2 * mtd - simple memory technology device manipulation tool
4 * Copyright (C) 2005 Waldemar Brodkorb <wbx@dass-it.de>,
5 * Copyright (C) 2005-2009 Felix Fietkau <nbd@nbd.name>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License v2
9 * as published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 * The code is based on the linux-mtd examples.
33 #include <sys/ioctl.h>
34 #include <sys/syscall.h>
39 #include <sys/ioctl.h>
40 #include <sys/types.h>
41 #include <sys/param.h>
42 #include <sys/mount.h>
44 #include <sys/reboot.h>
45 #include <linux/reboot.h>
46 #include <mtd/mtd-user.h>
51 #include <libubox/md5.h>
54 #define JFFS2_DEFAULT_DIR "" /* directory name without /, empty means root dir */
56 #define TRX_MAGIC 0x48445230 /* "HDR0" */
57 #define SEAMA_MAGIC 0x5ea3a417
58 #define WRG_MAGIC 0x20040220
59 #define WRGG03_MAGIC 0x20080321
61 #if !defined(__BYTE_ORDER)
62 #error "Unknown byte order"
65 #if __BYTE_ORDER == __BIG_ENDIAN
66 #define cpu_to_be32(x) (x)
67 #define be32_to_cpu(x) (x)
68 #define le32_to_cpu(x) bswap_32(x)
69 #elif __BYTE_ORDER == __LITTLE_ENDIAN
70 #define cpu_to_be32(x) bswap_32(x)
71 #define be32_to_cpu(x) bswap_32(x)
72 #define le32_to_cpu(x) (x)
74 #error "Unsupported endianness"
77 enum mtd_image_format {
78 MTD_IMAGE_FORMAT_UNKNOWN,
80 MTD_IMAGE_FORMAT_SEAMA,
82 MTD_IMAGE_FORMAT_WRGG03,
85 static char *buf = NULL;
86 static char *imagefile = NULL;
87 static enum mtd_image_format imageformat = MTD_IMAGE_FORMAT_UNKNOWN;
88 static char *jffs2file = NULL, *jffs2dir = JFFS2_DEFAULT_DIR;
89 static char *tpl_uboot_args_part;
90 static int buflen = 0;
95 int jffs2_skip_bytes=0;
98 int mtd_open(const char *mtd, bool block)
104 int flags = O_RDWR | O_SYNC;
107 snprintf(name, sizeof(name), "\"%s\"", mtd);
108 if ((fp = fopen("/proc/mtd", "r"))) {
109 while (fgets(dev, sizeof(dev), fp)) {
110 if (sscanf(dev, "mtd%d:", &i) && strstr(dev, name)) {
111 snprintf(dev, sizeof(dev), "/dev/mtd%s/%d", (block ? "block" : ""), i);
112 if ((ret=open(dev, flags))<0) {
113 snprintf(dev, sizeof(dev), "/dev/mtd%s%d", (block ? "block" : ""), i);
114 ret=open(dev, flags);
123 return open(mtd, flags);
126 int mtd_check_open(const char *mtd)
128 struct mtd_info_user mtdInfo;
131 fd = mtd_open(mtd, false);
133 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
137 if(ioctl(fd, MEMGETINFO, &mtdInfo)) {
138 fprintf(stderr, "Could not get MTD device info from %s\n", mtd);
142 mtdsize = mtdInfo.size;
143 erasesize = mtdInfo.erasesize;
144 mtdtype = mtdInfo.type;
149 int mtd_block_is_bad(int fd, int offset)
154 if (mtdtype == MTD_NANDFLASH)
156 r = ioctl(fd, MEMGETBADBLOCK, &o);
159 fprintf(stderr, "Failed to get erase block status\n");
166 int mtd_erase_block(int fd, int offset)
168 struct erase_info_user mtdEraseInfo;
170 mtdEraseInfo.start = offset;
171 mtdEraseInfo.length = erasesize;
172 ioctl(fd, MEMUNLOCK, &mtdEraseInfo);
173 if (ioctl (fd, MEMERASE, &mtdEraseInfo) < 0)
179 int mtd_write_buffer(int fd, const char *buf, int offset, int length)
181 lseek(fd, offset, SEEK_SET);
182 write(fd, buf, length);
187 image_check(int imagefd, const char *mtd)
193 while (buflen < sizeof(magic)) {
