OpenWrt Forum Archive

Topic: Bricked DG834GT, CFE still accessible and TFTP flash possible

The content of this topic has been archived on 3 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, when customizing the Netgear firmware I made an error, and the router went into a looping state when booting. I cancelled the boot and went into the CFE. There is the possibility to load a new firmware via TFTP, but it does not seem to expect a "normal" Netgear firmware in that sense; it seems to require a firmware that is "compressed", in what format I have no idea... The help seems to hint that it should be named "bcm963xx_fs_kernel" when flashing or "vmlinux" when just booting from a TFTP server...

Here you can see my attempts (and the router's error codes for them):

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
CFE>
CFE> help
Available commands:

d                   Download
a                   Asmod
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] fl
ag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>
CFE>
CFE>
CFE>
CFE> w 192.168.0.1:DG834GT_V1.01.28.img
Loading 192.168.0.1:DG834GT_V1.01.28.img ...
Finished loading 3219456 bytes
Illegal whole flash image
Finished flashing image.
*** command status = -1
CFE>
CFE>
CFE> r 192.168.0.1:DG834GT_V1.01.28.img
Retry loading it as a compressed image.
Loading 192.168.0.1:DG834GT_V1.01.28.img ...
Finished loading 3219456 bytes
Code Address: 0x10000278, Entry Address: 0x00000000
Failed on decompression.  Corrupted image?
*** command status = 3219456
CFE>
CFE>
CFE> f 192.168.0.1:DG834GT_V1.01.28.img
Loading 192.168.0.1:DG834GT_V1.01.28.img ...
Finished loading 3219456 bytes
Firmware tag version [0] is not compatible with the current Tag version [6].
*** command status = -1
CFE>
CFE>
CFE>
CFE> flashimage 192.168.0.1:orginal.img
Loading 192.168.0.1:orginal.img ...
Finished loading 3227648 bytes
...............................................................

Finished flashing image.
Resetting board...

CFE version 1.0.37-5.11 for BCM96348 (32bit,SP,BE)
Build Date: Fri Sep 17 15:59:48 CST 2004 (root@Run-P4)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
internal_open
bcm6348enet: init_emac
CPU type 0x29107: 256MHz, Bus: 128MHz, Ref: 32MHz

Total memory used by CFE:  0x80401000 - 0x8051C910 (1161488)
Initialized Data:          0x80418630 - 0x804192D0 (3232)
BSS Area:                  0x804192D0 - 0x8041A910 (5696)
Local Heap:                0x8041A910 - 0x8051A910 (1048576)
Stack Area:                0x8051A910 - 0x8051C910 (8192)
Text (code) segment:       0x80401000 - 0x80418624 (95780)
Boot area (physical):      0x0051D000 - 0x0055D000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                : 192.168.0.10:ffffff00
Host IP address                 : 192.168.0.1
Gateway IP address              :
Run from flash/host (f/h)       : f
Default host run file name      : vmlinux
Default host flash file name    : bcm963xx_fs_kernel
Boot delay (0-9 seconds)        : 1
Board Id Name                   : 96348GW-10
Psi size in KB                  : 16
Number of MAC Addresses (1-32)  : 2
Base MAC Address                : 00:0f:b5:54:e7:92
Ethernet PHY Type               : Internal
Memory size in MB               : 16

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Code Address: 0xDB71FF85, Entry Address: 0xa595e348
Failed on decompression.  Corrupted image?
Download mode ... press enter to stop
CFE>
CFE>
CFE> help w

  SUMMARY

     Write the whole image start from beginning of the flash

  USAGE

     eg. w [hostip:]whole_image_file_name

*** command status = 0
CFE>
CFE> help r

  SUMMARY

     Run program from flash image or from host depend on [f/h] flag

  USAGE

     eg. r [[hostip:]filenaem]<cr> if no filename, use the file name in 'Default
 host run file name'

*** command status = 0
CFE> help f

  SUMMARY

     Write image to the flash

  USAGE

     eg. f [[hostip:]filename]<cr> -- if no filename, tftped from host with file
 name in 'Default host flash file name'

*** command status = 0
CFE>
CFE>
CFE> p
Board IP address                : 192.168.0.10:ffffff00
Host IP address                 : 192.168.0.1
Gateway IP address              :
Run from flash/host (f/h)       : f
Default host run file name      : vmlinux
Default host flash file name    : bcm963xx_fs_kernel
Boot delay (0-9 seconds)        : 1
Board Id Name                   : 96348GW-10
Psi size in KB                  : 16
Number of MAC Addresses (1-32)  : 2
Base MAC Address                : 00:0f:b5:54:e7:92
Ethernet PHY Type               : Internal
Memory size in MB               : 16

*** command status = 0

I had a look in the build.sh file for the firmware...

Sure enough it does build the firmware as a bcm963xx_fs_kernel file... But when I tried to load that I got the same error...

CFE> r 192.168.0.1:bcm963xx_fs_kernel
Retry loading it as a compressed image.
Loading 192.168.0.1:bcm963xx_fs_kernel ...
Finished loading 3106109 bytes
Code Address: 0x36000000, Entry Address: 0x42726f61
Failed on decompression.  Corrupted image?
*** command status = 3106109

Here is the build.sh file, note that I have commented out the section that normally deletes the bcm963xx_fs_kernel file...

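echo
echo "Original Image: $1"    # e.g. DG834GT_V1.01.28.img
echo "Your Filesystem: $2"   # e.g. target
echo "New Image: $3"         # e.g. newimage.img
echo
echo "Press 'y' to continue"

read yn

if [ "$yn" = "y" ]; then
        # Pack the modified root filesystem directory into a cramfs image
        tools/mkcramfs -g -r "$2" fs.bin

        # Combine root filesystem and kernel into bcm963xx_fs_kernel
        tools/bcmImageBuilder --output bcm963xx_fs_kernel --chip 6348 --board "96348GW-10" --blocksize 64 --cfefile tools/cfe6348.bin --rootfsfile fs.bin  --kernelfile tools/vmlinux.lz
        # Produce the final image ($3) from the original image ($1) and bcm963xx_fs_kernel
        tools/makeImage "$3" "$1" bcm963xx_fs_kernel
        # Cleanup left commented out so that bcm963xx_fs_kernel is kept
#       rm -rf fs.bin bcm963xx_fs_kernel
        echo "$3" "Created!"
else
        echo "EXIT!"
fi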

Sorry, with the command "flashimage" I was able to load the bcm963xx_fs_kernel file just fine and the Router now works...

CFE> flashimage 192.168.0.1:bcm963xx_fs_kernel
Loading 192.168.0.1:bcm963xx_fs_kernel ...
Finished loading 3155261 bytes
...............................................................

Finished flashing image.
Resetting board...

CFE version 1.0.37-5.11 for BCM96348 (32bit,SP,BE)
Build Date: Fri Sep 17 15:59:48 CST 2004 (root@Run-P4)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
internal_open
bcm6348enet: init_emac
CPU type 0x29107: 256MHz, Bus: 128MHz, Ref: 32MHz

Total memory used by CFE:  0x80401000 - 0x8051C910 (1161488)
Initialized Data:          0x80418630 - 0x804192D0 (3232)
BSS Area:                  0x804192D0 - 0x8041A910 (5696)
Local Heap:                0x8041A910 - 0x8051A910 (1048576)
Stack Area:                0x8051A910 - 0x8051C910 (8192)
Text (code) segment:       0x80401000 - 0x80418624 (95780)
Boot area (physical):      0x0051D000 - 0x0055D000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                : 192.168.0.10:ffffff00
Host IP address                 : 192.168.0.1
Gateway IP address              :
Run from flash/host (f/h)       : f
Default host run file name      : vmlinux
Default host flash file name    : bcm963xx_fs_kernel
Boot delay (0-9 seconds)        : 1
Board Id Name                   : 96348GW-10
Psi size in KB                  : 16
Number of MAC Addresses (1-32)  : 2
Base MAC Address                : 00:0f:b5:54:e7:92
Ethernet PHY Type               : Internal
Memory size in MB               : 16

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Code Address: 0x80010000, Entry Address: 0x8001046c
Decompression OK!
Entry at 0x8001046c
Closing network.
Starting program at 0x8001046c
Total Flash size: 4096K with 71 sectors
Scratch pad is not used for this flash part.
96348GW-10 prom init
CPU revision is: 00029107
Primary instruction cache 16kb, linesize 16 bytes (2 ways)
Primary data cache 8kb, linesize 16 bytes (2 ways)
Linux version 2.4.17 (root@Run-P4) (gcc version 3.1) #353 Wed May 11 09:13:15 CS
T 2005
Determined physical RAM map:
 memory: 00fa0000 @ 00000000 (usable)
On node 0 totalpages: 4000
zone(0): 4000 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock0 ro
bcm_console_setup
Calibrating delay loop... 255.59 BogoMIPS
Memory: 13960k/16000k available (1357k kernel code, 2040k reserved, 92k data, 56
k init, 0k highmem)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
PCI: Fixing up bus 0
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.7 (20011216) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
brcmboard: brcm_board_init entry
Module bcm63xx_cons.c v1.1 May 10 2005 14:49:22
block: 64 slots per queue, batch=16
PPP generic driver version 2.4.1
blaadd: blaa_detect entry
adsl: adsl_init entry
Broadcom BCM6348A2 Ethernet Network Device v0.1 May 10 2005 14:53:51 External PH
Y Reverse MII (SPI Device 1)
eth0: MAC Address: 00:0F:B5:54:E7:92
 Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
Creating 4 MTD partitions on "Physically mapped flash":
0x00010100-0x00299100 : "fs"
mtd: partition "fs" doesn't start on an erase block boundary -- force read-only
0x00010000-0x003f0000 : "tag+fs+kernel"
0x00000000-0x00010000 : "bootloader"
0x003f0000-0x00400000 : "nvram"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
Linux IP multicast router 0.06 plus PIM-SM
ipt_random match loaded
netfilter PSD loaded - (c) astaro AG
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (cramfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 56k freed
serial console detected.  Disabling virtual terminals.
console=/dev/console
init started:  BusyBox v0.61.pre (2004.12.01-10:39+0000) multi-call binary
Starting pid 13, console /dev/console: '/usr/etc/rcS'
Algorithmics/MIPS FPU Emulator v1.5
Using /lib/modules/push_button.o
Using /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ipt_REJECT.o
ap_name=wlan action=stop
bridge br0 doesn't exist!
bridge br0 doesn't exist!
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
rmmod: ath_ap_mips: No such file or directory
BcmAdsl_Initialize=0x800AB328, g_pFnNotifyCallback=0x80186980
AdslCoreHwReset: AdslOemDataAddr = 0xA0FF73B0
device eth0 entered promiscuous mode
eth0 Link UP.
ap_name=(null) action=start
br0: port 1(eth0) entering listening state
br0: port 1(eth0) entering learning state
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
No CoutryCode Matched.
Using /usr/lib/ath_ap_mips.o
killall: syslogd: no process killed
killall: upnpd: no process killed
SIOCADDRT: File exists
Waiting for enter to start '/bin/sh' (pid 157, terminal /dev/console)

Please press Enter to activate this console. UPnP Initialized
Intialized UPnP
        with fullurl=http://192.168.0.1:49152/gateway.xml
                     ipaddress=192.168.0.1 port=49152
             web_dir_path=/usr/upnp/
             desc_doc_url=http://192.168.0.1:49152
Specifying the webserver root directory -- /usr/upnp/
Registering the RootDevice
RootDevice Registered
Initializing State Table
fullurl http://192.168.0.1:49152/gateway.xml
Advertisements Sent

Hmm, now I cannot upgrade the router via the web interface anymore... I tried to load back an original Netgear image via the CFE, but I still could not upgrade the flash image via the web interface after that.

This is the error message I get:

Upgrade file is not the correct type or version for this device.

Upgrade failed.

Please obtain the correct file and try again.

Yeah. I found that too.
My assumption is that the router is now looking for a different firmware version number.

I had intended to look at the Broadcom firmware header that has been analysed by Skaya, but I got distracted.

rdb; thank you for your reply...

But where do you mean this version number can be stored? I have erased the nvram settings and also all flash (options "e n" and "e a" in the CFE) and then made sure they were the same as before my CFE flash... I have also erased persistent storage data (option i)

I tried to flash the complete firmware including the CFE (build option --include-cfe for bcmImageBuilder) however that did not work, the router did not accept the firmware...

And via the web interface I have tried flashing all available Netgear firmwares without luck, the only way for me to flash right now is from the CFE with the command "flashimage" or "f"

I realize now what the problem is. A Google search for "dg834g checksum" turns up a lot of info. I tried using the checksum.c application, but it complained about wrong file size... So I guess it needs to be modified to work with the DG834GT...

A google search for "DG834GT checksum" turns up nothing of interest

Would it be possible to rebuild an image created by makeImage in the format bcmImageBuilder makes them?

Because it is makeImage that adds the CRC checksum to the bcm963xx_fs_kernel file turning it into a normal netgear.img file you can use via the webinterface but that the CFE does not support, catch22 there....

Found something that looks interesting: http://skaya.enix.org/wiki/DumpFirmware

The ability to dump the whole firmware... I think this firmware dump is what the CFE command "w" expects.. So with a dump from a "normal" DG834GT I think I could fix mine...

However, the binary will not work. I tried compiling it myself, with the same results :(

Anyone want to give this a shot?

Another thing that would be interesting is flashing the whole image... But I can not figure out what format it expects the firmware to be in, everything I have tried just makes the CFE tell me that this is not a valid image...

w                   Write the whole image start from beginning of the flash
r                   Run program from flash image or from host depend on [f/h] flag
Per Hansson wrote:

Would it be possible to rebuild an image created by makeImage in the format bcmImageBuilder makes them?

Because it is makeImage that adds the CRC checksum to the bcm963xx_fs_kernel file turning it into a normal netgear.img file you can use via the webinterface but that the CFE does not support, catch22 there....

Seems I was incorrect here. The bcm963xx_fs_kernel file's header and data checksum values are both correct.

So what causes the web interface to think that the firmwares are not correct is totally beyond me...
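The tag version, board ID and the header and data checksums discussed in this thread can be checked on the workstation before an image is offered to the CFE over TFTP. The following is an added example, not part of the thread and not the Netgear or Broadcom tools: the 256-byte tag size, the field offsets and the CRC variant (CRC-32 seeded with 0xFFFFFFFF, no final inversion, stored big-endian) are assumptions taken from the commonly documented Broadcom 63xx image tag layout, and all function names are hypothetical.

```python
import struct
import zlib

# Assumed layout: 256-byte tag of ASCII fields, CRCs stored big-endian.
TAG_LEN, IMAGE_CRC_OFF, TAG_CRC_OFF = 256, 216, 236
FIELDS = {"tag_version": (0, 4), "chip_id": (38, 6), "board_id": (44, 16),
          "total_len": (62, 10)}

def brcm_crc32(data):
    """CRC-32 seeded with 0xFFFFFFFF but without zlib's final inversion."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_tag(image):
    """Decode the NUL-padded ASCII fields and the two stored CRCs."""
    if len(image) < TAG_LEN:
        raise ValueError("file is shorter than one image tag")
    tag = {name: image[off:off + n].split(b"\0")[0].decode("ascii", "replace")
           for name, (off, n) in FIELDS.items()}
    tag["image_crc"], = struct.unpack_from(">I", image, IMAGE_CRC_OFF)
    tag["tag_crc"], = struct.unpack_from(">I", image, TAG_CRC_OFF)
    return tag

def verify(image, tag_version="6", board_id="96348GW-10"):
    """Return a list of problems; an empty list means every check passed."""
    tag, problems = parse_tag(image), []
    if brcm_crc32(image[:TAG_CRC_OFF]) != tag["tag_crc"]:
        return ["tag CRC mismatch (not a bare tagged image?)"]
    if tag["tag_version"] != tag_version:
        problems.append("tag version %r, loader wants %r" % (tag["tag_version"], tag_version))
    if tag["board_id"] != board_id:
        problems.append("board id %r, expected %r" % (tag["board_id"], board_id))
    if not tag["total_len"].isdigit():
        return problems + ["total length field is not a number"]
    body = image[TAG_LEN:TAG_LEN + int(tag["total_len"])]
    if len(body) != int(tag["total_len"]):
        problems.append("file is truncated")
    elif brcm_crc32(body) != tag["image_crc"]:
        problems.append("image CRC mismatch")
    return problems

def build_sample(body=b"constructed rootfs+kernel bytes", version=b"6"):
    """Constructed sample image for the self-check, not real firmware."""
    tag = bytearray(TAG_LEN)
    for name, value in (("tag_version", version), ("chip_id", b"6348"),
                        ("board_id", b"96348GW-10"),
                        ("total_len", str(len(body)).encode())):
        tag[FIELDS[name][0]:FIELDS[name][0] + len(value)] = value
    struct.pack_into(">I", tag, IMAGE_CRC_OFF, brcm_crc32(body))
    struct.pack_into(">I", tag, TAG_CRC_OFF, brcm_crc32(bytes(tag[:TAG_CRC_OFF])))
    return bytes(tag) + body
```

A matching CRC only shows that the file was not corrupted or truncated; anyone who rebuilds an image can recompute it, so it says nothing about where the image came from.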

The discussion might have continued from here.