1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Firmware Mod Kit for ADSL2MUE

Discussion in 'Other Linksys Equipment' started by mstombs, Mar 4, 2007.

  1. mstombs

    mstombs Network Guru Member

    *WARNING* don't follow this unless you understand the risk to your warranty sanity etc. I have a repaired old ADSL2MUE with serial console and working JTAG connection for emergency use. Oh and yes this is a long post...

    Inspired by the http://www.bitsum.com/firmware_mod_kit.htm published by the Jeremy Collake (who cracked the WRT54G vxworks problem), I have just found a package of Unsquashfs 1.3r3 squashfs-tools.tar.bz2 posted on the openwrt WRTP54G document page

    http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/ WRTP54G

    [direct link not working]

    I have tried and failed in the past to mount squashfs-lzma images under linux (need to patch and recompile kernel) but have now managed to do it from the command line without having to compile anything.

    It just happens that the Linksys 4.22 beta posted on this site

    http://www.linksysinfo.org/forums/showthread.php?t=45550

    uses a very similar version of squashfs-lzma 1.3, other versions would need custom tools.

    There's not a lot you can do with this, but changing web pages is one, adding scripts clearly possible, modules probably would have to be compiled against an identical kernel but for academic interest only here's how it can be done:-

    Note - I used as linux box, probably could do the extraction under cygwin but you really need a linux disk partition to preserve case and file properties if you want to re-squash.

    1. Split the firmware upgrade image into two parts, the first contains the header and kernel. The second the squashfs filesystem. I give the commands and the responses.

    Code:
    root:# dd if=LKS.single.annexA.upgrade.422.EU.img of=orig422knl.img ibs=1K count=476
    476+0 records in
    952+0 records out
    487424 bytes (487 kB) copied, 0.060558 seconds, 8.0 MB/s
    
    root:# dd if=LKS.single.annexA.upgrade.422.EU.img of=orig422fs.img ibs=1K skip=476
    1392+1 records in
    2784+1 records out
    1425416 bytes (1.4 MB) copied, 0.174192 seconds, 8.2 MB/s
    2. Unsquash the filesystem and show the contents now in squashfs-root are accessible

    Code:
    root:# ./unsquashfs-lzma orig422fs.img
    
    created 141 files
    created 36 directories
    created 83 symlinks
    created 0 devices
    created 0 fifos
    
    root:# ls squashfs-root
    bin/  dev/  etc/  lib/  proc/  sbin/  usr/  var/  var.tar
    
    root:# ls squashfs-root/usr/www/html
    AdminDiag-p.htm   AdminSyslog.htm   SetupBMO.htm    StatusLan.htm    dhcp_table.htm  reboot.htm
    AdminDiag.htm     AdminUpgrade.htm  SetupNETs.htm   StatusModem.htm  images/         save.htm
    AdminManage.htm   Setup1483bs.htm   SetupPPPoA.htm  blank.htm        index.html      update_result.html
    AdminRestore.htm  Setup1483r.htm    SetupPPPoE.htm  contype.htm      js/             upgrade.htm
    3. Just to check the process I don't make any changes but re-squash the filesystem

    Code:
    root:# ./mksquashfs-lzma squashfs-root nsp.annexA.squashfs.img
    Creating little endian filesystem on nsp.annexA.squashfs.img, block size 32768.
    
    Little endian filesystem, data block size 32768, compressed data, compressed metadata
    Filesystem size 1389.07 Kbytes (1.36 Mbytes)
    27.62% of uncompressed filesystem size (5030.02 Kbytes)
    Inode table size 2196 bytes (2.14 Kbytes)
    47.53% of uncompressed inode table size (4620 bytes)
    Directory table size 1970 bytes (1.92 Kbytes)
    62.11% of uncompressed directory table size (3172 bytes)
    Number of duplicate files found 5
    Number of inodes 260
    Number of files 141
    Number of symbolic links  83
    Number of device nodes 0
    Number of fifo nodes 0
    Number of socket nodes 0
    Number of directories 36
    Number of uids 2
    root (0)
    unknown (500)
    Number of gids 
    4. Add back the header and kernel section

    Code:
    cp orig422knl.img mytest.img
    
    root:# dd if=nsp.annexA.squashfs.img of=mytest.img conv=notrunc oflag=append
    2784+0 records in
    2784+0 records out
    1425408 bytes (1.4 MB) copied, 0.0962899 seconds, 14.8 MB/s
    5. Add the TI checksum, using the binary in Russian Acorp source not the perl script on the openwrt page (not tried but should work)

    Code:
    root:# ../source/nsp/tools/bin/tichksum mytest.img
    File doesn't contain the checksum, adding
    Calculated checksum is 5F2E30AF
    Added successfully
    6. Compare the new image with the original, same size but...

