Dumping BCM63xx firmware over serial console

Hi,

There was a similar issue asked already: https://forum.archive.openwrt.org/viewtopic.php?id=66564

Trying once again, maybe someone could answer this time.

I'm trying to dump a Broadcom firmware through the CFE serial console. The cfetool (patched to work with python3) dumps the first 0x100000 bytes and then hangs because the router reboots. The file it produced contained only one pattern, repeated through the whole file: 00 00 02 02 02 00 00 00

Running the CFE command "dm" manually gives the same bytes at address b8000000. The address b9000000 gives a CPU exception:

CFE version 1.0.38-114.170 for BCM96362 (32bit,SP,BE)
Build Date: Thu Jul 10 11:05:46 CEST 2014 (f.bellintani@quelo)
Copyright (C) 2000-2011 Broadcom Corporation.

NAND flash device: name ST NAND512W3A2CN6, id 0x2076 block 16KB size 65536KB
8367 Force MII
8367 Start rtk_port_phyEnableAll_set
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Board Id (0-15)                   : 96362ADVNrtk  
Number of MAC Addresses (1-32)    : 10  
Base MAC Address                  : 00:10:18:00:00:00  
PSI Size (1-64) KBytes            : 24  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
Voice Board Configuration (0-15)  : LE88506  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1


 Port 4 link UP


CFE> 
web info: Waiting for connection on socket 0


CFE> 

CFE> dm b8000000 128
b8000000: 00000202 02000000 00000202 02000000    ................
b8000010: 00000202 02000000 00000202 02000000    ................
b8000020: 00000202 02000000 00000202 02000000    ................
b8000030: 00000202 02000000 00000202 02000000    ................
b8000040: 00000202 02000000 00000202 02000000    ................
b8000050: 00000202 02000000 00000202 02000000    ................
b8000060: 00000202 02000000 00000202 02000000    ................
b8000070: 00000202 02000000 00000202 02000000    ................



*** command status = 0

CFE> dm 802624b0 128
802624b0: 40086000 3c011000 3021001b 01014025    @.`.<...0!....@%
802624c0: 3908001f 60886000 000000c0 3c0a8026    9...`.`.....<..&
802624d0: 250824dc 01000008 00200000 3c288032    %.$...... ..<(.2
802624e0: 25089000 ad000000 2c0b8035 25292158    %.......,..5%)!X
802624f0: 25080004 110afffe ad000000 3c01a032    %...........<..2
80262500: ac2497b0 3c018032 ac2597b8 3c01a032    .$..<..2.%..<..2
80262510: ac2687bc 3c018032 a82797e0 40802000    .&..<..2.'..@. .
80262520: 3c1c802d 279e8000 241d3fe0 03bce821    <..-'...$.?....!



*** command status = 0

CFE> dm 80000000 256
80000000: 3c1b8061 277b68ac 03600008 241a0008    <..a'{h..`..$...
80000010: 00000000 00000000 00000000 00000000    ................
80000020: 00000000 00000000 00000000 00000000    ................
80000030: 00000000 00000000 00000000 00000000    ................
80000040: 80637070 00000000 00000000 00000000    .cpp............
80000050: 00000000 00000000 00000000 00000000    ................
80000060: 00000000 00000000 00000000 00000000    ................
80000070: bfc00000 00000000 00000000 00000000    ................
80000080: 3c1b8060 277b1528 03600008 241a0010    <..`'{.(.`..$...
80000090: 00000000 00000000 00000000 00000000    ................
800000a0: 00000000 00000000 00000000 00000000    ................
800000b0: 00000000 00000000 00000000 00000000    ................
800000c0: 00000000 00000000 00000000 00000000    ................
800000d0: 00000000 00000000 00000000 00000000    ................
800000e0: 00000000 00000000 00000000 00000000    ................
800000f0: 00000000 00000000 00000000 00000000    ................


*** command status = 0

CFE> dm 80000000 1024
80000000: 3c1b8061 277b68ac 03600008 241a0008    <..a'{h..`..$...
80000010: 00000000 00000000 00000000 00000000    ................
80000020: 00000000 00000000 00000000 00000000    ................
80000030: 00000000 00000000 00000000 00000000    ................
80000040: 80637070 00000000 00000000 00000000    .cpp............
80000050: 00000000 00000000 00000000 00000000    ................
80000060: 00000000 00000000 00000000 00000000    ................
80000070: bfc00000 00000000 00000000 00000000    ................
80000080: 3c1b8060 277b1528 03600008 241a0010    <..`'{.(.`..$...
80000090: 00000000 00000000 00000000 00000000    ................
800000a0: 00000000 00000000 00000000 00000000    ................
800000b0: 00000000 00000000 00000000 00000000    ................
800000c0: 00000000 00000000 00000000 00000000    ................
800000d0: 00000000 00000000 00000000 00000000    ................
800000e0: 00000000 00000000 00000000 00000000    ................
800000f0: 00000000 00000000 00000000 00000000    ................
80000100: ac1a0050 ac1b0058 ac1f0060 ac1c0068    ...P...X...`...h
80000110: 8c1a0070 0340f809 00000000 8c1a0050    ...p.@.........P
80000120: 8c1b0058 8c1f0060 8c1c0068 42000018    ...X...`...hB...
80000130: 00000000 00000000 00000000 00000000    ................
80000140: 00000000 00000000 00000000 00000000    ................
80000150: 00000000 00000000 00000000 00000000    ................
80000160: 00000000 00000000 00000000 00000000    ................
80000170: 00000000 00000000 00000000 00000000    ................
80000180: 3c1b8060 277b1528 03600008 241a0020    <..`'{.(.`..$.. 
80000190: 00000000 00000000 00000000 00000000    ................
800001a0: 00000000 00000000 00000000 00000000    ................
800001b0: 00000000 00000000 00000000 00000000    ................
800001c0: 00000000 00000000 00000000 00000000    ................
800001d0: 00000000 00000000 00000000 00000000    ................
800001e0: 00000000 00000000 00000000 00000000    ................
800001f0: 00000000 00000000 00000000 00000000    ................
80000200: 3c1b8060 277b1528 03600008 241a0028    <..`'{.(.`..$..(
80000210: 00000000 00000000 00000000 00000000    ................
80000220: 00000000 00000000 00000000 00000000    ................
80000230: 00000000 00000000 00000000 00000000    ................
80000240: 00000000 00000000 00000000 00000000    ................
80000250: 00000000 00000000 00000000 00000000    ................
80000260: 00000000 00000000 00000000 00000000    ................
80000270: 00000000 00000000 00000000 00000000    ................
80000280: 00000000 00000000 00000000 00000000    ................
80000290: 00000000 00000000 00000000 00000000    ................
800002a0: 00000000 00000000 00000000 00000000    ................
800002b0: 00000000 00000000 00000000 00000000    ................
800002c0: 00000000 00000000 00000000 00000000    ................
800002d0: 00000000 00000000 00000000 00000000    ................
800002e0: 00000000 00000000 00000000 00000000    ................
800002f0: 00000000 00000000 00000000 00000000    ................
80000300: 00000000 00000000 00000000 00000000    ................
80000310: 00000000 00000000 00000000 00000000    ................
80000320: 00000000 00000000 00000000 00000000    ................
80000330: 00000000 00000000 00000000 00000000    ................
80000340: 00000000 00000000 00000000 00000000    ................
80000350: 00000000 00000000 00000000 00000000    ................
80000360: 00000000 00000000 00000000 00000000    ................
80000370: 00000000 00000000 00000000 00000000    ................
80000380: 00000000 00000000 00000000 00000000    ................
80000390: 00000000 00000000 00000000 00000000    ................
800003a0: 00000000 00000000 00000000 00000000    ................
800003b0: 00000000 00000000 00000000 00000000    ................
800003c0: 00000000 00000000 00000000 00000000    ................
800003d0: 00000000 00000000 00000000 00000000    ................
800003e0: 00000000 00000000 00000000 00000000    ................
800003f0: 00000000 00000000 00000000 00000000    ................


*** command status = 0

CFE> dm b9000000 128
**Exception 32: EPC=80606354, Cause=0000801C (BusErrWr )
                RA=8060625C, VAddr=00000000

        0  ($00) = 00000000     AT ($01) = 00000000
        v0 ($02) = B9000000     v1 ($03) = B9000000
        a0 ($04) = 807422C2     a1 ($05) = 807422C2
        a2 ($06) = 80742228     a3 ($07) = 00000008
        t0 ($08) = 80742220     t1 ($09) = 806282A0
        t2 ($10) = 00000001     t3 ($11) = 0000000C
        t4 ($12) = 00000008     t5 ($13) = 00000000
        t6 ($14) = 00000000     t7 ($15) = 3F1B8C86
        s0 ($16) = 00000000     s1 ($17) = 80624D64
        s2 ($18) = 00000080     s3 ($19) = 00000020
        s4 ($20) = B9000000     s5 ($21) = 00000010
        s6 ($22) = 807422B8     s7 ($23) = 00000001
        t8 ($24) = 004E414E     t9 ($25) = 00000020
        k0 ($26) = 80625A78     k1 ($27) = 00000017
        gp ($28) = 80637070     sp ($29) = 807422A8
        fp ($30) = 00000003     ra ($31) = 8060625C


Resetting board in 60 seconds...

Any ideas which address I need to use with the dm command to dump the firmware?

Thanks

Some more info: when it boots it shows this:

Booting from latest image (0xb9f00000) ...
Decompression OK!
Entry at 0x802624b0
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x802624b0

Tried dm b9f00000 16, but it also gives the CPU exception.
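As an added example (this is not code from the thread, nor from cfetool or cfenand): a small Python script that rebuilds a binary image from captured `dm` console lines like the ones above. It re-derives each line's ASCII column from the hex words and compares it with what the console printed (a character dropped by a flaky serial link then fails loudly instead of silently corrupting the image), refuses gaps between consecutive lines, and flags a dump that is one short byte pattern repeated end to end, which is exactly what the b8000000 window above shows and what a real flash image almost never looks like. The two sample inputs are copied from the dm output in this post; the word order assumes the big-endian CFE build shown in the banner ("32bit,SP,BE").

```python
"""Rebuild a binary image from captured CFE `dm` output and sanity-check it."""
import re
from typing import List, Optional, Tuple

# One dm line: 8-hex-digit address, colon, 1..4 big-endian 32-bit words,
# then the printable-ASCII column.  Prompts and status lines do not match.
DM_LINE = re.compile(
    r"^(?P<addr>[0-9a-fA-F]{8}):\s+"
    r"(?P<words>(?:[0-9a-fA-F]{8}\b\s*){1,4})"
    r"(?P<ascii>.*)$"
)

# Sample captures, copied from the dm output in this post.
DM_B8000000 = """CFE> dm b8000000 128
b8000000: 00000202 02000000 00000202 02000000    ................
b8000010: 00000202 02000000 00000202 02000000    ................
b8000020: 00000202 02000000 00000202 02000000    ................
b8000030: 00000202 02000000 00000202 02000000    ................
b8000040: 00000202 02000000 00000202 02000000    ................
b8000050: 00000202 02000000 00000202 02000000    ................
b8000060: 00000202 02000000 00000202 02000000    ................
b8000070: 00000202 02000000 00000202 02000000    ................

*** command status = 0
"""

DM_80000000 = """80000000: 3c1b8061 277b68ac 03600008 241a0008    <..a'{h..`..$...
80000010: 00000000 00000000 00000000 00000000    ................
80000020: 00000000 00000000 00000000 00000000    ................
80000030: 00000000 00000000 00000000 00000000    ................
80000040: 80637070 00000000 00000000 00000000    .cpp............
80000050: 00000000 00000000 00000000 00000000    ................
80000060: 00000000 00000000 00000000 00000000    ................
80000070: bfc00000 00000000 00000000 00000000    ................
80000080: 3c1b8060 277b1528 03600008 241a0010    <..`'{.(.`..$...
80000090: 00000000 00000000 00000000 00000000    ................
800000a0: 00000000 00000000 00000000 00000000    ................
800000b0: 00000000 00000000 00000000 00000000    ................
800000c0: 00000000 00000000 00000000 00000000    ................
800000d0: 00000000 00000000 00000000 00000000    ................
800000e0: 00000000 00000000 00000000 00000000    ................
800000f0: 00000000 00000000 00000000 00000000    ................
"""


def _ascii_column(chunk: bytes) -> str:
    """Render bytes the way dm does: printable ASCII, '.' for everything else."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)


def parse_dm(text: str) -> List[Tuple[int, bytes]]:
    """Parse dm output into (address, bytes) rows, skipping non-dump lines.

    The printed ASCII column is checked against the hex words so that a byte
    mangled in transit over the serial link is detected rather than kept.
    """
    rows: List[Tuple[int, bytes]] = []
    for raw in text.splitlines():
        m = DM_LINE.match(raw.rstrip())
        if not m:
            continue
        addr = int(m.group("addr"), 16)
        chunk = b"".join(bytes.fromhex(w) for w in m.group("words").split())
        printed = m.group("ascii").strip()  # strip: 0x20 bytes print as spaces
        if printed and printed != _ascii_column(chunk).strip():
            raise ValueError(f"ASCII column mismatch at {addr:08x}: {raw!r}")
        rows.append((addr, chunk))
    return rows


def assemble(rows: List[Tuple[int, bytes]]) -> Tuple[int, bytes]:
    """Concatenate rows into one image, refusing gaps or overlaps."""
    if not rows:
        raise ValueError("no dm lines found")
    base, image = rows[0][0], bytearray()
    for addr, chunk in rows:
        want = base + len(image)
        if addr != want:
            raise ValueError(f"discontinuity: expected {want:08x}, got {addr:08x}")
        image += chunk
    return base, bytes(image)


def repeat_period(data: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p such that the whole buffer is data[:p] repeated (at least
    twice); None if not periodic.  A window that is one short pattern end to
    end is a strong sign the address is not mapped to flash contents."""
    for p in range(1, min(max_period, len(data) // 2) + 1):
        if all(data[i] == data[i - p] for i in range(p, len(data))):
            return p
    return None


def assess(text: str) -> dict:
    """Summarise a captured dm window: where it is, how big, and whether it
    is a periodic fill rather than plausible firmware bytes."""
    base, image = assemble(parse_dm(text))
    period = repeat_period(image)
    return {"base": base, "size": len(image), "period": period,
            "periodic_fill": period is not None}


if __name__ == "__main__":
    for name, capture in (("b8000000", DM_B8000000), ("80000000", DM_80000000)):
        print(name, assess(capture))
```

Running it on the two captures reports a period of 8 bytes for the b8000000 window (the 00 00 02 02 02 00 00 00 fill from the first post) and no period for the 80000000 window, which contains real MIPS code and the `.cpp` and `bfc00000` values; the same functions can be fed a full serial log to produce a `.bin` from `assemble(...)[1]` once a window that actually holds flash data has been found.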

Hi @ptlink, the cfetool utility isn't compatible with NAND flash chips. If the dn command is present in the bootloader you can use another tool like this one.

It won't dump the OOB data, and bad blocks, if present, are skipped. Example command for dumping the NAND flash:

python -m cfenand -D /dev/ttyUSB0 -O nand.bin -t 0.05 nand

Does that mean that if the dn command is not available in CFE, then it is not possible to dump the firmware over serial?

CFE> dn
Invalid command: "dn"
Available commands: phy, sm, dm, w, e, r, p, c, i, a, b, reset, force, help

*** command status = -1

It's still possible, i.e. by loading a custom RAM CFE bootloader with the "dn" command included, or U-Boot, but you must compile the bootloader.

You can also compile an OpenWrt RAM version and load it with the "r" command, for example:
r 192.168.1.7:openwrt-ram.elf
The flash won't be touched. Then dump the flash using the NAND tools from the OpenWrt serial console. This is probably the easier method (assuming the NAND flash is correctly recognized by OpenWrt).

Regards
