Getting an old Cisco 2911 running with OpenWrt

Hey friends, how are you doing.
Fortunately i was able to contribute a little during the process of getting the EAP245 TP-Link supported for OpenWrt. I was able to learn quite a lot.
Now, as i have a lot of time, and beside messing with SoCs and micrcocontrollers i would like to give it a try on some Cisco 2911 routers.
Through my employer i have received a bunch of decommissioned Cisco 2911 as well as Cisco 2921 routers which are quite useless nowadays, due to the lack of licenses.
So i decided to check them out, and for my first try i would like to get a linux kernel running.
I have found information on https://www.linux-mips.org
Through the web archive on linux-cisco.org there are also detailed datasheets about architecture etc. available to this model as well as tools and kernel building instructions.
Unfortunately i am experiencing some initial issues. My current bootloader is lacking the "priv" command in order to get extended access and tools in order to get started.
What would you guys recommend in order to get started? Maybe starting with SPI and reading out the EEPROM, or something else?

This is not meant to be a serious attempt to port OpenWrt, but i would like to try it out, and hopefully learn even more about MIPS, and propieritary hardware.

Thanks in advance!

First steps on unknown devices are always

• find/document SerialPorts, and other connectors on the board.
• find/gather Device Specs.
• make/find HiDef Pictures.
• (attempt to) identify all chips/ICs, make/find/link annotated list with (ideally direct) links.
• attempt to connect to the SerialPort to get Bootup Messages.
• Find/gather/make (links to) Firmware dumps/images.
• Attempt to find existing SDKs/code/WIKIs for this device.
• Compose a post containing at least some of the above, so we can benefit from the research you have already done so far without googling it all again.

So, more info, and perhaps bootup messages would be good. Flash chip image contents, if you can get them, and if the are cleartext.

I would strongly suggest you tear the machines down and post images of the mainboards, making sure to use directional light so that any silkscreened text is readily visible.

Hey, i'm coming back to you guys with some infromation i've gathered.

I'll start with some photos.

Console access is given through the I/O panel using default baud rate.

Source: https://www.cisco.com/c/en/us/td/docs/routers/access/2900/hardware/installation/guide/Hardware_Installation_Guide/Internal_Modules.html#wp1115243

20220415_1843411920×3409 365 KB

20220415_1843441920×3409 314 KB

20220415_1844011920×1081 134 KB

20220415_1849391920×3409 388 KB

20220415_1845391920×2560 556 KB

20220415_1917561920×3409 574 KB

The device uses a bootloader called ROMMON. It's possible to execute some commands in order to boot possible custom images, using the "boot" command. Cisco executables work using the ELF binary format, but in addition to that, a custom e_machine value is necessary in the ELF header.
Every Cisco device has a custom e_machine value, in order to prevent loading an image for another model.

In order to boot into the ROMMON you have to press CTRL + Pause.

RO ROMMON (00000000)

Initializing DRAM
Clearing DRAM 1st 16MB..... done
Performing the Memory POST Test
Testing memory - L2 data cache ECC
Testing memory - L2 instruction cache ECC
Testing memory - ECC DDR memory
Memory POST Test Success



Memory tests are from 0x80403000 to 0x80503000

Testing memory - all 0xffffffff

Testing memory - data equals address

Testing memory - checkerboard

Testing memory - inverse checkerboard

Testing memory - all 0x00000000

Memory test complete -- PASS

Relocating the code to DRAM
Continue initializing the platform
Clearing the rest of 1st 256MB (240MB).....

Clearing next 256MB of On-board DRAM


Memory tests are from 0x80000000 to 0x80403000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS


Memory tests are from 0x80803000 to 0x80B03000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS


Memory tests are from 0x80B23F38 to 0x81000000
Testing memory - all 0xffffffff
Testing memory - data equals address
Testing memory - checkerboard
Testing memory - inverse checkerboard
Testing memory - all 0x00000000
Memory test complete -- PASS

Retrieve board id 4


Reset type is POR

No Frequency Margin

Performing the CPU BIST Test

Testing memory - CPU internal memory
CPU BIST Success

Performing the IOCTRL BIST Test

IOCTRL BIST Success


 Before CFI command

Passed CFI querry string


Value for write(TYP)=6


Value for write(Max)=3


Value for write buffer(TYP)=6


Value for write buffer(Max)=5


Value for erase(TYP)=9


Value for erase(MAX)=3


cfi_write_time = 400


cfi_wr_buf_time = 1000


cfi_erase_time = 7d0000


 After CFI commandInit Rommon Upgrade NVRAM Vars

Compact Flash Initialization


Compact Flash 0 is present


Power recycle of CF 0 successful


CF 1 not present


System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2011 by cisco Systems, Inc.


Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB

Clear Auto Boot

Set up ROMMON TLB

Disable the 3rd level watchdog during mem test

Enable the 3rd level watchdog after mem test

Initialize PCIE Interface and Goofy

Enable EHWIC reference clock

Enable second reference clock source


Read second_ref_clock CLK2 : rc = 1 data [0x6]

Write second_ref_clock CLK2 : rc = 1 data [0x16]

Init Exception

Init Platform Cookie

Other core(s) process 


Sizing NVRAM


Set Up Environmental Data


Validate EEPROM Checksum.

Turn off the 2rd level watchdog

Turn off the 3rd level watchdog

Exiting Init

CISCO2911/K9 platform with 524288 Kbytes of main memory

Main memory is configured to 72/-1(On-board/DIMM0) bit mode with ECC enabled



Readonly ROMMON initialized

rommon 1 > 

Some commands i can execute. There is a "hidden" command "dump", which allows you to hexdump memory blocks. Maybe it can be useful.

rommon 1 > 

rommon 1 > 

rommon 1 > ?

alias               set and display aliases command

boot                boot up an external process

break               set/show/clear the breakpoint

confreg             configuration register utility

cont                continue executing a downloaded image

context             display the context of a loaded image

cookie              display contents of motherboard cookie PROM in hex

dev                 list the device table

dir                 list files in file system

frame               print out a selected stack frame

help                monitor builtin command help

history             monitor command history

iomemset            set IO memory percent

meminfo             main memory information

repeat              repeat a monitor command

reset               system reset

rommon-pref         Select ROMMON

set                 display the monitor variables

showmon             display currently selected ROM monitor

stack               produce a stack trace

sync                write monitor environment to NVRAM

sysret              print out info from last system return

tftpdnld            tftp image download

unalias             unset an alias

unset               unset a monitor variable

hwpart              Read HW resources partition

rommon 2 > iomems      aaaaaaaaaameminfo

------------------------------------------

Current Memory configuration is: 

On-board: Size =  512 MB: Start Phy Addr = 0x00000000_00000000

-------------------------------------------------

Main memory size: 512 MB in 72/-1(On-board/DIMM0) bit mode.

Available main memory starts at 0x81000000, size 507904KB

Smart Init is enabled.

NVRAM size: 256KB


Manufacturer's JEDEC ID code:

On-board: 

rommon 3 > dump

Enter in hex the start address [0x0]:  

Enter in hex the test size or length in bytes [0x0]:  a0x1000

Enter the operation size 'l'ong, 'w'ord, or 'b'yte  [b]:  b

000000  

*** TLB (Load/Fetch) Exception ***

Access address = 0x0

  PC = 0x80416810, SP = 0x80b0fd70, RA = 0x804167a8

  Cause Reg = 0x00000008, Status Reg = 0x504080e3


monitor: command "dump" aborted due to exception

rommon 4 > dev

Devices in device table:

        id  name

   flash0:  compact flash 0            

    flash:  compact flash 0            

   flash1:  compact flash 1            

bootflash:  boot flash                 

usbflash0:  usbflash0                  

usbflash1:  usbflash1                  

    eprom:  eprom                      

rommon 5 > boot

program load complete, entry point: 0x80803000, size: 0x1b340

boot: cannot determine first executable file name ondevice "flash0:"

rommon 6 > e[Ae[Bbooot  t ?


monitor: command "e[Ae[Bboot" not found

rommon 7 > boot 

program load complete, entry point: 0x80803000, size: 0x1b340

boot: cannot determine first executable file name ondevice "flash0:"

rommon 8 > boot eprom:

getdevnum warning: device "eprom" has size of zero

getdevnum warning: device "eprom" has size of zero


Invalid devbase

device does not contain a valid FS

boot: cannot open "eprom:"

boot: cannot determine first executable file name ondevice "eprom:"

rommon 9 > boot usbflash0:

open(): Open Error = -1

usbflash0: not present

rommon 10 > 

Now following the stock bootlog, when having the stock bootloader + stock Cisco IOS image installed.
Starting with *** ROMMON phase, followed by the "OS" phase.

***System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)***
***Technical Support: http://www.cisco.com/techsupport***
***Copyright (c) 2010 by cisco Systems, Inc.***


***Total memory size = 1536 MB - On-board = 512 MB, DIMM0 = 1024 MB***

***CISCO2911/K9 platform with 1572864 Kbytes of main memory***

***Main memory is configured to 72/72(On-board/DIMM0) bit mode with ECC enabled***



***Readonly ROMMON initialized***

***program load complete, entry point: 0x80803000, size: 0x1b340***

***program load complete, entry point: 0x80803000, size: 0x1b340***



IOS Image Load Test 

___________________ 

Digitally Signed Release Software 

program load complete, entry point: 0x81000000, size: 0x695fb18

Self decompressing the image : ################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################## [OK]


Smart Init is enabled

smart init is sizing iomem

                 TYPE      MEMORY_REQ

            SM Slot 1      0x00600000

    Onboard devices &

         buffer pools      0x0228F000 

-----------------------------------------------

               TOTAL:      0x0288F000


Rounded IOMEM up to: 44MB.

