Flash image with firmware version 2.12a flash.bin
Upgradable portion of the flash created by downloading (via WEB of TFTP) of 7004VWBR_FWv121a.zip
| Area | Start Address | Size | Link |
| Boot | 0x00000000 | 128K | BOOT |
| Configuration | 0x00020000 | 64K | CONF |
| Web Image | 0x00030000 | 192K | FileSystem |
| Code Image | 0x00060000 | 576K | CODE |
| Params Area | 0x000F0000 | 64K | PARAM |
Largely based on Petr Novak analisis of SMC7004ABR
The format of the flash areas is the following:
The web and firmware areas are zipped (PKZIP, Infozip etc), 1 file per archive. The other areas are raw data. At the end of each flash area, there is a checksum and signature - in the last 3 dwords in little endian.
For the area 2 (Filesystem), imagine the following: entire ZIP file, followed by signature (see below), then bytes 0xFF until x.FFF4. Then (at x.FFF4) dword (size of ZIP plus signature's length), then magic dword (0x12345678), finishing with CRC32 dword (of ZIP file and not of zip file contents! + signature bytes).
Area 3 (CODE) is a bit different: entire ZIP file, then bytes 0xff until x.FFF4. Then (at x.FFF4) dword containing the size of the valid data (this is the size of the zip file, for instance), the next dword is a signature of 0x12345678 (again) and the last dword is the CRC32 of the valid bytes (that is of the whole compressed archive in case of ZIP file, not the content of the ZIPped data).
The CRC32 is identical to that used by ZIP and can be extracted from gzip/gunzip or infozip sources (they are not copyrighted).
Finally, the signature (again), making a total of 786.442 bytes.
So, the firmware download file (xxxx.bin) is constructed as follows:
unsigned char signature[] = { 'B', 'R', 'N', 'A', 'W', 0, 0, 0, 0, 0, };
This generated file will be happily installed and run on the router. Here is the modified mkfirm utility to make a firmware image from 2 ZIP files, stuffing the 0xFFs and computing the CRC32 sums and the other small details -- based on Petr Novak's version for SMC7004ABR.
Usage: mkfirm pfs.zip soho.zip > newfirm.bin
It is good to notice that zip -9 and zip -9k to compress soho.bin will cause area 3 not to be loaded correctly and unit to HANG. It appears that pfs.img can be zipped with any of -9 or -9k without problems. Better to use zip pfs pfs.img and zip soho soho.bin (without compression parameters) on both files to avoid problems!
It appears the internal names are checked on SMC7004VWBR. Better mantain the standard! (pfs.img for ramdisk and soho.bin for kernel)
Regular boot sequence Booting1.txt
(see another example at Booting2.txt)
Normal boot sequence may be interrupted by key press:
===========================================================
LAN Router BRN Loader V1.06 build Jun 04 2002 16:57:22
Broad Net Technology, INC.
===========================================================
INTEL TE28F800B3-B bottom boot 16-bit mode found
Copying boot params.....DONE
Press any key to enter command mode ...
[BRN Boot]:h (Press ! for supervisor mode)
======================
[U] Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[S] Serial Test
[I] Parallel Test
[P] Print Boot Params
======================
Additional BootLoader commands - not yet fully tested
R - DUMPS MEMORY CONTENTS
a - arp table
c - wireless on/off
b - routing table
k -
g - dns debug
y - autoscan
r - reset
i - store configuration
Encoding: little
Execution sequence:
we'll use a original flash addresses for simplicity (shift - 0x6800)
Here are some comments on the SMC bootloader as found on your project page: there is one more undocumented bootloader command - R - it dumps memory. The logic is as follows: 1. the chip is initialized (Flash and SDRAM controller, disables Ethernet switch...) 2. the first 64K of flash is copied to SDRAM 3. SDRAM is remapped to 0, flash to 0x2000000, the system now runs from RAM 4. the bootloader is copied from 0x800 to 0x7000 and executed from 0x7000 The actual bootloader: 5. sets UART0 to 115200, 8n1 (the load/add you have in your comments is 115200 decimal) 6. checks and prints flash chip type 7. checks for char from console, if so, enters command mode 8. checks for valid PKZIP files in flash banks #2 and #3, if valid, decompresses them (#2 - disk to 0x7600000, #3 - software to 0x400000) and runs it from 0x400000. 9. if the #2 and #3 flash banks are not OK (check includes signature and CRC), loads PKZIPed mini-images included in Bootloader at 0x1e800 (PFS.IMG) and 0x8000 (SOHO.BIN) to the same addresses as above (PFS to 0x7600000 and code to 0x400000) and then runs the mini-firmware from 0x400000. The upload protocol is XMODEM with CRC16. The commands you mention as additional BOOT commands are only valid once the main firmware is executed, the BOOT does not know any other commands. The command letters are case insensitive in BOOT. There are no exception vectors, all interrupts are turned off in the bootloader. Resume: 0x0000.0000 = SDRAM start 0x0004.0000 = 256KB 0x0076.0000 = 7.552KB 0x0080.0000 = 8MB (8192KB) -- End of RAM 0x0100.0000 = 16MB boundary 0x2000.0000 = 512MB -- flash start The images are in flash and are decompressed to RAM to the addresses 0x76.0000 and 0x4.0000.