I do not own a DG834GT, so I can only give you some hints.

HairyDairyMaid's debrick utility is written for little endian CPUs ...
But someone wrote a patch for the SE515 (BCM6345) to do a byte-swap before flashing.
Take a look at http://www.mcbachmann.de/projects/openwrt/jtag

./wrt54g -flash:custom /start:1fc00000 /window:1fc00000 /length:10000 /nobreak /noreset

(rename the CFE.BIN to CUSTOM.BIN before flashing).

Thanks for this.
I will make jtag and I will try.

Thanks
MisteroX

Thanks, I will try.

MisteroX

Hi.

Maybe it's another problem I encountered: at the moment the calculated CRCs are not fully compatible with every CFE. That means CRCs are calculated, but not correct, which is ignored by some versions. For the Siemens SE515 I created a patch [1] against the imagetag.c for OpenWrt rev. 12259 which fixes these issue but needs testing on other devices and newer revisions.

You can verify the generated image with the imginfo [2] tool, which also works with the original firmware (the checked file must be named "firmware.bin").

Bye
  Sven

[1] http://www.mcbachmann.de/projects/openw … rev_12259/
[2] http://www.mcbachmann.de/projects/openw … 9/imginfo/

(Last edited by Zven on 17 Nov 2008, 16:34)

@Zven,
first test on 96348GW-11 board, but no works fine.
1.-image loads, seems to be fine, and writes flash memory
2.-when system reboot, CFE says image corrupted, bad descompression.

i will try like se515 board.
Thnx for your work

also fails with values
    if (!strcmp("96348GW-11", tag.boardid)) {
        tag.headerver = 0x32;
        tag.payloadcrc = htonl(crc);

how did you find last values?

(Last edited by t3l3m4k0 on 17 Nov 2008, 23:52)

Hi guys!

I have a "Comtrend CT-536/1+" (bcm6348).

After a bit of hacking I got a shell on the ct-536...

Here some info about cpu:

# cat /proc/cpuinfo
system type             : 96348GW-11
processor               : 0
cpu model               : BCM6348 V0.7
BogoMIPS                : 255.59
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
VCED exceptions         : not available
VCEI exceptions         : not available

...and wireless device:

# wlctl revinfo
vendorid: 0x14e4
deviceid: 0x4318
radiorev: 0x82050000
chipnum: 0x4318
chiprev: 0x2
corerev: 0x9
boardid: 0x449
boardvendor: 0x14e4
boardrev: 0x46
driverrev: 0x35a0f00
ucoderev: 0x1220098
bus: 0x1

I'm trying to install kamikaze firmware on it, but I have only one adsl router and I don't wan't to brick it :-P

svn co https://svn.openwrt.org/openwrt/trunk/
svn co https://svn.openwrt.org/openwrt/packages
cd ..
ln -s ../../packages/*/* .
cd ..
make menuconfig <= Here I select BCM63xx and Broadcom wireless (any think else??)
make

What's the next steep?
Will it works? (ok, i'll try any way)

Tnks!

PS: Sorry if the post is too large!

The current codeset for the bcm63xx is still very limited ...
I.e. no support for WLAN and DSL so far.

So you better keep our hands off!

OK! I'll wait. Tnks :-)

Hi.

I created a walkthrough for the SE515, you can view it here [1] (I think you just used the "f" command in CFE instead of the "flashimage"). I got the header version from the original firmware. Just download the imginfo tool, rename the original firmware to firmware.bin and start it. The output should look like:

Please note that the length and CRC values may differ from yours, because your firmware version may be another one. As you can see, the header version is 50, which means 0x32 in hex.

Bye
  Sven

[1] http://www.mcbachmann.de/projects/openw … hrough.txt

I'm glad to see open source drivers appearing for this platform. So far the closed source drivers were acceptable, but this weekend I got annoyed when I realised that with this closed source driver, netconsole won't work (and I can't get any serial connection either). :-(

Anyway, right now I bricked my router (DG834Gv4). I see I'm not the only one with this problem though; misteroX, have you had any luck yet? Mine seems to be in a bad enough state that even restoring CFE via JTAG doesn't make it go. I just tried again after fully erasing all flash contents, even. Tomorrow I will try a *full* reflash over JTAG, it's too late to try that now. Has anyone else had the problem with this platform that suddenly the thing boots with fast blinking LEDs, and even upgrades using raw Ethernet frames don't work anymore?

Also, can I assume that the first 64 KBytes of a firmware image is indeed a suitable CFE.BIN? Or is it actually different? I have vague memories of someone mentioning that things like the router's MAC address are encoded in it, for example. Could this be the reason my router doesn't want to boot from it?

No, OpenWrt does not include CFE. In general you are not supposed to touch the boot loader. OpenWrt is just the kernel and root filesystem.

does this mean we can get netbsd on it?

this is not the longest thread in the world, this is just a tribute

(Last edited by kd8ikt on 20 Nov 2008, 10:57)

Hi Wilmer,
nowadays a do not ever made any try about jtag for my router.
You will wait until I will buy a some new components for jtag.

By
MisteroX

Yes, most definitely. I wouldn't *want* it to touch CFE without a good reason. Still, my router somehow got itself into a very bad state (I blame the firmware flashing tool in the web interface) and it may be a corrupted CFE. I'd be really glad if someone could give me his/her CFE that is known to work...