194 bufread = read(imagefd, buf + buflen, sizeof(magic) - buflen);
201 if (buflen < sizeof(magic)) {
202 fprintf(stdout, "Could not get image magic\n");
206 magic = ((uint32_t *)buf)[0];
208 if (be32_to_cpu(magic) == TRX_MAGIC)
209 imageformat = MTD_IMAGE_FORMAT_TRX;
210 else if (be32_to_cpu(magic) == SEAMA_MAGIC)
211 imageformat = MTD_IMAGE_FORMAT_SEAMA;
212 else if (le32_to_cpu(magic) == WRG_MAGIC)
213 imageformat = MTD_IMAGE_FORMAT_WRG;
214 else if (le32_to_cpu(magic) == WRGG03_MAGIC)
215 imageformat = MTD_IMAGE_FORMAT_WRGG03;
217 switch (imageformat) {
218 case MTD_IMAGE_FORMAT_TRX:
220 ret = trx_check(imagefd, mtd, buf, &buflen);
222 case MTD_IMAGE_FORMAT_SEAMA:
223 case MTD_IMAGE_FORMAT_WRG:
224 case MTD_IMAGE_FORMAT_WRGG03:
228 if (!strcmp(mtd, "firmware"))
237 static int mtd_check(const char *mtd)
243 if (strchr(mtd, ':')) {
249 next = strchr(mtd, ':');
255 fd = mtd_check_open(mtd);
260 buf = malloc(erasesize);
273 mtd_unlock(const char *mtd)
275 struct erase_info_user mtdLockInfo;
280 if (strchr(mtd, ':')) {
286 next = strchr(mtd, ':');
292 fd = mtd_check_open(mtd);
294 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
299 fprintf(stderr, "Unlocking %s ...\n", mtd);
301 mtdLockInfo.start = 0;
302 mtdLockInfo.length = mtdsize;
303 ioctl(fd, MEMUNLOCK, &mtdLockInfo);
315 mtd_erase(const char *mtd)
318 struct erase_info_user mtdEraseInfo;
321 fprintf(stderr, "Erasing %s ...\n", mtd);
323 fd = mtd_check_open(mtd);
325 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
329 mtdEraseInfo.length = erasesize;
331 for (mtdEraseInfo.start = 0;
332 mtdEraseInfo.start < mtdsize;
333 mtdEraseInfo.start += erasesize) {
334 if (mtd_block_is_bad(fd, mtdEraseInfo.start)) {
336 fprintf(stderr, "\nSkipping bad block at 0x%x ", mtdEraseInfo.start);
338 ioctl(fd, MEMUNLOCK, &mtdEraseInfo);
339 if(ioctl(fd, MEMERASE, &mtdEraseInfo))
340 fprintf(stderr, "Failed to erase block on %s at 0x%x\n", mtd, mtdEraseInfo.start);
350 mtd_dump(const char *mtd, int part_offset, int size)
352 int ret = 0, offset = 0;
357 fprintf(stderr, "Dumping %s ...\n", mtd);
359 fd = mtd_check_open(mtd);
361 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
369 lseek(fd, part_offset, SEEK_SET);
371 buf = malloc(erasesize);
376 int len = (size > erasesize) ? (erasesize) : (size);
377 int rlen = read(fd, buf, len);
385 if (!rlen || rlen != len)
387 if (mtd_block_is_bad(fd, offset)) {
388 fprintf(stderr, "skipping bad block at 0x%08x\n", offset);
402 mtd_verify(const char *mtd, char *file)
404 uint32_t f_md5[4], m_md5[4];
411 fprintf(stderr, "Verifying %s against %s ...\n", mtd, file);
413 if (stat(file, &s) || md5sum(file, f_md5) < 0) {
414 fprintf(stderr, "Failed to hash %s\n", file);
418 fd = mtd_check_open(mtd);
420 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
427 int len = (s.st_size > sizeof(buf)) ? (sizeof(buf)) : (s.st_size);
428 int rlen = read(fd, buf, len);
438 md5_hash(buf, rlen, &ctx);
440 } while (s.st_size > 0);
442 md5_end(m_md5, &ctx);
444 fprintf(stderr, "%08x%08x%08x%08x - %s\n", m_md5[0], m_md5[1], m_md5[2], m_md5[3], mtd);
445 fprintf(stderr, "%08x%08x%08x%08x - %s\n", f_md5[0], f_md5[1], f_md5[2], f_md5[3], file);
