Finding flash dump functions about bcm2-utils HOT 5 OPEN

With the following modification, I could dump image2 with the below command

diff --git a/profiledef.c b/profiledef.c
index b9a648f..e8a4e7d 100644
--- a/profiledef.c
+++ b/profiledef.c
@@ -219,6 +219,14 @@ struct bcm2_profile bcm2_profiles[] = {
                                .version = "2.4.0",
                                .intf = BCM2_INTF_BLDR,
                                .magic = { 0x83f8a9ac, "2.4.0" },
+                               .printf = 0x83f88174,
+                               .spaces = {
+                                       {
+                                               .name = "flash",
+                                               .read = { 0x83f810e4, BCM2_READ_FUNC_OBL }
+                                       }
+                               }
+
                        },
                },
        },

bcm2dump -vv dump /dev/ttyUSB0 flash image2 image2.bin 

It's reporting 4.34k bytes/s. I am not sure but it looks like this bootloader doesn't have the same flash read functions as others so reading with SPI read is slow. Is there a way to make it fast? I see two ways

• Enabling telnet again so we can dump with console
• Finding fast flash read functions.

from bcm2-utils.

With the following modification, I could dump image2 with the below command

Wanna create a PR for that?

It's reporting 4.34k bytes/s. I am not sure but it looks like this bootloader doesn't have the same flash read functions as others so reading with SPI read is slow. Is there a way to make it fast?

The main bottleneck when dumping via serial console is the serial interface itself: printfd as "%x %x %x %x\r\n", each line of 16 bytes of data is 37 bytes long (worst case). At 115200 baud (roughly 11.52 KiB/s), this amounts to

(11.52 KiB/s) * (16/37) = 4.98 KiB/s

which doesn't include the overhead of calling the dump code. Using base64 encoding in the dump code, you could probably achieve around 8 KiB/s, but this would significantly complicate the dump code (the code that's uploaded and executed on the router itself), which is something I want to avoid.

This is the main reason why reading via telnet is so much faster than with the serial console.

from bcm2-utils.

I opened a PR #46
I have a couple of questions.

• Since dumping with serial is slow, is there a way to enable telnet console once again so I can dump with telnet console?
• When I dumped image2 with serial, it had lots of 0xFF bytes at the end. IIRC, when I dumped with telnet it didn't have those bytes. What's the reason for this?
• Can I send the dumped firmware back to the modem again? If so, how can I do that? I guess I have to stop with p and then use g) Download and run from RAM or d) Download and save to flash

I will appreciate it if you can share some pointers because I want to try modifying my firmware and upload it to my device.

from bcm2-utils.

Since dumping with serial is slow, is there a way to enable telnet console once again so I can dump with telnet console?

Does this device still allow downloading a GatewaySettings.bin file? If so, it's possible that it can be modified to re-enable telnet using bcm2cfg.

When I dumped image2 with serial, it had lots of 0xFF bytes at the end. IIRC, when I dumped with telnet it didn't have those bytes. What's the reason for this?

Probably the difference between running

$ bcm2dump dump <interface> flash image2 image2_with_ff.bin

and

$ bcm2dump dump <interface> flash image2,auto image2_without_ff.bin

The first command dumps the whole image2 partition, including any unused space, hence the 0xff bytes. The second
command will check if there's an image header at the beginning of the partition, and if it's found, it'll only dump the actual image data.

Can I send the dumped firmware back to the modem again? If so, how can I do that? I guess I have to stop with p and then use g) Download and run from RAM or d) Download and save to flash

I will appreciate it if you can share some pointers because I want to try modifying my firmware and upload it to my device.

Yes, you can use both commands. For that to work, you'll have to setup a TFTP server on your computer, and then specify its IP address when you run either command. If you're experimenting, g) Download and run from RAM is the much safer alternative, as it's much harder to brick the device that way!

Sorry for the late replies!

from bcm2-utils.

Does this device still allow downloading a GatewaySettings.bin file? If so, it's possible that it can be modified to re-enable telnet using bcm2cfg.

Unfortunately, they disabled downloading the GatewaySettings.bin file from the admin console. They actually removed tons of stuff from the admin console. They even removed the diagnosis menu which had ping. I can still download the file thanks to the NVRAM dump and see the credentials. I guess it should be possible to write that file with a serial console but I am not sure. I saw this issue #29 but not sure what's needed more to make it work.

Thanks once again for the replies. I have two firmware dumps. The old one and the new one. I will try to diff two files and try to find how they disabled the downloading and uploading settings files.

from bcm2-utils.