificates_20190110-1_mpc85xx.ipk

opkg install ca-certificates_20190110-1_mpc85xx.ipk

  1. opkg update

  2. power off pulling the cord (serial can stay connected, it will resume itself)
    and inserting the SD card (there is no info as how it should be formatted - did fat32 and full formatting while preparing the SD card)

  3. power on, wait for boot up

opkg install turris-btrfs

this exiting with

Collected errors:
 * resolve_conffiles: Existing conffile /etc/fw_env.config is different from the conffile in the new package. The new conffile will be placed at /etc/fw_env.config-opkg.
 * resolve_conffiles: Existing conffile /etc/config/schnapps is different from the conffile in the new package. The new conffile will be placed at /etc/config/schnapps-opkg.
 * resolve_conffiles: Existing conffile /etc/cron.d/schnapps is different from the conffile in the new package. The new conffile will be placed at /etc/cron.d/schnapps-opkg.

btrfs_migrate

here the process returned 2 errors:

root@turris:/# btrfs_migrate
No MicroSD card present!

Well despite seeing the SD card info about it’s presence while booting (the log slow down for few sec). Did choose to reformat card again.

and

root@turris:/# btrfs_migrate
/bin/ash: btrfs_migrate: Permission denied

Have no idea why - reboot helped

After next attempt:

Cannot parse config file ‘/etc/fw_env.config’: Invalid argument
Error: environment not initialized
Migration successful, please reboot!

so after reboot

step 7)

cd /tmp
curl -O -k https://repo.turris.cz/hbs/medkit/turris1x-medkit-l
atest.tar.gz
schnapps import -f turris1x-medkit-*.tar.gz

schnapps rollback factory

reboot

After playing with successfully booted up 7.0.2 it somehow stopped working.

While searching for some info - found this

root@turris:/# schnapps list
ERROR: not a valid btrfs filesystem: /
    # | Type      | Size        | Date                        | Description
------+-----------+-------------+-----------------------------+------------------------------------
    1 | rollback  |    51.77MiB | 2024-09-15 18:00:00 +0200   | Rollback to snapshot factory 6:00 PM

So repeated the process again (after another by red button reset) and now I do have 7.0.2 working so far.

Saw another error but I’m not able to match this for command that it belong to.

mv: can't rename '/mnt/.snapshots/@factory': No such file or directory ERROR: Could not statfs: No such file or directory Your factory image was updated!

And some info:

mtdblock: MTD device 'rootfs' is NAND, please consider using UBI block devices instead. 6:52 PM

Despite that seems to me it’s working.

So from 3.6.5 (I didn’t make again the SD image recovery tbh) it’s possible to go back for 7.0.2 directly!

Also do recommend changing the SD card after many years for fresh one - because this it something I’m really not willing to repeat often.


Side note:

updater.sh fail despite the certificates so tried this:

the system update for 3.8.5 (info from here)

but

opkg-trans -a updater-ng_59.3.3-1_mpc85xx.ipk -r updater-ng_59.3.3-1_mpc85xx.ipk

or different/newest .ipk does not complete, throw error so it’s maybe not possible anymore or my machine had some bad state with 3.6.5 - who knows.

Hello, I wanted to add more details, because I realized its not step by step with all details, but seems you solved that even with “not so much detailed” advice.

1 Like