Got this box from Bredbandsbolaget. As with any equipment not running OpenWRT I don't trust it. It's nothing personal, just not OpenWRT.
There is a datasheet with some condensed information from Technicolor (ex. Thomson). They also have an open source website but it was missing the source code for TG784n v3.
I requested source code for the router and on 2016-09-30 they came back with partial code dump that excludes some kernel files from Broadcom. After some help from Linux Foundation I have obtained the full sources as per 2016-10-06.
The internal web-UI on the device displays something like this:
Gateway Global Information Product Vendor: Technicolor Product Name: Technicolor TG784n v3 Software Version: 15.1 Firmware Version: 15.24.6119-1029002-20150623154030 Hardware Version: DANT-U Serial Number: xxxxxxxxxxx MAC Address: xx:xx:xx:xx:xx:xx Uptime: 4min 36sec System Time: 1970-01-01 01:04:36 Network Time: Disabled Current Timezone: Europe/Stockholm
Inspecting the board
We find the following components:
- SoC: obscured by cooling but seems to be a BCM6368 from the cache characteristics
- Flash: 64 MB (512Mbit) STMicroelectronics NAND512W3A2SN6
- RAM: 128 MB (1Gbit) SK Hynix H5PS1G63KFR S5C 448A
Identifying the serial port
This was very straight forward. It was bleeding obvious that four pins in a header on the board was the serial port. Then I used this method to identify which pin was which and connected a serial converter. Yay. See illustrations.
Identifying the JTAG port
The JTAG port is obviously on the lower left edge of the board. This is evidently the same 8 pin header 1 row connector found in Thomson routers and described on the OpenWRT JTAG info page.
I haven't tried my luck with this yet.
Unmodified bootlog from serial port
If you don't do anything, the firmware (MIPS Linux, of course) boots up. This is the bootlog on the console with an unmodified firmware:
Decompressing Bootloader................................. Gateway initialization sequence started. Version BL: 1.1.3Booting bank 2 Multicore enable; Booting Linux kernel pfuncjmp = A0001840 JTAG select tp0 BOOTING THE LINUX KERNEL Starting the kernel @ 0x8039ed20 Extra parameters passed to Linux: [0]: bootloader [1]: memsize=0x7EDD000 [2]: btab=0xc004060c [3]: btab_bootid=2 [4]: tbbt_addr=0x3eb4000 [ 0.000000] Linux version 3.4.11-rt19 (cpecomptst@cplx118.edegem.eu.thmulti.com) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #1 SMP PREEMPT Sun Jun 14 19:01:54 CEST 2015 [ 0.000000] DANT-U prom init [ 0.000000] CPU revision is: 0002a070 (Broadcom BMIPS4350) [ 0.000000] Reserving DSL memory: 010CE000-011FFFFF [ 0.000000] Determined physical RAM map: [ 0.000000] memory: 010cc000 @ 00002000 (usable) [ 0.000000] memory: 06cdf000 @ 01200000 (usable) [ 0.000000] Wasting 64 bytes for tracking 2 unused pages [ 0.000000] Zone PFN ranges: [ 0.000000] DMA 0x00000002 -> 0x00001000 [ 0.000000] Normal 0x00001000 -> 0x00007edf [ 0.000000] Movable zone start PFN for each node [ 0.000000] Early memory PFN ranges [ 0.000000] 0: 0x00000002 -> 0x000010ce [ 0.000000] 0: 0x00001200 -> 0x00007edf [ 0.000000] On node 0 totalpages: 32171 [ 0.000000] free_area_init_node: node 0, pgdat 8048c6e0, node_mem_map 81200040 [ 0.000000] DMA zone: 32 pages used for memmap [ 0.000000] DMA zone: 0 pages reserved [ 0.000000] DMA zone: 4062 pages, LIFO batch:0 [ 0.000000] Normal zone: 222 pages used for memmap [ 0.000000] Normal zone: 27855 pages, LIFO batch:7 [ 0.000000] PERCPU: Embedded 7 pages/cpu @81303000 s5360 r8192 d15120 u32768 [ 0.000000] pcpu-alloc: s5360 r8192 d15120 u32768 alloc=8*4096 [ 0.000000] pcpu-alloc: [0] 0 [0] 1 [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 31917 [ 0.000000] Kernel command line: root=31:0 ro noinitrd memsize=0x7EDD000 btab=0xc004060c btab_bootid=2 tbbt_addr=0x3eb4000 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 [ 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes) [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) [ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. [ 0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes [ 0.000000] Memory: 122348k/128684k available (3697k kernel code, 6336k reserved, 898k data, 208k init, 0k highmem) [ 0.000000] Preemptible hierarchical RCU implementation. [ 0.000000] NR_IRQS:128 [ 0.000000] console [ttyS0] enabled [ 0.000000] Allocating memory for DSP module core and initialization code [ 0.000000] Allocated DSP module memory - CORE=0x0 SIZE=0, INIT=0x0 SIZE=0 [ 0.004000] Calibrating delay loop... 397.31 BogoMIPS (lpj=198656) [ 0.016000] pid_max: default: 32768 minimum: 301 [ 0.017000] Mount-cache hash table entries: 512 [ 0.018000] --Kernel Config-- [ 0.019000] SMP=1 [ 0.020000] PREEMPT=1 [ 0.021000] DEBUG_SPINLOCK=0 [ 0.022000] DEBUG_MUTEXES=0 [ 0.023000] Broadcom Logger v0.1 Jun 14 2015 18:59:46 [ 0.032000] CPU revision is: 0002a070 (Broadcom BMIPS4350) [ 0.032000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. [ 0.032000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes [ 0.042000] Brought up 2 CPUs [ 0.051000] NET: Registered protocol family 16 [ 0.054000] Enabling watchdog [ 0.166000] registering PCI controller with io_map_base unset [ 0.379000] registering PCI controller with io_map_base unset [ 0.380000] gpiochip_add: registered GPIOs 0 to 47 on device: bcm963xx-gpio [ 0.396000] bio: create slabat 0 [ 0.399000] SCSI subsystem initialized [ 0.400000] usbcore: registered new interface driver usbfs [ 0.401000] usbcore: registered new interface driver hub [ 0.402000] usbcore: registered new device driver usb [ 0.403000] PCI host bridge to bus 0000:00 [ 0.404000] pci_bus 0000:00: root bus resource [mem 0x10f00000-0x10ffffff] [ 0.405000] pci_bus 0000:00: root bus resource [io 0x12000000-0x1200ffff] [ 0.406000] pci 0000:00:00.0: [14e4:435f] type 00 class 0x028000 [ 0.407000] pci 0000:00:00.0: reg 10: [mem 0x10004000-0x10005fff] [ 0.408000] pci 0000:00:09.0: [14e4:6300] type 00 class 0x0c0310 [ 0.409000] pci 0000:00:09.0: reg 10: [mem 0x10002600-0x100026ff] [ 0.410000] pci 0000:00:0a.0: [14e4:6300] type 00 class 0x0c0320 [ 0.411000] pci 0000:00:0a.0: reg 10: [mem 0x10002500-0x100025ff] [ 0.413000] PCI host bridge to bus 0000:01 [ 0.414000] pci_bus 0000:01: root bus resource [mem 0xa0000000-0xa0ffffff] [ 0.415000] pci_bus 0000:01: root bus resource [??? 