BCM63xx Firmware Image Information

The following code can be compiled on Linux (and possibly BSD and Mac) with `gcc -o analyzetag analyzetag.c` to create program called `analyzetag` that can be used to find information about the specified imagetag file.

The full command information is:

  analyzetag -i <inputfile> -t <tagid> [-s <flashstart>] [-n <fwoffset>]
  
   -i <inputfile>	Name of firmware image file
   -t <tagid>		Tag id type to use (use -t list to see available 
                      choices)
   -s <flashstart>    Address of the start of the firmware image
   -n <fwoffset>      Offset of the firmware from flashstart

Download the code: analyzetag.c

There are different version of the imagetag, depending on the version of the Broadcom code the imagetag was written for. This information is for the [OpenWrt](http://www.openwrt.org/) versions of the tags used for each version.

unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag
unsigned char sig_1[20]; 4-23: Company Line 1
unsigned char sig_2[14]; 24-37: Company Line 2
unsigned char chipid[6]; 38-43: Chip this image is for
unsigned char boardid[16]; 44-59: Board name
unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE
unsigned char rootAddress[ADDRESS_LEN]; 94-105: Address in memory of rootfs
unsigned char rootLength[IMAGE_LEN]; 106-115: Size of rootfs
unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel
unsigned char dualImage[2]; 138-139: Unused at present
unsigned char inactiveFlag[2]; 140-141: Unused at present
unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present
unsigned char tagId[TAGID_LEN]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4]; 168-171: CRC32 of tagId
unsigned char reserved1[44]; 172-215: Reserved area not in use
unsigned char imageCRC[4]; 216-219: CRC32 of images
unsigned char reserved2[16]; 220-235: Unused at present
unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16]; 240-255: Unused at present
unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag
unsigned char sig_1[20]; 4-23: Company Line 1
unsigned char sig_2[14]; 24-37: Company Line 2
unsigned char chipid[6]; 38-43: Chip this image is for
unsigned char boardid[16]; 44-59: Board name
unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel
unsigned char dualImage[2]; 138-139: Unused at present
unsigned char inactiveFlag[2]; 140-141: Unused at present
unsigned char rsa_signature[TAGINFO_LEN]; 142-161: RSA Signature (unused at present; some vendors may use this)
unsigned char reserved5[2]; 162-163: Unused at present
unsigned char tagId[TAGID_LEN]; 164-169: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char rootAddress[ADDRESS_LEN]; 170-181: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN]; 182-191: Size of rootfs partition
unsigned char flashLayoutVer[4]; 192-195: Version flash layout
unsigned char kernelCRC[4]; 196-199: Guessed to be kernel CRC
unsigned char reserved4[16]; 200-215: Reserved area; unused at present
unsigned char imageCRC[4]; 216-219: CRC32 of images
unsigned char reserved2[12]; 220-231: Unused at present
unsigned char tagIdCRC[4]; 232-235: CRC32 to ensure validity of tagId
unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16]; 240-255: Unused at present
unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag
unsigned char sig_1[20]; 4-23: Company Line 1
unsigned char sig_2[14]; 24-37: Company Line 2
unsigned char chipid[6]; 38-43: Chip this image is for
unsigned char boardid[16]; 44-59: Board name
unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel
unsigned char dualImage[2]; 138-139: Unused at present
unsigned char inactiveFlag[2]; 140-141: Unused at present
unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present
unsigned char tagId[TAGID_LEN]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4]; 168-173: CRC32 to ensure validity of tagId
unsigned char rootAddress[ADDRESS_LEN]; 174-183: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN]; 184-193: Size of rootfs partition
unsigned char reserved1[22]; 194-215: Reserved area not in use
unsigned char imageCRC[4]; 216-219: CRC32 of images
unsigned char reserved2[16]; 220-235: Unused at present
unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16]; 240-255: Unused at present
unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag
unsigned char sig_1[20]; 4-23: Company Line 1
unsigned char sig_2[14]; 24-37: Company Line 2
unsigned char chipid[6]; 38-43: Chip this image is for
unsigned char boardid[16]; 44-59: Board name
unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel
unsigned char dualImage[2]; 138-139: Unused at present
unsigned char inactiveFlag[2]; 140-141: Unused at present
unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present
unsigned char information2[54]; 162-215: Compilation and related information (not generated/used by OpenWRT)
unsigned char kernelCRC[4] ; 216-219: CRC32 of images
unsigned char rootAddress[ADDRESS_LEN]; 220-231: Address in memory of rootfs partition
unsigned char tagIdCRC[4]; 232-235: Checksum to ensure validity of tagId
unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion
unsigned char rootLength[IMAGE_LEN]; 240-249: Size of rootfs
unsigned char tagId[TAGID_LEN]; 250-255: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagVersion[4]; 0-3: Version of the image tag
unsigned char sig_1[20]; 4-23: Company Line 1
unsigned char sig_2[14]; 24-37: Company Line 2
unsigned char chipid[6]; 38-43: Chip this image is for
unsigned char boardid[16]; 44-59: Board name
unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE
unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image
unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE
unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE
unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image)
unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image)
unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel
unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel
unsigned char dualImage[2]; 138-139: Unused at present
unsigned char inactiveFlag[2]; 140-141: Unused at present
unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present; Some vendors use this for optional information
unsigned char tagId[6]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced
unsigned char tagIdCRC[4]; 168-171: CRC32 to ensure validity of tagId
unsigned char rootAddress[ADDRESS_LEN]; 172-183: Address in memory of rootfs partition
unsigned char rootLength[IMAGE_LEN]; 184-193: Size of rootfs partition
unsigned char reserved1[22]; 193-215: Reserved area not in use
unsigned char imageCRC[4]; 216-219: CRC32 of images
unsigned char rootfsCRC[4]; 220-227: CRC32 of rootfs partition
unsigned char kernelCRC[4]; 224-227: CRC32 of kernel partition
unsigned char reserved2[8]; 228-235: Unused at present
unsigned char headerCRC[4]; 235-239: CRC32 of header excluding tagVersion
unsigned char reserved3[16]; 240-255: Unused at present

