Random Noise

cat /dev/random >> /dev/dsp

Linksys EA9500 Stuff


Firmware Source: 


Hardware Info:

CPU: Broadcom BCM4709C0KFEBG dual-core @ 1.4 GHz
Switch: in BCM4709C0KFEBG & BCM53125
RAM: 256 MB
Flash: 128 MB
2.4 GHz radio: BCM4366 4×4 2.4/5G single chip 802.11ac SoC
    Skyworks SE2623L 2.4 GHz power amp (x4)
5 GHz radio: BCM4366 4×4 2.4/5G single chip 802.11ac SoC
    RFMD RFPA5542 5 GHz PA module (x4)
    NOTE: There are two 5 GHz radios.
PCIe: PLX Technology PEX8603 3-lane, 3-port PCIe switch

Serial Port:


Possible JTAGs:

Blue seems to be the possible JTAG for BCM4709 SoC

Green, Red and Purple seem to be related to the BCM4366 radio SoCs.


Flash Layout:

Notice this router has two copies of the firmware. You can force the router to boot from one or the other by partially booting the router 3 times.

cat /proc/mtd:
 dev: size erasesize name
 mtd0: 00080000 00020000 "boot"
 mtd1: 00180000 00020000 "nvram"
 mtd2: 01d00000 00020000 "linux"
 mtd3: 01ad2504 00020000 "rootfs"
 mtd4: 03300000 00020000 "linux2"
 mtd5: 030d245c 00020000 "rootfs2"
 mtd6: 02e00000 00020000 "brcmnand"

You can confirm partial boots from CFE/NVRam

CFE> nvram show | grep -i boot



Found a Toshiba NAND flash:
Total size: 128MB
Block size: 128KB
Page Size: 2048B
OOB Size: 64B
Sector size: 512B
Spare size: 16B
ECC level: 8 (8-bit)
Device ID: 0x98 0xf1 0x80 0x15 0xf2 0x16
find_devinfo: devinfo block found at 0x00180000!


CFE> show devices
Device Name          Description
-------------------  ---------------------------------------------------------
uart0                NS16550 UART at 0x18000300
uart1                NS16550 UART at 0x18000400
nflash0              Toshiba NAND flash size 131072KB
nflash0.boot         Toshiba NAND flash offset 0 size 512KB
nflash0.nvram        Toshiba NAND flash offset 80000 size 1024KB
nflash0.devinfo      Toshiba NAND flash offset 180000 size 512KB
nflash0.trx          Toshiba NAND flash offset 200000 size 1KB
nflash0.os           Toshiba NAND flash offset 20001C size 29696KB
nflash0.trx2         Toshiba NAND flash offset 1F00000 size 1KB
nflash0.os2          Toshiba NAND flash offset 1F0001C size 29696KB
nflash1.boot         Toshiba NAND flash offset 0 size 512KB
nflash1.nvram        Toshiba NAND flash offset 80000 size 1024KB
nflash1.devinfo      Toshiba NAND flash offset 180000 size 512KB
nflash1.trx          Toshiba NAND flash offset 200000 size 29696KB
nflash1.trx2         Toshiba NAND flash offset 1F00000 size 29696KB
nflash1.brcmnand     Toshiba NAND flash offset 3C00000 size 69632KB
eth0                 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller

VLAN Configs:

br0_ifnames=vlan1 eth1 eth2 eth3
vlan2ports=4 8
fwd_wlandevs=eth1 eth2 eth3
lan_ifnames=vlan1 eth1 eth2 eth3
vlan1ports=2 1 3 0 5 7 8*
evlan1ports=0 2 4 1 3 8
landevs=vlan1 wl0 wl1 wl2



Board Info:


CFE boot options

boot -raw -z -addr=0x8000 -max=0xef8000 nflash0.os2

root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug blueLED=1


Flashing Custom Firmware:

For this you will need:

  1. USB to serial cable: Adafruit USB Cable
  2. PuTTY utility
  3. TFTP Server


  1. Connect the serial cable as shown below and connect the other end to a USB port on your PC. Note: the rightmost pin is not connected. Note down the COM port number that appears in Device Manager. Every time you switch the USB port, a new COM port number will be assigned. For instance, I get COM5.
  2. Then connect an Ethernet cable to port 8 and the other end to your PC's Ethernet port. Do not start the router yet.
  3. Set your machine’s IP to with Gateway =
  4. Run PuTTY and connect to the serial port (115200 baud, 8 bits per character, no parity, 1 stop bit).
  5. Now start the router using the power button. You should see the PuTTY terminal showing the boot log. Press Ctrl+C to get the CFE prompt.
  6. Copy the firmware image (e.g. openwrt.trx) to the same folder as the TFTP Server exe. Then run TFTP Server and point to to use it as server address. Click browse and point to the tftp folder.
  7. On the CFE console, type the following command and wait for it to finish. Make sure the image is not more than 29MB for this router, or else you end up overwriting important partitions.
CFE> flash -noheader nflash0.trx
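
A pre-flash check for step 7, tied to the flash layout above: it reads the "linux" partition size from the /proc/mtd listing and verifies that an image fits and carries a TRX header. This is an added example, not code from the original post; the TRX magic and the length field at offset 4 are assumptions based on the standard Broadcom TRX layout, and build_sample_trx produces constructed test data.

```python
import struct

# /proc/mtd listing copied from the Flash Layout section of this page.
PROC_MTD = """dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 01d00000 00020000 "linux"
mtd3: 01ad2504 00020000 "rootfs"
mtd4: 03300000 00020000 "linux2"
mtd5: 030d245c 00020000 "rootfs2"
mtd6: 02e00000 00020000 "brcmnand"
"""
TRX_MAGIC = b"HDR0"    # assumption: standard Broadcom TRX magic
TRX_HEADER_LEN = 0x1C  # nflash0.os starts 0x1C bytes after nflash0.trx

def parse_proc_mtd(text):
    """Return {partition name: size in bytes} from /proc/mtd text."""
    parts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].startswith("mtd"):
            parts[fields[3].strip('"')] = int(fields[1], 16)
    return parts

def check_image(image, partition_size):
    """Return a list of findings; an empty list means the image passed."""
    findings = []
    if len(image) > partition_size:
        findings.append("too large: %d > %d bytes" % (len(image), partition_size))
    if len(image) < TRX_HEADER_LEN or image[:4] != TRX_MAGIC:
        findings.append("no TRX header: HDR0 magic missing")
        return findings
    # Assumption: little-endian total length (header + data) at offset 4.
    (declared,) = struct.unpack_from("<I", image, 4)
    if declared > len(image):
        findings.append("truncated: header declares %d bytes" % declared)
    elif declared < len(image):
        findings.append("%d trailing bytes after TRX data" % (len(image) - declared))
    return findings

def build_sample_trx(payload):
    """Constructed test image: header fields other than magic/length zeroed."""
    total = TRX_HEADER_LEN + len(payload)
    return TRX_MAGIC + struct.pack("<I", total) + bytes(TRX_HEADER_LEN - 8) + payload

if __name__ == "__main__":
    limit = parse_proc_mtd(PROC_MTD)["linux"]
    sample = build_sample_trx(b"\x00" * 4096)
    print("linux partition:", limit, "bytes")
    print("clean image:", check_image(sample, limit))
    print("with 256-byte trailer:", check_image(sample + bytes(256), limit))
```

To check a real file, pass its bytes (open(path, "rb").read()) to check_image together with the "linux" partition size.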



Written by Vivek Unune

February 1, 2017 at 9:44 pm

Posted in Hardware, linux, openwrt


8 Responses


  1. When you click the “Copy” button, nothing happens.
    What firmware can I upload to this router?


    September 10, 2017 at 12:15 pm

    • You cannot upload anything as these firmwares are encrypted. You have to open the router and attach a serial cable and then you could flash a custom firmware. Check out the LEDE forums.

      Vivek Unune

      September 10, 2017 at 1:51 pm

  2. Connect the router and the computer adapter PL2303HX USB to UART TTL
    Launched PuTTY
    Turned on the router and stopped the key combination Ctrl+C to CFE prompt
    Run TFTP Server and point to to use it as server address
    I have firmware Ver. 19.1 MB FW_EA9500_1.1.7.180968_prod.img from the official site
    Rename the file to EA9500.img
    In TFTP Server Click Show Dir and select the file the transfer EA9500.img and click “Copy”
    In PuTTY On CFE console type following commands
    CFE> flash -noheader nflash0.trx
    CFE> flash -noheader nflash1.trx
    Reading TFTP error 1: File not found
    Failed.: Network protokol error
    *** command status = -22


    September 10, 2017 at 3:48 pm

    • Sergey,

      You have to download LEDE, from https://forum.lede-project.org/t/build-for-linksys-ea9500/1817
      Then place it under TFTP Server with name image.trx

      If you are trying to flash factory firmware, you have to be careful as to what you are doing,
      as factory firmware is encrypted. It also has a 256-byte trailer appended to the end of the factory firmware.



      Vivek Unune

      September 20, 2017 at 2:07 pm

  3. Thank you,
    I downloaded the firmware, but WAN does not work, the network does not have Internet access.
    Although the local network and WiFi began to work.
    Let me remind you that the router died before the cyclic restart and did not boot at all.
    Today I restored a Tp-Link WR-841N V8 router. I tried to load the LEDE firmware into it; it booted up and immediately the Internet appeared on PPPoE.
    And on Linksys I can not in any way, help please.
    I took a dump of Patty, I can send you, maybe you can tell me a thought.


    September 20, 2017 at 4:08 pm

  4. what is the command to switch partitions?


    January 25, 2018 at 12:23 pm

    • nvram set bootpartition=0 && nvram set partialboots=0 && nvram commit

      bootpartition can be 0 or 1

      Vivek Unune

      January 25, 2018 at 12:30 pm