0x00000000 flags 0x0] [ 0.416000] pci 0000:01:00.0: [14e4:6362] type 01 class 0x060400 [ 0.417000] pci 0000:01:00.0: PME# supported from D0 D3hot [ 0.419000] pci 0000:01:00.0: PCI bridge to [bus 02-02] [ 0.420000] bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated [ 0.421000] bcmleg_spi bcmleg_spi.0: master is unqueued, this is deprecated [ 0.424000] skbFreeTask created successfully [ 0.425000] gbpm_do_work scheduled [ 0.426000] BLOG v3.0 Initialized [ 0.427000] BLOG Rule v1.0 Initialized [ 0.428000] Broadcom IQoS v0.1 Jun 14 2015 19:01:21 initialized [ 0.429000] Broadcom GBPM v0.1 Jun 14 2015 19:01:22 initialized [ 0.430000] NET: Registered protocol family 8 [ 0.431000] NET: Registered protocol family 20 [ 0.432000] Switching to clocksource MIPS [ 0.438000] NET: Registered protocol family 2 [ 0.442000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes) [ 0.450000] TCP established hash table entries: 4096 (order: 3, 32768 bytes) [ 0.457000] TCP bind hash table entries: 4096 (order: 3, 32768 bytes) [ 0.463000] TCP: Hash tables configured (established 4096 bind 4096) [ 0.470000] TCP: reno registered [ 0.473000] UDP hash table entries: 128 (order: 0, 4096 bytes) [ 0.479000] UDP-Lite hash table entries: 128 (order: 0, 4096 bytes) [ 0.486000] NET: Registered protocol family 1 [ 0.490000] PCI: CLS mismatch (64 != 16), using 16 bytes [ 0.496000] bcm_tstamp initialized, (hpt_freq=200000000 2us_div=200 2ns_mult=5 2ns_shift=0) [ 0.507000] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.513000] jffs2: version 2.2 (NAND) (SUMMARY) (ZLIB) (RTIME) (CMODE_PRIORITY) © 2001-2006 Red Hat, Inc. [ 0.523000] fuse init (API version 7.18) [ 0.527000] msgmni has been set to 238 [ 0.533000] io scheduler noop registered (default) [ 0.543000] Broadcom NAND controller (BrcmNand Controller) [ 0.548000] mtd->oobsize=0, mtd->eccOobSize=0 [ 0.552000] NAND_CS_NAND_XOR=00000001 [ 0.556000] Disabling XOR: Before: SEL=40000001, XOR=00000001 [ 0.562000] Disabling XOR: After: SEL=40000000, XOR=00000000 [ 0.568000] B4: NandSelect=40000000, nandConfig=04042300, chipSelect=0 [ 0.574000] brcmnand_read_id: CS0: dev_id=20762076 [ 0.579000] After: NandSelect=40000000, nandConfig=04042300 [ 0.585000] Block size=00004000, erase shift=14 [ 0.590000] NAND Config: Reg=04042300, chipSize=64 MB, blockSize=16K, erase_shift=e [ 0.598000] busWidth=1, pageSize=512B, page_shift=9, page_mask=000001ff [ 0.604000] timing1 not adjusted: 5363444f [ 0.609000] timing2 not adjusted: 00000fc6 [ 0.613000] BrcmNAND mfg 20 76 ST ST_NAND512W3A 64MB on CS0 [ 0.619000] [ 0.619000] Found NAND on CS0: ACC=f3000000, cfg=04042300, flashId=20762076, tim1=5363444f, tim2=00000fc6 [ 0.630000] BrcmNAND version = 0x0202 64MB @00000000 [ 0.635000] B4: NandSelect=40000000, nandConfig=04042300, chipSelect=0 [ 0.642000] brcmnand_read_id: CS0: dev_id=20762076 [ 0.647000] After: NandSelect=40000000, nandConfig=04042300 [ 0.652000] Found NAND flash on Chip Select 0, chipSize=64MB, usable size=64MB, base=0 [ 0.661000] brcmnand_scan: B4 nand_select = 40000000 [ 0.666000] brcmnand_scan: After nand_select = 40000000 [ 0.671000] page_shift=9, bbt_erase_shift=14, chip_shift=26, phys_erase_shift=14 [ 0.679000] Brcm NAND controller version = 2.2 NAND flash size 64MB @1c000000 [ 0.686000] brcmnand_scan: mtd->oobsize=16 [ 0.690000] brcmnand_scan: oobavail=12, eccsize=512, writesize=512 [ 0.697000] brcmnand_scan, eccsize=512, writesize=512, eccsteps=1, ecclevel=15, eccbytes=3 [ 0.708000] Gateway flash mapping [ 0.712000] [NAND] : tBBT loaded [ 0.712000] [ 0.716000] Technicolor nand flash translation layer initialized. [ 0.723000] flash mapping initialized, size=64 Mb [ 0.728000] parse_btab: num_banks (5) [ 0.731000] Creating 1 MTD partitions on "technicolor-nand-tl": [ 0.737000] 0x000002c54000-0x000003ea4000 : "rootfs" [ 0.746000] Creating 5 MTD partitions on "technicolor-nand-tl": [ 0.752000] 0x000000080000-0x000001600000 : "rootfs_data" [ 0.762000] 0x000001600000-0x000002a54000 : "bank_1" [ 0.770000] 0x000002a54000-0x000003ea8000 : "bank_2" [ 0.779000] 0x000000020000-0x000000040000 : "eripv2" [ 0.786000] 0x000000040000-0x000000080000 : "rawstorage" [ 0.793000] Creating 1 MTD partitions on "technicolor-nand-tl": [ 0.798000] 0x00000001fffd-0x000000020000 : "blversion" [ 0.809000] PPP generic driver version 2.4.2 [ 0.814000] PPP BSD Compression module registered [ 0.818000] PPP Deflate Compression module registered [ 0.823000] NET: Registered protocol family 24 [ 0.828000] brcmboard: brcm_board_init entry [ 0.832000] DYING GASP IRQ initialized [ 0.836000] Serial: BCM63XX driver $Revision: 3.00 $ [ 0.841000] Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands) [ 0.852000] ttyS0 at MMIO 0xb0000100 (irq = 11) is a BCM63XX [ 0.858000] ttyS1 at MMIO 0xb0000120 (irq = 12) is a BCM63XX [ 0.864000] Total # RxBds=2845 [ 0.866000] bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized [ 0.866000] [ 0.874000] bcmPktDma_init: Broadcom Packet DMA Library initialized [ 0.881000] IPSEC SPU: SUCCEEDED [ 0.884000] GACT probability NOT on [ 0.888000] Mirror/redirect action on [ 0.891000] u32 classifier [ 0.894000] input device check on [ 0.898000] Actions configured [ 0.902000] TCP: cubic registered [ 0.905000] Initializing XFRM netlink socket [ 0.910000] NET: Registered protocol family 10 [ 0.916000] IPv6 over IPv4 tunneling driver [ 0.923000] NET: Registered protocol family 17 [ 0.927000] NET: Registered protocol family 15 [ 0.932000] Bridge firewalling registered [ 0.936000] Initializing MCPD Module [ 0.940000] Ebtables v2.0 registered [ 0.944000] ebt_time registered [ 0.947000] ebt_ftos registered [ 0.950000] ebt_wmm_mark registered [ 0.953000] 8021q: 802.1Q VLAN Support v1.8 [ 0.967000] VFS: Mounted root (squashfs filesystem) readonly on device 31:1. [ 0.975000] Freeing unused kernel memory: 208k freed - preinit - - regular preinit - [ 4.793000] jffs2: notice: (345) jffs2_build_xattr_subsystem: complete building xattr subsystem, 3 of xdatum (1 unchecked, 1 orphan) and 70 of xref (0 dead, 10 orphan) found. switching to jffs2 HOMEWARE_CONFIG_ON_ACTIVE_BANK Dual bank, overlay on /overlay/bank_2 [ 5.816000] tommath: module license 'unspecified' taints kernel. [ 5.822000] Disabling lock debugging due to kernel taint [ 6.065000] Dsl Annex A board [ 6.067000] Set board (DANT-U) - init - [ 7.598000] gre: GRE over IPv4 demultiplexor driver [ 7.714000] ip_gre: GRE over IPv4 tunneling driver [ 7.745000] ip6_gre: GRE over IPv6 tunneling driver [ 7.776000] ip_tables: (C) 2000-2006 Netfilter Core Team [ 8.212000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 8.218000] PCI: Enabling device 0000:00:0a.0 (0000 -> 0002) [ 8.224000] ehci_hcd 0000:00:0a.0: setting latency timer to 64 [ 8.230000] ehci_hcd 0000:00:0a.0: EHCI Host Controller [ 8.236000] ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1 [ 8.243000] ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM [ 8.270000] ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500 [ 8.281000] ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00 [ 8.287000] hub 1-0:1.0: USB hub found [ 8.290000] hub 1-0:1.0: 2 ports detected [ 8.436000] nf_conntrack version 0.5.0 (1914 buckets, 7656 max) [ 9.464000] xt_time: kernel timezone is -0000 [ 10.445000] Netfilter messages via NETLINK v0.30. [ 11.043000] ip6_tables: (C) 2000-2006 Netfilter Core Team [ 11.452000] ctnetlink v0.93: registering with nfnetlink. [ 11.515000] bcmxtmrt: Broadcom BCM6362B0 ATM/PTM Network Device v0.3 Jun 14 2015 18:31:56 [ 11.547000] NF_TPROXY: Transparent proxy support initialized, version 4.1.0 [ 11.554000] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd. [ 11.886000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 11.892000] PCI: Enabling device 0000:00:09.0 (0000 -> 0002) [ 11.898000] ohci_hcd 0000:00:09.0: setting latency timer to 64 [ 11.904000] ohci_hcd 0000:00:09.0: OHCI Host Controller [ 11.909000] ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2 [ 11.917000] ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600 [ 11.978000] hub 2-0:1.0: USB hub found [ 11.982000] hub 2-0:1.0: 2 ports detected [ 12.070000] Broadcom Ingress QoS Module Char Driver v0.1 Jun 14 2015 18:27:50 Registered<243> [ 12.079000] [ 12.079000] Broadcom Ingress QoS ver 0.1 initialized [ 12.111000] BPM: tot_mem_size=134217728B (128MB), buf_mem_size <15%> =20132655B (19MB), num of buffers=9986, buf size=2016 [ 12.121000] Broadcom BPM Module Char Driver v0.1 Jun 14 2015 18:26:55 Registered<244> [ 12.344000] NBUFF v1.0 Initialized [ 12.361000] Initialized fcache state [ 12.365000] Broadcom Packet Flow Cache Char Driver v2.2 Jun 14 2015 18:27:51 Registered<242> [ 12.375000] Created Proc FS /procfs/fcache [ 12.379000] Broadcom Packet Flow Cache registered with netdev chain [ 12.387000] Broadcom Packet Flow Cache learning via BLOG enabled. [ 12.394000] [FHW] pktDbgLvl[0xc05cb010]=0 [ 12.399000] [FHW] fhw_construct: [ 12.404000] Initialized Fcache HW accelerator layer state [ 12.412000] flwStatsThread created [ 12.426000] Constructed Broadcom Packet Flow Cache v2.2 Jun 14 2015 18:27:51 [ 12.684000] chipId 0x636220B0 [ 12.686000] Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Jun 14 2015 18:27:35 Registered <241> [ 12.696000] Enabling SMISBUS PHYS_FAP_BASE[0] is 0x14001000 [ 12.722000] FAP Soft Reset Done [ 12.725000] 4ke Reset Done [ 12.735000] FAP Debug values at 0xa5122640 0xa5122640 [ 12.741000] fapGso_LoopBkThread created successfully [ 12.745000] Allocated FAP0 SWQ_HOST2FAP_GSO_LOOPBACK_Q mem=a57b4000 : 16384 bytes [ 12.753000] Allocated FAP0 SWQ_FAP2HOST_GSO_LOOPBACK_Q mem=a5040000 : 16384 bytes [ 12.761000] GSO LOOPBACK Cached HOST2FAP Q INFO: [ 12.761000] Swq =b1015fc4 qStart=a57b4000 qEnd=a57b8000 msgSize=4 dqm=18 fapId=0 [ 12.773000] GSO LOOPBACK Cached FAP2HOST Q INFO: [ 12.773000] Swq =b1015f94 qStart=a5040000 qEnd=a5044000 msgSize=2 dqm=19 fapId=0 [ 12.786000] Allocated FAP0 SWQ_FAP2HOST_WFD_Q mem=a72de000 : 7200 bytes [ 12.792000] Allocated FAP0 SWQ_FAP2HOST_WFD_Q mem=a50ee000 : 7200 bytes [ 12.800000] Allocated FAP0 TM SDRAM Queue Storage (a51336d0) : 341376 bytes @ a5180000 [ 12.808000] [NTC fapProto] fapReset : Reset FAP Protocol layer [ 12.814000] [FAP0] DSPRAM : stack <0x80004000><1536>, global <0x80004600><4192>, free <2464>, total<8192> [ 12.824000] [FAP0] PSM : addr<0xE0010000>, used <24676>, free <8092>, total <32768> [ 12.832000] [FAP0] DQM : availableMemory 14668 bytes, nextByteAddress 0xE0004610 [ 12.840000] [FAP0] Initializing FAP4KE GSO LOOPBACK on fapIdx=0 ... [ 12.846000] [FAP0] SWQ: HOST2FAP_GSO_LOOPBACK [ 12.851000] [FAP0] >>>>------------------ [ 12.855000] [FAP0] swq =e0015fc4 msgSize =4 words , maxDepth=1024 [ 12.861000] [FAP0] qStart =a57b4000 qEnd=a57b8000 [ 12.866000] [FAP0] rdPtr =a57b4000 wrPtr=a57b4000 count=0 [ 12.871000] [FAP0] swq->interrupts 0 processed =0 dropped =0 [ 12.877000] [FAP0] Associated DQM=18 dir HOST2FAP [ 12.882000] [FAP0] ------------------<<<< [ 12.887000] [FAP0] SWQ: FAP2HOST_GSO_LOOPBACK [ 12.891000] [FAP0] >>>>------------------ [ 12.895000] [FAP0] swq =e0015f94 msgSize =2 words , maxDepth=2048 [ 12.902000] [FAP0] qStart =a5040000 qEnd=a5044000 [ 12.906000] [FAP0] rdPtr =a5040000 wrPtr=a5040000 count=0 [ 12.912000] [FAP0] swq->interrupts 0 processed =0 dropped =0 [ 12.918000] [FAP0] Associated DQM=19 dir FAP2HOST [ 12.923000] [FAP0] ------------------<<<< [ 12.927000] [FAP0] FAP4KE GSO LOOPBACK Init Done... [ 12.932000] [FAP0] IC Timer started [ 12.936000] [FAP0] FAP4KE WFD Init Done... [ 12.940000] [FAP0] FAP BPM Initialized. [ 12.944000] Broadcom Packet Flow Cache HW acceleration enabled. [ 12.951000] fapDrv_construct: FAP0: pManagedMemory=b1010650. wastage 8 bytes [ 12.958000] bcmPktDma_bind: FAP Driver binding successfull [ 12.964000] [FAP0] FAP TM: ON [ 13.165000] Broadcom BCM6362B0 Ethernet Network Device v0.1 Jun 14 2015 18:31:39 [ 13.172000] fapDrv_psmAlloc: fapIdx=0, size: 4800, offset=b1010650 bytes remaining 7000 [ 13.180000] ETH Init: Ch:0 - 200 tx BDs at 0xb1010650 [ 13.185000] fapDrv_psmAlloc: wastage 8 bytes [ 13.190000] fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b1011910 bytes remaining 2184 [ 13.198000] ETH Init: Ch:0 - 600 rx BDs at 0xb1011910 [ 13.203000] [FAP0] enetRxChannel 0 [ 13.210000] ETH Init: Ch:1 - 1997 rx BDs at 0xa79c0000 [ 13.255000] dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered [ 13.263000] eth0: PHY_ID <0x00000004 : 0x04> MAC : 30:91:8F:A3:DA:8C [ 13.273000] eth1: PHY_ID <0x00000003 : 0x03> MAC : 30:91:8F:A3:DA:8C [ 13.284000] eth2: PHY_ID <0x00000002 : 0x02> MAC : 30:91:8F:A3:DA:8C [ 13.295000] eth3: PHY_ID <0x01880019 : 0x19> MAC : 30:91:8F:A3:DA:8C [ 13.305000] eth4: PHY_ID <0x02080058 : 0x18> MAC : 30:91:8F:A3:DA:8C [ 13.363000] Chip WAN Only Port 00000000, Defined WAN Only Port 00000000, WAN Only Port Result: 0x00000000 [ 13.372000] Chip WAN Preffered Port 00000000, Defined WAN Preffered Port 00000000, WAN Preffered Port Result: 0x00000000 [ 13.383000] Chip LAN Only Port 00000000, Defined LAN Only Port 00000000, LAN Only Port Result: 0x00000000 [ 13.525000] Broadcom 802.1Q VLAN Interface, v0.1 [ 13.659000] Wifi Forwarding Driver is initialized! [ 16.356000] --SMP support [ 16.358000] wl: dsl_tx_pkt_flush_len=338 [ 16.362000] wl: norm_wmark_tot=3643, pktc_wmark_tot=3643 [ 16.368000] wl 0000:00:00.0: setting latency timer to 64 [ 16.373000] wl: passivemode=1 [ 16.376000] wl0: creating kthread wl0-kthrd [ 16.392000] wl: napimode=0 [ 16.399000] Neither SPROM nor OTP has valid image [ 16.403000] wl:srom/otp not programmed, using main memory mapped srom info(wombo board) [ 16.411000] wl: ID=sb/0/ [ 16.414000] wl: ID=sb/0/ [ 16.516000] wl: loading /etc/wlan/bcm6362_map.bin [ 16.520000] srom rev:8 [ 16.529000] wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=32 [ 16.570000] wl0: allocskbmode=1 currallocskbsz=1024 [ 16.583000] wfd_bind: Dev wl%d wfd_idx 0 Type skb configured WFD thread wfd0-thrd RxQId (20), status (0) number_of_queues 1 qmask 0x1 [ 16.583000] Instantiating WFD 0 thread [ 16.600000] +++++ Added gso loopback support for dev=wl0 <85022000> [ 16.607000] wl0: Broadcom BCM435f 802.11 Wireless Controller 7.14.89.14.cpe4.16L03.0-kdb [ 16.614000] dgasp: kerSysRegisterDyingGaspHandler: wl0 registered [ 16.750000] bcmxtmcfg: bcmxtmcfg_init entry [ 16.949000] adsl: adsl_init entry [ 17.119000] usbcore: registered new interface driver usbserial [ 17.124000] usbserial: USB Serial Driver core [ 17.242000] usbcore: registered new interface driver sierra [ 17.247000] USB Serial support registered for Sierra USB modem [ 17.278000] usbcore: registered new interface driver sierra_net [ 17.317000] Initializing USB Mass Storage driver... [ 17.321000] usbcore: registered new interface driver usb-storage [ 17.327000] USB Mass Storage support registered. [ 17.460000] usbcore: registered new interface driver cdc_wdm [ 17.584000] PCIe: No device found - Powering down [ 17.618000] usbcore: registered new interface driver huawei_ether [ 17.648000] usbcore: registered new interface driver