public inbox for ecos-discuss@sourceware.org
* [ECOS] Odd RedBoot installation found - tips needed
@ 2008-01-28  8:44 Joakim Wennergren
  2008-01-28 12:37 ` Gary Thomas
  0 siblings, 1 reply; 3+ messages in thread
From: Joakim Wennergren @ 2008-01-28  8:44 UTC (permalink / raw)
  To: ecos-discuss

Hi,

I've started to dismantle a new piece of hardware I've got (a small 
firewall/router), and managed to attach a serial cable to it. When it 
boots up I get RedBoot, but it's an odd version. It calls itself:

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version v2_0 - built 22:17:05, Dec 22 2005

So it seems to be a modified RedBoot, nothing new there. But when I 
checked what commands I had, there was only a short list: "channel", 
"help", "ip_address", "linux", "load", "switch", "wdog" and "flash".  No 
fis commands :(

As far as I can tell there is no list of partitions on the flash at all, 
just the Linux kernel and then the file system appended to the end of 
it... And the Linux kernel seems to unpack an area of the flash into RAM 
and use it as a ramdrive.

So what I need help with is where to burn my own images. I compiled the 
vendor's released kernel, but as usual when vendors are forced to release 
the kernel under GPL they stripped it bare. When I installed it using 
the web interface it boots Linux but failed to unpack the ramdisk and is 
pretty much useless.

The Linux boots up using the RedBoot command
linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"

And the "help" output from RedBoot is:
RedBoot> help
Display/switch console channel
   channel [<channel number>]
Help about help?
   help [<topic>]
Set/change IP addresses
   ip_address [-l <local_ip_address>] [-h <server_address>]
Execute a Linux image
   linux [-w timeout] [-b <base address> [-l <image length>]]
        [-r <ramdisk addr> [-s <ramdisk length>]]
        [-c "kernel command line"]
Load a file
   load [-r] [-v] [-h <host>] [-m <varies>] [-c <channel_number>]
        [-b <base_address>] <file_name>
cat switch value
   switch no
set watchdog
   wdog no
flash upgrade
   flash [-s <source>][-d <destination>][-l <image length>]


So I guess it reads the kernel from 0x400000, but what that address 
means I have no clue :( I can't write to it using "flash", so it's not 
the start of the flash. And I don't want to try addresses randomly since 
I might overwrite RedBoot and brick the router completely.

So any tips on where to burn the image? "load" works just fine so I can 
load images, but I don't know where to burn it.

I managed to "hack" their released firmware so I have access to the 
contents of their file system, but all flash burning tools are compiled 
binaries so I can't find any addresses there.


In worst case I could maybe figure out the JTAG pins on the hardware, 
but I don't have any JTAG burning stuff, I'd have to borrow some. And 
considering how non-standard the serial port was the pins are probably 
all jumbled... I'd rather not go that way.



regards
Joakim Wennergren

This email was Anti Virus checked by Astaro Security Gateway.


-- 
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss


* Re: [ECOS] Odd RedBoot installation found - tips needed
  2008-01-28  8:44 [ECOS] Odd RedBoot installation found - tips needed Joakim Wennergren
@ 2008-01-28 12:37 ` Gary Thomas
  2008-01-28 13:00   ` Joakim Wennergren
  0 siblings, 1 reply; 3+ messages in thread
From: Gary Thomas @ 2008-01-28 12:37 UTC (permalink / raw)
  To: Joakim Wennergren; +Cc: ecos-discuss

Joakim Wennergren wrote:
> Hi,
> 
> I've started to dismantle a new piece of hardware I've got (a small 
> firewall/router), and managed to attach a serial cable to it. When it 
> boots up I get RedBoot, but it's an odd version. It calls itself:
> 
> RedBoot(tm) bootstrap and debug environment [ROM]
> Non-certified release, version v2_0 - built 22:17:05, Dec 22 2005
> 
> So it seems to be a modified RedBoot, nothing new there. But when I 
> checked what commands I had, there was only a short list: "channel", 
> "help", "ip_address", "linux", "load", "switch", "wdog" and "flash".  No 
> fis commands :(
> 
> As far as I can tell there is no list of partitions on the flash at all, 
> just the Linux kernel and then the file system appended to the end of 
> it... And the Linux kernel seems to unpack an area of the flash into RAM 
> and use it as a ramdrive.
> 
> So what I need help with is where to burn my own images. I compiled the 
> vendor's released kernel, but as usual when vendors are forced to release 
> the kernel under GPL they stripped it bare. When I installed it using 
> the web interface it boots Linux but failed to unpack the ramdisk and is 
> pretty much useless.
> 
> The Linux boots up using the RedBoot command
> linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"
> 
> And the "help" output from RedBoot is:
> RedBoot> help
> Display/switch console channel
>   channel [<channel number>]
> Help about help?
>   help [<topic>]
> Set/change IP addresses
>   ip_address [-l <local_ip_address>] [-h <server_address>]
> Execute a Linux image
>   linux [-w timeout] [-b <base address> [-l <image length>]]
>        [-r <ramdisk addr> [-s <ramdisk length>]]
>        [-c "kernel command line"]
> Load a file
>   load [-r] [-v] [-h <host>] [-m <varies>] [-c <channel_number>]
>        [-b <base_address>] <file_name>
> cat switch value
>   switch no
> set watchdog
>   wdog no
> flash upgrade
>   flash [-s <source>][-d <destination>][-l <image length>]
> 
> 
> So I guess it reads the kernel from 0x400000, but what that address 
> means I have no clue :( I can't write to it using "flash", so it's not 
> the start of the flash. And I don't want to try addresses randomly since 
> I might overwrite RedBoot and brick the router completely.
> 
> So any tips on where to burn the image? "load" works just fine so I can 
> load images, but I don't know where to burn it.
> 
> I managed to "hack" their released firmware so I have access to the 
> contents of their file system, but all flash burning tools are compiled 
> binaries so I can't find any addresses there.
> 

Is this something other than the RedBoot code?

> 
> In worst case I could maybe figure out the JTAG pins on the hardware, 
> but I don't have any JTAG burning stuff, I'd have to borrow some. And 
> considering how non-standard the serial port was the pins are probably 
> all jumbled... I'd rather not go that way.

You should be able to build a RAM version of RedBoot and run that.
Using this version, you can experiment a little, try updating the
Linux kernel pieces, etc.  Once comfortable, you should be able
to build and update the ROM (or ROMRAM) code.

You've mentioned that you got sources, but they are "stripped".
What do you mean by this?  The GPL doesn't allow for the vendor
to provide some pieces and not others (for the code that corresponds
to what's in your router).  You should *absolutely* be capable of
rebuilding the RedBoot that's in your box from the sources provided,
or else the vendor is not living up to their GPL responsibilities.

What's the underlying target/architecture?



-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------


* Re: [ECOS] Odd RedBoot installation found - tips needed
  2008-01-28 12:37 ` Gary Thomas
@ 2008-01-28 13:00   ` Joakim Wennergren
  0 siblings, 0 replies; 3+ messages in thread
From: Joakim Wennergren @ 2008-01-28 13:00 UTC (permalink / raw)
  To: ecos-discuss

Gary Thomas wrote:
> Joakim Wennergren wrote:
>> Hi,
>>
>> I've started to dismantle a new piece of hardware I've got (a small 
>> firewall/router), and managed to attach a serial cable to it. When it 
>> boots up I get RedBoot, but it's an odd version. It calls itself:
>>
>> RedBoot(tm) bootstrap and debug environment [ROM]
>> Non-certified release, version v2_0 - built 22:17:05, Dec 22 2005
>>
>> So it seems to be a modified RedBoot, nothing new there. But when I 
>> checked what commands I had, there was only a short list: "channel", 
>> "help", "ip_address", "linux", "load", "switch", "wdog" and "flash".  
>> No fis commands :(
>>
>> As far as I can tell there is no list of partitions on the flash at 
>> all, just the Linux kernel and then the file system appended to the 
>> end of it... And the Linux kernel seems to unpack an area of the flash 
>> into RAM and use it as a ramdrive.
>>
>> So what I need help with is where to burn my own images. I compiled 
>> the vendor's released kernel, but as usual when vendors are forced to 
>> release the kernel under GPL they stripped it bare. When I installed 
>> it using the web interface it boots Linux but failed to unpack the 
>> ramdisk and is pretty much useless.
>>
>> The Linux boots up using the RedBoot command
>> linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"
>>
>> And the "help" output from RedBoot is:
>> RedBoot> help
>> Display/switch console channel
>>   channel [<channel number>]
>> Help about help?
>>   help [<topic>]
>> Set/change IP addresses
>>   ip_address [-l <local_ip_address>] [-h <server_address>]
>> Execute a Linux image
>>   linux [-w timeout] [-b <base address> [-l <image length>]]
>>        [-r <ramdisk addr> [-s <ramdisk length>]]
>>        [-c "kernel command line"]
>> Load a file
>>   load [-r] [-v] [-h <host>] [-m <varies>] [-c <channel_number>]
>>        [-b <base_address>] <file_name>
>> cat switch value
>>   switch no
>> set watchdog
>>   wdog no
>> flash upgrade
>>   flash [-s <source>][-d <destination>][-l <image length>]
>>
>>
>> So I guess it reads the kernel from 0x400000, but what that address 
>> means I have no clue :( I can't write to it using "flash", so it's not 
>> the start of the flash. And I don't want to try addresses randomly 
>> since I might overwrite RedBoot and brick the router completely.
>>
>> So any tips on where to burn the image? "load" works just fine so I 
>> can load images, but I don't know where to burn it.
>>
>> I managed to "hack" their released firmware so I have access to the 
>> contents of their file system, but all flash burning tools are 
>> compiled binaries so I can't find any addresses there.
>>
> 
> Is this something other than the RedBoot code?
> 

Yes, the firmware provided on their site contains a packed ext2 
partition with the Linux file system. It contains all the programs the 
router uses.

Note that the source code package provided on their site does NOT 
contain these files.

>>
>> In worst case I could maybe figure out the JTAG pins on the hardware, 
>> but I don't have any JTAG burning stuff, I'd have to borrow some. And 
>> considering how non-standard the serial port was the pins are probably 
>> all jumbled... I'd rather not go that way.
> 
> You should be able to build a RAM version of RedBoot and run that.
> Using this version, you can experiment a little, try updating the
> Linux kernel pieces, etc.  Once comfortable, you should be able
> to build and update the ROM (or ROMRAM) code.
> 
> You've mentioned that you got sources, but they are "stripped".
> What do you mean by this?  The GPL doesn't allow for the vendor
> to provide some pieces and not others (for the code that corresponds
> to what's in your router).  You should *absolutely* be capable of
> rebuilding the RedBoot that's in your box from the sources provided,
> or else the vendor is not living up to their GPL responsibilities.

They are providing a source code package that includes the Linux kernel 
and a couple of programs, but it's not the same as when I unpack their 
official firmware.

RedBoot is not included in the source code package at all.

Also, the RedBoot shipped on the hardware is a stripped down version 
that lacks almost all features. I can load an image (tftp) into RAM and 
burn it to flash, but that's it. Overwriting the installed RedBoot seems 
like it could fail easily, and if I fail once, the router is bricked. :(

> What's the underlying target/architecture?

The router has a RTC R3210 SoC, 4 MB flash and 32Mb RAM. OpenWRT had 
some version ("RDCPort") that should run on similar routers, but I don't 
know how to configure it to actually use RDCPort... I'm working on it.

It's similar (even the RedBoot and bootlog) to the one here:
http://wiki.openwrt.org/OpenWrtDocs/Hardware/Sitecom/WL-153

Meanwhile I'd like to be able to at least replace the stock firmware 
with one I've compiled, since the stock firmware has a login password 
that I haven't managed to break yet.


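The layout described in this thread (a kernel image with a packed ext2 file system appended) can be mapped offline from the vendor's firmware file before anything is written to flash. The following is an added example, not part of the original thread or of any vendor tooling: it assumes the file system is gzip-compressed (the thread only says "packed"), and the names `scan_image`, `looks_like_ext2`, `build_sample` and the sample image are constructed for illustration.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"      # gzip header, deflate method
EXT2_SB_OFFSET = 1024             # superblock starts 1 KiB into the filesystem
EXT2_MAGIC_FIELD = 56             # s_magic offset inside the superblock
EXT2_MAGIC = 0xEF53


def looks_like_ext2(data):
    """True if data carries the ext2 superblock magic at the expected place."""
    pos = EXT2_SB_OFFSET + EXT2_MAGIC_FIELD
    if len(data) < pos + 2:
        return False
    return struct.unpack_from("<H", data, pos)[0] == EXT2_MAGIC


def scan_image(blob):
    """Return (offset, packed_len, unpacked_len, kind) per valid gzip member."""
    found = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)   # 31 = expect gzip framing
        try:
            out = d.decompress(blob[pos:])
            if d.eof:  # a stray 3-byte magic never reaches a valid trailer
                used = len(blob) - pos - len(d.unused_data)
                kind = "ext2" if looks_like_ext2(out) else "gzip data"
                found.append((pos, used, len(out), kind))
                pos = blob.find(GZIP_MAGIC, pos + used)
                continue
        except zlib.error:
            pass
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return found


def build_sample():
    """Constructed image: filler 'kernel' bytes, then a gzip-packed fake ext2."""
    fs = bytearray(4096)
    struct.pack_into("<H", fs, EXT2_SB_OFFSET + EXT2_MAGIC_FIELD, EXT2_MAGIC)
    kernel = b"KERNEL" * 100 + b"\x1f\x8b\x08junk"   # ends with a decoy magic
    return kernel, kernel + gzip.compress(bytes(fs)) + b"\xff" * 32


if __name__ == "__main__":
    kernel, image = build_sample()
    for off, used, size, kind in scan_image(image):
        print(f"0x{off:06x}: {kind}, {used} bytes packed, {size} bytes unpacked")
```

The reported offsets and lengths are relative to the start of the firmware file, not to flash or RAM addresses; they can be compared with the `-l` and `-s` values the boot command passes.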
