
Using ZyXEL/Netgear/... router as ARM7 development platform


Kolja Waschk

Dec 10, 2003, 3:53:26 PM
Hi

The ZyXEL Prestige 100 (for example) or similar models with Samsung
S3C4510 Controller (ARM7TDMI plus Ethernet MAC) could be used as a cheap
development platform (sold at eBay at prices below EUR20; I got a RT311
for EUR16).

The bootloader that is installed on these devices features a Debug Mode,
which allows one to inspect memory or start program execution at arbitrary
addresses over a console port (serial) using AT commands.

After peeking around in the memory, finding help texts that aren't
displayed by default, I'm confident that commands to WRITE to RAM exist as
well (beside uploading a whole firmware image to Flash).

They would enable me to write _small_ pieces of code and try them on that
device, without any hassle regarding DRAM or UART setup etc.

But these aren't available by default. Their availability seems to depend
on contents of some Debug Flag, which may be altered using a specific AT
command (ATEN) with a password. This password may have to be computed
based on a seed that is output in response to another command (ATSE).

If you have more information about the ZyNOS BootExtension and its
capabilities, especially how to enable the WRITE commands like ATWB, ATWW
or ATWL, please, please let me know how I could make use of it - it's
purely for personal use: I'd sign an NDA if required.

Kolja

Kolja Waschk

Dec 21, 2003, 8:39:11 PM
> I'm confident that commands to WRITE to RAM exist as well (beside
> uploading a whole firmware image to Flash). [....] Their availability
> seems to depend on contents of some Debug Flag, which may be altered
> using a specific AT command (ATEN) with a password

Found out on my own by decoding ZyNOS BootExt.
Successfully booted uCLinux on my RT311 after uploading via serial console.
If anyone is interested: mail

Kolja

Nick

Dec 23, 2003, 3:31:56 PM
"Kolja Waschk" <ka...@20031221.ixo.de> wrote in message news:<pan.2003.12.22....@20031221.ixo.de>...


I'm sure many will be now and in the future as they come across your posting.
Why don't you post your finding here?

/NN

Kolja Waschk

Dec 23, 2003, 5:00:42 PM
>>> I'm confident that commands to WRITE to RAM exist as well (beside
>>> uploading a whole firmware image to Flash). [....] Their availability
>>> seems to depend on contents of some Debug Flag, which may be altered
>>> using a specific AT command (ATEN) with a password
>> Found out on my own by decoding ZyNOS BootExt.

> I'm sure many will be now and in the future as they come across your posting.
> why don't you post your finding here ?

I'm a little paranoid regarding possible copyright issues.

To enable the write-to-RAM commands, a (numerical) password is needed;
the code to compute this password clearly is copyrighted.

Maybe I can make up a "valid firmware" to be accepted as a regular
update by the router, with an application that provides RAM upload
and debug features. But then I would have to use ZyNOS code to compute
valid checksums to be included in the firmware...

Hm; it may be legally allowed to publish a set of passwords usable for any
ZyXEL router... Due to a conceptual flaw, the list wouldn't consist of
more than eight entries, at least for firmware similar to that in my RT311.

Okay, assume I bought a Netgear RT311 router and executed some code I
found on the router, with MAC address of LAN interface as its parameter
(see ATSH output). Unless the "ATSE" command was issued before, the
output of this code is:

10F0A563 if MAC address ends in 0 or 8
887852B1 ... 1 or 9 (the above value, ROR #1)
C43C2958 ... 2 or A (the above value, ROR #2)
621E14AC ... 3 or B (...)
310F0A56 ... 4 or C
1887852B ... 5 or D
8C43C295 ... 6 or E
C621E14A ... 7 or F

With that output y, issue the ATEN1,y command, and DebugFlag gets set.
Try ATHE now to learn about the new possibilities.
ATMP tells you about the memory layout.

I'm still working on adapting uCLinux;
at first I succeeded with an (uncompressed) 2.4.22-uc0 upload to 0x20000:

./Makefile
ARCH := armnommu

./arch/armnommu/Makefile

TEXTADDR = 0x00020000

Regarding the configuration:

System type:
(Samsung) ARM system type
[X] Generate big endian code
[ ] Set flash/sdram size and base addr
(RAM) Kernel executes from
(S3C4510-SNDS100) Board Implementation
Character devices:
[X] Samsung serial port support
[X] Support for console on Samsung serial port (19200 bps)

There's still a lot to do. I have yet to build a configuration with
a ROMFS or INITRD attached to the kernel. And I haven't yet succeeded in
making a compressed zImage that actually starts from RAM.

My goal currently is to build a valid firmware package for the router with
uClinux + initrd instead of ZyNOS RasCode.

I'm very interested to read about application of the hints above,
success, failure, ... it might be applicable on several ZyXEL Prestige
routers, Netgear routers, even D-Link (DI-106), Lucent and Teledat...
Which ones do have a console port ("manager" port) available?

Regards,
Kolja
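
A consistency check on the table in the post above, added here as an example (it is not code from the thread or from ZyNOS): it confirms that each listed value is the first one rotated right by the low three bits of the MAC's last hex digit, so the value gating the debug flag takes only eight possibilities. The function names are hypothetical; the constants are copied from the post.

```c
#include <stdint.h>
#include <stdio.h>
/* Values as listed in the post, indexed by the low 3 bits of the last MAC digit. */
static const uint32_t posted[8] = {
    0x10F0A563u, 0x887852B1u, 0xC43C2958u, 0x621E14ACu,
    0x310F0A56u, 0x1887852Bu, 0x8C43C295u, 0xC621E14Au,
};

/* Rotate a 32-bit word right by n bits. */
static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31u;
    return n ? (v >> n) | (v << (32u - n)) : v;
}

/* Value for a MAC whose last hex digit is `nibble` (hypothetical helper). */
uint32_t value_for_nibble(unsigned nibble)
{
    return ror32(posted[0], nibble & 7u);
}

/* 1 if every posted entry equals the first entry rotated right by its index. */
int table_matches_rotation(void)
{
    for (unsigned i = 0; i < 8; i++)
        if (posted[i] != ror32(posted[0], i))
            return 0;
    return 1;
}

/* Number of distinct values over all 16 possible last MAC digits. */
unsigned distinct_values(void)
{
    uint32_t seen[16];
    unsigned count = 0;
    for (unsigned nib = 0; nib < 16; nib++) {
        uint32_t v = value_for_nibble(nib);
        unsigned j = 0;
        while (j < count && seen[j] != v) j++;
        if (j == count) seen[count++] = v;
    }
    return count;
}

int main(void)
{
    printf("consistent=%d distinct=%u\n", table_matches_rotation(), distinct_values());
    return 0;
}
```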

Lewin A.R.W. Edwards

Dec 24, 2003, 3:42:45 PM
> I'm a little paranoid regarding possible copyright issues.

Your email address suggests that you are in Germany. Only in the
United States do we have the rampant obscenity that is the DMCA (and
hopefully parts of it will be rotting off the vine soon).

You are not, in any case, breaching copyright - as you have not copied
any work. The kind of reverse-engineering you are doing is explicitly
protected in law.

Nick

Dec 24, 2003, 9:38:39 PM
"Kolja Waschk" <ka...@20031222.ixo.de> wrote in message news:<pan.2003.12.23...@20031222.ixo.de>...

> >>> I'm confident that commands to WRITE to RAM exist as well (beside
> >>> uploading a whole firmware image to Flash). [....] Their availability
> >>> seems to depend on contents of some Debug Flag, which may be altered
> >>> using a specific AT command (ATEN) with a password
> >> Found out on my own by decoding ZyNOS BootExt.
>
> > I'm sure many will be now and in the future as they come across your posting.
> > why don't you post your finding here ?
>
> I'm a little paranoid regarding possible copyright issues.

Kolja, you are _not_ doing anything illegal. You cannot be doing
anything illegal; it is _your_ kit after all, you paid for it. It is
like changing the pistons of _your_ car !!!

keep us posted ;-)
(for as long as we're still free to learn and engineer)

/NN

Greg Holdren

Jan 7, 2004, 1:11:12 PM
Kolja Waschk <ka...@20031221.ixo.de> wrote:
:> I'm confident that commands to WRITE to RAM exist as well (beside


Post it. :) Join the Hardware Recycling Initiative and the list about it.
https://lists.sourceforge.net/lists/listinfo/hri-devel

--
Greg Holdren
greg (dot) holdren (at) <initials of company> (dot) com

Kolja Waschk

Jan 14, 2004, 4:53:58 PM

> Post it

See my previous posting (within this same thread, 2003-12-23,
<pan.2003.12.23...@20031222.ixo.de> ) regarding the
information required to enable the upload-to-RAM commands.

Other tidbits required to make uClinux run on the RT311/P310 are on their
way into the uClinux CVS repository. As of today, selecting armnommu as
the target when compiling uClinux 2.4.22 from CVS with SNDS100 board
implementation and "Support ZyXEL BootExtension" enabled in the .config
will result in a kernel zImage that can be loaded and started (at 0x20000)
at least on my router and probably a lot of related devices.

I'm currently working on clean code to support the Ethernet interfaces.

The WAN port (implemented with a RTL8019AS) works (I can use a DHCP server
for initial setup, and mount a root FS via NFS), the LAN port (using the
S3C4510X's internal EMAC) support is work-in-progress. Anyway - that code
isn't yet ready for integration in mainstream uClinux.

Stay tuned on the uClinux-developers mailing list for updates.

I think I have all the information collected which is required to build a
"valid" firmware image (with uClinux instead of ZyNOS), i.e. a file that
would be accepted by the router as a firmware update - but yet I haven't
actually tried to do so, and I'm still not completely convinced that
publishing that information (or a tool that uses this information) would
be legal.


Kolja

Free Man

Apr 18, 2019, 7:01:29 PM