cdc_ether [ 17.810000] input: gpio-buttons as /devices/platform/gpio-buttons.0/input/input0 [ 17.842000] Button Hotplug driver version 0.4.1 [ 17.870000] usbcore: registered new interface driver qmi_wwan [ 17.904000] usbcore: registered new interface driver option [ 17.909000] USB Serial support registered for GSM modem (1-port) [ 17.939000] usbcore: registered new interface driver qcserial [ 17.945000] USB Serial support registered for Qualcomm USB modem [ 17.974000] Loading PCM shim driver [ 20.249000] SIOCGMIIPHY : Invalid swPort: 16 [ 20.281000] SIOCGMIIPHY : Invalid swPort: 16 [ 20.307000] ETHSETSPOWERDOWN : Invalid swPort: 16 [ 26.671000] Registered led device: power:green [ 26.685000] Registered led device: power:red [ 26.689000] Registered led device: power:blue [ 26.693000] Registered led device: wireless:green [ 26.703000] Registered led device: wps:red [ 26.713000] Registered led device: wps:green [ 26.717000] Registered led device: broadband:green [ 26.722000] Registered led device: internet:red [ 26.732000] Registered led device: internet:green [ 26.736000] Registered led device: ethernet:green [ 26.741000] Registered led device: fxs1:green [ 26.745000] Registered led device: fxs2:green [ 26.750000] Registered led device: power:orange [ 26.755000] Registered led device: internet:orange [ 26.760000] Registered led device: wps:orange Note: Loading 6300 MDK (default) driver for 6362 chip Switch MDK: num_switches = 1 Switch MDK: unit = 0; phy_pbmp = 0x3e; config_pbmp = 0x3e Switch MDK link poll thread: unit=0; phypbmp=0x3e config_pbmp=0x3e [ 28.878000] Energy Efficient Ethernet: Enabled [ 28.913000] SIOCGMIIPHY : Invalid swPort: 16 [ 28.977000] SIOCGMIIPHY : Invalid swPort: 16 [ 29.037000] ETHSETSPOWERDOWN : Invalid swPort: 16 [ 32.724000] fapDrv_psmAlloc: fapIdx=0, size: 1600, offset=b1012be0 bytes remaining 584 [ 32.732000] XTM Init: 200 rx BDs at 0xb1012be0 [ 32.738000] fapDrv_psmAlloc: fapIdx=0, size: 128, offset=b1013220 bytes remaining 456 [ 32.746000] XTM Init: 16 rx BDs at 0xb1013220 [ 32.910000] monitor task is initialized pid= 1626 [ 33.407000] bcmxtmrt: MAC address: 30 91 8f a3 da 8c [ 33.412000] [DoCreateDeviceReq.3393]: register_netdev [ 33.418000] [DoCreateDeviceReq.3395]: register_netdev done [ 33.423000] [FAP0] xtmCreateDevice : devId 0, encapType 0, headerLen 10 [ 33.450000] ADDRCONF(NETDEV_UP): atm_wan: link is not ready [ 33.879000] bcmxtmrt: MAC address: 30 91 8f a3 da 8c [ 33.883000] [DoCreateDeviceReq.3393]: register_netdev [ 33.890000] [DoCreateDeviceReq.3395]: register_netdev done [ 33.895000] [FAP0] xtmCreateDevice : devId 1, encapType 0, headerLen 10 [ 33.914000] ADDRCONF(NETDEV_UP): atm_voip: link is not ready [ 34.325000] bcmxtmrt: MAC address: 30 91 8f a3 da 8c [ 34.329000] [DoCreateDeviceReq.3393]: register_netdev [ 34.336000] [DoCreateDeviceReq.3395]: register_netdev done [ 34.341000] [FAP0] xtmCreateDevice : devId 2, encapType 0, headerLen 10 [ 34.360000] ADDRCONF(NETDEV_UP): atm_iptv: link is not ready [ 37.896000] wl_event_open [ 37.898000] wl_event_open COMPLETED Hostapd starting... (1) [ 40.073000] *** dslThread dslPid=1928 [ 40.076000] BcmAdsl_Initialize=0xC11B6050, g_pFnNotifyCallback=0xC11E5500 [ 40.331000] pSdramPHY=0xA11FFFF8, 0xFFFFFFFF 0xFFFFFFFF [ 40.336000] *** XfaceOffset: 0x21F90 => 0x21F90 *** [ 40.577000] *** PhySdramSize got adjusted: 0x90870 => 0xA693C *** [ 40.582000] AdslCoreSharedMemInit: shareMemSize=366240(366240) [ 40.595000] AdslCoreHwReset: pLocSbSta=84230000 bkupThreshold=1600 [ 40.601000] AdslCoreHwReset: AdslOemDataAddr = 0xA118526C [ 40.607000] VersionInfo: A2pD039f.d26c [ 40.611000] ***BcmDiagsMgrRegisterClient: 0 *** [ 40.615000] dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered [ 42.832000] AutoGreeen changed to disabled [ 42.948000] Energy Efficient Ethernet changed to disabled [ 45.972000] ADDRCONF(NETDEV_UP): eth0: link is not ready [ 45.980000] device eth0 entered promiscuous mode [ 46.010000] ADDRCONF(NETDEV_UP): br-lan: link is not ready [ 46.025000] ADDRCONF(NETDEV_UP): eth1: link is not ready [ 46.031000] device eth1 entered promiscuous mode [ 46.044000] ADDRCONF(NETDEV_UP): eth2: link is not ready [ 46.050000] device eth2 entered promiscuous mode [ 46.063000] ADDRCONF(NETDEV_UP): eth3: link is not ready [ 46.069000] device eth3 entered promiscuous mode [ 46.408000] device wl0 entered promiscuous mode [ 46.413000] br-lan: port 5(wl0) entered forwarding state [ 46.418000] br-lan: port 5(wl0) entered forwarding state [ 46.424000] ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready [ 48.425000] br-lan: port 5(wl0) entered forwarding state [ 87.613000] mapEthPortToRxIudma : Invalid Argument: port <3>, channel <3> [ 87.703000] mapEthPortToRxIudma : Invalid Argument: port <3>, channel <3> [ 87.794000] mapEthPortToRxIudma : Invalid Argument: port <3>, channel <2> [ 87.885000] mapEthPortToRxIudma : Invalid Argument: port <3>, channel <2> [ 88.334000] mapEthPortToRxIudma : Invalid Argument: port <2>, channel <3> [ 88.406000] mapEthPortToRxIudma : Invalid Argument: port <2>, channel <3> [ 88.486000] mapEthPortToRxIudma : Invalid Argument: port <2>, channel <2> [ 88.559000] mapEthPortToRxIudma : Invalid Argument: port <2>, channel <2> [ 88.908000] mapEthPortToRxIudma : Invalid Argument: port <1>, channel <3> [ 88.988000] mapEthPortToRxIudma : Invalid Argument: port <1>, channel <3> [ 89.078000] mapEthPortToRxIudma : Invalid Argument: port <1>, channel <2> [ 89.164000] mapEthPortToRxIudma : Invalid Argument: port <1>, channel <2> [ 89.645000] mapEthPortToRxIudma : Invalid Argument: port <4>, channel <3> [ 89.730000] mapEthPortToRxIudma : Invalid Argument: port <4>, channel <3> [ 89.812000] mapEthPortToRxIudma : Invalid Argument: port <4>, channel <2> [ 89.905000] mapEthPortToRxIudma : Invalid Argument: port <4>, channel <2> [ 90.259000] mapEthPortToRxIudma : Invalid Argument: port <5>, channel <3> [ 90.344000] mapEthPortToRxIudma : Invalid Argument: port <5>, channel <3> [ 90.475000] mapEthPortToRxIudma : Invalid Argument: port <5>, channel <2> [ 90.576000] mapEthPortToRxIudma : Invalid Argument: port <5>, channel <2> [ 90.975000] Done. [ 94.933000] br_netlink_mcpd.c: Setting registration type 0 pid to 3866
So this is obviously a Broadcom E63xx-based router.
Get into the firmware
The router is probably using some fork of CFE and has an embedded firmware update service. Here is where I learnt about CFE. I just guessed the router would be using it because the strings in the console seems to be altered versions of messages from CFE. You access the firmware update mode by holding the reset button (with a pen or needle or something, it is found in the hole between the two USB ports) while powering on the device. Release after a while. The green LED first goes on, then when the red LED goes on, we are in BOOTP mode and you can release the RESET button. If you have a serial port attached like I do, it will prompt:
Version BL: 1.1.3 BOOTP reason : BLFLAG_BUTTON_PUSH
And if a cable is connected to a host, also:
[ROBO] : phy_19 up [ROBO] : phy_19 fdx [ROBO] : phy_19 1Gb Ctrl: BOOTP initiated.
