EA9500 Serial Console to CFE

[chadster766]

*Warning this will void your warranty

Opening the EA9500 case:

1. Remove the 4 screws under feet and product label

2. Remove plastic reinforcement cover

3. Remove cover plate

4. Connect USB to TTL cable

Below is some serial console output:

Digital core power voltage set to 1.05V
Decompressing...done
Digital core power voltage set to 1.05V

CFE Boot Loader v0.5.1__7.14.131.35

SHMOO VER 1.13

PKID07DC06011801080000000000001A103F01000000

S30000217
00001770


RDLYW0 00000004

RDENW0 00000037

RDQSW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
00 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
01 ------------++++++++++++++++++++++++++X++++++++++++++++++++++++-
02 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
03 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++--
04 ------++++++++++++++++++++++++X+++++++++++++++++++++++----------
05 ---------------++++++++++++++++++++++++X++++++++++++++++++++++--
06 -------++++++++++++++++++++++++X++++++++++++++++++++++++--------
07 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
08 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++----------
09 --------+++++++++++++++++++++++++X++++++++++++++++++++++++------
10 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
11 -------++++++++++++++++++++++++X+++++++++++++++++++++++---------
12 --++++++++++++++++++++++++++X++++++++++++++++++++++++++---------
13 -----+++++++++++++++++++++++X+++++++++++++++++++++++------------
14 ------+++++++++++++++++++++++++X+++++++++++++++++++++++++-------
15 --+++++++++++++++++++++++++X+++++++++++++++++++++++++-----------


PW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
00 ---++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-
01 ----++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-
02 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
03 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++--
04 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
05 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++--
06 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
07 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
08 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------
09 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
10 +++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-----
11 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
12 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
13 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
14 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
15 +++++++++++++++++++++++++++X++++++++++++++++++++++++++----------


NW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
00 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
01 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
02 -------------+++++++++++++++++++++++++X+++++++++++++++++++++++++
03 -----------++++++++++++++++++++++++++X++++++++++++++++++++++++++
04 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
05 ---------------++++++++++++++++++++++++X++++++++++++++++++++++++
06 -------++++++++++++++++++++++++++X++++++++++++++++++++++++++----
07 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
08 ---++++++++++++++++++++++++++X++++++++++++++++++++++++++--------
09 --------++++++++++++++++++++++++++X++++++++++++++++++++++++++---
10 -------+++++++++++++++++++++++++++X++++++++++++++++++++++++++---
11 --------+++++++++++++++++++++++++X+++++++++++++++++++++++++-----
12 ---+++++++++++++++++++++++++++X++++++++++++++++++++++++++-------
13 -------++++++++++++++++++++++++X++++++++++++++++++++++++--------
14 -----++++++++++++++++++++++++++X++++++++++++++++++++++++++------
15 ---+++++++++++++++++++++++++X+++++++++++++++++++++++++----------


WRDQW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
00 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
01 ++++++++++++++++++++++++++++X+++++++++++++++++++++++++++--------
02 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
03 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++---------
04 ++++++++++++++++++++++++X++++++++++++++++++++++++---------------
05 ++++++++++++++++++++++++++++X+++++++++++++++++++++++++++--------
06 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
07 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
08 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
09 +++++++++++++++++++++++++++X+++++++++++++++++++++++++++-------+-
10 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
11 ++++++++++++++++++++++++++X+++++++++++++++++++++++++------------
12 +++++++++++++++++++++++++X++++++++++++++++++++++++--------------
13 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------
14 ++++++++++++++++++++++++++X++++++++++++++++++++++++++-----------
15 +++++++++++++++++++++++++X+++++++++++++++++++++++++-------------


WRDMW0 00000027
WRDMW0 00000025


ADDR

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
00 +++++++++++++++++++++++S+++++++X++++++++++++++++++++++++++++++++

Decompressing...done
Found a Toshiba NAND flash:
Total size:  128MB
Block size:  128KB
Page Size:   2048B
OOB Size:    64B
Sector size: 512B
Spare size:  16B
ECC level:   8 (8-bit)
Device ID: 0x98 0xf1 0x80 0x15 0xf2 0x16
find_devinfo: devinfo block found at 0x00180000!

Press Ctrl+C to stop in CFE


CFE version 7.14.131.35 (r612453) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Fri Jan 22 18:07:59 CST 2016 (proc@ubuntu12d04LTS), for the EA9500 board
Copyright (C) 2000-2008 Broadcom Corporation.
Copyright (C) 2016 Arcadyan Corporation.

