Fritz!5490 EVA bootloader lost!!

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
I can use the recovery tool for model 7490 (fritz.box_7490-07.12-recover.exe) Will I rebuild the mtdx?
 
Zuletzt bearbeitet:

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
First ... please check and edit your post #21 - it contains a lot of useless cites and translations to your native language and you should remove these senseless parts.

Second ... the recovery program will not install anything - at least I would bet, it will not. And even if it would write the firmware to the NAND flash chip ... if the bootloader can't read it from there on next start of device, what did you win then?

And without a corrected device specific block and therefore without a valid TFFS image in MTD3 and MTD4 from SPI flash (view from EVA), I'm in doubt, whether the system from RAM would ever reach the point, where the considerations, to write the system to the flash memory or not, are taken. And the recovery program doesn't anything else, than to load the image to memory and start it there. Possibly the existing EVA code would still do this ... but I can't see any (logical) reason to attempt it.
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
I have run recovery fritz.box_7490-07.12-recover.exe and it has modified everything.

But it still does not start web interface and serial access stops.

If anyone has any ideas,
 

Ramihyn

Neuer User
Mitglied seit
10 Jun 2009
Beiträge
11
Punkte für Reaktionen
2
Punkte
3
As has been mentioned before, a Fritzbox without a working bootloader is nothing more or less than a plastic brick. And without the bootloader it'll be impossible to recover it, because the required code is part of the bootloader. Instead of wasting your time get a new box.
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
Conclusion: I need a backup of an EVA bootloader of a 5490 router:(

I have modified the Eva Bootloader of a 7490 router. Then I have saved it on the 5490 router. This has given me ftp and serial access.

With the AVM FRITZ.Box_5490.de-en-es-it-fr-pl.06.84.recover-image.exe recovery tool, I was able to load 5490 firmware.

FRITZ!Box 5490 suchen an: 192.168.178.1
Eine Anlage gefunden! - Ermitteln der aktuellen Version.
Version erfolgreich ermittelt!
Hardware: FRITZ!Box 5490
Urlader: 2964
Firmware: 151.06.83
Flashbereich (mtd3)
Lösche Flashbereich (mtd3)
Restauriere Flashbereich (mtd3)
Flashbereich (mtd4)
Lösche Flashbereich (mtd4)
Restauriere Flashbereich (mtd4)
Restauriere Flashbereich (mtd1)
FRITZ!Box 5490 erfolgreich wiederhergestellt!
Die Wiederherstellung ist nach einem Neustart des Gerätes abgeschlossen.


But it doesn't load. PeterPawn is right.
The bootloader does not recognize the NAND Toshiba C58NVG2S0F 0x98 0xDC 512mb:eek::eek:

ROM VER: 1.1.4
CFG 05 ▒ĸgJ▒8[\]
<unknown NAND ID 0xDC>

(AVM) EVA Revision: 1.1964 Version: 2964
(C) Copyright 2005 AVM Date: Nov 27 2013 Time: 14:33:10 (0) 3 0x0-0x740D

[FLASH:] WINBOND Uniform-Flash 1MB 256 Bytes WriteBuffer
[FLASH:](Eraseregion [0] 16 sectors a 64kB)
[NAND:] 0MB <UNKNOWN>
▒▒ Manufacturer ID 0x98 Device ID 0xDC

[SYSTEM:] VR9 on 500MHz/250MHz/250MHz

.Atheros 8030/35 detected

Eva_AVM >


As you can see the attached bootloader, it only supports NAND SAMSUNG.MICRON.NUMONYX.HYNIX


If someone can send me a copy of the Eva loader of a 5490 router, I would be very grateful.

Thanks,
 

Anhänge

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
That's why I wrote:
and the installed memory chips are identical
in a previous post.

The simplest approach will be, to wait for an offer (better not in the public) for a copy.

If there's no such offer in an acceptable time, you could check, whether one of the other supported chips uses the same internal structure and electrical specifications (up to the used registers and timings for an access).

