Not working on U-Boot 2017.07-RELEASE-g78ed34f31579 (Sep 29 2017 - 07:43:44 -0700) #13
Comments
Update: I tried pressing space instead on boot...
It is dead now, won't boot and the orange LED stays lit. Maybe Cisco is not so keen on replacing this device's firmware after all. |
Looks like this is now reflected in the flashing documentation in Google Drive. Is there any chance this will be solved, and is there something we can do to help? |
@Ordspilleren best thing to do at this point is to request the latest u-boot GPL source from Meraki. This should hopefully show us what |
I got the U-boot source from Meraki. From a quick look at the code, the whole |
My Meraki licence expires this year, I wait hopeful that the 2017.07 version of U-Boot is able to be flashed before then! Unfortunately this is beyond my ability. |
Looks like what you're doing there is enabling secureboot. xyzzy should still work (with secureboot disabled) though, at least it seems like that in the code/config, I only had a brief look at the source though. Some fuses are write once and can never be deactivated (at least not in software), I don't know if that fuse is one of those. |
In the 20170427 u-boot sources the file Instead the newer |
Any news on the issue? I'm stuck on "uploading image", no prompt... |
If it's really an efuse then you blow it once and that's it, no way to recover. What you can always do when secureboot is inactive is desolder the flash and replace the uboot. |
I found this document on Secure boot: https://www.qualcomm.com/media/documents/files/secure-boot-and-image-authentication-technical-overview.pdf |
Has anyone managed to JTAG the MR33? I've got a couple of fresh ones and I would like to back up the firmware so that I can "roll-back" the Meraki bootloader later when it gets updated.. I suspect that the pinout is the 10x2 holes on the side, but I'm getting weird readings on my multi-meter and the traces don't seem to line up with what's specified in the standard ARM 20-pin JTAG Layout... |
Guys, any news? |
What did you do so far? Already pressed space and seen |
Did you work this out? I have the same issue. Verbose mode gives me "Waiting for prompt.." then nothing. I've tried setting the baud rate, data bits and stop bit, but still nothing. Have verified that I have a working serial connection in/out. |
I never got this working. I blew two Raspberry Pis and then the AP itself trying to JTAG in and dump the memory so that I could flash it back if necessary... Not that it means it doesn't work, just that I'm not very good at soldering and double checking cable pinouts :( |
Any update on this? |
The method I mentioned above still works. Desolder flash, replace uboot, solder it on again. |
@Flole998 are there any instructions on this? I've never flashed a NAND flash chip before, removing it should be ok, I have a heat gun but only really done this many years ago. Also, is it the chip under the tape? |
There are datasheets available that tell you everything you need to know about that flash. The basic steps are dump, separate OOB/ECC, modify, calculate new ECC and write back. What might work as well is to short the flash when uboot tries to load the kernel, depending on its configuration it might fall back to a console. |
Was this tested anywhere? As I'm not familiar with how wear leveling, etc works. But I have two MR33 - one running OpenWRT, one on stock software (fortunately still 2y of license to wait for any developments). I thought about booting modded one into initrd and then hot-swapping flash and reflashing it from linux - would this work? (let's skip physical part of swapping flash in the answer) If I understand correctly, in this kind of environment software (uboot/linux kernel) is responsible for all the leveling/ecc stuff, not memory controller like on flash drives? |
Actually I've done it before, it's been quite some time ago though. I'm not sure if someone else has done it or if this is documented somewhere. I've heard of hot-swapping flash causing a brick before, however that was on a different device. What could work is cloning the other NAND if you don't want to do the modifications manually, if it contains calibration data though that would need to be written back afterwards. |
The thing is, I've waited until the boot process finishes and I accidentally tried to exit out of screen using CTRL+C, and this gave me a Meraki> prompt. Now I don't know at which step that it causes the fuse to blow. Is it once it reboots with the uploaded openwrt u-boot and realises it's not signed or something? Because I've replicated what I've done on the same device over several reboots and I always get the prompt. Also, I took a full back up when I successfully flashed another MR33 yesterday of MTD. Is this useful for the MR33 with the newer firmware? |
@Flole998
referrer : https://openwrt.org/toh/aruba/aruba_ap-105 |
The basic process is the same, yes. Just that this is not a SPI Flash and the address is obviously different. But dumping, replacing and writing back are the correct steps, just that in this case I desoldered the Flash because I don't want the CPU to interfere with my programming operation. |
If you observe the boot process when you're connected via UART, it will tell you
…On Wed, 15 Jan 2020, 12:27 Richard L. Alhama, ***@***.***> wrote:
hi how would you determine the uboot version without running ubootwrite.py?
|
I have U-Boot 2017.07-RELEASE-g78ed34f31579 (Sep 29 2017). Guess I have to hone my soldering skills then. Thanks |
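The exchange above (read the version from the UART boot output before running ubootwrite.py) can be turned into a pre-flight check. This is an added example, not part of the thread or of the project's scripts: the function names, the `KNOWN_BAD` set (built only from the version in this issue's title) and the second sample log are assumptions made for illustration.

```python
import re

# U-Boot start-up banner, e.g. the one quoted in this issue's title.
BANNER_RE = re.compile(
    r"U-Boot (?P<version>\d{4}\.\d{2})(?P<extra>\S*) "
    r"\((?P<built>[A-Z][a-z]{2} +\d{1,2} \d{4}) - (?P<time>\d{2}:\d{2}:\d{2})"
)

# Releases this thread reports as enabling secure boot (assumption: only the
# version named in the issue title is listed; extend from your own findings).
KNOWN_BAD = {"2017.07"}


def find_banner(raw: bytes):
    """Return the banner fields found in captured UART bytes, or None."""
    # Serial captures often contain line noise, so never fail on decoding.
    text = raw.decode("ascii", errors="replace")
    m = BANNER_RE.search(text)
    if m is None:
        return None
    return {"version": m["version"], "extra": m["extra"], "built": m["built"]}


def preflight(raw: bytes) -> str:
    """Classify a passive capture before anything is sent to the console."""
    banner = find_banner(raw)
    if banner is None:
        return "no-banner"   # capture started too late, or wrong baud rate
    if banner["version"] in KNOWN_BAD:
        return "stop"        # do not send the stop string or any keypress
    return "unlisted"        # not reported in this thread; verify separately


# Constructed sample captures: the first banner line is taken from the issue
# title, everything else (noise, second banner) is made up for the example.
SAMPLE_BAD = (b"\xff\x00\r\n\r\nU-Boot 2017.07-RELEASE-g78ed34f31579 "
              b"(Sep 29 2017 - 07:43:44 -0700)\r\n\r\nDRAM:  242 MiB\r\n")
SAMPLE_OTHER = b"\r\nU-Boot 2012.07-g0000000 (Jan 01 2016 - 00:00:00)\r\n"

if __name__ == "__main__":
    for name, capture in (("bad", SAMPLE_BAD), ("other", SAMPLE_OTHER)):
        print(name, preflight(capture), find_banner(capture))
```

Feed it a capture taken with the serial adapter's TX line disconnected, so that nothing reaches the bootloader while the banner is being read.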
Hi guys, Is there a way to know the bootloader version (without opening) by booting the MR33 and checking firmware version by example ? Thanks |
I've tried even unsoldering the flash chip, but without success - looks like it's glued and then soldered. So the only idea I've got is clamp on tsop-48 (https://www.aliexpress.com/item/32838230005.html?spm=a2g0s.9042311.0.0.27424c4dsE1VcC) and then writing old uboot. |
If it's glued down and they didn't put too much glue on it you can just remove it with a heatgun. The problem with those clamps is that the CPU must be held in reset and the pins for the flash must not be pulled in either direction (low or high), otherwise the CPU will interfere and you will get weird results. |
It is strictly the kernel size, not just the rest of image. |
I did reduce the kernel size, I believe I removed USB support and also emmc support. |
By any chance, do you have any boot log of such image? My devices froze right after "Starting kernel", showing no further activity. Regardless of the cause, the issue is still there - I believe the images should be disabled until the root cause is at least known. |
I'm seeing exactly the same thing, no further output. |
Could you do |
I no longer have those images, I've deleted them since I considered them broken |
What do you think is the limit for the kernel size? |
That's basically consistent with what I was seeing, some builds were working, others weren't, the size doesn't seem to matter. |
@sijans do you know from which lines were the working and non-working kernels? i.e. 5.10 or 5.15? Maybe there is a regression blocking boot. |
Both 5.15. 5.15.111 was not working, 5.15.113 boots fine, but I need to check what is installed currently. Maybe even a newer version. Edit: It's a gluon build with 5.15.111 that runs fine again. |
Now I wonder how to use the Meraki's dual boot scheme with OpenWrt, to get some kind of recovery in case the boot fails. I'd be grateful for any documentation. Going to dig through U-boot sources to get some information on that, because debricking the unit is royal PITA. |
@Leo-PL You need access to the serial console and have an initramfs image in the second partition "part.old". If you enter Default boot command is |
I made some progress investigating the booting issue here: openwrt/openwrt#12953 |
I had to flash an MR33 recently, and since python2 is no longer packaged for many distributions, I migrated Fork is here: https://github.com/halmartin/mr33-openwrt-flash Tested on Arch Linux with python 3.11.5, no warranty provided 😄 |
Does anyone have a 2017 uboot dump? I want to look into a file and see whether I can find anything that can be exploited into writing, or at least getting shell access without bricking the board. |
You don't need a dump, the source code for 2017.07 is available. You can find the function that enables secure boot, bricking the device, right here: https://github.com/riptidewave93/meraki-uboot/blob/mr33-20190225/board/qca/arm/common/meraki_rel_boot.c#L107-L135 You can dig through the u-boot source code for vulns, but I hope you have a large stack of devices you don't mind bricking if you plan to test it... |
Maybe I'm being naive, but wouldn't Josh be able to patch the fuse burn out of a u-boot build, load it with a NAND clip, and then be able to test possible vulns against this 'neutered' build? I know it's not ideal, but it's better than bricking boards en-masse.
…On Sun, Apr 21, 2024 at 6:44 AM Hal Martin ***@***.***> wrote:
Does anyone have a 2017 uboot dump? I want to look into a file and see
whether i can find anything that can be exploited into writing, or at least
getting shell access without bricking the board.
You don't need a dump, the source code for 2017.07 is available.
You can find the function that bricks the device right here:
https://github.com/riptidewave93/meraki-uboot/blob/mr33-20190225/board/qca/arm/common/meraki_rel_boot.c#L107-L135
You can dig through the u-boot source code for vulns, but I hope you have
a large stack of devices you don't mind bricking if you plan to test it...
|
If anyone still has an MR33 which had the fuses blown, and you have a NAND programmer, please get in touch. I recently came into possession of the signed |
It turned out that I destroyed the chip from the fused unit from Felix in the process of trying to reball it 5 times, so I'll have to try with my spare IPQ4019 desoldered from a different unit. @kosma helped me out to resolder the replacement chip, but it didn't even start booting - I replaced the NAND contents back to stock MR33 for the test. I suspect some kind of another hardware failure - worst case, I still have one more IPQ4019 to try - I'm willing to fuse it for the cause. |
Also @DariuszJJ still have that fused unit? I might need another one to test image from @halmartin if I don't get mine back up running, because that's just a matter of rewriting NAND. |
BTW: I would have like half a dozen of such units just lying around if anybody needs any. They could be had for just the shipping fee. I even still have the clip-on NAND programmer. I moved on to Wi-Fi 6E equipment: a few Acer Predator Connect W6 and Verizon CR1000A units (;-p). |
But... these are still working units? |
Yes, of course, they worked fine for me for many years.
Not sure what is expensive for you but one piece could probably be shipped for as little as EUR 15. Plus maybe there are also other ways to pass them on towards Poland (;-p). |
EUR 15 is still way less than the "360 clip" itself - OTOH it feels wasteful to purposefully brick a fully working unit for such experiment. Let's wait a little while to see if something bricked shows up - I'll have that offer in the back of my head ;-] As for other ways - yeah, I know a guy from Zurich, but I'm not sure if it's worth to bother him for 15EUR. |
@ziswiler by any chance, are you going to 38C3? I'm thinking about buying the MR33s from you and putting them to use in and around my local hackerspace. |
I ask my friend from Łódź and I think still have one with blown fuses |
That's a great reason to finally come to FOSDEM, then!
Great, I'm waiting eagerly for the reply. I'll cover the shipping as well. |
@ziswiler I likely won't make it to the FOSDEM, but a friend will do, so he can pick the stuff up for me. Please contact me via email (searchable in OpenWrt's repository). How much would you like for those MR33's and the clip? |
Seems like Cisco blocks the old method of getting a serial prompt in this uboot version?
The ubootwrite.py script is sending xyzzy, but no prompt appears. Maybe CONFIG_AUTOBOOT_STOP_STR was changed?
Where can one obtain the latest GPL sources of Meraki's uboot?