2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
54 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
57 #define MAX_PARTITIONS 32
59 /** An image partition table entry */
60 struct image_partition_entry {
66 /** A flash partition table entry */
67 struct flash_partition_entry {
73 /** Firmware layout description */
77 const char *support_list;
80 struct flash_partition_entry partitions[MAX_PARTITIONS+1];
81 const char *first_sysupgrade_partition;
82 const char *last_sysupgrade_partition;
85 /** The content of the soft-version structure */
86 struct __attribute__((__packed__)) soft_version {
90 uint8_t version_major;
91 uint8_t version_minor;
92 uint8_t version_patch;
102 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
106 Salt for the MD5 hash
108 Fortunately, TP-LINK seems to use the same salt for most devices which use
109 the new image format.
111 static const uint8_t md5_salt[16] = {
112 0x7a, 0x2b, 0x15, 0xed,
113 0x9b, 0x98, 0x59, 0x6d,
114 0xe5, 0x04, 0xab, 0x44,
115 0xac, 0x2a, 0x9f, 0x4e,
119 /** Firmware layout table */
120 static struct device_info boards[] = {
121 /** Firmware layout for the CPE210/220 */
124 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
127 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
128 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
129 "CPE210(TP-LINK|US|N300-2):1.1\r\n"
130 "CPE210(TP-LINK|EU|N300-2):1.1\r\n"
131 "CPE220(TP-LINK|UN|N300-2):1.1\r\n"
132 "CPE220(TP-LINK|US|N300-2):1.1\r\n"
133 "CPE220(TP-LINK|EU|N300-2):1.1\r\n",
134 .support_trail = '\xff',
138 {"fs-uboot", 0x00000, 0x20000},
139 {"partition-table", 0x20000, 0x02000},
140 {"default-mac", 0x30000, 0x00020},
141 {"product-info", 0x31100, 0x00100},
142 {"signature", 0x32000, 0x00400},
143 {"os-image", 0x40000, 0x1c0000},
144 {"file-system", 0x200000, 0x5b0000},
145 {"soft-version", 0x7b0000, 0x00100},
146 {"support-list", 0x7b1000, 0x00400},
147 {"user-config", 0x7c0000, 0x10000},
148 {"default-config", 0x7d0000, 0x10000},
149 {"log", 0x7e0000, 0x10000},
150 {"radio", 0x7f0000, 0x10000},
154 .first_sysupgrade_partition = "os-image",
155 .last_sysupgrade_partition = "support-list",
158 /** Firmware layout for the CPE210 V2 */
161 .vendor = "CPE210(TP-LINK|UN|N300-2|00000000):2.0\r\n",
164 "CPE210(TP-LINK|EU|N300-2|00000000):2.0\r\n"
165 "CPE210(TP-LINK|EU|N300-2|45550000):2.0\r\n"
166 "CPE210(TP-LINK|EU|N300-2|55530000):2.0\r\n"
167 "CPE210(TP-LINK|UN|N300-2|00000000):2.0\r\n"
168 "CPE210(TP-LINK|UN|N300-2|45550000):2.0\r\n"
169 "CPE210(TP-LINK|UN|N300-2|55530000):2.0\r\n"
170 "CPE210(TP-LINK|US|N300-2|55530000):2.0\r\n"
171 "CPE210(TP-LINK|UN|N300-2):2.0\r\n"
172 "CPE210(TP-LINK|EU|N300-2):2.0\r\n"
173 "CPE210(TP-LINK|US|N300-2):2.0\r\n",
174 .support_trail = '\xff',
178 {"fs-uboot", 0x00000, 0x20000},
179 {"partition-table", 0x20000, 0x02000},
180 {"default-mac", 0x30000, 0x00020},
181 {"product-info", 0x31100, 0x00100},
182 {"device-info", 0x31400, 0x00400},
183 {"signature", 0x32000, 0x00400},
184 {"device-id", 0x33000, 0x00100},
185 {"os-image", 0x40000, 0x1c0000},
186 {"file-system", 0x200000, 0x5b0000},
187 {"soft-version", 0x7b0000, 0x00100},
188 {"support-list", 0x7b1000, 0x01000},
189 {"user-config", 0x7c0000, 0x10000},
190 {"default-config", 0x7d0000, 0x10000},
191 {"log", 0x7e0000, 0x10000},
192 {"radio", 0x7f0000, 0x10000},
196 .first_sysupgrade_partition = "os-image",
197 .last_sysupgrade_partition = "support-list",
200 /** Firmware layout for the CPE510/520 */
203 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
206 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
207 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
208 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
209 "CPE510(TP-LINK|US|N300-5):1.1\r\n"
210 "CPE510(TP-LINK|EU|N300-5):1.1\r\n"
211 "CPE520(TP-LINK|UN|N300-5):1.1\r\n"
212 "CPE520(TP-LINK|US|N300-5):1.1\r\n"
213 "CPE520(TP-LINK|EU|N300-5):1.1\r\n"
214 "CPE510(TP-LINK|EU|N300-5|00000000):2.0\r\n"
215 "CPE510(TP-LINK|EU|N300-5|45550000):2.0\r\n"
216 "CPE510(TP-LINK|EU|N300-5|55530000):2.0\r\n"
217 "CPE510(TP-LINK|UN|N300-5|00000000):2.0\r\n"
218 "CPE510(TP-LINK|UN|N300-5|45550000):2.0\r\n"
219 "CPE510(TP-LINK|UN|N300-5|55530000):2.0\r\n"
220 "CPE510(TP-LINK|US|N300-5|55530000):2.0\r\n"
221 "CPE510(TP-LINK|UN|N300-5):2.0\r\n"
222 "CPE510(TP-LINK|EU|N300-5):2.0\r\n"
223 "CPE510(TP-LINK|US|N300-5):2.0\r\n",
224 .support_trail = '\xff',
228 {"fs-uboot", 0x00000, 0x20000},
229 {"partition-table", 0x20000, 0x02000},
230 {"default-mac", 0x30000, 0x00020},
231 {"product-info", 0x31100, 0x00100},
232 {"signature", 0x32000, 0x00400},
233 {"os-image", 0x40000, 0x1c0000},
234 {"file-system", 0x200000, 0x5b0000},
235 {"soft-version", 0x7b0000, 0x00100},
236 {"support-list", 0x7b1000, 0x00400},
237 {"user-config", 0x7c0000, 0x10000},
238 {"default-config", 0x7d0000, 0x10000},
239 {"log", 0x7e0000, 0x10000},
240 {"radio", 0x7f0000, 0x10000},
244 .first_sysupgrade_partition = "os-image",
245 .last_sysupgrade_partition = "support-list",
250 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
253 "WBS210(TP-LINK|UN|N300-2):1.20\r\n"
254 "WBS210(TP-LINK|US|N300-2):1.20\r\n"
255 "WBS210(TP-LINK|EU|N300-2):1.20\r\n",
256 .support_trail = '\xff',
260 {"fs-uboot", 0x00000, 0x20000},
261 {"partition-table", 0x20000, 0x02000},
262 {"default-mac", 0x30000, 0x00020},
263 {"product-info", 0x31100, 0x00100},
264 {"signature", 0x32000, 0x00400},
265 {"os-image", 0x40000, 0x1c0000},
266 {"file-system", 0x200000, 0x5b0000},
267 {"soft-version", 0x7b0000, 0x00100},
268 {"support-list", 0x7b1000, 0x00400},
269 {"user-config", 0x7c0000, 0x10000},
270 {"default-config", 0x7d0000, 0x10000},
271 {"log", 0x7e0000, 0x10000},
272 {"radio", 0x7f0000, 0x10000},
276 .first_sysupgrade_partition = "os-image",
277 .last_sysupgrade_partition = "support-list",
282 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
285 "WBS510(TP-LINK|UN|N300-5):1.20\r\n"
286 "WBS510(TP-LINK|US|N300-5):1.20\r\n"
287 "WBS510(TP-LINK|EU|N300-5):1.20\r\n",
288 .support_trail = '\xff',
292 {"fs-uboot", 0x00000, 0x20000},
293 {"partition-table", 0x20000, 0x02000},
294 {"default-mac", 0x30000, 0x00020},
295 {"product-info", 0x31100, 0x00100},
296 {"signature", 0x32000, 0x00400},
297 {"os-image", 0x40000, 0x1c0000},
298 {"file-system", 0x200000, 0x5b0000},
299 {"soft-version", 0x7b0000, 0x00100},
300 {"support-list", 0x7b1000, 0x00400},
301 {"user-config", 0x7c0000, 0x10000},
302 {"default-config", 0x7d0000, 0x10000},
303 {"log", 0x7e0000, 0x10000},
304 {"radio", 0x7f0000, 0x10000},
308 .first_sysupgrade_partition = "os-image",
309 .last_sysupgrade_partition = "support-list",
312 /** Firmware layout for the C2600 */
318 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n",
319 .support_trail = '\x00',
323 We use a bigger os-image partition than the stock images (and thus
324 smaller file-system), as our kernel doesn't fit in the stock firmware's
325 2 MB os-image since kernel 4.14.
328 {"SBL1", 0x00000, 0x20000},
329 {"MIBIB", 0x20000, 0x20000},
330 {"SBL2", 0x40000, 0x20000},
331 {"SBL3", 0x60000, 0x30000},
332 {"DDRCONFIG", 0x90000, 0x10000},
333 {"SSD", 0xa0000, 0x10000},
334 {"TZ", 0xb0000, 0x30000},
335 {"RPM", 0xe0000, 0x20000},
336 {"fs-uboot", 0x100000, 0x70000},
337 {"uboot-env", 0x170000, 0x40000},
338 {"radio", 0x1b0000, 0x40000},
339 {"os-image", 0x1f0000, 0x400000}, /* Stock: base 0x1f0000 size 0x200000 */
340 {"file-system", 0x5f0000, 0x1900000}, /* Stock: base 0x3f0000 size 0x1b00000 */
341 {"default-mac", 0x1ef0000, 0x00200},
342 {"pin", 0x1ef0200, 0x00200},
343 {"product-info", 0x1ef0400, 0x0fc00},
344 {"partition-table", 0x1f00000, 0x10000},
345 {"soft-version", 0x1f10000, 0x10000},
346 {"support-list", 0x1f20000, 0x10000},
347 {"profile", 0x1f30000, 0x10000},
348 {"default-config", 0x1f40000, 0x10000},
349 {"user-config", 0x1f50000, 0x40000},
350 {"qos-db", 0x1f90000, 0x40000},
351 {"usb-config", 0x1fd0000, 0x10000},
352 {"log", 0x1fe0000, 0x20000},
356 .first_sysupgrade_partition = "os-image",
357 .last_sysupgrade_partition = "file-system"
360 /** Firmware layout for the C25v1 */
362 .id = "ARCHER-C25-V1",
365 "{product_name:ArcherC25,product_ver:1.0.0,special_id:00000000}\n"
366 "{product_name:ArcherC25,product_ver:1.0.0,special_id:55530000}\n"
367 "{product_name:ArcherC25,product_ver:1.0.0,special_id:45550000}\n",
368 .support_trail = '\x00',
369 .soft_ver = "soft_ver:1.0.0\n",
371 /* We're using a dynamic kernel/rootfs split here */
373 {"factory-boot", 0x00000, 0x20000},
374 {"fs-uboot", 0x20000, 0x10000},
375 {"firmware", 0x30000, 0x7a0000}, /* Stock: name os-image base 0x30000 size 0x100000 */
376 /* Stock: name file-system base 0x130000 size 0x6a0000 */
377 {"user-config", 0x7d0000, 0x04000},
378 {"default-mac", 0x7e0000, 0x00100},
379 {"device-id", 0x7e0100, 0x00100},
380 {"extra-para", 0x7e0200, 0x00100},
381 {"pin", 0x7e0300, 0x00100},
382 {"support-list", 0x7e0400, 0x00400},
383 {"soft-version", 0x7e0800, 0x00400},
384 {"product-info", 0x7e0c00, 0x01400},
385 {"partition-table", 0x7e2000, 0x01000},
386 {"profile", 0x7e3000, 0x01000},
387 {"default-config", 0x7e4000, 0x04000},
388 {"merge-config", 0x7ec000, 0x02000},
389 {"qos-db", 0x7ee000, 0x02000},
390 {"radio", 0x7f0000, 0x10000},
394 .first_sysupgrade_partition = "os-image",
395 .last_sysupgrade_partition = "file-system",
398 /** Firmware layout for the C58v1 */
400 .id = "ARCHER-C58-V1",
404 "{product_name:Archer C58,product_ver:1.0.0,special_id:00000000}\r\n"
405 "{product_name:Archer C58,product_ver:1.0.0,special_id:45550000}\r\n"
406 "{product_name:Archer C58,product_ver:1.0.0,special_id:55530000}\r\n",
407 .support_trail = '\x00',
408 .soft_ver = "soft_ver:1.0.0\n",
411 {"fs-uboot", 0x00000, 0x10000},
412 {"default-mac", 0x10000, 0x00200},
413 {"pin", 0x10200, 0x00200},
414 {"product-info", 0x10400, 0x00100},
415 {"partition-table", 0x10500, 0x00800},
416 {"soft-version", 0x11300, 0x00200},
417 {"support-list", 0x11500, 0x00100},
418 {"device-id", 0x11600, 0x00100},
419 {"profile", 0x11700, 0x03900},
420 {"default-config", 0x15000, 0x04000},
421 {"user-config", 0x19000, 0x04000},
422 {"firmware", 0x20000, 0x7c8000},
423 {"certyficate", 0x7e8000, 0x08000},
424 {"radio", 0x7f0000, 0x10000},
428 .first_sysupgrade_partition = "os-image",
429 .last_sysupgrade_partition = "file-system",
432 /** Firmware layout for the C59v1 */
434 .id = "ARCHER-C59-V1",
438 "{product_name:Archer C59,product_ver:1.0.0,special_id:00000000}\r\n"
439 "{product_name:Archer C59,product_ver:1.0.0,special_id:45550000}\r\n"
440 "{product_name:Archer C59,product_ver:1.0.0,special_id:52550000}\r\n"
441 "{product_name:Archer C59,product_ver:1.0.0,special_id:55530000}\r\n",
442 .support_trail = '\x00',
443 .soft_ver = "soft_ver:1.0.0\n",
445 /* We're using a dynamic kernel/rootfs split here */
447 {"fs-uboot", 0x00000, 0x10000},
448 {"default-mac", 0x10000, 0x00200},
449 {"pin", 0x10200, 0x00200},
450 {"device-id", 0x10400, 0x00100},
451 {"product-info", 0x10500, 0x0fb00},
452 {"firmware", 0x20000, 0xe30000},
453 {"partition-table", 0xe50000, 0x10000},
454 {"soft-version", 0xe60000, 0x10000},
455 {"support-list", 0xe70000, 0x10000},
456 {"profile", 0xe80000, 0x10000},
457 {"default-config", 0xe90000, 0x10000},
458 {"user-config", 0xea0000, 0x40000},
459 {"usb-config", 0xee0000, 0x10000},
460 {"certificate", 0xef0000, 0x10000},
461 {"qos-db", 0xf00000, 0x40000},
462 {"log", 0xfe0000, 0x10000},
463 {"radio", 0xff0000, 0x10000},
467 .first_sysupgrade_partition = "os-image",
468 .last_sysupgrade_partition = "file-system",
471 /** Firmware layout for the C59v2 */
473 .id = "ARCHER-C59-V2",
477 "{product_name:Archer C59,product_ver:2.0.0,special_id:00000000}\r\n"
478 "{product_name:Archer C59,product_ver:2.0.0,special_id:45550000}\r\n"
479 "{product_name:Archer C59,product_ver:2.0.0,special_id:55530000}\r\n",
480 .support_trail = '\x00',
481 .soft_ver = "soft_ver:2.0.0 Build 20161206 rel.7303\n",
483 /** We're using a dynamic kernel/rootfs split here */
485 {"factory-boot", 0x00000, 0x20000},
486 {"fs-uboot", 0x20000, 0x10000},
487 {"default-mac", 0x30000, 0x00200},
488 {"pin", 0x30200, 0x00200},
489 {"device-id", 0x30400, 0x00100},
490 {"product-info", 0x30500, 0x0fb00},
491 {"firmware", 0x40000, 0xe10000},
492 {"partition-table", 0xe50000, 0x10000},
493 {"soft-version", 0xe60000, 0x10000},
494 {"support-list", 0xe70000, 0x10000},
495 {"profile", 0xe80000, 0x10000},
496 {"default-config", 0xe90000, 0x10000},
497 {"user-config", 0xea0000, 0x40000},
498 {"usb-config", 0xee0000, 0x10000},
499 {"certificate", 0xef0000, 0x10000},
500 {"extra-para", 0xf00000, 0x10000},
501 {"qos-db", 0xf10000, 0x30000},
502 {"log", 0xfe0000, 0x10000},
503 {"radio", 0xff0000, 0x10000},
507 .first_sysupgrade_partition = "os-image",
508 .last_sysupgrade_partition = "file-system",
511 /** Firmware layout for the C60v1 */
513 .id = "ARCHER-C60-V1",
517 "{product_name:Archer C60,product_ver:1.0.0,special_id:00000000}\r\n"
518 "{product_name:Archer C60,product_ver:1.0.0,special_id:45550000}\r\n"
519 "{product_name:Archer C60,product_ver:1.0.0,special_id:55530000}\r\n",
520 .support_trail = '\x00',
521 .soft_ver = "soft_ver:1.0.0\n",
524 {"fs-uboot", 0x00000, 0x10000},
525 {"default-mac", 0x10000, 0x00200},
526 {"pin", 0x10200, 0x00200},
527 {"product-info", 0x10400, 0x00100},
528 {"partition-table", 0x10500, 0x00800},
529 {"soft-version", 0x11300, 0x00200},
530 {"support-list", 0x11500, 0x00100},
531 {"device-id", 0x11600, 0x00100},
532 {"profile", 0x11700, 0x03900},
533 {"default-config", 0x15000, 0x04000},
534 {"user-config", 0x19000, 0x04000},
535 {"firmware", 0x20000, 0x7c8000},
