I got a half bricked Drobo B810i NAS here to fix failed firmware update (
https://files.drobo.com/webrelease/b810i/B810i_Firmware_2-0-1.zip). Need some help from either U-Boot or openocd heros. Drobo users are welcome. I never had a Drobo in my hands before. I was able to rescue some other devices by just flashing the firmware on eprom via programmer or by using jtag interface. But this Drobo NAS is hard to fix.
Best solution i guess would be a flash memory dump from a working device. If you can provide one, please contact me.
Device behavior:
I can't find the device via Drobo GUI (
https://files.drobo.com/webrelease/dashboard/drobodashboardinstaller_3.5.0.exe). Nmap doesn't show any open port. The only info i have is, it failed to start after firmware update.
The device turns on, gets an ip via dhcp but no interaction via network possible from outside.
I opened the device to find two suspicious looking pin headers and 2x10 pin holes. The pin headers are UART serial ports. Both are active at 115200 8N1. To my surprise, one starts a Marvell U-Boot process which loads VxWorks. It stops at some point and the other UART port gets active, showing a linux boot process with a root shell at the end. There are two eprom IC's. I desoldered both and dumped the content.
Both boot logs are attached. The CPU is a Marvell Armada XP Sheeva SoC:
Marvell PJ4B (584) v7 (Rev 2) LE (cat /proc/cpuinfo tells PJ4Bv7 rev 2 (v71)),
Description: SOC ARMADA XP ARM7 732-Pin FCBGA, (Sheeva)
MV78-BJR2
P35V110.1
1528 B0E
MV78460-B0 C120
SoC MV88F7846 Rev 8 / 562f5842
Board DB-78460-BP rev 2.0
Drobo version kyten-uboot-2.33
On the VxWorks UART port i dont have a shell, but i can stop the boot process to enter the u-boot shell with very limited commands. It's not the u-boot main line shell. A log with available commands and a printenv is attached. No ethernet port is available in u-boot. I found some files using fatls and dumped the files:
Marvell>> fatls usb 0:1
17734472 vxworks
3168928 lximage
crashlogs/
224 nocrashmsg
0 hiblog
512 hibhdr
48 amitlog
4 bootcount
1024004 eventlog
556 hdr_prev
256 rebootreason
7698058 vxi2.bin
801272 ubhw.bin
556 ubhw.hdr
556 hdr
556 lxhdr
556 vxi2.hdr
17734472 vxworks_prev
3684024 lximage_prev
556 lxhdr_prev
11319620 rtpi.bin
556 rtpi.hdr
31457280 lxfs.bin
556 lxfs.hdr
To dump files on u-boot i used (for example):
fatload usb 0:1 20000000 vxworks_prev
md.b 20000000 <size of content in bytes>
On the linux UART port, i can start telnetd and dropbear. But can't login as root. I don't know what secrets are waiting here. Maybe i can rescue the system from here?
The 2x10 pin holes looked like an arm default connector. I added pin headers and hooked my j-link on it with no luck on either jlink or openocd.
I figured out the needed config files for my olimex tiny-h and openocd. The default config let me halt the system but i couldn't reset the cpu.
The config files are attached. Rename it from .txt to cfg if you want to use it.
openocd -d1 -f interface//olimex-arm-usb-tiny-h.cfg -f target/armada370.cfg
After figuring out to circumvent the reset problem, i had to learn, that my dumped files had wrong byte order. I first converted the dump using xxd. But it's easier to use "-endian little" in the target config file to fix this.
I read the ARMADA-XP-Functional-SpecDatasheet (
https://datasheet.datasheetarchive.com/originals/crawler/marvell.com/002fa441a27967d992f905776d519926.pdf) and found
Table 11: MMU Virtual-to-Physical Address Translation Table
Device Physical Address Virtual Address Size Caching
SDRAM 0x0 0x0 1 GB Non-Cachable
L2-SRAM 0x40000000 0x40000000 1 MB Cachable
PCI-Express 0x80000000 0x80000000 640 MB Non-Cachable
CESA SRAM 0xC8000000 0xC8000000 1 MB Non-Cachable
Internal Register 0xD0000000 0xD0000000 1 MB Non-Cachable
NOR Flash 0xD8000000 0xD8000000 128 MM Non-Cachable
SPI Flash 0xD4000000 0xD4000000 64 MB Cachable
Device Bus 0xD3800000 0xD3800000 711 MB Non-Cachable
BootROM 0xFFF00000 0xFFF00000 1 MB Cachable
I dumped the spi flash again, this time via jtag to compare the content:
init
reset halt
dump_image B810i-8MB-spi-rom.bin 0xD4000000 0x800000
Since i'm not a programmer or IT specialist in general, working with address and size values is hard to me.
