Can't get Kernel Image

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2022-10-09 11:28:04
Hardware Version: V3
Firmware Version: ?

Hello everyone.
I have a problem and I hope someone can help me.
A few years ago (2018/19) I bought a TP-Link Switch T1600G-28PS v.3.
At that time I unpacked the switch, did a few tests with the config, was satisfied,
packed it back in the original packaging and stored it.


Now I wanted to install and use the switch productively in my home for the first time, and unfortunately found that the switch no longer works.
When I switch it on, only the PWR LED lights up, otherwise nothing happens except that the fans are running. (No Sys LED or anything else).


What I've done so far:
I opened the case, checked the individual operating voltages at the test points on the mainboard, everything was OK.
With the oscilloscope I could see the data on the flash chip that goes in both directions during boot (DI/DO on the SPI interface), which tells me that the switch is not completely dead.
I looked for the pins for the UART interface in the data sheet of the RTL8382, found a header for it on the mainboard, soldered a USB<->UART converter to it, and looked at the terminal output:
The switch boots into the TP-Link Boot Util v1.0.0 and then tries to start the operating system automatically. This fails with the message "Could not get Kernal Image" and you end up in the main menu of Boot-Util 1.0.0.

I've seen this in some forum articles, but people always seem to end up with an RMA, which is not an option for me as I have no warranty and the switch is EoL. (But factory new, ARRRRGH!)

Unfortunately, this main menu does not offer the option of performing a firmware upgrade. It only offers the reset function, which unfortunately didn't bring any improvement, and the "select another image" function, which didn't bring any improvement either.
I unsoldered the Winbond 25Q256JV flash chip (32MB NOR flash) and connected it to the SPI of a Raspberry Pi, then made a backup of the entire flash using flashrom.
Then I ran binwalk over the dump and was able to get a rough picture of the structure.

I assume my bootloader is OK, since I think this "Boot-Util 1.0.0" is the bootloader, right?
I downloaded a current firmware.bin from the TP-Link site, successfully decrypted it with the help of OpenSSL and the known DES key, then ran binwalk on it. In this 512-byte header I can see the target addresses of the flash memory.
With this knowledge, I looked in the flashrom dump file for the two memory areas in which the 2 images lie. They are byte identical.

I don't think so, but I'm not sure if I did a firmware update before packing it a few years ago. As I know myself, I would have checked afterwards whether it had worked.
And if I had done that, the two images in the memory areas of the flash would now be different, right?

I looked for the GPL files at TP-Link in order to compile an advanced bootloader, as described in the post "Support for RTL838x based managed switches - #73 by anon13997276". Unfortunately I can only find GPL files for V.1 and V.2 there, and I have v.3.
Nevertheless, I tried to compile V.2, but I failed due to some dependencies or toolchain errors.

 

Main question: am I on the right track if I try to place a new image directly in Flash using the hex editor?
Or could the error lie somewhere else, e.g. defective RAM, which is defective at a certain address and only causes problems when the kernel image is loaded, but not when Boot-Util-1.0.0 is loaded?

Side questions: How can I merge a decrypted new image from TP-Link into flash memory? The complete bin file to a specific address? Encrypted or decrypted? With or without the 512-byte header? Only kernels? Do I also have to observe the CRC in the flash chip, or is that just an issue in the TP-Link bin file?

I am very grateful for any help.
