OpenWrt Forum Archive

Topic: Support for Netgear DGND3300V2

The content of this topic has been archived on 21 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi, I've been trying to load OpenWrt on the Netgear DGND3300V2 over the weekend and I've been having some trouble in doing so. There's a generic binary that matches the board id (6358VW2) in the repos, but I've had no luck in flashing it so far.

The board has pads for a serial connection @ 115200 8N1 and I've managed to get into a CFE shell, but it's stripped down and lacks most of the commands that I'd need to do a successful flash.

CFE> help
Available commands:

h                   Http Download
d                   Download
a                   Asmod
c                   Change booline parameters
b                   Change board parameters
reset               Reset the board
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0

I can gain access to the board's HTTP recovery mode by using the h command, but am unable to upload the OpenWrt image through it. Trying to do so results in a PID error:

CFE> h

Enter in ht*p download!!                                                        
                                                                                
Packet of length 32                                                             
436f 6e74 656e 742d 4c65 6e67 7468 3a20                                         
3234 3138 3631 360d 0a0d 0a2d 2d2d 2d2d                                         
                                                                                
content_length: 0x24e7b8 (2418616)                                                
final content_length: 0x24e6d0                                                  
PID not correct! 

When compared to the stock firmware, the OpenWrt image is lacking the Sercomm firmware signature found towards the end of the stock image. I used dd to extract the SquashFS from the OpenWrt image and spliced it with the stock firmware:

root@x230:~/Documents/Tests# binwalk DGND3300v2NA-V2.1.00.33_1.00.33.img 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7444          0x1D14          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 128116 bytes
393216        0x60000         Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0x557084B1, ~CRC32 data checksum: 0xC32D1F8B
393472        0x60100         Squashfs filesystem, big endian, lzma signature, version 3.0, size: 5437524 bytes, 573 inodes, blocksize: 16384 bytes, created: 2009-10-21 02:03:04
5832972       0x59010C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3261212 bytes
6893036       0x692DEC        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "YNF72S", hardware version: 0x4100, firmware version: 0x0, starting code segment: 0x0, code size: 0x7300
6893099       0x692E2B        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "", hardware version: 0x0, firmware version: 0x0, starting code segment: 0x0, code size: 0x0


root@x230:~/Documents/Tests# binwalk openwrt-brcm63xx-generic-96358VW2-generic-squashfs-cfe.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0x7ADA6576, ~CRC32 data checksum: 0xD8F59B7F
1382964       0x151A34        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1981034 bytes, 668 inodes, blocksize: 262144 bytes, created: 2017-11-04 21:15:13

root@x230:~/Documents/Tests# binwalk openwrt-test-1.img 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7444          0x1D14          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 128116 bytes
393216        0x60000         Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0x557084B1, ~CRC32 data checksum: 0xC32D1F8B
393472        0x60100         Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2404130 bytes, 667 inodes, blocksize: 16384 bytes, created: 2018-03-10 01:49:13
6897664       0x694000        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3261212 bytes
7957728       0x796CE0        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "YNF72S", hardware version: 0x4100, firmware version: 0x0, starting code segment: 0x0, code size: 0x7300
7957791       0x796D1F        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "", hardware version: 0x0, firmware version: 0x0, starting code segment: 0x0, code size: 0x0

When my modified factory firmware is uploaded to the board through recovery mode, it passes the PID check and flashes, but appears to point to a non-existent memory address and fails the CRC checks. This automatically sends the board back to recovery mode:

CFE> h


Enter in ht*p download!!                                                        
                                                                                
Packet of length 32                                                             
436f 6e74 656e 742d 4c65 6e67 7468 3a20                                         
3739 3632 3539 360d 0a0d 0a2d 2d2d 2d2d                                         
                                                                                
content_length:0x797fe4(7962596)                                                
final content_length: 0x797ef4                                                  
PID correct!                                                                    
Start download...................... please wait for a moment                   
Download finish, start verify....................                               
Verify OK.                                                                      
Closing DMA Channels.                                                           
Call System Reset !                                                             
                                                                                
Resetting board...                                                              
                                                                                
CFE version 1.0.37-102.1 for BCM96358 (32bit,SP,BE)                             
Build Date: Thu Apr 28 17:53:06 CST 2011 (root@build_server)                    
Copyright (C) 2000-2008 Broadcom Corporation.                                   
                                                                                
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB                
CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz                               
CPU running TP0                                                                 
Total memory: 67108864 bytes (64MB)                                             
Boot Address 0xbe000000                                                         
                                                                                
                                                                                
Board IP address                  : 192.168.0.1                                 
Host IP address                   : 192.168.0.100                               
Gateway IP address                : 192.168.0.1                                 
Run from flash/host (f/h)         : f                                           
Default host run file name        : vmlinux                                     
Default host flash file name      : bcm963xx_fs_kernel                          
Boot delay (0-9 seconds)          : 3                                           
Board Id (0-5)                    : 96358VW2                                    
Number of MAC Addresses (1-32)    : 2                                           
Base MAC Address                  : 4c:60:de:6b:96:4c                           
PSI Size (1-64) KBytes            : 24                                          
Main Thread Number [0|1]          : 0                                           
Serial Number (16) Chars          : 287724B100F49                               
PIN Code (8) Chars                : 25932294                                    
DFS (8) Chars                     : 0                                           
PCBASN (16) Chars                 : 0                                           
                                                                                
*** Press any key to stop auto run (3 seconds) ***                              
Auto run second count down: 0                                                   
Booting from only image (0xbe060000) ...                                        
Code Address: 0xFFFFFFFF, Entry Address: 0xffffffff                             
Linux file system CRC error.  Corrupted image?                                  
Linux kernel CRC error.  Corrupted image?                

I think that I've reached my limit in what I'm able to achieve here. It seems like it could be possible to flash a different/modified bootloader to the board from within the factory firmware, which might allow me to flash the standard OpenWrt image, but I could easily see that screwing up and the lack of a JTAG port would mean a hard brick if/when things go wrong. I've dumped the flash, taken board photos and gathered as much relevant information as I could from the board for the benefit of anyone who's more experienced with this kind of stuff, but I can't post links to a lot of it due to posting restrictions. Drop me a message and I'll link you to it if it would be helpful. I'll post the rest below:

Bootlog:

CFE version 1.0.37-102.1 for BCM96358 (32bit,SP,BE) 
Build Date: Thu Apr 28 17:53:06 CST 2011 (root@build_server) 
Copyright (C) 2000-2008 Broadcom Corporation. 
 
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB 
CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz 
CPU running TP0 
Total memory: 67108864 bytes (64MB) 
Boot Address 0xbe000000 
 
 
Board IP address                  : 192.168.0.1:ffffff00   
Host IP address                   : 192.168.0.100   
Gateway IP address                : 192.168.0.1   
Run from flash/host (f/h)         : f   
Default host run file name        : vmlinux   
Default host flash file name      : bcm963xx_fs_kernel   
Boot delay (0-9 seconds)          : 3   
Board Id (0-5)                    : 96358VW2   
Number of MAC Addresses (1-32)    : 2   
Base MAC Address                  : 4c:60:de:6b:96:4c   
PSI Size (1-64) KBytes            : 24   
Main Thread Number [0|1]          : 0   
Serial Number (16) Chars          : 287724B100F49   
PIN Code (8) Chars                : 25932294   
DFS (8) Chars                     : 0   
PCBASN (16) Chars                 : 0   
 
*** Press any key to stop auto run (3 seconds) *** 
Auto run second count down: 3<0x08>3<0x08>2<0x08>1<0x08>0 
Booting from only image (0xbe060000) ... 
Code Address: 0x80010000, Entry Address: 0x80312000 
Decompression OK! 
Entry at 0x80312000 
Closing network. 
Closing DMA Channels. 
Starting program at 0x80312000 
Linux version 2.6.21.5 (root@localhost.localdomain) (gcc version 4.2.3) #1 Wed Oct 21 09:40:42 CST 2009 
 Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB 
 96358VW2 prom init 
 CPU revision is: 0002a010 
 Determined physical RAM map: 
  memory: 03fa0000 @ 00000000 (usable) 
 On node 0 totalpages: 16288 
   DMA zone: 32 pages used for memmap 
   DMA zone: 0 pages reserved 
   DMA zone: 4064 pages, LIFO batch:0 
   Normal zone: 95 pages used for memmap 
   Normal zone: 12097 pages, LIFO batch:1 
 Built 1 zonelists.  Total pages: 16161 
 Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200 
 brcm mips: enabling icache and dcache... 
 Primary instruction cache 32kB, physically tagged, 2-way, linesize 16 bytes. 
 Primary data cache 16kB, 2-way, linesize 16 bytes. 
 Synthesized TLB refill handler (21 instructions). 
 Synthesized TLB load handler fastpath (33 instructions). 
 Synthesized TLB store handler fastpath (33 instructions). 
 Synthesized TLB modify handler fastpath (32 instructions). 
 PID hash table entries: 256 (order: 8, 1024 bytes) 
 Using 150.000 MHz high precision timer. 
 Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) 
 Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) 
 Memory: 61192k/65152k available (2187k kernel code, 3944k reserved, 888k data, 108k init, 0k highmem) 
 Calibrating delay loop... 299.00 BogoMIPS (lpj=747520) 
 Mount-cache hash table entries: 512 
 NET: Registered protocol family 16 
 Total Flash size: 16384K with 128 sectors 
 File system address: 0xbe060100 
 registering PCI controller with io_map_base unset 
 SCSI subsystem initialized 
 usbcore: registered new interface driver usbfs 
 usbcore: registered new interface driver hub 
 usbcore: registered new device driver usb 
 BLOG v1.0 Initialized 
 NET: Registered protocol family 8 
 NET: Registered protocol family 20 
 Time: MIPS clocksource has been installed. 
 NET: Registered protocol family 2 
 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) 
 TCP established hash table entries: 2048 (order: 2, 16384 bytes) 
 TCP bind hash table entries: 2048 (order: 1, 8192 bytes) 
 TCP: Hash tables configured (established 2048 bind 2048) 
 TCP reno registered 
 squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher 
 squashfs: LZMA suppport for slax.org by jro 
 fuse init (API version 7.8) 
 io scheduler noop registered (default) 
 PPP generic driver version 2.4.2 
 NET: Registered protocol family 24 
 IMQ starting with 2 devices... 
 IMQ driver loaded successfully. 
     Hooking IMQ before NAT on PREROUTING. 
     Hooking IMQ after NAT on POSTROUTING. 
 bcm963xx_mtd driver v1.0 
 kernel_addr == 0xbe590100 rootfs_addr == 0xbe060100 
 Physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank 
  Amd/Fujitsu Extended Query Table at 0x0040 
 Physically mapped flash: CFI does not contain boot bank location. Assuming top. 
 number of CFI chips: 1 
 cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness. 
 Creating 6 MTD partitions on "Physically mapped flash": 
 0x00060100-0x00590100 : "fs" 
 mtd: partition "fs" doesn't start on an erase block boundary -- force read-only 
 0x00060000-0x01000000 : "tag+fs+kernel" 
 0x00000000-0x00020000 : "bootloader" 
 0x00040000-0x00060000 : "nvram" 
 0x00000000-0x00020000 : "bootloader" 
 0x00020000-0x00040000 : "DPF_file" 
 usbmon: debugfs is not available 
 PCI: Enabling device 0000:00:0a.0 (0000 -> 0002) 
 PCI: Setting latency timer of device 0000:00:0a.0 to 64 
 ehci_hcd 0000:00:0a.0: EHCI Host Controller 
 ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1 
 ehci_hcd 0000:00:0a.0: irq 18, io mem 0xfffe1300 
 ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00, driver 10 Dec 2004 
 usb usb1: configuration #1 chosen from 1 choice 
 hub 1-0:1.0: USB hub found 
 hub 1-0:1.0: 2 ports detected 
 ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver 
 hub 1-0:1.0: over-current change on port 2 
 PCI: Enabling device 0000:00:09.0 (0000 -> 0002) 
 PCI: Setting latency timer of device 0000:00:09.0 to 64 
 ohci_hcd 0000:00:09.0: OHCI Host Controller 
 ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2 
 ohci_hcd 0000:00:09.0: irq 13, io mem 0xfffe1400 
 usb usb2: configuration #1 chosen from 1 choice 
 hub 2-0:1.0: USB hub found 
 hub 2-0:1.0: 2 ports detected 
 USB Universal Host Controller Interface driver v3.0 
 Initializing USB Mass Storage driver... 
 usbcore: registered new interface driver usb-storage 
 USB Mass Storage support registered. 
 brcmboard: brcm_board_init entry 
 Serial: BCM63XX driver $Revision: 3.00 $ 
 ttyS0 at MMIO 0xfffe0100 (irq = 10) is a BCM63XX 
 ttyS1 at MMIO 0xfffe0120 (irq = 11) is a BCM63XX 
 GACT probability NOT on 
 nf_conntrack version 0.5.0 (509 buckets, 4072 max) 
 ip_tables: (C) 2000-2006 Netfilter Core Team 
 TCP cubic registered 
 NET: Registered protocol family 1 
 NET: Registered protocol family 10 
 ip6_tables: (C) 2000-2006 Netfilter Core Team 
 IPv6 over IPv4 tunneling driver 
 NET: Registered protocol family 17 
 NET: Registered protocol family 15 
 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> 
 All bugs added by David S. Miller <davem@redhat.com> 
 VFS: Mounted root (squashfs filesystem) readonly. 
 Freeing unused kernel memory: 108k freed 
  init started:  BusyBox v1.00 (2009.10.21-01:56+0000) multi-call binary 
 init started:  BusyBox v1.00 (2009.10.21-01:56+0000) multi-call binary 
 Starting pid 125, console /dev/console: '/usr/etc/rcS' 
Algorithmics/MIPS FPU Emulator v1.5 
 bcm_enet: module license 'Proprietary' taints kernel. 
 ****** not smartflush 
 Broadcom BCM6358A1 Ethernet Network Device v0.3 Oct 21 2009 09:38:34 
 Config Ethernet Switch Through MDIO Pseudo PHY Interface 
 ethsw: found bcm5325e! 
 dgasp: kerSysRegisterDyingGaspHandler: eth0 registered  
 eth0: MAC Address: 4C:60:DE:6B:96:4C 
 blaadd: blaa_detect entry 
 IPv6: add_dev failed for atm0 
 adsl: adsl_init entry 
 IPv6: add_dev failed for dsl0 
 netfilter PSD loaded - (c) astaro AG 
 ipt_random match loaded 
 insmod finish 
BcmAdsl_Initialize=0xC007BF50, g_pFnNotifyCallback=0xC0095AA4 
 AnnexCParam=0x00000008 AnnexAParam=0x00003987 adsl2=0x00000003 
 pSdramPHY=0xA3FFFFF8, 0xEF5CFF7F 0xFBFFBFC7 
 AdslCoreHwReset:  AdslOemDataAddr = 0xA3FFBB64 
 AnnexCParam=0x00000008 AnnexAParam=0x00003987 adsl2=0x00000003 
 dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered  
 ATM proc init !!! 
 device eth0 entered promiscuous mode 
 SIOCGIFFLAGS: No such device 
interface eth1 does not exist! 
RC: wifi_init() 
/usr/sbin/wlctl: wl driver adapter not found 
RC: insert wl.ko... 
PCI: Enabling device 0000:00:01.0 (0000 -> 0002) 
 wl: srom not detected, using main memory mapped srom info (wombo board) 
 wl0: wlc_attach: MAC addr from system pool. id:0x776c0000 
 wl0: MAC Address: 4C:60:DE:6B:96:4D 
 wl0: Broadcom BCM4318 802.11 Wireless Controller 5.10.85.0.cpe4.402.4 
 dgasp: kerSysRegisterDyingGaspHandler: wl0 registered  
 PCI: Enabling device 0000:00:02.0 (0000 -> 0002) 
 wl: srom not detected, using main memory mapped srom info (wombo board) 
 wl1: wlc_attach: MAC addr from system pool. id:0x776c0001 
 wl1: MAC Address: FF:84:64:00:00:00
 wl1: Broadcom BCM4322 802.11 Wireless Controller 5.10.85.0.cpe4.402.4 
 dgasp: kerSysRegisterDyingGaspHandler: wl1 registered  
 =============rc start  
ap_name=(null) action=start 
device eth0 is already a member of a bridge; can't enslave it to bridge br0. 
br0: port 1(eth0) entering learning state 
 br0: topology change detected, propagating 
 br0: port 1(eth0) entering forwarding state 
 /sbin/ifconfig br1 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255/bin/echo GMT+0 > /etc/TZ 
ap_name=firewall action=restart 
fw_pt  
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
iptables v1.3.8: host/network `(null)' not found 
Try `iptables -h' or 'iptables --help' for more information. 
/bin/echo GMT+0 > /etc/TZ 
0:0 
sh: cannot create /proc/net/ipt_condition/schedule: Directory nonexistent 
killall: udhcpd: no process killed 
killall: miniupnpd: no process killed 
killall: dnrd: no process killed 
Notice: caching turned off 
Warning: Using /etc/hosts will be removed in a future version. Please use only the /etc/dnrd/master file or use -m off. 
dnrd -a 192.168.0.1 -m hosts -c off --timeout=0 -b  
lan_ifnames=eth0 wl0 wl1  
lan1_ifnames=wl0.1 wl1.1  
========idx=0 
Setting SSID "NETGEAR-2.4-G" 
Setting SSID "NETGEAR-2.4G_g_Guest1" 
Setting SSID "NETGEAR_Guest2" 
Setting SSID "NETGEAR_Guest3" 
rc (wifi): BssMacAddr for SSID 3 is NULL, ERROR 
rc (wifi): BssMacAddr for SSID 4 is NULL, ERROR 
/usr/sbin/wlctl: Out of Range Channel 
usage: /usr/sbin/bcmupnp -D [-W <wanif>] 
Reaped 720 
UPnP::upnp_init:UPnP daemon is ready to run 
========idx=1 
Setting SSID "NETGEAR-DualBand-N" 
Setting SSID "NETGEAR-5G_n_Guest1" 
Setting SSID "NETGEAR-5G_Guest2" 
Setting SSID "NETGEAR-5G_Guest3" 
rc (wifi): BssMacAddr for SSID 3 is NULL, ERROR 
rc (wifi): BssMacAddr for SSID 4 is NULL, ERROR 
Chanspec set to 0x1d26 
usage: /usr/sbin/bcmupnp -D [-W <wanif>] 
Reaped 944 
UPnP::upnp_init:UPnP daemon is ready to run 
wlmngr_startWsc: ap-er mode (er-done) 
killall: smbd: no process killed 
killall: nmbd: no process killed 
killall: bftpd: no process killed 
killall: smbd: no process killed 
UPnP::upnp_request_handler:UPNP_CMD_DEV_ADD 
UPnP::upnp_device_attach:br0: attach WFADevice.xml 
killall: nmbd: no process killed 
killall: bftpd: no process killed 
=============rc finish  
min_time=1,max_time=4, 
route: SIOC[ADD|DEL]RT: File exists 
 
Please press Enter to activate this console. UPnP::upnp_request_handler:Device command. 
 
Starting pid 1008, console /dev/console: '/bin/sh' 
 
 
BusyBox v1.00 (2009.10.21-01:56+0000) Built-in shell (ash) 

Flash dump info:

root@x230:~/Documents/Flash Backup# binwalk mtd0.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Squashfs filesystem, big endian, lzma signature, version 3.0, size: 5437514 bytes, 573 inodes, blocksize: 16384 bytes, created: 2009-10-12 07:20:43



root@x230:~/Documents/Flash Backup# binwalk mtd1.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0x8E25A9F, ~CRC32 data checksum: 0xDF124676
256           0x100           Squashfs filesystem, big endian, lzma signature, version 3.0, size: 5437514 bytes, 573 inodes, blocksize: 16384 bytes, created: 2009-10-12 07:20:43
5439756       0x53010C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3261212 bytes
6500071       0x632EE7        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "YNF72S", hardware version: 0x4100, firmware version: 0x0, starting code segment: 0x0, code size: 0x7300
6500134       0x632F26        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "", hardware version: 0x0, firmware version: 0x0, starting code segment: 0x0, code size: 0x0



root@x230:~/Documents/Flash Backup# binwalk mtd2.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7444          0x1D14          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 129044 bytes



root@x230:~/Documents/Flash Backup# binwalk mtd3.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------



root@x230:~/Documents/Flash Backup# binwalk mtd4.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7444          0x1D14          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 129044 bytes



root@x230:~/Documents/Flash Backup# binwalk mtd5.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------

Other Stuff:

# cat /proc/cmdline
root=31:0 ro noinitrd console=ttyS0,115200

# cat /proc/cpuinfo
system type             : 96358VW2
processor               : 0
cpu model               : BCM6358 V1.0
BogoMIPS                : 299.00
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 38578

# cat /proc/meminfo
MemTotal:        61316 kB
MemFree:         41568 kB
Buffers:          2564 kB
Cached:           8016 kB
SwapCached:          0 kB
Active:           5672 kB
Inactive:         7296 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        2404 kB
Mapped:           1624 kB
Slab:             4508 kB
SReclaimable:      536 kB
SUnreclaim:       3972 kB
PageTables:        340 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     30656 kB
Committed_AS:     5628 kB
VmallocTotal:  1032148 kB
VmallocUsed:      1544 kB
VmallocChunk:  1029116 kB

# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 90 mtd
108 ppp
128 ptm
136 pts
180 usb
189 usb_device
205 atmapi
206 brcmboard
208 adsl
225 /dev/sc_led
254 usb_endpoint

Block devices:
  8 sd
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd

# ls /sys/devices/platform
uevent

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00530000 00020000 "fs"
mtd1: 00fa0000 00020000 "tag+fs+kernel"
mtd2: 00020000 00020000 "bootloader"
mtd3: 00020000 00020000 "nvram"
mtd4: 00020000 00020000 "bootloader"
mtd5: 00020000 00020000 "DPF_file"

# ifconfig -a
atm0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br0       Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4C  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::4e60:deff:fe6b:964c/64 Scope:Link
          UP BROADCAST RUNNING  MTU:1500  Metric:1
          RX packets:626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:220 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:49344 (48.1 KiB)  TX bytes:24111 (23.5 KiB)

br1       Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

cpcs0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:65535  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

dsl0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4C  
          inet6 addr: fe80::4e60:deff:fe6b:964c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:52347 (51.1 KiB)  TX bytes:25615 (25.0 KiB)
          Interrupt:25 Base address:0x5120 

imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          UP RUNNING NOARP  MTU:16000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

imq1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:16000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:11000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:12313 (12.0 KiB)  TX bytes:12313 (12.0 KiB)

sit0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0       Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4C  
          inet6 addr: fe80::4e60:deff:fe6b:964c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:5075
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:39 

wl0.1     Link encap:Ethernet  HWaddr 62:60:DE:6B:96:4D  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:5075
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.2     Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4D  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:5075
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.3     Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4D  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:5075
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl1       Link encap:Ethernet  HWaddr 4C:60:DE:6B:96:4B  
          inet6 addr: fe80::4e60:deff:fe6b:964b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:39 

wl1.1     Link encap:Ethernet  HWaddr 62:60:DE:6B:96:4A  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl1.2     Link encap:Ethernet  HWaddr FF:9B:54:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl1.3     Link encap:Ethernet  HWaddr FF:9B:54:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


# ls /sys/class/net
atm0   br1    dsl0   imq0   lo     wl0    wl0.2  wl1    wl1.2
br0    cpcs0  eth0   imq1   sit0   wl0.1  wl0.3  wl1.1  wl1.3

# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.4c60de6b964c       no              eth0
                                                        wl0
                                                        wl1
br1             8000.000000000000       no

# cat svn.info 
Path: .
URL: svn://172.31.2.251:36901/svn/Platform/DG834V4/DGND3300/Source
Repository Root: svn://172.31.2.251:36901/svn/Platform/DG834V4
Repository UUID: cf59f481-0efb-4984-9059-ba1194d2ff62
Revision: 2057
Node Kind: directory
Schedule: normal
Last Changed Author: derek
Last Changed Rev: 2031
Last Changed Date: 2009-10-12 15:10:28 +0800 (Mon, 12 Oct 2009)

VER: A2.1.00.33_1.00.33NA
Build from: localhost.localdomain /Platform/DGND3300/Source
DATE: Wed Oct 21 09:55:38 CST 2009
BOARD_ID: DGND3300v2
Boot Loader CFE version 1.0.37-12.1 for BCM96348 (32bit,SP,BE)
ADSL driver version: AnnexA version - A2pB023k.d20k_rc2
Firmware version: A2.1.00.33_1.00.33NA

Tech Specs:

  • SoC: Broadcom BCM6358U

  • NOR Flash: Macronix MX29GL128ELT2I-90G  16MB

  • RAM: Nanya NT5DS32M16BS -5T 64MB

  • Ethernet: Broadcom BCM6358A1

  • Radio 1: Broadcom BCM4318E

  • Radio 2: Broadcom BCM4233

OK, I've managed to get past the CRC checks - turns out that taking the header from one image and transplanting it to another is a bad idea that would never have worked.

I installed the dependencies needed to run the tools included with the GPL sources that Netgear released for this model, and extracted the filesystem from the OpenWrt image available for this board with Binwalk.

I then combined the stock firmware and the OpenWrt filesystem using the ./build.sh script included with the firmware tools. I was able to flash the resulting image through the recovery web interface successfully.

This image starts to boot as normal, but fails shortly after mounting the SquashFS:

VFS: Mounted root (squashfs filesystem) readonly.                               
Freeing unused kernel memory: 108k freed                                        
Press the [f] key and hit [enter] to enter failsafe mode                        
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level    
ifconfig: SIOCGIFFLAGS: No such device                                          
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory                                                 
open: No such file or directory 

If I press f at the prompt, I can enter OpenWrt failsafe mode. Running ifconfig shows that none of the network interfaces have been detected, and running firstboot times out with no effect.

Press the [f] key and hit [enter] to enter failsafe mode                        
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level    
f                                                                               
touch: /tmp/failsafe                                                            
- failsafe -                                                                    
Exited: Failure reading random device /dev/urandom                              
                                                                                
                                                                                
BusyBox v1.24.2 () built-in shell (ash)                                         
                                                                                
ash: can't access tty; job control turned off                                   
  _______                     ________        __                                
 |       |.-----.-----.-----.|  |  |  |.----.|  |_                              
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|                             
 |_______||   __|_____|__|__||________||__|  |____|                             
          |__| W I R E L E S S   F R E E D O M                                  
 -----------------------------------------------------                          
 DESIGNATED DRIVER (Bleeding Edge, 50072)                                       
 -----------------------------------------------------                          
  * 2 oz. Orange Juice         Combine all juices in a                          
  * 2 oz. Pineapple Juice      tall glass filled with                           
  * 2 oz. Grapefruit Juice     ice, stir well.                                  
  * 2 oz. Cranberry Juice                                                       
 -----------------------------------------------------                          
================= FAILSAFE MODE active ================                         
special commands:                                                               
* firstboot          reset settings to factory defaults                         
* mount_root     mount root-partition with config files                         
                                                                                
after mount_root:                                                               
* passwd                         change root's password                         
* /etc/config               directory with config files                         
                                                                                
for more help see:                                                              
ht*p://wiki.openwrt.org/doc/howto/generic.failsafe                              
=======================================================                         
                                                                                
root@(none):/#                                                                                                                              
root@(none):/# ifconfig                                                                                               
root@(none):/# ifconfig -a                                                      
imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-0 
          NOARP  MTU:16000  Metric:1                                            
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                    
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0                  
          collisions:0 txqueuelen:11000                                         
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)                                
                                                                                
imq1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-0 
          NOARP  MTU:16000  Metric:1                                            
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                    
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0                  
          collisions:0 txqueuelen:11000                                         
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)                                
                                                                                
lo        Link encap:Local Loopback                                             
          LOOPBACK  MTU:16436  Metric:1                                         
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                    
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0                  
          collisions:0 txqueuelen:0                                             
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)                                
                                                                                
sit0      Link encap:IPv6-in-IPv4                                               
          NOARP  MTU:1480  Metric:1                                             
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0                    
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0                  
          collisions:0 txqueuelen:0                                             
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)                                
                                                     
root@(none):/#      

What would I need to do to get my image to boot successfully and detect the board's network interfaces?

Hi, this may help you to generate a compatible Netgear firmware without extracting the filesystem

https://openwrt.org/toh/netgear/dg834g.v4#installation

Not sure about your network error, but are you using the latest OpenWrt snapshot?
https://downloads.lede-project.org/snap … x/generic/

Probably the RG100a has a more compatible firmware with your device
https://downloads.lede-project.org/snap … fs-cfe.bin

Can you send me the link with the internal pics?

Regards

Hey Danitool, just sent you the link but it may have gone through to your spam folder. I've given that method a try, but it creates an image that flashes, but fails to boot with the same error that I was getting before:

*** Press any key to stop auto run (3 seconds) ***                              
Auto run second count down: 0                                                   
Booting from only image (0xbe060000) ...                                        
Code Address: 0xFFFFFFFF, Entry Address: 0xffffffff                             
Linux file system CRC error.  Corrupted image?                                  
Linux kernel CRC error.  Corrupted image?  

After having another look at the ./build.sh script from the GPL source, I think that I've worked out why this happens.

if [ "$yn" = "y" ]; then
#    tools/mkcramfs $2 fs.bin
#    tools/mksquashfs $2 fs.bin -noappend -be -lzma -no-fragments -noI

    tools/mksquashfs $2 fs.bin -noappend -be -no-fragments -noI -b 16384

    tools/bcmImageBuilder --output bcm963xx_fs_kernel --chip 6358 --board "96358VW2" --blocksize 384 --cfefile tools/cfe6358.bin --rootfsfile fs.bin  --kernelfile tools/vmlinux.lz

    tools/makeImage $3 $1 bcm963xx_fs_kernel
    #rm -rf fs.bin bcm963xx_fs_kernel
           echo $3 "Created!"    
else
    echo "EXIT!"
fi

First, the script creates the SquashFS (fs.bin) from the folder specified in the variable $2. Then, fs.bin is passed as the --rootfsfile argument to bcmImageBuilder, which combines it with a compressed Linux kernel and a copy of the bootloader. This is the point where the CRC checksum for the output file, bcm963xx_fs_kernel, is generated.

Finally, the makeImage script is called, combining the stock image ($1) with bcm963xx_fs_kernel to create the final image ($3).

If I use the method that you linked for the DG834G, I'm left with a firmware that will pass the recovery mode PID check and successfully flash, but fails to boot because it lacks the kernel that the bootloader is expecting to find in the mtd1 partition. I feel a bit thick now, as there was a massive hint in the partition name all along:

# cat /proc/mtd
dev:    size   erasesize  name
mtd1: 00fa0000 00020000 "tag+fs+kernel"

It's possible to modify the ./build.sh script to output a valid firmware with a valid CRC checksum and kernel by swapping around a few variables and commenting out the line where the SquashFS is created:

if [ "$yn" = "y" ]; then
#    tools/mkcramfs $2 fs.bin
#    tools/mksquashfs $2 fs.bin -noappend -be -lzma -no-fragments -noI
    #tools/mksquashfs $2 fs.bin -noappend -be -no-fragments -noI -b 16384
    tools/bcmImageBuilder --output bcm963xx_fs_kernel --chip 6358 --board "96358VW2" --blocksize 384 --cfefile tools/cfe6358.bin --rootfsfile $2  --kernelfile tools/vmlinux.lz
    tools/makeImage $3 $1 bcm963xx_fs_kernel
    #rm -rf fs.bin bcm963xx_fs_kernel
           echo $3 "Created!"    
else
    echo "EXIT!"
fi

The only issue with this is that the OpenWrt images available already have their own CRC checksum generated when they're compiled, so you end up with an image that has two separate checksums:

root@x230:~/Documents/Build# binwalk buildtest.img 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
7444          0x1D14          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 128116 bytes
393216        0x60000         Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0xE178E33C, ~CRC32 data checksum: 0xC432DF2E
393472        0x60100         Broadcom 96345 firmware header, header size: 256, firmware version: "8", board id: "6358VW2", ~CRC32 header checksum: 0x9EAB6B3F, ~CRC32 data checksum: 0xDBA0A575
1918720       0x1D4700        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 2085464 bytes, 800 inodes, blocksize: 262144 bytes, created: 2018-03-12 11:19:23
4063504       0x3E0110        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3261212 bytes
5123568       0x4E2DF0        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "YNF72S", hardware version: 0x4100, firmware version: 0x0, starting code segment: 0x0, code size: 0x7300

This can be easily fixed by using dd to create another image that simply skips the OpenWrt-generated firmware header. This stripped image can be passed to the ./build.sh script to create an image with the correct checksum.

The problem that I'm now encountering is that the ancient kernel included with the GPL sources doesn't seem to support the SquashFS format now used by the OpenWrt Build system. It works fine right up until it tries to load the SquashFS, at which point it panics and goes into a bootloop:

No filesystem could mount root, tried:  squashfs msdos vfat fuseblk
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,0)
Rebooting in 1 seconds..

CFE version 1.0.37-102.1 for BCM96358 (32bit,SP,BE)
Build Date: Thu Apr 28 17:53:06 CST 2011 (root@build_server)
Copyright (C) 2000-2008 Broadcom Corporation.


I'm unsure whether it's due to the endianness (stock image uses big while the OpenWrt image uses big) of the filesystem, or the version number (v3 for stock compared to v4 for OpenWrt), but either way, I'd need to find a way to compile a compatible kernel before I can get much further.

With regards to the network issue, I have a feeling that it's missing the driver needed to initialise the switch. The bootlog says that it's a BCM5325e, which would use the B53 driver, but I'm not sure how to include it in an image as I can't find a kmod for it within make menuconfig.

You shouldn't use the kernel image from the original firmware mixed with OpenWrt, it lacks jffs2 support among other features and won't boot ok.

The problem with your CFE is that it expects the firmware at offset 0x60000, but the OpenWrt firmwares commonly use the 0x10000 or 0x20000 offset; this offset is hardcoded into the firmware header.

What would be the best course of action to resolve this?

I can create new firmware headers with bcmImageBuilder that point to the right offset, but I'm struggling with the kernel side of things.

I tried to compile an up to date kernel using the OpenWrt build system last night and I think that I messed up somewhere - the uncompressed size of the LZMA data looks wrong.

root@x230:~/Documents/Build/tools# binwalk vmlinuz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit MSB executable, MIPS, version 1 (SYSV)
66688         0x10480         LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: -1 bytes

If I try to build and flash an image using this, I get this output from the serial console:

*** Press any key to stop auto run (3 seconds) ***                              
Auto run second count down: 0                                                   
Booting from only image (0xbe060000) ...                                        
**Exception 32: EPC=80528D7C, Cause=80420B60 (Exc24    )                        
                RA=00000000, VAddr=80420B60                                     
                                                                                
        0  ($00) = 66726F6D     AT ($01) = 7920696D                             
        v0 ($02) = 28307862     v1 ($03) = 30303029                             
        a0 ($04) = 0A000000     a1 ($05) = 00000000                             
        a2 ($06) = 00000000     a3 ($07) = 00000000                             
        t0 ($08) = 00000000     t1 ($09) = 80414350                             
        t2 ($10) = 80528E0C     t3 ($11) = 003DA000                             
        t4 ($12) = 80528E0C     t5 ($13) = 003DA000                             
        t6 ($14) = 80412A2C     t7 ($15) = 00000000                             
        s0 ($16) = 00000000     s1 ($17) = 08300A00                             
        s2 ($18) = 20736563     s3 ($19) = 636F756E                             
        s4 ($20) = 776E3A20     s5 ($21) = 756E2028                             
        s6 ($22) = 636F6E64     s7 ($23) = 2A2A0A00                             
        t8 ($24) = 00000000     t9 ($25) = 00000000                             
        k0 ($26) = 00000000     k1 ($27) = 00000000                             
        gp ($28) = 00000000     sp ($29) = 00000000                             
        fp ($30) = 00000000     ra ($31) = 00000000                             
                                                   

It looks like it's failing to decompress?
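
Added example (not from the thread, and not part of the OpenWrt or Netgear tools): a small Python reader for the two headers the posts above puzzle over, the SquashFS superblock (on-disk endianness and version, the open question behind the root-mount panic) and the 13-byte .lzma header, where an all-ones size field (printed by binwalk as -1) means the size is not stored and the stream ends with an end marker. The sample image is constructed to mirror the binwalk values quoted in the thread, and all function names are illustrative.

```python
import struct

# On-disk magic -> struct byte order. "hsqs" is a little-endian superblock,
# "sqsh" a big-endian one (what the -be flag in the thread's build.sh asks for).
SQUASHFS_MAGIC = {b"hsqs": "<", b"sqsh": ">"}
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF  # binwalk prints this value as -1


def squashfs_info(image, offset):
    """Return (endianness, major, minor) for a superblock at offset, else None."""
    sb = image[offset:offset + 32]
    order = SQUASHFS_MAGIC.get(sb[:4])
    if order is None or len(sb) < 32:
        return None
    # s_major/s_minor sit at bytes 28..31 in both the v3 and the v4 superblock.
    major, minor = struct.unpack_from(order + "HH", sb, 28)
    if not 1 <= major <= 4:
        return None  # magic bytes that occurred by chance inside other data
    return ("little" if order == "<" else "big", major, minor)


def scan_squashfs(image):
    """Find every plausible superblock: [(offset, endianness, major, minor)]."""
    hits = []
    for magic in SQUASHFS_MAGIC:
        pos = image.find(magic)
        while pos != -1:
            info = squashfs_info(image, pos)
            if info:
                hits.append((pos,) + info)
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def differences(hit, kernel_endian, kernel_major):
    """Name the superblock properties that differ from what a kernel expects."""
    _, endian, major, _ = hit
    checks = (("endianness", endian != kernel_endian),
              ("version", major != kernel_major))
    return [name for name, differs in checks if differs]


def lzma_alone_info(image, offset):
    """Decode the 13-byte .lzma header: props byte, dict size, uncompressed size."""
    hdr = image[offset:offset + 13]
    if len(hdr) < 13 or hdr[0] >= 9 * 5 * 5:
        return None
    props, dict_size, size = struct.unpack("<BIQ", hdr)
    return {"lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45,
            "dict_size": dict_size,
            # None: size not stored, the decoder must stop at the end marker
            "uncompressed_size": None if size == LZMA_SIZE_UNKNOWN else size}


def sample_image():
    """Constructed test image (not real firmware) mirroring the thread's values."""
    sb_v4_le = b"hsqs" + bytes(24) + struct.pack("<HH", 4, 0)
    sb_v3_be = b"sqsh" + bytes(24) + struct.pack(">HH", 3, 0)
    lzma_hdr = struct.pack("<BIQ", 0x6D, 1048576, LZMA_SIZE_UNKNOWN)
    return bytes(64) + sb_v4_le + bytes(32) + sb_v3_be + bytes(16) + lzma_hdr


if __name__ == "__main__":
    img = sample_image()
    for hit in scan_squashfs(img):
        print(hit, "differs from a big-endian v3 kernel in:",
              differences(hit, "big", 3))
    print(lzma_alone_info(img, 176))
```

On a real image, read the file as bytes and pass it to `scan_squashfs`; the offsets it returns can be compared with the ones binwalk reports.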

The discussion might have continued from here.