Show pagesourceOld revisionsBacklinksBack to top × Table of Contents BCM63xx Firmware Image Information BCM63xx Firmware Image Analyzer Information about the Broadcom 63xx imagetag format Broadcom Generic CFE Broadcom Code Version 2.2x Broadcom Code Version 3.00 - 3.08 Broadcom Code Version 3.06, Pirelli Modifed Version Broadcom Code Version 3.10+ TP-Link custom CFE OpenWRT Broadcom 63xx Firmware Image README Old imagetag routers Redboot routers Table of Broadcom Version for Various Routers BCM63xx Firmware Image Information BCM63xx Firmware Image Analyzer The following code can be compiled on Linux (and possibly BSD and Mac) with `gcc -o analyzetag analyzetag.c` to create program called `analyzetag` that can be used to find information about the specified imagetag file. The full command information is: analyzetag -i <inputfile> -t <tagid> [-s <flashstart>] [-n <fwoffset>] -i <inputfile> Name of firmware image file -t <tagid> Tag id type to use (use -t list to see available choices) -s <flashstart> Address of the start of the firmware image -n <fwoffset> Offset of the firmware from flashstart Download the code: analyzetag.c Information about the Broadcom 63xx imagetag format There are different version of the imagetag, depending on the version of the Broadcom code the imagetag was written for. This information is for the [OpenWrt](http://www.openwrt.org/) versions of the tags used for each version. Broadcom Generic CFE unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag unsigned char sig_1[20]; 4-23: Company Line 1 unsigned char sig_2[14]; 24-37: Company Line 2 unsigned char chipid[6]; 38-43: Chip this image is for unsigned char boardid[16]; 44-59: Board name unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE unsigned char rootAddress[ADDRESS_LEN]; 94-105: Address in memory of rootfs unsigned char rootLength[IMAGE_LEN]; 106-115: Size of rootfs unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel unsigned char dualImage[2]; 138-139: Unused at present unsigned char inactiveFlag[2]; 140-141: Unused at present unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present unsigned char tagId[TAGID_LEN]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced unsigned char tagIdCRC[4]; 168-171: CRC32 of tagId unsigned char reserved1[44]; 172-215: Reserved area not in use unsigned char imageCRC[4]; 216-219: CRC32 of images unsigned char reserved2[16]; 220-235: Unused at present unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion unsigned char reserved3[16]; 240-255: Unused at present Broadcom Code Version 2.2x unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag unsigned char sig_1[20]; 4-23: Company Line 1 unsigned char sig_2[14]; 24-37: Company Line 2 unsigned char chipid[6]; 38-43: Chip this image is for unsigned char boardid[16]; 44-59: Board name unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image) unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image) unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel unsigned char dualImage[2]; 138-139: Unused at present unsigned char inactiveFlag[2]; 140-141: Unused at present unsigned char rsa_signature[TAGINFO_LEN]; 142-161: RSA Signature (unused at present; some vendors may use this) unsigned char reserved5[2]; 162-163: Unused at present unsigned char tagId[TAGID_LEN]; 164-169: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced unsigned char rootAddress[ADDRESS_LEN]; 170-181: Address in memory of rootfs partition unsigned char rootLength[IMAGE_LEN]; 182-191: Size of rootfs partition unsigned char flashLayoutVer[4]; 192-195: Version flash layout unsigned char kernelCRC[4]; 196-199: Guessed to be kernel CRC unsigned char reserved4[16]; 200-215: Reserved area; unused at present unsigned char imageCRC[4]; 216-219: CRC32 of images unsigned char reserved2[12]; 220-231: Unused at present unsigned char tagIdCRC[4]; 232-235: CRC32 to ensure validity of tagId unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion unsigned char reserved3[16]; 240-255: Unused at present Broadcom Code Version 3.00 - 3.08 unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag unsigned char sig_1[20]; 4-23: Company Line 1 unsigned char sig_2[14]; 24-37: Company Line 2 unsigned char chipid[6]; 38-43: Chip this image is for unsigned char boardid[16]; 44-59: Board name unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image) unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image) unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel unsigned char dualImage[2]; 138-139: Unused at present unsigned char inactiveFlag[2]; 140-141: Unused at present unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present unsigned char tagId[TAGID_LEN]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced unsigned char tagIdCRC[4]; 168-173: CRC32 to ensure validity of tagId unsigned char rootAddress[ADDRESS_LEN]; 174-183: Address in memory of rootfs partition unsigned char rootLength[IMAGE_LEN]; 184-193: Size of rootfs