Boot OpenWrt in a Broadcom device with CFE locked


I'm trying to port Openwrt to a Sercomm FD1018 router and I achieved compiling an Openwrt image. Now comes the test process. Apparently, the procedure is to stop the CFE bootloader and boot the Openwrt image from its command line, but unfortunately it seems to be locked.

Reading the OpenWRT pages of similar devices from the same manufacturer, AD1018 and H500-s, I have found this lines in their bootlog:

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0

The device I'm trying to port doesn't output these lines, it boots directly. I've tried pressing random keys or Ctrl+C during booting but it does nothing, the boot process continues anyway.

So, how can I boot an Openwrt image in this router for testing? I have Linux shell access in the stock firmware, if it can be helpful. If more info is needed, just ask for it.

Thanks in advance

1 Like

Direct SPI flash, or flash new boot loader from OS.

How can I flash the bootloader from the OS? Apparently this would be the easiest way, as I can reuse the bootloader from those similar models.

Flash memory used is a NAND and I don't have a programmer for it, so I leave it as last option.

mtd write or dd or perhaps even cat, if your os supports it.

Note, if your boot loader flash fails, or is done incorrectly, you'll have a new paper weight, after next reboot.

In the wiki page of the AD1018 it seems the bootloader has a recovery mode triggered by pressing the reset button
that should allow to send over a firmware image

Did you try if your device has that? Would be much safer than other options suggested, as if you flash a broken firmware you can still reboot and send another.

My device also has this mode, but I don't know exactly what it flashes and where. I don't know if it overwrites all the flash including the bootloader, or if it just overwrites the operating system partition.

Do you have any idea or guess about how it works? Would you recommend me trying sending directly yhe Openwrt image using this recovery mode?

The embedded OS has cat and dd commands, but not mtd. I have read that cat nor dd are good for writing directly to NAND flash as they don't manage bad blocks, but if there is not other option, this may work.

I have no idea, I suggest to ask the developer of the sercomm-recovery tool used in that article, as he probably knows at least how it works on the original device

mtd is only on OpenWrt I think? The "generic" commands to manipulate NAND (also in busybox upstream) are nanddump and nandwrite. You still probably don't have those.