Nwr04b Checksum

This explains the firmware checksum for the Nwr04bChecksum router (at least, as far as I've been able to figure it out so far).

0x00

lanware: 00000000  06 00 00 ea 02 00 00 00  03 00 00 00 03 0b 00 08  |................|
repotec: 00000000  06 00 00 ea 02 00 00 00  0a 00 00 00 02 12 00 1b  |................|
runtop:  00000000  06 00 00 ea 02 00 00 00  03 00 00 00 03 13 00 02  |................|
network: 00000000  06 00 00 ea 05 00 00 00  03 00 00 00 01 02 00 01  |................|

0x00: disarm -r shows this is "B &00000020". Assuming that's 0x20, not decimal 20, that would get the CPU to skip over the next few bytes. Thus, we can ignore bytes 0x00-0x04 as far as a checksum is concerned.

0x04: Same except for Network Everywhere. Some part of version number?

0x08: 0x08-0x0b identical for lanware, NE and runtop; repotec different.

0x0c: This would appear to match command-line version number (thanks to Hugh Redelmeier for this). Expansion of that: Runtop firmware is 3.19.0000; this would appear to match. Lanware firmware command line version is 3.11.0008, which matches. Repotec should be 2.18. This may explain why Runtop would not let me install Repotec firmware: lower major revision number.

0x10

lanware: 00000010  02 00 00 00 98 ea 0b 00  12 ec 37 06 e5 02 00 00  |..........7.....|
repotec: 00000010  02 00 00 00 6c 6b 09 00  26 27 e7 04 55 02 00 00  |....lk..&'..U...|
runtop:  00000010  02 00 00 00 5f 6c 0a 00  cd 33 6e 05 67 02 00 00  |...._l...3n.g...|
network  00000010  02 00 00 00 9a a8 0b 00  cf be 14 06 02 03 00 00  |................|

0x10: identical. No idea what's going on here.

0x14: image length - 32. (ie, image length from offset 0x20)

0x18: Sum of bytes w/offset 32 (0x20) into file.

0x1c: Sum of bytes from 0x04 through 0x1b.

0x20

lanware: 00000020  13 00 00 ea 02 00 00 00  03 00 00 00 03 0b 00 08  |................|
repotec: 00000020  13 00 00 ea 02 00 00 00  0a 00 00 00 02 12 00 1b  |................|
runtop:  00000020  13 00 00 ea 02 00 00 00  03 00 00 00 03 13 00 02  |................|
network: 00000020  00 30 0f e1 1f 30 c3 e3  13 30 83 e3 c0 30 83 e3  |.0...0...0...0..|

NE is the odd man out here: it looks like this is where the checksum ends and the booting process continues after the first branch. disarm -r says that the other three are "b &00000074". NE is using a different checksum, but we knew that. Will ignore NE from 0x20 on.

As for the others: this is a second checksum here, identical in structure to the first.

0x20: branch &00000074.

0x24-0x2c: Identical to 0x04-0x0c, so assume revision, etc repeated.

0x30

lanware: 00000030  02 00 00 00 78 ea 0b 00  e8 e6 37 06 95 03 00 00  |....x.....7.....|
repotec: 00000030  02 00 00 00 4c 6b 09 00  05 24 e7 04 11 02 00 00  |....Lk...$......|
runtop:  00000030  02 00 00 00 3f 6c 0a 00  4b 30 6e 05 c2 01 00 00  |....?l..K0n.....|
network: 00000030  03 f0 29 e1 0f 60 a0 e1  08 60 46 e2 84 d0 9f e5  |..)..`...`F.....|

0x30: matches 0x10. Still no idea.

0x34: image length - 64 (ie, image length from offset 0x40);

0x38: Sum of bytes w/offset 64 (0x40) into file.

0x3c: Sum of bytes from 0x24 through 0x3b.


$Log: Nwr04bChecksum.html,v $
Revision 1.2 2005/03/30 22:00:22 aardvark
Fix formatting.