Sky ER110 Router teardown
This is a quick teardown of the Sky ER110 Router with a copy of the extracted firmware, UART Dump and a list of all components. The design and layout is identical to the ER115 but uses an onboad PSU. The teardown procedure is also the same, see here.
Before you extract your own firmware you will need a copy of a Kali Linux (for ease or use), soldering iron, microscope, sharp knife and a RT809H or equivalent.
A copy of the firmware can be found here https://drive.google.com/file/d/1CUR8xfGLhg8buqRIW6D697yPIGLKJ6jU/view?usp=sharing
1. Front view
2. Rear view
3. Rear PCB.
| No | Part Number | Description |
| 1 | FL256SA1H30 627BB119 A | Cypress 32MB BGA24 4x6 SPI Flash Memory |
4. Front PCB
| No | Part Number | Description |
| 1 | ATHEROS AR1540-AL3C C AASA KR | fully-differential amplifier |
| 2 | ATHEROS AR7420 -AL3C NU62725H 1627 | MAC/PHY Transceiver |
| 3 | B50612E B1KMLG TE1631 P21 611338 3 W | SINGLE GIGABIT PHY 3E |
| 4 | BCM63168UKFEBG TT1626 P40 601842-07 N1A | Broadcom SOC |
| 5 | BCM6303 KMLG P31 CN1624 602355 3B | Single-chip multi-mode ADSL2+/VDSL2 IAD |
| 6 | SAMSUNG 625 K4B2616460-BCK0 EGD0872PC | 1GB DDR3 RAM? |
| 7 | UART (3,4) & JTAG | |
| 8 | BCM4360KMLG TE1622 P20 594896-04 3 W | IC RF TXRX WIFI SINGLE CHIP |
| 9 | VUBI TI 55 529F | 3-17V 3A Step-Down Converter in 3x3 QFN Package |
| 10 | UART (disabled) | |
| 11 | FMF 4591 QSVG | ??? |
5. Spansion/Cypress FL256SA1H30 pinout.
6. Front PCB traces.
7. Rear PCB traces.
8. UART Dump
HELOCPUIL1CIHELOCPUIL1CI4.1404-1.0.38-200 118.002 116DRAM----PHYSSTRF400HPHYEDDR3SIZ4SIZ3DINTUSYNLSYNMFASLMBERACEPASS----ZBSSCODEDATAL12FMAINBase: 4.14_04CFE version 1.0.38-118.116 for BCM963268 (32bit,SP,BE)Build Date: Tue Aug 19 16:58:53 BST 2014 (tomasz@iris)Copyright (C) 2000-2013 Broadcom Corporation.Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHzMain Thread: TP0Memory Test PassedTotal Memory: 268435456 bytes (256MB)Boot Address: 0xb8000000HS Serial flash device: S25FL256, id 0x0119 size 32768KBTotal Flash size: 32768K with 512 sectorsreserved at bottom=128KBFlash split 10 : AuxFS[3407872]FLASH_BASE =0xb8000000fInfo->flash_rootfs_start_offset =0x00080000fInfo->flash_meta_start_blk = 510fInfo->flash_syslog_start_blk = 0fInfo->flash_syslog_number_blk = 0fInfo->flash_syslog_length=0x0fInfo->flash_backup_psi_start_blk = 0fInfo->flash_backup_psi_number_blk = 0sp startAddr = b9fe4000fInfo->flash_scratch_pad_start_blk = 510fInfo->flash_scratch_pad_number_blk = 1fInfo->flash_scratch_pad_length = 0x2000fInfo->flash_scratch_pad_blk_offset = 0x4000psi startAddr = b9fe6000fInfo->flash_persistent_start_blk = 510fInfo->flash_persistent_number_blk = 1fInfo->flash_persistent_length=0xa000fInfo->flash_persistent_blk_offset = 0x6000AuxFs.start_blk = 458AuxFs,number_blk = 52AuxFs.total_len = 0x340000AuxFs.sect_size = 0x10000fInfo->flash_sky_scratch_pad_start_blk = 511fInfo->flash_sky_scratch_pad_number_blk = 1fInfo->flash_sky_scratch_pad_length = 0x100fInfo->flash_sky_scratch_pad_blk_offset = 0xff00Board IP address : 192.168.0.1:ffffff00Host IP address : 192.168.0.100Gateway IP address :Run from flash/host/tftp (f/h/c) : fDefault host run file name : vmlinuxDefault host flash file name : bcm963xx_fs_kernelBoot delay (0-9 seconds) : 1Boot image (0=latest, 1=previous) : 0Default host ramdisk file name :Default ramdisk store address :Board Id (0-33) : BSKYB_VIPERNumber of MAC Addresses (1-32) : 10Base MAC Address : 00:10:18:00:00:00PSI Size (1-64) KBytes : 40Enable Backup PSI [0|1] : 0System Log Size (0-256) KBytes : 0Auxillary File System Size Percent: 10Main Thread Number [0|1] : 0Booting from latest image (0xb8e60000) ...Signature@Offset: [0x019e35e4]FLASH IMAGE SIGNATURE OKCode Address: 0x80752B90, Entry Address: 0x803a3c40RootFS & Kernel CRCs are correct.Decompression OK!Entry at 0x803a3c40Closing network.Disabling Switch ports.Flushing Receive Buffers...0 buffers foundClosing DMA ChannelsStarting program at 0x803a3c40
9. binwalk outputs the following:
14308 0x37E4 LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 254944 bytes524288 0x80000 Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0x3C514052, ~CRC32 data checksum: 0x45C2FC04524544 0x80100 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10465800 bytes, 1182 inodes, blocksize: 131072 bytes, created: 2016-11-21 17:07:0710993932 0xA7C10C LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4682720 bytes15073280 0xE60000 Broadcom 96345 firmware header, header size: 256, firmware version: "68", board id: "SKYB_VIPER", ~CRC32 header checksum: 0x2BE94B0C, ~CRC32 data checksum: 0x4061B89C15073536 0xE60100 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 10513640 bytes, 1185 inodes, blocksize: 131072 bytes, created: 2016-12-13 19:08:2825587980 0x186710C LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 4682720 bytes
10. 7zip opens the file just fine but if you want to use what bin walk produces to extract the image then use these commands:
dd if=ER110.BIN of=sky1.bin bs=1 count=14308 skip=0dd if=ER110.BIN of=sky2.bin bs=1 count=524288 skip=14308dd if=ER110.BIN of=sky3.bin bs=1 count=524544 skip=524288dd if=ER110.BIN of=sky4.bin bs=1 count=10993932 skip=524544dd if=ER110.BIN of=sky5.bin bs=1 count=15073280 skip=10993932dd if=ER110.BIN of=sky6.bin bs=1 count=15073536 skip=15073280dd if=ER110.BIN of=sky7.bin bs=1 count=25587980 skip=15073536dd if=ER110.BIN of=sky8.bin bs=1 count=33554431 skip=25587980