BPI-R4 Lite Ubuntu Image

Banana Pi Router design BPI-R4 Lite /BPI-R4 Mini(MT7987A)
61

Hi Frank,

I thought you said you did a new build for this on 2025/11/01…

https://github.com/frank-w/BPI-Router-Linux/releases/download/CI-BUILD-6.17-main-6.17.0-2025-11-01_1105/bpi-r4.itb

Where you changed this…

CONFIG_MEDIATEK_2P5GE_PHY=y
CONFIG_EXTRA_FIRMWARE="aeonsemi/as21x1x_fw.bin mediatek/mt7987/i2p5ge-phy-DSPBitTb.bin mediatek/mt7987/i2p5ge-phy-pmb.bin"

And thought you said it made the 2p5ge bind?

I tried to replace “/boot/bpi-r4.itb” with it and still not working on my end.

Should that have made it work? Or at least a temporary fix?

root@bpi-r4:~# dmesg | grep eth1
[    1.377722] mtk_soc_eth 15100000.ethernet eth1: mediatek frame engine at 0xffffffc084080000, irq 69
[    7.580514] mtk_soc_eth 15100000.ethernet eth1: PHY [mdio-bus:0f] driver [Generic Clause 45 PHY] (irq=POLL)
[    7.588296] mtk_soc_eth 15100000.ethernet eth1: configuring for phy/internal link mode
root@bpi-r4:~# zgrep MEDIATEK_2P5GE /proc/config.gz
CONFIG_MEDIATEK_2P5GE_PHY=m
62

I did only test with this builtin setting,not changed this in repo so build is still module and without firmware

But have changed it now in tree,till we find a better way. Pipeline is running,but will take some hours.

63

Pipeline finished. I was able to put the new bpi-r4.itb in /boot/bpi-r4.itb and it works.

https://github.com/frank-w/BPI-Router-Linux/releases/download/CI-BUILD-6.17-main-6.17.0-2025-11-04_2136/bpi-r4.itb

I will keep watch though for the final fix, but this at least can let me continue with customization of the OS. Thanks Frank!

1 Like
64

Hi @frank-w it looks like the legacy iptables is not compiled in the kernel. What are the chances of getting that? Is there a reason it was not included?

65

Debian had moved to nftables long time ago and ubuntu based on debian. To reduce compile-time on testing and space on rootfs i had not added this as there are many modules.

66

Agreed about nftables, however iptables syntax is still generally used and translated via iptables-nft (“translated” might not be the right word, it’s more complex than that). The device has iptables-nft and iptables-translate but the support is very limited, in fact too limited to be a functioning firewall (even router), which imo is what this device wants to become for basically anyone that invests in it. For example things like TCPMSS, MASQUERADE, SET, DNAT, SNAT are not even understood by iptables-nft. The kernel will need additional support for iptables-nft to function when applying those rules.

Kernel Issues:
Warning: Extension TCPMSS revision 0 not supported, missing kernel module?
Warning: Extension SET revision 0 not supported, missing kernel module?
Warning: Extension DNAT revision 0 not supported, missing kernel module?
Warning: Extension SNAT revision 0 not supported, missing kernel module?
Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?

Those are just the ones I noticed so far…

So I think (but not sure if this is inclusive enough)…

 Feature         Kernel module/config                            
 --------------   ----------------------------------------------- 
 TCPMSS clamp   | xt_TCPMSS / TCPMSS match                        
 ipset sets     | xt_set, ip_set, ip_set_hash_net                 
 NAT (iptables) | xt_nat, xt_snat, xt_dnat, xt_masquerade, nf_nat 
 NAT helpers    | nf_nat_ftp, nf_conntrack_ftp                    
 Conntrack      | nf_conntrack, xt_conntrack                      
 nftables NAT   | nft_nat

I have not tried to build a kernel yet, but maybe it is time for me to give it a try? Any guide out there to get started? How difficult is it?

If this is doable, is there a place to grab your most recent build file and then modify it, that way it is easy to stay in sync with your testing and validation work?

67

Start with a basic setup, like so:

https://github.com/ericwoud/buildR64arch/blob/main/rootfs/etc/nftables.conf

68

Maybe I should explain the use case. I have an overlay system, a tool that simplifies/abstracts iptables/nft. It runs as a service and applies several templates (using traditional iptables syntax) when the device boots, and then you can issue it commands to create firewall rules on the fly as well. It basically takes a single command and turns it into one or more supporting iptables commands. So I have templates that have 100’s of rules in them. Also, iptables is symlink’d to iptables-nft for how many ever years now. So on a typical Ubuntu 24.04 system, iptables-nft does the translation of these rules and applies them with no issue, but that is because the support is in the kernel for iptables-nft to do so.

