Please be aware that this is also highly implementation-specific. U-Boot can be patched to simply reset if the eMMC/storage can't be accessed. It doesn't have to drop into a shell. It's highly vendor-dependent. Timing can also play a pretty big factor here.
It could be had for 150 open-box on eBay. I could chip in if needed. I don't have enough understanding here... but the CR1000A uses encrypted partitions, it seems, so dumping the eMMC would not be useful?
Well, the firmware upgrade script disables the console in this way, but I'm not sure it applies to boot as well:
if test "x$verbose" = "x"; then
Doesn't seem encrypted if it can be read with a logic analyzer.
I have the U-Boot binary reconstructed from a logic analyzer dump, but it's mangled in a way I cannot understand:
ehgtdvb_aesl_tlcekalct_attoobo_indmtlaor_m_n_ntftfxpmmr_ak_ftasaeadesbadiim_edw_e_la_ces)q0xehiiofsiqiq0xehhlp87_daalcrnsiq0xem_ofgr_igp8ÀÆb"
Þîg ©#,ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ7_dah_ntbadehiip_d_iu_oifpcnn_edosscbo_nbes_eiywt_eobov_dr_s_eiypitpr_fe_`tto_noei3tdfutev_cceivlrnegtpriincuteieviprn_xoti_p_ailo_edgtetisi_t_aidc_eedc_rnfrdtdc_edcmadftfn_radsboeshistcokatbo_omndc_ntiqmi_atbsd_dF6-eaUHV=<'R}>ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿctbadstpdvc_eoedvc_rb_hle_e_aetpadte_e_caspadte_e_rvdvgtuls_rviqpi_as_tiq0xem_lo_xbfep87_dar_opeeiq0xem_eu_igrsucs(( AAABBB boag=osl=iÙôÞÉꤶ÷ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿtMM,evrp12181.ems=5.5.5. 02468ACEaodbm02468ace Õ68@óûã/DÞË{2Â=LúN.fÙ²[I%ødh¤ÌepPíÚWؼä³,?¯kAgêòδs¬"
ùèunñq)·eVKÒ ÛþÍôÝ3a1Y_Q©µ
åÉïàM*°ë<Sa+~w&ic!}PGKÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿôªÍÊôe[qÇ|°mÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0+ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0`He ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¼ÑÝ.ù()b@·ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0`He Z 6|{kÅ+×v}YðÔ¯¤Àý&?Ì¥ñØÇÃâ'un ;³ãÑíü[Ë9LÏïûM
ù<¨£õ¶!ÿÒì{&^¤ÛytS±¶þ[Íÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ§=]sÜ*î^Û2
\ÓbyÈmÕ©Vêzx.¦ÆÝ½>f5¹ÁøÙéUß¡
æhT»ëRO:% tr drs sntaind-0%8
ERR s-so drs sntaind-0%8
0HOls_ye 0%
ls_ne: xxfahci_eet xxfahboksz:0%
ls_est: xxpriintbeofe xxls_ye 00%
atto al fst0%
Atiueo-s -6 1s%6 1sieSatPriinifrainntaalbe3:%1s0%8 #6l #6l
se:ra ls yefie
se:ra ls ne aldmm edfahci eetfie
se:ra ls lc iefie
se:ra ls est alds%
se:Fie ofthtebadmci.mme oif p yefie
se:Gtscno-vrinfie
se a tbefud e:% e:%
MH%:;addldFM/N #O
+Yymÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ2xlx%)mmnopitSE LS nomtotmrgn_aegn_nc_ogn_nc_igtfe_ztmrla_aro xr rsntspotda' otkre:%
Jmigt(AC6 enlvamntrupn oARH4TTvamntra' otTT dfk u o rcn)mcisn ahd0%xfo niomn
trigkre .%
D rainfie!hnig.D n TG upr o opldi ag #8x-%0L"j@_`lmVZPWtÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿd
/eoy#ANN:fxpmmr ald
RstigCU..eo c:[%8x] r:[%8x]p:%8x p:%8x p:%8x1:%8x 9:%8x 8:%8x7:%8x 6:%8x 5:%8x 4:%8x3:%8x 2:%8x 1:%8x 0:%8xlg:%%%% Rs% FQ s oe%%
udfndisrcinotaeitrutrfthaotaaaoto sdatitrutrqetSR2I_6IQ2V_6U42K_6U62K_6U82K_6U1_6U1_
X[ 8(<@x|yyeJÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ6U1_6U1_6U1_6U1_6UE_2FQ3R_2SC3K_2U53K_2AT3K_2U93Y_2UD3K23K33K43Y_2rstig..ANN:Cce o nbe
Dcytn..al
&5aO6h34Dn.otsaerof po_adaalbenn%=addnn%=p00fboagb.t=otsro=t:b_otsroftpOIÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿg}$fboag}rowitc-rtco:Ubo tc scrutd
cni_aeMna eiete ofgslce!ofgntaalbl
bom0%#saldt e ofgnm
pitn otrsBoigfols
Uignn eie0bdofe fhoeevmdd ad=ad &stn tprsmdat=ad:xlx0%l(s,{sprs &uipr s& b ed0% enl& nn eie% &stn tisnn%=add& eevmdat tprsnn%:xlx0%l(s,{sprs &nQ-\EI
_3F"ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿuipr s& b ed0% enl& s rb &fra xx0% xx& UigMCdvc
0HO_m ed0% xx0%nupre OTfahtp
Vrfig. m_eashsi h nai enltisTi steuecytdkre
Uignn eie%
nn eie% &stntisnn%=add& eevmdat tprsnn%:xlx0%l(s,{sprs &uipr s& krefpoe&enliaeatetctoald
badqaauC7z>~$8Tpgÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿmcmo/m_otc.U:fiuea s%/s)
BGb ed0% b_ots&m ed0% x
And a second dump from the same address:
ehgtdvb_aesl_tlcekalct_attoobo_indmtlaor_m_n_ntftfxpmmr_ak_ftasaeadesbadiim_edw_e_la_cesiq0xehiiofsiqiq0xehhlp87_daalcrnsiq0xem_ofgr_igp8ÀÆb"
Þîg ©#,ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ7_dah_ntbadehiip_d_iu_oifpcnn_edobqawtetatcahupdtodmqamnmldtsscbo_nbes_eiywt_eobov_dr_s_eiypitpr_fe_atto_noeistdfutevv_cceivlrnegtpriincuteieviprn_xoti_p_ailo_edgtetisi_t_aidc_eedc_rnfrdtdc_edcmadftfn_radsboeshistcokatbo_omndc_ntiqmi_atbsd_ctbadstpdvc_eoedvc_rb_hle_e_aetpadte_e_caspadte_e_rvdvgtuls_rviqpi_as_tiq0xem_lo_xbfep87_dar_opeeiq0xem_eu_igrsucs(( AAABBB boag=osl=iÙôÞÉꤶ÷ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿtMM,1208bocdboiqbodly2burt=120iad=9.6.01evrp12181.ems=5.5.5. 02468ACEaodbm02468ace Õ68ÿóûã/DÞË{2Â=LúN.fÙ²[I%ødh¤ÌepPíÚWؼä³,?¯kAgêòδs¬"
ùèunñq)·eVKÒ ÛþÍôÝ3a1Y_Qïµ
åÉïàM*°ë<Sa+~w&ic!}PGKÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ00+ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ00`He ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ¼ÑÝ.ù()b@·<ö©Ðÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ00`He Z 6|{kÅ+×v}YðÔ¯¤Àý&?Ì¥ñØÇÃâ'un§=]sÜ*î^Û2
\ÓbyÈmÕ©Vêzx.¦ÆÝ½>f5¹ÁøÙéUß¡
æhT»ëRO:% tr drs sntaind-0%8
ERR s-so drs sntaind-0%8
0HOls_ye 0%
ls_ne: xxfahci_eet xxfahboksz:0%
ls_est: xxpriintbeofe xxls_ye 0%
ls_ne: xxfahci_eet xxfahboksz:4Ët¾ìe`"ªVËÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0%
atto al fst0%
Atiueo-s -6 1s%6 1sieSatPriinifrainntaalbe3:%1s0%8 #6l #6l
se:ra ls yefie
se:ra ls ne aldmm edfahci eetfie
se:ra ls lc iefie
se:ra ls est alds%
se:Fie ofthtebadmci.mme oif p yefie
se:Gtscno-vrinf@%:;addldFM/N #O
+Yymÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿsxlx%)mmnopitSE LS nomtotmrgn_aegn_nc_ogn_nc_igtfe_ztmrla_aro xr rsntspotda' otkre:%
Jmigt(AC6 enlvamntrupn oARH4TTvamntra' otTT dfk u o rcn)mcisn ahd0%xfo niomn
trigkre .%
D rainfie!hnig.D n TG upr o opldi agn
BdLnxAMzmg ai!enliae@%0l #8x-%0L"jH_`lmVZPWtÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿl
#eoy# ANN:fxpmmr ald
RstigCU..eo c:[%8x] r:[%8x]p:%8x p:%8x p:%8x1:%8x 9:%8x 8:%8x7:%8x 6:%8x 5:%8x 4:%8x3:%8x 2:%8x 1:%8x 0:%8xlg:%%%% Rs% FQ s oe%%
UdfndisrcinotaeitrutatitrutrqetSR2I_6IQ2V_6U42K_6U62K_6U82K_6U1_6U1_
X[ 8(<@x|yyeJÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ6U1_6U1_6U1_6U1_6UE_2FQ3R_2SC3K_2U53K_2AT3K_2U93Y_2UD3K23K33K43Y_2rstig..ANN:Cce o nbe
Dcytn..al
&5aO6h34Dn.otsaerof po_adaalbenn%=addnn%=p00fboagb.t=otsro=t:b_otsroftp=qahsrofnm=ots1rofnm=otsn0nn0rofnm=ots1gtboiq nupre otfahtp
stn otrs$boaU$5aX(yK!I>OIÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿg}$fboag}rowitc-rtco:Ubo tc scrutd
cni_ae
na eiete ofgslce!ofgntaalbl
bom0%#saldt e ofgnm
pitn otrsBoigfo ls
Uig.n eie0bdofe fhoeevmdd auipr s& b ed0% enl& s rb &fra xx0% xx& UigMCdvc
0HO_m ed0% xx0%nupre OTfahtp
Vrfig. m_eashsi h nai enltisTi steuecytdkre
Uignn eie%
nn eie% &stn tisnn%=add& eevmdat tprsnn%:xlx0%l(s,{sprs &uipr s& krem ed0% xX0%nai mg.fpoe&enliaeatetcto ald
badqaauC7z>~$8Tpgÿÿ
Most of the packets don't pass CRC checks, but seeing how the two dumps match pretty well, I suspect this is not simply noise.
I've probably screwed something up in my reconstruction program, but I'm not sure what.
I tried ISP, but I couldn't stop the CPU from booting because the router doesn't have a CPU crystal you can short; it's clocked by the PMU, and the same PMU runs the eMMC DC-DC converter.
I also tried to power the flash chip externally, but that didn't work, as something is holding it in reset.
You don't need to stop the CPU from booting. You just need to electrically isolate the CLK signal on the eMMC from the CPU, which, by the looks of it, you should be able to do here. The CPU will try to init the eMMC a couple of times, fail, and then go idle.
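The CRC arithmetic behind the "packets don't pass CRC checks" remark, as an added example that is not part of the thread and not the poster's reconstruction program. It assumes a logic-analyzer decode that yields 6-byte command tokens from the CMD line and one nibble per clock from DAT[3:0]; the protocol facts it encodes are the SD/eMMC ones (CRC7 with polynomial x^7+x^3+1 over the first 40 bits of a command, and in 4-bit bus mode a separate CRC16 with polynomial x^16+x^12+x^5+1 on each DAT line over only the bits that line carried, so a CRC16 over the reassembled bytes will never match). The 512-byte sample block, the banner text in it, and the "reversed probes" and "missed clock" scenarios are constructed here for illustration, not taken from any capture.

```python
"""Added example (not from the thread): CRC checks for an SD/eMMC logic-analyzer capture.

Assumes a decode that yields (a) 6-byte command tokens from the CMD line and
(b) the nibble seen on DAT[3:0] at each clock of a data block. CRC7
(x^7+x^3+1, init 0) protects commands; in 4-bit bus mode each DAT line carries
its own CRC16 (x^16+x^12+x^5+1, init 0) over only the bits that line carried.
All sample data below is constructed, not captured from any device."""

CRC7_POLY = 0x09      # x^7 + x^3 + 1, top bit implicit
CRC16_POLY = 0x1021   # x^16 + x^12 + x^5 + 1, top bit implicit


def _bits(data: bytes):
    """Yield the bits of data MSB-first, the order they appear on the bus."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def _crc(bits, width: int, poly: int) -> int:
    """Bitwise MSB-first CRC, zero init, no reflection, no final XOR."""
    crc, top, mask = 0, 1 << (width - 1), (1 << width) - 1
    for b in bits:
        feedback = (1 if crc & top else 0) ^ b
        crc = (crc << 1) & mask
        if feedback:
            crc ^= poly
    return crc


def crc7(data: bytes) -> int:
    return _crc(_bits(data), 7, CRC7_POLY)


def crc16(data: bytes) -> int:
    return _crc(_bits(data), 16, CRC16_POLY)


def command_token(index: int, arg: int) -> bytes:
    """48-bit CMD token: start bit 0, host bit 1, 6-bit index, 32-bit arg, CRC7, end bit 1."""
    head = bytes([0x40 | (index & 0x3F)]) + arg.to_bytes(4, "big")
    return head + bytes([(crc7(head) << 1) | 1])


def check_command_token(token: bytes) -> bool:
    """True if a captured 6-byte CMD token has the right CRC7 and end bit."""
    return len(token) == 6 and (token[5] & 1) == 1 and (token[5] >> 1) == crc7(token[:5])


def bytes_to_nibbles(data: bytes) -> list:
    """Nibbles as they cross a 4-bit bus: high nibble first, DAT3 carries the MSB."""
    return [n for byte in data for n in (byte >> 4, byte & 0xF)]


def nibbles_to_bytes(nibbles) -> bytes:
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def line_crcs(nibbles) -> list:
    """CRC16 per DAT line (index 0..3 = DAT0..DAT3), over that line's own bit stream."""
    return [_crc(((n >> line) & 1 for n in nibbles), 16, CRC16_POLY) for line in range(4)]


def verify_block_4bit(nibbles, received_crcs) -> list:
    """Per-line pass/fail for one captured block; the block is good only if all pass."""
    return [calc == rx for calc, rx in zip(line_crcs(nibbles), received_crcs)]


def remap_lines(nibbles, order) -> list:
    """Re-decode a capture whose DAT channels were labelled in the wrong order.
    order[i] = which captured bit (0..3) really is DATi."""
    return [sum(((n >> order[i]) & 1) << i for i in range(4)) for n in nibbles]


def diagnose(nibbles, received_crcs) -> str:
    """All lines pass but bytes look scrambled: the bit streams are intact, so the
    channel labelling or nibble order is wrong. Lines fail: the capture lost or gained clocks."""
    ok = verify_block_4bit(nibbles, received_crcs)
    if all(ok):
        return "crc-ok"
    return "crc-fail on DAT" + ",".join(str(i) for i, v in enumerate(ok) if not v)


# Constructed 512-byte block: a U-Boot-like banner padded with 0xFF (erased flash).
SAMPLE_BLOCK = b"U-Boot 2016.01 (Jan 01 2019 - 00:00:00)\n".ljust(512, b"\xff")
SAMPLE_NIBBLES = bytes_to_nibbles(SAMPLE_BLOCK)
SAMPLE_CRCS = line_crcs(SAMPLE_NIBBLES)   # what the card appends on DAT0..DAT3

if __name__ == "__main__":
    print("CMD0 token:", command_token(0, 0).hex())
    print("per-line CRC16:", [hex(c) for c in SAMPLE_CRCS])
    # Probes DAT0..DAT3 labelled backwards: CRCs still pass, bytes come out garbled.
    swapped = remap_lines(SAMPLE_NIBBLES, [3, 2, 1, 0])
    print("reversed probes:", diagnose(swapped, SAMPLE_CRCS[::-1]), nibbles_to_bytes(swapped)[:6])
    print("remapped back:", nibbles_to_bytes(remap_lines(swapped, [3, 2, 1, 0]))[:6])
    # One missed clock inside the banner: the bit streams shift and the lines fail.
    dropped = SAMPLE_NIBBLES[:10] + SAMPLE_NIBBLES[11:] + [0xF]
    print("missed clock:", diagnose(dropped, SAMPLE_CRCS))
```

The two constructed failure modes are the ones worth separating when a reconstruction looks plausible yet wrong: if every line's CRC16 verifies against the CRC the card sent on that same line but the bytes read as scrambled text, the capture is faithful and the problem is in how the four channels or the two nibbles of each byte are being combined; if the CRCs fail, the sampling itself dropped or duplicated clocks and no reassembly will fix it.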
I guess cutting the trace is an option, I just wasn't ready to go that far.
Sandpaper and steady hands, lol. I just don't see any other way with this router, unfortunately. Do you have a microscope?
Yes, but I'm done with this router for now; I'm focusing on other projects. Also, I had destroyed my eMMC reader by trying to "fix" it because it wasn't reading the chip, before I found the RST via and realized it's being held in reset.
Pretty impressive work though, getting somewhere with the logic analyzer. I also tried that and didn't get far. The internal resistance of the probes was too high, causing the kernel load to fail as soon as it switched the eMMC to HS400 (high frequency) halfway through the boot process.
Oh, I experienced this as well, but when I switched to a DSLogic with its coax probes the problem went away and I was able to boot with the probes attached.
The analyzer wasn't fast enough to sample the HS400 signal though.
Interesting, noted!
Sorry to hear about your programmer. Which programmer were you using?
XGecu T48 with the eMMC ISP add-on. It's pretty nice, but I had to set up an x86 Windows laptop to run their software. I can probably fix it to how it was before, as I've only destroyed the add-on, but I don't have the need for it right now.
@spol-eff In your previous post you said D0 was still up in the air. Could you please let me know exactly where D0, CMD and CLK are? I assume you did some further digging after that post. Much appreciated!
Sure, I've confirmed the location of D0 is correct in the picture here.
A later post has a picture showing labels for other traces. Pins from top to bottom in the logic analyzer window correspond to traces from left to right on the board.
Thank you! @a_guy and I ordered one of these to play around with.
Excited what you guys come up with! Let me know if I can be of any help!
You didn't perhaps see a GPT partition table in your dumps?
That and the 0x2000 bytes that follow would be interesting
Oh yeah, I did see it, but I jumped around the partition table and couldn't find anything useful. The various Qualcomm bits dumped fine, but the U-Boot bin was mangled, and the RootFS is LUKS-encrypted, just like it is in the firmware upgrade file. The only useful part I managed to extract was the U-Boot environment, which I posted somewhere above.
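A way to read the GPT out of a raw dump instead of jumping around it, as an added example that is not part of the thread and not anyone's tooling from it. It parses the header at LBA 1 and the partition entry array, verifies the header signature and both CRC32s, and lists each used entry with its name, LBA range and byte offset, so a partition such as a U-Boot or environment region can be carved by name. The image it runs on is constructed inline with valid CRCs; the partition names and sizes in it are made up, 512-byte LBAs are assumed, and `carve`, `gpt_is_consistent` and `build_sample_gpt` are helper names chosen here.

```python
"""Added example (not from the thread): read the GPT out of a raw eMMC dump.

parse_gpt() checks the header signature and both CRC32s (header and partition
array), then lists every used entry with its name, LBA range and byte offset.
SAMPLE_IMAGE is constructed inline with valid CRCs so this runs offline; the
partition names and sizes in it are made up and 512-byte LBAs are assumed."""

import struct
import uuid
import zlib

SECTOR = 512
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header, lives at LBA 1
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
GPT_SIG = b"EFI PART"


def parse_gpt(image: bytes, sector: int = SECTOR):
    """Return (header dict, list of used entries). Raises ValueError if the
    signature is missing or a CRC fails, which on a logic-analyzer dump usually
    means a mis-decoded or missing sector rather than a damaged disk."""
    hdr_off = sector
    fields = struct.unpack(HEADER_FMT, image[hdr_off:hdr_off + struct.calcsize(HEADER_FMT)])
    (sig, _rev, hdr_size, hdr_crc, _res, cur_lba, backup_lba, first_use, last_use,
     disk_guid, ent_lba, ent_count, ent_size, arr_crc) = fields
    if sig != GPT_SIG:
        raise ValueError("no 'EFI PART' signature at LBA 1")
    # Header CRC32 covers hdr_size bytes with the CRC field itself zeroed.
    hdr = bytearray(image[hdr_off:hdr_off + hdr_size])
    hdr[16:20] = b"\0\0\0\0"
    if zlib.crc32(hdr) & 0xFFFFFFFF != hdr_crc:
        raise ValueError("GPT header CRC mismatch")
    arr_off = ent_lba * sector
    array = image[arr_off:arr_off + ent_count * ent_size]
    if zlib.crc32(array) & 0xFFFFFFFF != arr_crc:
        raise ValueError("partition array CRC mismatch")
    entries = []
    for i in range(ent_count):
        type_guid, part_guid, first, last, attrs, name = struct.unpack(
            ENTRY_FMT, array[i * ent_size:i * ent_size + 128])
        if type_guid == b"\0" * 16:
            continue   # unused slot
        entries.append({
            "index": i,
            "type": str(uuid.UUID(bytes_le=type_guid)),   # GUIDs are stored mixed-endian
            "guid": str(uuid.UUID(bytes_le=part_guid)),
            "name": name.decode("utf-16-le").rstrip("\0"),
            "first_lba": first, "last_lba": last, "attrs": attrs,
            "offset": first * sector, "size": (last - first + 1) * sector,
        })
    header = {"disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "current_lba": cur_lba,
              "backup_lba": backup_lba, "first_usable": first_use, "last_usable": last_use,
              "entries_lba": ent_lba, "entry_count": ent_count, "entry_size": ent_size}
    return header, entries


def gpt_is_consistent(image: bytes) -> bool:
    try:
        parse_gpt(image)
        return True
    except (ValueError, struct.error):
        return False


def carve(image: bytes, entries, name: str) -> bytes:
    """Slice one partition's bytes out of the dump by its GPT name."""
    entry = next(e for e in entries if e["name"] == name)
    return image[entry["offset"]:entry["offset"] + entry["size"]]


def build_sample_gpt(parts, total_lbas=4096, sector=SECTOR) -> bytes:
    """Constructed image: protective MBR at LBA 0, header at LBA 1, 128 entries at LBA 2..33."""
    ent_count = ent_size = 128
    linux_data = uuid.UUID("0FC63DAF-8483-4772-8E79-3D69D8477DE4")   # Linux filesystem data
    array = bytearray(ent_count * ent_size)
    for i, (name, first, last) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, array, i * ent_size, linux_data.bytes_le,
                         uuid.UUID(int=i + 1).bytes_le, first, last, 0,
                         name.encode("utf-16-le"))
    hdr = bytearray(struct.pack(HEADER_FMT, GPT_SIG, 0x00010000, 92, 0, 0,
                                1, total_lbas - 1, 34, total_lbas - 34,
                                uuid.UUID(int=0xD15C).bytes_le, 2, ent_count, ent_size,
                                zlib.crc32(array) & 0xFFFFFFFF))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr) & 0xFFFFFFFF)
    mbr = bytearray(sector)
    mbr[0x1BE + 4] = 0xEE               # protective MBR: one 0xEE partition
    mbr[0x1FE:0x200] = b"\x55\xAA"
    image = mbr + hdr.ljust(sector, b"\0") + array
    # Pad with 0xFF so carve() has something to return; a real dump holds the partitions here.
    return bytes(image).ljust(total_lbas * sector, b"\xff")


# Made-up layout: names and LBA ranges are illustrative only.
SAMPLE_PARTS = [("uboot", 34, 2081), ("ubootenv", 2082, 2089), ("rootfs", 2090, 4062)]
SAMPLE_IMAGE = build_sample_gpt(SAMPLE_PARTS)

if __name__ == "__main__":
    header, entries = parse_gpt(SAMPLE_IMAGE)
    print("disk", header["disk_guid"], "entries at LBA", header["entries_lba"])
    for e in entries:
        print(f"{e['index']:3d} {e['name']:<12} LBA {e['first_lba']}-{e['last_lba']} "
              f"offset 0x{e['offset']:x} size 0x{e['size']:x}")
    print("uboot carve:", len(carve(SAMPLE_IMAGE, entries, "uboot")), "bytes")
```

On a real dump, read the file into `image` and call `parse_gpt` on it; a CRC failure there is the quickest way to tell whether sector 1 or the entry array came through the capture intact before spending time on the partitions themselves.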