2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
53 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
56 #define MAX_PARTITIONS 32
58 /** An image partition table entry */
59 struct image_partition_entry {
65 /** A flash partition table entry */
66 struct flash_partition_entry {
72 /** Firmware layout description */
76 const char *support_list;
78 const struct flash_partition_entry partitions[MAX_PARTITIONS+1];
79 const char *first_sysupgrade_partition;
80 const char *last_sysupgrade_partition;
83 /** The content of the soft-version structure */
84 struct __attribute__((__packed__)) soft_version {
88 uint8_t version_major;
89 uint8_t version_minor;
90 uint8_t version_patch;
100 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
104 Salt for the MD5 hash
106 Fortunately, TP-LINK seems to use the same salt for most devices which use
107 the new image format.
109 static const uint8_t md5_salt[16] = {
110 0x7a, 0x2b, 0x15, 0xed,
111 0x9b, 0x98, 0x59, 0x6d,
112 0xe5, 0x04, 0xab, 0x44,
113 0xac, 0x2a, 0x9f, 0x4e,
117 /** Firmware layout table */
118 static struct device_info boards[] = {
119 /** Firmware layout for the CPE210/220 */
122 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
125 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
126 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
127 "CPE210(TP-LINK|US|N300-2):1.1\r\n"
128 "CPE210(TP-LINK|EU|N300-2):1.1\r\n"
129 "CPE220(TP-LINK|UN|N300-2):1.1\r\n"
130 "CPE220(TP-LINK|US|N300-2):1.1\r\n"
131 "CPE220(TP-LINK|EU|N300-2):1.1\r\n",
132 .support_trail = '\xff',
135 {"fs-uboot", 0x00000, 0x20000},
136 {"partition-table", 0x20000, 0x02000},
137 {"default-mac", 0x30000, 0x00020},
138 {"product-info", 0x31100, 0x00100},
139 {"signature", 0x32000, 0x00400},
140 {"os-image", 0x40000, 0x170000},
141 {"soft-version", 0x1b0000, 0x00100},
142 {"support-list", 0x1b1000, 0x00400},
143 {"file-system", 0x1c0000, 0x600000},
144 {"user-config", 0x7c0000, 0x10000},
145 {"default-config", 0x7d0000, 0x10000},
146 {"log", 0x7e0000, 0x10000},
147 {"radio", 0x7f0000, 0x10000},
151 .first_sysupgrade_partition = "os-image",
152 .last_sysupgrade_partition = "file-system",
155 /** Firmware layout for the CPE510/520 */
158 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
161 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
162 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
163 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
164 "CPE510(TP-LINK|US|N300-5):1.1\r\n"
165 "CPE510(TP-LINK|EU|N300-5):1.1\r\n"
166 "CPE520(TP-LINK|UN|N300-5):1.1\r\n"
167 "CPE520(TP-LINK|US|N300-5):1.1\r\n"
168 "CPE520(TP-LINK|EU|N300-5):1.1\r\n",
169 .support_trail = '\xff',
172 {"fs-uboot", 0x00000, 0x20000},
173 {"partition-table", 0x20000, 0x02000},
174 {"default-mac", 0x30000, 0x00020},
175 {"product-info", 0x31100, 0x00100},
176 {"signature", 0x32000, 0x00400},
177 {"os-image", 0x40000, 0x170000},
178 {"soft-version", 0x1b0000, 0x00100},
179 {"support-list", 0x1b1000, 0x00400},
180 {"file-system", 0x1c0000, 0x600000},
181 {"user-config", 0x7c0000, 0x10000},
182 {"default-config", 0x7d0000, 0x10000},
183 {"log", 0x7e0000, 0x10000},
184 {"radio", 0x7f0000, 0x10000},
188 .first_sysupgrade_partition = "os-image",
189 .last_sysupgrade_partition = "file-system",
194 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
197 "WBS210(TP-LINK|UN|N300-2):1.20\r\n"
198 "WBS210(TP-LINK|US|N300-2):1.20\r\n"
199 "WBS210(TP-LINK|EU|N300-2):1.20\r\n",
200 .support_trail = '\xff',
203 {"fs-uboot", 0x00000, 0x20000},
