2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
53 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
56 /** An image partition table entry */
57 struct image_partition_entry {
63 /** A flash partition table entry */
64 struct flash_partition_entry {
72 const char *support_list;
74 const struct flash_partition_entry *partitions;
75 void *(*generate_sysupgrade_image)(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len);
78 /** The content of the soft-version structure */
79 struct __attribute__((__packed__)) soft_version {
83 uint8_t version_major;
84 uint8_t version_minor;
85 uint8_t version_patch;
95 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
101 Fortunately, TP-LINK seems to use the same salt for most devices which use
102 the new image format.
/*
 * NOTE(review): this salt is a fixed constant shipped with the tool, and
 * put_md5() hashes it together with the image body. Anyone holding this file
 * can recompute the digest for arbitrary content, so the salted MD5 serves as
 * a format/corruption check only and does not authenticate an image. Whether
 * the device verifies anything beyond this digest is not shown here.
 */
104 static const uint8_t md5_salt[16] = {
105 0x7a, 0x2b, 0x15, 0xed,
106 0x9b, 0x98, 0x59, 0x6d,
107 0xe5, 0x04, 0xab, 0x44,
108 0xac, 0x2a, 0x9f, 0x4e,
112 /** Vendor information for CPE210/220/510/520 */
113 static const char cpe510_vendor[] = "CPE510(TP-LINK|UN|N300-5):1.0\r\n";
115 /** Vendor information for C2600 */
116 static const char c2600_vendor[] = "";
118 /** Vendor information for EAP120 */
119 static const char eap120_vendor[] = "EAP120(TP-LINK|UN|N300-2):1.0\r\n";
122 The flash partition table for CPE210/220/510/520;
123 it is the same as the one used by the stock images.
/*
 * NOTE(review): entry order is load-bearing. generate_sysupgrade_image()
 * picks os-image, soft-version, support-list and file-system from indices
 * 5-8 of this table by position and cross-checks the names only with
 * assert(); add or reorder entries only together with those indices.
 */
125 static const struct flash_partition_entry cpe510_partitions[] = {
126 {"fs-uboot", 0x00000, 0x20000},
127 {"partition-table", 0x20000, 0x02000},
128 {"default-mac", 0x30000, 0x00020},
129 {"product-info", 0x31100, 0x00100},
130 {"signature", 0x32000, 0x00400},
131 {"os-image", 0x40000, 0x170000},
132 {"soft-version", 0x1b0000, 0x00100},
133 {"support-list", 0x1b1000, 0x00400},
134 {"file-system", 0x1c0000, 0x600000},
135 {"user-config", 0x7c0000, 0x10000},
136 {"default-config", 0x7d0000, 0x10000},
137 {"log", 0x7e0000, 0x10000},
138 {"radio", 0x7f0000, 0x10000},
143 The flash partition table for C2600;
144 it is the same as the one used by the stock images.
/*
 * NOTE(review): generate_sysupgrade_image_c2600() reads os-image and
 * file-system from indices 11 and 12 of this table by position; keep the
 * order in sync with that function.
 */
146 static const struct flash_partition_entry c2600_partitions[] = {
147 {"SBL1", 0x00000, 0x20000},
148 {"MIBIB", 0x20000, 0x20000},
149 {"SBL2", 0x40000, 0x20000},
150 {"SBL3", 0x60000, 0x30000},
151 {"DDRCONFIG", 0x90000, 0x10000},
152 {"SSD", 0xa0000, 0x10000},
153 {"TZ", 0xb0000, 0x30000},
154 {"RPM", 0xe0000, 0x20000},
155 {"fs-uboot", 0x100000, 0x70000},
156 {"uboot-env", 0x170000, 0x40000},
157 {"radio", 0x1b0000, 0x40000},
158 {"os-image", 0x1f0000, 0x200000},
159 {"file-system", 0x3f0000, 0x1b00000},
160 {"default-mac", 0x1ef0000, 0x00200},
161 {"pin", 0x1ef0200, 0x00200},
162 {"product-info", 0x1ef0400, 0x0fc00},
163 {"partition-table", 0x1f00000, 0x10000},
164 {"soft-version", 0x1f10000, 0x10000},
165 {"support-list", 0x1f20000, 0x10000},
166 {"profile", 0x1f30000, 0x10000},
167 {"default-config", 0x1f40000, 0x10000},
168 {"user-config", 0x1f50000, 0x40000},
169 {"qos-db", 0x1f90000, 0x40000},
170 {"usb-config", 0x1fd0000, 0x10000},
171 {"log", 0x1fe0000, 0x20000},
/*
 * Flash partition table referenced by e9_info. No description accompanies
 * it in this listing, and none of the sysupgrade generators shown indexes
 * into it.
