"Going back to original firmware" and "stripped images"

Hi!

Regarding "going back to original firmware" and "stripped images", may I conclude that the "skip=257" option in the dd command came from this calculation?

root@OpenWrt:~# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 0001fb00 00010000 "factory-boot"
mtd1: 00000500 00010000 "mac"
mtd2: 00010000 00010000 "u-boot"
mtd3: 007a0000 00010000 "firmware"
mtd4: 001d0000 00010000 "kernel"
mtd5: 005d0000 00010000 "rootfs"
mtd6: 00390000 00010000 "rootfs_data"
mtd7: 00020000 00010000 "tplink"
mtd8: 00010000 00010000 "art"

mtd0 size: 0001fb00 = 129792
mtd1 size: 00000500 = 1280

(129792 + 1280) / 512 = 256

In this particular case, the "skip" will continue to be 257?

Thanks.
Regards.

Complementing my own question, with the skip=257 we are actually getting rid of this part?

No.
That means that you skip 257 blocks of 512 bytes each.
(The dd command parameters continue: "skip=257 bs=512", where bs = block size.)

In practice, that is usually a factory header of 512 bytes plus 128 kB of u-boot, 128.5 kB in total.

Which router are you talking about?
That advice is for some TPLink models, where some OEM firmware files have a header plus, in some firmware files, an unnecessary u-boot bootloader (128 kB in size) before the actual firmware begins.

For some routers, TP-Link has published both "recovery images" with the u-boot to be stripped, and normal images without it, where only the 0.5 kB header is stripped.

So, the correct amount depends on the exact file that you are talking about.


Thanks for the explanation.

Specifically, my router is a TP-Link Archer C60 V3.

Support for OpenWRT started in February (snapshot only so far), and the stock firmware isn't available from the Brazilian region site.

I tried to apply the US and the EU firmwares, but with no success.

Anyway I have a "feeling" that the US version should work, because it supports more "special_id" devices than the EU version:

US SupportList:
{product_name:Archer C60,product_ver:3.0.0,special_id:00000000}
{product_name:Archer C60,product_ver:3.0.0,special_id:45550000}
{product_name:Archer C60,product_ver:3.0.0,special_id:4B520000}
{product_name:Archer C60,product_ver:3.0.0,special_id:54570000}
{product_name:Archer C60,product_ver:3.0.0,special_id:42520000}
{product_name:Archer C60,product_ver:3.0.0,special_id:52550000}
{product_name:Archer C60,product_ver:3.0.0,special_id:55530000}

EU SupportList:
{product_name:Archer C60,product_ver:3.0.0,special_id:00000000}
{product_name:Archer C60,product_ver:3.0.0,special_id:45550000}

I just haven't found yet what the "special_id" of my router version would be.

Anyway, can you help me to calculate the skip value that I should use, if any, in the case of the US firmware version?

Thanks!

The IDs are two letter country codes in ASCII, for example 55 53 = "US" and 45 55 = "EU" and 42 57 = "BR".

Which kind of suggests your BR unit is intended to accept the US firmware. Have you tried TFTP recovery?


Amazing!

"BR" would be 42 52...

Well... I tried the TFTP method with these firmwares from US and EU, and the result was a "bricked" device that I recovered by using the OpenWRT snapshot for my device.

So, I guess that, if the firmwares weren't "accepted" by my device because "BR" isn't supported, I could change the bin file to artificially support my BR device, and theoretically, it should work.

How wrong could I possibly be? :wink:

UPDATE: actually 42 52 is there... so no binary change is necessary.

The only thing left now would be the skip value, if any.

From the US firmware version, I found these values:

fwup-ptn fs-uboot base 0x01000 size 0x0d45b
fwup-ptn os-image base 0x0e45b size 0xe6eda
fwup-ptn file-system base 0xf5335 size 0x6606e5
fwup-ptn soft-version base 0x755a1a size 0x00059
fwup-ptn support-list base 0x755a73 size 0x001d5
fwup-ptn extra-para base 0x755c48 size 0x0000b
fwup-ptn profile base 0x755c53 size 0x02dae
fwup-ptn default-config base 0x758a01 size 0x02329
fwup-ptn partition-table base 0x00800 size 0x00800

Is it possible to calculate the skip value from this?

I think you would skip to the base of os-image, that is remove the first 0xe45b bytes.

Well... unfortunately nothing worked.

I tried all the possible combinations and I still have the OpenWRT firmware applied. There's no way to get that US firmware applied on my router.

Can someone please help get the stripped image for Archer A9 V6 US. This is the binwalk output:

The firmware image as is, is not being accepted in TFTP recovery. I want to go back to stock. Thanks

I don't know the exact dd or other commands that need to be run. It is clear from the screenshot which is the u-boot partition, but I don't know how to skip, the blocksize, etc. If someone has experience, pls help.

Update: I figured it out. Thanks

Would you please explain or provide the sources from which you have inferred the values for blocksize, skip and count? I need to flash the firmware but I don't know how to strip the image.

This is the binwalk output:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
73936         0x120D0         U-Boot version string, "U-Boot 1.1.3 (Jan  5 2022 - 15:46:51)"
132096        0x20400         uImage header, header size: 64 bytes, header CRC: 0x3676CEB7, created: 2022-01-05 07:52:13, image size: 1950293 bytes, Data Address: 0x81001000, Entry Point: 0x813D34D0, data CRC: 0x9D6B59CA, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "Linux Kernel Image"
132160        0x20440         LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 5622656 bytes
2228736       0x220200        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 9988072 bytes, 731 inodes, blocksize: 131072 bytes, created: 2022-01-05 08:12:14
16515584      0xFC0200        Zip archive data, at least v1.0 to extract, name: bin/
16515646      0xFC023E        Zip archive data, at least v1.0 to extract, name: lib/
16515708      0xFC027C        Zip archive data, at least v2.0 to extract, compressed size: 26325, uncompressed size: 227187, name: lib/NetIspInfo.ini
16542345      0xFC6A89        End of Zip archive, footer length: 22
16542367      0xFC6A9F        Zip archive data, at least v2.0 to extract, compressed size: 3776957, uncompressed size: 4569088, name: mdm9640-boot.img
20319398      0x1360CA6       Zip archive data, at least v2.0 to extract, compressed size: 27316734, uncompressed size: 38535168, name: mdm9640-sysfs.ubi
47636207      0x2D6DEEF       Zip archive data, at least v2.0 to extract, compressed size: 30722848, uncompressed size: 38404096, name: NON-HLOS.ubi
78359380      0x4ABAB54       End of Zip archive, footer length: 22

Thank you.
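
An added example, not part of any post in this thread and not OpenWrt or TP-Link code: it turns a byte offset, such as the one behind `skip=257 bs=512`, a base from the fwup-ptn listing, or an offset from the binwalk output, into dd `bs`/`skip` values and refuses a cut that does not start with the expected magic. The function names and the sample image are constructed for illustration; which offset is the right cut point for a given router and file is an assumption the page does not settle.

```python
import re

UIMAGE_MAGIC = bytes.fromhex("27051956")  # magic of a legacy U-Boot uImage header

def dd_params(offset, max_bs=512):
    """Largest power-of-two bs <= max_bs dividing offset, and skip counted in bs."""
    bs = max_bs
    while offset % bs:
        bs //= 2  # reaches 1 for odd offsets, so the loop always ends
    return bs, offset // bs

def parse_fwup_ptn(text):
    """Map partition name -> (base, size) from 'fwup-ptn NAME base 0x.. size 0x..'."""
    pat = re.compile(r"fwup-ptn\s+(\S+)\s+base\s+0x([0-9a-fA-F]+)\s+size\s+0x([0-9a-fA-F]+)")
    return {n: (int(b, 16), int(s, 16)) for n, b, s in pat.findall(text)}

def strip_image(image, offset, size=None, magic=None):
    """Cut image[offset:offset+size]; refuse a bad range or a missing magic."""
    end = len(image) if size is None else offset + size
    if not 0 <= offset < end <= len(image):
        raise ValueError("offset/size fall outside the file")
    part = image[offset:end]
    if magic is not None and not part.startswith(magic):
        raise ValueError(f"expected magic not found at 0x{offset:x}: wrong skip?")
    return part

# Three rows copied from the fwup-ptn listing on this page.
PTN_TABLE = """\
fwup-ptn fs-uboot base 0x01000 size 0x0d45b
fwup-ptn os-image base 0x0e45b size 0xe6eda
fwup-ptn file-system base 0xf5335 size 0x6606e5
"""

def make_sample_image():
    """Constructed test file: 512-byte header, 128 KiB filler, then a fake uImage."""
    return bytes(512) + b"\xff" * (128 * 1024) + UIMAGE_MAGIC + b"kernel-payload"

if __name__ == "__main__":
    print(dd_params(512 + 128 * 1024))   # header + u-boot case from the thread
    print(dd_params(132096))             # uImage offset in the binwalk listing
    base, size = parse_fwup_ptn(PTN_TABLE)["os-image"]
    print(dd_params(base), hex(size))    # unaligned base: needs a smaller bs
    img = make_sample_image()
    print(strip_image(img, 257 * 512, magic=UIMAGE_MAGIC)[:4].hex())
```

An offset that is not a multiple of 512, such as the os-image base 0x0e45b, cannot be written as `bs=512 skip=N`, so `dd_params` falls back to a smaller block size.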