Category: DSL-2640B (D-Link)

CFE Bootloader dump with OpenWrt

It is always a good idea to dump the original CFE bootloader of your router, because with enough experimenting you might brick it. For instance, when you flash a new firmware image, CFE doesn't check the image size before flashing, and if the image exceeds the flash size, the CFE bootloader will be corrupted.

MTD blocks list

Connect to your router using the serial port or through telnet or ssh.

First of all, check which MTD block contains the CFE bootloader. Here I am using a D-Link DSL-2640B, but this guide, broadly speaking, should work on all routers.

cat /proc/mtd

dev: size erasesize name
 mtd0: 00010000 00002000 "CFE"
 mtd1: 000dff00 00010000 "kernel"
 mtd2: 00300000 00010000 "rootfs"
 mtd3: 00090000 00010000 "rootfs_data"
 mtd4: 00010000 00010000 "nvram"
 mtd5: 003e0000 00010000 "linux"

Dump the bootloader

The CFE bootloader is contained in block 0 (mtd0). Dump it with dd

dd if=/dev/mtdblock0 of=/tmp/cfedump.bin

128+0 records in
128+0 records out
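
A backup is only useful if it is a faithful copy. The check below is an added example, not part of the original post: it confirms that the dump has the size /proc/mtd reports for the partition and that a second read of the device matches the file. The function name verify_dump and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# verify_dump DEV DUMP HEXSIZE   (hypothetical helper, not from the post)
#   DEV     - device the dump was read from, e.g. /dev/mtdblock0
#   DUMP    - file written by dd, e.g. /tmp/cfedump.bin
#   HEXSIZE - "size" column for that partition in /proc/mtd, e.g. 00010000
# Returns 0 if the dump is good, 1 on size mismatch, 2 on content mismatch.
verify_dump() {
    dev=$1
    dump=$2
    want=$((0x$3))              # /proc/mtd prints sizes in hex without 0x
    got=$(wc -c < "$dump")
    got=$((got))                # drop any padding some wc builds add

    if [ "$got" -ne "$want" ]; then
        echo "size mismatch: $dump is $got bytes, partition is $want" >&2
        return 1
    fi

    # Re-read the device and compare byte for byte with the saved file.
    if ! cmp -s "$dev" "$dump"; then
        echo "content mismatch: $dump differs from $dev" >&2
        return 2
    fi

    # Print a digest to compare against after the file leaves the router.
    echo "OK $got bytes md5=$(md5sum < "$dump" | cut -d' ' -f1)"
}

# On the router from this post the call would be:
#   verify_dump /dev/mtdblock0 /tmp/cfedump.bin 00010000
```

After copying the file off the router, run md5sum on the local copy and compare it with the digest printed here.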

We can check our personal settings, which are written near the beginning of the dump

hexdump -C -s 1200 -n 1000 cfedump.bin

000004b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000004e0  43 46 45 31 43 46 45 31  00 00 00 00 00 00 00 00  |CFE1CFE1........|
000004f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000500  10 00 02 ac 00 00 00 00  43 46 45 31 43 46 45 31  |........CFE1CFE1|
00000510  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000570  63 66 65 2d 76 01 00 25  0a 02 00 00 00 00 00 00  |cfe-v..%........|
00000580  00 00 00 04 65 3d 31 39  32 2e 31 36 38 2e 32 2e  |....e=192.168.2.|
00000590  33 36 20 68 3d 31 39 32  2e 31 36 38 2e 32 2e 37  |36 h=192.168.2.7|
000005a0  31 20 67 3d 31 39 32 2e  31 36 38 2e 32 2e 32 32  |1 g=192.168.2.22|
000005b0  30 20 72 3d 66 20 66 3d  76 6d 6c 69 6e 75 78 20  |0 r=f f=vmlinux |
000005c0  69 3d 62 63 6d 39 36 33  78 78 5f 66 73 5f 6b 65  |i=bcm963xx_fs_ke|
000005d0  72 6e 65 6c 20 64 3d 34  20 70 3d 30 20 00 00 00  |rnel d=4 p=0 ...|
000005e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000680  00 00 00 00 44 2d 34 50  2d 57 00 00 00 00 00 00  |....D-4P-W......|
00000690  00 00 00 00 00 00 00 01  00 00 00 00 00 00 00 18  |................|
000006a0  00 21 91 1a aa 14 00 00  b1 0f 4d 44 00 00 00 00  |.!........MD....|
000006b0  00 00 00 30 00 00 00 00  00 00 00 00 00 00 00 00  |...0............|
000006c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

MIPS CPUs are big endian, so the dump file will have the same endianness. If you have to restore the CFE, remember to convert it to the appropriate endianness, because the majority of JTAG flash utilities work with little endian only.

Copy the image locally

Before using scp you must have your root password set. If not, you can set it easily with

passwd

Then from your local computer

scp root@192.168.2.36:/tmp/cfedump.bin .

 

OpenWrt D-Link DSL-2640B

I was given a D-Link DSL-2640B router for which I decided to change the firmware in order to enable several options not available on the original one, for instance the possibility to modify the wifi RF power and having an OpenVPN server.

The following are the basic steps to compile the OpenWrt Backfire branch. I also previously tried the latest Attitude Adjustment release, but I experienced embarrassingly slow speed and recurring instability of the LuCI web interface.

For additional information about this router: http://wiki.openwrt.org/toh/d-link/dsl-2640u

Get the sources

svn co svn://svn.openwrt.org/openwrt/branches/backfire
cd backfire

Install and update all the packages

./scripts/feeds update -a
./scripts/feeds install -a

Launch the configuration menu and set the appropriate options

make menuconfig

Main configuration

Target System (Broadcom BCM947xx/953xx [2.4]) ---> (X) Broadcom BCM63xx
Target Profile (Broadcom WiFi (default))  ---> (X) Broadcom WiFi (default)

Disable the jffs2 image since we will use only squashfs

deselect Target Images ---> [ ] jffs2

in order to have only [*] squashfs (NEW) enabled

Reduce the image size (optional)

Global build settings  --->
check                       [*] Remove ipkg/opkg status data files in final image
uncheck                     [ ] Compile the kernel with Debug FileSystem enabled
check                       [*] Strip unnecessary exports from the kernel image

Enable LuCI and the applications you might need

LuCI  --->  1. Collections  ---> <*> luci
            3. Applications ---> <*> luci-app-ddns........................... Dynamic DNS configuration module
                                 <*> luci-app-openvpn................................ LuCI Support for OpenVPN
                                 <*> luci-app-qos..................... Quality of Service configuration module
                                 <*> luci-app-wol................................ LuCI Support for Wake-on-LAN

Utilities  ---> Editors  ---> <*> nano........................... An enhanced clone of the Pico text editor

Exit and save

Custom configuration (optional)

In some cases, you may want to have a custom image that has been pre-configured. If so, place your custom files in <buildroot dir>/files/

For example, I prefer to have already specified the physical WAN and LAN ports in the network settings. Two VLANs are then defined; WAN is assigned to ethernet connector #4.

mkdir -p files/etc/config/
touch files/etc/config/network

This is my network file content

config 'switch' 'eth1'
 option 'enable' '1'
 option 'enable_vlan' '1'
 option 'reset' '1'
config 'switch_vlan' 'vlan0'
 option 'vlan' '0'
 option 'device' 'eth1'
 option 'ports' '1 2 3 5*'
config 'switch_vlan' 'vlan1'
 option 'vlan' '1'
 option 'device' 'eth1'
 option 'ports' '0 5t'
config 'interface' 'loopback'
 option 'ifname' 'lo'
 option 'proto' 'static'
 option 'ipaddr' '127.0.0.1'
 option 'netmask' '255.0.0.0'
config 'interface' 'lan'
 option 'type' 'bridge'
 option 'ifname' 'eth1.0'
 option 'nat' '1'
 option 'proto' 'static'
 option 'netmask' '255.255.255.0'
 option 'ipaddr' '192.168.2.100'
config 'interface' 'wan'
 option 'ifname' 'eth1.1'
 option 'proto' 'static'
 option 'netmask' '255.255.255.0'
 option 'ipaddr' '192.168.1.10'
 option 'gateway' '192.168.1.2'
 option 'dns' '192.168.1.2'

Build the image

The build process can be accelerated by running multiple concurrent jobs with the -j option. Be careful, because sometimes the build may fail (it happened to me with Attitude Adjustment). On my multicore i7 CPU the command is

make -j 8

The image will be found in bin/brcm63xx/openwrt-DSL2640B-squashfs-cfe.bin, relative to the buildroot directory.

I usually flash the image using the CFE bootloader through the serial port (available at the back of the router). Remember to check the image size, which must not be greater than approx 4MByte; otherwise it will corrupt the bootloader, bricking the router.
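
Since CFE does not check the size itself, the check can be done on the build host before flashing. This is an added example, not from the original post: it compares an image file with a partition size taken from the /proc/mtd listing shown in the CFE dump post. That the image has to fit the "linux" partition (0x3e0000 bytes, the whole flash minus CFE and nvram) is an assumption, as are the function names.

```shell
#!/bin/sh
# Constructed sample input: the /proc/mtd listing printed earlier on this
# page. Replace it with the output of "cat /proc/mtd" from your own router.
MTD_LISTING='dev: size erasesize name
mtd0: 00010000 00002000 "CFE"
mtd1: 000dff00 00010000 "kernel"
mtd2: 00300000 00010000 "rootfs"
mtd3: 00090000 00010000 "rootfs_data"
mtd4: 00010000 00010000 "nvram"
mtd5: 003e0000 00010000 "linux"'

# mtd_size NAME: read a /proc/mtd listing on stdin and print the size of
# partition NAME in bytes. Returns 1 if the partition is not listed.
mtd_size() {
    hex=$(awk -v n="\"$1\"" '$4 == n { print $2; exit }')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# image_fits IMAGE PARTITION: return 0 if IMAGE is not larger than
# PARTITION, 1 if it is too large, 2 if PARTITION is unknown.
image_fits() {
    limit=$(printf '%s\n' "$MTD_LISTING" | mtd_size "$2") || {
        echo "partition $2 not found in listing" >&2
        return 2
    }
    size=$(wc -c < "$1")
    size=$((size))
    if [ "$size" -gt "$limit" ]; then
        echo "DO NOT FLASH: $1 is $size bytes, $((size - limit)) more than $2 holds" >&2
        return 1
    fi
    echo "OK: $1 is $size bytes, $((limit - size)) bytes to spare in $2"
}

# Assumed usage from the buildroot directory:
#   image_fits bin/brcm63xx/openwrt-DSL2640B-squashfs-cfe.bin linux
```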

 
