Boot OpenWrt in a Broadcom device with CFE locked

teknosrp · October 29, 2021, 5:02pm

Hello

I'm trying to port Openwrt to a Sercomm FD1018 router and I achieved compiling an Openwrt image. Now comes the test process. Apparently, the procedure is to stop the CFE bootloader and boot the Openwrt image from its command line, but unfortunately it seems to be locked.

Reading the OpenWRT pages of similar devices from the same manufacturer, AD1018 and H500-s, I have found this lines in their bootlog:

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0

The device I'm trying to port doesn't output these lines, it boots directly. I've tried pressing random keys or Ctrl+C during booting but it does nothing, the boot process continues anyway.

So, how can I boot an Openwrt image in this router for testing? I have Linux shell access in the stock firmware, if it can be helpful. If more info is needed, just ask for it.

Thanks in advance

frollic · October 30, 2021, 6:22am

Direct SPI flash, or flash new boot loader from OS.

teknosrp · October 30, 2021, 9:01am

How can I flash the bootloader from the OS? Apparently this would be the easiest way, as I can reuse the bootloader from those similar models.

Flash memory used is a NAND and I don't have a programmer for it, so I leave it as last option.

frollic · October 30, 2021, 10:27am

mtd write or dd or perhaps even cat, if your os supports it.

Note, if your boot loader flash fails, or is done incorrectly, you'll have a new paper weight, after next reboot.

bobafetthotmail · October 30, 2021, 4:36pm

In the wiki page of the AD1018 it seems the bootloader has a recovery mode triggered by pressing the reset button https://openwrt.org/toh/sercomm/ad1018#recovery
that should allow to send over a firmware image

Did you try if your device has that? Would be much safer than other options suggested, as if you flash a broken firmware you can still reboot and send another.

teknosrp · November 1, 2021, 3:08pm

My device also has this mode, but I don't know exactly what it flashes and where. I don't know if it overwrites all the flash including the bootloader, or if it just overwrites the operating system partition.

Do you have any idea or guess about how it works? Would you recommend me trying sending directly yhe Openwrt image using this recovery mode?

teknosrp · November 1, 2021, 3:18pm

The embedded OS has cat and dd commands, but not mtd. I have read that cat nor dd are good for writing directly to NAND flash as they don't manage bad blocks, but if there is not other option, this may work.

bobafetthotmail · November 2, 2021, 8:25am

I have no idea, I suggest to ask the developer of the sercomm-recovery tool used in that article, as he probably knows at least how it works on the original device https://github.com/danitool/sercomm-recovery

bobafetthotmail · November 2, 2021, 11:14am

mtd is only on OpenWrt I think? The "generic" commands to manipulate NAND (also in busybox upstream) are nanddump and nandwrite. You still probably don't have those.