Fritz!5490 EVA bootloader lost!!

[EcbBc]

Hi, sorry for my English.

I bought a 5490 by ebay.

Trying to change the original firmware for a freetz I have left the router without EVA bootloader.

I used this command and the light went out.

".\EVA-FTP-Client.ps1 -Verbose -Debug -ScriptBlock { UploadFlashFile C:\Users\Administrador\Desktop\Freetz5490\eva_tools\a.image mtd1 }"

The LEDs are off and ethernet does not work.

I have tried to connect through the serial port and EVA bootloader does not exist.


Is there any way to reload EVA bootloader?

thank you very much.

Bild geschrumpft by stoney

 

[NDiIPP]

".\EVA-FTP-Client.ps1 -Verbose -Debug -ScriptBlock { UploadFlashFile C:\Users\Administrador\Desktop\Freetz5490\eva_tools\a.image mtd1 }"

That was the wrong Command. You can't flash a Firmware-Image to mtd1 on the 5490 because it's a NAND-Model.

---

Is there any way to reload EVA bootloader?

If the bootloader was really overwritten by written a Image in mtd1, then not really.

But you can still use them as doorstops or paperweights.

 

[EcbBc]

Vollzitat von darüber entfernt by stoney

Is there any solution? Can it be repaired?

 

[NDiIPP]

Can it be repaired?

If you find a way via JTAG- Interface (not public documented anywhere yet, imo) or you can flash the Serial-Flashchip (not the NAND-Chip) directly (unsolder before), then yes.
But in both cases, however, a suitable bootloader with the individually finalization (Environment, suited to this box) would be required (which may already fail if there is no backup available).

 

[EcbBc]

EVA bootloader is locked


when I try to connect it stays in this loop



Bild geschrumpft by stoney

 

[PeterPawn]

This device is lost ... all (known) options are listed in #4.

Sorry ... but this case is only one more, that shows, how a "trial and error"-approach may destroy a FRITZ!Box device or at least render it useless for its owner.

I can't understand, where/who/why (it) was/has ever mentioned, that for a 5490 device something should/may be written to MTD1.

Once more a warning: Writing invalid data to an unknown partition via EVA bootloader MAY destroy your device - not really physically, but that's not the first case, where the bootloader gets overwritten. You should know/be sure, what you're doing there.

Because this problem (or a similar one) is well-known ... one consequence of its first occurrence was this issue/pull request for Freetz: https://github.com/Freetz/freetz/pull/29 - to protect careless users from using a command/script, which hides the details from them and may still destroy the device.

But if a user itself issues such a command with the full aim to overwrite MTD1, I do not see any real (and still usable) protection, which may be implemented.

Surely the/my script could read and check the provided "HWRevision" value or something else, to auto-detect the used device model and deny writes to "critical targets", but then the next user takes a "normal" (or should I write: stupid?) FTP client to destroy the device and my script is still less useful for others (who know, what they're doing) - e.g. if the device is new and unknown to the script yet.

So I feel a little pity with the user, but not a really big one (the crucial question is, how the idea to write to MTD1 was ever born in his mind) or any liability (not even a "moral" one) for the occurred consequences - I've only provided the tool and did not use it myself in this case.

 

[EcbBc]

PeterPawn , do not worry
the responsibility is all mine !!!
I had not worked with a fritzbox router for a long time. The signed firmware is new to me.

 

[Grisu_]

times are changing - take it as (not really) expensive learning.

 

[EcbBc]

I bought a 7490, it comes next week.
The firmware is compiled using freetz-ng but to update I will ask

 

[koyaanisqatsi]

Hi

take it as (not really) expensive learning

...and a good Example for linking on "how it not works" for others

 

[NDiIPP]

... but to update I will ask

At the 7490 the same procedure as every ye..., eh, as with the 5490. The Firmware-Image is loaded into the RAM via EVA and not in mtd1:
http://www.yourfritz.de/desc-eva

 

[EcbBc]

[QUOTE = "NDiIPP, publicación: 2360361, miembro: 426072"]
Si encuentra una manera a través de la interfaz JTAG (no está documentada públicamente en ningún lugar todavía, imo) o puede actualizar el Serial-Flashchip (no el NAND-Chip) directamente (sin soldar antes), entonces sí.
Pero en ambos casos, sin embargo, se requeriría un gestor de arranque adecuado con la finalización individual (Entorno, adecuado para este cuadro) (que ya puede fallar si no hay una copia de seguridad disponible).
[/CITAR]

If you find a way via JTAG- Interface (not public documented anywhere yet, imo) or you can flash the Serial-Flashchip (not the NAND-Chip) directly (unsolder before), then yes.
But in both cases, however, a suitable bootloader with the individually finalization (Environment, suited to this box) would be required (which may already fail if there is no backup available).

chip 25L8035EM2I-10G MXIC




Is this the chip that you have to flash?

