I have a RB760igS ( hex S) that I was trying to replace routerOS with openwrt.
For that I have tried to first dump the original firmware directly from the SPI programmer.
But something strange happened in the middle. While I was dumping the unit somehow appeared to try to boot (beep) and after that the dump failed and I can not get the unit to work anymore.
It shows the power and SFP leds always ( no blinking )
netboot does not appear to work and the unit does not show up on winbox.
Any ideas? Can anyone provide me a flashrom working dump ?
I know the board is not dead because I can get the following on the serial:
RouterBOOT booter 6.48.6
Authorization: failure
A working openwrt dump would be more than enough and really helpful. I do not intend to revert to RouterOS anyways.
Could you try to load the backup booter, and see if you get the same error message?
Start to hold in the reset button before you apply power.
You should see 'RouterBOOT backup booter' on serial.
If that works, I would netinstall a RouterOS v6, then install the primary (upgrade) RouterBOOT. You will need to force the backup booter each time until you upgrade primary RouterBOOT.
RouterBOOT and its config is in the first 388kB and the rest is Linux. If that part of your dump is good, restoring it should recover it. Check the offset 4F000. You should see string "Hard" followed by MAC, model and RouterBOOT version.
Bootloader1 is the backup booter, used when you hold the reset button before applying power, or if the relevant softcfg tag is set, otherwise it jumps very early to bootloader2 (primary booter, which you can upgrade in RouterOS).
If you get nothing on serial when you force backup booter, likely this is damaged.
I have not seen this before in RouterBOOT, and I don't know what it is checking (something on NOR, could be checksum, or Hard tags, or bios, etc.).
I would read again the first 0xf000 bytes of NOR into a new file, and compare it with the old one. Maybe you got a good copy of these early bits before the device booted, and they are different to what is on device now.
Well, I did dump again and md5sum the first 0xf000 bytes and they differ. So I decided to try to flash from the dump I have. Well, now i get nothing on the SERIAL on both main and backup boot loaders and only POWER led is on, unforunatelly.
So, i tried to restore from a DUMP that I from a previous RB750GR3 and the device boots and it is reconigzed by winbox ( although it complains about licence as expected ). I will try to netboot openwrt and see what it happens. I hope it will work and SFP will also work in openwrt even if the device is recognized as a RB750GR3.
You want the hard_config data from your 760igs dump. This is what tells RouterBOOT which model is it (and the base MAC address). For example, strings on my hard_config partition give this:
strings /dev/mtd2
Hard
SERIALNUMBER
RB760iGS
hEX S
6.42.4
750g-mt
I know that the bootloader2 (primary booter) is shared between all the Mikrotik mt7621 devices. I am not sure about the backup booter.
I uploaded bootloader1 from one of my old 760igs here: https://we.tl/t-P9EL6LV3kd extracted sha256sum for the bootloader is 7aca968d375842ccf1e89ad291bb0ee4695563f2995502239c0983c21bd308b0
Thanks @johnth , but unfortunately i just can't flash anything on the unit anymore. I am still trying to figure it out why . I always get:
Using clock_gettime for delay loops (clk_id: 1, resolution: 1ns).
Found Winbond flash chip "W25Q128.V..M" (16384 kB, SPI) on ch341a_spi.
Erasing and writing flash chip... FAILED at 0x00026900! Expected=0xff, Found=0xe5, failed byte count from 0x00026000-0x00026fff: 0xff
ERASE FAILED!
Looking for another erase function.
FAILED at 0x00026900! Expected=0xff, Found=0xe5, failed byte count from 0x00020000-0x00027fff: 0xff
ERASE FAILED!
Looking for another erase function.
FAILED at 0x00026900! Expected=0xff, Found=0xe5, failed byte count from 0x00020000-0x0002ffff: 0xff
ERASE FAILED!
Looking for another erase function.
FAILED at 0x00026900! Expected=0xff, Found=0xe5, failed byte count from 0x00000000-0x00ffffff: 0x232bcf
ERASE FAILED!
Looking for another erase function.
FAILED at 0x00026900! Expected=0xff, Found=0xe5, failed byte count from 0x00000000-0x00ffffff: 0x232cc7
ERASE FAILED!
Looking for another erase function.
Looking for another erase function.
Looking for another erase function.
No usable erase functions left.
FAILED!
I still have not given up on this device, but I am out of ideas. I even tried windows programmers, but they also fail complaining the device maybe in protected mode and I do not know what this is or how to overcome it.
I would try to write only the first 0xf000 (backup booter), or go to 0x10000 if you need to write hard_config as well. With those, you can then NetInstall, or boot OpenWrt, then do more from within an OS.
Given the device did start to boot while you were reading, this could have happened while you were writing as well. It might be that you have a limited window of time where you can do operations before the device boots and starts confusing the SPI signals.
I remember when I connected my 760igs to SPI pins on an RPi to dump the NOR, there were extra LEDs active on the 760igs. I think I had to write small sections at a time, then read them back to verify they actually wrote.
The SPI NOR chip has a few options to make it go inactive, or write protect. Have a look at /CS, /WP, and /HOLD on the NOR datasheet, and make sure you have them wired up as expected, and no wires have loosened or slipped.
@johnth which app allows you to flash only small parts of the dump?
Flash rom does not allow me to use anything less then the full size
I used dd to split the dump in the first 0x10000