Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Write partitions to emmc flash. Netgear MR1100 #117

Open
Semsem8519 opened this issue Jul 27, 2021 · 10 comments
Open

Write partitions to emmc flash. Netgear MR1100 #117

Semsem8519 opened this issue Jul 27, 2021 · 10 comments
Labels
bug Something isn't working enhancement New feature or request

Comments

@Semsem8519
Copy link

Hi. I dumped partitions successfully but when I wanted to write them to the emmc it fails.

https://imgur.com/a/maKaTVy
@bkerler
Copy link
Owner

bkerler commented Aug 1, 2021

Hi, streaming write support hasn't been tested so far. I will have a look.

@bkerler bkerler added the bug Something isn't working label Aug 1, 2021
@Semsem8519
Copy link
Author

Thank you so much. My device is currently bricked into 9008 mode because I apparently stupidly erased some partitions(sbl and mibib) with the flashwrite command when I telnet'ed into the device. I have a partition backup from another device but I could not get QFIL to write to the device too. I really hope I don't end up with a paperweight device. Thank you.

@jbgtenn423
Copy link

It can be revived, is that the only partitions you erased? If so I can send you something to restore those two.

@Semsem8519
Copy link
Author

Hi. Yes I only erased those two partitions. Thank you so much for helping me. I really appreciate it.

@jbgtenn423
Copy link

jbgtenn423 commented Aug 3, 2021 via email

@bkerler bkerler added the enhancement New feature or request label Aug 27, 2021
@lgeek
Copy link

lgeek commented Jan 9, 2023
edited
Loading

Hi. Sorry about digging up an old issue, but it still seems to be valid. I'm trying to fix an MR1100 stuck in a bootloop. It didn't get fixed by regular firmware flashing with the fdt tool, so I assume something is corrupt in the settings partition or somewhere else that doesn't get modified by the firmware update. I also have a working MR1100 with the same part / hw revision number, and I've dumped the NAND of both devices using edl (thanks!).

My plan was to start overwriting each partition from the bad unit with the one from the good unit, until something changes. But writing using EDL doesn't seem to be working yet. I've been trying to fix things on my own, but now I got stuck on generating a valid partition table. Here's what I've done so far:

for the wl command:

  • in edlclient/Library/streaming_client.py#L423
    -replaced self.streaming.write_flash(partition, filename) with self.streaming.write_flash(partname=partition, filename=filename) as the arguments didn't match write_flash()'s signature (first argument is lba)

This allowed execution to proceed a bit further, but then send_section_header() (called from write_flash) fails. The return value of send_section_header()'s send() is \x0eNo partition table received before open multi\n. So it sounds like the loader is always expecting to receive a partition table.

Then I noticed that the code for the w command appears to be sending the partition table, via enter_flash_mode() called with a ptable argument. I've first tried to just send it back the partition table read from the device using edl --gpt (by calling edl w with --partitionfilename). Now send_ptable() fails with \x0eUnknown error accepting partition table\n from the loader. I've also tried the code that's commented out for w to generate a partition table with a single entry for the partition I'm writing, but I get the same error. Same if I patch that code to use 0x55EE73AA and 0xE35EBDDB as the magic numbers in the header (that's what's used in the partition table of the device).

I've also taken a peek at the loader in Ghidra to see if that error message has an obvious cause, but I'm more experienced with dynamic reverse engineering and for now I got lost chasing up functions. But I'm pretty sure that there's a fair amount of code that needs to be reversed to understand why it fails with that message.

I'd appreciate any help in moving past this and, of course, if I get things working I'd be more than happy to contribute back any fixes needed to edl.

@mosasha1234
Copy link

Hi. Sorry about digging up an old issue, but it still seems to be valid. I'm trying to fix an MR1100 stuck in a bootloop. It didn't get fixed by regular firmware flashing with the fdt tool, so I assume something is corrupt in the settings partition or somewhere else that doesn't get modified by the firmware update. I also have a working MR1100 with the same part / hw revision number, and I've dumped the NAND of both devices using edl (thanks!).

My plan was to start overwriting each partition from the bad unit with the one from the good unit, until something changes. But writing using EDL doesn't seem to be working yet. I've been trying to fix things on my own, but now I got stuck on generating a valid partition table. Here's what I've done so far:

for the wl command:

  • in edlclient/Library/streaming_client.py#L423
    -replaced self.streaming.write_flash(partition, filename) with self.streaming.write_flash(partname=partition, filename=filename) as the arguments didn't match write_flash()'s signature (first argument is lba)

This allowed execution to proceed a bit further, but then send_section_header() (called from write_flash) fails. The return value of send_section_header()'s send() is \x0eNo partition table received before open multi\n. So it sounds like the loader is always expecting to receive a partition table.

Then I noticed that the code for the w command appears to be sending the partition table, via enter_flash_mode() called with a ptable argument. I've first tried to just send it back the partition table read from the device using edl --gpt (by calling edl w with --partitionfilename). Now send_ptable() fails with \x0eUnknown error accepting partition table\n from the loader. I've also tried the code that's commented out for w to generate a partition table with a single entry for the partition I'm writing, but I get the same error. Same if I patch that code to use 0x55EE73AA and 0xE35EBDDB as the magic numbers in the header (that's what's used in the partition table of the device).

I've also taken a peek at the loader in Ghidra to see if that error message has an obvious cause, but I'm more experienced with dynamic reverse engineering and for now I got lost chasing up functions. But I'm pretty sure that there's a fair amount of code that needs to be reversed to understand why it fails with that message.

