Hi,

This is just a small update. After figuring out how to interrupt the booting sequence on the router, I got this nifty prompt:

Code:
NBcf1edfs1Z
PP Boot 9.0.8.7.ALL (6th June 2005)
Copyright (c) 2003 Huawei-3Com, Inc.
SDRAM size = 0x1000000
PLL indicates clock speed set to maximum value of 96MHz
Key pressed, stopping boot.

Entered console ... User request.
]
When the router was about to boot I pressed space. Who would have guessed that the interrupt character was "Space" instead of "Ctrl + C"? Then, the help command revealed all the commands available.

Code:
]help
Commands to the console are:
 configeeprom             display EEPROM configuration information
 configflash              display FLASH configuration information
        copyimages {yes | no}       copy network booted image files
        initialise                  initialise configuration information
        listenv                     list environment variables
        mac <address>               set MAC address
        serialboot yes              boot from EEPROM
        serialboot no               boot from FLASH
        flashnetboot {yes | no}     always network boot from FLASH
        autolanrecover {yes | no}   attempt LAN recovery if FLASH not bootable
        setenv <key> <value>        set environment variable
        unsetenv <key>              unset environment variable
    The following boot modes are supported by serial EEPROM v3.0+ only:
        serialboot {yes | auto}     boot via EEPROM, auto-select Ethernet or USB
        serialboot ethernet         boot via EEPROM from Ethernet only
        serialboot usb              boot via EEPROM from USB only
        serialboot no               boot from FLASH
 dw <address> [<length>]  dump words (hex/ascii)
 enter <address>          enter an image
 erw <wrdaddress>         read a single word from EEPROM
 eww <wrdaddress> <value> write a single word to EEPROM
 fdw <address> [<length>] dump flash words (hex/ascii)
 flash config             print flash configuration
 help                     print this text
 quit                     leave the console
 reset                    reset system
 rw <address>             read a single word
 netboot [recover]        download image using netboot [in recovery mode]
 why                      reason for console entry
 ww <address> <value>     write a single word
]
Some of these commands provide nice information about the router.

Code:
]configflash
Valid configuration information found
MAC: 00:0f:e2:16:12:29
serialboot:     yes / auto
copyimages:     yes
flashfs:        auto
flashnetboot:   no
autolanrecover: yes
]
Code:
]flash config
Flash configuration: 1 chips
Chip 0 compiled size 2048k actual size 2048k on EPB @ 0xcf000000
Chip 0 ID is c249: (MXIC 29LV160ABTC 2048k bytes), unlocked (0)
Flash start offset: 0x00010000
Space for all FLASHFS partitions: 0x001f0000
found partition at 0x001e0000 ... 0x00200000, size 128kbytes
found partition at 0x00010000 ... 0x001e0000, size 1856kbytes
Found 2 valid flashfs partitions
]
To my disappointment there wasn't an xmodem command to send the firmware. It would be nice if I could send it through the serial interface. But then again, there is the netboot command. This command allows the router to boot from Ethernet or USB. Pretty cool. Then, I downloaded Tftpd32 and the original firmware. The following is the DHCP server configuration on Tftpd32.

Code:
IP pool starting address: 192.168.7.1
Size of pool: 1
Mask: 255.255.255.0
Boot file: boot.bin
After renaming the firmware to boot.bin and moving it to the work directory of Tftpd32 I issued the netboot command.

Code:
]netboot
Starting network boot image
n

ar432-2 Network boot v4.03  (FLASH)

Phy reset line on GPIO 0x1a
MAC 00:0f:e2:16:12:29
SDRAM 0x01000000 bytes

(Hold '*' during reset for prompt)

Booting from Ethernet or USB (auto-select)
boot
boot
reply
IP 192.168.7.1
Server 192.168.7.2 ()
Booting 'boot.bin'
................................................................
................................................................
................................................................
......................
Done! (0x001b5a00 bytes)

Starting binary image
And the worst happened: the router got stuck. The firmware that I got from the manufacturer is for updating via the web interface, so I can't get it to work, since it probably has a header and other stuff that aren't needed. The manufacturer will only provide the web interface version (I think, I didn't ask them either), not the binary version. So it's time to do some reversing on it.

Not so different now huh??

Best regards,
saphex

https://www.openrce.org/blog/view/1234/Something_different_part_3,_or_not_quite_different