Flashing all LEDs ...

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
DDR Clock: 800 MHz
Info: DDR frequency set from clkfreq=1400,*800*

### RoboID=53012, vid=1 val32=0x35faf val16=0x1 ###

### RoboID=53012, vid=2 val32=0x22110 val16=0x2 ###
et2: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 7.14.131.35 (r612453)
CPU type 0x0: 1400MHz
Tot mem: 262144 KBytes

CFE mem:    0x00F00000 - 0x01799D2C (9018668)
Data:       0x00F601E0 - 0x00F608A8 (1736)
BSS:        0x00F608B8 - 0x00F97D2C (226420)
Heap:       0x00F97D2C - 0x01797D2C (8388608)
Stack:      0x01797D2C - 0x01799D2C (8192)
Text:       0x00F00000 - 0x00F52488 (337032)
Boot:       0x0179A000 - 0x017DA000
Reloc:      I:00000000 - D:00000000

Boot version: v0.5.1__7.14.131.35

Device eth0:  hwaddr 48-F8-B3-F6-49-51, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Loader:raw, invalid tftp target filename (:)!
Could not load :: Invalid parameter
Checking CRC validity of nflash1.trx ... OK
Booting(0): boot -raw -z -addr=0x8000 -max=0xef8000 nflash0.os:
Loader:raw Filesys:raw Dev:nflash0.os File: Options:(null)
Loading: ..... 5438272 bytes read
Entry at 0x00008000
Closing network.
Starting program at 0x00008000
cfe_start: launch kernel with blue LED0 is on!

console [ttyS0] enabled, bootconsole disabled
serial8250.0: ttyS1 at MMIO 0x18000400 (irq = 117) is a 16550
brd: module loaded
loop: module loaded
pflash: found no supported devices
bcmsflash: found no supported devices
The first offset=200000, 2nd offset=1f00000
Boot partition size = 524288(0x80000)
lookup_nflash_rootfs_offset: offset = 0x200000
nflash: squash filesystem with lzma found at block 33
lookup_nflash_rootfs_offset: offset = 0x1f00000
nflash: squash filesystem with lzma found at block 265
Creating 6 MTD partitions on "nflash":
0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000001f00000 : "linux"
0x00000042dba4-0x000001f00000 : "rootfs"
0x000001f00000-0x000005200000 : "linux2"
0x00000212db04-0x000005200000 : "rootfs2"

 

[chadster766]

I don't have any experience with CFE boot loader.

Any instruction on how to use it to load firmware and how on how to backup the current CFE would be appreciated.

Also if anyone knows how to compile a kernel for this boot loader that would be very helpful since I would like to have this router compatible with the McDebian firmware.

https://github.com/Chadster766/McDebian

 

[RMerlin]

Any instruction on how to use it to load firmware and how on how to backup the current CFE would be appreciated.

Flashing is usually done over TFTP.

CFE content is usually in the first mtd partition, so you'd have to make a dump of it. You'll have to see what exact CFE feature are included, as this varies between manufacturers. Asus for instance include a mini web server in theirs, which can be used for flashing a firmware.

 

[RMerlin]

Also if anyone knows how to compile a kernel for this boot loader that would be very helpful since I would like to have this router compatible with the McDebian firmware.

I thought Linksys were locking down third party firmwares on their EA series.

 

[chadster766]

Flashing is usually done over TFTP.

CFE content is usually in the first mtd partition, so you'd have to make a dump of it. You'll have to see what exact CFE feature are included, as this varies between manufacturers. Asus for instance include a mini web server in theirs, which can be used for flashing a firmware.

What command do I run to get the list of features?

The CFE web server feature seems to be disabled. I pressed the recessed reset button during boot and the CFE console output didn't change or nmap show any ports open on the unit.

 

[chadster766]

I thought Linksys were locking down third party firmware's on their EA series.

I don't really know the details around how wireless manufactures are locking down there equipment or even it they can. They have to load firmware onto there devices somehow and provide GPL code if requested.

 

[L&LD]

No, they don't.

 

[chadster766]

I thought Linksys were locking down third party firmwares on their EA series.

I'm just wondering if it's possible to build a firmware for this model.

If you can instruct me on how to do a test build and load it without losing the ability to recover the CFE that would be great.

Is a DTS blob still loaded with the kernel in CFE?

 

[chadster766]

No, they don't.

Do you mean they don't have to provide GPL source code upon request?

 

[L&LD]

Yes.

 

[chadster766]

Yes.

AFAIK many manufactures have lost lawsuits and have paid huge penalties because of not following GPL licencing rules.

