OpenWrt Forum Archive

Topic: Comtrend CT-5072T

The content of this topic has been archived on 30 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all.
My ISP just upgraded all our ADSL modems and I noticed the new modem is running linux.
EDIT: I did manage to find the source code http://download.comtrend.com/AR-5062-B0 … ase.tar.gz. Looking over it now.
UPDATE: The source code archive on their website is corrupt. -_- Emailed them.
I can log in via ssh or telnet to a limited menu but can escape to a shell with something like "ping ; sh" or "route ; sh".

> help

?
help
logout
reboot
adsl
atm
ddns
dumpcfg
ifconfig
ping
siproxd
sntp
sysinfo
tftp
version
build
traceroute
save_default

> version
B031-312CTU-C03_R03.A2pB030a.d22k

> build
Build Time: May  5 2010 16:52:21

I'd like to possibly get OpenWrt going on here but I really want to back up my firmware first.
Unfortunately, I can't find a way to do so.
I can try "cat /dev/mtdblock0 > /var/flash.bin" but then I have no way of retrieving flash.bin.
There is an httpd running and serving from /webs but it's read-only so I can't use that. hmm
There is a limited tftp command that will only send/receive config data or receive (only) a firmware image.
There is also an ftp server that I can't login to and appears to only be for firmware upgrades.

It looks like the flash chip is MX25L3205 (http://pdf1.alldatasheet.com/datasheet- … 3205D.html).
There is also a 4-pin connector on the board, not sure what it is.
Any clues on what it is?

What is the easiest way to back up my firmware?

The chips I can see are:
BROADCOM BCM6332KFBG
Mezza Z2V28S40BTP-G7
MX25L3205
nova(?) MT0782

Here's dmesg/etc output:

# echo /*
/bin /dev /etc /lib /linuxrc /mnt /proc /sbin /usr /var /webs

# mount
/dev/mtdblock0 on / type squashfs (ro)
/proc on /proc type proc (rw,nodiratime)
tmpfs on /var type tmpfs (rw)
tmpfs on /mnt type tmpfs (rw)

# cat /proc/cpuinfo
system type        : 96332AT-122
processor        : 0
cpu model        : BCM6338 V1.0
BogoMIPS        : 239.20
wait instruction    : no
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : yes
hardware watchpoint    : no
unaligned access        : 33641
VCED exceptions        : not available
VCEI exceptions        : not available

# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
10 misc
108 ppp
205 atmapi
206 bcrmboard
208 adsl
212 bcm

Block devices:
31 mtdblock

# cat /proc/interrupts
           CPU0       
  0:          0            MIPS  brcm_0
  7:     121145            MIPS  timer
10:         31            MIPS  brcm_10
12:          0            MIPS  brcm_12
13:       1096            MIPS  brcm_13
14:          0            MIPS  brcm_14
17:          1            MIPS  brcm_17
23:       2561            MIPS  brcm_23

ERR:          0

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00231000 00001000 "Physically mapped flash"

# dmesg
Linux version 2.6.8.1 (camille@broadcom_int) (gcc version 3.4.2) #1 Wed May 5 16:50:23 CST 2010
Serial flash device: name MX25L3205D, id 0xc216, size 4096KB
96332AT-122 prom init
CPU revision is: 00029010
Determined physical RAM map:
memory: 00fa0000 @ 00000000 (usable)
On node 0 totalpages: 4000
  DMA zone: 4000 pages, LIFO batch:1
  Normal zone: 0 pages, LIFO batch:1
  HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
brcm mips: enabling icache and dcache...
Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 8kB 2-way, linesize 16 bytes.
PID hash table entries: 64 (order 6: 512 bytes)
Using 120.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 13952k/16000k available (1416k kernel code, 2028k reserved, 203k data, 68k init, 0k highmem)
KLOB Pool 1 Initialized: 1048576 bytes <0x80e00000 ... 0x80f00000>
Calibrating delay loop... 239.20 BogoMIPS
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Checking for 'wait' instruction...  unavailable.
NET: Registered protocol family 16
Total Flash size: 4096K with 1024 sectors
File system address: 0xbfc10100
Can't analyze prologue code at 80170c54
Initializing Cryptographic API
PPP generic driver version 2.4.2
NET: Registered protocol family 24
Using noop io scheduler
bcm963xx_mtd driver v1.0
brcmboard: brcm_board_init entry
Invalid External Interrupt definition
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 68k freed
Algorithmics/MIPS FPU Emulator v1.5
atmapi: module license 'Proprietary' taints kernel.
adsl: adsl_init entry
blaadd: blaa_detect entry
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6338A2 Ethernet Network Device v0.3 May  5 2010 16:49:18
Config Internal PHY Through MDIO
BCM63xx_ENET: 100 MB Full-Duplex (auto-neg)
eth0: MAC Address: 64:68:0C:E1:D6:CA
eth0 Link UP.
BcmAdsl_Initialize=0xC00707D8, g_pFnNotifyCallback=0xC00929E4
pSdramPHY=0xA0FFFFF8, 0x11CDDF 0xDEADBEEF
AdslCoreSharedMemInit: shareMemAvailable=2080
AdslCoreHwReset:  AdslOemDataAddr = 0xA0FF4C24
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
ATM proc init !!!
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (125 buckets, 0 max) - 384 bytes per conntrack
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
ip_ct_h323: init success
ip_nat_h323: init success
BRCM NAT Caching v1.0 Nov 20 2007 10:22:27
BRCM NAT Cache: Hooking hit function @ c0061088
ip_conntrack_rtsp v0.01 loading
ip_nat_rtsp v0.01 loading
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state

Pics:
https://lh6.googleusercontent.com/-uKDkGQEX6rU/TgDY0rProMI/AAAAAAAAAKA/JTMUPpG6Xxc/s288/IMG_6829.JPG
https://lh3.googleusercontent.com/-s2KlBjH7XzM/TgDZPhNA0UI/AAAAAAAAAJU/kEhkjrTrx24/s288/IMG_6830.JPG
https://lh3.googleusercontent.com/-ZQscmsAgykw/TgDZRqpMr5I/AAAAAAAAAJY/hRcj9q4jugs/s288/IMG_6836.JPG
https://lh4.googleusercontent.com/-nTFFTogJuuE/TgDZa61cVfI/AAAAAAAAAJc/ukPWuNSRxMg/s288/IMG_6837.JPG
https://lh6.googleusercontent.com/-3hDVpUZMcZ0/TgDZwhnz68I/AAAAAAAAAJg/JcI_5AgnR38/s288/IMG_6838.JPG
https://lh6.googleusercontent.com/-GhLjRyrcPDU/TgDZxJBdKSI/AAAAAAAAAJk/jIakeLIuSMY/s288/IMG_6839.JPG
https://lh3.googleusercontent.com/-OMP8dQEJ2s0/TgDZ6wiTUZI/AAAAAAAAAJo/NDRc6eUJnnA/s288/IMG_6841.JPG
https://lh5.googleusercontent.com/-SK7C4_TNYdI/TgDaIYDzJvI/AAAAAAAAAJ4/-74MeQ1NXqg/s288/IMG_6809.JPG

(Last edited by dewyatt on 21 Jun 2011, 20:07)

It was indeed a serial console.
Boot output:

1.0.37-12.2-6 for BCM96338 (32bit,SP,BE)
Build Date: Fri Apr 24 10:23:24 CST 2009 (root@rd4-linux)
Copyright (C) 2000-2006 Broadcom Corporation.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Serial flash device: name MX25L3205D, id 0xc216, size 4096KB
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
CPU type 0x29010: 240MHz
Total memory: 16777216 bytes (16MB)

Total memory used by CFE:  0x80401000 - 0x80528860 (1210464)
Initialized Data:          0x8041DB50 - 0x80420080 (9520)
BSS Area:                  0x80420080 - 0x80426860 (26592)
Local Heap:                0x80426860 - 0x80526860 (1048576)
Stack Area:                0x80526860 - 0x80528860 (8192)
Text (code) segment:       0x80401000 - 0x8041DB48 (117576)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                  : 192.168.1.1:ffffff00 
Host IP address                   : 192.168.1.100 
Gateway IP address                :   
Run from flash/host (f/h)         : f 
Default host run file name        : vmlinux 
Default host flash file name      : bcm963xx_fs_kernel 
Boot delay (0-9 seconds)          : 1 
Board Id (0-11)                   : 96332AT-122 
Number of MAC Addresses (1-32)    : 11 
Base MAC Address                  : 64:68:0c:e1:d6:ca 
PSI Size (1-64) KBytes            : 24 
Serial Number                     : 10C5062XXXF-AG005993 

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 110
Booting from only image (0xbfc10000) ...
Code Address: 0x80010000, Entry Address: 0x801a6018
Decompression OK!
Entry at 0x801a6018
Closing network.
Starting program at 0x801a6018
Linux version 2.6.8.1 (camille@broadcom_int) (gcc version 3.4.2) #1 Wed May 5 16:50:23 CST 2010

Serial flash device: name MX25L3205D, id 0xc216, size 4096KB

96332AT-122 prom init

CPU revision is: 00029010

Determined physical RAM map:

memory: 00fa0000 @ 00000000 (usable)

On node 0 totalpages: 4000

  DMA zone: 4000 pages, LIFO batch:1

  Normal zone: 0 pages, LIFO batch:1

  HighMem zone: 0 pages, LIFO batch:1

Built 1 zonelists

Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200

brcm mips: enabling icache and dcache...

Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.

Primary data cache 8kB 2-way, linesize 16 bytes.

PID hash table entries: 64 (order 6: 512 bytes)

Using 120.000 MHz high precision timer.

Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)

Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)

Memory: 13952k/16000k available (1416k kernel code, 2028k reserved, 203k data, 68k init, 0k highmem)

KLOB Pool 1 Initialized: 1048576 bytes <0x80e00000 ... 0x80f00000>

Calibrating delay loop... 239.20 BogoMIPS

Mount-cache hash table entries: 512 (order: 0, 4096 bytes)

Checking for 'wait' instruction...  unavailable.

NET: Registered protocol family 16

Total Flash size: 4096K with 1024 sectors

File system address: 0xbfc10100

Can't analyze prologue code at 80170c54

Initializing Cryptographic API

PPP generic driver version 2.4.2

NET: Registered protocol family 24

Using noop io scheduler

bcm963xx_mtd driver v1.0

brcmboard: brcm_board_init entry

Invalid External Interrupt definition

Serial: BCM63XX driver $Revision: 3.00 $

ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX

NET: Registered protocol family 2

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 512 bind 1024)

Initializing IPsec netlink socket

NET: Registered protocol family 1

NET: Registered protocol family 17

NET: Registered protocol family 15

Ebtables v2.0 registered

NET: Registered protocol family 8

NET: Registered protocol family 20

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

VFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 68k freed


init started:  BusyBox v1.00 (2010.05.05-08:56+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5



BusyBox v1.00 (2010.05.05-08:56+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.


Loading drivers and kernel modules...

atmapi: module license 'Proprietary' taints kernel.

adsl: adsl_init entry

blaadd: blaa_detect entry

Broadcom BCMPROCFS v1.0 initialized

Broadcom BCM6338A2 Ethernet Network Device v0.3 May  5 2010 16:49:18

Config Internal PHY Through MDIO

BCM63xx_ENET: Auto-negotiation timed-out

BCM63xx_ENET: 10 MB Half-Duplex (assumed)

eth0: MAC Address: 64:68:0C:E1:D6:CA

insmod: cannot insert `/lib/modules/2.6.8.1/extra/bcm_enet.ko': Success (17): Success
BcmAdsl_Initialize=0xC00707D8, g_pFnNotifyCallback=0xC00929E4

pSdramPHY=0xA0FFFFF8, 0x1410 0x80011202

AdslCoreSharedMemInit: shareMemAvailable=2080

AdslCoreHwReset:  AdslOemDataAddr = 0xA0FF4C24

dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered

ATM proc init !!!

ip_tables: (C) 2000-2002 Netfilter core team

ip_conntrack version 2.1 (125 buckets, 0 max) - 384 bytes per conntrack

ip_conntrack_pptp version 2.1 loaded

ip_nat_pptp version 2.0 loaded

ip_ct_h323: init success

ip_nat_h323: init success

BRCM NAT Caching v1.0 Nov 20 2007 10:22:27

BRCM NAT Cache: Hooking hit function @ c0061088

ip_conntrack_rtsp v0.01 loading

ip_nat_rtsp v0.01 loading


==>   Comtrend Router Software Version: B031-312CTU-C03_R03   <==

app: configure ethernet speed failed.
device eth0 entered promiscuous mode

br0: port 1(eth0) entering learning state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state


glbDnsRelDhcpEnable=FALSE
Starting BcmNtwk_startDefDhcpSrv with leasedTime=60
dns1=192.168.0.1, dns2=192.168.0.1
ifconfig eth0 Link down
br0: port 1(eth0) entering disabled state

ifconfig eth0 Link up
br0: port 1(eth0) entering learning state

br0: topology change detected, propagating

br0: port 1(eth0) entering forwarding state

br0: port 1(eth0) entering disabled state

I still don't see any way of backing up the firmware. Anyone have any ideas?

P.S: Can anyone else confirm that the source code archive from Comtrend is corrupt? http://download.comtrend.com/AR-5062-B0 … ase.tar.gz

dewyatt wrote:

It was indeed a serial console.

Well spotted! Any sign of a JTAG connector?

dewyatt wrote:

Boot output:

1.0.37-12.2-6 for BCM96338 (32bit,SP,BE)
Build Date: Fri Apr 24 10:23:24 CST 2009 (root@rd4-linux)
Copyright (C) 2000-2006 Broadcom Corporation.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Serial flash device: name MX25L3205D, id 0xc216, size 4096KB
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
CPU type 0x29010: 240MHz
Total memory: 16777216 bytes (16MB)

Total memory used by CFE:  0x80401000 - 0x80528860 (1210464)
Initialized Data:          0x8041DB50 - 0x80420080 (9520)
BSS Area:                  0x80420080 - 0x80426860 (26592)
Local Heap:                0x80426860 - 0x80526860 (1048576)
Stack Area:                0x80526860 - 0x80528860 (8192)
Text (code) segment:       0x80401000 - 0x8041DB48 (117576)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000

Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id (0-11)                   : 96332AT-122  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : 64:68:0c:e1:d6:ca  
PSI Size (1-64) KBytes            : 24  
Serial Number                     : 10C5062XXXF-AG005993  

*** Press any key to stop auto run (1 seconds) ***

I still don't see any way of backing up the firmware. Anyone have any ideas?

You should be able to interrupt the CFE bootloader before it boots the Linux kernel.  At that point, typing help will present you with a menu like this:

CFE> 
CFE> help
Available commands:

sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash 
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>

You can use the dm (dump memory) command in the bootloader to back up your flash.

The bootloader in your device reports all the information you need to do the backup...

Boot Address 0xbfc00000
Serial flash device: name MX25L3205D, id 0xc216, size 4096KB

So the parameters for the dm command will be:

CFE> dm bfc00000 4194304

Start the 'log to file' function on your terminal emulator, and capture the flash dump, which is in hex, and will look like this.

CFE> dm bfc00000 4194304
bfc00000: 10 00 02 7a 00 00 00 00 00 00 00 00 00 00 00 00    ...z............
bfc00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
bfc00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
bfc00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................

It takes about half an hour to hexdump the contents of a 4MB flash over a 115200bps serial connection.

Remember to close your capture log when it's done ;-)

Tidy up the hex with a text editor to remove everything but the hexdump lines.

Then use the xxd tool to 'reverse' the hexdump back to a binary.

xxd doesn't like that memory address column; it's expecting offsets there instead, so you have to 'cut' down the column with:

 $ cut -b3- flashdump.txt | xxd -r > flashdump.bin

And that should be a byte-perfect dump of your flash memory contents.

Do a couple of dumps and cmp the two images, just to make sure it's pukka.

Now you can use the available tools to dismantle the Broadcom firmware into its various components (CFE bootloader, 256 byte header tag, root filesystem, kernel, and the NVR region).

cheers,
asbokid

P.S. Don't forget to make the flash dump available to other firmware hackers!
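
A stricter alternative to the text-editor cleanup and cut/xxd step in the post above, as an added example that is not part of the original thread. It assumes the `dm` row format shown in the post, rebases each address against the boot address so the image starts at offset 0, and fails on a dropped or repeated row; `parse_dm_capture`, `sha256_hex` and `SAMPLE` are hypothetical names, and the sample log is constructed.

```python
import hashlib
import re

# One CFE 'dm' row: 8-digit address, colon, up to 16 hex bytes, ASCII column.
DM_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s{2,}.*)?$")


def parse_dm_capture(text, base=0xBFC00000, expected_size=None):
    """Rebuild the flash image from a terminal log of 'dm <base> <length>'.

    Lines that are not hexdump rows (prompt, echoed command, status) are
    skipped. Each row's address must follow the previous row exactly, so a row
    lost or repeated on the serial link raises ValueError instead of silently
    shifting the rest of the image.
    """
    image = bytearray()
    for lineno, raw in enumerate(text.split("\n"), 1):
        m = DM_LINE.match(raw.rstrip())
        if m is None:
            continue
        addr = int(m.group(1), 16)
        expected = base + len(image)
        if addr != expected:
            raise ValueError(
                f"line {lineno}: expected address {expected:08x}, got {addr:08x}")
        image += bytes.fromhex(m.group(2).replace(" ", ""))
    if expected_size is not None and len(image) != expected_size:
        raise ValueError(f"got {len(image)} bytes, expected {expected_size}")
    return bytes(image)


def sha256_hex(image):
    """Digest for comparing two independent captures of the same flash."""
    return hashlib.sha256(image).hexdigest()


# Constructed sample log: the four rows quoted in the post, with a shortened
# length argument and the prompt/status lines a terminal log would also contain.
SAMPLE = """CFE> dm bfc00000 64
bfc00000: 10 00 02 7a 00 00 00 00 00 00 00 00 00 00 00 00    ...z............
bfc00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
bfc00020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
bfc00030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
*** command status = 0
CFE>
"""

if __name__ == "__main__":
    img = parse_dm_capture(SAMPLE, expected_size=64)
    print(len(img), "bytes, sha256", sha256_hex(img))
```

For the full dump in the post, pass `expected_size=4194304` and compare the digests of two separate captures.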

asbokid wrote:

Well spotted! Any sign of a JTAG connector?

Thanks for the response!
I don't see any but I'm not experienced.
Looking back at my pictures I can't spot anything that looks like a JTAG.

asbokid wrote:

You should be able to interrupt the CFE bootloader before it boots the Linux kernel.  At that point, typing help will present you with a menu like this:

Unfortunately, I don't have all the options you have in my CFE menu:

CFE> help
Available commands:

w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash 
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>

I also tried the dm command anyway but of course it didn't work (invalid command).
So I still don't have any way to back up my firmware. sad

(Last edited by dewyatt on 21 Jul 2011, 18:36)

Hey, any progress here? I have the same board. I know it has been a long time. Please post an update on progress if you have any.

The discussion might have continued from here.