says deleted file @lytr
I can flash firmware. I'm just not sure what to flash. I need to make an initramfs that is acceptable to the router. See my other thread here if you can assist.
link updated
@lytr if you can just run me through how to select the correct ELF from the binwalk that would be great.
How do you know which ELF?
How do you know the start and end of the file? I.e. how to dump it out
Thanks
EDIT: Nvm I found it. Looks like I can just patch out this PW check
Updated one more time
I decompiled a DTS file from the appended dtb in the stock kernel image found in partition "hlos"
Now I will attempt to build OpenWrt with this and flash the initramfs to see if that will boot.
Any advice to get this right first time?
Thanks!
You can check support for ZyXEL NBG7815 (Armor G5) and QNAP QHora-301w. Also uses eMMC flash memory.
Do you have uboot access?
I don't have uboot access and don't think it's possible. I patched out the password check in the uboot elf and wrote it to emmc, then got this error.
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B - 203 - PBL, Start
B - 2740 - bootable_media_detect_entry, Start
B - 125736 - bootable_media_detect_success, Start
B - 125740 - elf_loader_entry, Start
B - 127165 - auth_hash_seg_entry, Start
B - 165240 - auth_hash_seg_exit, Start
B - 179714 - elf_segs_hash_verify_entry, Start
B - 242349 - PBL, End
B - 246470 - SBL1, Start
B - 296887 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B - 303170 - pm_device_init, Start
B - 426603 - PM_SET_VAL:Skip
D - 123098 - pm_device_init, Delta
B - 429043 - pm_driver_init, Start
D - 5215 - pm_driver_init, Delta
B - 435265 - clock_init, Start
D - 2135 - clock_init, Delta
B - 439383 - boot_flash_init, Start
D - 7869 - boot_flash_init, Delta
B - 450942 - boot_config_data_table_init, Start
D - 1037 - boot_config_data_table_init, Delta - (575 Bytes)
B - 458567 - Boot Setting : 0x00000618
B - 462319 - CDT version:2,Platform ID:8,Major ID:117,Minor ID:1,Subtype:6
B - 469425 - sbl1_ddr_set_params, Start
B - 473238 - CPR configuration: 0x30c
B - 476684 - cpr_init, Start
B - 479460 - Rail:0 Mode: 5 Voltage: 808000
B - 484675 - CL CPR settled at 760000mV
B - 487512 - Rail:1 Mode: 5 Voltage: 880000
B - 491690 - Rail:1 Mode: 7 Voltage: 920000
D - 16531 - cpr_init, Delta
B - 498583 - Pre_DDR_clock_init, Start
B - 502609 - Pre_DDR_clock_init, End
B - 505903 - DDR Type : PCDDR4
B - 512674 - do ddr sanity test, Start
D - 1067 - do ddr sanity test, Delta
B - 516395 - DDR: Start of HAL DDR Boot Training
B - 521123 - DDR: End of HAL DDR Boot Training
B - 526796 - DDR: Checksum to be stored on flash is 432286550
B - 537105 - Image Load, Start
D - 345107 - QSEE Image Loaded, Delta - (1380872 Bytes)
B - 882273 - Image Load, Start
D - 457 - SEC Image Loaded, Delta - (0 Bytes)
B - 889807 - Image Load, Start
D - 287859 - DEVCFG Image Loaded, Delta - (32468 Bytes)
B - 1177757 - Image Load, Start
D - 292861 - RPM Image Loaded, Delta - (93060 Bytes)
B - 1470710 - Image Load, Start
B - 789797 - Error code 37000105 at boot_config.c Line 329
This seems to be coming from the primary bootloader (uboot is secondary). Maybe a checksum or uboot elf is signed??
I have a hack that allows me to flash firmware without opening the device, so hopefully that is enough.
@robimarko how do I format this DTS I decompiled for the OpenWrt build? I don't have root access on the device, only have access to the filesystem. Trying to make an initial initramfs image.
For QNAP QHora-301w, the u-boot-env partition is on 8MB NOR flash.
Initramfs is loaded into RAM on startup, so you probably need access to uboot.
No, the boot env partition is definitely here on the emmc. It's here:
UserData.BIN14 24610 25121 512 0:APPSBLENV
In my dump, at 0xC04400
Could I possibly patch this to try tftp on each boot?
You can't use it directly, it's just to get the relevant info
which parts are bare minimum required to boot?
Basically just UART and its pinctrl
Uboot now fails on the cmd "bootm" with this
Not allowed command, use bootipq.resetting ...
Thanks. I will get to that tomorrow. Regarding uboot: I tried to patch some bytes in uboot and then the device failed to boot uboot entirely, just because 1 byte changed. Do you think this is due to a checksum, or is uboot signed and the device can't load anything else?
Secure boot is probably enabled
Partition list from eMMC backup:
Number Start (sector) End (sector) Size Code Name
1 34 2081 1024.0 KiB A012 0:SBL1
2 2082 3105 512.0 KiB FFFF 0:BOOTCONFIG
3 3106 4129 512.0 KiB FFFF 0:BOOTCONFIG1
4 4130 10273 3.0 MiB A016 0:QSEE
5 10274 16417 3.0 MiB FFFF 0:QSEE_1
6 16418 17441 512.0 KiB FFFF 0:DEVCFG
7 17442 18465 512.0 KiB FFFF 0:DEVCFG_1
8 18466 19489 512.0 KiB A022 0:APDP
9 19490 20513 512.0 KiB FFFF 0:APDP_1
10 20514 21537 512.0 KiB A018 0:RPM
11 21538 22561 512.0 KiB FFFF 0:RPM_1
12 22562 23585 512.0 KiB A01B 0:CDT
13 23586 24609 512.0 KiB FFFF 0:CDT_1
14 24610 25121 256.0 KiB FFFF 0:APPSBLENV
15 25122 29217 2.0 MiB A015 0:APPSBL
16 29218 33313 2.0 MiB FFFF 0:APPSBL_1
17 33314 35361 1024.0 KiB FFFF 0:ART
18 35362 51745 8.0 MiB FFFF 0:HLOS
19 51746 68129 8.0 MiB FFFF 0:HLOS_1
20 68130 330273 128.0 MiB FFFF rootfs
21 330274 346657 8.0 MiB FFFF 0:WIFIFW
22 346658 608801 128.0 MiB FFFF rootfs_1
23 608802 625185 8.0 MiB FFFF 0:WIFIFW_1
24 625186 1673761 512.0 MiB FFFF rootfs_data
25 1673762 2722337 512.0 MiB FFFF rootfs_data_1
26 2722338 2723361 512.0 KiB FFFF 0:ETHPHYFW
27 2723362 2739745 8.0 MiB FFFF econfig
28 2739746 2772513 16.0 MiB FFFF edata
29 2772514 3034657 128.0 MiB FFFF log
30 3034658 3067425 16.0 MiB FFFF persist
31 3067426 5164577 1024.0 MiB FFFF usr_app
32 5164578 5172769 4.0 MiB FFFF rsvd_1
33 5172770 5180961 4.0 MiB FFFF rsvd_2
34 5180962 5185057 2.0 MiB FFFF rsvd_3
35 5185058 5217825 16.0 MiB FFFF rsvd_4
36 5217826 5283361 32.0 MiB FFFF rsvd_5
37 5283362 5414437 64.0 MiB FFFF rsvd_6
38 5414438 15204321 4.7 GiB FFFF user_data
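
The sector-to-offset arithmetic behind the partition list above, as an added example that is not part of any poster's message: it parses rows in that listing format, converts start/end sectors to byte offsets in a raw eMMC dump, and copies one partition out for inspection. The 512-byte sector size is an assumption (it is consistent with 0:APPSBLENV at sector 24610 being found at 0xC04400), and the function and variable names are illustrative.

```python
import re
from typing import NamedTuple

# Assumption: 512-byte logical sectors (24610 * 512 == 0xC04400, as in the thread).
SECTOR_SIZE = 512

# Rows copied from the partition list in the thread (subset).
SAMPLE_LISTING = """\
Number Start (sector) End (sector) Size Code Name
14 24610 25121 256.0 KiB FFFF 0:APPSBLENV
15 25122 29217 2.0 MiB A015 0:APPSBL
18 35362 51745 8.0 MiB FFFF 0:HLOS
"""

ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+[\d.]+\s+[KMGT]iB\s+[0-9A-Fa-f]{4}\s+(\S+)\s*$"
)


class Partition(NamedTuple):
    number: int
    first_sector: int
    last_sector: int
    name: str

    @property
    def offset(self) -> int:          # byte offset inside the raw dump
        return self.first_sector * SECTOR_SIZE

    @property
    def length(self) -> int:          # size in bytes; the end sector is inclusive
        return (self.last_sector - self.first_sector + 1) * SECTOR_SIZE


def parse_listing(text: str) -> dict:
    """Map partition name -> Partition, skipping the header and non-table lines."""
    parts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            num, first, last, name = m.groups()
            parts[name] = Partition(int(num), int(first), int(last), name)
    return parts


def carve(dump_path: str, part: Partition, out_path: str) -> int:
    """Copy one partition out of a raw eMMC dump; refuse a truncated dump."""
    with open(dump_path, "rb") as src:
        src.seek(part.offset)
        data = src.read(part.length)
    if len(data) != part.length:
        raise ValueError(f"dump too short for {part.name}")
    with open(out_path, "wb") as dst:
        dst.write(data)
    return len(data)
```

Carving a partition from the backup and hashing it before and after any change gives a known-good copy to compare against when a modified image stops booting.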