If you've found one, you could try to modify its "Manufacturer ID" and "ID Code" in the binary table with the supported chip layouts (from EVA code), to reflect the existing one.

But that's really "hardcore" ... better be patient and wait for a copy with a proper version.
 
  • Like
Reaktionen: EcbBc

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
Newer boxes probably all have NAND flash with hardware ECC .
For exampe: fritz! 7580 has e.g. Toshiba chips - TC58NVG2S3E - according to "dmesg":
NAND device: Manufacturer ID: 0x98, Chip ID: 0xdc (Toshiba NAND 512MiB 3,3V 8-bit), 512MiB, page size: 4096, OOB size: 128

If someone can send me a copy of the Eva loader of a 5490 router or 7580, I would be very grateful.

Thanks,
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
With the recovery tool FRITZ.Box_5490.de-en-es-it-fr-pl.06.52.recover-image.exe I have updated the firm.
From the serial console I get this log:

The recovery tool appears to carry the bootloader?
##...............................................ExecuteProgram?
 

Anhänge

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
Sounds possible ... but the "device specific block" will still be invalid, if you didn't change it, before you've used the recovery program.

The SPI flash, where the boot-loader resides, seems to be still accessible (shown as "FLASH" on output lines) and therefor the recovery program (when it really contains a new version of the loader, what's not the case for each of these programs, afaik) may read the "config" block, modify its internal image of the loader and flash it to the device.

But I don't understand your log file ... or better: Your log file shows, that the loader wasn't updated really, because it shows the same output, after the system was loaded to RAM and had run from there. The installed NAND chips isn't detected still - no visible change(s) to the earlier attempts. Did you try to run a (network) packet dump on this attempt, to verify/watch the flash process for the new loader code?

The running Linux kernel has detected the proper NAND chip (line 204), but it dies shortly later, because it can't initialize the ethernet PHYs - that means, it did not install anything to NAND flash, too.
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
I have not changed the EVA bootloader.
But I have been researching with recovery tools.
When I run the recovery tool FRITZ.Box_5490.de-en-es-it-fr-pl.06.52.recover-image.exe, what happens in the log happens.

With a Hexplorer software I have been exploring the recovery software(FRITZ.Box_5490.de-en-es-it-fr-pl.06.52.recover-image.exe) and the bootEva comes out inside it.
But I don't know how to extract it.

Recovery Soft(FRITZ.Box_5490.de-en-es-it-fr-pl.06.52.recover-image.exe) modify mtd1,mtd3 and mtd4.


I guess EVA bootloader is in mtd2???
 

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
Usually, yes.

But as "mtd1" looks odd in your list above, I'm a bit unsure. The recovery program should read "env", "count" and "config" (the latter one, to modify a loader image, if present) and write to "mtd3" and "mtd4" the same, freshly created TFFS image. The firmware to install is then loaded to RAM and started there (as shown in your log above) ... I've no idea, why "mtd1" would be written there and what's the new content.

Maybe, the loader code translates this target name to the right SPI flash region ... but usually the "mtd1" partition is used with NOR-based models to store the combination of kernel and filesystem image in one, common region of the flash storage (and those models are able to really store the new system via FTP server, opposite to the models, where NAND flash is used for this purpose).
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
Hello again from Spain.
Since I have been confined for a long time I have been analyzing router 5490 a bit

When you run the fritz.box_5490-07.12-recover.exe recovery tool, it generates two files in c: \ windows

environment.log
ftp.log (attached)

)

The ftp.log file is very interesting. But I don't understand how you can open two ftp connections at the same time.
Example:
open ftp 192.168.178.1 port 21
......
open ftp data 192.168.178.1 port 3080

When I try to execute the commands of the ftp.log file in a windows cmd / ftp window it gives me an error connection



1584883176447.png
 

Anhänge

Zuletzt bearbeitet:

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
Hello, in the source code

.......eva tools / Using EVA_Discovery Class.cs

The reference to the function is missing: eva.RetrieveStreamAsync ("env");

RetrieveStreamAsync (...

Can someone send it to me?

