OpenWrt Forum Archive

Topic: Create a custom CFE for BCM6358 + BCM5325

The content of this topic has been archived between 14 Apr 2018 and 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

danitool wrote:

I don't remember the behavior of this CFE. Probably restoring the default IP for CFE was done to ensure you could always have the default IP available, for cases where you forgot the custom IP, or if the device is being configured by another owner.

Yes, this is probably good behaviour for CFE, but I modified the source code, and now holding the RESET button for 6 seconds while powering on the router only causes a break into CFE :)
In file: cfe_bcm63xx/cfe/cfe/arch/mips/board/bcm63xx_ram/src/bcm63xx_devs.c
you simply need to change the value of nInitPsiDelay to something greater than 2, e.g. 30:

    const int nInitPsiDelay = 30;
    const int nBreakIntoCfeDelay = 5; //roy

Now it only breaks into CFE, without a reset to factory defaults:

CFE version 1.0.37-6.4 for BCM96358 (32bit,SP,BE)
Build Date: Wed Dec  7 02:54:07 CET 2016 (root@debian)
Copyright (C) 2016

Boot Address 0xbe000000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB

Now initializing the switch......done

CPU type 0x2A010: 300MHz, Bus: 133MHz, Ref: 64MHz
Total memory: 67108864 bytes (64MB)

Total memory used by CFE:  0x80401000 - 0x80528A20 (1210912)
Initialized Data:          0x8041DB00 - 0x80420120 (9760)
BSS Area:                  0x80420120 - 0x80426A20 (26880)
Local Heap:                0x80426A20 - 0x80526A20 (1048576)
Stack Area:                0x80526A20 - 0x80528A20 (8192)
Text (code) segment:       0x80401000 - 0x8041DB00 (117504)
Boot area (physical):      0x00529000 - 0x00569000
Relocation Factor:         I:00000000 - D:00000000


*** Break into CFE console ***

Board IP address                  : 192.168.xxx.xxx:ffffff00
Host IP address                   : 192.168.xxx.xxx
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Board Id Name                     : HW553
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 4
Base MAC Address                  : 00:24:89:46:df:22
Ethernet PHY Type                 : Internal
Memory size in MB                 : 64
CMT Thread Number                 : 1

web info: Waiting for connection on socket 0.
CFE>

Changes:

  • RESET during power-on only causes a break into CFE

  • fixed blue POWER LED while running CFE, like in OpenWrt

cfe6358_07122016.zip - token without NVRAM

(Last edited by Gelip on 9 Dec 2016, 17:42)

danitool wrote:

You're totally right, the Broadcom token utility provides a way to make a flashable image for offset 0x0, where the bootloader lives. However, when flashing, does the CFE take the previous config from the NVRAM? IIRC the answer is no. Unless you embedded the NVRAM in the CFE you built, it will keep waiting for a new configuration, and from the point of view of a user without a UART serial adapter this is like a brick.

Another way to flash CFE while keeping the previous NVRAM config on the router is to make a dummy firmware, with CFE at the beginning and some trailing zero bytes (zeroed firmware) at the end. In this case the new CFE doesn't need to have any NVRAM embedded. CFE will upgrade to the new CFE keeping the original NVRAM, and since the firmware is zeroed, after finishing the flashing procedure it will keep waiting for a new firmware.

I made tests:

  • flash cfe6358_token.bin (~63KB) from the CFE web page - after restart the router works OK - NVRAM is not changed (not touched)

  • flash cfe6358_mtd.bin (128KB filled with FF) from OpenWrt - after restart, CFE asks for a new config because the NVRAM is overwritten. If you do not have access to the serial console, the router looks bricked.

  • flash cfe6358-nvr_token.bin (~63KB) from the CFE web page - after restart the router works OK, but NVRAM has been modified in accordance with the settings built in at compile time

The conclusion is that the safest way is to flash the CFE without embedded NVRAM settings, with a token - cfe6358_token.bin (~63KB)

(Last edited by Gelip on 9 Dec 2016, 17:36)

Gelip wrote:

I made tests:

  • flash cfe6358_token.bin (~63KB) from the CFE web page - after restart the router works OK - NVRAM is not changed (not touched)

  • flash cfe6358_mtd.bin (128KB filled with FF) from OpenWrt - after restart, CFE asks for a new config because the NVRAM is overwritten. If you do not have access to the serial console, the router looks bricked.

