Hi Sneeze,
Well, this is tricky and involves knowledge of hex editors etc., not something I'm capable of supporting remotely. I had the router working and auto-booting, but during the refinement of this process I bricked the router. There is no way back as far as I have experienced; during the search for the boot-mode jumpers to alter the configuration I killed the board.
So if you know your way around this, here's the way I did it.
First I dumped the firmware of the router over the serial line, using the command:
md.l 0xb0000000 0x1000000
This takes some time, so sit back...
After this I separated the lines from the first line b0000000 up to and including the address line b001fff0 into a separate file, edit.txt; this is one entire memory sector. By design you can only rewrite entire sectors in memory, not parts of them.
Around line b001f400 you will see this:
b001f400: 27051956 f39b0ce0 4e897986 00000079 '..V....N.y....y
b001f410: 00000000 00000000 37961ac7 05070600 ........7.......
b001f420: 5a2d426f 6f742073 63726970 74000000 Z-Boot script...
b001f430: 00000000 00000000 00000000 00000000 ................
b001f440: 00000071 00000000 6563686f 0a656368 ...q....echo.ech
b001f450: 6f205a2d 426f6f74 20417574 6f736372 o Z-Boot Autoscr
b001f460: 69707420 66696c65 0a656368 6f203d3d ipt file.echo ==
b001f470: 3d3d3d3d 3d3d3d3d 3d3d3d3d 3d3d3d3d ================
b001f480: 3d3d3d3d 0a656368 6f0a6370 2e622030 ====.echo.cp.b 0
b001f490: 78623030 31343030 30203078 38326138 xb0014000 0x82a8
b001f4a0: 30303030 20307831 30303030 0a676f20 0000 0x10000.go
b001f4b0: 38326138 30303030 0a000000 00000000 82a80000........
This is the default Zyxel bootscript pointing to the wrong start address.
Replace it with your bootscript image; mine looked like this:
b001f400: 27051956 917968a9 5a1abea1 0000005b '..V.yh.Z......[
b001f410: 00000000 00000000 2c0bfd2a 05070600 ........,..*....
b001f420: 5a2d426f 6f742073 63726970 74000000 Z-Boot script...
b001f430: 00000000 00000000 00000000 00000000 ................
b001f440: 00000053 00000000 6563686f 0a656368 ...S....echo.ech
b001f450: 6f205a2d 426f6f74 20417574 6f736372 o Z-Boot Autoscr
b001f460: 69707420 66696c65 0a656368 6f203d3d ipt file.echo ==
b001f470: 3d3d3d3d 3d3d3d3d 3d3d3d3d 3d3d3d3d ================
b001f480: 3d3d3d3d 0a656368 6f0a626f 6f746d20 ====.echo.bootm
b001f490: 30786230 30363030 30300a00 00000000 0xb0060000......
b001f4a0: 00000000 00000000 00000000 00000000 ................
b001f4b0: 00000000 00000000 00000000 00000000 ................
Fill out the lines with zeroes if necessary.
If you want to use your own script, you have to convert your image file to hex text with the xxd command, like this:
mkimage -T script -C none -n 'Z-Boot script' -d script_file.txt myscript.img
xxd myscript.img > myscript.hex
Now replace all starting addresses b0... with 00, so the entire file looks like this:
00000000: 1000000b 00000000 00000000 00000000 ................
00000010: 688c688c 00000000 312e312e 30000000 h.h.....1.1.0...
00000020: 00000000 00000000 00000000 00000000 ................
00000030: 40809000 40809800 40806800 401b7800 @...@...@.h.@.x.
00000040: 3c0800ff 3508ff00 0368d824 3c080001 <...5....h.$<...
00000050: 35089500 17680019 00000000 40088000 5....h......@...
00000060: 3c098000 3529ffff 01094024 3c093604 <...5)....@$<.6.
00000070: 01094025 00000000 40888000 00000040 ..@%....@......@
00000080: 00000040 00000040 000000c0 40086000 ...@...@....@.`.
00000090: 3c09fffc 3529ffff 01094024 24090000 <...5)....@$$...
000000a0: 01094025 00000000 40886000 00000040 ..@%....@.`....@
......
Now create a binary file from the hexdump by using the command:
xxd -r edit.txt > edit.bin
It should now be:
du edit.bin
128 edit.bin
Place this file on your tftp server.
Now boot your router with the serial line connected, get to the console, and do the following:
AMAZON_S # setenv ipaddr 192.168.2.250
AMAZON_S # setenv serverip 192.168.2.1
AMAZON_S # tftp 0x80700000 edit.bin
Using amazon_s Switch device
TFTP from server 192.168.2.1; our IP address is 192.168.2.250
Filename 'edit.bin'.
Load address: 0x80700000
Loading: ##########################
done
Bytes transferred = 131072 (20000 hex)
AMAZON_S # erase 0xB0000000 +${filesize}
Erase Flash from 0xb0000000 to 0xb001ffff
done
Erased 1 sectors
AMAZON_S # cp.b 0x80700000 0xB0000000 ${filesize}
Copy to Flash... done
AMAZON_S # reset
If all went well, you will see:
ROM VER: 1.1.3
CFG 01
U-Boot 1.1.5-ARX182 1.1.11(Oct 3 2011)
Boot from NOR flash
AR9 BOARD
CLOCK CPU 333M RAM 166M
DRAM: 64 MB
relocate_code start
relocate_code finish.
Flash: 16 MB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Net:
switch chip id=0000ffff
switch chip id=0000ffff
amazon_s Switch
## Executing script at b001f400
Z-Boot Autoscript file
======================
## Booting image at b0060000 ...
Image Name: MIPS LEDE Linux-4.4.92
Created: 2017-10-17 17:46:20 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1562155 Bytes = 1.5 MB
Load Address: 80002000
Entry Point: 80002000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
[ 0.000000] Linux version 4.4.92 (buildbot@debian8) (gcc version 5.4.0 (LEDE GCC 5.4.0 r3556-46e29bd) ) #0 Mon Oct 16 15:21:43 2017
[ 0.000000] SoC: AR9 rev 1.2
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0001954c (MIPS 34Kc)
[ 0.000000] MIPS: machine is P2601HNFX - ZyXEL P-2601HN-Fx
[ 0.000000] Determined physical RAM map:
Again, I am not an experienced hacker, so I cannot help any further in a responsible way. I bricked my router beyond repair when I tried to build in a time-out function to interrupt the boot process. But this was during a write action to flash from within LEDE to an mtd device.
As you can see in my bootscript, I had no time-out built in to interrupt the boot process, so I could never get to the bootloader's prompt after this hack.