Repacking Broadcom CFE firmware update image

For Developers
1

Hello! :slight_smile:

I'm trying to unpack and rebuild a Broadcom based router firmware image (for a Tenda RX3), using ubireader_*, ubinize and mkimage tools. It mostly works, but for some reason the router does not seem to accept the UBI image generated by ubinize.

What I'm trying to do:

  1. Start from a factory firmware (update) image of the router. This is a .bin file apparently in u-boot legacy format (64 byte header + UBI image).
  2. Extract the raw UBI image using dd.
  3. Extract the UBI volumes using ubireader_extract_images. There are 4 volumes in total: rootfs_ubifs, METADATA, METADATA_COPY, filestruct_full.bin.
  4. Rebuild the UBI image using ubinize.
  5. Rebuild the firmware image using mkimage (+change the product id bytes in the resulting image)
  6. Try to upload the firmware image using the Broadcom CFE recovery web interface.

What results I get:

  • The factory firmware image is successfully flashed to the router.
  • A firmware image rebuilt from the raw UBI image using mkimage can also be flashed successfully.
  • A firmware image with an UBI image rebuilt with ubinize and packaged with mkimage is rejected by the router with an invalid image error.

After a bit of debugging I observed that:

  • All 3 images seems to have a valid UBI image, and seems to contain the same 4 volumes. The UBI volumes extracted with ubireader_extract_images have matching MD5 sum.
  • Inspecting the factory and rebuilt UBI images with ubireader_display_info shows they are almost identical. What differs is the "First UBI PEB Number" which is 1 for the factory image and 0 for the rebuilt image. Diff: https://pasteboard.co/hBEScyEwGdDq.png

From this I suspect the rebuilt firmware image is rejected because of the UBI image is rebuilt...

Has anybody experience with building firmware images for Broadcom routers? I would appreciate some help. Probably I'm missing some setting / particularity needed by the Broadcom CFE updater...

Thanks,
Attila

PS: At this point I'm just trying to hack / modify the router's firmware. Later, I will also try to build OpenWRT for it.

2

I do not want to dash your hopes, but this looks like a Broadcom 802.11ax platform. You might be able to get OpenWrt going, but you'll never get wireless working. Broadcom simply does not offer any drivers for it that might work on OpenWrt.

1 Like
3

Yeah, I'm well aware of that. :slight_smile: I bought this Tenda RX3 mostly to experiment with hardware hacking. Maybe I will run things like a DNS server on it, but I have no intention to run it as my main wireless router.

1 Like