Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Sun Jun 25, 2017 8:21 Post subject: Malachi
Malachi,
So you have a R6700 that has been modified with a R7000 CFE?
The only way it shouldn't flash is if the firmware isn't matching the board id.
I had this one router that it appeared the board ID was correct BUT the person who had changed the Board ID manually typed it and instead of using Zeros (00) used O's (The Letter O) and it appeared almost identical. So at the CFE prompt i burned the new ID and it fixed it. I have also seen where they copy and paste from websites and there is a extra "space" character in the board ID that isnt being seen through putty.
Re-burn the board id for R7000 board id
If that doesn't work, re-burn the R6700 board id and load a R6700 ddwrt.
I also got around this problem by stripping the header of a DDWRT Web Upgrade Image. If I remember it was the first 28 bytes. This way there is no header. _________________ My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
Joined: 16 Apr 2016 Posts: 307 Location: California
Posted: Sun Jun 25, 2017 16:29 Post subject: Re: Bricked r6700
Malachi wrote:
Ivegot a bricked r6700 that I've got my serial cable on.
Every firmware I've tried to upload through the cfe gives me a checksum mismatch.
I've tried netgear fw, brainslayer and Kong builds.
The cfe doesn't have a help section. It says it's an r7000 cfe.
I've tried flashing using flash -noheader : nflash1.trx but get the same message.
The board Id is correct.
Any tips?
Just for information purposes that at the top it says r7000 cfe. I would guess that the r7000, r6900 and r6700 all use the same cfe designed for the r7000 but find it strange that on an r7000 if I type help, I get a help menu but on the r6700 there is no help menu. So the cfe though it says r7000 cfe, it is crippled somehow. _________________ I am far from a guru, I'm barely a novice.
CFE for Foxconn Router R7000 version: v1.0.22
Build Date: Wed Mar 19 11:14:20 CST 2014
Init Arena
Init Devs.
Boot up from NAND flash...
Bootcode Boot partition size = 524288(0x80000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1000,*800*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.15.1 (r407936)
et1: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.15.1 (r407936)
CPU type 0x0: 1000MHz
Tot mem: 262144 KBytes
Device eth0: hwaddr A0-04-60-8A-65-5D, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Checking crc...Invalid boot block on disk
Device eth0 has been deactivated.
Device eth0: hwaddr A0-04-60-8A-65-5D, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Start TFTP server
Reading :: _________________ I am far from a guru, I'm barely a novice.
This is what i get no matter what firmware I upload:
Decompressing...done
CFE for Foxconn Router R7000 version: v1.0.22
Build Date: Wed Mar 19 11:14:20 CST 2014
Init Arena
Init Devs.
Boot up from NAND flash...
Bootcode Boot partition size = 524288(0x80000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1000,*800*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.15.1 (r407936)
et1: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.15.1 (r407936)
CPU type 0x0: 1000MHz
Tot mem: 262144 KBytes
Device eth0: hwaddr A0-04-60-8A-65-5D, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Checking crc...Invalid boot block on disk
Device eth0 has been deactivated.
Device eth0: hwaddr A0-04-60-8A-65-5D, ipaddr 192.168.1.1, mask 255.255.255.0
gateway not set, nameserver not set
Start TFTP server
Reading :: Done. 24756282 bytes read
Checksum mismatch:
Image chksum: 0xE7FB9981
Calc chksum: 0x442D5A85
Reading :: _________________ I am far from a guru, I'm barely a novice.
*** command status = -1
CFE> set env BOARD_ID U12H270T00_NETGEAR
Invalid command: "set"
*** command status = -1
CFE> burnboardid
Invalid command: "burnboardid"
*** command status = -1
CFE> ?
Invalid command: "?"