Using 2 percent iomem. [44MB/1536MB]



              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706



Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.7(3)M8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Tue 02-Mar-21 07:51 by prod_rel_team


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2911/K9 (revision 1.0) with 1527808K/45056K bytes of memory.
Processor board ID FTX1439A1ZF
4 Gigabit Ethernet interfaces
2 terminal lines
1 Services Module (SM) with Services Ready Engine (SRE)
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)



         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: 

There are 4 slots in order to add additional cards, providing multiple ethernet interfaces, etc.
These are equipped with PCI IDs, and these devics and clocks seem to follow the PCI 2.0 standard + Hotplug capability.
The CPU architecture is still unknown to me, i am suspecting some kind of MIPS architecture.

I was able to extract a lot of content out of the image, and i've found also VxWorks headers, but also a linux kernel uImage.
Is it maybe possible to enforce the GPL part of the license, and ask for disclosure of the GPL part of their software?

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
5541956       0x549044        Linux kernel version 2.6.32
5556368       0x54C890        gzip compressed data, maximum compression, from Unix, last modified: 2016-08-05 10:05:09
5664992       0x5670E0        DES SP2, big endian
5665504       0x5672E0        DES SP1, big endian
5687868       0x56CA3C        CRC32 polynomial table, little endian
5707524       0x571704        Copyright string: "Copyright (c) 1999-2006 Intel Corporation."
6118192       0x5D5B30        Unix path: /dev/vc/0
6172053       0x5E2D95        Copyright string: "copyright (C) 1996 okir@monad.swb.de)."
6374827       0x6145AB        Copyright string: "Copyright (c) 1999-2008 Intel Corporation."
6379640       0x615878        Copyright string: "Copyright(c) 1999-2006 Intel Corporation"
6421278       0x61FB1E        Copyright string: "Copyright(c) Pierre Ossman"
6455856       0x628230        Neighborly text, "NeighborSolicits/ipv6/xfrm6_mode_transport.c"
6455876       0x628244        Neighborly text, "NeighborAdvertisementsnsport.c"
6457455       0x62886F        Neighborly text, "neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)(%s)"
6877184       0x68F000        ASCII cpio archive (SVR4 with no CRC), file name: "/dev", file name length: "0x00000005", file size: "0x00000000"
6877300       0x68F074        ASCII cpio archive (SVR4 with no CRC), file name: "/dev/console", file name length: "0x0000000D", file size: "0x00000000"
6877424       0x68F0F0        ASCII cpio archive (SVR4 with no CRC), file name: "/root", file name length: "0x00000006", file size: "0x00000000"
6877540       0x68F164        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"
6934024       0x69CE08        gzip compressed data, maximum compression, has original file name: "/ws/colbywen-sjc/patriot_2/modlnx/patriots/tmp/work/freescale-p1021mds-mv-linux/linux-2.6.32-1104131701/linux-2.6.32/fs/proc/sta", last modified: 2011-09-23 18:13:40
7204864       0x6DF000        ELF, 32-bit MSB shared object, PowerPC or cisco 4500, version 1 (SYSV)

Images can be obtained through the internet, let's say when you search for " c2900-universalk9-mz.SPA.152-1.GC.bin
I think it's not allowed to link them here.

Some interesting things i've found in the Cisco IOS image as well.
Maybe referring to the CPU in use?
The following lines are not ordered correctly, and are only a little extract of the complete binwalk.

163848060     0x9C41F7C       Broadcom 96345 firmware header, header size: 256, board id: "   hash... What? %d?", ~CRC32 header checksum: 0x52534100, ~CRC32 data checksum: 0x20202020
126079396     0x783D1A4       U-Boot version string, "U-Boot 1.1.1 (Development build) (Build time: Nov  1 2010 - 15:49:00)"

