Wednesday, April 9, 2008

Full flash to flashable update file converter

... is coming soon. Just need to test it a little.

Meanwhile, does anyone know how the LZMA SquashFS from Broadcom routers can be mounted on an x86 machine? I tried to port the module from the Siemens GPL package, but failed. Though it may be an endianness problem...

Thursday, April 3, 2008

CFE Loader in full-flash

Ok, probably bad news for those who rent bcm963xx devices from their providers.

The full flash contains not just the contents of the flash update file, but also some information about how the flashing was done. This means that if a user renting the device flashes it with another firmware and then flashes it back, the provider will notice the change.

Wednesday, April 2, 2008

bcm963xx firmware dumps vs. update files

This is the next step. It's important to find out how to create an update file from a flash dump. The update files have already been explored and described.

The dumps are less explored. What I see is that, unlike in the firmware updates, the CFE boot loader comes before the flash header.
  • The root-fs and the kernel image come after the header, like in the update files.
  • If I move the boot loader to the place between the header and the start of the root-fs, the checksum of the root-fs & kernel is OK.
  • The checksum of the header is also OK.
  • The checksum of the complete image fails.
What does this mean? The only option I see is that the stored boot loader is not the same as the one in the update file. Maybe it's just the addresses/offsets, which are changed during flashing. It's necessary to compare the flash dumps with the flash update files to see what is going on.

Stay tuned. ;-)

Dumping Busybox Firmware of newer bcm963xx devices

This script is specifically for routers based on BusyBox with kernel 2.6.8.1 built with gcc 3.4.2. It's inspired by Jerome Petazzoni's SkayaWiki, which is unfortunately quite outdated.

The world has changed a lot since the 2.4.x kernels. Also, there's now much less room in RAM to play with. Jerome did the trick using a 1.5M all-in-one BusyBox binary, but nowadays I had to do the same having, all in all, just 124K! Nonetheless, it's obviously possible. :-D

Disclaimer: you may use these scripts ONLY to dump the firmware of your own devices, and purely for educational purposes. Also I don't provide any warranty of any kind! The script is working in my case, but may damage your router, format all your hard drives, and insult your Mother-in-law.

The script was developed and tested under Linux. I haven't had a chance to run it under Cygwin, but it should work. If anyone tries this, I would appreciate the feedback.

Ok. Let's see how you can use it.

The current version of the script has just one dependency:
  • python
To run the script, download it here (you have to replace the underscores in the name with dots; it's a limitation of my hosting provider), unpack it, and edit the line

inichat=[("Login name:","admin\n"),("Password:","admin\n"),("> ","sh\n")]

providing your superuser credentials. The login prompt may also vary: in some older firmwares it's 'Login:', in mine it's 'Login name:'.
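As an added example (not the post's bcmfwext.py), here is how a prompt/reply list in exactly the inichat shape can be driven: each entry waits for its prompt and then sends the reply, and a prompt that never appears (for instance 'Login:' where the device says 'Login name:') ends in a timeout instead of a hang. It assumes the device speaks over a plain socket without telnet option negotiation, and it talks to a constructed in-process stand-in for the router rather than real hardware.

```python
import socket
import threading
inichat = [("Login name:", "admin\n"), ("Password:", "admin\n"), ("> ", "sh\n")]  # as in the post

def expect(sock, prompt, timeout=10.0):
    """Read until prompt shows up in the stream; return everything received so far."""
    sock.settimeout(timeout)
    want, buf = prompt.encode(), b""
    while want not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before %r" % prompt)
        buf += chunk
    return buf

def run_chat(sock, chat, timeout=10.0):
    """Walk the (prompt, reply) pairs in order; return the received transcript."""
    transcript = b""
    for prompt, reply in chat:
        transcript += expect(sock, prompt, timeout)
        sock.sendall(reply.encode())
    return transcript

def fake_router(sock, received):
    """Constructed stand-in for the device's login dialogue, so this runs offline."""
    for prompt in ("Login name:", "Password:", "> "):
        sock.sendall(prompt.encode())
        line = b""
        while not line.endswith(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:  # client gave up, e.g. its expected prompt never matched
                return
            line += chunk
        received.append(line.decode())

def demo(chat=inichat, timeout=10.0):
    """Run chat against the fake router; return (transcript, replies the router got)."""
    client, server = socket.socketpair()
    received = []
    t = threading.Thread(target=fake_router, args=(server, received))
    t.start()
    try:
        transcript = run_chat(client, chat, timeout).decode()
    except socket.timeout:  # a prompt never matched, e.g. 'Login:' vs 'Login name:'
        transcript = "timeout"
    finally:
        client.close()
        t.join()
        server.close()
    return transcript, received
```

Calling demo() walks the three prompts and returns what the stand-in router received; demo([("Login:", "admin\n")], timeout=0.5) shows the mismatched-prompt case ending in "timeout".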

After changing this line (and, optionally, your router's IP address), you can launch the script by typing:

python bcmfwext.py filename_to_save

The script sends 4 files to the bcm963xx device, showing the progress per file, so don't be surprised when, after something like 255/255, you see something like 1/7500.

On my system it takes approximately 7 minutes to get the dump, so be patient. But if it takes more than 30 minutes, something went wrong.

Any feedback would be appreciated in English, German or Russian.

Good luck!