Bypassing U-Boot Partition Read-only Permissions/Masking by Chain-loading U-Boot

Recently we had to get past a bootloader that enforced partition permissions, and the partition we needed to overwrite was the one holding U-Boot itself. Writing to that region of flash was refused (invalid permissions/read-only), BUT the bootloader would still let us TFTP our own U-Boot binary image into RAM on the device.

Area 0: D0000000 to D00041FF (RO) Bootstrap
Area 1: D0004200 to D00083FF      Environment
Area 2: D0008400 to D0083FFF (RO) U-Boot
Area 3: D0084000 to D020A9FF      Kernel

Notice the U-Boot area above: read-only. The way around it is to chain-load a second U-Boot out of RAM, and for that we need to know WHERE the image was linked to run. The U-Boot developers do not recommend chain-loading one U-Boot from another, but sometimes hacks are needed when there is no JTAG. Run objdump -f on the ELF build product (u-boot, not the raw u-boot.bin, which has no header to inspect) to find the start address:

#> objdump -f u-boot

u-boot:     file format elf32-littlearm
architecture: armv5te, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x21f00000

Next, TFTP the raw binary (u-boot.bin) into RAM at that start address and jump to it. The load address given to tftpboot and the address given to go must both be the link address reported by objdump, because an image like this is not position-independent. Also make sure that address does not overlap the U-Boot that is currently running (it is the one performing the transfer); if it does, rebuild your image with a different TEXT_BASE.

setenv ipaddr <myIP>
setenv serverip <serverTFTPIP>
tftpboot 0x21f00000 u-boot.bin
go 0x21f00000

Your U-Boot is now running from RAM, and if you built it with a less restrictive partition map (or none at all) you can read and write the flash, including the original read-only U-Boot area, as you wish.
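As an added example (not code from the original post), the script below pulls the start address out of objdump -f output and emits the matching U-Boot console commands, so the TFTP load address and the go target cannot drift apart, and checks that the image will not land on top of the running bootloader. The objdump text is a constructed sample mirroring the output above; the IP addresses, file name and the running bootloader's base/size in the checks are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: derive the chain-load commands
# from `objdump -f` so the load and jump addresses are always the link address.

# Constructed sample of `objdump -f u-boot` output (mirrors the post's image).
SAMPLE_OBJDUMP='u-boot:     file format elf32-littlearm
architecture: armv5te, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x21f00000'

# entry_addr: read objdump -f text on stdin, print the start (link) address.
entry_addr() {
    sed -n 's/^start address \(0x[0-9a-fA-F][0-9a-fA-F]*\).*/\1/p'
}

# entry_addr_of_elf FILE: same, but run on a real ELF (u-boot, not u-boot.bin).
entry_addr_of_elf() {
    objdump -f "$1" | entry_addr
}

# is_hex_addr ADDR: succeed if ADDR is a non-empty 0x... hex literal.
is_hex_addr() {
    case "$1" in
        0x*) rest=${1#0x}
             [ -n "$rest" ] && [ -z "$(printf '%s' "$rest" | tr -d '0-9a-fA-F')" ] ;;
        *)   return 1 ;;
    esac
}

# overlaps ENTRY SIZE RUNNING_BASE RUNNING_SIZE: succeed if [ENTRY, ENTRY+SIZE)
# intersects [RUNNING_BASE, RUNNING_BASE+RUNNING_SIZE), i.e. the TFTP'd image
# would overwrite the U-Boot that is executing the tftpboot command.
overlaps() {
    a=$(($1)); a_end=$((a + $2)); b=$(($3)); b_end=$((b + $4))
    [ "$a" -lt "$b_end" ] && [ "$b" -lt "$a_end" ]
}

# chainload_cmds ENTRY IPADDR SERVERIP FILE: print the U-Boot console commands,
# using ENTRY for both the tftpboot load address and the go target.
chainload_cmds() {
    entry=$1; ip=$2; server=$3; file=$4
    is_hex_addr "$entry" || { echo "bad entry address: $entry" >&2; return 1; }
    printf 'setenv ipaddr %s\n' "$ip"
    printf 'setenv serverip %s\n' "$server"
    printf 'tftpboot %s %s\n' "$entry" "$file"
    printf 'go %s\n' "$entry"
}

# Usage with the constructed sample (placeholder IPs; running-bootloader base
# and size are assumptions for the overlap check, not values from the post).
ENTRY=$(printf '%s\n' "$SAMPLE_OBJDUMP" | entry_addr)
if overlaps "$ENTRY" 262144 0x23f00000 262144; then
    echo "image at $ENTRY would overwrite the running U-Boot; rebuild with another TEXT_BASE" >&2
else
    chainload_cmds "$ENTRY" 192.168.1.2 192.168.1.1 u-boot.bin
fi
```

The overlap check is the part worth keeping around: when the stock bootloader and your rebuilt one were linked at the same TEXT_BASE, tftpboot would clobber the code doing the transfer, and the only fix is to relink your image elsewhere.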
