
Flash Hints DIR825C1

Sean Bruno edited this page May 22, 2014 · 1 revision

Example of how to derive the needed kernel hints for flash offsets

This requires direct access to the router in question. I recommend attaching a serial console through a TTL-level (3.3V) serial adapter; do not connect an adapter that drives real RS-232 voltages to the board's UART pins. You'll need to identify the serial port pins and do some soldering to get a functional serial console on this one. The serial pin layout is in the netbooting guide, which gets you to the point where we can snoop and inspect the flash.

Details

  • Capture a copy of the MTD partition table (the mtdparts= argument) from u-boot's boot-up sequence. This is what u-boot advertises to the Linux/BSD kernel on boot-up. Note that u-boot prints two versions: "bootargs 0" is its compiled-in default and "bootargs @..." is what it actually hands to the kernel; only the second one describes this flash.

    Booting image at 9f020000 ...

     Image Name:   Linux Kernel Image
     Created:      2012-01-19   9:23:35 UTC
     Image Type:   MIPS Linux Kernel Image (lzma compressed)
     Data Size:    1250437 Bytes =  1.2 MB
     Load Address: 80002000
     Entry Point:  80298c70
     Verifying Checksum at 0x9f020040 ...OK
     Uncompressing Kernel Image ... OK
    

    No initrd

    Transferring control to Linux (at address 80298c70) ...

    bootargs 0: console=ttyS0,115200 root=31:03 rootfstype=squashfs,jffs2 init=/sbin/init mtdparts=ath-nor0:128k(u-boot),64k(nvram),1536k(linux),6144k(rootfs),192k(LANG),64k(MAC),64k(ART)...

    bootargs @A7F87FB0: console=ttyS0,115200 root=31:03 rootfstype=squashfs,jffs2 init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(nvram),15936k(linux),14656k@0x00160000(rootfs),192k(LANG),64k(MAC),64k(ART)...

    Giving linux memsize in bytes, 134217728

  • Capture a copy of the MTD parts as the vendor firmware (Linux) reports them. This is what the vendor firmware does with the flash device. It can differ from what u-boot printed, so make sure to note the differences (here the "linux" entry spans both kernel and rootfs, and "rootfs" is placed inside it at 0x00160000).

    Starting kernel ...

    Booting Atheros AR934x
    Linux version 2.6.31--LSDK-9.2.0.312 ([email protected]) (gcc version 4.3.3 (GCC) ) #1 Thu Jan 19 16:28:27 CST 2012
    flash_size passed from bootloader = 16
    arg 1: console=ttyS0,115200
    arg 2: root=31:03
    arg 3: rootfstype=squashfs,jffs2
    arg 4: init=/sbin/init
    arg 5: mtdparts=ath-nor0:64k(u-boot),64k(nvram),15936k(linux),14656k@0x00160000(rootfs),192k(LANG),64k(MAC),64k(ART)
    arg 6: mem=128M
    CPU revision is: 0001974c (MIPS 74Kc)
    ath_sys_frequency: cpu srif ddr srif
    cpu 560 ddr 480 ahb 240
    Determined physical RAM map:
     memory: 02000000 @ 00000000 (usable)
    User-defined physical RAM map:
     memory: 08000000 @ 00000000 (usable)
    Initrd not found or empty - disabling initrd
    Zone PFN ranges:
      Normal   0x00000000 -> 0x00008000
    Movable zone start PFN for each node
    early_node_map[1] active PFN ranges
        0: 0x00000000 -> 0x00008000
    Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
    Kernel command line: console=ttyS0,115200 root=31:03 rootfstype=squashfs,jffs2 init=/sbin/init mtdparts=ath-nor0:64k(u-boot),64k(nvram),15936k(linux),14656k@0x00160000(rootfs),192k(LANG),64k(MAC),64k(ART) mem=128M
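The mtdparts strings above are the whole input to the offset arithmetic in the rest of this page. As an added example (this is not code from the page or from freebsd-wifi-build), the Python below turns such a string into absolute start/end offsets, flags entries whose ranges overlap (the vendor's "linux" entry against its "rootfs"), and prints fixed-offset hint.map lines in the form used on this page. The 16 MiB flash size is taken from the "flash_size passed from bootloader = 16" line, and the two strings are copied from the boot log; everything else is assumed.

```python
"""Turn a Linux mtdparts= string, as printed by u-boot or the vendor kernel,
into absolute flash offsets, the numbers the hint.map.* entries need.

Added example; not code from this page or from freebsd-wifi-build.  The two
strings below are copied from the DIR825C1 boot log above, and the 16 MiB
flash size is the "flash_size passed from bootloader = 16" line.
"""
import re

# mtdparts grammar (Linux cmdlinepart):
#   mtdparts=<mtd-id>:<size>[@<offset>](<name>)[ro],<size>[@<offset>](<name>)...
# <size> is decimal or 0x-hex with an optional k/m/g suffix, or "-" for "the rest".
_PART_RE = re.compile(
    r"^(?P<size>-|0x[0-9a-fA-F]+[kKmMgG]?|\d+[kKmMgG]?)"
    r"(?:@(?P<off>0x[0-9a-fA-F]+|\d+))?"
    r"\((?P<name>[^)]*)\)(?P<ro>ro)?$")

FLASH_SIZE = 16 * 1024 * 1024

# u-boot's compiled-in default ("bootargs 0") and the string it actually handed
# to the kernel ("bootargs @A7F87FB0"); only the second one describes this flash.
DEFAULT_ARGS = ("mtdparts=ath-nor0:128k(u-boot),64k(nvram),1536k(linux),"
                "6144k(rootfs),192k(LANG),64k(MAC),64k(ART)")
REAL_ARGS = ("mtdparts=ath-nor0:64k(u-boot),64k(nvram),15936k(linux),"
             "14656k@0x00160000(rootfs),192k(LANG),64k(MAC),64k(ART)")


def _num(tok):
    """Decimal or 0x-hex number with an optional k/m/g suffix, in bytes."""
    mult = 1
    if tok[-1] in "kKmMgG":
        mult = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[tok[-1].lower()]
        tok = tok[:-1]
    return (int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)) * mult


def parse_mtdparts(spec, flash_size=FLASH_SIZE):
    """List of {name, start, end, ro} with absolute byte offsets.  A partition
    without @offset starts where the previous one ended; an explicit @offset
    moves the cursor, so later entries follow *that* partition."""
    if spec.startswith("mtdparts="):
        spec = spec[len("mtdparts="):]
    _mtd_id, _, body = spec.partition(":")
    parts, cursor = [], 0
    for tok in body.split(","):
        m = _PART_RE.match(tok.strip())
        if m is None:
            raise ValueError("bad mtdparts entry: %r" % tok)
        start = _num(m["off"]) if m["off"] else cursor
        size = flash_size - start if m["size"] == "-" else _num(m["size"])
        if start + size > flash_size:
            raise ValueError("%s runs past the end of flash" % m["name"])
        parts.append({"name": m["name"], "start": start, "end": start + size,
                      "ro": m["ro"] is not None})
        cursor = start + size
    return parts


def layout(spec, flash_size=FLASH_SIZE):
    """name -> (start, end) for quick lookups."""
    return {p["name"]: (p["start"], p["end"]) for p in parse_mtdparts(spec, flash_size)}


def overlaps(parts):
    """Pairs of entries whose ranges intersect, e.g. the vendor's 'linux'
    partition, which spans kernel and rootfs, against 'rootfs' itself."""
    found = []
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            if a["start"] < b["end"] and b["start"] < a["end"]:
                found.append((a["name"], b["name"]))
    return found


def hints(parts, device="flash/spi0"):
    """geom_map hint lines in the form used on this page (all read-only;
    fixed offsets only, the search: form is something you add by hand)."""
    lines = []
    for i, p in enumerate(parts):
        lines.append("# %dKiB %s" % ((p["end"] - p["start"]) // 1024, p["name"]))
        lines.append('hint.map.%d.at="%s"' % (i, device))
        lines.append("hint.map.%d.start=0x%08x" % (i, p["start"]))
        lines.append("hint.map.%d.end=0x%08x" % (i, p["end"]))
        lines.append('hint.map.%d.name="%s"' % (i, p["name"]))
        lines.append("hint.map.%d.readonly=1" % i)
    return "\n".join(lines)


if __name__ == "__main__":
    for spec in (DEFAULT_ARGS, REAL_ARGS):
        parts = parse_mtdparts(spec)
        for p in parts:
            print("%-8s 0x%08x-0x%08x %6d KiB" % (p["name"], p["start"], p["end"],
                                                   (p["end"] - p["start"]) // 1024))
        print("overlapping:", overlaps(parts) or "none")
        print()
    print(hints(parse_mtdparts(REAL_ARGS)))
```

Run it and the "bootargs 0" layout comes out as an 8 MiB map ending at 0x00800000, while the real one ends at 0x01000000 with "linux" 0x00020000-0x00fb0000 containing "rootfs" 0x00160000-0x00fb0000; that containment is exactly why the kernel hint below cannot simply copy the vendor's "linux" end.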

  • Copy the flash off the device with dd | nc.

  • Set up the router so that it is connected to your test/tftp server, and give the server the address 192.168.0.107/24. This will make netbooting and other things much simpler later.

  • Set the router's IP to 192.168.0.1/24.

  • If your vendor firmware has dd and nc installed and is running a Linux 2.6 variant, you're in luck. Start the listener on your server first, redirecting into a file:

    nc -l 10000 > flash.bin

  • then on the router:

    dd if=/dev/mtdr0 bs=64k | nc 192.168.0.107 10000

  • Check /proc/mtd before trusting that command. The vendor kernel creates one /dev/mtdN (and a read-only /dev/mtdrN) per mtdparts entry, so /dev/mtdr0 is only the first entry, the 64k u-boot partition here, unless the vendor also defined a whole-flash entry. If there is no whole-flash device, dump each /dev/mtdrN separately and reassemble them at the offsets from the mtdparts string (remember that "linux" and "rootfs" overlap on this device).

  • If you don't have these tools at your disposal, generate a netboot image and boot the router into FreeBSD. Assign the router's IP to 192.168.0.1/24:

    /sbin/ifconfig arge0 192.168.0.1/24

  • Start a nc instance on your server:

    nc -l 10000 > flash.bin

  • nc the flash image off the device (/dev/flash/spi0 is the whole SPI flash):

    dd if=/dev/flash/spi0 bs=64k | nc 192.168.0.107 10000

  • Before going further, compare the size of flash.bin with the flash size the bootloader reported (16 MiB here). A short file means the transfer was cut off and every offset you derive from it will be suspect.

  • use hexdump to check uboot mtdpart offsets.

  • hexdump -C flash.bin | more

  • We are interested in the contents of the flash at the offsets specified in the MTD information gleaned earlier. Specifically, does the uboot/uboot-env end at 64k chunks? Is the ART (wireless calibration data) in the last 64k of the flash? Can I overwrite the "lang" part for user cfg data? Where does the kernel end and rootfs begin?

  • Use some simple math to figure out where to look.

  • uboot begins at 0x00000000 and ends at 0x00010000 because the MTD part was 64k:

    00000000 10 00 00 ff 00 00 00 00 10 00 00 fd 00 00 00 00 |................|
    00000010 10 00 02 0e 00 00 00 00 10 00 02 0c 00 00 00 00 |................|
    00000020 10 00 02 0a 00 00 00 00 10 00 02 08 00 00 00 00 |................|
    00000030 10 00 02 06 00 00 00 00 10 00 02 04 00 00 00 00 |................|
    00000040 10 00 02 02 00 00 00 00 10 00 02 00 00 00 00 00 |................|
    00000050 10 00 01 fe 00 00 00 00 10 00 01 fc 00 00 00 00 |................|
    00000060 10 00 01 fa 00 00 00 00 10 00 01 f8 00 00 00 00 |................|
    00000070 10 00 01 f6 00 00 00 00 10 00 01 f4 00 00 00 00 |................|
    00000080 10 00 01 f2 00 00 00 00 10 00 01 f0 00 00 00 00 |................|
    ---- snip ----
    0000ef60 e6 68 67 d7 1f b0 3f 1e 56 6a 75 7d 83 81 ab 2c |.hg...?.Vju}...,|
    0000ef70 32 61 df 69 d2 ca dc 8c ee 3a e0 69 b0 ac ef 6f |2a.i.....:.i...o|
    0000ef80 e2 cb 89 93 b9 e2 22 b9 63 b1 12 67 90 86 6c e1 |......".c..g..l.|
    0000ef90 08 2d 1d d6 a4 58 da 14 51 55 56 2b bc c7 97 30 |.-...X..QUV+...0|
    0000efa0 98 76 97 ca 13 f8 65 a0 c3 eb 11 49 53 61 84 89 |.v....e....ISa..|
    0000efb0 3b 98 9e 87 8d 44 42 31 32 30 41 52 39 33 34 34 |;....DB120AR9344|
    0000efc0 2d 52 54 2d 31 30 31 32 31 34 2d 30 30 ff ff ff |-RT-101214-00...|
    0000efd0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00010000 48 53 4c 46 00 00 8b fc 00 00 01 15 7f ab 31 a0 |HSLF..........1.|
    00010010 7f ab 2c d8 64 68 63 70 64 5f 72 65 73 65 72 76 |..,.dhcpd_reserv|
    00010020 65 5f 31 38 3d 00 73 63 68 65 64 75 6c 65 5f 72 |e_18=.schedule_r|
    00010030 75 6c 65 5f 33 31 3d 00 69 6e 62 6f 75 6e 64 5f |ule_31=.inbound_|
    00010040 66 69 6c 74 65 72 5f 69 70 5f 31 34 5f 41 3d 00 |filter_ip_14_A=.|
    00010050 66 69 72 65 77 61 6c 6c 5f 72 75 6c 65 5f 32 39 |firewall_rule_29|

  • Notice the empty (erased, 0xff) data from 0x0000efd0 to 0x00010000. hexdump collapses repeated identical lines and marks them with "*", which is how you spot these gaps quickly.

  • this will translate into the following code in the kernel config hints file, e.g.

    # 64KiB u-boot
    hint.map.0.at="flash/spi0"
    hint.map.0.start=0x00000000
    hint.map.0.end=0x00010000
    hint.map.0.name="u-boot"
    hint.map.0.readonly=1

  • Now we see plaintext, the u-boot/vendor configuration (the mtdparts string calls this partition "nvram"), starting at 0x00010000 and stretching all the way to 0x00020000, another 64k as the MTD part specified:

    0000efd0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00010000 48 53 4c 46 00 00 8b fc 00 00 01 15 7f ab 31 a0 |HSLF..........1.|
    00010010 7f ab 2c d8 64 68 63 70 64 5f 72 65 73 65 72 76 |..,.dhcpd_reserv|
    00010020 65 5f 31 38 3d 00 73 63 68 65 64 75 6c 65 5f 72 |e_18=.schedule_r|
    00010030 75 6c 65 5f 33 31 3d 00 69 6e 62 6f 75 6e 64 5f |ule_31=.inbound_|
    00010040 66 69 6c 74 65 72 5f 69 70 5f 31 34 5f 41 3d 00 |filter_ip_14_A=.|
    00010050 66 69 72 65 77 61 6c 6c 5f 72 75 6c 65 5f 32 39 |firewall_rule_29|
    00010060 3d 00 66 69 72 65 77 61 6c 6c 5f 72 75 6c 65 5f |=.firewall_rule_|
    00010070 31 36 36 3d 00 77 6c 61 6e 30 5f 76 61 70 31 5f |166=.wlan0_vap1_|
    00010080 65 61 70 5f 72 61 64 69 75 73 5f 73 65 72 76 65 |eap_radius_serve|
    00010090 72 5f 31 3d 30 2e 30 2e 30 2e 30 2f 31 38 31 32 |r_1=0.0.0.0/1812|
    000100a0 2f 00 64 68 63 70 64 5f 72 65 73 65 72 76 65 5f |/.dhcpd_reserve_|
    000100b0 31 39 3d 00 77 61 6e 5f 6c 32 74 70 5f 73 65 72 |19=.wan_l2tp_ser|
    000100c0 76 65 72 5f 69 70 3d 00 69 6e 62 6f 75 6e 64 5f |ver_ip=.inbound_|
    000100d0 66 69 6c 74 65 72 5f 69 70 5f 31 34 5f 42 3d 00 |filter_ip_14_B=.|
    ---- snip ----
    00018bc0 00 77 6c 61 6e 31 5f 72 74 73 5f 74 68 72 65 73 |.wlan1_rts_thres|
    00018bd0 68 6f 6c 64 3d 32 33 34 37 00 69 70 76 36 5f 67 |hold=2347.ipv6_g|
    00018be0 75 65 73 74 5f 64 68 63 70 64 5f 73 74 61 72 74 |uest_dhcpd_start|
    00018bf0 3d 3a 3a 30 30 30 31 00 00 00 00 00 ff ff ff ff |=::0001.........|
    00018c00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00020000 27 05 19 56 9b 5b 91 b1 4f 17 e1 17 00 13 14 85 |'..V.[..O.......|
    00020010 80 00 20 00 80 29 8c 70 8d 42 22 8f 05 05 02 03 |.. ..).p.B".....|
    00020020 4c 69 6e 75 78 20 4b 65 72 6e 65 6c 20 49 6d 61 |Linux Kernel Ima|
    00020030 67 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |ge..............|
    00020040 5d 00 00 80 00 00 e2 37 00 00 00 00 00 00 00 6f |]......7.......o|

  • Again, note that there is a little empty space from 0x00018c00 to 0x00020000.

  • this will translate into the following code in the kernel config hints file, e.g.

    # 64KiB u-boot-env
    hint.map.1.at="flash/spi0"
    hint.map.1.start=0x00010000
    hint.map.1.end=0x00020000
    hint.map.1.name="u-boot-env"
    hint.map.1.readonly=1

  • Now the real kernel boot image starts to appear: the bytes 27 05 19 56 at 0x00020000 are the u-boot uImage magic, and the "Linux Kernel Image" name field that follows is a dead giveaway that we are at the right place. This is the start of our kernel. We need to figure out how much absolute space we have from here on and make sure we don't overwrite something useful.

  • Scroll through this large chunk of flash, making sure there are no breaks or other weirdness that would indicate partial images or jumping around in flash. The DLink DIR825C1 does not do this, and everything is contiguous to the end of the kernel area:

    00018c00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00020000 27 05 19 56 9b 5b 91 b1 4f 17 e1 17 00 13 14 85 |'..V.[..O.......|
    00020010 80 00 20 00 80 29 8c 70 8d 42 22 8f 05 05 02 03 |.. ..).p.B".....|
    00020020 4c 69 6e 75 78 20 4b 65 72 6e 65 6c 20 49 6d 61 |Linux Kernel Ima|
    00020030 67 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |ge..............|
    00020040 5d 00 00 80 00 00 e2 37 00 00 00 00 00 00 00 6f |]......7.......o|
    00020050 fd ff ff a3 b7 7f 63 c5 55 7e b6 b7 c0 21 eb 9d |......c.U~...!..|
    00020060 0f 18 3d 7c 69 63 c8 b0 6c 53 54 d9 27 1c 7b f2 |..=|ic..lST.'.{.|
    00020070 66 64 6b c0 0b 92 2c af a8 b8 68 e2 1f c1 32 ae |fdk...,...h...2.|
    00020080 71 13 54 ac d9 b6 0e aa f4 b2 ad 7a ea 01 f2 63 |q.T........z...c|
    00020090 6c bb 71 ae f1 1a 7f 30 20 d6 c5 a5 1b 5d 36 e2 |l.q....0 ....]6.|
    000200a0 dc b0 f5 71 19 76 ea 1b 77 8a bd 5b 3c 70 8c a9 |...q.v..w..[<p..|
    ---- snip ----
    00151490 30 f2 81 2a 73 78 72 c2 3b 5d 6b 01 b7 0f b9 54 |0..*sxr.;]k....T|
    001514a0 bf bb d6 4c 9a b5 8b 31 dd 31 58 4a 09 1f 16 44 |...L...1.1XJ...D|
    001514b0 10 0c 52 64 08 ed 11 62 d8 b9 12 fd 7a 57 5c 59 |..Rd...b....zW\Y|
    001514c0 b0 e4 69 05 b8 00 00 00 00 00 00 00 00 00 00 00 |..i.............|
    001514d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00160000 68 73 71 73 31 04 00 00 31 e1 17 4f 00 00 01 00 |hsqs1...1..O....|
    00160010 73 00 00 00 02 00 10 00 c0 00 01 00 04 00 00 00 |s...............|
    00160020 e8 0e 85 21 00 00 00 00 bb bb 71 00 00 00 00 00 |...!......q.....|
    00160030 b3 bb 71 00 00 00 00 00 ff ff ff ff ff ff ff ff |..q.............|
    00160040 aa 61 71 00 00 00 00 00 47 87 71 00 00 00 00 00 |.aq.....G.q.....|
    00160050 46 b3 71 00 00 00 00 00 9d bb 71 00 00 00 00 00 |F.q.......q.....|

  • Again, notice that there is space from 0x001514d0 to 0x00160000. Cross-check this against the uImage header u-boot printed at boot: Data Size 1250437 = 0x131485, plus the 64-byte header, puts the end of the kernel at 0x00020040 + 0x131485 = 0x001514c5, exactly where the non-zero bytes stop. This is a good sign that 0x00020000 - 0x00160000 is how much space uboot expects our kernel to take up.

  • The build scripts don't obey the end hint, so we need to give the FreeBSD kernel a way to find the end of its own image on its own. The easiest way is geom_map's search syntax: instead of a fixed end offset, tell it to scan flash for the marker that begins the rootfs, and let geom_uncompress take it from there on startup. The value 0x00100000 is arbitrary, since I assume no compressed FreeBSD kernel image could be smaller than 1MB. The 0x10000 argument instructs the search to step through flash 64K at a time looking for the search string, so the rootfs must start on a 64K boundary (it does, because the image is written in whole erase blocks). The string itself is the "#!/bin/sh" header that mkuzip puts at the start of every image it writes; the leading "." stands in for "#", which would otherwise start a comment in the hints file, and geom_map treats a "." in the key as matching any byte.

  • this will translate into the following code in the kernel config hints file, e.g.

    # 1280KiB kernel
    hint.map.2.at="flash/spi0"
    hint.map.2.start=0x00020000
    hint.map.2.end="search:0x00100000:0x10000:.!/bin/sh"
    hint.map.2.name="kernel"
    hint.map.2.readonly=1

  • Repeat the process again for the rootfs partition. It's super tedious, but you never know what vendors might do. So take your time and scroll through all 14MB and make sure that what you think is there is actually there. The "hsqs" at 0x00160000 is the squashfs superblock magic, which matches rootfstype=squashfs on the kernel command line:

    001514c0 b0 e4 69 05 b8 00 00 00 00 00 00 00 00 00 00 00 |..i.............|
    001514d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00160000 68 73 71 73 31 04 00 00 31 e1 17 4f 00 00 01 00 |hsqs1...1..O....|
    00160010 73 00 00 00 02 00 10 00 c0 00 01 00 04 00 00 00 |s...............|
    00160020 e8 0e 85 21 00 00 00 00 bb bb 71 00 00 00 00 00 |...!......q.....|
    00160030 b3 bb 71 00 00 00 00 00 ff ff ff ff ff ff ff ff |..q.............|
    00160040 aa 61 71 00 00 00 00 00 47 87 71 00 00 00 00 00 |.aq.....G.q.....|
    00160050 46 b3 71 00 00 00 00 00 9d bb 71 00 00 00 00 00 |F.q.......q.....|
    00160060 6d 00 00 00 01 00 3f 91 45 84 60 08 46 3f 70 a4 |m.....?.E.`.F?p.|
    00160070 f0 9e 89 9e 91 da f0 64 b6 10 69 e4 e3 2a 4a b3 |.......d..i..*J.|
    00160080 a5 84 9f d4 2e 03 ac b7 4a c4 98 73 56 07 9e 85 |........J..sV...|
    00160090 86 2f f5 21 fe 9e 2e 37 2f 5f b6 a9 43 a7 36 61 |./.!...7/_..C.6a|
    001600a0 72 aa 59 57 a1 63 7e a3 7b 09 94 f0 d5 43 07 d1 |r.YW.c~.{....C..|
    001600b0 0e c2 19 da 73 0d 06 33 23 eb 20 07 56 d6 8e 94 |....s..3#. .V...|
    001600c0 fe 6b 55 b2 3b 9c 7f d4 f9 50 29 a9 d8 8a 05 73 |.kU.;....P)....s|
    001600d0 ec 15 47 2c 71 76 55 1d e5 f7 b6 3c f3 ac fd bc |..G,qvU....<....|
    001600e0 67 1d ec 03 9b 81 83 15 29 f5 83 9e 17 59 91 a9 |g.......)....Y..|
    001600f0 3e 44 73 90 0a 7f 51 18 10 f1 08 f7 d2 ec e8 04 |>Ds...Q.........|
    ---- snip ----
    0087bb70 47 96 74 4f cc c3 37 3e 9c 8e 0c 63 73 94 96 c6 |G.tO..7>...cs...|
    0087bb80 a8 5d 53 74 81 f3 4d 9d c2 3c 83 1d 55 ab b4 a7 |.]St..M..<..U...|
    0087bb90 14 a2 65 b2 cc 50 c6 ff ff 74 35 16 00 4e b3 71 |..e..P...t5..N.q|
    0087bba0 00 00 00 00 00 0b bb 71 00 00 00 00 00 04 80 00 |.......q........|
    0087bbb0 00 00 00 ad bb 71 00 00 00 00 00 00 00 00 00 00 |.....q..........|
    0087bbc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00faffe0 00 00 00 00 00 00 30 30 44 42 31 32 30 41 52 39 |......00DB120AR9|
    00fafff0 33 34 34 2d 52 54 2d 31 30 31 32 31 34 2d 30 30 |344-RT-101214-00|
    00fb0000 0a ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00fb0010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00fd0000 71 42 e1 ea c7 cb 5d 3d da 2d 93 ad 74 b0 90 49 |qB....]=.-..t..I|
    00fd0010 31 83 8f 22 3b f0 93 2b 88 a4 c8 a8 f9 d1 e2 c6 |1..";..+........|
    00fd0020 1d 58 85 08 a5 a8 51 e1 7a 5b 95 76 3f db 45 d7 |.X....Q.z[.v?.E.|

  • Here we see that the squashfs image actually ends around 0x0087bbc0, but a text signature ("00DB120AR9344-RT-101214-00") sits in the last bytes of the partition after a long run of empty data; the stray 0x0a at 0x00fb0000 appears to be its trailing newline. The vendor firmware uses this string to validate the rootfs about to be loaded.

  • Since we searched for the start of the rootfs to find the end of the kernel partition, we use the same search string here for the start of the rootfs partition.

  • this will translate into the following code in the kernel config hints file, e.g.

    # 14656KiB rootfs
    hint.map.3.at="flash/spi0"
    hint.map.3.start="search:0x00100000:0x10000:.!/bin/sh"
    hint.map.3.end=0x00fb0000
    hint.map.3.name="rootfs"
    hint.map.3.readonly=1
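The two searches above (the kernel's end and the rootfs's start) and the "where does the data actually stop" check on the kernel region are easy to get wrong by eye. As an added example, not code from this page or from freebsd-wifi-build, the Python below parses the uImage header at 0x00020000 and verifies its CRCs, works out where the kernel payload ends, finds the last non-padding byte in the kernel region, and emulates the geom_map search hint, stepping 64K at a time with "." matching any byte. Since no dump ships with the page, it constructs a 16 MiB image laid out like the one described here (uImage with a 1250437-byte payload at 0x00020000, zero padding to 0x00160000, an mkuzip-style "#!/bin/sh" header there, erased 0xff elsewhere); the payload contents, the mkuzip header text and the '.'-as-wildcard matching are assumptions of the example. Replace build_sample_image() with open("flash.bin", "rb").read() to run it on your own dump.

```python
"""Checks on a flash dump for the offsets derived on this page.

Added example, not code from the page or from freebsd-wifi-build.  The
sample image built by build_sample_image() is constructed to mirror the
DIR825C1 layout described here; swap in the bytes of a real flash.bin.
"""
import struct
import zlib

IH_MAGIC = 0x27051956      # uImage magic: the "27 05 19 56" at 0x00020000 in the dump
IH_HEADER_LEN = 64


def parse_uimage(img, off):
    """Parse the uImage header at `off`, verify both CRC32s and report the
    absolute end of the image (header + payload); None if no uImage is there."""
    if off + IH_HEADER_LEN > len(img):
        return None
    hdr = bytes(img[off:off + IH_HEADER_LEN])
    magic, hcrc, _time, size, load, entry, dcrc, _os, _arch, _typ, _comp = \
        struct.unpack(">IIIIIIIBBBB", hdr[:32])
    if magic != IH_MAGIC:
        return None
    data = bytes(img[off + IH_HEADER_LEN:off + IH_HEADER_LEN + size])
    return {
        "name": hdr[32:].split(b"\0", 1)[0].decode("ascii", "replace"),
        "size": size, "load": load, "entry": entry,
        "end": off + IH_HEADER_LEN + size,
        # the header CRC is computed with the CRC field itself zeroed
        "hcrc_ok": zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc,
        "dcrc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def geom_map_search(img, start, step, key):
    """Emulate the hint value search:<start>:<step>:<key>: starting at `start`,
    look only at every `step`-th offset for `key`.  A '.' in the key matches
    any byte (assumed here), which is how ".!/bin/sh" finds the "#!/bin/sh"
    header mkuzip writes without a '#' comment character in the hints file."""
    key = key.encode("ascii")
    for off in range(start, len(img) - len(key) + 1, step):
        if all(k == 0x2e or k == b for k, b in zip(key, img[off:off + len(key)])):
            return off
    return None


def last_data_byte(img, start, end):
    """Offset of the last byte in [start, end) that is not padding (0x00 or
    0xff, the two fill values seen in the dump); None if it is all padding."""
    stripped = bytes(img[start:end]).rstrip(b"\x00\xff")
    return start + len(stripped) - 1 if stripped else None


def make_uimage(payload, load, entry, name):
    """Build a uImage header for `payload` (only used to construct the sample).
    os=5 (Linux) arch=5 (MIPS) type=2 (kernel) comp=3 (lzma), as in the dump."""
    body = struct.pack(">IIIIIIIBBBB", IH_MAGIC, 0, 0, len(payload), load, entry,
                       zlib.crc32(payload), 5, 5, 2, 3)
    body += name.encode("ascii").ljust(32, b"\0")
    return body[:4] + struct.pack(">I", zlib.crc32(body)) + body[8:]


def build_sample_image():
    """Constructed 16 MiB dump following this page's layout (see module docstring)."""
    img = bytearray(b"\xff" * (16 * 1024 * 1024))
    payload = (bytes(range(256)) * 4885)[:1250437]      # Data Size from the boot log
    img[0x20000:0x20040] = make_uimage(payload, 0x80002000, 0x80298c70, "Linux Kernel Image")
    img[0x20040:0x20040 + len(payload)] = payload
    img[0x20040 + len(payload):0x160000] = b"\0" * (0x160000 - 0x20040 - len(payload))
    marker = b"#!/bin/sh\n#V2.0 Format\n"              # how an mkuzip image begins
    img[0x160000:0x160000 + len(marker)] = marker
    return img


def check_layout(img, kernel_start=0x20000, kernel_end=0x160000):
    """The checks worth running before trusting the kernel/rootfs hints."""
    k = parse_uimage(img, kernel_start)
    return {
        "kernel": k,
        "kernel_fits": k is not None and k["end"] <= kernel_end,
        "kernel_last_data": last_data_byte(img, kernel_start, kernel_end),
        "rootfs_start": geom_map_search(img, 0x100000, 0x10000, ".!/bin/sh"),
    }


if __name__ == "__main__":
    report = check_layout(build_sample_image())
    k = report["kernel"]
    print("kernel %r: %d bytes, ends at 0x%08x, header/data crc ok: %s/%s" % (
        k["name"], k["size"], k["end"], k["hcrc_ok"], k["dcrc_ok"]))
    print("last data byte in kernel region: 0x%08x" % report["kernel_last_data"])
    print("rootfs marker found at: 0x%08x" % report["rootfs_start"])
```

On the sample the kernel ends at 0x001514c5 and the search lands on 0x00160000, the same two numbers read off the hexdump above; a search for "hsqs" returns nothing, which is the result you would get on a FreeBSD-flashed device, and conversely on the untouched vendor dump ".!/bin/sh" will not be found because the vendor rootfs is squashfs, not mkuzip.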

  • The DLink I am using as an example has language-specific files and user data stored in an MTD partition called lang, from 0x00fb0000 to 0x00fe0000 (192KB). We probably want to steal this for our user cfg data, so let's see what's in here (not much for 192k):

    00fb0000 0a ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00fb0010 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00fd0000 71 42 e1 ea c7 cb 5d 3d da 2d 93 ad 74 b0 90 49 |qB....]=.-..t..I|
    00fd0010 31 83 8f 22 3b f0 93 2b 88 a4 c8 a8 f9 d1 e2 c6 |1..";..+........|
    00fd0020 1d 58 85 08 a5 a8 51 e1 7a 5b 95 76 3f db 45 d7 |.X....Q.z[.v?.E.|
    00fd0030 5b 97 96 eb 48 c8 cb fc 42 61 ec 91 78 78 a6 70 |[...H...Ba..xx.p|
    00fd0040 af bd 30 08 fb 82 39 60 d2 22 ac 5b 10 d7 9c 38 |..0...9`.".[...8|
    00fd0050 54 df 14 39 84 ce 42 5a ea 76 2c 46 c1 e8 ac 38 |T..9..BZ.v,F...8|
    00fd0060 2a a5 13 b5 f4 ba 5d 74 4e 0a bc b5 ca a0 52 8f |*.....]tN.....R.|
    00fd0070 65 8a b3 cf 7d cb 50 3d 0c 2c 44 78 b3 51 dc f1 |e...}.P=.,Dx.Q..|
    ---- snip ----
    00fd2370 18 ce 09 33 30 30 32 fc 87 ab 07 33 80 00 a4 4f |...3002....3...O|
    00fd2380 0e 88 99 81 18 00 84 38 0c fc 17 00 78 da 63 60 |.......8....x.c`|
    00fd2390 80 00 26 38 cd c6 90 93 98 97 ae 97 55 0c 00 0b |..&8........U...|
    00fd23a0 5a 02 b8 0b 00 78 da 33 60 40 05 00 03 10 00 31 |Z....x.3`@.....1|
    00fd23b0 a3 23 02 00 00 00 00 00 04 80 00 00 00 00 b8 23 |.#.............#|
    00fd23c0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00fd23d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00fdffd0 00 00 00 00 00 00 00 00 00 00 00 44 49 52 2d 38 |...........DIR-8|
    00fdffe0 32 35 43 31 5f 31 2e 30 30 62 30 30 5f 43 4e 5f |25C1_1.00b00_CN_|
    00fdfff0 46 72 69 2c 20 30 36 20 4a 61 6e 20 32 30 31 32 |Fri, 06 Jan 2012|

  • This appears to be some binary blob config or language-translation data that is specific to this model. The first 128k are simply empty (erased, all 0xff, apart from the stray 0x0a at the start) and the last 64k, from 0x00fd0000, holds the actual data, tagged at the very end with the firmware version string "DIR-825C1_1.00b00_CN_Fri, 06 Jan 2012". We're probably fine just using the entire thing for our cfg partition. If you are paranoid, you can use anything in 0x00fb0000 - 0x00fd0000 as a config partition so that it doesn't destructively overwrite this lang data. I, however, will not be doing this.

  • this will translate into the following code in the kernel config hints file. Note that this is the first partition that we set readonly=0. This means the running o/s can modify the data inside of it.

    # 192KiB lang/cfg
    hint.map.4.at="flash/spi0"
    hint.map.4.start=0x00fb0000
    hint.map.4.end=0x00fe0000
    hint.map.4.name="cfg"
    hint.map.4.readonly=0

  • The next partition is labeled "mac" and contains the suggested MAC addresses for the two wired ethernet bridge interfaces on this machine:

    00fe0000 43 31 00 ff 42 38 3a 41 33 3a 38 36 3a 36 31 3a |C1..B8:A3:86:61:|
    00fe0010 42 30 3a 41 34 00 ff ff 42 38 3a 41 33 3a 38 36 |B0:A4...B8:A3:86|
    00fe0020 3a 36 31 3a 42 30 3a 41 35 00 ff ff 30 78 33 41 |:61:B0:A5...0x3A|
    00fe0030 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00fe0040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|

  • this will translate into the following code in the kernel config hints file, e.g.

    # 64KiB mac
    hint.map.5.at="flash/spi0"
    hint.map.5.start=0x00fe0000
    hint.map.5.end=0x00ff0000
    hint.map.5.name="mac"
    hint.map.5.readonly=1

  • And finally, the whole reason why we're doing this in the first place: the ART partition, which contains our router's unique RF calibration data. Destroying this makes our router a brick. The data inside it is unique to each machine, and I suggest that in the initial stages of hacking and playing you BACK THIS UP. If you've followed this how-to guide, you now have a complete image of the firmware anyway, so you should be able to restore it to the flash partition, but I'll leave that for a later FAQ.

    00ff0000 43 31 00 11 30 30 3a 31 38 3a 45 37 3a 39 35 3a |C1..00:18:E7:95:|
    00ff0010 36 31 3a 32 39 00 ff ff 30 30 3a 31 38 3a 45 37 |61:29...00:18:E7|
    00ff0020 3a 39 35 3a 36 31 3a 32 41 00 ff ff 30 78 33 61 |:95:61:2A...0x3a|
    00ff0030 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    00ff0040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    00ff1000 02 02 00 18 e7 95 61 29 44 42 31 32 30 2d 30 33 |......a)DB120-03|
    00ff1010 33 2d 44 34 32 30 35 00 39 00 6c 00 00 00 1f 00 |3-D4205.9.l.....|
    00ff1020 33 02 00 00 00 00 04 00 08 00 4d 04 03 00 08 ff |3.........M.....|
    00ff1030 20 01 00 00 00 20 02 00 00 dd dd 0d 00 50 01 50 | .... .......P.P|
    00ff1040 01 50 01 00 00 00 00 00 00 32 00 a4 00 00 00 00 |.P.......2......|
    00ff1050 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f |................|
    00ff1060 0e 0e 03 00 2c e2 00 02 0e 1c e0 e0 00 0c e0 e0 |....,...........|
    00ff1070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    ---- snip ----
    00ff8740 58 3d 30 0a 57 50 41 5f 49 53 5f 48 45 58 5f 32 |X=0.WPA_IS_HEX_2|
    00ff8750 3d 30 0a 57 50 41 5f 49 53 5f 48 45 58 5f 33 3d |=0.WPA_IS_HEX_3=|
    00ff8760 30 0a 57 50 41 5f 49 53 5f 48 45 58 5f 34 3d 30 |0.WPA_IS_HEX_4=0|
    00ff8770 0a 57 50 41 5f 49 53 5f 48 45 58 5f 35 3d 30 0a |.WPA_IS_HEX_5=0.|
    00ff8780 57 50 41 5f 49 53 5f 48 45 58 5f 36 3d 30 0a 57 |WPA_IS_HEX_6=0.W|
    00ff8790 50 41 5f 49 53 5f 48 45 58 5f 37 3d 30 0a 57 50 |PA_IS_HEX_7=0.WP|
    00ff87a0 41 5f 49 53 5f 48 45 58 5f 38 3d 30 0a 00 00 00 |A_IS_HEX_8=0....|
    00ff87b0 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff |................|
    00ff87c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
    *
    01000000

  • This is a mandatory entry in our kernel config, the ath(4) driver will not function correctly if it cannot find this AFAIK.

    # 64KiB art
    hint.map.6.at="flash/spi0"
    hint.map.6.start=0x00ff0000
    hint.map.6.end=0x01000000
    hint.map.6.name="art"
    hint.map.6.readonly=1
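Since the ART data cannot be regenerated, carve it (and anything else you care about) out of flash.bin into its own file before you write anything to the device, and record its checksum so the backup can be verified later. The shell function below is an added example, not part of this page or of freebsd-wifi-build; it assumes flash.bin is a whole-device dump with the offsets derived above and that partition boundaries are 64 KiB aligned, as they are here, and refuses anything that is not.

```shell
#!/bin/sh
# Carve one 64 KiB-aligned partition out of a whole-flash dump, e.g. the ART
# partition (0x00ff0000-0x01000000 in the DIR825C1 layout above), so it can
# be put back if a later flash goes wrong.  Added example; not from the page.
set -eu

# carve <dump> <start-hex> <end-hex> <out>
# Copies [start, end) of <dump> into <out> using 64 KiB blocks, then checks
# the output is exactly the partition size and prints its POSIX cksum.
carve() {
    dump=$1; start=$(($2)); end=$(($3)); out=$4
    bs=65536
    if [ $((start % bs)) -ne 0 ] || [ $((end % bs)) -ne 0 ] || [ "$end" -le "$start" ]; then
        echo "carve: $2-$3 is not a 64k-aligned, non-empty range" >&2
        return 1
    fi
    dd if="$dump" of="$out" bs=$bs skip=$((start / bs)) count=$(((end - start) / bs)) 2>/dev/null
    got=$(wc -c < "$out" | tr -d ' ')
    if [ "$got" -ne $((end - start)) ]; then
        echo "carve: $out is $got bytes, expected $((end - start)) (short dump?)" >&2
        return 1
    fi
    cksum "$out"
}

# usage: sh carve.sh flash.bin  -> writes art.bin from the ART offsets above
if [ -n "${1-}" ]; then
    carve "$1" 0x00ff0000 0x01000000 art.bin
fi
```

The size check matters more than it looks: if flash.bin was cut short during the nc transfer, dd silently produces a short art.bin, and that is exactly the file you would later try to restore from.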
