Install OpenWrt via the serial port

Hello. I need your generous help to understand how to determine the addresses used in OpenWrt installation via the serial port. According to OpenWrt's documentation, the router's flash memory must be freed through this command: erase 0xbf020000 +0x7c0000. What is the name of these addresses? Are they called Offset addresses or have another technical name? 0xbf020000 is the start address where to copy the firmware to, and 0x7c0000 is the firmware size. How could I determine/calculate them? The documentation mentions that the firmware must be saved to the router's RAM through this command: tftpboot 0x81000000 firm.bin. Is the address used in this example specific to certain devices or could be used with any device? If this RAM address is device specific, how could I determine the right address? Thank you for your precious help.

Which device are we talking about?

1 Like

Sagem F@ST2604

This device has only 4MB flash + 16MB RAM, which is insufficient for current OpenWrt. See for details.

If I were you, I would not invest a single minute in getting OpenWrt running on this underspeced device and instead get a new device with sufficient flash + RAM straight away.


There's no way that any recent version will run on 16 MB RAM.


I already read this in the OpenWrt's website. I would like to understand how to calculate/determine the values of these addresses in order to brush up my knowledge. Thank you for the reply, M. TMOMAS. Could you explain me how to determine these values.

I could install an old version of OpenWrt on this device. I like to revive old hardware instead of throwing it away and pollute the environment.

@alex_tony_sekares, welcome to the community!


Boot Address 0xbfc00000

1 Like

If I use this address, I could erase the device's bootloader! I think that the clusters containing the bootloader must be avoided. Please, could you help me find the formula to calculate the address of the firmware size and the start address where to copy the firmware to? Thank you for your help. <3

Then you would use commands to load and boot to memory only. Be advised, you don't have much memory.

If the bootloader has a printenv command or something similar - you may wish to run it.

I didn't think it was necessary to paste everything:

Total memory used by CFE:  0x80401000 - 0x8052A990 (1218960)
Initialized Data:          0x8041E2D0 - 0x80421100 (11824)
BSS Area:                  0x80421100 - 0x80428990 (30864)
Local Heap:                0x80428990 - 0x80528990 (1048576)
Stack Area:                0x80528990 - 0x8052A990 (8192)
Text (code) segment:       0x80401000 - 0x8041E2CC (119500)
Boot area (physical):      0x0052B000 - 0x0056B000
Relocation Factor:         I:00000000 - D:00000000


1 Like

So, it will be safe to copy the firmware to this address: 0x0052B000 which is the beginning of the boot area?

The flash layout seems to be:
Page 0 - Bootloader
Page 1 - kernel begins:

Booting from image (0xbfc10000) ...
Decompression OK!

Page 3F : parameter storage

Addresses 0xbfc0 0000 to 0xbfff ffff are the 4 MB of the flash chip. Addresses 0x8000 0000 to 0x80ff ffff are the 16 MB of the RAM chip.

Unusual the bootloader seems only 64 kB in size but I don't know a lot about Broadcom systems.

I'd consider a neighbor running a b/g only AP to be a form of pollution, but I don't know if it's even possible to bring up WiFi on this hardware with OpenWrt.


Thank you, MK24, for your bounteous assistance. I am extremely obliged to you. Please, could you help me find the formula to calculate the firmware size? Could you tell me what is the technical name of these addresses? <3

"Firmware size" (assuming you mean the partitioning of the flash) is set by the combination of the boot loader passing MTD parameters to the kernel, and/or MTD definitions within the kernel (and/or DTB, if a device-tree kernel).

1 Like

Thank you, M. Jeff, for the reply. The firmware size is the size of the binary file to save to the device's flash according to the documentation. Could you explain how to calculate this value? Should I simply convert the file size in bytes to hexadecimal format?

Echoing the comments of others, 16 MB of RAM is not sufficient to run Linux, and hasn't been for years.

You need to know the partitioning of the flash as set by the OEM so that you don't overwrite anything important. Based on the MTD partitions created in the OEM firmware, you can determine available flash.

Your built firmware needs to be smaller than that amount (which will be less than 4 MB), as well as at least 192 kB for the overlay file system. There is no "formula" to calculate the size of the firmware -- you need to "build it and see".

For example:

$ binwalk openwrt-18.06.4-brcm47xx-legacy-linksys-wrt54g-squashfs.bin 

0             0x0             BIN-Header, board ID: W54G, hardware version: 4702, firmware version: 4.71.71, build date: 2019-06-27
32            0x20            TRX firmware header, little endian, image size: 4395008 bytes, CRC32: 0x70C5B1C8, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x948, rootfs offset: 0x16C000
60            0x3C            gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
2408          0x968           LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: -1 bytes
1490976       0x16C020        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2609438 bytes, 1174 inodes, blocksize: 65536 bytes, created: 2019-06-27 12:18:52

(which is over 4 MB, in this case)

Edit: For what might work, and the limitations found

1 Like

The OpenWrt project released firmwares for this old device. The compiled firmware available for Sagem Fast 2604 is smaller than 4 MB. Theoretically, it should work! Nonetheless, the main hurdle that I face is to determine the right values of the addresses. I need the right start address where to save the firmware to, and I need also to determine the hexadecimal value relative to the size of the firmware file. Many thanks, M. Jeff, for your precious help. <3

Anything prior to 18.06.4 has known, severe, actively exploited security flaws in the kernel, third-party application software, and 802.11 protocols. Use of any of these with any type of wireless or Internet connectivity is unwise, at best, more likely a threat to your security and the security of others (as your insecure router could be easily taken over as part of a botnet, jump point, or C3 to support attacks on others).

Suitable replacements with at least 16 MB of flash, at least 128 MB of RAM, and current wireless support are available starting at around US$20.


I did not know about security holes in older version of OpenWrt. Thank you, M. Jeff, for this information. At any way, I use old hardware like Sagem Fast 2604 to learn and to brush up my knowledge. I do not plan to use it in serious work. The price is not important for me. I could buy a new router. But, this is not my objective because I want to learn.

Because of the tiny size of flash and the unusable size of RAM, I believe you'll be spending most of your time fighting against those, which is not generally valuable. 4/32 devices are at the end of support, 16 MB devices "died" years ago. Some of the people that are very experienced with OpenWrt have struggled getting comparable devices, like the WRT54g, running at all.

For learning how OpenWrt works, you can run it in a VM on your desktop/laptop using an x86_64 image.

For learning how to develop for/with OpenWrt, I'd suggest something that is current and supported with at least 16 MB of flash and at least 128 MB of RAM. A device with a USB port (for a flash stick) is convenient, but not required. A device that is already supported can help you understand how it is supported, before diving into trying to support a different device.

Some relatively inexpensive devices from reputable manufacturers that meet those specs include I2C/GPIO headers, if that was the direction you were headed.