OpenWrt Forum Archive

Topic: Support for SagemCom F@ST 2304 (Sky)

The content of this topic has been archived between 28 Apr 2018 and 7 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
Got this from friend, was hoping to unlock it to use with other ISP but couldnt find any unlock procedure / custom image.

So wanted to install OpenWRT but couldnt find any image. The router uses the Broadcom 6328 / 63281 (SoC)

Here are some inside pictures

http://i58.tinypic.com/11jq8o2.jpg

http://i61.tinypic.com/2v1b72w.jpg

http://i57.tinypic.com/2jett3n.jpg

http://i62.tinypic.com/16gkcpt.jpg

http://i59.tinypic.com/2n1i7tj.jpg

http://i57.tinypic.com/2mxeqef.jpg

http://i60.tinypic.com/5ee7t0.jpg

http://i62.tinypic.com/2m42bk3.jpg

http://i62.tinypic.com/2jai03r.jpg

http://i62.tinypic.com/24opla9.jpg

http://i61.tinypic.com/29cv1ht.jpg

http://i58.tinypic.com/214o6yw.jpg

http://i60.tinypic.com/2vak0lz.jpg

http://i59.tinypic.com/2whjskl.jpg

The serial port is working, i used DKU-5 cable (nokia)

here is the bootlog

HELO
CPUI
L1CI
DRAM
----
PHYS
ZQDN
PHYE
DINT
LSYN
USYN
MSYN
LMBE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN


CFE version 5.14.6.1 for BCM96328 (32bit,SP,BE)
Build Date: Tue Mar  8 14:24:11 CST 2011 (zoucb@SZ01007.DONGGUAN.CN)
Copyright (C) 2005-2010 SAGEM Corporation.

HS Serial flash device: name MX25L64, id 0xc217 size 8192KB
Total Flash size: 8192K with 128 sectors
Chip ID: BCM6328B0, MIPS: 320MHz, DDR: 320MHz, Bus: 160MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id (0-4)                    : F@ST2304  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : 7c:03:4c:7b:45:9d  
PSI Size (1-64) KBytes            : 40  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Main Thread Number [0|1]          : 0  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 110
Booting from only image (0xb8010000) ...
Code Address: 0x80010000, Entry Address: 0x80014230
Decompression OK!
Entry at 0x80014230
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x80014230
Linux version 2.6.30 (cookiechen@SZ01007.DONGGUAN.CN) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #1 Tue Aug 2 16:07:49 CST 2011

HS Serial flash device: name MX25L64, id 0xc217 size 8192KB

F@ST2304 prom init

CPU revision is: 0002a075 (Broadcom4350)

Determined physical RAM map:

 memory: 03f00000 @ 00000000 (usable)

Zone PFN ranges:

  DMA      0x00000000 -> 0x00001000

  Normal   0x00001000 -> 0x00003f00

Movable zone start PFN for each node

early_node_map[1] active PFN ranges

    0: 0x00000000 -> 0x00003f00

On node 0 totalpages: 16128

free_area_init_node: node 0, pgdat 80270750, node_mem_map 81000000

  DMA zone: 32 pages used for memmap

  DMA zone: 0 pages reserved

  DMA zone: 4064 pages, LIFO batch:0

  Normal zone: 94 pages used for memmap

  Normal zone: 11938 pages, LIFO batch:1

Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16002

Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200

wait instruction: enabled

Primary instruction cache 32kB, VIPT, 4-way, linesize 16 bytes.

Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes

RCU-based detection of stalled CPUs is enabled.

NR_IRQS:128

PID hash table entries: 256 (order: 8, 1024 bytes)

console [ttyS0] enabled

Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)

Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)

Memory: 61096k/64512k available (2025k kernel code, 3396k reserved, 412k data, 112k init, 0k highmem)

Calibrating delay loop... 319.48 BogoMIPS (lpj=159744)

Mount-cache hash table entries: 512

net_namespace: 812 bytes

NET: Registered protocol family 16

Total Flash size: 8192K with 2048 sectors

registering PCI controller with io_map_base unset

registering PCI controller with io_map_base unset

bio: create slab <bio-0> at 0

pci 0000:01:00.0: PME# supported from D0 D3hot

pci 0000:01:00.0: PME# disabled

pci 0000:02:00.0: reg 10 64bit mmio: [0x000000-0x003fff]

pci 0000:02:00.0: supports D1 D2

pci 0000:01:00.0: PCI bridge, secondary bus 0000:02

pci 0000:01:00.0:   IO window: disabled

pci 0000:01:00.0:   MEM window: 0x10f00000-0x10ffffff

pci 0000:01:00.0:   PREFETCH window: disabled

PCI: Enabling device 0000:01:00.0 (0000 -> 0002)