536 {"certyficate", 0x7e8000, 0x08000},
537 {"radio", 0x7f0000, 0x10000},
541 .first_sysupgrade_partition = "os-image",
542 .last_sysupgrade_partition = "file-system",
545 /** Firmware layout for the C60v2 */
547 .id = "ARCHER-C60-V2",
551 "{product_name:Archer C60,product_ver:2.0.0,special_id:42520000}\r\n"
552 "{product_name:Archer C60,product_ver:2.0.0,special_id:45550000}\r\n"
553 "{product_name:Archer C60,product_ver:2.0.0,special_id:55530000}\r\n",
554 .support_trail = '\x00',
555 .soft_ver = "soft_ver:2.0.0\n",
558 {"factory-boot", 0x00000, 0x1fb00},
559 {"default-mac", 0x1fb00, 0x00200},
560 {"pin", 0x1fd00, 0x00100},
561 {"product-info", 0x1fe00, 0x00100},
562 {"device-id", 0x1ff00, 0x00100},
563 {"fs-uboot", 0x20000, 0x10000},
564 {"firmware", 0x30000, 0x7a0000},
565 {"soft-version", 0x7d9500, 0x00100},
566 {"support-list", 0x7d9600, 0x00100},
567 {"extra-para", 0x7d9700, 0x00100},
568 {"profile", 0x7d9800, 0x03000},
569 {"default-config", 0x7dc800, 0x03000},
570 {"partition-table", 0x7df800, 0x00800},
571 {"user-config", 0x7e0000, 0x0c000},
572 {"certificate", 0x7ec000, 0x04000},
573 {"radio", 0x7f0000, 0x10000},
577 .first_sysupgrade_partition = "os-image",
578 .last_sysupgrade_partition = "file-system",
581 /** Firmware layout for the C5 */
583 .id = "ARCHER-C5-V2",
587 "{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}\r\n"
588 "{product_name:ArcherC5,product_ver:2.0.0,special_id:55530000}\r\n"
589 "{product_name:ArcherC5,product_ver:2.0.0,special_id:4A500000}\r\n", /* JP version */
590 .support_trail = '\x00',
594 {"fs-uboot", 0x00000, 0x40000},
595 {"os-image", 0x40000, 0x200000},
596 {"file-system", 0x240000, 0xc00000},
597 {"default-mac", 0xe40000, 0x00200},
598 {"pin", 0xe40200, 0x00200},
599 {"product-info", 0xe40400, 0x00200},
600 {"partition-table", 0xe50000, 0x10000},
601 {"soft-version", 0xe60000, 0x00200},
602 {"support-list", 0xe61000, 0x0f000},
603 {"profile", 0xe70000, 0x10000},
604 {"default-config", 0xe80000, 0x10000},
605 {"user-config", 0xe90000, 0x50000},
606 {"log", 0xee0000, 0x100000},
607 {"radio_bk", 0xfe0000, 0x10000},
608 {"radio", 0xff0000, 0x10000},
612 .first_sysupgrade_partition = "os-image",
613 .last_sysupgrade_partition = "file-system"
616 /** Firmware layout for the C7 */
618 .id = "ARCHER-C7-V4",
621 "{product_name:Archer C7,product_ver:4.0.0,special_id:00000000}\n"
622 "{product_name:Archer C7,product_ver:4.0.0,special_id:41550000}\n"
623 "{product_name:Archer C7,product_ver:4.0.0,special_id:45550000}\n"
624 "{product_name:Archer C7,product_ver:4.0.0,special_id:4B520000}\n"
625 "{product_name:Archer C7,product_ver:4.0.0,special_id:42520000}\n"
626 "{product_name:Archer C7,product_ver:4.0.0,special_id:4A500000}\n"
627 "{product_name:Archer C7,product_ver:4.0.0,special_id:52550000}\n"
628 "{product_name:Archer C7,product_ver:4.0.0,special_id:54570000}\n"
629 "{product_name:Archer C7,product_ver:4.0.0,special_id:55530000}\n"
630 "{product_name:Archer C7,product_ver:4.0.0,special_id:43410000}\n",
631 .support_trail = '\x00',
632 .soft_ver = "soft_ver:1.0.0\n",
634 /* We're using a dynamic kernel/rootfs split here */
636 {"factory-boot", 0x00000, 0x20000},
637 {"fs-uboot", 0x20000, 0x20000},
638 {"firmware", 0x40000, 0xEC0000}, /* Stock: name os-image base 0x40000 size 0x120000 */
639 /* Stock: name file-system base 0x160000 size 0xda0000 */
640 {"default-mac", 0xf00000, 0x00200},
641 {"pin", 0xf00200, 0x00200},
642 {"device-id", 0xf00400, 0x00100},
643 {"product-info", 0xf00500, 0x0fb00},
644 {"soft-version", 0xf10000, 0x00100},
645 {"extra-para", 0xf11000, 0x01000},
646 {"support-list", 0xf12000, 0x0a000},
647 {"profile", 0xf1c000, 0x04000},
648 {"default-config", 0xf20000, 0x10000},
649 {"user-config", 0xf30000, 0x40000},
650 {"qos-db", 0xf70000, 0x40000},
651 {"certificate", 0xfb0000, 0x10000},
652 {"partition-table", 0xfc0000, 0x10000},
653 {"log", 0xfd0000, 0x20000},
654 {"radio", 0xff0000, 0x10000},
658 .first_sysupgrade_partition = "os-image",
659 .last_sysupgrade_partition = "file-system",
662 /** Firmware layout for the C7 v5*/
664 .id = "ARCHER-C7-V5",
667 "{product_name:Archer C7,product_ver:5.0.0,special_id:00000000}\n"
668 "{product_name:Archer C7,product_ver:5.0.0,special_id:45550000}\n"
669 "{product_name:Archer C7,product_ver:5.0.0,special_id:55530000}\n"
670 "{product_name:Archer C7,product_ver:5.0.0,special_id:43410000}\n"
671 "{product_name:Archer C7,product_ver:5.0.0,special_id:4A500000}\n"
672 "{product_name:Archer C7,product_ver:5.0.0,special_id:54570000}\n",
674 .support_trail = '\x00',
675 .soft_ver = "soft_ver:1.0.0\n",
677 /* We're using a dynamic kernel/rootfs split here */
679 {"factory-boot", 0x00000, 0x20000},
680 {"fs-uboot", 0x20000, 0x20000},
681 {"partition-table", 0x40000, 0x10000},
682 {"radio", 0x50000, 0x10000},
683 {"default-mac", 0x60000, 0x00200},
684 {"pin", 0x60200, 0x00200},
685 {"device-id", 0x60400, 0x00100},
686 {"product-info", 0x60500, 0x0fb00},
687 {"soft-version", 0x70000, 0x01000},
688 {"extra-para", 0x71000, 0x01000},
689 {"support-list", 0x72000, 0x0a000},
690 {"profile", 0x7c000, 0x04000},
691 {"user-config", 0x80000, 0x40000},
694 {"firmware", 0xc0000, 0xf00000}, /* Stock: name os-image base 0xc0000 size 0x120000 */
695 /* Stock: name file-system base 0x1e0000 size 0xde0000 */
697 {"log", 0xfc0000, 0x20000},
698 {"certificate", 0xfe0000, 0x10000},
699 {"default-config", 0xff0000, 0x10000},
704 .first_sysupgrade_partition = "os-image",
705 .last_sysupgrade_partition = "file-system",
708 /** Firmware layout for the C9 */
714 "{product_name:ArcherC9,"
716 "special_id:00000000}\n",
717 .support_trail = '\x00',
721 {"fs-uboot", 0x00000, 0x40000},
722 {"os-image", 0x40000, 0x200000},
723 {"file-system", 0x240000, 0xc00000},
724 {"default-mac", 0xe40000, 0x00200},
725 {"pin", 0xe40200, 0x00200},
726 {"product-info", 0xe40400, 0x00200},
727 {"partition-table", 0xe50000, 0x10000},
728 {"soft-version", 0xe60000, 0x00200},
729 {"support-list", 0xe61000, 0x0f000},
730 {"profile", 0xe70000, 0x10000},
731 {"default-config", 0xe80000, 0x10000},
732 {"user-config", 0xe90000, 0x50000},
733 {"log", 0xee0000, 0x100000},
734 {"radio_bk", 0xfe0000, 0x10000},
735 {"radio", 0xff0000, 0x10000},
739 .first_sysupgrade_partition = "os-image",
740 .last_sysupgrade_partition = "file-system"
743 /** Firmware layout for the EAP120 */
746 .vendor = "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
749 "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
750 .support_trail = '\xff',
754 {"fs-uboot", 0x00000, 0x20000},
755 {"partition-table", 0x20000, 0x02000},
756 {"default-mac", 0x30000, 0x00020},
757 {"support-list", 0x31000, 0x00100},
