[ECOS] Odd RedBoot installation found - tips needed

Gary Thomas gary@mlbassoc.com
Mon Jan 28 12:37:00 GMT 2008

Joakim Wennergren wrote:
> Hi,
> I've started to dismantle a new piece of hardware I've got (a small 
> firewall/router), and managed to attach a serial cable to it. When it 
> boots up I get RedBoot, but it's an odd version. It calls itself:
> RedBoot(tm) bootstrap and debug environment [ROM]
> Non-certified release, version v2_0 - built 22:17:05, Dec 22 2005
> So it seems to be a modified RedBoot, nothing new there. But when I 
> checked what commands I had, there was only a short list: "channel", 
> "help", "ip_address", "linux", "load", "switch", "wdog" and "flash".  No 
> fis commands :(
> As far as I can tell there is no list of partitions on the flash at all, 
> just the Linux kernel and then the file system appended to the end of 
> it... And the Linux kernel seems to unpack an area of the flash into RAM 
> and use it as a ramdrive.
> So what I need help with is where to burn my own images. I compiled the 
> vendor's released kernel, but as usual when vendors are forced to release 
> the kernel under GPL they stripped it bare. When I installed it using 
> the web interface it boots Linux but failed to unpack the ramdisk and is 
> pretty much useless.
> The Linux boots up using the RedBoot command
> linux -b 0x400000 -l 0x0010f9c4 -s 0x001a50e9 -c "console=ttyS0,38400"
> And the "help" output from RedBoot is:
> RedBoot> help
> Display/switch console channel
>   channel [<channel number>]
> Help about help?
>   help [<topic>]
> Set/change IP addresses
>   ip_address [-l <local_ip_address>] [-h <server_address>]
> Execute a Linux image
>   linux [-w timeout] [-b <base address> [-l <image length>]]
>        [-r <ramdisk addr> [-s <ramdisk length>]]
>        [-c "kernel command line"]
> Load a file
>   load [-r] [-v] [-h <host>] [-m <varies>] [-c <channel_number>]
>        [-b <base_address>] <file_name>
> cat switch value
>   switch no
> set watchdog
>   wdog no
> flash upgrade
>   flash [-s <source>][-d <destination>][-l <image length>]
> So I guess it reads the kernel from 0x400000, but what that address 
> means I have no clue :( I can't write to it using "flash", so it's not 
> the start of the flash. And I don't want to try addresses randomly since 
> I might overwrite RedBoot and brick the router completely.
> So any tips on where to burn the image? "load" works just fine so I can 
> load images, but I don't know where to burn it.
> I managed to "hack" their released firmware so I have access to the 
> contents of their file system, but all flash burning tools are compiled 
> binaries so I can't find any addresses there.

Is this something other than the RedBoot code?

> In worst case I could maybe figure out the JTAG pins on the hardware, 
> but I don't have any JTAG burning stuff, I'd have to borrow some. And 
> considering how non-standard the serial port was the pins are probably 
> all jumbled... I'd rather not go that way.

You should be able to build a RAM version of RedBoot and run that.
Using this version, you can experiment a little, try updating the
Linux kernel pieces, etc.  Once comfortable, you should be able
to build and update the ROM (or ROMRAM) code.

You've mentioned that you got sources, but they are "stripped".
What do you mean by this?  The GPL doesn't allow for the vendor
to provide some pieces and not others (for the code that corresponds
to what's in your router).  You should *absolutely* be capable of
rebuilding the RedBoot that's in your box from the sources provided,
or else the vendor is not living up to their GPL responsibilities.

What's the underlying target/architecture?

Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