Thank's
 

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
This is an example (not a working one), how to use the (really full functioning) "YourFritz.EVA.EVADiscovery" class: https://github.com/PeterPawn/YourFritz/blob/master/eva_tools/Discovery.cs#L327

The part using this class should work as shown (the whole publishing of this C# code was an accident in the past) and ends at line 78: https://github.com/PeterPawn/YourFritz/blob/master/eva_tools/Using_EVA_Discovery_Class.cs#L78

The parts after/below this line (in the function "RunAsync", because there're some event handlers below, too) use the "YourFritz.EVA.EVAClient" class and the published version in the "master" branch does not implement the missing function yet - due to the accidental nature of the first "merge" in the past.

The unpublished parts in the "eva" branch aren't completed so far ... it lacks the implementation of write access to the FRITZ!Box device (the "STOR" command) and I'm not willing to publish it in this state - remember, the publishing of the other C# files from the "eva" branch was an accident only and the README.md at this place states is still the current: https://github.com/PeterPawn/YourFritz/tree/eva/eva ... and I'm not sure, whether the contents from my local GIT server are synced with GitHub or not (I'm using the internal one while writing code).

Nevertheless the used test routine from this file: https://github.com/PeterPawn/YourFritz/blob/eva/eva/TestFTPClient/Program.cs looks "well known" to me and should work as expected (it reads the "env" data from a FRITZ!Box device). But these parts are from the "eva" branch ... and you may read and use/try it, but not modify and re-publish any of the files from this branch. Please play fair and honor the license conditions included there.
 
  • Like
Reaktionen: EcbBc

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
Hello from spain, I have been quarantined due to coronavirus, I am still investigating.

I have recreated the function (BootDeviceFromImage from EVA-FTP-Client.ps1 script) in visual studio c #.


On a computer with Ubuntu I have managed to generate freetz firmwares for the 5490 model.

With the fwmod tool I have unzipped the firmware into two files:filesystem.image , kernel.image

Can you see the content of these files (filesystem.image , kernel.image) and modify it?

What is the first file to be executed ?

Thanks,
 

Anhänge

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
Meanwhile it seems to me, I'm "lost in translation".

What's your aim, what do you want to achieve here?

Do you want to understand the steps during installation of a new firmware or do you want to reanimate your (defective) 5490 device?

If it's the latter one, I can't see, why you're trying to implement it in C# - there would be no difference at all, whether you try to flash with an own C# implementation or the Powershell scripts.

You have to provide much more context, what you're doing and why you're doing just that, whatever you're doing now.

It's not possible to create a proper image file (suitable for "RAM load" operation of EVA) using the "fwmod" utility from Freetz - at least not "out of the box".

If you want to extract kernel and filesystem from an original firmware image, use "image2ram" (from "eva_tools" - you may read/research the needed steps within, while the script itself creates the bootable image "as a whole" and does not really dissect kernel and filesystem - these files are only stored temporarily) or the proper function(s) (maybe "getBootableImage" is the right one, depending on your real intentions) from this Powershell class (with embedded C# code): https://github.com/PeterPawn/YourFritz/blob/master/signimage/FirmwareImage.ps1 - a description may be found in the file header or in the associated README.md file.

"fwmod" MAY create an usable image (with the "Freetz" modifications to the original firmware), if the right settings are used in the ".config" file. Using "-u" and "-p" options, will not create a file usable to start the device from.

And what's the "Debbug..." file for (from #36)? It shows the same result, as in an earlier file (#28 in this thread) ... the system dies at the moment, when it tries to initialize the network interfaces. And the EVA loader still doesn't recognize the existing NAND chip. What's the difference here, that anybody should read/interpret this file again?
 

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
The router is not defective.

I overwritten the EVA bootloader. It stopped working

I installed a bootloader from a 7490 router , but the NAND chip does not recognize me.

When i try to initialize with a recovery tool or using powerShell, the system just dies iwhen nitialize network interfaces.

may be due to mac addres ?

