Dear Crossflashers,
during my effort to analyse the new RSA signed firmware, I found a way to crossflash routers which already have an RSA signed firmware installed, without opening the devices at all. Anyone who is interested in more detailed information can get it from
https://github.com/xdarklight/mktplinkfw3/blob/master/README.md.
All that has to be done is to alter the first firmware header:
1. replace the values at the hex positions 0x34 to 0x3F of the to-be-flashed firmware with the values of a stock firmware that matches the running firmware (if the currently running firmware is a W8980 firmware use the values from a stock W8980 image, if the currently running firmware is a W8980B firmware use the values from a stock W8980B image and so on)
2. temporarily replace the md5 hash at hex position 0x40 to 0x4F with 8C EF 33 5F D5 C5 CE FA AC 9C 28 DA B2 E9 0F 42
3. calculate the md5 hash/checksum of the whole file
4. replace the temporary md5 hash at hex position 0x40 to 0x4F with the value from 3.
Now the firmware should be accepted by the router's firmware upgrade page. Don't forget to restore the factory defaults afterwards.
I've made a video for the younger ones among us:
[youtube]https://youtu.be/noEVttStvSw[/youtube]
// Edit: temporary md5 hash was wrong
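
The header checksum from steps 2 to 4, as an added example that is not part of the original post: it recomputes the MD5 the way the steps describe and checks it against the value stored at 0x40 to 0x4F. Offsets and the temporary value come from the post; the function names and the sample image are constructed for illustration.

```python
import hashlib

MD5_OFFSET = 0x40                 # header bytes 0x40..0x4F hold the MD5 (from the post)
MD5_LEN = 16
ID_FIELD = slice(0x34, 0x40)      # header bytes 0x34..0x3F, the field from step 1
# Temporary value from step 2 of the post.
TEMP_MD5 = bytes.fromhex("8CEF335FD5C5CEFAAC9C28DAB2E90F42")


def header_md5(image: bytes) -> bytes:
    """MD5 of the whole file with the checksum field set to TEMP_MD5 (steps 2-3)."""
    if len(image) < MD5_OFFSET + MD5_LEN:
        raise ValueError("image is shorter than the header fields")
    buf = bytearray(image)
    buf[MD5_OFFSET:MD5_OFFSET + MD5_LEN] = TEMP_MD5
    return hashlib.md5(buf).digest()


def stored_md5(image: bytes) -> bytes:
    """The 16 bytes currently stored in the checksum field."""
    return bytes(image[MD5_OFFSET:MD5_OFFSET + MD5_LEN])


def checksum_ok(image: bytes) -> bool:
    """True when the stored checksum matches the recomputed one."""
    return stored_md5(image) == header_md5(image)


def with_checksum(image: bytes) -> bytes:
    """Copy of the image with the checksum field filled in (step 4)."""
    buf = bytearray(image)
    buf[MD5_OFFSET:MD5_OFFSET + MD5_LEN] = header_md5(image)
    return bytes(buf)


def id_field(image: bytes) -> bytes:
    """Bytes 0x34..0x3F, for comparing two images side by side."""
    return bytes(image[ID_FIELD])


# Constructed sample image: 1 KiB of counting bytes, not a real firmware.
SAMPLE = bytes(range(256)) * 4

if __name__ == "__main__":
    fixed = with_checksum(SAMPLE)
    print("id field :", id_field(fixed).hex(" "))
    print("checksum :", stored_md5(fixed).hex(" "), "ok" if checksum_ok(fixed) else "BAD")
```

Because the temporary value is fixed and published, this field only detects accidental corruption; anyone who edits the image can recompute it.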