So I am not trying to start fresh so much as I am trying to port a system that has been around for a long time and is “already understood” to this device.

This is why I asked about me building a separate kernel forked off yours, as I know you do not want to introduce slower build times to your process. I imagine it is already pretty lengthy as is.

69

Do you have a kernel config file of that functional system?

You can rip from it the whole netfilter chapter and replace that part in the BPI kernel config file.

Should work, except maybe some dependencies, so after applying, check if it is still complete.

Then build your own kernel files with this config.

70

Afaik i had iptables still actice for bpi-r2,so maybe copy the config symbols from this defconfig.

But you have to build if by your own.

71

I know minimally what I need to have from the error messages, just need to learn how to build it into your bpi-r4.itb for the r4 lite.

72

There is a readme :slight_smile: basicly you can use build.sh for all.

./build.sh defconfig

As first step after changing build.conf to the right board to add your options. Then follow readme. Building in ubuntu is recommended. You can also look what ci pipeline does (.github/workflows/build.yaml)

73

@ericwoud @frank-w Appreciate all the help so far. I don’t have the bandwidth for it this weekend, too much other stuff going on. But will look into it during the week, see if I can make some progress.

74

mt7987 phy firmware is finally merged to linux-firmware, so it should be visible.

but as we found out here, it still needs to be builtin to get it working.

75

I see it :slight_smile: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek/mt7987

1 Like
76

Hi Frank, is there a way to pull the defconfig .config file for this specific build?

https://github.com/frank-w/BPI-Router-Linux/releases/download/CI-BUILD-6.17-main-6.17.0-2025-11-04_2136/bpi-r4.itb

I think that I am getting the main 6.12 kernel template or generic 6.17 or something else but not sure. I know that I do not see your phy changes and additional hardware lines in the config.

git clone https://github.com/frank-w/BPI-Router-Linux.git
cd BPI-Router-Linux/
git checkout 6.17-r4lite
./build.sh importconfig

I suppose I could always copy /proc/config.gz on the device over to .config and try “make menuconfig”? Not sure if there are any implications there?

77

The build is from 6.17-main branch, so just change to this change build.conf importconfig and build

78

Well, I finally got around to building a kernel. It hangs on boot (CPU stall?)

This is my process for copying it in from USB…

cd ~/tmp
sudo tar -xvzf bpi-r4lite_6.17.0_custom-iptables.tar.gz
sudo cp -rv ~/tmp/BPI-BOOT/. /boot/
sudo cp -rv ~/tmp/BPI-ROOT/etc/. /etc/
sudo cp -rv ~/tmp/BPI-ROOT/lib/modules/. /usr/lib/modules/
sudo cp -rv ~/tmp/BPI-ROOT/lib/firmware/. /usr/lib/firmware/

On reboot I get this…

[  OK  ] Started dpkg-db-backup.timer - Daily dpkg database backup timer.
[  OK  ] Started e2scrub_all.timer - Period…Metadata Check for All Filesystems.
[  OK  ] Started fstrim.timer - Discard unused filesystem blocks once a week.
[  OK  ] Started logrotate.timer - Daily rotation of log files.
[  OK  ] Started man-db.timer - Daily man-db regeneration.
[   70.253020] rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
[   70.258953] rcu:     2-...0: (0 ticks this GP) idle=926c/1/0x4000000000000000 softirq=1280/1280 fqs=3001
[   70.268161] rcu:     3-...0: (1 GPs behind) idle=b1c4/1/0x4000000000000000 softirq=1829/1830 fqs=3001
[   70.277105] rcu:     (detected by 1, t=6002 jiffies, g=-107, q=6 ncpus=4)

I can give more details about the process if need be, but I noticed it placed the file in a structure like this…

…/SD/bpi-r4lite_6.17.0-main.tar.gz

Not sure why it is /SD/…

Is that normal or did I do something to trigger a SD card build?

79

This dir is for collecting the files from kernel build (uImage,itb,modules) before pack or creating deb manually. I placed it outside the kerneldir to not interefere with buildsystem or versioncontrol. So that is correct so far.

Do not use etc and lib firmware on R4lite,but i guess they are empty in latest kernel versions (this was for the old mt6625 driver on R2). Imho this should not break anything.

Currently i have no idea why rcu dtall happens.

80

My guess is this does not matter?

cat ../SD/BPI-ROOT/etc/modprobe.d/cryptodev.conf
blacklist cryptodev

Appears to just blacklist cryptodev

Other than that file getting copied over, the rest was /lib/modules (and the /boot folder).