Weissnix4711/flash_layout

Info

Sources available here. The firmware version for this device is 5.5.2, though the other (V5.5.4) may also be of interest.

Hardware

DeviWiki page

CPU: BCM3380GKFSBG
Ethernet: BCM53114KFBG
Flash: FL064PIF

Flash layout

The bootloader has been locked down, so it's impossible to use it to print out the partition table. Linux boot logs are also unavailable (because I later found out it doesn't run linux at all, only eCos. Many routers will run eCos and linux simultaneously, not this one.)

From reading the flash with an SPI prorgammer and inspecting the reults in a hex editor, I have come up with the following layout.

Offset	Size	Description
0x000000	0x010000	Bootloader
0x010000	0x010000	perm
0x020000	0x3E0000	Image 1
0x400000	0x3E0000	Image 2
0x7E0000	0x010000	?
0x7F0000	0x010000	dynnv

The permnv and dynnv partitions are described in detail here and can be read with bcm2cfg.

Interestingly, many settings are missing from the perm config. As suggested by this article, it may simply be used to rebuild the config during a factory reset.

perm

cg3101d_flash_perm.bin
type    : dyn
profile : (unknown)
checksum: bc17c165 (ok)
size    : 14320 (ok)

failed to parse group bfc
failed to parse group userif
failed to parse group bcmwifi
failed to parse group cmlog
failed to parse group rstl
failed to parse group dhcp
failed to parse group firewall
failed to parse group guestwifi
{
  bfc = {
  }
  userif = {
  }
  halif = {
  }
  bcmwifi = {
  }
  grp_802s = {
  }
  grp_fact = {
  }
  grp_prnt = {
  }
  bpi = {
    code_access_start = 00:8C:30:81:89:02:81:81:00:D2:B6:12
    cvc_access_start = 82:4B:A7:E5:6B:8B:6B:7E:B4:95:C5:B4
  }
  grp_bpih = {
  }
  grp_d0c20100 = {
  }
  grp_d0c20300 = {
  }
  cmlog = {
  }
  grp_snmp = {
  }
  grp_dnst = {
  }
  grp_dns1 = {
  }
  grp_upst = {
  }
  grp_ups1 = {
  }
  grp_ups2 = {
  }
  grp_ups3 = {
  }
  grp_ppan = {
  }
  rstl = {
  }
  grp_ntgr = {
  }
  grp_psv = {
  }
  grp_cap = {
  }
  dhcp = {
  }
  grp_csp = {
  }
  rg = {
    router_mode = yes
  }
  grp_cmp = {
  }
  grp_chev = {
  }
  grp_cqp2 = {
  }
  firewall = {
  }
  grp_vpng = {
  }
  grp_ppps = {
  }
  guestwifi = {
  }
}

dyn

failed to parse group firewall
cg3101d_flash_dyn.bin
type    : dyn
profile : (unknown)
checksum: 0678f5fc (bad)
size    : 55374 (ok)

Won't post all contents here, but all groups aside from firewall are filled.

Logs

OEM

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 1 at offset 20000
. 

Performing CRC on Image 1...
CRC time = 52507655
Detected LZMA compressed image... decompressing... 
Target Address: 0x80004000
decompressSpace is 0x4000000
Elapsed time 991624930

Decompressed length: 16049828

Executing Image 1...


 eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 80f52138
Init device '/dev/tty0'
Init tty channel: 80f52158
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x81112770 len: 4096
Set input buffer - buf: 0x81113770 len: 4096
BCM 33XX SERIAL config
LsSpiInit 3380
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
detecting flash3...
[00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash:  (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0x10216
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Permanent NonVol would fit in the boot block of this flash device, but I found existing NonVol in the following block; using this location instead...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
ProgramStoreDeviceDriver::ProgramStoreDriverInit:  INFO - Initializing...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
Detecting the next image number that we will store to by default...
Bootloader indicates we are running image 1
By default, we will dload to image number 2!

[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.

[Virgin] Init US V1 Table 0
[Virgin] Init US V1 Table 1
[Virgin] Init US V1 Table 2
[Virgin] Init US V1 Table 3
BcmCapNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Reading Permanent settings from non-vol...
[Thermal Debug] GPIO 33 = 2
[CG3101D] Power Down Enable On Port 1 to Port 4.
Checksum for permanent settings:  0x8ee49e38
Settings were read and verified.


Reading Dynamic settings from non-vol...
Checksum for dynamic settings:  0x36470c3f



 we found one in the table already!!!!
Settings were read and verified.

OEM (second device)

BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 2 at offset 400000
. 

Performing CRC on Image 2...
CRC time = 52507740
Detected LZMA compressed image... decompressing... 
Target Address: 0x80004000
decompressSpace is 0x4000000
Elapsed time 992936926

Decompressed length: 16049828

Executing Image 2...


 eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 80f52138
Init device '/dev/tty0'
Init tty channel: 80f52158
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x81112770 len: 4096
Set input buffer - buf: 0x81113770 len: 4096
BCM 33XX SERIAL config
LsSpiInit 3380
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
detecting flash3...
[00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash:  (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0x10216
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Permanent NonVol would fit in the boot block of this flash device, but I found existing NonVol in the following block; using this location instead...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
ProgramStoreDeviceDriver::ProgramStoreDriverInit:  INFO - Initializing...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
Detecting the next image number that we will store to by default...
Bootloader indicates we are running image 2
By default, we will dload to image number 1!

[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.

[Virgin] Init US V1 Table 0
[Virgin] Init US V1 Table 1
[Virgin] Init US V1 Table 2
[Virgin] Init US V1 Table 3
BcmCapNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Reading Permanent settings from non-vol...
[Thermal Debug] GPIO 33 = 2
[CG3101D] Power Down Enable On Port 1 to Port 4.
Checksum for permanent settings:  0xbc17c165
[00:00:00 01/01/1970] [tStartup] BcmeRouterNonVolSettings::IsDefault:  (eRouter NonVol Settings) Permanent settings are default!

*
*
* One or more of the settings groups was missing, possibly as a result of a code upgrade.
*
*

*
*
* One or more of the settings groups was upgraded.
*
*
Settings were read and verified.


Reading Dynamic settings from non-vol...
Checksum for dynamic settings:  0xe221d035



 we found one in the table already!!!!
Settings were read and verified.

Pulse attemps

By connecting a pulse switch between flash HOLD and GND, then toggling it at various intervals in the boot sequence, you may be able to reach a prompt. Similar trick works with the EPC3208. Sadly, I was not able to access a prompt.

Attempt 1

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 1 at offset 20000
. 

Performing CRC on Image 1...
CRC time = 52507671
Detected LZMA compressed image... decompressing... 
Target Address: 0x80004000
decompressSpace is 0x4000000
Elapsed time 991623955

Decompressed length: 16049828

Executing Image 1...


 eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 80f52138
Init device '/dev/tty0'
Init tty channel: 80f52158
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x81112770 len: 4096
Set input buffer - buf: 0x81113770 len: 4096
BCM 33XX SERIAL config
LsSpiInit 3380
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
detecting flash3...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::FlashDriverInit:  (Flash Driver C API) WARNING - Fai
******************** CRASH ********************


Exception code/type: 2 / TLB (load/fetch)    TP0

r0/zero=00000000 r1/at  =fffffffe r2/v0  =00000000 r3/v1  =00000000
r4/a0  =00000004 r5/a1  =811153c8 r6/a2  =00000000 r7/a3  =811a4560
r8/t0  =810d1078 r9/t1  =00000000 r10/t2 =00000000 r11/t3 =c8000000
r12/t4 =00000407 r13/t5 =00000000 r14/t6 =06000000 r15/t7 =00000000
r16/s0 =803a0000 r17/s1 =11110011 r18/s2 =83fab180 r19/s3 =11110013
r20/s4 =11110014 r21/s5 =11110015 r22/s6 =11110016 r23/s7 =11110017
r24/t8 =00000000 r25/t9 =00000003 r26/k0 =83fab180 r27/k1 =11110013
r28/gp =80f5a3b0 r29/sp =810d1170 r30/fp =810d12b0 r31/ra =800a10d8

PC   : 0x800a11c8    error addr: 0x00000004
cause: 0x00000008    status:     0x1000ff03

BCM interrupt enable: 00000007, status: 00000000
Instruction at PC: 0x8c440004
iCache Instruction at PC: 0x3402ffff

entry 800a0ea0    called from 8009ea10
entry 8009e9b8    called from 80616688
entry 80616670    called from 80946d88
entry 80946d50    called from 80946d48
entry 80946d50  Return address (00000000) invalid or not found.  Trace stops.

