[OpenWrt-Devel] [PATCH] lantiq: vr9-vdsl-fw: update w921v firmware version

Daniel Golle daniel at makrotopia.org
Tue Mar 3 08:33:03 EST 2015

Hi John,

On Mon, Mar 02, 2015 at 08:29:45PM +0100, John Crispin wrote:
> i tried this before and it did not work

I must admit that I didn't see that <magic>...</magic> in the
code of the extractor... (though this seems to be fine, changing
MAGIC or MAGIC_SZ results in LZMA decompression errors which do not
occur with the current values).

It seems like the vdsl rom extracted from the new w901v firmware binary
is shifted by 24 bytes and kinda got a lot of 'T' (0x54) characters
scattered all over the header which do not occur in the working vdsl
firmware rom I got (from bt).
Thus I tried to stick the header (up to 0x90) of my existing rom onto
the body (starting from 0xA8) of the newly extracted rom, resulting in
something very much resembling the old rom. diff'ing the hexdumps shows
that whole sections are now identical and at identical offsets --
however, it doesn't work (VDSL line remains in state 0xff Idle request)

TAPI seems fine though and identical to the previous release, the MD5
matches. Given that the TAPI binary is much harder to find elsewhere,
I reckon we could use at least that (if it actually happens to be
identical for all boards/slics/codecs).

My feeling is that the extractor works fine, but the vdsl firmware
header was changed a bit and maybe some more obfuscation was added to
the existing magic. It can't be too crazy though, as large cunks of the
rom remained identical, thus I suspect only the header and/or checksums
being obfuscated and that shouldn't be diffcult to figure out...
I'll meditate a bit more over it and will let you know what I'm finding.

More eyepairs could also help finding the needle in that haystack...


openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list