PCI: Setting latency timer of device 0000:01:00.0 to 64

BLOG v2.1 Initialized

NET: Registered protocol family 8

NET: Registered protocol family 20

NET: Registered protocol family 2

IP route cache hash table entries: 1024 (order: 0, 4096 bytes)

TCP established hash table entries: 2048 (order: 2, 16384 bytes)

TCP bind hash table entries: 2048 (order: 1, 8192 bytes)

TCP: Hash tables configured (established 2048 bind 2048)

TCP reno registered

NET: Registered protocol family 1

squashfs: version 4.0 (2009/01/31) Phillip Lougher

squashfs: version 4.0 with LZMA457 ported by BRCM

msgmni has been set to 119

io scheduler noop registered (default)

pcieport-driver 0000:01:00.0: device [14e4:6328] has invalid IRQ; check vendor BIOS

PCI: Setting latency timer of device 0000:01:00.0 to 64

PPP generic driver version 2.4.2

PPP Deflate Compression module registered

PPP BSD Compression module registered

NET: Registered protocol family 24

bcm963xx_mtd driver v1.0

File system address: 0xb8010100

brcmboard: brcm_board_init entry

kerSysScreenPciDevices: 0x14e4:0x6328:(slot 0) detected

kerSysScreenPciDevices: 0x14e4:0x4313:(slot 0) detected

SES: Button Interrupt 0x1 is enabled

Serial: BCM63XX driver $Revision: 3.00 $

ttyS0 at MMIO 0xb0000100 (irq = 36) is a BCM63XX

ttyS1 at MMIO 0xb0000120 (irq = 36) is a BCM63XX

bcmxtmrt: Broadcom BCM6328B0 ATM/PTM Network Device v0.3 Aug  2 2011 16:05:06

Broadcom Logger v0.1 Aug  2 2011 16:03:19

TCP cubic registered

Initializing XFRM netlink socket

NET: Registered protocol family 17

NET: Registered protocol family 15

Initializing MCPD Module

Ebtables v2.0 registered

ebt_time registered

ebt_ftos registered

ebt_wmm_mark registered

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

VFS: Mounted root (squashfs filesystem) readonly on device 31:0.

Freeing unused kernel memory: 112k freed


init started:  BusyBox v1.00 (2011.08.02-08:10+0000) multi-call binary
mount: Mounting none on /proc/bus/usb failed: No su

BusyBox v1.00 (2011.08.02-08:10+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.


Loading drivers and kernel modules... 

pktflow: module license 'Proprietary' taints kernel.

Disabling lock debugging due to kernel taint

Broadcom Packet Flow Cache  Char Driver v2.1 Mar 18 2010 21:39:51 Registered<242>

NBUFF v1.0 Initialized

Broadcom Packet Flow Cache learning via BLOG enabled.

Created Proc FS /procfs/fcache

Broadcom Packet Flow Cache registered with netdev chain

Constructed Broadcom Packet Flow Cache v2.1 Mar 18 2010 21:39:50

bcmxtmcfg: bcmxtmcfg_init entry

adsl: adsl_init entry

Broadcom BCM6328B0 Ethernet Network Device v0.1 Aug  2 2011 16:03:28

dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered 

eth0: MAC Address: 7C:03:4C:7B:45:9D

eth1: MAC Address: 7C:03:4C:7B:45:9D

eth2: MAC Address: 7C:03:4C:7B:45:9D

eth3: MAC Address: 7C:03:4C:7B:45:9D

PCI: Enabling device 0000:02:00.0 (0000 -> 0002)