It then waits for something to happen. If nothing happens, it times out and says:
***Resetting the board*** [RESET] : board_reset : Debug CallStack information 81305f84 81305dd8 813147f8 81305f84 81305e58 81305e48 81305ea8 813176ac 8131767c 81306048 8131e2e4 81305ee8 8131b8c4 8131e2e4 8131e2e4 81306d70 81306c28 8131cdfc 81307cc4 8131b914 8131bf3c 8131bef4 813000c8 Decompressing Bootloader.................................
Connect an ethernet cord to one of the YELLOW connectors on the box, and to your computer. If you run tcpdump -v you will see this coming from the box:
10:46:37.057765 IP (tos 0x0, ttl 64, id 1271, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from xx:xx:xx:xx:xx:xx (oui Unknown), length 300, xid 0x8fa3da8c, secs 37, Flags [Broadcast] Client-Ethernet-Address xx:xx:xx:xx:xx:xx (oui Unknown) file "DANT-U" Vendor-rfc1048 Extensions Magic Cookie 0x63825363 Vendor-Option Option 43, length 55: 83.84.5.4.146.6.1.1.3.7.64.8.49.53.48.54.84.65.66.68.86.0.0.0.0.0.0.0.9.0.1.10.0.0.0.0.0.0.0.0.0.0.0.0.11.0.6.1.1.9.0.0.0.12.255
So the machine is now in TFTP mode, asking for a file called DANT-U which is incidentally the name of the board.
So now we need to set up a BOOTP and DHCP server to serve a potential file. The firmware update service will only accept .bli file (I guess this means "boot loader image". So your DHCP configuration needs to look something like this:
subnet 169.254.1.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
range dynamic-bootp 169.254.1.10 169.254.1.100;
host tg784n {
hardware ethernet xx:xx:xx:xx:xx:xx;
default-lease-time 200000;
next-server 169.254.1.1;
filename "/tg784n.bli";
}
}
This enables us to flash a new firmware into the device by putting a valid .bli image into the TFTP root folder. I took the really old TG784nV3_10.2.6.2._gen_dant-u.bli firmware that I found online (see "downloads") so that the console login etc would still be there.
When I hold down RESET, power on the router and wait until the LED goes RED, the ethernet traffic starts (looked through tcpdump) and the following happens in the console:
Decompressing Bootloader................................. Gateway initialization sequence started. Version BL: 1.1.3 BOOTP reason : BLFLAG_BUTTON_PUSH [ROBO] : phy_19 up [ROBO] : phy_19 fdx [ROBO] : phy_19 1Gb Ctrl: BOOTP initiated. Ctrl: BOOTP Reply received! ***** Own IP = 169.254.1.10 () ***** Server = 169.254.1.1 () ***** Mask = 255.255.255.0 ***** Filename = /tg784n.bli Ctrl: TFTP started (Rx:/tg784n.bli). Ctrl: TFTP (SDRAM) finished (success). *** New build received *** [STARTADDRESS] : C0040000 [BUILDLENGTH] : 63920 kB *** FlashProgram started, please be patient! *** *** 63920 kB programmed *** *** flashing finished --> clearing FVP *** Clearing bank FVP for bank 0 Clearing bank FVP for bank 1 Clearing kernel FVP for bank 1 at address 0xc1600000 Clearing bank FVP for bank 2 Clearing kernel FVP for bank 2 at address 0xc2a54000 Bank 2 is of type BOOTABLE, but does not contain a valid kernel at address 0xc2a54000. Clearing bank FVP for bank 4 *** flashing finished --> rebooting modem *** ***Resetting the board*** [RESET] : board_reset : Debug CallStack information 81305f84 81305dd8 813147f8 81305f84 81305e58 81305e48 81305ea8 813176ac 8131767c 81306048 8131e2e4 81305ee8 8131b8c4 8131e2e4 8131e2e4 81306d70 81306c28 8131cdfc 81307cc4 8131b914 8131bf3c 8131bef4 813000c8
If we instead flash the .rbi image, this happens:
Decompressing Bootloader................................. Gateway initialization sequence started. Version BL: 1.1.3 BOOTP reason : BLFLAG_BUTTON_PUSH [ROBO] : phy_19 up [ROBO] : phy_19 fdx [ROBO] : phy_19 1Gb Ctrl: BOOTP initiated. Ctrl: BOOTP Reply received! ***** Own IP = 169.254.1.10 () ***** Server = 169.254.1.1 () ***** Mask = 255.255.255.0 ***** Filename = /tg784n.rbi Ctrl: TFTP started (Rx:/tg784n.rbi). Ctrl: TFTP (SDRAM) finished (success). *** New build received *** [STARTADDRESS] : C1600000 [BUILDLENGTH] : 20816 kB *** FlashProgram started, please be patient! *** *** 20816 kB programmed *** *** flashing finished --> clearing FVP *** Clearing bank FVP for bank 1 Clearing kernel FVP for bank 1 at address 0xc1600000 Clearing bank FVP for bank 2 Clearing kernel FVP for bank 2 at address 0xc2a54000 Bank 2 is of type BOOTABLE, but does not contain a valid kernel at address 0xc2a54000. *** flashing finished --> rebooting modem *** ***Resetting the board*** [RESET] : board_reset : Debug CallStack information 81305f84 81305dd8 813147f8 81305f84 81305e58 81305e48 81305ea8 813176ac 8131767c 81306048 8131e2e4 81305ee8 8131b8c4 8131e2e4 8131e2e4 81306d70 81306c28 8131cdfc 81307cc4 8131b914 8131bf3c 8131bef4 813000c8
It then proceeds to a much nicer old kernelboot which gives me a prompt:
Decompressing Bootloader................................. Gateway initialization sequence started. Version BL: 1.1.3Booting bank 1 Multicore enable; Booting Linux kernel pfuncjmp = A0001840 Gateway initialization sequence started. JTAG select tp0 BOOTING THE LINUX KERNEL Starting the kernel @ 0x801e6b20 Extra parameters passed to Linux: [0]: bootloader [1]: memsize=0x7EDD000 [2]: btab=0xc004020c [3]: btab_bootid=1 [4]: tbbt_addr=0x3eb4000 Linux version 2.6.30 (gcc version 3.4.6) #1 Tue Mar 5 05:24:37 CET 2013 BCM63XX prom init CPU revision is: 0002a070 (Broadcom4350) physical memory available : 129908 Kb memory reserved for GOMP core : 25600 Kb memory reserved for GOMP shared data : 4 Kb Reserving DSL memory: 00500000-005FFFFF Determined physical RAM map: memory: 004fe000 @ 00002000 (usable) memory: 05fdc000 @ 00600000 (usable) memory: 00100000 @ 87f00000 (usable) Wasting 64 bytes for tracking 2 unused pages Zone PFN ranges: DMA 0x00000002 -> 0x00001000 Normal 0x00001000 -> 0x00020000 Movable zone start PFN for each node early_node_map[2] active PFN ranges 0: 0x00000002 -> 0x00000500 0: 0x00000600 -> 0x000065dc On node 0 totalpages: 25818 free_area_init_node: node 0, pgdat 80246080, node_mem_map 81000040 DMA zone: 32 pages used for memmap DMA zone: 0 pages reserved DMA zone: 3806 pages, LIFO batch:0 Normal zone: 172 pages used for memmap Normal zone: 21808 pages, LIFO batch:3 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 25614 Kernel command line: root=31:0 ro noinitrd memsize=0x7EDD000 btab=0xc004020c btab_bootid=1 tbbt_addr=0x3eb4000 console=ttyS0,115200 root=/dev/mtdblocs wait instruction: enabled Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes NR_IRQS:128 PID hash table entries: 512 (order: 9, 2048 bytes) console [ttyS0] enabled Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) Allocated NMON module memory - CORE=0x810e8e20 SIZE=1638400, INIT=0x0 SIZE=0 Memory: 97984k/103272k available (1909k kernel code, 5212k reserved, 359k data, 108k init, 0k highmem) Calibrating delay loop... 399.36 BogoMIPS (lpj=199680) Mount-cache hash table entries: 512 --Kernel Config-- SMP=0 PREEMPT=0 DEBUG_SPINLOCK=0 DEBUG_MUTEXES=0 net_namespace: 584 bytes NET: Registered protocol family 16 registering PCI controller with io_map_base unset registering PCI controller with io_map_base unset bio: create slabat 0 usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10013fff] pci 0000:00:00.0: reg 30 32bit mmio: [0x000000-0x0007ff] pci 0000:00:00.0: supports D1 D2 pci 0000:00:00.0: PME# supported from D0 D3hot D3cold pci 0000:00:00.0: PME# disabled pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff] pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff] pci 0000:01:00.0: PME# supported from D0 D3hot pci 0000:01:00.0: PME# disabled pci 0000:01:00.0: PCI bridge, secondary bus 0000:02 pci 0000:01:00.0: IO window: disabled pci 0000:01:00.0: MEM window: disabled pci 0000:01:00.0: PREFETCH window: disabled PCI: Setting latency timer of device 0000:01:00.0 to 64 BLOG Rule v1.0 Initialized Broadcom IQoS v0.1 Mar 5 2013 05:23:41 initialized NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 4096 (order: 3, 32768 bytes) TCP bind hash table entries: 4096 (order: 2, 16384 bytes) TCP: Hash tables configured (established 4096 bind 4096) TCP reno registered NET: Registered protocol family 1 squashfs: version 4.0 (2009/01/31) Phillip Lougher squashfs: version 4.0 with LZMA457 ported by BRCM JFFS2 version 2.2. (NAND) �© 2001-2006 Red Hat, Inc. msgmni has been set to 191 io scheduler noop registered (default) Broadcom DSL NAND controller (BrcmNand Controller) i=0, CS[0] = 0 brcmnand_probe: CS0: dev_id=20762076 NAND Config: Reg=04042300, chipSize=64 MB, blockSize=16K, erase_shift=e busWidth=1, pageSize=512B, page_shift=9, page_mask=000001ff timing1 not adjusted: 5363444f timing2 not adjusted: 00000fc6 BrcmNAND mfg 20 76 ST ST_NAND512W3A 64MB Found NAND: ACC=f3000000, cfg=04042300, flashId=20762076, tim1=5363444f, tim2=00000fc6 BrcmNAND version = 0x0202 64MB @(null) brcmnand_probe: CS0: dev_id=20762076 1. Found NAND chip on Chip Select 0, chipSize=64MB, usable size=64MB, base=0x00000000 brcmnand_scan: B4 nand_select = 40000002 brcmnand_scan: After nand_select = 40000002 page_shift=9, bbt_erase_shift=14, chip_shift=26, phys_erase_shift=14 Brcm NAND controller version = 2.2 NAND flash size 64MB @00000000 brcmnand_scan: mtd->oobsize=16 brcmnand_scan: oobavail=12, eccsize=512, writesize=512 brcmnand_scan, eccsize=512, writesize=512, eccsteps=1, ecclevel=15, eccbytes=3 numchips=1, size=4000000 Gateway flash mapping [NAND] : tBBT loaded <5>Thomson nand flash translation layer initialized. flash mapping initialized parse_btab: num_banks (6) bank #0: 0, 80000 ( ) bank #1: 0, 1600000 ( ) bank #2: 0, 2a54000 ( ) bank #3: 0, 20000 ( ) bank #4: 0, 30000 ( ) bank #5: 0, 40000 ( ) Creating 1 MTD partitions on "thomson-nand-tl": 0x000001800000-0x000002a54000 : "rootfs" Creating 6 MTD partitions on "thomson-nand-tl": 0x000000080000-0x000001600000 : "userfs" 0x000001600000-0x000002a54000 : "bank_1" 0x000002a54000-0x000003ea8000 : "bank_2" 0x000000020000-0x000000030000 : "mtdss" 0x000000030000-0x000000040000 : "eeprom" 0x000000040000-0x000000080000 : "rawstorage" brcmboard: brcm_board_init entry Serial: BCM63XX driver $Revision: 3.00 $ ttyS0 at MMIO 0xb0000100 (irq = 11) is a BCM63XX ttyS1 at MMIO 0xb0000100 (irq = 11) is a BCM63XX ttyS2 at MMIO 0xb0000120 (irq = 12) is a BCM63XX TCP cubic registered NET: Registered protocol family 17 NET: Registered protocol family 15 VFS: Mounted root (squashfs filesystem) readonly on device 31:1. Freeing unused kernel memory: 108k freed init started: Bkserport: module license 'unspecified' taints kernel. Disabling lock debugging due to kernel taint geniodb driver: Loading ... geniodb driver: Loading finished with SUCCESS usyBox v1.00 (201B.03.05-04:25+00utton char device has been created and initialized. 00) multi-call binary init started: BusyBox v1.00 (2013.03.05-04:25+0000) multi-call binary Starting pid 129, console /dev/ttyS0: '/etc/init.d/rcS' Initializing random number generator loading geniodb kernel modules... [BCM ADSL] BcmAdsl_SetOverlayMode = 85 new=0 Initialize the IPC channels. Loading GOMP firmware : /nmon/firmware/gomp.firm loaded 5547 Kb @ 0x868A4048 Kicking off Forward Core at entry point 0x868A4048... Wait for completion.... Gateway GOMP -- CORE ID 1 initialization sequence started. Enabling SMISBUS PHYS_FAP_BASE is 0x14001000 FAP Soft Reset Done 4ke Reset Done fapDrv_construct: wastage 8 bytes bcmPktDma_bind: FAP Driver binding successfull 4KE> PACKET : ethHeader 14, bcmHeader 6, vlanHeader 4, pppoeHeader 8 ipv4Header 20, ipv6Header 0, tcpHeader 20, udpHeader 8 icsum 4, ipTuple 20, key 4, flow 48, flowInfo 32 4KE> DQM : XtmRx 16, XtmTx 16, EthRx 16, EthTx 16 4KE> MBOX : 4 4KE> DSPRAM : stack <0x80004000><1024>, global <0x80004400><6760>, free <408>, total<8192> 4KE> PSM : addr<0xE0010000>, used <32692>, free <76>, total <32768> 4KE> FAP BPM Initialized. 4KE> FAP Ingress QoS Initialized. [BCM ADSL] ------ dslFileLoadImage : OverlayMode = 0 fname=ZXD3AA pci 0000:00:00.0: firmware: requesting ZXD3AA [BCM ADSL] Firmware load : 550488 550488 LMEM=(0xB0D80000, 11764) SDRAM=(0xA0500000, 538716) pci 0000:00:00.0: firmware: requesting phy Total # RxBds=1616 bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized fapDrv_psmAlloc: bytes remaining 9400 fapDrv_psmAlloc: bytes remaining 5800 fapDrv_psmAlloc: bytes remaining 1000 b6w_init FOUND WL DEVICE 0, bus=0, device=0, func=0, vendorid=14E4, deviceid=435F, regaddr=10004000, irq=15 wl:srom/otp not programmed, using main memory mapped srom info(wombo board) IPC bcm6362 : rtems core has finished init, continueing... GOMP firmware loaded and running. Linux Driver Relay v0.1 Mar 5 2013 06:15:19 loaded veth0 (): not using net_device_ops yet Forwarding Adaptation Layer v0.1 Mar 5 2013 06:15:20 NET: Registered protocol family 9 NET: Registered protocol family 6 NET: Registered protocol family 5 NET: Registered protocol family 18 NET: Registered protocol family 25 NET: Registered protocol family 10 NET: Registered protocol family 24 Device ipsec not present. Device rt_event not present. voice will be loaded Endpoint: endpoint_init entry Endpoint: endpoint_init COMPLETED Device ikanos not present. Device soc4e not present. Syncing hardware clock to system time Starting pid 410, console /dev/ttyS0: '/etc/init.d/rc' Switching to RUNLEVEL 1 ... Disabling hotplug helper route: SIOC[ADD|DEL]RT: File exists linux application start ... wait for linux_appl to initialize (1) wait for linux_appl to initialize (2) ************* ERROR RECORD ************* 000000:00:00.000000 Application NMON started after POWERON. ****************** END ***************** wait for linux_appl to initialize (3) appl_init: BUILD VERIFIED! boardname(DANT-U) wait for linux_appl to initialize (4) wait for linux_appl to initialize (5) wait for linux_appl to initialize (6) wait for linux_appl to initialize (7) [SS EMUL] ERR: opening config file /active/ss.conf failed wait for linux_appl to initialize (8) wait for linux_appl to initialize (9) SSH disabled start fseventd ... fseventd is started. start storagepl ... storagepl is started start vfspl ... vfspl is started MVFS plugin started cifs plug-in: initializing ... cifs plug-in is started upnpavpl start ... /usr/bin/fusermount Loading fuse modulefuse init (API version 7.11) . Mounting fuse control filesystem. S67stopload: wait until configuration load reaches phase 9... S67stopload: wait until configuration load reaches phase 9 (now -1, 1s) WARNING: Unknown Parameter Type (0) ifmfilter for groupname qos WARNING: Unknown Parameter Type (1) ifmfilter for groupname queue S67stopload: wait until configuration load reaches phase 9 (now -1, 2s) S67stopload: wait until configuration load reaches phase 9 (now -1, 3s) S67stopload: wait until configuration load reaches phase 9 (now -1, 4s) endpoint_open COMPLETED WARNING: Unknown Parameter Type (1) brgroup