Who has a binary copy of adam2 or EvA bootloader/bios?

Ausschließlich Bild geschrumpf - die Quotes sind unberührt by stoney

 

[NDiIPP]

Is this the chip that you have to flash?

Yes.

Edit:

Who has a binary copy of adam2 or EvA bootloader/bios?

I don't have a (suitable) Binary-Dump. This would also contain boxindividual data (MAC-Adresses, CWMP-Account, WiFi-Passphrase, Webif-Password etc.), that i wouldn't just pass on from another or a similar model.

 

[EcbBc]

Fullquote removed by stoney

I have a plan to recover 5490.

Buy CH341A 24 25 Series EEPROM Flash BIOS USB Programmer with Software & Driver

Solder CH341A programmer cables to the Flash chip

Program the chip with the EVA or Adams bootloader

The problem is that I don't have any bootloader


I have a 7240 router. I guess I can extract the adam bootloader.

How can adam or eva bootloader be backed up?

 

[NDiIPP]

The Bootloader of the 7240 is not compatible with the 5490, this will not work.

 

[PeterPawn]

And on the other hand it's not necessary, to desolder the chip first. It's possible to use a "test clip", too, e.g. this: https://www.amazon.de/WINGONEER-SOI...mmierung-Adapter-SOP8-Test-Clip/dp/B012VSGQ0Q or a similar one (depending on the count of pins).

To extract the binary code of the boot-loader, you need shell access to the device. Then you may dump the appropriate partition via /dev/mtd-something (usually it's number 6 for VR9 devices with this structure) - all of the device-specific values are located in one single block, starting at offset 0x580. The content of this area may get extracted (from a full-functioning boot-loader) using "RETR config" with the EVA FTP server. This - and only this - area is the "extractable part" of the boot-loader code, at least while using the FTP service. If someone wants to "de-personate" a copy of the loader, (s)he may replace/overwrite this block starting at offset 0x580 (in the size of the retrieved "config" file). It's still readable via FTP, because the recovery program by AVM uses this data to personalize the new loader image during an update of the "urlader" code.

============================================

But probably the redistribution of EVA code (even as image) to someone else may be a violation of AVM's license conditions.

In opposite to the loader from GRX5 devices, where my 7580 device contains an obvious reference to the loader from the "uClibc" or "uClibc-ng" project:

vidar:/home/FritzBox/FB7580/Box $ grep -abo "/lib/\(.*\)" mtd1_urlader
690864:/lib/ld-uClibc.so.0
953008:/lib/ld-uClibc.so.0
vidar:/home/FritzBox/FB7580/Box $

(with the highest possibility this is a relict from linking the code statically to this library), the VR9 loader does not contain any telltale tracks from the used library and so there's no sign, that it should, could or may be redistributable due to the license conditions of an used open-source component.

============================================

And while I manage two 5490 devices remotely myself, I've never extracted the loader code from one of them - because the needed shell access would require (at least for its initial installation) a "local presence". So I'm not able to compare the code really, but I would think and bet, that the code is the same as for a 7490 or 3490 - as long as the GPIO allocation and the installed memory chips are identical (this needs a simple recherche for validation). Therefore a copy from another model COULD work, too. The device-specific part needs to be adjusted to the final device in every case - whether it comes from the same model or from another one.

 

[EcbBc]

And on the other hand it's not necessary, to desolder the chip first. It's possible to use a "test clip", too, e.g. this: https://www.amazon.de/WINGONEER-SOI...mmierung-Adapter-SOP8-Test-Clip/dp/B012VSGQ0Q or a similar one (depending on the count of pins).