Current thread = 810da2e8
Current time is 01/01/1970 00:00:00
Current free space on the heap is 48066736
led to detect flash device 0 using SPI!
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::FlashDriverInit:  (Flash Driver C API) ERROR - Failed to retrieve the memory window associated with flash device 0/CS0!
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) ERROR - Failed to initialize the Flash driver!
[00:00:00 01/01/1970] [tStartup] BcmEpsCmDocsisSystem::Initialize:  (BFC System) ERROR - Failed to init low level storage drivers!
[00:00:00 01/01/1970] [tStartup] BcmEpsCmDocsisSystem::Start:  (BFC System) ERROR - Failed to initialize the system.
+-----------------------------------------------------------------------+
| Portions of this product contain open source software and are subject |
| to terms of the applicable license as specified in the release notes. |
+-----------------------------------------------------------------------+



                          *
                         * *
                         * *
                        *   *
                        *   *
                       *     *
                       *     *
                       *     *
                      *       *
                      *       *
                      *       *
                     *         *
                     *         *
                     *         *
                     *         *
                    *           *
          *         *           *         *
        *   *       *           *       *   *          ***
*     *      *     *             *     *      *     *       *******************
   *          *   *               *   *          *
                *                   *

Broadcom Corporation Reference Design

 +----------------------------------------------------------------------------+
 | Build Date:  Sep 22 2014                                                   |
 | Build Time:  16:40:34 (+0800)                                              |
 | Built By:    cynthia                                                       |
 +----------------------------------------------------------------------------+

BcmBfcAppNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Here is another attempt. From what I could tell, the device continued to boot normally after I stopped, although without any more serial logs.

Pulse attempt 2

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 1 at offset 20000
. 

Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.
. 

Performing CRC on Image 1...
CRC time = 52494132
Detected LZMA compressed image... decompressing... 
Target Address: 0x80004000
decompressSpace is 0x4000000
Elapsed time 991625048

Decompressed length: 16049828

Executing Image 1...


 eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 80f52138
Init device '/dev/tty0'
Init tty channel: 80f52158
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x81112770 len: 4096
Set input buffer - buf: 0x81113770 len: 4096
BCM 33XX SERIAL config
LsSpiInit 3380
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
detecting flash3...
[00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash:  (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0x10216
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Permanent NonVol would fit in the boot block of this flash device, but I found existing NonVol in the following block; using this location instead...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
ProgramStoreDeviceDriver::ProgramStoreDriverInit:  INFO - Initializing...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
Detecting the next image number that we will store to by default...
Bootloader indicates we are running image 1
By default, we will dload to image number 2!

[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.

[Virgin] Init US V1 Table 0
[Virgin] Init US V1 Table 1
[Virgin] Init US V1 Table 2
[Virgin] Init US V1 Table 3
BcmCapNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Reading Permanent settings from non-vol...
[Thermal Debug] GPIO 33 = 2
[CG3101D] Power Down Enable On Port 1 to Port 4.
NonVolDeviceDriver::ReadTrueSegmentSizeBytes:  WARNING - Segment Size in segment control word not valid; returning 0!
NonVolDeviceDriver::NonVolDriverRead:  ERROR - Failed to query the segment size (returned 0 bytes)!  There is no valid data to read.
[00:00:00 01/01/1970] [tStartup] BcmNonVolDeviceDriverBridge::ReadImpl:  (NonVol Device) ERROR - Failed to read the length from the settings data!
[00:00:00 01/01/1970] [tStartup] BcmNonVolDeviceDriverBridge::Read:  (NonVol Device) ERROR - Failed to read the buffer from the device!  Resetting the entire section to defaults.
[00:00:00 01/01/1970] [tStartup] BcmHalIfNonVolSettings::ResetDefaults:  (HalIf NonVol Settings) WARNING - Resetting Permanent Settings to defaults!  MAC addresses and other settings are now invalid!
[00:00:00 01/01/1970] [tStartup] BcmCmBpiNonVolSettings::ResetDefaults:  (CM BPI NonVol Settings) WARNING - Permanent settings (BPI Keys and other unique values) are being reset to their default values!
[00:00:00 01/01/1970] [tStartup] BcmCmHybridBpiNonVolSettings::ResetDefaults:  (CM HYBRID BPI NonVol Settings) WARNING - Permanent settings (BPI Keys and other unique values) are being reset to their default values!
[00:00:00 01/01/1970] [tStartup] CmSnmpNonVolSettings::ResetDefaults:  (CM SNMP NonVol Settings) WARNING - Resetting all Permanent Settings!  The serial number and other Sys Info items are probably invalid!
[00:00:00 01/01/1970] [tStartup] BcmCmpNonVolSettings::ResetDefaults:  (Cmp NonVol Settings) WARNING - Resetting all Permanent Settings!  The serial number and other Sys Info items are probably invalid!

*
*
* Failed to read non-vol settings from the device!
*
*

Reading Dynamic settings from non-vol...
Checksum for dynamic settings:  0x36470c3f



 we found one in the table already!!!!
Settings were read and verified.

[00:00:00 01/01/1970] [tStartup] BcmEpsCmDocsisSystem::Initialize:  (BFC System) ERROR - Disable console port now!

This appears to have killed my first device. Subsequent boot attempts have no serial output. Also, LEDs flash for ~1s then only LED402 and LED404 (red) remain lit.

Pulse attempt 3

P
BCM338031 000�000�080��2082 8���0C��F�2� 0 1 0
 0
00 0 0000000800810C 1CB FBCF0C���0� ~0? �Hx�0�0
 00 0�����8C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C08F000 F10  
00 0
 00 00�000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 00000&�00018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 ���F?CB0F0C00F000 F10  
00 0
 00 00000f�0001�C0 1BC4�CA0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 00000800018C0 1BCF CB0F0C�F000 �10���00�0�
                                               0�~�̘00080001��0 1BC� ���F0C00F�00 F10  
00 0
 00 0000008000�80 1�CF CB0F�C00F000 F10  
�00 �H�00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1����FC00~00��1&� 
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F��0 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C 1~�F�C�F0C�F0�0 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C01C0 00B0F8C002080 FB0 FC0 0
000F0 0 0000000800810C2 8 BFBCF0C0000F02F0 0 1��0
00 0옘�00008010C1 C��FBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C1 C BFBCF0C0000F00F 0 0 1
 0
00 0 0000000800810C2 8 BFBCF0C0000F00F 0 1 0
 0
00 0 0000000800810C 1CB FBCF0C0000F00 F01  
0 0
00 0 0000000800810C 1CB FBCF0C0000F00 F01  
0 0
00 0 0000000800810C 1CB FBCF0C0000F00 F01  
0 0
00 0 0000000800810C 1CB FBCF0C0000F00 F01  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 000000800018C0 1BCF CB0F0C00F000 F10  
00 0
 00 00000080001n�0 1BCF CB0F0C00F000 F10

Bootloader

~~The bootloader is a modified CFE.~~ At first I presumed the bootloader to be CFE, but after looking into it, it seems quite similar to Broadcom's aeolus bootloader (used to boot the zephyr).. It may have been the closed source forerunner to aeolus, I am not sure. Also, the same bootloader appears to be used on other netgear CG3xxx devices. *

While it is possible to select an image to boot, there is no prompt to do so, and the other usual option p does not work. (Note to self: try s, hell even try randomly pressing every key possible). In addition to this, I have been unable to access a CM> prompt, even after modifying and fashing the dyn settings. Note that the dyn settings were read correctly and the device continued to boot (seemingly) normally.

* Others have had success simply switching the bootloader to one from another device. See this. Maybe I could try this approach. If possible, I would be able to do more debugging with options such as reading memory (and taking a RAM dump). Might help decompilation, rather than working only off ROM.

