TalkTalk Business Wi-Fi Hub FAST 5364 Sagemcon Teardown
The Sagemcon TalkTalk Wi-Fi Hub FAST 5364 is a VDSL/ADSL Router with 4 port hub, 2.4GHz Wi-Fi (802.11 b/g/n) and 5GHz Wi-Fi (802.11 a/n/ac). The firmware seems to based largely on openwrt. While this router is better than previous TalkTalk routers in terms of build quality it still lacks decent antennas. The business model and home model are identical apart from the firmware.
As usual the aim of the teardown is to extract the firmware, if you want to cut to the chase you can download it hear:-
https://drive.google.com/file/d/12t2AtB8GHkXsILovY6ZVEGQ6HjYHEl0X/view?usp=sharing
The firmware can be extracted via JTAG, UART header or directly dumping the RAW NAND chip.
First of all here are some pretty pictures of the FAST 5364
Front
Rear
To get inside, shim the front of the router then pull the top plastic forward and pull off.
Remove the 4 screws circled in red.
Top PCB
Bottom PCB
To remove the RF shields use a flat head screw driver and gently pry upwards around the edges avoiding the traces.
Front PCB RF sheild removed
| No. | Part Number | Description |
| 1 | 4552 67M7 | 5GHz RF Front End Module |
| 2 | MP111 K961741 MPS 48 | Dying Gasp Storage and Release Control IC |
| 3 | FPE G24102MK 2007v | 100/1000BASE-T SINGLE TRANSFORMER MODULES |
| 4 | JWD SG48001G 2006 | 100/1000 BASE-T |
| 5 | BCM63137UKFSBG TK1948 P20 CWA-17 N2A | Broadcom SOC MIPS CPU |
| 6 | Zentel A3T2GF30BBF -GML 948ZEN1T 9B0420B3G-F | DDR3L-1600 256Mx8 SDRAM FBGA-78 |
| 7 | BCM8303 KMLG P31 CN1943 201 38 W | ???? |
| 8 | BCM43602KMLGTE1946 P11 077-11 3 W | 3x3 MIMO 802.11ac SoC, ARM Cortex-M3 |
| 9 | SKY11 86310 944GE | Power Amplifier IC |
| 10 | BCM4366EKMMLW16 TET938 P30 016-24 3H | 4x4 2.4/5G single chip 802.11ac SoC |
| 11 | UART |
Partial BCM63137UKFSBG SOC pinout
Rear PCB RF sheild removed
| No. | Part Number | Description |
| 1 | 8958 9C34C | Dual N & P-Channel PowerTrench MOSFET |
| 2 | RT9059 GSP6LC8W | 3A, Ultra-Low Dropout Voltage Regulator |
| 3 | MXIC X194611 MX30LF4G18AC-XKI 8F631000 | 512Mb 3V SLC NAND Flash memory BGA63 |
| 4 | JTAG |
JTAG pads are connected. Above the NAND chip are the pads for an SPI IC, all capacitors and resistors are populated.
NAND Pinout
Firmware dump
To extract the firmware I removed the NAND chip and dumped the entire contents using a RT809H. This is not necessary you can use JTAG or UART/TFTP. For a guide on dumping via UART follow this link:-
https://forum.openwrt.org/t/openwrt-based-talktalk-sagemcom-fast-5364-tinkering/49961/97
To be able to get any data from the raw NAND flash you must first read the UART dump to get the partition offsets.
HELO
CPU0
PMCM
PMCS
PMCD
CODE
L1CD
MMUI
ZBBS
MAIN
5.0203-1.0.38-161.184
DRAM
NVRAM memcfg 0x407
MCB chksum 0xf64e52b4
DDR3-1600 CL11 256MBx2
PASS
Version cfe-rom: 0.9.1
FPS0
J2EP
Base: 5.2_03
CFE version 1.0.38-161.184 for BCM963138 (32bit,SP,LE)
Build Date: Wed Dec 13 18:07:04 CET 2017 (g603230@rmm-p1196234pl)
Copyright (C) 2000-2015 Broadcom Corporation.
Version cfe-ram: 0.9.1
Boot Strap Register: 0x7dfffc2f
Chip ID: BCM63137_B0, ARM Cortex A9 Dual Core: 1000MHz
Total Memory: 536870912 bytes (512MB)
NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: , id 0xc2dc block 128KB size 524288KB
pmc_init:PMC using DQM mode
Board IP address : 192.168.1.1
Host IP address : 192.168.1.10
Gateway IP address :
Run from flash/host/tftp (f/h/c) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Default host ramdisk file name :
Default ramdisk store address :
Default DTB file name :
Board Id : FAST5364v3
Number of MAC Addresses (1-64) : 10
Base MAC Address : 48:d2:4f:18:46:e4
PSI Size (1-128) KBytes : 128
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Auxillary File System Size Percent: 0
MC memory allocation (MB) : 4
TM memory allocation (MB) : 44
DHD 0 memory allocation (MB) : 14
DHD 1 memory allocation (MB) : 7
DHD 2 memory allocation (MB) : 0
WLan Feature : 0x00
Partition 1 Size (MB) :
Partition 2 Size (MB) :
Partition 3 Size (MB) :
Partition 4 Size (MB) (Data) : 4MB
Initalizing switch low level hardware.
pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0.
Software Resetting Switch ... Done.
Waiting MAC port Rx/Tx to be enabled by hardware ...Done
Disable Switch All MAC port Rx/Tx
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Initializing UBI and starting U-Boot...
Looking for UBI...
Looking for U-Boot...
Found valid GSDF
Starting U-Boot from UBI at 0x00080000
U-Boot 2017.07@sc-0.16.0 (Dec 13 2017 - 18:07:18 +0100) sc_f5364v3
CPU: BCM63xx
Model: Sagemcom F5364v3
DRAM: 512 MiB
NAND: 512 MiB
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=2", size 8 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 70, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 5, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 5/0, WL threshold: 4096, image sequence number: 0
ubi0: available PEBs: 0, total reserved PEBs: 70, PEBs reserved for bad PEB hand ling: 29
Volume bootenv not found!
** Unable to read env from boot:bootenv **
Using default environment
In: serial
Out: serial
Err: serial
Version: 2017.07@sc-0.16.0
Board: FAST5364v3
Mode: standard
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=2", size 8 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 70, bad PEBs: 0, corrupted PEBs: 0
ubi0: user volume: 5, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 5/0, WL threshold: 4096, image sequence number: 0
ubi0: available PEBs: 0, total reserved PEBs: 70, PEBs reserved for bad PEB hand ling: 29
ERROR: sc: invalid LAN base MAC address in PP
Net: brcm_rddeth
Autoboot in 5 seconds. Press <SPACE> to abort.
sbp: check net command
nmc: waiting command for 2 seconds
sbp: boot operational
sb3: booting 'operational'
ubi0: detaching mtd1
ubi0: mtd1 is detached
ubi0: attaching mtd1
ubi0: scanning is finished
ubi0: attached mtd1 (name "mtd=3", size 191 MiB)
ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
ubi0: good PEBs: 1529, bad PEBs: 1, corrupted PEBs: 0
ubi0: user volume: 4, internal volumes: 1, max. volumes count: 128
ubi0: max/mean erase counter: 10/7, WL threshold: 4096, image sequence number: 0
ubi0: available PEBs: 378, total reserved PEBs: 1151, PEBs reserved for bad PEB handling: 39
sb3: loaded image 'operational' (22474752 bytes) at 0x01000000
sb3: image 'operational' type is 'gsdf'
sb3: image 'operational' signature is OK
sb3: no pre-boot command found
## Booting kernel from Legacy Image at 0101f000 ...
Image Name: scOS SG4K1100014 (6.72.44.7_Prod
Image Type: ARM Linux Kernel Image (gzip compressed)
Data Size: 3145728 Bytes = 3 MiB
Load Address: 00008000
Entry Point: 00008000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
Starting kernel ...
