Joakim Wennergren wrote:
Hi,
I've started to dismantle new hardware I've got (a small
firewall/router), and managed to attach a serial cable to it. When it
boots up I get RedBoot, but it's an odd version. It calls itself:
RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 22:17:05, Dec 22 2005
So it seems to be a modified RedBoot, nothing new there. But when I
checked what commands I had, there was only a short list: "channel",
"help", "ip_address", "linux", "load", "switch", "wdog" and "flash".
No fis commands :(
As far as I can tell there is no list of partitions on the flash at
all, just the Linux kernel and then the file system appended to the
end of it... And the Linux kernel seems to unpack an area of the flash
into RAM and use it as a ramdrive.
So what I need help with is where to burn my own images. I compiled
the vendor's released kernel, but as usual when vendors are forced to
release the kernel under GPL they stripped it bare. When I installed
it using the web interface it boots Linux but fails to unpack the
ramdisk and is pretty much useless.
The Linux boots up using the RedBoot command
linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"
And the "help" output from RedBoot is:
RedBoot> help
Display/switch console channel
channel [<channel number>]
Help about help?
help [<topic>]
Set/change IP addresses
ip_address [-l <local_ip_address>] [-h <server_address>]
Execute a Linux image
linux [-w timeout] [-b <base address> [-l <image length>]]
      [-r <ramdisk addr> [-s <ramdisk length>]]
      [-c "kernel command line"]
Load a file
load [-r] [-v] [-h <host>] [-m <varies>] [-c <channel_number>]
     [-b <base_address>] <file_name>
cat switch value
switch no
set watchdog
wdog no
flash upgrade
flash [-s <source>][-d <destination>][-l <image length>]
So I guess it reads the kernel from 0x400000, but what that address
means I have no clue :( I can't write to it using "flash", so it's not
the start of the flash. And I don't want to try addresses randomly
since I might overwrite RedBoot and brick the router completely.
So any tips on where to burn the image? "load" works just fine so I
can load images, but I don't know where to burn it.
I managed to "hack" their released firmware so I have access to the
contents of their file system, but all flash burning tools are
compiled binaries so I can't find any addresses there.
Is this something other than the RedBoot code?
In the worst case I could maybe figure out the JTAG pins on the hardware,
but I don't have any JTAG burning stuff, I'd have to borrow some. And
considering how non-standard the serial port was, the pins are probably
all jumbled... I'd rather not go that way.
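Working out what the addresses in that "linux" command imply, as an added example that is not part of this thread: a small Python parser for the RedBoot "linux" command line (option grammar taken from the help output above) that computes the kernel and ramdisk extents and checks a candidate region against a protected one before anything is written. The assumption that the ramdisk sits directly after the kernel when -r is absent comes from the post's description of the flash contents, not from RedBoot documentation, and the protected region in the usage is a constructed placeholder.

```python
import shlex

# Option grammar from the RedBoot help text quoted in the post:
#   linux [-w timeout] [-b <base address> [-l <image length>]]
#         [-r <ramdisk addr> [-s <ramdisk length>]] [-c "kernel command line"]
VALUE_FLAGS = ("-w", "-b", "-l", "-r", "-s", "-c")

def parse_linux_cmd(cmdline):
    """Return the options of a RedBoot 'linux' command as a dict."""
    toks = shlex.split(cmdline)          # keeps the quoted -c argument intact
    if toks and toks[0] == "RedBoot>":   # tolerate a pasted prompt
        toks = toks[1:]
    if not toks or toks[0] != "linux":
        raise ValueError("not a 'linux' command: %r" % cmdline)
    opts = {}
    i = 1
    while i < len(toks):
        flag = toks[i]
        if flag not in VALUE_FLAGS:
            raise ValueError("unknown option %s" % flag)
        if i + 1 >= len(toks):
            raise ValueError("option %s needs a value" % flag)
        val = toks[i + 1]
        opts[flag] = val if flag == "-c" else int(val, 0)   # 0x... or decimal
        i += 2
    return opts

def image_layout(opts):
    """Half-open [start, end) extents of the kernel and ramdisk images.
    Assumption (from the post, not RedBoot docs): with no -r the ramdisk
    is appended directly after the kernel image."""
    base = opts["-b"]
    layout = {"kernel": (base, base + opts["-l"])}
    if "-s" in opts:
        rd_start = opts.get("-r", layout["kernel"][1])
        layout["ramdisk"] = (rd_start, rd_start + opts["-s"])
    return layout

def overlaps(region, protected):
    """True if [s, e) intersects [ps, pe); use before burning anything."""
    (s, e), (ps, pe) = region, protected
    return s < pe and ps < e

if __name__ == "__main__":
    cmd = 'linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"'
    lay = image_layout(parse_linux_cmd(cmd))
    boot_rom = (0x000000, 0x040000)      # constructed placeholder, not a real map
    for name, (s, e) in lay.items():
        print("%-7s 0x%06x-0x%06x  hits protected: %s" % (name, s, e, overlaps((s, e), boot_rom)))
```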

You should be able to build a RAM version of RedBoot and run that.
Using this version, you can experiment a little, try updating the
Linux kernel pieces, etc. Once comfortable, you should be able
to build and update the ROM (or ROMRAM) code.
You've mentioned that you got sources, but they are "stripped".
What do you mean by this? The GPL doesn't allow for the vendor
to provide some pieces and not others (for the code that corresponds
to what's in your router). You should *absolutely* be capable of
rebuilding the RedBoot that's in your box from the sources provided,
or else the vendor is not living up to their GPL responsibilities.