Bypassing U-Boot Partition Read-only Permissions/Masking by Chain-loading U-Boot
Recently, we had to bypass a bootloader that had partition permissions, because we needed to overwrite U-Boot. Unfortunately, writing to this section of flash was not possible (invalid permissions/read-only), but we could TFTP our own U-Boot binary image to the device. The partition map:
Area 1: D0004200 to D00083FF Environment
Area 2: D0008400 to D0083FFF (RO) U-Boot
Area 3: D0084000 to D020A9FF Kernel
Notice the problem with U-Boot above? It is read-only. Next, we need to know where we can chain-load U-Boot. This isn't recommended by the U-Boot developers, but sometimes hacks are needed when JTAG isn't present. The file header of the u-boot ELF image gives the start address:
u-boot: file format elf32-littlearm
architecture: armv5te, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x21f00000
Next, load your image into RAM via TFTP and execute it:
setenv serverip <serverTFTPIP>
tftpboot 0x20000000 u-boot.bin
go 0x21f00000
U-Boot should now be loaded, and if you have your partition map set to less restrictive elements, you can load and write as you wish.
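As an added example (not part of the original post), this Python sketch parses the area table shown above to check whether a flash write would overlap a read-only area, and reads the entry point from an ELF32 little-endian header, which is the value reported as the start address. The function names and the sample header bytes are constructed for illustration.

```python
import re
import struct

# Area table exactly as printed on the page.
AREA_MAP = """\
Area 1: D0004200 to D00083FF Environment
Area 2: D0008400 to D0083FFF (RO) U-Boot
Area 3: D0084000 to D020A9FF Kernel
"""
AREA_RE = re.compile(r"Area \d+: ([0-9A-Fa-f]+) to ([0-9A-Fa-f]+) (\(RO\) )?(.+)")

def parse_areas(text):
    """Return one dict per area: name, start, end (inclusive), read_only."""
    areas = []
    for line in text.splitlines():
        m = AREA_RE.match(line.strip())
        if m:
            areas.append({"name": m.group(4).strip(),
                          "start": int(m.group(1), 16),
                          "end": int(m.group(2), 16),
                          "read_only": m.group(3) is not None})
    return areas

def blocked_by(areas, addr, length):
    """Names of read-only areas that a write of `length` bytes at `addr` overlaps."""
    last = addr + length - 1
    return [a["name"] for a in areas
            if a["read_only"] and addr <= a["end"] and last >= a["start"]]

def elf32_entry(header):
    """Return (e_machine, e_entry) from an ELF32 little-endian file header."""
    if len(header) < 52 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF32 header")
    if header[4] != 1 or header[5] != 1:  # EI_CLASS=ELFCLASS32, EI_DATA=ELFDATA2LSB
        raise ValueError("only ELF32 little-endian is handled")
    _e_type, e_machine, _e_version, e_entry = struct.unpack_from("<HHII", header, 16)
    return e_machine, e_entry

# Constructed 52-byte header (not taken from a real image): ET_EXEC, EM_ARM (40),
# entry point set to the start address quoted on the page.
SAMPLE_HEADER = (b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
                 + struct.pack("<HHII", 2, 40, 1, 0x21F00000) + bytes(24))

if __name__ == "__main__":
    areas = parse_areas(AREA_MAP)
    print(blocked_by(areas, 0xD0008400, 0x1000))   # write into the U-Boot area
    print(blocked_by(areas, 0xD0084000, 0x1000))   # write into the Kernel area
    print(hex(elf32_entry(SAMPLE_HEADER)[1]))
```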