Hey all,
Trying to debrick an Zyxel P-2601HN-F1 using the serial connection. Have the connection, got logged in and have debug access but I seem to be unable to actually get the thing unbricked.
I've done as followed:
1. connect to the serial connection with a baud rate of 115200
Which gets me the following info.
ROM VER: 1.รน
ROM VER: 1.1.3
CFG 01
U-Boot 1.1.5-ARX182 1.1.8(May 7 2010)
Boot from NOR flash
AR9 BOARD
CLOCK CPU 333M RAM 166M
DRAM: 64 MB
relocate_code start
relocate_code finish.
Flash: 16 MB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Net:
switch chip id=0000ffff
switch chip id=0000ffff
amazon_s Switch
## Executing script at b001f400
Z-Boot Autoscript file
======================
## Starting application at 0x82A80000 ...
Protected 1 sectors
Hit any key to stop autoboot: 0
MRD_CERT_1 check =0
MRD_CERT_2 check =0
wrong hdrChksum
all FW images are wrong!!!
multibootServiceListen.....
Stopping autoboot gets me here:
ZHAL> ls
ATBT x block0 write enable (1=enable, other=disable)
ATWM x set MAC address in working buffer
ATEN x,(y) set BootExtension Debug Flag (y=password)
ATSE show the seed of password generator
ATWZ a(,b,c) write ZyXEL MAC addr, Country code, EngDbgFlag
ATCB copy from FLASH ROM to working buffer
ATCL clear working buffer
ATSB save working buffer to FLASH ROM
ATBU dump manufacturer related data in working buffer
ATSH dump manufacturer related data in ROM
ATCO x set country code in working buffer
ATFL x set EngDebugFlag in working buffer
ATVD x set vendor name in working buffer
ATPN x set product name in working buffer
ATFE x,y,... set feature bits in working buffer
ATSN x set serial number in working buffer
ATTL MRD_CERT partition utility
ATGO boot up whole system
ATGU go back to U-Boot command line mode
ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u
=iterations
ATUR x,y upgrade RAS image (imgAddr, filename)
ATUB x,y upgrade ZyU-Boot image (imgAddr, filename)
ATWH x write HW version
ATHV x set HW version in working buffer
ZHAL>
I use the following command to unable protected functions. (pw depends on the mac address)
ATEN 1,10F0A563
ATSH gives me the following:
wrong hdrChksum
No RAS!!!
bdinfo:
boot_params = 0x82B3FFB0
memstart = 0x80000000
memsize = 0x04000000
flashstart = 0xB0000000
flashsize = 0x01000000
flashoffset = 0x00000000
ethaddr = 40:4A:03:FD:AF:30
ip_addr = 192.168.1.1
baudrate = 115200 bps
Now to solve this I have tried to upgrade the RAS using the ATUR command, this does not work and it crashes on the same problem.
I also tried to do the same from the u-boot command line mode. (tftpboot image, and boot from memory) this gave me bad magic nr errors. Possibly I screwed this process up.. The image did arrive as requested via tftp but apparently it did not work.
Anyone have an idea as to how I can unbrick this thing?
regards and thnx.
(Last edited by prittweed on 4 Apr 2014, 14:57)