Solved RT-AX86U rootfs mounted read-only after firmware upgrade to 3004.388.10

[exception898]

Hello everyone,

I’m seeking help with my ASUS RT-AX86U, which worked fine until I performed a firmware upgrade to 3004.388.10. After the upgrade, the router still routes internet & WiFi, but I'm unable to log in and the root filesystem (ubi:rootfs_ubifs) mounts as read-only (ro,relatime) even after repeated rescue-mode reflashes. The web UI login sometimes works briefly, but most of the time it fails (404 /login.cgi), and writes to / fail.

Here’s a full summary of what has happened, what I’ve tried, and detailed diagnostics — if anyone has additional suggestions beyond what I’ve done, I’d greatly appreciate them.

Additional relevant details:

• /login.cfg is missing in the /www folder.
• /jffs is writable and appears healthy (so scripts or settings stored there work).
• I attempted a WPS-hard reset (hold WPS while powering on), verified the hard reset as it cleared /jffs/scripts and forced the initial setup wizard, so that step was performed.
• I used the ASUS Firmware Restoration Tool (rescue mode) to reflash the firmware (tried stock build matching model) and let the automatic reboot complete.
• After reboot, I executed

  mount | grep rootfs

  and found ro. Then I tried

  mount -o remount,rw /

  , which succeeded, but after a normal reboot,

  mount | grep rootfs

  returned "ro" again.
• The web UI login is unstable: sometimes works, but often fails, and writes (such as saving settings) are not persistent or fail silently.
• The router functions as an internet gateway/LAN/Wi-Fi device without issues; the core routing/NAT functions appear unaffected.
• Warranty expired; I’m attempting to salvage the unit rather than replace it immediately.

MTD partitions:

dev:    size   erasesize  name
mtd0: 05f00000 00020000 "rootfs"
mtd1: 05f00000 00020000 "rootfs_update"
mtd2: 00800000 00020000 "data"
mtd3: 00100000 00020000 "nvram"
mtd4: 05f00000 00020000 "image"
mtd5: 05f00000 00020000 "image_update"
mtd6: 10000000 00020000 "dummy1"
mtd7: 10000000 00020000 "dummy2"
mtd8: 00100000 00020000 "misc3"
mtd9: 02f00000 00020000 "misc2"
mtd10: 00800000 00020000 "misc1"
mtd11: 05619000 0001f000 "rootfs_ubifs"
mtd12: …

Mounts:

/dev/mtdblock9 on /jffs type jffs2 (rw,noatime) 
ubi:rootfs_ubifs on / type ubifs (ro,relatime)

Bad Block / UBI-info:

dmesg | grep -i bad
Bad block table found at page 131008, version 0x01 
Bad block table found at page 130944, version 0x01 
nand_read_bbt: bad block at 0x000002aa0000 
ubi0: good PEBs: 759, bad PEBs: 1, corrupted PEBs: 0 
ubi0: available PEBs: 0, total reserved PEBs: 759, PEBs reserved for bad PEB handling: 14 
… 
cat /sys/class/ubi/ubi*/bad_peb_count 
1 
0

HTTPD Continually Restarting:

