
EA9500 Serial Console to CFE

Discussion in 'General Wireless Discussion' started by chadster766, Oct 14, 2016.

  1. chadster766 (Senior Member)
    *Warning this will void your warranty :eek:

    Opening the EA9500 case:

    1. Remove the 4 screws under the feet and the product label

    [photo]

    2. Remove plastic reinforcement cover

    [photo]

    3. Remove cover plate

    [photo]

    4. Connect USB to TTL cable

    [photo]

    Below is some serial console output:

    Code:
    Digital core power voltage set to 1.05V
    Decompressing...done
    Digital core power voltage set to 1.05V
    
    CFE Boot Loader v0.5.1__7.14.131.35
    
    SHMOO VER 1.13
    
    PKID07DC06011801080000000000001A103F01000000
    
    S30000217
    00001770
    
    
    RDLYW0 00000004
    
    RDENW0 00000037
    
    RDQSW0
    
        0000000000111111111122222222223333333333444444444455555555556666
        0123456789012345678901234567890123456789012345678901234567890123
    00 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
    01 ------------++++++++++++++++++++++++++X++++++++++++++++++++++++-
    02 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
    03 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++--
    04 ------++++++++++++++++++++++++X+++++++++++++++++++++++----------
    05 ---------------++++++++++++++++++++++++X++++++++++++++++++++++--
    06 -------++++++++++++++++++++++++X++++++++++++++++++++++++--------
    07 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
    08 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++----------
    09 --------+++++++++++++++++++++++++X++++++++++++++++++++++++------
    10 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
    11 -------++++++++++++++++++++++++X+++++++++++++++++++++++---------
    12 --++++++++++++++++++++++++++X++++++++++++++++++++++++++---------
    13 -----+++++++++++++++++++++++X+++++++++++++++++++++++------------
    14 ------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
    15 --+++++++++++++++++++++++++X+++++++++++++++++++++++++-----------
    
    
    PW0
    
        0000000000111111111122222222223333333333444444444455555555556666
        0123456789012345678901234567890123456789012345678901234567890123
    00 ---++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-
    01 ----++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-
    02 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
    03 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++--
    04 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
    05 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++--
    06 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
    07 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
    08 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
    09 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
    10 +++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-----
    11 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
    12 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
    13 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
    14 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
    15 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
    
    
    NW0
    
        0000000000111111111122222222223333333333444444444455555555556666
        0123456789012345678901234567890123456789012345678901234567890123
    00 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
    01 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
    02 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
    03 -----------++++++++++++++++++++++++++X++++++++++++++++++++++++++
    04 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
    05 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
    06 -------++++++++++++++++++++++++++X++++++++++++++++++++++++++----
    07 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
    08 ---++++++++++++++++++++++++++X++++++++++++++++++++++++++--------
    09 --------++++++++++++++++++++++++++X++++++++++++++++++++++++++---
    10 -------+++++++++++++++++++++++++++X++++++++++++++++++++++++++---
    11 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
    12 ---+++++++++++++++++++++++++++X++++++++++++++++++++++++++-------
    13 -------++++++++++++++++++++++++X++++++++++++++++++++++++--------
    14 -----++++++++++++++++++++++++++X++++++++++++++++++++++++++------
    15 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++----------
    
    
    WRDQW0
    
        0000000000111111111122222222223333333333444444444455555555556666
        0123456789012345678901234567890123456789012345678901234567890123
    00 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
    01 ++++++++++++++++++++++++++++X+++++++++++++++++++++++++++--------
    02 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
    03 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
    04 ++++++++++++++++++++++++X++++++++++++++++++++++++---------------
    05 ++++++++++++++++++++++++++++X+++++++++++++++++++++++++++--------
    06 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
    07 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
    08 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
    09 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++-------+-
    10 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
    11 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
    12 +++++++++++++++++++++++++X++++++++++++++++++++++++--------------
    13 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
    14 ++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
    15 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
    
    
    WRDMW0 00000027
    WRDMW0 00000025
    
    
    ADDR
    
        0000000000111111111122222222223333333333444444444455555555556666
        0123456789012345678901234567890123456789012345678901234567890123
    00 +++++++++++++++++++++++S+++++++X++++++++++++++++++++++++++++++++
    
    Decompressing...done
    Found a Toshiba NAND flash:
    Total size:  128MB
    Block size:  128KB
    Page Size:   2048B
    OOB Size:    64B
    Sector size: 512B
    Spare size:  16B
    ECC level:   8 (8-bit)
    Device ID: 0x98 0xf1 0x80 0x15 0xf2 0x16
    find_devinfo: devinfo block found at 0x00180000!
    
    Press Ctrl+C to stop in CFE
    
    
    CFE version 7.14.131.35 (r612453) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
    Build Date: Fri Jan 22 18:07:59 CST 2016 ([email protected]), for the EA9500 board
    Copyright (C) 2000-2008 Broadcom Corporation.
    Copyright (C) 2016 Arcadyan Corporation.
    
    Flashing all LEDs ...
    
    Init Arena
    Init Devs.
    Boot partition size = 262144(0x40000)
    DDR Clock: 800 MHz
    Info: DDR frequency set from clkfreq=1400,*800*
    
    ### RoboID=53012, vid=1 val32=0x35faf val16=0x1 ###
    
    ### RoboID=53012, vid=2 val32=0x22110 val16=0x2 ###
    et2: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.131.35 (r612453)
    CPU type 0x0: 1400MHz
    Tot mem: 262144 KBytes
    
    CFE mem:    0x00F00000 - 0x01799D2C (9018668)
    Data:       0x00F601E0 - 0x00F608A8 (1736)
    BSS:        0x00F608B8 - 0x00F97D2C (226420)
    Heap:       0x00F97D2C - 0x01797D2C (8388608)
    Stack:      0x01797D2C - 0x01799D2C (8192)
    Text:       0x00F00000 - 0x00F52488 (337032)
    Boot:       0x0179A000 - 0x017DA000
    Reloc:      I:00000000 - D:00000000
    
    Boot version: v0.5.1__7.14.131.35
    
    Device eth0:  hwaddr 48-F8-B3-F6-49-51, ipaddr 192.168.1.1, mask 255.255.255.0
            gateway not set, nameserver not set
    Loader:raw, invalid tftp target filename (:)!
    Could not load :: Invalid parameter
    Checking CRC validity of nflash1.trx ... OK
    Booting(0): boot -raw -z -addr=0x8000 -max=0xef8000 nflash0.os:
    Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
    Loading: ..... 5438272 bytes read
    Entry at 0x00008000
    Closing network.
    Starting program at 0x00008000
    cfe_start: launch kernel with blue LED0 is on!
    
    console [ttyS0] enabled, bootconsole disabled
    serial8250.0: ttyS1 at MMIO 0x18000400 (irq = 117) is a 16550
    brd: module loaded
    loop: module loaded
    pflash: found no supported devices
    bcmsflash: found no supported devices
    The first offset=200000, 2nd offset=1f00000
    Boot partition size = 524288(0x80000)
    lookup_nflash_rootfs_offset: offset = 0x200000
    nflash: squash filesystem with lzma found at block 33
    lookup_nflash_rootfs_offset: offset = 0x1f00000
    nflash: squash filesystem with lzma found at block 265
    Creating 6 MTD partitions on "nflash":
    0x000000000000-0x000000080000 : "boot"
    0x000000080000-0x000000200000 : "nvram"
    0x000000200000-0x000001f00000 : "linux"
    0x00000042dba4-0x000001f00000 : "rootfs"
    0x000001f00000-0x000005200000 : "linux2"
    0x00000212db04-0x000005200000 : "rootfs2"
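A worked example added here (it is not from the original post, nor from any Linksys or Broadcom code): a small Python script that parses the NAND geometry and the "Creating 6 MTD partitions" lines from the serial log above and cross-checks them. It shows why rootfs and rootfs2 start at unaligned offsets (they are the squashfs images the kernel located inside the linux/linux2 areas, in erase blocks 33 and 265 as the log says), which /dev/mtdN each name maps to, and that the first partition, the CFE, is mtd0. The sample log text is copied from the post above; the script, its function names and the report fields are my own.

```python
import re
from typing import NamedTuple

# Constructed sample input: the NAND geometry CFE printed and the partition
# lines the kernel printed in the EA9500 serial log above (copied verbatim).
SAMPLE_LOG = """\
Found a Toshiba NAND flash:
Total size:  128MB
Block size:  128KB
Page Size:   2048B
nflash: squash filesystem with lzma found at block 33
nflash: squash filesystem with lzma found at block 265
Creating 6 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000001f00000 : "linux"
0x00000042dba4-0x000001f00000 : "rootfs"
0x000001f00000-0x000005200000 : "linux2"
0x00000212db04-0x000005200000 : "rootfs2"
"""


class Partition(NamedTuple):
    mtd: int        # /dev/mtdN, in the order the kernel registered them
    name: str
    start: int      # byte offset into the NAND
    end: int        # exclusive

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, other: "Partition") -> bool:
        return self.start <= other.start and other.end <= self.end


_PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.M)
_BLOCK_RE = re.compile(r'^Block size:\s*(\d+)KB', re.M)
_SQUASH_RE = re.compile(r'squash filesystem with lzma found at block (\d+)')


def parse_partitions(log: str) -> list[Partition]:
    return [Partition(i, name, int(s, 16), int(e, 16))
            for i, (s, e, name) in enumerate(_PART_RE.findall(log))]


def parse_block_size(log: str) -> int:
    m = _BLOCK_RE.search(log)
    if m is None:
        raise ValueError("NAND block size not found in log")
    return int(m.group(1)) * 1024


def parse_squashfs_blocks(log: str) -> list[int]:
    return [int(b) for b in _SQUASH_RE.findall(log)]


def check_layout(log: str) -> dict:
    """Cross-check the partition map before touching the flash.

    rootfs/rootfs2 start at unaligned offsets because they are the squashfs
    carried inside the image that fills linux/linux2; the kernel located them
    by scanning erase blocks, so each start must fall in the block it reported.
    """
    parts = parse_partitions(log)
    bs = parse_block_size(log)
    found = parse_squashfs_blocks(log)
    by_name = {p.name: p for p in parts}
    report = {
        "devices": {f"/dev/mtd{p.mtd}": p.name for p in parts},
        "cfe_is_mtd0": parts[0].name == "boot" and parts[0].start == 0,
        "cfe_size": parts[0].size,
        "unaligned": [p.name for p in parts if p.start % bs],
        "nested": {},
    }
    for image, fs in (("linux", "rootfs"), ("linux2", "rootfs2")):
        img, rfs = by_name[image], by_name[fs]
        report["nested"][fs] = {
            "inside": img.contains(rfs),
            "erase_block": rfs.start // bs,
            # bytes before the squashfs: image header plus kernel
            "kernel_area": rfs.start - img.start,
        }
    report["squashfs_blocks_match"] = (
        [report["nested"]["rootfs"]["erase_block"],
         report["nested"]["rootfs2"]["erase_block"]] == found)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(check_layout(SAMPLE_LOG), indent=2))
```

One thing the log itself shows and the script makes visible: the two "Boot partition size" lines disagree (CFE prints 0x40000, the kernel registers 0x80000 for "boot"). If you dump the CFE before experimenting, dump all of mtd0 as the kernel sizes it, and keep that dump somewhere off the router before writing anything to the linux partition.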
     
  2. chadster766 (Senior Member)
    I don't have any experience with the CFE boot loader.

    Any instructions on how to use it to load firmware, and on how to back up the current CFE, would be appreciated.

    Also, if anyone knows how to compile a kernel for this boot loader, that would be very helpful, since I would like to make this router compatible with the McDebian firmware.

    https://github.com/Chadster766/McDebian
     
  3. RMerlin (Super Moderator, Canada)
    Flashing is usually done over TFTP.

    CFE content is usually in the first mtd partition, so you'd have to make a dump of it. You'll have to see which CFE features are included, as this varies between manufacturers. Asus, for instance, includes a mini web server in theirs, which can be used for flashing a firmware.
     
  4. RMerlin (Super Moderator, Canada)
    I thought Linksys were locking down third party firmwares on their EA series.
     
  5. chadster766 (Senior Member)
    What command do I run to get the list of features?

    The CFE web server feature seems to be disabled. I pressed the recessed reset button during boot, and the CFE console output didn't change, nor did nmap show any ports open on the unit.
     
  6. chadster766 (Senior Member)
    I don't really know the details around how wireless manufacturers are locking down their equipment, or even if they can. They have to load firmware onto their devices somehow, and provide GPL code if requested.
     
  7. L&LD (Part of the Furniture)
    No, they don't. ;)
     
  8. chadster766 (Senior Member)
    I'm just wondering if it's possible to build a firmware for this model.

    If you can instruct me on how to do a test build and load it without losing the ability to recover the CFE that would be great.

    Is a DTS blob still loaded with the kernel in CFE?
     
  9. chadster766 (Senior Member)
    Do you mean they don't have to provide GPL source code upon request?
     
  10. L&LD (Part of the Furniture)
    Yes.
     
  11. chadster766 (Senior Member)
    AFAIK many manufacturers have lost lawsuits and paid huge penalties for not following GPL licensing rules.
     
  12. L&LD (Part of the Furniture)
    No doubt. But that isn't a guarantee of what the future will bring.

    This is what is happening today. Tomorrow? Manufacturers can change the rules as they wish. They're not here for 'us', when all is said and done. The bottom line is what drives business. Not a sense of being nice or playing fair.
     
  13. RMerlin (Super Moderator, Canada)
    I think it's just "cmds" or "help" (I don't have a serial hooked router at hand at the moment). However it provides very little information.

    Could be something Asus added themselves. Keep in mind that the CFE can be heavily customized by the manufacturer. Asus actually includes the CFE source code in their GPL drops, if you want to take a look at it.

    No idea how the rest of that model's design works, sorry. Basically, it should just boot the kernel located in that linux mtd partition, passing it an init command that will be model-specific. You will have to observe what gets passed as arguments to the kernel at boot time.

    You will have to take a look at Linksys's GPL drop to learn more about the firmware image format accepted by their recovery mode / UI-based upgrade. Tomato/DD-WRT would be other candidates to look at, since they might support other EA models that are also CFE-based.

    There are a lot of ways a device can be locked down while still retaining GPL compliance:

    1) Signed bootloader. That means the CFE will only load a kernel with a valid RSA signature, and the manufacturer is the only one with the signing key. That's how devices like the WDTV work, meaning you can play with the userspace code, but not the kernel itself.

    2) Only accept RSA-signed firmware images through the CFE recovery mode, meaning only low-level hacking (possibly JTAG) would allow you to bypass this.

    3) Keep the radio-specific configuration in a separate location, meaning that any third-party firmware would be unable to interact with this portion of the firmware. That's how their WRT line of products works AFAIK (or that's at least the explanation they gave at the time in their marketing blurb).

    The GPL only requires them to provide the source code.
     
  14. sfx2000 (Part of the Furniture, San Diego, CA)
    Linksys typically will release the GPL changes; sometimes one has to ask. In any event, I haven't seen a drop from them in some time that will result in a full firmware image, and that's ok; it's consistent with the licensing of the GPL2/GPL3 code...

    They're not obligated to share their own code, just any changes to GPL code.
     
  15. RMerlin (Super Moderator, Canada)
    Basically, your partition table is:

    Code:
    0x000000000000-0x000000080000 : "boot"
    0x000000080000-0x000000200000 : "nvram"
    0x000000200000-0x000001f00000 : "linux"
    0x00000042dba4-0x000001f00000 : "rootfs"
    0x000001f00000-0x000005200000 : "linux2"
    0x00000212db04-0x000005200000 : "rootfs2"
    
    /dev/mtd0 contains the CFE
    /dev/mtd1 contains the nvram
    /dev/mtd2 contains the linux kernel
    /dev/mtd3 contains the root filesystem of the OS
    /dev/mtd4 and /dev/mtd5 contain a second firmware image

    Your firmware image probably needs to be in TRX format (based on your log output), and must be written on top of the linux partition (the rootfs that's part of the same TRX image will overstep the linux partition and fill up the rootfs partition).
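An added example, not code from this thread or from any Linksys or Broadcom tool: a minimal TRX v1 packer and checker in Python, following the header layout and CRC convention of OpenWrt's trx.c (magic "HDR0", total image length, a CRC-32 over everything from the flag/version word to the end of the image, seeded with 0xFFFFFFFF and not inverted at the end, then three partition offsets). It is an assumption here that this is the format CFE is referring to when it prints "Checking CRC validity of nflash1.trx ... OK"; whether Linksys wraps the TRX in a further vendor header for its recovery or UI upgrade path is not something this thread establishes, so check their GPL drop before relying on it. The kernel and rootfs payloads are constructed stand-ins, not a real kernel or squashfs. The last two helpers make item 2 of RMerlin's lockdown list concrete: a CRC catches corruption, but anyone can recompute it after editing the image, so a CRC "OK" from CFE says nothing about who built the image; only a signature check does.

```python
import struct
import zlib

# TRX v1 header as defined in OpenWrt's tools/firmware-utils/src/trx.c
# (assumed to match what CFE checks on this router):
#   magic "HDR0", u32 len (whole image), u32 crc32 (from flag_version to len),
#   u32 flag_version (flags in the low 16 bits, version in the high 16),
#   u32 offsets[3] (partition starts relative to the header; 0 = unused)
TRX_MAGIC = b"HDR0"
TRX_HDR = struct.Struct("<4sIII3I")
TRX_HDR_LEN = TRX_HDR.size  # 28 bytes
CRC_START = 12              # the CRC covers everything after the crc field itself


def trx_crc32(data: bytes) -> int:
    """trx.c's crc32buf(): CRC-32 seeded with 0xFFFFFFFF and *not* inverted at
    the end, which is zlib's (inverted) result XORed back."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def _align(n: int, a: int = 4) -> int:
    return (n + a - 1) & ~(a - 1)


def build_trx(kernel: bytes, rootfs: bytes, version: int = 1) -> bytes:
    """Pack a kernel and a root filesystem into a v1 TRX image."""
    k_off = TRX_HDR_LEN
    r_off = _align(k_off + len(kernel))
    body = kernel + b"\0" * (r_off - k_off - len(kernel)) + rootfs
    total = _align(TRX_HDR_LEN + len(body))
    body += b"\0" * (total - TRX_HDR_LEN - len(body))
    blob = bytearray(TRX_HDR.pack(TRX_MAGIC, total, 0, version << 16, k_off, r_off, 0))
    blob += body
    struct.pack_into("<I", blob, 8, trx_crc32(bytes(blob[CRC_START:total])))
    return bytes(blob)


def parse_trx(blob: bytes) -> dict:
    """Validate a TRX the way a loader would (magic, declared length, CRC) and
    return the header fields plus the kernel/rootfs slices. 'crc_ok' is the
    only integrity signal this format carries."""
    if len(blob) < TRX_HDR_LEN:
        raise ValueError("short image")
    magic, length, crc, fv, o0, o1, o2 = TRX_HDR.unpack_from(blob, 0)
    if magic != TRX_MAGIC:
        raise ValueError("bad TRX magic %r" % magic)
    if length > len(blob) or length < TRX_HDR_LEN:
        raise ValueError("TRX length %d inconsistent with %d bytes of data" % (length, len(blob)))
    offsets = [o for o in (o0, o1, o2) if o]
    bounds = offsets + [length]
    parts = [blob[bounds[i]:bounds[i + 1]] for i in range(len(offsets))]
    return {
        "version": fv >> 16,
        "flags": fv & 0xFFFF,
        "len": length,
        "offsets": offsets,
        "crc_ok": trx_crc32(blob[CRC_START:length]) == crc,
        "parts": parts,
    }


def tamper(blob: bytes, offset: int, value: int) -> bytes:
    """Overwrite one payload byte; the stored CRC no longer matches."""
    b = bytearray(blob)
    b[offset] = value
    return bytes(b)


def refit_crc(blob: bytes) -> bytes:
    """Recompute the header CRC over a modified image. A CRC defends against
    corruption, not against an attacker: anyone can do this, so a CFE that
    only checks the CRC will report a modified image as OK. Only a signature
    over the image (the RSA-signed images described earlier) changes that."""
    b = bytearray(blob)
    length = struct.unpack_from("<I", b, 4)[0]
    struct.pack_into("<I", b, 8, trx_crc32(bytes(b[CRC_START:length])))
    return bytes(b)


# Constructed sample payloads (not a real kernel or squashfs image).
SAMPLE_KERNEL = b"\x7fELF" + b"K" * 100
SAMPLE_ROOTFS = b"hsqs" + b"R" * 50

if __name__ == "__main__":
    img = build_trx(SAMPLE_KERNEL, SAMPLE_ROOTFS)
    bad = tamper(img, 40, 0x41)
    print("original:", parse_trx(img)["crc_ok"])
    print("tampered:", parse_trx(bad)["crc_ok"])
    print("tampered, CRC refitted:", parse_trx(refit_crc(bad))["crc_ok"])
```

When you compare this against a real image pulled from mtd2, the first 28 bytes of the linux partition are the header, the declared length tells you how far the TRX extends into the partition, and the second offset is where the squashfs starts; that offset plus the partition base should land in the erase block the kernel reported for "squash filesystem with lzma found at block 33".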
     
  16. RMerlin (Super Moderator, Canada)
    http://support.linksys.com/en-us/gplcodecenter

    (and the Netgear equivalent: http://kb.netgear.com/app/answers/detail/a_id/2649/~/open-source-code-for-programmers-(gpl) )
     
  17. sfx2000 (Part of the Furniture, San Diego, CA)
    Linksys has been clear that the WRT's are where FOSS/3rd parties should be focused...

    The Broadcom-based EA9500 is going to have binary blobs that you will not have adequate documentation for to ensure that proper operation and performance are maintained...

    I would suggest focusing on the WRT's where there is good mindshare...
     
  18. chadster766 (Senior Member)
    Thanks everyone for the recommendations and information :)