Good day OpenWrt,
So I'm pretty new to this whole thing, but reverse engineering has always been one of my hobbies. I had an old router lying around and I decided to give it a shot at trying to get OpenWrt running on it.
So currently, I have identified the serial pads on the router and soldered on some pins. Using PuTTY, I managed to get (what I believe to be) a full dump of my firmware. I have also compiled OpenWrt for the bcm47xx architecture, but whenever I try to boot the vmlinux.elf from a TFTP server I get the following messages:
[ 0.000000] Linux version 4.14.141 (dean@dean-Lenovo-Legion-Y530-15ICH) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r10975-681acdcc54)) #0 Mon Sep 9 07:38:55 2019
[ 0.000000] CPU0 revision is: 00019749 (MIPS 74Kc)
[ 0.000000] bcm47xx: Using bcma bus
[ 0.000000] (NULL device *): bus0: Found chip with id 53572, rev 0x01 and package 0x08
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 01000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] This processor doesn't support highmem. -16384k highmem ignored
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000000ffffff]
[ 0.000000] HighMem empty
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000000ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000000ffffff]
[ 0.000000] random: get_random_bytes called from start_kernel+0x9c/0x4a4 with crng_init=0
[ 0.000000] Built 1 zonelists, mobility grouping off. Total pages: 4060
[ 0.000000] Kernel command line: noinitrd console=ttyS0,115200
[ 0.000000] PID hash table entries: 64 (order: -4, 256 bytes)
[ 0.000000] Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
[ 0.000000] Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 10840K/16384K available (3819K kernel code, 162K rwdata, 832K rodata, 168K init, 299K bss, 5544K reserved, 0K cma-reserved, 0K highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 128
[ 0.000000] (NULL device *): bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x27, class 0x0)
[ 0.000000] (NULL device *): bus0: Core 1 found: IEEE 802.11 (manuf 0x4BF, id 0x812, rev 0x1C, class 0x0)
[ 0.000000] (NULL device *): bus0: Core 2 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x03, class 0x0)
[ 0.000000] (NULL device *): bus0: Core 3 found: MIPS 74K (manuf 0x4A7, id 0x82C, rev 0x05, class 0x0)
[ 0.000000] (NULL device *): bus0: Core 4 found: SDR/DDR1 Memory Controller (manuf 0x4BF, id 0x835, rev 0x02, class 0x0)
[ 0.000000] (NULL device *): bus0: Found M25P16 serial flash (size: 2048KiB, blocksize: 0x10000, blocks: 32)
[ 0.000000] (NULL device *): bus0: Early bus registered
[ 0.000000] MIPS: machine is Unknown Board
[ 0.000000] bcm47xx: Setting up vectored interrupts
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 12741736309 ns
[ 0.000024] sched_clock: 32 bits at 150MHz, resolution 6ns, wraps every 14316557820ns
[ 0.000130] Calibrating delay loop... 149.91 BogoMIPS (lpj=749568)
[ 0.070106] pid_max: default: 32768 minimum: 301
[ 0.070784] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.070843] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.077461] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.077540] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.078912] NET: Registered protocol family 16
[ 0.130300] clocksource: Switched to clocksource MIPS
[ 0.133512] NET: Registered protocol family 2
[ 0.135423] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.135506] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.135566] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.135915] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.135993] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.136768] NET: Registered protocol family 1
[ 0.294253] can not parse nvram name sb/1/ag3(null) with value 0xff got -34
[ 0.329061] can not parse nvram name sb/1/rxpo2g(null) with value 0xff got -34
[ 0.472730] 2(S)*
[ 0.472740] 3
[ 0.472767] 4
[ 0.472787] 5
[ 0.472807] 6
[ 0.472827] D
[ 0.472846] I
[ 0.472865]
[ 0.472907] 2(S)
[ 0.472917] 3*
[ 0.472937] 4
[ 0.472957] 5
[ 0.472976] 6
[ 0.472996] D
[ 0.473015] I
[ 0.473033]
[ 0.473075] 2(S)
[ 0.473084] 3
[ 0.473104] 4*
[ 0.473124] 5
[ 0.473143] 6
[ 0.473163] D
[ 0.473182] I
[ 0.473200]
[ 0.473241] 2(S)
[ 0.473250] 3
[ 0.473270] 4
[ 0.473289] 5
[ 0.473309] 6
[ 0.473328] D
[ 0.473347] I*
[ 0.473366]
[ 0.473408] 2(S)
[ 0.473417] 3
[ 0.473437] 4
[ 0.473457] 5
[ 0.473476] 6
[ 0.473496] D*
[ 0.473515] I