758 {"product-info", 0x31100, 0x00100},
759 {"soft-version", 0x32000, 0x00100},
760 {"os-image", 0x40000, 0x180000},
761 {"file-system", 0x1c0000, 0x600000},
762 {"user-config", 0x7c0000, 0x10000},
763 {"backup-config", 0x7d0000, 0x10000},
764 {"log", 0x7e0000, 0x10000},
765 {"radio", 0x7f0000, 0x10000},
769 .first_sysupgrade_partition = "os-image",
770 .last_sysupgrade_partition = "file-system"
773 /** Firmware layout for the TL-WA850RE v2 */
779 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55530000}\n"
780 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:00000000}\n"
781 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55534100}\n"
782 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:45550000}\n"
783 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4B520000}\n"
784 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:42520000}\n"
785 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4A500000}\n"
786 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:43410000}\n"
787 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:41550000}\n"
788 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:52550000}\n",
789 .support_trail = '\x00',
793 576KB were moved from file-system to os-image
794 in comparison to the stock image
797 {"fs-uboot", 0x00000, 0x20000},
798 {"os-image", 0x20000, 0x150000},
799 {"file-system", 0x170000, 0x240000},
800 {"partition-table", 0x3b0000, 0x02000},
801 {"default-mac", 0x3c0000, 0x00020},
802 {"pin", 0x3c0100, 0x00020},
803 {"product-info", 0x3c1000, 0x01000},
804 {"soft-version", 0x3c2000, 0x00100},
805 {"support-list", 0x3c3000, 0x01000},
806 {"profile", 0x3c4000, 0x08000},
807 {"user-config", 0x3d0000, 0x10000},
808 {"default-config", 0x3e0000, 0x10000},
809 {"radio", 0x3f0000, 0x10000},
813 .first_sysupgrade_partition = "os-image",
814 .last_sysupgrade_partition = "file-system"
817 /** Firmware layout for the TL-WA855RE v1 */
823 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:00000000}\n"
824 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:55530000}\n"
825 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:45550000}\n"
826 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4B520000}\n"
827 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:42520000}\n"
828 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4A500000}\n"
829 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:43410000}\n"
830 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:41550000}\n"
831 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:52550000}\n",
832 .support_trail = '\x00',
836 {"fs-uboot", 0x00000, 0x20000},
837 {"os-image", 0x20000, 0x150000},
838 {"file-system", 0x170000, 0x240000},
839 {"partition-table", 0x3b0000, 0x02000},
840 {"default-mac", 0x3c0000, 0x00020},
841 {"pin", 0x3c0100, 0x00020},
842 {"product-info", 0x3c1000, 0x01000},
843 {"soft-version", 0x3c2000, 0x00100},
844 {"support-list", 0x3c3000, 0x01000},
845 {"profile", 0x3c4000, 0x08000},
846 {"user-config", 0x3d0000, 0x10000},
847 {"default-config", 0x3e0000, 0x10000},
848 {"radio", 0x3f0000, 0x10000},
852 .first_sysupgrade_partition = "os-image",
853 .last_sysupgrade_partition = "file-system"
856 /** Firmware layout for the TL-WR1043 v5 */
862 "{product_name:TL-WR1043N,product_ver:5.0.0,special_id:45550000}\n"
863 "{product_name:TL-WR1043N,product_ver:5.0.0,special_id:55530000}\n",
864 .support_trail = '\x00',
865 .soft_ver = "soft_ver:1.0.0\n",
867 {"factory-boot", 0x00000, 0x20000},
868 {"fs-uboot", 0x20000, 0x20000},
869 {"firmware", 0x40000, 0xec0000},
870 {"default-mac", 0xf00000, 0x00200},
871 {"pin", 0xf00200, 0x00200},
872 {"device-id", 0xf00400, 0x00100},
873 {"product-info", 0xf00500, 0x0fb00},
874 {"soft-version", 0xf10000, 0x01000},
875 {"extra-para", 0xf11000, 0x01000},
876 {"support-list", 0xf12000, 0x0a000},
877 {"profile", 0xf1c000, 0x04000},
878 {"default-config", 0xf20000, 0x10000},
879 {"user-config", 0xf30000, 0x40000},
880 {"qos-db", 0xf70000, 0x40000},
881 {"certificate", 0xfb0000, 0x10000},
882 {"partition-table", 0xfc0000, 0x10000},
883 {"log", 0xfd0000, 0x20000},
884 {"radio", 0xff0000, 0x10000},
887 .first_sysupgrade_partition = "os-image",
888 .last_sysupgrade_partition = "file-system"
891 /** Firmware layout for the TL-WR1043 v4 */
893 .id = "TLWR1043NDV4",
897 "{product_name:TL-WR1043ND,product_ver:4.0.0,special_id:45550000}\n",
898 .support_trail = '\x00',
901 /* We're using a dynamic kernel/rootfs split here */
903 {"fs-uboot", 0x00000, 0x20000},
904 {"firmware", 0x20000, 0xf30000},
905 {"default-mac", 0xf50000, 0x00200},
906 {"pin", 0xf50200, 0x00200},
907 {"product-info", 0xf50400, 0x0fc00},
908 {"soft-version", 0xf60000, 0x0b000},
909 {"support-list", 0xf6b000, 0x04000},
910 {"profile", 0xf70000, 0x04000},
911 {"default-config", 0xf74000, 0x0b000},
912 {"user-config", 0xf80000, 0x40000},
913 {"partition-table", 0xfc0000, 0x10000},
914 {"log", 0xfd0000, 0x20000},
915 {"radio", 0xff0000, 0x10000},
919 .first_sysupgrade_partition = "os-image",
920 .last_sysupgrade_partition = "file-system"
923 /** Firmware layout for the TL-WR902AC v1 */
925 .id = "TL-WR902AC-V1",
929 "{product_name:TL-WR902AC,product_ver:1.0.0,special_id:45550000}\n"
930 "{product_name:TL-WR902AC,product_ver:1.0.0,special_id:55530000}\n",
931 .support_trail = '\x00',
935 384KB were moved from file-system to os-image
936 in comparison to the stock image
939 {"fs-uboot", 0x00000, 0x20000},
940 {"firmware", 0x20000, 0x730000},
941 {"default-mac", 0x750000, 0x00200},
942 {"pin", 0x750200, 0x00200},
943 {"product-info", 0x750400, 0x0fc00},
944 {"soft-version", 0x760000, 0x0b000},
945 {"support-list", 0x76b000, 0x04000},
946 {"profile", 0x770000, 0x04000},
947 {"default-config", 0x774000, 0x0b000},
948 {"user-config", 0x780000, 0x40000},
949 {"partition-table", 0x7c0000, 0x10000},
950 {"log", 0x7d0000, 0x20000},
951 {"radio", 0x7f0000, 0x10000},
955 .first_sysupgrade_partition = "os-image",
956 .last_sysupgrade_partition = "file-system",
959 /** Firmware layout for the TL-WR942N V1 */
965 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:00000000}\r\n"
966 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:52550000}\r\n",
967 .support_trail = '\x00',
971 {"fs-uboot", 0x00000, 0x20000},
972 {"firmware", 0x20000, 0xe20000},
973 {"default-mac", 0xe40000, 0x00200},
974 {"pin", 0xe40200, 0x00200},
975 {"product-info", 0xe40400, 0x0fc00},
976 {"partition-table", 0xe50000, 0x10000},
977 {"soft-version", 0xe60000, 0x10000},
978 {"support-list", 0xe70000, 0x10000},
979 {"profile", 0xe80000, 0x10000},
980 {"default-config", 0xe90000, 0x10000},
981 {"user-config", 0xea0000, 0x40000},
