Help needed in dumping MR1100-2A1NAS firmware
Posted: Thu May 25, 2023 1:15 am
by vinicK15
I have two routers MR1100-2A1NAS where one router is bricked and the other is working fine. I tried flashing generic firmware onto the bricked router and it remained the same. I am planning to dump the firmware from the working router and flash the same onto the bricked device. I guess I have achieved a few things which will finally lead me to do what I was expecting.
Things done:
Gained root access
Able to transfer files from router to local machine
Need guidance in:
Identifying the partition containing the firmware.
Encrypting the firmware so that it can be flashed onto the device using fdt.exe
Any guidance is appreciated.
Thanks in advance.
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Thu May 25, 2023 9:19 am
by Rich Hathaway
Hi, you will never get it done like that; fdt is for flashing factory files, such as .spk files, which you will not be able to make.
You need to use a proper loader and dump from 0 to 7ff, then re-sum it if needed and make it loadable; then you can write it back to the other one.
"Firmware" generally refers to the modem partition, which you likely do not have borked; it is likely the system partition you need, which starts at block 24D and is partition 13.
# Start Size A0 A1 A2 F# format ------ Name------
============================================================
00 0 00000a ff 01 00 00 LNX 0:SBL
01 a 00000a ff 01 ff 00 LNX 0:MIBIB
02 14 00005a ff 01 ff 00 LNX 0:EFS2
03 6e 000004 ff 01 00 00 LNX 0:TZ
04 72 000003 ff 01 00 00 LNX 0:RPM
05 75 000004 ff 01 00 00 LNX 0:aboot
06 79 000029 ff 01 00 00 LNX 0:boot
07 a2 000002 ff 01 00 00 LNX 0:SCRUB
08 a4 00011b ff 01 00 00 LNX 0:modem
09 1bf 000006 ff 01 00 00 LNX 0:misc
10 1c5 00002a ff 01 00 00 LNX 0:recovery
11 1ef 000003 ff 01 00 00 LNX 0:fota_none
12 1f2 00005b ff 01 00 00 LNX 0:recoveryfs
13 24d 000222 ff 01 00 00 LNX 0:system
14 46f 00003e ff 01 00 00 LNX 0:PAD1
15 4ad 000051 ff 01 00 00 LNX 0:USERRW
16 4fe 0000eb ff 01 00 00 LNX 0:HDATA
17 5e9 0001d7 ff 01 00 00 LNX 0:NTGFOTA
18 7c0 000023 ff 01 00 00 LNX 0:CUST
19 7e3 00001d ff 01 00 00 LNX 0:PERSIST
============================================================
Partition Table Version: 4
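Added example, not from the original post or any of the tools mentioned in the thread: a small parser for the partition table printed above. It reads the hex Start/Size columns (given in blocks), checks that the entries are contiguous and end at block 0x800 (which matches the "0 to 7ff" range in the reply), and converts a named partition such as 0:system to a byte offset and length. The NAND block size is not stated anywhere in the thread, so it is a parameter here; the 0x20000 value in the `main` block is only an assumed illustration and must be replaced with the real geometry of the device's flash. `dump_size_matches` is a sanity check that a dumped image is exactly the partition's length before anyone considers writing it anywhere.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partition table lines copied from the post above.
# Columns: index, Start (hex, blocks), Size (hex, blocks), A0, A1, A2, F#, format, name.
PARTITION_TABLE = """\
00 0 00000a ff 01 00 00 LNX 0:SBL
01 a 00000a ff 01 ff 00 LNX 0:MIBIB
02 14 00005a ff 01 ff 00 LNX 0:EFS2
03 6e 000004 ff 01 00 00 LNX 0:TZ
04 72 000003 ff 01 00 00 LNX 0:RPM
05 75 000004 ff 01 00 00 LNX 0:aboot
06 79 000029 ff 01 00 00 LNX 0:boot
07 a2 000002 ff 01 00 00 LNX 0:SCRUB
08 a4 00011b ff 01 00 00 LNX 0:modem
09 1bf 000006 ff 01 00 00 LNX 0:misc
10 1c5 00002a ff 01 00 00 LNX 0:recovery
11 1ef 000003 ff 01 00 00 LNX 0:fota_none
12 1f2 00005b ff 01 00 00 LNX 0:recoveryfs
13 24d 000222 ff 01 00 00 LNX 0:system
14 46f 00003e ff 01 00 00 LNX 0:PAD1
15 4ad 000051 ff 01 00 00 LNX 0:USERRW
16 4fe 0000eb ff 01 00 00 LNX 0:HDATA
17 5e9 0001d7 ff 01 00 00 LNX 0:NTGFOTA
18 7c0 000023 ff 01 00 00 LNX 0:CUST
19 7e3 00001d ff 01 00 00 LNX 0:PERSIST
"""


@dataclass(frozen=True)
class Partition:
    index: int
    start: int  # first block, from the Start column
    size: int   # length in blocks, from the Size column
    name: str   # e.g. "0:system"

    @property
    def end(self) -> int:
        """First block after the partition (exclusive)."""
        return self.start + self.size


# index, start, size, four 2-digit hex attribute columns, format, name
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]+)\s+([0-9a-f]+)"
    r"(?:\s+[0-9a-f]{2}){4}\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_table(text: str) -> List[Partition]:
    """Parse the table text; header, ruler and version lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, start, size, name = m.groups()
        parts.append(Partition(int(idx), int(start, 16), int(size, 16), name))
    return parts


def find_gaps(parts: List[Partition]) -> List[Tuple[int, int]]:
    """Return (previous_end, next_start) pairs where entries do not abut."""
    ordered = sorted(parts, key=lambda p: p.start)
    return [(a.end, b.start) for a, b in zip(ordered, ordered[1:]) if a.end != b.start]


def total_blocks(parts: List[Partition]) -> int:
    """Highest exclusive end block, i.e. the size of the whole layout in blocks."""
    return max(p.end for p in parts)


def byte_range(parts: List[Partition], name: str, block_size: int) -> Optional[Tuple[int, int]]:
    """(byte offset, byte length) of a partition by full name ("0:system") or short name ("system")."""
    for p in parts:
        if p.name == name or p.name.split(":", 1)[-1] == name:
            return p.start * block_size, p.size * block_size
    return None


def dump_size_matches(dump_len: int, parts: List[Partition], name: str, block_size: int) -> bool:
    """True only when a dump file is exactly the partition's length for this block size."""
    rng = byte_range(parts, name, block_size)
    return rng is not None and dump_len == rng[1]


if __name__ == "__main__":
    table = parse_table(PARTITION_TABLE)
    ASSUMED_BLOCK_SIZE = 0x20000  # assumption for illustration only; use the real NAND geometry
    print(f"{len(table)} partitions, {total_blocks(table):#x} blocks total, gaps: {find_gaps(table)}")
    off, length = byte_range(table, "system", ASSUMED_BLOCK_SIZE)
    print(f"0:system -> offset {off:#x}, length {length:#x} bytes at block size {ASSUMED_BLOCK_SIZE:#x}")
```

A dump whose length differs from `byte_range(...)[1]` was taken with the wrong block size, the wrong device node, or was truncated; checking that first is cheaper than discovering it after a write.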
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Thu May 25, 2023 10:56 pm
by vinicK15
Hi Rich,
Thanks for your reply.
I have dumped partition 13 using dd. I managed to get the loader files as well (ENPRG9x55.bin). Can you please guide me on how I can use this loader file to write only partition 13 onto the bricked device?
Thanks.
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Fri May 26, 2023 7:16 am
by Rich Hathaway
dd is not a suitable method to get a working/reloadable image; see my post below about it (#142)
https://forum.xda-developers.com/t/veri ... 669/page-8
and the loader you have will not work; you need a patched loader for this device or the bootloader will not accept it. You need to use a working loader to get your base file from, not dd.
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat May 27, 2023 1:39 am
by vinicK15
Sounds like it is impossible to fix this device without proper knowledge of low-level systems.
Anyways, thanks for the inputs @Rich Hathaway
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat May 27, 2023 10:15 am
by vinicK15
I guess I got appropriate loaders from:
https://github.com/bkerler/edl
The issue I am facing is to make this device go to edl mode.
@Rich Hathaway can you please guide me how I can force this device to 9008 mode?
Do we need to use any special edl cable?
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat May 27, 2023 11:13 am
by Rich Hathaway
To go straight to 9008 mode you have to use the testpoint on the board, or, so you don't have to take it apart, you can go to download mode (900E) first; then from there you can go to 9008 by 2 commands, so send hello,
then the first cmd is "m 193d100 1" second is "d 7980000 4"
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat May 27, 2023 11:33 am
by vinicK15
Is hello some kind of command line tool? I saw on some of your other posts where you posted output something like:
Hello ver:3
but when I googled it, I did not find anything related to it.
If it is some other tool, can you please disclose the tool which you use to fix this device?
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat May 27, 2023 12:16 pm
by Rich Hathaway
vinicK15 wrote: Sat May 27, 2023 11:33 am
Hello ver:3
That is the response from the NAND on the device.
You need to make a chip config file for the specific NAND and chipset of the device and name it something like chipset.config or similar; your code needs to refer to it as whatever you named it.
It needs to contain items such as udflag, the loader address of the NAND, its bit construction value, the control value, msmid, whether or not it needs the Sahara protocol, and the name of the loader you want to use.
hello is just a handshake between the loader and the device that opens the bootloader for writing.
vinicK15 wrote: Sat May 27, 2023 11:33 am
If it is some other tool, can you please disclose the tool which you use to fix this device?
My tools are custom made and I will not be posting them. I don't use edl except for keygen, so I am not very familiar with it, but you may want to research it to see if it can use a proper loader instead of a firehose; maybe it can work for you, but I don't know about it.
Re: Help needed in dumping MR1100-2A1NAS firmware
Posted: Sat Aug 19, 2023 8:23 am
by Rich Hathaway
Hi, this is the thread for the m1. Perhaps you should make a thread for the m2 and this topic?
If it is unlocked, it sounds like you may need to check the APN.