Broadcom CFE backup

From DD-WRT Wiki

Jump to: navigation, search


[edit] How to backup your CFE

In case of a bricked router due to bootloader (mtd 0) overwrite, or to make modifications, this guide shows how to backup and write the CFE bootloader used in Broadcom devices. For a broken Linksys WRT54G/GL/GS CFE, try the Skynet repairkit to make a new one. CFEs for these and other various models may also be found at CFE collection project and the "old" one.

There are several methods to backup the CFE (always open the CFE with a HEX editor to verify the contents):

[edit] by web interface (preferred method)

CFE backup is easy via web browser (this works since svn8428, post-RC5):

http://{router IP address}/backup/cfe.bin

E.g. for the DD-WRT default IP address (

[edit] by telnet/SSH

For non-micro builds, connect to the router via telnet or ssh (SSH must be enabled!) and enter the following:

dd if=/dev/mtd/0 of=/tmp/cfe.bin
  • Or paste into Commands at the Administration->Commands tab (Diagnostics.asp) and click Run Commands.

Then get the cfe.bin file from the /tmp directory with FTP, SFTP or SCP (using, for example, WinSCP).

[edit] by cfe.jpg trick

This method is required for micro builds, but also works for all builds and is very simple:

cat /dev/mtd/0 > /tmp/www/cfe.jpg

Then point your browser to http://routerip/user/cfe.jpg and do a File->"Save Page/As" to cfe.bin to the local disk drive. The resulting file should be 256K in size for a cfe.bin file, but varies by router and model.

  • Note: "/user/cfe.jpg" points to "/tmp/www/cfe.jpg"

The same can be done for mtd/1 linux (firmware including kernel), mtd/2, mtd/3, and others.

  • Run `cat /proc/mtd` to see the mtd partitions.

[edit] by JTAG

Connect a JTAG-Adapter cable to the router and use the following command:

wrt54g -backup:cfe

The same can be done with the nvram, kernel, etc.

[edit] Restoring the CFE

WARNING: Do not flash the CFE (mtd 0) by telnet/SSH unless the risk is understood, as this could render the router unbootable. Only JTAG or soldering a new flash chip could fix it from that point.

[edit] by telnet/SSH

First copy the CFE file to the router's /tmp directory (e.g. using something like WinSCP or wget), then:

mtd unlock cfe
mtd write -f /tmp/cfe_new.bin cfe

[edit] by JTAG

Use JTAG to restore the unit's CFE. For example:

tjtag -flash:cfe