126376732     0x7885B1C       Broadcom firmware header dcom 5400. Model: rdes State %s --> %s (%s). Firmware version:  (%s).
126376748     0x7885B2C       Broadcom firmware header dcom 5401. Model: > %s (%s). Firmware version: N.
165166580     0x9D83DF4       ELF, 32-bit MSB MIPS32 rel2 executable, MIPS, version 1 (SYSV)
166741188     0x9F044C4       uuencoded data, file name: "", file permissions: "644"
166748812     0x9F0628C       Unix path: /usr/local/Cavium_Networks/toolchain/src/newlib/libc/sys/octeon/octeon-coremask.c
167181808     0x9F6FDF0       SHA256 hash constants, big endian
167182476     0x9F7008C       AES S-Box
167183276     0x9F703AC       AES Inverse S-Box
167191184     0x9F72290       CRC32 polynomial table, little endian
167198608     0x9F73F90       SQLite 3.x database,, user version 67240450
167323520     0x9F92780       Zip archive data, at least v2.0 to extract, compressed size: 246131, uncompressed size: 801462, name: san2/CPY-v157_3_m_throttle.V157_3_M8/vob/ios/sys/nms/canis/canis_sm_fpga.bin
167569879     0x9FCE9D7       End of Zip archive, footer length: 22
167569904     0x9FCE9F0       Zip archive data, at least v2.0 to extract, compressed size: 116791, uncompressed size: 402936, name: san2/CPY-v157_3_m_throttle.V157_3_M8/vob/ios/sys/nms/pse/pse_sm_fpga.bin
167686915     0x9FEB303       End of Zip archive, footer length: 22
167690368     0x9FEC080       uImage header, header size: 64 bytes, header CRC: 0xA10BCD39, created: 2016-08-05 10:46:09, image size: 9325999 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x7630D6E8, OS: Linux, CPU: PowerPC, image type: Multi-File Image, compression type: gzip, image name: "Kernel + Pivot Root Helper initr"

I have formatted one of my legacy USB 250M drives, and i have put the linux.bin onto it.
I've tried to boot it, it didn't work. But at least it shows the possibility to boot something.

rommon 3 > boot usbflash0:
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0
loadprog: bad file magic number:      0x0
boot: cannot load "usbflash0:"

Lots of info! Nice quantity of RAM and IO/Ports.

What is the lsusb output when hooking up the MicroUSB port, if any?

The binwalk mentions a PowerPC uImage, and U-Boot. Have you tried extracting those already, and attempted to glean the CPU arch from it?

Each of the addon-on cards might also run a "complete OS", maybe the PowerPC linux image is for one of them, if you strongly suspect the main CPU to be something MIPS, not PPC.

A compact flash card is mentioned, have you tried dumping that?

So, you are sure, that the platform is meant to be able to support NonCisco-binaries? Even without replacing flash contents/chips?

Alright lsusb says:

Bus 003 Device 031: ID 05a6:0009 Cisco Systems, Inc. Cisco USB Console

Here's some result of someone, trying to run Linux on a Cisco 3600 switch (but they are older).
Flashing something without risking a brick is not an issue, i can flash anything and try it out.

Regarding the PowerPC Linux kernel you were right, i was able to check some logs. The Linux kernel is only responsible for an additional storage unit which can be installed, providing RAID capability. Not default.

The compact flash drive was empty, it has been used to provide a TFTP server in this case. But it can be equipped as well with some sort of ELF executable.

Attempting to load file openwrt-c3600-vmlinux.elf
Booting openwrt-c3600-vmlinux.elf.
Loaded 3527696 bytes at 80365410.
Kicking into Linux.
Linux version 2.6.27.10 (ffainelli@jumper) (gcc version 4.1.2) #1 Wed Jan 7 21:32:08 CET 2009
Cisco 3620 Multiservice Router with 131072kB of RAM.
console [early0] enabled
CPU revision is: 00002110 (R4700)
FPU revision is: 00002110
Determined physical RAM map:
 memory: 08000000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Zone PFN ranges:
  Normal   0x00000000 -> 0x00008000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00008000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
Kernel command line: root=/dev/mtdblock2 rootfstype=squashfs,jffs2 init=/etc/preinit noinitrd console=ttyS0,115200console=ttyS0,62
Primary instruction cache 16kB, VIPT, 2-way, linesize 32 bytes.
Primary data cache 16kB, 2-way, VIPT, cache aliases, linesize 32 bytes
PID hash table entries: 512 (order: 9, 2048 bytes)
MIPS counter frequency: 40008530Hz
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 126292k/131072k available (1807k kernel code, 4608k reserved, 298k data, 1208k init, 0k highmem)
Calibrating delay loop... 79.61 BogoMIPS (lpj=159232)
Mount-cache hash table entries: 512
net_namespace: 592 bytes
NET: Registered protocol family 16
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
NET: Registered protocol family 1
audit: initializing netlink socket (disabled)
type=2000 audit(2.610:1): initialized
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (SUMMARY)  © 2001-2006 Red Hat, Inc.
msgmni has been set to 247
io scheduler noop registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver2 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0x1e840000 (irq = 5) is a 16550A
console handover: boot [early0] -> real [ttyS0]
TCP bic registered
NET: Registered protocol family 17
Freeing unused kernel memory: 1208k freed
[sighandler]: No more events to be processed, quitting.
[cleanup]: Waiting for children.
[cleanup]: All children terminated.
- preinit -
Press CTRL-C for failsafe

Please press Enter to activate this console. PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
nf_conntrack version 0.5.0 (2048 buckets, 8192 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon. Plase use
nf_conntrack.acct=1 kernel paramater, acct=1 nf_conntrack module option or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.



