DSM-G600, DNS-3xx and NSA-220 Hack Forum
Unfortunately no one can be told what fun_plug is - you have to see it for yourself.
You are not logged in.
Announcement
• DSM-G600: Wiki - Main Page |
Downloads |
SVN
•
DNS-323: Wiki |
Downloads
•
IRC Channel #funplug on irc.freenode.org
IRC Channel #funplug on irc.freenode.org
#1 2009-03-16 12:50:50
Flash custom kernel
Code:
ATCB copy from FLASH ROM to working buffer ATBTx block0 write enable (1=enable, other=disable) ATSB save working buffer to FLASH ROM ATIP[x][,y][,z] Setup IP address; x is Server/Remote IP, y is Host/Local IP, z is netmask ATTCx,y upload file y from TFTP server to RAM address x (length of filename<=20) ATERx,y erase flash rom from block x to y ATWFx,y,z copy data from ram addr x to flash addr y, length z
Example use of these commands:
Code:
Bootbase V20061226 | 12/26/2006 10:58:17
DRAM0 Size: 128 MB
DRAM POST: Testing: 130976K...OK
DRAM0 Test SUCCESS !
System Memory Mapping
RAM0: 0x00000000~0x07FFFFFF (128 MB)
Bootbase: 0x00000000~0x00006547
Stack: 0x00006548~0x00018D47
Found 28F128J3 at address 0xF8000000
Boot-up Bootext...
Bootext V20081118 | 11/18/2008 20:03:45
Flash Detect....
Found Intel 28F128J3 flash at memory address 0xf8000000
System Memory Mapping
Flash0: Intel 28F128J3 at 0xF8000000 (16MB; Block0~Block127)
RAM0: 0x00000000~0x07ffffff (128MB)
Bootloader: 0x00020000~0x00045783
Stack: 0x00045784~0x0005d283
Flash Temp Buffer: 0x07fe0000~0x07ffffff (128KB)
vendername = ZyXEL Communications Corp.
productname = ZyXEL NSA220
featurebit [0] [1] = D1 01
MAC = 00 19 CB 82 93 3B
CountryCode = FF
EngDebugFlag = 01
Hit ESC key to stop boot-up kernel... 2
ATCmd> atcb
OK
ATCmd> atbt1
OK
ATCmd> atsb
Erase block127, address 0xf8fe0000, length 0x20000...Done
Program block127, address 0xf8fe0000, length 0x20000...100%
OK
ATCmd> atip 192.168.9.20,192.168.9.11,255.255.255.0
MAC Address is 00:19:CB:82:93:3B
Host/Local IP is 192.168.9.11
Server/Remote IP is 192.168.9.20
Net Mask is 255.255.255.0
OK
ATCmd> attc 0x989680,/tftproot/zImage.bin
Using MAC Address 00:19:CB:82:93:3B
Server IP is 192.168.9.20; Local IP is 192.168.9.11
Filename: /tftproot/zImage.bin; Load address: 0x00989680
################################################################################
Received 1687816 (0x19c108) bytes
OK
ATCmd> ater 3,18
Erase block3, address 0xf8060000, length 0x20000...Done
Erase block4, address 0xf8080000, length 0x20000...Done
Erase block5, address 0xf80a0000, length 0x20000...Done
Erase block6, address 0xf80c0000, length 0x20000...Done
Erase block7, address 0xf80e0000, length 0x20000...Done
Erase block8, address 0xf8100000, length 0x20000...Done
Erase block9, address 0xf8120000, length 0x20000...Done
Erase block10, address 0xf8140000, length 0x20000...Done
Erase block11, address 0xf8160000, length 0x20000...Done
Erase block12, address 0xf8180000, length 0x20000...Done
Erase block13, address 0xf81a0000, length 0x20000...Done
Erase block14, address 0xf81c0000, length 0x20000...Done
Erase block15, address 0xf81e0000, length 0x20000...Done
Erase block16, address 0xf8200000, length 0x20000...Done
Erase block17, address 0xf8220000, length 0x20000...Done
Erase block18, address 0xf8240000, length 0x20000...Done
OK
ATCmd> atwf 0x989680,0xf8060000,0x19c108
Program block3, address 0xf8060000, length 0x20000...100%
Program block4, address 0xf8080000, length 0x20000...100%
Program block5, address 0xf80a0000, length 0x20000...100%
Program block6, address 0xf80c0000, length 0x20000...100%
Program block7, address 0xf80e0000, length 0x20000...100%
Program block8, address 0xf8100000, length 0x20000...100%
Program block9, address 0xf8120000, length 0x20000...100%
Program block10, address 0xf8140000, length 0x20000...100%
Program block11, address 0xf8160000, length 0x20000...100%
Program block12, address 0xf8180000, length 0x20000...100%
Program block13, address 0xf81a0000, length 0x20000...100%
Program block14, address 0xf81c0000, length 0x20000...100%
Program block15, address 0xf81e0000, length 0x20000...100%
OK
ATCmd> (power off and power on)zImage.bin must be made with ram2bin utility, which you can get from NSA-220 gpl sources.
Code:
ram2bin -i zImage -o zImage.bin -e "2.6.18" -t 4
You will see kernel length after tftp upload is finished. In this case it is 0x19c108
Code:
Received 1687816 (0x19c108) bytes
Before jumping in on this I see only one problem.
Memory map table includes checksum values for each firmware part. Right now I am not sure where these values are used. So far I only know that zyxel firmware reads these values using mmct_get and saves output to /etc in number of checksum files.
Code:
Model 1 D101 CoreChecksum 486C ZldChecksum EB4E RomChecksum 3466 FwVersion V2009-03-16_11:08:26(AFB.0)C0 FwRevision
Technically it is possible to rewrite memory map table with correct values (checksum value will be generated with ram2bin unility).
//update
I did find out that bootext also looks these checksum values and will complain about it if they do not mach with flash content. Other than that, for me it is just an a error to ignore because kernel is still booting without any problems.
Code:
EngDebugFlag = 01 Hit ESC key to stop boot-up kernel... 3 2 1 signature error! (2) Boot-up Linux...2.6.18.6 Uncompressing Linux........................................................................................................ done, booting the kernel. Linux version 2.6.18.6 (sala@dunst) (gcc version 4.3.2 (Sourcery G++ Lite 2008q3-66) ) #5 Mon Mar 16 18:23:36 EET 2009 CPU: ARM926EJ-Sid(wb) [41069260] revision 0 (ARMv5TEJ), cr=b0053177 Machine: MV-88fxx81 parse_tag_initrd2: phys_initrd_start->0x2000000 ,phys_initrd_size->0xc00000 Memory policy: ECC disabled, Data cache writeback end_pfn -> 0x8000
Last edited by sala (2009-09-04 20:49:00)
• DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
• NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS
Offline