Home Page

	Sign In Sign-Up

Router Boxes being Analyzed

Home Page
Opened Boxes
My Robots

Visitors :

Analyzing Router Platforms

My goal here was inspired by seeing the many sites implementing public source/firmwares for assorted routers (besides other devices). I had wanted to add my own ideas and modifications into my own router, such as for I/O Devices, and possibly use it for a developement platform. After studying some of these, I found it a major task (needing to compile the whole router system firmware under Linux -varying about 100MB).

My goal is to develop a simple Assembler and C-Compiler for these Platforms. So that developers can compile patches to quickly embed into their own Platforms using Serial-Port or JTAG.

DIR-615 Router

Chips found :
* Cpu : Marvel 88F5180NB1-C500 - ARM926E 500MHz
* Ram : a2s28d40ctp (x2) - DDR SDRAM (2x)16Mx8
* Flash Ls28f640 - Flash 16Mx8/x16
* LAN : 88e6061-Laj1
* WAN : PCI / 88w8361p-bem1

* Pad 'CON4' : 'CON4' 20pin ICE ?
* Pad 'CON5' : 'CON5:1VCC,TX,RX,GND' 4pin - UART:115200,8N1

DIR-615 Router Web Page
Marvel 88F5180 Processor Web Page

UART Serial Boot Loader Output :

<0>

U-Boot 1.1.1 (Jan 19 2007 - 11:08:07)
CAMEO uBoot Linux Loader version: 1.3.0.0

DRAM CS[0] base 0x00000000   size  32MB 
DRAM Total size  32MB 
before entry mvFlashInit 
Flash: flashStructGet manu 0x89 id 0x17 
INTEL 28F640J3A (64 Mbit)
Size:  8 MB,Bus Width: 1, device Width: 1.
Flash base: 0xff800000,Number of Sectors: 64 Type: REGULAR.
  Sector Start Addresses:
    00000000      00020000      00040000      00060000      00080000     
    000a0000      000c0000      000e0000      00100000      00120000     
    00140000      00160000      00180000      001a0000      001c0000     
    001e0000      00200000      00220000      00240000      00260000     
    00280000      002a0000      002c0000      002e0000      00300000     
    00320000      00340000      00360000      00380000      003a0000     
    003c0000      003e0000      00400000      00420000      00440000     
    00460000      00480000      004a0000      004c0000      004e0000     
    00500000      00520000      00540000      00560000      00580000     
    005a0000      005c0000      005e0000      00600000      00620000     
    00640000      00660000      00680000      006a0000      006c0000     
    006e0000      00700000      00720000      00740000      00760000 (RO)
    00780000 (RO) 007a0000 (RO) 007c0000 (RO) 007e0000 (RO)
[8192kB@ff800000] Flash:  8 MB
Addresses 20M - 0M are saved for the U-Boot usage.
Mem malloc Initialization (20M - 16M): Done
*** Warning - bad CRC, using default environment

Soc: 88F5181 B1
CPU: ARM926 (Rev 0) running @ 500Mhz 
SysClock = 166Mhz , TClock = 166Mhz

USB 0: host mode
PCI 0: PCI Express Root Complex Interface
PCI 1: Conventional PCI, speed = 33000000
Net:   egiga0 [PRIME]
Hit any key to stop autoboot:  0 
### JFFS2 loading 'uImage' to 0x400000
Scanning JFFS2 FS: ..... done.

### JFFS2 load complete: 1099492 bytes loaded to 0x400000
## Booting image at 00400000 ...
   Image Name:   Linux-2.4.27-vrs1
   Created:      2007-07-26   6:29:23 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    1099428 Bytes =  1 MB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
OK

Starting kernel ...

Uncompressing Linux.......................................................................... done, booting the kernel.
ZLinux version 2.4.27-vrs1 (root@localhost.localdomain) (gcc version 3.4.4 (release) (CodeSourcery ARM 2005q3-1)) #2 Thu Jul 26 14:28:55 CST 2007
CPU: ARM926EJ-Sid(wb) revision 0
Machine: MV-88fxx81
Using UBoot passing parameters structure
Sys Clk = 166000000, Tclk = 166000000

- Warning - This LSP release was tested only with U-Boot release 1.7.0

On node 0 totalpages: 8192
zone(0): 8192 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,115200 mtdparts=phys_mapped_flash:6m(root),1m@6m(nvram),1m@7m(uboot)ro root=/dev/mtdblock1 rw ip=192.168.0.1:192.168.0.100:::DB88FXX81:eth0:none
Calibrating delay loop... 331.77 BogoMIPS
Memory: 32MB 0MB 0MB 0MB = 32MB total
Memory: 29884KB available (2034K code, 366K data, 88K init)
Dentry cache hash table entries: 4096 (order: 3, 32768 bytes)
Inode cache hash table entries: 2048 (order: 2, 16384 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 8192 (order: 3, 32768 bytes)
CPU: Testing write buffer: pass
POSIX conformance testing by UNIFIX
init hw started.