How portable is the CFE code? From device to device and router manufacturer to manufacturer, as long as it's the same CPU and flash chip?

I don't know how to compile b43 from make menuconfig, i had compiled b43 driver from make kernek make_menuconfig.
i not had tested much how it works, because i don't use wifi, but i permormed scannig and it returned up to 13 cells.
Yo must supply b43 firmware to make it in order to run, like here says:
http://linuxwireless.org/en/users/Drive … cefirmware

every board must have a personaliced CFE, but sometimes CFE from similar boards seems to run fine

thnks Zven,
Yes i tried to "f" command" and web firmware loading, and it not works.
"flasimage" command woks and worked fine to me, but i tried it to test if it loads from web firmware loader, for those don't have a serial cable connected to router.

Saludos

Okay, that probably explains why my first attempt at fixing my router failed. If only I had a backup... I also just realised that the portability is probably also limited by the fact that many manufacturers map their flash space in different ways.

I noticed there are some tools that can personalize images, but they all assume there's some block of ASCII text in the middle of the image, which isn't there in any CFE image I have for my router. So I'm assuming that either BCM6348-based routers don't encode some system information in the bootloader or at least don't do it in ASCII anymore.

I'll go and grep the image I have for known MAC addresses and see what happens. If anyone with a DG834Gv4 (or maybe GT) could give me a dump of his/her CFE.BIN I'd be very very grateful...

(Last edited by Wilmer on 20 Nov 2008, 11:04)

Yes, looks like it's binary now. From a hexdump:

00000680  00 00 00 00 39 36 33 34  38 57 33 00 00 00 00 00  |....96348W3.....|
00000690  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 02  |................|
000006a0  00 1f 33 85 e1 6a 00 00  12 47 65 4f 00 00 00 00  |..3..j...GeO....|
000006b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

00:1f:33:85:e1:6a is my router's MAC address. Not sure what the 32-bit integer after it is, but it could be a checksum. I may have to recalculate that one to make my router boot again. I just tried flashing a CFE with just these 64 bytes copied over, but most likely I'll also have to recalculate my checksum.

Interestingly, I just noticed that the router does seem to respond to ARP requests. It still thinks its MAC address is FF:FF:FF:FF:FF:FF. TFTP doesn't work right now, most likely because of that MAC address.

I'll get this fixed, I'm sure now. :-)

FWIW, the full flash fixed my problem. Took five hours, but it saved me waiting for two weeks getting a replacement unit (if at all). :-)

Hi, I restored the original netgear cfe.bin in the dg834gt with jtag. At boot time i see this:

Even after i have inserted the required parameters, at every boot i see this.

I'm unable to send something via tftp.

what can it be?

Thanks
MisteroX

1.- try with boards ID number 4 and 2, and more mac (try 11 macs)
2.- try with flashimage ip_tftp_server:name_firmware
3.- try other cfe

good luck

Hi t3l3m4k0,
Can I use one of this cfe for dg834gt and which of them published on link below? 
http://downloads.openwrt.org/people/inh/cfe/

Can I recreate a new CFE following this guide?
http://wiki.openwrt.org/OpenWrtDocs/Cus … rmware/CFE

Obviously inserting my board parameters and my MacAddres.

At the end I transform all of it in big endian and I Flash through the jtag.

Do you think it's possible ?

Thanks
Misterox

Those CFEs are all meant for older boards, for little-endiain CPUs with the settings all encoded in ASCII. Also note that they're 256KB big, while at least the CFE in my DG834Gv4 is only 64KBytes.

Look at a hexdump of your CFE image. I think around offset 680 there should be some settings/board information like in my post above. Unfortunately changing these is not that simple since there's a checksum that has to be correct.

As wilmer says, you cannot use this cfe, are so old for your board.

Have you tried with help command when boot stops. There is a command to setup mac, like this:

CFE version 1.0.37-0.8 for BCM96348 (32bit,SP,BE)
Build Date: ¤@  2¤ë 20 18:37:34 CST 2006 (root@localhost.localdomain)
Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.
Initializing Devices.
CPU type 0x29107: 256MHz, Bus: 128MHz, Ref: 32MHz

Total memory used by CFE:  0x80401000 - 0x805246F0 (1193712)
Initialized Data:          0x8041C680 - 0x8041E080 (6656)
BSS Area:                  0x8041E080 - 0x804226F0 (18032)
Local Heap:                0x804226F0 - 0x805226F0 (1048576)
Stack Area:                0x805226F0 - 0x805246F0 (8192)
Text (code) segment:       0x80401000 - 0x8041C67C (112252)
Boot area (physical):      0x00525000 - 0x00565000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                : 192.168.1.19:ffffff00
Host IP address                 : 192.168.1.21
Gateway IP address              : 192.168.1.1
Run from flash/host (f/h)       : f
Default host run file name      : vmlinux
Default host flash file name    : bcm963xx_fs_kernel
Boot delay (0-9 seconds)        : 3
Board Id Name                   : 96348GW-11
Psi size in KB                  : 24
Number of MAC Addresses (1-32)  : 11
Base MAC Address                : 11:22:33:44:55:66
Ethernet PHY Type               : Internal
Memory size in MB               : 16

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 3
web info: Waiting for connection on socket 0.
CFE>   help
Available commands:

asus                Write bootcode, mac, or rdom to flash
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** bcm63xx_main.c command status = 0
CFE>