partition unsigned char reserved1[22]; 194-215: Reserved area not in use unsigned char imageCRC[4]; 216-219: CRC32 of images unsigned char reserved2[16]; 220-235: Unused at present unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion unsigned char reserved3[16]; 240-255: Unused at present Broadcom Code Version 3.06, Pirelli Modifed Version unsigned char tagVersion[TAGVER_LEN]; 0-3: Version of the image tag unsigned char sig_1[20]; 4-23: Company Line 1 unsigned char sig_2[14]; 24-37: Company Line 2 unsigned char chipid[6]; 38-43: Chip this image is for unsigned char boardid[16]; 44-59: Board name unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image) unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image) unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel unsigned char dualImage[2]; 138-139: Unused at present unsigned char inactiveFlag[2]; 140-141: Unused at present unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present unsigned char information2[54]; 162-215: Compilation and related information (not generated/used by OpenWRT) unsigned char kernelCRC[4] ; 216-219: CRC32 of images unsigned char rootAddress[ADDRESS_LEN]; 220-231: Address in memory of rootfs partition unsigned char tagIdCRC[4]; 232-235: Checksum to ensure validity of tagId unsigned char headerCRC[4]; 236-239: CRC32 of header excluding tagVersion unsigned char rootLength[IMAGE_LEN]; 240-249: Size of rootfs unsigned char tagId[TAGID_LEN]; 250-255: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced Broadcom Code Version 3.10+ unsigned char tagVersion[4]; 0-3: Version of the image tag unsigned char sig_1[20]; 4-23: Company Line 1 unsigned char sig_2[14]; 24-37: Company Line 2 unsigned char chipid[6]; 38-43: Chip this image is for unsigned char boardid[16]; 44-59: Board name unsigned char big_endian[2]; 60-61: Map endianness -- 1 BE 0 LE unsigned char totalLength[IMAGE_LEN]; 62-71: Total length of image unsigned char cfeAddress[ADDRESS_LEN]; 72-83: Address in memory of CFE unsigned char cfeLength[IMAGE_LEN]; 84-93: Size of CFE unsigned char flashImageStart[ADDRESS_LEN]; 94-105: Address in memory of kernel (start of image) unsigned char flashRootLength[IMAGE_LEN]; 106-115: Size of rootfs + deadcode (web flash uses this + kernelLength to determine the size of the kernel+rootfs flash image) unsigned char kernelAddress[ADDRESS_LEN]; 116-127: Address in memory of kernel unsigned char kernelLength[IMAGE_LEN]; 128-137: Size of kernel unsigned char dualImage[2]; 138-139: Unused at present unsigned char inactiveFlag[2]; 140-141: Unused at present unsigned char information1[TAGINFO_LEN]; 142-161: Unused at present; Some vendors use this for optional information unsigned char tagId[6]; 162-167: Identifies which type of tag this is, currently two-letter company code, and then three digits for version of broadcom code in which this tag was first introduced unsigned char tagIdCRC[4]; 168-171: CRC32 to ensure validity of tagId unsigned char rootAddress[ADDRESS_LEN]; 172-183: Address in memory of rootfs partition unsigned char rootLength[IMAGE_LEN]; 184-193: Size of rootfs partition unsigned char reserved1[22]; 193-215: Reserved area not in use unsigned char imageCRC[4]; 216-219: CRC32 of images unsigned char rootfsCRC[4]; 220-227: CRC32 of rootfs partition unsigned char kernelCRC[4]; 224-227: CRC32 of kernel partition unsigned char reserved2[8]; 228-235: Unused at present unsigned char headerCRC[4]; 235-239: CRC32 of header excluding tagVersion unsigned char reserved3[16]; 240-255: Unused at present TP-Link custom CFE The size of the image header is 512 bytes length. Offsets are at different addresses. define in kernel code header offset description unsigned long tagVersion; 0-3 Tag version number unsigned char hardwareId[16]; 4-19 HWID for cloud unsigned char firmwareId[16]; 20-35 FWID for cloud unsigned char oemId[16]; 36-51 OEMID for cloud unsigned long productId; 52-55 product id unsigned long productVer; 56-59 product version unsigned long addHver; 60-63 Addtional hardware version unsigned char imageValidToken[20]; 64-83 image validation token - md5 checksum (not used?) unsigned char rcSingature[20]; 84-103 RC singature(only for vxWorks) - RSA unsigned long kernelTextAddr; 104-107 text section address of kernel unsigned long kernelEntryPoint; 108-111 entry point address of kernel unsigned long totalImageLen; 112-115 the sum of kernelLen+rootfsLen+tagLen unsigned long kernelAddress; 116-119 starting address (offset from the beginning of FILE_TAG) of kernel image unsigned long kernelLen; 120-123 length of kernel image unsigned long rootfsAddress; 124-127 starting address (offset) of filesystem image unsigned long rootfsLen; 128-131 length of filesystem image unsigned long bootAddress; 132-135 starting address (offset) of bootloader image unsigned long bootLen; 136-139 length of bootloader image unsigned long swRevision; 140-143 software revision unsigned long platformVer; 144-147 platform version unsigned long specialVer; 148:151 special version or CRC32 for bin(kernel+rootfs) bitfliped unsigned long binCrc32; 152:155 CRC32 for bin(kernel+rootfs) bitfliped or empty unsigned long imageSequence; 156:159 DUALIMAGE, initial value is 0, valid value is [1 .. 