204 {"partition-table", 0x20000, 0x02000},
205 {"default-mac", 0x30000, 0x00020},
206 {"product-info", 0x31100, 0x00100},
207 {"signature", 0x32000, 0x00400},
208 {"os-image", 0x40000, 0x170000},
209 {"soft-version", 0x1b0000, 0x00100},
210 {"support-list", 0x1b1000, 0x00400},
211 {"file-system", 0x1c0000, 0x600000},
212 {"user-config", 0x7c0000, 0x10000},
213 {"default-config", 0x7d0000, 0x10000},
214 {"log", 0x7e0000, 0x10000},
215 {"radio", 0x7f0000, 0x10000},
219 .first_sysupgrade_partition = "os-image",
220 .last_sysupgrade_partition = "file-system",
225 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
228 "WBS510(TP-LINK|UN|N300-5):1.20\r\n"
229 "WBS510(TP-LINK|US|N300-5):1.20\r\n"
230 "WBS510(TP-LINK|EU|N300-5):1.20\r\n",
231 .support_trail = '\xff',
234 {"fs-uboot", 0x00000, 0x20000},
235 {"partition-table", 0x20000, 0x02000},
236 {"default-mac", 0x30000, 0x00020},
237 {"product-info", 0x31100, 0x00100},
238 {"signature", 0x32000, 0x00400},
239 {"os-image", 0x40000, 0x170000},
240 {"soft-version", 0x1b0000, 0x00100},
241 {"support-list", 0x1b1000, 0x00400},
242 {"file-system", 0x1c0000, 0x600000},
243 {"user-config", 0x7c0000, 0x10000},
244 {"default-config", 0x7d0000, 0x10000},
245 {"log", 0x7e0000, 0x10000},
246 {"radio", 0x7f0000, 0x10000},
250 .first_sysupgrade_partition = "os-image",
251 .last_sysupgrade_partition = "file-system",
254 /** Firmware layout for the C2600 */
260 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n",
261 .support_trail = '\x00',
264 {"SBL1", 0x00000, 0x20000},
265 {"MIBIB", 0x20000, 0x20000},
266 {"SBL2", 0x40000, 0x20000},
267 {"SBL3", 0x60000, 0x30000},
268 {"DDRCONFIG", 0x90000, 0x10000},
269 {"SSD", 0xa0000, 0x10000},
270 {"TZ", 0xb0000, 0x30000},
271 {"RPM", 0xe0000, 0x20000},
272 {"fs-uboot", 0x100000, 0x70000},
273 {"uboot-env", 0x170000, 0x40000},
274 {"radio", 0x1b0000, 0x40000},
275 {"os-image", 0x1f0000, 0x200000},
276 {"file-system", 0x3f0000, 0x1b00000},
277 {"default-mac", 0x1ef0000, 0x00200},
278 {"pin", 0x1ef0200, 0x00200},
279 {"product-info", 0x1ef0400, 0x0fc00},
280 {"partition-table", 0x1f00000, 0x10000},
281 {"soft-version", 0x1f10000, 0x10000},
282 {"support-list", 0x1f20000, 0x10000},
283 {"profile", 0x1f30000, 0x10000},
284 {"default-config", 0x1f40000, 0x10000},
285 {"user-config", 0x1f50000, 0x40000},
286 {"qos-db", 0x1f90000, 0x40000},
287 {"usb-config", 0x1fd0000, 0x10000},
288 {"log", 0x1fe0000, 0x20000},
292 .first_sysupgrade_partition = "os-image",
293 .last_sysupgrade_partition = "file-system"
296 /** Firmware layout for the C59v1 */
298 .id = "ARCHER-C59-V1",
302 "{product_name:Archer C59,product_ver:1.0.0,special_id:00000000}\r\n"
303 "{product_name:Archer C59,product_ver:1.0.0,special_id:45550000}\r\n"
304 "{product_name:Archer C59,product_ver:1.0.0,special_id:55530000}\r\n",
305 .support_trail = '\x00',
308 {"fs-uboot", 0x00000, 0x10000},
309 {"default-mac", 0x10000, 0x00200},
310 {"pin", 0x10200, 0x00200},
311 {"device-id", 0x10400, 0x00100},
312 {"product-info", 0x10500, 0x0fb00},
313 {"os-image", 0x20000, 0x180000},
314 {"file-system", 0x1a0000, 0xcb0000},
315 {"partition-table", 0xe50000, 0x10000},
316 {"soft-version", 0xe60000, 0x10000},
317 {"support-list", 0xe70000, 0x10000},
318 {"profile", 0xe80000, 0x10000},
319 {"default-config", 0xe90000, 0x10000},
320 {"user-config", 0xea0000, 0x40000},
321 {"usb-config", 0xee0000, 0x10000},
322 {"certificate", 0xef0000, 0x10000},
323 {"qos-db", 0xf00000, 0x40000},
324 {"log", 0xfe0000, 0x10000},
325 {"radio", 0xff0000, 0x10000},