Firmware reverse engineering

The compressed images can be found at offsets 0x020000 and 0x400000. A simple way to extract them would be to use flashrom and the attached layout file. Or, dump the entire contents of the rom and copy the relevant sections using some dd trickery. Both images can be decompressed using this tool by Broadcom.

On device #2 both images were identical. I have not yet even bothered making a dump of the dead device's flash.

Going back to what I said earlier, this device does not run linux. However, similar devices by netgear (CG3100*) may. The netgear sources list an alternative firmware version V5.5.4, which includes linux sources, hence why I said they may be of interest. In theory, the hardware is identical, so the sources could help porting linux to the CG3101D.

First attempts to run linux

I tried compiling the firmware for the CG3100 (from netgear's website). Take note of the two files commented in the Makefile:

	#ProgramStore2 -f vmlinux.bin -f2 rootfs.img -o $(FS_KERNEL_IMAGE_NAME) -v 002.17h -a 0x84010000 -n2 -p 65536 -c 4 -s 0x$(BRCM_CHIP);\
	#ProgramStore2 -f vmlinux.bin -f2 rootfs.img -o $(FS_KERNEL_IMAGE_NAME).mr0 -v 002.17h -a 0x80010000 -n2 -p 65536 -c 4 -s 0x$(BRCM_CHIP)

Compiled successfully, however I ran into trouble with ProgramStore. I was using this version which did not support a n2 flag, so no idea what that's about. I tried without, seemed to work. Note in the next logs, I did not bother with signature or version, hence the weird numbers.

After having compressed the image using ProgramStore, I padded them correctly so I could rewrite the flash with flashrom. Note: I did not mess witht the bootloader or any other partitions, only image1. Boot attempt:

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
WARNING: Signatures do not match!  This may be a bad image!
Image sig = 3350, chip sig = a0e7
Image 1 Program Header:
   Signature: 3350
     Control: 0105
   Major Rev: 0000
   Minor Rev: 0000
  Build Time: 2021/8/11 16:45:19 Z
 File Length: 1543888 bytes
Load Address: 84010000
    Filename: programstoreout.bin
         HCS: 59fa
         CRC: 77e09e0a

WARNING: Signatures do not match!  This may be a bad image!
Image sig = 3350, chip sig = a0e7

Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 2 at offset 400000
. 

Performing CRC on Image 1...
CRC time = 24409222
Detected dual image header.  Decompressing first image...
Detected LZMA compressed image... decompressing... 
Target Address: 0x84010000
decompressSpace is 0x4000000
Elapsed time 429545173

Decompression failed... 1
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.
Failed to load an image!  Rebooting...

After some more fucking about trying to purposely crash the thing (otherwise it would just continue and boot the second still original image left in flash), I accidentally discovered this:

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0105
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2021/8/11 17:40:36 Z
 File Length: 1543888 bytes
Load Address: 80010000
    Filename: programstoreout.bin
         HCS: ba11
         CRC: 77e09e0a


Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 2 at offset 400000
. 

Performing CRC on Image 1...
CRC time = 24409267
Detected dual image header.  Decompressing first image...
Detected LZMA compressed image... decompressing... 
Target Address: 0x80010000
decompressSpace is 0x4000000
Elapsed time 429543413

Decompression failed... 1
Unable to load selected image.


Performing CRC on Image 1...
Image 1 CRC failed!
Unable to load selected image.


Board IP Address  [0.0.0.0]:           hjhgjhgjghjghjghjhgjfhgfhjghjjhgj
Board IP Mask     [255.255.255.0]:     
Board IP Gateway  [0.0.0.0]:           
Board MAC Address [00:10:18:ff:ff:ff]: 

Internal/External phy? (e/i)[i] 
Waiting for link up...


Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset


Link up: 1G full


Mode Configuration Bits
=======================
 0x8000 Boot
 0x4000 Load-N-Go
 0x0004 Boot image 1
 0x0002 Verify image CRC
 0x0001 Prompt

Phy Selection
-------------
 0x0000  Default PHY
 0x0100  Internal EPHY
 0x0200  External EPHY

Enter hex value of desired features
MODE=8003: Enter new value: 


Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset



Mode Configuration Bits
=======================
 0x8000 Boot
 0x4000 Load-N-Go
 0x0004 Boot image 1
 0x0002 Verify image CRC
 0x0001 Prompt

Phy Selection
-------------
 0x0000  Default PHY
 0x0100  Internal EPHY
 0x0200  External EPHY

Enter hex value of desired features
MODE=8003: Enter new value: 8001
Updating MODE: 8001



Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset

Saving permanent non-vol...
Erasing sector at 00000000...

As it turns out pressing or holding 'g' during boot enters this menu. Next, I tried to bypass CRC and see if it would decompress and run my image.

P
BCM338031 TP0 
1
Sync:1 
346890
MemSize:             64 M

BootLoader Version: 2.3.0beta7 Pre-release Gnu pcminit spiboot reduced DDR drive
Build Date: Jul  2 2010
Build Time: 14:01:07
SPI flash ID 0x010216, size 8MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: a0e7

Reset BCM53115 - Low GPIO-16 5ms
Image 1 Program Header:
   Signature: a0e7
     Control: 0105
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2021/8/11 17:40:36 Z
 File Length: 1543888 bytes
Load Address: 80010000
    Filename: programstoreout.bin
         HCS: ba11
         CRC: 77e09e0a


Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 2 at offset 400000


Board IP Address  [0.0.0.0]:           ggggggggggggggggggggg
Board IP Mask     [255.255.255.0]:     
Board IP Gateway  [0.0.0.0]:           
Board MAC Address [00:10:18:ff:ff:ff]: 

Internal/External phy? (e/i)[i] 
Waiting for link up...


Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset



Mode Configuration Bits
=======================
 0x8000 Boot
 0x4000 Load-N-Go
 0x0004 Boot image 1
 0x0002 Verify image CRC
 0x0001 Prompt

Phy Selection
-------------
 0x0000  Default PHY
 0x0100  Internal EPHY
 0x0200  External EPHY

Enter hex value of desired features
MODE=8003: Enter new value: 8005
Updating MODE: 8005



Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset


Link up: 1G full
Image 1 Program Header:
   Signature: a0e7
     Control: 0105
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2021/8/11 17:40:36 Z
 File Length: 1543888 bytes
Load Address: 80010000
    Filename: programstoreout.bin
         HCS: ba11
         CRC: 77e09e0a


Found image 1 at offset 20000
Image 2 Program Header:
   Signature: a0e7
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2014/9/22 08:40:42 Z
 File Length: 3322126 bytes
Load Address: 80004000
    Filename: CG3101D-2VGUKS_V2.39.02u.bin
         HCS: 71d0
         CRC: 0fcc3057


Found image 2 at offset 400000
. 

Bypassing CRC Verifiction on Image 1...
CRC time = 133
Detected dual image header.  Decompressing first image...
Detected LZMA compressed image... decompressing... 
Target Address: 0x80010000
decompressSpace is 0x4000000
Elapsed time 429576371

Decompression failed... 1
Bypassing CRC Verifiction on Image 2...
CRC time = 115
Detected dual image header.  Decompressing first image...
Loading non-compressed image 2...
Target Address: 0xFFFFFFFF
Length: -1

******************** CRASH ********************

EXCEPTION TYPE: 3/TLB (store)
TP0
r00/00 = 00000000 r01/at = 83f8b920 r02/v0 = 83f90000 r03/v1 = ffffffff 
r04/a0 = a2f0005c r05/a1 = 00000000 r06/a2 = 00000001 r07/a3 = 00000002 
r08/t0 = ffffffff r09/t1 = 00000008 r10/t2 = ffffffff r11/t3 = 5d000010 
r12/t4 = 00000004 r13/t5 = 000000a8 r14/t6 = 00000000 r15/t7 = 00000000 
r16/s0 = 83f852dc r17/s1 = ac620000 r18/s2 = 0000002b r19/s3 = 00000003 
r20/s4 = 00000002 r21/s5 = 00000000 r22/s6 = 83fffe38 r23/s7 = 000062e4 
r24/t8 = 00000002 r25/t9 = 00001021 r26/k0 = 46460a0d r27/k1 = 00322e2e 
r28/gp = 9fc00d8c r29/sp = 83fffe30 r30/fp = 0000014d r31/ra = 83f852c4 

pc   : 0x83f852dc               sr  : 0x00000002
cause: 0x0000800c               addr: 0xffffffff

It still failed to decompress the image and when it falls back onto image 2, it crashes. Do note because the mode setting wasn't saved, rebooting the device allows it to boot image 2 (the stock image) just fine again.

Random bits found in the Netgear sources

These are for a similar model, but which seems to run linux as well, unlike the VMDG480. Processor is still a BCM3380, so this might help uncover some details.

defconfig.3380

#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.30-1.0.4
# Thu May 12 15:34:19 2011
#
CONFIG_MIPS=y

#
# Machine selection
#
CONFIG_ZONE_DMA=y
# CONFIG_MACH_ALCHEMY is not set
# CONFIG_BASLER_EXCITE is not set
CONFIG_MIPS_BRCM=y
# CONFIG_BCM47XX is not set
# CONFIG_MIPS_COBALT is not set
# CONFIG_MACH_DECSTATION is not set
# CONFIG_MACH_JAZZ is not set
# CONFIG_LASAT is not set
# CONFIG_LEMOTE_FULONG is not set
# CONFIG_MIPS_MALTA is not set
# CONFIG_MIPS_SIM is not set
# CONFIG_NEC_MARKEINS is not set
# CONFIG_MACH_VR41XX is not set
# CONFIG_NXP_STB220 is not set
# CONFIG_NXP_STB225 is not set
# CONFIG_PNX8550_JBS is not set
# CONFIG_PNX8550_STB810 is not set
# CONFIG_PMC_MSP is not set
# CONFIG_PMC_YOSEMITE is not set
# CONFIG_SGI_IP22 is not set
# CONFIG_SGI_IP27 is not set
# CONFIG_SGI_IP28 is not set
# CONFIG_SGI_IP32 is not set
# CONFIG_SIBYTE_CRHINE is not set
# CONFIG_SIBYTE_CARMEL is not set
# CONFIG_SIBYTE_CRHONE is not set
# CONFIG_SIBYTE_RHONE is not set
# CONFIG_SIBYTE_SWARM is not set
# CONFIG_SIBYTE_LITTLESUR is not set
# CONFIG_SIBYTE_SENTOSA is not set
# CONFIG_SIBYTE_BIGSUR is not set
# CONFIG_SNI_RM is not set
# CONFIG_MACH_TX39XX is not set
# CONFIG_MACH_TX49XX is not set
# CONFIG_MIKROTIK_RB532 is not set
# CONFIG_WR_PPMC is not set
# CONFIG_CAVIUM_OCTEON_SIMULATOR is not set
# CONFIG_CAVIUM_OCTEON_REFERENCE_BOARD is not set
# CONFIG_BCM96368 is not set
# CONFIG_BCM96816 is not set
# CONFIG_BCM96362 is not set
# CONFIG_BCM96328 is not set
CONFIG_BCM93380=y
CONFIG_BRCM_DCACHE_SHARED=y
CONFIG_BCM_BOARD=y
CONFIG_BCM_SERIAL=y
# CONFIG_BCM_PKTFLOW is not set
# CONFIG_BCM_BCMDSP is not set
CONFIG_BCM_LOT1=y
CONFIG_BCM_VECTOR=y
# CONFIG_BCM_RAMDISK is not set
# CONFIG_BCM_T0_IDLE is not set
CONFIG_BCM_UPPER_MEM=y
# CONFIG_BCM_IOP is not set
# CONFIG_BCM_IOPLIB is not set
# CONFIG_BCM_FPM is not set
# CONFIG_BCM_VENET is not set
CONFIG_BCM_PLATFORM_DEVS=y
# CONFIG_BCM_USB_HOST is not set
CONFIG_BCM_BOARD_IMPL=1
CONFIG_BCM_SERIAL_IMPL=1
CONFIG_BCM_PKTFLOW_IMPL=1
CONFIG_BCM_BCMDSP_IMPL=0
CONFIG_BCM_VENET_IMPL=0
CONFIG_BCM_USB_HOST_IMPL=2
CONFIG_ROOTFS_SQUASHFS=y
# CONFIG_ROOTFS_CRAMFS is not set
# CONFIG_ROOTFS_UBIFS is not set
# CONFIG_ROOTFS_JFFS2 is not set
# CONFIG_ROOTFS_NFS is not set
CONFIG_ROOT_FLASHFS="root=31:0 ro noinitrd"
# CONFIG_BRCM_KTOOLS is not set
CONFIG_RWSEM_GENERIC_SPINLOCK=y
# CONFIG_ARCH_HAS_ILOG2_U32 is not set
# CONFIG_ARCH_HAS_ILOG2_U64 is not set
CONFIG_ARCH_SUPPORTS_OPROFILE=y
CONFIG_GENERIC_FIND_NEXT_BIT=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_GENERIC_TIME=y
CONFIG_GENERIC_CMOS_UPDATE=y
CONFIG_SCHED_OMIT_FRAME_POINTER=y
CONFIG_GENERIC_HARDIRQS_NO__DO_IRQ=y
CONFIG_CEVT_R4K_LIB=y
CONFIG_CEVT_R4K=y
CONFIG_CSRC_R4K_LIB=y
CONFIG_CSRC_R4K=y
CONFIG_DMA_NONCOHERENT=y
CONFIG_DMA_NEED_PCI_MAP_STATE=y
# CONFIG_HOTPLUG_CPU is not set
# CONFIG_NO_IOPORT is not set
CONFIG_CPU_BIG_ENDIAN=y
# CONFIG_CPU_LITTLE_ENDIAN is not set
CONFIG_SYS_SUPPORTS_BIG_ENDIAN=y
CONFIG_IRQ_CPU=y
CONFIG_MIPS_L1_CACHE_SHIFT=4

#
# CPU selection
#
# CONFIG_CPU_LOONGSON2 is not set
CONFIG_CPU_MIPS32_R1=y
# CONFIG_CPU_MIPS32_R2 is not set
# CONFIG_CPU_MIPS64_R1 is not set
# CONFIG_CPU_MIPS64_R2 is not set
# CONFIG_CPU_R3000 is not set
# CONFIG_CPU_TX39XX is not set
# CONFIG_CPU_VR41XX is not set
# CONFIG_CPU_R4300 is not set
# CONFIG_CPU_R4X00 is not set
# CONFIG_CPU_TX49XX is not set
# CONFIG_CPU_R5000 is not set
# CONFIG_CPU_R5432 is not set
# CONFIG_CPU_R5500 is not set
# CONFIG_CPU_R6000 is not set
# CONFIG_CPU_NEVADA is not set
# CONFIG_CPU_R8000 is not set
# CONFIG_CPU_R10000 is not set
# CONFIG_CPU_RM7000 is not set
# CONFIG_CPU_RM9000 is not set
# CONFIG_CPU_SB1 is not set
# CONFIG_CPU_CAVIUM_OCTEON is not set
CONFIG_SYS_HAS_CPU_MIPS32_R1=y
CONFIG_CPU_MIPS32=y
CONFIG_CPU_MIPSR1=y
CONFIG_SYS_SUPPORTS_32BIT_KERNEL=y
CONFIG_CPU_SUPPORTS_32BIT_KERNEL=y
CONFIG_HARDWARE_WATCHPOINTS=y

#
# Kernel type
#
CONFIG_32BIT=y
# CONFIG_64BIT is not set
CONFIG_PAGE_SIZE_4KB=y
# CONFIG_PAGE_SIZE_8KB is not set
# CONFIG_PAGE_SIZE_16KB is not set
# CONFIG_PAGE_SIZE_32KB is not set
# CONFIG_PAGE_SIZE_64KB is not set
CONFIG_CPU_HAS_PREFETCH=y
CONFIG_MIPS_MT_DISABLED=y
# CONFIG_MIPS_MT_SMP is not set
# CONFIG_MIPS_MT_SMTC is not set
CONFIG_CPU_HAS_LLSC=y
CONFIG_CPU_HAS_SYNC=y
CONFIG_GENERIC_HARDIRQS=y
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_CPU_SUPPORTS_HIGHMEM=y
CONFIG_ARCH_FLATMEM_ENABLE=y
CONFIG_ARCH_POPULATES_NODE_MAP=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
# CONFIG_DISCONTIGMEM_MANUAL is not set
# CONFIG_SPARSEMEM_MANUAL is not set
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_PAGEFLAGS_EXTENDED=y
CONFIG_SPLIT_PTLOCK_CPUS=4
# CONFIG_PHYS_ADDR_T_64BIT is not set
CONFIG_ZONE_DMA_FLAG=1
CONFIG_BOUNCE=y
CONFIG_VIRT_TO_BUS=y
# CONFIG_UNEVICTABLE_LRU is not set
CONFIG_HAVE_MLOCK=y
# CONFIG_SMP is not set
CONFIG_SYS_SUPPORTS_SMP=y
CONFIG_NR_CPUS_DEFAULT_2=y
# CONFIG_NO_HZ is not set
# CONFIG_HIGH_RES_TIMERS is not set
CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
# CONFIG_HZ_48 is not set
# CONFIG_HZ_100 is not set
# CONFIG_HZ_128 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_256 is not set
CONFIG_HZ_1000=y
# CONFIG_HZ_1024 is not set
CONFIG_SYS_SUPPORTS_ARBIT_HZ=y
CONFIG_HZ=1000
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_PREEMPT_SOFTIRQS=y
CONFIG_BRCM_SOFTIRQ_BASE_RT_PRIO=5
# CONFIG_KEXEC is not set
# CONFIG_SECCOMP is not set
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"

#
# General setup
#
CONFIG_EXPERIMENTAL=y
CONFIG_BROKEN_ON_SMP=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
# CONFIG_SWAP is not set
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
# CONFIG_POSIX_MQUEUE is not set
# CONFIG_BSD_PROCESS_ACCT is not set
# CONFIG_TASKSTATS is not set
# CONFIG_AUDIT is not set

#
# RCU Subsystem
#
CONFIG_CLASSIC_RCU=y
# CONFIG_TREE_RCU is not set
# CONFIG_PREEMPT_RCU is not set
# CONFIG_TREE_RCU_TRACE is not set
# CONFIG_PREEMPT_RCU_TRACE is not set
# CONFIG_IKCONFIG is not set
CONFIG_LOG_BUF_SHIFT=14
# CONFIG_GROUP_SCHED is not set
# CONFIG_CGROUPS is not set
# CONFIG_SYSFS_DEPRECATED_V2 is not set
# CONFIG_RELAY is not set
# CONFIG_NAMESPACES is not set
# CONFIG_BLK_DEV_INITRD is not set
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_SYSCTL=y
CONFIG_EMBEDDED=y
CONFIG_SYSCTL_SYSCALL=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
CONFIG_KALLSYMS_EXTRA_PASS=y
# CONFIG_STRIP_ASM_SYMS is not set
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
# CONFIG_ELF_CORE is not set
# CONFIG_PCSPKR_PLATFORM is not set
CONFIG_BASE_FULL=y
# CONFIG_FUTEX is not set
# CONFIG_EPOLL is not set
# CONFIG_SIGNALFD is not set
# CONFIG_TIMERFD is not set
# CONFIG_EVENTFD is not set
# CONFIG_SHMEM is not set
# CONFIG_AIO is not set
CONFIG_VM_EVENT_COUNTERS=y
# CONFIG_COMPAT_BRK is not set
CONFIG_SLAB=y
# CONFIG_SLUB is not set
# CONFIG_SLOB is not set
# CONFIG_PROFILING is not set
# CONFIG_MARKERS is not set
CONFIG_HAVE_OPROFILE=y
# CONFIG_SLOW_WORK is not set
# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
CONFIG_SLABINFO=y
CONFIG_BASE_SMALL=0
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_BLOCK=y
# CONFIG_LBD is not set
# CONFIG_BLK_DEV_BSG is not set
# CONFIG_BLK_DEV_INTEGRITY is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
# CONFIG_IOSCHED_AS is not set
# CONFIG_IOSCHED_DEADLINE is not set
# CONFIG_IOSCHED_CFQ is not set
# CONFIG_DEFAULT_AS is not set
# CONFIG_DEFAULT_DEADLINE is not set
# CONFIG_DEFAULT_CFQ is not set
CONFIG_DEFAULT_NOOP=y
CONFIG_DEFAULT_IOSCHED="noop"
# CONFIG_FREEZER is not set

#
# Bus options (PCI, PCMCIA, EISA, ISA, TC)
#
# CONFIG_ARCH_SUPPORTS_MSI is not set
CONFIG_MMU=y
# CONFIG_PCCARD is not set

#
# Executable file formats
#
CONFIG_BINFMT_ELF=y
# CONFIG_HAVE_AOUT is not set
# CONFIG_BINFMT_MISC is not set
CONFIG_TRAD_SIGNALS=y
# CONFIG_BRCM_CSTAT is not set
# CONFIG_BRCM_IKOS is not set

#
# Power management options
#
CONFIG_ARCH_SUSPEND_POSSIBLE=y
# CONFIG_PM is not set
CONFIG_NET=y

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_NET_KEY=y
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
# CONFIG_BLOG is not set
# CONFIG_BLOG_IPV6 is not set
# CONFIG_BLOG_MCAST is not set
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# CONFIG_ARPD is not set
# CONFIG_SYN_COOKIES is not set
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
# CONFIG_INET_XFRM_MODE_BEET is not set
# CONFIG_INET_LRO is not set
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
# CONFIG_IPV6 is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETFILTER is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
CONFIG_ATM=y
# CONFIG_ATM_CLIP is not set
# CONFIG_ATM_LANE is not set
# CONFIG_ATM_BR2684 is not set
CONFIG_STP=y
CONFIG_BRIDGE=y
CONFIG_BR_IGMP_SNOOP=y
CONFIG_BR_IGMP_SNOOP_SWITCH_PATCH=y
# CONFIG_BR_MLD_SNOOP is not set
# CONFIG_NET_DSA is not set
CONFIG_VLAN_8021Q=y
# CONFIG_VLAN_8021Q_GVRP is not set
# CONFIG_DECNET is not set
CONFIG_LLC=y
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_PHONET is not set
CONFIG_NET_SCHED=y

#
# Queueing/Scheduling
#
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_HTB=y
# CONFIG_NET_SCH_HFSC is not set
# CONFIG_NET_SCH_ATM is not set
CONFIG_NET_SCH_PRIO=y
# CONFIG_NET_SCH_MULTIQ is not set
# CONFIG_NET_SCH_RED is not set
CONFIG_NET_SCH_SFQ=y
# CONFIG_NET_SCH_TEQL is not set
CONFIG_NET_SCH_TBF=y
# CONFIG_NET_SCH_GRED is not set
CONFIG_NET_SCH_DSMARK=y
# CONFIG_NET_SCH_NETEM is not set
# CONFIG_NET_SCH_DRR is not set
CONFIG_NET_SCH_INGRESS=y

#
# Classification
#
CONFIG_NET_CLS=y
# CONFIG_NET_CLS_BASIC is not set
CONFIG_NET_CLS_TCINDEX=y
CONFIG_NET_CLS_ROUTE4=y
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=y
CONFIG_NET_CLS_U32=y
# CONFIG_CLS_U32_PERF is not set
# CONFIG_CLS_U32_MARK is not set
# CONFIG_NET_CLS_RSVP is not set
# CONFIG_NET_CLS_RSVP6 is not set
# CONFIG_NET_CLS_FLOW is not set
# CONFIG_NET_EMATCH is not set
CONFIG_NET_CLS_ACT=y
CONFIG_NET_ACT_POLICE=y
# CONFIG_NET_ACT_GACT is not set
CONFIG_NET_ACT_MIRRED=y
# CONFIG_NET_ACT_NAT is not set
# CONFIG_NET_ACT_PEDIT is not set
# CONFIG_NET_ACT_SIMP is not set
# CONFIG_NET_ACT_SKBEDIT is not set
CONFIG_NET_CLS_IND=y
CONFIG_NET_SCH_FIFO=y
# CONFIG_DCB is not set

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_CAN is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_AF_RXRPC is not set
CONFIG_FIB_RULES=y
# CONFIG_WIRELESS is not set
# CONFIG_WIMAX is not set
# CONFIG_RFKILL is not set
# CONFIG_NET_9P is not set

#
# Device Drivers
#

#
# Generic Driver Options
#
CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
# CONFIG_FW_LOADER is not set
# CONFIG_DEBUG_DRIVER is not set
# CONFIG_DEBUG_DEVRES is not set
# CONFIG_SYS_HYPERVISOR is not set
# CONFIG_CONNECTOR is not set
CONFIG_MTD=y
# CONFIG_MTD_DEBUG is not set
# CONFIG_MTD_CONCAT is not set
# CONFIG_MTD_PARTITIONS is not set
# CONFIG_MTD_TESTS is not set

#
# User Modules And Translation Layers
#
# CONFIG_MTD_CHAR is not set
CONFIG_MTD_BLKDEVS=y
# CONFIG_MTD_BLOCK is not set
CONFIG_MTD_BLOCK_RO=y
# CONFIG_FTL is not set
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set
# CONFIG_RFD_FTL is not set
# CONFIG_SSFDC is not set
# CONFIG_MTD_OOPS is not set

#
# RAM/ROM/Flash chip drivers
#
# CONFIG_MTD_CFI is not set
# CONFIG_MTD_JEDECPROBE is not set
CONFIG_MTD_MAP_BANK_WIDTH_1=y
CONFIG_MTD_MAP_BANK_WIDTH_2=y
CONFIG_MTD_MAP_BANK_WIDTH_4=y
# CONFIG_MTD_MAP_BANK_WIDTH_8 is not set
# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set
# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set
CONFIG_MTD_CFI_I1=y
CONFIG_MTD_CFI_I2=y
# CONFIG_MTD_CFI_I4 is not set
# CONFIG_MTD_CFI_I8 is not set
# CONFIG_MTD_RAM is not set
CONFIG_MTD_ROM=y
# CONFIG_MTD_ABSENT is not set

#
# Mapping drivers for chip access
#
CONFIG_MTD_COMPLEX_MAPPINGS=y
# CONFIG_MTD_PHYSMAP is not set
CONFIG_MTD_BCM963XX=y
# CONFIG_MTD_PLATRAM is not set

#
# Self-contained MTD device drivers
#
# CONFIG_MTD_DATAFLASH is not set
# CONFIG_MTD_M25P80 is not set
# CONFIG_MTD_SLRAM is not set
# CONFIG_MTD_PHRAM is not set
# CONFIG_MTD_MTDRAM is not set
# CONFIG_MTD_BLOCK2MTD is not set

#
# Disk-On-Chip Device Drivers
#
# CONFIG_MTD_DOC2000 is not set
# CONFIG_MTD_DOC2001 is not set
# CONFIG_MTD_DOC2001PLUS is not set
# CONFIG_MTD_NAND is not set
# CONFIG_MTD_ONENAND is not set

#
# LPDDR flash memory drivers
#
# CONFIG_MTD_LPDDR is not set

#
# UBI - Unsorted block images
#
# CONFIG_MTD_UBI is not set
# CONFIG_MTD_BRCMNAND is not set
# CONFIG_PARPORT is not set
CONFIG_BLK_DEV=y
# CONFIG_BLK_DEV_COW_COMMON is not set
# CONFIG_BLK_DEV_LOOP is not set
# CONFIG_BLK_DEV_NBD is not set
# CONFIG_BLK_DEV_RAM is not set
# CONFIG_CDROM_PKTCDVD is not set
# CONFIG_ATA_OVER_ETH is not set
# CONFIG_BLK_DEV_HD is not set
CONFIG_MISC_DEVICES=y
# CONFIG_ENCLOSURE_SERVICES is not set
# CONFIG_C2PORT is not set

#
# EEPROM support
#
# CONFIG_EEPROM_AT25 is not set
# CONFIG_EEPROM_93CX6 is not set
CONFIG_HAVE_IDE=y
# CONFIG_IDE is not set

#
# SCSI device support
#
# CONFIG_RAID_ATTRS is not set
CONFIG_SCSI=y
CONFIG_SCSI_DMA=y
CONFIG_SCSI_TGT=y
# CONFIG_SCSI_NETLINK is not set
CONFIG_SCSI_PROC_FS=y

#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=m
# CONFIG_CHR_DEV_ST is not set
# CONFIG_CHR_DEV_OSST is not set
CONFIG_BLK_DEV_SR=m
# CONFIG_BLK_DEV_SR_VENDOR is not set
CONFIG_CHR_DEV_SG=m
# CONFIG_CHR_DEV_SCH is not set

#
# Some SCSI devices (e.g. CD jukebox) support multiple LUNs
#
# CONFIG_SCSI_MULTI_LUN is not set
# CONFIG_SCSI_CONSTANTS is not set
CONFIG_SCSI_LOGGING=y
# CONFIG_SCSI_SCAN_ASYNC is not set
CONFIG_SCSI_WAIT_SCAN=m

#
# SCSI Transports
#
# CONFIG_SCSI_SPI_ATTRS is not set
# CONFIG_SCSI_FC_ATTRS is not set
# CONFIG_SCSI_ISCSI_ATTRS is not set
# CONFIG_SCSI_SAS_LIBSAS is not set
# CONFIG_SCSI_SRP_ATTRS is not set
# CONFIG_SCSI_LOWLEVEL is not set
# CONFIG_SCSI_DH is not set
# CONFIG_SCSI_OSD_INITIATOR is not set
# CONFIG_ATA is not set
# CONFIG_MD is not set
CONFIG_NETDEVICES=y
CONFIG_COMPAT_NET_DEV_OPS=y
CONFIG_IFB=y
# CONFIG_DUMMY is not set
# CONFIG_BONDING is not set
# CONFIG_MACVLAN is not set
# CONFIG_EQUALIZER is not set
# CONFIG_TUN is not set
# CONFIG_VETH is not set
# CONFIG_PHYLIB is not set
CONFIG_NET_ETHERNET=y
CONFIG_MII=m
# CONFIG_AX88796 is not set
# CONFIG_SMC91X is not set
# CONFIG_DM9000 is not set
# CONFIG_ENC28J60 is not set
# CONFIG_ETHOC is not set
# CONFIG_DNET is not set
# CONFIG_IBM_NEW_EMAC_ZMII is not set
# CONFIG_IBM_NEW_EMAC_RGMII is not set
# CONFIG_IBM_NEW_EMAC_TAH is not set
# CONFIG_IBM_NEW_EMAC_EMAC4 is not set
# CONFIG_IBM_NEW_EMAC_NO_FLOW_CTRL is not set
# CONFIG_IBM_NEW_EMAC_MAL_CLR_ICINTSTAT is not set
# CONFIG_IBM_NEW_EMAC_MAL_COMMON_ERR is not set
# CONFIG_B44 is not set
CONFIG_NETDEV_1000=y
CONFIG_NETDEV_10000=y

#
# Wireless LAN
#
# CONFIG_WLAN_PRE80211 is not set
# CONFIG_WLAN_80211 is not set

#
# Enable WiMAX (Networking options) to see the WiMAX drivers
#
# CONFIG_WAN is not set
CONFIG_ATM_DRIVERS=y
# CONFIG_ATM_DUMMY is not set
# CONFIG_ATM_TCP is not set
CONFIG_PPP=y
# CONFIG_PPP_MULTILINK is not set
CONFIG_PPP_FILTER=y
# CONFIG_PPP_ASYNC is not set
# CONFIG_PPP_SYNC_TTY is not set
# CONFIG_PPP_DEFLATE is not set
# CONFIG_PPP_BSDCOMP is not set
# CONFIG_PPP_MPPE is not set
CONFIG_PPPOE=y
# CONFIG_PPPOATM is not set
# CONFIG_PPPOL2TP is not set
# CONFIG_SLIP is not set
CONFIG_SLHC=y
# CONFIG_NETCONSOLE is not set
# CONFIG_NETPOLL is not set
# CONFIG_NET_POLL_CONTROLLER is not set
# CONFIG_ISDN is not set
# CONFIG_PHONE is not set

#
# Input device support
#
# CONFIG_INPUT is not set

#
# Hardware I/O ports
#
# CONFIG_SERIO is not set
# CONFIG_GAMEPORT is not set

#
# Character devices
#
# CONFIG_VT is not set
CONFIG_DEVKMEM=y
# CONFIG_SERIAL_NONSTANDARD is not set

#
# Serial drivers
#
CONFIG_BCM_SERIAL_CONSOLE=y
# CONFIG_SERIAL_8250 is not set

#
# Non-8250 serial port support
#
# CONFIG_SERIAL_MAX3100 is not set
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
# CONFIG_UNIX98_PTYS is not set
CONFIG_LEGACY_PTYS=y
CONFIG_LEGACY_PTY_COUNT=2
# CONFIG_IPMI_HANDLER is not set
# CONFIG_HW_RANDOM is not set
# CONFIG_R3964 is not set
# CONFIG_RAW_DRIVER is not set
# CONFIG_TCG_TPM is not set
# CONFIG_I2C is not set
CONFIG_SPI=y
# CONFIG_SPI_DEBUG is not set
CONFIG_SPI_MASTER=y

#
# SPI Master Controller Drivers
#
# CONFIG_SPI_BITBANG is not set

#
# SPI Protocol Masters
#
# CONFIG_SPI_SPIDEV is not set
# CONFIG_SPI_TLE62X0 is not set
# CONFIG_W1 is not set
# CONFIG_POWER_SUPPLY is not set
# CONFIG_HWMON is not set
# CONFIG_THERMAL is not set
# CONFIG_THERMAL_HWMON is not set
# CONFIG_WATCHDOG is not set
CONFIG_SSB_POSSIBLE=y

#
# Sonics Silicon Backplane
#
# CONFIG_SSB is not set

#
# Multifunction device drivers
#
# CONFIG_MFD_CORE is not set
# CONFIG_MFD_SM501 is not set
# CONFIG_HTC_PASIC3 is not set
# CONFIG_MFD_TMIO is not set
# CONFIG_REGULATOR is not set

#
# Multimedia devices
#

#
# Multimedia core support
#
# CONFIG_VIDEO_DEV is not set
# CONFIG_DVB_CORE is not set
# CONFIG_VIDEO_MEDIA is not set

#
# Multimedia drivers
#
# CONFIG_DAB is not set

#
# Graphics support
#
# CONFIG_VGASTATE is not set
# CONFIG_VIDEO_OUTPUT_CONTROL is not set
# CONFIG_FB is not set
# CONFIG_BACKLIGHT_LCD_SUPPORT is not set

#
# Display device support
#
# CONFIG_DISPLAY_SUPPORT is not set
# CONFIG_SOUND is not set
CONFIG_USB_SUPPORT=y
# CONFIG_USB_ARCH_HAS_HCD is not set
# CONFIG_USB_ARCH_HAS_OHCI is not set
# CONFIG_USB_ARCH_HAS_EHCI is not set
# CONFIG_USB_OTG_WHITELIST is not set
# CONFIG_USB_OTG_BLACKLIST_HUB is not set

#
# Enable Host or Gadget support to see Inventra options
#

#
# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may
#
# CONFIG_USB_GADGET is not set

#
# OTG and related infrastructure
#
# CONFIG_MMC is not set
# CONFIG_MEMSTICK is not set
# CONFIG_NEW_LEDS is not set
# CONFIG_ACCESSIBILITY is not set
CONFIG_RTC_LIB=y
# CONFIG_RTC_CLASS is not set
# CONFIG_DMADEVICES is not set
# CONFIG_AUXDISPLAY is not set
# CONFIG_UIO is not set
# CONFIG_STAGING is not set

#
# File systems
#
# CONFIG_EXT2_FS is not set
CONFIG_EXT3_FS=y
# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_POSIX_ACL is not set
# CONFIG_EXT3_FS_SECURITY is not set
# CONFIG_EXT4_FS is not set
CONFIG_JBD=y
CONFIG_FS_MBCACHE=y
# CONFIG_REISERFS_FS is not set
# CONFIG_JFS_FS is not set
# CONFIG_FS_POSIX_ACL is not set
CONFIG_FILE_LOCKING=y
# CONFIG_XFS_FS is not set
# CONFIG_OCFS2_FS is not set
# CONFIG_BTRFS_FS is not set
# CONFIG_DNOTIFY is not set
# CONFIG_INOTIFY is not set
# CONFIG_QUOTA is not set
# CONFIG_AUTOFS_FS is not set
# CONFIG_AUTOFS4_FS is not set
CONFIG_FUSE_FS=y

#
# Caches
#
# CONFIG_FSCACHE is not set

#
# CD-ROM/DVD Filesystems
#
# CONFIG_ISO9660_FS is not set
# CONFIG_UDF_FS is not set

#
# DOS/FAT/NT Filesystems
#
CONFIG_FAT_FS=y
# CONFIG_MSDOS_FS is not set
CONFIG_VFAT_FS=y
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
# CONFIG_NTFS_FS is not set

#
# Pseudo filesystems
#
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_SYSCTL=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
# CONFIG_TMPFS_POSIX_ACL is not set
# CONFIG_HUGETLB_PAGE is not set
# CONFIG_CONFIGFS_FS is not set
CONFIG_MISC_FILESYSTEMS=y
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_HFSPLUS_FS is not set
# CONFIG_BEFS_FS is not set
# CONFIG_BFS_FS is not set
# CONFIG_EFS_FS is not set
# CONFIG_JFFS2_FS is not set
# CONFIG_CRAMFS is not set
CONFIG_SQUASHFS=y
CONFIG_SQUASHFS_EMBEDDED=y
CONFIG_SQUASHFS_BLOCK_SIZE=65536
CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=1
# CONFIG_VXFS_FS is not set
# CONFIG_MINIX_FS is not set
# CONFIG_OMFS_FS is not set
# CONFIG_HPFS_FS is not set
# CONFIG_QNX4FS_FS is not set
# CONFIG_ROMFS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_NILFS2_FS is not set
CONFIG_NETWORK_FILESYSTEMS=y
CONFIG_NFS_FS=y
CONFIG_NFS_V3=y
# CONFIG_NFS_V3_ACL is not set
# CONFIG_NFS_V4 is not set
# CONFIG_NFSD is not set
CONFIG_LOCKD=y
CONFIG_LOCKD_V4=y
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=y
# CONFIG_RPCSEC_GSS_KRB5 is not set
# CONFIG_RPCSEC_GSS_SPKM3 is not set
# CONFIG_SMB_FS is not set
# CONFIG_CIFS is not set
# CONFIG_NCP_FS is not set
# CONFIG_CODA_FS is not set
# CONFIG_AFS_FS is not set