999], for NAND flash: it's indicated by file extension of cferam.xxx in rootfs, for NOR flash: it's stored in kernel tag unsigned long reserved1[12]; 160-207 reserved for future unsigned char sig[128]; 208-335 signature for update unsigned char resSig[128]; 336-443 reserved for signature unsigned long reserved2[12]; 464-511 reserved for future OpenWRT Broadcom 63xx Firmware Image README The image needed to flash onto a Broadcom 63xx-series board depends on the board, method you are using to flash, and, for web-based flash, on the version of the Broadcom code your router uses. There are two major revisions of the Broadcom code as far as imagetags are concerned, before 3.08 and after 3.08, however there are some variations within in that, either due to vendor differences or due to changes at Broadcom (it's not clear yet which is the case). In addtion Pirelli modified the Broadcom code, so Alice Gate models use a different imagetag than any other vendor. The imagetag format for flashing via CFE is the same for almost all the boards, and is the same for all images generated by the imagetag utility. Images flashable using cfe are labelled openwrt-[board]-[filesystem]-cfe.bin The imagetags for tftp/ftp flashing is based on Broadcom 3.00-3.04 imagetags and is known to be correct as the source code GPL and is available for reading. Broadcom 3.00-3.02 flashing has been tested on Comtrend CT-5261, CT-536 and Tecom GW6000, and is the version of the flashing that was present before the imagetags were split by broadcom code version (early June 2009) 3\.04 is guessed to be the same as 3.00-3.02 based on available information Broadom 3.06 is thought to be the same as 3.00-3.02, however the only 3.06 this author (Daniel Dickinson) has seen is the Alice Gate (Pirelli) firmware which is known to be different due to vendor (Pirelli) modifications to the Broadcom code. Broadcom 3.08 introduced changes to the imagetag to deal with TR69 (a remote router management system developed by the DSL Forum). The version we are using as 3.08 is based on the BT Voyager firmware image I looked at. It may in fact be BT Voyager-specific, and may in fact not be 3.08, but modified 3.06 and not apply to all 3.08 versions. Broadcom 3.10 uses an imagetag that is believed to apply to all 3.10 and 3.12 versions, and has been tested on the Tecom GW6200. It is similar to 3.08. There is a field for vendor-specific information, that at least in some cases is not optional. It is based on the hexedit of a neufbox4 firmware image, the information in https://dev.openwrt.org/ticket/4987, and the hexedit of a Tecom GW6200 image. Some boards share the same tag format, but require vendor-specific fields in the board. In that case the tagid is shared, but the filename of the generated image reflects the router for which the image was created. router method codever tagid any cfe any bccfe any t/ftp any bc300 web 3.00-3.06bc300 web 3.10-3.12bc310 AGVoIP2+WiFi web alice3.06ag306 CT536 web 3.02 bc300 CT5621 web 3.02 bc300 DG834GT web 3.02 bc300 DG834PN web 3.02 bc300 DSL-2640B web 3.10 bc310 DSL-2740B web 3.10 bc310 F5D7633 web 3.10 bc310 F@ST2404 web ? bc300 F@ST2404 web ? bc310 GW6000 web 3.00 bc300 GW6200 web 3.10 bc310 Neufbox4 web 3.12 bc310 TD8810A web 3.06 bc300 TD8810B web 3.06 bc300 TD8811A web 3.06 bc300 TD8811B web 3.06 bc300 TD8900GB web 3.06 bc300 USR9108 web ? bc300 V2091_BTR web 2.21 bc221 V2091_ROI web 2.21 bc221 V2091_WB web 2.21 bc221 V210_BTR web 2.21 bc221 V210_ROI web 2.21 bc221 V210_WB web 2.21 bc221 V2110 web 2.21 bc221 V2110_AA web 2.21 bc221 V2110_ROI web 2.21 bc221 V2500V web 2.21 bc221 V2500V_AA web 2.21 bc221 V2500V_SIP_CLUB web2.21 bc221 Old imagetag routers Davolink DV201AMR Redboot routers Inventel Livebox Table of Broadcom Version for Various Routers Vendor Model Belkin F5D7633 British Telecom (BT) Voyager V2091_BTR British Telecom (BT) Voyager V2091_ROI British Telecom (BT) Voyager V2091_WB British Telecom (BT) Voyager V210_BTR British Telecom (BT) Voyager V210_ROI British Telecom (BT) Voyager V210_WB British Telecom (BT) Voyager V2110 British Telecom (BT) Voyager V2110_AA British Telecom (BT) Voyager V2110_ROI British Telecom (BT) Voyager V220V British Telecom (BT) Voyager V2500V British Telecom (BT) Voyager V2500V_AA British Telecom (BT) Voyager V2500V_SIP_CLUB Comtrend CT-5261 Comtrend CT-536 D-Link DSL-2640B D-Link DSL-2670B NetGear DG834GT NetGear DG834PN Neuf Cegetel Neufbox 4 Pirelli Alice Gate Wi-Fi (+VoIP models?) Pirelli DRG A125G Sagem F@ST2404 TP-Link TD-8810A TP-Link TD-8810B TP-Link TD-8811A TP-Link TD-8811B TP-Link TD-W8900GB Tecom GW6000 Tecom GW6200 USR 9108 This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2022/11/11 18:49by danitool