329 .first_sysupgrade_partition = "os-image",
330 .last_sysupgrade_partition = "file-system",
333 /** Firmware layout for the C60v1 */
335 .id = "ARCHER-C60-V1",
339 "{product_name:Archer C60,product_ver:1.0.0,special_id:00000000}\r\n"
340 "{product_name:Archer C60,product_ver:1.0.0,special_id:45550000}\r\n"
341 "{product_name:Archer C60,product_ver:1.0.0,special_id:55530000}\r\n",
342 .support_trail = '\x00',
345 {"fs-uboot", 0x00000, 0x10000},
346 {"default-mac", 0x10000, 0x00200},
347 {"pin", 0x10200, 0x00200},
348 {"product-info", 0x10400, 0x00100},
349 {"partition-table", 0x10500, 0x00800},
350 {"soft-version", 0x11300, 0x00200},
351 {"support-list", 0x11500, 0x00100},
352 {"device-id", 0x11600, 0x00100},
353 {"profile", 0x11700, 0x03900},
354 {"default-config", 0x15000, 0x04000},
355 {"user-config", 0x19000, 0x04000},
356 {"os-image", 0x20000, 0x150000},
357 {"file-system", 0x170000, 0x678000},
358 {"certyficate", 0x7e8000, 0x08000},
359 {"radio", 0x7f0000, 0x10000},
363 .first_sysupgrade_partition = "os-image",
364 .last_sysupgrade_partition = "file-system",
367 /** Firmware layout for the C5 */
369 .id = "ARCHER-C5-V2",
373 "{product_name:ArcherC5,"
375 "special_id:00000000}\r\n",
376 .support_trail = '\x00',
379 {"fs-uboot", 0x00000, 0x40000},
380 {"os-image", 0x40000, 0x200000},
381 {"file-system", 0x240000, 0xc00000},
382 {"default-mac", 0xe40000, 0x00200},
383 {"pin", 0xe40200, 0x00200},
384 {"product-info", 0xe40400, 0x00200},
385 {"partition-table", 0xe50000, 0x10000},
386 {"soft-version", 0xe60000, 0x00200},
387 {"support-list", 0xe61000, 0x0f000},
388 {"profile", 0xe70000, 0x10000},
389 {"default-config", 0xe80000, 0x10000},
390 {"user-config", 0xe90000, 0x50000},
391 {"log", 0xee0000, 0x100000},
392 {"radio_bk", 0xfe0000, 0x10000},
393 {"radio", 0xff0000, 0x10000},
397 .first_sysupgrade_partition = "os-image",
398 .last_sysupgrade_partition = "file-system"
401 /** Firmware layout for the C9 */
407 "{product_name:ArcherC9,"
409 "special_id:00000000}\n",
410 .support_trail = '\x00',
413 {"fs-uboot", 0x00000, 0x40000},
414 {"os-image", 0x40000, 0x200000},
415 {"file-system", 0x240000, 0xc00000},
416 {"default-mac", 0xe40000, 0x00200},
417 {"pin", 0xe40200, 0x00200},
418 {"product-info", 0xe40400, 0x00200},
419 {"partition-table", 0xe50000, 0x10000},
420 {"soft-version", 0xe60000, 0x00200},
421 {"support-list", 0xe61000, 0x0f000},
422 {"profile", 0xe70000, 0x10000},
423 {"default-config", 0xe80000, 0x10000},
424 {"user-config", 0xe90000, 0x50000},
425 {"log", 0xee0000, 0x100000},
426 {"radio_bk", 0xfe0000, 0x10000},
427 {"radio", 0xff0000, 0x10000},
431 .first_sysupgrade_partition = "os-image",
432 .last_sysupgrade_partition = "file-system"
435 /** Firmware layout for the EAP120 */
438 .vendor = "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
441 "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
442 .support_trail = '\xff',
445 {"fs-uboot", 0x00000, 0x20000},
446 {"partition-table", 0x20000, 0x02000},
447 {"default-mac", 0x30000, 0x00020},
448 {"support-list", 0x31000, 0x00100},
449 {"product-info", 0x31100, 0x00100},
450 {"soft-version", 0x32000, 0x00100},
451 {"os-image", 0x40000, 0x180000},
452 {"file-system", 0x1c0000, 0x600000},
453 {"user-config", 0x7c0000, 0x10000},
454 {"backup-config", 0x7d0000, 0x10000},
455 {"log", 0x7e0000, 0x10000},
456 {"radio", 0x7f0000, 0x10000},
460 .first_sysupgrade_partition = "os-image",
461 .last_sysupgrade_partition = "file-system"
464 /** Firmware layout for the TL-WA850RE v2 */