Booting Linux on physical CPU 0
Linux version 3.4.11-rt19 (rmm-svce-urd2int04@compil-atr-1) (gcc version 4.6.2 ( GCC) ) #5 SMP PREEMPT Tue Feb 4 14:41:39 CET 2020
CPU: ARMv7 Processor [414fc091] revision 1 (ARMv7), cr=10c53c7d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine: BCM963138
Configured DHD pools size (in Bytes): [0]=0xe00000 [1]=0x700000 [2]=0x0
bootconsole [earlycon0] enabled
Memory policy: ECC disabled, Data cache writealloc
creating a MT_MEMORY_NONCACHED device at physical address of 0x0fe00000 to virtu al address at 0xcfe00000 with size of 0x200000 byte for DSL
creating a MT_MEMORY_NONCACHED device at physical address of 0x0d200000 to virtu al address at 0xcd200000 with size of 0x2c00000 byte for RDPA tm
creating a MT_MEMORY_NONCACHED device at physical address of 0x0ce00000 to virtu al address at 0xcce00000 with size of 0x400000 byte for RDPA mc
creating a MT_MEMORY_NONCACHED device at physical address of 0x0c000000 to virtu al address at 0xcc000000 with size of 0xe00000 byte for DHD dhd0
creating a MT_MEMORY_NONCACHED device at physical address of 0x0b800000 to virtu al address at 0xcb800000 with size of 0x700000 byte for DHD dhd1
On node 0 totalpages: 112896
free_area_init_node: node 0, pgdat c05bbd60, node_mem_map c1000000
DMA zone: 32 pages used for memmap
DMA zone: 0 pages reserved
DMA zone: 4064 pages, LIFO batch:0
Normal zone: 992 pages used for memmap
Normal zone: 107808 pages, LIFO batch:31
pmc_init:PMC using DQM mode
pmc_init:2db 3350339 4b004b
L310 cache controller enabled
l2x0: 16 ways, CACHE_ID 0x410000c9, AUX_CTRL 0x6a450000, Cache size: 524288 B
PERCPU: Embedded 7 pages/cpu @c1405000 s6304 r8192 d14176 u32768
pcpu-alloc: s6304 r8192 d14176 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 111872
Kernel command line: root=mtd:rootfs earlyprintk debug init=/etc/preinit ro root fstype=squashfs console=ttyS0,115200 rootfs_offset=0x326000 rootfs_size=0x124900 0 mtdparts=nand.0:128k(nvram),640k(cfe),8960k(boot),195840k(ubi),-(data) ubi.mt d=ubi,0 part_main=ubi part_boot=boot image_ubivol=operational board_type=0003008 5
UBI image volume: "operational"
PID hash table entries: 2048 (order: 1, 8192 bytes)
Dentry cache hash table entries: 65536 (order: 6, 262144 bytes)
Inode-cache hash table entries: 32768 (order: 5, 131072 bytes)
Memory: 184MB 1MB 256MB = 441MB total
Memory: 440896k/440896k available, 83392k reserved, 0K highmem
Virtual kernel memory layout:
vector : 0xffff0000 - 0xffff1000 ( 4 kB)
fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
vmalloc : 0xe0800000 - 0xff000000 ( 488 MB)
lowmem : 0xc0000000 - 0xe0000000 ( 512 MB)
pkmap : 0xbfe00000 - 0xc0000000 ( 2 MB)
modules : 0xbf000000 - 0xbfe00000 ( 14 MB)
.text : 0xc0008000 - 0xc055986c (5447 kB)
.init : 0xc055a000 - 0xc057f8a0 ( 151 kB)
.data : 0xc0580000 - 0xc05bcbe0 ( 243 kB)
.bss : 0xc05bcc04 - 0xc05f39c8 ( 220 kB)
Preemptible hierarchical RCU implementation.
Dump stacks of tasks blocking RCU-preempt GP.
NR_IRQS:256
Cortex A9 MPCORE GIC init
DIST at fc01f000, CPU_IF at fc01e100
map_hw_timer_interrupt,132: interrupt_id 96
map_hw_timer_interrupt,132: interrupt_id 97
map_hw_timer_interrupt,132: interrupt_id 98
map_hw_timer_interrupt,132: interrupt_id 99
sched_clock: 32 bits at 1kHz, resolution 1000000ns, wraps every 4294967295ms
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Calibrating delay loop... 1990.65 BogoMIPS (lpj=995328)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
--Kernel Config--
SMP=1
PREEMPT=1
DEBUG_SPINLOCK=0
DEBUG_MUTEXES=0
CPU: Testing write buffer coherency: ok
Broadcom Logger v0.1 Feb 4 2020 13:24:05
Setting up static identity map for 0x41c738 - 0x41c76c
CPU1: Booted secondary processor
CPU1: Unknown IPI message 0x1
Brought up 2 CPUs
SMP: Total of 2 processors activated (3981.31 BogoMIPS).
NET: Registered protocol family 16
bcm63xx_pcie: setting resistor calibration value to 0x8
bcm63xx_pcie: applying serdes parameters
PCIE port 0 SSC Disabled
PCIE port 0 link-up
PCIE port 0 SSC Enabled
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0x90000000-0x9fffffff]
pci 0000:00:00.0: [14e4:6313] type 01 class 0x060400
pci 0000:00:00.0: PME# supported from D0 D3hot
PCI: bus0: Fast back to back transfers disabled
pci 0000:01:00.0: [14e4:4365] type 00 class 0x028000
pci 0000:01:00.0: reg 10: [mem 0x00000000-0x00007fff 64bit]
pci 0000:01:00.0: reg 18: [mem 0x00000000-0x007fffff 64bit]
pci 0000:01:00.0: reg 20: [mem 0x00000000-0x000fffff 64bit pref]
pci 0000:01:00.0: supports D1 D2
pci 0000:00:00.0: Checking PCIe ASPM for vendor 14e4 device 4365
pci 0000:00:00.0: Disabling PCIe ASPM for vendor 14e4 device 4365
PCI: bus1: Fast back to back transfers disabled
pci 0000:00:00.0: BAR 8: assigned [mem 0x90000000-0x90bfffff]
pci 0000:00:00.0: BAR 9: assigned [mem 0x90c00000-0x90cfffff 64bit pref]
pci 0000:01:00.0: BAR 2: assigned [mem 0x90000000-0x907fffff 64bit]
pci 0000:01:00.0: BAR 4: assigned [mem 0x90c00000-0x90cfffff 64bit pref]
pci 0000:01:00.0: BAR 0: assigned [mem 0x90800000-0x90807fff 64bit]
pci 0000:00:00.0: PCI bridge to [bus 01-01]
pci 0000:00:00.0: bridge window [mem 0x90000000-0x90bfffff]
pci 0000:00:00.0: bridge window [mem 0x90c00000-0x90cfffff 64bit pref]
PCI: enabling device 0000:00:00.0 (0140 -> 0143)
bcm63xx_pcie: setting resistor calibration value to 0x8
bcm63xx_pcie: applying serdes parameters
PCIE port 1 SSC Disabled
PCIE port 1 link-up
PCIE port 1 SSC Enabled
PCI host bridge to bus 0001:00
pci_bus 0001:00: root bus resource [mem 0xa0000000-0xafffffff]
pci 0001:00:00.0: [14e4:6313] type 01 class 0x060400
pci 0001:00:00.0: PME# supported from D0 D3hot
PCI: bus0: Fast back to back transfers disabled
pci 0001:01:00.0: [14e4:aa52] type 00 class 0x028000
pci 0001:01:00.0: reg 10: [mem 0x00000000-0x00007fff 64bit]
pci 0001:01:00.0: reg 18: [mem 0x00000000-0x003fffff 64bit]
pci 0001:01:00.0: supports D1 D2
pci 0001:00:00.0: Checking PCIe ASPM for vendor 14e4 device aa52
pci 0001:00:00.0: Disabling PCIe ASPM for vendor 14e4 device aa52
PCI: bus1: Fast back to back transfers disabled
pci 0001:00:00.0: BAR 8: assigned [mem 0xa0000000-0xa05fffff]
pci 0001:01:00.0: BAR 2: assigned [mem 0xa0000000-0xa03fffff 64bit]
pci 0001:01:00.0: BAR 0: assigned [mem 0xa0400000-0xa0407fff 64bit]
pci 0001:00:00.0: PCI bridge to [bus 01-01]
pci 0001:00:00.0: bridge window [mem 0xa0000000-0xa05fffff]
PCI: enabling device 0001:00:00.0 (0140 -> 0143)
bio: create slab <bio-0> at 0
SCSI subsystem initialized
bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated
skb_free_task created successfully
gbpm_do_work scheduled
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 Feb 4 2020 13:27:28 initialized
Broadcom GBPM v0.1 Feb 4 2020 13:27:28 initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
Switching to clocksource timer_cs
NET: Registered protocol family 2
IP route cache hash table entries: 4096 (order: 2, 16384 bytes)
TCP established hash table entries: 16384 (order: 5, 131072 bytes)
TCP bind hash table entries: 16384 (order: 5, 196608 bytes)
TCP: Hash tables configured (established 16384 bind 16384)
TCP: reno registered
UDP hash table entries: 256 (order: 1, 8192 bytes)
UDP-Lite hash table entries: 256 (order: 1, 8192 bytes)
NET: Registered protocol family 1
squashfs: version 4.0 (2009/01/31) Phillip Lougher
Registering unionfs 2.5.12 (for 3.4.70)
NTFS driver 2.1.30 [Flags: R/W].
