Fixing a badly-flashed Netgear GSS116E
Welcome to the debut entry on “Dave's Stuff That Needs To Go Somewhere”, the place for me to write things that are possibly actually useful to people and so should exist somewhere other than just on my Mastodon account or similar.
The problem
Anyway, on to the subject of this post: the Netgear GSS116E switch. This is a 16-port managed gigabit switch. I was having some issues with mine, so I did a firmware update on it, and that entirely fixed those issues by making it inoperable.
Opening the switch up and getting at the flash module inside isn't too difficult – there's a whole load of little screws on the back to remove first, then there are a few on the inside that need to be removed to get the main switch PCB out. If I had this blog when I was doing it, I would've documented it better.
The flash module is an MX25L3206E in an SOP-8 package, located near some pin headers. I desoldered it and read it in a TL866II programmer. Running strings on the image seemed to show why it wasn't particularly happy:
Content-Disposition: form-data; name="fileField"; filename="GSS116E_LOADER_V1.0.0.5.bin"
Content-Type: application/octet-stream
I'm going to assume that the existing firmware didn't strip the HTTP multipart headers from the upload before writing it to flash.
Anyway, I tried various different attempts to fix this in varying ways, none of which actually worked, then I put it away for a year.
The fix
Eventually I found another used GSS116E going for relatively cheap on eBay. Pulling the flash chip off this one gave me a good dump to compare with. Unsurprisingly it didn't have HTTP headers sitting at the top, but my initial attempts to understand what it was doing didn't work out, and so I gave up for a little while.
When I got the drive to look at it again, I realised that the beginning of the good flash image contained the string 10050, which I knew was a version number. I then realised it was the version number of the loader, which is what you're meant to flash first when upgrading from an older firmware release. A bit more searching showed that the firmware image proper starts at 0x50000 in the image. Sure enough, taking the loader firmware, appending the latest firmware release at 0x50000, flashing that, and doing a factory reset for good measure ended up with a happy switch! Equivalent commands to replicate this from scratch would be something like:
# start from the loader image, which occupies the start of flash
cp GSS116E_LOADER_V1.0.0.5.bin newfirmware.img
# write the firmware at 0x50000: dd uses 512-byte blocks by default, and 640 * 512 = 0x50000
dd if=GSS116E_V1.6.1.7.bin of=newfirmware.img seek=640
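As an added example (not code from the original post, and not Netgear's), here is a small Python script that rebuilds the image the same way the cp/dd commands above do, refuses inputs that still carry the multipart headers strings turned up in the bad dump, and pads the result with 0xFF to the 4 MiB of the MX25L3206E (an assumption taken from the part number, which denotes a 32 Mbit chip). The sample bytes inside it are constructed for illustration, not real firmware, and the file names in the usage line are placeholders.

```python
"""Rebuild a GSS116E flash image: loader at 0, firmware at 0x50000.

Added example, not code from the original post or from Netgear. The layout
(loader at offset 0, firmware at 0x50000) is taken from the post; the 4 MiB
chip size is assumed from the MX25L3206E part number (32 Mbit). The sample
bytes below are constructed for illustration and are not real firmware.
"""
import sys

FIRMWARE_OFFSET = 0x50000             # firmware proper starts here (from the post)
CHIP_SIZE = 32 * 1024 * 1024 // 8     # MX25L3206E is 32 Mbit = 4 MiB (assumption)
ERASED = 0xFF                         # erased NOR flash reads back as 0xFF

# Header fragments that `strings` showed at the top of the bad dump.
MULTIPART_MARKERS = (
    b"Content-Disposition: form-data",
    b"Content-Type: application/octet-stream",
)

# Constructed samples (not real firmware): a toy loader that begins with the
# "10050" version string the good dump starts with, a toy firmware blob, and a
# bad dump with multipart headers in front of the loader, as on the dead switch.
SAMPLE_LOADER = b"10050" + bytes(range(1, 28))
SAMPLE_FIRMWARE = b"toy firmware payload bytes"
SAMPLE_BAD_DUMP = (
    b'Content-Disposition: form-data; name="fileField"; '
    b'filename="GSS116E_LOADER_V1.0.0.5.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n" + SAMPLE_LOADER
)


def has_multipart_headers(image: bytes, window: int = 4096) -> bool:
    """True if the first `window` bytes look like an unstripped HTTP upload."""
    head = image[:window]
    return any(marker in head for marker in MULTIPART_MARKERS)


def strip_multipart_headers(blob: bytes) -> bytes:
    """Return the bytes after the blank line that ends the multipart headers.

    Assumption: the uploaded file follows the first CRLF CRLF. A trailing
    multipart boundary, if the web UI wrote one, is not removed here.
    """
    end = blob.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no multipart header terminator found")
    return blob[end + 4:]


def build_image(loader: bytes, firmware: bytes, chip_size: int = CHIP_SIZE) -> bytes:
    """Lay out loader at 0 and firmware at FIRMWARE_OFFSET, 0xFF elsewhere.

    Equivalent to `cp loader img; dd if=firmware of=img seek=640` (640 blocks
    of 512 bytes = 0x50000), plus padding to the full chip and sanity checks.
    """
    for name, blob in (("loader", loader), ("firmware", firmware)):
        if has_multipart_headers(blob):
            raise ValueError(f"{name} still carries HTTP multipart headers")
    if len(loader) > FIRMWARE_OFFSET:
        raise ValueError("loader would overlap the firmware region")
    if FIRMWARE_OFFSET + len(firmware) > chip_size:
        raise ValueError("firmware does not fit in the flash")
    image = bytearray([ERASED]) * chip_size
    image[:len(loader)] = loader
    image[FIRMWARE_OFFSET:FIRMWARE_OFFSET + len(firmware)] = firmware
    return bytes(image)


def main(argv):
    # Usage: python3 build_image.py LOADER.bin FIRMWARE.bin OUT.img (names are placeholders)
    if len(argv) != 4:
        print(f"usage: {argv[0]} LOADER.bin FIRMWARE.bin OUT.img", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        loader = f.read()
    with open(argv[2], "rb") as f:
        firmware = f.read()
    image = build_image(loader, firmware)
    with open(argv[3], "wb") as f:
        f.write(image)
    print(f"wrote {len(image)} bytes: loader {len(loader)} B at 0x0, "
          f"firmware {len(firmware)} B at {FIRMWARE_OFFSET:#x}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The header check is the part worth keeping around: it is exactly the symptom the dead switch showed, and running it over a fresh dump before and after flashing is a cheap way to confirm the image on the chip is the one you meant to write.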
Anyway, now I have two working GSS116E switches I'm not using instead of just one!
Footnote
Added note: I'm sure I found something about reverse engineering the firmware of the GSS108E, which I now... can't find, but that switch seems to use a completely different architecture, so none of this is likely to be relevant to it.