PCI: Setting latency timer of device 0000:02:00.0 to 64

otp_read_pci: bad crc

wl:not strapped or invalid data

wl:srom not detected,using main memory mapped srom info(wombo board)

wl:loading /etc/wlan/bcm4313_map.bin

wl0: Broadcom BCM4313 802.11 Wireless Controller 5.60.120.11.cpe4.406.4

dgasp: kerSysRegisterDyingGaspHandler: wl0 registered 

Broadcom 802.1Q VLAN Interface, v0.1


===== Release Version 5.23.1 (build timestamp 110802_1824) =====

Got primary config file from flash (len=34362), validating....
ip_tables: (C) 2000-2006 Netfilter Core Team

nf_conntrack version 0.5.0 (1008 buckets, 4032 max)

device eth0 entered promiscuous mode

device eth1 entered promiscuous mode

device eth2 entered promiscuous mode

device eth3 entered promiscuous mode

device wl0 entered promiscuous mode

br0: port 5(wl0) entering forwarding state

WLmngr Daemon is running
optarg=0 shmId=0 
BcmAdsl_Initialize=0xC00B6100, g_pFnNotifyCallback=0xC00DC7D4

wlevt_init@107: opened loopback socket 4
wlevt is ready for new msg...
pSdramPHY=0xA3FFFFF8, 0x1A6CB 0x5EADBEEF

AdslCoreSharedMemInit: shareMemAvailable=491424

AdslCoreHwReset:  AdslOemDataAddr = 0xA3F69564

dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered 

Netfilter messages via NETLINK v0.30.

monitor task is initialized pid= 190 

rupgrade:error:13.405:ruReadMessageFromSmd:22:got SYSTEM_BOOT msg
rupgrade:error:13.406:ruUpdateWaitHour:1074:update wait hour: 0
rupgrade:error:14.071:ruGetConfig:174:The remote server is http://fast2304.skyfirmware.com 31
rupgrade:error:14.072:ruGetConfig:198:The post server is http://fast2304.skyfirmware.com
device wl0 left promiscuous mode

br0: port 5(wl0) entering disabled state

device wl0 entered promiscuous mode

br0: port 5(wl0) entering forwarding state

wl0.1 (): not using net_device_ops yet

wl0.2 (): not using net_device_ops yet

wl0.3 (): not using net_device_ops yet

br0: port 5(wl0) entering disabled state

There is no Predefined DevicePin in CFE
WPS Device PIN = 21464065
Setting SSID: "SKYB459D"
Setting SSID: "wl0_Guest1"
Setting SSID: "wl0_Guest2"
Setting SSID: "wl0_Guest3"
wlmngr_wlIfcDown: reset wifi_up_time
wlmngr_wlIfcDown: reset wifi_up_time
wlmngr_wlIfcDown: reset wifi_up_time
wlmngr_wlIfcDown: reset wifi_up_time
wlctl: Unsupported
chanspec 0x2b06 selected 
device wl0 left promiscuous mode

br0: port 5(wl0) entering disabled state

device wl0 entered promiscuous mode

br0: port 5(wl0) entering forwarding state

Reaped 762
UPnP daemon is ready to run
wlmngr_wlIfcUp: wifi_up_time=22


BCM96328 Broadband Router
Login: admin

Password: sky

the default webui userid and password works
user: admin
password: sky

now i get the prompt ">" which is not busybox

> help

?

help

logout

exit

quit

reboot

adsl

xdslctl

xtm

brctl

cat

loglevel

logdest

virtualserver

ddns

df

dumpcfg

dumpmdm

meminfo

psp

kill

dnsproxy

syslog

echo

ifconfig

ping

ps

pwd

sntp

sysinfo

tftp

wlctl

arp

defaultgateway

dhcpserver

dns

lan

lanhosts

passwd

ppp

restoredefault

route

save

swversion

cfgupdate

swupdate

exitOnIdle

wan

typing "sh" starts the busybox

BusyBox v1.00 (2011.08.02-08:10+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help


Built-in commands:
-------------------
    . : break cd continue eval exec exit export help login newgrp
    read readonly set shift times trap umask wait [ arping busybox
    cat chmod cp date df dmesg echo expr false ftpget ifconfig init
    insmod kill killall klogd linuxrc ln logger logread ls mkdir
    mknod mount msh ping ps pwd reboot rm rmmod route sendarp sh
    sleep sysinfo syslogd test tftp tftpd top true tty umount vconfig

# cat cpuinfo
system type             : F@ST2304
processor               : 0
cpu model               : Broadcom4350 V7.5
BogoMIPS                : 319.48
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 27

# cat meminfo
MemTotal:          61228 kB
MemFree:           38080 kB
Buffers:            2516 kB
Cached:             8648 kB
SwapCached:            0 kB
Active:             4312 kB
Inactive:           9308 kB
Active(anon):       2456 kB
Inactive(anon):        0 kB
Active(file):       1856 kB
Inactive(file):     9308 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          2476 kB
Mapped:             2356 kB
Slab:               6224 kB
SReclaimable:        360 kB
SUnreclaim:         5864 kB
PageTables:          292 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       30612 kB
Committed_AS:       5904 kB
VmallocTotal:    1032148 kB
VmallocUsed:        2888 kB
VmallocChunk:    1024016 kB
#

# cat mtd
dev:    size   erasesize  name
mtd0: 00380000 00380000 "Physically mapped flash"

can get easly into cfe through serial.

So, anything usefull for OpenWRT ? image ?

Regards
Tahir
tahir00ali@gmail.com

Hey,

I've got this router too- only just upgraded from it. Looking to use it as a wireless bridge, seeing as it's got the broadcom chip and the F@ST 2404, 2604, 2704 and 2764 have all been hacked it should be possible... I'm pretty new to this but I'll see if I can take a look at it.

Also trying to do the same with my Home Hub 3.0A, at least it looks as though someone is close with that one...

~Bobby

That one had issues with WiFi sad

OpenWrt for that router is totally possible. The drawback is as always (with bcm63xx) ADSL not supported in OpenWrt.

You can make a backup of the bootloader with non-JTAG methods. I list them in difficult order:

* First one:
use https://github.com/openwrt-es/cfetool

* Second one:
precompile a openwrt RAM  version (<4MB size), enter CFE command line and execute
r 192.168.1.100:ram-firmware.elf
Then just backup the linux partition once Openwrt RAM firmware booted

* Third:
make a couple of utilities for backing up from the original firmware, probably you may need to insert fake kernel module to create mtd partitios for getting access to all flash memory. You need to deal with a toolchain compatible with the original firmware and probably hack some C code.

Four:
use your imagination tongue

The first question is: is it possible to use the CFE command line? has CFE  any limitation? sometimes manufacturers decide to manipulate the bootloader and you end deling with a borked CFE..

Are you saying that the only issue with Openwrt on the 2304 is the ADSL? Surely then if I were to want to use it as a wireless bridge (receiving wireless signal so I can plug in my desktop via ethernet) I would be fine with installing wrt? Only thing is, I have not one shadow of an idea where to start with compiling a trunk etc. (despite my reading very deeply..)

(Last edited by BobbyNewwwporrrrtP&R on 10 Feb 2015, 04:32)

The wifi seems to be differnt on both the devices,
the 2304 has

wl0: Broadcom BCM4313 802.11 Wireless Controller 5.60.120.11.cpe4.406.4

while the 2704 has

b43-phy0: Broadcom 43225 WLAN found (core revision 23)

Am not sure if the phyton script method will work to backup the flash, as the CFE didnt had the required cmds. (Will check it today) but i think it had the flash / whole flash / and run from host cmds available in CFE

BTW the ram image idea is good, but i dont know how to make ram image? i have built openwrt before but dont know how to build ram image / or what steps are needed to do that.

I'm not sure about how well is BCM4313 supported in linux. AFAIK this wifi chip should behave better with brcmsmac drivers, not wl, nor b43. With latest OpenWrt versions brcmsmac became better, but I can't tell how well this particular wifi will perform.

If true that CFE can run firmware images then that will be enough. For building a RAM image, first you need to modify some source code for adding your board ID to OpenWRT, then just select in menuconfig the RAM image, and a minimal configuration to build a tiny image not more than 4MB size.

I can build it for you, I did it several times with other routers, is not that difficult.

Regards.

danitool wrote:

I'm not sure about how well is BCM4313 supported in linux. AFAIK this wifi chip should behave better with brcmsmac drivers, not wl, nor b43. With latest OpenWrt versions brcmsmac became better, but I can't tell how well this particular wifi will perform.

If true that CFE can run firmware images then that will be enough. For building a RAM image, first you need to modify some source code for adding your board ID to OpenWRT, then just select in menuconfig the RAM image, and a minimal configuration to build a tiny image not more than 4MB size.

I can build it for you, I did it several times with other routers, is not that difficult.

Regards.

Any help on this would be amazing! I feel as though this would be a lot easier if we could examine the firmware installed, I can't seem to find any for the 2304 online, but do you think we could extract it from the router somehow? Could always compare it to one of the builds released on here for the other F@ST routers, and change the 2304's firmware appropriately *

*Edit- although, I'm not experienced in any of this, so I could be talking rubbish...

