If you never stop trying, you will get there eventually. August 20, Some time ago I decided to learn how to attack, gain privileged access to and modify hardware such as routers or IoT devices. In this collection of posts I will walk through how to reverse engineer a router, specifically the following one:

Router: ComtrendARun. The first thing we are going to do is analyze the PCB, gather information about the components and find out whether there is any visible debug port. Debug ports are designed by the engineers and left on the PCB for debugging the system and the physical connections between the pins.

Datasheet: BCM Datasheet: MX25L The best way to do this is to use a multimeter and check the voltage behavior on the pins just after the router is switched on: I am using this simple logic analyzer: In the program, you will need to configure the baud rate so it can decode the serial communication.

I used the baudrate tool from devttys0 to get the baud rate, but you can also derive this value by looking at the symbols and their Tx time.

Datasheet: FTH. Now it's time to connect to the port: BusyBox v1. Wait a minute or so until the system has booted up and type help or whatever: You can use tools like JohnTheRipper to crack these passwords:

August 11, June 08, This is an interesting web challenge where the user needs to bypass the command input in order to execute commands and get the flag.

The Linux kernel team at MIPS actively upstreams patches for released kernels, current cores and semiconductor devices based upon them to head of tree at kernel.

New developments should use the newest stable kernel version available on kernel. These are hosted on in-house repositories before upstreaming.

Support for MIPS processor cores and development systems is included in the following kernel releases. After cloning the git repository, you can then locally check out the branch you are going to work from. You should always check pending patches before submitting a new patch request. For example, to start developing with the 4. You can then configure and build the kernel.

MIPS Linux

Released kernels, released cores. Staging repository for MIPS patches. MIPS engineering kernels. New feature support before upstreaming. I, P, M MIPS backported kernels. Core support from 4. I, P, interAptiv. Released kernel. Released kernel For latest updates use Engineering Kernel. Boston, Malta. Released kernel on kernel. Early support in v4.


Decompression OK! Entry at 0x80a Closing network. Disabling Switch ports. Flushing Receive Buffers Closing DMA Channels. Starting program at 0x80a [ 0. DG AN1 [ 0. Total pages: [ 0.

Thank you, regards.


Sercomm RV6688v2

Install the Device Tree Compiler, either from source or from a distribution package, e.g. After building zephyr. Then make sure your serial ports are set up correctly: Edit the IP addresses at the top of the file to taste.


Sample boot logs: CM console, Linux console. When the chip is powered on, the Viper is released from reset and performs a number of helpful tasks, including: When you build zephyr. The kernel's built-in DTB is used as a fallback only. The DTB provided by Aeolus will accurately reflect the system's memory configuration and the kernel command line arguments configured through the CM console.

It is also possible for different builds of Aeolus for different boards to incorporate board-specific changes in the device tree, e.g.

Default htmode

Various macros and code snippets were copied from the Linux tree (GPLv2).

Bootloader for bcm, GPL.

It is one of the most successful xDSL platforms due to the simplicity of migrating old platforms, e.g.

BCM only uses one core, despite there being SMP code in the kernel for using two cores (see smp-bmips). Hardware random number generator: GPL supported. BCM63xx SoCs have cryptographic hardware accelerators.

The Cipher engine accelerates the IPsec protocol by using dedicated hardware blocks. The driver is available under the GPL. The SPU driver has been included since Linux kernel v4.

Serial Peripheral Interface.


By default only one Slave Select (or two more in newer SoCs) is available. When there are more than 32 GPIOs, they are split between two gpiochips. The labels in the Linux kernel are: Kernel code snippet example: a button press triggers an IRQ, printing something on the console.

Tested on BCM, OpenWrt. Most of the others use CFE with a built-in LZMA decompressor. Thomson routers have their own bootloader. There is released source code for RedBoot (Inventel Livebox), and it can probably be modified to work with other routers.

There is also some source code for U-Boot. It is thus paramount to always have at least some products available that have OEM bootloaders which keep installing free software easy (cf.). And it could be interesting to port such bootloaders to devices which happen to come with a restricted bootloader. Compare the available bootloaders out there, their licenses, available code and feature sets.

Please also remember that available source code is NOT enough; it has to be under a license that allows modification and redistribution.

Currently only available for the RAM bootloader version. The CPU clock configuration is strapped from 5 pins on this interface. These 5 pins use pull-down resistors 4.

The WLAN calibration data is specific to your device. If you wipe it accidentally it will be difficult to restore; it cannot be restored by flashing back a vendor firmware. Consider this when choosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported. But it's harmless to flash an incorrect firmware, it won't brick it.

See version identification to know your router version. Warning: Versions The router hangs while loading the kernel, caused by an IRQ bug. Bug fixed in Warning: Any version between Please check out the article flash. It contains an example and a couple of explanations. With this procedure you will flash the firmware using the bootloader web interface (foolproof).

Image crc failed. The CFE web interface should be used in this case. In theory each wifi chip (it doesn't matter if they are exactly the same model) has its own wifi calibration data. In this router the data is stored in an area of the flash chip. There is an easy way if you flash from stock firmware. Then use a few simple commands. If you have installed version The router has to have access to the internet; then we access the router by SSH and execute.

Optional: If you have installed the snapshot version, it will be useful to have LuCI. If you have already installed OpenWrt and would like to reflash, e.g.

This is a clean and safe upgrade, using the bootloader web interface. Just use the OEM installation procedure. And you can't save changes. Or you are unsure if old data is messing with your new firmware.

Enter OpenWrt failsafe mode if needed. Then execute this command: Set up your Internet connection, configure wireless, configure the USB port, etc. By default some firmware versions don't include wireless drivers. You can set up a basic internet configuration with uci commands.

Assuming your main router gateway has the IP Follow these steps.

The content of this topic has been archived between 12 Mar and 5 May. Unfortunately there are posts — most likely complete pages — missing.

Hi, in this thread there are some links that point to my wuala drive. Since wuala has ended its support for free storage, I chose to store the files on box. I put danitool's instructions to build the firmware image here to ease access to them. The patch for OpenWrt support was added to a GitHub repository thanks to Noltari.

I've built a firmware for the HGb. I cannot say if it works since I don't own this router. Also there is a risk of destroying the wifi calibration data. Restoring the vendor firmware won't restore this area of the flash chip. The backup may help to safely locate this offset. What could be the method for flashing? Could I try a web interface flash? Maybe I could connect to the serial port? I don't have the tools for JTAG.

Could you give me some serial commands to give you the output? Don't know if I will succeed but I'll try. Also it can be done by installing a tftp server on your computer, putting the firmware in the tftp directory, and executing from the CFE console.

But here nothing, and when I switched it worked. It seems there are some troubles with your flash memory in correctly detecting the OpenWrt partitions. Based on your bootlog I assumed the problem is the CFE size; it should be 0x, not 0x. In your pics I couldn't see the flash chip; it may help to know the exact model.

I kind of took pictures of every chip I saw. Then, did you already make a flash backup? I flashed the second image and it booted all right. LAN worked but the wifi interface seemed not to work; my smartphone does not see the SSID. Anyway, I put the second PuTTY log on my wuala space.