BusyBox v1.11.3 (2009-01-04 14:32:11 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r13923) -------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
 ---------------------------------------------------
root@OpenWrt:/#

I have also retrieved some output regarding the platform itself on the device.
Output of "show platform"
Due to it's size it's on pastebin.

Is there maybe anything useful you want me to paste from these show commands below?

Router#show ?
  aaa                       Show AAA values
  access-expression         List access expression
  access-lists              List access lists
  acircuit                  Access circuit info
  adjacency                 Adjacent nodes
  aliases                   Display alias commands
  alignment                 Show alignment information
  alps                      Alps information
  application               Application Routing
  archive                   Archive functions
  arp                       ARP table
  async                     Information on terminal lines used as router
                            interfaces
  authentication            Shows Auth Manager registrations or sessions
  auto                      Show Automation Template
  autoupgrade               Show autoupgrade related information
  backhaul-session-manager  Backhaul Session Manager information
  backup                    Backup status
  banner                    Display banner information
  bcm560x                   BCM560x HW Table
  beep                      Show BEEP information
  bfd                       BFD protocol info
 --More--           bgp                       BGP information
  bridge                    Bridge Forwarding/Filtering Database [verbose]
  bridge-domain             Bridge-domain
  bsc                       BSC interface information
  bstun                     BSTUN interface information
  buffers                   Buffer pool statistics
  bulkstat                  Bulkstat show commands
  cache                     Shows Device-Sensor Cache Informations 
  calendar                  Display the hardware calendar
  call                      Show call
  call-home                 Show command for call home
  caller                    Display information about dialup connections
  capability                Capability Information
  cca                       CCA information
  cce                       Common Classification Engine (CCE)
  cdapi                     CDAPI information
  cdp                       CDP information
  cef                       CEF address family independent status
  checkpoint                Checkpoint Facility (CF)
  cisp                      Shows CISP information
  class-map                 Show CPL Class Map
  clns                      CLNS network information
  clock                     Display the system clock
 --More--           cls                       DLC user information
  cns                       CNS agents
  compress                  Show compression statistics
  configuration             Contents of Non-Volatile memory
  connection                Show Connection
  context                   Show context information about recent crash(s)
  control-plane             Control Plane information
  controllers               Interface controller status
  cops                      COPS information
  credentials               Show credentials service configuration
  crm                       Carrier Resource Manager info
  crypto                    Encryption module
  csdb                      Show CSDB Information
  cts                       Cisco Trusted Security information
  cwmp                      Show CPE WAN Management Protocol(cwmp) information
  dampening                 Display dampening information 
  data-corruption           Show data errors
  database                  Show Database
  dcm                       Data Collection Manager Core Details
  debugging                 State of each debugging option
  decnet                    DECnet information
  derived-config            Derived operating configuration
  device-sensor             Shows Device Sensor Information 
 --More--           dhcp                      Dynamic Host Configuration Protocol status
  diag                      Show diagnostic information for port
                            adapters/modules
  dialer                    Dialer parameters and statistics
  dlep                      Show dlep commands
  dlsw                      Data Link Switching information
  dmvpn                     Display DMVPN session related information
  dnsix                     Shows Dnsix/DMDP information
  domain                    Domain Show Commands
  dot1q-tunnel              Display dot1q tunnel ports
  dot1x                     Dot1x information
  drip                      DRiP DB
  dspfarm                   Display DSPFARM related information 
  dspu                      Display DSPU information
  dtp                       DTP information
  dxi                       atm-dxi information
  eap                       Shows EAP registration/session information
  ecfmpal                   Show ECFM Commands
  eigrp                     EIGRP show commands
  energywise                EnergyWise show commands
  entry                     Queued terminal entries
  environment               Environmental monitor statistics
  errdisable                Error disable
 --More--           eswilp                    Marvel ATU & VTU table dump
  etherchannel              EtherChannel information
  ethernet                  Ethernet parameters
  event                     Embedded event related commands
  event-manager             Event manager information
  exception                 exception information
  fallback                  Display Fallback configuration
  fastblk                   fastblk memory information
  fhrp                      FHRP information
  file                      Show filesystem information
  flash0:                   display information about flash0: file system
  flash1:                   display information about flash1: file system
  flash:                    display information about flash: file system
  flow                      Flow information
  flow-sampler              Display the flow samplers configured
  format                    Show format information
  frame-relay               Frame-Relay information
  fras                      FRAS Information
  fras-host                 FRAS Host Information
  funi                      FUNI information
  glbp                      GLBP information
  hardware                  Hardware specific information
  history                   Display the session command history
 --More--           hosts                     IP domain-name, lookup style, nameservers, and host
                            table
  html                      HTML helper commands
  id-manager                ID pool manager
  idb                       List of Interface Descriptor Blocks
  identity                  Identity profiles and policies
  idmgr                     IDMGR interaction
  if-mgr                    if-mgr information
  interfaces                Interface status and configuration
  inventory                 Show the physical inventory
  ip                        IP information
  ipam                      IP Addr Mgr (IPAM) information
  ipc                       Interprocess communications commands
  iphc-profile              Show IPHC Profile
  ipv6                      IPv6 information
  isis                      IS-IS routing information
  iua                       ISDN User Adaptation Layer information
  key                       Key information
  keymap                    Terminal keyboard mappings
  keystore                  Show keystore information
  kron                      Kron Subsystem
  l2protocol-tunnel         Display L2PT status and configurations
  l3vpn                     l3vpn encapsulation ip commands
 --More--           l4f                       L4F details
  lat                       DEC LAT information
  license                   Show license information
  line                      TTY line information
  lisp                      Locator/ID Separation Protocol
  llc2                      IBM LLC2 circuit information
  lldp                      LLDP information
  local-ack                 Local Acknowledgement virtual circuits
  location                  Display the system location
  logging                   Show the contents of logging buffers
