Uboot Unlock

Tip

It is safer to use the OpenWrt/Initramfs method since there is no risk of the device rebooting on you.

OpenWrt/Initramfs method

  1. Check MTD layout:

    cat /proc/mtd

    Should show: mtd0: 02000000 00010000 "spi0.0" (32MB flash, 64KB erase block)

  2. Verify current bytes:

    dd if=/dev/mtd0 bs=1 skip=$((0x105050)) count=4 2>/dev/null | hexdump -C

    Should show: 00000000 01 00 a0 13 (unpatched)

  3. Read entire flash:

    dd if=/dev/mtd0 of=/tmp/flash.bin bs=1M

  4. Create backup:

    cp /tmp/flash.bin /tmp/flash_backup.bin

  5. Apply patch:

    printf '\x00\x00\xa0\xe3' | dd of=/tmp/flash.bin bs=1 seek=$((0x105050)) conv=notrunc 2>/dev/null

  6. Verify patch in file:

    dd if=/tmp/flash.bin bs=1 skip=$((0x105050)) count=4 2>/dev/null | hexdump -C

    Should show: 00000000 00 00 a0 e3

  7. Write to flash:

    mtd write /tmp/flash.bin /dev/mtd0

    Takes 1-2 minutes. Wait for completion.

  8. Verify patch in flash:

    dd if=/dev/mtd0 bs=1 skip=$((0x105050)) count=4 2>/dev/null | hexdump -C

    Should show: 00000000 00 00 a0 e3

  9. Reboot:

    reboot

  10. Test:

    • Watch for "Hit any key to stop autoboot:" and the 3 2 1 countdown
    • Press any key
    • You should get a U-Boot prompt

uBoot shell method

Warning

The hardware watchdog will reboot the device every 5 minutes if it isn’t pinged. Execute these commands quickly to avoid the device rebooting in the middle of the process.

  1. Read the 64KB sector containing the patch (flash offset 0x100000) into RAM:

    sf probe && sf read 0x84000000 0x100000 0x10000

  2. Patch the 4 bytes at offset 0x5050 within the sector (mw writes one 32-bit word; 0xe3a00000 stored little-endian is the same 00 00 a0 e3 byte sequence the dd methods write):

    mw 0x84005050 0xe3a00000

  3. Verify the patch in memory:

    md 0x84005050 1

  4. Erase the sector (64KB at 0x100000):

    sf erase 0x100000 0x10000

  5. Write the patched sector back:

    sf write 0x84000000 0x100000 0x10000

  6. Verify in flash:

    sf read 0x85000000 0x105050 0x4 && md 0x85000000 1

SPI dump method

If you have the firmware dump and can flash it externally:

    cp firmware_dump.bin patched_firmware_dump.bin
    printf '\x00\x00\xa0\xe3' | dd of=patched_firmware_dump.bin bs=1 seek=$((0x105050)) conv=notrunc

Verify:

    dd if=patched_firmware_dump.bin bs=1 skip=$((0x105050)) count=4 2>/dev/null | hexdump -C

    Should show: 00000000 00 00 a0 e3

Flash patched_firmware_dump.bin to the device using a JTAG/SPI programmer.
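As an added example (not code from the original page), the offline dd/printf steps used by both the OpenWrt/Initramfs method and the SPI dump method, verify, back up, patch and re-verify, folded into one POSIX shell script that refuses to patch an image whose bytes at 0x105050 are not the expected unpatched value. The helper names, the .bak suffix and the constructed sample image are this example's own; the offset and byte values are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: patch the U-Boot check at
# offset 0x105050 of a flash image, refusing to touch an image whose bytes
# there are not the expected unpatched value, and re-reading after the write.
# Helper names and the sample-image generator are this example's own.

OFFSET=$((0x105050))
OLD_BYTES="01 00 a0 13"   # unpatched: little-endian word 0x13a00001 (ARM movne r0, #1)
NEW_BYTES="00 00 a0 e3"   # patched:   little-endian word 0xe3a00000 (ARM mov r0, #0)

# Print the 4 bytes at OFFSET of an image as "xx xx xx xx" (od is POSIX,
# unlike the hexdump -C used on the page; the bytes shown are the same).
read_bytes() {
    dd if="$1" bs=1 skip="$OFFSET" count=4 2>/dev/null \
        | od -An -tx1 | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Patch an image in place. Exit status: 0 patched (or already patched),
# 1 unexpected bytes at OFFSET (wrong image or wrong offset), 2 verify failed.
patch_image() {
    img="$1"
    cur=$(read_bytes "$img")
    if [ "$cur" = "$NEW_BYTES" ]; then
        echo "$img: already patched" >&2
        return 0
    fi
    if [ "$cur" != "$OLD_BYTES" ]; then
        echo "$img: refusing to patch, found '$cur', expected '$OLD_BYTES'" >&2
        return 1
    fi
    cp "$img" "$img.bak"                      # keep an unpatched copy
    # \000\000\240\343 is the octal form of \x00\x00\xa0\xe3 (portable printf)
    printf '\000\000\240\343' | dd of="$img" bs=1 seek="$OFFSET" conv=notrunc 2>/dev/null
    [ "$(read_bytes "$img")" = "$NEW_BYTES" ] || return 2
}

# Build a constructed sample image (zero-filled, unpatched bytes at OFFSET)
# so the script can be exercised without a real dump.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=4096 count=262 2>/dev/null   # ~1MB, larger than OFFSET+4
    printf '\001\000\240\023' | dd of="$1" bs=1 seek="$OFFSET" conv=notrunc 2>/dev/null
}

# Usage: sh patch_dump.sh firmware_dump.bin
if [ $# -gt 0 ]; then
    patch_image "$1" && echo "$1 patched, backup in $1.bak"
fi
```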