982 {"qos-db", 0xee0000, 0x40000},
983 {"certificate", 0xf20000, 0x10000},
984 {"usb-config", 0xfb0000, 0x10000},
985 {"log", 0xfc0000, 0x20000},
986 {"radio-bk", 0xfe0000, 0x10000},
987 {"radio", 0xff0000, 0x10000},
991 .first_sysupgrade_partition = "os-image",
992 .last_sysupgrade_partition = "file-system",
995 /** Firmware layout for the RE350 v1 */
1001 "{product_name:RE350,product_ver:1.0.0,special_id:45550000}\n"
1002 "{product_name:RE350,product_ver:1.0.0,special_id:00000000}\n"
1003 "{product_name:RE350,product_ver:1.0.0,special_id:41550000}\n"
1004 "{product_name:RE350,product_ver:1.0.0,special_id:55530000}\n"
1005 "{product_name:RE350,product_ver:1.0.0,special_id:43410000}\n"
1006 "{product_name:RE350,product_ver:1.0.0,special_id:4b520000}\n"
1007 "{product_name:RE350,product_ver:1.0.0,special_id:4a500000}\n",
1008 .support_trail = '\x00',
1011 /** We're using a dynamic kernel/rootfs split here */
1013 {"fs-uboot", 0x00000, 0x20000},
1014 {"firmware", 0x20000, 0x5e0000},
1015 {"partition-table", 0x600000, 0x02000},
1016 {"default-mac", 0x610000, 0x00020},
1017 {"pin", 0x610100, 0x00020},
1018 {"product-info", 0x611100, 0x01000},
1019 {"soft-version", 0x620000, 0x01000},
1020 {"support-list", 0x621000, 0x01000},
1021 {"profile", 0x622000, 0x08000},
1022 {"user-config", 0x630000, 0x10000},
1023 {"default-config", 0x640000, 0x10000},
1024 {"radio", 0x7f0000, 0x10000},
1028 .first_sysupgrade_partition = "os-image",
1029 .last_sysupgrade_partition = "file-system"
1032 /** Firmware layout for the RE355 */
1038 "{product_name:RE355,product_ver:1.0.0,special_id:00000000}\r\n"
1039 "{product_name:RE355,product_ver:1.0.0,special_id:55530000}\r\n"
1040 "{product_name:RE355,product_ver:1.0.0,special_id:45550000}\r\n"
1041 "{product_name:RE355,product_ver:1.0.0,special_id:4A500000}\r\n"
1042 "{product_name:RE355,product_ver:1.0.0,special_id:43410000}\r\n"
1043 "{product_name:RE355,product_ver:1.0.0,special_id:41550000}\r\n"
1044 "{product_name:RE355,product_ver:1.0.0,special_id:4B520000}\r\n"
1045 "{product_name:RE355,product_ver:1.0.0,special_id:55534100}\r\n",
1046 .support_trail = '\x00',
1049 /* We're using a dynamic kernel/rootfs split here */
1051 {"fs-uboot", 0x00000, 0x20000},
1052 {"firmware", 0x20000, 0x5e0000},
1053 {"partition-table", 0x600000, 0x02000},
1054 {"default-mac", 0x610000, 0x00020},
1055 {"pin", 0x610100, 0x00020},
1056 {"product-info", 0x611100, 0x01000},
1057 {"soft-version", 0x620000, 0x01000},
1058 {"support-list", 0x621000, 0x01000},
1059 {"profile", 0x622000, 0x08000},
1060 {"user-config", 0x630000, 0x10000},
1061 {"default-config", 0x640000, 0x10000},
1062 {"radio", 0x7f0000, 0x10000},
1066 .first_sysupgrade_partition = "os-image",
1067 .last_sysupgrade_partition = "file-system"
1070 /** Firmware layout for the RE450 */
1076 "{product_name:RE450,product_ver:1.0.0,special_id:00000000}\r\n"
1077 "{product_name:RE450,product_ver:1.0.0,special_id:55530000}\r\n"
1078 "{product_name:RE450,product_ver:1.0.0,special_id:45550000}\r\n"
1079 "{product_name:RE450,product_ver:1.0.0,special_id:4A500000}\r\n"
1080 "{product_name:RE450,product_ver:1.0.0,special_id:43410000}\r\n"
1081 "{product_name:RE450,product_ver:1.0.0,special_id:41550000}\r\n"
1082 "{product_name:RE450,product_ver:1.0.0,special_id:4B520000}\r\n"
1083 "{product_name:RE450,product_ver:1.0.0,special_id:55534100}\r\n",
1084 .support_trail = '\x00',
1087 /** We're using a dynamic kernel/rootfs split here */
1089 {"fs-uboot", 0x00000, 0x20000},
1090 {"firmware", 0x20000, 0x5e0000},
1091 {"partition-table", 0x600000, 0x02000},
1092 {"default-mac", 0x610000, 0x00020},
1093 {"pin", 0x610100, 0x00020},
1094 {"product-info", 0x611100, 0x01000},
1095 {"soft-version", 0x620000, 0x01000},
1096 {"support-list", 0x621000, 0x01000},
1097 {"profile", 0x622000, 0x08000},
1098 {"user-config", 0x630000, 0x10000},
1099 {"default-config", 0x640000, 0x10000},
1100 {"radio", 0x7f0000, 0x10000},
1104 .first_sysupgrade_partition = "os-image",
1105 .last_sysupgrade_partition = "file-system"
1108 /** Firmware layout for the RE450 v2 */
1114 "{product_name:RE450,product_ver:2.0.0,special_id:00000000}\r\n"
1115 "{product_name:RE450,product_ver:2.0.0,special_id:55530000}\r\n"
1116 "{product_name:RE450,product_ver:2.0.0,special_id:45550000}\r\n"
1117 "{product_name:RE450,product_ver:2.0.0,special_id:4A500000}\r\n"
1118 "{product_name:RE450,product_ver:2.0.0,special_id:43410000}\r\n"
1119 "{product_name:RE450,product_ver:2.0.0,special_id:41550000}\r\n"
1120 "{product_name:RE450,product_ver:2.0.0,special_id:41530000}\r\n"
1121 "{product_name:RE450,product_ver:2.0.0,special_id:4B520000}\r\n"
1122 "{product_name:RE450,product_ver:2.0.0,special_id:42520000}\r\n",
1123 .support_trail = '\x00',
1126 /* We're using a dynamic kernel/rootfs split here */
1128 {"fs-uboot", 0x00000, 0x20000},
1129 {"firmware", 0x20000, 0x5e0000},
1130 {"partition-table", 0x600000, 0x02000},
1131 {"default-mac", 0x610000, 0x00020},
1132 {"pin", 0x610100, 0x00020},
1133 {"product-info", 0x611100, 0x01000},
1134 {"soft-version", 0x620000, 0x01000},
1135 {"support-list", 0x621000, 0x01000},
1136 {"profile", 0x622000, 0x08000},
1137 {"user-config", 0x630000, 0x10000},
1138 {"default-config", 0x640000, 0x10000},
1139 {"radio", 0x7f0000, 0x10000},
1144 .first_sysupgrade_partition = "os-image",
1145 .last_sysupgrade_partition = "file-system"
1151 #define error(_ret, _errno, _str, ...) \
1153 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
1154 strerror(_errno)); \
1160 /** Stores a uint32 as big endian */
1161 static inline void put32(uint8_t *buf, uint32_t val) {
1168 /** Allocates a new image partition */
1169 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
1170 struct image_partition_entry entry = {name, len, malloc(len)};
1172 error(1, errno, "malloc");
1177 /** Frees an image partition */
1178 static void free_image_partition(struct image_partition_entry entry) {
1182 static time_t source_date_epoch = -1;
1183 static void set_source_date_epoch() {
1184 char *env = getenv("SOURCE_DATE_EPOCH");
1188 source_date_epoch = strtoull(env, &endptr, 10);
1189 if (errno || (endptr && *endptr != '\0')) {
1190 fprintf(stderr, "Invalid SOURCE_DATE_EPOCH");
1196 /** Generates the partition-table partition */
1197 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
1198 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
1200 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
1208 for (i = 0; p[i].name; i++) {
1210 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
1213 error(1, 0, "flash partition table overflow?");
1220 memset(s, 0xff, end-s);
1226 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
1227 static inline uint8_t bcd(uint8_t v) {
1228 return 0x10 * (v/10) + v%10;
1232 /** Generates the soft-version partition */
1233 static struct image_partition_entry make_soft_version(uint32_t rev) {
1234 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
1235 struct soft_version *s = (struct soft_version *)entry.data;
1239 if (source_date_epoch != -1)
1240 t = source_date_epoch;
1241 else if (time(&t) == (time_t)(-1))
1242 error(1, errno, "time");
1244 struct tm *tm = localtime(&t);
1246 s->magic = htonl(0x0000000c);
1250 s->version_major = 0;
1251 s->version_minor = 0;
1252 s->version_patch = 0;
1254 s->year_hi = bcd((1900+tm->tm_year)/100);
1255 s->year_lo = bcd(tm->tm_year%100);
1256 s->month = bcd(tm->tm_mon+1);
1257 s->day = bcd(tm->tm_mday);
1258 s->rev = htonl(rev);
1265 static struct image_partition_entry make_soft_version_from_string(const char *soft_ver) {
1266 /** String length _including_ the terminating zero byte */
1267 uint32_t ver_len = strlen(soft_ver) + 1;
1268 /** Partition contains 64 bit header, the version string, and one additional null byte */
1269 size_t partition_len = 2*sizeof(uint32_t) + ver_len + 1;
1270 struct image_partition_entry entry = alloc_image_partition("soft-version", partition_len);
1272 uint32_t *len = (uint32_t *)entry.data;
1273 len[0] = htonl(ver_len);
1275 memcpy(&len[2], soft_ver, ver_len);
1277 entry.data[partition_len - 1] = 0;
1282 /** Generates the support-list partition */
1283 static struct image_partition_entry make_support_list(struct device_info *info) {
1284 size_t len = strlen(info->support_list);
1285 struct image_partition_entry entry = alloc_image_partition("support-list", len + 9);
1287 put32(entry.data, len);
1288 memset(entry.data+4, 0, 4);
1289 memcpy(entry.data+8, info->support_list, len);
1290 entry.data[len+8] = info->support_trail;
1295 /** Creates a new image partition with an arbitrary name from a file */
1296 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof, struct flash_partition_entry *file_system_partition) {
1297 struct stat statbuf;
1299 if (stat(filename, &statbuf) < 0)
1300 error(1, errno, "unable to stat file `%s'", filename);
1302 size_t len = statbuf.st_size;
1305 if (file_system_partition)
1306 len = ALIGN(len + file_system_partition->base, 0x10000) + sizeof(jffs2_eof_mark) - file_system_partition->base;
1308 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
1310 struct image_partition_entry entry = alloc_image_partition(part_name, len);
1312 FILE *file = fopen(filename, "rb");
1314 error(1, errno, "unable to open file `%s'", filename);
1316 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
1317 error(1, errno, "unable to read file `%s'", filename);
1319 if (add_jffs2_eof) {
1320 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
1322 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
1323 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
1331 /** Creates a new image partition from arbitrary data */
1332 static struct image_partition_entry put_data(const char *part_name, const char *datain, size_t len) {
1334 struct image_partition_entry entry = alloc_image_partition(part_name, len);
1336 memcpy(entry.data, datain, len);
1342 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
1344 Example image partition table:
1346 fwup-ptn partition-table base 0x00800 size 0x00800
1347 fwup-ptn os-image base 0x01000 size 0x113b45
1348 fwup-ptn file-system base 0x114b45 size 0x1d0004
1349 fwup-ptn support-list base 0x2e4b49 size 0x000d1
1351 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
1352 the end of the partition table is marked with a zero byte.
1354 The firmware image must contain at least the partition-table and support-list partitions
1355 to be accepted. There aren't any alignment constraints for the image partitions.
1357 The partition-table partition contains the actual flash layout; partitions
1358 from the image partition table are mapped to the corresponding flash partitions during
1359 the firmware upgrade. The support-list partition contains a list of devices supported by
1362 The base offsets in the firmware partition table are relative to the end
1363 of the vendor information block, so the partition-table partition will
1364 actually start at offset 0x1814 of the image.
1366 I think partition-table must be the first partition in the firmware image.
1368 static void put_partitions(uint8_t *buffer, const struct flash_partition_entry *flash_parts, const struct image_partition_entry *parts) {
1370 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
1372 size_t base = 0x800;
1373 for (i = 0; parts[i].name; i++) {
1374 for (j = 0; flash_parts[j].name; j++) {
1375 if (!strcmp(flash_parts[j].name, parts[i].name)) {
1376 if (parts[i].size > flash_parts[j].size)
1377 error(1, 0, "%s partition too big (more than %u bytes)", flash_parts[j].name, (unsigned)flash_parts[j].size);
1382 assert(flash_parts[j].name);
1384 memcpy(buffer + base, parts[i].data, parts[i].size);
1386 size_t len = end-image_pt;
1387 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
1390 error(1, 0, "image partition table overflow?");
1394 base += parts[i].size;
1398 /** Generates and writes the image MD5 checksum */
1399 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
1403 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
1404 MD5_Update(&ctx, buffer, len);
1405 MD5_Final(md5, &ctx);
1410 Generates the firmware image in factory format
1416 0000-0003 Image size (4 bytes, big endian)
1417 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
1418 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
1419 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
1420 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
1421 1014-1813 Image partition table (2048 bytes, padded with 0xff)
1422 1814-xxxx Firmware partitions
1424 static void * generate_factory_image(struct device_info *info, const struct image_partition_entry *parts, size_t *len) {
1428 for (i = 0; parts[i].name; i++)
1429 *len += parts[i].size;
1431 uint8_t *image = malloc(*len);
1433 error(1, errno, "malloc");
1435 memset(image, 0xff, *len);
1439 size_t vendor_len = strlen(info->vendor);
1440 put32(image+0x14, vendor_len);
1441 memcpy(image+0x18, info->vendor, vendor_len);
1444 put_partitions(image + 0x1014, info->partitions, parts);
1445 put_md5(image+0x04, image+0x14, *len-0x14);
1451 Generates the firmware image in sysupgrade format
1453 This makes some assumptions about the provided flash and image partition tables and
1454 should be generalized when TP-LINK starts building its safeloader into hardware with
1455 different flash layouts.
1457 static void * generate_sysupgrade_image(struct device_info *info, const struct image_partition_entry *image_parts, size_t *len) {
1459 size_t flash_first_partition_index = 0;
1460 size_t flash_last_partition_index = 0;
1461 const struct flash_partition_entry *flash_first_partition = NULL;
1462 const struct flash_partition_entry *flash_last_partition = NULL;
1463 const struct image_partition_entry *image_last_partition = NULL;
1465 /** Find first and last partitions */
1466 for (i = 0; info->partitions[i].name; i++) {
1467 if (!strcmp(info->partitions[i].name, info->first_sysupgrade_partition)) {
1468 flash_first_partition = &info->partitions[i];
1469 flash_first_partition_index = i;
1470 } else if (!strcmp(info->partitions[i].name, info->last_sysupgrade_partition)) {
1471 flash_last_partition = &info->partitions[i];
1472 flash_last_partition_index = i;
1476 assert(flash_first_partition && flash_last_partition);
1477 assert(flash_first_partition_index < flash_last_partition_index);
1479 /** Find last partition from image to calculate needed size */
1480 for (i = 0; image_parts[i].name; i++) {
1481 if (!strcmp(image_parts[i].name, info->last_sysupgrade_partition)) {
1482 image_last_partition = &image_parts[i];
1487 assert(image_last_partition);
1489 *len = flash_last_partition->base - flash_first_partition->base + image_last_partition->size;
1491 uint8_t *image = malloc(*len);
1493 error(1, errno, "malloc");
1495 memset(image, 0xff, *len);
1497 for (i = flash_first_partition_index; i <= flash_last_partition_index; i++) {
1498 for (j = 0; image_parts[j].name; j++) {
1499 if (!strcmp(info->partitions[i].name, image_parts[j].name)) {
1500 if (image_parts[j].size > info->partitions[i].size)
1501 error(1, 0, "%s partition too big (more than %u bytes)", info->partitions[i].name, (unsigned)info->partitions[i].size);
1502 memcpy(image + info->partitions[i].base - flash_first_partition->base, image_parts[j].data, image_parts[j].size);
1506 assert(image_parts[j].name);
1513 /** Generates an image according to a given layout and writes it to a file */
1514 static void build_image(const char *output,
1515 const char *kernel_image,
1516 const char *rootfs_image,
1520 struct device_info *info) {
1524 struct image_partition_entry parts[7] = {};
1526 struct flash_partition_entry *firmware_partition = NULL;
1527 struct flash_partition_entry *os_image_partition = NULL;
1528 struct flash_partition_entry *file_system_partition = NULL;
1529 size_t firmware_partition_index = 0;
1531 for (i = 0; info->partitions[i].name; i++) {
1532 if (!strcmp(info->partitions[i].name, "firmware"))
1534 firmware_partition = &info->partitions[i];
1535 firmware_partition_index = i;
1539 if (firmware_partition)
1541 os_image_partition = &info->partitions[firmware_partition_index];
1542 file_system_partition = &info->partitions[firmware_partition_index + 1];
1545 if (stat(kernel_image, &kernel) < 0)
1546 error(1, errno, "unable to stat file `%s'", kernel_image);
1548 if (kernel.st_size > firmware_partition->size)
1549 error(1, 0, "kernel overflowed firmware partition\n");
1551 for (i = MAX_PARTITIONS-1; i >= firmware_partition_index + 1; i--)
1552 info->partitions[i+1] = info->partitions[i];
1554 file_system_partition->name = "file-system";
1555 file_system_partition->base = firmware_partition->base + kernel.st_size;
1557 /* Align partition start to erase blocks for factory images only */
1559 file_system_partition->base = ALIGN(firmware_partition->base + kernel.st_size, 0x10000);
1561 file_system_partition->size = firmware_partition->size - file_system_partition->base;
1563 os_image_partition->name = "os-image";
1564 os_image_partition->size = kernel.st_size;
1567 parts[0] = make_partition_table(info->partitions);
1569 parts[1] = make_soft_version_from_string(info->soft_ver);
1571 parts[1] = make_soft_version(rev);
1573 parts[2] = make_support_list(info);
1574 parts[3] = read_file("os-image", kernel_image, false, NULL);
1575 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof, file_system_partition);
1577 /* Some devices need the extra-para partition to accept the firmware */
1578 if (strcasecmp(info->id, "ARCHER-C25-V1") == 0 ||
1579 strcasecmp(info->id, "ARCHER-C59-V2") == 0 ||
1580 strcasecmp(info->id, "ARCHER-C60-V2") == 0 ||
1581 strcasecmp(info->id, "TLWR1043NV5") == 0) {
1582 const char mdat[11] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};
1583 parts[5] = put_data("extra-para", mdat, 11);
1584 } else if (strcasecmp(info->id, "ARCHER-C7-V4") == 0 || strcasecmp(info->id, "ARCHER-C7-V5") == 0) {
1585 const char mdat[11] = {0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0xca, 0x00, 0x01, 0x00, 0x00};
1586 parts[5] = put_data("extra-para", mdat, 11);
1592 image = generate_sysupgrade_image(info, parts, &len);
1594 image = generate_factory_image(info, parts, &len);
1596 FILE *file = fopen(output, "wb");
1598 error(1, errno, "unable to open output file");
1600 if (fwrite(image, len, 1, file) != 1)
1601 error(1, 0, "unable to write output file");
1607 for (i = 0; parts[i].name; i++)
1608 free_image_partition(parts[i]);
1612 static void usage(const char *argv0) {
1614 "Usage: %s [OPTIONS...]\n"
1617 " -h show this help\n"
1619 "Create a new image:\n"
1620 " -B <board> create image for the board specified with <board>\n"
1621 " -k <file> read kernel image from the file <file>\n"
1622 " -r <file> read rootfs image from the file <file>\n"
1623 " -o <file> write output to the file <file>\n"
1624 " -V <rev> sets the revision number to <rev>\n"
1625 " -j add jffs2 end-of-filesystem markers\n"
1626 " -S create sysupgrade instead of factory image\n"
1627 "Extract an old image:\n"
1628 " -x <file> extract all oem firmware partition\n"
1629 " -d <dir> destination to extract the firmware partition\n"
1630 " -z <file> convert an oem firmware into a sysupgade file. Use -o for output file\n",
1636 static struct device_info *find_board(const char *id)
1638 struct device_info *board = NULL;
1640 for (board = boards; board->id != NULL; board++)
1641 if (strcasecmp(id, board->id) == 0)
1647 static int add_flash_partition(
1648 struct flash_partition_entry *part_list,
1655 /* check if the list has a free entry */
1656 for (ptr = 0; ptr < max_entries; ptr++, part_list++) {
1657 if (part_list->name == NULL &&
1658 part_list->base == 0 &&
1659 part_list->size == 0)
1663 if (ptr == max_entries) {
1664 error(1, 0, "No free flash part entry available.");
1667 part_list->name = calloc(1, strlen(name) + 1);
1668 if (!part_list->name) {
1669 error(1, 0, "Unable to allocate memory");
1672 memcpy((char *)part_list->name, name, strlen(name));
1673 part_list->base = base;
1674 part_list->size = size;
1679 /** read the partition table into struct flash_partition_entry */
1680 static int read_partition_table(
1681 FILE *file, long offset,
1682 struct flash_partition_entry *entries, size_t max_entries,
1687 const char *parthdr = NULL;
1688 const char *fwuphdr = "fwup-ptn";
1689 const char *flashhdr = "partition";
1691 /* TODO: search for the partition table */
1701 error(1, 0, "Invalid partition table");
1704 if (fseek(file, offset, SEEK_SET) < 0)
1705 error(1, errno, "Can not seek in the firmware");
1707 if (fread(buf, 1, 2048, file) < 0)
1708 error(1, errno, "Can not read fwup-ptn from the firmware");
1712 /* look for the partition header */
1713 if (memcmp(buf, parthdr, strlen(parthdr)) != 0) {
1714 fprintf(stderr, "DEBUG: can not find fwuphdr\n");
1719 end = buf + sizeof(buf);
1720 while ((ptr + strlen(parthdr)) < end &&
1721 memcmp(ptr, parthdr, strlen(parthdr)) == 0) {
1725 char name[32] = { 0 };
1727 unsigned long base = 0;
1728 unsigned long size = 0;
1730 end_part = memchr(ptr, '\n', (end - ptr));
1731 if (end_part == NULL) {
1732 /* in theory this should never happen, because a partition always ends with 0x09, 0x0D, 0x0A */
1736 for (int i = 0; i <= 4; i++) {