for groupname group adsl: adsl_open entry ADSL Line state is: DOWN [adsl] trace = 5 0 S67stopload: wait until configuration load reaches phase 9 (now -1, 5s) S67stopload: wait until configuration load reaches phase 9 (now -1, 6s) S67stopload: wait until configuration load reaches phase 9 (now -1, 7s) S67stopload: wait until configuration load reaches phase 9 (now -1, 8s) S67stopload: wait until configuration load reaches phase 9 (now 3, 9s) S67stopload: wait until configuration load reaches phase 9 (now 3, 10s) S67stopload: wait until configuration load reaches phase 9 (now 3, 11s) S67stopload: wait until configuration load reaches phase 9 (now 3, 12s) S67stopload: wait until configuration load reaches phase 9 (now 3, 13s) ADSL configuration: adslmultimode = adsl2plus syslog = disabled ADSL configuration: adslmultimode = adsl2plus syslog = disabled S67stopload: wait until configuration load reaches phase 9 (now 3, 14s) Adding new linux user Adding new linux user S67stopload: wait until configuration load reaches phase 9 (now 3, 15s) S67stopload: wait until configuration load reaches phase 9 (now 3, 16s) S67stopload: wait until configuration load reaches phase 9 (now 3, 17s) S67stopload: wait until configuration load reaches phase 9 (now 3, 18s) S67stopload: wait until configuration load reaches phase 9 (now 3, 19s) S67stopload: wait until configuration load reaches phase 9 (now 3, 20s) S67stopload: wait until configuration load reaches phase 9 (now 3, 21s) S67stopload: wait until configuration load reaches phase 9 (now 3, 22s) S67stopload: wait until configuration load reaches phase 9 (now 3, 23s) S67stopload: wait until configuration load reaches phase 9 (now 3, 24s) S67stopload: wait until configuration load reaches phase 9 (now 3, 25s) S67stopload: wait until configuration load reaches phase 9 (now 3, 26s) S67stopload: wait until configuration load reaches phase 9 (now 3, 27s) ******* DSP: Found BCM96362 ******* ******* DSP: In PCM Mode ******* ******* DSP: PCM running in 16 bit mode ******* gInterruptCounter = 0xC081BFA8 gInterruptErrors = 0xC081BFAC gNextRxDesc = 0xC081C0A4 gNextTxDesc = 0xC081C0A0 gDectTestMode = 0xc06ac9a4 dectBuffStart = 0xc06ac9b0 gDectRxOutOfSyncCounter = 0xc06ac9b4 gDectTxOutOfSyncCounter = 0xc06ac9b8 64 ms ECAN tail-length *** gStartRxDesc[0] = 0xA0C00000 *** gBufferSizeBytes = 640 *** gStartTxDesc[0] = 0xA0C01000 halPcmInit 369 nextTxDesc = 0xA0C01000 halPcmInit 369 nextTxDesc = 0xA0C01008 halPcmInit 373 Ownership for TX desc not set. Use this buffer. S67stopload: wait until configuration load reaches phase 9 (now 3, 28s) S67stopload: wait until configuration load reaches phase 9 (now 3, 29s) S67stopload: wait until configuration load reaches phase 9 (now 6, 30s) boardHalInit completed Custom configuration loaded! DSP: Interrupt Masks --------------- IrqMask = 0x00000000 IrqMask1 = 0x00000010 DSP: Interrupt Status ----------------- IrqStatus = 0x00000000 IrqStatus1 = 0x00000000 EndpointInit completed S67stopload: wait until configuration load reaches phase 9 (now 6, 31s) S67stopload: wait until configuration load reaches phase 9 (now 6, 32s) S67stopload: wait until configuration load reaches phase 9 (now 6, 33s) S67stopload: wait until configuration load reaches phase 9 (now 6, 34s) S67stopload: wait until configuration load reaches phase 9 (now 6, 35s) S67stopload: wait until configuration load reaches phase 9 (now 6, 36s) S67stopload: wait until configuration load reaches phase 9 (now 6, 37s) S67stopload: wait until configuration load reaches phase 9 (now 6, 38s) S67stopload: configuration load reached phase 9... nlplugd start ... Initializing. Starting netlink plugin Daemonize netlink plugin udhcpcd start ... monitoripd start ... anti_spoofd start ... Starting OSGi framework... /etc/rc1.d/S85launch_osgi: 48: renice: not found Starting dlistaccess ... anti_spoofd : process exit ! Intel MicroStack 1.0 - Digital Media Server (DLNA 1.5)(pid = 998), dlistaccess: running loc_generate_uuid:ad14fb70-011a-56e9-bd06-a8d00bd84afe mud ... mud start ... ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver PCI: Enabling device 0000:00:0a.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:0a.0 to 64 ehci_hcd 0000:00:0a.0: EHCI Host Controller ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1 ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500 ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 2 ports detected ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver PCI: Enabling device 0000:00:09.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:09.0 to 64 ohci_hcd 0000:00:09.0: OHCI Host Controller ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2 ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600 usb usb2: configuration #1 chosen from 1 choice hub 2-0:1.0: USB hub found hub 2-0:1.0: 2 ports detected usbcore: registered new interface driver usblp usbcore: registered new interface driver usbserial USB Serial support registered for generic usbcore: registered new interface driver usbserial_generic usbserial: USB Serial Driver core SCSI subsystem initialized Driver 'sd' needs updating - please use bus_type methods Initializing USB Mass Storage driver... usbcore: registered new interface driver usb-storage USB Mass Storage support registered. Starting power manager... Name: /etc/usbmgr/usbmgr.conf Username :
It is now possible to log into the router with username Administrator and a blank password (just press ENTER). And now we are here:
Username : Administrator
Password :
------------------------------------------------------------------------
______ Technicolor TG784n v3
___/_____/\
/ /\\ 10.2.6.2
_____/__ / \\
_/ /\_____/___ \ Copyright (c) 1999-2013, Technicolor
// / \ /\ \
_______//_______/ \ / _\/______
/ / \ \ / / / /\
__/ / \ \ / / / / _\__
/ / / \_______\/ / / / / /\
/_/______/___________________/ /________/ /___/ \
\ \ \ ___________ \ \ \ \ \ /
\_\ \ / /\ \ \ \ \___\/
\ \/ / \ \ \ \ /
\_____/ / \ \ \________\/
/__________/ \ \ /
\ _____ \ /_____\/
\ / /\ \ /___\/
/____/ \ \ /
\ \ /___\/
\____\/
------------------------------------------------------------------------
{Administrator}=>
{Administrator}=>help
Following commands are available :
help : Displays this help information
menu : Displays menu
? : Displays this help information
exit : Exits this shell.
.. : Exits group selection.
saveall : Saves current configuration.
ping : Send ICMP ECHO_REQUEST packets.
traceroute : Send ICMP/UDP packets to trace the ip path.
Following command groups are available :
contentsharing firewall led printersharing pwr
service connection cwmp dhcp dns
download dsd dyndns eth atm
config debug env expr grp
hostmgr ids igmp interface ip
ipqos label language mbus memm
mld mlp mobile nat ppp
pptp ptrace script snmp sntp
software statecheck syslog system tls
tunnel upgrade upnp user voice
wansensing webserver wireless xdsl
{Administrator}=>
Next we need to get from the Thomson/Technicolor menu system to a proper root prompt. An old method looked like this:
:script add name addroot command "user add name guru password guru role root descr ROOT" :script run name addroot pars "" :saveall
Then you could log in as guru/guru. Haven't got any further with this.
Understanding the .BLI or .RBI image formats
I think BLI = Boot Loader Image, and RBI = Rescue Boot Image this comes mainly from qualified guesswork.