(Last edited by BobbyNewwwporrrrtP&R on 10 Feb 2015, 14:35)

Hi, I built a RAM firmware with this particular board ID included

https://drive.google.com/uc?export=down … nVKNVZCRHM

Tu load this firmware into the router's RAM, first put the file in your computer TFTP server's directory, and execute at the CFE console:

r 192.168.1.100:initramfs-2304.elf

192.168.1.100 should be the IP of the computer with the TFTP server (first check the TFTP server is working fine)

Let me know what happens, just paste here the output from the serial console.

danitool wrote:

Hi, I built a RAM firmware with this particular board ID included

https://drive.google.com/uc?export=down … nVKNVZCRHM

Tu load this firmware into the router's RAM, first put the file in your computer TFTP server's directory, and execute at the CFE console:

r 192.168.1.100:initramfs-2304.elf

192.168.1.100 should be the IP of the computer with the TFTP server (first check the TFTP server is working fine)

Let me know what happens, just paste here the output from the serial console.

Ok, I'm happy to do it with mine- do I need to do anything to the router first? (soldering etc. )

You only need access to the serial console at the router. It's obvious, otherwise you can't execute the command in the CFE serial console.

But... that requires soldering, right? I'm sorry, I just really don't know where to start

In this pic
http://i58.tinypic.com/214o6yw.jpg
You can clearly view a pinheader for the serial port, thus no soldering required. You need a serial TTL cable adapter for conecting your computer to that pin header. I guess you don't have one, otherwise you wouldn't ask this question.

danitool wrote:

In this pic
http://i58.tinypic.com/214o6yw.jpg
You can clearly view a pinheader for the serial port, thus no soldering required. You need a serial TTL cable adapter for conecting your computer to that pin header. I guess you don't have one, otherwise you wouldn't ask this question.

Awesome, thank you! so.. http://www.ebay.co.uk/itm/USB-2-0-to-TT … 566bc51304   Would that do?

Yes, that's exactly what you need. Once you got it, only connect TX,RX and GND. Never connect VCC.

danitool wrote:

Yes, that's exactly what you need. Once you got it, only connect TX,RX and GND. Never connect VCC.

Ok, I've ordered the cable so as soon as it's here I'll get to work. In the meantime I'll start dismantling the machine

danitool wrote:

Hi, I built a RAM firmware with this particular board ID included

https://drive.google.com/uc?export=down … nVKNVZCRHM

Tu load this firmware into the router's RAM, first put the file in your computer TFTP server's directory, and execute at the CFE console:

r 192.168.1.100:initramfs-2304.elf

192.168.1.100 should be the IP of the computer with the TFTP server (first check the TFTP server is working fine)

Let me know what happens, just paste here the output from the serial console.

Thanks for building ram version,
i got openwrt BB source yesterday and messed it up as i duplicated the 2704 patch and and renamed the new copy as 2304 but it messed up both the patches. so was unable to compile it, will try to read how to add new device tongue any pointers ?

will try this image when i get back home.

For the console i used Profilic based adapter and its not good to work on Windows 8, alot of driver / system crash. The same hardware works fine in Win7.

Next to the Serial Port, there seems to be JTAG port, any idea what the pins maybe ?

also there is an unpopulated USB port with missing components, i got 2x15K (153 SMD) pull up / down and 2x33 ohm (330 SMD) path resistors  but am unable to salvage the smd resister as they dont have any values printed on the other circuits, first step is to get OpenWRT and 2nd will be to get USB working.

connected the router directly to pc with ip 192.168.1.100
used tftpd32 on win8.1 pro (x64)

you have to press "any key" i pressed into to breakinto cfe,

used usb to rs232 (Profilic based <-- not recomended for win8) crashs the whole pc

used putty with Serial and just changed the speed to 115200

here is the output

CPUI
L1CI
DRAM
----
PHYS
ZQDN
PHYE
DINT
LSYN
USYN
MSYN
LMBE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN


CFE version 5.14.6.1 for BCM96328 (32bit,SP,BE)
Build Date: Tue Mar  8 14:24:11 CST 2011 (zoucb@SZ01007.DONGGUAN.CN)
Copyright (C) 2005-2010 SAGEM Corporation.