1737 if (end_part <= ptr)
1740 end_element = memchr(ptr, 0x20, (end_part - ptr));
1741 if (end_element == NULL) {
1742 error(1, errno, "Ignoring the rest of the partition entries.");
1747 /* partition header */
1749 ptr = end_element + 1;
1753 name_len = (end_element - ptr) > 31 ? 31 : (end_element - ptr);
1754 strncpy(name, ptr, name_len);
1755 name[name_len] = '\0';
1756 ptr = end_element + 1;
1761 ptr = end_element + 1;
1766 base = strtoul(ptr, NULL, 16);
1767 ptr = end_element + 1;
1772 ptr = end_element + 1;
1773 /* actual size. The last element doesn't have a sepeartor */
1774 size = strtoul(ptr, NULL, 16);
1775 /* the part ends with 0x09, 0x0d, 0x0a */
1777 add_flash_partition(entries, max_entries, name, base, size);
1786 static void write_partition(
1788 size_t firmware_offset,
1789 struct flash_partition_entry *entry,
1795 fseek(input_file, entry->base + firmware_offset, SEEK_SET);
1797 for (offset = 0; sizeof(buf) + offset <= entry->size; offset += sizeof(buf)) {
1798 if (fread(buf, sizeof(buf), 1, input_file) < 0)
1799 error(1, errno, "Can not read partition from input_file");
1801 if (fwrite(buf, sizeof(buf), 1, output_file) < 0)
1802 error(1, errno, "Can not write partition to output_file");
1804 /* write last chunk smaller than buffer */
1805 if (offset < entry->size) {
1806 offset = entry->size - offset;
1807 if (fread(buf, offset, 1, input_file) < 0)
1808 error(1, errno, "Can not read partition from input_file");
1809 if (fwrite(buf, offset, 1, output_file) < 0)
1810 error(1, errno, "Can not write partition to output_file");
1814 static int extract_firmware_partition(FILE *input_file, size_t firmware_offset, struct flash_partition_entry *entry, const char *output_directory)
1817 char output[PATH_MAX];
1819 snprintf(output, PATH_MAX, "%s/%s", output_directory, entry->name);
1820 output_file = fopen(output, "wb+");
1821 if (output_file == NULL) {
1822 error(1, errno, "Can not open output file %s", output);
1825 write_partition(input_file, firmware_offset, entry, output_file);
1827 fclose(output_file);
1832 /** extract all partitions from the firmware file */
1833 static int extract_firmware(const char *input, const char *output_directory)
1835 struct flash_partition_entry entries[16] = { 0 };
1836 size_t max_entries = 16;
1837 size_t firmware_offset = 0x1014;
1840 struct stat statbuf;
1842 /* check input file */
1843 if (stat(input, &statbuf)) {
1844 error(1, errno, "Can not read input firmware %s", input);
1847 /* check if output directory exists */
1848 if (stat(output_directory, &statbuf)) {
1849 error(1, errno, "Failed to stat output directory %s", output_directory);
1852 if ((statbuf.st_mode & S_IFMT) != S_IFDIR) {
1853 error(1, errno, "Given output directory is not a directory %s", output_directory);
1856 input_file = fopen(input, "rb");
1858 if (read_partition_table(input_file, firmware_offset, entries, 16, 0) != 0) {
1859 error(1, 0, "Error can not read the partition table (fwup-ptn)");
1862 for (int i = 0; i < max_entries; i++) {
1863 if (entries[i].name == NULL &&
1864 entries[i].base == 0 &&
1865 entries[i].size == 0)
1868 extract_firmware_partition(input_file, firmware_offset, &entries[i], output_directory);
1874 static struct flash_partition_entry *find_partition(
1875 struct flash_partition_entry *entries, size_t max_entries,
1876 const char *name, const char *error_msg)
1878 for (int i = 0; i < max_entries; i++, entries++) {
1879 if (strcmp(entries->name, name) == 0)
1883 error(1, 0, "%s", error_msg);
1887 static void write_ff(FILE *output_file, size_t size)
1892 memset(buf, 0xff, sizeof(buf));
1894 for (offset = 0; offset + sizeof(buf) < size ; offset += sizeof(buf)) {
1895 if (fwrite(buf, sizeof(buf), 1, output_file) < 0)
1896 error(1, errno, "Can not write 0xff to output_file");
1899 /* write last chunk smaller than buffer */
1900 if (offset < size) {
1901 offset = size - offset;
1902 if (fwrite(buf, offset, 1, output_file) < 0)
1903 error(1, errno, "Can not write partition to output_file");
1907 static void convert_firmware(const char *input, const char *output)
1909 struct flash_partition_entry fwup[MAX_PARTITIONS] = { 0 };
1910 struct flash_partition_entry flash[MAX_PARTITIONS] = { 0 };
1911 struct flash_partition_entry *fwup_os_image = NULL, *fwup_file_system = NULL;
1912 struct flash_partition_entry *flash_os_image = NULL, *flash_file_system = NULL;
1913 struct flash_partition_entry *fwup_partition_table = NULL;
1914 size_t firmware_offset = 0x1014;
1915 FILE *input_file, *output_file;
1917 struct stat statbuf;
1919 /* check input file */
1920 if (stat(input, &statbuf)) {
1921 error(1, errno, "Can not read input firmware %s", input);
1924 input_file = fopen(input, "rb");
1926 error(1, 0, "Can not open input firmware %s", input);
1928 output_file = fopen(output, "wb");
1930 error(1, 0, "Can not open output firmware %s", output);
1932 if (read_partition_table(input_file, firmware_offset, fwup, MAX_PARTITIONS, 0) != 0) {
1933 error(1, 0, "Error can not read the partition table (fwup-ptn)");
1936 fwup_os_image = find_partition(fwup, MAX_PARTITIONS,
1937 "os-image", "Error can not find os-image partition (fwup)");
1938 fwup_file_system = find_partition(fwup, MAX_PARTITIONS,
1939 "file-system", "Error can not find file-system partition (fwup)");
1940 fwup_partition_table = find_partition(fwup, MAX_PARTITIONS,
1941 "partition-table", "Error can not find partition-table partition");
1943 /* the flash partition table has a 0x00000004 magic haeder */
1944 if (read_partition_table(input_file, firmware_offset + fwup_partition_table->base + 4, flash, MAX_PARTITIONS, 1) != 0)
1945 error(1, 0, "Error can not read the partition table (flash)");
1947 flash_os_image = find_partition(flash, MAX_PARTITIONS,
1948 "os-image", "Error can not find os-image partition (flash)");
1949 flash_file_system = find_partition(flash, MAX_PARTITIONS,
1950 "file-system", "Error can not find file-system partition (flash)");
1952 /* write os_image to 0x0 */
1953 write_partition(input_file, firmware_offset, fwup_os_image, output_file);
1954 write_ff(output_file, flash_os_image->size - fwup_os_image->size);
1956 /* write file-system behind os_image */
1957 fseek(output_file, flash_file_system->base - flash_os_image->base, SEEK_SET);
1958 write_partition(input_file, firmware_offset, fwup_file_system, output_file);
1959 write_ff(output_file, flash_file_system->size - fwup_file_system->size);
1961 fclose(output_file);
1965 int main(int argc, char *argv[]) {
1966 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
1967 const char *extract_image = NULL, *output_directory = NULL, *convert_image = NULL;
1968 bool add_jffs2_eof = false, sysupgrade = false;
1970 struct device_info *info;
1971 set_source_date_epoch();
1976 c = getopt(argc, argv, "B:k:r:o:V:jSh:x:d:z:");
1986 kernel_image = optarg;
1990 rootfs_image = optarg;
1998 sscanf(optarg, "r%u", &rev);
2002 add_jffs2_eof = true;
2014 output_directory = optarg;
2018 extract_image = optarg;
2022 convert_image = optarg;
2031 if (extract_image || output_directory) {
2033 error(1, 0, "No factory/oem image given via -x <file>. Output directory is only valid with -x");
2034 if (!output_directory)
2035 error(1, 0, "Can not extract an image without output directory. Use -d <dir>");
2036 extract_firmware(extract_image, output_directory);
2037 } else if (convert_image) {
2039 error(1, 0, "Can not convert a factory/oem image into sysupgrade image without output file. Use -o <file>");
2040 convert_firmware(convert_image, output);
2043 error(1, 0, "no board has been specified");
2045 error(1, 0, "no kernel image has been specified");
2047 error(1, 0, "no rootfs image has been specified");
2049 error(1, 0, "no output filename has been specified");
2051 info = find_board(board);
2054 error(1, 0, "unsupported board %s", board);
2056 build_image(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, info);