These firmware images are AES 256-encrypted images. The public key is stored in ROM in the device, and is known. A tool called bli223dcrypt can be used to decrypt them. After this, binwalk can be used to analyze the images.
python bliparser.py TG784nV3_10.5.2.Q_generic_demo.bli decrypted : 00000000: 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000010: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000020: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000030: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000040: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000050: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000060: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000070: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000080: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 00000090: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 000000A0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 000000B0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 000000C0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 000000D0: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................ 000000E0: FF FF FF FF FF FF FF FF FF FF 00 F3 A7 E9 0F 7A ...............z 000000F0: A9 17 B8 2A F5 65 2D 93 02 EF B1 B5 46 DD E1 ...*.e-.....F.. decrypted2: 00000000: 48 F5 3B 43 92 25 71 CF 7A 16 B7 53 1B EA 05 05 H.;C.%q.z..S.... 00000010: 6A F1 24 42 FC 88 BE 26 C6 73 9D 93 30 2F 45 38 j.$B...&.s..0/E8 00000020: 7C E3 D1 37 3C 1A 19 79 90 F1 69 0E 22 CF 51 B2 |..7<..y..i.".Q. 00000030: 57 4A F4 2B 68 CA E2 E6 41 90 28 2E F8 4B BF 30 WJ.+h...A.(..K.0 00000040: 77 90 8E 09 05 80 17 18 AD 50 D4 9A D3 AF 38 56 w........P....8V 00000050: 30 7D 22 18 B4 11 FC C8 15 C7 1A 65 FB 4C 98 1E 0}"........e.L.. 00000060: 48 1E 3B C6 DC F9 2E E9 4B 71 EE 3B 55 17 A9 83 H.;.....Kq.;U... 00000070: F0 A3 A7 A9 37 6D 6E 7C B0 D0 50 1B 4E 14 9C 82 ....7mn|..P.N... 00000080: A4 C1 1E 02 A5 83 DC 44 1E E9 B6 B7 39 16 56 68 .......D....9.Vh 00000090: A7 67 8A EA F6 7E 65 34 0D C2 DC FE 43 6F 79 26 .g...~e4....Coy& 000000A0: D3 79 E3 59 D2 BE 2F 46 4B 52 05 FE 26 DE 06 5A .y.Y../FKR..&..Z 000000B0: 7C 60 67 E6 5A 0B 6A C6 49 2D CA BA B7 86 6A E9 |`g.Z.j.I-....j. 000000C0: 74 87 1B 93 9A 3B 7C BD 4C E2 8D B2 51 40 B4 0E t....;|.L...Q@.. 000000D0: 44 35 DE 85 1E 45 AA 62 D5 E8 2A 42 BC 42 F0 25 D5...E.b..*B.B.% 000000E0: 5C 28 10 FF 35 1B 2C 52 83 0F E6 B3 1D 0E FB 9B \(..5.,R........ 000000F0: C2 92 A1 3E 55 39 CD 32 F9 4A 23 2C 51 23 13 F9 ...>U9.2.J#,Q#.. aeskey: 00000000: FC 88 BE 26 C6 73 9D 93 30 2F 45 38 7C E3 D1 37 ...&.s..0/E8|..7 00000010: 3C 1A 19 79 90 F1 69 0E 22 CF 51 B2 57 4A F4 2B <..y..i.".Q.WJ.+ ********* fw fixed header decoding ********************************************************************* [ptr : ] filname : TG784nV3_10.5.2.Q_generic_demo.bli [ptr : 000 ] imagetype : BLI223WK0 [ptr : 006 ] FIACODE : WK [ptr : 020 ] branding : 0 [ptr : 028 ] flag?? : 00000000 [ptr : 032 ] version : 10.5.2.Q [ptr : 040 ] hdrlength : 0x0000016f [ptr : 044 ] datalength : 0x00c9c11f [ptr : 048 ] crc32 : bf2b3ce3 [ptr : ] computedhash : f3a7e90f7aa917b82af5652d9302efb1b546dde1 [ptr : ] decryptedhash : f3a7e90f7aa917b82af5652d9302efb1b546dde1 [ptr : ] integritycheck : True [ptr : ] aeskey : fc88be26c6739d93302f45387ce3d1373c1a197990f1690e22cf51b2574af42b [prt : 0xc9c28e ] footer : [ptr : 368 ] imagetype : MUTE [ptr : 310 ] board : DANT-U [ptr : 318 ] model1 : Technicolor TG784n v3 [ptr : 341 ] model2 : TG784n v3 [ptr : 352 ] ????? : 200 [ptr : 357 ] flashaddr : c0040000 ********************************************************************************************************
OK let's extract it:
python bli223dcryptex.py TG784nV3_10.5.2.Q_generic_demo.bli fdata len : 0xc9c298 hdr len : 0x16f data len : 0xc9c11f totallen : 0xc9c28e diffsizes : 0x10 b2mutelen : 0xc9c115 b2posend : 0x179 ptr1dec : 0x179 00000000: 01 FF FF FF FF FF FF FF FF 00 B1 4D 55 54 45 0A ...........MUTE. 00000010: 00 C9 C0 D4 37 36 39 33 31 66 61 63 39 64 61 62 ....76931fac9dab 00000020: 32 62 33 36 63 32 34 38 62 38 37 64 36 61 65 33 2b36c248b87d6ae3 00000030: 33 66 39 61 BA 86 D4 55 D0 49 9D DC 2B EB C2 F1 3f9a...U.I..+... 00000040: 64 9A A0 91 56 87 15 52 31 36 BB 8B C7 6F F3 BD d...V..R16...o.. 00000050: CC CE DE 8B 3F 20 89 F0 C6 A8 C0 69 0B 09 5F 60 ....? .....i.._` 00000060: 0F 1E FB 7C B1 8E 6F A0 D2 52 8E 98 8E 4A F6 D7 ...|..o..R...J.. 00000070: F6 B4 90 27 FB AB E2 B9 EA E9 48 E8 55 45 13 EA ...'......H.UE.. 00000080: 7F 3A 98 1C 5D A2 0B 9D C5 39 5E 38 BD E3 F1 94 .:..]....9^8.... 00000090: E7 04 68 3B FC 31 45 13 5A F6 5E E3 9B 88 49 77 ..h;.1E.Z.^...Iw 000000A0: 99 17 D5 11 40 9B 24 84 79 DF 4C 4A B1 38 2C EE ....@.$.y.LJ.8,. 000000B0: 53 13 A1 C1 6E 9C 88 E5 22 F1 3C 93 A3 E2 DA 26 S...n...".<....& 000000C0: 5D A3 3B 97 2A F9 B4 B1 A6 25 ED 36 E1 6A B4 70 ].;.*....%.6.j.p 000000D0: 9D C9 B7 9D 60 1F 86 2F 18 7F F0 98 5D 17 0E B4 ....`../....]... 000000E0: 1A B2 9C 44 25 EC E5 CE A1 2E 37 FD 27 9B 12 81 ...D%.....7.'... 000000F0: BE 06 3B 3B 18 67 FC 7E 42 80 00 0B E1 10 37 ..;;.g.~B.....7 ------------------------------------------- 00000000: 72 7C 5A C0 1B 3A A9 CE C7 B5 3F 79 73 89 E1 27 r|Z..:....?ys..' 00000010: 88 E8 82 46 F3 B9 9D 66 C1 2B D3 E1 7E 7D C2 BD ...F...f.+..~}.. 00000020: 3C CC F8 A6 9D FE 14 03 22 90 2C 11 79 FA C0 25 <.......".,.y..% 00000030: 18 E1 7E 8C D8 EE E9 68 5F F1 A0 D2 05 94 EB 08 ..~....h_....... 00000040: 54 2F 20 E6 79 3F F1 18 DB C3 62 27 3D E2 67 5E T/ .y?....b'=.g^ 00000050: A7 36 B2 63 5E CD 0E 1D CE 7F 4D AB 15 5F CE 71 .6.c^.....M.._.q 00000060: 66 11 DB FC A2 C6 B2 DF D1 4B BD 79 42 61 57 29 f........K.yBaW) 00000070: DA 2D D3 8C 14 30 86 23 AA E3 1E 22 F7 5C 5E 39 .-...0.#...".\^9 00000080: D5 2A 8E 89 32 85 42 BB 2B 68 20 6F 2B B1 23 A5 .*..2.B.+h o+.#. 00000090: 8B 45 EE AB 23 9A 0E 2E C6 0B D1 D5 B5 45 10 8A .E..#........E.. 000000A0: 14 B1 14 DD 98 98 10 72 26 3A DC 48 05 2B E6 E5 .......r&:.H.+.. 000000B0: 06 00 5F 75 D6 EF AD EA 8B A2 65 83 B2 B1 6C CB .._u......e...l. 000000C0: 19 DB B0 AC F8 14 02 40 0C 63 46 3D 6A AE B5 CA .......@.cF=j... 000000D0: 0D 36 49 38 09 55 6F 08 F7 6C A2 88 6B 38 CB 3C .6I8.Uo..l..k8.< 000000E0: F1 35 C3 F8 FB EB 3C 48 62 CA 4C 05 DA 0E 97 83 .5....000000F0: 60 EA B5 03 71 B7 E6 6E 99 EC 39 38 8D D9 E2 AF `...q..n..98.... 0xc9c2b9 ***** PASS binwalk on this : inflated_TG784nV3_10.5.2.Q_generic_demo.bli
Then we can use binwalk to indentify the firmware contents:
$ binwalk TG784nV3_10.5.2.Q_generic_demo.bli DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- [linus@genomnajs bli223dcryptex]$ binwalk inflated_TG784nV3_10.5.2.Q_generic_demo.bli DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 262150 0x40006 JFFS2 filesystem, big endian 22806560 0x15C0020 LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 2740508 bytes 23855110 0x16C0006 Squashfs filesystem, little endian, non-standard signature, version 4.0, compression:gzip, size: 12304877 bytes, 1342 inodes, blocksize: 65536 bytes, created: 2014-07-01 12:34:57
So we see a JFFS2 filesystem, an LZMA compressed kernel image, and a squashfs image. This is so close to the OpenWRT flash layout that it's hardly a coincidence.