A bit more info on the HG612, if anyone is still interested...
Below are excerpts from a hex dump of the HG612 flash memory. Full binary dumps are at the links below. The dump shows the beginning of the CFE bootloader image, the 256-byte bc310+ firmware 'tag' header in the Huawei, and, identifiable by its magic number ('qshs'), the beginning of the big-endian squashfs root file system on the router:
CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
Build Date: Mon Mar 2 15:45:35 CST 2009 ([email protected])
Copyright (C) 2000-2008 Broadcom Corporation.
Parallel flash device: name MX29LV640BT, id 0x22c9, size 8192KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 33554432 bytes (32MB)
Boot Address 0xb8000000
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-4) : 96368MVWG
Number of MAC Addresses (1-32) : 11
Base MAC Address : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes : 64
Main Thread Number [0|1] : 0
*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 2
CFE> web info: Waiting for connection on socket 0.
CFE>
CFE> help
Available commands:
sm Set memory or registers.
dm Dump memory or registers.
w Write the whole image start from beginning of the flash
e Erase [n]vram or [a]ll flash except bootrom
r Run program from flash image or from host depend on [f/h] flag
p Print boot line and board parameter info
c Change booline parameters
f Write image to the flash
i Erase persistent storage data
b Change board parameters
reset Reset the board
flashimage Flashes a compressed image after the bootloader.
help Obtain help for CFE commands
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> dm b8000000 8388608
b8000000: 10 00 02 7a 00 00 00 00 00 00 00 00 00 00 00 00 ...z............
b8000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b8000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<...>
b8000560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b8000570: 63 66 65 2d 76 01 00 25 66 06 00 00 00 00 00 00 cfe-v..%f.......
b8000580: 00 00 00 05 65 3d 31 39 32 2e 31 36 38 2e 31 2e ....e=192.168.1.
b8000590: 31 3a 66 66 66 66 66 66 30 30 20 68 3d 31 39 32 1:ffffff00 h=192
b80005a0: 2e 31 36 38 2e 31 2e 31 30 30 20 67 3d 20 72 3d .168.1.100 g= r=
b80005b0: 66 20 66 3d 76 6d 6c 69 6e 75 78 20 69 3d 62 63 f f=vmlinux i=bc
b80005c0: 6d 39 36 33 78 78 5f 66 73 5f 6b 65 72 6e 65 6c m963xx_fs_kernel
b80005d0: 20 64 3d 33 20 70 3d 30 20 00 00 00 00 00 00 00  d=3 p=0 .......
b80005e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b80005f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<....>
b8010000: 37 00 00 00 42 72 6f 61 64 63 6f 6d 20 43 6f 72 7...Broadcom Cor
b8010010: 70 6f 72 61 74 69 6f 00 76 65 72 2e 20 32 2e 30 poratio.ver. 2.0
b8010020: 00 00 00 00 00 00 36 33 36 38 00 00 39 36 33 36 ......6368..9636
b8010030: 38 4d 56 57 47 00 00 00 00 00 00 00 31 00 33 35 8MVWG.......1.35
b8010040: 33 31 33 34 35 00 00 00 33 32 31 37 30 33 31 31 31345...32170311
b8010050: 36 38 00 00 35 38 32 30 30 00 00 00 00 00 33 32 68..58200.....32
b8010060: 31 37 30 39 36 39 36 30 00 00 32 36 37 38 37 38 17096960..267878
b8010070: 34 00 00 00 33 32 31 39 37 37 35 37 34 34 00 00 4...3219775744..
b8010080: 37 39 34 33 36 31 00 00 00 00 00 00 00 00 45 63 794361........Ec
b8010090: 68 6f 4c 69 66 65 5f 00 00 00 00 00 00 00 00 00 hoLife_.........
b80100a0: 00 00 56 31 30 30 52 30 30 31 43 30 31 42 30 32 ..V100R001C01B02
b80100b0: 37 53 50 30 35 00 00 00 00 00 00 00 00 00 00 00 7SP05...........
b80100c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b80100d0: 00 00 00 00 00 00 00 00 dc 44 9c 8e d6 34 da d6 .........D...4..
b80100e0: bf 02 72 a9 00 00 00 00 00 00 00 00 46 5f e8 7c ..r.........F_.|
b80100f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b8010100: 71 73 68 73 00 00 01 4f 00 66 ff d4 b7 ff f6 d4 qshs...O.f......
b8010110: 00 aa 95 3e bf e4 c9 48 00 66 28 22 00 03 00 00 ...>...H.f("....
b8010120: c9 04 00 10 c0 01 00 4b 45 46 13 00 00 00 00 08 .......KEF......
b8010130: c2 05 b4 00 01 00 00 00 00 00 1e ff f7 b8 00 00 ................
What is interesting in those hex dumps is that the CFE in the Huawei (and probably in the closely related BCM6368-based Alcatel V1000H as well) supports multiple firmware images in the same flash.
This means that when the firmware is updated, presumably via tftpd, the old firmware image is backed up by moving it to a higher area of flash memory.
In theory, the multi-image CFE should allow experimental kernels to be flashed without risk of bricking the device. If there are any serious problems, the original firmware image can always be rolled back by changing the bootloader pointers (in the 256-byte 'tag' header).
In France, there is a very successful open-source project called OpenBox that targets a Broadcom 6348-based modem/router called the NeufBox. The developers have built a toolset for hacking the device, and they have a working x86 build of unsquashfs. Their version of that tool is compatible with the (obsolete) version of mksquashfs that was used to create the rootfs in the Broadcom firmware images: it is unsquashfs 3.2r2 with an early patch for LZMA compression. [1]
The squashfs tools shipped with modern x86 Linux distros are not backward compatible with the (big-endian) squashfs used in these BCM6368 devices.
Other tools in the OpenBox project do the donkey work of splitting the firmware image into its individual components (i.e. the cfe, the hdr (tag header), the rootfs and the kernel). After a small amount of patching, those tools also work for the BCM6368 firmware images.
With a functional unsquashfs tool, the rootfs can be extracted, modified and rebuilt with mksquashfs. The original kernel image can be extracted as a hex dump from the CFE shell and reused.
By combining a new rootfs image with the original kernel, a firmware image can be built with correct CRCs using bcmImageBuilder from Broadcom's hostTools suite. That's what I've done with the Huawei. [2]
After a good poke around in the source code of busybox in the GPL tarball from the Alcatel GPL code, I discovered that all the code is there to flash a new firmware image by uploading it via the tftpd daemon. [3][4]
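Before flashing anything, it is worth reading the tag header back and checking it the way the bootloader will. The Python below is an added example, not code from this post, from OpenBox or from Broadcom's hostTools: it takes the tag bytes transcribed from the rows at 0xb8010000 above, decodes them with the FILE_TAG field widths from Broadcom's bcmTag.h, confirms that the section pointers agree with each other and that a squashfs magic really sits where rootfsAddress says the rootfs starts, and recomputes the tag CRC the way I recall bcmImageBuilder doing it (CRC-32, initial value 0xffffffff, no final inversion, over the 236 bytes before the tag token); whether that recomputed value matches the stored 0x465fe87c is something the script reports rather than assumes. The 20-byte split of the reserved area into a product name and a firmware version is read off this dump, not taken from any Broadcom definition, and the reading of the image token as three CRC-32s (image, rootfs, kernel) is my understanding of Broadcom's usage.

```python
"""Parse the Broadcom 256-byte image tag and the squashfs superblock from the
HG612 flash dump quoted above.  Added example; not code from the post, from
OpenBox or from Broadcom's hostTools."""
import struct
import zlib

# Rows transcribed from the 'dm b8000000' dump above, 0xb8010000..0xb801011f:
# the 256-byte tag at flash offset 0x10000, then the first 32 bytes of the rootfs.
DUMP_FROM_0x10000 = """
37 00 00 00 42 72 6f 61 64 63 6f 6d 20 43 6f 72
70 6f 72 61 74 69 6f 00 76 65 72 2e 20 32 2e 30
00 00 00 00 00 00 36 33 36 38 00 00 39 36 33 36
38 4d 56 57 47 00 00 00 00 00 00 00 31 00 33 35
33 31 33 34 35 00 00 00 33 32 31 37 30 33 31 31
36 38 00 00 35 38 32 30 30 00 00 00 00 00 33 32
31 37 30 39 36 39 36 30 00 00 32 36 37 38 37 38
34 00 00 00 33 32 31 39 37 37 35 37 34 34 00 00
37 39 34 33 36 31 00 00 00 00 00 00 00 00 45 63
68 6f 4c 69 66 65 5f 00 00 00 00 00 00 00 00 00
00 00 56 31 30 30 52 30 30 31 43 30 31 42 30 32
37 53 50 30 35 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 dc 44 9c 8e d6 34 da d6
bf 02 72 a9 00 00 00 00 00 00 00 00 46 5f e8 7c
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
71 73 68 73 00 00 01 4f 00 66 ff d4 b7 ff f6 d4
00 aa 95 3e bf e4 c9 48 00 66 28 22 00 03 00 00
"""
FLASH = bytes.fromhex(DUMP_FROM_0x10000)  # index 0 is flash offset 0x10000
DUMP_BASE = 0x10000
TAG_LEN, TOKEN_LEN = 256, 20

# FILE_TAG from Broadcom's bcmTag.h: NUL-padded ASCII fields, numbers in decimal.
TAG = struct.Struct(">4s20s14s6s16s2s10s12s10s12s10s12s10s2s2s74s20s20s")
assert TAG.size == TAG_LEN

def cstr(field):
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")

def bcm_crc32(data):
    """CRC-32 as Broadcom's getCrc32() computes it (assumed): initial value
    0xffffffff and no final inversion, i.e. zlib's value with the inversion undone."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_tag(tag):
    """Return the tag fields as a dict; numbers are converted from decimal ASCII."""
    (ver, sig1, sig2, chip, board, be, total, cfe_a, cfe_l, fs_a, fs_l,
     k_a, k_l, dual, inactive, reserved, img_tok, tag_tok) = TAG.unpack(tag)
    stored_tag_crc = struct.unpack(">I", tag_tok[:4])[0]
    return {
        "tag_version": cstr(ver), "signature": cstr(sig1), "sig2": cstr(sig2),
        "chip_id": cstr(chip), "board_id": cstr(board), "big_endian": cstr(be) == "1",
        "total_len": int(cstr(total)), "cfe_addr": int(cstr(cfe_a)),
        "cfe_len": int(cstr(cfe_l)), "rootfs_addr": int(cstr(fs_a)),
        "rootfs_len": int(cstr(fs_l)), "kernel_addr": int(cstr(k_a)),
        "kernel_len": int(cstr(k_l)), "dual_image": cstr(dual), "inactive": cstr(inactive),
        # Huawei keeps a product name and firmware version in the reserved area;
        # the 20-byte split is read off this dump, not from a Broadcom definition.
        "product": cstr(reserved[:20]), "fw_version": cstr(reserved[20:]),
        # Three big-endian CRC-32s occupy the image token (image, rootfs, kernel
        # in Broadcom's usage, as far as I know); the remaining bytes are zero.
        "image_crcs": struct.unpack(">3I", img_tok[:12]),
        "tag_crc": stored_tag_crc,
        # Assumed: tagValidationToken covers every byte before it (TAG_LEN - TOKEN_LEN).
        "tag_crc_ok": bcm_crc32(tag[:TAG_LEN - TOKEN_LEN]) == stored_tag_crc,
    }

def parse_squashfs_superblock(sb):
    """Magic, inode count and on-disk version; the major/minor halfwords sit at
    offset 28 in both the squashfs 3.x and 4.x superblock layouts."""
    endian = {b"qshs": ">", b"hsqs": "<"}.get(sb[:4])
    if endian is None:
        raise ValueError("no squashfs magic")
    inodes = struct.unpack(endian + "I", sb[4:8])[0]
    major, minor = struct.unpack(endian + "HH", sb[28:32])
    return {"big_endian": endian == ">", "inodes": inodes, "version": (major, minor)}

def check_layout(t, flash=FLASH, base=DUMP_BASE):
    """Cross-check the tag's pointers against each other and against the dump.
    Addresses are absolute, so section offsets are taken relative to cfeAddress."""
    problems = []
    if t["cfe_len"] + t["rootfs_len"] + t["kernel_len"] != t["total_len"]:
        problems.append("section lengths do not add up to totalImageLen")
    if t["kernel_addr"] != t["rootfs_addr"] + t["rootfs_len"]:
        problems.append("kernel does not immediately follow the rootfs")
    fs_off = t["rootfs_addr"] - t["cfe_addr"]          # offset within the flash image
    sb = flash[fs_off - base:fs_off - base + 32]
    if len(sb) < 32 or sb[:4] not in (b"qshs", b"hsqs"):
        problems.append("no squashfs magic at rootfs offset 0x%x" % fs_off)
    elif parse_squashfs_superblock(sb)["big_endian"] != t["big_endian"]:
        problems.append("rootfs endianness disagrees with the tag's bigEndian flag")
    return problems

if __name__ == "__main__":
    tag = parse_tag(FLASH[:TAG_LEN])
    print(tag)
    print("layout problems:", check_layout(tag) or "none")
```

On this dump the pointers are self-consistent: cfeLen + rootfsLen + kernelLen equals totalImageLen (3531345), rootfsAddress is exactly 0x10100 past cfeAddress (0xbfc00000), which is where the 'qshs' magic appears in the dump relative to the start of flash, and kernelAddress equals rootfsAddress + rootfsLen. Those are the same relations a rebuilt image has to satisfy, so the same checks apply to the output of bcmImageBuilder before it goes anywhere near the flash.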
[1] http://svn.gna.org/svn/openbox4/trunk/tools/
[2] https://docs.google.com/leaf?id=0B6wW18mYskvBNDFlMzc...
    https://docs.google.com/leaf?id=0B6wW18mYskvBZWYzYzJ...
    https://docs.google.com/leaf?id=0B6wW18mYskvBODg2YjY...
    https://docs.google.com/leaf?id=0B6wW18mYskvBYjE2ODl...
    https://docs.google.com/leaf?id=0B6wW18mYskvBNjcxNDM...
    https://docs.google.com/leaf?id=0B6wW18mYskvBYTA2NjE...
    https://docs.google.com/leaf?id=0B6wW18mYskvBMzQzYTA...
    https://docs.google.com/leaf?id=0B6wW18mYskvBZDVjYjk...
    https://docs.google.com/leaf?id=0B6wW18mYskvBYmIwY2Y...
    https://docs.google.com/leaf?id=0B6wW18mYskvBYzJiY2Q...
    https://docs.google.com/leaf?id=0B6wW18mYskvBMWQ3ZTI...
[3] http://opensource.actiontec.com/
[4] See ~/userspace/public/libs/cms_util and the cmsImg_writeImage() call in tftpd.c of the busybox source.
Edited by asbokid (Sun 03-Jul-11 10:37:33)