This shows you the differences between two versions of the page.

doc:techref:bootloader:cfe [2012/11/17 14:22]
danitool add some info for bcm63xx CFEs
doc:techref:bootloader:cfe [2015/01/28 12:18] (current)
danitool [bcm63xx CFE]
Line 5: Line 5:
   * [[http://​​docs/​SiByte/​README-1.4.2.txt]]   * [[http://​​docs/​SiByte/​README-1.4.2.txt]]
-===== Available Patches ===== 
-If somebody writes a patche for the bootloader implementation of a particular device, you will find links to this on the wiki-page for that device. Yet we additionally accumulate all the patches wrote for a particular bootloader on his own page. Hopefully you can get a better comprehension of the functionality of the bootloader by having a look at them. 
Line 13: Line 11:
 +===== bcm47xx CFE =====
 +CFE on bcm47xx devices allows running/​installing firmware using a lot of different methods. Usually only few of them are available, depending on the choice of manufacturer who compiled and installed CFE. Most of the methods require access to the CFE console which means you need to attach a [[doc:​hardware:​port.serial|serial]] console. To get a prompt just keep CTRL+C pressed (or ESC for some models) while powering the device up.
-===== Changing CFE defaults ===== +Below is the (hopefully) completed list of methods. ​The best idea is to find one looking the best/easiest and check if it works on your device.
-The following ​is a guide from​wrt54g.html that I've copied here, with added commentary. I am not the original author, that credit goes to Oleg.// //+
-Copyright (c) 2005 Oleg I. Vdovikin IMPORTANT: This information provided AS IS, without any warranties. If in doubt leave this page now. This information applies to WRT54G hw rev 2.0, 2.2, 3.0. No other units were tested, but most likely WRT54GS units should be the same. WRT54G hw rev 1.x use different layout, so you need to adjust things accordingly.+==== Using auto-starting CFE TFTP server ====
-The wrt54g v.2.2 unit was kindly donated ​to me by maxx, the member of the forum. I would like to publically say thank you to him.+Some CFEs start TFTP server for few seconds right after hardware initializationThis is probably the only method of installing firmware with CFE that doesn'​t require serial consoleYou simply have to give CFE 1-3 seconds to initialize ​the switch and then set your IP and start sending ​the firmwareIf you have a serial console, you can identify TFTP server running with the following messages: 
 +_tftpd_open():​ retries=0/​3 
 +_tftpd_open():​ retries=1/​3 
 +_tftpd_open():​ retries=2/​3 
-==== Extracting default values ====+Unfortunately even if this method is available for you, it may not work. For example on Linksys E900 it fails after uploading firmware with the: 
 +CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :​0x807ae1b0] 
 +Loader:raw Filesys:​memory Dev:eth0 File::​0x807ae1b0 Options:​(null) 
 +Loading: PANIC: out of memory! 
-Telnet/ssh to your router running your favorite ​firmware ​and type the following+Please not that CFE may require a device specific ​firmware ​image (with a special header), otherwise (when using a generic .trx) it may fail with the
 +CMD: [flash -ctheader -mem -size=0x4c1000 0x807ae1b0 flash1.trx] 
 +Reading from 0x807ae1b0: CODE Pattern is incorrect! (E900) 
 +The file transferred is not a valid firmware image. 
 +==== Using CFE TFTP manually ====
 +CFE almost always contains ''​flash''​ command that may behave like both: TFTP client and server. The generic usage is following:
 <​code>​ <​code>​
-dd if=/​dev/​mtdblock/​0 bs=1 skip=4116 count=2048 | strings > /​tmp/​cfe.txt +flash [options] source-file [destination-device]
-dd if=/​dev/​mtdblock/​0 of=/​tmp/​cfe.bin+
 </​code>​ </​code>​
 +This is very important to pass ''​[destination-device]''​ argument or CFE will write to the ''​flash0''​ device overwriting the CFE! To see a list of available devices try ''​show devices''​ command.
-Copy both cfe.bin ​and cfe.txt to your linux box (this is required).+Regarding ''​[options]''​ there is one important one called ''​-noheader'' ​and if you happen to be Linksys owner, there is also ''​-ctheader'':​ 
 +-noheader ​   Override header verification,​ flash binary without checking 
 +-ctheader ​   Check header of CyberTAN 
 +By default CFE validates received firmwares checking if they contain a device-specific headerThat won't allow installing firmware created for a different device. If you want to install ''​trx''​ firmware directly ​(image without an extra device-specific header), you may use ''​-noheader''​ option.
-To copy files from your router to your computer, make sure the Dropbear package is installed, and type:+=== TFTP client ===
 +In this scenario we will tell CFE to connect to the remote TFTP server, download firmware and install it on the flash. This means that ''​source-file''​ should be set to ''​host:​path/​firmware.bin''​ format. Example usage:
 <​code>​ <​code>​
-scp root@:/​tmp/​cfe.bin /directory/on/​your/​computer +flash -noheader flash0.trx 
-scp root@:/tmp/cfe.txt /​directory/​on/​your/​computer+flash -ctheader flash0.trx
 </​code>​ </​code>​
 +Unfortunately on some devices this method makes CFE hang right after downloading the firmware and it gets never written to the flash.
-//Check cfe.txt, it should look like this (this is from v.2.2): //+=== TFTP server ===
 +It's also possible to make ''​flash''​ start a TFTP server that will accept firmware for few seconds. The trick is to put '':''​ as a ''​source-file''​. Example usage:
 <​code>​ <​code>​
-boardtype=0x0708 + Example file to send
-boardnum=42 +flash -noheader ​flash0.trx openwrt-brcm47xx-squashfs.trx 
-boardrev=0x10 +flash -ctheader : flash0.trx openwrt-e900_v1-squashfs.bin
-boardflags=0x0118 +
-boardflags2=0 +
-sromrev=2 +
-clkfreq=200 +
-sdram_init=0x000b +
-sdram_config=0x0062 +
-sdram_refresh=0x0000 +
-sdram_ncdl=0x0 +
-et0macaddr=00:​90:​4C:​00:​00:00 +
-et0phyaddr=30 +
-et0mdcport=0 +
-gpio5=robo_reset +
-vlan0ports=1 2 3 4 5* +
-vlan0hwname=et0 +
-vlan1ports=0 5 +
-vlan1hwname=et0 +
-wl0id=0x4320 +
-il0macaddr=00:90:​4C:​00:​00:​00 +
-aa0=3 +
-ag0=255 +
-pa0maxpwr=0x4e +
-pa0itssit=62 +
-pa0b0=0x15eb +
-pa0b1=0xfa82 +
-pa0b2=0xfe66 +
-wl0gpio2=0 +
-wl0gpio3=0 +
-cctl=0 +
-ccode=0 +
-dl_ram_addr=a0001000 +
-os_ram_addr=80001000 +
-os_flash_addr=bfc40000 +
-lan_ipaddr= +
-lan_netmask= +
-scratch=a0180000 +
-boot_wait=off +
-watchdog=5000 +
 </​code>​ </​code>​
 +==== Using upgrade command ====
-==== Changing defaults ====+Some manufacturers provide an ''​upgrade''​ command that is usually just an alias to the parametrized ''​flash''​ executed in a loop. Of course it's much less flexible that the ''​flash''​ command, but also has some advantages like: 
 +  * Setting parameters automatically 
 +  * Running in a loop, so you have much more time to start sending the firmware (not only few seconds)
-Open cfe.txt using text editor and change defaults in the way you like (but be extremely careful, as some changes could prevent device from booting ​and you will need to use JTAG cable to bring it back to life)For me I've decided to enable both Afterburner (Speedbooster) and set boot_wait to on by default, so reset to default no longer messes the things, so I've applied this pseudo-patch (please note, that I've added bit 0x200 to boardflags to enable afterburner):+The most common ​(and probably safe) usage is to call it with ''​code.bin'' ​parameter:​ 
 +CFE> upgrade code.bin 
 +CMD: [upgrade code.bin] 
 +CMD: [flash ​-ctheader : flash1.trx] 
 +Reading :: _tftpd_open(): retries=0/​3 
 +Another possible parameters:
 <​code>​ <​code>​
--boardflags=0x0118 +boot.bin Usually works the same way as code.bin 
--boot_wait=off +linux.bin Doesn'​t always work ("​flash0.0:​ Device not found"​) 
-+boardflags=0x0318 +cfe.bin WARNING! Writes to the flash1.boot,​ you don't want to use it!
 </​code>​ </​code>​
 +==== Using web (http) server ====
-To make life easier for meI added "​reset_gpio=6"​ to the cfe.txt fileThis way, if I do set something wrong, like clkfreq, and the router just locks up, I wont have to try over and over again to hit a very slim window with the JTAG to erase the nvram. I can just hold reset when the router powers on, and it will use the default nvram values stored in the cfe.// //+Unfortunately only few manufacturers decide to enable itbut it's probably ​the most user friendly way of installing firmware. 
-If you do not understand some things in this file, do not try to edit it. This is also applies to afterburner. I've also tried to change default lan_ipaddr, but this does not work in the way I expect: CFE started to answer to ping request to new lan_ipaddr, but it does not accept tftp transfers... 
-==== Creating new CFE image ====+==== Changing ​CFE defaults ​====
-You will need nvserial utility which comes with several GPL tarballs. Linksys supplies ​it in the wrt54g.1.42.3wrt54g.1.42.2,​ wap55ag.1.07,​ wap54gv2.2.06. Launch nvserial in the way like this on your x86 linux box: You can get nvserial from [[​people/​inh/​programs/​nvserial]]+Every bcm47xx CFE has small NVRAM backup that is used to restore the main NVRAM when it gets deleted or corruptedIf you want to modify that backup NVRAMsee [[doc:techref:​bootloader:​cfe:​changing.defaults|changing defaults]] page.
-nvserial -i cfe.bin -o cfe_new.bin -b 4096 -c 2048 cfe.txt 
-It works really slow, but it should finally create cfe_new.bin file for youwhich has new embedded ​nvram.+===== bcm63xx CFE ===== 
 +bcm63xx CFE is totally different when compared with bcm47xxThe NVRAM is totally differentwithout any settings stored outside the CFE partition, they are totally ​embedded ​into CFE. The CLI has different commands, probably with less options. And almost always there is a web server available for flashing. Less options but more fool-proof.
-**Recompiling kernel with writable pmon partition**+To access CFE you need to attach a [[doc:​hardware:​port.serial|serial]] console. To get a prompt just press any key while powering the device up.
-By default most firmwares has pmon partition write protected, i.e. you can't flash anything to this first 256k of flash. This is to prevent corrupting PMON/CFE. To remove this "​lock"​ you will need to compile your own firmare with the following patch, you will need to copy the patch into "​target/​linux/​linux-2.4/​patches/​brcm"​. ​(This patch works with WHITERUSSIAN RC3)+==== Using CFE web (httpserver ====
-<​code>​ +It's probably the most user friendly way of installing firmwareBut sometimes some manufacturers decide to disable it (very uncommon)
---- linux-2.4.30/​arch/​mips/​bcm947xx/​setup.c.orig ​       2005-09-21 11:​24:​09.000000000 -0400 +
-+++ linux-2.4.30/​arch/​mips/​bcm947xx/​setup.c ​    ​2005-09-21 13:​48:​46.853425632 -0400 +
-@@ -174,7 +174,7 @@ +
- ​static struct mtd_partition bcm947xx_parts[] = { +{{:media:doc:cfe63xx_web-upgrade.png|}}
--       name"​pmon",​ offset0, size0, mask_flags: MTD_WRITEABLE, ​}+
-+       { name: "​pmon",​ offset: 0, size: 0 /*, mask_flags: MTD_WRITEABLE,​*/​ }, +
-        { name: "​linux",​ offset: 0, size: 0, }, +
-        { name: "​rootfs",​ offset: 0, size: 0, }, +
-        { name: "​nvram",​ offset: 0, size: 0, }+
 +The default IP address of CFE is almost always You should use a static IP in your PC since there isn't DHCP server available when running CFE.
-NoteAt least on White Russian recompiling ​the kernel is not necessary. Theres a kernel module thats makes the CFE Partition writable ​at​pub/​openwrt/​+For accessing this web interface: 
 +  * Unplug ​the power source 
 +  * Press the **RESET** button ​at the router, don't release it yet! 
 +  * Plug the power source 
 +  * Release the **RESET** button 
 +  * Wait some seconds 
 +  * Browse to
-==== Flashing new CFE image ====+**Note**: The RESET button doesn'​t work in some routers. Then you need to attach a [[doc:​hardware:​port.serial|serial]] console (serial TTL cable adapter required) to stop CFE when loading. Or shortcircuit TX and RX serial pins some seconds when powering on the router to simulate keyboard buttons pressing; this is ugly but it should work.
-So, once you've recompiled and flashed your new firmware you need you upgrade ​CFE. This process is dangerous, as flash failure during it will prevent your unit from booting. Copy cfe_new.bin to your wrt54g and flash it. The exact commands are dependent on the firmware. With OpenWrt I've used the following:+==== Using CFE TFTP client ====
-<code+If you want to install a firmware using TFTP, follow these steps (as an alternative to the above install process. 
-mtd unlock pmon +  * Connect a [[doc:​hardware:​port.serial|serial]] TTL cable to send commands to CFE via serial console software, for loading the firmware via TFTP. 
-mtd write -f /​tmp/​cfe_new.bin pmon+  * Start a TFTP server in your PC. Copy the //​**firmware.bin**//​ file to the TFTP server'​s directory. 
 +  * Set the IP at your pc to (or any compatible),​ and connect the ethernet cable to the router. 
 +This is a session of flashing via TFTP: 
 +<p style="​padding:​ 10px;​border:​1px solid grey;​height:​120px;​font:​12px/​14px Georgia, Garamond, Serif;​overflow:​Auto;​background-color:#​DEE4E7">​ 
 +<​code>​CFE> ​​firmware.bin 
 +Loading​firmware.bin ... 
 +Finished loading 2686980 bytes 
 +Flashing root file system and kernel at 0xbfc10000: .......................................... 
 +*** Image flash done *** ! 
 +Resetting board...\0xff
 </​code>​ </​code>​
-I recommend using the JTAG cable method for re-flashing your CFE. If something were to go wrongyou would end up needing ​the JTAG cable anyways. It's really cheap and easy to build, and makes it possible to recover from almost any error you make when writing to the flash. Check out http://​​OpenWrtDocs/​Troubleshooting ​**' ​**+==== CFE HEADER ==== 
 +At the begining of CFE, outside ​the NVRAM area there exist three interesting parameters: 
 +^ Offsets ^ parameter ^ possible values ^^ size ^ 
 +| 0x010-0x013 | **BpGetSdramSize** | 8MB 1 CHIP\\ 16MB 1 CHIP\\ 32MB 1 CHIP\\ 64MB 2 CHIP\\ 32MB 2 CHIP\\ 16MB 2 CHIP\\ 64MB 1 CHIP | **0**\\ **1**\\ **2**\\ **3**\\ **4**\\ **5**\\ **6** | 4 bytes\\ (unsigned long) | 
 +| 0x014-0x017 | **BpGetCMTThread**\\ (Main Thread) | core0\\ core1 | **0**\\ **1** | 4 bytes\\ (unsigned long) | 
 +| 0x570 | **CFE Version** | any |  |
-==== Checking it ==== 
-Embedded nvram is only used, when real nvram is either corrupted or empty (CRC/magic checks fails), so you will need to erase nvram or to reset to defaultsWith OpenWrt type this:+=== NVRAM === 
 +The NVRAM is located between offsets 0x580 to 0x97F. The size is 1KB (1024 bytes). 
-<​code>​ +In this pic you can see the NVRAM highlighted:​ \\ 
-mtd erase nvram +{{:​doc:​techref:​bootloader:​cfe_nvram-bcm63xx_2.png?​300|}} 
-</code>+^ NVRAM version<5 (usually found in BCM6338, BCM6348, BCM6358) ^^^^ 
 +^ Offsets ^ parameter ^^ size ^ 
 +| 0x580 | **NVRAM Version** || 4 bytes | 
 +| 0x584 | **BOOT LINE** | e= (Board IP)\\ h= (Host IP)\\ g=  (Gateway IP)\\  r=f/h (run from flash/​host)\\ f=vmlinux (if r=h)\\ i=bcm963xx_fs_kernel\\ d=3 (delay, 0=forever prompt)\\ p=0 (boot image, 0=latest, 1=previous) | 256 bytes | 
 +| 0x684 | **Board ID** || 16 bytes | 
 +| 0x694 | **reserved** || 8 bytes | 
 +| 0x69C | **Number MAC Addresses** || 4 bytes | 
 +| 0x6A0 | **Base MAC Address** || 6 bytes | 
 +| 0x6A6 | **reserved** || 2 bytes | 
 +| 0x6A8 | **CheckSum** || 4 bytes | 
 +| 0x6AC | **--- EMPTY ---** || 724 bytes |
 +| {{:​meta:​48px-dialog-warning.svg.png|}} | Not all bcm63xx CFEs share this structure, some CFEs seem to have additional parameters like **PsiSize**,​ **Country**,​ **SerialNumber**,​ etc. As a result of this the CheckSum maybe located at different offsets and therefore the calculation is different. The **EMPTY** space isn't used to calculate the CheckSum |
-Then cross your fingers and reboot your unit. And remember - I'm not responsible for any damage to your unitas this information is provided AS IS for my own Posted: 2005-04-03+^ NVRAM version>​=5 (usually found in BCM6328BCM6362, BCM6368, BCM6816) ^^^^ 
 +^ Offsets ^ parameter ^^ size (bytes) ^ 
 +| 0x580 | **NVRAM Version** || 4 | 
 +| 0x584 | **BOOT LINE** | e= (Board IP)\\ h= (Host IP)\\ g=  (Gateway IP)\\  r=f/h (run from flash/​host)\\ f=vmlinux (if r=h)\\ i=bcm963xx_fs_kernel\\ d=3 (delay, 0=forever prompt)\\ p=0 (boot image, 0=latest, 1=previous) | 256 | 
 +| 0x684 | **Board ID** || 16 | 
 +| 0x694 | **Main Thread** || 4 | 
 +| 0x698 | **Psi size** || 4 | 
 +| 0x69C | **Number MAC Addresses** || 4 | 
 +| 0x6A0 | **Base MAC Address** || 6 | 
 +| 0x6A6 | **reserved** || 2 | 
 +| 0x6A8 | **old CheckSum** || 4 | 
 +| 0x6AC | **gpon Serial Number** || 13 | 
 +| 0x6B9 | **gpon Password** || 11 | 
 +| 0x6C4 | **wps Device Pin** || 8 | 
 +| 0x6CC | **wlan Params** || 256 | 
 +| 0x7CC | **Syslog Size** || 4 | 
 +| 0x7D0 | **Nand Part Ofs Kb** || 20 | 
 +| 0x7E4 | **Nand Part Size Kb** || 20 | 
 +| 0x7F8 | **Voice Board Id** || 16 | 
 +| 0x808 | **afe Id** || 8 | 
 +| 0x810 | **Unused** || 364 | 
 +| 0x97C | **CheckSum** || 4 |
-===== Customizing Firmware Image ===== +NVRAM versions >=5 always have the checksum placed at the end of the NVRAM.
-It is relatively easy to create a custom firmware image which is pre-loaded with particular software packages and your own files. Please use the OpenWrt [[oldwiki:​imagebuilderhowto|Image Builder]].+
-===== CFE for bcm63xx SoC ===== 
-|{{:​meta:​48px-construction.svg.png|}} | Maybe the entire article should be splited with different sections for different CFEs, but for now just add the information for this particular CFE | 
-CFE for bcm63xx boards have a different structure. The NVRAM is located between offsets 0x584 to 0x983. The size is 1KB (1024 bytes). ​ 
-In this pic you can see the NVRAM highlighted:​ \\ +==== PSI ==== 
 +At the end of the flash outside the CFE, there exists a PSI partition (Profile Storage Information),​ about 16KB size. In Openwrt ​this area is **protected with a partition called nvram**. Do not confuse with the CFE NVRAM!!
-At the end of the flash, there exists a PSI partition (Profile Storage Information),​ about 16KB sizeFIXME+There isn't any interaction between CFE and PSI except for restoring it to defaults or erasing this area. The settings present in this area are only used by the OEM firmware.
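Review bot: in the "TFTP client" and "TFTP server" examples the `flash` lines do not match the usage `flash [options] source-file [destination-device]` given just above them: `flash -noheader flash0.trx` and `flash -ctheader flash0.trx` carry a single positional argument, and `flash -noheader flash0.trx openwrt-brcm47xx-squashfs.trx` lacks the `:` source that the text calls the trick for server mode. The same section warns that omitting `[destination-device]` makes CFE write to `flash0` and overwrite itself, so each example should spell out both arguments, using the `host:path/firmware.bin` form for the client case followed by the destination, and should keep the "file to send" column visibly separate from the command. The `-noheader` paragraph would also benefit from one sentence saying that the option turns off the only device check described here, so the reader has to confirm the image is built for the board before using it.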
doc/techref/bootloader/cfe.1353158539.txt.bz2 · Last modified: 2012/11/17 14:22 by danitool