WGR826V - Alternate Firmware

The goal of this blog is to help me with the documentation of progress on my quest to install an alternate firmware on the now discontinued Netgear WGR826V.

Tuesday, March 11, 2008

More backups!!

I had doubts of the integrity of the backups so I decided to re-do them based on the output of fis list. With this I may be able to restore the data in case I would like to revert to the original firmware.



RedBoot> fis list -c                                                          
Name              FLASH addr  Checksum    Length      Entry point             
RedBoot           0x50000000  0x00000000  0x00040000  0x00000000              
RedBoot config    0x50FC0000  0x00000000  0x00001000  0x00000000              
FIS directory     0x50FE0000  0x00000000  0x00020000  0x00000000              
appimg1           0x50040000  0x74FB22F9  0x00760000  0x00000000              
appimg2           0x507A0000  0x74FB22F9  0x00760000  0x00000000              
igwmisc           0x50F00000  0x6BA0CE01  0x00020000  0x00000000              
dhcpdl            0x50F20000  0x6BA0CE01  0x00020000  0x00000000              
igwpri            0x50F40000  0x6BA0CE01  0x00020000  0x00000000              
igwsec            0x50F60000  0x6BA0CE01  0x00020000  0x00000000              
prvcacfg          0x50F80000  0x6BA0CE01  0x00020000  0x00000000              
prvauth           0x50FA0000  0x6BA0CE01  0x00020000  0x00000000              
RedBoot>

jtag> readmem 0x50000000 0x00040000 RedBoot
address: 0x50000000
length:  0x00040000
reading:
addr: 0x50040000
Done.
jtag> readmem 0x50FC0000 0x00001000 RedBoot_config
address: 0x50FC0000
length:  0x00001000
reading:
addr: 0x50FC1000
Done.
jtag> readmem 0x50FE0000 0x00020000 FIS_directory
address: 0x50FE0000
length:  0x00020000
reading:
addr: 0x51000000
Done.
jtag> readmem 0x50F00000 0x00020000 igwmisc
address: 0x50F00000
length:  0x00020000
reading:
addr: 0x50F20000
Done.
jtag> readmem 0x50F20000 0x00020000 dhcpdl
address: 0x50F20000
length:  0x00020000
reading:
addr: 0x50F40000
Done.
jtag> readmem 0x50F40000 0x00020000 igwpri
address: 0x50F40000
length:  0x00020000
reading:
addr: 0x50F60000
Done.
jtag> readmem 0x50F60000 0x00020000 igwsec
address: 0x50F60000
length:  0x00020000
reading:
addr: 0x50F80000
Done.
jtag> readmem 0x50F80000 0x00020000 prvcacfg
address: 0x50F80000
length:  0x00020000
reading:
addr: 0x50FA0000
Done.
jtag> readmem 0x50FA0000 0x00020000 prvauth
address: 0x50FA0000
length:  0x00020000
reading:
addr: 0x50FC0000
Done.
jtag> readmem 0x50040000 0x00760000 appimg1
address: 0x50040000
length:  0x00760000
reading:
addr: 0x507A0000
Done.
jtag> readmem  0x507A0000  0x00760000 appimg2
address: 0x507A0000
length:  0x00760000
reading:
addr: 0x50F00000
Done.
jtag>
I made them in Big Endian and Little Endian.
Posted by at
Labels: , , , , ,

1 comment:

Anonymous said...

You should be able to load the flash sections into memory using RedBoot commands, such as:

> fis load appimg2

(it looks like it is configured to load into RAM at 0x1600000.) Then to output the data over the serial console:

> x -b 0x1600000 -l 0x760000

This will give a hex dump which can be reassembled into a binary file with a simple perl script.

March 14, 2008 at 4:25 AM

Post a Comment

Subscribe to: Post Comments (Atom)

Archive