2 * Copyright (C) 2009 Gabor Juhos <juhosg@openwrt.org>
4 * This tool was based on:
5 * TP-Link WR941 V2 firmware checksum fixing tool.
6 * Copyright (C) 2008,2009 Wang Jian <lark@linux.net.cn>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License version 2 as published
10 * by the Free Software Foundation.
18 #include <unistd.h> /* for unlink() */
20 #include <getopt.h> /* for getopt() */
27 #include <arpa/inet.h>
28 #include <netinet/in.h>
31 #include "mktplinkfw-lib.h"
34 uint32_t version; /* 0x00: header version */
35 char fw_version[48]; /* 0x04: fw version string */
36 uint32_t hw_id; /* 0x34: hardware id */
37 uint32_t hw_rev; /* 0x38: FIXME: hardware revision? */
38 uint32_t hw_ver_add; /* 0x3c: additional hardware version */
39 uint8_t md5sum1[MD5SUM_LEN]; /* 0x40 */
40 uint32_t unk2; /* 0x50: 0x00000000 */
41 uint8_t md5sum2[MD5SUM_LEN]; /* 0x54 */
42 uint32_t unk3; /* 0x64: 0xffffffff */
44 uint32_t kernel_la; /* 0x68: kernel load address */
45 uint32_t kernel_ep; /* 0x6c: kernel entry point */
46 uint32_t fw_length; /* 0x70: total length of the image */
47 uint32_t kernel_ofs; /* 0x74: kernel data offset */
48 uint32_t kernel_len; /* 0x78: kernel data length */
49 uint32_t rootfs_ofs; /* 0x7c: rootfs data offset */
50 uint32_t rootfs_len; /* 0x80: rootfs data length */
51 uint32_t boot_ofs; /* 0x84: bootloader offset */
52 uint32_t boot_len; /* 0x88: bootloader length */
53 uint16_t unk4; /* 0x8c: 0x55aa */
54 uint8_t sver_hi; /* 0x8e */
55 uint8_t sver_lo; /* 0x8f */
56 uint8_t unk5; /* 0x90: magic: 0xa5 */
57 uint8_t ver_hi; /* 0x91 */
58 uint8_t ver_mid; /* 0x92 */
59 uint8_t ver_lo; /* 0x93 */
61 } __attribute__ ((packed));
63 #define FLAG_LE_KERNEL_LA_EP 0x00000001 /* Little-endian used for kernel load address & entry point */
80 static char *vendor = "TP-LINK Technologies";
81 static char *version = "ver. 1.0";
82 static char *fw_ver = "0.0.0";
83 static char *sver = "1.0";
84 static uint32_t hdr_ver = 2;
86 static struct board_info custom_board;
88 static struct board_info *board;
89 static char *layout_id;
90 struct flash_layout *layout;
91 static char *opt_hw_id;
92 static char *opt_hw_rev;
93 static char *opt_hw_ver_add;
95 static int fw_ver_mid;
99 struct file_info kernel_info;
100 static uint32_t kernel_la = 0;
101 static uint32_t kernel_ep = 0;
102 uint32_t kernel_len = 0;
103 struct file_info rootfs_info;
104 uint32_t rootfs_ofs = 0;
105 uint32_t rootfs_align;
106 static struct file_info boot_info;
111 static struct file_info inspect_info;
112 static int extract = 0;
114 char md5salt_normal[MD5SUM_LEN] = {
115 0xdc, 0xd7, 0x3a, 0xa5, 0xc3, 0x95, 0x98, 0xfb,
116 0xdc, 0xf9, 0xe7, 0xf4, 0x0e, 0xae, 0x47, 0x37,
119 char md5salt_boot[MD5SUM_LEN] = {
120 0x8c, 0xef, 0x33, 0x5f, 0xd5, 0xc5, 0xce, 0xfa,
121 0xac, 0x9c, 0x28, 0xda, 0xb2, 0xe9, 0x0f, 0x42,
124 static struct flash_layout layouts[] = {
127 .fw_max_len = 0x3c0000,
128 .kernel_la = 0x80000000,
129 .kernel_ep = 0x80000000,
130 .rootfs_ofs = 0x140000,
133 .fw_max_len = 0x7a0000,
134 .kernel_la = 0x80002000,
135 .kernel_ep = 0x80002000,
136 .rootfs_ofs = 0x140000,
139 .fw_max_len = 0xf90000,
140 .kernel_la = 0x80002000,
141 .kernel_ep = 0x800061b0,
142 .rootfs_ofs = 0x140000,
145 .fw_max_len = 0x7a0000,
