Personally I would not attempt any of the below unless I had a programmer AND a working backup of my device's flash, so you've been warned.
At the very least: try to avoid writing over boot loader area so you have at least the boot loader as a last resort to restore your flash memory. If your bootloader gets corrupted you will need a programmer to unbrick your device (assuming you have a good copy of your device's flash memory).
Modify your flash.bin file as you see fit (i.e. modify a script to run something from the SD card as I did in https://github.com/guino/BazzDoorbell)
Place a copy of the modified flash.bin file into the root of a fat32 formated SD card (it does not have to be the same card used in #11, but that card should work just fine)
Download and unzip this ppsMmcTool.txt to the root of the SD card.
The file you downloaded from step 4 is configured to write THE WHOLE flash memory of the device which I don't recommend doing. Instead, I recommend you use the information from binwalk to write only the section you want of the flash, so for this purpose, let's say you only modified the cramfs (app section) of the firmware which in my firmware this is what binwalk shows:
3604480 0x370000 CramFS filesystem, little endian, size: 3805184, version 2, sorted_dirs, CRC 0x9C53DE6A, edition 1, 929 blocks, 3 files
8060940 0x7B000C JFFS2 filesystem, little endian
The above tells me 3 things: 1-The offset of the cramfs (app partition) in the flash is 0x370000, 2-The size of the current cramfs partition is 3805184 bytes (0x3A1000) and the space reserved for the cramfs partition is likely 4352kb (0x7B0000-0x370000) -- please note there's no guarantee that that's the exact amount of space reserved for the cramfs so I would highly suggest you keep your changes to a minimum and try to make the cramfs partition size as close to the original as possible. In my case this size is easily confirmed from the URL http://admin:056565099@ip/proc/cmdline which yields 4352k for the "app" partition:
With the above information at hand we should adjust the ppsMmcTool.txt file so it only writes the section we modified. Using the app partition as an example we want to adjust the line in ppsMmcTool.txt to 1: set the read address and 2: set the destination address and 3: set the size to be written, so change the part that says sf write 42000000 0 so the line whole looks like this:
PAY ATTENTION: There are 3 (three) changes made above:
42370000 = the read address 42000000 (fixed address where flash.bin is loaded) + 370000 (the offset of cramfs inside flash.bin)
370000 = the target/destination address in the flash memory (offset of changes in the flash.bin file)
3A1000 = the size of the cramfs partition to write (same as original in my case). You can usually add a few lines of text, rebuild the cramfs partition and keep its original size because of how it allocates/compresses data. Please note that IF you read the flash.bin file (#11) using a different address like 81000000 you should also use the same address in ppsMmcTool.txt (like 81370000 in this example).
TRIPLE CHECK the addresses above in the file -- if you make any mistakes chances are you may brick your device and will need a programmer to fix it (assuming you have a working flash and have what it takes to open the device and do any soldering work required). I MYSELF am familiar with this and made a mistake which bricked my device (and I had to use the programmer to restore it) so you've been warned again.
Make sure flash.bin and ppsMmcTool.txt are both in the SD card, then properly eject/unmount the SD card from the computer.
Power off the device and insert SD card.
HOLD the reset button pressed and power up the device while holding the reset button, you can let go of the reset button after 5 seconds, but let the device boot up as confirmation that the process completed. If the device does not boot within 2 minutes you should expect something went wrong and chances are you bricked it and will need a programmer to restore the flash. The whole write process takes less than 1 minute to write the whole chip (8Mb) when I tested it.
If you did everything correctly then the device should now have your modifications written to the flash, so copy whatever files/scripts you want to use (i.e. initrun.sh, custom.sh, etc) to the SD card and if everything worked as expected it should allow you to root/customize the device.
DANGER!! THIS PROCESS MAY BRICK YOUR DEVICE
Personally I would not attempt any of the below unless I had a programmer AND a working backup of my device's flash, so you've been warned.
At the very least: try to avoid writing over boot loader area so you have at least the boot loader as a last resort to restore your flash memory. If your bootloader gets corrupted you will need a programmer to unbrick your device (assuming you have a good copy of your device's flash memory).
Process
Get a copy of your flash.bin file from the device (using https://github.com/guino/BazzDoorbell/issues/11 or programmer)
Modify your flash.bin file as you see fit (i.e. modify a script to run something from the SD card as I did in https://github.com/guino/BazzDoorbell)
Place a copy of the modified flash.bin file into the root of a fat32 formated SD card (it does not have to be the same card used in #11, but that card should work just fine)
Download and unzip this ppsMmcTool.txt to the root of the SD card.
The file you downloaded from step 4 is configured to write THE WHOLE flash memory of the device which I don't recommend doing. Instead, I recommend you use the information from binwalk to write only the section you want of the flash, so for this purpose, let's say you only modified the cramfs (app section) of the firmware which in my firmware this is what binwalk shows:
The above tells me 3 things: 1-The offset of the cramfs (app partition) in the flash is 0x370000, 2-The size of the current cramfs partition is 3805184 bytes (0x3A1000) and the space reserved for the cramfs partition is likely 4352kb (0x7B0000-0x370000) -- please note there's no guarantee that that's the exact amount of space reserved for the cramfs so I would highly suggest you keep your changes to a minimum and try to make the cramfs partition size as close to the original as possible. In my case this size is easily confirmed from the URL http://admin:056565099@ip/proc/cmdline which yields 4352k for the "app" partition:
With the above information at hand we should adjust the ppsMmcTool.txt file so it only writes the section we modified. Using the app partition as an example we want to adjust the line in ppsMmcTool.txt to 1: set the read address and 2: set the destination address and 3: set the size to be written, so change the part that says
sf write 42000000 0so the line whole looks like this:PAY ATTENTION: There are 3 (three) changes made above: 42370000 = the read address 42000000 (fixed address where flash.bin is loaded) + 370000 (the offset of cramfs inside flash.bin) 370000 = the target/destination address in the flash memory (offset of changes in the flash.bin file) 3A1000 = the size of the cramfs partition to write (same as original in my case). You can usually add a few lines of text, rebuild the cramfs partition and keep its original size because of how it allocates/compresses data. Please note that IF you read the flash.bin file (#11) using a different address like 81000000 you should also use the same address in ppsMmcTool.txt (like 81370000 in this example). TRIPLE CHECK the addresses above in the file -- if you make any mistakes chances are you may brick your device and will need a programmer to fix it (assuming you have a working flash and have what it takes to open the device and do any soldering work required). I MYSELF am familiar with this and made a mistake which bricked my device (and I had to use the programmer to restore it) so you've been warned again.
Make sure flash.bin and ppsMmcTool.txt are both in the SD card, then properly eject/unmount the SD card from the computer.
Power off the device and insert SD card.
HOLD the reset button pressed and power up the device while holding the reset button, you can let go of the reset button after 5 seconds, but let the device boot up as confirmation that the process completed. If the device does not boot within 2 minutes you should expect something went wrong and chances are you bricked it and will need a programmer to restore the flash. The whole write process takes less than 1 minute to write the whole chip (8Mb) when I tested it.
If you did everything correctly then the device should now have your modifications written to the flash, so copy whatever files/scripts you want to use (i.e. initrun.sh, custom.sh, etc) to the SD card and if everything worked as expected it should allow you to root/customize the device.