router 101
How Routers Boot Up or What the Heck is Going On?
It is hoped that this page will take some of the mystery out of what a router is doing when it boots up and why there are so many ways to flash a router.
Router Flash and RAM
A router can be thought of as a small computer because it has a similar hardware layout. Both have a storage medium that retains data even when the power is turned off: the computer has a hard drive and the router has flash memory. Both also have a certain amount of RAM, which loses its data when the power is turned off. And both start up the same way.
When a router or a computer boots up the first thing they do is copy a small program from the storage medium into RAM and run that. This program then starts up the main program, the computer's Operating System or the router's firmware.
On a router the program that is run when it first boots up is called a bootloader, and in its most basic form it loads the router's firmware program from the flash memory into RAM and runs it. It is just that simple. The important thing to note here is that programs stored in flash memory are not run there but are first copied to RAM and then run. This is identical to how a computer works: it doesn't run programs from the hard drive but first copies them to RAM and then runs them.
- The firmware program is not run in flash memory but is copied to RAM and run there.
With older bootloaders this is all they did: copy the firmware into RAM and run that program. Because flash memory is quite small, only a certain size of firmware program will fit into it. But as more features were added to routers there was a need to cram larger firmware programs into the same space. Enter compression.
Firmware programs were compressed just like a Zip file so they took up less space in the flash memory and you could fit a bigger program in the same space. At this point the bootloader program was modified so it would decompress the firmware program as it copied it into RAM. This can be confirmed by looking at the RAM usage on a router. A router with 16 meg of flash memory can require 60 meg of RAM when the firmware is decompressed into it.
- The firmware program is compressed in flash memory and is expanded when put into RAM.
And this is where the basic bootloader program stopped. It loaded the firmware program out of flash memory, decompressed it into RAM, then ran it.
One side effect of this process is that it allows the firmware program to be updated quite easily. This is what is known as flashing the router. In this process we replace the firmware program in flash memory with a new one and then make the router reboot so it loads the new program into RAM instead of the old one. Remember that the firmware program is running in RAM, so any changes we make to flash memory will not have any effect on it until we reboot. This is why the firmware can be changed using the old firmware program. It may appear that we are overwriting the running firmware program, but we are not. We are using a program in RAM to change the data in the flash memory.
- Copying a new firmware program to flash memory does not affect the firmware program running in RAM until we reboot.
And this is how a router's firmware is updated using the current firmware's GUI. The file containing the new firmware is uploaded by the GUI and placed into some area of free RAM. It is then copied to the proper location in flash memory and the router is rebooted. This also puts a limit on the size of the new firmware, as it must fit into free RAM. If a router's new firmware file is 16 meg in size then there must be at least 16 meg of free RAM available or the process will fail. Routers with only 64 meg of RAM may not have that much free RAM if the firmware program is already using 50 meg of RAM.
Now that we have looked at the way that a router boots up and how the firmware can be changed we will look at the way that flash memory is laid out.
Not every router uses exactly this flash layout, but they are all very similar. We have the following sections, or partitions, in flash memory.
- Bootloader - this is usually less than 256K in size and contains the bootloader program.
- Data Storage - this area holds data that is unique to this router such as the various MAC addresses and wifi calibration data.
- Firmware Program - this takes up the largest amount of flash memory and holds the router's firmware program.
- Firmware Changes - this area holds all the changes that are made to the firmware program.
The Firmware Changes partition is an interesting one. It is possible to access the router's file system and make changes to the scripts and files there. These changes take place in the firmware program that is running in RAM. If these changes are to be retained after a reboot they must also be applied to the firmware program in the flash memory. But because the firmware program in flash memory is compressed we cannot change it directly. Instead, an area is set aside that holds all of the changed files, and they are marked as changed. When the router is rebooted the bootloader checks these changed files and copies them into RAM at the proper location.
The actual firmware program in flash memory is never altered but any altered files are copied into RAM during decompression so they appear in the RAM version of the firmware. For this reason it is not possible to free up any space in flash memory as the firmware program there is never altered. You can save some space in RAM by deleting files from the firmware but at the expense of filling up the Firmware Changes partition.
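The two questions that decide whether a GUI flash can succeed follow directly from the layout and the RAM limit described above: does the new image fit in the Firmware Program partition, and is there enough free RAM to hold the uploaded file before it is copied to flash? The following Python is an added example, not code from this page or from ROOter. It assumes a Linux-based firmware that reports the flash layout in /proc/mtd and memory in /proc/meminfo; the partition names (bootloader, data, firmware, changes), sizes and memory figures below are constructed to mirror the four sections listed above, and the check_image function is the author's own.

```python
import re

# Constructed /proc/mtd listing for a 16 MiB flash laid out with the four
# sections described above. Sizes are hexadecimal byte counts. (Sample data,
# not taken from any real router.)
SAMPLE_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "bootloader"
mtd1: 00020000 00010000 "data"
mtd2: 00c00000 00010000 "firmware"
mtd3: 003b0000 00010000 "changes"
"""

# Constructed /proc/meminfo excerpt for a 64 MB router whose running
# firmware already occupies most of RAM.
SAMPLE_MEMINFO = """\
MemTotal:          62076 kB
MemFree:            8120 kB
MemAvailable:      11000 kB
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"\s*$')
MEM_LINE = re.compile(r"^(\w+):\s+(\d+)\s+kB")


def parse_mtd(text):
    """Map partition name -> {dev, size, erasesize} (sizes in bytes)."""
    parts = {}
    for line in text.splitlines():
        m = MTD_LINE.match(line)
        if m:
            parts[m.group(4)] = {
                "dev": m.group(1),
                "size": int(m.group(2), 16),
                "erasesize": int(m.group(3), 16),
            }
    return parts


def parse_meminfo(text):
    """Map meminfo field -> bytes (the file reports kB)."""
    mem = {}
    for line in text.splitlines():
        m = MEM_LINE.match(line)
        if m:
            mem[m.group(1)] = int(m.group(2)) * 1024
    return mem


def check_image(image_size, mtd_text=SAMPLE_MTD, meminfo_text=SAMPLE_MEMINFO,
                partition="firmware"):
    """Pre-flash check: will an image of image_size bytes fit the target
    partition, and can the running firmware hold it in free RAM first?"""
    parts = parse_mtd(mtd_text)
    if partition not in parts:
        raise KeyError("no partition named %r in the flash layout" % partition)
    part = parts[partition]
    mem = parse_meminfo(meminfo_text)
    # MemAvailable is the realistic figure; fall back to MemFree on old kernels.
    free_ram = mem.get("MemAvailable", mem.get("MemFree", 0))
    return {
        "partition_size": part["size"],
        "erase_blocks": -(-image_size // part["erasesize"]),   # ceiling division
        "fits_flash": image_size <= part["size"],
        "free_ram": free_ram,
        "fits_ram": image_size <= free_ram,
    }


if __name__ == "__main__":
    for mib in (8, 12, 13):
        r = check_image(mib * 1024 * 1024)
        print("%2d MiB image: fits flash=%s (%d erase blocks), fits free RAM=%s"
              % (mib, r["fits_flash"], r["erase_blocks"], r["fits_ram"]))
```

With the sample figures a 12 MiB image fits the firmware partition exactly but not the 11000 kB of available RAM, which is the situation the text describes: the GUI upload fails even though the image itself is valid, and one of the bootloader methods described later has to be used instead.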
Bootloader Advancements
At this point we know how a router boots up and how the flash memory is laid out. It is now time to look at changes that have been made to the bootloader over the years.
The basic bootloader is quite simple, as all it does is copy and decompress the firmware program into RAM and then execute it. While that may have been good enough for the manufacturers at the time, router users wanted more features to make life easier when they altered the stock firmware. Enter the third party bootloader.
A number of individuals took it upon themselves to alter the factory bootloader for various routers and make it available to everyone. Because the features they added were so useful, many smaller manufacturers started using them rather than the older, more limited programs. And the large manufacturers modified their bootloaders to include many of these features as well. This leads us to today, where many of the routers supported by ROOter use these third party bootloaders or have a bootloader with the same features.
Probably the biggest feature that was added is the Recovery GUI. This allows flashing a router even if the current firmware program is unusable. The implementation of this feature is pretty much the same across most bootloaders and is as follows.
When the bootloader is first started up, instead of going directly to copying and decompressing the firmware program, it checks the state of the router's reset button. If that button is held in then the bootloader waits for a certain amount of time and, if it is held in all that time, will start a small web server on the router. The bootloader uses the LEDs on the router to indicate that the reset button is being held in. In some bootloaders (GL.iNet for instance) you must release the button after a specific time, as indicated by the number of times the LEDs flash; otherwise the web server will not start. Other bootloaders just wait for a certain amount of time with the reset button held in and then start the web server (ZBT).
Once the bootloader knows that you want the Recovery GUI it will start a web server so you can access a web page on the router. This is normally at http://192.168.1.1/index.html, although some bootloaders use a different IP address. When you use your browser to go to this web page you are given the option to upload a new firmware file and have it flashed to the router. The bootloader does this in exactly the same way as outlined above: it uploads the file to RAM and then copies it into the firmware program area of flash memory. The big thing here is that no checking is done on the uploaded file, so anything can be written into the firmware program area. This is useful when you can't use the normal GUI to flash the router.
- The Recovery GUI makes it possible to flash a router even if the current firmware is unusable. It effectively makes the router unbrickable.
The implementation of the Recovery GUI was a big step forward in bootloaders, but some bootloaders do not have it and instead offer other methods to flash a new firmware program. These usually involve tftp, so we will look at that first.
Trivial File Transfer Protocol, or tftp, is a technology that is used to transfer files between devices over Ethernet. It uses client and server software, with the server hosting the file and the client requesting a file from the server. Both the client and server devices have a specific IP address, so the client knows where to look for the file and the server knows who is asking for it. In bootloader tftp the bootloader specifies the IP addresses of both the client and the server.
One common method of flashing a router that doesn't have a Recovery GUI is for the bootloader to start a tftp client and request a specific file from a tftp server. If it doesn't receive the file in a certain amount of time it continues with its normal routine. Each bootloader that does this has a different IP address for the router, a different address for the device that hosts the server and a different file name, so some information is needed ahead of time to set it up correctly. For example, the bootloader may decide that its client IP will be 192.168.31.1. This has nothing to do with the IP that the router's firmware uses. It looks for a server at 192.168.31.100, and the file it wants is called firmware.bin. If all this is in place then it will upload the file to RAM and then copy it into the firmware program part of the flash memory. The bootloader then starts its normal routine of copying and decompressing the firmware.
A variation on this method has the bootloader check the reset button when it starts and, if it is held down for a certain amount of time, start the tftp client and look for the firmware file. If it doesn't receive it in a specified amount of time it goes on with its normal routine. Mikrotik and Asus use this method of flashing. Again the client and server IP addresses are fixed. In the case of some Mikrotik routers the file is not requested by name; it is left up to the server to know which file should be sent to that IP address. Other routers require a specific file name.
- Although more complicated than the Recovery GUI, tftp can be used to flash a router whose firmware is unusable.
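To make the tftp exchange concrete, the following Python is an added example (not code from this page, from ROOter or from any bootloader) that implements both sides of the RFC 1350 read transfer described above: the client sends a read request (RRQ) for a file name, the server answers with numbered 512-byte DATA blocks, the client acknowledges each one, and a final block shorter than 512 bytes ends the transfer. So that it runs offline it uses 127.0.0.1 and an ephemeral port instead of the fixed addresses and UDP port 69 a bootloader would use, and the "firmware.bin" it serves is a constructed byte string, not a real image. The server only serves names present in an explicit table, so a request cannot name an arbitrary path on the host.

```python
import socket
import struct
import threading

# TFTP opcodes from RFC 1350 (WRQ is omitted: a bootloader only ever reads).
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512                 # fixed block size in RFC 1350 (no blksize option)
ERR_NOT_FOUND, ERR_ILLEGAL = 1, 4

# Constructed sample "firmware" image: 1283 bytes, so the transfer needs three
# DATA blocks (512, 512, 259). The short final block ends the file.
FIRMWARE_NAME = "firmware.bin"
FIRMWARE_IMAGE = bytes(range(256)) * 5 + b"END"


def build_rrq(filename, mode="octet"):
    """RRQ: opcode, filename, NUL, mode, NUL. Bootloaders use octet (binary) mode."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(pkt):
    (op,) = struct.unpack("!H", pkt[:2])
    fields = pkt[2:].split(b"\0")
    if op != OP_RRQ or len(fields) < 2:
        raise ValueError("not a well-formed RRQ")
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def serve_one_transfer(listener, files):
    """Server side: answer exactly one RRQ from a fixed table of files."""
    pkt, client = listener.recvfrom(1024)
    try:
        name, mode = parse_rrq(pkt)
    except (ValueError, struct.error):
        listener.sendto(build_error(ERR_ILLEGAL, "Illegal TFTP operation"), client)
        return
    if mode != "octet":
        listener.sendto(build_error(ERR_ILLEGAL, "Only octet mode is supported"), client)
        return
    if name not in files:
        listener.sendto(build_error(ERR_NOT_FOUND, "File not found"), client)
        return
    data = files[name]
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # RFC 1350: fresh port (TID)
    xfer.settimeout(2)
    try:
        block, offset = 1, 0
        while True:
            chunk = data[offset:offset + BLOCK_SIZE]
            xfer.sendto(build_data(block, chunk), client)
            ack, _ = xfer.recvfrom(1024)
            op, acked = struct.unpack("!HH", ack[:4])
            if op != OP_ACK or acked != block:
                raise RuntimeError("unexpected packet instead of ACK %d" % block)
            if len(chunk) < BLOCK_SIZE:
                break                          # short (possibly empty) block ends the file
            offset += BLOCK_SIZE
            block = (block + 1) & 0xFFFF
    finally:
        xfer.close()


def tftp_get(server, filename):
    """Client side (the part a bootloader runs): RRQ, then ACK every DATA block."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(2)
    received, expected = bytearray(), 1
    try:
        sock.sendto(build_rrq(filename), server)
        while True:
            pkt, peer = sock.recvfrom(4 + BLOCK_SIZE)
            op, block = struct.unpack("!HH", pkt[:4])
            if op == OP_ERROR:
                raise RuntimeError("server error %d: %s" % (block, pkt[4:].rstrip(b"\0").decode()))
            if op != OP_DATA or block != expected:
                continue                       # stray or duplicate packet: ignore
            received += pkt[4:]
            sock.sendto(build_ack(block), peer)   # ACK goes to the server's transfer port
            expected = (expected + 1) & 0xFFFF
            if len(pkt) - 4 < BLOCK_SIZE:
                return bytes(received)
    finally:
        sock.close()


def run_demo(filename=FIRMWARE_NAME):
    """Run server and client on localhost and return the bytes the client got."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))            # ephemeral port: no privileges needed
    listener.settimeout(5)
    server = threading.Thread(target=serve_one_transfer,
                              args=(listener, {FIRMWARE_NAME: FIRMWARE_IMAGE}))
    server.start()
    try:
        return tftp_get(listener.getsockname(), filename)
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    image = run_demo()
    print("received %d bytes, matches image: %s" % (len(image), image == FIRMWARE_IMAGE))
```

Requesting a name the server does not have produces a tftp ERROR packet instead of data, which is the same outcome a bootloader sees when the file name or addresses are not set up exactly as it expects; it then gives up after its timeout and continues its normal boot.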
At this point we have looked at how the bootloader works and the different methods that can be used to flash the router when the normal GUI is not available. But what do we do if the bootloader doesn't have a Recovery GUI and doesn't look for a file automatically via tftp at boot time? This happens with routers from large manufacturers who haven't implemented the features found in third party bootloaders. Enter the USB to TTL serial adapter.
Almost all bootloaders implement a serial console where the bootloader can send its output and accept input. It is like a terminal where you can interact with the bootloader as it goes about its business. These routers have pads (or pins, if you are lucky) for the terminal to connect to. These are 3.3 volt TTL lines, and you must use a USB to TTL adapter to connect the router to a computer's USB port. This adapter has a special driver so you can use a terminal program like PuTTY to talk to the router's bootloader. This method is not for everyone, as it requires you to open the router case and, in many cases, solder pins to the board.
When you have a serial console hooked to the router you can boot it up and see what the bootloader is doing. Along with everything else, it will look for a key press from the serial console and will act on that input in various ways. If no input is received within a very short period it goes about its normal routine. While different bootloaders have different commands, they will have a command that manually starts a tftp client like the one described above and uses it to upload and flash a new firmware over Ethernet. This method works with a router that doesn't start a tftp client automatically.
- As a last resort, a serial console can be used to manually start a tftp session and upload and flash a firmware.
Why These Methods Exist
You are probably wondering why all these different methods exist that use the bootloader to flash the router. Can't you just use the normal GUI and flash it from there? The answer is: sometimes.
When you want to flash a router from the factory firmware to ROOter, in many cases the factory firmware will not allow it. Every firmware has checks built into it to stop an incorrect firmware from being used. These involve things like the firmware file name, checksums and special data in the firmware. In some cases the firmware created by ROOter has an image that is specially designed to meet all of these requirements, so you can use that to flash from factory to ROOter. But many routers don't have this image, so other methods have to be used to flash them to ROOter. This is where the bootloader methods come into play.
This is a flowchart that shows the steps to determine which method needs to be used to flash a router.
We have gone from looking at how the router boots up and how the flash memory is laid out to looking at the flashing methods that are used by the various bootloaders. Hopefully this increases the understanding of what is being done to a router when flashing it to ROOter.