发布一个Broadcom芯片ADSL固件的修改方法和工具

hugebird · 发表于 2008-2-17 01:18:20

请大家下载18楼的1.5版

hugebird · 发表于 2009-9-14 17:35:05

53# hugebird

2009.9最新版

增加了kernel和rootfs CRC32的重新计算，可以允许不同固件kernel和rootfs及tag的组合。

hugebird · 发表于 2008-2-17 11:10:37

自从去年第一次使用Broadcom芯片的ADSL，一年已来感觉这一系列的设备非常耐玩。最突出的特点是它们采用Linux系统，很多大厂免费提供源码，有能力的用户可以增加自己的代码支持更多的功能。

Broadcom ADSL最常见芯片包括 6338，6348，6358，以及比较老的6345. 6338 是市场的主力，标准配置2MB Flash
和8MB的SDRAM。 6348面向中端市场，标准配置4MB Flash和16MB的SDRAM，一般加无线网卡作为无线路由一体机使用，6348支持USB1.0，加载驱动以后可以支持外置硬盘。6358面向高端市场，产品比较少见。

大多数厂家采用Broadcom的参考设计，仅根据网络端口的不同需求做简单的修改，再加上自己的软件。相同芯片的
ADSL设备，最大的不同在于网络接口，有的使用芯片内置的以太网PHY。有的采用外接以太网交换芯片支持多个端口。ADSL主芯片和外接交换芯片有多种连接方式，造成了固件不能通用。网络接口的定义在厂家提供的源码boardparms.c中。即使硬件设计一样不同厂家的设备，固件由于有标识保护不能互刷。

最近有空分析厂家提供的源码，基本搞清楚了固件的结构，下面提供的这个工具BrFWmod，可以对大部分标准BCM6xxx
ADSL设备的固件进行拆分和组合。可以对某些固件加上特定文件标识，用于其它厂家的设备。比如我们有A厂出的
设备，原厂的固件功能有缺陷，我们得到消息B厂的固件功能完善，但由于B固件与A设备不匹配，无法直接刷在A设备上
，除非采用JTAG一类的特殊设备。现在我们用BrFWmod,从A厂的原厂固件中提取标识，然后把标识组合在B固件上，得
到了在A设备上可以直接刷新的新固件。

固件的定义可以从任何源码的BcmTag.h中找到，通常分成4个部分，第一部分是256字节的文件头TAG，里面定义了，厂
家，型号，附件版本，并对后面的3个部分提供文件长度的索引和校验和，保证固件的完整性，第2部分是CFE，该部
分相当与电脑中的bios，又称为Boot Loader,启动引导，CFE中提供对设备网络的简单支持，可以在固件核心部分崩溃
的时候，提供TFTP等恢复手段。CFE还提供对硬件基本参数的设置。第3部分是Root File System，根文件
系统，类似于光盘的ISO文件，提供Linux系统所需的的文件系统，BrFWmod Linux版本可以把这部分进一部分解
成独立的文件，加入自己的工具以后还可以重新组合。BrFWmod Windows版本不支持对rootFS的分解。最后一部分是
Kernel系统核心,即Linux系统的Kernel。

下面介绍BrFWmod的使用方法，需要注意的是，有些厂商使用的文件头有自己的扩展，所以这个工具不能保证成功修改。这个工具目的是提供给那些自己有恢复手段（比如JTAG），并且有足够知识的高级用户的特殊应用。

请注意刷新非原厂固件对您的设备是非常危险的，一旦固件有误，那么您的设备有可能损坏。任何危险操作前请三思而后行。由于您的错误理解和错误使用本工具所造成的损失，本人概不负责。

[ 本帖最后由 hugebird 于 2008-2-17 03:24 编辑 ]

hugebird · 发表于 2008-2-17 11:11:38

BrFWmod的使用方法
===============================================================
Broadcom Chip ADSL FW Image De/Compress Utility v1.0-hugebird
===============================================================
ABOUT: This program decomp/comp the firmware image of a Broadcom chip
      based DSL MODEM.
         ---------------
USAGE: BrFwmod -decomp <-i inputfile> </m:X> </notag> </cfe> </rfs> </knl>
      BrFwmod -comp <-o outputfile> </m:X> </cfe> </r>
      BrFwmod -showinfo <-i inputfile>
         处理命令
         ------------------
         -decomp ........... 将一个固件分解成模块
         -comp ............. 将模块打包成一个新的固件
         -showinfo ......... 显示一个固件的头信息
         -i inputfile ...... 指定一个输入文件(默认Image.bin)
         -o outputfile  .... 指定一个输入文件(默认Image.XXXX_XXXX.bin)
         开关选项
         -----------------
         /cfe ........... ... 处理CFE部分
         /notag ............. 不解压缩文件头部分TAG.BIN
         /128K .............. 采用128KB作为Flash芯片的块大小，用于计算模块加载地址。
         /rfs ............... 分解时，处理Root FS部分
         /knl ............... 分解时，处理Kernel部分
         /m:X ............... 使用预定义的方法处理
            :1 ............... tag.bin , rootfs.bin, kernl.bin(默认打包方法)
            :2 ............... tag.bin, cfe.bin, rootfs.bin, kernl(默认分解方法)
            :3 ............... tag.bin, cfe.bin
            :4 ............... tag.bin
         /r ................. 解压缩RootFS, windows版不支持该操作
         -----------------------------------------------------------------

