fvollmer / GS108Tv2-reverse-engineering

MIT License
16 stars 1 forks source link

Netgear GS108Tv2 reverse engineering

Device Details

General Observations:

Regarding Booting OpenWRT:

I created a some hacks and patches that work around the some problems: https://github.com/fvollmer/GS108Tv2-openwrt. This is just a very crude hack and definitly needs a complete rewrite. Nonetheless it allows to boot openwrt without crashing (New boot log). I have yet to see what else is broken. It appears like the network isn't working, which is most likely due to the pci bus not working. There are some more (and better) patches needed for the ssb driver.

ecos

Building the ecos Sources

The stock firmware is based on the gpl licensed ecos operating system. These sources are provided by netgear. After some minor modifications (see commits at the github repository) I was able to build the sources using an old toolchain (recent versions are broken). I updated the build instruction to make building easier.

Reading the SSB Bus Registers from ecos

The device should be correctly initialized if we use the ecos source code. This means we can check if the ssb registers with an ecos applicaton. I build a quick test and compiled it with the example. According to the output the id high and low registers are 0. It looks like there simply isn't an id.

Boot Initialization of the Stock Firmware

One idea for the mentioned SSB bus problem was that maybe there is some initialization wrong. Therefore I took a closer look at the boot an initialization process. This depends on the loaded packages. The configuration file should be mips_raptor_netgear.ecc. The most important packages seem to be HAL_MIPS, HAL_MIPS_BCM47xx and HAL_MIPS_BCM953710.

A rough overview of the boot and initialization process:

Especially interesting appear board_draminit and hal_platform_init. The ecos system appears to allocate the cores staticallly at sb_doattach.

Miscellaneous Stuff:

The Excetion handler

The default exception handler looks like this:

**Exception 32: EPC=8027A97C, Cause=0000001C (BusErrD  )
                RA=8027D8F0, VAddr=00000000

        0  ($00) = 00000000     AT ($01) = 10000000
        v0 ($02) = B8000000     v1 ($03) = 806421E4
        a0 ($04) = 8064223C     a1 ($05) = B8005F18
        a2 ($06) = 00000000     a3 ($07) = 000006E0
        t0 ($08) = 00000000     t1 ($09) = 00000000
        t2 ($10) = 00000007     t3 ($11) = 00000000
        t4 ($12) = 0000002C     t5 ($13) = 804B0000
        t6 ($14) = 00000000     t7 ($15) = 00000000
        s0 ($16) = 8064223C     s1 ($17) = 8064223C
        s2 ($18) = 806421E4     s3 ($19) = 00000006
        s4 ($20) = 00000001     s5 ($21) = 00000001
        s6 ($22) = 8064223C     s7 ($23) = 804785C0
        t8 ($24) = 00000002     t9 ($25) = 00000000
        k0 ($26) = 804A0000     k1 ($27) = 804B0000
        gp ($28) = 804A4000     sp ($29) = 804A5D38
        fp ($30) = 80642218     ra ($31) = 8027D8F0

To better undertand the meaning of the registers please see MIPS calling convention. First four call arguments in $a0-$a3, return argument(s) in $v0-$v1.

EPC is the error programm counter, and RA is the return address. Both can be used with gdb to get information about the crash:

gdb ./build_dir/target-mips_mips32_musl/linux-brcm47xx_generic/vmlinux.debug 
GNU gdb (Ubuntu 8.2.91.20190405-0ubuntu3) 8.2.91.20190405-git
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./build_dir/target-mips_mips32_musl/linux-brcm47xx_generic/vmlinux.debug...
(gdb) list *0x8027A97C
0x8027a97c is in ssb_host_soc_read32 (./arch/mips/include/asm/io.h:434).
429 __BUILD_MEMORY_PFX(, bwlq, type)                    \
430 __BUILD_MEMORY_PFX(__mem_, bwlq, type)                  \
431 
432 BUILDIO_MEM(b, u8)
433 BUILDIO_MEM(w, u16)
434 BUILDIO_MEM(l, u32)
435 BUILDIO_MEM(q, u64)
436 
437 #define __BUILD_IOPORT_PFX(bus, bwlq, type)             \
438     __BUILD_IOPORT_SINGLE(bus, bwlq, type, ,)           \
(gdb) list *0x8027D8F0
0x8027d8f0 is in ssb_sflash_cmd (./include/linux/ssb/ssb.h:599).
594 {
595     dev->ops->write16(dev, offset, value);
596 }
597 static inline void ssb_write32(struct ssb_device *dev, u16 offset, u32 value)
598 {
599     dev->ops->write32(dev, offset, value);
600 }
601 #ifdef CONFIG_SSB_BLOCKIO
602 static inline void ssb_block_read(struct ssb_device *dev, void *buffer,
603                   size_t count, u16 offset, u8 reg_width)
(gdb) 

Related Devices

The GS700TR appears to be especially interesting device. The source code release contains linux sources for the bcm56218. These sources are very similar to the ecos sources and the ssb core mapping appears to be the same. Needs further investigation.

Special Thanks

Thanks for the useful advices at the #openwrt-devel IRC channel. Especially to KanjiMonster who helped me with informations regarding the MIPS architecture and the SSB bus. The GS700TR sources were als discovered by KanjiMonster.

Related Links