Help dumping memory bios/rom on bcm963

Hi!

I'm looking for some help to dump the BIOS/firmware on a bcm963.
I have two of the same devices (switches); on one the firmware is stripped and locked,
and on the other one it's full featured and unlocked.

On the unlocked one I can connect to the serial console and interrupt the boot process; I then get access to the CFE boot loader options:

CFE> help                               
Available commands:                     
                                        
write_reg           Write the register. 
read_reg            Read the register.  
sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash 
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0

Running cfe-tool (https://github.com/openwrt-es/cfe-backup),
I can dump the flash like so:

sudo python2 cfetool.py --serial=/dev/ttyUSB3 --read=boot.brntool_dump --addr=0xb8000000  --size=0x40000

Now my question is: how do I figure out the --addr (start dump address) and the size?

The boot without interrupt looks like this:


CFE version 1.0.37-102.9 for BCM96338 (32bit,SP,BE)
Build Date: Wed Jan  6 14:32:37 CST 2010 (dale@rdserver2.sh.xavi.com.cn)
Copyright (C) 2000-2009 Broadcom Corporation.

flashinit........!
Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
Switch init .........!
   BP_ENET_CONFIG_MDIO
global reset.....!
6185 port reset OK
Switch init successful.........!
CPU type 0x29010: 240MHz
Total memory: 33554432 bytes (32MB)
Boot Address 0xbfc00000


Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id (0-9)                    : 96338W  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : 00:22:07:f8:69:74  
PSI Size (1-64) KBytes            : 24  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Booting from only image (0xbfc10000) ...
Code Address: 0x80010000, Entry Address: 0x801c4000
Decompression OK!
Entry at 0x801c4000
Closing network.
Closing DMA Channels.
Starting program at 0x801c4000
Linux version 2.6.21.5 (dale@rdserver2.sh.xavi.com.cn) (gcc version 4.2.3) #1 Tue Jul 20 10:22:42 CST 2010
Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
96338W prom init
CPU revision is: 00029010
Determined physical RAM map:
 memory: 01fa0000 @ 00000000 (usable)
On node 0 totalpages: 8096
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 31 pages used for memmap
  Normal zone: 3969 pages, LIFO batch:0
Built 1 zonelists.  Total pages: 8033
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
brcm mips: enabling icache and dcache...
Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 8kB, 2-way, linesize 16 bytes.
Synthesized TLB refill handler (21 instructions).
Synthesized TLB load handler fastpath (33 instructions).
Synthesized TLB store handler fastpath (33 instructions).
Synthesized TLB modify handler fastpath (32 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Using 120.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 30088k/32384k available (1500k kernel code, 2296k reserved, 239k data, 80k init, 0k highmem)
KLOB Pool 1 Initialized: 1048576 bytes <0x80200000 ... 0x80300000>
Calibrating delay loop... 238.59 BogoMIPS (lpj=119296)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Total Flash size: 4096K with 71 sectors
File system address: 0xbfc10100
BLOG v1.0 Initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
io scheduler noop registered (default)
PPP generic driver version 2.4.2
NET: Registered protocol family 24
bcm963xx_mtd driver v1.0
brcmboard: brcm_board_init entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX
bcmxtmrt: Broadcom BCM6338A2 ATM Network Device v0.1 Jul 20 2010 10:21:45
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 80k freed
init started:  BusyBox v1.00 (2010.07.20-02:24+0000) multi-call binary


BusyBox v1.00 (2010.07.20-02:24+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.


Loading drivers and kernel modules... 

pktflow: module license 'Proprietary' taints kernel.
Broadcom Packet Flow Cache learning via BLOG enabled.
Created Proc FS /procfs/fcache
Constructed Broadcom Packet Flow Cache v0.1 Feb 26 2009 14:51:53
bcmxtmcfg: bcmxtmcfg_init entry
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6338A2 Ethernet Network Device v0.3 Jul 20 2010 10:21:40
Config Ethernet Switch Through MDIO
6185 reset phy....!
dgasp: kerSysRegisterDyingGaspHandler: eth0 registered 
eth0: MAC Address: 00:22:07:F8:69:74
0x19 0x01 0x3d
enable 100M campatible
Switch MAC Flush!
Switch VTB Flush!
ES678 swled and copper fiber switch module 0.0.1
igmp version 1.6.23.1
M88E6185 software-snooping
xavi_isnooping 2.02 initialised.

===== Release Version 4.02L.03 (build timestamp 100720_1022) =====

Switch MAC Flush!
Switch VTB Flush!
sw vlan_id 0 1
sw vlan_mode 0 0
sw vlan_id 1 1
sw vlan_mode 1 0
sw vlan_id 2 1
sw vlan_mode 2 0
sw vlan_id 3 1
sw vlan_mode 3 0
sw vlan_id 4 1
sw vlan_mode 4 0
sw vlan_id 5 1
sw vlan_mode 5 0
sw vlan_id 6 1
sw vlan_mode 6 0
sw vlan_id 7 1
sw vlan_mode 7 0
sw vlan_id 8 1
sw vlan_mode 8 0
sw vlan_id 9 1
sw vlan_mode 9 0
sw egress_mode 0 0
sw egress_mode 1 0
sw egress_mode 2 0
sw egress_mode 3 0
sw egress_mode 4 0
sw egress_mode 5 0
sw egress_mode 6 0
sw egress_mode 7 0
sw egress_mode 8 0
sw egress_mode 9 0
sw vlan_mode 0 1
sw vlan_mode 1 1
sw vlan_mode 2 1
sw vlan_mode 3 1
sw vlan_mode 4 1
sw vlan_mode 5 1
sw vlan_mode 6 1
sw vlan_mode 7 1
sw vlan_mode 8 1
sw vlan_mode 9 1
sw vlan_id 0 40
now pvid of 0  is 40 
sw vlan_id 1 40
now pvid of 1  is 40 
sw vlan_id 2 40
now pvid of 2  is 40 
sw vlan_id 3 40
now pvid of 3  is 40 
sw vlan_id 4 20
now pvid of 4  is 20 
sw vlan_id 5 20
now pvid of 5  is 20 
sw vlan_id 6 20
now pvid of 6  is 20 
sw vlan_id 7 1
now pvid of 7  is 1 
sw vlan_id 8 1
now pvid of 8  is 1 
sw vlan_id 9 0
now pvid of 9  is 0 
sw vlan_pri 0 0
sw vlan_pri 1 0
sw vlan_pri 2 0
sw vlan_pri 3 0
sw vlan_pri 4 0
sw vlan_pri 5 0
sw vlan_pri 6 0
sw vlan_pri 7 0
sw vlan_pri 8 0
sw vlan_pri 9 0
sw vlan_pri_mode 0 0
sw vlan_pri_mode 1 0
sw vlan_pri_mode 2 0
sw vlan_pri_mode 3 0
sw vlan_pri_mode 4 0
sw vlan_pri_mode 5 0
sw vlan_pri_mode 6 0
sw vlan_pri_mode 7 0
sw vlan_mode 0 1
sw vlan_mode 1 1
sw vlan_mode 2 1
sw vlan_mode 3 1
sw vlan_mode 4 1
sw vlan_mode 5 1
sw vlan_mode 6 1
sw vlan_mode 7 1
sw vlan_mode 8 1
sw vlan_mode 9 1
setvlangroup: sw vtb_add 40 9780123 X78 X90123

setvlangroup: sw vtb_add 20 978456 X78 X9456

setvlangroup: sw vtb_add 44 978 X78 X9

setvlancfg end
initctl pid=-1
cmdLine = initctl -o 1 -h XG6749 -u 1 -p 10.0.1.1 &
mkdir: Cannot create directory `/var/sys': File exists
sw port_enable 0 1
sw port_enable 1 1
sw port_enable 2 1
sw port_enable 3 1
sw port_enable 4 1
sw port_enable 5 1
sw port_enable 6 1
sw port_enable 7 1
sw egress_mode 0 0
sw egress_mode 1 0
sw egress_mode 2 0
sw egress_mode 3 0
sw egress_mode 4 0
sw egress_mode 5 0
sw egress_mode 6 0
sw egress_mode 7 0
sw egress_mode 8 0
sw rate_limiting_disable 0 2
disable port 0 ingress rate limiting
sw rate_limiting_disable 0 1
disable port 0 egress rate limiting
sw rate_limiting_disable 1 2
disable port 1 ingress rate limiting
sw rate_limiting_disable 1 1
disable port 1 egress rate limiting
sw rate_limiting_disable 2 2
disable port 2 ingress rate limiting
sw rate_limiting_disable 2 1
disable port 2 egress rate limiting
sw rate_limiting_disable 3 2
disable port 3 ingress rate limiting
sw rate_limiting_disable 3 1
disable port 3 egress rate limiting
sw rate_limiting_disable 4 2
disable port 4 ingress rate limiting
sw rate_limiting_disable 4 1
disable port 4 egress rate limiting
sw rate_limiting_disable 5 2
disable port 5 ingress rate limiting
sw rate_limiting_disable 5 1
disable port 5 egress rate limiting
sw rate_limiting_disable 6 2
disable port 6 ingress rate limiting
sw rate_limiting_disable 6 1
disable port 6 egress rate limiting
sw rate_limiting_disable 7 2
disable port 7 ingress rate limiting
sw rate_limiting_disable 7 1
disable port 7 egress rate limiting
swis: Port:0 igmp snooping enable
swis: Port:1 igmp snooping enable
swis: Port:2 igmp snooping enable
swis: Port:3 igmp snooping enable
swis: Port:4 igmp snooping enable
swis: Port:5 igmp snooping enable
swis: Port:6 igmp snooping enable
swis: Port:7 igmp snooping enable
sendto: Network is unreachable
device eth0 is not a slave of br0
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
interface eth1 does not exist!
interface eth1 does not exist!
SIOCGIFFLAGS: No such device
SIOCSIFADDR: No such device
Scratch pad is not initialized.
lanstat stat,version 1.1
watchdog using shmId=0
xmlprov:error:16.570:main:2934:xmlprov using shmId=0
send new wan ip
br0 linkup = 1
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
sendto: Network is unreachable

BCM96338 XG6749
Login: sendto: Network is unreachable

Thanks in advance,

I would assume you use "Boot Address 0xbfc00000" and "Parallel flash device: name AM29LV320MB, id 0x2200, size 4096KB".

Which would be:

sudo python2 cfetool.py --serial=/dev/ttyUSB3 --read=mybiosdump.rom --addr=0xbfc00000 --size=0x400000

But when trying to flash this image I get:

CFE> w 192.168.1.101:mybiosdump.rom
Loading 192.168.1.101:mybiosdump.rom ...
Finished loading 400000 bytes
Illegal whole flash image
Finished flashing image.
*** command status = -1
CFE> f 192.168.1.101:mybiosdump.rom
Loading 192.168.1.101:mybiosdump.rom ...
Finished loading 400000 bytes
Firmware tag version [0] is not compatible with the current Tag version [6].
*** command status = -1
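An added example, not from the post or from cfetool: a small Python helper that derives the --addr/--size window from the banner lines quoted in the boot log above and then checks where the Broadcom image tag sits in a dump. It assumes the standard bcm963xx image tag layout (as in OpenWrt's bcm963xx_tag.h) and that CFE reads the tag version as decimal ASCII; the flash bytes it parses are constructed.

```python
import re

# Constructed input: the banner lines from the post's boot log that fix the dump window.
CFE_BANNER = """Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
Boot Address 0xbfc00000
Booting from only image (0xbfc10000) ...
"""

# Byte offset/length of the ASCII fields in the 256-byte Broadcom image tag.
# Assumed layout (as in OpenWrt's bcm963xx_tag.h); only the leading fields are parsed.
TAG_LEN = 256
TAG_FIELDS = {"tag_version": (0, 4), "sig_1": (4, 20), "sig_2": (24, 14),
              "chip_id": (38, 6), "board_id": (44, 16), "big_endian": (60, 2),
              "total_len": (62, 10), "cfe_addr": (72, 12), "cfe_len": (84, 10),
              "rootfs_addr": (94, 12), "rootfs_len": (106, 10),
              "kernel_addr": (116, 12), "kernel_len": (128, 10)}

def dump_window(banner):
    """Derive cfetool --addr/--size: the flash is mapped at the MIPS boot address,
    its size is printed in KB, and the tagged image starts where CFE boots from."""
    base = int(re.search(r"Boot Address (0x[0-9a-f]+)", banner).group(1), 16)
    kb = int(re.search(r"size (\d+)KB", banner).group(1))
    image = int(re.search(r"image \((0x[0-9a-f]+)\)", banner).group(1), 16)
    return {"addr": base, "size": kb * 1024, "image_offset": image - base}

def parse_tag(blob, offset=0):
    """Decode the image tag at `offset`. Returns None when the version field is not
    decimal ASCII (assumed CFE behaviour: bootrom bytes there read as version 0)."""
    tag = blob[offset:offset + TAG_LEN]
    if len(tag) < TAG_LEN:
        return None
    fields = {name: tag[o:o + n].split(b"\0", 1)[0].decode("ascii", "replace")
              for name, (o, n) in TAG_FIELDS.items()}
    return fields if fields["tag_version"].isdigit() else None

def make_tag(version, chip, board, total_len):
    """Build a constructed tag (NUL-padded ASCII fields) to exercise the parser offline."""
    tag = bytearray(TAG_LEN)
    for name, val in (("tag_version", str(version)), ("chip_id", chip),
                      ("board_id", board), ("big_endian", "1"),
                      ("total_len", str(total_len))):
        o, n = TAG_FIELDS[name]
        tag[o:o + len(val)] = val.encode("ascii")
    return bytes(tag)

def describe_dump(blob, window):
    """Classify a dump: tagged firmware image (tag at 0) or whole-flash dump
    (bootloader sector first, tag at the image offset)."""
    if parse_tag(blob, 0):
        return "firmware image (tag at offset 0)"
    if parse_tag(blob, window["image_offset"]):
        return "whole-flash dump (tag at 0x%x)" % window["image_offset"]
    return "unrecognised"
```

Per the boot log, the image CFE boots is at 0xbfc10000 and the file system at 0xbfc10100, so in a whole-flash dump taken from 0xbfc00000 the 256-byte tag sits at offset 0x10000, behind the bootloader sector; a command that expects the tag at offset 0 of the file it is given will read bootrom bytes there instead.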