hugebird · 发表于 2008-2-17 11:14:42

下面以https://www.chinadsl.net/viewthread.php?tid=21564&extra=page%3D1 连接中的这个文件作为例子

>brfwmod -showinfo -i bcm96338Ezch_cfe_fs_kernel

复制代码

===============================================================
Broadcom Chip ADSL FW Image De/Compress Utility v1.0-hugebird
===============================================================
=====decoding the image information=============================
Tag Ver signature = '6'
SIG1(comany info) = 'ZXDSL831CIIE09'
SIG2(FW version) = 'ver. 2.0'
chip ID  = '6338'
board ID  = '96338E'
FW endianess  = Big Endian
CFE loading address = 0xBFC00000
CFE length  = 0x0000F688
RootFS loading address = 0xBFC10100
RootFS length  = 0x00162000
Kernel loading address = 0xBFD72100
Kernel length  = 0x00075C1F
Total Image length = 0x001E72A7
=====Finish decoding the information=============================

*** REQUESTED OPERATION IS COMPLETE, Bye! ***

可以看到该固件是针对6338，SIG1就是设备的标识，接下来我把这个固件分解

>brfwmod -decomp -i bcm96338Ezch_cfe_fs_kernel /m:2

复制代码

===============================================================
Broadcom Chip ADSL FW Image De/Compress Utility v1.0-hugebird
===============================================================
=====decoding the image information=============================
...
=====Finish decoding the information=============================
-->Read image to buffer successful, 1995431 Bytes!
-->Start to decompress the image ...
-->write TAG.BIN ...Done!
-->write CFE.BIN ...Done!
-->write ROOTFS.BIN ...Done!
-->write KERNL.BIN ...Done!
-->Done
*** REQUESTED OPERATION IS COMPLETE, Bye! ***

查看目录可以看到四个文件：后面的时间戳和您操作的时间相关
TAG.BIN.20080216_2255
CFE.BIN.20080216_2255
ROOTFS.BIN.20080216_2255
KERNL.BIN.20080216_2255
我们可以改名字
TAG.BIN, CFE.BIN, ROOTFS.BIN, KERNL.BIN
然后我们重新组合一个不含CFE的固件 mynewfirm.bin

>brfwmod -comp -o mynewfirm.bin /m:1

复制代码

===============================================================
Broadcom Chip ADSL FW Image De/Compress Utility v1.0-hugebird
===============================================================
=====decoding the image information=============================
Tag Ver signature = '6'
SIG1(comany info) = 'ZXDSL831CIIE09'
SIG2(FW version) = 'ver. 2.0'
chip ID  = '6338'
board ID  = '96338E'
FW endianess  = Big Endian
=====Finish decoding the information=============================

-->Prepare pack a new image
-->bypass read CFE.BIN to buffer...
-->read ROOTFS.BIN to buffer...
  --->use cfe length 65536 to cal RootFS loading addr
  --->Root FS will load at 0xBFC10100, length 0x00162000 Bytes. Done!
-->read KERNL.BIN to buffer...
  --->Kernel will load at 0xBFD72100, length 0x00075C1F Bytes. Done!
-->get image checksum. CRC32 = 30829322
-->get tag checksum. CRC32 = 17672550
-->write Tag to new image...
-->write buffer to new image...
-->Done
*** REQUESTED OPERATION IS COMPLETE, Bye! ***

重新显示一下新固件的信息

>brfwmod -showinfo -i mynewfirm.bin

复制代码

===============================================================
Broadcom Chip ADSL FW Image De/Compress Utility v1.0-hugebird
===============================================================
=====decoding the image information=============================
Tag Ver signature = '6'
SIG1(comany info) = 'ZXDSL831CIIE09'
SIG2(FW version) = 'ver. 2.0'
chip ID  = '6338'
board ID  = '96338E'
FW endianess  = Big Endian
No CFE in Image
RootFS loading address = 0xBFC10100
RootFS length  = 0x00162000
Kernel loading address = 0xBFD72100
Kernel length  = 0x00075C1F
Total Image length = 0x001D7C1F
=====Finish decoding the information=============================
*** REQUESTED OPERATION IS COMPLETE, Bye! ***