470 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55530000}\n"
471 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:00000000}\n"
472 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55534100}\n"
473 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:45550000}\n"
474 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4B520000}\n"
475 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:42520000}\n"
476 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4A500000}\n"
477 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:43410000}\n"
478 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:41550000}\n"
479 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:52550000}\n",
480 .support_trail = '\x00',
483 576KB were moved from file-system to os-image
484 in comparison to the stock image
487 {"fs-uboot", 0x00000, 0x20000},
488 {"os-image", 0x20000, 0x150000},
489 {"file-system", 0x170000, 0x240000},
490 {"partition-table", 0x3b0000, 0x02000},
491 {"default-mac", 0x3c0000, 0x00020},
492 {"pin", 0x3c0100, 0x00020},
493 {"product-info", 0x3c1000, 0x01000},
494 {"soft-version", 0x3c2000, 0x00100},
495 {"support-list", 0x3c3000, 0x01000},
496 {"profile", 0x3c4000, 0x08000},
497 {"user-config", 0x3d0000, 0x10000},
498 {"default-config", 0x3e0000, 0x10000},
499 {"radio", 0x3f0000, 0x10000},
503 .first_sysupgrade_partition = "os-image",
504 .last_sysupgrade_partition = "file-system"
507 /** Firmware layout for the TL-WR1043 v4 */
509 .id = "TLWR1043NDV4",
513 "{product_name:TL-WR1043ND,product_ver:4.0.0,special_id:45550000}\n",
514 .support_trail = '\x00',
517 We use a bigger os-image partition than the stock images (and thus
518 smaller file-system), as our kernel doesn't fit in the stock firmware's
522 {"fs-uboot", 0x00000, 0x20000},
523 {"os-image", 0x20000, 0x180000},
524 {"file-system", 0x1a0000, 0xdb0000},
525 {"default-mac", 0xf50000, 0x00200},
526 {"pin", 0xf50200, 0x00200},
527 {"product-info", 0xf50400, 0x0fc00},
528 {"soft-version", 0xf60000, 0x0b000},
529 {"support-list", 0xf6b000, 0x04000},
530 {"profile", 0xf70000, 0x04000},
531 {"default-config", 0xf74000, 0x0b000},
532 {"user-config", 0xf80000, 0x40000},
533 {"partition-table", 0xfc0000, 0x10000},
534 {"log", 0xfd0000, 0x20000},
535 {"radio", 0xff0000, 0x10000},
539 .first_sysupgrade_partition = "os-image",
540 .last_sysupgrade_partition = "file-system"
543 /** Firmware layout for the RE450 */
549 "{product_name:RE450,product_ver:1.0.0,special_id:00000000}\r\n"
550 "{product_name:RE450,product_ver:1.0.0,special_id:55530000}\r\n"
551 "{product_name:RE450,product_ver:1.0.0,special_id:45550000}\r\n"
552 "{product_name:RE450,product_ver:1.0.0,special_id:4A500000}\r\n"
553 "{product_name:RE450,product_ver:1.0.0,special_id:43410000}\r\n"
554 "{product_name:RE450,product_ver:1.0.0,special_id:41550000}\r\n"
555 "{product_name:RE450,product_ver:1.0.0,special_id:4B520000}\r\n"
556 "{product_name:RE450,product_ver:1.0.0,special_id:55534100}\r\n",
557 .support_trail = '\x00',
560 The flash partition table for RE450;
561 it is almost the same as the one used by the stock images,
562 576KB were moved from file-system to os-image.
565 {"fs-uboot", 0x00000, 0x20000},
566 {"os-image", 0x20000, 0x150000},
567 {"file-system", 0x170000, 0x4a0000},
568 {"partition-table", 0x600000, 0x02000},
569 {"default-mac", 0x610000, 0x00020},
570 {"pin", 0x610100, 0x00020},
571 {"product-info", 0x611100, 0x01000},
572 {"soft-version", 0x620000, 0x01000},
573 {"support-list", 0x621000, 0x01000},
574 {"profile", 0x622000, 0x08000},
