AR300M brick and... recovery attempt

Thanks a lot @misujr. Really. I mean it. Finding this support by the community was the only way I could hope to recover the router, and indeed it is. Let’s hope I don’t do something stupid!

Dear @alzhao , I seem to progress. The dump of ART might be redundant, as part of the chip seems fine.
I can send you privately the dump to verify that some parts do not need to be flashed again?

Or even better, I try to flash uboot and see if the rest of the chip behaves correctly.
Could you tell me the command to launch with the CH341A to flash only the sectors for the uboot on the chip?

No rush. If you have time, as I know you’re celebrating (Spring Festival, am I right?)

Regards to all of you,
Gabriel

I don’t know about this. I think you can just flash the uboot and it should flash at the beginning of the Nor, right?

About your ART, it seems it is not correct. Is this the last 64K of the Nor?

Thanks for the reply Alzhao… unfortunately my attempt to just open the uboot file and write to the chip, hoping it would address the correct section of Nor, failed. The program flashed it, but on top of the previous configuration. The result is the garbled characters you can see in the background of the picture below.
Therefore, I flashed again the dump I made some days ago, and now the condition is this one:


“Chip main memory with the contents are in disagreement”
I guess it has to do with the addresses and the proper alignment of the contents in the chip.
Reading again the chip, this is the last part of it, at address 00FFF310, where maybe ART starts:

Do you think it is damaged?
@misujr and @Johnex , do you happen to know this particular situation? Do you have hints?
@Johnex , I think you know better than anyone how to behave, using the CH341 as programmer… having at least 2 images to flash, UBOOT and ART, how do I specify the addresses to locate where to flash the images (either decimal or hexadecimal)? Maybe using the CH341 but running it on Linux?
@misujr , at this point, since my dump file does not work, it would be very useful to have your dump of the whole chip (with random MAC), flash it to have a working UART console, and from there correct the art partition using the MTD nomenclature, like you did to recover your ART, because by the end of holiday season (next week I think) the customer service will send me a backup of my ART partition. I’ll be hugely thankful if you passed me a whole working dump file.

Thanks to all of you…I’m sorry to disturb you with my problems. :sweat_smile:

Since you are on Windows, the best way is to use a hex editor. I personally use 010 Editor, but it costs money so the best free one is HxD:

https://mh-nexus.de/en/programs.php

You want to open the backup you made, and also open just the ART section, so you have 2 tabs open. You then place the cursor in the backup file tab where you want to insert or replace the ART. Go to the ART tab, select all, copy, then paste it into the backup tab. HxD will overwrite all bytes following the cursor with whatever you copied. If the section you want to replace is bigger than the new content, for example, you can instead select the block to replace beforehand. You can also do it if you know the range via “Edit -> Select Block”.

After you have done your edits, save it as a new file and flash that with the CH341A.

Appending to the end:

Replacing section:


Johnex thanks a lot. You couldn’t be more precise than this.

I hope my dump is still usable replacing sections of it.
Here is my dump file…could someone scroll it rapidly and tell me if I need another dump file to work on, or I can manage recovering the router just using mine?
I don’t really know what it should look like. Dunno for example if UBOOT and ART are both damaged, or only UBOOT.
It is the first time I open a firmware and see how it is written.

Seems that you failed to flash the correct data.

Can you erase the flash first so that it is all FF? Then flash the uboot again.

Hello guru. Welcome back!
I think I will wait for the ART dump from Support and possibly @misujr 's full dump.
Pardon me if I’m so careful, but I know I’m no expert, and usually when I throw myself into these things with no precautions I end up f**king up everything. I know it is already messed up, but I can do worse! I don’t really know what I was really doing the other day…
If you fellows agree with me, please help me collect all possible images beforehand, and then juggle the balls.
ATM, my preferred option would be to flash @misujr dump through CH341, and then from UART flash the ART with my mac addresses and calibration.

Is it an acceptable milestone? :sweat_smile:

I am not really super familiar with using the CH341A. I have it and I have used it but not enough to know my way around it. I am more familiar with the flashrom tool under Linux.
My dump is here : 16 MB file on MEGA
Bear in mind that I have just written a random mac and serial number but that shouldn’t be a problem.
The router that gave the dump is one with internal antennae so although it will not match the art partition on yours, still it should not stress your router’s RF too much.
Please let me know once you got the dump so I can remove it :slight_smile: .
Also sorry for the late response but I am in the same time zone and culture as the support team from GLi so I just got back to my office :slight_smile: .

L.E.: As @alzhao said , please first erase the content of the chip and then write the dump.
As long as you don’t “fry” the IC, then you are safe to try to write on it for quite a few times so don’t worry, just watch the pinout :slight_smile: . If worse comes to worst you can buy a new IC, and that is still worth it to save the router.

BR,
Misujr

2 Likes

@misujr you are very careful.
I wish you have the same from your fellows!
I made a copy of your dump in my MEGA, so you can remove it if you wish.

Now the only thing I’m missing is the ART, and I’m good to go.
At this point, I’m sure I will be able to recover the router! :star_struck:

Me too, but my doubt is that you need a whole image to flash, since the programmer does not know where to put the images in the available partitions. With your bin, I circumnavigate the problem in one go.

Thanks a lot to everyone! I’ll report back when there is development!

Thank you for the kind words.
Great you got the file :wink: .
Please try to flash the file from me and see if you can power up the router and get into it. If you can then that is a great step :slight_smile: .
Though you will need to see if you can get it online to be able to install kmod-mtd-rw, which will allow you to replace the ART partition in an easy manner (at least the way I found easy :-) ).

Hello fellow members…
I just wanted to tell you thanks to everyone’s help I was able to fully recover the AR300M!
I basically had to flash the dump kindly provided by @misujr, and then slowly work out all the “partitions” of both NOR and NAND to make it as new. Did not need to follow this method… the serial console was enough.
I can dig into the detailed explanation if needed, but basically the most important thing to say is that I found it preferable to flash all the sections through TFTP and serial console, since the UBOOT UI has some quirks here and there. Specifically, both NAND and ART flash did not execute properly via 192.168.1.1 and 192.168.1.1/art.html. It is a bug with the size of files (at least for the NAND fw).
I found a little confusing the scripts in the uboot console, but in the end they worked. Surely, you need to rename the files in the tftp server to match exactly the ones in the scripts. In particular, the script that flashes the ART section is not really well documented, and I ended up issuing commands when a script was provided, but nonetheless I succeeded.

If you need further details, just ask me in a reasonable timelapse. I’ll try my best to explain properly, and give back what I received!

Thank you all, again. I mean it. This is a great forum and community, as much as owrt forum!
Keep up the good work.

3 Likes

Glad to see you got this sorted and got back your router :slight_smile: .
If you have the time and availability, maybe you can post a guide on how to get the NAND working using the method you described above. My reason to ask this is simple: the router I have saved has only NOR memory on the PCB, but I can put a NAND flash on it just for the sake of adding more memory, and I would be interested to try your method of flashing the NAND memory and then getting it up and running. I am not yet familiar with flashing the NAND from NOR, so a guide from you, who did this just recently with success, would be great, and I think it might help others in the future in case they face the same problem. No time constraint on my side, so please do it only if and when you have the time for this :slight_smile: .

Again congrats for the success :wink: .

BR,
Misujr

2 Likes

Hi there,
I’ve been tinkering with my AR300M today, since it seemed to not like the latest firmware, and along the way I appear to have hosed my ART partition in trying to recover it to a working state. I’ve managed to recover the main firmware, but I think I may have overwritten the ART when trying to manually get the firmware in the right spots on the chip to have it boot.
Is there any chance I could get a reupload of the dump file from @misujr or @bright_plastik if you still have it?
Thanks!

Hi Drag…
I’m moving in a new house ATM, so I’m surrounded by chaos and doubts. I’ll eventually get over it and find the dump of the original firmware and pass it on to you.
Watch out though, if you fried your ART (as I did) the only way you can fully recover the router is by getting in contact with @alzhao, as only he can send you a proper ART with your correct mac addresses.
In all the recovery process, don’t ever use the GUI pages for upload of FW. Only use serial console and built-in flash commands.
This is very, very important.
The GUI is bugged, and never got fixed.

Thanks for the response. I’m aware that the ART is MAC-address specific (that’s what tipped me off that something was wrong, when it didn’t pick the static IP assignment back up) though based on the OpenWRT wiki it’s relatively easy to modify back to the original values. It’s more about the calibration data for the wireless interfaces; if I’ve blown that away, then it’s going to need refitting.
I also filed a support request earlier today on the contact page, so this is somewhat of a backup in that sense.
And yes, I do agree that the firmware update process leaves a lot to be desired; the whole issue started when trying to install 3.212 over the top of 3.211 from the web interface. This also extends to the uboot upgrade; I probably reflashed it four times today, for no gain, because it was saying a date in July 2019, when the file name on GitHub suggested it was compiled in late 2020. The 2019 date was probably the last version bump upstream. Trying to figure out updating NOR was also very confusing, especially since there’s no .bin builds for the AR300M.
Best of luck with the move, hopefully I won’t require the dump before you’re ready and able to provide it. Please don’t rush on my account.

Well, I decided to take another crack at it, and I found your dump file above in post 25 (somehow I missed it the first time through); it contained an ART partition at offset 0xFF0000 through to the end. I was able to substitute in the device MAC (0x0), serial (0x20 and 0x30), DDNS token (0x10), and then restore to factory after writing the modified file to ART (using kmod-mtd-rw). And it’s all back to working order! So now there’s really no need to find the dump :stuck_out_tongue:

And about fifteen minutes after I managed this, support came through with a correct dump anyway; including the originally broken second serial number (at 0x20; I originally replaced it with the same contents that I put at 0x30, since it was the same length. It is a different serial, not noted anywhere on the case. I suspect that it is likely used internally for some services such as GoodCloud and/or DDNS; I hadn’t tested either of these.) 0x30 does contain the published serial number. I’ll be using this going forward.

2 Likes
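The hex-editor splice Johnex describes earlier in the thread and the MAC substitution in the post above, as an added Python example (not code from any poster). It assumes the layout reported in the thread: a 16 MB NOR dump with ART in the last 64 KiB at 0xFF0000 and the MAC at ART offset 0x0; the function names and sample bytes are constructed for illustration.

```python
import hashlib

NOR_SIZE = 16 * 1024 * 1024        # 16 MB NOR dump, as in the thread
ART_OFFSET = 0xFF0000              # ART start reported in the thread
ART_SIZE = NOR_SIZE - ART_OFFSET   # last 64 KiB of the chip
MAC_OFFSET = 0x0                   # MAC position inside ART, per the thread

def parse_mac(text: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return raw

def patch_field(art: bytes, offset: int, value: bytes) -> bytes:
    """Overwrite (never insert) len(value) bytes at offset inside an ART image."""
    if offset < 0 or offset + len(value) > len(art):
        raise ValueError("field does not fit inside the ART image")
    return art[:offset] + value + art[offset + len(value):]

def splice_art(dump: bytes, art: bytes) -> bytes:
    """Return a full-size image: dump with its ART region replaced by art."""
    if len(dump) != NOR_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {NOR_SIZE}")
    if len(art) != ART_SIZE:
        raise ValueError(f"ART is {len(art)} bytes, expected {ART_SIZE}")
    return dump[:ART_OFFSET] + art

def outside_art_digest(image: bytes) -> str:
    """SHA-256 of everything before ART (U-Boot, firmware, config)."""
    return hashlib.sha256(image[:ART_OFFSET]).hexdigest()

if __name__ == "__main__":
    # Constructed stand-ins: a donor dump and a blank ART, not real device data.
    donor = bytes([0x55]) * ART_OFFSET + bytes([0xFF]) * ART_SIZE
    art = patch_field(bytes(ART_SIZE), MAC_OFFSET, parse_mac("02:00:00:aa:bb:cc"))
    image = splice_art(donor, art)
    # The programmer writes from address 0, so size and layout must match the chip.
    assert len(image) == NOR_SIZE
    assert outside_art_digest(image) == outside_art_digest(donor)
    print("ART spliced at", hex(ART_OFFSET), "MAC", image[ART_OFFSET:ART_OFFSET + 6].hex(":"))
```

Comparing the digest of the region before ART against the original dump before flashing confirms that the edit overwrote bytes in place and did not shift anything.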

Excellent Drag!
Very clever of you. I didn’t recall loading it online for ease of access, but right now couldn’t ever find the dump on one of the computers.
So good you managed to recover the box!
Besides its fragility with fw flash, the ar300m is a very capable box. With NOR and NAND, it’s like having two of them in a single package.
I wish you to squeeze out all functions you want.

Hi! I’m in a similar situation; would it be possible to temporarily re-upload the same image from AR300M? Thanks!