This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Flashing Tool crashes while uploading APX.uimage via TFTP

I have an APX 320 which I've purchased off a person on eBay. The device looks new, in original packaging and in mint condition.

Unfortunately the device won't boot, so have tried to use the Sophos Flashing Tool to fix it. While the tool recognises the device, when trying to upload the firmware APX.uimage (which I copied from /content/apfw from my XG) - the application crashes during the TFTP upload. 

I have seen other, older posts of the Sophos Flashing Tool crashing :-(

Unfortunately with autoboot set to 0, I can't manually upload the firmware.

Windows Application Event Log

Application: Sophos Flashing Tool.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.FileStream.SeekCore(Int64, System.IO.SeekOrigin)
   at System.IO.FileStream.Seek(Int64, System.IO.SeekOrigin)
   at FlashingTool.TFTPServer.SendStream(System.Net.IPEndPoint, Int32)
   at FlashingTool.TFTPServer.DoAck(Byte[], System.Net.IPEndPoint)
   at FlashingTool.TFTPServer.Listener()
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Threading.ThreadHelper.ThreadStart()

Serial output

Resetting CPU ...

resetting ...
 
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00108
S - IMAGE_VARIANT_STRING=DAABANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x00000021
S - Reset status Config, 0x00000010
S - Core 0 Frequency, 0 MHz
B -       261 - PBL, Start
B -      1338 - bootable_media_detect_entry, Start
B -      1678 - bootable_media_detect_success, Start
B -      1692 - elf_loader_entry, Start
B -      5068 - auth_hash_seg_entry, Start
B -      7210 - auth_hash_seg_exit, Start
B -    578514 - elf_segs_hash_verify_entry, Start
B -    694676 - PBL, End
B -    694700 - SBL1, Start
B -    785027 - pm_device_init, Start
D -         7 - pm_device_init, Delta
B -    786552 - boot_flash_init, Start
D -     56098 - boot_flash_init, Delta
B -    846796 - boot_config_data_table_init, Start
D -      3840 - boot_config_data_table_init, Delta - (419 Bytes)
B -    854273 - clock_init, Start
D -      7564 - clock_init, Delta
B -    866012 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:6
B -    869425 - sbl1_ddr_set_params, Start
B -    874522 - cpr_init, Start
D -         2 - cpr_init, Delta
B -    878905 - Pre_DDR_clock_init, Start
D -         4 - Pre_DDR_clock_init, Delta
D -     13176 - sbl1_ddr_set_params, Delta
B -    892219 - pm_driver_init, Start
D -         3 - pm_driver_init, Delta
B -    962907 - sbl1_wait_for_ddr_training, Start
D -        27 - sbl1_wait_for_ddr_training, Delta
B -    979173 - Image Load, Start
D -    138457 - QSEE Image Loaded, Delta - (269176 Bytes)
B -   1118062 - Image Load, Start
D -      1441 - SEC Image Loaded, Delta - (2048 Bytes)
B -   1128363 - Image Load, Start
D -    220121 - APPSBL Image Loaded, Delta - (450356 Bytes)
B -   1348881 - QSEE Execution, Start
D -        60 - QSEE Execution, Delta
B -   1355105 - SBL1, End
D -    662482 - SBL1, Delta
S - Flash Throughput, 2006 KB/s  (721999 Bytes,  359828 us)
S - DDR Frequency, 672 MHz


U-Boot 2012.07 (Dec 05 2017 - 16:05:06)

smem ram ptable found: ver: 1 len: 3
DRAM:  512 MiB
machid : 0x8010006
NAND:  ONFI device found
ID = 9590dcc2
Vendor = c2
Device = dc
SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
ipq_spi: page_size: 0x100, sector_size: 0x1000, size: 0x400000
516 MiB
In:    serial
Out:   serial
Err:   serial
machid: 8010006
flash_type: 0
Configurate GPIO setting
Configurate TPM reset from low to high.
Configurate BLE reset from low to high.
Net:   
PHY ID = 0x4dd072, eth0 found AR8035 PHY
MAC0 addr:7c:5a:1c:1:42:48
eth0
Creating 1 MTD partitions on "nand0":
0x000000000000-0x000020000000 : "mtd=0"
UBI: attaching mtd2 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd2 to ubi0
UBI: MTD device name:            "mtd=0"
UBI: MTD device size:            512 MiB
UBI: number of good PEBs:        4095
UBI: number of bad PEBs:         1
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    4096
UBI: number of internal volumes: 1
UBI: number of user volumes:     3
UBI: available PEBs:             2167
UBI: total number of reserved PEBs: 1928
UBI: number of PEBs reserved for bad PEB handling: 40
UBI: max/mean erase counter: 13/1
SF: Detected GD25Q32 with page size 4 KiB, total 4 MiB
Hit any key to stop autoboot:  0 
Read 0 bytes from volume image to 88000000
No size specified -> Using max size (67170304)
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Read 0 bytes from volume image_backup to 88000000
No size specified -> Using max size (67170304)
Wrong Image Format for bootm command
ERROR: can't get kernel image!
eth0 PHY0 up Speed :100 Full duplex
Status packet sent after ARP request
Using eth0 device
TFTP from server 169.254.12.35; our IP address is 169.254.12.34
Filename 'APX.uimage'.
Load address: 0x88000000
Loading: *#################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 ###########################T T T T T T T 



