Announcement

**lotas** · 11-10-2022, 01:14 PM

Re: nand bad block with an RT809H, didn't boot

The algorithm must be known to the processor itself, this algorithm is used to communicate with Nand memory. If you find someone else's Dump, then the MAC and S / N will be different, but sometimes in new devices the firmware (dump) is tied to the hardware, when turned on, the processor reads from nand (Keys, a unique code) and if it does not match, the device will not turn on.

**Formaster** · 11-10-2022, 03:26 PM

Re: nand bad block with an RT809H, didn't boot

Do you think I can make a correct dump with flashcat? And write it back to the brand new nand. In lucky case is not SN/MAC stricted or boot glitch maybe jump into root.

**lotas** · 11-10-2022, 03:49 PM

Re: nand bad block with an RT809H, didn't boot

Well, if you haven't killed your native dump with the RT809 programmer, then you can try, the main thing is that the bootloader, MAC, S / N ... survive.

**Formaster** · 11-11-2022, 05:52 AM

Re: nand bad block with an RT809H, didn't boot

Think that flashcat mach1 also can't handle it. Any other recommended programmer?

Maybe you right Lotas, i found a custom parameters on Xgecu util.

If take the Xgecu t48 model which cheaper, may use the adapters from the RT809H? or also for t56...

Attached Files

**CapLeaker** · 11-11-2022, 05:53 PM

Re: nand bad block with an RT809H, didn't boot

Some adapters are not interchangeable. I’ve got the TL866 II and the RT809H. Some routers have an emergency / recovery mode. I’d play around with that. I remember years ago recovering bricked routers by uploading the firmware without an programmer, using UART and FTP instead. I never took the flash off the board ànd using a programmer as it is just too much work plus needing a dump.

**CapLeaker** · 11-11-2022, 09:04 PM

Re: nand bad block with an RT809H, didn't boot

Apparently this ftp method works for Zyxel too… it’s a different router, but the idea is the same.

Or another way to recover NBG6616:
1. Install Tftpd32
2. In the Windows network adapter, manually set the IP address as 192.168.1.33, netmask 255.255.255.0
3. Download firmware from ftp://ftp2.zyxel.com/NBG6616/firmware/
4. Copy firmware file into the tftp directory and name it "ras.bin"
5. Push HW WPS button, and then boot on NBG6616 (You will see file transfer in Tftpd32, and then release button)
6. Wait for around 3~5 minutes, after the image has been flashed all LEDs will blink fast
7. Reboot NBG6616, recovery done

**Formaster** · 11-12-2022, 04:07 AM

Re: nand bad block with an RT809H, didn't boot

Thank you CapLeaker! I already tried this method's before bricked the fw, saidly all service ports was filtered, while it was an ISP version of the router.

Now won't boot up. Thinking to make a dump from a working one official Zyxel, but the chance are big that is S/N restricted. Maybe can do it someone who are good in reverse engeneering.

**CapLeaker** · 11-12-2022, 08:02 AM

Re: nand bad block with an RT809H, didn't boot

I don't think that they are S/N restricted. Look around if there is another service port somehow on the board. If FTP doesn't work, try the UART. There's gotta be a way to recover that darn thing somehow.
I also wonder if they just had changed the FTP service port to something else.

**Formaster** · 11-12-2022, 10:56 AM

Re: nand bad block with an RT809H, didn't boot

Checked all the avaible ports with NMAP before bricked. Every service ports, ssh, telnet, ftp was firewall filtered. The problem is now via uart clear nothing life signal. Bootloader dont stay up.

I found this row in HEX: pictures below, hex and uart log

but this is maybe only for stricted gpon connection. I ordered an xgecu t48, hope doing well with my tsop48 adapter and take another zyxel router to dump correctly the nand.

Attached Files

**lotas** · 11-12-2022, 11:18 AM

Re: nand bad block with an RT809H, didn't boot

The T48 has its own adapter for Nand TSOP48.
https://aliexpress.ru/item/100500448...00029314019156

https://aliexpress.ru/item/100500459...00029782074979

**CapLeaker** · 11-12-2022, 02:45 PM

Re: nand bad block with an RT809H, didn't boot

Well, I guess that it may now be the only way to recover this thing by getting a working dump.
However there has to be a way to flash this with an empty chip somehow. Just out of curiosity, upload a high resolution picture of the board.

**CapLeaker** · 11-12-2022, 03:05 PM

Re: nand bad block with an RT809H, didn't boot

I googled for "zyxel ax7501-b0 firmware download" and short and sweet found:
There is now firmware version 5.15(ABPC.1)C0 for AX7501-BO available to download as a V5.17(ABPC.1)C0.zip file.
Sweet thing is: Unpacked, it's a .bin file 66.25MB. Since you're flashing a NAND, you need U-Boot. Looks like on your pics it didn't boot at all? If this is the case you have to restore U-Boot on the NAND.

https://support.zyxel.eu/hc/en-us/ar...ry-for-DNSpooq

first thing on the list.

**Formaster** · 11-13-2022, 04:56 AM

Re: nand bad block with an RT809H, didn't boot

Some pictures atttached. Found this firmware too and I also see that uboot is missing to boot, but no idea how can be restrored. Specially from the original dump.

Attached Files

**CapLeaker** · 11-13-2022, 02:36 PM

Re: nand bad block with an RT809H, didn't boot

Everything is done through the TTL. I am not sure if the officially firmware (66MB one) contains a full flash or not. Can’t hurt to flash it like it is and see what happens. After all you don’t know what the ISP flash contained. There should be a few ways flashing this router, via TTL and some serial terminal program (probably slow) and via FTP.
At this state I don’t think the router knows anything much as it looks to boot from something. But as long as the TTL works the router can be saved with the correct file(s) loaded up to it.

**Formaster** · 11-13-2022, 03:24 PM

Re: nand bad block with an RT809H, didn't boot

Already tested the official fw, no luck. My theory is too, if got the boot, than the device saved. Because I can't reverse engeneer this broken fw and also can't build the u-boot from zero for this Broadcom 6858 cpu, still waiting for the Xgecu programmer, than take a similar router to dump correct the nand. Hope with some luck.

**CapLeaker** · 11-14-2022, 05:38 AM

Re: nand bad block with an RT809H, didn't boot

There is a way to send uboot via serial terminal. Maybe try that.

Announcement

nand bad block with an RT809H, didn't boot

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment