This hack looked easy but turned out to be very hard even for me, who had soldering and programmer experience.
I have purchased Chinese RB03 (1.0.13) version of router, purchased CH341A programmer (without 3.3v data-pins mod yet), soldered the wires and ... failed.
I succeeded,.. You should modify the crash partition and entery the factory mode. In the factory mode, telnet will be forced to be enable. Also you can login without password!
@zfgeng you have used method to make it without reading and modifying CRC-32, so you failed with that like me. I just want to clarify that snander-modify-crc32 instructions do not work at all. I tried to cut OOB data from the dump, but I failed with that too, OOB chunks locations are not consistent and I think it is programmer problem (or I just don't understand nand good enough).
You cannot delete the oob data directly. At the beginning, I did the same as you did. After flashing the nand, the data of the bdata partition could not be recognized. Later, I tried to dump the nvram partition data separately, delete the oob data, fill it with 0000, and calculate that the crc32 exactly matches the original data, so I set the parameters such as ssh and telnet, and recalculated the correct crc32 value. , and record it. I re-copied a copy of the original nvram partition data, directly modified the parameters and crc32 without deleting the oob data, and finally flash it! After the router reboot ,I modified wifi settings, the nvram partition crc32 is auto recalculated, and the data of telnet_en=1 and uart_en=1 are preserved.
@zfgeng thank you! Removing that nasty OOB chunks at the exact location helped calculating CRC-32. I got telnet and root, but this is not for the faint of heart
Small guide to help newbies:
dump first 0x200000 bytes of nand in raw mode:
snander.exe -d -l 0x200000 -r dump.raw
open hex editor and Find "ssh_en", there are multiple locations, look for the second one, it should be after 0x180000, in my case it was 0x195000. Locate start of this block (multiple of 0x22000). Let's suppose it starts at START
Save block starting from START length 0x22000 into to two files - block.raw and fix.raw, yes, two copies
3.1) Open block.raw and fill with zero everything starting from 0x200 length 0xffff to clear those nasty OOB chunks (OOB is internal nand error correction data, don't bother with it)
Now you can calculate CRC-32 of a block starting from 0x4 and length 0xfffc, it should match to initial CRC-32 written at the beginning (look other guide up there if you don't understand)
If CRC-32 matches you can continue (remember the order of bytes, it is reversed). Change telnet_en=0 to telnet_en=1
recalculate CRC-32 checksum and remember it
now open fix.raw, because you need those nasty OOB chunks again ...
modify this fix.raw dump from telnet_en=0 to telnet_en=1 and write that new calculated CRC-32 checksum to the beginning (warning - order of bytes is reversed). Save file.
use snander to write fix.raw into START location on your nand like this:
erase block:
snander.exe -e -d -a START -l 0x22000
write new data:
snander.exe -d -a START -l 0x22000 -w fix.raw
start router, you got telnet
use python script up there to calculate root password from serial
root@XiaoQiang:/tmp# nvram set flag_boot_success=1
root@XiaoQiang:/tmp# nvram set flag_try_sys1_failed=0
root@XiaoQiang:/tmp#
root@XiaoQiang:/tmp# nvram set flag_try_sys2_failed=0
root@XiaoQiang:/tmp# mtd -r write sysupgrade.bin firmware
Unlocking firmware ...
Writing from sysupgrade.bin to firmware ...
Rebooting ...
Connection to 192.168.31.1 closed by remote host.
Connection to 192.168.31.1 closed.
However, now just the orange LED lights up. I can only get the Ethernet interface working when I hold down "RESET" at power on. Do you have any suggestion how to proceed? eg. what image for recovery via TFTP?
@thorsten97 build is made so you have to flash both firmware, firmware1 and overlay. It's not the build using a single partition. You need to step back and write all 3 partitions in order for it to work
Hi, I have a ax3200 router with telnet enable. I get telnet password from https://www.oxygen7.cn/miwifi/ with SN of my router. Then, I enable SSH as describe in https://github.com/openwrt/openwrt/pull/4810.
I download de firmware of @thorsten97. On the first try, I bricked the router and had to recover it via tftp.
I can see three files. I upload factory.bin and rootfs.ubi to router and I have executed the following commands:
mtd write factory.bin firmware
mtd write factory.bin firmware1
mtd write -r rootfs.ubi overlay
...
File sysupgrade.bin not used.
With this, the router stay on orange light and no boot up. How do I have to do it to make it work?
Makes sense,
I just attached a serial console. to see what's going on:
[PART] load "lk" from 0x00000000000C0200 (dev) to 0x41E00000 (mem) [SUCCESS]
[PART] load speed: 16581KB/s, 356560 bytes, 21ms
load lk (ret=0)
[PART] Image with part header
[PART] name : atf
[PART] addr : FFFFFFFFh mode : -1
[PART] size : 57936
[PART] magic: 58881688h
[PART] load "tee1" from 0x0000000000080200 (dev) to 0x43000DC0 (mem) [SUCCESS]
Erasing NAND...
[mtk_nand_erase_hw] mtk_nand_erase_hw @4249, ret:0x40. page:0x280
Erasing at 0x140000 -- 100% complete.
Writing to NAND... OK
Booting System 0
NAND read: device 0 offset 0x2c0000, size 0x2000
8192 bytes read: OK
[do_read_image_blks] Image format error,neither FIT image nor old image.
Bad Magic Number.
NAND read: device 0 offset 0x2c0000, size 0x0
0 bytes read: OK
bootm flag=0, states=70f
Wrong Image Format for bootm command
ERROR: can't get kernel image!
MT7622>
Unfortunately, the second option of the bootloader (boot firmware 1) also doesn't work, so I cannot reflash the remaining necessary partitions. So from what I've read, the next convenient option would be to recover a firmware via TFTP. Does anyone have a suggestion what FW to use with TFTP to recover without locking myself out from installing OpenWRT (telnet blocked, etc.)?
give me some time ...