Help with CFE on BCM63168D0-based Actiontec F2250

I have an Actiontec F2250, which is based on the BCM63168D0 CPU. I have two of them, so I figured I could try flashing a firmware for another router based on the same SoC, the Comtrend VR-3032u. Worst case scenario, I can dump the NAND on my spare one and restore it on this one, right? I flashed the image from the CFE web interface, crossed my fingers, and OpenWrt booted without problems.

However, some things are not as they should be. This image isn't supposed to support wifi, but I also can't seem to get my ethernet ports working. Here's my ip a and ifconfig output:

root@OpenWrt:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 70:f1:96:3a:1b:20 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::72f1:96ff:fe3a:1b20/64 scope link
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 70:f1:96:3a:1b:20 brd ff:ff:ff:ff:ff:ff
    inet brd scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdb7:b6ee:10e8::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::72f1:96ff:fe3a:1b20/64 scope link
       valid_lft forever preferred_lft forever
5: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 70:f1:96:3a:1b:20 brd ff:ff:ff:ff:ff:ff
root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr 70:F1:96:3A:1B:20
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::72f1:96ff:fe3a:1b20/64 Scope:Link
          inet6 addr: fdb7:b6ee:10e8::1/60 Scope:Global
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3080 (3.0 KiB)

eth0      Link encap:Ethernet  HWaddr 70:F1:96:3A:1B:20
          inet6 addr: fe80::72f1:96ff:fe3a:1b20/64 Scope:Link
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:7260 (7.0 KiB)

eth0.1    Link encap:Ethernet  HWaddr 70:F1:96:3A:1B:20
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3080 (3.0 KiB)

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:581 errors:0 dropped:0 overruns:0 frame:0
          TX packets:581 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:45488 (44.4 KiB)  TX bytes:45488 (44.4 KiB)

I have my laptop (static IP) connected with an ethernet cable, but pinging the router gives me "Destination Host Unreachable".

I also thought it might be possible to get an image to the router over USB, but I don't have the necessary kernel modules to mount a USB disk.

I wanted to try flashing another firmware image, but the CFE web interface won't load! I get "Destination Host Unreachable" when the router's in CFE, too. An LED on the board flashes when I ping the router from my laptop, so I know something is getting through, at least.

I'm pretty much stuck here. In sum, I have a router running a semi-functional OpenWrt, I have an extra router of the same model running the stock fw, and I have a stock upgrade image (an upgrade image, so no baked-in CFE). I am able to get a console over serial. Do you have any suggestions for how I can use these resources to get this thing in a state such that I can flash another firmware image?


Does ping from the router work ?

Since the image you use isn't customized for your hardware, try switching ethernet ports.

Disabling the firewall (or set all the rules to ALLOW) might also be an option, just to make
sure not all ports have been assigned to the WAN zone.

You can build your own image, including the modules you require by using the imagebuilder
or compiling your own image from scratch.

1 Like

Hi Ben Kallus, unfortunatelly when you flashed the OpenWrt image via CFE you also flashed a new CFE, the one belonging to VR-3032u with its own ethernet configuration and you ended with a device without ethernet connectivity.

Broadcom images for bcm63xx devices with NAND flashes include a CFE RAM bootloader.

I don't see how you can recover your device. It might be possible if busybox could accept xmodem files via serial interface, but I'm afraid this feature is disabled by default.

Now you have two options:

  • Fix the ethernet connectivity from Openwrt CLI. But it may be not possible.
  • Send a working image via serial with the help of some hacking. E.g using something like this
1 Like

Thanks for the information. I got this router for free, so no major harm done. I'll look into shell_trx, but if all else fails I bet I can write a script to send the usb storage packages byte by byte over serial to the router. On the router's end, I'll write a shell script that reads stdin and writes it to a file. Then I can just opkg install those packages and transfer over the stock image on a USB drive. Does that sound like it'll work?

@frollic ping from the router does not work, and disabling the firewall doesn't work either. I think danitool is right in saying that my only option is serial, or to fix the ethernet config (which I have no idea how to do)

Sure, it will work

Alright, I can now send files to the router over serial. I found an awk script online to decode base64, so I just base64 encoded the stock firmware, then sent it to the router over serial with a .001 second delay between each byte.
Now, I just need to flash it. Can I use mtd, or do I need an image burner program like the one mentioned here?

The coreutils-base64 package comes with base64, and can do that for you as well.

If you don't want to spend time on reencoding the files, install lrzsz, and use the zmodem transfer protocol.

The qkermit package would be another option.

Feel free to share the awk link, good to know that kind of stuff ,)

Yes, mtd can be used to write to partitions.