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.18)
SGI XFS with security attributes, large block/inode numbers, no debug enabled
msgmni has been set to 861
io scheduler noop registered (default)
brd: module loaded
loop: module loaded
Broadcom NAND controller (BrcmNand Controller)
mtd->oobsize=0, mtd->eccOobSize=0
NAND_CS_NAND_XOR=00000000
B4: NandSelect=20000000, nandConfig=27152300, chipSelect=0
brcmnand_read_id: CS0: dev_id=c2dc9095
After: NandSelect=00000100, nandConfig=27152300
DevId c2dc9095 may not be supported. Will use config info
Spare Area Size = 16B/512B
Block size=00020000, erase shift=17
NAND Config: Reg=27152300, chipSize=512 MB, blockSize=128K, erase_shift=11
busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff
ECC level changed to 4
OOB size changed to 16
BrcmNAND mfg 0 0 UNSUPPORTED NAND CHIP 512MB on CS0
Found NAND on CS0: ACC=c3840010, cfg=27152300, flashId=c2dc9095, tim1=65324458, tim2=80000e54
BrcmNAND version = 0x80000700 512MB @00000000
brcmnand_scan: B4 nand_select = 00000100
brcmnand_scan: After nand_select = 00000100
handle_acc_control: default CORR ERR threshold 3 bits
ACC: 16 OOB bytes per 512B ECC step; from ID probe: 16
page_shift=11, bbt_erase_shift=17, chip_shift=29, phys_erase_shift=17
Brcm NAND controller version = 7.0 NAND flash size 512MB @00000000
ECC layout=brcmnand_oob_bch4_2k
brcmnand_scan: mtd->oobsize=64
brcmnand_scan: oobavail=35, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=4, eccbytes=7
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_slc_bch4_main_descr
Bad block table Bbt0 not found for chip on CS0
Bad block table 1tbB not found for chip on CS0
Scanning device for bad blocks, options=00008000
brcmnand_reset_corr_threshold: default CORR ERR threshold 3 bits for CS0
Bad eraseblock 893 at 0x06fa0000
-->brcmnand_isbad_raw(offs=1ffe0000
Bad block table written to 0x1ffe0000, version 0x01
-->brcmnand_isbad_raw(offs=1ffc0000
Bad block table written to 0x1ffc0000, version 0x01
Master size=20000000
rootfs_ofs=0xffffffff, part1ofs=0x00000080, part2ofs=0x0001f600
Part[0] name=bcmfs, size=20000, ofs=0
Part[1] name=bcmfs_update, size=a0000, ofs=20000
Part[2] name=ubi, size=fa40000, ofs=c0000
Part[3] name=data, size=400000, ofs=fb00000
Part[4] name=nvram, size=20000, ofs=0
5 cmdlinepart partitions found on MTD device nand.0
Creating 5 MTD partitions on "nand.0":
0x000000000000-0x000000020000 : "nvram"
0x000000020000-0x0000000c0000 : "cfe"
0x0000000c0000-0x000000980000 : "boot"
0x000000980000-0x00000c8c0000 : "ubi"
0x00000c8c0000-0x000020000000 : "data"
UBI: attaching mtd3 to ubi0
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: max. sequence number: 9995
UBI: attached mtd3 to ubi0
UBI: MTD device name: "ubi"
UBI: MTD device size: 191 MiB
UBI: number of good PEBs: 1529
UBI: number of bad PEBs: 1
UBI: number of corrupted PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 4
UBI: available PEBs: 402
UBI: total number of reserved PEBs: 1127
UBI: number of PEBs reserved for bad PEB handling: 15
UBI: max/mean erase counter: 10/7
UBI: image sequence number: 0
UBI: background thread "ubi_bgt0d" started, PID 228
Add UBI volume partitions: name=filesystem1
Add UBI volume partitions: name=gui
Creating 2 MTD partitions on "gui":
0x000000000000-0x00000001f000 : "gui_header"
mtd: partition "gui_header" is out of reach -- disabled
0x000000000000-0x000000000000 : "guifs"
mtd: partition "guifs" is out of reach -- disabled
Add UBI volume partitions: name=operational
Creating 3 MTD partitions on "operational":
0x000000000000-0x00000001f000 : "firm_header"
0x00000001f000-0x000000345000 : "kernel"
0x000000326000-0x00000156f000 : "rootfs"
Add UBI volume partitions: name=rescue
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
NET: Registered protocol family 24
i2c /dev entries driver
brcmboard: brcm_board_init entry
DYING GASP IRQ Initialized and Enabled
Serial: BCM63XX driver $Revision: 3.00 $
Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)
ttyS0 at MMIO 0xfffe8600 (irq = 64) is a BCM63XX
ttyS1 at MMIO 0xfffe8620 (irq = 65) is a BCM63XX
BPM: tot_mem_size=536870912B (512MB), buf_mem_size <8%> =42949672B (40MB), num o f buffers=16570, buf size=2592
Broadcom BPM Module Char Driver v0.1 Feb 4 2020 13:26:45 Registered<244>
Mirror/redirect action on
u32 classifier
input device check on
Actions configured
IPv4 over IPv4 tunneling driver
gre: GRE over IPv4 demultiplexor driver
ip_gre: GRE over IPv4 tunneling driver
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
Initializing MCPD Module
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
8021q: 802.1Q VLAN Support v1.8
VFS: Mounted root (squashfs filesystem) readonly on device 31:12.
Freeing init memory: 148K
kernel.hotplug = /sbin/mdev
- preinit -
- regular preinit -
- init -
mkdir: can't create directory '/opt/conf': No such file or directory
remove filesystem2
Mount filesystem1
UBIFS: recovery needed
UBIFS: recovery completed
UBIFS: mounted UBI device 0, volume 0, name "filesystem1"
UBIFS: file system size: 30347264 bytes (29636 KiB, 28 MiB, 239 LEBs)
UBIFS: journal size: 1523712 bytes (1488 KiB, 1 MiB, 12 LEBs)
UBIFS: media format: w4/r0 (latest is w4/r0)
UBIFS: default compressor: lzo
UBIFS: reserved for root: 1433376 bytes (1399 KiB)
filesystem2 linked on filesystem1
Switch root file system to unionfs
Mount smackfs ok !