HS Serial flash device: name MX25L64, id 0xc217 size 8192KB
Total Flash size: 8192K with 128 sectors
Chip ID: BCM6328B0, MIPS: 320MHz, DDR: 320MHz, Bus: 160MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id (0-4)                    : F@ST2304  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : 7c:03:4c:7b:45:9d  
PSI Size (1-64) KBytes            : 40  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Main Thread Number [0|1]          : 0  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 111
CFE> 
web info: Waiting for connection on socket 0.

CFE> r 192.168.1.100:initramfs-2304.elf
0x80010000/3773844 0x803a9594/211272 Entry at 0x80014d10
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x80014d10
[    0.000000] Linux version 3.10.49 (dani@tool) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r44365) ) #2 Tue Feb 10 20:48:04 CET 2015
[    0.000000] Detected Broadcom 0x6328 CPU revision b0
[    0.000000] CPU frequency is 320 MHz
[    0.000000] 64MB of RAM installed
[    0.000000] registering 32 GPIOs
[    0.000000] board_bcm963xx: Boot address 0xb8000000
[    0.000000] board_bcm963xx: CFE version: 53.46.49-52.46-54
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 0002a075 (Broadcom BMIPS4350)
[    0.000000] board: board name: F@ST2304
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03ffffff]
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 16 bytes.
[    0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  root=/dev/mtdblock2 rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Memory: 60956k/65536k available (2303k kernel code, 4580k reserved, 610k data, 796k init, 0k highmem)
[    0.000000] NR_IRQS:256
[    0.000000] Calibrating delay loop... 318.46 BogoMIPS (lpj=636928)
[    0.036000] pid_max: default: 32768 minimum: 301
[    0.040000] Mount-cache hash table entries: 512
[    0.048000] NET: Registered protocol family 16
[    0.288000] registering PCI controller with io_map_base unset
[    0.300000] bio: create slab <bio-0> at 0
[    0.304000] PCI host bridge to bus 0000:00
[    0.308000] pci_bus 0000:00: root bus resource [mem 0x10f00000-0x10ffffff]
[    0.312000] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.316000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.320000] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.324000] pci 0000:00:00.0: BAR 8: assigned [mem 0x10f00000-0x10ffffff]
[    0.328000] pci 0000:01:00.0: BAR 0: assigned [mem 0x10f00000-0x10f03fff 64bit]
[    0.332000] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.336000] pci 0000:00:00.0:   bridge window [mem 0x10f00000-0x10ffffff]
[    0.340000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[    0.344000] Switching to clocksource MIPS
[    0.352000] NET: Registered protocol family 2
[    0.360000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.364000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.372000] TCP: Hash tables configured (established 512 bind 512)
[    0.380000] TCP: reno registered
[    0.384000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.388000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.396000] NET: Registered protocol family 1
[    1.612000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    1.620000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    1.632000] msgmni has been set to 119
[    1.636000] io scheduler noop registered
[    1.640000] io scheduler deadline registered (default)
[    1.648000] bcm63xx_uart.0: ttyS0 at MMIO 0xb0000100 (irq = 36) is a bcm63xx_uart
[    1.656000] console [ttyS0] enabled, bootconsole disabled
[    1.656000] console [ttyS0] enabled, bootconsole disabled
[    1.672000] m25p80 spi1.0: found mx25l6405d, expected m25p80
[    1.680000] m25p80 spi1.0: mx25l6405d (8192 Kbytes)
[    1.684000] bcm63xxpart: CFE boot tag found with version 6 and board type F@ST2304
[    1.692000] bcm63xxpart: Partition 0 is CFE offset 0 and length 10000
[    1.700000] bcm63xxpart: Partition 1 is rootfs offset 10100 and length 380000
[    1.708000] bcm63xxpart: Partition 2 is kernel offset 390100 and length d57c8
[    1.712000] bcm63xxpart: Partition 3 is nvram offset 7f0000 and length 10000
[    1.720000] bcm63xxpart: Partition 4 is linux offset 10000 and length 7e0000
[    1.728000] bcm63xxpart: Spare partition is offset 470000 and length 380000
[    1.736000] 5 bcm63xxpart partitions found on MTD device spi1.0
[    1.740000] Creating 5 MTD partitions on "spi1.0":
[    1.748000] 0x000000000000-0x000000010000 : "CFE"
[    1.756000] 0x000000010100-0x000000390100 : "rootfs"
[    1.760000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    1.776000] mtd: device 1 (rootfs) set to be root filesystem
[    1.780000] mtdsplit: no squashfs found in "spi1.0"
[    1.784000] 0x000000390100-0x0000004658c8 : "kernel"
[    1.792000] mtd: partition "kernel" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    1.808000] 0x0000007f0000-0x000000800000 : "nvram"
[    1.816000] 0x000000010000-0x0000007f0000 : "linux"
[    1.864000] b53_common: found switch: BCM63xx, rev 0
[    1.868000] bcm63xx-wdt bcm63xx-wdt:  started, timer margin: 30 sec
[    1.880000] TCP: cubic registered
[    1.880000] NET: Registered protocol family 17
[    1.888000] 8021q: 802.1Q VLAN Support v1.8
[    1.904000] Freeing unused kernel memory: 796K (802e9000 - 803b0000)
procd: Console is alive
procd: - watchdog -
[    1.964000] Button Hotplug driver version 0.4.1
procd: - preinit -
ifconfig: SIOCGIFFLAGS: No such device
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
ifconfig: SIOCGIFFLAGS: No such device
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[    9.572000] bcm63xx_enetsw bcm63xx_enetsw.0: link UP on Port 2, 100Mbps, full-duplex
[   10.624000] device eth0 entered promiscuous mode
[   10.632000] bcm63xx_enetsw bcm63xx_enetsw.0: link UP on Port 2, 100Mbps, full-duplex
[   10.640000] br-lan: port 1(eth0) entered forwarding state
[   10.644000] br-lan: port 1(eth0) entered forwarding state
procd: - init complete -
[   12.648000] br-lan: port 1(eth0) entered forwarding state