447 ret = memcmp(f_md5, m_md5, sizeof(m_md5));
449 fprintf(stderr, "Success\n");
451 fprintf(stderr, "Failed\n");
459 indicate_writing(const char *mtd)
462 fprintf(stderr, "\nWriting from %s to %s ... ", imagefile, mtd);
465 fprintf(stderr, " [ ]");
469 mtd_write(int imagefd, const char *mtd, char *fis_layout, size_t part_offset)
478 int jffs2_replaced = 0;
479 int skip_bad_blocks = 0;
482 static struct fis_part new_parts[MAX_ARGS];
483 static struct fis_part old_parts[MAX_ARGS];
484 struct fis_part *cur_part = NULL;
485 int n_new = 0, n_old = 0;
488 const char *tmp = mtd;
492 memset(&old_parts, 0, sizeof(old_parts));
493 memset(&new_parts, 0, sizeof(new_parts));
495 cur_part = new_parts;
498 next = strchr(tmp, ':');
500 next = (char *) tmp + strlen(tmp);
502 memcpy(old_parts[n_old].name, tmp, next - tmp);
508 for (word = strtok_r(fis_layout, ",", &brkt);
510 word = strtok_r(NULL, ",", &brkt)) {
512 tmp = strtok(word, ":");
513 strncpy((char *) new_parts[n_new].name, tmp, sizeof(new_parts[n_new].name) - 1);
515 tmp = strtok(NULL, ":");
519 new_parts[n_new].size = strtoul(tmp, NULL, 0);
521 tmp = strtok(NULL, ":");
525 new_parts[n_new].loadaddr = strtoul(tmp, NULL, 16);
529 ret = fis_validate(old_parts, n_old, new_parts, n_new);
531 fprintf(stderr, "Failed to validate the new FIS partition table\n");
539 if (strchr(mtd, ':')) {
547 next = strchr(mtd, ':');
553 fd = mtd_check_open(mtd);
555 fprintf(stderr, "Could not open mtd device: %s\n", mtd);
558 if (part_offset > 0) {
559 fprintf(stderr, "Seeking on mtd device '%s' to: %zu\n", mtd, part_offset);
560 lseek(fd, part_offset, SEEK_SET);
563 /* Write TP-Link recovery flag */
564 if (tpl_uboot_args_part && mtd_tpl_recoverflag_write) {
566 fprintf(stderr, "Writing recovery flag to %s\n", tpl_uboot_args_part);
567 result = mtd_tpl_recoverflag_write(tpl_uboot_args_part, true);
569 fprintf(stderr, "Could not write TP-Link recovery flag to %s: %i", mtd, result);
574 indicate_writing(mtd);
578 /* buffer may contain data already (from trx check or last mtd partition write attempt) */
579 while (buflen < erasesize) {
580 r = read(imagefd, buf + buflen, erasesize - buflen);
582 if ((errno == EINTR) || (errno == EAGAIN))
602 if (buflen < erasesize) {
603 /* Pad block to eraseblock size */
604 memset(&buf[buflen], 0xff, erasesize - buflen);
613 indicate_writing(mtd);
618 if (jffs2file && w >= jffs2_skip_bytes) {
619 if (memcmp(buf, JFFS2_EOF, sizeof(JFFS2_EOF) - 1) == 0) {
621 fprintf(stderr, "\b\b\b ");
623 fprintf(stderr, "\nAppending jffs2 data from %s to %s..\n.", jffs2file, mtd);
624 /* got an EOF marker - this is the place to add some jffs2 data */
625 skip = mtd_replace_jffs2(mtd, fd, e, jffs2file);
628 /* don't add it again */
639 /* no EOF marker, make sure we figure out the last inode number
640 * before appending some data */
641 mtd_parse_jffs2data(buf, jffs2dir);
644 /* need to erase the next block before writing data to it */
647 while (w + buflen > e - skip_bad_blocks) {
649 fprintf(stderr, "\b\b\b[e]");
651 if (mtd_block_is_bad(fd, e)) {
653 fprintf(stderr, "\nSkipping bad block at 0x%08zx ", e);
655 skip_bad_blocks += erasesize;
658 // Move the file pointer along over the bad block.