I just used python to calculate the values by just enter it in the python prompt. The MX25L6406E is a 64Mbit SPI flash, providing 8 MB of memory. 8 MB x 2^20 = 8388608 byte decimal. The get the hex value i enter in python prompt:
>>> hex(8388608)
And get 0x800000 as result ( I learned, to get the decimal size from a hex value, just use 0x800000 in python. Be aware this works for the size, you have to subtract -1 from this value when you calculate address space because counting starts at 0. 8388608-1 = 8388607 will give you 0x7fffff as end-address).
To better compare the dump i grabbed via jtag, i used hexdump -v for both files, the jtag dump and the programmer dump of the SPI flash and compared them using diff.
I did the same with the 128 MB NOR-flash. Sadly i couldn't find it's content in the firmware file. The firmware-file has .tdf file extension.
Binwalk show me some complex content:
binwalk release.B810i.2-0-1.tdf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
556 0x22C ELF, 32-bit LSB executable, ARM, version 1 (ARM)
2537455 0x26B7EF mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
3119831 0x2F9AD7 Neighborly text, "NeighborCacheToLivenet.inet.IcmpRatelimitBucketsize"
3129084 0x2FBEFC Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/config/comps/src/usrMmuInit.c
3201803 0x30DB0B Copyright string: "Copyright 1995-2005 Jean-loup Gailly "
3209995 0x30FB0B uuencoded data, file name: "%s", file permissions: "644"
3243227 0x317CDB Neighborly text, "NeighborCacheToLives does not appear to be attached"
3310242 0x3282A2 LZMA compressed data, properties: 0x64, dictionary size: -2147483648 bytes, uncompressed size: 191 bytes
3377101 0x3387CD Copyright string: "Copyright Wind River Systems, Inc., 1984-2012"
3453504 0x34B240 VxWorks WIND kernel version "2.13"
3756176 0x395090 StuffIt Deluxe (data): TDList
3756659 0x395273 StuffIt Deluxe (data): TDs
3756766 0x3952DE StuffIt Deluxe (data): TD
3756919 0x395377 StuffIt Deluxe (data): TDs
3757433 0x395579 StuffIt Deluxe (data): TD
3757537 0x3955E1 StuffIt Deluxe (data): TDData
3887780 0x3B52A4 Intel x86 or x64 microcode, sig 0x013b3d9c, pf_mask 0x1361b7f, 1B79-01-36, rev 0x0001, size 3
5212665 0x4F89F9 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/config/comps/src/dataSegPad.c
5436987 0x52F63B PARity archive data - file number 29540
5759546 0x57E23A Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/config/comps/src/version.c
5875588 0x59A784 PARity archive data - file number 24943
6590393 0x648FB9 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types
6593974 0x649DB6 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types
6594607 0x64A02F Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h
6604113 0x64C551 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/base
6604527 0x64C6EF Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/base
6606244 0x64CDA4 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/private
6609213 0x64D93D Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/config/comps/src
6612136 0x64E4A8 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6614894 0x64EF6E Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6617233 0x64F891 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6619091 0x64FFD3 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/stdio.h
6619590 0x6501C6 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6620819 0x650693 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6621968 0x650B10 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/shellInterpCmdLib.h
6622200 0x650BF8 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/sysLib.h
6622371 0x650CA3 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6624233 0x6513E9 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6626207 0x651B9F Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6627736 0x652198 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6628927 0x65263F Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/ctype.h
6629111 0x6526F7 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6634433 0x653BC1 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6637208 0x654698 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6638776 0x654CB8 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6639712 0x655060 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6641724 0x65583C Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6643254 0x655E36 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6645267 0x656613 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6646950 0x656CA6 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6648413 0x65725D Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWind.h
