Preliminary page.
Inventel DV3210-WS
Inventel DV3210-WS partlist
cfgtool.zip - tool to decrypt configuration files
Reflash with JTAG
Notes
Disclaimer: I am not responsible for any damage to your hardware.
Numbers on this page are mostly hexadecimal; which ones should be obvious from context.
Firmware version v5.05.5-fr is assumed to be installed. But it will probably work with others too.
The wrt54g debrick utility is a bit quirky with flash detection and byte ordering.
DMA mode doesn't seem to work properly, so /nodma is used here. It is very slow though.
In case JTAG fails, try pushing the reset button which is located between button "2" and USB host connector.
Depending on whether the CPU has been initialized correctly, the flash window address is either 1e400000 or 1fc00000.
Requirements
Xilinx-compatible JTAG cable (build it yourself for cheap, see Google)
Soldering equipment (for attaching the JTAG cable)
USB A-B cable
special serial cable (if you want to login with a serial terminal and have debugging information)
HairyDairyMaid WRT54G Debrick Utility v4.5
cramfsck & mkcramfs (Cygwin package "cramfs")
redim (for byte reordering)
nice (optional, for flashing at lower CPU priority)
DWBFlash (from Livebox CD. used to flash the filesystem via USB)
Firmware_v5.05.5-fr.dwb (for extracting the install script)
dwbtool (for creating firmware file for use with DWBFlash)
redboot patch.zip - Pre-patched redboot loader using both methods. (If you don't want to do it manually)
Flash memory layout
*** Found a AMD 29lv320MB 2Mx16 BotB (4MB) Flash Chip *** (wrong!)
- Flash Chip Window Start .... : 1e400000
- Flash Chip Window Length ... : 00400000 (wrong!)
- Selected Area Start ........ : 1e400000
- Selected Area Length ....... : 00800000 (correct!)
FIS directory (FIS = FLASH Image System)
000000 RedBoot
030000 user_fs (compressed filesystem) size=720000
750000 jffs_system size=A0000
750000 empty (except 12 bytes tag)
760000 empty (except 12 bytes tag)
770000 configuration
7A0000 empty (except 12 bytes tag)
7B0000 empty (except 12 bytes tag)
7C0000 empty (except 12 bytes tag)
7D0000 empty (except 12 bytes tag)
7E0000 configuration
7F0000 FIS directory
7FF000 RedBoot config
7FFFF8 some ID+checksum? perhaps unlock bits
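The FIS directory above is the table RedBoot keeps at 7F0000: one 256-byte struct fis_image_desc per image (16-byte name, flash_base, mem_base, size, entry_point, data_length, padding, two checksums), terminated by erased flash. Before trusting a dump or writing anything back, it is worth parsing that table and checking that the regions fit the part and do not overlap. The following is an added example, not code from the page or from RedBoot; the directory contents are constructed to mirror the layout listed above, and the window bases and 8 MB size are taken from the Notes and the detection output.

```python
import struct

FIS_ENTRY_SIZE = 256                      # sizeof(struct fis_image_desc) in RedBoot
FLASH_SIZE = 0x800000                     # 8 MB part ("Selected Area Length" above)
FLASH_WINDOWS = (0x1E400000, 0x1FC00000)  # the two window bases named in the Notes


def build_entry(name, offset, size, endian=">", window=0x1FC00000):
    """Constructed fis_image_desc: name[16], flash_base, mem_base, size,
    entry_point, data_length, 212 pad bytes, desc_cksum, file_cksum (256 bytes)."""
    return struct.pack(endian + "16sIIIII212xII",
                       name.encode("ascii"), window + offset, 0, size, 0, size, 0, 0)


def parse_fis(directory, endian):
    """Walk 256-byte entries until an erased (0xFF) name byte ends the table."""
    entries = []
    for off in range(0, len(directory) - FIS_ENTRY_SIZE + 1, FIS_ENTRY_SIZE):
        raw = directory[off:off + FIS_ENTRY_SIZE]
        if raw[0] == 0xFF:
            break
        name, flash_base, _mem, size, _entry, data_len = struct.unpack(endian + "16sIIIII", raw[:36])
        entries.append({"name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
                        "flash_base": flash_base, "size": size, "data_length": data_len})
    return entries


def window_of(addr):
    """Return the flash window base an address belongs to, or None."""
    for base in FLASH_WINDOWS:
        if base <= addr < base + FLASH_SIZE:
            return base
    return None


def guess_endian(directory):
    """Pick the byte order under which every flash_base lands inside a known window."""
    for endian in (">", "<"):
        entries = parse_fis(directory, endian)
        if entries and all(window_of(e["flash_base"]) is not None for e in entries):
            return endian
    return None


def check_layout(entries):
    """Report entries that fall outside the part or overlap each other."""
    problems, spans = [], []
    for e in entries:
        base = window_of(e["flash_base"])
        if base is None or e["flash_base"] + e["size"] > base + FLASH_SIZE:
            problems.append(f"{e['name']}: outside flash")
            continue
        start = e["flash_base"] - base
        spans.append((start, start + e["size"], e["name"]))
    spans.sort()
    for (s0, e0, n0), (s1, e1, n1) in zip(spans, spans[1:]):
        if s1 < e0:
            problems.append(f"{n0} overlaps {n1}")
    return problems


# Constructed directory mirroring the offsets listed above; the rest is erased flash.
SAMPLE_DIR = b"".join([
    build_entry("RedBoot", 0x000000, 0x30000),
    build_entry("user_fs", 0x030000, 0x720000),
    build_entry("jffs_system", 0x750000, 0xA0000),
    build_entry("FIS directory", 0x7F0000, 0xF000),
    build_entry("RedBoot config", 0x7FF000, 0x1000),
]).ljust(0x1000, b"\xff")


def summarize(directory):
    """Detect byte order, parse, and sanity-check a dumped FIS directory."""
    endian = guess_endian(directory)
    if endian is None:
        return None, [], ["cannot determine byte order"]
    entries = parse_fis(directory, endian)
    return endian, entries, check_layout(entries)


if __name__ == "__main__":
    endian, entries, problems = summarize(SAMPLE_DIR)
    print("byte order:", "big" if endian == ">" else "little")
    for e in entries:
        print(f"{e['flash_base'] - window_of(e['flash_base']):06X} {e['name']:<16} size={e['size']:X}")
    print("problems:", problems or "none")
```

Run it on the 0x7F0000..0x7FF000 slice of a corrected full_backup.bin instead of SAMPLE_DIR; a non-empty problem list means the dump is mis-ordered, truncated, or the directory itself is damaged.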
Backup whole flash and extract filesystem
nice wrt54g -backup:custom /window:1e400000 /start:1e400000 /length:800000 /silent /notimestamp
redim *,-4 -i CUSTOM.BIN -o full_backup.bin
redim *,-4 -i CUSTOM.BIN -o cramfs.bin -s 0x30000
cramfsck -x cramfs cramfs.bin
del cramfs.bin
del CUSTOM.BIN
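The debrick utility's dump needs its byte order corrected before the cramfs at 30000 can be carved, and the carved image should be checked the same way cramfsck -v checks it later (signature, length and CRC). The example below is added here and is not the page's redim or cramfsck; it does not reproduce redim's syntax. Instead it tries a few byte-order transforms until the cramfs magic and "Compressed ROMFS" signature appear at the user_fs offset, cuts out exactly superblock.size bytes, and recomputes the cramfs CRC (crc32 over the image with the crc field zeroed). The sample dump is constructed: a zero-filled minimal image behind a valid superblock, word-reversed as an assumed stand-in for what the tool writes. Which byte order the real device uses is not asserted here.

```python
import struct
import zlib

CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"
CRAMFS_FLAG_FSID_VERSION_2 = 0x01           # fsid block (including crc) is valid
USER_FS_OFFSET = 0x30000                    # user_fs start from the FIS directory
SUPER_FMT = "I I I I 16s I I I I 16s 12s"   # struct cramfs_super, 76 bytes


def reverse_words(data, width):
    """Reverse the byte order inside every `width`-byte group."""
    if len(data) % width:
        raise ValueError("length not a multiple of word width")
    out = bytearray(len(data))
    for i in range(width):
        out[i::width] = data[width - 1 - i::width]
    return bytes(out)


def detect_endian(block):
    """Return '>' or '<' if the first word is the cramfs magic in that order."""
    for endian in (">", "<"):
        if struct.unpack(endian + "I", block[:4])[0] == CRAMFS_MAGIC:
            return endian
    return None


def looks_like_super(block):
    """Magic alone is ambiguous after a word swap; the text signature is not."""
    return detect_endian(block) is not None and block[16:32] == CRAMFS_SIGNATURE


def fix_byte_order(dump, offset=USER_FS_OFFSET):
    """Try identity, 4-byte reversal and 2-byte swap; return (name, corrected)."""
    candidates = (("as-is", lambda d: d),
                  ("reverse 4-byte words", lambda d: reverse_words(d, 4)),
                  ("swap 2-byte halves", lambda d: reverse_words(d, 2)))
    for name, fn in candidates:
        fixed = fn(dump)
        if looks_like_super(fixed[offset:offset + 76]):
            return name, fixed
    raise ValueError("no byte-order transform reveals a cramfs superblock")


def parse_super(block):
    """Unpack the fields we need from a cramfs superblock."""
    endian = detect_endian(block)
    if endian is None:
        raise ValueError("bad cramfs magic")
    f = struct.unpack(endian + SUPER_FMT, block[:76])
    return {"endian": endian, "size": f[1], "flags": f[2], "signature": f[4],
            "crc": f[5], "files": f[8]}


def carve_cramfs(dump, offset=USER_FS_OFFSET):
    """Cut exactly superblock.size bytes out of a correctly ordered dump."""
    sb = parse_super(dump[offset:offset + 76])
    return dump[offset:offset + sb["size"]]


def verify_cramfs(image):
    """The checks cramfsck applies before walking inodes: signature, length, CRC."""
    sb = parse_super(image[:76])
    if sb["signature"] != CRAMFS_SIGNATURE:
        return False, "signature mismatch"
    if sb["size"] != len(image):
        return False, f"superblock says {sb['size']:#x} bytes, image has {len(image):#x}"
    if sb["flags"] & CRAMFS_FLAG_FSID_VERSION_2:
        zeroed = image[:32] + b"\0\0\0\0" + image[36:]   # crc field lives at offset 32
        actual = zlib.crc32(zeroed) & 0xFFFFFFFF
        if actual != sb["crc"]:
            return False, f"crc {actual:08x} != {sb['crc']:08x}"
    return True, "ok"


def build_sample_image(endian=">", size=0x1000):
    """Constructed minimal image: valid superblock over zero-filled data
    (a real image carries inodes and compressed blocks after the superblock)."""
    sb = struct.pack(endian + SUPER_FMT, CRAMFS_MAGIC, size, CRAMFS_FLAG_FSID_VERSION_2, 0,
                     CRAMFS_SIGNATURE, 0, 0, 0, 1, b"livebox-sample", b"\0" * 12)
    image = sb.ljust(size, b"\0")
    crc = zlib.crc32(image) & 0xFFFFFFFF
    return image[:32] + struct.pack(endian + "I", crc) + image[36:]


# Constructed dump: filler for the RedBoot region, the image, more filler, then
# word-reversed as an assumed stand-in for the debrick utility's output.
SAMPLE_DUMP = reverse_words(b"\xff" * USER_FS_OFFSET + build_sample_image() + b"\xff" * 0x1000, 4)

if __name__ == "__main__":
    how, fixed = fix_byte_order(SAMPLE_DUMP)
    image = carve_cramfs(fixed)
    print(how, "->", hex(len(image)), "byte cramfs image:", verify_cramfs(image))
```

verify_cramfs works equally on the -mod image produced by mkcramfs later on, so the same check can confirm the rebuilt filesystem before it goes into a dwb.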
Redboot signature check patch method 1
copy /y full_backup.bin patched.bin
In patched.bin, replace the following instructions with zeros (NOP instructions):
ROM:00004570 54 40 00 0E bnezl $v0, crypt_verify_failed
ROM:00009AB4 14 40 FF D9 bnez $v0, crypt_verify_failed2
Data must be flashed per 0x10000.
redim *,2,-2 -i patched.bin -o CUSTOM.BIN
nice wrt54g -flash:custom /window:1fc00000 /start:1fc00000 /length:10000 /silent /nodma
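Before writing patched.bin back, confirm that it differs from full_backup.bin in exactly the two words listed above and nowhere else; a stray edit in the loader is the classic way to end up with a brick. This is an added example, not the page's tooling: the two offsets and original encodings come from the listing above (ROM base 0 is taken to be the start of RedBoot at flash offset 0), and the sample images are constructed stand-ins for the first 0x10000 bytes of the backup and the patched file.

```python
NOP = b"\x00\x00\x00\x00"            # MIPS nop is the all-zero word
# Word offsets and original bytes listed above (ROM:00004570, ROM:00009AB4)
EXPECTED_PATCH = {
    0x4570: bytes.fromhex("5440000E"),   # bnezl $v0, crypt_verify_failed
    0x9AB4: bytes.fromhex("1440FFD9"),   # bnez  $v0, crypt_verify_failed2
}


def diff_words(original, patched):
    """Return {offset: (old_word, new_word)} for every 4-byte word that differs."""
    if len(original) != len(patched) or len(original) % 4:
        raise ValueError("images must be the same, word-aligned length")
    changes = {}
    for off in range(0, len(original), 4):
        a, b = original[off:off + 4], patched[off:off + 4]
        if a != b:
            changes[off] = (a, b)
    return changes


def check_patch(original, patched, expected=EXPECTED_PATCH):
    """Accept only if exactly the expected words changed, each from its listed
    encoding to a nop. Returns (ok, findings)."""
    findings = []
    changes = diff_words(original, patched)
    for off in sorted(set(changes) | set(expected)):
        if off not in changes:
            findings.append(f"{off:06X}: expected word unchanged")
        elif off not in expected:
            findings.append(f"{off:06X}: unexpected change {changes[off][0].hex()} -> {changes[off][1].hex()}")
        elif changes[off][0] != expected[off]:
            findings.append(f"{off:06X}: original bytes {changes[off][0].hex()} do not match listing")
        elif changes[off][1] != NOP:
            findings.append(f"{off:06X}: replacement is not a nop")
    return not findings, findings


def build_samples():
    """Constructed stand-ins for the first 0x10000 bytes of full_backup.bin and patched.bin."""
    original = bytearray(bytes(range(256)) * (0x10000 // 256))
    for off, word in EXPECTED_PATCH.items():
        original[off:off + 4] = word
    patched = bytearray(original)
    for off in EXPECTED_PATCH:
        patched[off:off + 4] = NOP
    return bytes(original), bytes(patched)


if __name__ == "__main__":
    original, patched = build_samples()
    ok, findings = check_patch(original, patched)
    print("patch ok" if ok else "\n".join(findings))
```

With real files, read full_backup.bin and patched.bin (the whole 800000 bytes or just the first 10000 that get flashed) and pass them to check_patch; any finding at all means stop and redo the edit.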
Redboot signature check patch method 2
copy /y full_backup.bin patched.bin
The redboot loader contains some public keys.
@ 2B148 pubkey_inventel_bootloader_only
@ 2B2F8 pubkey_inventel_bootloader_only_len
@ 2B2FC pubkey_release_wanadoo_fr
@ 2B4A8 pubkey_release_wanadoo_fr_len
Replace the original keys and lengths with mykey starting from "94 00 03 00 ..." but not including the private key which starts with "xx 00 00 00 xx xx ...".
In the provided mykey, the length without private key is 0x1AB bytes.
Data must be flashed per 0x10000. It takes a long time with a cheap JTAG cable and /nodma, but we can use an offset to skip the blocks that did not change.
With offset
redim *,2,-2 -i patched.bin -o CUSTOM.BIN -s 0x20000
nice wrt54g -flash:custom /window:1fc20000 /start:1fc20000 /length:10000 /silent /nodma
Without offset (takes longer to flash)
redim *,2,-2 -i patched.bin -o CUSTOM.BIN
nice wrt54g -flash:custom /window:1fc00000 /start:1fc00000 /length:30000 /silent /nodma
Extracting filesystem from dwb
Extract dwb
dwbtool -x Firmware_v5.05.5-fr.dwb Firmware_v5.05.5-fr.script Firmware_v5.05.5-fr.cramfs
Extract filesystem image
cramfsck -v -x Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr.cramfs
For mkcramfs under Cygwin, the verbose output can be processed into a suitable device list.
Modify the filesystem
Remove root password from etc_ro_fs/passwd
root::0:0:root:/root:/bin/sh
Clean up etc_ro_fs/init.d/update_ft (called from ip-down, ip-up, ip-updown)
#!/bin/sh
Clean up etc_ro_fs/init.d/autoupdate (called from ip-down, ip-up, ip-updown)
#!/bin/sh
Change update IP address in etc_ro_fs/autoconf.conf
CONFIG_DEFAULT_UPDATE_MACHINE="192.168.1.23"
Change update IP address in etc_ro_fs/firm.conf
UPDATE_MACHINE=192.168.1.23 #force
Hex-edit regexps in sbin/adsld
Hmz... I can't seem to find those regexps some were talking about. Never mind then.
Create modified filesystem image and flash
Create and verify filesystem image (using Firmware_v5.05.5-fr-mod as source directory)
#For cygwin port of mkcramfs, you might need to remove the dev subfolder.
# mkcramfs -v -q -D devices.tab Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr-mod.cramfs
# cramfsck -v Firmware_v5.05.5-fr-mod.cramfs
Use mkcramfs under linux since Cygwin port is kind of broken:
mkcramfs -v Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr-mod.cramfs
cramfsck -v Firmware_v5.05.5-fr-mod.cramfs
Create and verify dwb (assuming you have extracted Firmware_v5.05.5-fr.script already)
dwbtool -c Firmware_v5.05.5-fr-mod.dwb Firmware_v5.05.5-fr.script Firmware_v5.05.5-fr-mod.cramfs
dwbtool -v Firmware_v5.05.5-fr-mod.dwb
Start DWBFlash and select the modified dwb file.
Hold button "1" while powering up to put the Livebox into USB programming mode.
Click "Programmation" button when it reports "Interface ready".
TODO: Investigate http://www.ioware.ca/projects/ejtag/
Serial port
(pin 1 is marked with a black spot)
Pin-out:
1 data in (3V)
2 data out (3V)
3 button "2" input
4 button "1" input
5 +5V
6 ground
Parameters: 115200 baud, 8 data bits, no parity, 1 stop bit
Sagem BASE F@st 3202
Sagem BASE F@st 3202 partlist