659 lseek(fd, erasesize, SEEK_CUR);
663 if (mtd_erase_block(fd, e + part_offset) < 0) {
666 write(fd, buf + offset, e - w);
673 fprintf(stderr, "\b\b\b \n");
676 fprintf(stderr, "Failed to erase block\n");
681 /* erase the chunk */
687 fprintf(stderr, "\b\b\b[w]");
689 if ((result = write(fd, buf + offset, buflen)) < buflen) {
691 fprintf(stderr, "Error writing image.\n");
694 fprintf(stderr, "Insufficient space.\n");
701 if (cur_part && cur_part->size
702 && cur_part < &new_parts[MAX_ARGS - 1]
703 && cur_part->length + buflen_raw > cur_part->size)
706 cur_part->length += buflen_raw;
707 cur_part->crc = crc32(cur_part->crc, buf, buflen_raw);
715 if (jffs2_replaced) {
716 switch (imageformat) {
717 case MTD_IMAGE_FORMAT_TRX:
721 case MTD_IMAGE_FORMAT_SEAMA:
723 mtd_fixseama(mtd, 0, 0);
725 case MTD_IMAGE_FORMAT_WRG:
727 mtd_fixwrg(mtd, 0, 0);
729 case MTD_IMAGE_FORMAT_WRGG03:
731 mtd_fixwrgg(mtd, 0, 0);
739 fprintf(stderr, "\b\b\b\b ");
742 fprintf(stderr, "\n");
746 if (fis_remap(old_parts, n_old, new_parts, n_new) < 0)
747 fprintf(stderr, "Failed to update the FIS partition table\n");
753 /* Clear TP-Link recovery flag */
754 if (tpl_uboot_args_part && mtd_tpl_recoverflag_write) {
756 fprintf(stderr, "Removing recovery flag from %s\n", tpl_uboot_args_part);
757 result = mtd_tpl_recoverflag_write(tpl_uboot_args_part, false);
759 fprintf(stderr, "Could not clear TP-Link recovery flag to %s: %i", mtd, result);
767 static void usage(void)
769 fprintf(stderr, "Usage: mtd [<options> ...] <command> [<arguments> ...] <device>[:<device>...]\n\n"
770 "The device is in the format of mtdX (eg: mtd4) or its label.\n"
771 "mtd recognizes these commands:\n"
772 " unlock unlock the device\n"
773 " refresh refresh mtd partition\n"
774 " erase erase all data on device\n"
775 " verify <imagefile>|- verify <imagefile> (use - for stdin) to device\n"
776 " write <imagefile>|- write <imagefile> (use - for stdin) to device\n"
777 " jffs2write <file> append <file> to the jffs2 partition on the device\n");
780 " resetbc <device> reset the uboot boot counter\n");
784 " fixtrx fix the checksum in a trx header on first boot\n");
788 " fixseama fix the checksum in a seama header on first boot\n");
792 " fixwrg fix the checksum in a wrg header on first boot\n");
796 " fixwrgg fix the checksum in a wrgg header on first boot\n");
799 "Following options are available:\n"
800 " -q quiet mode (once: no [w] on writing,\n"
801 " twice: no status messages)\n"
802 " -n write without first erasing the blocks\n"
803 " -r reboot after successful command\n"
804 " -f force write without trx checks\n"
805 " -e <device> erase <device> before executing the command\n"
806 " -d <name> directory for jffs2write, defaults to \"tmp\"\n"
807 " -j <name> integrate <file> into jffs2 data when writing an image\n"
808 " -s <number> skip the first n bytes when appending data to the jffs2 partiton, defaults to \"0\"\n"
809 " -p <number> write beginning at partition offset\n"
810 " -l <length> the length of data that we want to dump\n");
813 " -o offset offset of the image header in the partition(for fixtrx)\n");
815 if (mtd_fixtrx || mtd_fixseama || mtd_fixwrg || mtd_fixwrgg) {
817 " -c datasize amount of data to be used for checksum calculation (for fixtrx / fixseama / fixwrg / fixwrgg)\n");
819 if (mtd_tpl_recoverflag_write) {
821 " -t <partition> write TP-Link recovery-flag to <partition> (for write)\n");
825 " -F <part>[:<size>[:<entrypoint>]][,<part>...]\n"