146 .kernel_la = 0x80000000,
147 .kernel_ep = 0x80000000,
148 .rootfs_ofs = 0x140000,
151 .fw_max_len = 0x7b0000,
152 .kernel_la = 0x80000000,
153 .kernel_ep = 0x80000000,
154 .rootfs_ofs = 0x140000,
156 /* terminating entry */
160 static void usage(int status)
162 FILE *stream = (status != EXIT_SUCCESS) ? stderr : stdout;
163 struct board_info *board;
165 fprintf(stream, "Usage: %s [OPTIONS...]\n", progname);
169 " -c use combined kernel image\n"
170 " -e swap endianness in kernel load address and entry point\n"
171 " -E <ep> overwrite kernel entry point with <ep> (hexval prefixed with 0x)\n"
172 " -L <la> overwrite kernel load address with <la> (hexval prefixed with 0x)\n"
173 " -H <hwid> use hardware id specified with <hwid>\n"
174 " -W <hwrev> use hardware revision specified with <hwrev>\n"
175 " -w <hwveradd> use additional hardware version specified with <hwveradd>\n"
176 " -F <id> use flash layout specified with <id>\n"
177 " -k <file> read kernel image from the file <file>\n"
178 " -r <file> read rootfs image from the file <file>\n"
179 " -a <align> align the rootfs start on an <align> bytes boundary\n"
180 " -R <offset> overwrite rootfs offset with <offset> (hexval prefixed with 0x)\n"
181 " -o <file> write output to the file <file>\n"
182 " -s strip padding from the end of the image\n"
183 " -j add jffs2 end-of-filesystem markers\n"
184 " -N <vendor> set image vendor to <vendor>\n"
185 " -T <version> set header version to <version>\n"
186 " -V <version> set image version to <version>\n"
187 " -v <version> set firmware version to <version>\n"
188 " -y <version> set secondary version to <version>\n"
189 " -i <file> inspect given firmware file <file>\n"
190 " -x extract kernel and rootfs while inspecting (requires -i)\n"
191 " -h show this screen\n"
197 static int check_options(void)
201 if (inspect_info.file_name) {
202 ret = get_file_stat(&inspect_info);
207 } else if (extract) {
208 ERR("no firmware for inspection specified");
212 if (opt_hw_id == NULL) {
213 ERR("hardware id must be specified");
217 board = &custom_board;
219 if (layout_id == NULL) {
220 ERR("flash layout is not specified");
224 board->hw_id = strtoul(opt_hw_id, NULL, 0);
227 board->hw_ver_add = 0;
230 board->hw_rev = strtoul(opt_hw_rev, NULL, 0);
232 board->hw_ver_add = strtoul(opt_hw_ver_add, NULL, 0);
234 layout = find_layout(layouts, layout_id);
235 if (layout == NULL) {
236 ERR("unknown flash layout \"%s\"", layout_id);
241 kernel_la = layout->kernel_la;
243 kernel_ep = layout->kernel_ep;
245 rootfs_ofs = layout->rootfs_ofs;
247 if (kernel_info.file_name == NULL) {
248 ERR("no kernel image specified");
252 ret = get_file_stat(&kernel_info);
256 kernel_len = kernel_info.file_size;
259 if (kernel_info.file_size >
260 layout->fw_max_len - sizeof(struct fw_header)) {
261 ERR("kernel image is too big");
265 if (rootfs_info.file_name == NULL) {
266 ERR("no rootfs image specified");
270 ret = get_file_stat(&rootfs_info);
275 kernel_len += sizeof(struct fw_header);
276 rootfs_ofs = ALIGN(kernel_len, rootfs_align);
277 kernel_len -= sizeof(struct fw_header);
279 DBG("rootfs offset aligned to 0x%u", rootfs_ofs);
281 if (kernel_len + rootfs_info.file_size >
282 layout->fw_max_len - sizeof(struct fw_header)) {