    Code:
    root:# ls -l LKS.single.annexA.upgrade.422.EU.img mytest.img
    -rwxr--r-- 1 user user 1912840 2005-09-30 01:14 LKS.single.annexA.upgrade.422.EU.img*
    -rw-r--r-- 1 root root 1912840 2007-03-04 11:59 mytest.img
    
    root:# diff LKS.single.annexA.upgrade.422.EU.img mytest.img
    Binary files LKS.single.annexA.upgrade.422.EU.img and mytest.img differ
    
    7. Try it anyway, load from web interface, this is what is reported on the serial console:-

    Code:
    ****************** NSP Firmware Upgrade ******************
    Mounting PROC on /var/proc...OK
    Mounting DEV on /var/dev...OK
    Pivoting / to /var...OK
    Changing work dir to / ...OK
    Unmounting /flash/proc...OK
    Unmounting /flash/dev...OK
    Unmounting /flash...OK
    Upgrading flash memory...
    FLASH /tmp/fw.bin...
    Progress: |********************************|  100%
    SETMTDS /tmp/fw.bin : /dev/mtdblock/4.
    MTD4 = 0x90020000,0x90400000
    MTD1 = 0x90020090,0x90097000
    MTD0 = 0x90097000,0x90400000
    REBOOT.
    Restarting system.
    
    Minimal POST completed...     Success.
    Last reset cause: Software reset (memory controller also reset)
    
    PSPBoot1.2 rev: 1.2.0.4
    (c) Copyright 2002-2004 Texas Instruments, Inc. All Rights Reserved.
    
    Press ESC for monitor... 1
    
    
    (psbl)
    
    Booting...
    Launching kernel decompressor.
    Starting LZMA Uncompression Algorithm.
    Copyright (C) 2003 Texas Instruments Incorporated; Copyright (C) 1999-2003 Igor Pavlov.
    Compressed file is LZMA format.
    Kernel decompressor was successful ... launching kernel.
    
    LINUX started...
    Config serial console: ttyS0,38400
    Auto Detection SANGAM chip
    This SOC has MDIX cababilities on chip.
    CPU revision is: 00018448
    Primary instruction cache 16kb, linesize 16 bytes (4 ways)
    Primary data cache 16kb, linesize 16 bytes (4 ways)
    Number of TLB entries 16.
    Linux version 2.4.17_mvl21-malta-mips_fp_le (root@localhost.localdomain) (gcc version 2.95.3 20010315 (release/MontaVista)) #1 Mon Aug 8 16:09:32 CST 2005
    ...
    
    8. Do a hard reset, enter ISP details, it seems to work

    Now can I add back those web pages that were seen in version 2.17Ti, enable half bridge mode and snmp etc...?
     
  2. mstombs

    mstombs Network Guru Member

    Yes, had to encode password and change version number on first screen, everything seems to work but 2.17 didn't know about ADSL2+ so still need to patch connection display

    Not yet

    Yes just needed the web interface, "The Dude" say invalid id, but all I did was tick enable and it does show me stats, couple of screenies attached
     

    Attached Files:

  3. mstombs

    mstombs Network Guru Member

    Update.

    I have now found how to turn the ADSL2MUE into a half bridge modem, not using NAT, passing the ISP supplied IP address, netmask and Gateway to an upstream router and have implemented this as a 'proof of concept' bash script on top of Routertech 2.2 firmware - the Linksys 4.22 'bash' doesn't have all the features needed - but the routing commands are all standard Linux, with no need to modify the kernel. Hopefully they will pick this up and add it as an option to a future version:

    details here:

    http://www.routertech.org/viewtopic.php?p=19330
     
  4. mstombs

    mstombs Network Guru Member

    Routertech 2.3

    A version of the half-bridge script is now in Routertech 2.3, released today. This offers a number of new features to ADSL2MUE users as it includes a special version for 4Mb flash 1 port PSPBoot AR7 routers. Not sure they are any other than 2MUE - non-wireless boxes tend to have only 2Mb flash and only 6 or 8 MB ram - my 2MUE has 16Mb ram. So ssh and selectable DSL ver 6 or 7 drivers are now selectable (previously only for wireless dsl routers).

    Still no snmp, but could now try running a binary from a /cifs share.

    One useful new feature is the ability to turn unused flash into a non volatile directory more than 512k available for 2MUE users. SSH and SCP allow the use of winscp to manage files on the router, so if the half-bridge script built into the firmware doesn't work for you - make a copy and edit it till it does, storing the result in /nvram - and then post it somewhere for others to use!
     
  5. mstombs

    mstombs Network Guru Member

    Similar approach to title of this thread seems to have been used to produce a number of alternative versions of firmware for the ADSL2MUE, (which is v similar to the D-LINK DSL320T), index page (in Italian)

    http://forum.noxirc.net/supporto-fi...-302t-320t-originali-modificati-recovery.html

    ftp site for images

    ftp://cci_rcc_adsl:adsl4all@213.255.34.42/

    An update to the toolset in the first post is needed to do this yourself as the squashfs-lzma has been upgraded to version 2 and 3 in the recent firmware releases, passing on a tip I have been given: - in forum.ixbt.com/topic.cgi?id=14:34671-144 there is a link to

    p-tau.com/NSP_Set.tgz

    You want squashfs3-tools/unsquashfs-lzma for example, there is also some code to automatically break the firmware into its constituent parts(not tested).
     
  6. wlkn

    wlkn Addicted to LI Member

    FTP link broken
     
  7. mstombs

    mstombs Network Guru Member

  8. bovirus

    bovirus Addicted to LI Member

    I made some changes to Acor/Routertech firmware.

    I will post the links.
     
  9. wlkn

    wlkn Addicted to LI Member

    @mstombs Thank you!

    @bovirus When are you going to post links?

    Why not write your posts when you can post links? instead of always talking with "will" ?
     

Share This Page