Broadcom CFE backup

From DD-WRT Wiki

Jump to: navigation, search


Contents

[edit] How to backup your CFE

In case of a bricked router due to bootloader (mtd 0) overwrite, or to make modifications, this guide shows how to backup and write the CFE bootloader used in Broadcom devices. For a broken Linksys WRT54G/GL/GS CFE, try the (archive of http://www.wlan-skynet.de/download/index.shtml) Skynet repairkit to make a new one. CFEs for these and other various models may also be found at CFE collection project and the "old" one.

Note that as of 11/25/2023 the URLs in the dd-wrt forums threads are all dead. A mirror of the barryware archive was collected and is located on ftp://gakinaction.ddns.net however it is not browsable via web browser, and a copy of this was collected by me on 11/25/2023 and placed on http://www.mittelstaedt.us/cfe/gakinaction.ddns.net/cfe_collection_project/ and that is browsable. I have added some additional CFE's to http://www.mittelstaedt.us/cfe/additional-cfes/ Another archive of the Barryware CFE project is located here https://www.linksysinfo.org/index.php?threads/bootloader-collection-project.75258/#post-322731

There are several methods to backup the CFE (always open the CFE with a HEX editor to verify the contents):

[edit] by web interface (preferred method)

CFE backup is easy via web browser (this works since svn8428, post-RC5):

http://{router IP address}/backup/cfe.bin

E.g. for the DD-WRT default IP address (192.168.1.1):

http://192.168.1.1/backup/cfe.bin

[edit] by telnet/SSH

For non-micro builds, connect to the router via telnet or ssh (SSH must be enabled!) and enter the following:

dd if=/dev/mtd/0 of=/tmp/cfe.bin
  • Or paste into Commands at the Administration->Commands tab (Diagnostics.asp) and click Run Commands.

Then get the cfe.bin file from the /tmp directory with FTP, SFTP or SCP (using, for example, WinSCP).

[edit] by cfe.jpg trick

This method is required for micro builds, but also works for all builds and is very simple:

cat /dev/mtd/0 > /tmp/www/cfe.jpg

Then point your browser to http://routerip/user/cfe.jpg and do a File->"Save Page/As" to cfe.bin to the local disk drive. The resulting file should be 256K in size for a cfe.bin file, but varies by router and model.

  • Note: "/user/cfe.jpg" points to "/tmp/www/cfe.jpg"

The same can be done for mtd/1 linux (firmware including kernel), mtd/2, mtd/3, and others.

  • Run `cat /proc/mtd` to see the mtd partitions.

[edit] by JTAG

Connect a JTAG-Adapter cable to the router and use the following command:

wrt54g -backup:cfe

The same can be done with the nvram, kernel, etc.

[edit] Restoring the CFE

WARNING: Do not flash the CFE (mtd 0) by telnet/SSH unless the risk is understood, as this could render the router unbootable. Only JTAG or soldering a new flash chip could fix it from that point.

[edit] by telnet/SSH

First copy the CFE file to the router's /tmp directory (e.g. using something like WinSCP or wget), then:

mtd unlock cfe
mtd write -f /tmp/cfe_new.bin cfe

[edit] by JTAG

Use JTAG to restore the unit's CFE. For example:

tjtag -flash:cfe