  login                     Display Secure Login Configurations and State
  mab                       MAB information
  mac-address-table         MAC forwarding table
  macdb                     show MAC database
  mace                      Measurements Aggregation and Correlation Engine
  management                Display the management applications
  mdf                       Show the names of configured EMM menus
  mdns                      MDNS feature
  mediatrace                Mediatrace show commands
  memory                    Memory statistics
  mfib                      MFIB address family independent status
  microcode                 show configured microcode for downloadable hardware
  mls                       Show MultiLayer Switching information
 --More--           modem-pool                Display modem pool information
  modemcap                  Show Modem Capabilities database
  monitor                   Monitoring different system events
  mpls                      MPLS information
  mtm                       MTM
  mwi                       mwi related information
  nat64                     NAT64 information
  nbf                       NBF (NetBEUI) information
  ncia                      Native Client Interface Architecture
  netbios-cache             NetBIOS name cache contents
  netconf                   Show NETCONF information
  network-clocks            Network clocks information
  nhrp                      Display NHRP related information
  nmsp                      nmsp show commands
  node                      Show known LAT nodes
  ntp                       Network time protocol
  object-group              List object groups
  odb                       Opaque Database
  odm-format                Show the schema used for ODM input file
  ospfv3                    OSPFv3 information
  pagp                      Port channel information
  parameter-map             parameter map information
  parser                    Display parser information
 --More--           pas                       Port Adaptor Information
  pci                       PCI Information
  performance               Media Monitor show commands
  persistent                Show persistent information
  platform                  Displays platform information
  pm                        Show Port Manager commands
  pnp                       Display PNP information
  policy-manager            Policy Manager
  policy-map                Show Policy Map
  ppp                       PPP parameters and statistics
  pppatm                    PPP over ATM
  pppoe                     PPPoE information
  printers                  Show LPD printer information
  privilege                 Show current privilege level
  processes                 Active process statistics
  profile                   Media services profile application
  protocols                 Active network routing protocols
  qdm                       Show information about QoS Device Manager
  qllc                      Display qllc-llc2 and qllc-sdlc conversion
                            information
  qos                       Quality of Service show commands
  r2cp                      Show r2cp commands
  radius                    Shows radius information
 --More--           rbscp                     RBSCP information
  redundancy                Redundancy Facility (RF) information
  region                    Region Manager Status
  registry                  Function registry information
  reload                    Scheduled reload information
  resource                  Display Resource Usage/Relations and more details
  rhosts                    Remote-host+user equivalences
  rib                       Routing Information Base
  rif                       RIF cache entries
  rlm                       Show RLM
  rmon                      rmon statistics
  rom-monitor               show ROMMON region information
  route-map                 route-map information
  route-tag                 route-tag information
  rpl                       RPL protocol status
  rudpv1                    Rudpv1 information
  running-config            Current operating configuration
  sampler                   Sampler information
  sasl                      show SASL information
  scp                       SCP commands
  sctp                      SCTP information
  sdllc                     Display sdlc - llc2 conversion information
  secure                    Show secure image and configuration archive
 --More--           service-overlay           Service Overlay show commands
  service-routing           Service-Routing show commands
  services                  LAT learned services
  sessions                  Information about Telnet connections
  sgbp                      SGBP group information
  smf                       Software MAC filter
  sna                       Display SNA host information
  snap                      Show information on SNAP server
  snapshot                  Snapshot parameters and statistics
  snasw                     SNASW show commands
  snmp                      snmp statistics
  sntp                      Simple network time protocol
  sockets                   Socket Details
  software                  List software information
  source-bridge             Source-bridge parameters and statistics
  spanning-tree             Spanning tree topology
  ssh                       Status of SSH server connections
  ssm                       Segment Switching Manager Status
  stacks                    Process stack utilization
  standby                   Hot Standby Router Protocol (HSRP) information
  startup-config            Contents of startup configuration
  storm-control             Show packet storm control configuration
  stun                      STUN status and configuration
 --More--           subscriber                Subscriber Service Switch Information
  subscriber-policy         Subscriber policy
  subsys                    Show subsystem information
  table-map                 Show Table Map
  tacacs                    Shows tacacs+ server statistics 
  tarp                      TARP information
  tcp                       Status of TCP connections
  tdm                       TDM connection information
  tech-support              Show system information for Tech-Support
  template                  Template information
  terminal                  Display terminal configuration parameters
  test_rib_access           RIB_ACCESS TEST info
  time-range                Time range
  tn3270                    TN3270 settings
  topology                  Topology instance information
  track                     Tracking information
  translate                 Protocol translation information
  trunk                     Trunk Group info
  ttycap                    Terminal capability tables
  tunnel                    Show configured tunnels
  ucse                      UCSE
  udp                       UDP Details
  usb                       USB Interface
 --More--           users                     Display information about terminal lines
  vc-group                  Show VC Group
  version                   System hardware and software status
  video                     video quality monitoring
  vlan-range                VLAN Range
  vlan-switch               VTP VLAN status
  vlans                     Virtual LANs Information
  vmi                       Show vmi commands
  vnet                      Virtual NETwork instance information
  vofm                      Display Video Opt Flow Manager information
  vpdn                      VPDN information
  vrf                       VPN Routing/Forwarding instance information
  vrrp                      VRRP information
  vtemplate                 Virtual Template interface information
  vtp                       VTP information
  waas                      IOS Wide Area Application Services
  warm-reboot               Show Warm Reboot related information
  wccp                      WCCP information
  whoami                    Info on current tty line
  wrr-queue                 WRR queue
  wsma                      Show Web Services Management Agents information
  x25                       X.25 information
  x28                       X.28 rotary information
 --More--           x29                       X.29 information
  xconnect                  Xconnect information
  xos                       Cross-OS Library Information and Traces
  xsd-format                Show the ODM XSD for the command