Init smack configuration ok !
Legacy NVRAM does not use mfg_data
UBI: attaching mtd2 to ubi1
UBI: physical eraseblock size: 131072 bytes (128 KiB)
UBI: logical eraseblock size: 126976 bytes
UBI: smallest flash I/O unit: 2048
UBI: VID header offset: 2048 (aligned 2048)
UBI: data offset: 4096
UBI: max. sequence number: 17
UBI: attached mtd2 to ubi1
UBI: MTD device name: "boot"
UBI: MTD device size: 8 MiB
UBI: number of good PEBs: 70
UBI: number of bad PEBs: 0
UBI: number of corrupted PEBs: 0
UBI: max. allowed volumes: 128
UBI: wear-leveling threshold: 4096
UBI: number of internal volumes: 1
UBI: number of user volumes: 5
UBI: available PEBs: 27
UBI: total number of reserved PEBs: 43
UBI: number of PEBs reserved for bad PEB handling: 2
UBI: max/mean erase counter: 5/0
UBI: image sequence number: 0
UBI: background thread "ubi_bgt1d" started, PID 446
Add UBI volume partitions: name=secondaryboot
Add UBI volume partitions: name=uboot
Add UBI volume partitions: name=uboot-rescue
Add UBI volume partitions: name=permanent_param
Add UBI volume partitions: name=aes_key_operator
Tue Jan 1 00:00:00 UTC 2013
unionfs: new lower inode mtime (bindex=1, name=tmp)
pktflow: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
pktflow: Unknown symbol bcmxtmrt_update_hw_stats (err 0)
tm_base_addr 0xcd200000, size 46137344, tm_base_addr_phys 0x0d200000
mc_base_addr 0xcce00000, size 4194304, mc_base_addr_phys 0x0ce00000
RDP TM memory = 44MB : Max Possible Bufs <15974> of size <2560>; Allocating <15 360> bufs; RDP enum <5>
++++Runner gso_desc_pool created successfully
pktrunner: Unknown symbol fhw_bind_hw (err 0)
RDPA DS WAN UDP Filter Command Driver
[HAL-BSP]: get_board_data[65]: !!!!!!!!!!!!!!!!!!!!!!!!!!!! BSP data no board fo und. Will use the default board !!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Driver LED and BUTTON init .....
[HAL-BSP]: kSysButtonManaged[41]: WARNING -> Button name >= Max(9)
[HAL-BSP]: kSysButtonManaged[41]: WARNING -> Button name >= Max(9)
[HAL-BSP]: kSysButtonManaged[41]: WARNING -> Button name >= Max(9)
Driver LED and BUTTON ok .....
pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0.
LINK DOWN IMP Port
Runner Port#0 (Internal MUX Port#2) connects to Crossbar Port#1
Switch Port#3 (Internal MUX Port#0) connects to Crossbar Port#4
Unused MUX Internal Port#1 connects to Crossbar External Port#0
Cross Bar MUX Config : Internal Port 00 maps to External Port 04 <reg_val : 0x00 00000c>
Cross Bar MUX Config : Internal Port 01 maps to External Port 00 <reg_val : 0x00 000004>
Cross Bar MUX Config : Internal Port 02 maps to External Port 01 <reg_val : 0x00 000044>
Broadcom BCM63137B0 Ethernet Network Device v0.1 Feb 4 2020 13:05:06
dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered
++++ disabling GSO on logical_port=0 dev=eth0
eth0: <Int sw port: 0> <Logical : 00> PHY_ID <0x0007f00c : 0x0c> MAC : 00:00:00: 00:00:01
eth1: <Ext sw port: 0> <Logical : 08> PHY_ID <0x0007f008 : 0x08> MAC : 00:00:00: 00:00:01
eth2: <Ext sw port: 1> <Logical : 09> PHY_ID <0x0007f009 : 0x09> MAC : 00:00:00: 00:00:01
eth3: <Ext sw port: 2> <Logical : 10> PHY_ID <0x0007f00a : 0x0a> MAC : 00:00:00: 00:00:01
eth4: <Ext sw port: 3> <Logical : 11> PHY_ID <0x0007f00b : 0x0b> MAC : 00:00:00: 00:00:01
Ethernet Auto Power Down and Sleep: Enabled
Cross bar port 1 of Int switch port 0; Adv capability change : MII=0x01e1, GMII= 0x0f00
Ext switch port 0; Adv capability change : MII=0x01e1, GMII=0x0f00
Ext switch port 1; Adv capability change : MII=0x01e1, GMII=0x0f00
Ext switch port 2; Adv capability change : MII=0x01e1, GMII=0x0f00
Cross bar port 4 of Ext switch port 3; Adv capability change : MII=0x01e1, GMII= 0x0f00
All Port Bit Map: 0x0f01: eth0,eth1,eth2,eth3,eth4
Chip WAN Only Ports 0001, Defined WAN Only Ports 0000, WAN Only Port Result: 0x0001:eth0
Chip WAN Preffered Ports 0000, Defined WAN Preffered Ports 0000, WAN Preffere d Port Result: 0x0000:
Chip LAN Only Ports 0f00, Defined LAN Only Ports 0000, LAN Only Port Result: 0x0f00:eth1,eth2,eth3,eth4
WAN/LAN Both Capable Ports 0x0000:
Creating Enet CPU ring for queue number 1 with 512 packets,Descriptor base=ffdf0 000
Creating Enet CPU ring for queue number 0 with 512 packets,Descriptor base=ffde c000
===> Activate Deep Green Mode
bf37f56c bf37f56c
Starting firewall-utils: OK
Loading drivers and kernel modules...
insmod: can't insert '/lib/modules/3.4.11-rt19/bdmf.ko': File exists
insmod: can't insert '/lib/modules/3.4.11-rt19/rdpa_gpl.ko': File exists
insmod: can't insert '/lib/modules/3.4.11-rt19/rdpa.ko': File exists
insmod: can't insert '/lib/modules/3.4.11-rt19/rdpa_mw.ko': File exists
brcmchipinfo: brcm_chipinfo_init entry
bcmxtmrt: Broadcom BCM3137B0 ATM/PTM Network Device v0.9 Feb 4 2020 13:05:11
Creating CPU ring for queue number 5 with 256 packets descriptor=0xbf15879c
Done initializing Ring 5 Base=0xffdea000 End=0xffdeb000 calculated entries= 256 RDD Base=0x00c06000 descriptor=0xbf15879c
Creating CPU ring for queue number 6 with 256 packets descriptor=0xbf1587e8
Done initializing Ring 6 Base=0xffde8000 End=0xffde9000 calculated entries= 256 RDD Base=0x00c14000 descriptor=0xbf1587e8
NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache Char Driver v3.0 Feb 4 2020 13:02:19 Registered<242 >
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
[FHW] pktDbgLvl[0xbf500d64]=0
[FHW] fhw_construct:
Initialized Fcache HW accelerator layer state
flwStatsThread created
Constructed Broadcom Packet Flow Cache v3.0 Feb 4 2020 13:02:19
bcmxtmcfg: bcmxtmcfg_init entry
adsl: adsl_init entry
insmod: can't insert '/lib/modules/3.4.11-rt19/bcm_enet.ko': File exiInitialized Runner Host Layer
Initialized Runner Unicast Layer
Initialized Runner L2 Unicast Layer
Initialized Runner Multicast Layer
sts
Broadcom Packet Flow Cache HW acceleration enabled.
