Add CM500 profile

Open redawl opened this issue 10 months ago • 3 comments

Hi, I have tested this on my CM500 modem, and am able to dump ram with patched dump.

I think this is ready to be merged, but I will continue hacking on this profile.

My main hurdle right now is the bootloader on the CM500 is missing the 'p' command, so bcm2-utils cannot read the memory map.

Any ideas on how to move forward would be great! I have identified SpiFlashRead and SpiFlashWrite, but am unable to use them so far.

Apr 07 '24 02:04 redawl

> Any ideas on how to move forward would be great! I have identified SpiFlashRead and SpiFlashWrite, but am unable to use them so far.

What flash chip does this modem use? Can you post the full boot log from the serial console?

Apr 10 '24 13:04 jclehner

screenlog.txt bootloader2.txt

Interesting that deviwiki says 3384, while the bootlog shows 3843. Maybe a typo in the firmware? I will fix :)

flashchip is 25Q64FVAIG

Apr 10 '24 13:04 redawl

I have tried dumping the flash chip with bus pirate, but the modem boots when I power VCC, and interferes with read operations. I do not have a soldering kit to try lifting the VCC pin, but when I get one I will try that.

Apr 10 '24 13:04 redawl

Any updates on getting this merged?

In the meantime I have been able to dump the flash chip with my bus pirate. It turned out the bp firmware I had was bad, so an older firmware version allowed dumping the flash.

May 28 '24 18:05 redawl

Sorry, forgot about that. At the minimum, please add a "flash" section under spaces, including a blocksize of 64k.

A partition map, and the .blsig would be nice, but we can add that later. Can you send me a dump of the bootloader? Or upload it to https://github.com/jclehner/bcm2-dumps?

May 29 '24 08:05 jclehner

> screenlog.txt bootloader2.txt
>
> Interesting that deviwiki says 3384, while the bootlog shows 3843. Maybe a typo in the firmware? I will fix :)
>
> flashchip is 25Q64FVAIG

I attached bootloader and boot logs to this message here.

Partition map doesn't work because the bootloader menu does not have a 'p' command to print the partition table. I believe I had the same issue with flash space, but I can retest.

May 29 '24 16:05 redawl

Looks like GitHub nuked the original file, I will upload to bcm2-dumps.

May 29 '24 16:05 redawl

PR with flash dump and bootloader dump from cm500: https://github.com/jclehner/bcm2-dumps/pull/4

May 29 '24 16:05 redawl

Please add a .blsig of 0x3384, and the partition layout I've posted in your PR in bcm2-dumps.

Then it's ready to be merged.

May 31 '24 10:05 jclehner

Added flash partition map and .blsig, sorry for the delay.

Dumping via flash does not work however, since there is no 'p' command as discussed above in my first comment.

Let me know what else is needed for this to get merged

Jun 28 '24 16:06 redawl

Merged, thanks.

> Dumping via flash does not work however, since there is no 'p' command as discussed above in my first comment.

That command is only required to get an idea of the partition layout, but we've figured that out already.

Dumping flash from the bootloader requires identification of the bootloader's printf function, plus a function that reads from flash into a specified buffer. See this example.

A tutorial can be found here.

Jun 30 '24 11:06 jclehner