To extract the binary code of the boot-loader, you need shell access to the device. Then you may dump the appropriate partition via /dev/mtd-something (usually it's number 6 for VR9 devices with this structure) - all of the device-specific values are located in one single block, starting at offset 0x580. The content of this area may get extracted (from a full-functioning boot-loader) using "RETR config" with the EVA FTP server. This - and only this - area is the "extractable part" of the boot-loader code, at least while using the FTP service. If someone wants to "de-personate" a copy of the loader, (s)he may replace/overwrite this block starting at offset 0x580 (in the size of the retrieved "config" file). It's still readable via FTP, because the recovery program by AVM uses this data to personalize the new loader image during an update of the "urlader" code.

============================================

But probably the redistribution of EVA code (even as image) to someone else may be a violation of AVM's license conditions.

In opposite to the loader from GRX5 devices, where my 7580 device contains an obvious reference to the loader from the "uClibc" or "uClibc-ng" project:

vidar:/home/FritzBox/FB7580/Box $ grep -abo "/lib/\(.*\)" mtd1_urlader
690864:/lib/ld-uClibc.so.0
953008:/lib/ld-uClibc.so.0
vidar:/home/FritzBox/FB7580/Box $

(with the highest possibility this is a relict from linking the code statically to this library), the VR9 loader does not contain any telltale tracks from the used library and so there's no sign, that it should, could or may be redistributable due to the license conditions of an used open-source component.

============================================

And while I manage two 5490 devices remotely myself, I've never extracted the loader code from one of them - because the needed shell access would require (at least for its initial installation) a "local presence". So I'm not able to compare the code really, but I would think and bet, that the code is the same as for a 7490 or 3490 - as long as the GPIO allocation and the installed memory chips are identical (this needs a simple recherche for validation). Therefore a copy from another model COULD work, too. The device-specific part needs to be adjusted to the final device in every case - whether it comes from the same model or from another one.

PeterPawn Thank you very much, I will try and comment on how it goes.
I have to buy the "test clip"


With instruction
".\EVA-FTP-Client.ps1 -Verbose -Debug -ScriptBlock { UploadFlashFile C:\Users\Administrador\Desktop\Freetz5490\eva_tools\a.image mtd1 }"
I overwritten the MDT1?

My bootloader must be in the mdt1?

Thank's

 

[PeterPawn]

My bootloader must be in the mdt1?

That's wrong ... probably the "definition" of MTD1 boundaries was the same, as for a 7490 (I'll not check this in a 5490, at least not yet, but someone else could look into a generated "support file" to verify this.):

mtd0    0x400000,0x3400000
mtd1    0x0,0x400000
mtd2    0x0,0x40000
mtd3    0x40000,0xA0000
mtd4    0xA0000,0x100000
mtd5    0x0,0x200000

But as it was written now multiple times (even in this thread), you should know, what you're doing.

And so it doesn't matter, which name is used by the "urlader" code partition (from the view point of this boot-loader, while it's running and in control of the device) - it's usually rather "mtd2". But you really can't read/export the content of this partition with any function, that's provided by a running EVA instance.

And if you look at the definition for "mtd1" and "mtd2" from above, you'll notice, that they share the first 256 KB of the flash memory (start at 0x0, size of mtd1 is 0x400000 and size of mtd2 is 0x40000 - but the second value is usually rather the last address (+1) and not a size value ... but combined with a start address of 0x0, the values are identical) and so it's not really surprising, if a write access to "mtd1" kills the bootloader code from the first 256 KB, if the FTP server accepts a write attempt and erases the SPI flash in a size of 0x400000 (4 MB - that's more than the real size of the SPI memory) as first step.

Sure, it's a big bug from the FTP server, that it accepts and executes such a write attempt ... but it's also a big mistake of the user, to try such one for the wrong target.

Older devices (here a 7390 with NOR flash, that's mapped to a start address of 0x9F000000 on the memory bus) use definitions for "mtd2" and "mtd1", that do not share a common section:

mtd0    0x9F000000,0x9F000000
mtd1    0x9F020000,0x9FF00000
mtd2    0x9F000000,0x9F020000
mtd3    0x9FF00000,0x9FF80000
mtd4    0x9FF80000,0xA0000000

If AVM did not correctly enable or disable one command or target name from another model in the EVA code, such failures may occur - but usually they'll never get noticed, because no-one uses the wrong commands/targets for such write attempts - as long as (s)he knows, how to do it in the right manner.

