Discussion:
[OpenWrt-Devel] Un-softbricking Linksys E900 (bcm47xx) with CFE
Rafał Miłecki
2013-09-09 10:30:13 UTC
I've installed firmware with broken network. It's useless, so I need
to install another firmware using CFE.
Waiting for 3 seconds to upgrade ...
CMD: [load -raw -addr=0x807ae1b0 -max=0x1851e50 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3
So I simply decided to power my E900 on and start:
sudo /sbin/ifconfig eth0 192.168.1.2
tftp 192.168.1.1 -m binary -c put E900_v1.0.04.001_US_20120816.bin

It almost works... but with some error at the end :(
Waiting for 3 seconds to upgrade ...
CMD: [load -raw -addr=0x807ae1b0 -max=0x1851e50 :]
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
.... 7123968 bytes read
### Start=291907748 E=-285817888 Delta=-577725636 ###
Entry at 0x807ae1b0
CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :0x807ae1b0]
Loader:raw Filesys:memory Dev:eth0 File::0x807ae1b0 Options:(null)
Loading: PANIC: out of memory!
I'm a bit confused... First of all CFE didn't write my image to the
flash. Secondly it failed to run it from the memory.

Any ideas?

I'm uploading manufacturer's firmware. It's 7123968B. I've also tried
uploading my own much smaller firmware which is only 5161984B but it
failed in the same way.

Unfortunately Linksys compiled & installed this CFE without a web server
or "tftpd" command, so I can't use either of those 2 alternative methods.
--
Rafał
Rafał Miłecki
2013-09-09 10:40:59 UTC
Post by Rafał Miłecki
Unfortunately Linksys compiled & installed this CFE without a web server
or "tftpd" command, so I can't use either of those 2 alternative methods.
My CFE has 3 interesting commands: upgrade, flash and save (for the
full list see cfe.help.txt).

1) flash [options] source-file [destination-file]
Passing source-file is easy (like 192.168.1.2:/bin/code.bin), but I'm
not sure about destination-file.
Post by Rafał Miłecki
The destination-device parameter may be a flash device or an EEPROM. If not specified, destination-device defaults to flash0, which is typically the boot ROM.
If I don't pass anything as destination-file argument... Is CFE going
to write to the flash at offset 0x0? Overwriting itself? Or is it
going to write to the correct TRX offset? If it's going to use 0x0 by
default, should I pass -offset=value to avoid killing the CFE?

2) upgrade

It's not documented in my CFE manual.

3) save

It seems to be the opposite of "flash". It reads some device memory
and saves it somewhere, for example in the remote TFTP server.
--
Rafał
Rafał Miłecki
2013-09-09 10:52:42 UTC
Post by Rafał Miłecki
1) flash [options] source-file [destination-file]
Passing source-file is easy (like 192.168.1.2:/bin/code.bin), but I'm
not sure about destination-file.
Post by Rafał Miłecki
The destination-device parameter may be a flash device or an EEPROM. If not specified, destination-device defaults to flash0, which is typically the boot ROM.
If I don't pass anything as destination-file argument... Is CFE going
to write to the flash at offset 0x0? Overwriting itself? Or is it
going to write to the correct TRX offset? If it's going to use 0x0 by
default, should I pass -offset=value to avoid killing the CFE?
I think I could use "flash0.trx" as a destination-file instead of
using "flash0" and hacking it with -offset.

What do you think about this:
flash -noheader 192.168.1.2:openwrt-brcm47xx-squashfs.trx flash0.trx

(Please see attached cfe.show.devices.txt).
--
Rafał
Hauke Mehrtens
2013-09-09 12:49:54 UTC
Post by Rafał Miłecki
Post by Rafał Miłecki
1) flash [options] source-file [destination-file]
Passing source-file is easy (like 192.168.1.2:/bin/code.bin), but I'm
not sure about destination-file.
Post by Rafał Miłecki
The destination-device parameter may be a flash device or an EEPROM. If not specified, destination-device defaults to flash0, which is typically the boot ROM.
If I don't pass anything as destination-file argument... Is CFE going
to write to the flash at offset 0x0? Overwriting itself? Or is it
going to write to the correct TRX offset? If it's going to use 0x0 by
default, should I pass -offset=value to avoid killing the CFE?
I think I could use "flash0.trx" as a destination-file instead of
using "flash0" and hacking it with -offset.
flash -noheader 192.168.1.2:openwrt-brcm47xx-squashfs.trx flash0.trx
(Please see attached cfe.show.devices.txt).
I used something similar to flash my WNDR3400 after I accidentally
removed the board_data partition and the normal flashing did not work
any more. I do not have access to my documentation currently.

This out of memory problem could also be that the wrong compression was
used.
CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :0x807ae1b0]
This looks like it expects gzip compressed data.

Is there any page with some small documentation of CFE? I just know of a
PDF from Broadcom. Most of my devices do not have this help command; it
would be nice to have some of this information in the wiki.

Hauke
Rafał Miłecki
2013-09-09 14:06:49 UTC
Post by Hauke Mehrtens
Post by Rafał Miłecki
Post by Rafał Miłecki
1) flash [options] source-file [destination-file]
Passing source-file is easy (like 192.168.1.2:/bin/code.bin), but I'm
not sure about destination-file.
Post by Rafał Miłecki
The destination-device parameter may be a flash device or an EEPROM. If not specified, destination-device defaults to flash0, which is typically the boot ROM.
If I don't pass anything as destination-file argument... Is CFE going
to write to the flash at offset 0x0? Overwriting itself? Or is it
going to write to the correct TRX offset? If it's going to use 0x0 by
default, should I pass -offset=value to avoid killing the CFE?
I think I could use "flash0.trx" as a destination-file instead of
using "flash0" and hacking it with -offset.
flash -noheader 192.168.1.2:openwrt-brcm47xx-squashfs.trx flash0.trx
(Please see attached cfe.show.devices.txt).
I used something similar to flash my WNDR3400 after I accidentally
removed the board_data partition and the normal flashing did not work
any more. I do not have access to my documentation currently.
This out of memory problem could also be that the wrong compression was
used.
CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :0x807ae1b0]
This looks like it expects gzip compressed data.
Well, I was uploading original firmware, so there couldn't be much
wrong. Unless it's CFE that doesn't like original router firmware.

In that situation I decided to give "flash" command a try (as planned
earlier). It didn't work. Image was transferred, but CFE never started
writing it to the flash :(

CFE> flash -ctheader 192.168.1.2:/code.bin flash0.trx
CMD: [flash -ctheader 192.168.1.2:/code.bin flash0.trx]
Reading 192.168.1.2:/code.bin: _tftp_open(): retries=0/3
Done. 5161984 bytes read, fname=(null)
[NO PROMPT, REBOOT WAS NEEDED]

CFE> flash -ctheader 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin flash0.trx
CMD: [flash -ctheader 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin flash0.trx]
Reading 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin: _tftp_open(): retries=0/3
Done. 7123968 bytes read, fname=(null)
[NO PROMPT, REBOOT WAS NEEDED]

But then I found another way of installing firmware. I called the "flash"
command without specifying a remote host or file. In that combination CFE
decided to set up a tftp server and wait for the firmware (just like in the
case of running "tftpd" in other CFEs, Netgear for example):

CFE> flash -ctheader : flash0.trx
CMD: [flash -ctheader : flash0.trx]
Reading :: _tftpd_open(): retries=0/3
Done. 5157888 bytes read, fname=flash1.trx
CODE Pattern is correct! (E900)

TRX flash_size: 8388608, len: 5156864
it's code.bin

TRX file size = 5156864
Burning code image.
Programming...done. 5156864 bytes written
*** command status = 0

Hooray! After that I just had to type "reboot". Of course, on my
machine I had to run:
tftp 192.168.1.1 -m binary -c put code.bin
Post by Hauke Mehrtens
Is there any page with some small documentation of CFE? I just know of a
PDF from Broadcom. Most of my devices do not have this help command; it
would be nice to have some of this information in the wiki.
I know of http://melbourne.wireless.org.au/files/wrt54/cfe.pdf only.

It would be nice to document all these commands and known issues.
--
Rafał
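The "CODE Pattern is correct!" and "TRX flash_size ..., len: ..." lines in the successful run above are CFE checking the image header before it burns anything; the two attempts before it show that a transfer which does not pass those checks can leave CFE without a prompt and cost a reboot. The Python below is an added example, not code from this thread or from OpenWrt: it runs the same TRX-level checks on the host before the image is pushed over TFTP. It locates the 'HDR0' magic (the TRX need not sit at offset 0 when a vendor wrapper precedes it), verifies the length field against the file, recomputes the CRC-32 and sanity-checks the partition offsets. Assumptions: the 28-byte version-1 TRX layout and the CRC convention (init 0xFFFFFFFF, no final bit inversion) that OpenWrt's trx tool uses; the sample kernel/rootfs payloads and the 32-byte "vendor header" in the sample are constructed placeholders, not the Linksys format.

```python
"""Host-side TRX check before pushing an image at CFE (added example)."""
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HEADER_LEN = 28   # magic(4) len(4) crc32(4) flags(2) version(2) 3 x offset(4), version 1
TRX_CRC_START = 12    # the stored CRC covers the flags field through byte `len`


def trx_crc32(data: bytes) -> int:
    """CRC-32 as the OpenWrt trx tool stores it: init 0xFFFFFFFF and no final
    inversion (assumption). zlib.crc32 applies the inversion, so undo it."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def build_trx(parts, pad_to=4) -> bytes:
    """Wrap one to three partition blobs in a version-1 TRX (used here only to
    construct sample data; real images come from the trx tool)."""
    if not 1 <= len(parts) <= 3:
        raise ValueError("TRX v1 carries one to three partitions")
    body, offsets = b"", []
    for part in parts:
        offsets.append(TRX_HEADER_LEN + len(body))
        body += part
        if len(body) % pad_to:
            body += b"\0" * (pad_to - len(body) % pad_to)
    offsets += [0] * (3 - len(offsets))
    total = TRX_HEADER_LEN + len(body)
    tail = struct.pack("<HH3I", 0, 1, *offsets) + body   # flags=0, version=1
    return TRX_MAGIC + struct.pack("<II", total, trx_crc32(tail)) + tail


def find_trx(blob: bytes):
    """Offset of the first 4-byte-aligned 'HDR0' magic, or None. Vendor .bin
    files wrap the TRX in their own header, so offset 0 is not guaranteed."""
    pos = blob.find(TRX_MAGIC)
    while pos != -1:
        if pos % 4 == 0:
            return pos
        pos = blob.find(TRX_MAGIC, pos + 1)
    return None


def parse_trx(blob: bytes, offset: int) -> dict:
    """Parse and verify the TRX at `offset`; raise ValueError on what CFE would
    reject (bad magic, impossible length, CRC mismatch, offsets outside image)."""
    hdr = blob[offset:offset + TRX_HEADER_LEN]
    if len(hdr) < TRX_HEADER_LEN or hdr[:4] != TRX_MAGIC:
        raise ValueError("no TRX header at offset %d" % offset)
    length, stored_crc, flags, version, *offsets = struct.unpack("<IIHH3I", hdr[4:])
    if length < TRX_HEADER_LEN or offset + length > len(blob):
        raise ValueError("TRX len %d does not fit in %d remaining bytes"
                         % (length, len(blob) - offset))
    crc = trx_crc32(blob[offset + TRX_CRC_START:offset + length])
    if crc != stored_crc:
        raise ValueError("TRX CRC mismatch: stored %08x, computed %08x" % (stored_crc, crc))
    bad = [o for o in offsets if o and not TRX_HEADER_LEN <= o < length]
    if bad:
        raise ValueError("partition offsets outside image: %r" % bad)
    return {"offset": offset, "len": length, "crc32": crc, "flags": flags,
            "version": version, "partitions": [o for o in offsets if o]}


def check_image(blob: bytes) -> dict:
    """Run on a .bin/.trx before `tftp ... put`: find the TRX and verify it."""
    off = find_trx(blob)
    if off is None:
        raise ValueError("no TRX magic found")
    return parse_trx(blob, off)


# Constructed sample: fake kernel + fake rootfs in a TRX, behind a made-up
# 32-byte vendor header so the TRX sits at offset 32 rather than 0.
SAMPLE_TRX = build_trx([b"\x7fELF" + b"K" * 100, b"hsqs" + b"R" * 300])
SAMPLE_VENDOR_IMAGE = b"VENDORHDR".ljust(32, b"\0") + SAMPLE_TRX

if __name__ == "__main__":
    print(check_image(SAMPLE_VENDOR_IMAGE))
    broken = bytearray(SAMPLE_VENDOR_IMAGE)
    broken[-1] ^= 0xFF          # one flipped rootfs byte must fail the CRC
    try:
        check_image(bytes(broken))
    except ValueError as e:
        print("rejected:", e)
```

To check a real file, replace the constructed sample with `check_image(open("code.bin", "rb").read())`; a ValueError means CFE will not accept the image either, so there is no point in pushing it.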
Nathan Hintz
2013-09-10 01:48:14 UTC
On Mon, 9 Sep 2013 16:06:49 +0200
Post by Rafał Miłecki
Post by Hauke Mehrtens
Post by Rafał Miłecki
Post by Rafał Miłecki
1) flash [options] source-file [destination-file]
Passing source-file is easy (like 192.168.1.2:/bin/code.bin), but
I'm not sure about destination-file.
Post by Rafał Miłecki
The destination-device parameter may be a flash device or an
EEPROM. If not specified, destination-device defaults to flash0,
which is typically the boot ROM.
If I don't pass anything as destination-file argument... Is CFE
going to write to the flash at offset 0x0? Overwriting itself? Or
is it going to write to the correct TRX offset? If it's going to
use 0x0 by default, should I pass -offset=value to avoid killing
the CFE?
I think I could use "flash0.trx" as a destination-file instead of
using "flash0" and hacking it with -offset.
flash -noheader 192.168.1.2:openwrt-brcm47xx-squashfs.trx
flash0.trx
(Please see attached cfe.show.devices.txt).
I used something similar to flash my WNDR3400 after I accidentally
removed the board_data partition and the normal flashing did not
work any more. I do not have access to my documentation currently.
This out of memory problem could also be that the wrong compression
was used.
CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :0x807ae1b0]
This looks like it expects gzip compressed data.
Well, I was uploading original firmware, so there couldn't be much
wrong. Unless it's CFE that doesn't like original router firmware.
In that situation I decided to give "flash" command a try (as planned
earlier). It didn't work. Image was transferred, but CFE never started
writing it to the flash :(
CFE> flash -ctheader 192.168.1.2:/code.bin flash0.trx
CMD: [flash -ctheader 192.168.1.2:/code.bin flash0.trx]
Reading 192.168.1.2:/code.bin: _tftp_open(): retries=0/3
Done. 5161984 bytes read, fname=(null)
[NO PROMPT, REBOOT WAS NEEDED]
CFE> flash -ctheader 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin flash0.trx
CMD: [flash -ctheader 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin flash0.trx]
Reading 192.168.1.2:/E900_v1.0.04.001_US_20120816.bin: _tftp_open(): retries=0/3
Done. 7123968 bytes read, fname=(null)
[NO PROMPT, REBOOT WAS NEEDED]
But then I found another way of installing firmware. I called "flash"
command without pointing remote host of file. In that combination CFE
decided to setup tftp server and wait for the firmware (just like in
CFE> flash -ctheader : flash0.trx
CMD: [flash -ctheader : flash0.trx]
Reading :: _tftpd_open(): retries=0/3
Done. 5157888 bytes read, fname=flash1.trx
CODE Pattern is correct! (E900)
TRX flash_size: 8388608, len: 5156864
it's code.bin
TRX file size = 5156864
Burning code image.
Programming...done. 5156864 bytes written
*** command status = 0
Hooray! After that I just had to type "reboot". Of course, on my
tftp 192.168.1.1 -m binary -c put code.bin
Post by Hauke Mehrtens
Is there any page with some small documentation of CFE? I just know of
a PDF from Broadcom. Most of my devices do not have this help
command; it would be nice to have some of this information in the
wiki.
I know of http://melbourne.wireless.org.au/files/wrt54/cfe.pdf only.
It would be nice to document all these commands and known issues.
On Linksys E3000, I've always used the CFE command "upgrade code.bin"; and
then tftp'd from my Linux box using the command
"tftp -v -l -4 -m binary 192.168.1.1 -c put openwrt-e3000_v1-squashfs.bin".
I found this through experimentation; and never stumbled upon the right
combination using the "flash" command.

Nathan
Rafał Miłecki
2013-09-10 08:26:30 UTC
Post by Nathan Hintz
On Linksys E3000, I've always used the CFE command "upgrade code.bin"; and
then tftp'd from my Linux box using the command
"tftp -v -l -4 -m binary 192.168.1.1 -c put openwrt-e3000_v1-squashfs.bin".
I found this through experimentation; and never stumbled upon the right
combination using the "flash" command.
Thanks! Your command seems to be an alias for the "flash -ctheader :
flash1.trx", but run in a loop.

CFE> upgrade code.bin
CMD: [upgrade code.bin]
CMD: [flash -ctheader : flash1.trx]
Reading :: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3
Failed.: Timeout occured
Try 1 ...
CMD: [flash -ctheader : flash1.trx]
Reading :: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3
Failed.: Timeout occured
Try 2 ...
CMD: [flash -ctheader : flash1.trx]
Reading :: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3
Failed.: Timeout occured
Try 3 ...
CMD: [flash -ctheader : flash1.trx]
Reading :: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
_tftpd_open(): retries=2/3
Failed.: Timeout occured
Try 4 ...
CMD: [flash -ctheader : flash1.trx]
Reading :: _tftpd_open(): retries=0/3
_tftpd_open(): retries=1/3
Done. 5166080 bytes read, fname=flash1.trx
CODE Pattern is correct! (E900)

TRX flash_size: 8388608, len: 5165056
it's code.bin

TRX file size = 5165056
Burning code image.
Programming...done. 5165056 bytes written
Upgrade successfully ...
*** command status = 0
--
Rafał
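Both `flash -ctheader : flash1.trx` and the `upgrade code.bin` loop above turn CFE into a TFTP server that waits, with only a few retries per try, for the host to write the image to it; the host side in the thread is the `tftp ... -m binary -c put` one-liner. The Python below is an added example, not from this thread or from OpenWrt: a minimal RFC 1350 octet-mode "put" that shows what that one-liner does on the wire, including the two details a multi-megabyte firmware push has to get right: the server answers the WRQ from a fresh port, which all further DATA packets must go to, and the transfer ends with a DATA block shorter than 512 bytes, so a file that is an exact multiple of 512 needs a trailing empty block. The 192.168.1.1 address and port 69 follow the thread; the timeout and retry counts are this example's own choices.

```python
"""Minimal TFTP write (RFC 1350, octet mode) for pushing an image at CFE (added example)."""
import socket
import struct
import sys

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK = 512


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """WRQ: opcode 2, filename, NUL, mode, NUL. 'octet' is what `-m binary` selects."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block_no: int, payload: bytes) -> bytes:
    """DATA packet; the block counter is 16-bit and wraps, so mask it."""
    return struct.pack("!HH", OP_DATA, block_no & 0xFFFF) + payload


def parse_ack(pkt: bytes) -> int:
    """Return the acknowledged block number; raise on an ERROR or unexpected packet."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op, arg = struct.unpack("!HH", pkt[:4])
    if op == OP_ERROR:
        msg = pkt[4:].rstrip(b"\0").decode(errors="replace")
        raise ValueError("tftp error %d: %s" % (arg, msg))
    if op != OP_ACK:
        raise ValueError("unexpected opcode %d" % op)
    return arg


def split_blocks(data: bytes):
    """Yield (block_no, payload) for each DATA packet. A block shorter than 512
    bytes terminates the transfer, so an exact multiple of 512 gets an empty one."""
    n = 0
    for off in range(0, len(data), BLOCK):
        n += 1
        yield n, data[off:off + BLOCK]
    if len(data) % BLOCK == 0:
        yield n + 1, b""


def tftp_put(host: str, filename: str, data: bytes, timeout=2.0, retries=5) -> int:
    """Write `data` as `filename` to the TFTP server on `host`; return the number
    of DATA blocks acknowledged. Each packet is resent up to `retries` times."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    dest = (host, 69)                     # WRQ goes to port 69 ...

    def send_wait(pkt, expect):
        nonlocal dest
        for _ in range(retries):
            sock.sendto(pkt, dest)
            try:
                reply, peer = sock.recvfrom(516)
            except socket.timeout:
                continue
            if parse_ack(reply) == expect:
                dest = peer               # ... DATA goes to the server's transfer port
                return
        raise TimeoutError("no ACK for block %d" % expect)

    try:
        send_wait(build_wrq(filename), 0)
        sent = 0
        for block_no, payload in split_blocks(data):
            send_wait(build_data(block_no, payload), block_no & 0xFFFF)
            sent += 1
        return sent
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python3 tftp_put.py code.bin   (while CFE sits in `upgrade code.bin`)
    path = sys.argv[1] if len(sys.argv) > 1 else "code.bin"
    with open(path, "rb") as f:
        image = f.read()
    print("blocks acknowledged:", tftp_put("192.168.1.1", "code.bin", image))
```

Run it in a loop, as Nathan's and Rafał's CFE-side `upgrade` loop expects, until it returns instead of raising TimeoutError; the host interface still has to carry 192.168.1.2 as in the thread.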