hugebird · 发表于 2008-2-17 11:17:28

接下来帖一下BcmTAG.H. 这个文件是从U.S Robotics 9108源码中摘出来的，供参考

/*
<:copyright-gpl
Copyright 2002 Broadcom Corp. All Rights Reserved.
This program is free software; you can distribute it and/or modify it
under the terms of the GNU General Public License (Version 2) as
published by the Free Software Foundation.
This program is distributed in the hope it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
:>
*/
//**************************************************************************************
// File Name : bcmTag.h
//
// Description: add tag with validation system to the firmware image file to be uploaded
// via http
//
// Created : 02/28/2002 seanl
//**************************************************************************************
#ifndef _BCMTAG_H_
#define _BCMTAG_H_
#define BCM_SIG_1 "U.S. Robotics"
#define BCM_SIG_2 "ver. 304L0113" // was "firmware version 2.0" now it is split 6 char out for chip id.
#define BCM_TAG_VER "6"
#define BCM_TAG_VER_LAST "26"
// file tag (head) structure all is in clear text except validationTokens (crc, md5, sha1, etc). Total: 128 unsigned chars
#define TAG_LEN 256
#define TAG_VER_LEN 4
#define SIG_LEN 20
#define SIG_LEN_2 14 // Original second SIG = 20 is now devided into 14 for SIG_LEN_2 and 6 for CHIP_ID
#define CHIP_ID_LEN 6
#define IMAGE_LEN 10
#define ADDRESS_LEN 12
#define FLAG_LEN 2
#define TOKEN_LEN 20
#define BOARD_ID_LEN 16
#define RESERVED_LEN (TAG_LEN - TAG_VER_LEN - SIG_LEN - SIG_LEN_2 - CHIP_ID_LEN - BOARD_ID_LEN - \
(4*IMAGE_LEN) - (3*ADDRESS_LEN) - (3*FLAG_LEN) - (2*TOKEN_LEN))
// TAG for downloadable image (kernel plus file system)
typedef struct _FILE_TAG
{
unsigned char tagVersion[TAG_VER_LEN]; // tag version. Will be 2 here.
unsigned char signiture_1[SIG_LEN]; // text line for company info
unsigned char signiture_2[SIG_LEN_2]; // additional info (can be version number)
unsigned char chipId[CHIP_ID_LEN]; // chip id
unsigned char boardId[BOARD_ID_LEN]; // board id
unsigned char bigEndian[FLAG_LEN]; // if = 1 - big, = 0 - little endia of the host
unsigned char totalImageLen[IMAGE_LEN]; // the sum of all the following length
unsigned char cfeAddress[ADDRESS_LEN]; // if non zero, cfe starting address
unsigned char cfeLen[IMAGE_LEN]; // if non zero, cfe size in clear ASCII text.
unsigned char rootfsAddress[ADDRESS_LEN]; // if non zero, filesystem starting address
unsigned char rootfsLen[IMAGE_LEN]; // if non zero, filesystem size in clear ASCII text.
unsigned char kernelAddress[ADDRESS_LEN]; // if non zero, kernel starting address
unsigned char kernelLen[IMAGE_LEN]; // if non zero, kernel size in clear ASCII text.
unsigned char imageSequence[FLAG_LEN * 2]; // incrments everytime an image is flashed
unsigned char reserved[RESERVED_LEN]; // reserved for later use
unsigned char imageValidationToken[TOKEN_LEN];// image validation token - can be crc, md5, sha; for
// now will be 4 unsigned char crc
unsigned char tagValidationToken[TOKEN_LEN]; // validation token for tag(from signiture_1 to end of // mageValidationToken)
} FILE_TAG, *PFILE_TAG;
#define CRC32_INIT_VALUE 0xffffffff /* Initial CRC32 checksum value */
#define CRC_LEN 4
// only included if for bcmTag.exe program
// #ifdef BCMTAG_EXE_USE
static unsigned long Crc32_table[256] = {
0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA,
0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,
0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,
0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940,
0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116,
0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A,
0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818,
0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C,
0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,
0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086,
0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4,
0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,
0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE,
0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,
0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252,
0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60,
0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04,
0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,
0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E,
0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,
0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0,
0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6,
0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
};
// #endif // BCMTAG_USE
#endif // _BCMTAG_H_

复制代码

hugebird · 发表于 2008-2-17 11:21:02

工具的源码过些时候发布在这个贴子里。目前Linux下的RootFS解压缩功能尚为完成。

hugebird · 发表于 2008-2-17 11:23:36

原帖由 hugebird 于 2008-2-16 17:18 发表

工具包里面还有一个计算模块CRC32校验和的工具

使用方法

>calbcrc <input name>

复制代码

chenclc27 · 发表于 2008-2-17 11:28:38

有一定的难度，不是每个人都能做的

hugebird · 发表于 2008-2-17 11:28:44

一些厂家源码的链接

USR
http://www.usr.com/support/s-gpl-code.asp

NetGear

http://kbserver.netgear.com/kb_web_files/open_src.asp

BelKin
http://www.belkin.com/support/gpl.asp

hugebird · 发表于 2008-2-18 17:15:11

账号		自动登录	找回密码
密码			注册

发布一个Broadcom芯片ADSL固件的修改方法和工具

本帖子中包含更多资源

本帖子中包含更多资源

点评

点评

评分

本帖子中包含更多资源