CPU Interface
-------------
SDRAM_CS0 ....base 00000000, size  32MB 
SDRAM_CS1 ....disable
SDRAM_CS2 ....disable
SDRAM_CS3 ....disable
PEX0_MEM ....base e0000000, size 128MB 
PEX0_IO ....base f2000000, size   1MB 
PCI0_MEM ....base e8000000, size 128MB 
PCI0_IO ....base f2100000, size   1MB 
INTER_REGS ....base f1000000, size   1MB 
DEVICE_CS0 ....no such
DEVICE_CS1 ....no such
DEVICE_CS2 ....no such
DEV_BOOCS ....base f4000000, size  16MB 
PCI: bus0: Fast back to back transfers enabled
HW already initialized.
PCI: bus1: Fast back to back transfers enabled
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
 bankwidth 1, base f4000000, size 1000000

Marvell Development Board (LSP Version 0.0.102)-- RD-88F5181L-VOIP-FE

Detected Tclk 166000000 and SysClk 166000000 
Starting kswapd
Journalled Block Device driver loaded
NTFS driver v1.1.22 [Flags: R/O]
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xf1012000 (irq = 3) is a 16550A
HDLC line discipline: version $Revision: 1.1.1.1 $, maxframe=4096
N_HDLC line discipline registered.
Marvell Gigabit Ethernet Driver 'egiga':
  o Ethernet descriptors in DRAM
  o DRAM SW cache-coherency
  o Loading network interface 
  o Using switch header mode
qdInit 
qdStart: CPU port 0x5 
Switch driver initialized
Can't get netConfig: Use default
UNM is not initialized yet
2 VLANs created: CpuPortMask = 0x1f
vid=0:  DISABLED(0), portMask=0x7c0, portNum=5
vid=1:       VLAN_1, portMask=0x10, portNum=1
vid=2:       VLAN_2, portMask=0x0f, portNum=4
vid=12: ISOLATED(12), portMask=0x00, portNum=0
Port - Vlan
 0  - VLAN_2
 1  - VLAN_2
 2  - VLAN_2
 3  - VLAN_2
 4  - VLAN_1
 5  - VLAN_ALL
load virtual interface vid = 1
 register if with name  
Init the hal
: Ilegal MTU value 1500,  rounding MTU to: 1506 
 if eth0 registered
load virtual interface vid = 2
 register if with name  
 if eth1 registered
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
SCSI subsystem driver Revision: 1.00
physmap flash device: 1000000 at f4000000
cfi_cmdset_0001: Erase suspend on write enabled
Using buffer write method
Using covid = 1 mvBindings[priv->vid]->header[0] = 24 
IP-Config: Guessing netmask 255.255.255.0
IP-Config: Complete:
      device=eth0, addr=192.168.0.1, mask=255.255.255.0, gw=255.255.255.255,
     host=DB88FXX81, domain=, nis-domain=(none),
     bootserver=192.168.0.100, rootserver=192.168.0.100, rootpath=
ip_conntrack version 2.1 (256 buckets, 2048 max) - 308 bytes per conntrack
ip_conntrack_rtsp v0.01 loading
ip_nat_rtsp v0.01 loading
ip_conntrack_pptp version 1.9 loaded
ip_nat_pptp version 1.5 loaded
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Fast Floating Point Emulator V0.94M by Peter Teichmann.
cramfs: wrong magic
FAT: bogus logical sector size 34276
UMSDOS: msdos_read_super failed, mount aborted.
FAT: bogus logical sector size 34276
FAT: bogus logical sector size 34276
CLEANMARKER node found at 0x00010000, not first node in block (0x00000000)
CLEANMARKER node found at 0x00030000, not first node in block (0x00020000)
CLEANMARKER node found at 0x00050000, not first node in block (0x00040000)
CLEANMARKER node found at 0x00070000, not first node in block (0x00060000)
CLEANMARKER node found at 0x00090000, not first node in block (0x00080000)
CLEANMARKER node found at 0x000b0000, not first node in block (0x000a0000)
CLEANMARKER node found at 0x000d0000, not first node in block (0x000c0000)
CLEANMARKER node found at 0x000f0000, not first node in block (0x000e0000)
CLEANMARKER node found at 0x00110000, not first node in block (0x00100000)
CLEANMARKER node found at 0x00130000, not first node in block (0x00120000)
CLEANMARKER node found at 0x00150000, not first node in block (0x00140000)
CLEANMARKER node found at 0x00170000, not first node in block (0x00160000)
CLEANMARKER node found at 0x00190000, not first node in block (0x00180000)
CLEANMARKER node found at 0x001b0000, not first node in block (0x001a0000)
CLEANMARKER node found at 0x001d0000, not first node in block (0x001c0000)
CLEANMARKER node found at 0x001f0000, not first node in block (0x001e0000)
CLEANMARKER node found at 0x00210000, not first node in block (0x00200000)
CLEANMARKER node found at 0x00230000, not first node in block (0x00220000)
CLEANMARKER node found at 0x00250000, not first node in block (0x00240000)
CLEANMARKER node found at 0x00270000, not first node in block (0x00260000)
CLEANMARKER node found at 0x00290000, not first node in block (0x00280000)
CLEANMARKER node found at 0x002b0000, not first node in block (0x002a0000)
CLEANMARKER node found at 0x002d0000, not first node in block (0x002c0000)
CLEANMARKER node found at 0x002f0000, not first node in block (0x002e0000)
CLEANMARKER node found at 0x00310000, not first node in block (0x00300000)
CLEANMARKER node found at 0x00330000, not first node in block (0x00320000)
CLEANMARKER node found at 0x00350000, not first node in block (0x00340000)
CLEANMARKER node found at 0x00370000, not first node in block (0x00360000)
CLEANMARKER node found at 0x00390000, not first node in block (0x00380000)
CLEANMARKER node found at 0x003b0000, not first node in block (0x003a0000)
CLEANMARKER node found at 0x003d0000, not first node in block (0x003c0000)
CLEANMARKER node found at 0x003f0000, not first node in block (0x003e0000)
CLEANMARKER node found at 0x00410000, not first node in block (0x00400000)
CLEANMARKER node found at 0x00430000, not first node in block (0x00420000)
CLEANMARKER node found at 0x00450000, not first node in block (0x00440000)
VFS: Mounted root (jffs2 filesystem).
Freeing init memory: 88K
8ZZZZ

BusyBox v1.1.0 (2007.07.26-06:29+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # pc : [<40146968>]    lr : [<400ca0b8>]    Not tainted
sp : befaf8a0  ip : 00000001  fp : 40079bf8
r10: 00000003  r9 : 40079bb8  r8 : 00050500
r7 : befb57d0  r6 : 00026740  r5 : befb57cf  r4 : 00026747
r3 : 00000075  r2 : 00000007  r1 : 00026741  r0 : 400ca0b7
Flags: nzCv  IRQs on  FIQs on  Mode USER_32  Segment user
Control: A005317F  Table: 01DF0000  DAC: 00000015

/ # help

Built-in commands:
-------------------
	. 	: 	alias 	bg 	break 	cd 	chdir 	continue 
	eval 	exec 	exit 	export 	false 	fg 	hash 	help 
	jobs 	kill 	let 	local 	pwd 	read 	readonly 
	return 	set	shift 	times 	trap 	true 	type 
	ulimit 	umask 	unalias 	unset 	wait

/ # ls
bin             lib             sbin            var
dev             linuxrc         tmp             wsc_config.txt
etc             mnt             uImage          www
flash           proc            usr

/ # ps
  PID  Uid     VmSize Stat Command
    1 0           548 S   init
    2 0               SW  [keventd]
    3 0               SWN [ksoftirqd_CPU0]
    4 0               SW  [kswapd]
    5 0               SW  [bdflush]
    6 0               SW  [kupdated]
    7 0               SW  [mtdblockd]
    8 0               SW  [khubd]
    9 0               SWN [jffs2_gcd_mtd1]
   16 0           704 S   /bin/sh
   21 0               SWN [jffs2_gcd_mtd2]
   27 0           640 R   ps

