DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.

You are not logged in.

Announcement

#1 2009-03-15 20:55:16

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Recover from bad flash

This information is based on localhorst24 post on nas-central forum.

Code:

ATCB          copy from FLASH ROM to working buffer
ATBTx         block0 write enable (1=enable, other=disable)
ATSB          save working buffer to FLASH ROM
ATUR          upload router firmware to flash ROM

Example use of these commands:

Code:

ATCmd> atcb

OK

ATCmd> atbt1

OK

ATCmd> atsb

Erase block127, address 0xf8fe0000, length 0x20000...Done
Program block127, address 0xf8fe0000, length 0x20000...100%
OK

ATCmd> atur

Starting XMODEM upload (CRC mode)....
CC..........
Total 15660160 (0xeef480)bytes received

Timeout, please download again...

ERROR
RAS checksum error !!

ERROR

ATCmd> atur

Starting XMODEM upload (CRC mode)....
CC
Total 15660288 (0xeef500)bytes received

OK

Erase block0, address 0xf8000000, length 0x20000...Done
Program block0, address 0xf8000000, length 0x20000...100%
Erase block1, address 0xf8020000, length 0x20000...Done
Program block1, address 0xf8020000, length 0x20000...100%
Erase block2, address 0xf8040000, length 0x20000...Done
Program block2, address 0xf8040000, length 0x20000...100%
Erase block3, address 0xf8060000, length 0x20000...Done
Program block3, address 0xf8060000, length 0x20000...100%
Erase block4, address 0xf8080000, length 0x20000...Done
Program block4, address 0xf8080000, length 0x20000...100%
Erase block5, address 0xf80a0000, length 0x20000...Done
Program block5, address 0xf80a0000, length 0x20000...100%
Erase block6, address 0xf80c0000, length 0x20000...Done
Program block6, address 0xf80c0000, length 0x20000...100%
Erase block7, address 0xf80e0000, length 0x20000...Done
Program block7, address 0xf80e0000, length 0x20000...100%
Erase block8, address 0xf8100000, length 0x20000...Done
Program block8, address 0xf8100000, length 0x20000...100%
Erase block9, address 0xf8120000, length 0x20000...Done
Program block9, address 0xf8120000, length 0x20000...100%
Erase block10, address 0xf8140000, length 0x20000...Done
Program block10, address 0xf8140000, length 0x20000...100%
Erase block11, address 0xf8160000, length 0x20000...Done
Program block11, address 0xf8160000, length 0x20000...100%
Erase block12, address 0xf8180000, length 0x20000...Done
Program block12, address 0xf8180000, length 0x20000...100%
Erase block13, address 0xf81a0000, length 0x20000...Done
Program block13, address 0xf81a0000, length 0x20000... 61%
...............
Program block116, address 0xf8e80000, length 0x20000...100%
Program block117, address 0xf8ea0000, length 0x20000...100%
Program block118, address 0xf8ec0000, length 0x20000...100%
Program block119, address 0xf8ee0000, length 0x20000...100%
OK

Not support!

ATCmd> (power off your and power on)

XMODEM upload should use Xmodem1k protocol, but I have used default 128 byte blocks instead and it does work.
First time I did get "ERROR RAS checksum error !!" error, but second time it did finish correctly, as seen from example.
This might happen because of upload size differences. 311AFB0C0.bin size is 15660226 but in first upload it did send only 15660160 bytes and second successful upload was 15660288 bytes (2 bytes larger because of xmodem 128 byte blocks size).

//edit
I did remove atgo command because it looks like the kernel is preloaded into memory and you will still boot kernel from broken or old firmware.

Last edited by sala (2009-03-19 12:33:34)


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

#2 2009-03-16 15:46:05

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731
Website

Re: Recover from bad flash

Additionally I want to say, that if your bootext and bootbase is flashed incorrectly or completely missing then you will need JTAG to recover your device. But at the time of writing this post, there is no info about NSA-220 JTAG setup.

I personal think that, most safest way to flash firmware parts (kernel and initrd) could be method described at this post: http://dns323.kood.org/forum/viewtopic.php?id=4044

As far as I understand, Zyxel default firmware update process always includes bootbase and bootext update which sound kind of risky to me, especially to take a look at recent 3.11 firmware update bricking rates.


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS

Offline

 

Board footer

Powered by PunBB
© Copyright 2002–2010 PunBB