  • flash cfe6358-nvr_token.bin (~63KB) from the CFE web page - after restart the router works OK, but NVRAM has been modified in accordance with the settings built in at compile time

The conclusion is that the safest way is to flash the CFE without embedded NVRAM settings, with a token - cfe6358_token.bin (~63KB)

@Gelip, I appreciate your hard work. Is your CFE mod safe to flash on HG553 and HG556a?

(Last edited by broneo on 10 Dec 2016, 13:12)

broneo wrote:

@Gelip, I appreciate your hard work. Is your CFE mod safe to flash on HG553 and HG556a?

My latest CFE is safe to flash only on HG553, via the web update page.

HG556a uses a different BoardID - HW556 or HW556aV2 - and different GPIOs. My CFE does not have such IDs, so the OEM router firmware probably will not work:

CFE> b
Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Board Id Name (0-6)
HW553            -------  0
96358VW2         -------  1
96358VW          -------  2
96358VW-16       -------  3
96358GW          -------  4
96358GW-16       -------  5
96358M           -------  6       :  0

OpenWrt may work with other IDs where the version is compatible with the ID, e.g.:

if you set BoardID=HW553 in CFE then you need to flash OpenWrt for HG553 (not for HG556)

but it may not work properly!!! - read this topic of mine:
Unblock or replace CFE in vodafone HG553

(Last edited by Gelip on 10 Dec 2016, 14:54)

Gelip wrote:
broneo wrote:

@Gelip, I appreciate your hard work. Is your CFE mod safe to flash on HG553 and HG556a?

My latest CFE is safe to flash only on HG553, via the web update page.

HG556a uses a different BoardID - HW556 or HW556aV2 - and different GPIOs. My CFE does not have such IDs, so the OEM router firmware probably will not work:

CFE> b
Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Board Id Name (0-6)
HW553            -------  0
96358VW2         -------  1
96358VW          -------  2
96358VW-16       -------  3
96358GW          -------  4
96358GW-16       -------  5
96358M           -------  6       :  0

OpenWrt may work with other IDs where the version is compatible with the ID, e.g.:

if you set BoardID=HW553 in CFE then you need to flash OpenWrt for HG553 (not for HG556)

but it may not work properly!!! - read this topic of mine:
Unblock or replace CFE in vodafone HG553

I got it, if we use the CFE without NVRAM it is safe, in other words the MAC address etc. (in NVRAM) is still intact. But my HG553's MAC address is totally different from the MAC address written on the back of my HG553. Can you help me edit and repair the MAC address so that it matches the MAC address printed on the back of the router, or can you help me make a modified HG553 CFE with my router's MAC address embedded in it?

(Last edited by broneo on 13 Dec 2016, 14:10)

broneo wrote:

I got it, if we use the CFE without NVRAM it is safe, in other words the MAC address etc. (in NVRAM) is still intact. But my HG553's MAC address is totally different from the MAC address written on the back of my HG553. Can you help me edit and repair the MAC address so that it matches the MAC address printed on the back of the router, or can you help me make a modified HG553 CFE with my router's MAC address embedded in it?

If you have access to the serial console it is very easy, use command b:

CFE> b
Press:  <enter> to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Board Id Name (0-6)
HW553            -------  0
96358VW2         -------  1
96358VW          -------  2
96358VW-16       -------  3
96358GW          -------  4
96358GW-16       -------  5
96358M           -------  6       :  0
Number of MAC Addresses (1-32)    :  4
Base MAC Address                  :  00:11:22:33:44:55    <-- enter the MAC address from the back of the router here

If you do not have access to the console, send me your MAC address by e-mail. I will embed it in the CFE for you ;)

(Last edited by Gelip on 14 Dec 2016, 07:03)

Gelip wrote:

If you do not have access to the console, send me your MAC address by e-mail. I will embed it in the CFE for you ;)

Gelip, please give me your email contact, I couldn't send any PM to your profile

(Last edited by broneo on 14 Dec 2016, 07:14)

@Gelip

I have managed to flash your CFE NVRAM mod with my MAC address embedded. My HG553's MAC address has now reverted back to the factory MAC address.
Thank you very much. Next step: do I need to flash your cfe6358_token.bin (~63KB) to avoid any NVRAM modification in the future?

(Last edited by broneo on 15 Dec 2016, 08:17)

broneo wrote:

@Gelip

I have managed to flash your CFE NVRAM mod with my MAC address embedded. My HG553's MAC address has now reverted back to the factory MAC address.
Thank you very much. Next step: do I need to flash your cfe6358_token.bin (~63KB) to avoid any NVRAM modification in the future?

