Sky ER110 Router teardown

This is a quick teardown of the Sky ER110 Router with a copy of the extracted firmware, UART Dump and a list of all components.   The design and layout is identical to the ER115 but uses an onboad PSU.   The teardown procedure is also the same, see here.

Before you extract your own firmware you will need a copy of a Kali Linux (for ease or use), soldering iron, microscope, sharp knife and a RT809H or equivalent.

A copy of the firmware can be found here https://drive.google.com/file/d/1CUR8xfGLhg8buqRIW6D697yPIGLKJ6jU/view?usp=sharing

1. Front view

SKY ER110 Front View

2. Rear view

SKY ER110 Rear View

3. Rear PCB.

Sky Q Hub ER110 Rear PCB
NoPart NumberDescription
1FL256SA1H30 627BB119 A Cypress 32MB BGA24 4x6 SPI Flash Memory

4. Front PCB

Sky Q Hub ER110 Front PCB
NoPart NumberDescription
1ATHEROS AR1540-AL3C C AASA KR fully-differential amplifier
2ATHEROS AR7420 -AL3C NU62725H 1627MAC/PHY Transceiver
3B50612E B1KMLG TE1631 P21 611338 3 WSINGLE GIGABIT PHY 3E
4BCM63168UKFEBG TT1626 P40 601842-07 N1ABroadcom SOC
5BCM6303 KMLG P31 CN1624 602355 3BSingle-chip multi-mode ADSL2+/VDSL2 IAD
6SAMSUNG 625 K4B2616460-BCK0 EGD0872PC1GB DDR3 RAM?
7UART (3,4) & JTAG 
8BCM4360KMLG TE1622 P20 594896-04 3 WIC RF TXRX WIFI SINGLE CHIP
9VUBI TI 55 529F3-17V 3A Step-Down Converter in 3x3 QFN Package
10UART (disabled) 
11FMF 4591 QSVG ???

5.  Spansion/Cypress FL256SA1H30 pinout.

FL256SA1H30 pinout

6.  Front PCB traces.

Sky Q Hub ER110 Front Flash Chip

7.  Rear PCB traces.

Sky Q Hub ER110 Flash Chip Rear

8. UART Dump

HELO
CPUI
L1CI
HELO
CPUI
L1CI
4.1404-1.0.38-200 118.002 116
DRAM
----
PHYS
STRF
400H
PHYE
DDR3
SIZ4
SIZ3
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN


Base: 4.14_04
CFE version 1.0.38-118.116 for BCM963268 (32bit,SP,BE)
Build Date: Tue Aug 19 16:58:53 BST 2014 (tomasz@iris)
Copyright (C) 2000-2013 Broadcom Corporation.

Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 268435456 bytes (256MB)
Boot Address: 0xb8000000

HS Serial flash device: S25FL256, id 0x0119 size 32768KB
Total Flash size: 32768K with 512 sectors
reserved at bottom=128KB
Flash split 10 : AuxFS[3407872]
FLASH_BASE                    =0xb8000000

fInfo->flash_rootfs_start_offset =0x00080000

fInfo->flash_meta_start_blk = 510

fInfo->flash_syslog_start_blk  = 0
fInfo->flash_syslog_number_blk = 0
fInfo->flash_syslog_length=0x0

fInfo->flash_backup_psi_start_blk = 0
fInfo->flash_backup_psi_number_blk = 0

sp startAddr = b9fe4000
fInfo->flash_scratch_pad_start_blk = 510
fInfo->flash_scratch_pad_number_blk = 1
fInfo->flash_scratch_pad_length = 0x2000
fInfo->flash_scratch_pad_blk_offset = 0x4000

psi startAddr = b9fe6000
fInfo->flash_persistent_start_blk = 510
fInfo->flash_persistent_number_blk = 1
fInfo->flash_persistent_length=0xa000
fInfo->flash_persistent_blk_offset = 0x6000

AuxFs.start_blk = 458
AuxFs,number_blk = 52
AuxFs.total_len = 0x340000
AuxFs.sect_size = 0x10000
fInfo->flash_sky_scratch_pad_start_blk = 511
fInfo->flash_sky_scratch_pad_number_blk = 1
fInfo->flash_sky_scratch_pad_length = 0x100
fInfo->flash_sky_scratch_pad_blk_offset = 0xff00

Board IP address                  : 192.168.0.1:ffffff00
Host IP address                   : 192.168.0.100
Gateway IP address                :
Run from flash/host/tftp (f/h/c)  : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name    :
Default ramdisk store address     :
Board Id (0-33)                   : BSKYB_VIPER
Number of MAC Addresses (1-32)    : 10
Base MAC Address                  : 00:10:18:00:00:00
PSI Size (1-64) KBytes            : 40
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Auxillary File System Size Percent: 10
Main Thread Number [0|1]          : 0

Booting from latest image (0xb8e60000) ...

Signature@Offset: [0x019e35e4]

FLASH IMAGE SIGNATURE OK
Code Address: 0x80752B90, Entry Address: 0x803a3c40
RootFS & Kernel CRCs are correct.
Decompression OK!
Entry at 0x803a3c40
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found
Closing DMA Channels
Starting program at 0x803a3c40

9.  binwalk outputs the following:

14308         0x37E4          LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 254944 bytes
524288        0x80000         Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0x3C514052, ~CRC32 data checksum: 0x45C2FC04
524544        0x80100         Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10465800 bytes, 1182 inodes, blocksize: 131072 bytes, created: 2016-11-21 17:07:07
10993932      0xA7C10C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4682720 bytes
15073280      0xE60000        Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0x2BE94B0C, ~CRC32 data checksum: 0x4061B89C
15073536      0xE60100        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10513640 bytes, 1185 inodes, blocksize: 131072 bytes, created: 2016-12-13 19:08:28
25587980      0x186710C       LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4682720 bytes

10.  7zip opens the file just fine but if you want to use what bin walk produces to extract the image then use these commands:

dd if=ER110.BIN of=sky1.bin bs=1 count=14308  skip=0
dd if=ER110.BIN of=sky2.bin bs=1 count=524288  skip=14308
dd if=ER110.BIN of=sky3.bin bs=1 count=524544  skip=524288
dd if=ER110.BIN of=sky4.bin bs=1 count=10993932  skip=524544
dd if=ER110.BIN of=sky5.bin bs=1 count=15073280  skip=10993932
dd if=ER110.BIN of=sky6.bin bs=1 count=15073536  skip=15073280
dd if=ER110.BIN of=sky7.bin bs=1 count=25587980  skip=15073536
dd if=ER110.BIN of=sky8.bin bs=1 count=33554431  skip=25587980