[ 0.473533]
[ 0.475270] (NULL device *): bus0: Bus registered
[ 0.476990] Crashlog allocated RAM at address 0xf00000
[ 0.484547] workingset: timestamp_bits=14 max_order=12 bucket_order=0
[ 0.501141] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.501188] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.533739] io scheduler noop registered
[ 0.533788] io scheduler deadline registered (default)
[ 0.534192] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
[ 0.535537] console [ttyS0] disabled
[ 0.555928] serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 2, base_baud = 1250000) is a U6_16550A
[ 1.061843] console [ttyS0] enabled
[ 1.091130] 4 bcm47xxpart partitions found on MTD device bcm47xxsflash
[ 1.097787] Creating 4 MTD partitions on "bcm47xxsflash":
[ 1.103369] 0x000000000000-0x000000020000 : "boot"
[ 1.116536] 0x000000020000-0x0000001e0000 : "firmware"
[ 1.123963] 1 trx partitions found on MTD device firmware
[ 1.129475] Creating 1 MTD partitions on "firmware":
[ 1.134674] 0x00000000001c-0x0000001c0000 : "linux"
[ 1.146245] 0x0000001e0000-0x0000001f0000 : "nvram"
[ 1.155150] 0x0000001f0000-0x000000200000 : "nvram"
[ 1.170840] libphy: Fixed MDIO Bus: probed
[ 1.175324] bgmac_bcma bcma0:2: Found PHY addr: 30 (NOREGS)
[ 1.214958] b53_common: found switch: BCM5325, rev 4
[ 1.220167] libphy: bcma_mdio mii bus: probed
[ 1.224721] bgmac_bcma bcma0:2: Support for Roboswitch not implemented
[ 1.332098] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded
[ 1.338464] bcm47xx-wdt bcm47xx-wdt.0: BCM47xx Watchdog Timer enabled (30 seconds)
[ 1.349268] NET: Registered protocol family 10
[ 1.364188] Segment Routing with IPv6
[ 1.368186] NET: Registered protocol family 17
[ 1.373010] 8021q: 802.1Q VLAN Support v1.8
[ 1.383044] VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6
[ 1.390773] Please append a correct "root=" boot option; here are the available partitions:
[ 1.399287] 1f00 128 mtdblock0
[ 1.399300] (driver?)
[ 1.406033] 1f01 1792 mtdblock1
[ 1.406048] (driver?)
[ 1.412774] 1f02 1791 mtdblock2
[ 1.412789] (driver?)
[ 1.419453] 1f03 64 mtdblock3
[ 1.419462] (driver?)
[ 1.426184] 1f04 64 mtdblock4
[ 1.426198] (driver?)
[ 1.432930] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[ 1.444163] Rebooting in 1 seconds..
[ 2.447376] bcm47xx: Please stand by while rebooting the system...
I am unsure as to how I would fix this; some help would really be appreciated.
Here is the log for how the router usually boots:
Decompressing...done
CFE version 5.100.138.3 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 2011-05-26 10:33:50 4 (richard@aeteam.com)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.3
CPU type 0x19749: 300MHz
Tot mem: 16384 KBytes
CFE mem: 0x80700000 - 0x80798550 (623952)
Data: 0x8072E3A0 - 0x807315C0 (12832)
BSS: 0x807315C0 - 0x80732550 (3984)
Heap: 0x80732550 - 0x80796550 (409600)
Stack: 0x80796550 - 0x80798550 (8192)
Text: 0x80700000 - 0x8072E39C (189340)
Device eth0: hwaddr C8-3A-35-55-32-20, ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: ..... 2848468 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
IP Filter: v3.4.35 initialized. Default = pass all, Logging = disabled
PCI: no core
PCI: no core
PCI: Fixing up bus 0
wl_pci_probe: find [14e4:4329] bus 0 slot 1 func 0 irq 1
eCos Router/AP V5.110.27.21 (Compiled at 19:36:34 on Sep 22 2014)
sys_led_test_gpio=6
Using pin 6 for sys_led output
wps_led_test_gpio=7
System start
vlan1: VLAN interface created
vlan2: VLAN interface created
wlconf: PHYTYPE: 4
EAPD task started
initWebs: lanip=[192.168.0.1]
NAS task started
CLI>
And here is how it boots when the process is interrupted by Ctrl+C:
Decompressing...done
CFE version 5.100.138.3 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 2011-05-26 10:33:50 4 (richard@aeteam.com)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found an ST compatible serial flash with 32 64KB blocks; total size 2MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.3
CPU type 0x19749: 300MHz
Tot mem: 16384 KBytes
CFE mem: 0x80700000 - 0x80798550 (623952)
Data: 0x8072E3A0 - 0x807315C0 (12832)
BSS: 0x807315C0 - 0x80732550 (3984)
Heap: 0x80732550 - 0x80796550 (409600)
Stack: 0x80796550 - 0x80798550 (8192)
Text: 0x80700000 - 0x8072E39C (189340)
Device eth0: hwaddr C8-3A-35-55-32-20, ipaddr 192.168.0.1, mask 255.255.255.0
gateway not set, nameserver not set
Startup canceled
CFE> ^C
CFE> ^C
CFE> ^C
CFE>