283 ERR("images are too big");
287 if (kernel_info.file_size >
288 rootfs_ofs - sizeof(struct fw_header)) {
289 ERR("kernel image is too big");
293 if (rootfs_info.file_size >
294 (layout->fw_max_len - rootfs_ofs)) {
295 ERR("rootfs image is too big");
301 if (ofname == NULL) {
302 ERR("no output file specified");
306 ret = sscanf(fw_ver, "%d.%d.%d", &fw_ver_hi, &fw_ver_mid, &fw_ver_lo);
308 ERR("invalid firmware version '%s'", fw_ver);
312 ret = sscanf(sver, "%d.%d", &sver_hi, &sver_lo);
314 ERR("invalid secondary version '%s'", sver);
321 void fill_header(char *buf, int len)
323 struct fw_header *hdr = (struct fw_header *)buf;
326 memset(hdr, '\xff', sizeof(struct fw_header));
328 hdr->version = htonl(bswap_32(hdr_ver));
329 ver_len = strlen(version);
330 if (ver_len > (sizeof(hdr->fw_version) - 1))
331 ver_len = sizeof(hdr->fw_version) - 1;
333 memcpy(hdr->fw_version, version, ver_len);
334 hdr->fw_version[ver_len] = 0;
336 hdr->hw_id = htonl(board->hw_id);
337 hdr->hw_rev = htonl(board->hw_rev);
338 hdr->hw_ver_add = htonl(board->hw_ver_add);
340 if (boot_info.file_size == 0) {
341 memcpy(hdr->md5sum1, md5salt_normal, sizeof(hdr->md5sum1));
342 hdr->boot_ofs = htonl(0);
343 hdr->boot_len = htonl(0);
345 memcpy(hdr->md5sum1, md5salt_boot, sizeof(hdr->md5sum1));
346 hdr->boot_ofs = htonl(rootfs_ofs + rootfs_info.file_size);
347 hdr->boot_len = htonl(rootfs_info.file_size);
350 hdr->kernel_la = htonl(kernel_la);
351 hdr->kernel_ep = htonl(kernel_ep);
352 hdr->fw_length = htonl(layout->fw_max_len);
353 hdr->kernel_ofs = htonl(sizeof(struct fw_header));
354 hdr->kernel_len = htonl(kernel_len);
356 hdr->rootfs_ofs = htonl(rootfs_ofs);
357 hdr->rootfs_len = htonl(rootfs_info.file_size);
360 hdr->boot_ofs = htonl(0);
361 hdr->boot_len = htonl(boot_info.file_size);
363 hdr->unk2 = htonl(0);
364 hdr->unk3 = htonl(0xffffffff);
365 hdr->unk4 = htons(0x55aa);
368 hdr->sver_hi = sver_hi;
369 hdr->sver_lo = sver_lo;
371 hdr->ver_hi = fw_ver_hi;
372 hdr->ver_mid = fw_ver_mid;
373 hdr->ver_lo = fw_ver_lo;
375 if (board->flags & FLAG_LE_KERNEL_LA_EP) {
376 hdr->kernel_la = bswap_32(hdr->kernel_la);
377 hdr->kernel_ep = bswap_32(hdr->kernel_ep);
380 get_md5(buf, len, hdr->md5sum1);
383 static int inspect_fw(void)
386 struct fw_header *hdr;
387 uint8_t md5sum[MD5SUM_LEN];
388 struct board_info *board;
389 int ret = EXIT_FAILURE;
391 buf = malloc(inspect_info.file_size);
393 ERR("no memory for buffer!\n");
397 ret = read_to_buf(&inspect_info, buf);
400 hdr = (struct fw_header *)buf;
402 board = &custom_board;
404 if (board->flags & FLAG_LE_KERNEL_LA_EP) {
405 hdr->kernel_la = bswap_32(hdr->kernel_la);
406 hdr->kernel_ep = bswap_32(hdr->kernel_ep);
409 inspect_fw_pstr("File name", inspect_info.file_name);
410 inspect_fw_phexdec("File size", inspect_info.file_size);
412 switch(bswap_32(ntohl(hdr->version))) {
417 ERR("file does not seem to have V2/V3 header!\n");
421 inspect_fw_phexdec("Version 2 Header size", sizeof(struct fw_header));
423 memcpy(md5sum, hdr->md5sum1, sizeof(md5sum));
424 if (ntohl(hdr->boot_len) == 0)
425 memcpy(hdr->md5sum1, md5salt_normal, sizeof(md5sum));
427 memcpy(hdr->md5sum1, md5salt_boot, sizeof(md5sum));
428 get_md5(buf, inspect_info.file_size, hdr->md5sum1);