The size of the image header is 512 bytes length. Offsets are at different addresses.

define in kernel code header offset description
unsigned long tagVersion; 0-3 Tag version number
unsigned char hardwareId[16]; 4-19 HWID for cloud
unsigned char firmwareId[16]; 20-35 FWID for cloud
unsigned char oemId[16]; 36-51 OEMID for cloud
unsigned long productId; 52-55 product id
unsigned long productVer; 56-59 product version
unsigned long addHver; 60-63 Addtional hardware version
unsigned char imageValidToken[20]; 64-83 image validation token - md5 checksum (not used?)
unsigned char rcSingature[20]; 84-103 RC singature(only for vxWorks) - RSA
unsigned long kernelTextAddr; 104-107 text section address of kernel
unsigned long kernelEntryPoint; 108-111 entry point address of kernel
unsigned long totalImageLen; 112-115 the sum of kernelLen+rootfsLen+tagLen
unsigned long kernelAddress; 116-119 starting address (offset from the beginning of FILE_TAG) of kernel image
unsigned long kernelLen; 120-123 length of kernel image
unsigned long rootfsAddress; 124-127 starting address (offset) of filesystem image
unsigned long rootfsLen; 128-131 length of filesystem image
unsigned long bootAddress; 132-135 starting address (offset) of bootloader image
unsigned long bootLen; 136-139 length of bootloader image
unsigned long swRevision; 140-143 software revision
unsigned long platformVer; 144-147 platform version
unsigned long specialVer; 148:151 special version or CRC32 for bin(kernel+rootfs) bitfliped
unsigned long binCrc32; 152:155 CRC32 for bin(kernel+rootfs) bitfliped or empty
unsigned long imageSequence; 156:159 DUALIMAGE, initial value is 0, valid value is [1 .. 999], for NAND flash: it's indicated by file extension of cferam.xxx in rootfs, for NOR flash: it's stored in kernel tag
unsigned long reserved1[12]; 160-207 reserved for future
unsigned char sig[128]; 208-335 signature for update
unsigned char resSig[128]; 336-443 reserved for signature
unsigned long reserved2[12]; 464-511 reserved for future

The image needed to flash onto a Broadcom 63xx-series board depends on the board, method you are using to flash, and, for web-based flash, on the version of the Broadcom code your router uses.

There are two major revisions of the Broadcom code as far as imagetags are concerned, before 3.08 and after 3.08, however there are some variations within in that, either due to vendor differences or due to changes at Broadcom (it's not clear yet which is the case). In addtion Pirelli modified the Broadcom code, so Alice Gate models use a different imagetag than any other vendor.

