I've managed to unbrick my device :-) The problem was that I did not wait long enough to let the recovery process finish. My device does not reboot after recovery; I need to manually reset the power (after waiting for > 5 min).
Now the device correctly asks for the AD7200_1.0_tp_recovery.bin during recovery.
Update: these are the steps which worked for me in the end:
- Binwalk on the current FW (160309) looks as follows:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
306577 0x4AD91 Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
306693 0x4AE05 Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
356060 0x56EDC CRC32 polynomial table, little endian
357884 0x575FC CRC32 polynomial table, little endian
430656 0x69240 Minix filesystem, V1, little endian, 0 zones
451249 0x6E2B1 uImage header, header size: 64 bytes, header CRC: 0x1D4EB8A5, created: 2016-03-09 02:08:13, image size: 1868608 bytes, Data Address: 0x41508000, Entry Point: 0x41508000, data CRC: 0xD2FA6374, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.103"
465248 0x71960 xz compressed data
465469 0x71A3D xz compressed data
2321074 0x236AB2 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 17694738 bytes, 3197 inodes, blocksize: 262144 bytes, created: 2016-03-09 02:09:06
20016075 0x1316BCB XML document, version: "1.0"
20023572 0x1318914 XML document, version: "1.0"
20025003 0x1318EAB Unix path: /var/run/appflow/tccpipe</listen_path>
20029086 0x1319E9E Unix path: /usr/share/miniupnpd/firewall.include</path>
20033316 0x131AF24 Unix path: /cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg/AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg/Folder.jpg/folder.jpg/Thumb.jpg/thu
20040237 0x131CA2D Unix path: /usr/local/bin/jiggle_firewall</exec>
20041083 0x131CD7B Unix path: /usr/local/bin/apply_appflow</exec>
- I extract the squash file system:
dd if=AD7200-US-up-ver1-0-10-P1\[20160902-rel57400\]_2016-09-02_15.50.11.bin bs=1 skip=2321074 count=17694450 of=squash_fs.bin
- Unpack it (use the binary from the GPL code):
- Edit stuff ...
- Delete the '/dev' directory
- Repack it:
mksquashfs4 squashfs-root/ squash_fs_repacked.bin -nopad -noappend -root-owned -comp xz -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 -b 256k -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'
- Prepare copying the modified squash fs back:
cp AD7200-US-up-ver1-0-8-P1[20160309-rel36550]_2016-03-09_10.10.34.bin repacked.bin
- Check that the new file does not exceed the length of the original squashfs binary
- Copy the modified squash-fs binary into the firmware binary
dd if=squash_fs_repacked.bin of=repacked.bin bs=1 seek=2321074 conv=notrunc
To recalculate the MD5 sum I do the following:
- Strip away 4 byte FW length + 16 byte old MD5sum:
dd bs=20 skip=1 if=repacked.bin of=repacked_trimmed.bin
- Generate a binary file from the 16 byte MD5 "key":
echo -n $'\x7A\x2B\x15\xED\x9B\x98\x59\x6D\xE5\x04\xAB\x44\xAC\x2A\x9F\x4E' > md5key.bin
- Generate 14 byte zeros (needed to overwrite "fw-type:cloud" string)
echo -n "0000000000000000000000000000" | xxd -r -p > 14byte_zeros.bin
- Create data part to create md5sum
dd bs=34 skip=1 if=repacked.bin of=repacked_trimmed.bin
- Append md5key and 14 byte zeros to the rest of the image
cat md5key.bin 14byte_zeros.bin repacked_trimmed.bin > repacked_md5rdy.bin
- Create md5sum
md5sum repacked_md5rdy.bin |awk '{print $1"0000000000000000000000000000"}' | xxd -r -p > md5_new.bin
- Copy new md5sum into repacked image
dd if=md5_new.bin of=repacked.bin bs=1 seek=4 conv=notrunc
Daniel
(Last edited by DanielAW on 24 Oct 2016, 14:39)
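
The length check, the in-place copy and the MD5 recalculation described in the post above, collected into one Python script. This is an added example, not part of the original post: the key bytes and the 4/16/14-byte header layout are taken from the post, while the function names and the small sample image are constructed for illustration.

```python
import hashlib

# Key and header layout as given in the post (4-byte length, 16-byte MD5, 14-byte field).
MD5_KEY = bytes.fromhex("7A2B15ED9B98596DE504AB44AC2A9F4E")
MD5_OFFSET = 4          # digest starts after the 4-byte firmware length
PAD_LEN = 14            # zeros that replace the "fw-type:cloud" field
DATA_OFFSET = MD5_OFFSET + 16 + PAD_LEN   # 34, same as "dd bs=34 skip=1"


def header_digest(image: bytes) -> bytes:
    """MD5 over key + 14 zero bytes + everything after the 34-byte header."""
    return hashlib.md5(MD5_KEY + bytes(PAD_LEN) + image[DATA_OFFSET:]).digest()


def splice(image: bytes, blob: bytes, offset: int, max_len: int) -> bytes:
    """Overwrite bytes at offset with blob, keeping the file length (dd conv=notrunc)."""
    if len(blob) > max_len:
        raise ValueError(f"blob is {len(blob)} bytes, original region is {max_len}")
    if offset < DATA_OFFSET or offset + max_len > len(image):
        raise ValueError("region does not lie inside the image body")
    return image[:offset] + blob + image[offset + len(blob):]


def reseal(image: bytes) -> bytes:
    """Write the new digest followed by 14 zero bytes at offset 4."""
    out = bytearray(image)
    out[MD5_OFFSET:DATA_OFFSET] = header_digest(image) + bytes(PAD_LEN)
    return bytes(out)


def is_sealed(image: bytes) -> bool:
    """True if the stored digest matches the body under the scheme above."""
    return image[MD5_OFFSET:MD5_OFFSET + 16] == header_digest(image)


def make_sample() -> bytes:
    """Constructed stand-in for a firmware file: 34-byte header + 200-byte body."""
    body = bytes(range(200))
    # Placeholder length and digest; the trailing NUL in the 14-byte field is an assumption.
    header = bytes(4) + bytes(16) + b"fw-type:cloud\x00"
    return header + body


if __name__ == "__main__":
    fw = reseal(splice(make_sample(), b"MODIFIED", offset=100, max_len=64))
    print("sealed:", is_sealed(fw), "digest:", fw[4:20].hex())
```

Running `is_sealed` on the finished file before flashing catches a body that was changed after the digest was written.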