gzwyx posted on 2007-3-8 15:54:16

[Repost] An alternative way to flash BCM63XX-chip firmware [English]

[This post was last edited by gzwyx on 2007/03/08 03:58pm, edit 1]

It should be possible, on a router-type modem using a BCM chip, to flash different firmware from various companies and brands interchangeably.
I saw this on a foreign website: by using WinHex to modify the first segment of code in the firmware, you fool the firmware's identity check and so flash the firmware in the simplest possible way.
The biggest advantage is that you don't need to make any JTAG cable or do any hardware modification.
Original post:
http://corz.org/comms/hardware/router/other.bt.voyager.routers.php?page=all
Excerpt of the most important part:
BT Voyager 2091 UNLOCKED!
The BT Voyager 2091 has been cracked!
An unlocked firmware is available..
Apart from a rare and early release, all versions of the BT Voyager 2091 are "ISP-Locked", that is, BT has locked it so you can't use them with another ISP. More recently, 2091 users have unlocked it..
Extra big packet of Jube Jubes to Alessio for figuring out how to turn a Dynalink 1050W firmware into a working BT Voyager 2091 firmware (with a little help from SkayaWiki ), in his own words..

Hi,
I tried to put the Dynalink 1050W <http://www.dynalink.com.au/firmware.htm?prod=RTA1025W> firmware in my BT voyager 2091 Wireless router - they both use the BCM6348 Chipset (check the brochure http://www.dynalink.com.au/modemsadsl_cur.htm?prod=RTA1025W).
I did this pretty much what I found on http://skaya.enix.org/wiki/FirmwareFormat:
From the Voyager2091 - cfe-voyager2091_btr-v301m-a2pb018c1 I took from the very beginning of the file
36 00 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 56 32 30 39 31 5F 42 42 00 00 00 00 00 00 00 00 31 00
and copied into cfe-rta1025wnz-v328q_a2pb01. The first section of the firmware contains data about the vendor: now the Dynalink 1050w "sounds" like a Voyager 2091.
In the modified Dynalink 1050W firmware, I was not keen on touching the following section which contains size/address of loader/rootfs (this could make your router unusable!)
I calculated the checksum with flipped bits:
bytes 236-239: contains the checksum from byte 0 to byte 255 - the checksum is 43 6C F1 22
byte 216-219: contains the checksum from byte 256 to the end of file - the checksum is 82 12 7F 96
Then I saved the firmware and uploaded to the Voyager via web interface, the upload went fine and the Voyager rebooted, it went up without any problem.

Alessio is on BT himself, so Paulo whipped out his copy of XVI32, did the dirty with the two firmwares files, and successfully connected his 2091 to AOL. The rest, as they say, is history. *g*
Check out the Useful links section below for the file you need. Then follow this simple procedure (adapted from Dan's comment)..

unzip the firmware
connect the router to the computer via ethernet
in your web browser, go to http://192.168.1.1
select "Advanced" from the menu
enter user/password (default is admin/admin)
select "Upgrade"
select from pc to router (top of page)
browse to previously unzipped file (cfe-rta1025wnz-v328q_a2pb021)
select "Upgrade"
DO NOT power off during the upgrade!
wait a good 5mins
all lights should be green on router
point web browser at http://192.168.1.1 again
ensure the VPI/VCI settings are set to 0/38
ensure ADSL is connected and web page says "ready to connect"
enter broadband login details
It should now connect without issue.

gzwyx posted on 2007-3-8 15:57:23


[This post was last edited by gzwyx on 2007/03/08 04:36pm, edit 2]

I plan to try flashing the RTA230 firmware onto my own Alcatel 511E, but the modem is at my other home, and it will be a while before I get there.


gzwyx posted on 2007-3-13 11:17:48


Format of BCM-chip firmware:
http://skaya.enix.org/wiki/FirmwareFormat
After downloading many different firmwares, I tried to understand how they were structured to build my own. After some days of hacking and a little headache, I can provide the almost-complete format for the firmware used in BroadCom96345-based routers.
First, here are some links to firmware images :
USR9105 2.1
USR9106 2.1
SE515 (version?)
(more to come, feel free to add yours too)

Firmware structure
A firmware image is generally made of 3 parts : a header, a root filesystem, and a kernel image. But the SE515 firmware had 4 parts : a header, a kind of loader, a root filesystem and a kernel image. By analyzing very closely this image, I could finally understand one thing : a firmware image isn't directly copied into the flash memory of the router. In fact, the header is just a "summary", depicting the size of the following parts, and the address at which they should be flashed. In other firmwares, the "loader" part is absent, probably because it's not useful to modify it. I don't know why it exists in the SE515 ; maybe they really needed to update the loader, maybe they just forgot to remove this section.

Header
The header is 256-bytes long. It's made of null-terminated strings and a couple of checksums. When I mention "a 20-bytes string", that means like char string[20]; in C ; i.e. if the string is shorter than 20 bytes, it will be padded with 00 bytes.
a 4-bytes magic number, 36 00 00 00 in all my firmwares (it might rather be a version number)
a 20-bytes string, generally "Broadcom Corporation" (but some vendors did set this string to spaces)
a 20-bytes string, generally "Firmware version 1.0" (sometimes erased, too)
a 16-bytes string, maybe the router model ("96345GW", "96345R", "RTA230"...)
a 2-bytes string, "1" each time (that is, 31 00)
2005-03-19 Heinz Peter Hippenstiel
--------------------------------------------------------------------------------
I was analysing the Broadcom sources and flashed a vanilla Broadcom image to my SE515. It was moaning about the wrong board-id when I was trying to reflash my other selfmade images from the Broadcom web interface. A little analysis brought up that the header is a little different:
a 20-bytes string, the vendor name "Broadcom Corporation" (but some vendors did set this string to spaces)
a 14-bytes string, the fw version "Firmware version 2.0" (sometimes erased, too)
a 6-bytes string, the board id "6345" (or "6348" for newer chips, may be blank)
a 16-bytes string, the router model ("96345GW", "96345R", "RTA230" ... I expect this is a must have)
--------------------------------------------------------------------------------
Then there is the size/address part. Each number is written as-is, as a decimal string ; sizes are 10-bytes strings, and addresses are 12-bytes strings. For instance, size 1234 will be encoded as 31 32 33 34 00 00 00 00 00 00.
the size of the image, without the header (that is, file size minus 256)
the address at which the loader should be flashed (0xBFC00000?)
the size of the loader
the address at which the root filesystem should be flashed (was always 0xBFC10100)
the size of the root filesystem
the address at which the kernel filesystem should be flashed (was always root filesystem address + root filesystem size)
the size of the kernel
If a part should not be flashed, both size and address will be 0 (that's the case of the loader part in most firmwares ; I didn't see yet a firmware without kernel or filesystem part, but I bet it's possible). The size of the image will always be equal to the sum of the sizes of the other parts.
After this part there's nothing until the last 40 bytes of the header ; byte 216 to 219 will be the data checksum (from byte 256 to the end of the file), and byte 236 to 239 will be the header checksum (from byte 0 to byte 235). The checksums are regular CRC32 checksums, but with all bits flipped.

Loader
The loader in the SE515 firmware seems to be a CFE bootloader ; I don't know much about it, but you can download CFE sources somewhere and have a look if you want. I don't know if other routers use CFE too, but I think it's the case, and I will try to find a way to extract the loader part of my router to check.

Root filesystem
It's just a filesystem image "as-is".

Kernel
I did not yet succeed in cross-compiling a MIPS kernel, so I can't compare to tell if it's a regular kernel or if it's mangled somehow.

Conclusions
I bet that the checksums are here to be validated by the "upload firmware" program. After all, there's no point in flashing a checksum itself, because once you have flashed and verified an image, it won't change by tomorrow :-)
The Flash memory seems to be mapped at 0xBFC00000. The fact that the root filesystem flash address is 0xBFC10100 means that it should be possible to flash a loader-less firmware straight at 0xBFC10000, but I don't know if it's a pure coincidence or if it's on purpose.
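As an added example (not code from the corz.org post, the skaya wiki or any vendor), here is a Python parser and verifier for the 256-byte header laid out above, plus a builder that assembles an image with both checksums recomputed, which is what the manual WinHex edit in the first post amounts to. It assumes the checksum words are stored big-endian and uses Heinz's 14+6-byte split of the version field; the field names and the sample parts in the comments are my own.

```python
import struct
import zlib

HEADER_LEN = 256
DATA_CRC_OFF, HEADER_CRC_OFF = 216, 236   # checksum offsets given in the wiki text
# (name, offset, length) of the 00-padded string fields per the wiki layout; names are mine
FIELDS = [("magic", 0, 4), ("vendor", 4, 20), ("fw_version", 24, 14), ("chip_id", 38, 6),
          ("board_id", 44, 16), ("flag", 60, 2), ("image_len", 62, 10),
          ("loader_addr", 72, 12), ("loader_len", 84, 10), ("rootfs_addr", 94, 12),
          ("rootfs_len", 106, 10), ("kernel_addr", 116, 12), ("kernel_len", 128, 10)]

def bcm_crc(data):
    """'CRC32 with all bits flipped': zlib's CRC32 with its final inversion undone."""
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_header(hdr):
    """Decode the 256-byte header; decimal-string sizes/addresses become ints."""
    out = {}
    for name, off, ln in FIELDS:
        raw = hdr[off:off + ln].split(b"\0", 1)[0]          # strings are 00-padded
        out[name] = int(raw or b"0") if name.endswith(("_len", "_addr")) else raw.decode("latin-1")
    # checksum words assumed big-endian (the SoC is a big-endian MIPS core)
    out["data_crc"] = struct.unpack(">I", hdr[DATA_CRC_OFF:DATA_CRC_OFF + 4])[0]
    out["header_crc"] = struct.unpack(">I", hdr[HEADER_CRC_OFF:HEADER_CRC_OFF + 4])[0]
    return out

def verify_image(image):
    """Return (header_crc_ok, data_crc_ok, sizes_ok) for a whole firmware file."""
    hdr, f = image[:HEADER_LEN], parse_header(image[:HEADER_LEN])
    header_ok = f["header_crc"] == bcm_crc(hdr[:HEADER_CRC_OFF])   # bytes 0..235
    data_ok = f["data_crc"] == bcm_crc(image[HEADER_LEN:])         # byte 256 to EOF
    parts = f["loader_len"] + f["rootfs_len"] + f["kernel_len"]
    sizes_ok = f["image_len"] == len(image) - HEADER_LEN == parts  # wiki: sum of parts
    return header_ok, data_ok, sizes_ok

def build_image(board_id, loader, rootfs, kernel, chip_id="6345", base=0xBFC00000):
    """Assemble header + parts with freshly computed checksums (constructed values)."""
    rootfs_addr = base + 0x10100                    # wiki: rootfs was always at 0xBFC10100
    vals = {"magic": "6", "vendor": "Broadcom Corporation", "fw_version": "Firmware 2.0",
            "chip_id": chip_id, "board_id": board_id, "flag": "1",
            "image_len": len(loader) + len(rootfs) + len(kernel),
            "loader_addr": base if loader else 0, "loader_len": len(loader),  # 0/0 if absent
            "rootfs_addr": rootfs_addr, "rootfs_len": len(rootfs),
            "kernel_addr": rootfs_addr + len(rootfs), "kernel_len": len(kernel)}
    hdr = bytearray(HEADER_LEN)
    for name, off, ln in FIELDS:
        s = str(vals[name]).encode()[:ln]               # numbers written as decimal strings
        hdr[off:off + len(s)] = s
    data = loader + rootfs + kernel
    hdr[DATA_CRC_OFF:DATA_CRC_OFF + 4] = struct.pack(">I", bcm_crc(data))
    hdr[HEADER_CRC_OFF:HEADER_CRC_OFF + 4] = struct.pack(">I", bcm_crc(bytes(hdr[:HEADER_CRC_OFF])))
    return bytes(hdr) + data
```

Because both checksums are plain CRC32 values that anyone can recompute, they only catch corrupted uploads; the upgrade page's check is an integrity check, not an authenticity control.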

acac1313 posted on 2007-3-13 15:50:00


My English is poor and I can't understand it; I hope an expert will translate it!

gouzai posted on 2007-3-13 16:54:16


Nice, nice. This has been my wish all along; it's worth studying.

zane posted on 2007-6-17 16:36:34


Bump. Could an expert translate this?

channingyaho posted on 2007-6-30 02:55:19


Nice, nice. Looks like that 511E has a chance to come back to life.

tq0c10o0 posted on 2007-6-30 21:16:40


So how exactly do you do it~~ for the 511E...
And you don't say what the "alternative" flashing is.. the OP is pretty alternative himself -=-=-=- The following was added by tq0c10o0 on 2007-07-01 08:10pm -=-=-=-
The 511E has no web-page upgrade.. there is a dedicated program for upgrading.. it would be best if that program could be fooled~~ ah

988988 posted on 2008-8-10 00:58:56

Does anyone have the complete firmware of the NETCORE 2505NR as read out with a programmer? That is the firmware "with the low-level files" that, as people on the forum say, can only be read and written with a programmer.
Please send one to me at 988988@mail.gywb.cn    Thanks!
I broke my 2505NR; it's a "brick" now.

keenman posted on 2010-10-13 22:56:23

This makes my head spin! Does anyone know whether there is firmware for the 6348?