And if you don't try to collect the correct info for a box, BEFORE you start any further experiments, you will kill the next device soon. Meanwhile your question, as cited at the very beginning of this post, is practically the next "misunderstanding" and not really a good sign for a systematical collection of (correct) infos.

Sure, sometimes it's useful, if anyone has the "cohones", to dare to try even unusual things. But I'd bet, correct info, that was collected in preparation for such a "brave action", will help much more, than any premature conclusions, based on old and outdated articles.

So you should try to collect such info and - if you're unsure, whether they're still valid - you may ensure here.

But such questions (at least with this - rather unusual - intention) should have a stable base of good knowledge, contain a compact description of the circumstances/conclusions/facts and shouldn't occur after the first read source already - and you should be able to show, where you found an info, if it's wrong (the still open question, how you came to the idea to write to mtd1 on a 5490 model).

Otherwise also the "helpers" will become responsible for the premature death of many innocent FRITZ!Box devices - what a horrible notion.

Addition: And to clarify another point, too ... the view of the running system on the flash partitions via "/proc/mtd" (and therefore even via "/dev/mtd[block]X") is a different one and completely unrelated to the view of EVA. Do not mix up the numbers from the views of different systems (EVA vs. FRITZ!OS).

 

[EcbBc]

Hi !!! I have half recovered the 5490 router !!

With the help of a CH341A programmer and test clip I have managed to get a copy of the EVA bootloader of a router 7490.

Then I programmed the EvaBootloader.bin(extracted fritz7490) directly to the WINBOND W25Q80BV chip of the router 5490.

Now Eva bootloader and ftp works!!!



I tried to recover the fritz5490 using the FRITZ.Box_5490.de-en-es-it-fr-pl.06.84.recover-image.exe tool.
It doesn't let me, it tells me to use the recovery tool of a 7490 router



The serial access starts but it stops and does not let me write



Can I modify the Bootloader.bin (extracted from 7490) with the environment variables of a 5490 router?

What do you advise me?

Bilder geschrumpft by stoney

 

[PeterPawn]

I (personally) would stop here and try (once more) to get a bootloader image for a 5490 device.

The results of your attempts are not as excellent, as you think (or as it seems, that you think).

While reading the output from serial console you will see, that the loader does not find the installed NAND flash chip ... and the 5490 model has one with 512 MB capacity, too.

The output from a 7490 looks like this:

ROM VER: 1.1.4
CFG 05
** START
RVEC bf200000
[\]

(AVM) EVA Revision: 1.1964 Version: 2964
(C) Copyright 2005 AVM Date: Nov 27 2013 Time: 14:33:10 (1) 3 0x0-0x740D

[FLASH:] MACRONIX Uniform-Flash 1MB 256 Bytes WriteBuffer
[FLASH:](Eraseregion [0] 16 sectors a 64kB)
[NAND:] 512MB MICRON 2048 Pagesize 128k Blocksize 4096 Blocks 8Bit 1 CS HW
[SYSTEM:] VR9 on 500MHz/250MHz/250MHz

.Atheros 8030/35 detected

Eva_AVM >

and because the EVA loader has to use this NAND chip later for loading/decompression of kernel image to (random access) memory, it's essential, that it may detect it.

No NAND flash, no start from this flash memory - never mind, whether it contains a (functioning) firmware or not.

I don't think, that any changes to repair the "device specific block" at offset 0x580 with the settings from a (real) 5490, will also lead to a proper detection of the used NAND flash.

It COULD be, that the GPIO assignments are really different on a 7490 and a 5490 device - as I wrote above.

If the EVA code does not use the correct pins to communicate with the NAND chip, it will never find it. Whether the pin assignments are identical or not, may be discovered from the kernel sources for these models.

EDIT: OK, it looks like the NAND flash may be accessed (the pin assignments are correct in this case) and the Manufacturer ID and the ID Code are real - according to this source: http://www.linux-mtd.infradead.org/nand-data/nanddata.html, it's a Toshiba chip (0x98, 0xDC), but it seems, that this one is unknown to the existing (bootloader) code.