Using ZyXEL/Netgear/... router as ARM7 development platform

Found out on my own by decoding ZyNOS BootExt. Successfully booted uCLinux on my RT311 after uploading via serial console. If anyone is interested: mail

Kolja

I'm sure many will be now and in the future as they come across your posting. why don't you post your finding here ?

/NN

I'm a little paranoid regarding possible copyright issues.

To enable the write-to-RAM commands, a (numerical) password is needed; the code to compute this password clearly is copyrighted.

Maybe I can make up a "valid firmware" to be accepted as a regular update by the router, with an application that provides RAM upload and debug features. But then I would have to use ZyNOS code to compute valid checksums to be included in the firmware...

Hm; it may be legally allowed to publish a set of passwords usable for any ZyXEL router... Due to a conceptual flaw, a the list wouldn't consist of more than eight entries, at least for firmware similar to that in my RT311.

Okay, assume I bought a Netgear RT311 router and executed some code I found on the router, with MAC address of LAN interface as its parameter (see ATSH output). Unless the "ATSE" command was issued before, the output of this code is:

10F0A563 if MAC address ends in 0 or 8 887852B1 ... 1 or 9 (the above value, ROR #1) C43C2958 ... 2 or A (the above value, ROR #2) 621E14AC ... 3 or B (...) 310F0A56 ... 4 or C 1887852B ... 5 or D 8C43C295 ... 6 or E C621E14A ... 7 or F

With that output y, issue the ATEN1,y command, and DebugFlag gets set. Try ATHE now to learn about the new possibilities. ATMP tells you about the memory layout.

I'm yet working on adapting uCLinux; at first I succeeded with a (uncompressed) 2.4.22-uc0 upload to 0x20000:

./Makefile ARCH := armnommu

./arch/armnommu/Makefile

TEXTADDR = 0x00020000

Regarding the configuration:

System type: (Samsung) ARM system type [X] Generate big endian code [ ] Set flash/sdram size and base addr (RAM) Kernel executes from (S3C4510-SNDS100) Board Implementation Character devices: [X] Samsung serial port support [X] Support for console on Samsung serial port (19200 bps)

There's still a lot to do. I'm yet up to build a configuration with a ROMFS or INITRD attached to the kernel. And yet I didn't succeed to make a compressed zImage that actually starts from RAM.

My goal currently is to build a valid firmware package for the router with uClinux + initrd instead of ZyNOS RasCode.

I'm very interested to read about application of the hints above, success, failure, ... it might be applicable on several ZyXEL Prestige routers, Netgear routers, even D-Link (DI-106), Lucent and Teledat... Which ones do have a console port ("manager" port) available?

Regards, Kolja

Your email address suggests that you are in Germany. Only in the United States do we have the rampant obscenity that is the DMCA (and hopefully parts of it will be rotting off the vine soon).

You are not, in any case, breaching copyright - as you have not copied any work. The kind of reverse-engineering you are doing is explicitly protected in law.

Kolja you are _not_ doing anyhing illegal. You cannot be doing anything illegal it is _your_ kit aftter all, you paid for it. It is like changing the pistons of _your_ car !!!

keep us posted ;-) (for as long as we're still free to learn and engineer)

/NN

See my previous posting (within this same thread, 2003-12-23, ) regarding the information required to enable the upload-to-RAM commands.

Other tidbits required to make uClinux run on the RT311/P310 are on their way into the uClinux CVS repository. As of today, selecting armnommu as the target when compiling uClinux 2.4.22 from CVS with SNDS100 board implementation and "Support ZyXEL BootExtension" enabled in the .config will result in a kernel zImage that can be loaded and started (at 0x20000) at least on my router and probably a lot of related devices.

I'm currently working on clean code to support the Ethernet interfaces.

The WAN port (implemented with a RTL8019AS) works (I can use a DHCP server for initial setup, and mount a root FS via NFS), the LAN port (using the S3C4510X's internal EMAC) support is work-in-progress. Anyway - that code isn't yet ready for integration in mainstream uClinux.

Stay tuned on the uClinux-developers mailing list for updates.

I think I have all the information collected which is required to build a "valid" firmware image (with uClinux instead of ZyNOS), i.e. a file that would be accepted by the router as a firmware update - but yet I haven't actually tried to do so, and I'm still not completely convinced that publishing that information (or a tool that uses this information) would be legal.

Kolja