Random Noise

cat /dev/random >> /dev/dsp

Linksys EA9500 Stuff


Firmware Source: 

http://downloads.linksys.com/downloads/gpl/EA9500_v1.1.7.177204.tar.gz

Hardware Info:

CPU Broadcom BCM4709C0KFEBG dual-core @ 1.4 GHz
Switch in BCM4709C0KFEBG & BCM53125
RAM 256 MB
Flash 128 MB
2.4 GHz Radio BCM4366 4×4 2.4/5G single chip 802.11ac SoC
Skyworks SE2623L 2.4 GHz power amp (x4)
5 GHz radio BCM4366 4×4 2.4/5G single chip 802.11ac SoC
RFMD RFPA5542 5 GHz PA module (x4)
NOTE: There are two 5 GHz radios.
PCIe PLX Technology PEX8603 3-lane, 3-port PCIe switch

Serial Port:

[photo: 20170201_160511]

Possible JTAGs:

Blue seems to be the possible JTAG for BCM4709 SoC

Green, Red and Purple seem to be related to the BCM4366 radio SoCs.

[photo: 20170201_161445]

Flash Layout:

Notice that this router holds two copies of the firmware. You can force it to boot from one or the other by partially booting the router 3 times.

cat /proc/mtd:
 dev: size erasesize name
 mtd0: 00080000 00020000 "boot"
 mtd1: 00180000 00020000 "nvram"
 mtd2: 01d00000 00020000 "linux"
 mtd3: 01ad2504 00020000 "rootfs"
 mtd4: 03300000 00020000 "linux2"
 mtd5: 030d245c 00020000 "rootfs2"
 mtd6: 02e00000 00020000 "brcmnand"

You can confirm the partial-boot counter and the active boot partition from the CFE prompt via NVRAM:

CFE> nvram show | grep -i boot

bootpartition=0 
boot_wait=on 
maxpartialboots=3 
nvram_reboot=0 
partialboots=1

———

Found a Toshiba NAND flash:
Total size: 128MB
Block size: 128KB
Page Size: 2048B
OOB Size: 64B
Sector size: 512B
Spare size: 16B
ECC level: 8 (8-bit)
Device ID: 0x98 0xf1 0x80 0x15 0xf2 0x16
find_devinfo: devinfo block found at 0x00180000!

———

CFE> show devices
Device Name          Description
-------------------  ---------------------------------------------------------
uart0                NS16550 UART at 0x18000300
uart1                NS16550 UART at 0x18000400
nflash0              Toshiba NAND flash size 131072KB
nflash0.boot         Toshiba NAND flash offset 0 size 512KB
nflash0.nvram        Toshiba NAND flash offset 80000 size 1024KB
nflash0.devinfo      Toshiba NAND flash offset 180000 size 512KB
nflash0.trx          Toshiba NAND flash offset 200000 size 1KB
nflash0.os           Toshiba NAND flash offset 20001C size 29696KB
nflash0.trx2         Toshiba NAND flash offset 1F00000 size 1KB
nflash0.os2          Toshiba NAND flash offset 1F0001C size 29696KB
nflash1.boot         Toshiba NAND flash offset 0 size 512KB
nflash1.nvram        Toshiba NAND flash offset 80000 size 1024KB
nflash1.devinfo      Toshiba NAND flash offset 180000 size 512KB
nflash1.trx          Toshiba NAND flash offset 200000 size 29696KB
nflash1.trx2         Toshiba NAND flash offset 1F00000 size 29696KB
nflash1.brcmnand     Toshiba NAND flash offset 3C00000 size 69632KB
eth0                 Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller

VLAN Configs:

br0_ifnames=vlan1 eth1 eth2 eth3
vlan2ports=4 8
vlan1_ifname=br0
fwd_wlandevs=eth1 eth2 eth3
lan1_ifname=br1
lan1_hwnames=
vlan2hwname=et2
lan_ifnames=vlan1 eth1 eth2 eth3
lan_ipaddr=192.168.1.1
vlan1hwname=et2
vlan1ports=2 1 3 0 5 7 8*
lan_ifname=br0
evlan1ports=0 2 4 1 3 8
landevs=vlan1 wl0 wl1 wl2
lan_hwnames=
lan1_ifnames=wl1.1

GPIOs:

reset_gpio=17
gpio3=wps_button
gpio13=usbport1
gpio14=usbport2
gpio22=wps_led

Board Info:

boardnum=20150630
boardrev=0x1100
boardtype=0xA72F
boardflags=0x00000110
1:boardflags=0x10001000
1:boardflags2=0x00000004
1:boardflags3=0x0
1:boardflags4=0x0000000E
3:boardflags=0x10001000
2:boardflags=0x10001000
boardflags2=0x00000000
2:boardflags2=0x00000004
2:boardflags3=0x0
2:boardflags4=0x0000000E
3:boardflags2=0x00000004
3:boardflags3=0x0
3:boardflags4=0x0000000E

CFE boot options:

boot -raw -z -addr=0x8000 -max=0xef8000 nflash0.os2

root=/dev/mtdblock2 console=ttyS0,115200 init=/sbin/preinit earlyprintk debug blueLED=1

Flashing custom firmware is possible:

1. Set the machine's IP to 192.168.1.10/255.255.255.0 with gateway 192.168.1.1.
2. Run PuTTY and connect to the serial port (115200 baud, 8 bits per character, no parity, 1 stop bit).
3. Press Ctrl+C to get to the CFE prompt.
4. Run a TFTP server and point it at 192.168.1.10 so that address is used as the server address.
5. Click "Show Dir", select the file to transfer and click "Copy".
6. On the CFE console type the following commands one at a time and wait for each of them to finish. Make sure the image is not more than 28MB for this router, or else you end up overwriting important partitions.

CFE> flash -noheader 192.168.1.10:/image.trx nflash0.trx
CFE> flash -noheader 192.168.1.10:/image.trx nflash1.trx
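Before typing the flash commands it is worth checking that the image actually fits. The following is an added Python example (not code from the post): it parses the /proc/mtd listing shown above, validates the TRX header of an image and confirms the image fits the "linux" partition and the 28MB ceiling. It assumes the TRX v1 header layout and CRC convention used by OpenWrt's trx tool (28-byte header, CRC-32 over everything after the crc field, no final inversion); the image it checks is a constructed dummy, not a real firmware.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"                  # assumption: TRX v1 header as written by OpenWrt's trx tool
TRX_HEADER_LEN = 28                  # matches nflash0.os starting 0x1C bytes after nflash0.trx
MAX_IMAGE_BYTES = 28 * 1024 * 1024   # ceiling stated in the post for this router

# /proc/mtd listing copied from the post
PROC_MTD = """dev: size erasesize name
mtd0: 00080000 00020000 "boot"
mtd1: 00180000 00020000 "nvram"
mtd2: 01d00000 00020000 "linux"
mtd3: 01ad2504 00020000 "rootfs"
mtd4: 03300000 00020000 "linux2"
mtd5: 030d245c 00020000 "rootfs2"
mtd6: 02e00000 00020000 "brcmnand"
"""

def parse_proc_mtd(text):
    """Return {partition name: size in bytes} from a /proc/mtd listing."""
    parts = {}
    for line in text.splitlines()[1:]:          # skip the "dev: size erasesize name" header
        _dev, size, _erase, name = line.split()
        parts[name.strip('"')] = int(size, 16)
    return parts

def trx_crc(body):
    """CRC-32 with init 0xFFFFFFFF and no final inversion, i.e. zlib's result inverted."""
    return zlib.crc32(body) ^ 0xFFFFFFFF

def build_trx(payload):
    """Wrap a payload in a TRX v1 header (constructed dummy image for testing)."""
    length = TRX_HEADER_LEN + len(payload)
    # flags=0, version=1, offsets: kernel right after the header, the other two unused
    tail = struct.pack("<HHIII", 0, 1, TRX_HEADER_LEN, 0, 0) + payload
    return TRX_MAGIC + struct.pack("<II", length, trx_crc(tail)) + tail

def check_image(image, partitions, target="linux"):
    """Return a list of problems; an empty list means the image is safe to flash to target."""
    if len(image) < TRX_HEADER_LEN or image[:4] != TRX_MAGIC:
        return ["not a TRX image (bad magic)"]
    problems = []
    length, crc = struct.unpack_from("<II", image, 4)
    if length > len(image):
        problems.append("header length %d exceeds file size %d" % (length, len(image)))
    elif trx_crc(image[12:length]) != crc:
        problems.append("TRX CRC mismatch")
    if length > MAX_IMAGE_BYTES:
        problems.append("image larger than the 28MB ceiling")
    if length > partitions[target]:
        problems.append("image does not fit %s partition (%d bytes)" % (target, partitions[target]))
    return problems
```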

I tried to flash a generic DD-WRT firmware. It did boot, but got kernel panics, as expected.


Written by Vivek Unune

February 1, 2017 at 9:44 pm

Posted in Hardware, linux, openwrt