Added TAGs
[edited by: Erick Jan at 4:18 AM (GMT -8) on 12 Jan 2024]
Parents
  • We are in two ! I just posted it I didn't notice your post. I hope someone will give us some hints on this.

    If anyone can give us any info on how TFTP upload works maybe I can test to create a TFTP server on my own that can serve the file correctly .  

  • 100%! I think the problem may be with the .NET Sophos Reflashing Tool and it's embedded TFTP server.

    I tried using Solarwinds TFTP server with APX.uimage in the TFTP root directory - waiting for the Sophos Reflashing Tool to crash, then enabling the Solarwinds TFTP server - hoping that the APX would retrieve the remainder of the file from here instead. This didn't work :-(

    I have been following  excellent post on how to recover an APX120 (with a bricked APX120) which I succeeded in doing (unbrick APX120, break bootdelay=0 & recover APX120 - Discussions - Sophos Firewall - Sophos Community)

    With the autoboot=0 the only option seems to be to trip the boot sequence to go into an emergency shell then follow the steps in the post. As Juergen mentions, access to the chip is harder on the APX320 as there is a metal cover over it :-(

    Many thanks to the eBay seller who refunded my purchase, but for now I have a bricked AP.

    Ultimately we need Sophos to fix the Reflashing Tool...

  • The Tool was not workig in any way for me.

    The article says ...

    "The Sophos Flashing Tool will only work if the boot loader cannot load the access point firmware image. If the firmware can be booted or the bootloader is damaged, this tool will not work."

    In all my tinkering with the APX120 and APX320 and RED-15, RED-20, RED-50, i never saw the uBoot try to load a kernel from tftp itself.

    The APX120 has no environment settings to look for any tftp server (so tool will not help).
    The APX320 has some settings, but i never saw any traces of loading from tftp.

    I had some APX120 where bootdelay was at 5 seconds , so loadingt the APX.uimage from TFTP was fine.

    The RED-15 can be flashed to OpenWRT, there is a default image availabe.

    The RED-20 used a from TFTP but it can load a kernel from TFTP or USB

    The RED-50 had a second image that i was able to load.

    If the Hardware has a good design, it should be possible to break autoboot with a hidden keystroke or some testpoint on the pcb at High or Low Level...

    Time will tell

  • could it be triggered in some way from the Sophos flashing tool app? ( the AP320 starting loading APX.uimage ) 

    There is a :

    Status packet sent after ARP request

    and after that is starting to load :


    Using eth0 device
    TFTP from server 169.254.12.35; our IP address is 169.254.12.34
    Filename 'APX.uimage'.
    Load address: 0x88000000
    Loading: *#################################################################

    In some way is loading but it hangs a few seconds after. I cannot understand if its a "fake" loading that will never work in anyway or if it's just a Sophos flashing tool bug.

  • I never had success with the Flashtool, they don´t provide the required firmware nor is the app stable.
    it crashed from time to time. 

    It was easiert to break the autoboot or flash incircuit for me.

    If i have some time i´ll try and check, if the flashtools sends any information.
    But for my understanding, the APX send´s  a magix packet to the flashtool and get´s the image.

    But some APX had a corrupted NAND and i cleared this first.
    Some older APX images provide a OpenWrt login shell without any password needed.

  • I've noticed the message "TFTP: Transfer stopped" while the TFTP transfer still looks to be happening (console output) - then a few seconds later the tool crashes, then so does the transfer.

    Looks like a bug on the Reflashing Tool - I also notice no progress in the progress bar. It's like maybe the embedded TFTP server isn't aware of the transfer progress.

Reply
  • I've noticed the message "TFTP: Transfer stopped" while the TFTP transfer still looks to be happening (console output) - then a few seconds later the tool crashes, then so does the transfer.

    Looks like a bug on the Reflashing Tool - I also notice no progress in the progress bar. It's like maybe the embedded TFTP server isn't aware of the transfer progress.

Children