The imagetag format for flashing via CFE is the same for almost all the boards, and is the same for all images generated by the imagetag utility. Images flashable using cfe are labelled openwrt-[board]-[filesystem]-cfe.bin

The imagetags for tftp/ftp flashing is based on Broadcom 3.00-3.04 imagetags and is known to be correct as the source code GPL and is available for reading.

Broadcom 3.00-3.02 flashing has been tested on Comtrend CT-5261, CT-536 and Tecom GW6000, and is the version of the flashing that was present before the imagetags were split by broadcom code version (early June 2009)

3\.04 is guessed to be the same as 3.00-3.02 based on available information

Broadom 3.06 is thought to be the same as 3.00-3.02, however the only 3.06 this author (Daniel Dickinson) has seen is the Alice Gate (Pirelli) firmware which is known to be different due to vendor (Pirelli) modifications to the Broadcom code.

Broadcom 3.08 introduced changes to the imagetag to deal with TR69 (a remote router management system developed by the DSL Forum). The version we are using as 3.08 is based on the BT Voyager firmware image I looked at. It may in fact be BT Voyager-specific, and may in fact not be 3.08, but modified 3.06 and not apply to all 3.08 versions.

Broadcom 3.10 uses an imagetag that is believed to apply to all 3.10 and 3.12 versions, and has been tested on the Tecom GW6200. It is similar to 3.08. There is a field for vendor-specific information, that at least in some cases is not optional. It is based on the hexedit of a neufbox4 firmware image, the information in https://dev.openwrt.org/ticket/4987, and the hexedit of a Tecom GW6200 image.

Some boards share the same tag format, but require vendor-specific fields in the board. In that case the tagid is shared, but the filename of the generated image reflects the router for which the image was created.

router method codever tagid
any cfe any bccfe
any t/ftp any bc300
web 3.00-3.06bc300
web 3.10-3.12bc310
AGVoIP2+WiFi web alice3.06ag306
CT536 web 3.02 bc300
CT5621 web 3.02 bc300
DG834GT web 3.02 bc300
DG834PN web 3.02 bc300
DSL-2640B web 3.10 bc310
DSL-2740B web 3.10 bc310
F5D7633 web 3.10 bc310
F@ST2404 web ? bc300
F@ST2404 web ? bc310
GW6000 web 3.00 bc300
GW6200 web 3.10 bc310
Neufbox4 web 3.12 bc310
TD8810A web 3.06 bc300
TD8810B web 3.06 bc300
TD8811A web 3.06 bc300
TD8811B web 3.06 bc300
TD8900GB web 3.06 bc300
USR9108 web ? bc300
V2091_BTR web 2.21 bc221
V2091_ROI web 2.21 bc221
V2091_WB web 2.21 bc221
V210_BTR web 2.21 bc221
V210_ROI web 2.21 bc221
V210_WB web 2.21 bc221
V2110 web 2.21 bc221
V2110_AA web 2.21 bc221
V2110_ROI web 2.21 bc221
V2500V web 2.21 bc221
V2500V_AA web 2.21 bc221
V2500V_SIP_CLUB web2.21 bc221

Davolink DV201AMR

Inventel Livebox

Vendor Model
Belkin F5D7633
British Telecom (BT) Voyager V2091_BTR
British Telecom (BT) Voyager V2091_ROI
British Telecom (BT) Voyager V2091_WB
British Telecom (BT) Voyager V210_BTR
British Telecom (BT) Voyager V210_ROI
British Telecom (BT) Voyager V210_WB
British Telecom (BT) Voyager V2110
British Telecom (BT) Voyager V2110_AA
British Telecom (BT) Voyager V2110_ROI
British Telecom (BT) Voyager V220V
British Telecom (BT) Voyager V2500V
British Telecom (BT) Voyager V2500V_AA
British Telecom (BT) Voyager V2500V_SIP_CLUB
Comtrend CT-5261
Comtrend CT-536
D-Link DSL-2640B
D-Link DSL-2670B
NetGear DG834GT
NetGear DG834PN
Neuf Cegetel Neufbox 4
Pirelli Alice Gate Wi-Fi (+VoIP models?)
Pirelli DRG A125G
Sagem F@ST2404
TP-Link TD-8810A
TP-Link TD-8810B
TP-Link TD-8811A
TP-Link TD-8811B
TP-Link TD-W8900GB
Tecom GW6000
Tecom GW6200
USR 9108
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/11/11 23:49
  • by danitool