... is coming soon. Just need to test it a little.
Meanwhile, does anyone know how the LZMA SquashFS from Broadcom routers can be mounted on an x86 machine? I tried to port the module from the Siemens GPL package, but failed. Though it may be an endianness problem...
Wednesday, April 9, 2008
Thursday, April 3, 2008
CFE Loader in full-flash
Ok, probably bad news for those who rent bcm963xx devices from their providers.
The full flash contains not just the contents of the flash update file, but also some information about how the flashing was done. This means that if a user renting the device flashes it with another firmware and then flashes it back, the provider will notice the change.
Wednesday, April 2, 2008
bcm963xx firmware dumps vs. update files
This is the next step. It's important to find out how to create an update file from a flash dump. The update files have already been explored and described.
The dumps are less explored. What I see is that, unlike in the firmware updates, the CFE boot loader comes before the flash header.
- The root-fs and the kernel image come after the header, like in the update files.
- If I move the boot loader to the place between the header and the start of the root-fs, the checksum of the root-fs & kernel is OK.
- The checksum of the header is also OK.
- The checksum of the complete image fails.
Stay tuned. ;-)
Dumping Busybox Firmware of newer bcm963xx devices
In particular, this script is for routers based on BusyBox with kernel 2.6.8.1 built with gcc 3.4.2. It's inspired by Jerome Petazzoni's SkayaWiki, which is unfortunately quite outdated.
The world has changed a lot since the 2.4.x kernels. Also, there is now much less room in RAM to play with. Jerome did the trick using a 1.5M all-in-one BusyBox binary, but nowadays I had to do the same with just 124K all in all! Nonetheless, it's obviously possible. :-D
Disclaimer: you may use these scripts ONLY to dump the firmware of your own devices, and purely for educational purposes. Also I don't provide any warranty of any kind! The script is working in my case, but may damage your router, format all your hard drives, and insult your mother-in-law.
The script was developed and tested under Linux. I haven't had a chance to run it under cygwin, but it should work. If anyone tries this I would appreciate the feedback.
Ok. Let's see how you can use it.
The current version of the script has just one dependency:
- python
inichat=[("Login name:","admin\n"),("Password:","admin\n"),("> ","sh\n")]
providing your superuser account. The login prompt may also vary: in some older firmwares it's 'Login:', in mine it's 'Login name:'.
After changing this line (and, optionally, your router's IP address), you can launch the script by typing:
python bcmfwext.py filename_to_save
The script sends 4 files to the bcm963xx device, showing the progress per file, so don't be surprised when, after something like 255/255, you see something like 1/7500.
On my system it takes approx. 7 minutes to get the dump, so be patient. But if it takes more than 30 minutes, something went wrong.
Any feedback would be appreciated in English, German or Russian.
Good luck!
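As an added illustration (this is not the original bcmfwext.py), here is how an inichat-style list of (expected prompt, reply) pairs can be driven over a socket, and why a wrong prompt string such as 'Login:' versus 'Login name:' makes the chat stall; the names run_chat and telnet_chat are mine, and the router banner in the comments is constructed.

```python
import socket

# Added example, not the original bcmfwext.py: a driver for the inichat-style
# list of (expected prompt, reply) pairs used by the script. The names
# run_chat and telnet_chat are mine; the router output mentioned below is constructed.

inichat = [("Login name:", "admin\n"), ("Password:", "admin\n"), ("> ", "sh\n")]


def run_chat(recv, send, chat, max_unmatched=64 * 1024):
    """Drive an expect/send list over any transport.

    recv() returns the next bytes from the device (b'' on EOF); send(bytes)
    writes to it. Returns the prompts matched in order and stops early when a
    prompt never shows up, e.g. an older firmware printing 'Login:' while the
    list still expects 'Login name:' (a constructed banner like
    b'BCM96348 ADSL Router\\r\\nLogin: ' then matches nothing).
    """
    matched = []
    buf = b""
    for expect, reply in chat:
        want = expect.encode("ascii")
        while want not in buf:
            if len(buf) > max_unmatched:
                return matched  # device keeps talking, but never shows this prompt
            chunk = recv()
            if not chunk:
                return matched  # EOF before the prompt appeared
            buf += chunk
        # Discard output up to and including the prompt, so a later expect
        # (e.g. "> ") cannot match stale text from the banner.
        buf = buf[buf.index(want) + len(want):]
        send(reply.encode("ascii"))
        matched.append(expect)
    return matched


def telnet_chat(host, chat=inichat, port=23, timeout=30):
    """Log in to your own router's plain-telnet shell with the chat list.

    Telnet option negotiation (IAC sequences) is not answered here; any IAC
    bytes the device sends simply sit in the buffer and do not take part in
    the substring matching.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        return run_chat(lambda: s.recv(4096), s.sendall, chat)
```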