430 if (memcmp(md5sum, hdr->md5sum1, sizeof(md5sum))) {
431 inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(*ERROR*)");
432 inspect_fw_pmd5sum(" --> expected", hdr->md5sum1, "");
434 inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(ok)");
436 if (ntohl(hdr->unk2) != 0)
437 inspect_fw_phexdec("Unknown value 2", hdr->unk2);
438 inspect_fw_pmd5sum("Header MD5Sum2", hdr->md5sum2,
439 "(purpose yet unknown, unchecked here)");
441 if (ntohl(hdr->unk3) != 0xffffffff)
442 inspect_fw_phexdec("Unknown value 3", hdr->unk3);
444 if (ntohs(hdr->unk4) != 0x55aa)
445 inspect_fw_phexdec("Unknown value 4", hdr->unk4);
447 if (hdr->unk5 != 0xa5)
448 inspect_fw_phexdec("Unknown value 5", hdr->unk5);
452 inspect_fw_pstr("Firmware version", hdr->fw_version);
453 inspect_fw_phex("Hardware ID", ntohl(hdr->hw_id));
454 inspect_fw_phex("Hardware Revision",
456 inspect_fw_phex("Additional HW Version",
457 ntohl(hdr->hw_ver_add));
459 printf("%-23s: %d.%d.%d-%d.%d\n", "Software version",
460 hdr->ver_hi, hdr->ver_mid, hdr->ver_lo,
461 hdr->sver_hi, hdr->sver_lo);
465 inspect_fw_phexdec("Kernel data offset",
466 ntohl(hdr->kernel_ofs));
467 inspect_fw_phexdec("Kernel data length",
468 ntohl(hdr->kernel_len));
469 inspect_fw_phex("Kernel load address",
470 ntohl(hdr->kernel_la));
471 inspect_fw_phex("Kernel entry point",
472 ntohl(hdr->kernel_ep));
473 inspect_fw_phexdec("Rootfs data offset",
474 ntohl(hdr->rootfs_ofs));
475 inspect_fw_phexdec("Rootfs data length",
476 ntohl(hdr->rootfs_len));
477 inspect_fw_phexdec("Boot loader data offset",
478 ntohl(hdr->boot_ofs));
479 inspect_fw_phexdec("Boot loader data length",
480 ntohl(hdr->boot_len));
481 inspect_fw_phexdec("Total firmware length",
482 ntohl(hdr->fw_length));
490 filename = malloc(strlen(inspect_info.file_name) + 8);
491 sprintf(filename, "%s-kernel", inspect_info.file_name);
492 printf("Extracting kernel to \"%s\"...\n", filename);
493 fp = fopen(filename, "w");
495 if (!fwrite(buf + ntohl(hdr->kernel_ofs),
496 ntohl(hdr->kernel_len), 1, fp)) {
497 ERR("error in fwrite(): %s", strerror(errno));
501 ERR("error in fopen(): %s", strerror(errno));
505 filename = malloc(strlen(inspect_info.file_name) + 8);
506 sprintf(filename, "%s-rootfs", inspect_info.file_name);
507 printf("Extracting rootfs to \"%s\"...\n", filename);
508 fp = fopen(filename, "w");
510 if (!fwrite(buf + ntohl(hdr->rootfs_ofs),
511 ntohl(hdr->rootfs_len), 1, fp)) {
512 ERR("error in fwrite(): %s", strerror(errno));
516 ERR("error in fopen(): %s", strerror(errno));
527 int main(int argc, char *argv[])
529 int ret = EXIT_FAILURE;
531 progname = basename(argv[0]);
536 c = getopt(argc, argv, "a:H:E:F:L:V:N:W:w:ci:k:r:R:o:xhsjv:y:T:e");
542 sscanf(optarg, "0x%x", &rootfs_align);
548 sscanf(optarg, "0x%x", &kernel_ep);
557 opt_hw_ver_add = optarg;
560 sscanf(optarg, "0x%x", &kernel_la);
578 kernel_info.file_name = optarg;
581 rootfs_info.file_name = optarg;
584 sscanf(optarg, "0x%x", &rootfs_ofs);
593 inspect_info.file_name = optarg;
602 hdr_ver = atoi(optarg);
605 custom_board.flags = FLAG_LE_KERNEL_LA_EP;
616 ret = check_options();
620 if (!inspect_info.file_name)
621 ret = build_fw(sizeof(struct fw_header));
projects / oweals / openwrt.git / blob