JeromePetazzoni :: DerniersChangements :: DerniersCommentaires? :: ParametresUtilisateur :: :: Vous êtes
Breaking news (2004-12-08): Siemens released a firmware source tree (that seems to be complete, but contains some binary parts) including toolchain for the BCM96345-based SE515. Look at (Files: SE 515 2.14)

NEW : GplInfringement information about this hardware.

The Broadcom 96345 is an embedded design used in some cheap routers with an integrated ADSL modem and an optional 54mbs access point. Many (if not all) of those routers run a slightly modified version of Linux. Our goal is to find out all the technical information needed to build a new firmware for those devices.

Note : if I understood correctly, 96345 is the reference number for the board (CPU + miscellaneous other components), and 6345 is the reference number of the CPU itself. It might seem that there are different versions - 6345GW and 6345R - but I think that the thing shown in /proc/cpuinfo is just a mirror of some EEPROM-written information (see this picture, the "Board ID name"...), and the only difference is the presence of a PCMCIA Wireless adapter (a BCM4306).

Which routers use this chipset ?

What are the hardware specifications ?

Il will try to open up my router some day, take some pictures, and write down the chip numbers.

Some details about the supported ADSL standards are available on Broadcom web site ; but we will mention here the "interesting" specs, that is the memory size (and maybe the CPU frequency if we see big discrepancies between different models).

How does this router perform ?

I (JeromePetazzoni) am quite happy about it ; but I'm not a hardcore ADSL user ; check this post where an emule power-user tells us what he thinks about it, after having tried other routers, too. It's interesting to know that emule, like many P2P applications, uses a lot (hundreds, even thousands) of simultaneous connections, and puts quite a stress on a connection-tracking router.

Feel free to read the post for a small description of the router and some screenshots of the telnet administration console, too.

What would be the goal of a new firmware ?

- Security fixes - if a security flaw appears to be exploitable in available firmwares, we have no warranty that the hardware vendors will fix it ; if we can recompile our kernels and/or userland programs, we could fix things ourselves
- IPV6 support
- 802.1q tagged VLAN support (for instance, to isolate WLAN traffic from the rest)
- SSH support to connect securely to the router from outside
- IPSEC support, to build secure VPNs
- learning about embedded systems :-)

What is the roadmap ?

- Compile programs for the router - DONE, with Debian ToolChain and UcLibC packages
- Upload programs to the router - DONE, with TelnetUpload trick
- Run arbitrary code with current firmwares - DONE, with the KernelChmod trick
- Build a BroadcomKernel - DONE, now that we understand the CfeKernel format
- Prepare a root filesystem image - PLANNED (should be easy)
- Understand FirmwareFormat to assemble the new kernel and filesystem so they can be flashed into the router - DONE
- Find a way to dump current firmware + persistent storage - DONE, see DumpFirmware
- Maybe find a way to connect a serial line to the router (is it technically possible?) to help development and debugging - DONE by Alfonso Acosta
- Write some scripts to split a firmware image into pieces and building an image from parts - IN PROGRESS (Alfonso Acosta did this work, see the here


First, the hardware vendors (Broadcom, US Robotics...) did a decent job in providing such a cheap router (I paid my 9106 less than 120EUR) running Linux. US Robotics, Buffalo, Siemens ... supply some code, but generally incomplete and not very well documented (if at all!) ; Broadcom seems to filter out any technical information about the chipset (the only information available is a glossy paper with "technical features", totally useless). I will try to contact them to get more useful sources, we will see if they really understood what Open Source is about ... After all, without Linux they probably wouldn't have been able to provide such a cheap and well performing router (alternatives are more expansive - which counts when you sell something about 100EUR - and don't generally perform as well).

I would also like to thank Mastabog and the other people on the emule forum ; their posts helped me to chose this router instead of another, and until now I'm very happy about it - because it works, and because I have such a great time hacking it :-)

See the SourceForge project page where folks are going on with this hacking job !


I ('ve found some kind of backdoor in dynalink rta230:

# cat /etc/passwd
userNotUsed:YNf8oSCwK/0/Y:0:0:Technical Support:/:/bin/sh

Take care of this!
My firmware version include BusyBox? v0.60.4 (2004.05.10-07:34+0000) Built-in shell (msh) on
Linux version 2.4.17 (michaelc@ADSL_SW1_LINUX) (gcc version 3.1) #1 Mon May 10 15:30:45 CST 2004
All the tricks found to execute code on the router works well. wrote:

Very well done, you did an h* *l of a job digging into this box !!!

Going ofter your steps I dowloaded the source myself and probably all your last answers ( if still remains for you ) can be found into userapps/busybox/tftpd.c and userapps/opensource/ftpd/fwsyscall.c

Keep up with it
Massimo wrote:

I coded a script to split and build the firmware files and I'm working to modify the cramfs tools to support lzma. See

I (Robert Bowler) have just got as far as unpacking the USR 9105 firmware adding a file, repackaging the firmware and then flashing the router.
rdb@lgb:~$ telnet
Connected to
Escape character is '^]'.
USR ADSL Gateway
Login: admin
> sh

BusyBox? v0.60.4 (2004.06.04-19:10+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

# cat /etc/hello
This is a small change to the firmware.
# Connection closed by foreign host.

I have written tools in C to unpack and pack firmware.
I have made the cramfs tools work with some lzma code.
The code I used is available from
I haven't yet written instructions for using the tools but it is pretty obvious how to get it working.