Enabled Runner binding to Flow Cache
Initialized Runner Protocol Layer (700)
Broadcom Runner Blog Driver Char Driver v0.1 Feb 4 2020 13:02:21 Registered <25 2>
Wifi Forwarding Driver is initialized!
PCIe[0] Card preinit Status = GOOD
DHD_FKB_POOL size is:1280 and entry size:2592
fkbpool address range: da800000 <-> dab2a000
DHD_PKTTAG POOL size is:1280 and entry size:64
dhd_module_init in
dhd_queue_budget = 256
dhd_sta_threshold = 2048
dhd_if_threshold = 65536
no wifi platform data, skip
PCIe[0] card status = INIT
PCIe[0] card status Set to BOOT1
PCI_PROBE: bus 1, slot 0,vendor 14E4, device 4365(good PCI location)
dhdpcie_init: can't find adapter info for this chip
PCI: enabling device 0000:01:00.0 (0140 -> 0142)
DHD: dongle ram size is set to 1835008(orig 1835008) at 0x200000
dhd:0: fw path:/etc/wlan/dhd nv path:(null)
Creating CPU ring for queue number 7 with 128 packets descriptor=0xbf158834
Done initializing Ring 7 Base=0xffdfe000 End=0xffdfe800 calculated entries= 128 RDD Base=0x00c13000 descriptor=0xbf158834
RDPA returned tx wakeup reg = <0x80299004>, val = <0x10000000>
RDPA returned rx wakeup reg = <0x8029a004>, val = <0x26000000>
dhd_runner_attach: Rx Offload - Enabled, Ring Size = 1024
dhd_attach: wl0: pre-allocated buffer mode is disabled (allocskbsz=0)
dhd_attach(): thread:dhd_watchdog_thread:2db started
dhd_deferred_work_init: work queue initialized
Creating CPU ring for queue number 0 with 1024 packets descriptor=0xbf658820
Creating CPU ring for queue number 1 with 1024 packets descriptor=0xbf65883c
wfd_bind: Dev wl%d wfd_idx 0 wl_radio_idx 0 Type fkb configured WFD thread wfd 0-thrd minQId/maxQId (8/9), status (0) qmask 0x3
Instantiating WFD 0 thread
dhd:0: fw path:/etc/wlan/dhd nv path:(null)
dhd_bus_download_firmware: firmware path=/etc/wlan/dhd, nvram path=
dhdpcie_ramsize_adj: Enter
dhdpcie_ramsize_adj: Adjust dongle RAMSIZE to 0x240000
dhdpcie_download_code_file: download firmware /etc/wlan/dhd/4366c0/rtecdc.bin
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl: ID=pci/0/1/0/
wl: ID=pci/0/1/0/
wl: loading /etc/wlan/bcm43664_map.bin
wl: updating srom from flash...
wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=19
wl: reading /etc/wlan/bcm43664_nvramvars.bin, file size=17
Replace or append with internal Mac Address
dhdpcie_bus_write_vars: Download, Upload and compare of NVRAM succeeded.
PCIe shared addr (0x002932ec) read took 51023 usec before dongle is ready
DMA RX offset from shared Area 0
dhdpcie_readshared: Dongle advertizes 2 size indices
dhdpcie_readshared: Host support DMAing indices: H2D:1 - D2H:1. FW supports it
H2D DMA WR INDX : array size 544 = 2 * 266
D2H DMA RD INDX : array size 32 = 2 * 3
D2H DMA WR INDX : array size 32 = 2 * 3
H2D DMA RD INDX : array size 544 = 2 * 266
ring_info_raw: 56
70 53 43 00 40 64 43 00 54 66 43 00 68 68 43 00
6e 68 43 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 0a 01 00 00
dhdpcie_readshared: max H2D queues 266
dhd_bus_start: Initializing 266 h2drings
dhd_runner_flowmgr_init: bootmem name<dhd0> addr<cc000000> size<14680064>
dhd_runner_profile_init: N+M profile = 3 01:1024 -1:2048 -1:1024 -1:0512 01:0512
dhd_runner_policy_init: N+M Policy = 0 1 (HW)
dhd_bus_cmn_writeshared:
0000: 00 90 53 1c 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 c2 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 c0 fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 c0 c1 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 80 c2 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 40 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 10 14 00
dhd_bus_cmn_writeshared:
0000: 00 88 fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 8c fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 80 fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 84 fa 1a 00 00 00 00
Attach flowrings pool for 264 rings
Runner DHD PCIE: vendor<0x14e4> device<0x4365> bus<1> slot<0>
Initial configuration
=================================
rx_post_flow_ring_base_addr : c0c20000
tx_post_flow_ring_base_addr : cbfc4000
rx_complete_flow_ring_base_addr : c0c28000
tx_complete_flow_ring_base_addr : c0c1c000
r2d_wr_arr_base_addr : ffde0000
d2r_rd_arr_base_addr : ffde0402
r2d_rd_arr_base_addr : ffde0c00
d2r_wr_arr_base_addr : ffde0802
tx_post_mgmt_arr_base_addr : ffde1000
tx_post_mgmt_arr_base_phys_addr : 1afa9000
r2d_wr_arr_base_phys_addr : 1afa8000
d2r_rd_arr_base_phys_addr : 1afa8402
r2d_rd_arr_base_phys_addr : 1afa8c00
d2r_wr_arr_base_phys_addr : 1afa8802
Doorbell ISR : bf679298
Doorbell CTX : dc492000
Runner DHD Offload initialization complete
dhd_rx_frame: net device is NOT registered. drop event packet
dhd_rx_frame: net device is NOT registered. drop event packet
CUR_ETHERADDR : 6
00 00 00 00 00 01
dhd_sync_with_dongle: GET_REVINFO device 0x43c5, vendor 0x14e4, chipnum 0xaa90
Dongle Host Driver, version 7.14.164.19.cpe4.16L05.1-kdb
wfd_registerdevice Successfully registered dev wl0 ifidx 0 wfd_idx 0
PCIe[0] card status Set to GOOD
PCIe[1] card status = INIT
PCIe[1] card status Set to BOOT1
PCI_PROBE: bus 1, slot 0,vendor 14E4, device AA52(good PCI location)
dhdpcie_init: can't find adapter info for this chip
PCI: enabling device 0001:01:00.0 (0140 -> 0142)
DHD: dongle ram size is set to 983040(orig 983040) at 0x180000
dhd:1: fw path:/etc/wlan/dhd nv path:(null)
Creating CPU ring for queue number 1 with 128 packets descriptor=0xbf15866c
CONSOLE: 000000.000 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 000000.000 initvars_cis_pci: Not CIS format
CONSOLE: 000000.000 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 000000.000 ipxotp_read_region: h/w region not programmed
CONSOLE: 000000.000 Neither SPROM nor OTP has valid image
CONSOLE: 000000.000 srom rev:0
CONSOLE: 000000.000 initvars_srom_pci, SROM CRC Error
CONSOLE: 000000.000 initvars_srom_pci, Using external nvram
CONSOLE: 000000.000 Setting clocks to 800/400/200
CONSOLE: 000000.000 si_set_bb_vcofreq_frac: only work on 4360, 4350
CONSOLE: 000000.000 Enabling D-cache
CONSOLE: 026738.568 gic_dist_init max_irq 64
CONSOLE: 026738.569 c_init: Watchdog reset bit set, clearing
CONSOLE: 026738.569
CONSOLE: RTE (PCIE-MSG_BUF) 10.10.122.309 (r673690) on BCM43664 r4 @ 40.0/200.0/ 800.0MHz
CONSOLE: 026738.569 nvram_init: called again without calling nvram_exit()
CONSOLE: 026738.570 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.570 initvars_cis_pci: Not CIS format
