Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Thu May 17, 2012 1:13 Post subject: RT-N66U Dumps & info
I thought it may be best to start a new thread so we can get this whole nvram thing figured out instead of piling on to the other rt-66 thread.
LOM wanted the nvram partition dumped with the old asus 32k firmware, and the new asus 64k nvram firmware to look at what is being done..
I crashed and burned trying to just use telnet to copy the nvram mtd partition to a usb stick. Not sure why. I have done it many times but this time I was having problems.. I just got empty files. I opened up the router (no more warranty) and used serial and the cfe save commands to dump the wholeflash.
According to the boot capture via serial, nvram on both asus firmwares is supposed to start at offset 0x01fe0000.. Well.. looking at the wholeflash dumps, there is nothing there.. all FF's
With the old firmware (108), nvram starts at offset 0x01ff8000.
With the new 64k firmware, nvram starts at offset 0x01ff0000.
The diff between the two addresses is 32K but they are starting the nvram partition 32k sooner.
I am confused.. I wanted to share.
There is a zip file on my ftp server if you wish to download it and see for yourself. The file is 45 MB.. It has the wholeflash dumps as well as boot logs for the 32k firmware, and the 64k (new). My upload speed sucks (1mbs) so it may take a few minutes to download. I am keeping this separate from the cfe ftp access.
Joined: 31 Aug 2009 Posts: 2448 Location: Third Rock from the Sun
Posted: Thu May 17, 2012 5:24 Post subject:
LOM wrote:
The new cfe is, except for a few default variables, identical to the old one.
The new cfe is made for 32kb nvram and not for 64kb.
It will be interesting to see what the nvram mtd partition looks like.
Some of the DEVs on Tomato tried enabling the 64k via firmware, it worked but once you got past 32k the router crashed. _________________ Peacock Thread-FAQ -- dd-wrt Wiki
Asus has only done half of the job, they have increased the nvram in the firmware from 32 to 64kb.
What they have not done is increasing the nvram in the CFE code so that it matches the firmware and that is likely to cause big problems.
I wonder what happens on a router running the 64kb nvram firmware when you do a long reset with the reset button.. _________________ Kernel panic: Aiee, killing interrupt handler!
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Thu May 17, 2012 12:52 Post subject:
LOM wrote:
Asus has only done half of the job, they have increased the nvram in the firmware from 32 to 64kb.
What they have not done is increasing the nvram in the CFE code so that it matches the firmware and that is likely to cause big problems.
I wonder what happens on a router running the 64kb nvram firmware when you do a long reset with the reset button..
That should be easy enough to test.. I'll do some configuring.. the reset via gui, reset button, and telnet (erase nvram).. we'll see what happens.. _________________ [Moderator Deleted]
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Fri May 18, 2012 14:24 Post subject:
@LOM..
I plan to mess with the 66 over the weekend in regards to what happens during clearing nvram with the stock asus firmware that supports 64k.
I think it is a waste of time but I am curious.
Using the reset button, will prolly clear nvram and rebuild it but because the router will reboot, it will get rebuilt and show nothing cool (maybe). The same thing will prolly happen using the gui to reset to factory defaults.
I may be able to stop the boot (re-boot) via serial and dump the nvram before it rebuilds.
Using the cfe to erase nvram may yield something of interest..
Now for my question(s)..
Under your expert guidance and tutelage in the past, you taught me the flash chip data is available at 0xbc000000.
So if I don't want to dump the whole flash, just add the starting address to 0xbc~?
The 64k nvram starts at offset 0x01ff0000. So add that to 0xbc000000.. that means the data I want starts @ 0xbdff000. I want the data to the end of the flash chip (length). 64k = 0x00010000.
Yes but I think the save cmd needs to be told that it is hex values, ie 0xbdff0000 and 0x10000 _________________ Kernel panic: Aiee, killing interrupt handler!
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Fri May 18, 2012 15:54 Post subject:
LOM wrote:
barryware wrote:
so.. save <tftp server ip>:64k.bin bdff000 10000
yes?
Yes but I think the save cmd needs to be told that it is hex values, ie 0xbdff0000 and 0x10000
With this router / cfe, I don't need to use the 0x prefix.. just the address in hex. At least I didn't for the wholeflash. _________________ [Moderator Deleted]
Yes but I think the save cmd needs to be told that it is hex values, ie 0xbdff0000 and 0x10000
With this router / cfe, I don't need to use the 0x prefix.. just the address in hex. At least I didn't for the wholeflash.
you can dump just the nvram partition by:
cat /dev/mtd1 > /tmp/nvram.bin
mtd0 is cfe
mtd1 is nvram
I think you are right, they are doing a tomato type approach to increasing the nvram space. You would think that if they did update the CFE itself they would get new code from broadcom; a (C)2008 CFE looks almost the same as the N16.
Lol even the E900 64k cfe would suffice given they had the correct parameters.
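The partition listing Fractal refers to (mtd0 is cfe, mtd1 is nvram) comes from the kernel's /proc/mtd table, and the raw partition itself is read through its /dev/mtdN device node. The Python below is an added example, not code from the thread: it parses a constructed /proc/mtd table (sample sizes and names, not captured from an RT-N66U), finds the partition by name instead of a hardcoded index, builds the equivalent dd command using the erase block as the block size, and sanity-checks a dump's length, which catches the empty files barryware got on his first attempt.

```python
import re

# Constructed sample of a /proc/mtd table; the real file has the same
# "dev: size erasesize name" columns but the values here are illustrative.
SAMPLE_PROC_MTD = """dev:    size   erasesize  name
mtd0: 00040000 00020000 "cfe"
mtd1: 00020000 00020000 "nvram"
mtd2: 01f80000 00020000 "linux"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')


def parse_proc_mtd(text):
    """Return {name: {"dev", "size", "erasesize"}} for each partition line."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a partition entry
        dev, size, erase, name = m.groups()
        parts[name] = {"dev": dev, "size": int(size, 16), "erasesize": int(erase, 16)}
    return parts


def nvram_dump_command(text, name="nvram", out="/tmp/nvram.bin"):
    """Build a dd command that copies the named partition via its /dev/mtdN node.

    bs is the erase block and count the number of blocks, so the dump is
    exactly the partition and a short read is easy to notice.
    """
    part = parse_proc_mtd(text)[name]
    if part["size"] % part["erasesize"]:
        raise ValueError("partition size is not a whole number of erase blocks")
    blocks = part["size"] // part["erasesize"]
    return f"dd if=/dev/{part['dev']} of={out} bs={part['erasesize']} count={blocks}"


def check_dump(data, part):
    """Classify a dump against the partition size it should match."""
    if len(data) == 0:
        return "empty"   # the symptom reported at the top of the thread
    if len(data) < part["size"]:
        return "short"
    if len(data) > part["size"]:
        return "long"
    return "ok"


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    print(nvram_dump_command(SAMPLE_PROC_MTD))
    print(check_dump(b"", parts["nvram"]))
```

The same parser works on a live router by reading /proc/mtd into `text`; the dump file should then be checked with `check_dump` before being trusted.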
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Fri May 18, 2012 16:09 Post subject:
Fractal wrote:
you can dump just the nvram partition by:
cat /dev/mtd1 > /tmp/nvram.bin
mtd0 is cfe
mtd1 is nvram
Thanks for that.. I dumped wholeflash cuz I wanted to see where nvram went (location). As stated earlier, boot log states nvram is located @ 0x01fe0000.. However, it is really @ 0x01ff0000
I guess none of it matters.. we know how they are doing it. Doesn't look like it is dd-wrt friendly and digging any further seems to be a waste of time. _________________ [Moderator Deleted]
Thanks for that.. I dumped wholeflash cuz I wanted to see where nvram went (location). As stated earlier, boot log states nvram is located @ 0x01fe0000.. However, it is really @ 0x01ff0000
What you see in the boot log is partition names/aliases but there is no requirement that data must start at the first byte in a partition.
The partition in which nvram resides is 128KB because that is the flash blocksize, the smallest amount one can erase in the type of flash used in RT-N66U.
nvram data does traditionally occupy the last 32KB in the last flash sector which for most routers means that the mtd partition is 64KB and 32KB is wasted before nvram data starts.
It is those wasted 32KB that are being used for nv64k routers and it is 28KB of them that are being used in nv60k routers.
If the blocksize of the flash is 128KB instead of 64KB, then there is an additional 64KB wasted. _________________ Kernel panic: Aiee, killing interrupt handler!
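LOM's explanation (the 128KB erase block is the partition the boot log names, the nvram data only occupies its tail) is what reconciles barryware's wholeflash observations earlier in the thread: the partition at 0x01fe0000, the 32k data at 0x01ff8000, the 64k data at 0x01ff0000. The Python below is an added example, not code from the thread or from Asus, that builds a constructed 32 MiB flash dump with a Broadcom-style nvram image ("FLSH" header, NUL-separated key=value pairs; CRC left at zero because this is locator test data, not a flashable image), finds the real data start, and reports the enclosing erase block, the wasted bytes ahead of the data, and the address to hand to the CFE save command using the 0xbc000000 base from the thread. The sample variable names are constructed.

```python
import struct

# Broadcom nvram header: magic "FLSH" (0x48534C46 little-endian), total length
# (header + variables), crc/version/init word, config_refresh, config_ncdl.
NVRAM_MAGIC = 0x48534C46
HEADER_FMT = "<IIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 20 bytes
FLASH_BASE = 0xBC000000                    # memory-mapped flash base quoted in the thread
ERASE_BLOCK = 0x20000                      # 128 KiB erase block per LOM's post


def build_nvram_image(pairs, nvram_size):
    """Constructed nvram image of nvram_size bytes; unused tail stays 0xFF."""
    body = b"".join(f"{k}={v}".encode() + b"\x00" for k, v in pairs.items()) + b"\x00"
    total = (HEADER_LEN + len(body) + 3) & ~3          # length is rounded to 4 bytes
    header = struct.pack(HEADER_FMT, NVRAM_MAGIC, total, 0, 0, 0)
    image = header + body
    if len(image) > nvram_size:
        raise ValueError("variables do not fit in the nvram area")
    return image.ljust(nvram_size, b"\xff")


def make_flash_dump(flash_size, nvram_size, pairs):
    """Constructed whole-flash dump: erased (0xFF) except the nvram image at the tail."""
    flash = bytearray(b"\xff") * flash_size
    flash[flash_size - nvram_size:] = build_nvram_image(pairs, nvram_size)
    return bytes(flash)


def find_nvram(flash, erase_block=ERASE_BLOCK):
    """Locate the nvram header in a dump and describe where it sits in the flash."""
    magic_bytes = struct.pack("<I", NVRAM_MAGIC)
    off = flash.rfind(magic_bytes)           # nvram lives at the tail, so take the last hit
    if off < 0 or off + HEADER_LEN > len(flash):
        return None
    _, length, _, _, _ = struct.unpack_from(HEADER_FMT, flash, off)
    block_start = off - off % erase_block
    return {
        "offset": off,                        # where the data really starts
        "len": length,                        # header + variables, from the header
        "partition_start": block_start,       # the erase block the boot log names
        "wasted_before": off - block_start,   # unused bytes ahead of the data
        "area_size": len(flash) - off,        # 32K or 64K for the two Asus builds
        "cfe_save_addr": FLASH_BASE + off,    # address for the CFE save command
    }


def read_vars(flash, info):
    """Decode the NUL-separated key=value pairs that follow the header."""
    start = info["offset"] + HEADER_LEN
    end = info["offset"] + info["len"]
    out = {}
    for item in flash[start:end].split(b"\x00"):
        if not item:
            break                             # empty string terminates the list
        key, _, value = item.partition(b"=")
        out[key.decode()] = value.decode()
    return out


if __name__ == "__main__":
    # Constructed sample: 32 MiB flash, 64k nvram area, a couple of common variable names.
    dump = make_flash_dump(0x02000000, 0x10000, {"lan_ipaddr": "192.168.1.1", "wan_ipaddr": "0.0.0.0"})
    info = find_nvram(dump)
    for key, value in info.items():
        print(f"{key:16s} 0x{value:08x}")
    print(read_vars(dump, info))
```

Run against a real wholeflash dump, `find_nvram` gives the `save` address directly, and comparing `partition_start` with `offset` shows the gap LOM describes rather than the offset the boot log prints.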
01ff0000 is after 01fe0000 so either way, it is still taking up the last sectors of the flash chip.. Kinda like you said _________________ [Moderator Deleted]