Modify Edimax BR-6104K / Sweex LB000021 firmware

FAQ   Forum   Download

Disclaimer:
Modifying and Flashing firmware can lead to fatal errors or even destroys your router! Make sure you have the proper router and proceed at your own risk!

Edimax and Sweex broadband routers use embedded Linux as their operating system. By taking the firmware upgrade file apart you can modify the ram image (initrd) part and build a new firmware upgrade file. You need a Linux operating system to modify the ram image. If you are not familiar with hex editors, Linux, iptables and DOS commands this might not be the place for you.

In order to modify the firmware of your router, please refer to the table below and make sure you have the proper router.

Edimax Sweex Processor Firmware Supported
BR-6104 LB000020 Conexant 0.59a NO
BR-6104S LB000020 Samsung S5N8947 0.10 NO
BR-6104K LB000021 ADMtek 5120P 2.59/2.65 YES
BR-6104K LB000021 ADMtek 5120P 2.75 YES

This update can only be used with the BR-6104K or LB000021 router using the ADMtek 5120P processor and firmware 2.65 or 2.75!
Firmware version 2.75 has a similar layout, but the offsets are different and the tmpimg.img file is compressed with bzip2 instead of gzip.

The Edimax and Sweex firmware upgrade files (version 2.65/2.75) have the following layout:

       V2.65                            Block name                   V2.75
+--------------------+ 0x00                 +             0x00+--------------------+
| Header             |                      |                 | Header             |
+--------------------+ 0x0c                 |             0x0c+--------------------+
|                    |                      |                 |                    |
|                    |                      |                 |                    |
| webpages-6104k.bin |                 webpages.bin           | webpages-6104k.bin |
| gzipped            |                      |                 | gzipped            |
|                    |                      |                 |                    |
+--------------------+                      |                 +--------------------+
| padding            |                      |                 | padding            |
+--------------------+ 0x20000              +          0x10000+--------------------+
| CSYS header        |                  csys.bin              | CSYS header        |
+--------------------+ 0x2000c              +          0x1000c+--------------------+
|                    |                      |                 |                    |
|                    |                      |                 |                    |
| vmlinux.bin        |                vmlinux.bin.gz          | vmlinux.bin        |
| gzipped            |                      |                 | gzipped            |
|                    |                      |                 |                    |
|                    |                      |                 |                    |
+--------------------+                      +                 +--------------------+
CSYS header is 12 bytes long: 'C' 'S' 'Y' 'S' 0x00 0x00 0x50 0x80 0x1a 0x3f 0x1b 0x00
The last 4 bytes contain the file length of vmlinux.bin.gz, in this case 0x1b3f1a (1785626) bytes.

vmlinux.bin (unzipped) has the following layout:

       V2.65                                                         V2.75
+--------------------+ 0x00                 +             0x00+--------------------+
|                    |                      |                 |                    |
| Kernel             |                  kernel.bin            | Kernel             |
|                    |                      |                 |                    |
+--------------------+ 0x16d000             +         0x172000+--------------------+
| tmpimg.img         |                      |                 | tmpimg.img         |
| gzipped            | --> ram image  tmpimg.img.gz (bz2)     | bzip2              |
| +padding           |                      |                 | +padding           |
+--------------------+ 0x28f000             +         0x27c000+--------------------+

Using a hex editor you can extract the various blocks (can be done on Linux or Windows)
Copy these blocks to a safe location since we need them later to build the new upgrade file.

Offset Length
0x00 0x20000 web pages block containing webpages-6104k.bin (gzipped)
0x20000 0x0c CSYS header
0x2000c eof kernel block containing vmlinux.bin (gzipped)

After unzipping the kernel block into vmlinux.bin you get 2 additional blocks

Offset Length
0x00 0x16d000 kernel
0x16d000 0x122000 RAM image block containing tmpimg.img (gzipped)

You can download a file here that contains these extracted blocks and some tools to put them back together again.

After unzipping the ram image block into tmpimg.img you are ready to modify this file (must be done on Linux)

Note:
All actions take place from the Linux directory where tmpimg.img is located. If these commands are not familiar to you, please bail out! If you only want to have a look at this file under Windows, you can by using the ext2 explorer. (alternate location).

Copy the tmpimg.img file to a directory on your Linux box, this is your working directory
Create 2 directories: tmpimg and newimg

Mount the tmpimg.img file.
mount -t ext2 -o loop tmpimg.img tmpimg -o noexec
Change into the tmpimg directory and make any changes.
etc directory contains the version file if you want to update this
bin directory contain the various iptables scripts you can modify

When you're done, build a new image file. This sequence must be followed each time you make changes to tmpimg.
# create an empty image file with exactly the same
# size as the original image file. count = filesize / 1024
# V2.75: count=5120
dd if=/dev/zero of=newimg.img bs=1k count=4500
# change it into an ext2 file system
mke2fs -F -m 0 -b 1024 newimg.img
# optional, force the fs never to be checked
tune2fs -c 0 newimg.img
# mount the new image file
mount -o loop newimg.img newimg
# copy everything from the old fs to the new fs
cp -a tmpimg/* newimg
# make sure root is owner of all the files
chown -R root.root newimg
# unmount the new image file
sleep 2
umount newimg

The newimg.img file can now be used to build the new firmware upgrade file. Make sure it is renamed to tmpimg.img before proceeding so copy it to a location where the other blocks are also stored. Instructions make use of some win32 tools that can be found here.

rem Zip the new tmpimg.img file (use -9 compression option)
rem Be aware that some images are compressed using gzip and
rem some using bzip2. 
rem V2.75: use bzip2 -9 tmpimg.img

gzip -9 tmpimg.img

rem Apply 0x00 padding bytes to the end of the file to make the
rem filelength exact 0x122000 (1187840) bytes.
rem V2.75 length: 0x10a000 (1089536) file: tmpimg.img.bz2
rem Padding bytes are actual used to fill a complete 4Kb block

padfile tmpimg.img.gz 1187840

rem Copy the kernel block + the new tmpimg file to a new file

copy /b kernel.bin /b + tmpimg.img.gz /b vmlinux.bin /b

rem Zip the vmlinux.bin file, always using gzip

gzip vmlinux.bin

rem Build a new CSYS header (set the correct file size at offset 0x08)

mksyshdr csys.bin vmlinux.bin.gz

rem Copy the remaining files into the new firmware upgrade file

copy /b webpages.bin /b + csys.bin /b + vmlinux.bin.gz /b firmware.bin /b

You can now use the firmware.bin file to upgrade your router!

Remarks:

Gzip sometimes gives a warning during decompressesion:

decompression OK, trailing garbage ignored.
This is due to the fact that some blocks contain padding characters at the end of the zipped file.

The current firmware is about 1.9 Mb. The flash rom is 2 Mb which means you don't have that much room left to play with. Be careful not to exceed the 2 Mb since I don't know what will happen.

All hardware and software products mentioned are trademarks or registered trademarks of their respective owners. NoRocketScience cannot be held responsible for any wrong information given on this page.