575 {"user-config", 0x630000, 0x10000},
576 {"default-config", 0x640000, 0x10000},
577 {"radio", 0x7f0000, 0x10000},
581 .first_sysupgrade_partition = "os-image",
582 .last_sysupgrade_partition = "file-system"
588 #define error(_ret, _errno, _str, ...) \
590 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
597 /** Stores a uint32 as big endian */
598 static inline void put32(uint8_t *buf, uint32_t val) {
605 /** Allocates a new image partition */
606 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
607 struct image_partition_entry entry = {name, len, malloc(len)};
609 error(1, errno, "malloc");
614 /** Frees an image partition */
615 static void free_image_partition(struct image_partition_entry entry) {
619 /** Generates the partition-table partition */
620 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
621 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
623 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
631 for (i = 0; p[i].name; i++) {
633 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
636 error(1, 0, "flash partition table overflow?");
643 memset(s, 0xff, end-s);
649 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
650 static inline uint8_t bcd(uint8_t v) {
651 return 0x10 * (v/10) + v%10;
655 /** Generates the soft-version partition */
656 static struct image_partition_entry make_soft_version(uint32_t rev) {
657 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
658 struct soft_version *s = (struct soft_version *)entry.data;
662 if (time(&t) == (time_t)(-1))
663 error(1, errno, "time");
665 struct tm *tm = localtime(&t);
667 s->magic = htonl(0x0000000c);
671 s->version_major = 0;
672 s->version_minor = 0;
673 s->version_patch = 0;
675 s->year_hi = bcd((1900+tm->tm_year)/100);
676 s->year_lo = bcd(tm->tm_year%100);
677 s->month = bcd(tm->tm_mon+1);
678 s->day = bcd(tm->tm_mday);
686 /** Generates the support-list partition */
687 static struct image_partition_entry make_support_list(const struct device_info *info) {
688 size_t len = strlen(info->support_list);
689 struct image_partition_entry entry = alloc_image_partition("support-list", len + 9);
691 put32(entry.data, len);
692 memset(entry.data+4, 0, 4);
693 memcpy(entry.data+8, info->support_list, len);
694 entry.data[len+8] = info->support_trail;
699 /** Creates a new image partition with an arbitrary name from a file */
700 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof) {
703 if (stat(filename, &statbuf) < 0)
704 error(1, errno, "unable to stat file `%s'", filename);
706 size_t len = statbuf.st_size;
709 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
711 struct image_partition_entry entry = alloc_image_partition(part_name, len);
713 FILE *file = fopen(filename, "rb");
715 error(1, errno, "unable to open file `%s'", filename);
717 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
718 error(1, errno, "unable to read file `%s'", filename);
721 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
723 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
724 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
734 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
736 Example image partition table:
738 fwup-ptn partition-table base 0x00800 size 0x00800
739 fwup-ptn os-image base 0x01000 size 0x113b45
740 fwup-ptn file-system base 0x114b45 size 0x1d0004
741 fwup-ptn support-list base 0x2e4b49 size 0x000d1
743 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
744 the end of the partition table is marked with a zero byte.
