Category: CFE BootLoader

ASUS WL-500GP v2: flash firmware using CFE

I had a bricked Asus WL-500GP v2 router; luckily the CFE bootloader was still reachable through the serial port. After setting up a TFTP server and downloading the appropriate upgrade firmware from OpenWrt, the CFE command was:

flash -noheader 192.168.1.100:openwrt.trx flash1.trx

where:

  • flash1.trx is the destination flash (and not flash0.trx as I saw in some tutorials)
  • 192.168.1.100 is the TFTP server IP
  • openwrt.trx is the firmware image
  • -noheader is the option that skips header verification

CFE Bootloader dump with OpenWrt

It is always a good idea to dump the original CFE bootloader of your router, because if you experiment too much you might brick it. For instance, when you flash a new firmware image CFE doesn't check the image size before flashing, and if the size exceeds the flash size the CFE bootloader will be corrupted.
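Since CFE neither checks the image size nor (with -noheader) the image header, it is worth doing both checks on the PC before typing the flash command. The following script is an added example, not part of the original post: it parses the TRX header used by OpenWrt Broadcom images (layout and CRC convention as in OpenWrt's trx/otrx tools: "HDR0" magic, total length, CRC32 over everything from offset 12 with init 0xFFFFFFFF and no final inversion), verifies the CRC, and refuses an image larger than the destination partition. The partition size is a parameter; the 0x3e0000 value used in the usage note is the "linux" partition from the /proc/mtd listing further down this page (a different router), since the WL-500GP's own size is not given here.

```python
import struct
import zlib

# TRX v1 header (28 bytes, little-endian): magic "HDR0", total image length,
# crc32, flag/version word, three partition offsets.  The CRC covers bytes
# [12, length): CRC32 with init 0xFFFFFFFF and no final inversion, which is
# exactly zlib.crc32(...) XOR 0xFFFFFFFF.
TRX_MAGIC = b"HDR0"
TRX_HDR = struct.Struct("<4sIII3I")
TRX_CRC_OFFSET = 12


def trx_crc32(image: bytes, length: int) -> int:
    """CRC as stored in the TRX header, over image[12:length]."""
    return zlib.crc32(image[TRX_CRC_OFFSET:length]) ^ 0xFFFFFFFF


def check_trx(image: bytes, partition_size: int) -> list:
    """Return a list of problems; an empty list means the image is safe to flash.

    partition_size is the size of the destination flash partition (the 'size'
    column of /proc/mtd on a running system).  CFE itself does not check it.
    """
    problems = []
    if len(image) > partition_size:
        problems.append(f"image is {len(image)} bytes but partition is {partition_size}")
    if len(image) < TRX_HDR.size:
        problems.append("file too short to hold a TRX header")
        return problems
    magic, length, crc, flag_ver, off0, off1, off2 = TRX_HDR.unpack_from(image)
    if magic != TRX_MAGIC:
        problems.append(f"bad magic {magic!r}, expected {TRX_MAGIC!r}")
        return problems
    if length > len(image):
        problems.append(f"header claims {length} bytes, file has {len(image)}")
        return problems
    if trx_crc32(image, length) != crc:
        problems.append("CRC32 mismatch: image is corrupt or truncated")
    for off in (off0, off1, off2):
        # Offsets are relative to the start of the header; 0 means "unused".
        if off and not (TRX_HDR.size <= off < length):
            problems.append(f"partition offset {off:#x} lies outside the image")
    return problems


def build_trx(payload: bytes) -> bytes:
    """Construct a minimal valid TRX image around payload (test helper only)."""
    length = TRX_HDR.size + len(payload)
    version_word = 1 << 16  # version 1 in the high half, no flags
    image = TRX_HDR.pack(TRX_MAGIC, length, 0, version_word, TRX_HDR.size, 0, 0) + payload
    crc = trx_crc32(image, length)
    return TRX_HDR.pack(TRX_MAGIC, length, crc, version_word, TRX_HDR.size, 0, 0) + payload


if __name__ == "__main__":
    import sys
    # usage: python3 check_trx.py openwrt.trx 0x3e0000
    data = open(sys.argv[1], "rb").read()
    for problem in check_trx(data, int(sys.argv[2], 0)) or ["OK: image fits and header verifies"]:
        print(problem)
```

Run it against the downloaded .trx with the real partition size before issuing `flash -noheader`; an "image is N bytes but partition is M" result is exactly the case the warning above describes.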

MTD blocks list

Connect to your router using the serial port or through telnet or ssh.

First of all, check which MTD block contains the CFE bootloader. Here I am using a D-Link DSL-2640B, but this guide, broadly speaking, should work on all routers.

cat /proc/mtd

dev: size erasesize name
 mtd0: 00010000 00002000 "CFE"
 mtd1: 000dff00 00010000 "kernel"
 mtd2: 00300000 00010000 "rootfs"
 mtd3: 00090000 00010000 "rootfs_data"
 mtd4: 00010000 00010000 "nvram"
 mtd5: 003e0000 00010000 "linux"

Dump the bootloader

The CFE bootloader is contained in mtd0 (block 0); dump it with dd:

dd if=/dev/mtdblock0 of=/tmp/cfedump.bin

128+0 records in
128+0 records out

We can check our personal settings, written near the beginning of the dump:

hexdump -C -s 1200 -n 1000 cfedump.bin

000004b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000004e0  43 46 45 31 43 46 45 31  00 00 00 00 00 00 00 00  |CFE1CFE1........|
000004f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000500  10 00 02 ac 00 00 00 00  43 46 45 31 43 46 45 31  |........CFE1CFE1|
00000510  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000570  63 66 65 2d 76 01 00 25  0a 02 00 00 00 00 00 00  |cfe-v..%........|
00000580  00 00 00 04 65 3d 31 39  32 2e 31 36 38 2e 32 2e  |....e=192.168.2.|
00000590  33 36 20 68 3d 31 39 32  2e 31 36 38 2e 32 2e 37  |36 h=192.168.2.7|
000005a0  31 20 67 3d 31 39 32 2e  31 36 38 2e 32 2e 32 32  |1 g=192.168.2.22|
000005b0  30 20 72 3d 66 20 66 3d  76 6d 6c 69 6e 75 78 20  |0 r=f f=vmlinux |
000005c0  69 3d 62 63 6d 39 36 33  78 78 5f 66 73 5f 6b 65  |i=bcm963xx_fs_ke|
000005d0  72 6e 65 6c 20 64 3d 34  20 70 3d 30 20 00 00 00  |rnel d=4 p=0 ...|
000005e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000680  00 00 00 00 44 2d 34 50  2d 57 00 00 00 00 00 00  |....D-4P-W......|
00000690  00 00 00 00 00 00 00 01  00 00 00 00 00 00 00 18  |................|
000006a0  00 21 91 1a aa 14 00 00  b1 0f 4d 44 00 00 00 00  |.!........MD....|
000006b0  00 00 00 30 00 00 00 00  00 00 00 00 00 00 00 00  |...0............|
000006c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

MIPS CPUs are big endian, so the dump file will have the same endianness. In case you have to restore the CFE, remember to convert it to the appropriate endianness; in fact the majority of JTAG flash utilities work with little endian only.
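The three steps above (find the CFE partition in /proc/mtd, dump it, convert the endianness for a JTAG tool) can be checked mechanically. The script below is an added example, not code from the original post: it parses the /proc/mtd listing shown above (embedded as sample text), confirms that a dump has exactly the partition's size (a short dd read would silently produce a useless backup), reverses the byte order of every 32-bit word, and pulls the `e=... h=... g=...` boot parameter string visible in the hexdump out of the dump. The sample dump is constructed here to match that hexdump; that the JTAG utility wants whole 32-bit words swapped (rather than the 16-bit pairs `dd conv=swab` produces) is an assumption to verify against the tool's documentation, and the meaning of the individual parameter keys is not interpreted.

```python
import re
import struct

# /proc/mtd as listed above for the D-Link DSL-2640B (copied from the page).
PROC_MTD_SAMPLE = """dev: size erasesize name
 mtd0: 00010000 00002000 "CFE"
 mtd1: 000dff00 00010000 "kernel"
 mtd2: 00300000 00010000 "rootfs"
 mtd3: 00090000 00010000 "rootfs_data"
 mtd4: 00010000 00010000 "nvram"
 mtd5: 003e0000 00010000 "linux"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"(.*)"$')


def parse_proc_mtd(text):
    """Return {name: (device, size, erasesize)}; /proc/mtd prints the sizes in hex."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            dev, size, erase, name = m.groups()
            parts[name] = (dev, int(size, 16), int(erase, 16))
    return parts


def check_dump(dump, mtd_size):
    """A dd of /dev/mtdblockN must be exactly the partition size; anything else is a partial read."""
    return len(dump) == mtd_size


def swap32(data):
    """Reverse the byte order of every 32-bit word (big-endian dump -> little-endian and back).
    Assumption: the JTAG utility expects whole 32-bit words swapped, not 16-bit pairs."""
    if len(data) % 4:
        raise ValueError("dump length is not a multiple of 4")
    words = struct.unpack(f">{len(data) // 4}I", data)
    return struct.pack(f"<{len(words)}I", *words)


def boot_params(dump):
    """Return the 'e=... h=... g=...' settings following the 'cfe-v' marker as a dict.
    The string runs from the first 'e=' after the marker up to the terminating NUL."""
    pos = dump.find(b"cfe-v")
    if pos < 0:
        return {}
    start = dump.find(b"e=", pos)
    if start < 0:
        return {}
    end = dump.find(b"\x00", start)
    text = dump[start:end].decode("ascii", errors="replace")
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def make_sample_dump(size=0x10000):
    """Constructed 64 KiB stand-in for /tmp/cfedump.bin: zero-filled except for the
    CFE1CFE1 magic and the settings region, placed at the offsets seen in the hexdump above."""
    buf = bytearray(size)
    buf[0x4E0:0x4E8] = b"CFE1CFE1"
    settings = (b"cfe-v\x01\x00\x25\x0a\x02" + b"\x00" * 9 + b"\x04"
                + b"e=192.168.2.36 h=192.168.2.71 g=192.168.2.220 r=f f=vmlinux "
                  b"i=bcm963xx_fs_kernel d=4 p=0 ")
    buf[0x570:0x570 + len(settings)] = settings
    return bytes(buf)


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD_SAMPLE)
    dev, size, _ = parts["CFE"]
    dump = make_sample_dump(size)
    print(f"{dev}: {size:#x} bytes, dump size ok: {check_dump(dump, size)}")
    print("boot parameters:", boot_params(dump))
    open("/tmp/cfedump-le.bin", "wb").write(swap32(dump))  # little-endian copy for the JTAG tool
```

On a real router replace `PROC_MTD_SAMPLE` with the contents of `/proc/mtd` and `make_sample_dump()` with the bytes of `/tmp/cfedump.bin`; the 0x10000 size of mtd0 is what the `128+0 records` (128 x 512 bytes) from dd above add up to.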

Copy the image locally

Before using scp you must have a root password set. If not, you can set one easily with

passwd

Then, from your local computer:

scp root@192.168.2.36:/tmp/cfedump.bin .