826 " alter the fis partition table to create new partitions replacing\n"
827 " the partitions provided as argument to the write command\n"
828 " (only valid together with the write command)\n"
831 "Example: To write linux.trx to mtd4 labeled as linux and reboot afterwards\n"
832 " mtd -r write linux.trx linux\n\n");
836 static void do_reboot(void)
838 fprintf(stderr, "Rebooting ...\n");
841 /* try regular reboot method first */
842 system("/sbin/reboot");
845 /* if we're still alive at this point, force the kernel to reboot */
846 syscall(SYS_reboot,LINUX_REBOOT_MAGIC1,LINUX_REBOOT_MAGIC2,LINUX_REBOOT_CMD_RESTART,NULL);
849 int main (int argc, char **argv)
851 int ch, i, boot, imagefd = 0, force, unlocked;
852 char *erase[MAX_ARGS], *device = NULL;
853 char *fis_layout = NULL;
854 size_t offset = 0, data_size = 0, part_offset = 0, dump_len = 0;
876 while ((ch = getopt(argc, argv,
880 "frnqe:d:s:j:p:o:c:t:l:")) != -1)
896 jffs2_skip_bytes = strtoul(optarg, 0, 0);
898 fprintf(stderr, "-s: illegal numeric string\n");
907 while ((erase[i] != NULL) && ((i + 1) < MAX_ARGS))
918 part_offset = strtoul(optarg, 0, 0);
920 fprintf(stderr, "-p: illegal numeric string\n");
926 dump_len = strtoul(optarg, 0, 0);
928 fprintf(stderr, "-l: illegal numeric string\n");
934 offset = strtoul(optarg, 0, 0);
936 fprintf(stderr, "-o: illegal numeric string\n");
942 data_size = strtoul(optarg, 0, 0);
944 fprintf(stderr, "-c: illegal numeric string\n");
949 tpl_uboot_args_part = optarg;
966 if ((strcmp(argv[0], "unlock") == 0) && (argc == 2)) {
969 } else if ((strcmp(argv[0], "erase") == 0) && (argc == 2)) {
972 } else if (((strcmp(argv[0], "resetbc") == 0) && (argc == 2)) && mtd_resetbc) {
975 } else if (((strcmp(argv[0], "fixtrx") == 0) && (argc == 2)) && mtd_fixtrx) {
978 } else if (((strcmp(argv[0], "fixseama") == 0) && (argc == 2)) && mtd_fixseama) {
981 } else if (((strcmp(argv[0], "fixwrg") == 0) && (argc == 2)) && mtd_fixwrg) {
984 } else if (((strcmp(argv[0], "fixwrgg") == 0) && (argc == 2)) && mtd_fixwrgg) {
987 } else if ((strcmp(argv[0], "verify") == 0) && (argc == 3)) {
991 } else if ((strcmp(argv[0], "dump") == 0) && (argc == 2)) {
994 } else if ((strcmp(argv[0], "write") == 0) && (argc == 3)) {
998 if (strcmp(argv[1], "-") == 0) {
999 imagefile = "<stdin>";
1002 imagefile = argv[1];
1003 if ((imagefd = open(argv[1], O_RDONLY)) < 0) {
1004 fprintf(stderr, "Couldn't open image file: %s!\n", imagefile);
1009 if (!mtd_check(device)) {
1010 fprintf(stderr, "Can't open device for writing!\n");
1013 /* check trx file before erasing or writing anything */
1014 if (!image_check(imagefd, device) && !force) {
1015 fprintf(stderr, "Image check failed.\n");
1018 } else if ((strcmp(argv[0], "jffs2write") == 0) && (argc == 3)) {
1019 cmd = CMD_JFFS2WRITE;
1022 imagefile = argv[1];
1023 if (!mtd_check(device)) {
1024 fprintf(stderr, "Can't open device for writing!\n");
1035 while (erase[i] != NULL) {
1036 mtd_unlock(erase[i]);
1037 mtd_erase(erase[i]);
1038 if (strcmp(erase[i], device) == 0)
1049 mtd_verify(device, imagefile);
1052 mtd_dump(device, offset, dump_len);
1062 mtd_write(imagefd, device, fis_layout, part_offset);
1064 case CMD_JFFS2WRITE:
1067 mtd_write_jffs2(device, imagefile, jffs2dir);
1071 mtd_fixtrx(device, offset, data_size);
1076 mtd_resetbc(device);
1081 mtd_fixseama(device, 0, data_size);
1085 mtd_fixwrg(device, 0, data_size);
1089 mtd_fixwrgg(device, 0, data_size);