Topic: BCM6338 - extract firmware image

hi all,

http://wiki.openwrt.org/doc/techref/brcm63xx.imagetag

i ran it on my router's image, and i got this:


# ./analyzetag -t bc300 -i AirTies_Air5021RU_FW_1.2.0.16_FullImage.bin
Broadcom image analyzer - v0.1.0
Copyright (C) 2009 Daniel Dickinson
Tag Version: 6
Signature 1: Broadcom Corporatio
Signature 2: ver. 2.0
Chip ID: 6338
Board ID: 96332CG
Bigendian: true
Image size: 001e171b, 1971995
CFE Address: bfc00000, 3217031168
CFE Length: 0000fdcc, 64972
Flash Root Address: bfc10100, 3217096960
Flash Root Length: 0014f000, 1372160
Flash Kernel Address: bfd5f100, 3218469120
Flash Kernel Length: 0008294f, 534863
Vendor information:
Image CRC: d7cd6807   [Computed Value: 13cf3ceb]
Rootfs CRC:             [Computed Value: c5b10d67]
Image CRC from sections: d7cd6807   [Computed Value: 13cf3ceb]
Header CRC: 0ce0a955   [Computed Value: 0ce0a955]


now how can i extract, modify and rebuild this image?

cpuinfo:

# cat /proc/cpuinfo
system type             : 96332CG
processor               : 0
cpu model               : BCM6338 V1.0
BogoMIPS                : 239.20
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : no
unaligned access                : 64354
VCED exceptions         : not available
VCEI exceptions         : not available

Re: BCM6338 - extract firmware image

HI
  u want to extract the image into cfe, kernel, filesystem etc.?
If so, there's a tool, namely BCMfwmod (various versions), to do exactly the same. Google it, u will find it.

If u cant find it let me know, i can upload it for u.
regards

Re: BCM6338 - extract firmware image

hi rahan, thank you for your reply.

yes, it is exactly what i am trying to do. i searched google but there are too few results, and all chinese, and all links dead

so i will appreciate if you upload it

Re: BCM6338 - extract firmware image

hi
  can i email u those tools?
what's ur email id?

5 (edited by kursadyo 2011-09-09 14:44:29)

Re: BCM6338 - extract firmware image

of course, kursadyo [at] google_mail dot com
google mail is gma..
thanks

Re: BCM6338 - extract firmware image

you're welcome. Check ur mail.
regards

Re: BCM6338 - extract firmware image

HI
   mail bounce back. probably filters. another email id?.

Re: BCM6338 - extract firmware image

here is another email
monsantiter [at] yahoo [dot] com

9 (edited by Jesse Marcel 2011-09-25 11:15:32)

Re: BCM6338 - extract firmware image

Nice post. I like the way you start and then conclude your thoughts. Thanks Kursadyo for sharing with us this post.


Re: BCM6338 - extract firmware image

Can i have too please?
spatsant [at] auth [dot] gr
Thanks a lot.

Re: BCM6338 - extract firmware image

spatsant i sent your mail, keep us posted about your progress.

hi Jesse, here is what i have done till now:


the help document is the only thing we have got.

kursat@kursat-ubuntu:~/air/BCMTOOLS/BcmFWmod17a/sourcecode$ ./brfwmod

===============================================================
   Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
           Supprot CFE nvram format (Broadcom rev.3)
===============================================================

ABOUT: This program can decomp/comp a firmware image for Broadcom chip
        based DSL MODEM.

            ---------------
USAGE: BrFwmod -decomp <-i inputfile> </m:X> </notag> </cfe> </rfs> </knl>
        BrFwmod -comp <-o outputfile> </m:X> </cfe>  </cfeblk:X> </128K>
                      </nonvram></macaddr:XXXXXXXXXXXX></nvboardid:XXXX>
                      </noauxtoken></r>
        BrFwmod -showinfo <-i inputfile> 

            Required Parameter
            ------------------
            -decomp ........... decompress Image file into sub files
            -comp ............. compress
            -showinfo ......... show a Image file infomation
            -i inputfile ...... custom input file(Image.bin by default)
            -o outputfile  .... custom output file(Image_Time.bin by default)

            Optional Switches for -decomp command
            -------------------------------------
            /cfe ........... ... decomp CFE
            /notag ............. don't decomp image tag
            /rfs ............... decomp including root filesystem
            /knl ............... decomp including kernel image
            /m:X ............... use method [X] to deal with the Image
              :1 ............... tag+rootfs+kernel(default for comp)
              :2 ............... tag+cfe+rootfs+kernel(default for decomp)
              :3 ............... tag+cfe
              :4 ............... tag only
              :5 ............... cfe only, also use to mod cfe nvram data
            /notimestamp........ don't add time stamp to decomp sub filename

            /r ................. Linux only:decomp/comp root filesystem image
            Optional Switches for -comp command
            -----------------------------------
            /cfe ........... ... comp including CFE
            /64K ............... use 64KB as flash block size to calculate
            /128K .............. use 128KB as flash block size to calculate
            /s1 ................ set tag ImageSequence to [1]
            /s0 ................ clear tag ImageSequence to emperty
            /m:X ............... use method [X], same as -comp command
            /cfeblk:X .......... if cfe doesn' be built in, X use to
                                 count CFE length in X flash blocks
            /boardid:XXXX ...... max 15 chars for boardID in TAG
            /noauxtoken......... don't build in Rfs+Knl checksum in TAG
            /cfenvram .......... make a default CFE NVRAM data
            /cleannv ........... empty existed NVRAM data in CFE.BIN
            /b0 ................ write boot from latest Image sig in CFE NVRAM
            /b1 ................ write boot from previous Image sig in CFE NVRAM
            /macaddr:XXXX ...... 12 hex digits for Mac Address in CFE NVRAM
            /nvboardid:XXXX .... max 15 chars for boardID in CFE NVRAM

            ----------------------------------------------------------------

EXAMPLES: BrFwmod -decomp        <-decomp all sub files from Image.bin
           BrFwmod -decomp -i myfirm.bin /m:1   <-decomp all sub files except
                                  CFE.BIN from myfirm.bin
           BrFwmod -showinfo -i myfirm.bin  <-show myfirm.bin info
           BrFwmod -comp -o newfirm.bin /m:2      <-pack a complete new image
                                  newfirm.bin with all sub files
           BrFwmod -comp -o newcfe.bin /m:5 /b0 /nvboardid:96358GW
                                  <-make a modified CFE file with latest boot
                                   partition and boardid setting '96358GW'
           BrFwmod -comp -o newfirm.bin /m:2    /128K  <-pack a new image
                                   to fit 128KB flash sector size

NOTES: 1) The sub image files include TAG.BIN(image header), CFE.BIN(boot
           loader), ROOTFS(root file system),KERNL.BIN(Kernel image).
           Need rename to these file name -comp operation
        2) The TAG definition could be found from bcmTag.h from vendor GPL
           sourcecode package
        3) Please keep in mind,  board physical definiation exist in both
           CFE and Kernel.  Therefore, only corrct CFE + Kernel combination
           could work.
        4) The Root FS loading address  is calculated  with CFE length and
           flash block size. Usually this address is 0xBFC10100 for a 64KB
           and 0xBFC20100 for a 128KB tiny CFE. Try /128K, /64K and /cfeblk:X
           to meet your wish.The chip later than 6358 will default use /128K
        5) When pack CFE in a new image, default NVRAM block will not be built
           in.You can use /cfenvram to build one,or /cleannv to clean orignal
        6) When pack a new image, a RootFS+Kernl checksum token will be built
           in TAG for some vendor. use /noauxtoken to disable it.
        7) /boardid:xxxxxxx quick switch one firmware to fit another brand box.
           Usrally use to mod an other brand firmware
        8) -comp /m:5 allow you mod a CFE with specfic NVRAM setting. when m:5
           selected, you can ignore all '[/cfenvram] option NOT opened' warnings
        8) The Root FileSystem image ROOTFS.BIN can be unpacked into files
           in Linux version with /r option. You can patch it and add every
           thing you want


first i get my router's information:

kursat@kursat-ubuntu:~/air/BCMTOOLS/BcmFWmod17a/sourcecode$ ./brfwmod -showinfo -i AirTies_Air5021RU_FW_1.2.0.16_FullImage.bin

===============================================================
   Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
           Supprot CFE nvram format (Broadcom rev.3)
===============================================================



============Decoding Tag Information=============
    Tag Ver signature   = '6'
    SIG1(comany info)   = 'Broadcom Corporatio'
    SIG2(FW version)    = 'ver. 2.0'
    Chip ID             = '6338'
    Board ID            = '96332CG'
    FW endianess        = Big Endian
    CFE loading at      = 0xBFC00000
    CFE length          = 0x0000FDCC
    RootFS loading at   = 0xBFC10100
    RootFS length       = 0x0014F000
    Kernel loading at   = 0xBFD5F100
    Kernel length       = 0x0008294F
    Total Image length  = 0x001E171B
=================================================



*** REQUESTED OPERATION IS COMPLETE, Bye! ***

then i extracted my firmware:

root@kursat-ubuntu:/home/kursat/air/BCMTOOLS/BcmFWmod17a/sourcecode# ./brfwmod -decomp -i AirTies_Air5021RU_FW_1.2.0.16_FullImage.bin /m:2 /notimestamp


===============================================================
   Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
           Supprot CFE nvram format (Broadcom rev.3)
===============================================================



============Decoding Tag Information=============
    Tag Ver signature   = '6'
    SIG1(comany info)   = 'Broadcom Corporatio'
    SIG2(FW version)    = 'ver. 2.0'
    Chip ID             = '6338'
    Board ID            = '96332CG'
    FW endianess        = Big Endian
    CFE loading at      = 0xBFC00000
    CFE length          = 0x0000FDCC
    RootFS loading at   = 0xBFC10100
    RootFS length       = 0x0014F000
    Kernel loading at   = 0xBFD5F100
    Kernel length       = 0x0008294F
    Total Image length  = 0x001E171B
=================================================

->Read image to buffer successful, 1971995 Bytes!
->Start unpacking the image ...
  ->writing TAG.BIN ...Done!
  ->writing CFE.BIN ...Done!
  ->writing ROOTFS.BIN ...Done!
  ->Writing KERNL.BIN ...Done!
->Done


*** REQUESTED OPERATION IS COMPLETE, Bye! ***


now i have the files, but i have to compress them. i didn't change anything in any of the files, just compressed them back.
(if you want to change rootfs, try agpftools' lzma-unsquash script )
http://repofulm.dyndns.org/index.php?dir=jackthevendicator/utils/&file=agpf_tools.tar.gz


root@kursat-ubuntu:/home/kursat/air/BCMTOOLS/BcmFWmod17a/sourcecode# ./brfwmod -comp -o newImage.bin /m:2 /noauxtoken /64K

===============================================================
   Broadcom ADSL FW Image De/Compress Utility v1.7a-hugebird
           Supprot CFE nvram format (Broadcom rev.3)
===============================================================



============Decoding Tag Information=============
    Tag Ver signature   = '6'
    SIG1(comany info)   = 'Broadcom Corporatio'
    SIG2(FW version)    = 'ver. 2.0'
    Chip ID             = '6338'
    Board ID            = '96332CG'
    FW endianess        = Big Endian
=================================================

->Start packing a new image
  ->CFE loading at      0xBFC00000, length 0x0000FDCC
  ->use Block Size : 0x00010000
  ->The CFE length considering as 0x0000FDCC
  ->RootFS loading at   0xBFC10100, length 0x0014F000, CRC32 = 0x64C1659D
  ->Kernel loading at   0xBFD5F100, length 0x0008294F, CRC32 = 0x7BDBAA03
  ->Image checksum.             CRC32 = 0xD7CD6807
  ->Tag checksum.               CRC32 = 0x0CE0A955
  ->writing Tag to new image...
  ->writing buffer to new image...
->Done


*** REQUESTED OPERATION IS COMPLETE, Bye! ***

i tried many combinations of parameters, but the firmware is always rejected by the router. i compared the bin files' hexdumps:
(this is the closest result I've got)

root@kursat-ubuntu:/home/kursat/air/BCMTOOLS/BcmFWmod17a/sourcecode# hexcompare AirTies_Air5021RU_FW_1.2.0.16_FullImage.bin newImage.bin
122974,122976c122974,122975
< 01e1810 9e06 4218 ed88 7db4 007f c800 ebb5 07f5
< 01e1820 e948 8d96 9a43 49a6 770a 008f         
< 01e182b
---
> 01e1810 9e06 4218 ed88 7db4 007f 0000         
> 01e181b


there are 16 bytes missing at the end of the compressed file. there must be a checksum or something. i tried most of the popular hash algorithms, but no result. so now i am stuck. if you make progress, please let me know how you have done it.

regards,

ps: a newer version of these tools can contain the checksum thing.
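
An added example, not part of the original post and not code from BcmFWmod or analyzetag: a small Python check of the image tag against the file it heads, mirroring the comparison made in the post above. The field widths and the 256-byte tag size are assumptions based on the brcm63xx imagetag layout; the sample image is constructed from the tag values printed in this thread, with zero-filled sections and a placeholder 16-byte trailer.

```python
TAG_LEN = 256  # assumed tag size; matches the 0x100 in the rootfs address
# Assumed layout of the leading tag fields (NUL-padded ASCII, numbers in decimal).
FIELDS = [("tag_version", 4), ("sig1", 20), ("sig2", 14), ("chip_id", 6),
          ("board_id", 16), ("big_endian", 2), ("total_len", 10),
          ("cfe_addr", 12), ("cfe_len", 10), ("rootfs_addr", 12),
          ("rootfs_len", 10), ("kernel_addr", 12), ("kernel_len", 10)]
NUMERIC = {name for name, _ in FIELDS if name.endswith(("_len", "_addr"))}

def parse_tag(image):
    """Decode the leading tag fields into a dict."""
    if len(image) < TAG_LEN:
        raise ValueError("file shorter than one image tag")
    tag, pos = {}, 0
    for name, width in FIELDS:
        text = image[pos:pos + width].split(b"\0", 1)[0].decode("ascii")
        tag[name] = int(text or "0") if name in NUMERIC else text
        pos += width
    return tag

def check_layout(image, block=0x10000):
    """Cross-check the tag against itself and against the file size."""
    t = parse_tag(image)
    off, sections = TAG_LEN, {}
    for name in ("cfe", "rootfs", "kernel"):   # order of sections in the file
        sections[name] = (off, t[name + "_len"])
        off += t[name + "_len"]
    cfe_span = -(-t["cfe_len"] // block) * block  # CFE rounded up to flash blocks
    return {
        "sections": sections,
        "lengths_sum_ok": off - TAG_LEN == t["total_len"],
        "rootfs_addr_ok": t["rootfs_addr"] == t["cfe_addr"] + cfe_span + TAG_LEN,
        "kernel_addr_ok": t["kernel_addr"] == t["rootfs_addr"] + t["rootfs_len"],
        # bytes in the file that the tag's lengths do not account for
        "trailing": len(image) - (TAG_LEN + t["total_len"]),
    }

def build_sample(trailer=16):
    """Constructed image: tag values from the thread, zeroed sections."""
    values = ["6", "Broadcom Corporatio", "ver. 2.0", "6338", "96332CG", "1",
              1971995, 0xBFC00000, 0xFDCC, 0xBFC10100, 0x14F000,
              0xBFD5F100, 0x8294F]
    tag = b"".join(str(v).encode().ljust(w, b"\0")
                   for v, (_, w) in zip(values, FIELDS))
    return tag.ljust(TAG_LEN, b"\0") + bytes(1971995) + b"\xAA" * trailer

if __name__ == "__main__":
    print(check_layout(build_sample()))
```

On a real image, a positive `trailing` count means the file carries data that the tag's lengths do not describe, so a repack built only from the tag's sections comes out shorter than the original.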

Re: BCM6338 - extract firmware image

hi you guys have a copy of BcmFWmod to stevie_t72 at yahoo dot com dot au

Cheers

Re: BCM6338 - extract firmware image

Hi
Steve, did u email me for the  tools?.

Re: BCM6338 - extract firmware image

rahan32@hotmail.com wrote:

Hi
Steve, did u email me for the  tools?.

Thanks rahan, worked great

Re: BCM6338 - extract firmware image

Hi, can I have another copy?
crrdschbl [at] gmail [dot] com

Thanks!
Hey, this same thread is the first result when looking for this tool!

16 (edited by rahan32@hotmail.com 2011-12-05 15:21:21)

Re: BCM6338 - extract firmware image

Hello all



        Here's the link to Broadcom firmware tool. http://www.megafileupload.com/en/file/334083/BCMTOOLS-rar.html



Re: BCM6338 - extract firmware image

Thank you rahan! Working with it.

Re: BCM6338 - extract firmware image

can we get a copy of the tools posted on megashares.com please.

Re: BCM6338 - extract firmware image

Please provide ur email id,if u need the tool.
Regard

Re: BCM6338 - extract firmware image

Hi, can i have the code tools for BCM96358, thanks
my box is pcluiton [at] gmail [doth] com

Re: BCM6338 - extract firmware image

Hi, can i have the code tools too?
my email address is pdflush [at] gmail [dot] com

Very thanks!

Re: BCM6338 - extract firmware image

Hi guys


         Please post ur email id, if u need bcmtools. I'm having trouble sending mails to gmail ids. post alternate mail id instead.

Re: BCM6338 - extract firmware image

please send it to gpkumaran@rediffmail.com

Re: BCM6338 - extract firmware image

Hi! Can you please send bcmtools to me on captainbollocks at gmail dot com
humble thankfuls.

Re: BCM6338 - extract firmware image

hello everybody, I, too, would be very thankful if someone could send me the bcm-tools. my email is mustermahn at gmx dot net
thank you in advance!