6649544 0x6576C8 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6652174 0x65810E Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6654945 0x658BE1 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6658657 0x659A61 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6660516 0x65A1A4 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6663594 0x65ADAA Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6665437 0x65B4DD Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6666841 0x65BA59 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6669902 0x65C64E Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6671719 0x65CD67 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6677727 0x65E4DF Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6680176 0x65EE70 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6682160 0x65F630 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6684011 0x65FD6B Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6686322 0x660672 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6688411 0x660E9B Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6689449 0x6612A9 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6691360 0x661A20 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
6692850 0x661FF2 Unix path: /home/buildtest/WindRiver_Vx6.8.3/vxworks-6.8/target/h/types/vxWindCommon.h
7099515 0x6C547B Intel x86 or x64 microcode, sig 0x171f8000, pf_mask 0xe00, 1C00-01-05, rev 0x1000000, size 1
7105579 0x6C6C2B Intel x86 or x64 microcode, pf_mask 0x11ff, 1F00-01-12, rev 0x1000000, size 1
7105947 0x6C6D9B Intel x86 or x64 microcode, sig 0x1850e000, pf_mask 0x1133200, 1B00-01-13, rev 0x1000000, size 112641
7113627 0x6C8B9B Intel x86 or x64 microcode, pf_mask 0x11ff, 1C00-01-21, rev 0x1000000, size 1
7114059 0x6C8D4B Intel x86 or x64 microcode, pf_mask 0x11ff, 1A00-01-22, rev 0x1000000, size 1
7114475 0x6C8EEB Intel x86 or x64 microcode, pf_mask 0x11ff, 1C00-01-23, rev 0x1000000, size 1
7115579 0x6C933B Intel x86 or x64 microcode, pf_mask 0x11ff, 1900-01-25, rev 0x1000000, size 1
7116683 0x6C978B Intel x86 or x64 microcode, sig 0x1a59c800, pf_mask 0x1283200, 2000-01-28, rev 0x1000000, size 175105
7231995 0x6E59FB Intel x86 or x64 microcode, sig 0x270cf000, pf_mask 0x2042900, 1C00-02-04, rev 0x1001200, size 69633
7234923 0x6E656B Intel x86 or x64 microcode, sig 0x0b197800, pf_mask 0x2112f00, 1A00-02-11, rev 0x1001200, size 1025
7481721 0x722979 StuffIt Deluxe (data): TD
7481737 0x722989 StuffIt Deluxe (data): TD
7481777 0x7229B1 StuffIt Deluxe (data): TD
7481829 0x7229E5 StuffIt Deluxe (data): TD
7520182 0x72BFB6 StuffIt Deluxe (data): TD
7548080 0x732CB0 StuffIt Deluxe (data): TD
7586280 0x73C1E8 StuffIt Deluxe (data): TDList
7598715 0x73F27B StuffIt Deluxe (data): TDData
7672522 0x7512CA StuffIt Deluxe (data): TDs
7693403 0x75645B StuffIt Deluxe (data): TDs
7698614 0x7578B6 ELF, 32-bit LSB executable, ARM, version 1 (ARM)
13807918 0xD2B12E Ubiquiti firmware additional data, name: UTED, size: 1634159721 bytes, size2: 1937001583 bytes, CRC32: 0
14211981 0xD8DB8D Copyright string: "Copyright 1995-2005 Jean-loup Gailly "
14218058 0xD8F34A CRC32 polynomial table, little endian
14222154 0xD9034A CRC32 polynomial table, big endian
14228929 0xD91DC1 Copyright string: "Copyright 1995-2005 Mark Adler "
14785144 0xE19A78 Intel x86 or x64 microcode, sig 0x7c6c0000, pf_mask 0x904802c0, 1901-04-28, rev 0x-10000, size 4
15035498 0xE56C6A Copyright string: "Copyright (c) 1992-2002 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED."
15037214 0xE5731E Copyright string: "Copyright (c) 1992-2002 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED."
18825010 0x11F3F32 Private key in DER format (PKCS header length: 4, sequence length: 25856
19018234 0x12231FA uImage header, header size: 64 bytes, header CRC: 0xE53864B7, created: 2020-09-09 12:29:44, image size: 3168864 bytes, Data Address: 0x20008000, Entry Point: 0x20008000, data CRC: 0xE3EC93A1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.2.96-3"
19018298 0x122323A Linux kernel ARM boot executable zImage (little-endian)
19036286 0x122787E gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
22187162 0x1528C9A JFFS2 filesystem, little endian
My intention at the beginning was, just flash the firmware file. But it seems some magic is needed.
@tv84
@DavidAlfa
Any hint how to move forward?
Any help is welcome.