Collected notes on the router, its operation, and hacks. Sunday 09 April 2006 by mattei in Notebook > Technical
**Please note (for this page)** I went through this a while back with earlier firmware and wanted to get it put up. This isn't everything, what's here is incomplete, and likely contains mistakes. I hope to update and complete it as time permits.
Examining the firmware
In the reference/turnkey designs from RealTek, a boot block of 16KB plus 8KB (24KB total) is always configured at 0xbfc0_0000. The next 8KB block, at 0xbfc0_6000, contains the 8186 hardware settings (MAC address, RF parameters, etc.). The 32KB block following at 0xbfc0_8000 is organized as two identical 16KB structures holding, respectively, the default and the current parameters referenced by the OS/kernel (IP address, SSID, channel number, etc.).
RealTek selected Linux as the embedded operating system for their Access Point, Gateway, and VPN reference designs. Web-based configuration is made possible with the inclusion of an embedded system focused webserver, GoAhead Webserver. The daemon is started by the OS and serves pages allowing configuration changes via form submissions. These web pages are stored in a 64KB block located at 0xbfc1_0000.
Flash memory layout

| Virtual address | Flash sector size | Usage |
|---|---|---|
| 0xbfc0_0000 | 16K | Boot code |
| | 8K | Boot code (continued) |
| 0xbfc0_6000 | 8K | Hardware settings |
| 0xbfc0_8000 | 32K | Default settings (16K), current settings (16K) |
| 0xbfc1_0000 | 64K | Web pages |
| 0xbfc2_0000 | 64K (?? VPN model) or 896K - 1920K | Linux |
The remainder of flash memory stores the operating system. While the size of the region allocated to it varies with the product model and the size of the flash part, the image always begins at 0xbfc2_0000. Apparently, a 1024KB read-only SquashFS root file system can be configured at 0xbfd0_0000 on some reference designs.
btcode v1.4 Flash memory layout

| Virtual address | Flash sector size | Usage |
|---|---|---|
| 0xbfc0_0000 | 16K | Boot code |
| | 8K | Boot code (continued) |
| 0xbfc0_6000 | 1K | Hardware settings |
| 0xbfc0_6400 | 7K | Default settings |
| 0xbfc0_8000 | 32K | Current settings |
| 0xbfc1_0000 | 64K | Web pages |
| 0xbfc2_0000 | 896K or 1920K | Linux |
CC & C WA-2204 firmware v1.4.2
I'll be using firmware v1.4.2 here for reference. Any version changes will be marked.
Boot code
The RealTek boot loader is named btcode and is currently at version 1.4. An alternative boot loader, rtk-lxload, is available from the RTL8181 SourceForge project. It is based on the hfload open-source boot code written by Jay Carlson. In firmware versions before 1.4, direct network flashing was not possible. Since v1.4, the Linux and web page images can be written to the flash part of the device via TFTP.
btcode v1.4 checks 0xBFC1_0000, 0xBFC2_0000, and 0xBFC3_0000 for a valid CSYS image, verifying the hardware, default, and current settings at each check. When one is found, the image (minus its header) is copied to SDRAM, starting at the address specified in the CSYS header. After the transfer, execution begins at the start of the image in SDRAM: 0x8080_0000 in the case of firmware v1.4.2.
Hardware settings
The sector begins with a 2 byte signature, "HS", and ends with a 2 byte checksum.
TODO: map settings

Hardware settings are manipulated by the system using the "flash" command line binary. Individual settings, or MIBs, can be listed and are "set" or "get". This flash tool also extracts the contents of the 64KB web page area.
Configuration settings
The default settings sector begins with a 6 byte header and ends with a 2 byte checksum:
Current settings are located after default settings and use the same header layout with a "CS" signature. The current settings version must match the default settings version. To obtain a plaintext version of a saved configuration settings file, subtract each byte value of the binary default/saved image from 0xc7.
The checksum, composed of the final 2 bytes, is 23 ED. The web page binary image appears to be a bzip2 archive, leading with the magic "BZh91AY". To obtain the uncompressed web page binary image:
The final two bytes in our v1.4.2 file are CF 57, the checksum. While prior system images used gzip compression, LZMA has now replaced it.
To uncompress the system image, the CSYS header and bootloader must be removed. The resulting binary can then be decompressed as an LZMA stream. A utility to decompress LZMA streams is available for Windows in the LZMA SDK. Tukaani LZMA Tools can be used in Linux.
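The 0xc7 transform for saved settings, the "HS"/"CS"/"CSYS"/"BZh" signatures and the bzip2/LZMA sections described above, as an added Python helper that is not part of these notes or of RealTek's tools. The dict-style header split, the 225-bound LZMA "alone" heuristic, and every sample byte string are assumptions or constructed inputs, not real dumps; the checksum algorithm is not known from the notes, so the trailing two bytes are only split off, never verified.

```python
"""Helpers for the RTL8186 flash sections in the notes above (added example)."""
import bz2
import lzma

OBFUSCATION_BASE = 0xC7  # saved config stores (0xc7 - plaintext byte) mod 256


def transform(blob: bytes) -> bytes:
    """Subtract each byte from 0xc7. The map is its own inverse, so the same
    call both decodes a saved/default image and re-encodes a plaintext one."""
    return bytes((OBFUSCATION_BASE - b) & 0xFF for b in blob)


def parse_settings(saved: bytes) -> dict:
    """Decode a saved settings image and split the 6-byte header and the
    final 2-byte checksum (field names are an assumption, the notes only
    give the header length, the 'CS' signature and the checksum position)."""
    plain = transform(saved)
    return {"signature": plain[:2], "header": plain[:6],
            "body": plain[6:-2], "checksum": plain[-2:]}


def identify(data: bytes) -> str:
    """Guess a flash section from its leading bytes.
    'CSYS' is tested before 'CS' because the two share a prefix."""
    if data[:4] == b"CSYS":
        return "csys image header"
    if data[:2] == b"HS":
        return "hardware settings"
    if data[:2] == b"CS":
        return "current settings"
    if data[:3] == b"BZh":
        return "bzip2 web pages"
    # .lzma "alone" stream: properties byte (lc/lp/pb packed, < 9*5*5) then a
    # little-endian dictionary size. Heuristic, so it is tested last.
    if len(data) >= 13 and data[0] < 225 and int.from_bytes(data[1:5], "little"):
        return "lzma system image"
    return "unknown"


def decompress_section(data: bytes) -> bytes:
    """Inflate the web page section (bzip2) or the system image (LZMA alone).
    For the system image pass the bare stream, i.e. with the CSYS header and
    boot loader already stripped; their sizes are not given in the notes."""
    kind = identify(data)
    if kind == "bzip2 web pages":
        return bz2.decompress(data)
    if kind == "lzma system image":
        return lzma.decompress(data, format=lzma.FORMAT_ALONE)
    raise ValueError(f"not a compressed section: {kind}")


if __name__ == "__main__":
    # Constructed sample: a plaintext "CS" image run through the transform
    # once, which is what a saved configuration file looks like.
    saved = transform(b"CS\x01\x00\x00\x00ssid=demo\x23\xed")
    print(identify(saved), parse_settings(saved))
```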
The boot log indicates a 6,348,800 byte (6,200 KB) RAM disk, starting at address 0x801d_8000. 6,455,296 bytes (6,304 KB) are available, leaving 104 KB.
To retrieve the ramdisk ext2 partition from the uncompressed system image: