Differences

This shows you the differences between two versions of the page.

--- docs:techref:bootloader:cfe [2018/02/20 18:50] – ↷ Page moved from doc:techref:bootloader:cfe to docs:techref:bootloader:cfe bobafetthotmail
+++ docs:techref:bootloader:cfe [2023/10/12 16:42] (current) – [Table] systemcrash
@@ Line 1: / Line 1: @@
 ====== CFE ======
-  * [[wp>Common Firmware Environment]]
+{{page>meta:infobox:wip&noheader&nofooter&noeditbtn}}
-  * [[http://www.linux-mips.org/wiki/Common_Firmware_Environment]]
-  * [[http://www.broadcom.com/docs/SiByte/README-1.4.2.txt]]
+  * [[wp>Common Firmware Environment]]
+  * [[http://www.linux-mips.org/wiki/Common_Firmware_Environment]] (registration dead)
+  * Broadcom CFE sources for some test boards
+    * [[https://web.archive.org/web/20090510103115if_/http://www.broadcom.com/docs/SiByte/README-1.4.2.txt|README-1.4.2.txt]] (readme)
+    * [[https://docs.broadcom.com/docs-and-downloads/docs/eula_download/cfe-1.4.2-src.tar.bz2|cfe-1.4.2-src.tar.bz2]] ''1.9M'' (source)
+    * [[https://docs.broadcom.com/docs-and-downloads/docs/eula_download/samplesw-1.3.tar.bz2|samplesw-1.3.tar.bz2]] ''0.3M'' (examples in C and [[../instructionset/mips64_mips64|MIPS64]] assembly)
+    * [[https://docs.broadcom.com/docs-and-downloads/docs/eula_download/broadcom_2006a_410_RELEASE-NOTES.txt|broadcom_2006a_410_RELEASE-NOTES.txt]] (tool readme)
+    * [[https://docs.broadcom.com/docs-and-downloads/docs/eula_download/broadcom_2006a_410.src.tar.bz2|broadcom_2006a_410.src.tar.bz2]] ''69.2M'' (tool source)
 ===== Using the CFE =====
-http://melbourne.wireless.org.au/files/wrt54/cfe.pdf
+[[https://web.archive.org/web/20071114051120if_/http://melbourne.wireless.org.au/files/wrt54/cfe.pdf|CFE Functional Specification]]
+[[https://github.com/blackfuel/asuswrt-rt-ax88u/blob/master/release/src-rt-5.02axhnd/docs/customerDocs/BCM963XX_bootloader_appnote-963XX-AN102-SWRDS.pdf|BCM963XX Bootloader Appnote]]
+[[https://github.com/blackfuel/asuswrt-rt-ax88u/blob/master/release/src-rt-5.02axhnd/docs/customerDocs/NAND_Flash-CPE-AN1102-SWRDS.pdf|BCM63XX/BCM68XX NAND Flash Support]]
 ===== bcm47xx CFE =====
+CFE on bcm47xx devices allows running/installing firmware using a lot of different methods. Usually only few of them are available, depending on the choice of manufacturer who compiled and installed CFE. Most of the methods require access to the CFE console which means you need to attach a [[docs:techref:hardware:port.serial|serial]] console. To get a prompt just keep CTRL+C pressed (or ESC for some models) while powering the device up.
-CFE on bcm47xx devices allows running/installing firmware using a lot of different methods. Usually only few of them are available, depending on the choice of manufacturer who compiled and installed CFE. Most of the methods require access to the CFE console which means you need to attach a [[doc:hardware:port.serial|serial]] console. To get a prompt just keep CTRL+C pressed (or ESC for some models) while powering the device up.
 Below is the (hopefully) completed list of methods. The best idea is to find a one looking the best/easiest and check if it works on your device.
 ==== Using auto-starting CFE TFTP server ====
 Some CFEs start TFTP server for few seconds right after hardware initialization. This is probably the only method of installing firmware with CFE that doesn't require serial console. You simply have to give CFE 1-3 seconds to initialize the switch and then set your IP and start sending the firmware. If you have a serial console, you can identify TFTP server running with the following messages:
 <code>
@@ Line 25: / Line 32: @@
 Unfortunately even if this method is available for you, it may not work. For example on Linksys E900 it fails after uploading firmware with the:
 <code>
 CMD: [boot -raw -z -addr=0x80001000 -max=0x1851e50 -fs=memory :0x807ae1b0]
@@ Line 32: / Line 40: @@
 Please note that CFE may require a device specific firmware image (with a special header), otherwise (when using a generic .trx) it may fail with the:
 <code>
 CMD: [flash -ctheader -mem -size=0x4c1000 0x807ae1b0 flash1.trx]
@@ Line 39: / Line 48: @@
 ==== Using CFE TFTP manually ====
 CFE almost always contains ''flash'' command that may behave like both: TFTP client and server. The generic usage is following:
 <code>
@@ Line 55: / Line 63: @@
 === TFTP client ===
 In this scenario we will tell CFE to connect to the remote TFTP server, download firmware and install it on the flash. This means that ''source-file'' should be set to ''host:path/firmware.bin'' format. Example usage:
 <code>
@@ Line 65: / Line 72: @@
 === TFTP server ===
 It's also possible to make ''flash'' start a TFTP server that will accept firmware for few seconds. The trick is to put '':'' as a ''source-file''. Example usage:
 <code>
@@ Line 74: / Line 80: @@
 ==== Using upgrade command ====
 Some manufacturers provide an ''upgrade'' command that is usually just an alias to the parametrized ''flash'' executed in a loop. Of course it's much less flexible that the ''flash'' command, but also has some advantages like:
   * Setting parameters automatically
@@ Line 80: / Line 85: @@
 The most common (and probably safe) usage is to call it with ''code.bin'' parameter:
 <code>
 CFE> upgrade code.bin
@@ Line 88: / Line 94: @@
 Another possible parameters:
 <code>
 boot.bin		Usually works the same way as code.bin
@@ Line 95: / Line 102: @@
 ==== Using web (http) server ====
 Unfortunately only few manufacturers decide to enable it, but it's probably the most user friendly way of installing firmware.
 {{:media:cfe.miniweb.server.png|}}
 ==== Changing CFE defaults ====
+Every bcm47xx CFE has a small NVRAM backup that is used to restore the main NVRAM when it gets deleted or corrupted. If you want to modify that backup NVRAM, see [[docs:techref:bootloader:cfe:changing.defaults|changing defaults]] page.
-Every bcm47xx CFE has a small NVRAM backup that is used to restore the main NVRAM when it gets deleted or corrupted. If you want to modify that backup NVRAM, see [[doc:techref:bootloader:cfe:changing.defaults|changing defaults]] page.
 ===== bcm63xx CFE =====
-bcm63xx CFE is totally different when compared with bcm47xx. The NVRAM is totally different, without any settings stored outside the CFE partition, they are totally embedded into CFE. The CLI has different commands, probably with less options. And almost always there is a web server available for flashing. Less options but more fool-proof.
+bcm63xx CFE is totally different to bcm47xx. The NVRAM is different, with no settings stored outside the CFE partition, they are embedded into CFE. The CLI has different commands, probably with fewer options. And almost always there is a web server available for flashing. Fewer options but more fool-proof.
-To access CFE you need to attach a [[doc:hardware:port.serial|serial]] console. To get a prompt just press any key while powering the device up.
+To access CFE you need to attach a [[docs:techref:hardware:port.serial|serial]] console. To get a prompt just press any key while powering the device up.
 This is a typical output when starting up the CFE and entering the CLI:
-| ''DGND3700 Boot Code V1.0.8
+<code>DGND3700 Boot Code V1.0.8
 CFE version 1.0.37-104.4 for BCM96368 (32bit,SP,BE)
 Build Date: Mon Feb 21 17:59:46 CST 2011 (finerain@moonlight)
@@ Line 144: / Line 146: @@
 Auto run second count down: 1
 CFE>
-CFE>'' |
+CFE>
+</code>
 ==== Using CFE web (http) server ====
 It's probably the most user friendly way of installing firmware. But sometimes some manufacturers decide to disable it (very uncommon).
@@ Line 159: / Line 161: @@
   - Wait some seconds
   - <color green>Release</color> the **RESET** button
-  - Browse to http://192.168.1.1
+  - Browse to ''%%http://192.168.1.1%%''
   - Send the new firmware and wait some minutes until the firmware upgrade finish.
 **Note**: The RESET button doesn't work in some routers. There are some alternatives to stop CFE before loading the current firmware when the RESET button didn't work:
-  * Attach a [[doc:hardware:port.serial|serial]] console (serial TTL cable adapter required). Press any key at the console when starting up the router. This is the better choice.
+  * Attach a [[docs:techref:hardware:port.serial|serial]] console (serial TTL cable adapter required). Press any key at the console when starting up the router. This is the better choice.
   * Shortcircuit TX and RX serial pins some seconds when powering on the router to simulate keyboard buttons pressing; this is ugly but it should work.
   * Delete existing firmware, if the current firmware allows to delete partitions.
   * Or upgrade the router with a new fake firmware (filled with zeroes). This will force CFE to stop for requesting a new firmware.
   * Download tftp by http://tftpd32.jounin.net and connect the ethernet and give static ip, default gateway usually 192.168.1.1 after that open tftp.exe by downloading and in the tftp client put the openwrt firmware then after some second click break, then in the browser keep on hitting default gateway by powering off and pressing reset while powering on, it goes on cfe.Worked for me.
+==== CFE Secure Boot ====
+In modern SoC releases, Broadcom is integrating a [[[wp>Unified_Extensible_Firmware_Interface#Secure_Boot|Secure Boot]] system based in a [[[wp>Chain_of_trust|chain of trust]].
+The following information is deduced from the sources available and therefore must be taken with caution.
+Up to date, there are three generations of Secure Boot that embraces the following models:
+  * GEN1: 63268
+  * GEN2: 63138, 63148, 63381, 6838 and 6848
+  * GEN3: 63158, 4908, 6858, 6856, 6846, 6878, 63178 and 47622
+=== Mechanism ===
+  - The SoC has as factory settings, most probably in the OTP fuses, the private key unique per each model and also 2 keys AES CBC (ek & iv). This is the Root of Trust which is known by OEM.
+  - During boot, the //PBL// (Primary Boot Loader coded in the SoC) will search for storage peripherals e.g. NAND or NOR SPI. If found then loads a small portion from start of storage into memory. Exact amount may depend on model and storage but most typically 64kb. In the sources this chunk is called CFEROM.
+  - Once loaded the CFEROM, the PBL will analyse the structure, which is a compound of different chunks: valid header, magic numbers, signed credentials, CRC32, actual compiled code, etc. In the end, the PBL will decide if CFEROM meets the structure required and it is properly signed. If this is so, then the PBL will execute the compiled code encapsulated. Note that this code is usually not encrypted and therefore can be detected with naked eyes.
+  - Typically, CFEROM will start PLL's and full memory span. Most probably doesn't need to run a storage driver since it is already working. Then it will jump to CFERAM location as coded
+  - CFERAM binary is encoded in JFFS2 filesystem. It must meet a certain structure as CFEROM. The compiled code is usually LZMA compressed and AES CBC encrypted, rendering the resulting binary absolutely meaningless.
+=== Secure modes ===
+Several modes can be chosen inside the CFEROM, putting appropiate headers:
+  * UNSECURE. The chain of trust is consciously dropped. The compiled code will be executed as trusted. **This is potentially very interesting in order to develop other bootloaders like U-Boot**
+  * SECURE. This sets the kind of encryption and keys used, which in turn can be:
+      * GEN2 = MFG
+      * GEN3 = MFG or FLD
+=== CFEROM structure ===
+The actual implementation differs depending on the generation and the storage media, but roughly this guidelines are true:
+== GEN1 ==
+WIP
+== GEN2 ==
+^ Offset    ^ Length   ^ Chunk         ^ Element        ^ Value      ^ Comments ^
+| 0x0       | 0x14     | Unauth header |                |            |                                                                                                      |
+| 0x0       | 0x4      | :::           | Magic number 1 | 0x0001B669 | In decimal = 112233                                                                                                    |
+| 0x4       | 0x4      | :::           | Magic number 2 | 0x0006CC7E | In decimal = 445566                                                                                                     |
+| 0x8       | 0x4      | :::           | Version        | 0x00000001 |                                                                                                      |
+| 0x0c      | 0x4      | :::           | SBI_length     | variable   | Length in bytes of Unauth Header + SBI                                                                     |
+| 0x10      | 0x4      | :::           | JAM CRC32      | variable   | JAM CRC32 of all the previous elements                                                               |
+| 0x14      | variable |      SBI      |                |            |                                                                                                      |
+| 0x14      | 0x2      | :::              | type           | 0x00       | This seems a legacy field                                                                            |
+| 0x16      | 0x2      | :::              | ver            | 0x00       | This seems a legacy field                                                                            |
+| 0x18      | 0x2      | :::              | len            | 0x00       | This seems a legacy field                                                                            |
+| 0x1a      | 0x2      | :::              | config         | 0x00       | This seems a legacy field                                                                            |
+| 0x1c      | 0x180    | :::              | mfg.oem.bin    | variable   | Actual structure has been reversed.                                                                  |
+| 0x19c     | 0x100    | :::              | mfg.oem.sig    | variable   | SHA256 signature of mfg.oem.bin. Key must be in SoC                                                  |
+| 0x29c     | 0x180    | :::              | op.cot.bin     | variable   | Unknown meaning "OP"                                                                                 |
+| 0x41c     | 0x100    | :::              | op.cot.sig     | variable   | SHA256 signature of op.cot.bin. Key must be in SoC                                                                       |
+| 0x51c     | variable | :::              | cferom.bin     | variable   | This is the actual machine code that will be executed                                                |
+| SBI_length-0x104 | 0x100    | :::              | SHA256 sig     | variable   | This is the SHA256 signature of all the previous SBI elements. Key is the one declared in mfg.oem.bin |
+| SBI_length-0x4   | 0x4      | :::              | JAM CRC32      | variable   | This is the JAM CRC32 of all the previous SBI elements except SHA256 sig.                            |
+From the sources, we can reverse the structure of mfg.oem.bin:
+^ Offset    ^ Length   ^ Chunk         ^ Element        ^ Value      ^ Comments ^
+| 0x0    | 0x148  | mfg.oem.bin |                  |                |                                                                                        |
+| 0x0    | 0x6    | :::            | Signature header | 0x000000010242 | This seems like a magic word                                                           |
+| 0x6    | 0x2    | :::            | Mid              | 0x1234         | This value must match the SoC. We know for instance that bcm68380 has 0xffd0              |
+| 0x8    | 0x100  | :::            | KrsaMfgPub.bin   | variable       | Modulus of the new public key that we want to use                                      |
+| 0x108  | 0x20   | :::            | mfg.ek.enc       |                | This is an encrypted file of the new AES CBC key. The encryption key must be in SoC |
+| 0x128  | 0x20   | :::            | mfg.iv.enc       |                | This is an encrypted file of the new AES CBC key. The encryption key must be in SoC |
+== GEN3 ==
+WIP
+\\
+=== In the search of the RoT password ===
+If the PBL password was known, **we could develop any bootloader** with or without the CoT characteristic. It is most likely that this will never be exposed being Broadcom so obscure with their products.
+However, we must remain attentive to the GPL bundles that pop up from time to time.
+More precisely, in the following repo [[https://github.com/blackfuel/asuswrt-rt-ax88u/tree/master/release/src-rt-5.02axhnd/cfe/cfe/board/bcm63xx_btrm/data/gen3_common/mfg_creds_req/rot|RoT]] lies a capital piece of information.
+Basically the [[https://github.com/blackfuel/asuswrt-rt-ax88u/blob/master/release/src-rt-5.02axhnd/cfe/cfe/board/bcm63xx_btrm/data/gen3_common/mfg_creds_req/rot/readme.txt|readme.txt]] file is saying that at least for GEN3:
+<code>
+The file Krot-mfg-encrypted.pem is aes-128-cbc encrypted with the same pass-phrase that encrypts the files bcm63xx_encr*.c located in the cfe/cfe/board/bcm63xx_btrm/src direcotry. After the file is decrypted, the pem file contains both the private and public portion of the RSA key Krot-mfg.
+</code>
+This means:
+  * The PBL MFG password is encrypted in the file Krot-mfg-encrypted.pem
+  * The password must be declared in the files bcm63xx_encr*.c, lying in /src
+  * Analysing the script [[https://github.com/blackfuel/asuswrt-rt-ax88u/blob/master/release/src-rt-5.02axhnd/cfe/cfe/board/bcm63xx_btrm/data/gen3_common/mfg_creds_req/rot/make_new_target.sh|make_new_target.sh]], a possible name for this file is "bcm63xx_encr3_clr.c"
+Therefore **we must focus on finding "bcm63xx_encr3_clr.c"** in order to support GEN3 CoT. We might think that there must be a file "bcm63xx_encr2_clr.c" for GEN2 and so on.
+\\
+=== Sources ===
+  * [[https://github.com/RMerl/asuswrt-merlin.ng/tree/master/release/src-rt-5.02axhnd.675x/hostTools/SecureBootUtils|Secure Boot folder]]
+  * [[https://github.com/RMerl/asuswrt-merlin.ng/tree/master/release/src-rt-5.02axhnd.675x/hostTools/PerlLib/BRCM|BCM Perl library folder]]
+  * [[https://github.com/blackfuel/asuswrt-rt-ax88u/tree/master/release/src-rt-5.02axhnd/cfe/cfe/board/bcm63xx_btrm/data/gen3_common/mfg_creds_req/rot|RoT]]
 ==== Using CFE TFTP client ====
 If you want to install a firmware using TFTP, follow these steps (as an alternative to the above install process).
-  * Connect a [[doc:hardware:port.serial|serial]] TTL cable to send commands to CFE via serial console software, for loading the firmware via TFTP.
+  * Connect a [[docs:techref:hardware:port.serial|serial]] TTL cable to send commands to CFE via serial console software, for loading the firmware via TFTP.
   * Start a TFTP server in your PC. Copy the //**firmware.bin**// file to the TFTP server's directory.
   * Set the IP at your pc to 192.168.1.35 (or any compatible), and connect the ethernet cable to the router.
@@ Line 192: / Line 285: @@
 ==== CFE HEADER ====
 At the begining of CFE, outside the NVRAM area there exist three interesting parameters:
-^ Offsets ^ parameter ^ possible values ^^ size ^
+^ Offsets      ^ parameter                           ^ possible values                                                                                                                                         |^ size                       ^
-| 0x010-0x013 | **BpGetSdramSize** | 8MB 1 CHIP\\ 16MB 1 CHIP\\ 32MB 1 CHIP\\ 64MB 2 CHIP\\ 32MB 2 CHIP\\ 16MB 2 CHIP\\ 64MB 1 CHIP | **0**\\ **1**\\ **2**\\ **3**\\ **4**\\ **5**\\ **6** | 4 bytes\\ (unsigned long) |
+| 0x010-0x013  | **BpGetSdramSize**                  | 8MB 1 CHIP\\ 16MB 1 CHIP\\ 32MB 1 CHIP\\ 64MB 2 CHIP\\ 32MB 2 CHIP\\ 16MB 2 CHIP\\ 64MB 1 CHIP  | **0**\\ **1**\\ **2**\\ **3**\\ **4**\\ **5**\\ **6**  | 4 bytes\\ (unsigned long)  |
-| 0x014-0x017 | **BpGetCMTThread**\\ (Main Thread) | core0\\ core1 | **0**\\ **1** | 4 bytes\\ (unsigned long) |
+| 0x014-0x017  | **BpGetCMTThread**\\ (Main Thread)  | core0\\ core1                                                                                   | **0**\\ **1**                                          | 4 bytes\\ (unsigned long)  |
-| 0x570 | **CFE Version** | any |  |
+| 0x570        | **CFE Version**                     | any e.g. "cfe-v"                                                                                |                                                        | 5                          |
+| 0x575        | **CFE Version Number**              | any                                                                                             | 1.0.38-114.101                                         | 5                          |
+| 0x57A        | **unused**                          |                                                                                                 |                                                        | 6                          |
 === NVRAM ===
@@ Line 217: / Line 311: @@
 | {{:meta:48px-dialog-warning.svg.png|}} | Not all bcm63xx CFEs share this structure, some CFEs seem to have additional parameters like **PsiSize**, **Country**, **SerialNumber**, etc. As a result of this the CheckSum maybe located at different offsets and therefore the calculation is different. The **EMPTY** space isn't used to calculate the CheckSum |
-^ NVRAM version>=5 (usually found in BCM6328, BCM6362, BCM6368, BCM6816) ^^^^
+^ NVRAM version>=5 (usually found in BCM6328, BCM6362, BCM6368, BCM6816)                                                                                                                                                                                                                                                                                        ||||
-^ Offsets ^ parameter ^^ size (bytes) ^
+^ Offsets                                                                 ^ parameter                                                                                                                                                                                                                                                             |^ size (bytes)  ^
-| 0x580 | **NVRAM Version** || 4 |
+| 0x580                                                                   | **NVRAM Version**                                                                                                                                                                                                                                                     || 4             |
-| 0x584 | **BOOT LINE** | e=192.168.1.1 (Board IP)\\ h=192.168.1.100 (Host IP)\\ g=  (Gateway IP)\\  r=f/h (run from flash/host)\\ f=vmlinux (if r=h)\\ i=bcm963xx_fs_kernel\\ d=3 (delay, 0=forever prompt)\\ p=0 (boot image, 0=latest, 1=previous) | 256 |
+| 0x584                                                                   | **BOOT LINE**                           | e=192.168.1.1 (Board IP)\\ h=192.168.1.100 (Host IP)\\ g=  (Gateway IP)\\  r=f/h (run from flash/host)\\ f=vmlinux (if r=h)\\ i=bcm963xx_fs_kernel\\ d=3 (delay, 0=forever prompt)\\ p=0 (boot image, 0=latest, 1=previous)  | 256           |
-| 0x684 | **Board ID** || 16 |
+| 0x684                                                                   | **Board ID**                            | e.g. "96328avng"                                                                                                                                                                                                             | 16            |
-| 0x694 | **Main Thread** || 4 |
+| 0x694                                                                   | **Main Thread**                                                                                                                                                                                                                                                       || 4             |
-| 0x698 | **Psi size** || 4 |
+| 0x698                                                                   | **Psi size**                                                                                                                                                                                                                                                          || 4             |
-| 0x69C | **Number MAC Addresses** || 4 |
+| 0x69C                                                                   | **Number MAC Addresses**                | 1-32                                                                                                                                                                                                                         | 4             |
-| 0x6A0 | **Base MAC Address** || 6 |
+| 0x6A0                                                                   | **Base MAC Address**                                                                                                                                                                                                                                                  || 6             |
-| 0x6A6 | **reserved** || 2 |
+| 0x6A6                                                                   | **is default set flag**                                                                                                                                                                                                                                               || 1             |
-| 0x6A8 | **old CheckSum** || 4 |
+| 0x6A7                                                                   | **allocate space for backup PSI flag**  |                                                                                                                                                                                                                              | 1             |
-| 0x6AC | **gpon Serial Number** || 13 |
+| 0x6A8                                                                   | **old v4 CheckSum**                                                                                                                                                                                                                                                   || 4             |
-| 0x6B9 | **gpon Password** || 11 |
+| 0x6AC                                                                   | **gpon Serial Number**                                                                                                                                                                                                                                                || 13            |
-| 0x6C4 | **wps Device Pin** || 8 |
+| 0x6B9                                                                   | **gpon Password**                                                                                                                                                                                                                                                     || 11            |
-| 0x6CC | **wlan Params** || 256 |
+| 0x6C4                                                                   | **WPS Device Pin**                                                                                                                                                                                                                                                    || 8             |
-| 0x7CC | **Syslog Size** || 4 |
+| 0x6CC                                                                   | **WLAN Params**                                                                                                                                                                                                                                                       || 256           |
-| 0x7D0 | **Nand Part Ofs Kb** || 20 |
+| 0x7CC                                                                   | **Syslog Size**                                                                                                                                                                                                                                                       || 4             |
-| 0x7E4 | **Nand Part Size Kb** || 20 |
+| 0x7D0                                                                   | **NAND Part Ofs Kb**                                                                                                                                                                                                                                                  || 20            |
-| 0x7F8 | **Voice Board Id** || 16 |
+| 0x7E4                                                                   | **NAND Part Size Kb**                                                                                                                                                                                                                                                 || 20            |
-| 0x808 | **afe Id** || 8 |
+| 0x7F8                                                                   | **Voice Board ID**                                                                                                                                                                                                                                                    || 16            |
-| 0x810 | **Unused** || 364 |
+| 0x808                                                                   | **AFE ID**                              | Primary AFE ID + Bonding AFE ID (4+4)                                                                                                                                                                                        | 8             |
-| 0x97C | **CheckSum** || 4 |
+| 0x810                                                                   | **OptoRxPower Reading**                                                                                                                                                                                                                                               || 2             |
+| 0x812                                                                   | **OptoRxPower Offset**                                                                                                                                                                                                                                                || 2             |
+| 0x814                                                                   | **OptoTxPower Reading**                                                                                                                                                                                                                                               || 2             |
+| 0x816                                                                   | **unused**                                                                                                                                                                                                                                                            || 58            |
+| 0x850                                                                   | **Flash Block Size**                                                                                                                                                                                                                                                  || 1             |
+| 0x851                                                                   | **AuxFS Size Percentage**                                                                                                                                                                                                                                             || 1             |
+| 0x852                                                                   | **unused**                              |                                                                                                                                                                                                                              | 169           |
+| 0x8FB                                                                   | **Reset to Default CFG Flag**                                                                                                                                                                                                                                         || 1             |
+| 0x8FC                                                                   | **Model Name**                                                                                                                                                                                                                                                        || 32            |
+| 0x91C                                                                   | **DES Key**                                                                                                                                                                                                                                                           || 32            |
+| 0x93C                                                                   | **WEP Key**                                                                                                                                                                                                                                                           || 32            |
+| 0x95C                                                                   | **Serial Number**                       | e.g. "684624H153031359"                                                                                                                                                                                                      | 32            |
+| 0x97C                                                                   | **CheckSum**                                                                                                                                                                                                                                                          || 4             |
+| 0x980                                                                   | --end--                                                                                                                                                                                                                                                               || Total: 1024   |
 NVRAM versions >=5 always have the checksum placed at the end of the NVRAM.
 ==== PSI ====
 At the end of the flash outside the CFE, there exists a PSI partition (Profile Storage Information), about 16KB size. In Openwrt this area is **protected with a partition called nvram**. Do not confuse with the CFE NVRAM!!
 There isn't any interaction between CFE and PSI except for restoring it to defaults or erasing this area. The settings present in this area are only used by the OEM firmware.
-----
-{{tag>bootloader wip}}