746 The firmware image must contain at least the partition-table and support-list partitions
747 to be accepted. There aren't any alignment constraints for the image partitions.
749 The partition-table partition contains the actual flash layout; partitions
750 from the image partition table are mapped to the corresponding flash partitions during
751 the firmware upgrade. The support-list partition contains a list of devices supported by
754 The base offsets in the firmware partition table are relative to the end
755 of the vendor information block, so the partition-table partition will
756 actually start at offset 0x1814 of the image.
758 I think partition-table must be the first partition in the firmware image.
760 static void put_partitions(uint8_t *buffer, const struct flash_partition_entry *flash_parts, const struct image_partition_entry *parts) {
762 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
765 for (i = 0; parts[i].name; i++) {
766 for (j = 0; flash_parts[j].name; j++) {
767 if (!strcmp(flash_parts[j].name, parts[i].name)) {
768 if (parts[i].size > flash_parts[j].size)
769 error(1, 0, "%s partition too big (more than %u bytes)", flash_parts[j].name, (unsigned)flash_parts[j].size);
774 assert(flash_parts[j].name);
776 memcpy(buffer + base, parts[i].data, parts[i].size);
778 size_t len = end-image_pt;
779 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
782 error(1, 0, "image partition table overflow?");
786 base += parts[i].size;
790 /** Generates and writes the image MD5 checksum */
791 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
795 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
796 MD5_Update(&ctx, buffer, len);
797 MD5_Final(md5, &ctx);
802 Generates the firmware image in factory format
808 0000-0003 Image size (4 bytes, big endian)
809 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
810 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
811 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
812 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
813 1014-1813 Image partition table (2048 bytes, padded with 0xff)
814 1814-xxxx Firmware partitions
816 static void * generate_factory_image(const struct device_info *info, const struct image_partition_entry *parts, size_t *len) {
820 for (i = 0; parts[i].name; i++)
821 *len += parts[i].size;
823 uint8_t *image = malloc(*len);
825 error(1, errno, "malloc");
827 memset(image, 0xff, *len);
831 size_t vendor_len = strlen(info->vendor);
832 put32(image+0x14, vendor_len);
833 memcpy(image+0x18, info->vendor, vendor_len);
836 put_partitions(image + 0x1014, info->partitions, parts);
837 put_md5(image+0x04, image+0x14, *len-0x14);
843 Generates the firmware image in sysupgrade format
845 This makes some assumptions about the provided flash and image partition tables and
846 should be generalized when TP-LINK starts building its safeloader into hardware with
847 different flash layouts.
