Wawrzyniec Piotrzkowski - strona EDIMAX'a BR-6204Wg i innych

Strona EDIMAX'ów (my Edimaxes page):

Software "roadmap":

Disassembling EDIMAX-supplied firmware (BR-6204Wg):
	V1.37 WARNING: It's in Chinese!	V1.48
Download source:	http://www.edimax.com.tw/download/firmware/BR6204Wg_V1.37C.zip (1.8MB)	http://www.edimax.com.tw/download/firmware/BR-6204Wg_V148.zip (1.4MB)
Local copy:	EdiTChBR6204Wg_1.37.bin	EdiEngBR6204Wg_1.48.bin
Disassembly steps:	1). unzip file into: EdiTchBR6204Wg_1.37.bin 2). dd if=EdiTchBR6204Wg_1.37.bin of=edi1.bz2 bs=38932 skip=1 3). bunzip2 edi1.bz2 4). dd if=edi1 of=edi1.ext2 bs=1892352 skip=1 5). mount -o loop edi1.ext2 /mnt/disk (point to your local mount point)	1). unzip file into: EdiEngBR6204Wg_1.48.bin 2). dd if=EdiEngBR6204Wg_1.48.bin of=edi1.lzma bs=34836 skip=1 3). lzma d edi1.lzma edi1.out 4). dd if=edi1.out of=edi1.ext2 bs=2162688 skip=1 5). mount -o loop edi1.ext2 /mnt/disk (point to your local mount point).
Remarks:	ad2). How the first BS was found: bzip2 image have signature "BZh91" ad4). same as right side. ad5). same.	ad2). How the first BS was found: lzma image seems to have signature 0x5D, 0x00, 0x00, 0x80. ad3). LZMA v 4.06. Have found this on OpenWRT site. ad4). How the second BS was found: look into image for "AAAAAA" chain, scan forward to nearby 0x00, 0x05, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00 signature, then 0x400 bytes backward. (Method provided by EDMIAN). ad5). Voila ;) you have root filesystem mounted on your PC.
Now we have root filesystem on our hdd, we need to copy (to some directory for later use) the shell scripts (/bin/.sh), web pages (/web/, /web/file/), config (/etc/) and for the moment at least 2 utilities: /bin/flash, and /bin/webs webserver. Why? Because EDIMAX-supplied toolchain for BR-6204Wg does NOT contain above. Moreover, expanded image DOES NOT contain several (16) links to /bin/busybox (like sh, sleep, ps, rm, etc) BE EXTREMLY CAUTIOUS, LACKING ONE FILE/link MAY RENDER YOUR ROUTER TO A BRICK.

Bootloader work ;)
IPCONFIG xxx.xxx.xxx.xxx

tftp (on PC), to xxx.xxx.xxx.xxx, mode binary (!), put filename (with image).

Second published trial of "regenerating" flash utility (making it Open Source).
Source tarballs for flash / webs utilities (as taken from BR-6104K), thanks to Sergio & Edmian.
And finally my private roadmap with Edimax'es.
First published version of Polish firmware.

Disassembling EDIMAX-supplied firmware (BR-6304Wg):
	V1.91
Download source:	http://www.edimax.com.tw/download/firmware/BR-6304Wg_V191.zip
Local copy:	EdiEngBR6304WG_1.91.bin
Disassembly steps:	1). unzip file into: EdiEngBR6304Wg_1.91.bin 2). dd if=EdiEngBR6304Wg_1.91.bin of=edi1.bz2 bs=38932 skip=1 3). bunzip2 edi1.bz2 4). dd if=edi1 of=edi1.sqfs bs=2142208 skip=1 5). unsquashfs edi1.sqfs
Remarks:	ad2). How the first BS was found: bzip2 image have signature "BZh91" ad4). How the second BS was found: look into image for "AAAAAA" chain, scan forward to 'sqsh' signature. ad5). SquashFS tools found at http://squashfs.sourceforge.net/.

Great help in disassembling provided by EDMIAN from rtł8186.sourceforge.net forum.

Last updated : 2007.04.17.