CONSOLE: 026738.570 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.570 ipxotp_read_region: h/w region not programmed
CONSOLE: 026738.570 Neither SPROM nor OTP has valid image
CONSOLE: 026738.570 srom rev:0
CONSOLE: 026738.570 initvars_srom_pci, SROM CRC Error
CONSOLE: 026738.570 initvars_srom_pci, Using external nvram
CONSOLE: 026738.570 allocating a max of 511 rxcplid buffers
CONSOLE: 026738.570 pciemsgbuf0: Broadcom PCIE MSGBUF driver
CONSOLE: 026738.570 nvram_init: called again without calling nvram_exit()
CONSOLE: 026738.570 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.570 initvars_cis_pci: Not CIS format
CONSOLE: 026738.571 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.571 ipxotp_read_region: h/w region not programmed
CONSOLE: 026738.571 Neither SPROM nor OTP has valid image
CONSOLE: 026738.571 srom rev:0
CONSOLE: 026738.571 initvars_srom_pci, SROM CRC Error
CONSOLE: 026738.571 initvars_srom_pci, Using external nvram
CONSOLE: 026738.571 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026738.572 reclaim section 0: Returned 216 bytes to the heap
CONSOLE: 026738.572 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.572 initvars_cis_pci: Not CIS format
CONSOLE: 026738.572 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.572 ipxotp_read_region: h/w region not programmed
CONSOLE: 026738.572 Neither SPROM nor OTP has valid image
CONSOLE: 026738.572 srom rev:0
CONSOLE: 026738.573 initvars_srom_pci, SROM CRC Error
CONSOLE: 026738.573 initvars_srom_pci, Using external nvram
CONSOLE: 026738.573 wlc_bmac_attach, deviceid 0x43c5 nbands 1
CONSOLE: 026738.581 ipxotp_init: mapping otpbase at 0x18007000 to 0x18007000
CONSOLE: 026738.581 wl0: wlc_bmac_attach: chiprev 4 corerev 65 cccap 0x58400009 maccap 0xf0018705 band 5G, phy_type 11 phy_rev 33
CONSOLE: 026738.581 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 026738.581 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 026738.583 wl0: wlc_stf_txcore_shmem_write: No clock
CONSOLE: 026738.583 wl0: wlc_ampdu_tx_set: AGG Mode = MAC+AQM txmaxpkts 512
CONSOLE: 026738.584 wl_eventq_dup_event: wl_eventq not initialized
CONSOLE: 026738.584 wl_eventq_dup_event: wl_eventq not initialized
CONSOLE: 026738.584 wl0: Broadcom BCM43664 802.11 Wireless Controller 10.10.122. 309 (r673690)
CONSOLE: 026738.584 SPLITRX_MODE_2 enabled : tcmsegsize 160
CONSOLE: 026738.584 TCAM: 512 used: 224 exceed:0
CONSOLE: 026738.585 reclaim section 1: Returned 179984 bytes to the heap
CONSOLE: 026738.585 ThreadX v5.6 initialized
CONSOLE:
CONSOLE: 026738.827 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026738.827 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Done initializing Ring 1 Base=0xffdf7000 End=0xffdf7800 calculated entries= 128 RDD Base=0x00c3d000 descriptor=0xbf15866c
RDPA returned tx wakeup reg = <0x80299004>, val = <0x11000000>
RDPA returned rx wakeup reg = <0x8029a004>, val = <0x27000000>
dhd_runner_attach: Rx Offload - Enabled, Ring Size = 1024
dhd_attach: wl1: pre-allocated buffer mode is disabled (allocskbsz=0)
dhd_attach(): thread:dhd_watchdog_thread:2e0 started
dhd_deferred_work_init: work queue initialized
Creating CPU ring for queue number 2 with 1024 packets descriptor=0xbf658858
Creating CPU ring for queue number 3 with 1024 packets descriptor=0xbf658874
wfd_bind: Dev wl%d wfd_idx 1 wl_radio_idx 1 Type fkb configured WFD thread wfd 1-thrd minQId/maxQId (10/11), status (0) qmask 0xc
Instantiating WFD 1 thread
dhd:1: fw path:/etc/wlan/dhd nv path:(null)
dhd_bus_download_firmware: firmware path=/etc/wlan/dhd, nvram path=
dhdpcie_ramsize_adj: Enter
dhdpcie_download_code_file: download firmware /etc/wlan/dhd/43602a1/rtecdc.bin
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl: ID=pci/1/1/0/
wl: ID=pci/1/1/0/
wl: loading /etc/wlan/bcm43602_map.bin
wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=19
wl: reading /etc/wlan/bcm43602_nvramvars.bin, file size=18
Replace or append with internal Mac Address
dhdpcie_bus_write_vars: Download, Upload and compare of NVRAM succeeded.
PCIe shared addr (0x001e58fc) read took 41023 usec before dongle is ready
DMA RX offset from shared Area 0
dhdpcie_readshared: Dongle advertizes 2 size indices
dhdpcie_readshared: Host support DMAing indices: H2D:1 - D2H:1. FW supports it
H2D DMA WR INDX : array size 288 = 2 * 134
D2H DMA RD INDX : array size 32 = 2 * 3
D2H DMA WR INDX : array size 32 = 2 * 3
H2D DMA RD INDX : array size 288 = 2 * 134
ring_info_raw: 56
fc a3 26 00 8c ac 26 00 98 ad 26 00 a4 ae 26 00
aa ae 26 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 86 00 00 00
dhdpcie_readshared: max H2D queues 134
dhd_bus_start: Initializing 134 h2drings
dhd_runner_flowmgr_init: bootmem name<dhd1> addr<cb800000> size<7340032>
dhd_runner_profile_init: N+M profile = 3 01:1024 -1:2048 -1:1024 -1:0512 01:0512
dhd_runner_policy_init: N+M Policy = 0 1 (HW)
dhd_bus_cmn_writeshared:
0000: 00 40 df 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 80 c4 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 64 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 40 c4 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 c5 00 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 00 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 10 14 00
dhd_bus_cmn_writeshared:
0000: 00 08 fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 0c fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 00 fa 1a 00 00 00 00
dhd_bus_cmn_writeshared:
0000: 00 04 fa 1a 00 00 00 00
Attach flowrings pool for 132 rings
Runner DHD PCIE: vendor<0x14e4> device<0xaa52> bus<1> slot<0>
Initial configuration
=================================
rx_post_flow_ring_base_addr : c0c48000
tx_post_flow_ring_base_addr : cb7c4000
rx_complete_flow_ring_base_addr : c0c50000
tx_complete_flow_ring_base_addr : c0c44000
r2d_wr_arr_base_addr : ffdc8000
d2r_rd_arr_base_addr : ffdc8402
r2d_rd_arr_base_addr : ffdc8c00
d2r_wr_arr_base_addr : ffdc8802
tx_post_mgmt_arr_base_addr : ffdc9000
tx_post_mgmt_arr_base_phys_addr : 1afa1000
r2d_wr_arr_base_phys_addr : 1afa0000
d2r_rd_arr_base_phys_addr : 1afa0402
r2d_rd_arr_base_phys_addr : 1afa0c00
d2r_wr_arr_base_phys_addr : 1afa0802
Doorbell ISR : bf679298
Doorbell CTX : db7b4a00
Runner DHD Offload initialization complete
CUR_ETHERADDR : 6
00 00 00 00 00 01
dhd_sync_with_dongle: GET_REVINFO device 0x43bb, vendor 0x14e4, chipnum 0xaa52
