Hello,
(EDIT : topic moved to the right section)
I am trying to run OpenWrt on this router: http://www.teldat.fr/fr/bintec-RS353aw-845.html
- CPU: VRX288 v1.2 (PSB 80920 EL) @500MHz
- RAM: 128 MiB
- Flash: 32 MiB (AMD/Spansion S29GL256FLT2I)
- 5 Ethernet ports (2xPHY11G and 3xPEF7071)
- Wireless: Atheros AR9300 Rev:4
- xDSL modem (ADSL2/VDSL VRX208)
- 1 USB 2.0 host port
- 1 UART port (accessible via front USB device port)
- 1 JTAG header (standard 14-pin MIPS)
- Power supply: 230V socket on back.
- Power / Status / DSL / WLAN / USB LEDs
- Function and reset buttons.
- i2c bus: S-35390A real time clock.
Bootloader: proprietary bootmon.
OS: proprietary OS "BOSS".
Boot log:
### RS353aw (Hardware-Rev. 1.0, Firmware-Rev. 1.1) ###
CPU Check ... passed (MIPS 34KEc [MT] @ 500/250.0 MHz)
SDRAM Check ................................................................................................................................. passed (128 MByte)
FLASH Check passed (32 MByte)
### Selftest passed ###
Press <sp> for boot monitor or any other key to boot system
Booting Image from Flash ROM
Checking image ... OK
Writing image to RAM (Release 10.1.9.106) ........................................................................................................................................................................................................................................................................................................................................................................................................................................................ OK (16385316 bytes)
Booting BOSS...
boss image started at 0x2d6a0
BOSS MIPS kernel v2.0 (RS353aw)
Copyright (c) 1996-2015 by bintec elmeg GmbH
Version V.10.1 Rev. 9 (Patch 6) IPv6, IPSec from 2016/07/21 00:00:00
The system is coming up.
Speed index... 332.80 MIPS
Collecting Entropy........................................
Installed modules:
Slot: BoardId SerialNo
0: SYS-VRX OK
1: GETH5 OK
3: VDSL OK
6: USB2 OK
7: WLAN-ATH OK
InstallModules = 0x5
The system is ready.
AUTOEXEC:
1 date Wed Oct 26 20:41:15 2016 done
1 configd SystemId: RN7Fxxxxxxxxxxx Cfg: (default) done
4 dslvrxd background
5 sysconfigd background
5 usbd background
9 comd background
10 isdnd background
11 isdnautocf background
19 ethoad background
19 pppoad background
19 rpoad background
50 brd background
50 ipd background
50 natproxyd background
51 telnetd background
51 alertd background
51 telnetd6 background
51 stfd background
51 snmpd background
52 httpd background
52 syslogd background
68 pppoed background
69 itpd background
69 tud background
70 routed background
70 pppd background
70 radiusd background
70 tacacspd background
70 gremprd background
70 l2tpd background
90 timed background
97 dnsd background
97 alived background
97 scheduled background
97 watchd background
99 vectoringd background
99 authd background
99 supplicantd background
99 vcapid background
99 ddnsd background
99 bootpd background
BOOTP: creating ipRouteTableEntry
BOOTP: Dest=192.168.0.0 IfIndex=1000000
BOOTP: NextHop=192.168.0.254 Mask=255.255.255.0
99 resolvd background
99 pingd background
99 scfgmgrd background
99 stunneld background
99 serviced background
99 dhcp6d background
99 ipsecd background
99 isdnlogind background
99 sshd background
99 httpproxyd background
99 traced background
99 upnpd background
99 capwapd background
99 caad background
99 wtpd background
99 tr069d background
Welcome to RS353aw version V.10.1 Rev. 9 (Patch 6) IPv6, IPSec from 2016/07/21 00:00:00
systemname is rs353aw, location
Login:
Pressing the space key lets you enter the bootmonitor menu:
Press <sp> for boot monitor or any other key to boot system
RS353aw Bootmonitor V.1.0 from 2013/10/31 00:00:00
Copyright (c) 1996-2013 by Bintec Elmeg GmbH
(1) Boot System
(2) Software Update via TFTP
(3) Software Update via XMODEM
(4) Delete Configuration
(5) Default Bootmonitor Parameters
(6) Show System Information
Your Choice>
From this menu you can do some basic actions such as deleting the configuration or upgrading the firmware. At this point, I first downloaded the firmware update file from the manufacturer's website. You can flash this file from the web GUI or via TFTP. Basically, this file is a micro updater OS (named BLUP), with some embedded files.
TFTP upgrade process (the most interesting one, as it allows booting directly from RAM):
RS353aw Bootmonitor V.1.0 from 2013/10/31 00:00:00
Copyright (c) 1996-2013 by Bintec Elmeg GmbH
(1) Boot System
(2) Software Update via TFTP
(3) Software Update via XMODEM
(4) Delete Configuration
(5) Default Bootmonitor Parameters
(6) Show System Information
Your Choice> 2
Enter local IP address [192.168.2.1]:
Enter IP address of TFTP server [192.168.2.2]:
Enter file name of image [test1.cev]: test.cev
Are your entries correct (y or n) ? y
Starting file transfer ................................................................................................................................................................................................................................................................................................................OK (9663748 bytes received)
Checking new image ... OK
Your current software release is 10.1.9.106.
Loaded new image has release 1.0.
Now choose from the following:
(u) Update Flash ROM
(r) Write image to RAM and start it
(e) Exit
Enter (u, r or e): r
Booting BOSS...
boss image started at 0x5fb0034
RS353aw BLUP V.(SRC) from Sep 25 2013 15:40:16
Copyright (c) 1996-2013 by Bintec Elmeg GmbH
List of files in this update (len 9503948):
Version Length Name
10.1.9.106 6358675 Boss
10.1.9.106 1771126 webpages.ez
10.1.9.106 1308477 text_ger.ez
1.1 65664 GPHY_CPR
Proceed with update (y or n) ? y
*** Don't power-off your router while the update takes place ***
Updating Boss
New software release is 10.1.9.106
Erasing Flash-ROM ................................................. OK
Writing Flash-ROM ................................................. OK
Verify Flash-ROM ................................................. OK
Updating webpages.ez
skipped, already in flash
Updating text_ger.ez
skipped, already in flash
Updating GPHY_CPR
skipped, already in flash
Blup update successful.
Rebooting...
As you can see, it downloads the file and starts it. The entry point seems to be 0x5fb0034.
If you try to alter the upgrade file, it says "incorrect CRC", but it also tells you the correct CRC.
Here is the beginning of the upgrade file:
00000000 54 45 4C 44 41 54 20 43 6C 6F 73 65 64 45 79 65 TELDAT ClosedEye
00000010 56 69 73 75 61 6C 00 00 01 00 00 01 00 00 00 00 Visual..........
00000020 00 02 70 00 00 02 70 00 00 00 00 00 EC B8 D4 64 ..p...p........d
00000030 EC B8 D4 64 10 00 00 0A 00 00 00 00 43 45 56 00 ...d........CEV.
00000040 04 00 04 20 00 00 00 00 00 01 A6 20 00 01 B0 00 ... ....... ....
00000050 00 01 B6 50 00 02 70 00 00 01 55 90 00 01 A3 90 ...P..p...U.....
00000060 04 11 00 01 00 00 00 00 3C 08 00 01 25 08 2C 94 ........<...%.,.
00000070 3C 09 00 00 25 29 00 34 01 09 40 23 01 1F 40 21 <...%).4..@#..@!
00000080 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
You can find:
- Magic string at the beginning "TELDAT ClosedEyeVisual"
- The BLUP image length in bytes, 00027000 (159744 bytes). The CRC is calculated over this area.
- First image CRC EC B8 D4 64 at offset 2C
- Second image CRC (which is the same) at offset 30
- Beginning of the BLUP upgrader at offset 34.
- Magic string "CEV" of BLUP at offset 3C
While downloading the firmware, the device checks if the CRC is correct. Then, it verifies that the image is valid (by checking the presence of the "CEV" magic). Finally, it writes the entire image to RAM at address 0x05fb0000. At this point, you can see the first execution begins at 0x05fb0034. If you go to offset 34, you can see the ASM instruction 1000000A, which is a jump to offset 0x3E (0A+34). This avoids executing the magic string (CEV) and crashing.
For testing purposes, you can run the following commands:
$ dd if=update.cev of=image bs=1 skip=52 count=159744
159744+0 enregistrements lus
159744+0 enregistrements écrits
159744 bytes (160 kB, 156 KiB) copied, 0,190313 s, 839 kB/s
$ crc32 image
ecb8d464
You can see the CRC is correct.
To execute my own code, I have to put it somewhere after the magic string and modify the jump instruction. For simplicity, I chose to put the new code at offset 0x40.
First, I cut the upgrade file to keep only the first 64 bytes. This is done with dd.
dd if=upgrade.cev of=header.cev bs=64 count=1
Then, with a hex editor, modify the jump at offset 34 to jump to offset 40:
10 00 00 02 00 00 00 00 43 45 56 00
Then, simply concatenate your code with cat:
cat header.cev mycode.bin > newimage.cev
At this point, you have a good image, but with an incorrect CRC. To obtain the correct CRC, you just have to download this image to the router with TFTP, and it will tell you the right CRC. Copy/paste it into your image using a hex editor.
Checking new image ... failed: CRC-error (0x042b49b7 <> 0xd90a573a)
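The header layout from the hex dump and the CRC check described above, as an added Python example (not code from the original post): it parses the CEV fields, recomputes the CRC-32 over the body the same way the `crc32` command does, and builds a header for a given body so the CRC can be filled in locally instead of reading it back from the router. The offset of the length field (0x20) is my reading of the dump, and the sample body is constructed.

```python
import struct
import zlib

# Offsets read from the hex dump in the post. LEN_OFF is my reading of the
# dump (the post gives the length value but not its offset).
CEV_MAGIC = b"TELDAT ClosedEyeVisual"
LEN_OFF, CRC1_OFF, CRC2_OFF = 0x20, 0x2C, 0x30
BODY_OFF = 0x34                      # BLUP code starts here; the CRC covers from here
BLUP_MAGIC, BLUP_MAGIC_OFF = b"CEV\x00", 0x3C

def parse_cev(data: bytes) -> dict:
    """Parse a CEV header and recompute the CRC-32 the bootmonitor checks.

    A matching CRC only shows the body was not corrupted in transit; there is
    no signature in this header, so it says nothing about who built the image.
    """
    if not data.startswith(CEV_MAGIC):
        raise ValueError("bad CEV magic")
    (length,) = struct.unpack_from(">I", data, LEN_OFF)
    crc1, crc2 = struct.unpack_from(">II", data, CRC1_OFF)
    body = data[BODY_OFF:BODY_OFF + length]
    if len(body) != length:
        raise ValueError(f"truncated: header says {length} bytes, only {len(body)} present")
    computed = zlib.crc32(body) & 0xFFFFFFFF   # same CRC-32 the `crc32` tool prints
    return {
        "length": length,
        "header_crc": crc1,
        "computed_crc": computed,
        "crc_fields_agree": crc1 == crc2,
        "crc_ok": computed == crc1 == crc2,
        "blup_magic_ok": data[BLUP_MAGIC_OFF:BLUP_MAGIC_OFF + 4] == BLUP_MAGIC,
    }

def build_cev(body: bytes) -> bytes:
    """Prepend a CEV header (length and both CRC fields filled in) to a body
    that carries 'CEV\\0' at its own offset 8, i.e. file offset 0x3C."""
    crc = zlib.crc32(body) & 0xFFFFFFFF
    hdr = CEV_MAGIC + b"\x00\x00"                        # 0x00..0x17
    hdr += bytes.fromhex("01000001") + b"\x00" * 4        # 0x18..0x1F, copied from the dump
    hdr += struct.pack(">III", len(body), len(body), 0)   # 0x20..0x2B
    hdr += struct.pack(">II", crc, crc)                   # 0x2C..0x33
    assert len(hdr) == BODY_OFF
    return hdr + body

# Constructed sample body: the branch + delay-slot nop from the dump, the "CEV"
# magic, then filler bytes standing in for code.
SAMPLE_BODY = bytes.fromhex("1000000A 00000000") + BLUP_MAGIC + bytes(range(1, 25))
SAMPLE_IMAGE = build_cev(SAMPLE_BODY)
```

Run `parse_cev` on a real update file read in binary mode to confirm the `computed_crc` equals the value at offset 2C; on a tampered file the two differ, which is the same mismatch the bootmonitor reports as a CRC-error.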
I compiled U-Boot after changing TEXT_START to offset 0x05FB0040 (I will explain how to do that) and tried to boot it. See next post.
(Last edited by sebtx on 14 Nov 2016, 21:44)