I'd appreciate any help in moving past this and, of course, if I get things working I'd be more than happy to contribute back any fixes needed to edl.

hello igeek
sorry to trouble you,
but i also have a bootlooping mr1100 and i am trying to recover it, so if you could please send me the dump you have taken from the other working device. it will be highly appreciated

thanks in advance and best regards

@Semsem8519
Copy link
Author

Hi. Sorry about digging up an old issue, but it still seems to be valid. I'm trying to fix an MR1100 stuck in a bootloop. It didn't get fixed by regular firmware flashing with the fdt tool, so I assume something is corrupt in the settings partition or somewhere else that doesn't get modified by the firmware update. I also have a working MR1100 with the same part / hw revision number, and I've dumped the NAND of both devices using edl (thanks!).
My plan was to start overwriting each partition from the bad unit with the one from the good unit, until something changes. But writing using EDL doesn't seem to be working yet. I've been trying to fix things on my own, but now I got stuck on generating a valid partition table. Here's what I've done so far:
for the wl command:

  • in edlclient/Library/streaming_client.py#L423
    -replaced self.streaming.write_flash(partition, filename) with self.streaming.write_flash(partname=partition, filename=filename) as the arguments didn't match write_flash()'s signature (first argument is lba)

This allowed execution to proceed a bit further, but then send_section_header() (called from write_flash) fails. The return value of send_section_header()'s send() is \x0eNo partition table received before open multi\n. So it sounds like the loader is always expecting to receive a partition table.
Then I noticed that the code for the w command appears to be sending the partition table, via enter_flash_mode() called with a ptable argument. I've first tried to just send it back the partition table read from the device using edl --gpt (by calling edl w with --partitionfilename). Now send_ptable() fails with \x0eUnknown error accepting partition table\n from the loader. I've also tried the code that's commented out for w to generate a partition table with a single entry for the partition I'm writing, but I get the same error. Same if I patch that code to use 0x55EE73AA and 0xE35EBDDB as the magic numbers in the header (that's what's used in the partition table of the device).
I've also taken a peek at the loader in Ghidra to see if that error message has an obvious cause, but I'm more experienced with dynamic reverse engineering and for now I got lost chasing up functions. But I'm pretty sure that there's a fair amount of code that needs to be reversed to understand why it fails with that message.
I'd appreciate any help in moving past this and, of course, if I get things working I'd be more than happy to contribute back any fixes needed to edl.

hello igeek sorry to trouble you, but i also have a bootlooping mr1100 and i am trying to recover it, so if you could please send me the dump you have taken from the other working device. it will be highly appreciated

thanks in advance and best regards

What is your email? We can try something that might be successful in getting your device to boot normally.

@Akhtian
Copy link

Akhtian commented Apr 2, 2023

Hi. I also have bootloop issue. Also i have working device. Can you help me with it ? I tried to do dump from working device, but there is no success. My email is akhtian@gmail.com

@jericsmith504
Copy link

Hi. Sorry about digging up an old issue, but it still seems to be valid. I'm trying to fix an MR1100 stuck in a bootloop. It didn't get fixed by regular firmware flashing with the fdt tool, so I assume something is corrupt in the settings partition or somewhere else that doesn't get modified by the firmware update. I also have a working MR1100 with the same part / hw revision number, and I've dumped the NAND of both devices using edl (thanks!).
My plan was to start overwriting each partition from the bad unit with the one from the good unit, until something changes. But writing using EDL doesn't seem to be working yet. I've been trying to fix things on my own, but now I got stuck on generating a valid partition table. Here's what I've done so far:
for the wl command:

  • in edlclient/Library/streaming_client.py#L423
    -replaced self.streaming.write_flash(partition, filename) with self.streaming.write_flash(partname=partition, filename=filename) as the arguments didn't match write_flash()'s signature (first argument is lba)

This allowed execution to proceed a bit further, but then send_section_header() (called from write_flash) fails. The return value of send_section_header()'s send() is \x0eNo partition table received before open multi\n. So it sounds like the loader is always expecting to receive a partition table.
Then I noticed that the code for the w command appears to be sending the partition table, via enter_flash_mode() called with a ptable argument. I've first tried to just send it back the partition table read from the device using edl --gpt (by calling edl w with --partitionfilename). Now send_ptable() fails with \x0eUnknown error accepting partition table\n from the loader. I've also tried the code that's commented out for w to generate a partition table with a single entry for the partition I'm writing, but I get the same error. Same if I patch that code to use 0x55EE73AA and 0xE35EBDDB as the magic numbers in the header (that's what's used in the partition table of the device).
I've also taken a peek at the loader in Ghidra to see if that error message has an obvious cause, but I'm more experienced with dynamic reverse engineering and for now I got lost chasing up functions. But I'm pretty sure that there's a fair amount of code that needs to be reversed to understand why it fails with that message.
I'd appreciate any help in moving past this and, of course, if I get things working I'd be more than happy to contribute back any fixes needed to edl.

hello igeek sorry to trouble you, but i also have a bootlooping mr1100 and i am trying to recover it, so if you could please send me the dump you have taken from the other working device. it will be highly appreciated
thanks in advance and best regards

What is your email? We can try something that might be successful in getting your device to boot normally.

Apologies for opening old issue, if there is a solution here, would greatly appreciate any assistance as I appear to be in same boat with looping MR1100 that fails normal firmware attempts with fdt. my email is eric@nola4.com if anyone out there is watching. Thank you!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@lgeek @bkerler @Semsem8519 @jbgtenn423 @jericsmith504 @Akhtian @mosasha1234