Router#show      aa

I have seen someone executing an ELF "Hello World" program through the Rommon, so it seems to be possible to execute NonCisco binaries as well, putting some effort into it.

EDIT:

I have seen, my platform is quite similar to the C3600 series. And some people seem to have developed something already.
https://web.archive.org/web/20100923194424/http://www.linux-cisco.org/~philippe/cisco-linux/
Unfortunately these downloads aren't reachable anymore, so i think i have to start over from scratch.

Only thing left i've found is the patch file from them.
http://downloads.openwrt.org/people/florian/c3600/openwrt-c3600-r14994.diff and kernel patch.
https://pastebin.com/jzgrPfc8

EDIT2:

I was at least able to get their "Hello World" program downloaded. I think it's already kinda success.
I'll adjust the e_machine value, and let's see. If it works, maybe i can get the kernel built somehow.

rommon 2 > boot usbflash0:
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0
loadprog: error - Invalid image for platform
e_machine = 30, cpu_type = 194 
boot: cannot load "usbflash0:"

I have edited the e_machine value using hex editor to 0xC2

boot usbflash0:
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0


IOS Image Load Test 
___________________ 
Unsigned Image Found, bailing out 
Signature DID NOT VERIFY
boot: cannot load "usbflash0:"

I think the next big step is to get around this verifiying process.

If someone is willing to contribute somehow, let me know, i'll send you one of these devices for free. At least in the EU it would be feasible.

This is a MIPS R4700.

One of the biggest challenges I think you will face with R4700 MIPS (MIPSIII) is going to be rewriting legacy init setup into device trees (and having arch-specific parsing for all of your device trees). Since is the only project I can see supporting anything like this, I imagine that's going to be a lot of work

One more comment: GNS3 can run full IOS images -- not sure if that'd work for the 2911, but it's all MIPS. You should be able to see what sort of virtualization platform that uses in order to turn around and test OpenWrt images, if you can build them.

Further edit: OK ... upon re-examination, this looks like some cursed, smashed-together MIPS64 OCTEON-I hodge-podge -- and, yep, it's an octeon.

Thanks a lot! Yep i think that's this chip.
I have found this project here, they were able to run.