/ # ls bin
addgroup    date        ln          mv          rm          umount
adduser     dmesg       login       netstat     sh          uname
ash         dumpleases  ls          nvram       sleep       usleep
busybox     echo        mkdir       pidof       sync
cat         hostapd     mknod       ping        touch
chmod       hostname    mktemp      ps          true
cp          kill        mount       pwd         udhcpc

/ # ls /usr/bin
[          cmp        head       killall    readlink   test       uniq
[[         deallocvt  hexdump    logger     reset      time       uptime
basename   env        id         openvt     tail       tr         wc
chvt       free       install    passwd     tee        tty        which

/ # free
              total         used         free       shared      buffers
  Mem:        29972         4156        25816            0            0
 Swap:            0            0            0
Total:        29972         4156        25816

/ # ls sbin
bpalogin          iptables          ntpclient         route
brctl             iptables-restore  ntptime           swapoff
dcc               iptables-save     pivot_root        swapon
dnsmasq           klogd             pppd              syslogd
gpio              l2tp-control      pppoe             tftpd
httpd             l2tpd             pppoe-discovery   udhcpd
ifconfig          lanmon            pptp              upnpd
igmpproxy         lld2d             rc                wcnd
init              lsmod             reboot
insmod            noip2             rmmod

/ # ls proc
1              8              filesystems    meminfo        scsi
16             9              fs             misc           self
2              bus            interrupts     modules        slabinfo
21             cmdline        iomem          mounts         stat
3              cpu            ioports        mtd            swaps
37             cpuinfo        kcore          net            sys
4              crypto         kmsg           partitions     sysvipc
5              devices        ksyms          pci            tty
6              driver         loadavg        resource_dump  uptime
7              execdomains    locks          rgcfgio        version

/ # ls tmp
dev       log       net-snmp  sbin      var
etc       misc      run       tmp       wsc

/ #

/ # ls tmp
 dev       log       net-snmp  sbin      var
 etc       misc      run       tmp       wsc
/ # echo "test" > /tmp/test
/ # cat /tmp/test
 test
/ # echo "more..." >> /tmp/test
/ # cat /tmp/test
 test
 more...
/ # ls tmp
 dev       log       net-snmp  sbin      tmp       wsc
 etc       misc      run       test      var

/ #

/ # tftpd
TFTP main
standard_tftp_server launched on port 69.
Ctrl-C

/ #

/ # gpio get USB_LED

/ # gpio set STATUS_LED on

/ #

Writing Programs/Code :

You can write ASM Command Programs by using the 'echo' command as shown at the end of the Box above.
echo "test" > /tmp/test
But, you need to use \Escape codes to enter the code as Hex.
echo "\0101 prints an A"
You also need to embed your code into an EXE Code Block. I had dissassembled a number of Programs from /bin to find a standard format. (I believe the first 512 bytes were Header Data and not Code) Seems complicated, but I was successful. I just need to dig up my notes and find it.

To Disassemble some EXE files, use the hexdump command :
/usr/bin/hexdump /bin/rm
-or-
/usr/bin/hexdump /bin/ps
Can somebody dump a bunch of these files onto the UART -and post them or email them to me ?

Common OpCodes :

EA FF FF FE B (-2)
0A .. .. .. BEQ _
1A .. .. .. BNE _
8A .. .. .. BHI _
EB .. .. .. BL _
E2 80 30 nn ADD R3,R0,#nn
E2 03 30 nn AND R3,R3,#nn
E2 4B B0 01 SUB R11,R11,#1
E3 50 00 nn CMP R0,#nn
E3 53 00 nn CMP R3,#nn
E3 A0 B0 DB LDR R11,#DB
E5 95 30 00 LDR R3,[R5]
E5 D4 00 nn LDRB R0,[R4,#nn]
E5 87 00 00 STR R0,[R7]
E1 50 00 01 MOV R0,R0,#1
E2 80 00 04 ADD R0,R0,#4
E3 83 30 0C ORR R3,R3,#0C
E1 A0 00 00 NOP
E1 A0 F0 0E RET

Also check for updates here: OpenWrt DIR615

Send an email

Links to Related Sites :

- Links -

Notes
Note: All of the notes here are taken from unfinished Analysis, and may include Inaccuracies or Errors or missing info. No resposibility or guarantee are assumed from Info on this page nor from the author.

Help would be appreciated
Looking for Binaries such as Bootloader for analysis. Also looking for specs for CPUs in these these Routers, including OpCodes for the Assembler. The Assemblers and C-Compilers are hoped to be posted here in the future.

Any Questions:

http://jlc.iwarp.com/home.html