Dongle Host Driver, version 7.14.164.19.cpe4.16L05.1-kdb
wfd_registerdevice Successfully registered dev wl1 ifidx 0 wfd_idx 1
PCIe[1] card status Set to GOOD
Broadcom PCI Device 0x6313 has allocated with driver pcieport
Broadcom PCI Device 0x6313 has allocated with driver pcieport
dhd_module_init out
PCIe[0] Card postinit Staus = GOOD
insmod: can't insert '/lib/modules/3.4.11-rt19/bcmvlan.ko': File exists
insmod: can't insert '/lib/modules/3.4.11-rt19/pwrmngtd.ko': File exists
insmod: can't insert '/lib/modules/3.4.11-rt19/rdpa_cmd.ko': File exists
Bad rebount count =1
CONSOLE: hndarm_armr addr: 0x18002000, cr4_idx: 0
CONSOLE: 000000.001
Check resCONSOLE: RTE (PCIE-MSG_BUF) 7.73.8 (r671878) on BCM43602 r1 @ 40.0/160. 0/160.0MHz
CONSOLE: 000000.002 allocating a max of 511 rxcplid buffers
CONSOLE: 000000.003 pciemsgbuf0: Broadcom PCIE MSGBUF driver
CONSOLE: 000000.005 reclaim section 0: Returned 48284 bytes to the heap
CONSOLE: 000000.033 wl1: Broadcom BCM43602 802.11 Wireless Controller 7.73.8 (r6 71878)
CONSOLE: 000000.033 TCAM: 256 used: 225 exceed:0
CONSOLE: 000000.034 reclaim section 1: Returned 142124 bytes to the heap
CONSOLE:
tore default by button
POLARITY = Low
BUT_STATE = 1
Check restore default by flags
/etc/rc.common: /etc/gui-core.conf: line 9: v1.10.1: not found
find: /usr/share/gui-*/www/gui/version.txt: No such file or directory
Invalid RSA or empty external GUI image
'checkfirmware' unavailable, not checking image
/etc/rc.common: line 78: btrmcfg: not found
Run swmdk
Ethernet Auto Power Down and Sleep: Enabled
Starting halwifid: OK
Run hg6d
br_netlink_mcpd.c: Setting registration type 0 pid to 887
CONSOLE: 026751.352 wl0: wl_open
CONSOLE: 026751.356 reclaim section ucodes: Returned 105376 bytes to the heap
CONSOLE: 026751.356 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026751.371 wl0: CORE INIT : nfifo 32 mu_tx_enab 0
CONSOLE: 026751.372 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026751.388 reclaim section postattach: Returned 103120 bytes to the hea p
CONSOLE: 026751.389 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026751.389 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 000011.772 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 000012.366 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026752.162 wl0: wl_open
CONSOLE: 026752.163 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026752.178 wl0: CORE INIT : nfifo 32 mu_tx_enab 0
CONSOLE: 026752.179 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026752.191 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026752.191 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
bcmxtmcfg: ChipId Rev-b0
bcmxtmcfg: DS xDSL G.inp Mode = DISABLED
bcmxtmcfg: xDSL G.Fast Mode = DISABLED
bcmxtmrt: PTM/ATM Non-Bonding Mode configured in system
bcmxtmcfg: Out of sequence call to XTM_ASM_HANDLER::Uninitialize(). Recovering.
bcmxtmcfg: ATM Bonding configured in system. Fallback mode = Enabled
bcmxtmcfg: Bonding State is DATA_IDLE
bcmxtmcfg: SID MODE SET to 12 BIT MODE
bcmxtmcfg: ATM Bonding Mgmt Log Area = dafef518
*** dslThread dslPid=1006
BcmAdsl_Initialize=0xBF521028, g_pFnNotifyCallback=0xBF55B484
AdslCoreSetSDRAMBaseAddr: pAddr=0x0FE00000 sdramPageAddr=0xCFE00000
BcmAdslCoreCalibrate: (cnt1-cnt)=0x03925fde, adslCoreCyclesPerMs=998740, BCMOS_M SEC_PER_TICK =1
DYING GASP IRQ Disabled
DYING GASP IRQ Enabled
AdslCoreLoadImage: Gfast PHY
AdslCoreSetSdramImageAddr: lmem2=0x10010000, pgSize=0x0 sdramSize=0xAB6AC
AdslCoreSetSdramImageAddr: lmem2(0x10000) vs ADSL_PHY_SDRAM_BIAS(0x10000); origA ddr=0xCFE10000 newAddr=0xCFE10000
pSdramPHY=0xCFFFFFF8, 0x10000020 0x2000
AdslCoreSetSdramImageAddr: sdramPageAddr=0xcfe00000, sdramImageAddr=0xcfe10000, sdramPhyImageAddr=0x10010000
*** AdslCoreSetXfaceOffset: data[0]=0xFFF7406F data[1]=0x8BF90 ***
*** XfaceOffset: 0x6FF90 => 0x8BF90 ***
*** AdslCoreSetSdramTrueSize: data[0]=0x1799ECFF data[1]=0xE8661300 ***
*** AdslCoreSetSdramTrueSize: data[0]=0xFFEC9917 data[1]=0x1366E8 ***
*** PhySdramSize got adjusted: 0xAB6AC => 0x1366E8 ***
AdslCoreSharedMemInit: shareMemSize=760048(760048)
__AdslCoreHwReset: pAdslX=0xfc78bf90
__AdslCoreHwReset: pAdslX->sdramBaseAddr=0x0000e1af, pAdslX->gfcTable[]=0x0000e1 cf, adslCorePhyDesc.sdramImageAddr=0xcfe10000
AdslCoreHwReset: pLocSbSta=da7c0000 bkupThreshold=3072
AdslCoreHwReset: AdslOemDataAddr = 0xCFEB1050, time=12 ms
VersionInfo: AfH042p1.d26m
***BcmDiagsMgrRegisterClient: 0 ***
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
BcmAdslCoreDiagCmd: Executing dbgcmd=48 1 0
CONSOLE: 000014.266 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026753.945 wl0: wl_open
CONSOLE: 026753.946 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026753.962 wl0: CORE INIT : nfifo 32 mu_tx_enab 0
CONSOLE: 026753.962 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026753.975 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026753.975 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
Saving OEM data from 0xCFEB1050
DYING GASP IRQ Disabled
DYING GASP IRQ Enabled
DYING GASP IRQ Disabled
DYING GASP IRQ Enabled
AdslCoreLoadImage: Non-Gfast PHY
AdslCoreSetSdramImageAddr: lmem2=0x10010000, pgSize=0x0 sdramSize=0x11F5C8
AdslCoreSetSdramImageAddr: lmem2(0x10000) vs ADSL_PHY_SDRAM_BIAS(0x10000); origA ddr=0xCFE10000 newAddr=0xCFE10000
pSdramPHY=0xCFFFFFF8, 0x9E7 0xDEADBEEF
AdslCoreSetSdramImageAddr: sdramPageAddr=0xcfe00000, sdramImageAddr=0xcfe10000, sdramPhyImageAddr=0x10010000
*** AdslCoreSetXfaceOffset: data[0]=0xFFF9006F data[1]=0x6FF90 ***
*** XfaceOffset: 0x8BF90 => 0x6FF90 ***
*** AdslCoreSetSdramTrueSize: data[0]=0xC74DE7FF data[1]=0x38B21800 ***
*** AdslCoreSetSdramTrueSize: data[0]=0xFFE74DC7 data[1]=0x18B238 ***
*** PhySdramSize got adjusted: 0x11F5C8 => 0x18B238 ***
AdslCoreSharedMemInit: shareMemSize=413088(413088)
__AdslCoreHwReset: pAdslX=0xfc76ff90
__AdslCoreHwReset: pAdslX->sdramBaseAddr=0x0000e1af, pAdslX->gfcTable[]=0x0000e1 cf, adslCorePhyDesc.sdramImageAddr=0xcfe10000
AdslCoreHwReset: pLocSbSta=da7c0000 bkupThreshold=3072
AdslCoreHwReset: AdslOemDataAddr = 0xCFF0F83C, time=10 ms
VersionInfo: A2pvbH042p.d26m
CONSOLE: 026756.301 flow_create : bitmap_size=512 maxitems=512
CONSOLE: 026756.498 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026756.694 wl0: wl_open
dhd_wmf_igs_broadcast: WMF: send failure
IGMP Query send failed
CONSOLE: 026756.746 wl0: wlc_ampdu_tx_set: AGG Mode = MAC+AQM txmaxpkts 512