*** command status = -1
CFE> nvram erase
*** command status = 0
CFE> nvram set boardid=U12H270T00_NETGEAR
*** command status = 0
CFE> tftpd
Start TFTP server
Reading :: Done. 27566138 bytes read
Board ID : U12H270T10_NETGEAR
Image ID : U12H270T00_NETGEAR
Reading :: _________________ I am far from a guru, I'm barely a novice.
so your R7000 has corruption cfe. itself check crc then deactivate eth port. if you can able run firmware to busy box then used usb ttl to backup and fix cfe throught CLI like dd if=/dev/cfe.bin of=/xx/usb/backup.bin and compare bin .( i used winhex to compare bun and tera term to connect usb ttl with computer). if problem on ID board then you can go to cd /bin or cd /sbin. at there you can see alot command from netgear then compare board ID of nvram with CFE bootload and firmware. all these step go through if firmware able to run,if not only CLI cfe able to do. unfortunally all netgear hide all these CLI help.so the only thing used cfe back up from other router.check cpu info to make sure it compatible.set up manual ip of computer with turn off window defender and set internet option LAN=192.168.1.1. set up tftp32.exe only tftpd. check go though use CLI ping. then put the name firmware in tftp32. if on done then you can replace bootload with goodone,but you need edit cfe mac addr with itself router or some firmware will hash mac addr then router unable to communitcation by LAN PORT. On netgear router CLI is flash -noheader 192.168.1.1:cfename.bin flash0.boot where flash0.boot is first partition of nand flash aka bootload cfe, cfename.bin is your cfe you want replace (must put in direction of tftp32.exe fold). 192.168.1.1 is ipaddr of router (on other router is different). all tool like putty or tera term, tftp32,tftp64, CLi of cfe can able search on google. how to do then you can search on youtube. all for research and leraning if you want.
so your R7000 has corruption cfe. itself check crc then deactivate eth port. if you can able run firmware to busy box then used usb ttl to backup and fix cfe throught CLI like dd if=/dev/cfe.bin of=/xx/usb/backup.bin and compare bin .( i used winhex to compare bun and tera term to connect usb ttl with computer). if problem on ID board then you can go to cd /bin or cd /sbin. at there you can see alot command from netgear then compare board ID of nvram with CFE bootload and firmware. all these step go through if firmware able to run,if not only CLI cfe able to do. unfortunally all netgear hide all these CLI help.so the only thing used cfe back up from other router.check cpu info to make sure it compatible.set up manual ip of computer with turn off window defender and set internet option LAN=192.168.1.1. set up tftp32.exe only tftpd. check go though use CLI ping. then put the name firmware in tftp32. if on done then you can replace bootload with goodone,but you need edit cfe mac addr with itself router or some firmware will hash mac addr then router unable to communitcation by LAN PORT. On netgear router CLI is flash -noheader 192.168.1.1:cfename.bin flash0.boot where flash0.boot is first partition of nand flash aka bootload cfe, cfename.bin is your cfe you want replace (must put in direction of tftp32.exe fold). 192.168.1.1 is ipaddr of router (on other router is different). all tool like putty or tera term, tftp32,tftp64, CLi of cfe can able search on google. how to do then you can search on youtube. all for research and leraning if you want.
I already tried that. I flashed an r7000 cfe that I had as a backup. Still the same result.
The lan port still works, I get ttl=100 and am able to upload firmware and cfe. _________________ I am far from a guru, I'm barely a novice.
I tried flashing an r6700 cfe from a forum user, two different r7000 cfe's and even the xvortex cfe for the r7000 on it.
No matter what firmware I try I get checksum mismatch.
I uploaded the same firmware 3 different times and each time the calculated checksum was different.
something is wrong.
Reading :: Done. 30191674 bytes read
Checksum mismatch:
Image chksum: 0x4526DA8B
Calc chksum: 0x2989ED40
Reading :: Done. 30191674 bytes read
Checksum mismatch:
Image chksum: 0x4526DA8B
Calc chksum: 0x6736ED1E
Reading :: Done. 30191674 bytes read
Checksum mismatch:
Image chksum: 0x4526DA8B
Calc chksum: 0x55D3A533
Reading :: _________________ I am far from a guru, I'm barely a novice.
I tried flashing an r6700 cfe from a forum user, two different r7000 cfe's and even the xvortex cfe for the r7000 on it.
No matter what firmware I try I get checksum mismatch.
I uploaded the same firmware 3 different times and each time the calculated checksum was different.
something is wrong.
I've used command line tftp and tfpd32 and tftpd from the cfe.
So there is nothing I can do? _________________ I am far from a guru, I'm barely a novice.
