Inventel DV3210-WS

Attachments:

  Inventel DV3210-WS - top
  Inventel DV3210-WS - bottom
  Inventel DV3210-WS partlist
  tool to decrypt configuration files

Reflash with JTAG

Inventel DV3210-WS - JTAG Notes

Disclaimer: I am not responsible for any damage to your hardware.

Numbers written here are mostly in hexadecimal, and they are pretty obvious numbers. Firmware version v5.05.5-fr is assumed to be installed, but it will probably work with others too.

The wrt54g debrick utility is a bit quirky with flash detection and byte ordering. DMA mode doesn't seem to work properly, so we use /nodma here. It is megaslow though.

In case JTAG fails, try pushing the reset button, which is located between button "2" and the USB host connector.

Depending on whether the CPU has been initialized correctly, the flash window address is either 1e400000 or 1fc00000.

Requirements

  Xilinx-compatible JTAG cable (build it yourself for cheap, see Google)
  Soldering equipment (for attaching the JTAG cable)
  USB A-B cable
  Special serial cable (if you want to log in with a serial terminal and have debugging information)
  HairyDairyMaid WRT54G Debrick Utility v4.5
  cramfsck & mkcramfs (Cygwin package "cramfs")
  redim (for byte reordering)
  nice (optional, for flashing at lower CPU priority)
  DWBFlash (from the Livebox CD, used to flash the filesystem via USB)
  Firmware_v5.05.5-fr.dwb (for extracting the install script)
  dwbtool (for creating a firmware file for use with DWBFlash)
  redboot - pre-patched redboot loader using both methods (if you don't want to do it manually)

Flash memory layout

What the debrick utility reports (note the two wrong values):

  *** Found a AMD 29lv320MB 2Mx16 BotB (4MB) Flash Chip ***    (wrong!)
  - Flash Chip Window Start .... : 1e400000
  - Flash Chip Window Length ... : 00400000                     (wrong!)
  - Selected Area Start ........ : 1e400000
  - Selected Area Length ....... : 00800000                     (correct!)
FIS directory (FIS = FLASH Image System)

  Offset   Contents
  000000   RedBoot
  030000   user_fs (compressed filesystem), size=720000
  750000   jffs_system, size=A0000
  750000   empty (except 12 bytes tag)
  760000   empty (except 12 bytes tag)
  770000   configuration
  7A0000   empty (except 12 bytes tag)
  7B0000   empty (except 12 bytes tag)
  7C0000   empty (except 12 bytes tag)
  7D0000   empty (except 12 bytes tag)
  7E0000   configuration
  7F0000   FIS directory
  7FF000   RedBoot config
  7FFFF8   some ID+checksum? perhaps unlock bits

Backup whole flash and extract filesystem

  nice wrt54g -backup:custom /window:1e400000 /start:1e400000 /length:800000 /silent /notimestamp
  redim *,-4 -i CUSTOM.BIN -o full_backup.bin
  redim *,-4 -i CUSTOM.BIN -o cramfs.bin -s 0x30000
  cramfsck -x cramfs cramfs.bin
  del cramfs.bin
  del CUSTOM.BIN

Redboot signature check patch, method 1

  copy /y full_backup.bin patched.bin

In patched.bin, replace the following instructions with zeros (NOP instructions):

  ROM:00004570 54 40 00 0E    bnezl $v0, crypt_verify_failed
  ROM:00009AB4 14 40 FF D9    bnez  $v0, crypt_verify_failed2

Data must be flashed per 0x10000.

  redim *,2,-2 -i patched.bin -o CUSTOM.BIN
  nice wrt54g -flash:custom /window:1fc00000 /start:1fc00000 /length:10000 /silent /nodma

Redboot signature check patch, method 2

  copy /y full_backup.bin patched.bin

The redboot loader contains some public keys:

  @ 2B148 pubkey_inventel_bootloader_only
  @ 2B2F8 pubkey_inventel_bootloader_only_len
  @ 2B2FC pubkey_release_wanadoo_fr
  @ 2B4A8 pubkey_release_wanadoo_fr_len

Replace the original keys and lengths with mykey, starting from "94 00 03 00 ..." but not including the private key, which starts with "xx 00 00 00 xx xx ...". In the provided mykey, the length without the private key is 0x1AB bytes.

Data must be flashed per 0x10000. It takes a long time with a cheap JTAG cable and /nodma, but we can use an offset to skip some of it.
With offset:

  redim *,2,-2 -i patched.bin -o CUSTOM.BIN -s 0x20000
  nice wrt54g -flash:custom /window:1fc20000 /start:1fc20000 /length:10000 /silent /nodma

Without offset (takes longer to flash):

  redim *,2,-2 -i patched.bin -o CUSTOM.BIN
  nice wrt54g -flash:custom /window:1fc00000 /start:1fc00000 /length:30000 /silent /nodma

Extracting filesystem from dwb

Extract dwb:

  dwbtool -x Firmware_v5.05.5-fr.dwb Firmware_v5.05.5-fr.script Firmware_v5.05.5-fr.cramfs

Extract filesystem image:

  cramfsck -v -x Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr.cramfs

For mkcramfs with Cygwin, you can process the output to a suitable device list.

Modify the filesystem

Remove root password from etc_ro_fs/passwd:

  root::0:0:root:/root:/bin/sh

Clean up etc_ro_fs/init.d/update_ft (called from ip-down, ip-up, ip-updown):

  #!/bin/sh

Clean up etc_ro_fs/init.d/autoupdate (called from ip-down, ip-up, ip-updown):

  #!/bin/sh

Change update IP address in etc_ro_fs/autoconf.conf:

  CONFIG_DEFAULT_UPDATE_MACHINE=""

Change update IP address in etc_ro_fs/firm.conf:

  UPDATE_MACHINE= #force

Hex-edit regexps in sbin/adsld: Hmz... I can't seem to find those regexps some were talking about. Nevermind then.

Create modified filesystem image and flash

Create and verify filesystem image (using Firmware_v5.05.5-fr-mod as source directory):

  # For the Cygwin port of mkcramfs, you might need to remove the dev subfolder.
  # mkcramfs -v -q -D Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr-mod.cramfs
  # cramfsck -v Firmware_v5.05.5-fr-mod.cramfs

Use mkcramfs under Linux since the Cygwin port is kind of broken:

  mkcramfs -v Firmware_v5.05.5-fr-mod Firmware_v5.05.5-fr-mod.cramfs
  cramfsck -v Firmware_v5.05.5-fr-mod.cramfs

Create and verify dwb (assuming you have extracted Firmware_v5.05.5-fr.script already):

  dwbtool -c Firmware_v5.05.5-fr-mod.dwb Firmware_v5.05.5-fr.script Firmware_v5.05.5-fr-mod.cramfs
  dwbtool -v Firmware_v5.05.5-fr-mod.dwb

Start DWBFlash and select the modified dwb file. Hold button "1" while powering up to put the Livebox into USB programmation mode.
Click the "Programmation" button when it reports "Interface ready".

TODO: Investigate
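Before patching full_backup.bin it is worth confirming that the dump is sane: that the FIS directory at 7F0000 really lists user_fs at 030000, and that the cramfs image there carries a valid CRC (a dump whose byte order is off, which the debrick utility is prone to produce, fails the CRC check). The Python script below is an added example, not part of these notes and not one of the tools listed above. It assumes RedBoot's 256-byte fis_image_desc slot layout (name[16], flash_base, mem_base, size, entry_point, data_length, padding, desc_cksum, file_cksum) stored big-endian, which is assumed from the MIPS code in the loader, and the standard 76-byte cramfs superblock whose CRC32 covers the whole image with the crc field zeroed. The flash dump it checks is constructed in memory; the function names and the 0xF000 directory length are this example's own choices.

```python
"""Sanity checks for a RedBoot flash dump before it is patched (added example)."""
import struct
import zlib

FIS_ENTRY_SIZE = 256                 # sizeof(struct fis_image_desc), 32-bit RedBoot
CRAMFS_MAGIC = 0x28CD3D45
CRAMFS_SIGNATURE = b"Compressed ROMFS"


def parse_fis_directory(blob, endian=">"):
    """Return the used slots of a FIS directory as dicts (assumed layout)."""
    entries = []
    for off in range(0, len(blob) - FIS_ENTRY_SIZE + 1, FIS_ENTRY_SIZE):
        raw = blob[off:off + FIS_ENTRY_SIZE]
        if raw[0] in (0x00, 0xFF):           # erased (0xFF) or deleted slot
            continue
        name = raw[:16].split(b"\0", 1)[0].decode("ascii", "replace")
        fields = struct.unpack(endian + "5I", raw[16:36])
        entries.append(dict(zip(
            ("flash_base", "mem_base", "size", "entry_point", "data_length"),
            fields), name=name))
    return entries


def parse_cramfs_superblock(img):
    """Parse the cramfs superblock and recompute the image CRC."""
    if len(img) < 76:
        raise ValueError("too short for a cramfs superblock")
    # mkcramfs writes the header in the byte order of the build host,
    # so accept either order and report which one matched.
    for endian in (">", "<"):
        if struct.unpack(endian + "I", img[:4])[0] == CRAMFS_MAGIC:
            break
    else:
        raise ValueError("not a cramfs image: bad magic")
    _, size, flags, _ = struct.unpack(endian + "4I", img[:16])
    crc, _edition, blocks, files = struct.unpack(endian + "4I", img[32:48])
    if size > len(img):
        raise ValueError("header claims 0x%x bytes, only 0x%x present"
                         % (size, len(img)))
    body = bytearray(img[:size])
    body[32:36] = b"\0\0\0\0"               # crc field is zero when hashed
    computed = zlib.crc32(bytes(body)) & 0xFFFFFFFF
    return {"endian": endian, "size": size, "flags": flags, "files": files,
            "blocks": blocks, "signature_ok": img[16:32] == CRAMFS_SIGNATURE,
            "stored_crc": crc, "computed_crc": computed,
            "crc_ok": computed == crc}


def check_backup(flash, window_base, fis_offset=0x7F0000, fis_length=0xF000,
                 fs_name="user_fs"):
    """Find fs_name through the FIS directory and verify it as cramfs."""
    fis = parse_fis_directory(flash[fis_offset:fis_offset + fis_length])
    entry = next((e for e in fis if e["name"] == fs_name), None)
    if entry is None:
        raise ValueError("%s not listed in FIS directory" % fs_name)
    offset = entry["flash_base"] - window_base   # absolute address -> dump offset
    if not 0 <= offset < len(flash):
        raise ValueError("%s flash_base 0x%x lies outside the dump"
                         % (fs_name, entry["flash_base"]))
    info = parse_cramfs_superblock(flash[offset:offset + entry["size"]])
    info.update(offset=offset, fis=[e["name"] for e in fis])
    return info


def build_sample_cramfs(size=0x1000, endian=">"):
    """Constructed minimal cramfs image: valid superblock, zero-filled body."""
    img = bytearray(size)
    img[0:16] = struct.pack(endian + "4I", CRAMFS_MAGIC, size, 1, 0)
    img[16:32] = CRAMFS_SIGNATURE
    img[32:48] = struct.pack(endian + "4I", 0, 0, 1, 1)   # crc placeholder
    img[48:64] = b"sample".ljust(16, b"\0")
    crc = zlib.crc32(bytes(img)) & 0xFFFFFFFF
    img[32:36] = struct.pack(endian + "I", crc)
    return bytes(img)


def build_sample_flash(window_base=0x1FC00000):
    """Constructed 8 MB dump: erased flash, cramfs at 0x30000, FIS at 0x7F0000."""
    flash = bytearray(b"\xff") * 0x800000
    fs = build_sample_cramfs()
    flash[0x30000:0x30000 + len(fs)] = fs
    layout = (("RedBoot", 0, 0x30000), ("user_fs", 0x30000, 0x720000),
              ("FIS directory", 0x7F0000, 0xF000))
    for i, (name, base, size) in enumerate(layout):
        slot = bytearray(b"\xff") * FIS_ENTRY_SIZE
        slot[:16] = name.encode().ljust(16, b"\0")
        slot[16:36] = struct.pack(">5I", window_base + base, 0, size, 0, size)
        slot[248:] = b"\0" * 8                 # desc/file checksums unused here
        start = 0x7F0000 + i * FIS_ENTRY_SIZE
        flash[start:start + FIS_ENTRY_SIZE] = slot
    return bytes(flash)


if __name__ == "__main__":
    dump = build_sample_flash()
    result = check_backup(dump, 0x1FC00000)
    print("FIS entries:", result["fis"])
    print("user_fs at 0x%06x, %s-endian cramfs, crc_ok=%s"
          % (result["offset"], result["endian"], result["crc_ok"]))
```

Against a real dump, call check_backup(open("full_backup.bin", "rb").read(), 0x1fc00000); if the flash_base values in your FIS directory turn out to be relative to the other window, pass 0x1e400000 instead. A crc_ok of False on an otherwise plausible FIS listing usually means the redim byte reordering did not match what the debrick utility produced, and the dump should be redone rather than patched.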

Serial port

Inventel DV3210-WS USB to MMJ serial port (pin 1 is marked with a black spot)

Pin-out:

  1  data in (3V)
  2  data out (3V)
  3  button "2" input
  4  button "1" input
  5  +5V
  6  ground

Parameters: 115200 baud, 8 data bits, no parity, 1 stop bit
