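├── .gitignore
├── Makefile
├── README.md
├── flash-factory.log
├── flash-factory.sh
├── flash-sysupgrade.log
├── flash-sysupgrade.sh
├── restore.log
├── ubntbox.patched.sha256sum
└── ubntbox.sha256sum

/.gitignore:
--------------------------------------------------------------------------------
1 | firmware-backup.bin
2 | XW.v6.1.7.32555.180523.1754.bin
3 | ubntbox
4 | ubntbox.patched
5 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
SHELL=bash

# If a recipe fails, delete its target. Without this, a `ubntbox` that was
# copied from the device but failed its sha256sum check (or a partial wget
# download) would stay on disk and look up to date on the next run.
.DELETE_ON_ERROR:

REMOTE_UBNT ?= ubnt@192.168.1.20
REMOTE_OWRT ?= root@192.168.1.175
FW_BACKUP ?= firmware-backup.bin
FW_OWRT ?= openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-sysupgrade.bin
FW_UBNT ?= XW.v6.1.7.32555.180523.1754.bin
UBNTBOX ?= ubntbox
UBNTBOX_PATCHED ?= $(UBNTBOX).patched

# Starting with OpenSSH v9.0, scp requires the -O option to use the legacy SCP protocol
SCP_LEGACY_ARG := $(shell scp 2>&1 | grep -q O && echo -O)

all:
	@echo 'Please read carefully README.md'

# Stock airOS image, used by flash-sysupgrade.
# NOTE(review): the repository pins no checksum for this download, so the
# HTTPS connection is the only integrity protection at this step.
$(FW_UBNT):
	wget https://dl.ubnt.com/firmwares/XW-fw/v6.1.7/$(FW_UBNT)

# The backup is only ever created by the flash-* targets; `restore` must not
# proceed without one.
$(FW_BACKUP):
	@echo "You first need to have a firmware backup!"; exit 1

# Overwrite a byte range of a file with zeros, in place.
# $(1): file to patch
# $(2): offset of the first byte
# $(3): number of bytes
define nopout
dd if=/dev/zero of=$(1) bs=1 seek=$(2) count=$(3) conv=notrunc 2> /dev/null
endef

# Dump the airOS kernel (mtd2) and rootfs (mtd3) partitions into $(FW_BACKUP).
# The dump goes to a temporary file and is renamed only once it is non-empty,
# so a failed or repeated run cannot truncate an earlier good backup.
define backup_firmware
ssh $(REMOTE_UBNT) "cat /dev/mtd2 /dev/mtd3" > "$(FW_BACKUP).tmp" && test -s "$(FW_BACKUP).tmp" && mv -f "$(FW_BACKUP).tmp" "$(FW_BACKUP)"
endef

# Stop before touching the device when the OpenWrt image is missing.
define require_fw_owrt
test -f "$(FW_OWRT)" || { echo "OpenWrt image not found: $(FW_OWRT)"; exit 1; }
endef

# Fetch the stock binary from the device and compare it with the pinned
# checksum; the patch offsets below are only valid for that exact binary.
$(UBNTBOX):
	scp $(SCP_LEGACY_ARG) $(REMOTE_UBNT):/sbin/$(UBNTBOX) $(UBNTBOX)
	@sha256sum -c $(UBNTBOX).sha256sum > /dev/null

# Zero-fills thirteen byte ranges of a copy of the stock binary. README.md's
# radiff2 listing shows the same offsets and describes the result as
# fwupdate.real without its image-structure and RSA signature checks.
# The final sha256sum pins the patched result; FORCE re-runs the rule each time.
$(UBNTBOX_PATCHED): $(UBNTBOX) FORCE
	@cp $< $@
	@$(call nopout,$@,57104,2)
	@$(call nopout,$@,57107,4)
	@$(call nopout,$@,57112,1)
	@$(call nopout,$@,57115,7)
	@$(call nopout,$@,57123,7)
	@$(call nopout,$@,57131,9)
	@$(call nopout,$@,57141,5)
	@$(call nopout,$@,57147,3)
	@$(call nopout,$@,57151,15)
	@$(call nopout,$@,57168,10)
	@$(call nopout,$@,57179,2)
	@$(call nopout,$@,57183,5)
	@$(call nopout,$@,60576,8)
	@sha256sum -c $(UBNTBOX_PATCHED).sha256sum > /dev/null

# Flashing OpenWrt factory image over airOS v6.1.7
# The patched updater no longer checks the image signature (see README.md),
# so compare $(FW_OWRT) with the checksum published alongside the OpenWrt
# release before running this target.
# make sees the exit status of `tee`, not of ssh: read $@.log for the result.
flash-factory: $(UBNTBOX_PATCHED)
	@$(require_fw_owrt)
	ssh-copy-id $(REMOTE_UBNT)
	@echo "Creating factory firmware backup"
	$(backup_firmware)
	ssh $(REMOTE_UBNT) "umount /tmp; mount -t tmpfs tmpfs /tmp"
	scp $(SCP_LEGACY_ARG) $(UBNTBOX_PATCHED) $(REMOTE_UBNT):/tmp/fwupdate.real
	scp $(SCP_LEGACY_ARG) $(FW_OWRT) $(REMOTE_UBNT):/tmp
	ssh $(REMOTE_UBNT) "/tmp/fwupdate.real -m /tmp/$(notdir $(FW_OWRT)) -d 2>&1" | tee $@.log

# Flashing OpenWrt sysupgrade image over airOS v6.1.7
# The image is written with `mtd`, which performs no signature check either;
# verify $(FW_OWRT) against its published checksum first.
# make sees the exit status of `tee`, not of ssh: read $@.log for the result.
flash-sysupgrade: $(FW_UBNT)
	@$(require_fw_owrt)
	ssh-copy-id $(REMOTE_UBNT)
	@echo "Creating factory firmware backup"
	$(backup_firmware)
	ssh $(REMOTE_UBNT) "umount /tmp ;mount -t tmpfs tmpfs /tmp"
	scp $(SCP_LEGACY_ARG) $@.sh $(FW_OWRT) $(FW_UBNT) $(REMOTE_UBNT):/tmp
	ssh $(REMOTE_UBNT) "/bin/sh /tmp/$@.sh /tmp/$(notdir $(FW_OWRT)) 2>&1" | tee $@.log

# Restoring airOS backup over OpenWrt
# An empty backup file is refused rather than written to flash.
# $(notdir ...) keeps the remote path correct when FW_BACKUP contains a directory.
restore: $(FW_BACKUP)
	@test -s "$(FW_BACKUP)" || { echo "$(FW_BACKUP) is empty, refusing to flash it"; exit 1; }
	scp $(SCP_LEGACY_ARG) $(FW_BACKUP) $(REMOTE_OWRT):/tmp
	ssh $(REMOTE_OWRT) "mtd -r write /tmp/$(notdir $(FW_BACKUP)) firmware 2>&1" | tee $@.log

# Removes only the binaries fetched from the device; the firmware backup is kept.
clean:
	@$(RM) $(UBNTBOX) $(UBNTBOX_PATCHED)

FORCE: ;
.PHONY: all clean flash-factory flash-sysupgrade restore FORCE
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # BIG FAT WARNING
2 |
3 | > Flashing your router is always risky procedure.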
You're doing it at your own risk, you take the full responsibility 4 | > for any action you choose, we cannot be held liable for any damage you do to your device, other devices, any other 5 | > person or animal. 6 | 7 | ### Purpose 8 | 9 | Easier end-user flashing (no soldering needed) of OpenWrt firmware on UBNT M2HP [(and maybe others?)](#supported-and-tested-devices) devices running airOS v6.1.7. 10 | 11 | ### License 12 | 13 | [mtd](https://archive.openwrt.org/kamikaze/8.09.2/ar71xx/packages/mtd_8.2_mips.ipk) utility shipped in 14 | [flash-sysupgrade.sh](https://github.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing/blob/master/flash-sysupgrade.sh) is licensed under 15 | GPLv2, everything else in this repository [is free and unencumbered software released into the public 16 | domain.](http://unlicense.org) 17 | 18 | ### Tested device list 19 | 20 | | Device | Status | Factory | Sysupgrade | 21 | |:-------------:|:------------:|:------------:|:------------:| 22 | | [Bullet M2HP](https://www.ubnt.com/airmax/bulletm/#specs) | `Working` | Yes | Yes | 23 | | [PowerBeam M5-400](https://openwrt.org/toh/hwdata/ubiquiti/ubiquiti_powerbeam_m5-400) | `Working` | No | Yes | 24 | | [Nanostation Loco M2 (xw)](https://openwrt.org/toh/ubiquiti/nanostationm2) | `Working` | No | Yes | 25 | 26 | We currently have access to just one type of device so can't confirm if similar approach might work on other devices with same airOS version. Feel free to test it and let us know. 27 | 28 | 29 | ### Usage 30 | #### Prerequisites 31 | 32 | 1. You need to flash your UBNT M2HP with [airOS v6.1.7 firmware](https://dl.ubnt.com/firmwares/XW-fw/v6.1.7/XW.v6.1.7.32555.180523.1754.bin) 33 | no other airOS version is currently supported 34 | 35 | 2. 
Download this toolkit sources 36 | ``` 37 | git clone https://github.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing 38 | cd ubnt-bullet-m2hp-openwrt-flashing 39 | ``` 40 | #### Flashing OpenWrt sysupgrade image 41 | 42 | You can find [more details](#flashing-sysupgrade-image-using-mtd-over-ssh-in-airos-v617) about this method bellow. 43 | ``` 44 | make flash-sysupgrade FW_OWRT=/path/to/your/openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-sysupgrade.bin 45 | ``` 46 | 47 | #### Flashing OpenWrt factory image 48 | 49 | You can find [more details](#flashing-factory-image-using-patched-fwupdatereal-command-over-ssh-in-airos-v617) about this method bellow. 50 | 51 | ``` 52 | make flash-factory FW_OWRT=/path/to/your/openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-factory.bin 53 | ``` 54 | 55 | Example output from successful flashing sessions: 56 | 57 | * Flashing factory image in [flash-factory.log](https://raw.githubusercontent.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing/master/flash-factory.log). 58 | * Flashing sysupgrade image in [flash-sysupgrade.log](https://raw.githubusercontent.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing/master/flash-sysupgrade.log). 59 | 60 | #### Other useful make targets 61 | 62 | ##### Get patched `fwupdate.real` command 63 | 64 | For legal reasons, we can't redistribute patched binaries. To get patched `fwupdate.real` command with removed RSA image signature checking directly from your router with default IP address `192.168.1.20` use following commands. 65 | 66 | ``` 67 | make ubntbox.patched REMOTE_UBNT=ubnt@192.168.1.20 68 | mv ubntbox.patched fwupdate.real 69 | ``` 70 | 71 | ##### Restore from OpenWrt back to factory image 72 | 73 | Before running every flash command, we create backup of currently running factory firmware image in `firmware-backup.bin`. You can then restore your router running OpenWrt with `192.168.1.1` IP address back to this firmware by using this `make` target. 
74 | ``` 75 | make restore REMOTE_OWRT=root@192.168.1.1 76 | ``` 77 | 78 | ### Background 79 | 80 | It's not possible to use `fwupdate.real` utility for flashing OpenWrt to UBNT devices anymore as it allows flashing of 81 | signed firmware images only: 82 | 83 | ``` 84 | XW.v6.1.7# fwupdate.real -m /tmp/openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-factory.bin -d 85 | ... 86 | Current: XW.ar934x.v6.1.7.32555.180523.1754 87 | 88 | New ver: XW.ar934x.v6.0.4-OpenWrt-r8452+9-e95e9fc 89 | Versions: New(393220) 6.0.4, Required(393220) 6.0.4 90 | FW Part: "kernel"(1), MAGIC: 'PART', Base: 0x9F050000, DLen: 0x00100000, PLen: 0x00100000 91 | FW Part: "rootfs"(2), MAGIC: 'PART', Base: 0x9F150000, DLen: 0x00280004, PLen: 0x00660000 92 | Bad Image Structure 93 | Signature check failed 94 | ``` 95 | 96 | So we were left with probably these remaining flashing methods: 97 | 98 | * solder serial console and use TFTP for image flashing using `tftpboot` with initramfs image 99 | * try to flash sysupgrade image using `mtd` over SSH in airOS 100 | * disassemble and patch `fwupdate.real` command so it would accept and flash unsigned OpenWrt factory firmware images 101 | 102 | For end users, it's always more convenient to find some flashing method which 103 | wouldn't involve any soldering, so we've first tried to find out if it would be 104 | possible to flash OpenWrt with `mtd` over SSH in airOS. We've found out that 105 | it's doable. 106 | 107 | Then just out of curiosity and for some fun, we've tried to patch out RSA 108 | signature checking from `fwupdate.real` utility and check if it would allow us 109 | to flash an unsigned factory firmware image generated by OpenWrt. We've found out 110 | that it's doable too. 111 | 112 | You can read about those two methods in more detail below. 
113 | 114 | ### Flashing factory image using patched `fwupdate.real` command over SSH in airOS v6.1.7 115 | 116 | This approach uses the patched `fwupdate.real` command from the `ubntbox` utility. 117 | We've simply removed `Bad Image Structure` and `Signature check failed` checks, 118 | so it's now possible to flash factory images built with OpenWrt. With those checks removed the patched command no longer authenticates the image it is given, so compare the OpenWrt image with its published checksum yourself before flashing. 119 | 120 | `radiff2` with JSON output shows what was patched out in `ubntbox.patched`: 121 | 122 | ``` 123 | r2@6608438f7a41:~$ radiff2 -j /data/ubntbox /data/ubntbox.patched 124 | 125 | {"files":[{"filename":"/data/ubntbox", "size":715136, "sha256":"73460d7205549e1298fd0dad718edd61d06b8db07aecc637a41cbb547630e587"}, 126 | {"filename":"/data/ubntbox.patched", "size":715136, "sha256":"ca06d93741b30bdcb3a8b0577545aa0c32c4b5d9ac88f8580bae5a2774c890c3"}], 127 | "changes":[{"offset":57104,"from":"16e0", "to":"0000"}, 128 | {"offset":57107,"from":"038f9982", "to":"00000000"}, 129 | {"offset":57112,"from":"10", "to":"00"}, 130 | {"offset":57115,"from":"772410ff2d92e4", "to":"00000000000000"}, 131 | {"offset":57123,"from":"1402e420212484", "to":"00000000000000"}, 132 | {"offset":57131,"from":"3803c028210320f809", "to":"000000000000000000"}, 133 | {"offset":57141,"from":"9e30231040", "to":"0000000000"}, 134 | {"offset":57147,"from":"0a8fbc", "to":"000000"}, 135 | {"offset":57151,"from":"288f8283f88f8480288f99814c8c45", "to":"000000000000000000000000000000"}, 136 | {"offset":57168,"from":"0320f80924846d148fbc", "to":"00000000000000000000"}, 137 | {"offset":57179,"from":"2810", "to":"0000"}, 138 | {"offset":57183,"from":"662410ff2c", "to":"0000000000"}, 139 | {"offset":60576,"from":"16f1fc878f848028", "to":"0000000000000000"}] 140 | ``` 141 | 142 | Unfortunately we can't redistribute the patched `ubntbox.patched` binary, but you 143 | can get a patched `ubntbox` from your router by just running the `make ubntbox.patched` command. 
144 | You can find output from flashing session of factory image with patched `ubntbox.patched` in [flash-factory.log](https://raw.githubusercontent.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing/master/flash-factory.log). 145 | 146 | ### Flashing sysupgrade image using `mtd` over SSH in airOS v6.1.7 147 | 148 | This approach is using [`mtd` utility from Kamikaze 8.09.2](https://archive.openwrt.org/kamikaze/8.09.2/ar71xx/packages/mtd_8.2_mips.ipk) 149 | for flashing OpenWrt sysupgrade image. Unfortunately this is not so easy either, as there seems to be some flash write 150 | lock protection in place, kernel is probably expecting some secret cookie, before it would allow writing to MTD flash: 151 | 152 | ``` 153 | XW.v6.1.7# dd if=/dev/zero of=/tmp/kernel bs=$((0x100000)) count=1 154 | 155 | XW.v6.1.7# /tmp/mtd write /tmp/kernel kernel 156 | Unlocking kernel ... 157 | Writing from /tmp/kernel to kernel ... 158 | 159 | XW.v6.1.7# md5sum /tmp/kernel 160 | b6d81b360a5672d80c27430f39153e2c /tmp/kernel 161 | 162 | XW.v6.1.7# md5sum /dev/mtd2 163 | 30c85e4d3c1a88c566d83678055025b9 /dev/mtd2 164 | ``` 165 | 166 | And it seems that `fwupdate.real` utility is able to unlock this flash 167 | protection, so as a workaround (until proper fix) we can simply initiate 168 | flashing of the factory v6.1.7 firmware image and interrupt it during the 169 | flashing process: 170 | 171 | ``` 172 | XW.v6.1.7# fwupdate.real -m /tmp/XW.v6.1.7.32555.180523.1754.bin -d 173 | Found mtd block: /dev/mtd0(u-boot) 174 | ... 175 | Block on '/dev/mtd3' at 00060000(len: 00010000) has no changes. 176 | [%7 ] 177 | ^C 178 | ``` 179 | 180 | Now the flash should be unlocked. 
Then we just need to solve missing `firmware` partition in the airOS firmware, but 181 | this is doable as we can split the sysupgrade image to `kernel` and `rootfs` parts: 182 | 183 | ``` 184 | XW.v6.1.7# cat /proc/mtd 185 | dev: size erasesize name 186 | mtd0: 00040000 00010000 "u-boot" 187 | mtd1: 00010000 00010000 "u-boot-env" 188 | mtd2: 00100000 00010000 "kernel" 189 | mtd3: 00660000 00010000 "rootfs" 190 | mtd4: 00040000 00010000 "cfg" 191 | mtd5: 00010000 00010000 "EEPROM" 192 | 193 | ``` 194 | 195 | Flashing part of the sysupgrade image to the `kernel` partition and the rest of the image to `rootfs`: 196 | 197 | ``` 198 | CI_BLKSZ=65536 199 | fw="/tmp/openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-sysupgrade.bin" 200 | rootfs_size=0x$(grep rootfs /proc/mtd | cut -d ' ' -f2) 201 | kernel_size=0x$(grep kernel /proc/mtd | cut -d ' ' -f2) 202 | kernel_blocks=$(($kernel_size / $CI_BLKSZ)) 203 | 204 | dd if="$fw" bs=$CI_BLKSZ count=$kernel_blocks 2>/dev/null | /tmp/mtd -e kernel write - kernel 205 | dd if="$fw" bs=$CI_BLKSZ skip=$kernel_blocks 2>/dev/null | /tmp/mtd -r -e rootfs write - rootfs 206 | ``` 207 | 208 | You can do all this steps manually or just use content of this repository for [more automated process](#usage). 209 | You can find complete output from flashing session of sysupgrade image with `make flash-sysupgrade` command using above explained approach in [flash-sysupgrade.log](https://raw.githubusercontent.com/true-systems/ubnt-bullet-m2hp-openwrt-flashing/master/flash-sysupgrade.log). 
210 | -------------------------------------------------------------------------------- /flash-factory.log: -------------------------------------------------------------------------------- 1 | Found mtd block: /dev/mtd0(u-boot) 2 | Found mtd block: /dev/mtd1(u-boot-env) 3 | Found mtd block: /dev/mtd2(kernel) 4 | Found mtd block: /dev/mtd3(rootfs) 5 | Found mtd block: /dev/mtd4(cfg) 6 | Found mtd block: /dev/mtd5(EEPROM) 7 | Got U-Boot variable: mtdparts = mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM) 8 | Adding U-Boot partition: u-boot 9F000000 00040000 9 | Adding U-Boot partition: u-boot-env 9F040000 00010000 10 | Adding U-Boot partition: kernel 9F050000 00100000 11 | Adding U-Boot partition: rootfs 9F150000 00660000 12 | Adding U-Boot partition: cfg 9F7B0000 00040000 13 | Adding U-Boot partition: EEPROM 9F7F0000 00010000 14 | Calculating flash size: 15 | Adding block: /dev/mtd0("u-boot") - size: 00040000 16 | Adding block: /dev/mtd1("u-boot-env") - size: 00010000 17 | Adding block: /dev/mtd2("kernel") - size: 00100000 18 | Adding block: /dev/mtd3("rootfs") - size: 00660000 19 | Adding block: /dev/mtd4("cfg") - size: 00040000 20 | Adding block: /dev/mtd5("EEPROM") - size: 00010000 21 | Total flash size: 00800000 22 | Flash start: 9F000000 23 | Flash end: 9F800000 24 | Header MAGIC 'OPEN' 25 | Current: XW.ar934x.v6.1.7.32555.180523.1754 26 | 27 | New ver: XW.ar934x.v6.0.4-OpenWrt-r8461+10-c6a1bca 28 | Versions: New(393220) 6.0.4, Required(393220) 6.0.4 29 | FW Part: "kernel"(1), MAGIC: 'PART', Base: 0x9F050000, DLen: 0x00100000, PLen: 0x00100000 30 | FW Part: "rootfs"(2), MAGIC: 'PART', Base: 0x9F150000, DLen: 0x003C0004, PLen: 0x00660000 31 | Signature verified 32 | Signature MAGIC 'END.' 
33 | FW Part: "kernel"(1), MAGIC: 'PART', Base: 0x9F050000, DLen: 0x00100000, PLen: 0x00100000 34 | FW Part: "rootfs"(2), MAGIC: 'PART', Base: 0x9F150000, DLen: 0x003C0004, PLen: 0x00660000 35 | Adding adjusted FW partition: 36 | name: 'kernel' 37 | flash_base: 0x9F050000 38 | mem_base: 0x80002000 39 | size: 0x00100000 40 | entry_point: 0x80002000 41 | data_len: 0x00100000 42 | desc_cksum: 0x00000000 43 | file_cksum: 0x00000000 44 | =========================== 45 | Adding adjusted FW partition: 46 | name: 'rootfs' 47 | flash_base: 0x9F150000 48 | mem_base: 0xBDBDBDBD 49 | size: 0x00660000 50 | entry_point: 0xBDBDBDBD 51 | data_len: 0x003C0004 52 | desc_cksum: 0x00000000 53 | file_cksum: 0x00000000 54 | =========================== 55 | Signature MAGIC 'END.' 56 | Working(1) with block: /dev/mtd0 57 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F000000 + blk->size: 40000 58 | Copying FIS partition: 0 => 59 | name: 'u-boot' 60 | flash_base: 0x9F000000 61 | mem_base: 0xBDBDBDBD 62 | size: 0x00040000 63 | entry_point: 0xBDBDBDBD 64 | data_len: 0x00040000 65 | desc_cksum: 0xBDBDBDBD 66 | file_cksum: 0xBDBDBDBD 67 | =========================== 68 | Working(1) with block: /dev/mtd1 69 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F040000 + blk->size: 10000 70 | Copying FIS partition: 1 => 71 | name: 'u-boot-env' 72 | flash_base: 0x9F040000 73 | mem_base: 0xBDBDBDBD 74 | size: 0x00010000 75 | entry_point: 0xBDBDBDBD 76 | data_len: 0x00010000 77 | desc_cksum: 0xBDBDBDBD 78 | file_cksum: 0xBDBDBDBD 79 | =========================== 80 | Working(1) with block: /dev/mtd2 81 | Working(2) with block: /dev/mtd2 82 | End check: 9F050000 + 00100000 <= 9F150000 83 | Creating FIS partition: 2 => 84 | name: 'kernel' 85 | flash_base: 0x9F050000 86 | mem_base: 0x80002000 87 | size: 0x00100000 88 | entry_point: 0x80002000 89 | 
data_len: 0x00100000 90 | desc_cksum: 0x00000000 91 | file_cksum: 0x00000000 92 | =========================== 93 | Working(1) with block: /dev/mtd2 94 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F150000 < blk->base: 9F050000 + blk->size: 100000 95 | Working(1) with block: /dev/mtd3 96 | Working(2) with block: /dev/mtd3 97 | End check: 9F150000 + 00660000 <= 9F7B0000 98 | Creating FIS partition: 3 => 99 | name: 'rootfs' 100 | flash_base: 0x9F150000 101 | mem_base: 0xBDBDBDBD 102 | size: 0x00660000 103 | entry_point: 0xBDBDBDBD 104 | data_len: 0x003C0004 105 | desc_cksum: 0x00000000 106 | file_cksum: 0x00000000 107 | =========================== 108 | Working(3) with block: /dev/mtd4 109 | Copying FIS partition: 4 <= 110 | name: 'cfg' 111 | flash_base: 0x9F7B0000 112 | mem_base: 0xBDBDBDBD 113 | size: 0x00040000 114 | entry_point: 0xBDBDBDBD 115 | data_len: 0x00040000 116 | desc_cksum: 0xBDBDBDBD 117 | file_cksum: 0xBDBDBDBD 118 | =========================== 119 | Working(3) with block: /dev/mtd5 120 | Copying FIS partition: 5 <= 121 | name: 'EEPROM' 122 | flash_base: 0x9F7F0000 123 | mem_base: 0xBDBDBDBD 124 | size: 0x00010000 125 | entry_point: 0xBDBDBDBD 126 | data_len: 0x00010000 127 | desc_cksum: 0xBDBDBDBD 128 | file_cksum: 0xBDBDBDBD 129 | =========================== 130 | New FIS entries count 6 131 | Executing: '/bin/updatefix.sh 393479 393220' 132 | Current ver: 393479 133 | New version: 393220 134 | No need to fix. 
135 | '/bin/updatefix.sh 393479 393220' result: 0 136 | Working(1) with block: /dev/mtd0 137 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F000000 + blk->size: 40000 138 | Copying FIS partition: 0 => 139 | name: 'u-boot' 140 | flash_base: 0x9F000000 141 | mem_base: 0xBDBDBDBD 142 | size: 0x00040000 143 | entry_point: 0xBDBDBDBD 144 | data_len: 0x00040000 145 | desc_cksum: 0xBDBDBDBD 146 | file_cksum: 0xBDBDBDBD 147 | =========================== 148 | Working(1) with block: /dev/mtd1 149 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F040000 + blk->size: 10000 150 | Copying FIS partition: 1 => 151 | name: 'u-boot-env' 152 | flash_base: 0x9F040000 153 | mem_base: 0xBDBDBDBD 154 | size: 0x00010000 155 | entry_point: 0xBDBDBDBD 156 | data_len: 0x00010000 157 | desc_cksum: 0xBDBDBDBD 158 | file_cksum: 0xBDBDBDBD 159 | =========================== 160 | Working(1) with block: /dev/mtd2 161 | Working(2) with block: /dev/mtd2 162 | Unlocking /dev/mtd2(kernel) ... 163 | Unlocking device failed: ioctl(MEMUNLOCK): Operation not supported 164 | Writing 'kernel ' to /dev/mtd2(kernel ) ... 165 | Writing: 0x00100000 bytes with offset 0x00000000 166 | [%0 ] 167 | Block on '/dev/mtd2' at 00000000(len: 00010000) has changes. 168 | [%6 ] 169 | Block on '/dev/mtd2' at 00010000(len: 00010000) has changes. 170 | [%12 ] 171 | Block on '/dev/mtd2' at 00020000(len: 00010000) has changes. 172 | [%18 ] 173 | Block on '/dev/mtd2' at 00030000(len: 00010000) has changes. 174 | [%25 ] 175 | Block on '/dev/mtd2' at 00040000(len: 00010000) has changes. 176 | [%31 ] 177 | Block on '/dev/mtd2' at 00050000(len: 00010000) has changes. 178 | [%37 ] 179 | Block on '/dev/mtd2' at 00060000(len: 00010000) has changes. 180 | [%43 ] 181 | Block on '/dev/mtd2' at 00070000(len: 00010000) has changes. 
182 | [%50 ] 183 | Block on '/dev/mtd2' at 00080000(len: 00010000) has changes. 184 | [%56 ] 185 | Block on '/dev/mtd2' at 00090000(len: 00010000) has changes. 186 | [%62 ] 187 | Block on '/dev/mtd2' at 000A0000(len: 00010000) has changes. 188 | [%68 ] 189 | Block on '/dev/mtd2' at 000B0000(len: 00010000) has changes. 190 | [%75 ] 191 | Block on '/dev/mtd2' at 000C0000(len: 00010000) has changes. 192 | [%81 ] 193 | Block on '/dev/mtd2' at 000D0000(len: 00010000) has changes. 194 | [%87 ] 195 | Block on '/dev/mtd2' at 000E0000(len: 00010000) has changes. 196 | [%93 ] 197 | Block on '/dev/mtd2' at 000F0000(len: 00010000) has changes. 198 | [%100] 199 | 200 | End check: 9F050000 + 00100000 <= 9F150000 201 | Creating FIS partition: 2 => 202 | name: 'kernel' 203 | flash_base: 0x9F050000 204 | mem_base: 0x80002000 205 | size: 0x00100000 206 | entry_point: 0x80002000 207 | data_len: 0x00100000 208 | desc_cksum: 0x00000000 209 | file_cksum: 0x00000000 210 | =========================== 211 | Working(1) with block: /dev/mtd2 212 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F150000 < blk->base: 9F050000 + blk->size: 100000 213 | Working(1) with block: /dev/mtd3 214 | Working(2) with block: /dev/mtd3 215 | Unlocking /dev/mtd3(rootfs) ... 216 | Unlocking device failed: ioctl(MEMUNLOCK): Operation not supported 217 | Writing 'rootfs ' to /dev/mtd3(rootfs ) ... 218 | Writing: 0x003C0004 bytes with offset 0x00000000 219 | [%0 ] 220 | Block on '/dev/mtd3' at 00000000(len: 00010000) has changes. 221 | [%1 ] 222 | Block on '/dev/mtd3' at 00010000(len: 00010000) has changes. 223 | [%3 ] 224 | Block on '/dev/mtd3' at 00020000(len: 00010000) has changes. 225 | [%4 ] 226 | Block on '/dev/mtd3' at 00030000(len: 00010000) has changes. 227 | [%6 ] 228 | Block on '/dev/mtd3' at 00040000(len: 00010000) has changes. 229 | [%8 ] 230 | Block on '/dev/mtd3' at 00050000(len: 00010000) has changes. 
231 | [%9 ] 232 | Block on '/dev/mtd3' at 00060000(len: 00010000) has changes. 233 | [%11 ] 234 | Block on '/dev/mtd3' at 00070000(len: 00010000) has changes. 235 | [%13 ] 236 | Block on '/dev/mtd3' at 00080000(len: 00010000) has changes. 237 | [%14 ] 238 | Block on '/dev/mtd3' at 00090000(len: 00010000) has changes. 239 | [%16 ] 240 | Block on '/dev/mtd3' at 000A0000(len: 00010000) has changes. 241 | [%18 ] 242 | Block on '/dev/mtd3' at 000B0000(len: 00010000) has changes. 243 | [%19 ] 244 | Block on '/dev/mtd3' at 000C0000(len: 00010000) has changes. 245 | [%21 ] 246 | Block on '/dev/mtd3' at 000D0000(len: 00010000) has changes. 247 | [%23 ] 248 | Block on '/dev/mtd3' at 000E0000(len: 00010000) has changes. 249 | [%24 ] 250 | Block on '/dev/mtd3' at 000F0000(len: 00010000) has changes. 251 | [%26 ] 252 | Block on '/dev/mtd3' at 00100000(len: 00010000) has changes. 253 | [%28 ] 254 | Block on '/dev/mtd3' at 00110000(len: 00010000) has changes. 255 | [%29 ] 256 | Block on '/dev/mtd3' at 00120000(len: 00010000) has changes. 257 | [%31 ] 258 | Block on '/dev/mtd3' at 00130000(len: 00010000) has changes. 259 | [%33 ] 260 | Block on '/dev/mtd3' at 00140000(len: 00010000) has changes. 261 | [%34 ] 262 | Block on '/dev/mtd3' at 00150000(len: 00010000) has changes. 263 | [%36 ] 264 | Block on '/dev/mtd3' at 00160000(len: 00010000) has changes. 265 | [%38 ] 266 | Block on '/dev/mtd3' at 00170000(len: 00010000) has changes. 267 | [%39 ] 268 | Block on '/dev/mtd3' at 00180000(len: 00010000) has changes. 269 | [%41 ] 270 | Block on '/dev/mtd3' at 00190000(len: 00010000) has changes. 271 | [%43 ] 272 | Block on '/dev/mtd3' at 001A0000(len: 00010000) has changes. 273 | [%44 ] 274 | Block on '/dev/mtd3' at 001B0000(len: 00010000) has changes. 275 | [%46 ] 276 | Block on '/dev/mtd3' at 001C0000(len: 00010000) has changes. 277 | [%48 ] 278 | Block on '/dev/mtd3' at 001D0000(len: 00010000) has changes. 279 | [%49 ] 280 | Block on '/dev/mtd3' at 001E0000(len: 00010000) has changes. 
281 | [%51 ] 282 | Block on '/dev/mtd3' at 001F0000(len: 00010000) has changes. 283 | [%53 ] 284 | Block on '/dev/mtd3' at 00200000(len: 00010000) has changes. 285 | [%54 ] 286 | Block on '/dev/mtd3' at 00210000(len: 00010000) has changes. 287 | [%56 ] 288 | Block on '/dev/mtd3' at 00220000(len: 00010000) has changes. 289 | [%58 ] 290 | Block on '/dev/mtd3' at 00230000(len: 00010000) has changes. 291 | [%59 ] 292 | Block on '/dev/mtd3' at 00240000(len: 00010000) has changes. 293 | [%61 ] 294 | Block on '/dev/mtd3' at 00250000(len: 00010000) has changes. 295 | [%63 ] 296 | Block on '/dev/mtd3' at 00260000(len: 00010000) has changes. 297 | [%64 ] 298 | Block on '/dev/mtd3' at 00270000(len: 00010000) has changes. 299 | [%66 ] 300 | Block on '/dev/mtd3' at 00280000(len: 00010000) has changes. 301 | [%68 ] 302 | Block on '/dev/mtd3' at 00290000(len: 00010000) has changes. 303 | [%69 ] 304 | Block on '/dev/mtd3' at 002A0000(len: 00010000) has changes. 305 | [%71 ] 306 | Block on '/dev/mtd3' at 002B0000(len: 00010000) has changes. 307 | [%73 ] 308 | Block on '/dev/mtd3' at 002C0000(len: 00010000) has changes. 309 | [%74 ] 310 | Block on '/dev/mtd3' at 002D0000(len: 00010000) has changes. 311 | [%76 ] 312 | Block on '/dev/mtd3' at 002E0000(len: 00010000) has changes. 313 | [%78 ] 314 | Block on '/dev/mtd3' at 002F0000(len: 00010000) has changes. 315 | [%79 ] 316 | Block on '/dev/mtd3' at 00300000(len: 00010000) has changes. 317 | [%81 ] 318 | Block on '/dev/mtd3' at 00310000(len: 00010000) has changes. 319 | [%83 ] 320 | Block on '/dev/mtd3' at 00320000(len: 00010000) has changes. 321 | [%84 ] 322 | Block on '/dev/mtd3' at 00330000(len: 00010000) has changes. 323 | [%86 ] 324 | Block on '/dev/mtd3' at 00340000(len: 00010000) has changes. 325 | [%88 ] 326 | Block on '/dev/mtd3' at 00350000(len: 00010000) has changes. 327 | [%89 ] 328 | Block on '/dev/mtd3' at 00360000(len: 00010000) has changes. 329 | [%91 ] 330 | Block on '/dev/mtd3' at 00370000(len: 00010000) has changes. 
331 | [%93 ] 332 | Block on '/dev/mtd3' at 00380000(len: 00010000) has changes. 333 | [%94 ] 334 | Block on '/dev/mtd3' at 00390000(len: 00010000) has changes. 335 | [%96 ] 336 | Block on '/dev/mtd3' at 003A0000(len: 00010000) has changes. 337 | [%98 ] 338 | Block on '/dev/mtd3' at 003B0000(len: 00010000) has changes. 339 | [%99 ] 340 | Block on '/dev/mtd3' at 003C0000(len: 00000004) has changes. 341 | [%100] 342 | 343 | End check: 9F150000 + 00660000 <= 9F7B0000 344 | Creating FIS partition: 3 => 345 | name: 'rootfs' 346 | flash_base: 0x9F150000 347 | mem_base: 0xBDBDBDBD 348 | size: 0x00660000 349 | entry_point: 0xBDBDBDBD 350 | data_len: 0x003C0004 351 | desc_cksum: 0x00000000 352 | file_cksum: 0x00000000 353 | =========================== 354 | Working(3) with block: /dev/mtd4 355 | Copying FIS partition: 4 <= 356 | name: 'cfg' 357 | flash_base: 0x9F7B0000 358 | mem_base: 0xBDBDBDBD 359 | size: 0x00040000 360 | entry_point: 0xBDBDBDBD 361 | data_len: 0x00040000 362 | desc_cksum: 0xBDBDBDBD 363 | file_cksum: 0xBDBDBDBD 364 | =========================== 365 | Working(3) with block: /dev/mtd5 366 | Copying FIS partition: 5 <= 367 | name: 'EEPROM' 368 | flash_base: 0x9F7F0000 369 | mem_base: 0xBDBDBDBD 370 | size: 0x00010000 371 | entry_point: 0xBDBDBDBD 372 | data_len: 0x00010000 373 | desc_cksum: 0xBDBDBDBD 374 | file_cksum: 0xBDBDBDBD 375 | =========================== 376 | New FIS entries count 6 377 | FIS Change: change in partition entry 'kernel'. 378 | FIS Change: change in partition entry 'rootfs'. 379 | FIS Change: added partition terminator instead of 0xBD. 
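380 | New partition count: 6, changes: 3
381 | Done
382 |
383 |
384 |
--------------------------------------------------------------------------------
/flash-factory.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# vim: ts=4 sts=4 sw=4 noet

# Deliberately disabled: nothing below this line runs until the FIXME is
# resolved. `make flash-factory` does the patching on the host instead.
echo "FIXME, not working yet, but you can try 'make flash-factory' instead"; exit 1

# FIXME: Need to find out different patching method as dd on airOS
# doesn't support conv option

# Overwrite $3 bytes of file $1 with zeros, starting at byte offset $2.
nop() {
	dd if=/dev/zero bs=1 count="$3" | \
		dd of="$1" bs=1 count="$3" seek="$2" conv=notrunc 2> /dev/null
}

# Copy /sbin/ubntbox to /tmp/fwupdate.real and zero the byte ranges that
# README.md's radiff2 listing shows for the signature-check removal.
# The stock binary is checked before patching and the result after it, so
# the offsets are never applied to a binary they were not derived from.
patch_ubntbox() {
	local ubntbox="/sbin/ubntbox"
	local fwupdate="/tmp/fwupdate.real"
	# MD5 here only detects an unexpected or mis-patched binary; it is not a
	# defence against a deliberately crafted file. The Makefile pins the same
	# binaries with sha256sum.
	# NOTE(review): md5_patched was not re-derived for this change; confirm it
	# matches the output of the thirteen ranges below.
	local md5_patched="57946077ad228ea93067ce9ee980afb6"
	local md5_unpatched="6f7d535db287794ca7e13158f80f1ef3"

	local unpatched=$(md5sum "$ubntbox") && unpatched="${unpatched%% *}"
	# Quoted so that an empty digest (md5sum failed) is a clean mismatch
	# instead of a `[` syntax error.
	[ "$unpatched" = "$md5_unpatched" ] || {
		echo "Unable to patch $ubntbox ($unpatched)"; exit 1
	}

	echo "Removing RSA signature checking in $fwupdate"

	cp "$ubntbox" "$fwupdate"
	nop "$fwupdate" 57104 2
	nop "$fwupdate" 57107 4
	nop "$fwupdate" 57112 1
	nop "$fwupdate" 57115 7
	nop "$fwupdate" 57123 7
	nop "$fwupdate" 57131 9
	nop "$fwupdate" 57141 5
	nop "$fwupdate" 57147 3
	# 15 and 10 bytes, as in the Makefile and the radiff2 listing; the
	# previous counts of 1 left most of both ranges unpatched.
	nop "$fwupdate" 57151 15
	nop "$fwupdate" 57168 10
	nop "$fwupdate" 57179 2
	nop "$fwupdate" 57183 5
	nop "$fwupdate" 60576 8

	local patched=$(md5sum "$fwupdate") && patched="${patched%% *}"
	[ "$patched" = "$md5_patched" ] || {
		echo "Patching $fwupdate failed ($patched)"; exit 1
	}

	echo "Patching, done!"
}

# Check that $1 exists and starts with the OpenWrt factory-image magic for
# this platform. The flashing command itself is still commented out.
# The magic is only a format check: the patched updater does not verify a
# signature, so the image's checksum has to be compared before upload.
flash_factory() {
	local fw="$1"
	[ -e "$fw" ] || {
		echo "No such file: $fw, did you forget to upload it?"; exit 1
	}

	local image_magic=$(dd if="$fw" bs=13 count=1 2> /dev/null)
	# Quoted so that an empty or unreadable header fails the comparison
	# instead of breaking the test expression.
	[ "$image_magic" = "OPENXW.ar934x" ] || {
		echo "Only OpenWrt factory firmware image for ubnt-xw ar934x platform is supported"; exit 1
	}

	echo "Flashing factory image, good luck!"
	# /tmp/fwupdate.real -m "$fw" -d
}

[ -n "$1" ] || {
	echo "Usage: $0 openwrt-factory-image.bin"
	exit 1
}

patch_ubntbox
flash_factory "$1"
--------------------------------------------------------------------------------
/flash-sysupgrade.log:
--------------------------------------------------------------------------------
1 | Verifying /sbin/ubntbox checksum...
2 | Trying to unlock flash...
3 | Found mtd block: /dev/mtd0(u-boot)
4 | Found mtd block: /dev/mtd1(u-boot-env)
5 | Found mtd block: /dev/mtd2(kernel)
6 | Found mtd block: /dev/mtd3(rootfs)
7 | Found mtd block: /dev/mtd4(cfg)
8 | Found mtd block: /dev/mtd5(EEPROM)
9 | Got U-Boot variable: mtdparts = mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),1024k(kernel),6528k(rootfs),256k(cfg),64k(EEPROM)
10 | Adding U-Boot partition: u-boot 9F000000 00040000
11 | Adding U-Boot partition: u-boot-env 9F040000 00010000
12 | Adding U-Boot partition: kernel 9F050000 00100000
13 | Adding U-Boot partition: rootfs 9F150000 00660000
14 | Adding U-Boot partition: cfg 9F7B0000 00040000
15 | Adding U-Boot partition: EEPROM 9F7F0000 00010000
16 | Calculating flash size:
17 | Adding block: /dev/mtd0("u-boot") - size: 00040000
18 | Adding block: /dev/mtd1("u-boot-env") - size: 00010000
19 | Adding block: /dev/mtd2("kernel") - size: 00100000
20 | Adding block: /dev/mtd3("rootfs") - size: 00660000
21 | Adding block: /dev/mtd4("cfg") - size: 00040000
22 | Adding block: /dev/mtd5("EEPROM") - size: 00010000
23 | Total flash size: 00800000
24 | Flash start: 9F000000
25 |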
Flash end: 9F800000 26 | Header MAGIC 'UBNT' 27 | Current: XW.ar934x.v6.1.7.32555.180523.1754 28 | 29 | New ver: XW.ar934x.v6.1.7.32555.180523.1754 30 | Versions: New(393479) 6.1.7, Required(393220) 6.0.4 31 | FW Part: "u-boot"(1), MAGIC: 'PART', Base: 0x9F000000, DLen: 0x0003A408, PLen: 0x00040000 32 | FW Part: "kernel"(2), MAGIC: 'PART', Base: 0x9F050000, DLen: 0x000E9BB2, PLen: 0x00100000 33 | FW Part: "rootfs"(3), MAGIC: 'PART', Base: 0x9F150000, DLen: 0x00600000, PLen: 0x00660000 34 | FW Part: "script"(4), MAGIC: 'EXEC', Base: 0x00000000, DLen: 0x0000A9EE, PLen: 0x0000A9EE 35 | FW Part: "signtr"(5), MAGIC: 'EXEC', Base: 0x00000000, DLen: 0x00000121, PLen: 0x00000121 36 | Signature partition found 37 | Signature verified 38 | Signature MAGIC 'END.' 39 | FW Part: "u-boot"(1), MAGIC: 'PART', Base: 0x9F000000, DLen: 0x0003A408, PLen: 0x00040000 40 | Skipping 'u-boot' FW part. 41 | FW Part: "kernel"(2), MAGIC: 'PART', Base: 0x9F050000, DLen: 0x000E9BB2, PLen: 0x00100000 42 | FW Part: "rootfs"(3), MAGIC: 'PART', Base: 0x9F150000, DLen: 0x00600000, PLen: 0x00660000 43 | FW Part: "script"(4), MAGIC: 'EXEC', Base: 0x00000000, DLen: 0x0000A9EE, PLen: 0x0000A9EE 44 | Extract Script: 'tar -xz -C /tmp' 45 | Pre-Check Script '/tmp/bin/precheck' success. 46 | FW Part: "signtr"(5), MAGIC: 'EXEC', Base: 0x00000000, DLen: 0x00000121, PLen: 0x00000121 47 | Signature partition found 48 | Adding adjusted FW partition: 49 | name: 'kernel' 50 | flash_base: 0x9F050000 51 | mem_base: 0x80002000 52 | size: 0x00100000 53 | entry_point: 0x80002000 54 | data_len: 0x000E9BB2 55 | desc_cksum: 0x00000000 56 | file_cksum: 0x00000000 57 | =========================== 58 | Adding adjusted FW partition: 59 | name: 'rootfs' 60 | flash_base: 0x9F150000 61 | mem_base: 0xBDBDBDBD 62 | size: 0x00660000 63 | entry_point: 0xBDBDBDBD 64 | data_len: 0x00600000 65 | desc_cksum: 0x00000000 66 | file_cksum: 0x00000000 67 | =========================== 68 | Signature MAGIC 'END.' 
69 | Working(1) with block: /dev/mtd0 70 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F000000 + blk->size: 40000 71 | Copying FIS partition: 0 => 72 | name: 'u-boot' 73 | flash_base: 0x9F000000 74 | mem_base: 0xBDBDBDBD 75 | size: 0x00040000 76 | entry_point: 0xBDBDBDBD 77 | data_len: 0x00040000 78 | desc_cksum: 0xBDBDBDBD 79 | file_cksum: 0xBDBDBDBD 80 | =========================== 81 | Working(1) with block: /dev/mtd1 82 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F040000 + blk->size: 10000 83 | Copying FIS partition: 1 => 84 | name: 'u-boot-env' 85 | flash_base: 0x9F040000 86 | mem_base: 0xBDBDBDBD 87 | size: 0x00010000 88 | entry_point: 0xBDBDBDBD 89 | data_len: 0x00010000 90 | desc_cksum: 0xBDBDBDBD 91 | file_cksum: 0xBDBDBDBD 92 | =========================== 93 | Working(1) with block: /dev/mtd2 94 | Working(2) with block: /dev/mtd2 95 | End check: 9F050000 + 00100000 <= 9F150000 96 | Creating FIS partition: 2 => 97 | name: 'kernel' 98 | flash_base: 0x9F050000 99 | mem_base: 0x80002000 100 | size: 0x00100000 101 | entry_point: 0x80002000 102 | data_len: 0x000E9BB2 103 | desc_cksum: 0x00000000 104 | file_cksum: 0x00000000 105 | =========================== 106 | Working(1) with block: /dev/mtd2 107 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F150000 < blk->base: 9F050000 + blk->size: 100000 108 | Working(1) with block: /dev/mtd3 109 | Working(2) with block: /dev/mtd3 110 | End check: 9F150000 + 00660000 <= 9F7B0000 111 | Creating FIS partition: 3 => 112 | name: 'rootfs' 113 | flash_base: 0x9F150000 114 | mem_base: 0xBDBDBDBD 115 | size: 0x00660000 116 | entry_point: 0xBDBDBDBD 117 | data_len: 0x00600000 118 | desc_cksum: 0x00000000 119 | file_cksum: 0x00000000 120 | =========================== 121 | Working(3) with block: /dev/mtd4 122 | Copying 
FIS partition: 4 <= 123 | name: 'cfg' 124 | flash_base: 0x9F7B0000 125 | mem_base: 0xBDBDBDBD 126 | size: 0x00040000 127 | entry_point: 0xBDBDBDBD 128 | data_len: 0x00040000 129 | desc_cksum: 0xBDBDBDBD 130 | file_cksum: 0xBDBDBDBD 131 | =========================== 132 | Working(3) with block: /dev/mtd5 133 | Copying FIS partition: 5 <= 134 | name: 'EEPROM' 135 | flash_base: 0x9F7F0000 136 | mem_base: 0xBDBDBDBD 137 | size: 0x00010000 138 | entry_point: 0xBDBDBDBD 139 | data_len: 0x00010000 140 | desc_cksum: 0xBDBDBDBD 141 | file_cksum: 0xBDBDBDBD 142 | =========================== 143 | New FIS entries count 6 144 | Executing: '/bin/updatefix.sh 393479 393479' 145 | Current ver: 393479 146 | New version: 393479 147 | No need to fix. 148 | '/bin/updatefix.sh 393479 393479' result: 0 149 | Exec Script: '/tmp/bin/preflash' 150 | Working(1) with block: /dev/mtd0 151 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F000000 + blk->size: 40000 152 | Copying FIS partition: 0 => 153 | name: 'u-boot' 154 | flash_base: 0x9F000000 155 | mem_base: 0xBDBDBDBD 156 | size: 0x00040000 157 | entry_point: 0xBDBDBDBD 158 | data_len: 0x00040000 159 | desc_cksum: 0xBDBDBDBD 160 | file_cksum: 0xBDBDBDBD 161 | =========================== 162 | Working(1) with block: /dev/mtd1 163 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F050000 < blk->base: 9F040000 + blk->size: 10000 164 | Copying FIS partition: 1 => 165 | name: 'u-boot-env' 166 | flash_base: 0x9F040000 167 | mem_base: 0xBDBDBDBD 168 | size: 0x00010000 169 | entry_point: 0xBDBDBDBD 170 | data_len: 0x00010000 171 | desc_cksum: 0xBDBDBDBD 172 | file_cksum: 0xBDBDBDBD 173 | =========================== 174 | Working(1) with block: /dev/mtd2 175 | Working(2) with block: /dev/mtd2 176 | Unlocking /dev/mtd2(kernel) ... 
177 | Unlocking device failed: ioctl(MEMUNLOCK): Operation not supported 178 | Writing 'kernel ' to /dev/mtd2(kernel ) ... 179 | Writing: 0x000E9BB2 bytes with offset 0x00000000 180 | [%0 ] 181 | Block on '/dev/mtd2' at 00000000(len: 00010000) has no changes. 182 | [%6 ] 183 | Block on '/dev/mtd2' at 00010000(len: 00010000) has no changes. 184 | [%13 ] 185 | Block on '/dev/mtd2' at 00020000(len: 00010000) has no changes. 186 | [%20 ] 187 | Block on '/dev/mtd2' at 00030000(len: 00010000) has no changes. 188 | [%27 ] 189 | Block on '/dev/mtd2' at 00040000(len: 00010000) has no changes. 190 | [%34 ] 191 | Block on '/dev/mtd2' at 00050000(len: 00010000) has no changes. 192 | [%41 ] 193 | Block on '/dev/mtd2' at 00060000(len: 00010000) has no changes. 194 | [%47 ] 195 | Block on '/dev/mtd2' at 00070000(len: 00010000) has no changes. 196 | [%54 ] 197 | Block on '/dev/mtd2' at 00080000(len: 00010000) has no changes. 198 | [%61 ] 199 | Block on '/dev/mtd2' at 00090000(len: 00010000) has no changes. 200 | [%68 ] 201 | Block on '/dev/mtd2' at 000A0000(len: 00010000) has no changes. 202 | [%75 ] 203 | Block on '/dev/mtd2' at 000B0000(len: 00010000) has no changes. 204 | [%82 ] 205 | Block on '/dev/mtd2' at 000C0000(len: 00010000) has no changes. 206 | [%88 ] 207 | Block on '/dev/mtd2' at 000D0000(len: 00010000) has no changes. 208 | [%95 ] 209 | Block on '/dev/mtd2' at 000E0000(len: 00009BB2) has no changes. 
210 | [%100] 211 | 212 | End check: 9F050000 + 00100000 <= 9F150000 213 | Creating FIS partition: 2 => 214 | name: 'kernel' 215 | flash_base: 0x9F050000 216 | mem_base: 0x80002000 217 | size: 0x00100000 218 | entry_point: 0x80002000 219 | data_len: 0x000E9BB2 220 | desc_cksum: 0x00000000 221 | file_cksum: 0x00000000 222 | =========================== 223 | Working(1) with block: /dev/mtd2 224 | Skipping: artificial: 0, unallocated: 0,writeable: 1024(WRITEABLE: 400, flags: C00), fw.flash_base: 9F150000 < blk->base: 9F050000 + blk->size: 100000 225 | Working(1) with block: /dev/mtd3 226 | Working(2) with block: /dev/mtd3 227 | Unlocking /dev/mtd3(rootfs) ... 228 | Unlocking device failed: ioctl(MEMUNLOCK): Operation not supported 229 | Writing 'rootfs ' to /dev/mtd3(rootfs ) ... 230 | Writing: 0x00600000 bytes with offset 0x00000000 231 | [%0 ] 232 | Block on '/dev/mtd3' at 00000000(len: 00010000) has no changes. 233 | [%1 ] 234 | Block on '/dev/mtd3' at 00010000(len: 00010000) has no changes. 235 | [%2 ] 236 | Block on '/dev/mtd3' at 00020000(len: 00010000) has no changes. 237 | [%3 ] 238 | Block on '/dev/mtd3' at 00030000(len: 00010000) has no changes. 239 | [%4 ] 240 | Block on '/dev/mtd3' at 00040000(len: 00010000) has no changes. 241 | [%5 ] 242 | Block on '/dev/mtd3' at 00050000(len: 00010000) has no changes. 243 | [%6 ] 244 | Block on '/dev/mtd3' at 00060000(len: 00010000) has no changes. 245 | [%7 ] 246 | Block on '/dev/mtd3' at 00070000(len: 00010000) has no changes. 247 | [%8 ] 248 | Block on '/dev/mtd3' at 00080000(len: 00010000) has no changes. 249 | [%9 ] 250 | Block on '/dev/mtd3' at 00090000(len: 00010000) has no changes. 251 | [%10 ] 252 | Block on '/dev/mtd3' at 000A0000(len: 00010000) has no changes. 253 | [%11 ] 254 | Block on '/dev/mtd3' at 000B0000(len: 00010000) has no changes. 255 | [%12 ] 256 | Block on '/dev/mtd3' at 000C0000(len: 00010000) has no changes. 257 | [%13 ] 258 | Block on '/dev/mtd3' at 000D0000(len: 00010000) has no changes. 
259 | [%14 ] 260 | Block on '/dev/mtd3' at 000E0000(len: 00010000) has no changes. 261 | [%15 ] 262 | Block on '/dev/mtd3' at 000F0000(len: 00010000) has no changes. 263 | [%16 ] 264 | Block on '/dev/mtd3' at 00100000(len: 00010000) has no changes. 265 | [%17 ] 266 | Block on '/dev/mtd3' at 00110000(len: 00010000) has no changes. 267 | [%18 ] 268 | Block on '/dev/mtd3' at 00120000(len: 00010000) has no changes. 269 | [%19 ] 270 | Block on '/dev/mtd3' at 00130000(len: 00010000) has no changes. 271 | [%20 ] 272 | Block on '/dev/mtd3' at 00140000(len: 00010000) has no changes. 273 | [%21 ] 274 | Block on '/dev/mtd3' at 00150000(len: 00010000) has no changes. 275 | [%22 ] 276 | Block on '/dev/mtd3' at 00160000(len: 00010000) has no changes. 277 | [%23 ] 278 | Block on '/dev/mtd3' at 00170000(len: 00010000) has no changes. 279 | [%25 ] 280 | Block on '/dev/mtd3' at 00180000(len: 00010000) has no changes. 281 | [%26 ] 282 | Block on '/dev/mtd3' at 00190000(len: 00010000) has no changes. 283 | [%27 ] 284 | Block on '/dev/mtd3' at 001A0000(len: 00010000) has no changes. 285 | [%28 ] 286 | Block on '/dev/mtd3' at 001B0000(len: 00010000) has no changes. 287 | [%29 ] 288 | Block on '/dev/mtd3' at 001C0000(len: 00010000) has no changes. 289 | [%30 ] 290 | Block on '/dev/mtd3' at 001D0000(len: 00010000) has no changes. 291 | [%31 ] 292 | Block on '/dev/mtd3' at 001E0000(len: 00010000) has no changes. 293 | [%32 ] 294 | Block on '/dev/mtd3' at 001F0000(len: 00010000) has no changes. 295 | [%33 ] 296 | Block on '/dev/mtd3' at 00200000(len: 00010000) has no changes. 297 | [%34 ] 298 | Block on '/dev/mtd3' at 00210000(len: 00010000) has no changes. 299 | [%35 ] 300 | Block on '/dev/mtd3' at 00220000(len: 00010000) has no changes. 301 | [%36 ] 302 | Block on '/dev/mtd3' at 00230000(len: 00010000) has no changes. 303 | [%37 ] 304 | Block on '/dev/mtd3' at 00240000(len: 00010000) has no changes. 305 | [%38 ] 306 | Block on '/dev/mtd3' at 00250000(len: 00010000) has no changes. 
307 | [%39 ] 308 | Block on '/dev/mtd3' at 00260000(len: 00010000) has no changes. 309 | [%40 ] 310 | Block on '/dev/mtd3' at 00270000(len: 00010000) has no changes. 311 | [%41 ] 312 | Block on '/dev/mtd3' at 00280000(len: 00010000) has no changes. 313 | [%42 ] 314 | Block on '/dev/mtd3' at 00290000(len: 00010000) has no changes. 315 | [%43 ] 316 | Block on '/dev/mtd3' at 002A0000(len: 00010000) has no changes. 317 | [%44 ] 318 | Block on '/dev/mtd3' at 002B0000(len: 00010000) has no changes. 319 | [%45 ] 320 | Block on '/dev/mtd3' at 002C0000(len: 00010000) has no changes. 321 | [%46 ] 322 | Block on '/dev/mtd3' at 002D0000(len: 00010000) has no changes. 323 | [%47 ] 324 | Block on '/dev/mtd3' at 002E0000(len: 00010000) has no changes. 325 | [%48 ] 326 | Block on '/dev/mtd3' at 002F0000(len: 00010000) has no changes. 327 | [%50 ] 328 | Block on '/dev/mtd3' at 00300000(len: 00010000) has no changes. 329 | [%51 ] 330 | Block on '/dev/mtd3' at 00310000(len: 00010000) has no changes. 331 | [%52 ] 332 | Block on '/dev/mtd3' at 00320000(len: 00010000) has no changes. 333 | [%53 ] 334 | Block on '/dev/mtd3' at 00330000(len: 00010000) has no changes. 335 | [%54 ] 336 | Block on '/dev/mtd3' at 00340000(len: 00010000) has no changes. 337 | [%55 ] 338 | Block on '/dev/mtd3' at 00350000(len: 00010000) has no changes. 339 | [%56 ] 340 | Block on '/dev/mtd3' at 00360000(len: 00010000) has no changes. 341 | [%57 ] 342 | Block on '/dev/mtd3' at 00370000(len: 00010000) has no changes. 343 | [%58 ] 344 | Block on '/dev/mtd3' at 00380000(len: 00010000) has no changes. 345 | [%59 ] 346 | Block on '/dev/mtd3' at 00390000(len: 00010000) has no changes. 347 | [%60 ] 348 | Block on '/dev/mtd3' at 003A0000(len: 000Flash unlocked! 
349 | Only sysupgrade firmware image /tmp/openwrt-ath79-generic-ubnt_bullet-m2hp-squashfs-factory.bin is supported 350 | -------------------------------------------------------------------------------- /flash-sysupgrade.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/true-systems/ubnt-openwrt-flashing/9a8fb9f0bb131aae6449771ead59190528956c73/flash-sysupgrade.sh -------------------------------------------------------------------------------- /restore.log: -------------------------------------------------------------------------------- 1 | Unlocking firmware ... 2 | 3 | Writing from /tmp/firmware-backup.bin to firmware ... [ ][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w][e][w] 4 | Rebooting ... 
5 | -------------------------------------------------------------------------------- /ubntbox.patched.sha256sum: -------------------------------------------------------------------------------- 1 | ca06d93741b30bdcb3a8b0577545aa0c32c4b5d9ac88f8580bae5a2774c890c3 ubntbox.patched 2 | -------------------------------------------------------------------------------- /ubntbox.sha256sum: -------------------------------------------------------------------------------- 1 | 73460d7205549e1298fd0dad718edd61d06b8db07aecc637a41cbb547630e587 ubntbox 2 | --------------------------------------------------------------------------------