BusyBox v1.22.1 (2015-02-10 20:28:19 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (Barrier Breaker, r44365)
 ---------------------------------kjjjjjjj
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------

CPU info

root@OpenWrt:/# cat /proc/cpuinfo
system type        : bcm63xx/F@ST2304 (0x6328/0xB0)
machine            : Unknown
processor        : 0
cpu model        : Broadcom BMIPS4350 V7.5
BogoMIPS        : 318.46
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : yes
hardware watchpoint    : no
isa            : mips1 mips2 mips32r1
ASEs implemented    :
shadow register sets    : 1
kscratch registers    : 0
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

MTD

root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "CFE"
mtd1: 00380000 00010000 "rootfs"
mtd2: 000d57c8 00010000 "kernel"
mtd3: 00010000 00010000 "nvram"
mtd4: 007e0000 00010000 "linux"

partitions

root@OpenWrt:/proc# cat partitions 
major minor  #blocks  name

  31        0         64 mtdblock0
  31        1       3584 mtdblock1
  31        2        853 mtdblock2
  31        3         64 mtdblock3
  31        4       8064 mtdblock4

WebUI (recovery) is also available on 192.168.1.1 after breaking into CFE

Hi daemon123, the next task you can do is backups.

The original firmware is stored in the "linux" mtd partition. For transfering it to your computer

- In your computer execute

nc -l -p 5600|dd of=mtd4-OEM_firmware_backup.bin

nc = netcat

- In the router execute

dd if=/dev/mtd4|nc 192.168.1.100 5600

You may also want to backup the CFE bootloader (mtd0).

i dont have other router ready with usb, can it be saved into ram and then transferred to host pc which has tftpd running ?

You can, but I didn't include a tftp client in the build. BTW you can install it in Openwrt:

https://downloads.openwrt.org/barrier_b … cm63xx.ipk
wget this file from openwrt and install it

opkg install tftp-hpa_0.48-3_brcm63xx.ipk

backup

dd if=/dev/mtd4 of=/tmp/mtd4-OEM_firmware_backup.bin

tftp put

tftp-hpa -v -m binary 192.168.1.100 -c put /tmp/mtd4-OEM_firmware_backup.bin

Cannot ping the router
now have the netcat setup in virtual machine, but no communication with router except for serial port.

disabled br-lan (ifconfig br-lan down)
and gave eth0 192.168.1.1 but still nothing.

Sorry, I commited a mistake with the switch configuration. I've built again the RAM firmware with correct swtich config, and this time with a tftp client (tftp-hpa) included. I reuploaded to the same link

https://drive.google.com/uc?export=down … nVKNVZCRHM

danitool wrote:

Sorry, I commited a mistake with the switch configuration. I've built again the RAM firmware with correct swtich config, and this time with a tftp client (tftp-hpa) included. I reuploaded to the same link

https://drive.google.com/uc?export=down … nVKNVZCRHM

Thanks for your help with all of this danitool