Note (

Latest news from me:
- The Dynalink firmware uses squashfs filesystem, not cramfs. Only the latest version of the firmware use a loader, previous versions don't;
- someone is using the siemens source code to create a new firmware: Source code for ses515 doesn't compile, he simply removed portion of code referring to proprietary broadcom code (but broadcom inserted his code inside the kernel tree, so it is violating gpl without releasing it).
-Backdoor is confirmed, see if interested

Note (Alfonso Acosta)

Me and a friend of mine have disassembled a 9106 router and made some photos of the process, you have a link to the photos at It seems that an unsolded USB connector is aviable at the board.

Note (Robert Bowler)

Thanks for doing the photos. My 9105 looks the much same as the 9106 except that my mini-pci solder pads are empty where a socket should be.
I've tidied up the my firmware tools, so that the compression code is compiled in to mkramfs and made it is easier to get the model strings correct for a 9106.
To test it all I flashed a firmware with a picture of a penguin on every web page.
Has anyone compiled and then flashed a new kernel yet?

Note (Alfonso Acosta)

Don't you guys think its time to get organized and create at least a mailing list? Or maybe open a project in sourceforge, savannah ....?

I have some arguments to do so:

1) Its quite creepy to use a wiki as a message board
2) If we don't get organized work dupplication happens (for example both Robert and I have coded different modified versions of cramfs tools and a a program to split and build firmware files)

Note (Jens Beyer)

(To Alfonso: definetly yes)

I have an SE515 and found these pages to be the best collected resources for the bcm-based ADSL systems.

Something not mentioned here: Siemens did put parts of their source code public, see . Besides a lot rcs version diffs the kernel inside is basically the same as the one provided by USR, some diffs on USB stuff, more net_filter but missing same parts (../targets etc).

I found out that all of your stuff work for the SE515 too, just minor changes are needed like modifying the DumpFirmware-module (SE515 has 4 MB flash).

In the last 16KB of the dumped Firmware I can see all my PW'S in clear text including wep-key for wlan. The SE515 has 2 supplementary user (support pw:siemens4, user pw unknown) with which i didnt manage to log in.

Note (Alfonso Acosta)

I made a project request in sourceforge, I'll tell you if they finally approved it in the following two days.

Note (Jens Beyer)

I'm running dropbear ( now :-)
khan@lucky:/usr/src/openssh-3.9p1> ./ssh admin@
admin@'s password:
BusyBox? v0.60.4 (2004.03.15-06:10+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Note (Alfonso Acosta)

(To Jens: once again we duplicated the efforts, :( , see but I have good news ... )

Sourceforge staff accepted the project,

If you all agree we can continue with our discussion using its brand new mailing list Please subscribe! :)

Note (Gianluca Sforna)

I am really interested in hacking on the 9106 I have so I already joined the mailing list. See you there!!!

Note (Alec Voropay)

The 3Com's OfficeConnect SecureRouter? (3CR860-95) and OfficeConnect VPN Firewall (3CR870-95) is based on the "sister" chip: BCM6350

3COM provides Linux sources for this devicee and MIPS BE Toolchains

Note (

There is very little information on the Internet about hacking the 3Com OfficeConnect products. I am posting some information on OfficeConnect.

Note (agp_at_dsl_dot_pipex_dot_com)

SINUS 1054 ADSL Modem Router also uses the BCM6345 chip. Source is available and appears to build OK although it also has binary parts.
Belkin F5D7633 uses BCM6348 chips with a very similar file format. All file tricks work on it. Source was available but has disappeared. Have requested that Belkin
repost the source.

Note (

Hello ! Anyone have tried to flash a Dynalink RTA230 with the USR9105 firmware ?
Work ?
At the address there are source code for many USR ADSL router :)

Comment by VOid: don't work if upload from tftp. Flash hang up and drop to BootLoader? in WEB GUI. IMHO because LZMA in 9105 firmware.

Note (

-- for RTA230 owners --
16 july 2005: latest firmware at
New function: "Voice Quality" under QoS? menu :) and also ADSL2/READSL2 support

19 july 2005: italian mailing list about RTA230 at , Wiki for RTA230 at

Note (bcm96348 [at] nebster _dot_ hacked -dot- in)

I have made a program which at the moment splits the firmware up into various parts. I have tested it on the F5D7633 firmware. If someone has somewhere for me to upload it, please send me an email. This compiles in Linux and in theory, windows XP using GCC, maybe VC++. It currently splits it up into header, loader, rootfs, and kernel. It doesn't currently rebuild it but I may add it in the next few days
Il n'y a pas de commentaire sur cette page. [Afficher commentaires/formulaire]