Unfortunately i am still struggeling to build this one, i didn't mess a lot with cross-compile toolchains, and i got Debian 11 running.

Also these guys seemed to have some kind of positive results, so they are running the same CPU.
https://web.archive.org/web/20120109123924/http://www.linux-cisco.org:80/index.php/Cisco_3600_Series

I think it will be a lot of work, i think i won't be able to do all of it due to my lack of knowledge, but maybe there will be some assistance by experienced people. At least my current goal is to get a running Linux kernel.

Is there maybe anyone, in order to assist me with cross-compiling this cilo project, as well as applying the kernel patch in order to compile a kernel?

EDIT: Yep i m sure it's an octeon. That's what i've found using binwalk.

166748812     0x9F0628C       Unix path: /usr/local/Cavium_Networks/toolchain/src/newlib/libc/sys/octeon/octeon-coremask.c

According to Debian, this MIPS CPU should be supported, or at least Cavium Octeon MIPS32 and MIPS64.

Hello,

According to [https://gcc.gnu.org/onlinedocs/gcc/MIPS-Options.html] (https://gcc.gnu.org/onlinedocs/gcc/MIPS-Options.html) you can set the -march compile time switch to

-march=r4700 to get GCC to compile for that processor.

Kind regards,
Tony

Hello @Knogle

It seems like CILO is a ROMMON replacement that can load multiple segment ELF files, which will also allow the router to load either Cisco IOS or new software (such as OpenWRT).
- your linked archive page about C3600 says:
"ROMMON
The Cisco 3600 series have a fairly `standard' ROMMON. The ROMMON prompt can be accessed by hitting BREAK during boot (c-A F in Minicom). The priv command is available for the Cisco 3600 routers. Calculate your priv password based on your cookie here [3].

CILO, the bootloader used for the Cisco 3600 Series, boots directly from ROMMON before loading a kernel."

Looking at the CILO GIT site, it seems like you will need to add Cisco 2911 to the Mach folder https://git.bocc.de/jochen/cilo/src/branch/master/mach in order for it to have specific support for the hardware. There are 3 that are already supported (C1700, C3600, and C7200) so those can be copied to produce the start.S file and the files needed for IO support.

https://git.bocc.de/jochen/cilo/src/branch/master/DEVELOPMENT explains about how to add new platforms to CILO.

It might be worth trying to get CILO working first, and then OpenWRT can be second.
- CILO would allow you to test your build environment, and the information you work out for CILO would be what you also need for OpenWRT.

Kind regards,
Tony

Hello @Knogle

You might want to use tools like readelf , see https://en.wikipedia.org/wiki/Readelf available on Linux see https://man7.org/linux/man-pages/man1/readelf.1.html , because that should give some definite information about the Cisco IOS and what processor it is built for.
- see https://en.wikipedia.org/wiki/Executable_and_Linkable_Format for information about what information will be in the ELF file.

Kind regards,
Tony

Thanks for your replies.
I have gone through these steps as well. I was able to compile matching binaries already for this processor, that's not an issue, and works fine using the mips-toolchain.
Unfortunately the most important step is to get CILO compiled. Thanks for your help already, but could you check out, if you get something compiled out of the CILO repo? The CPU arch in my 2911 is matching the C1700 one and is able to execute this code as well. Checked it out with some lines of C code compiled for C1700 and tested on both.

@Knogle I was wondering if there was any update or progress since the last post ?

Hey, i hope you are doing fine.
Unfortunately not. Because i wasn't able to properly build a GCC Crosscompiler and compile the CILO code yet, otherwise there should be no issue.
Patches for OpenWrt are also already in place.

Cool.
The OpenWRT patches are merged to the mainline then ?
Is the CILO source available somewhere ?

The repo itself is offline unfortunately, but i've cloned it before going down.
Also reached out to the developer, but unfortunately he has no idea on how to compile it after 15 years.
So here you go.
Getting this to work, would be the next major step.

That's great, thanks, at least not starting from zero.
The device I am currently looking at is actually a PowerPC architecture, but this will be an excellent start.
I also have a couple of Cisco 1921 routers that I believe are mips64 based

Can you run sh ver on them?
I also think the code from dynamips might be interesting, which emulates MIPS Cisco Code in GNS3.

But maybe we can get the CILO working

I think I will be able to run sh ver on some of the devices that already have IOS installed, I am awaiting delivery of a CF card for the C1811 as they didn't have any when I got them, I found some old images online.
I have made some minor changes to printf to remove inline which prevents the object code from being generated in the transaltion unit, the Makefile to disable stack frame checks, force some arguments to be passed to the linker and removed a few warning and it appears to build under mips, I will try the PowerPC next.

image754×70 3.39 KB

BTW, it would be great to have clone access to the repo, of have it uploaded to GitHub so I can fork it or push directly