1 Like

Be very carefull, probably you will only have 1 opportunity once you flash the new image and reboot the device.

Be aware NAND flash chips has OOB data, and CFE doesn like to load the RAM CFE from a partition without jffs2 cleanmarkers.

If you didn't backup the original NAND flash with OOB data, probably the best way to flash your device is to follow this guide

starting at step 3

If you are flashing a whole backup from another router, then you need to cut the backup to discard the ROM partition for flashing over the WFI partition.

If your are flashing the stock firmware, then I have no idea if you need to modify something before flashing. It could be encrypted and not suitable for direct flashing.

Anyway there are lot of chances to end with a totally bricked device.
It might be a better idea to only flash the CFE RAM partition, and double check if the read back is ok.

Thank you very much for writing all that; super helpful.
I'm new to working with embedded systems, so I hope you don't mind if I ask a few more questions:

  1. What is OOB data?
  2. What does the WFI partition do?
  3. /proc/mtd tells me I have a cferom partition and a cferam partition; what's the difference?
  4. Why isn't it safe to dump the entire NAND from my stock router and flash the whole backup onto my other one without cutting it up first?
  5. My two routers are the same model, but the flash chips are different (but same capacity). Will this be an issue if I'm going to restore one from the other's backup?

Thanks again!

Out Of Band data, used in NAND flashes to keep them "sane"

Whole Flash Image, it is a special format used by CFE bootloaders to flash images (including a RAM CFE)

If you mean a whole backup including OOB, the data in this special area may difer from the one on the other router.

Not a problem, but if you decide to flash also OOB data, the scenario for a brick can become worse if the specs are not the same.

If you make a backup from the other router, then do not include the OOB data if you decide to follow the guide for the HG532s. The command

flash_erase -j /dev/mtd1 0 0

Will erase the flash and also adds the clean markers to the OOB data, required for loading the CFE RAM bootloader and ensure a correct flashing over the mtd partition

BTW there were some chips which didn't recreate correctly the OOB data when erasing the flash chip. They were identified when adding support for the Sercomm H-532s. I think @Noltari still didn't fix it. Your chip shouldn't be in this group, otherwise you will end with an unrecoverable brick.

Thanks. In the root directory of the stock firmware image, there's a file called cferam.000. Should I just flash that over the cferam partition? This is my /proc/mtd:

mtd0: 00020000 00020000 "cferom"
mtd1: 07ac0000 00020000 "wfi"
mtd2: 00140000 00020000 "cferam"
mtd3: 03c20000 00020000 "firmware"
mtd4: 00500000 00020000 "kernel"
mtd5: 03720000 00020000 "ubi"
mtd6: 03d60000 00020000 "img2"

binwalking cferam.000 gives me this:

28            0x1C            CFE boot loader
221168        0x35FF0         Copyright string: "Copyright (C) 2000-2011 Broadcom Corporation."
222728        0x36608         HTML document header
222863        0x3668F         HTML document footer
230164        0x38314         CRC32 polynomial table, big endian
251136        0x3D500         HTML document header
252659        0x3DAF3         HTML document footer
252672        0x3DB00         HTML document header
254326        0x3E176         HTML document footer

Does that look like something I can just write to the cferam or cferom partition? If so, which one?

You shouldn't flash cferam.000 directly over any partition, it is the RAM bootloader not a partition. You need to flash a jffs2 partition image containing this file, how this partition is created can be seen in the Openwrt build root sources:

Thank you. I've dug through some of the makefiles, but I'm still pretty fuzzy about a lot of the details. I don't understand the distinction between the cferom and cferam partitions. This is my current (fuzzy) understanding:
cferam is a jffs2 partition with the file cferam.000 in it. When the router boots, I think that cferom is the start point, and that cferom copies cferam into memory and executes it, and then it's cferam's job to jump to the entry point of an OS image. Is that correct?

I'm even more confused by the fact that there is no cferom or cferam partition in the stock firmware image. Here's /proc/mtd on the stock firmware:

dev:    size   erasesize  name
mtd0: 03d40000 00020000 "rootfs"
mtd1: 03d40000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 00020000 00020000 "tag"
mtd5: 00020000 00020000 "tag_update"

cferam.068 is just stored in the root of the filesystem, along with a lzma-compressed kernel. rootfs_update is mounted at /mnt, and contains its own root filesystem with another cferam called cferam.069 and another lzma-compressed kernel. binwalking the stock firmware image I found a cferam.000 in the root of the filesystem. What is the difference between cferam.000 and cferam.068/9? Why is it that openwrt has a cferom partition, but the stock fw doesn't?

Thanks to anyone who read this!