Strona EDIMAX'ów (my Edimaxes page):



Hardware story

Software "roadmap":

Disassembling EDIMAX-supplied firmware (BR-6204Wg):

Versions:
V1.37 (WARNING: It's in Chinese!)
V1.48
Download source:
V1.37: http://www.edimax.com.tw/download/firmware/BR6204Wg_V1.37C.zip (1.8MB)
V1.48: http://www.edimax.com.tw/download/firmware/BR-6204Wg_V148.zip (1.4MB)
Local copy:
V1.37: EdiTChBR6204Wg_1.37.bin
V1.48: EdiEngBR6204Wg_1.48.bin
Disassembly steps (V1.37):
1). unzip file into: EdiTchBR6204Wg_1.37.bin

2). dd if=EdiTchBR6204Wg_1.37.bin of=edi1.bz2 bs=38932 skip=1

3). bunzip2 edi1.bz2

4). dd if=edi1 of=edi1.ext2 bs=1892352 skip=1

5). mount -o loop edi1.ext2 /mnt/disk (point to your local mount point)

Disassembly steps (V1.48):
1). unzip file into: EdiEngBR6204Wg_1.48.bin

2). dd if=EdiEngBR6204Wg_1.48.bin of=edi1.lzma bs=34836 skip=1

3). lzma d edi1.lzma edi1.out

4). dd if=edi1.out of=edi1.ext2 bs=2162688 skip=1

5). mount -o loop edi1.ext2 /mnt/disk (point to your local mount point).
Remarks (V1.37):
ad2). How the first BS (dd block size) was found: a bzip2 image has the signature "BZh91".

ad4). Same as for V1.48.

ad5). Same as for V1.48.

Remarks (V1.48):
ad2). How the first BS (dd block size) was found: the lzma image seems to have the signature 0x5D, 0x00, 0x00, 0x80.

ad3). LZMA v 4.06. Found on the OpenWRT site.

ad4). How the second BS was found: search the image for the "AAAAAA" chain, scan forward to the nearby 0x00, 0x05, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00 signature, then go 0x400 bytes backward. (Method provided by EDMIAN).

ad5). Voila ;) you have the root filesystem mounted on your PC.
Now that we have the root filesystem on our hdd, we need to copy (to some directory for later use) the shell scripts (/bin/*.sh), web pages (/web/*, /web/file/*), config (/etc/*) and, for the moment, at least 2 utilities: /bin/flash and the /bin/webs webserver. Why? Because the EDIMAX-supplied toolchain for the BR-6204Wg does NOT contain the above. Moreover, the expanded image DOES NOT contain several (16) links to /bin/busybox (like sh, sleep, ps, rm, etc.). BE EXTREMELY CAUTIOUS: ONE MISSING FILE/LINK MAY TURN YOUR ROUTER INTO A BRICK.

Bootloader work ;)
IPCONFIG xxx.xxx.xxx.xxx

tftp (on PC), to xxx.xxx.xxx.xxx, mode binary (!), put filename (with image).


Second published trial of "regenerating" flash utility (making it Open Source).
Source tarballs for flash / webs utilities (as taken from BR-6104K), thanks to Sergio & Edmian.
And finally my private roadmap with Edimax'es.
First published version of Polish firmware.


Disassembling EDIMAX-supplied firmware (BR-6304Wg):

V1.91
Download source:
http://www.edimax.com.tw/download/firmware/BR-6304Wg_V191.zip
Local copy:
EdiEngBR6304WG_1.91.bin
Disassembly steps:
1). unzip file into: EdiEngBR6304Wg_1.91.bin

2). dd if=EdiEngBR6304Wg_1.91.bin of=edi1.bz2 bs=38932 skip=1

3). bunzip2 edi1.bz2

4). dd if=edi1 of=edi1.sqfs bs=2142208 skip=1

5). unsquashfs edi1.sqfs
Remarks:
ad2). How the first BS (dd block size) was found: a bzip2 image has the signature "BZh91".

ad4). How the second BS was found: search the image for the "AAAAAA" chain, then scan forward to the 'sqsh' signature.

ad5). SquashFS tools can be found at http://squashfs.sourceforge.net/.
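
The offset hunting described in the remarks for both routers, as an added example (not code from the original page or from EDMIAN): it scans an image for the "BZh91" and 0x5D, 0x00, 0x00, 0x80 signatures, keeps the first hit that really decompresses, then applies the "AAAAAA" / 'sqsh' / ext2-signature rule to the unpacked data. All function and constant names are assumptions of this example, and it assumes the LZMA stream uses the classic .lzma header that Python's lzma.FORMAT_ALONE reads.

```python
import bz2
import lzma

# Signatures quoted in the remarks on this page.
BZIP2_SIG = b"BZh91"
LZMA_SIG = bytes([0x5D, 0x00, 0x00, 0x80])
SQUASHFS_SIG = b"sqsh"
EXT2_SB_SIG = bytes([0x00, 0x05, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00])
FILLER = b"AAAAAA"
STAGE1 = {  # signature and decompressor per format (names are assumptions)
    "bzip2": (BZIP2_SIG, bz2.BZ2Decompressor),
    "lzma": (LZMA_SIG, lambda: lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)),
}


def _offsets(data, sig):  # yield every offset at which sig occurs in data
    pos = data.find(sig)
    while pos >= 0:
        yield pos
        pos = data.find(sig, pos + 1)


def unpack_stage1(image):
    """Return (kind, offset, payload) for the first signature hit that really
    decompresses; short signatures also match by chance, so each is tested."""
    hits = sorted((off, kind) for kind, (sig, _) in STAGE1.items()
                  for off in _offsets(image, sig))
    for off, kind in hits:
        try:
            payload = STAGE1[kind][1]().decompress(image[off:])
        except (OSError, lzma.LZMAError):
            continue  # false positive, try the next candidate
        if payload:
            return kind, off, payload
    return None


def find_rootfs(payload):
    """Return (fstype, offset) of the filesystem found after the 'AAAAAA' run."""
    start = payload.find(FILLER)
    if start < 0:
        return None
    found = []
    sqsh = payload.find(SQUASHFS_SIG, start)
    if sqsh >= 0:
        found.append((sqsh, "squashfs"))
    sb = payload.find(EXT2_SB_SIG, start)
    if sb >= 0x400:
        found.append((sb - 0x400, "ext2"))  # 0x400 bytes back, per remark ad4
    return min(found)[::-1] if found else None
```

The two offsets returned are the values used as bs= in steps 2 and 4 of the disassembly steps.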


Great help in disassembling was provided by EDMIAN from the rtl8186.sourceforge.net forum.

Last updated : 2007.04.17.