CFE

Available Patches

If somebody writes a patch for the bootloader implementation of a particular device, you will find links to it on the wiki page for that device. We additionally collect all the patches written for a particular bootloader on its own page. Hopefully you can get a better understanding of how the bootloader works by having a look at them.

Using the CFE

bcm47xx CFE

Changing CFE defaults

The following is a guide from http://wl500g.dyndns.org/wrt54g.html that I've copied here, with added commentary. I am not the original author, that credit goes to Oleg.

Copyright © 2005 Oleg I. Vdovikin

IMPORTANT: This information is provided AS IS, without any warranties. If in doubt leave this page now. This information applies to WRT54G hw rev 2.0, 2.2, 3.0. No other units were tested, but most likely WRT54GS units should be the same. WRT54G hw rev 1.x use a different layout, so you need to adjust things accordingly.

The wrt54g v.2.2 unit was kindly donated to me by maxx, a member of the forum.chupa.nl forum. I would like to publicly say thank you to him.

Extracting default values

Telnet/ssh to your router running your favorite firmware and type the following:

dd if=/dev/mtdblock/0 bs=1 skip=4116 count=2048 | strings > /tmp/cfe.txt
dd if=/dev/mtdblock/0 of=/tmp/cfe.bin

Copy both cfe.bin and cfe.txt to your Linux box (this is required).

To copy files from your router to your computer, make sure the Dropbear package is installed, and type:

scp root@<router-ip>:/tmp/cfe.bin /directory/on/your/computer
scp root@<router-ip>:/tmp/cfe.txt /directory/on/your/computer

Check cfe.txt, it should look like this (this is from v.2.2):

boardtype=0x0708
boardnum=42
boardrev=0x10
boardflags=0x0118
boardflags2=0
sromrev=2
clkfreq=200
sdram_init=0x000b
sdram_config=0x0062
sdram_refresh=0x0000
sdram_ncdl=0x0
et0macaddr=00:90:4C:00:00:00
et0phyaddr=30
et0mdcport=0
gpio5=robo_reset
vlan0ports=1 2 3 4 5*
vlan0hwname=et0
vlan1ports=0 5
vlan1hwname=et0
wl0id=0x4320
il0macaddr=00:90:4C:00:00:00
aa0=3
ag0=255
pa0maxpwr=0x4e
pa0itssit=62
pa0b0=0x15eb
pa0b1=0xfa82
pa0b2=0xfe66
wl0gpio2=0
wl0gpio3=0
cctl=0
ccode=0
dl_ram_addr=a0001000
os_ram_addr=80001000
os_flash_addr=bfc40000
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
scratch=a0180000
boot_wait=off
watchdog=5000
bootnv_ver=2

Changing defaults

Open cfe.txt using a text editor and change the defaults the way you like (but be extremely careful, as some changes could prevent the device from booting and you will need to use a JTAG cable to bring it back to life). For me, I've decided to both enable Afterburner (Speedbooster) and set boot_wait to on by default, so that a reset to defaults no longer messes things up, so I've applied this pseudo-patch (please note that I've added bit 0x200 to boardflags to enable Afterburner):

-boardflags=0x0118
-boot_wait=off
+boardflags=0x0318
+boot_wait=on

To make life easier for me, I added "reset_gpio=6" to the cfe.txt file. This way, if I do set something wrong, like clkfreq, and the router just locks up, I won't have to try over and over again to hit a very slim window with the JTAG to erase the nvram. I can just hold reset when the router powers on, and it will use the default nvram values stored in the CFE.

If you do not understand some things in this file, do not try to edit it. This also applies to Afterburner. I've also tried to change the default lan_ipaddr, but this does not work the way I expected: CFE started to answer ping requests to the new lan_ipaddr, but it does not accept tftp transfers…

Creating new CFE image

You will need the nvserial utility, which comes with several GPL tarballs. Linksys supplies it in wrt54g.1.42.3, wrt54g.1.42.2, wap55ag.1.07 and wap54gv2.2.06. You can get nvserial from http://downloads.openwrt.org/people/inh/programs/nvserial. Launch nvserial like this on your x86 Linux box:

nvserial -i cfe.bin -o cfe_new.bin -b 4096 -c 2048 cfe.txt

It works really slowly, but it should finally create the cfe_new.bin file for you, which has the new embedded nvram.
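
A check worth running on the Linux box before flashing, as an added example (not part of the original guide, nvserial or OpenWrt): it confirms that cfe_new.bin differs from cfe.bin only inside the embedded NVRAM area and lists which defaults changed. It assumes that nvserial's -b 4096 and -c 2048 are the byte offset and length of that area and that nvserial rewrites nothing else; the function names and the sample images are constructed.

```python
NV_OFFSET = 4096  # assumption: "nvserial -b 4096" is the byte offset of the embedded NVRAM
NV_SIZE = 2048    # assumption: "nvserial -c 2048" is its length in bytes
NV_HEADER = 20    # the dd command above skips 4116 = 4096 + 20 bytes before the strings


def embedded_defaults(image: bytes) -> dict:
    """Return the key=value defaults stored as NUL-separated ASCII strings."""
    region = image[NV_OFFSET + NV_HEADER:NV_OFFSET + NV_SIZE]
    pairs = {}
    for raw in region.split(b"\0"):
        if b"=" in raw and raw.isascii():
            key, _, value = raw.decode("ascii").partition("=")
            pairs[key] = value
    return pairs


def changed_defaults(old: bytes, new: bytes) -> dict:
    """Map each changed key to (old, new); refuse images that differ elsewhere."""
    if len(old) != len(new):
        raise ValueError("image size changed")
    lo, hi = NV_OFFSET, NV_OFFSET + NV_SIZE
    if old[:lo] != new[:lo] or old[hi:] != new[hi:]:
        raise ValueError("bytes outside the embedded NVRAM area differ")
    before, after = embedded_defaults(old), embedded_defaults(new)
    return {k: (before.get(k), after.get(k))
            for k in sorted(before.keys() | after.keys())
            if before.get(k) != after.get(k)}


def constructed_image(defaults: dict) -> bytes:
    """Build a small fake image for the demo (constructed data, not a real CFE)."""
    body = b"".join(f"{k}={v}\0".encode("ascii") for k, v in defaults.items())
    area = (b"\0" * NV_HEADER + body).ljust(NV_SIZE, b"\0")
    return b"\xaa" * NV_OFFSET + area + b"\xbb" * 1024


if __name__ == "__main__":
    old = constructed_image({"boardflags": "0x0118", "clkfreq": "200", "boot_wait": "off"})
    new = constructed_image({"boardflags": "0x0318", "clkfreq": "200", "boot_wait": "on"})
    for key, (a, b) in changed_defaults(old, new).items():
        print(f"{key}: {a} -> {b}")
```

To use it on real files, read cfe.bin and cfe_new.bin in binary mode and pass their contents to changed_defaults; a ValueError means the new image should not be flashed until the difference is understood.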

Recompiling kernel with writable pmon partition

By default most firmwares have the pmon partition write protected, i.e. you can't flash anything to this first 256k of flash. This is to prevent corrupting PMON/CFE. To remove this "lock" you will need to compile your own firmware with the following patch, which you will need to copy into "target/linux/linux-2.4/patches/brcm". (This patch works with WHITERUSSIAN RC3)

--- linux-2.4.30/arch/mips/bcm947xx/setup.c.orig        2005-09-21 11:24:09.000000000 -0400
+++ linux-2.4.30/arch/mips/bcm947xx/setup.c     2005-09-21 13:48:46.853425632 -0400
@@ -174,7 +174,7 @@
 #ifdef CONFIG_MTD_PARTITIONS

 static struct mtd_partition bcm947xx_parts[] = {
-       { name: "pmon", offset: 0, size: 0, mask_flags: MTD_WRITEABLE, },
+       { name: "pmon", offset: 0, size: 0 /*, mask_flags: MTD_WRITEABLE,*/ },
        { name: "linux", offset: 0, size: 0, },
        { name: "rootfs", offset: 0, size: 0, },
        { name: "nvram", offset: 0, size: 0, },
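
Review bot: in the "pmon" entry of bcm947xx_parts the write protection is dropped by commenting out mask_flags: MTD_WRITEABLE, which leaves the bootloader partition writable unconditionally in every kernel built with this patch, so anything that can write to the MTD device can overwrite PMON/CFE long after the one-time update is done. Consider putting the change behind a build-time option that defaults to the protected entry, so only an image built specifically for a CFE update ships without the lock, and delete the field in that branch rather than leaving commented-out code inside the initializer.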

Note: At least on White Russian, recompiling the kernel is not necessary. There's a kernel module that makes the CFE partition writable at http://myantihero.net/pub/openwrt/

Flashing new CFE image

So, once you've recompiled and flashed your new firmware, you need to upgrade CFE. This process is dangerous, as a flash failure during it will prevent your unit from booting. Copy cfe_new.bin to your wrt54g and flash it. The exact commands depend on the firmware. With OpenWrt I've used the following:

mtd unlock pmon
mtd write -f /tmp/cfe_new.bin pmon

I recommend using the JTAG cable method for re-flashing your CFE. If something were to go wrong, you would end up needing the JTAG cable anyway. It's really cheap and easy to build, and makes it possible to recover from almost any error you make when writing to the flash. Check out http://openwrt.org/OpenWrtDocs/Troubleshooting

Checking it

Embedded nvram is only used when the real nvram is either corrupted or empty (CRC/magic checks fail), so you will need to erase nvram or to reset to defaults. With OpenWrt type this:

mtd erase nvram

Then cross your fingers and reboot your unit. And remember - I'm not responsible for any damage to your unit, as this information is provided AS IS for my own pleasure.

oleg@cs.msu.su
Posted: 2005-04-03

Customizing Firmware Image

It is relatively easy to create a custom firmware image which is pre-loaded with particular software packages and your own files. Please use the OpenWrt Image Builder.

bcm63xx CFE

CFE for bcm63xx boards has a different structure. At the beginning of CFE, outside the NVRAM area, there are two interesting parameters:

| Offsets | parameter | possible values | size |
|---|---|---|---|
| 0x010-0x013 | BpGetSdramSize | 0 = 8MB 1 CHIP; 1 = 16MB 1 CHIP; 2 = 32MB 1 CHIP; 3 = 64MB 2 CHIP; 4 = 32MB 2 CHIP; 5 = 16MB 2 CHIP; 6 = 64MB 1 CHIP | 4 bytes (unsigned long) |
| 0x014-0x017 | BpGetCMTThread (Main Thread) | 0 = core0; 1 = core1 | 4 bytes (unsigned long) |

NVRAM

The NVRAM is located between offsets 0x580 and 0x97F. Its size is 1KB (1024 bytes).

In this pic you can see the NVRAM highlighted:

NVRAM
| Offsets | parameter | size |
|---|---|---|
| 0x580-0x583 | NVRAM DATA ID | 4 bytes |
| 0x584-0x683 | BOOT LINE: e=192.168.1.1 (Board IP); h=192.168.1.100 (Host IP); g= (Gateway IP); r=f/h (run from flash/host); f=vmlinux (if r=h); i=bcm963xx_fs_kernel; d=3 (delay, 0=forever prompt); p=0 (boot image, 0=latest, 1=previous) | 256 bytes |
| 0x684-0x693 | Board ID | 16 bytes |
| 0x694-0x69B | reserved | 8 bytes |
| 0x69C-0x69F | Number MAC Addresses | 4 bytes |
| 0x6A0-0x6A5 | Base MAC Address | 6 bytes |
| 0x6A6-0x6A7 | reserved | 2 bytes |
| 0x6A8-0x6AB | CheckSum | 4 bytes |
| 0x6AC-0x97F | EMPTY | 724 bytes |

Not all bcm63xx CFEs share this structure; some CFEs seem to have additional parameters like PsiSize, Country, SerialNumber, etc. As a result, the CheckSum may be located at a different offset and therefore the calculation is different. The EMPTY space isn't used to calculate the CheckSum.
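
The offsets in the two bcm63xx tables above, turned into a small dump parser; this is an added example, not code from the wiki or from any CFE source. It assumes big-endian integers, NUL-padded ASCII strings and a space-separated boot line, none of which the page states, and it treats a non-uniform EMPTY area as a hint that the dump comes from a CFE with the additional parameters mentioned above; all function names and sample values are constructed.

```python
import struct

SDRAM_SIZES = ["8MB 1 CHIP", "16MB 1 CHIP", "32MB 1 CHIP", "64MB 2 CHIP",
               "32MB 2 CHIP", "16MB 2 CHIP", "64MB 1 CHIP"]  # values 0..6 from the table


def cstring(field: bytes) -> str:
    """Decode a NUL-padded ASCII field (assumed encoding)."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_cfe63xx(dump: bytes) -> dict:
    """Decode the header parameters and NVRAM fields at the offsets in the tables."""
    if len(dump) < 0x980:
        raise ValueError("dump ends before the NVRAM area (0x580-0x97F)")
    sdram, thread = struct.unpack_from(">II", dump, 0x010)  # big-endian is assumed
    boot_line = cstring(dump[0x584:0x684])
    num_macs, = struct.unpack_from(">I", dump, 0x69C)
    checksum, = struct.unpack_from(">I", dump, 0x6A8)
    return {
        "sdram": SDRAM_SIZES[sdram] if sdram < len(SDRAM_SIZES) else f"unknown ({sdram})",
        "main_thread": f"core{thread}" if thread in (0, 1) else f"unknown ({thread})",
        "nvram_data_id": struct.unpack_from(">I", dump, 0x580)[0],
        # assumption: boot line fields are separated by spaces
        "boot": dict(tok.split("=", 1) for tok in boot_line.split() if "=" in tok),
        "board_id": cstring(dump[0x684:0x694]),
        "num_macs": num_macs,
        "base_mac": dump[0x6A0:0x6A6].hex(":"),
        "stored_checksum": f"{checksum:#010x}",  # reported only, not verified
        # heuristic: a non-uniform EMPTY area suggests a CFE with extra parameters
        "empty_area_blank": len(set(dump[0x6AC:0x980])) == 1,
    }


def constructed_dump() -> bytes:
    """Build a fake dump for the demo (constructed values, not from a real device)."""
    d = bytearray(b"\xff" * 0x1000)
    struct.pack_into(">II", d, 0x010, 1, 0)
    struct.pack_into(">I", d, 0x580, 5)
    d[0x584:0x684] = b"e=192.168.1.1 h=192.168.1.100 g= r=f f=vmlinux d=3 p=0".ljust(256, b"\0")
    d[0x684:0x694] = b"EXAMPLE-BOARD".ljust(16, b"\0")
    struct.pack_into(">I", d, 0x69C, 4)
    d[0x6A0:0x6A6] = bytes.fromhex("02005e000001")
    struct.pack_into(">I", d, 0x6A8, 0x12345678)
    return bytes(d)


if __name__ == "__main__":
    print(parse_cfe63xx(constructed_dump()))
```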

PSI

At the end of the flash, there is a PSI partition (Profile Storage Information), about 16KB in size. FIXME


doc/techref/bootloader/cfe.txt · Last modified: 2013/05/22 02:57 by danitool