Firmware Basics

Understanding firmware structure is key to unbricking and flashing.

Firmware Structure

Router firmware typically consists of the following parts.

Flash Partitions
Partition Name   Size (Typical)    Contents
u-boot           256KB-512KB       Bootloader
kernel           3MB-5MB           Linux kernel
rootfs           Remaining space   Root filesystem
nvram            64KB-128KB        Configuration storage
art              64KB              Wireless parameters

Filesystem Types
  1. SquashFS: Read-only compressed filesystem, common in OEM firmware
  2. JFFS2: Read-write, common in OpenWrt
  3. UBIFS: For large-capacity NAND Flash
  4. YAFFS2: Used in early embedded devices

Firmware Formats

Common Extensions
  1. .bin: Generic binary format
  2. .trx: Linksys/ASUS firmware format
  3. .chk: Netgear-specific format
  4. .img: Generic image format
Firmware Header

Most firmware starts with a fixed header:

00 00 00 00 4D 49 50 53  # MIPS identifier

or

FF FF FF FF              # Common in TP-Link

Boot Process

Complete Boot Sequence
  1. Power on -> CPU initialization
  2. U-Boot -> Reads environment variables
  3. Kernel load -> Reads kernel from Flash
  4. Filesystem -> Mounts root filesystem
  5. Network init -> Starts network services
  6. Web service -> HTTP service ready

U-Boot Boot Arguments

bootcmd=bootm 9f020000
bootargs=console=ttyS0,115200 root=/dev/mtdblock2

Interrupting Boot

Press a specific key during boot to interrupt the bootloader and enter one of the following modes:

  1. Enter: Enter command mode
  2. tftp: Network boot
  3. firmware: Specify firmware location

Bootloader Introduction

U-Boot

The most versatile open-source bootloader.

  1. Supports multiple CPU architectures (MIPS/ARM/x86)
  2. Supports network boot (TFTP)
  3. Boot arguments can be modified
  4. Common in some Xiaomi and Huawei models
# Set the router's own IP address and the address of the TFTP server
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
# Download the image over TFTP into RAM at 0x81000000
tftpboot 0x81000000 firmware.bin
# Erase 3MB (0x300000 bytes) of Flash starting at 0x9f000000
erase 0x9f000000 +0x300000
# Copy the image byte-wise from RAM into the erased Flash region
cp.b 0x81000000 0x9f000000 0x300000

Breed

A closed-source bootloader common in domestic routers in China.

  1. User-friendly interface (Web console)
  2. Supports multiple firmware backups
  3. Built-in TFTP recovery
  4. Common in PandoraBox and Padavan firmware

CFE

Broadcom chip-specific bootloader.

  1. Used in some Netgear and ASUS models
  2. Serial console operation
  3. Supports NFS network boot

OEM Boot

  1. Simple functionality
  2. Can only flash official firmware
  3. Some can be unlocked for third-party firmware

Firmware Modification

Extracting Firmware

# Use binwalk to carve out and extract the embedded kernel and filesystem
binwalk -e firmware.bin

# Or unpack manually (some OpenWrt sysupgrade images are plain tar archives)
tar -xvf openwrt.bin
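As an added example (not code from the original page), the following Python script does in miniature what the header section and the binwalk step above describe: it classifies an image by its fixed header, verifies the CRC32 of a TRX (Linksys/ASUS) header before anything would be flashed, and locates an embedded SquashFS root filesystem by its superblock magic. The TRX layout assumed here (HDR0 magic, length, CRC32, flag/version, three partition offsets; CRC computed from offset 12 to the length field with initial value 0xFFFFFFFF and no final XOR) is the standard one; the sample image is constructed inline and is not real firmware.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"       # TRX header magic (Linksys/ASUS .trx images)
SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS superblock magic
TRX_HEADER_LEN = 28

def trx_crc32(data: bytes) -> int:
    """TRX CRC32: init 0xFFFFFFFF, no final XOR, i.e. the complement of zlib's."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF

def parse_trx(image: bytes) -> dict:
    """Parse the TRX header and check its CRC, which covers offset 12 .. length."""
    if len(image) < TRX_HEADER_LEN:
        raise ValueError("image too short for a TRX header")
    magic, length, crc, flag_ver, o1, o2, o3 = struct.unpack_from("<4sIIIIII", image)
    if magic != TRX_MAGIC:
        raise ValueError("not a TRX image")
    if not TRX_HEADER_LEN <= length <= len(image):
        raise ValueError("TRX length field out of range")
    return {
        "length": length,
        "version": flag_ver >> 16,
        "offsets": [o for o in (o1, o2, o3) if o],     # kernel/rootfs/... partitions
        "crc_ok": trx_crc32(image[12:length]) == crc,  # reject corrupt/truncated images
    }

def identify(image: bytes) -> dict:
    """Classify an image by its fixed header and locate an embedded SquashFS rootfs."""
    info = {"format": "unknown", "rootfs_offset": None}
    if image.startswith(b"\x00\x00\x00\x00MIPS"):     # 00 00 00 00 4D 49 50 53
        info["format"] = "mips-header"
    elif image.startswith(TRX_MAGIC):
        info["format"] = "trx"
        info["trx"] = parse_trx(image)
    elif image.startswith(b"\xff\xff\xff\xff"):        # TP-Link style header
        info["format"] = "tplink-style"
    pos = image.find(SQUASHFS_MAGIC)                   # same signature binwalk scans for
    if pos != -1:
        info["rootfs_offset"] = pos
    return info

def build_sample_trx() -> bytes:
    """Construct a tiny synthetic TRX image (constructed sample, not real firmware)."""
    kernel = b"\x00" * 16                    # stand-in for the kernel partition
    rootfs = SQUASHFS_MAGIC + b"\x00" * 12   # stand-in SquashFS superblock
    body = kernel + rootfs
    tail = struct.pack("<IIII", 1 << 16, TRX_HEADER_LEN, TRX_HEADER_LEN + len(kernel), 0) + body
    header = struct.pack("<4sII", TRX_MAGIC, TRX_HEADER_LEN + len(body), trx_crc32(tail))
    return header + tail

if __name__ == "__main__":
    print(identify(build_sample_trx()))
```

Run it on a real image with `identify(open("firmware.bin", "rb").read())`; a `crc_ok` of False means the file is corrupt or truncated and must not be written to Flash.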

Modification Tools

  1. firmware-mod-kit: Firmware modification toolkit
  2. binwalk: Firmware analysis tool
  3. squashfs-tools: SquashFS filesystem tools

Flashing Firmware

  1. Upload via Web interface
  2. Flash via TFTP
  3. Via U-Boot command line
  4. Direct Flash write via TTL Serial

Security Checks

Firmware Signing

Modern routers have firmware signature verification:

  1. Secure Boot: Only allows official firmware
  2. Bootloader lock: Flash write disabled
  3. Flash lock: Read protection enabled

Bypass Methods

  1. Direct Flash write via TTL Serial
  2. Short specific pins on the Flash chip
  3. Exploit downgrade vulnerability to lower version

⚠️ Technical Disclaimer

This tutorial is for learning and reference only. Flashing firmware carries risks and may cause bricked devices or void warranty. Before proceeding:

Last updated: April 2026