1) I would like to load an executable to the Ram:


3) I would like to initialize the sytema step by step.

if i can load the startup system the web environment will load ?
 

PeterPawn

IPPF-Urgestein
Mitglied seit
10 Mai 2006
Beiträge
12,691
Punkte für Reaktionen
915
Punkte
113
The router is not defective.
It's a question of the own view point ... does your router start with its firmware as expected? If the answer is "no", it's defective ... obviously/at least the software, not necessarily the hardware.

I would like to load an executable to the Ram:
EVA isn't ADAM2, I would suspect, that the format is a different one (but I only know the source code of AVMs "flash partition scanner" from the kernel package) ... and as you could see already, your box is able to run a firmware image, if it's loaded to RAM. What's the idea behind experiments with other formats (as described in the linked page)?

If this image would not "panic", it could continue with other activities. But the original firmware is (explicitely) made to initialize the network interfaces (that's built into the kernel) and even if this hurdle has been taken (anytimes in the future, if your attempts were successful in a manner, I can't imagine in the moment), the "/etc/init.d/E03-flash_update" script tries to install the running system to flash memory.

Let's think a little bit further ... after you've had any success installing the firmware to NAND flash and try to restart the device afterwards. What will you do, when the bootloader code isn't recognizing the NAND flash anyway?

Why do you think, installing the firmware to NAND flash would change anything within/for the "EVA loader"? You've understood, that this code was stored in the SPI flash, haven't you?

If you want to overcome the point, where two of your serial log files showed the same "kernel panic", you have to use an own image ... with an own kernel, too. Do you have such one? Did you understand, how it works and how you could build such an own image?

These are the "basics" I've meant some posts above. You're now mixing up (in my opinion) different ADAM2 implementations (OpenWRT has an own page for "EVA", better read this one) and try obviously some approaches, whose senses I can't realize.

Your problem is clear ... the bootloader was erased by accident and the newly installed EVA version is for a different model and does not recognize the installed NAND flash chip. But it has to read from there the system to start and this not only once ... no, on each further reboot.

So your first task is to get and install a functioning bootloader ... any further steps are (relatively) senseless, if the loader is unable to read the system and none of your current attempts (as documented above) is appropriate (in my opinion), to change anything from this situation.

I did not read any comments or results regarding the proposal, to replace/correct the "device specific block" at offset 0x580 of the loader partition ... instead you're trying some (in my opinion useless) approaches to run a system from RAM. As long as you haven't a plan, how to overcome the "kernel panic", what do you want to achieve now with the other activities?

3) I would like to initialize the sytema step by step.
Which "steps" are meant here? First, second, third ... describe your intentions and your actions, together with the results. But think and research, before you start further actions. If you're not sure, what's the aim and whether the used manner is a right one, you'll put more damages to the device and your chances, to make your mistakes undone, are sinking more and more.

At the first glance, the recovery program for version 151.06.52 seems to contain an update for the EVA loader, at least according to the strings found around offset 0x01554e00 from this (Windows PE) file. Why don't you try now to extract this loader from the recovery program and to flash it (with a correct configuration block for your device - which you have to build first, no question) with your external programmer, as you did it with the 7490 code?

THIS would be the next (logical) step, at least in my universe and I can't see any sense within an attempt, to make the second (or third) step in front of the first one and to try the installation of a system to NAND flash or to run a system (at least not an original one, which panics after some seconds) from RAM.

If you've a full-functioning EVA loader and the installed NAND chip is detected properly, the next step may be taken ... but only then.
 
Zuletzt bearbeitet:

EcbBc

Neuer User
Mitglied seit
4 Mrz 2020
Beiträge
24
Punkte für Reaktionen
1
Punkte
3
At the first glance, the recovery program for version 151.06.52 seems to contain an update for the EVA loader, at least according to the strings found around offset 0x01554e00 from this (Windows PE) file. Why don't you try now to extract this loader from the recovery program and to flash it (with a correct configuration block for your device - which you have to build first, no question) with your external programmer, as you did it with the 7490 code?


What software would you use to extract the eva bootloader from the recovery tool?