Help needed in dumping MR1100-2A1NAS firmware

Post by **vinicK15** » Thu May 25, 2023 1:15 am

I have two routers MR1100-2A1NAS where one router is bricked and the other is working fine. I tried flasing generic firmware on to the bricked router and it remained same. I am planning to dump the firmware from the working router and flash the same on to bricked device. I guess I have achieved few things which will finally lead me to do what I was expecting.

Things done:
Gained root access
Able to tranfer files from router to local machine

Need guidance in:
Identifying the partition containing the firmware.
Encrypting the firmware so that it can be flashed on to the device using fdt.exe

Any guidance is appreciated.
Thanks in advance.

Post by **Rich Hathaway** » Thu May 25, 2023 9:19 am

Hi you will never get it done like that, fdt is for flashing factory files, such as .spk files which you will not be able to make.
You need to use a proper loader and dump from 0 to 7ff then re sum it if needed and make it loadable, then you can write it back to the other one.
"firmware" generally refers to the modem partition which you likely do not have borked it is likely the system partition you need, which starts at block 24D and is partition 13
# Start Size A0 A1 A2 F# format ------ Name------
============================================================

00 0 00000a ff 01 00 00 LNX 0:SBL

01 a 00000a ff 01 ff 00 LNX 0:MIBIB

02 14 00005a ff 01 ff 00 LNX 0:EFS2

03 6e 000004 ff 01 00 00 LNX 0:TZ

04 72 000003 ff 01 00 00 LNX 0:RPM

05 75 000004 ff 01 00 00 LNX 0:aboot

06 79 000029 ff 01 00 00 LNX 0:boot

07 a2 000002 ff 01 00 00 LNX 0:SCRUB

08 a4 00011b ff 01 00 00 LNX 0:modem

09 1bf 000006 ff 01 00 00 LNX 0:misc

10 1c5 00002a ff 01 00 00 LNX 0:recovery

11 1ef 000003 ff 01 00 00 LNX 0:fota_none

12 1f2 00005b ff 01 00 00 LNX 0:recoveryfs

13 24d 000222 ff 01 00 00 LNX 0:system

14 46f 00003e ff 01 00 00 LNX 0:PAD1

15 4ad 000051 ff 01 00 00 LNX 0:USERRW

16 4fe 0000eb ff 01 00 00 LNX 0:HDATA

17 5e9 0001d7 ff 01 00 00 LNX 0:NTGFOTA

18 7c0 000023 ff 01 00 00 LNX 0:CUST

19 7e3 00001d ff 01 00 00 LNX 0:PERSIST
============================================================
Partition Table Version: 4

Post by **vinicK15** » Thu May 25, 2023 10:56 pm

Hi Rich,

Thanks for your reply.
I have dumped partition 13 using dd. I managed to get the loader files aswell(ENPRG9x55.bin). Can you please guide how I can use this loader file to write only partition 13 onto the bricked device.

Thanks.

Post by **Rich Hathaway** » Fri May 26, 2023 7:16 am

dd is not a suitable method to get a working/reloadable image, see my post below about it (#142)

https://forum.xda-developers.com/t/veri ... 669/page-8

and the loader you have will not work, you need a patched loader for this device or the bootloader will not accept it, you need to use a working loader to get your base file from not dd.

Post by **vinicK15** » Sat May 27, 2023 1:39 am

Sounds like it is impossible to fix this device without proper knowledge in low level systems.
Anyways, thanks for the inputs @Rich Hathaway

Post by **vinicK15** » Sat May 27, 2023 10:15 am

I guess I got appropriate loaders from, https://github.com/bkerler/edl
The issue I am facing is to make this device go to edl mode.
@Rich Hathaway can you please guide me how I can force this device to 9008 mode?
Do we need to use any special edl cable?

Post by **Rich Hathaway** » Sat May 27, 2023 11:13 am

To go straight to 9008 mode you have to use the testpoint on the board or so you dont have to take it apart you can go to download mode (900E) first then from there you can go to 9008 by 2 commands, so send hello,
then the first cmd is "m 193d100 1" second is "d 7980000 4"

Post by **vinicK15** » Sat May 27, 2023 11:33 am

Is hello some kind of command line tool? I saw on some of your other posts where you posted output something like
Hello ver:3
but, when I googled it, I did not find anything related to it.
If it is some other tool, can you please disclose the tool which you use to fix this device?

Post by **Rich Hathaway** » Sat May 27, 2023 12:16 pm

vinicK15 wrote: ↑Sat May 27, 2023 11:33 am
Hello ver:3

That is the response from the nand on the device.
You need to make a chip config file for the specific nand and chipset of the device and name it something like chipset.config or similar, your code needs to refer to it as whatever you named it
it needs to contain items such as udflag, the loader address of the nand, its bit construction value, the control value,msmid,whether or not it need sahara protocol and the name of the loader you want to use.
hello is just a handshake between the loader and the device that opens the bootloader for writing.

vinicK15 wrote: ↑Sat May 27, 2023 11:33 am If it is some other tool, can you please disclose the tool which you use to fix this device?

my tools are custom made and I will not be posting them. I dont use edl except for keygen so I am not very familiar with it but you may want to research it to see if it can use a proper loader instead of a firehouse maybe it can work for you but I dont know about it.

Post by **Rich Hathaway** » Sat Aug 19, 2023 8:23 am

Hi this is thread for m1, Perhaps you should make a thread for the m2 and this topic?
If it is unlocked sounds like you may need to check the apn.

Wireless Joint

Help needed in dumping MR1100-2A1NAS firmware

Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware

Re: Help needed in dumping MR1100-2A1NAS firmware