 

[L&LD]

No doubt. But that isn't a guarantee of what the future will bring.

This is what is happening today. Tomorrow? Manufacturers can change the rules as they wish. They're not here for 'us', when all is said and done. The bottom line is what drives business. Not a sense of being nice or playing fair.

 

[RMerlin]

What command do I run to get the list of features?

I think it's just "cmds" or "help" (I don't have a serial hooked router at hand at the moment). However it provides very little information.

The CFE web server feature seems to be disabled. I pressed the recessed reset button during boot and the CFE console output didn't change or nmap show any ports open on the unit.

Could be something Asus added themselves. Keep in mine that the CFE can be heavily customized by the manufacturer. Asus actually includes the CFE source code in their GPL drops, if you want to take a look at it.

If you can instruct me on how to do a test build and load it without losing the ability to recover the CFE that would be great.

No idea how the rest of that model's design works, sorry. Basically, it should just boot the kernel located in that linux mtd partition, passing it an init command that will be model-specific. You will have to observe what gets passed as argument to the kernel at boot time.

You will have to take a look at Linksys's GPL drop to learn more about the firmware image format accepted by their recovery mode / UI-based upgrade. Tomato/DD-WRT would be other candidates to look at, since they might support other EA models that are also CFE-based.

I don't really know the details around how wireless manufactures are locking down there equipment or even it they can. They have to load firmware onto there devices somehow and provide GPL code if requested.

There are a lot of ways a device can be locked down while still retaining GPL compliance:

1) Signed bootloader. That means the CFE will only accept to load a kernel with a valid RSA signature, and the manufacturer is the only one with the signing key. That's how devices like the WDTV work, meaning you can play with the userspace code, but not the kernel itself.

2) Only accept RSA signed firmware images through the CFE recovery mode, meaning only low-level hacking (possibly JTAG) would allow you to bypass this

3) Keep the radio-specific configuration in a separate location, meaning that any third party firmware would be unable to interact with this portion of the firmware. That's how their WRT line of products work AFAIK (or that's at least the explanation they gave at the time in their marketing blurb).

The GPL only requires them to provide the source code.

 

[sfx2000]

Linksys typically will release the GPL changes, sometimes one has to ask - in any event, I haven't seen a drop from them in some time that will result in a full firmware image - and that's ok, it's consistent with the licensing of the GPL2/GPL3 code...

They're not obligated to share their own code - just any changes to GPL..

 

[RMerlin]

Basically, your partition table is:

0x000000000000-0x000000080000 : "boot"
0x000000080000-0x000000200000 : "nvram"
0x000000200000-0x000001f00000 : "linux"
0x00000042dba4-0x000001f00000 : "rootfs"
0x000001f00000-0x000005200000 : "linux2"
0x00000212db04-0x000005200000 : "rootfs2"

/dev/mtd0 contains the CFE
/dev/mtd1 contains the nvram
/dev/mtd2 contains the linux kernel
/dev/mtd3 contains the root filesystem of the OS
/dev/mtd4 and /dev/mtd5 contains a second firmware image

Your firmware image probably needs to be in TRX format (based on your log output), and must be written on top of the linux partition (the rootfs that's part of the same TRX image will overstep the linux partition and fill up the rootfs partition).

 

[RMerlin]

Linksys typically will release the GPL changes, sometimes one has to ask - in any event, I haven't seen a drop from them in some time that will result in a full firmware image - and that's ok, it's consistent with the licensing of the GPL2/GPL3 code...

They're not obligated to share their own code - just any changes to GPL..

http://support.linksys.com/en-us/gplcodecenter

(and the Netgear equivalent: http://kb.netgear.com/app/answers/detail/a_id/2649/~/open-source-code-for-programmers-(gpl) )

 

[sfx2000]

Any instruction on how to use it to load firmware and how on how to backup the current CFE would be appreciated.

Also if anyone knows how to compile a kernel for this boot loader that would be very helpful since I would like to have this router compatible with the McDebian firmware.

Linksys has been clear that the WRT's are where FOSS/3rd parties should be focused...

The broadcom based EA9500 is going to have binary blobs that you will not have adequate documentation for to ensure that proper operation and performance is maintained...

I would suggest focusing on the WRT's where there is good mindshare...

 

[chadster766]

Thanks everyone for the recommendations and information

 

[riyerb16]

Would it be possible to put back the pictures that went along with the very detailed step-by-step instructions? Much obliged.

 

[chadster766]

I managed to find the original pics and fix the post.