#
# Partition Types
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
# CONFIG_OSF_PARTITION is not set
# CONFIG_AMIGA_PARTITION is not set
# CONFIG_ATARI_PARTITION is not set
# CONFIG_MAC_PARTITION is not set
CONFIG_MSDOS_PARTITION=y
# CONFIG_BSD_DISKLABEL is not set
# CONFIG_MINIX_SUBPARTITION is not set
# CONFIG_SOLARIS_X86_PARTITION is not set
# CONFIG_UNIXWARE_DISKLABEL is not set
CONFIG_LDM_PARTITION=y
# CONFIG_LDM_DEBUG is not set
# CONFIG_SGI_PARTITION is not set
# CONFIG_ULTRIX_PARTITION is not set
# CONFIG_SUN_PARTITION is not set
# CONFIG_KARMA_PARTITION is not set
# CONFIG_EFI_PARTITION is not set
# CONFIG_SYSV68_PARTITION is not set
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="iso8859-1"
CONFIG_NLS_CODEPAGE_437=y
# CONFIG_NLS_CODEPAGE_737 is not set
# CONFIG_NLS_CODEPAGE_775 is not set
# CONFIG_NLS_CODEPAGE_850 is not set
# CONFIG_NLS_CODEPAGE_852 is not set
# CONFIG_NLS_CODEPAGE_855 is not set
# CONFIG_NLS_CODEPAGE_857 is not set
# CONFIG_NLS_CODEPAGE_860 is not set
# CONFIG_NLS_CODEPAGE_861 is not set
# CONFIG_NLS_CODEPAGE_862 is not set
# CONFIG_NLS_CODEPAGE_863 is not set
# CONFIG_NLS_CODEPAGE_864 is not set
# CONFIG_NLS_CODEPAGE_865 is not set
# CONFIG_NLS_CODEPAGE_866 is not set
# CONFIG_NLS_CODEPAGE_869 is not set
# CONFIG_NLS_CODEPAGE_936 is not set
# CONFIG_NLS_CODEPAGE_950 is not set
# CONFIG_NLS_CODEPAGE_932 is not set
# CONFIG_NLS_CODEPAGE_949 is not set
# CONFIG_NLS_CODEPAGE_874 is not set
# CONFIG_NLS_ISO8859_8 is not set
# CONFIG_NLS_CODEPAGE_1250 is not set
# CONFIG_NLS_CODEPAGE_1251 is not set
# CONFIG_NLS_ASCII is not set
CONFIG_NLS_ISO8859_1=y
# CONFIG_NLS_ISO8859_2 is not set
# CONFIG_NLS_ISO8859_3 is not set
# CONFIG_NLS_ISO8859_4 is not set
# CONFIG_NLS_ISO8859_5 is not set
# CONFIG_NLS_ISO8859_6 is not set
# CONFIG_NLS_ISO8859_7 is not set
# CONFIG_NLS_ISO8859_9 is not set
# CONFIG_NLS_ISO8859_13 is not set
# CONFIG_NLS_ISO8859_14 is not set
# CONFIG_NLS_ISO8859_15 is not set
# CONFIG_NLS_KOI8_R is not set
# CONFIG_NLS_KOI8_U is not set
# CONFIG_NLS_UTF8 is not set
# CONFIG_DLM is not set

#
# Kernel hacking
#
CONFIG_TRACE_IRQFLAGS_SUPPORT=y
# CONFIG_PRINTK_TIME is not set
# CONFIG_ENABLE_WARN_DEPRECATED is not set
CONFIG_ENABLE_MUST_CHECK=y
CONFIG_FRAME_WARN=1024
# CONFIG_MAGIC_SYSRQ is not set
# CONFIG_UNUSED_SYMBOLS is not set
# CONFIG_DEBUG_FS is not set
# CONFIG_HEADERS_CHECK is not set
CONFIG_DEBUG_KERNEL=y
# CONFIG_DEBUG_SHIRQ is not set
CONFIG_DETECT_SOFTLOCKUP=y
# CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC is not set
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC_VALUE=0
CONFIG_DETECT_HUNG_TASK=y
# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
CONFIG_SCHED_DEBUG=y
# CONFIG_SCHEDSTATS is not set
# CONFIG_TIMER_STATS is not set
# CONFIG_DEBUG_OBJECTS is not set
# CONFIG_DEBUG_SLAB is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_LOCK_ALLOC is not set
# CONFIG_PROVE_LOCKING is not set
# CONFIG_LOCK_STAT is not set
# CONFIG_DEBUG_SPINLOCK_SLEEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
# CONFIG_DEBUG_KOBJECT is not set
# CONFIG_DEBUG_INFO is not set
# CONFIG_DEBUG_VM is not set
# CONFIG_DEBUG_WRITECOUNT is not set
# CONFIG_DEBUG_MEMORY_INIT is not set
# CONFIG_DEBUG_LIST is not set
# CONFIG_DEBUG_SG is not set
# CONFIG_DEBUG_NOTIFIERS is not set
# CONFIG_BOOT_PRINTK_DELAY is not set
# CONFIG_RCU_TORTURE_TEST is not set
CONFIG_RCU_CPU_STALL_DETECTOR=y
# CONFIG_BACKTRACE_SELF_TEST is not set
# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
# CONFIG_FAULT_INJECTION is not set
CONFIG_SYSCTL_SYSCALL_CHECK=y
# CONFIG_PAGE_POISONING is not set
CONFIG_TRACING_SUPPORT=y

#
# Tracers
#
# CONFIG_IRQSOFF_TRACER is not set
# CONFIG_SCHED_TRACER is not set
# CONFIG_CONTEXT_SWITCH_TRACER is not set
# CONFIG_EVENT_TRACER is not set
# CONFIG_BOOT_TRACER is not set
# CONFIG_TRACE_BRANCH_PROFILING is not set
# CONFIG_KMEMTRACE is not set
# CONFIG_WORKQUEUE_TRACER is not set
# CONFIG_BLK_DEV_IO_TRACE is not set
# CONFIG_SAMPLES is not set
CONFIG_HAVE_ARCH_KGDB=y
# CONFIG_KGDB is not set
CONFIG_CMDLINE="console=ttyS0,115200"
# CONFIG_DEBUG_STACK_USAGE is not set
# CONFIG_RUNTIME_DEBUG is not set

#
# Security options
#
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
CONFIG_CRYPTO=y

#
# Crypto core or helper
#
# CONFIG_CRYPTO_FIPS is not set
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_PCOMP=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
# CONFIG_CRYPTO_GF128MUL is not set
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_WORKQUEUE=y
# CONFIG_CRYPTO_CRYPTD is not set
CONFIG_CRYPTO_AUTHENC=y
# CONFIG_CRYPTO_TEST is not set

#
# Authenticated Encryption with Associated Data
#
# CONFIG_CRYPTO_CCM is not set
# CONFIG_CRYPTO_GCM is not set
# CONFIG_CRYPTO_SEQIV is not set

#
# Block modes
#
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_CTR is not set
# CONFIG_CRYPTO_CTS is not set
CONFIG_CRYPTO_ECB=m
# CONFIG_CRYPTO_LRW is not set
CONFIG_CRYPTO_PCBC=m
# CONFIG_CRYPTO_XTS is not set

#
# Hash modes
#
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_XCBC is not set

#
# Digest
#
# CONFIG_CRYPTO_CRC32C is not set
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=y
# CONFIG_CRYPTO_MICHAEL_MIC is not set
# CONFIG_CRYPTO_RMD128 is not set
# CONFIG_CRYPTO_RMD160 is not set
# CONFIG_CRYPTO_RMD256 is not set
# CONFIG_CRYPTO_RMD320 is not set
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_SHA256 is not set
# CONFIG_CRYPTO_SHA512 is not set
# CONFIG_CRYPTO_TGR192 is not set
# CONFIG_CRYPTO_WP512 is not set

#
# Ciphers
#
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_ANUBIS is not set
# CONFIG_CRYPTO_ARC4 is not set
# CONFIG_CRYPTO_BLOWFISH is not set
# CONFIG_CRYPTO_CAMELLIA is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST6 is not set
CONFIG_CRYPTO_DES=y
# CONFIG_CRYPTO_FCRYPT is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_SALSA20 is not set
# CONFIG_CRYPTO_SEED is not set
# CONFIG_CRYPTO_SERPENT is not set
# CONFIG_CRYPTO_TEA is not set
# CONFIG_CRYPTO_TWOFISH is not set

#
# Compression
#
# CONFIG_CRYPTO_DEFLATE is not set
# CONFIG_CRYPTO_ZLIB is not set
# CONFIG_CRYPTO_LZO is not set

#
# Random Number Generation
#
# CONFIG_CRYPTO_ANSI_CPRNG is not set
# CONFIG_CRYPTO_HW is not set
# CONFIG_BINARY_PRINTF is not set

#
# Library routines
#
CONFIG_BITREVERSE=m
CONFIG_GENERIC_FIND_LAST_BIT=y
CONFIG_CRC_CCITT=y
# CONFIG_CRC16 is not set
# CONFIG_CRC_T10DIF is not set
# CONFIG_CRC_ITU_T is not set
CONFIG_CRC32=m
# CONFIG_CRC7 is not set
# CONFIG_LIBCRC32C is not set
CONFIG_HAS_IOMEM=y
CONFIG_HAS_IOPORT=y
CONFIG_HAS_DMA=y
CONFIG_NLATTR=y

	000000:00ffff bootloader
	010000:01ffff perm
	020000:3fffff image1
	400000:7dffff image2
	7f0000:7fffff dyn