849 static void * generate_sysupgrade_image(const struct device_info *info, const struct image_partition_entry *image_parts, size_t *len) {
851 size_t flash_first_partition_index = 0;
852 size_t flash_last_partition_index = 0;
853 const struct flash_partition_entry *flash_first_partition = NULL;
854 const struct flash_partition_entry *flash_last_partition = NULL;
855 const struct image_partition_entry *image_last_partition = NULL;
857 /** Find first and last partitions */
858 for (i = 0; info->partitions[i].name; i++) {
859 if (!strcmp(info->partitions[i].name, info->first_sysupgrade_partition)) {
860 flash_first_partition = &info->partitions[i];
861 flash_first_partition_index = i;
862 } else if (!strcmp(info->partitions[i].name, info->last_sysupgrade_partition)) {
863 flash_last_partition = &info->partitions[i];
864 flash_last_partition_index = i;
868 assert(flash_first_partition && flash_last_partition);
869 assert(flash_first_partition_index < flash_last_partition_index);
871 /** Find last partition from image to calculate needed size */
872 for (i = 0; image_parts[i].name; i++) {
873 if (!strcmp(image_parts[i].name, info->last_sysupgrade_partition)) {
874 image_last_partition = &image_parts[i];
879 assert(image_last_partition);
881 *len = flash_last_partition->base - flash_first_partition->base + image_last_partition->size;
883 uint8_t *image = malloc(*len);
885 error(1, errno, "malloc");
887 memset(image, 0xff, *len);
889 for (i = flash_first_partition_index; i <= flash_last_partition_index; i++) {
890 for (j = 0; image_parts[j].name; j++) {
891 if (!strcmp(info->partitions[i].name, image_parts[j].name)) {
892 if (image_parts[j].size > info->partitions[i].size)
893 error(1, 0, "%s partition too big (more than %u bytes)", info->partitions[i].name, (unsigned)info->partitions[i].size);
894 memcpy(image + info->partitions[i].base - flash_first_partition->base, image_parts[j].data, image_parts[j].size);
898 assert(image_parts[j].name);
905 /** Generates an image according to a given layout and writes it to a file */
906 static void build_image(const char *output,
907 const char *kernel_image,
908 const char *rootfs_image,
912 const struct device_info *info) {
913 struct image_partition_entry parts[6] = {};
915 parts[0] = make_partition_table(info->partitions);
916 parts[1] = make_soft_version(rev);
917 parts[2] = make_support_list(info);
918 parts[3] = read_file("os-image", kernel_image, false);
919 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
924 image = generate_sysupgrade_image(info, parts, &len);
926 image = generate_factory_image(info, parts, &len);
928 FILE *file = fopen(output, "wb");
930 error(1, errno, "unable to open output file");
932 if (fwrite(image, len, 1, file) != 1)
933 error(1, 0, "unable to write output file");
940 for (i = 0; parts[i].name; i++)
941 free_image_partition(parts[i]);
945 static void usage(const char *argv0) {
947 "Usage: %s [OPTIONS...]\n"
950 " -B <board> create image for the board specified with <board>\n"
951 " -k <file> read kernel image from the file <file>\n"
952 " -r <file> read rootfs image from the file <file>\n"
953 " -o <file> write output to the file <file>\n"
954 " -V <rev> sets the revision number to <rev>\n"
955 " -j add jffs2 end-of-filesystem markers\n"
956 " -S create sysupgrade instead of factory image\n"
957 " -h show this help\n",
963 static const struct device_info *find_board(const char *id)
965 struct device_info *board = NULL;
967 for (board = boards; board->id != NULL; board++)
968 if (strcasecmp(id, board->id) == 0)
974 int main(int argc, char *argv[]) {
975 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
976 bool add_jffs2_eof = false, sysupgrade = false;
978 const struct device_info *info;
983 c = getopt(argc, argv, "B:k:r:o:V:jSh");
993 kernel_image = optarg;
997 rootfs_image = optarg;
1005 sscanf(optarg, "r%u", &rev);
1009 add_jffs2_eof = true;
1027 error(1, 0, "no board has been specified");
1029 error(1, 0, "no kernel image has been specified");
1031 error(1, 0, "no rootfs image has been specified");
1033 error(1, 0, "no output filename has been specified");
1035 info = find_board(board);
1038 error(1, 0, "unsupported board %s", board);
1040 build_image(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, info);
projects / librecmc / librecmc.git / blob