WRT54G2 V1.3 & WRT54GS V1 - Progress

DD-WRT Forum Index -> Broadcom SoC based Hardware
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 19:36    Post subject: WRT54G2 V1.3 & WRT54GS V1 - Progress
WRT54G2 V1.3 & WRT54GS2 V1

We now have a CFE available that will run perfectly on the above routers. Problem is, you need JTAG to flash it (for now).

History:

The WRT54G2 V1 has been supported for a while. This device required flashing a “prep” and a “killer” file. From there you could TFTP a DD-WRT build. Flashing the prep and killer required only a TFTP utility.

Development of a non-JTAG port for the G2 V1.3 began in late May. The first step was to develop a CFE that was compatible with the router. It took one of the devs (Eko) a short time to find and modify a CFE for the device.

Now we have a CFE. Next we need to get it on the box without JTAG.

The challenge:

For some reason, Linksys put “security checksums” in the firmware. When a user wants to flash the router, the file to be flashed must pass the “security check” before the BSP (stock Linksys VxWorks bootloader) will allow the flash. If the file does not pass this check, you will see “invalid file”, “invalid code”, or some other obscure error. The checksums could be an attempt to keep 3rd-party firmware off the device, or insurance that some knucklehead will not flash the wrong firmware image to the device.

There are a total of six.. That’s right, six security hashes. As of now, not all six have been “cracked”. This is keeping the non-JTAG port on the bench.

Why was today a major accomplishment?

The initial CFE used for testing would only allow the flash of a WRH54G micro build. If any other micro build was flashed, it would brick the router.

Today we have a CFE that will allow the flash of ANY micro build: Micro, Micro Plus, Micro + SSH, Generic, etc. (Now you don’t want to flash a WRH build.)

Why Do We Care?

Including the two routers loaned to me by brother members (Streb (WRT54G2 V1.3) and onegd4u (WRT54GS2 V1)) to work on this project, I had flashed several other G2’s (for free). Even though I put notes in the boxes, stickers on the routers, e-mails and PMs warning not to flash any other micro build except for a WRH54G… You guessed it. Members who bricked their routers by flashing generic or plus micro builds will go nameless. I will say that neither donator (loaner) deviated from instructions. AFAIK, their routers are still happily running DD-WRT.

But… There are now a few bricks. Nobody wants to see a bricked router (fixing them is fun though).

I asked the “King of CFEs” if he had time to develop a CFE for these devices that would allow the flash of any generic micro build. He said “NO, I’m busy”.. JUST KIDDING.. He LITERALLY had a custom-built CFE file to me in a few hours.

There was one initial failure. The next attempt was a success. Then a compressed CFE was provided and tested. Perfect…

What I find amazing: the “King” had no device in front of him or on his bench. All the work was done by providing information, testing, and supplying data from the testing. Second try.. done.

Who might the “King” be? We could guess or I can tell you. Let's guess for a bit..

Now, here is the deal. Until the security checksums are cracked, you can only flash the CFE via JTAG. If anyone does not want to mess with JTAG, I will flash it for you for free (except return postage; US only).

JTAG is not difficult (because of the utilities the “King” has given us). I am not being negative, but know this: these nasty little devices (G2 V1.3 & GS2 V1) seem to have a noise problem. There are several posts on the forum on the topic. It took me hours, if not days, to figure out how to provide “clean” data to the devs when this project started.

Before you get started flashing anything, make two backups of your BSP via JTAG. Compare them. If they do not compare perfectly, STOP. Go no further until you can back up your BSP (twice) and have them compare perfectly. If you can’t get a clean backup, you will not get a clean flash. YOU HAVE BEEN WARNED!

Code:
Tjtagv3 -backup:bsp

A big thank you to all involved in this project. We are close... BTW, the G2 V1's are drying up. The 1.3's are still around. The GS2's seem to be what is mostly on the shelves, and watch out for the G2 V1.5: they are not supported.

Another BTW: I just test. The actual coding is way above my skill level or pay grade.

Here is the CFE: (rename to “cfe128.bin” )



Last edited by barryware on Sun Oct 04, 2009 4:21; edited 2 times in total
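The two-backup check from the post above, as an added example that is not part of the original thread or of the Tjtag tool: a POSIX shell script that refuses to go further unless two dumps of the bootloader region are the same size and match byte for byte, and reports the offset of the first difference when they do not. The file names bsp1.bin/bsp2.bin/bsp3.bin and the 256-byte sample dumps it constructs are assumptions made for this example; the script does not talk to JTAG itself, it only inspects the files a backup run produced.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT project): check that two
# JTAG backups of the bootloader region, e.g. the output of running
# "Tjtagv3 -backup:bsp" twice, are identical before flashing anything.
# File names and the 256-byte demo dumps below are assumptions for this
# example; Tjtag names its dumps differently and real dumps are far larger.

# Return 0 only if both dumps exist, are non-empty, have the same size and
# match byte for byte. On mismatch say why and where the first difference is.
compare_bsp_backups() {
    a="$1"; b="$2"
    if [ ! -s "$a" ] || [ ! -s "$b" ]; then
        echo "STOP: missing or empty dump ($a / $b)" >&2
        return 1
    fi
    sa=$(wc -c < "$a" | tr -d ' '); sb=$(wc -c < "$b" | tr -d ' ')
    if [ "$sa" -ne "$sb" ]; then
        echo "STOP: size mismatch: $a is $sa bytes, $b is $sb bytes" >&2
        return 1
    fi
    # cmp exits 1 and names the first differing byte (1-based) on mismatch
    if ! out=$(cmp "$a" "$b" 2>&1); then
        echo "STOP: noisy read, dumps differ: $out" >&2
        return 1
    fi
    # identical: print a checksum so the known-good dump can be recognised later
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$a"
    else
        cksum "$a"
    fi
    return 0
}

# Build constructed sample dumps in a temp dir (not real CFE data):
#   bsp1.bin, bsp2.bin  - two identical 256-byte reads
#   bsp3.bin            - same size, one byte corrupted at offset 100,
#                         standing in for a read spoiled by JTAG noise
make_demo_dumps() {
    dir=$(mktemp -d)
    : > "$dir/bsp1.bin"
    i=0
    while [ "$i" -lt 64 ]; do
        printf '\252\125\000\377' >> "$dir/bsp1.bin"   # 4 bytes per pass
        i=$((i + 1))
    done
    cp "$dir/bsp1.bin" "$dir/bsp2.bin"
    {
        head -c 100 "$dir/bsp1.bin"     # first 100 bytes unchanged
        printf '\001'                   # corrupted byte at offset 100
        tail -c +102 "$dir/bsp1.bin"    # remaining 155 bytes unchanged
    } > "$dir/bsp3.bin"
    echo "$dir"
}

# Demo run: the clean pair passes, the noisy pair is refused.
demo_dir=$(make_demo_dumps)
compare_bsp_backups "$demo_dir/bsp1.bin" "$demo_dir/bsp2.bin" \
    && echo "clean backup pair, safe to proceed"
compare_bsp_backups "$demo_dir/bsp1.bin" "$demo_dir/bsp3.bin" \
    || echo "refusing to proceed (as intended)"
rm -rf "$demo_dir"
```

On a real box you would run the backup twice, then call `compare_bsp_backups` on the two dump files; the size check catches a truncated read and `cmp` catches a single flipped bit, which is the kind of damage a noisy JTAG link leaves behind.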
Murrkf
DD-WRT Guru


Joined: 22 Sep 2008
Posts: 12666

PostPosted: Sat Oct 03, 2009 20:08    Post subject: Re: WRT54G2 V1.3 & WRT54GS V1 - Progress
barryware wrote:

JTAG is not difficult (because of the utilities the “King” has given us).


Bit of a giveaway.....

Nice work.

_________________
SIG:
I'm trying to teach you to fish, not give you a fish. If you just want a fish, wait for a fisherman who hands them out. I'm more of a fishing instructor.
LOM: "If you show that you have not bothered to read the forum announcements or to follow the advices in them then the level of help available for you will drop substantially, also known as Murrkf's law.."
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Oct 03, 2009 20:10    Post subject:
Would it be possible to gather some serial numbers to help avoid the 1.5?

My GS2 v1.0 is CUQ0.


EDIT: also, do you edit the MAC addresses in the normal place or is it somewhere else in the CFE?

_________________
The New Me


Last edited by DHC_DarkShadow on Sat Oct 03, 2009 20:19; edited 2 times in total
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 20:17    Post subject:
My recently purchased GS2 (retail) has the same serial as yours (duh). I should have recorded it but failed on the V1.3 I had and have since returned. Isn't there a law that says "possession is 9/10ths of the law"?


Last edited by barryware on Sun Oct 04, 2009 4:21; edited 1 time in total
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Oct 03, 2009 20:19    Post subject:
barryware wrote:
Who's the king?


T~

_________________
The New Me
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 20:20    Post subject: Re: WRT54G2 V1.3 & WRT54GS V1 - Progress
Murrkf wrote:
barryware wrote:

JTAG is not difficult (because of the utilities the “King” has given us).


Bit of a giveaway.....

Nice work.


He is a little modest.. We oughta be buying him drinks..
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 20:21    Post subject:
DHC_DarkShadow wrote:
barryware wrote:
Who's the king?


T~


You beez correct! You win..
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sat Oct 03, 2009 20:21    Post subject:
DHC_DarkShadow wrote:
barryware wrote:
Who's the king?


T~

Thomas Edison!

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Oct 03, 2009 20:22    Post subject:
Do you edit the MAC addresses in the normal place or is it somewhere else in the CFE?
_________________
The New Me
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 20:25    Post subject:
DHC_DarkShadow wrote:
Do you edit the MAC addresses in the normal place or is it somewhere else in the CFE?


Normal.. et0 & il0


Last edited by barryware on Sun Oct 04, 2009 4:22; edited 1 time in total
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 03, 2009 20:26    Post subject:
phuzi0n wrote:
DHC_DarkShadow wrote:
barryware wrote:
Who's the king?


T~

Thomas Edison!


Laughing

DHC_DarkShadow
DD-WRT Guru


Joined: 22 Jun 2008
Posts: 2440
Location: Am now Dark_Shadow

PostPosted: Sat Oct 03, 2009 21:01    Post subject:
barryware wrote:
DHC_DarkShadow wrote:
Do you edit the MAC addresses in the normal place or is it somewhere else in the CFE?


Normal.. et0 & il0

And yes.. Thomas Edison beez the king.


I'd better have a look again, I didn't see il0.

NM, I got it.

_________________
The New Me
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7619

PostPosted: Sat Oct 24, 2009 18:55    Post subject:
Is the additional checksum verification done in the CFE, in the firmware, or in both?
_________________
Kernel panic: Aiee, killing interrupt handler!
barryware
DD-WRT Guru


Joined: 26 Jan 2008
Posts: 13002
Location: Behind The Reset Button

PostPosted: Sat Oct 24, 2009 19:11    Post subject:
LOM wrote:
Is the additional checksum verification done in the CFE, in the firmware, or in both?


I believe the CFE.. No problem if the hashes could be figured out. Management mode will not accept the killer. In management mode, only the CFE is active.

You know this, but for the benefit of others..

When the firmware gets flashed, the CFE checks for a proper checksum or security hash, however you would like to term it.

Pass = allow the flash

Fail = invalid file

There are a total of six separate hashes that must pass. Not all six have been figured out.
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7619

PostPosted: Sat Oct 24, 2009 19:18    Post subject:
barryware wrote:

There are a total of six separate hashes that must pass. Not all six have been figured out.


OK, do you have an original CFE for the G2 V1.3? I couldn't find it on your FTP.

_________________
Kernel panic: Aiee, killing interrupt handler!