CONSOLE: 026756.763 wl0: wl_open
CONSOLE: 026756.927 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026756.963 wlc_ucode_download: wl0: Loading MU ucode
CONSOLE: 026756.979 wl0: CORE INIT : nfifo 32 mu_tx_enab 1
CONSOLE: 026756.979 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026756.992 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026757.372 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 026757.376 wl0: link up (wl0)
CONSOLE: 026757.376 wl0: link up (wl0)
dhd_wmf_igs_broadcast: WMF: send failure
IGMP Query send failed
CONSOLE: 000018.276 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026758.373 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026758.388 wl0: CORE INIT : nfifo 32 mu_tx_enab 0
CONSOLE: 026758.389 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026758.407 pciedev_send_ltr:Giving up:0x302
CONSOLE: 026758.407 wl0: link up (wl0)
CONSOLE: 000018.993 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 000019.035 wl1: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026758.912 flow_create : bitmap_size=512 maxitems=512
CONSOLE: 026759.128 wl0: wl_open
CONSOLE: 026759.129 wlc_ucode_download: wl0: Loading MU ucode
CONSOLE: 026759.145 wl0: CORE INIT : nfifo 32 mu_tx_enab 1
CONSOLE: 026759.145 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026759.158 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026759.159 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 026759.197 wl0: wlc_ampdu_tx_set: AGG Mode = MAC+AQM txmaxpkts 512
CONSOLE: 026759.214 wl0: wl_open
CONSOLE: 026759.215 wlc_ucode_download: wl0: Loading MU ucode
CONSOLE: 026759.231 wl0: CORE INIT : nfifo 32 mu_tx_enab 1
CONSOLE: 026759.232 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026759.244 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
CONSOLE: 026759.244 enable 1: q0 frmcnt 0, wrdcnt 0, q1 frmcnt 0, wrdcnt 0
CONSOLE: 026759.831 wl0: link up (wl0)
CONSOLE: 026760.245 wlc_ucode_download: wl0: Loading non-MU ucode
CONSOLE: 026760.260 wl0: CORE INIT : nfifo 32 mu_tx_enab 0
CONSOLE: 026760.261 wl0: CORE INIT : mode 2 pktclassify 1 rxsplit 0 hdr conve 0 DMA_CT Enabled
CONSOLE: 026760.278 pciedev_send_ltr:Giving up:0x302
CONSOLE: 026760.278 wl0: link up (wl0)
CONSOLE: 026760.353 bcm_pack_xtlv_entry: no space tlv_buf: requested:28, availab le:16
CONSOLE: 026781.245 wlc_mimops_action_ht_complete(): no ACK received!
I recommend using Kali Linux to extract the data as all the tools needed are already installed. I used a Virtual Box instance of Kali.
1. Create a directory to store the raw NAND dump etc.
mkdir /home/kali/Desktop/dump/
2. Go to the directory
cd /home/kali/Desktop/dump/
3. Create a virtual NAND device. You must read the datasheet to get the id bytes. The MX30LF4G18AC id's can be found on page 33 of the datasheet. Byte0 is first_id_byte, Byte1 is second_id_byte and so on. bch is ECC level requirement and can be found on page 34 of the datasheet.
sudo modprobe nandsim bch=4 first_id_byte=0xC2 second_id_byte=0xDC third_id_byte=0x90 fourth_id_byte=0x95
4. Load the MTD and UBI kernel modules. By looking at the UART dump you can see that the NAND is formatted using UBI, you can also find this by looking at the raw image with a HEX editor and seeing the ubi# and ubi! tags.
sudo modprobe mtd
sudo modprobe ubi
5. Write the raw NAND image to the virtual NAND device using -o to tell it that oob data is present and -N not to skip bad blocks.
sudo nandwrite -o -N /dev/mtd0 MX30LF4G18AC@BGA63_2728.BIN
6. Extract the different partitions as defined the UART dump. --omitoob removes OOB data.
sudo nanddump --omitoob --bb=dumpbad -s 0 -l 131072 -f nvram.bin /dev/mtd0
sudo nanddump --omitoob --bb=dumpbad -s 131072 -l 655360 -f cfe.bin /dev/mtd0
sudo nanddump --omitoob --bb=dumpbad -s 786432 -l 9175040 -f boot.bin /dev/mtd0
sudo nanddump --omitoob --bb=dumpbad -s 9961472 -l 200540160 -f ubi.bin /dev/mtd0
sudo nanddump --omitoob --bb=dumpbad -s 210501632 -l 326369280 -f data.bin /dev/mtd0
7. Restart computer or VM as its easier and more reliable than erasing the virtual device, pluss I'm allergic to typing.
8. Create a place to mount filesystem1. By looking at the UART dump we can see that the ubi partition contains an Unsorted Block Image File System (UBIFS) with a volume name of filesystem1.
sudo mkdir /mnt/filesystem1
cd /home/kali/Desktop/dump/
9. Create a virtual NAND device as before.
sudo modprobe nandsim bch=4 first_id_byte=0xC2 second_id_byte=0xDC third_id_byte=0x90 fourth_id_byte=0x95
sudo modprobe mtd
sudo modprobe ubi
10. Write the ubi.bin image to the virtual NAND.
sudo nandwrite -N /dev/mtd0 ubi.bin
11. Attach MTD to UBI. The 2048 offset is referenced in the UART dump. I'm unsure what this actually is but it is also the block size referenced in the datasheet.
sudo ubiattach --mtdn=0 --vid-hdr-offset=2048
12. Mount the UBI device.
sudo mount -t ubifs ubi0_0 /mnt/filesystem1
13. Go to /dev/filesystem1 to view the files.
14. There are other UBI paritions present but need carving up as they contain none UBIFS data. You can see the ubi partitions (ubi0_0 - ubi0_5) by going to the dev folder in Kali.
sudo ubireader_extract_images /dev/mtd0
sudo chown kali: ubifs-root
15. A folder named ubifs-root will have been created with the extracted partitions inside. Rename the files something meaningful and move them to the working directory and delete the empty folder.
rm -r ubifs-root
16. If we look at the UART dump we can see that the carved files need carving up once again.
dd if=operational.bin of=firm_header.bin bs=1 count=126976 skip=0
dd if=operational.bin of=kernel.bin bs=1 count=3428352 skip=126976
dd if=operational.bin of=rootfs.sqfs bs=1 count=22474752 skip=3301376
17. rootfs.sqfs can either be mounted or opened with 7zip.
18. Carve up the boot image, rename the extracted files if needed.
sudo ubireader_extract_images boot.bin
Further reading:-
- https://github.com/SySS-Research/nand-dump-tools
- https://github.com/Hitsxx/NandTool
- http://www.linux-mtd.infradead.org/faq/ubi.html
- https://www.coresecurity.com/core-labs/articles/next-generation-ubi-and-ubifs
- https://github.com/nlitsme/ubidump
- https://github.com/jrspruitt/ubi_reader
- https://github.com/Rodney-O-C-Melby/JTTS2-UBI-FILESYSTEM-REVERSE-ENGINEERING
- http://souktha.github.io/misc/squashfs-ubi/
- https://www.j-michel.org/blog/2014/05/27/from-nand-chip-to-files