Yes, to avoid any NVRAM modification in the future you need to flash the CFE without embedded NVRAM - cfe6358_token.bin

Gelip wrote:

Changes:

  • modified web interface

http://savepic.net/8685528m.png
cfe6358_token_17122016.zip

the previous cfe token is running well, what is the difference with this one?

broneo wrote:

the previous cfe token is running well, what is the difference with this one?

Only cosmetic changes in web interface.

P.S. Do not quote the entire post, only the selected sentence!

In the source code, I found a file:
cfe_bcm63xx/cfe/cfe/net/dev_tcpconsole.c
This is probably a telnet console:

/*  *********************************************************************
    *  Broadcom Common Firmware Environment (CFE)
    *
    *  TCP Console Driver                       File: dev_tcpconsole.c
    *
    *  Evil hack:  A console driver that uses a TCP socket.
    *
    *  Author:  Mitch Lichtenberg (mpl@broadcom.com)
    *
    *********************************************************************

#define TCPCONSOLE_DEFAULT_PORT 23              /* telnet */

I compiled this file by editing three Makefiles:
cfe_bcm63xx/cfe/cfe/arch/mips/board/bcm63xx_ram/src/Makefile:

BSPOBJS +=               \
...
        dev_tcpconsole.o    \
        ui_tcpcmds.o        \
        ui_envcmds.o        \

cfe_bcm63xx/cfe/cfe/arch/mips/board/bcm63xx_ram/src/ram_cfe.mk:

NETOBJS = net_ether.o net_tftp.o net_ip.o net_udp.o  net_dns.o net_arp.o \
          net_api.o net_tcp.o net_tcpbuf.o dev_tcpconsole.o
UIOBJS  = ui_command.o ui_cmddisp.o ui_tcpcmds.o ui_envcmds.o ui_devcmds.o

You also need to increase the CFE size threshold from 65536 bytes, e.g. to 100 000 bytes, in:
cfe_bcm63xx/cfe/build/broadcom/bcm63xx_rom/Makefile:

ALL : sanity_check cfe$(BRCM_CHIP)
        gcc  -o ${HOSTTOOLS}/addvtoken -I ${INC_SHARED_PUB_PATH} -I/usr/include  ${HOSTTOOLS}/addvtoken.c
        @if [ $(shell find . -name cfe$(BRCM_CHIP).bin -printf '%s\n') -le 100000 ] ; then \
                ${HOSTTOOLS}/addvtoken cfe$(BRCM_CHIP).bin bcm9$(BRCM_CHIP)_cfe.w; \
        else \
                find . -name cfe$(BRCM_CHIP).bin -printf '\nERROR: cfe.bin size, %s, is greater than 65536 maximum size$
                rm cfe$(BRCM_CHIP) cfe$(BRCM_CHIP).bin; \
        fi
        @echo done

The files dev_tcpconsole.o, ui_tcpcmds.o & ui_envcmds.o compiled and were added to the uncompressed CFE (cfe_bcm63xx/cfe/build/broadcom/bcm63xx_ram/cfe6358.bin). The CFE works after flashing to the router, but the new functions do not work - no new commands are available and telnet does not work :(

Any help?

(Last edited by Gelip on 18 Dec 2016, 23:17)

Gelip wrote:

I made tests:

  • flash cfe6358_token.bin (~63KB) from the CFE web page - after restart the router works OK - NVRAM is not changed (not touched)

  • flash cfe6358_mtd.bin (128KB filled with FF) from OpenWrt - after restart, CFE asks for a new config because the NVRAM is overwritten. If you do not have access to the serial console, the router looks bricked.

  • flash cfe6358-nvr_token.bin (~63KB) from the CFE web page - after restart the router works OK, but NVRAM has been modified in accordance with the settings built in at compile time

The conclusion is that the safest way is to flash the CFE without embedded NVRAM settings, with a token - cfe6358_token.bin (~63KB)

Warning! This behavior is only good if the currently loaded CFE is mine, and is the same version we want to flash. If you change from the original CFE to mine, the router asks for configuration on the serial console and looks bricked.

Therefore the safest way to flash my CFE is the version with built-in NVRAM!!!

Unfortunately, the MAC address will be changed to 00:11:22:33:44:55 but the router will work.

New cosmetic changes:

  • added image hg553.png to web interface

http://savepic.net/8692416m.png
cfe6358-nvr_mac001122334455_token.zip

The discussion might have continued from here.