Livebox (Inventel DV4210) Writing to Flash


There are two main options for writing to the flash: using the RedBoot commands or using the Linux commands. There is a third option, JTAG, but it takes hours to write an image. I would only ever use that method to recover RedBoot on a bricked Livebox and then use RedBoot to flash the images.

RedBoot Commands

Using the RedBoot commands requires that you have a copy of RedBoot installed on the Livebox that allows you to break into the boot process. The earlier versions would allow you to break into the boot process by typing Ctrl-C during the initial loading of RedBoot. Later versions removed this. Also, the latest versions used in the Livebox now run a checksum on the root filesystem and refuse to complete the boot if the checksum is wrong.

Unfortunately, none of the older versions understand the squashfs filesystem used by the latest firmwares. This makes things difficult but not impossible. If you have a local PC that you can use as a TFTP server and have installed a JTAG connection on the Livebox, you can use JTAG or the Linux commands to flash an old version of RedBoot to the Livebox, one that you can break into via the serial port with Ctrl-C. You can then flash the image you want and finally use TFTP to load the kernel to the Livebox for booting. This is the method that I currently use on my Livebox. The following assumes that the IP address of the TFTP server is 10.7.58.114 (the default for Livebox RedBoot tftp).

  • You can use the Linux commands to flash a copy of RedBoot, but you cannot use RedBoot to flash a copy of RedBoot (I tried), as it overwrites itself and creates a brick! The only recovery from this, as I found out, is via JTAG.

To use the RedBoot commands you need to do the following:

  • Copy the file to be flashed to the TFTP server's default tftp directory. Ensure the file is readable by all.
  • Via the serial port, halt the RedBoot startup by hitting Ctrl-C immediately after powering up the Livebox.
  • From the RedBoot command line, type:

    load -r -v -h 10.7.58.114 -m tftp -b 0x80800000 file_to_flash

  • You now need to write the image to the flash. Its location depends on which image you are flashing, similar to using the Linux commands.
  • For CRAMFS, the partitions are laid out like this:

    Name            FLASH addr  Mem addr    Length      Entry point
    RedBoot         0xBE400000  0xBE400000  0x00030000  0x00000000
    user_fs         0xBE430000  0xBE430000  0x00720000  0x80800000
    jffs_system     0xBEB50000  0xBEB50000  0x000A0000  0x80800000
    FIS directory   0xBEBF0000  0xBEBF0000  0x0000F000  0x00000000
    RedBoot config  0xBEBFF000  0xBEBFF000  0x00001000  0x00000000

  • For SQUASHFS, the partitions are laid out like this:

    Name            FLASH addr  Mem addr    Length      Entry point
    RedBoot         0xBE400000  0xBE400000  0x00030000  0x00000000
    user_fs         0xBE430000  0xBE430000  0x00390000  0x80800000
    user_2_fs       0xBE7C0000  0xBE7C0000  0x00390000  0x80800000
    jffs_system     0xBEB50000  0xBEB50000  0x000A0000  0x80800000
    FIS directory   0xBEBF0000  0xBEBF0000  0x0000F000  0x00000000
    RedBoot config  0xBEBFF000  0xBEBFF000  0x00001000  0x00000000

  • So, to write the user_2_fs on a SQUASHFS firmware, the command is:

    fis create -b 0x80800000 -l 0x00390000 -f 0xBE7C0000 user_2_fs

  • If you have changed a SQUASHFS image, you need to boot the Linux kernel over tftp. First load it:

    load -r -v -h 10.7.58.114 -m tftp -b 0x80010000 Image

  • where Image is the Linux kernel to boot, and then run the following to boot the kernel:

    exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000

On my system, I modified the boot_script to do the load and exec on every boot. This can be done by entering the following at the RedBoot prompt:

    fconfig boot_script true
    fconfig boot_script_timeout 20
    fconfig boot_script_data

Now enter the following two lines, followed by a blank line:

    load -r -v -h 10.7.58.114 -m tftp -b 0x80010000 Image
    exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000

The Livebox will now boot automatically via tftp every time it is reset.

Linux Commands

Using the Linux commands requires you to have access to the command line on the Livebox. Unfortunately, unless you have already hacked the Livebox, I am not sure how you would get to a command prompt on the latest versions of firmware. This is something I need to investigate again. On versions of firmware earlier than v5.05.1-uk you can get to a command line by changing the Broadband Username to

    ;echo root::0:0:root:/root:/bin/sh >/etc/passwd

and clicking submit, then rebooting the Livebox. This removes the root password, so when you log in at the serial port with username root and hit enter you get a command prompt. If you don't have a serial port cable, you can get access via telnet on firmware versions earlier than v5.05.1-uk by following this. If you can get to a command prompt, you can use the fcp command to write to the flash in the following manner.
  • From the command line, type:

    /etc/init.d/ramdisk start 16
    cd /mnt/ramdisk/rd1

  • Then copy the image from a local server with:

    wget http://url_to_get/to/filename

  • Write it to the flash with:

    fcp -v imagename /dev/mtdX

  • where imagename is the name of the file to use and, for CRAMFS, X is:

    0 for RedBoot
    1 for CRAMFS image (user_fs)
    2 for jffs_system (r/w /etc directory)
    3 for FIS directory
    4 for RedBoot config

  • but for SQUASHFS, X is:

    0 for RedBoot
    1 for SQUASHFS image (user_fs)
    2 for SQUASHFS image (user_2_fs)
    3 for jffs_system (r/w /etc directory)
    4 for FIS directory
    5 for RedBoot config

  • Once the flash copy has completed you will need to manually reboot the Livebox, and it should then boot using the new image.
  • Please note that on the SQUASHFS filesystems, there is a check in /etc/init.d/normal_boot called flash_verify that checks whether the checksum of the user_2_fs is correct (i.e. whether you have changed it). The version of RedBoot that comes with the later firmwares checks the user_fs in the same way and refuses to boot if it has been altered. This means that we cannot change any of the filesystems if we want to use the later RedBoot; otherwise we need to use an old version of RedBoot and tftp to boot with modified filesystems.


    AndyP
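
Added example (not part of the original page): a host-side Python check to run before either flashing method above. It parses the SQUASHFS partition table listed on this page, confirms the partitions are contiguous, verifies that an image fits its target partition, and derives the matching fis create and /dev/mtdX commands. The function names are hypothetical; the table rows, load address and command forms are taken from the page.

```python
import re

# `fis list` rows for the SQUASHFS layout, copied from the page:
# name, flash address, memory address, length, entry point.
FIS_SQUASHFS = """\
RedBoot        0xBE400000 0xBE400000 0x00030000 0x00000000
user_fs        0xBE430000 0xBE430000 0x00390000 0x80800000
user_2_fs      0xBE7C0000 0xBE7C0000 0x00390000 0x80800000
jffs_system    0xBEB50000 0xBEB50000 0x000A0000 0x80800000
FIS directory  0xBEBF0000 0xBEBF0000 0x0000F000 0x00000000
RedBoot config 0xBEBFF000 0xBEBFF000 0x00001000 0x00000000
"""
HEX = r"(0x[0-9A-Fa-f]{8})"
ROW = re.compile(rf"^(.+?)\s+{HEX}\s+{HEX}\s+{HEX}\s+{HEX}$")
LOAD_ADDR = 0x80800000  # RAM buffer from the page's `load -b` command


def parse_fis(text):
    """Return [(name, flash_addr, length)] in table order."""
    parts = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable fis row: {line!r}")
        parts.append((m[1], int(m[2], 16), int(m[4], 16)))
    return parts


def check_contiguous(parts):
    """Every partition must start exactly where the previous one ends."""
    for (n1, a1, l1), (n2, a2, _) in zip(parts, parts[1:]):
        if a1 + l1 != a2:
            raise ValueError(f"{n1} ends at {a1 + l1:#x}, {n2} starts at {a2:#x}")
    return True


def plan_flash(parts, target, image_size):
    """Return the fcp and fis commands for one partition, or raise."""
    index = [name for name, _, _ in parts].index(target)  # ValueError if unknown
    _, addr, length = parts[index]
    if not 0 < image_size <= length:
        raise ValueError(f"{image_size:#x} bytes does not fit {target} ({length:#x})")
    fis = f"fis create -b 0x{LOAD_ADDR:08X} -l 0x{length:08X} -f 0x{addr:08X} {target}"
    if target == "RedBoot":
        fis = None  # the page reports that RedBoot reflashing itself bricks the box
    # Row order matches the /dev/mtdX numbering listed on the page.
    return {"fcp": f"fcp -v imagename /dev/mtd{index}", "fis": fis}
```

Pass the real image size (for example from os.path.getsize) as image_size; an oversized image raises before any command is produced.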