BCM96838 Device - Bootloader CFE

Hello,

I'm trying to do something useful with a BCM96838-based device that is an ISP-provided all-in-one fiber box with GPON, 4 ethernet ports and wifi. I'm fully aware this device will never run OpenWRT in any useful way, but I would like to ask for some help regarding its CFE/bootloader.

Using JTAG I can interrupt the boot process of the device, but it asks for a password. I've never seen anything like this in other Broadcom devices:

Base: 5.2_02A
CFE version 1.0.38-161.138 for BCM96838 (32bit,SP,BE)
Build Date: Fri Jul 24 14:42:24 WEST 2020
Copyright (C) 2000-2015 Broadcom Corporation.

Boot Strap Register:  0x800078ff
Chip ID: BCM68380_B0, MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz
RDP: 800MHz
Main Thread: TP0
Total Memory: 268435456 bytes (256MB)
Boot Address: 0xbfc00000

NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: MXIC MX30LF1G08AA, id 0xc2f1 block 128KB size 131072KB
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Default DTB file name             :   
Board Id                          : [redacted]  
Number of MAC Addresses (1-64)    : 10  
Base MAC Address                  : [redacted]
PSI Size (1-128) KBytes           : 24  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
GPON Serial Number                : [redacted]
GPON Password                     : [redacted]
MC memory allocation (MB)         : 4  
TM memory allocation (MB)         : 36  
DHD 0 memory allocation (MB)      : 20  
DHD 1 memory allocation (MB)      : 0  
DHD 2 memory allocation (MB)      : 0  
WLan Feature                      : 0x00  
Voice Board Configuration (0-1)   : LE9540  
Partition 1 Size (MB)             : 0M  
Partition 2 Size (MB)             : 0M  
Partition 3 Size (MB)             : 0M  
Partition 4 Size (MB) (Data)      : 4M 

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: kkkkk

PASSWD>

web info: Waiting for connection on socket 0.

Now, as you can see, after interrupting the "auto run" it asks for PASSWD>. Interestingly, that last line also points to the built-in webserver for firmware upgrades being enabled.

I tried to access it and it works:

This UI isn't password protected in any way.

Is there anyone with Broadcom experience able to tell me if there's a way to get around the CFE password? Is there a default password? Or any other tip on how I can overcome it?

It doesn't make much sense to have a password-protected bootloader and then also a fully open web UI that can be used to replace the device's firmware.

Thank you.
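As an added example (not code from this thread, from Broadcom or from OpenWrt), here is a small Python parser for the CFE banner and settings dump shown above; it also encodes the two observations the post makes (password-gated console next to an unauthenticated web recovery server, and secrets printed on the console) as checks a device owner could run over a captured boot log. The sample log is a constructed, trimmed copy of the posted output with the redacted values kept as "[redacted]".

```python
# Constructed sample: trimmed copy of the CFE banner and settings dump
# quoted above (sensitive values left as "[redacted]", as in the post).
SAMPLE_LOG = """\
CFE version 1.0.38-161.138 for BCM96838 (32bit,SP,BE)
Chip ID: BCM68380_B0, MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz
Total Memory: 268435456 bytes (256MB)
Board IP address                  : 192.168.1.1:ffffff00
Run from flash/host/tftp (f/h/c)  : f
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
GPON Password                     : [redacted]
Partition 4 Size (MB) (Data)      : 4M

*** Press any key to stop auto run (1 seconds) ***
PASSWD>
web info: Waiting for connection on socket 0.
"""

COLON_COL = 34  # CFE pads every settings key to this width before the ':'


def parse_cfe_log(text):
    """Return banner facts, the settings table and the prompt/server flags."""
    info = {"version": None, "chip": None, "settings": {},
            "password_prompt": False, "web_recovery": False}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("CFE version "):
            info["version"] = line.split()[2]
        elif line.startswith("Chip ID:"):
            info["chip"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("PASSWD>"):
            info["password_prompt"] = True
        elif line.startswith("web info: Waiting for connection"):
            info["web_recovery"] = True
        elif len(line) > COLON_COL and line[COLON_COL] == ":":
            # Settings table line: key padded to column 34, then ": value".
            key = line[:COLON_COL].strip()
            info["settings"][key] = line[COLON_COL + 1:].strip()
    return info


def assess(info):
    """Flag the configuration points raised in the thread, from an owner's view."""
    findings = []
    if info["password_prompt"] and info["web_recovery"]:
        findings.append("console prompt is password-gated but the web recovery "
                        "server is listening without authentication")
    if info["settings"].get("Run from flash/host/tftp (f/h/c)", "f") != "f":
        findings.append("CFE is set to boot from host/tftp instead of flash")
    if "GPON Password" in info["settings"]:
        findings.append("GPON password is echoed in clear text on the serial console")
    return findings
```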

Hi @TCB13, try pressing the "p" key when the ROM bootloader initializes; this is before the output "CFE version 1.0.38-161.138 for BCM9...", etc.

There is some info on the wiki about Broadcom's CFE secure boot.


TCB13,

What I do know is that Broadcom does not have open-source firmware, so using OpenWrt will be a challenge. Most devices have written: xDSL and ATM are NOT SUPPORTED. Not by some binary, nor are there GPL drivers available!
But you are already aware of that :)

Well, if you (or Broadcom) want to protect the bootloader but not the rest of your device, this is a way to do that. If, for example, the wifi firmware is written somewhere in that boot block, you cannot overwrite it.

DG.


@DGdodo ,

Yeah, I know it will not run OpenWrt and I'm aware of the BCM proprietary drivers. My goal was to get into the CFE and dump the router flash so I can explore the firmware.

This router was developed by the ISP and it is totally locked; its WebUI doesn't allow firmware upgrades or any advanced change, not even adding custom IP routes.

@danitool ,

I guess you're talking about this: https://openwrt.org/docs/techref/bootloader/cfe#cfe_secure_boot

I'll test the "p" key soon!

Thank you both.


Hey,

I tried the "p" key and it doesn't seem to do anything except eventually stopping at the password prompt. As you can see in the following log, there are "p"s before the CFE version line:

ppppD%G%@G#[00][00][00]ppHELO
CPUI
L1CI
PLLI
PMCB
HELO
CPUI
L1CI
5.0202A-1.0.38-161.138-ALB-0
DRAM
----
PHYS
ZQDN
PHYE
DINT
TST1
TST2
PASS
----
ZBSS
L12F
MAIN
FPS0
----
PAR0
J002
JFFS
BT02
0001
----
PAR1
J003
JFFS
BT03
0492
----
TRY1
NAN3
JFS2
pRFS2
JFFS
JFS2
ppNAN5


Base: 5.2_02A
CFE version 1.0.38-161.138 for BCM96838 (32bit,SP,BE)
Build Date: Fri Jul 24 14:42:24 WEST 2020 (...)
Copyright (C) 2000-2015 Broadcom Corporation.

Boot Strap Register:  0x800078ff
Chip ID: BCM68380_B0, MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz
RDP: 800MHz
Main Thread: TP0
Total Memory: 268435456 bytes (256MB)
Boot Address: 0xbfc00000

(...)

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1ppp1
ppppenable IH Wan-Wan forwarding...
data_path_go Done!!
Creating CPU ring for queue number 0 with 32 packets descriptor=0x80a95fa0
 Done initializing Ring 0 Base=0xa2615240K End=0xa2615440K calculated entries= 32 RDD Base=2615240K descriptor=0x80a95fa0
Open PHY 1 on MAC 0 : link state = Down

Open PHY 2 on MAC 1 : link state = Down

Open PHY 3 on MAC 2 : link state = Down

Open PHY 4 on MAC 3 : link state = Down

PASSWD>
web info: Waiting for connection on socket 0.[1B][J

PASSWD>pppppppppppppp

I sent the key with Termite set not to send any CR or LF afterwards. With CR/LF I can't even stop the bootloader.

Thank you.

The reason for suggesting this key was this piece of code found in the bootloader:

/*
 *  handle_cfe_abort()
 *
 *  Read uart and if 'p' is pressed
 *  only initialize Flash and jump to cfe prompt
 *  only purpose of this function is recovery
 *  in case if the board hangs or resets
 *  before reaching the real prompt
 *
 */
static void handle_cfe_abort(void)
{
    char interactive = '\0';

    /* Only read if a byte is already waiting on the console UART */
    if (console_status())
    {
        console_read(&interactive, 1);
        if (interactive == 'p')
        {
            printf("*************** CFERAM ABORT DETECTED *************** \n");
            printf("dropping to cfe prompt without board initiliazation\n");
            board_bootdevice_init();   /* bring up the flash only */
            bcm63xx_run_ex(1, 1);
            cfe_set_prompt();
            cfe_command_loop();        /* never returns */
        }
    }
}