Spectrum SAX1V1K (Askey RT5010W) OpenWrt Support

There's also an "update_firmware" warehouse command that takes a tftp address and file name, but that is probably going to check the image and fail on verifying it. I haven't looked into that yet because I'm not sure what firmware to even try flashing. Maybe the initramfs for the Dynalink RT5010W?

For now I would just really like to get root access on the device, and I thought the command injection was my ticket.

U-Boot password is probably stored as a SHA-256 hash:

@meisterlone -
How did you get warehouse mode?
Is there access to fw_printenv / fw_setenv or another way to set the U-Boot environment?
I'd set up a tftp server for the WRX36 initramfs if I could figure out how/where to get it to look.

U-Boot with ELF header (can be easily opened with Ghidra or IDA):

EDIT: New link

says deleted file @lytr

I can flash firmware. I'm just not sure what to flash. I need to make an initramfs that is acceptable to the router. See my other thread here if you can assist.

link updated

The new link also says deleted for me :X

@lytr, if you can just run me through how to select the correct ELF from the binwalk, that would be great.

How do you know which ELF?
How do you know the start and end of the file? I.e. how to dump it out?

Thanks

EDIT: Nvm, I found it. Looks like I can just patch out this PW check.

Updated one more time :slight_smile:

I decompiled a DTS file from the appended DTB in the stock kernel image found in partition "hlos".

Now I will attempt to build OpenWrt with this and flash the initramfs to see if that will boot.
Any advice to get this right the first time? :sweat_smile:

Thanks!

Askey-RT5010W-D187-REV6/Askey_RT5010W-D187_REV6.dts at master · MeisterLone/Askey-RT5010W-D187-REV6 (github.com)

You can check support for the ZyXEL NBG7815 (Armor G5) and QNAP QHora-301w. They also use eMMC flash memory.

Do you have U-Boot access?

I don't have U-Boot access and don't think it's possible. I patched out the password check in the U-Boot ELF and wrote it to eMMC, then got this error.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       203 - PBL, Start
B -      2740 - bootable_media_detect_entry, Start
B -    125736 - bootable_media_detect_success, Start
B -    125740 - elf_loader_entry, Start
B -    127165 - auth_hash_seg_entry, Start
B -    165240 - auth_hash_seg_exit, Start
B -    179714 - elf_segs_hash_verify_entry, Start
B -    242349 - PBL, End
B -    246470 - SBL1, Start
B -    296887 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    303170 - pm_device_init, Start
B -    426603 - PM_SET_VAL:Skip
D -    123098 - pm_device_init, Delta
B -    429043 - pm_driver_init, Start
D -      5215 - pm_driver_init, Delta
B -    435265 - clock_init, Start
D -      2135 - clock_init, Delta
B -    439383 - boot_flash_init, Start
D -      7869 - boot_flash_init, Delta
B -    450942 - boot_config_data_table_init, Start
D -      1037 - boot_config_data_table_init, Delta - (575 Bytes)
B -    458567 - Boot Setting :  0x00000618
B -    462319 - CDT version:2,Platform ID:8,Major ID:117,Minor ID:1,Subtype:6
B -    469425 - sbl1_ddr_set_params, Start
B -    473238 - CPR configuration: 0x30c
B -    476684 - cpr_init, Start
B -    479460 - Rail:0 Mode: 5 Voltage: 808000
B -    484675 - CL CPR settled at 760000mV
B -    487512 - Rail:1 Mode: 5 Voltage: 880000
B -    491690 - Rail:1 Mode: 7 Voltage: 920000
D -     16531 - cpr_init, Delta
B -    498583 - Pre_DDR_clock_init, Start
B -    502609 - Pre_DDR_clock_init, End
B -    505903 - DDR Type : PCDDR4
B -    512674 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    516395 - DDR: Start of HAL DDR Boot Training
B -    521123 - DDR: End of HAL DDR Boot Training
B -    526796 - DDR: Checksum to be stored on flash is 432286550
B -    537105 - Image Load, Start
D -    345107 - QSEE Image Loaded, Delta - (1380872 Bytes)
B -    882273 - Image Load, Start
D -       457 - SEC Image Loaded, Delta - (0 Bytes)
B -    889807 - Image Load, Start
D -    287859 - DEVCFG Image Loaded, Delta - (32468 Bytes)
B -   1177757 - Image Load, Start
D -    292861 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1470710 - Image Load, Start
B -    789797 - Error code 37000105 at boot_config.c Line 329

This seems to be coming from the primary bootloader (U-Boot is the secondary). Maybe a checksum, or the U-Boot ELF is signed??
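To make the boot log above easier to read, here is a small parser for its line format ("Log Type - Time(microsec) - Message - Optional Info") that finds the error line, the last stage reached before it, and whether the since-boot timestamp ran backwards at that point. This is an added example, not code from the thread; the log excerpt inside it is a constructed shortening of the one posted.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt of the log posted above (same line format).
SAMPLE_LOG = """\
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
B -       203 - PBL, Start
B -    242349 - PBL, End
B -    246470 - SBL1, Start
B -   1177757 - Image Load, Start
D -    292861 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1470710 - Image Load, Start
B -    789797 - Error code 37000105 at boot_config.c Line 329
"""

# An entry is (kind, time_us, message); kind B = since boot, D = delta,
# S = statistic (S lines carry no timestamp, so time_us is None).
Entry = Tuple[str, Optional[int], str]
TIMED_RE = re.compile(r"^([BD]) -\s+(\d+) - (.*)$")
STAT_RE = re.compile(r"^S - (.*)$")

def parse_boot_log(text: str) -> List[Entry]:
    """Parse the raw log; header lines matching neither pattern are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = TIMED_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3).strip()))
            continue
        m = STAT_RE.match(line)
        if m:
            entries.append(("S", None, m.group(1).strip()))
    return entries

def diagnose(entries: List[Entry]) -> Optional[dict]:
    """Find the first 'Error code' line; report the last 'B' stage logged
    before it and whether its timestamp went backwards (B times should grow)."""
    last_ok, prev_t = None, -1
    for kind, t, msg in entries:
        if msg.startswith("Error code"):
            return {"error": msg, "last_stage": last_ok,
                    "time_ran_backwards": t is not None and t < prev_t}
        if kind == "B":
            last_ok, prev_t = msg, t
    return None
```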

I have a hack that allows me to flash firmware without opening the device, so hopefully that is enough.

@robimarko how do I format this DTS I decompiled for the OpenWrt build? I don't have root access on the device, only access to the filesystem. Trying to make an initial initramfs image.

For QNAP QHora-301w, the u-boot-env partition is on 8MB NOR flash.

Initramfs is loaded into RAM on startup, so you probably need access to U-Boot.

No, the boot env partition is definitely here on the eMMC. It's here:

UserData.BIN14 24610 25121 512 0:APPSBLENV
In my dump, at 0xC04400

Could I possibly patch this to try tftp on each boot?
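The partition-table line quoted above gives start LBA, end LBA and sector size, so the byte offset in the dump is start LBA times sector size (24610 * 512 = 0xC04400, matching the offset stated). Here is an added example, not code from the thread, that parses such a line and carves the partition out of a raw dump; it assumes the column order <name> <start LBA> <end LBA> <sector size> <id:label> and that the end LBA is inclusive.

```python
import re
from typing import Dict, Tuple

# The one entry quoted in the thread, used here as a constructed table.
PARTITION_TABLE = """\
UserData.BIN14 24610 25121 512 0:APPSBLENV
"""

# Assumed column layout: name, start LBA, end LBA, sector size, id:label.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+:(\S+)$")

def parse_partition_table(text: str) -> Dict[str, Tuple[int, int]]:
    """Map partition label -> (byte offset, byte length) in the raw dump.
    End LBA is treated as inclusive (assumption)."""
    parts: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _, start, end, sector, label = m.groups()
        start, end, sector = int(start), int(end), int(sector)
        parts[label] = (start * sector, (end - start + 1) * sector)
    return parts

def carve_partition(dump: bytes, offset: int, length: int) -> bytes:
    """Slice one partition out of a full eMMC dump, refusing a short dump."""
    if offset + length > len(dump):
        raise ValueError("partition extends past the end of the dump")
    return dump[offset:offset + length]
```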

You can't use it directly, it's just to get the relevant info.

Which parts are the bare minimum required to boot?

Basically just UART and its pinctrl.