The C Shore
Daniel Dickinson's Website

BCM63xx Imagetag for OpenWRT

Information for the image tag formats for Broadcom 63xx known to OpenWRT.

Image tag generator for Broadcom bcm63xx chipset routers.

Allows one to take a stock rootfs+kernel image and create a firmware image that can be flashed onto the device (via the CFE using tftp, via JTAG, or via the stock firmware's web or tftp interfaces).

Requires:

  • The rootfs+kernel image to include (e.g. KERNE64k.BIN from HairyDairyMaid’s Debrick, or by doing dd if=/dev/mtdX of=rootfs+kernel.bin) in big-endian format.
  • The board ID (e.g. 96345GW-10)
  • The Chip ID (e.g. 6345)
  • Address where the kernel expects to be loaded (default is 0x80010000)
  • Address of the kernel entry point (after loading into RAM)
  • Size of the kernel in bytes
  • Offset of the kernel (from beginning of flash)

To obtain this information, record the bootlogs while the firmware for which a tag will be created is still in the flash. This means obtaining the information before flashing with OpenWRT (unless you have a copy of the firmware to put back on later, but then you probably don’t need this utility). It also means you will require a serial console. If there is no serial console connector on your router (and you don’t know how to add one), or you don’t know how to make the appropriate serial cable, it is recommended that you not use OpenWRT on a bcm63xx chipset router at this time (2009-02-20), as it is in early development.

The relevant information in the stock firmware bootlog is:

Code Address: 0x80010000, Entry Address: 0x8001046c
Decompression OK!
Entry at 0x8001046c
Closing network.
Starting program at 0x8001046c

This is the first thing you will see after the CFE messages.

The relevant information in the OpenWRT bootlog is:

 bcm963xx_flash: Partition 0 is CFE offset 0 and length 10000
 bcm963xx_flash: Partition 1 is kernel offset 22f100 and length 656d3
 bcm963xx_flash: Partition 2 is rootfs offset 10100 and length 35f000
 bcm963xx_flash: Partition 3 is nvram offset 3f0000 and length 10000
 Creating 4 MTD partitions on "bcm963xx":
 0x00000000-0x00010000 : "CFE"
 0x0022f100-0x002947d3 : "kernel"
 mtd: partition "kernel" doesn't start on an erase block boundary -- force read-only
 0x00010100-0x0036f100 : "rootfs"
 mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
 mtd: partition "rootfs" set to be root filesystem
 split_squashfs: no squashfs found in "bcm963xx"
 0x003f0000-0x00400000 : "nvram"

From these messages we can see that, for the firmware used in this example, the kernel load address is 0x80010000, the kernel entry point is 0x8001046c, the size of the kernel is 0x656d3 bytes (the length of the “kernel” flash partition), and the kernel is at offset 0x22f100. The board ID should be available in the CFE, or from the hardware information on the OpenWRT wiki.

Download: imagetag-rootfs+kernel-0.2.0.tar.gz


BCM63xx Firmware Image Analyzer

The following code can be compiled on Linux (and possibly BSD and Mac) with gcc -o analyzetag analyzetag.c to create a program called analyzetag that can be used to find information about the specified imagetag file.

The full command information is:

analyzetag -i <inputfile> -t <tagid> [-s <flashstart>] [-n <fwoffset>]

 -i <inputfile>     Name of firmware image file
 -t <tagid>         Tag id type to use (use -t list to see available choices)
 -s <flashstart>    Address of the start of the firmware image
 -n <fwoffset>      Offset of the firmware from flashstart

Download the code: analyzetag.c (24.87 KiB)


Information about the Broadcom 63xx imagetag format

There are different versions of the imagetag, depending on the version of the Broadcom code the imagetag was written for. This information is for the OpenWRT versions of the tags used for each version.

Broadcom Generic CFE

unsigned char tagVersion[TAGVER_LEN];           // 0-3: Version of the image tag
unsigned char sig_1[20];                        // 4-23: Company Line 1
unsigned char sig_2[14];                        // 24-37: Company Line 2
unsigned char chipid[6];                        // 38-43: Chip this image is for
unsigned char boardid[16];                      // 44-59: Board name
unsigned char big_endian[2];                    // 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN];           // 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN];          // 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN];             // 84-93: Size of CFE
unsigned char rootAddress[ADDRESS_LEN];         // 94-105: Address in memory of rootfs
unsigned char rootLength[IMAGE_LEN];            // 106-115: Size of rootfs
unsigned char kernelAddress[ADDRESS_LEN];       // 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN];          // 128-137: Size of kernel
unsigned char dualImage[2];                     // 138-139: Unused at present
unsigned char inactiveFlag[2];                  // 140-141: Unused at present
unsigned char information1[TAGINFO_LEN];        // 142-161: Unused at present
unsigned char tagId[TAGID_LEN];                 // 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4];                      // 168-171: CRC32 of tagId
unsigned char reserved1[44];                    // 172-215: Reserved area not in use
unsigned char imageCRC[4];                      // 216-219: CRC32 of images
unsigned char reserved2[16];                    // 220-235: Unused at present
unsigned char headerCRC[4];                     // 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16];                    // 240-255: Unused at present

Broadcom Code Version 2.2x

unsigned char tagVersion[TAGVER_LEN];           // 0-3: Version of the image tag
unsigned char sig_1[20];                        // 4-23: Company Line 1
unsigned char sig_2[14];                        // 24-37: Company Line 2
unsigned char chipid[6];                        // 38-43: Chip this image is for
unsigned char boardid[16];                      // 44-59: Board name
unsigned char big_endian[2];                    // 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN];           // 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN];          // 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN];             // 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN];     // 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN];       // 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN];       // 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN];          // 128-137: Size of kernel
unsigned char dualImage[2];                     // 138-139: Unused at present
unsigned char inactiveFlag[2];                  // 140-141: Unused at present
unsigned char rsa_signature[TAGINFO_LEN];       // 142-161: RSA Signature (unused at present; some vendors may use this)
unsigned char reserved5[2];                     // 162-163: Unused at present
unsigned char tagId[TAGID_LEN];                 // 164-169: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char rootAddress[ADDRESS_LEN];         // 170-181: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN];            // 182-191: Size of rootfs partition
unsigned char flashLayoutVer[4];                // 192-195: Version flash layout
unsigned char kernelCRC[4];                     // 196-199: Guessed to be kernel CRC
unsigned char reserved4[16];                    // 200-215: Reserved area; unused at present
unsigned char imageCRC[4];                      // 216-219: CRC32 of images
unsigned char reserved2[12];                    // 220-231: Unused at present
unsigned char tagIdCRC[4];                      // 232-235: CRC32 to ensure validity of tagId
unsigned char headerCRC[4];                     // 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16];                    // 240-255: Unused at present

Broadcom Code Version 3.00 - 3.08

unsigned char tagVersion[TAGVER_LEN];           // 0-3: Version of the image tag
unsigned char sig_1[20];                        // 4-23: Company Line 1
unsigned char sig_2[14];                        // 24-37: Company Line 2
unsigned char chipid[6];                        // 38-43: Chip this image is for
unsigned char boardid[16];                      // 44-59: Board name
unsigned char big_endian[2];                    // 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN];           // 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN];          // 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN];             // 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN];     // 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN];       // 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN];       // 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN];          // 128-137: Size of kernel
unsigned char dualImage[2];                     // 138-139: Unused at present
unsigned char inactiveFlag[2];                  // 140-141: Unused at present
unsigned char information1[TAGINFO_LEN];        // 142-161: Unused at present
unsigned char tagId[TAGID_LEN];                 // 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4];                      // 168-171: CRC32 to ensure validity of tagId
unsigned char rootAddress[ADDRESS_LEN];         // 172-183: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN];            // 184-193: Size of rootfs partition
unsigned char reserved1[22];                    // 194-215: Reserved area not in use
unsigned char imageCRC[4];                      // 216-219: CRC32 of images
unsigned char reserved2[16];                    // 220-235: Unused at present
unsigned char headerCRC[4];                     // 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16];                    // 240-255: Unused at present

Broadcom Code Version 3.06, Pirelli Modified Version

unsigned char tagVersion[TAGVER_LEN];           // 0-3: Version of the image tag
unsigned char sig_1[20];                        // 4-23: Company Line 1
unsigned char sig_2[14];                        // 24-37: Company Line 2
unsigned char chipid[6];                        // 38-43: Chip this image is for
unsigned char boardid[16];                      // 44-59: Board name
unsigned char big_endian[2];                    // 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN];           // 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN];          // 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN];             // 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN];     // 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN];       // 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN];       // 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN];          // 128-137: Size of kernel
unsigned char dualImage[2];                     // 138-139: Unused at present
unsigned char inactiveFlag[2];                  // 140-141: Unused at present
unsigned char information1[TAGINFO_LEN];        // 142-161: Unused at present
unsigned char information2[54];                 // 162-215: Compilation and related information (not generated/used by OpenWRT)
unsigned char kernelCRC[4];                     // 216-219: CRC32 of images
unsigned char rootAddress[ADDRESS_LEN];         // 220-231: Address in memory of rootfs partition
unsigned char tagIdCRC[4];                      // 232-235: Checksum to ensure validity of tagId
unsigned char headerCRC[4];                     // 236-239: CRC32 of header excluding tagVersion
unsigned char rootLength[IMAGE_LEN];            // 240-249: Size of rootfs
unsigned char tagId[TAGID_LEN];                 // 250-255: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced

Broadcom Code Version 3.10+

unsigned char tagVersion[4];                    // 0-3: Version of the image tag
unsigned char sig_1[20];                        // 4-23: Company Line 1
unsigned char sig_2[14];                        // 24-37: Company Line 2
unsigned char chipid[6];                        // 38-43: Chip this image is for
unsigned char boardid[16];                      // 44-59: Board name
unsigned char big_endian[2];                    // 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN];           // 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN];          // 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN];             // 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN];     // 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN];       // 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN];       // 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN];          // 128-137: Size of kernel
unsigned char dualImage[2];                     // 138-139: Unused at present
unsigned char inactiveFlag[2];                  // 140-141: Unused at present
unsigned char information1[TAGINFO_LEN];        // 142-161: Unused at present; Some vendors use this for optional information
unsigned char tagId[6];                         // 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4];                      // 168-171: CRC32 to ensure validity of tagId
unsigned char rootAddress[ADDRESS_LEN];         // 172-183: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN];            // 184-193: Size of rootfs partition
unsigned char reserved1[22];                    // 194-215: Reserved area not in use
unsigned char imageCRC[4];                      // 216-219: CRC32 of images
unsigned char rootfsCRC[4];                     // 220-223: CRC32 of rootfs partition
unsigned char kernelCRC[4];                     // 224-227: CRC32 of kernel partition
unsigned char reserved2[8];                     // 228-235: Unused at present
unsigned char headerCRC[4];                     // 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16];                    // 240-255: Unused at present
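
The tag is attacker-controllable input to anything that reads a firmware file, so a parser should bounds-check every length and address it supplies before using them. The following is an added example, not code from analyzetag.c or OpenWRT, that checks a 3.10+ tag against the file it came in. It assumes the numeric fields are NUL-terminated ASCII decimal strings, that totalLength counts the payload after the 256-byte tag, and that flash_base equals flashstart + fwoffset; check_tag, build_sample and all sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Offsets and widths from the "Broadcom Code Version 3.10+" layout above. */
enum { TAG_LEN = 256, OFF_TOTAL = 62, OFF_KADDR = 116, OFF_KLEN = 128, OFF_TAGID = 162 };
enum { W_TAGID = 6, W_LEN = 10, W_ADDR = 12 };

struct tag_info {
    char tagid[W_TAGID + 1];
    uint64_t total_len, kernel_addr, kernel_len, kernel_off;
};

/* Assumption: numeric fields are NUL-terminated ASCII decimal; anything else is rejected. */
static int parse_dec(const uint8_t *f, size_t width, uint64_t *out)
{
    uint64_t v = 0;
    size_t i;
    for (i = 0; i < width && f[i] != '\0'; i++) {
        if (f[i] < '0' || f[i] > '9') return -1;
        v = v * 10 + (uint64_t)(f[i] - '0');   /* at most 11 digits, no overflow */
    }
    if (i == 0 || i == width) return -1;       /* empty or unterminated field */
    *out = v;
    return 0;
}

/* Assumptions: flash_base is the flash address of the tag's first byte (flashstart +
 * fwoffset); totalLength counts the payload after the tag. 0 means all ranges fit. */
int check_tag(const uint8_t *img, size_t img_len, uint64_t flash_base, struct tag_info *t)
{
    memset(t, 0, sizeof *t);
    if (img_len < TAG_LEN) return -1;
    memcpy(t->tagid, img + OFF_TAGID, W_TAGID);   /* t was zeroed: stays terminated */
    if (parse_dec(img + OFF_TOTAL, W_LEN, &t->total_len) ||
        parse_dec(img + OFF_KADDR, W_ADDR, &t->kernel_addr) ||
        parse_dec(img + OFF_KLEN, W_LEN, &t->kernel_len)) return -2;
    if (t->total_len > img_len - TAG_LEN) return -3;
    if (t->kernel_addr < flash_base || t->kernel_addr - flash_base < TAG_LEN) return -4;
    t->kernel_off = t->kernel_addr - flash_base;   /* file offset of the kernel */
    if (t->kernel_off > img_len || t->kernel_len > img_len - t->kernel_off) return -4;
    return 0;
}

/* Constructed sample: a tag plus 0x1000 payload bytes; every value is made up. */
size_t build_sample(uint8_t *img, size_t cap, const char *kaddr, const char *klen)
{
    const size_t n = TAG_LEN + 0x1000;
    if (cap < n || strlen(kaddr) >= W_ADDR || strlen(klen) >= W_LEN) return 0;
    memset(img, 0, n);
    memcpy(img + OFF_TAGID, "bc310", 5);
    memcpy(img + OFF_TOTAL, "4096", 4);
    memcpy(img + OFF_KADDR, kaddr, strlen(kaddr));
    memcpy(img + OFF_KLEN, klen, strlen(klen));
    return n;
}

int main(void)
{
    static uint8_t img[TAG_LEN + 0x1000];
    struct tag_info t;
    size_t n = build_sample(img, sizeof img, "3217099008", "2048");
    int rc = check_tag(img, n, 3217096704ULL, &t);   /* constructed flash base */
    printf("rc=%d tagid=%s kernel_off=%llu\n", rc, t.tagid, (unsigned long long)t.kernel_off);
    return rc != 0;
}
```

The return codes separate a short file (-1), a malformed numeric field (-2), a totalLength larger than the file (-3) and a kernel range that falls outside the file (-4), so a caller can log why an image was refused.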

OpenWRT Broadcom 63xx Firmware Image Information

The image needed to flash onto a Broadcom 63xx-series board depends on the board, method you are using to flash, and, for web-based flash, on the version of the Broadcom code your router uses.

There are two major revisions of the Broadcom code as far as imagetags are concerned, before 3.08 and after 3.08. However, there are some variations within that, either due to vendor differences or due to changes at Broadcom (it’s not clear yet which is the case). In addition, Pirelli modified the Broadcom code, so Alice Gate models use a different imagetag than any other vendor.

The imagetag format for flashing via CFE is the same for almost all the boards, and is the same for all images generated by the imagetag utility. Images flashable using CFE are labelled openwrt-[board]-[filesystem]-cfe.bin.

The imagetag for tftp/ftp flashing is based on the Broadcom 3.00-3.04 imagetags and is known to be correct, as the source code is GPL and available for reading.

Broadcom 3.00-3.02 flashing has been tested on Comtrend CT-5261, CT-536 and Tecom GW6000, and is the version of the flashing that was present before the imagetags were split by Broadcom code version (early June 2009).

3.04 is guessed to be the same as 3.00-3.02, based on available information.

Broadcom 3.06 is thought to be the same as 3.00-3.02; however, the only 3.06 this author (Daniel Dickinson) has seen is the Alice Gate (Pirelli) firmware, which is known to be different due to vendor (Pirelli) modifications to the Broadcom code.

Broadcom 3.08 introduced changes to the imagetag to deal with TR69 (a remote router management system developed by the DSL Forum). The version we are using as 3.08 is based on the BT Voyager firmware image I looked at. It may in fact be BT Voyager-specific, and may in fact not be 3.08, but modified 3.06 and not apply to all 3.08 versions.

Broadcom 3.10 uses an imagetag that is believed to apply to all 3.10 and 3.12 versions, and has been tested on the Tecom GW6200. It is similar to 3.08.
There is a field for vendor-specific information, that at least in some cases is not optional. It is based on the hexedit of a neufbox4 firmware image, the information in https://dev.openwrt.org/ticket/4987, and the hexedit of a Tecom GW6200 image.

Some boards share the same tag format, but require vendor-specific fields in the board. In that case the tagid is shared, but the filename of the generated image reflects the router for which the image was created.

router           method  codever    tagid  filename
any              cfe     any        bccfe  openwrt-[board]-[fs]-bccfe-cfe.bin
any              t/ftp   any        bc300  openwrt-[board]-[fs]-bc300-cfe.bin
                 web     3.00-3.06  bc300  openwrt-[board]-[fs]-bc300-cfe.bin
                 web     3.10-3.12  bc310  openwrt-[board]-[fs]-bc310-cfe.bin
AGVoIP2+WiFi     web     alice3.06  ag306  openwrt-AGPF-S0-[fs]-agv2+w-cfe.bin
CT536            web     3.02       bc300  openwrt-96348GW-11-[fs]-bc300-cfe.bin
CT5621           web     3.02       bc300  openwrt-96348GW-11-[fs]-bc300-cfe.bin
DG834GT          web     3.02       bc300  openwrt-96348GW-10-[fs]-bc300-cfe.bin
DG834PN          web     3.02       bc300  openwrt-96348GW-10-[fs]-bc300-cfe.bin
DSL-2640B        web     3.10       bc310  openwrt-D-4P-W-[fs]-bc310-cfe.bin
DSL-2740B        web     3.10       bc310  openwrt-96358GW-[fs]-dsl2740b-cfe.bin
F5D7633          web     3.10       bc310  openwrt-96348GW-10-[fs]-bc310-cfe.bin
F@ST2404         web     ?          bc300  openwrt-F@ST2404-[fs]-bc300-cfe.bin
F@ST2404         web     ?          bc310  openwrt-F@ST2404-[fs]-bc310-cfe.bin
GW6000           web     3.00       bc300  openwrt-96348GW-[fs]-bc300-cfe.bin
GW6200           web     3.10       bc310  openwrt-96348GW-[fs]-gw6200-cfe.bin
Neufbox4         web     3.12       bc310  openwrt-96358VW-[fs]-nb4-cfe.bin
TD8810A          web     3.06       bc300  openwrt-8L-2M-8M-[fs]-bc306-cfe.bin
TD8810B          web     3.06       bc300  openwrt-8L-2M-8M-[fs]-bc306-cfe.bin
TD8811A          web     3.06       bc300  openwrt-8L-2M-8M-[fs]-bc306-cfe.bin
TD8811B          web     3.06       bc300  openwrt-8L-2M-8M-[fs]-bc306-cfe.bin
TD8900GB         web     3.06       bc300  openwrt-96348GW-11-[fs]-td8900gb-cfe.bin
USR9108          web     ?          bc300  openwrt-96348GW-A-[fs]-bc300-cfe.bin
V2091_BTR        web     2.21       bc221  openwrt-V2091_BB-[fs]-btvgr-cfe.bin
V2091_ROI        web     2.21       bc221  openwrt-V2091-[fs]-btvgr-cfe.bin
V2091_WB         web     2.21       bc221  openwrt-V2091-[fs]-btvgr-cfe.bin
V210_BTR         web     2.21       bc221  openwrt-V210_BB-[fs]-btvgr-cfe.bin
V210_ROI         web     2.21       bc221  openwrt-V210-[fs]-btvgr-cfe.bin
V210_WB          web     2.21       bc221  openwrt-V210-[fs]-btvgr-cfe.bin
V2110            web     2.21       bc221  openwrt-V2110-[fs]-btvgr-cfe.bin
V2110_AA         web     2.21       bc221  openwrt-V2110-[fs]-btvgr-cfe.bin
V2110_ROI        web     2.21       bc221  openwrt-V2110-[fs]-btvgr-cfe.bin
V2500V           web     2.21       bc221  openwrt-V2500V_BB-[fs]-btvgr-cfe.bin
V2500V_AA        web     2.21       bc221  openwrt-V2500V_BB-[fs]-btvgr-cfe.bin
V2500V_SIP_CLUB  web     2.21       bc221  openwrt-V2500V_BB-[fs]-btvgr-cfe.bin

Old imagetag routers

Davolink DV201AMR

Redboot routers

Inventel Livebox

Table of Broadcom Code Versions for Various Routers

Vendor                Model                             Code Ver
Belkin                F5D7633                           3.10
British Telecom (BT)  Voyager V2091_BTR                 2.21
British Telecom (BT)  Voyager V2091_ROI                 2.21
British Telecom (BT)  Voyager V2091_WB                  2.21
British Telecom (BT)  Voyager V210_BTR                  2.21
British Telecom (BT)  Voyager V210_ROI                  2.21
British Telecom (BT)  Voyager V210_WB                   2.21
British Telecom (BT)  Voyager V2110                     2.21
British Telecom (BT)  Voyager V2110_AA                  2.21
British Telecom (BT)  Voyager V2110_ROI                 2.21
British Telecom (BT)  Voyager V220V                     2.21
British Telecom (BT)  Voyager V2500V                    2.21
British Telecom (BT)  Voyager V2500V_AA                 2.21
British Telecom (BT)  Voyager V2500V_SIP_CLUB           2.21
Comtrend              CT-5261                           3.02
Comtrend              CT-536                            3.02
D-Link                DSL-2640B                         3.10
D-Link                DSL-2670B                         3.10
NetGear               DG834GT                           3.02
NetGear               DG834PN                           3.02
Neuf Cegetel          Neufbox 4                         3.12
Pirelli               Alice Gate Wi-Fi (+VoIP models?)  ag 3.06
Sagem                 F@ST2404                          ?
TP-Link               TD-8810A                          3.06
TP-Link               TD-8810B                          3.06
TP-Link               TD-8811A                          3.06
TP-Link               TD-8811B                          3.06
TP-Link               TD-W8900GB                        3.06
Tecom                 GW6000                            3.00
Tecom                 GW6200                            3.10
USR                   9108                              ?
 
 
 
Generated by webgen, Sunday, January 24 20:27:05 EST 2010

This page Copyright 2007-2009 Daniel Dickinson. See Copyright and licensing information for information on how you can use this document.

Last modified Sun Jan 03 09:03:22 -0500 2010.