Oct 17 20:51:44 RT-AX86U: start https:8443
Oct 17 20:51:44 RT-AX86U: start httpd:80
Oct 17 20:51:44 httpd: Succeed to init SSL certificate...8443
Oct 17 20:51:44 httpd: S:RT-AX86U-0C00 Server Certificate, I:RT-AX86U-0C00 Root Certificate 20240101000031, 2024/1/1 ~ 2044/1/2
Oct 17 20:51:44 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:44 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:44 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:44 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:45 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:45 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:47 HTTPD: [LOGIN][https][Web] success ([REDACTED IPv4])
Oct 17 20:51:48 HTTPD: [LOGIN][https][APP] success ([REDACTED IPv4])
Oct 17 20:51:48 kernel: potentially unexpected fatal signal 11.
Oct 17 20:51:48 kernel: CPU: 3 PID: 8240 Comm: httpds Tainted: P           O    4.1.52 #2
Oct 17 20:51:48 kernel: Hardware name: Broadcom-v8A (DT)
Oct 17 20:51:48 kernel: task: ffffffc02d0c6180 ti: ffffffc026d54000 task.ti: ffffffc026d54000
Oct 17 20:51:48 kernel: PC is at 0xf6ee572e
Oct 17 20:51:48 kernel: LR is at 0xf6eb1858
Oct 17 20:51:48 kernel: pc : [<00000000f6ee572e>] lr : [<00000000f6eb1858>] pstate: 200f0030
Oct 17 20:51:48 kernel: sp : 00000000fff23b88
Oct 17 20:51:48 kernel: x12: 00000000ffffffff 
Oct 17 20:51:48 kernel: x11: 00000000fff24084 x10: 0000000000000000 
Oct 17 20:51:48 kernel: x9 : 00000000f6fab7a8 x8 : 00000000f6fad000 
Oct 17 20:51:48 kernel: x7 : 00000000f77df4d0 x6 : 000000000000002d 
Oct 17 20:51:48 kernel: x5 : 00000000000b6408 x4 : 0000000000000007 
Oct 17 20:51:48 kernel: x3 : 0000000000000000 x2 : 0000000000000001 
Oct 17 20:51:48 kernel: x1 : 0000000000000140 x0 : 0000000000000147 
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:51:51 dnsmasq[2943]: possible DNS-rebind attack detected: [REDACTED URL]
Oct 17 20:52:14 watchdog: start httpd
Oct 17 20:52:14 rc_service: watchdog 1625:notify_rc start_httpd
Oct 17 20:52:14 RT-AX86U: start https:8443
Oct 17 20:52:14 RT-AX86U: start httpd:80
Oct 17 20:52:14 httpd: Succeed to init SSL certificate...8443
Oct 17 20:52:14 httpd: S:RT-AX86U-0C00 Server Certificate, I:RT-AX86U-0C00 Root Certificate 20240101000031, 2024/1/1 ~ 2044/1/2
Oct 17 20:52:18 HTTPD: [LOGIN][https][APP] success ([REDACTED IPv4])
Oct 17 20:53:49 HTTPD: [LOGIN][https][Web] success ([REDACTED IPv4])
Oct 17 20:53:49 kernel: potentially unexpected fatal signal 11.
Oct 17 20:53:49 kernel: CPU: 0 PID: 8718 Comm: httpds Tainted: P           O    4.1.52 #2
Oct 17 20:53:49 kernel: Hardware name: Broadcom-v8A (DT)
Oct 17 20:53:49 kernel: task: ffffffc02d0a7540 ti: ffffffc02d118000 task.ti: ffffffc02d118000
Oct 17 20:53:50 kernel: PC is at 0xf6e416a4
Oct 17 20:53:50 kernel: LR is at 0xf6e0d858
Oct 17 20:53:50 kernel: pc : [<00000000f6e416a4>] lr : [<00000000f6e0d858>] pstate: 600f0030
Oct 17 20:53:50 kernel: sp : 00000000ffd23798
Oct 17 20:53:50 kernel: x12: 00000000ffffffff 
Oct 17 20:53:50 kernel: x11: 00000000ffd23c94 x10: 0000000000000000 
Oct 17 20:53:50 kernel: x9 : 00000000f6f077a8 x8 : 00000000f6f09000 
Oct 17 20:53:50 kernel: x7 : 00000000f773b4d0 x6 : 000000000000002d 
Oct 17 20:53:50 kernel: x5 : 00000000000b6408 x4 : 0000000000000000 
Oct 17 20:53:50 kernel: x3 : 0000000000000000 x2 : 0000000000000001 
Oct 17 20:53:50 kernel: x1 : 00000000000001c0 x0 : 00000000fffffff8 
Oct 17 20:54:14 watchdog: start httpd
Oct 17 20:54:14 rc_service: watchdog 1625:notify_rc start_httpd
Oct 17 20:54:14 RT-AX86U: start https:8443
Oct 17 20:54:14 RT-AX86U: start httpd:80
Oct 17 20:54:14 httpd: Succeed to init SSL certificate...8443
Oct 17 20:54:14 httpd: S:RT-AX86U-0C00 Server Certificate, I:RT-AX86U-0C00 Root Certificate 20240101000031, 2024/1/1 ~ 2044/1/2
Oct 17 20:54:14 HTTPD: [LOGIN][https][Web] success ([REDACTED IPv4])

What has been tried:

• WPS hard reset (NVRAM & user settings cleared)
• Rescue-mode flash via Firmware Restoration Tool
• Flash multiple times / fresh setup (no config restore)
• Verified /jffs is healthy and writable
• Verified bad block count (only 1 bad PEB) and that /jffs scripts run (so config partition is okay)
• Attempt to remount rootfs RW, but remains R/O after reboot
• Checked logs (dmesg, UBI bad PEB counts)

Questions:

• Main concern is, is all hope lost? Is it time to look for a replacement?
• If not, then beyond the rescue-mode reflashes and WPS hard reset, is there an alternative software-only solution available that I may have missed — for example: a built-in recovery command to remap or skip the bad block, or a lower-level firmware utility?
• Is there any workaround to continue using the router long-term (as you already can, given it routes) without rootfs RW access — e.g., by disabling certain features, disabling writes, or using configuration via /jffs exclusively? Does using the router with the current limitation have any detriment?
• Are there hidden options in ASUSWRT (or Merlin) to force remapping or reinitialization of the rootfs volume without shell access in rescue mode?

I appreciate any help you can provide — thanks in advance!

 

[ColinTaylor]

There isn't meant to be a file at /www/login.cfg

rootfs is meant to be read-only.

A single bad block usually isn't a problem.

Go back to the previous firmware version and see if the problem persists. There appears to be a problem with httpds in the 3004.388.10 release.

 

[RMerlin]

Oct 17 20:53:49 HTTPD: [LOGIN][https][Web] success ([REDACTED IPv4])

There is currently a bug in 3004.388.10 that Home Automation and the mobile app will cause the web server to crash.

 

[exception898]

You guys are Gods! Thank you! Just did a downgrade with the Firmware Restoration tool. Now I can log in again. I don't know why I didn't think of downgrading, but it never occurred to me that it might be a bug in httpd.