 */
175 static const struct flash_partition_entry c5_partitions[] = {
176 {"fs-uboot", 0x00000, 0x40000},
177 {"os-image", 0x40000, 0x200000},
178 {"file-system", 0x240000, 0xc00000},
179 {"default-mac", 0xe40000, 0x00200},
180 {"pin", 0xe40200, 0x00200},
181 {"product-info", 0xe40400, 0x00200},
182 {"partition-table", 0xe50000, 0x10000},
183 {"soft-version", 0xe60000, 0x00200},
184 {"support-list", 0xe61000, 0x0f000},
185 {"profile", 0xe70000, 0x10000},
186 {"default-config", 0xe80000, 0x10000},
187 {"user-config", 0xe90000, 0x50000},
188 {"log", 0xee0000, 0x100000},
189 {"radio_bk", 0xfe0000, 0x10000},
190 {"radio", 0xff0000, 0x10000},
194 /** The flash partition table for EAP120;
195 it is the same as the one used by the stock images.
/*
 * NOTE(review): generate_sysupgrade_image_eap120() reads os-image and
 * file-system from indices 6 and 7 of this table by position; keep the
 * order in sync with that function.
 */
197 static const struct flash_partition_entry eap120_partitions[] = {
198 {"fs-uboot", 0x00000, 0x20000},
199 {"partition-table", 0x20000, 0x02000},
200 {"default-mac", 0x30000, 0x00020},
201 {"support-list", 0x31000, 0x00100},
202 {"product-info", 0x31100, 0x00100},
203 {"soft-version", 0x32000, 0x00100},
204 {"os-image", 0x40000, 0x180000},
205 {"file-system", 0x1c0000, 0x600000},
206 {"user-config", 0x7c0000, 0x10000},
207 {"backup-config", 0x7d0000, 0x10000},
208 {"log", 0x7e0000, 0x10000},
209 {"radio", 0x7f0000, 0x10000},
214 The support list for CPE210/220
216 static const char cpe210_support_list[] =
218 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
219 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
220 "CPE220(TP-LINK|UN|N300-2):1.0\r\n"
221 "CPE220(TP-LINK|UN|N300-2):1.1\r\n";
223 The support list for CPE210/220/510/520
/*
 * NOTE(review): the entries shown here name CPE510 and CPE520 only; the
 * CPE210/220 models have their own list in cpe210_support_list. Source
 * line 226 is absent from this listing.
 */
225 static const char cpe510_support_list[] =
227 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
228 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
229 "CPE520(TP-LINK|UN|N300-5):1.0\r\n"
230 "CPE520(TP-LINK|UN|N300-5):1.1\r\n";
233 The support list for C2600
235 static const char c2600_support_list[] =
237 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n";
239 static const char c9_support_list[] =
241 "{product_name:ArcherC9,"
243 "special_id:00000000}\n";
246 The support list for EAP120
248 static const char eap120_support_list[] =
250 "EAP120(TP-LINK|UN|N300-2):1.0\r\n";
252 #define error(_ret, _errno, _str, ...) \
254 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
261 /** Stores a uint32 as big endian */
262 static inline void put32(uint8_t *buf, uint32_t val) {
269 /** Allocates a new image partition */
/*
 * The entry is built from name, len and a fresh malloc(len) buffer; the name
 * pointer is stored as passed in, not copied.
 * NOTE(review): source line 272, between the allocation and the error()
 * call, is absent from this listing - presumably the NULL check on the
 * malloc() result; confirm against the full file.
 */
270 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
271 struct image_partition_entry entry = {name, len, malloc(len)};
273 error(1, errno, "malloc");
278 /** Frees an image partition */
279 static void free_image_partition(struct image_partition_entry entry) {
283 /** Generates the partition-table partition */
/*
 * Renders the flash layout p as text into a fixed 0x800-byte
 * "partition-table" partition: one "partition <name> base 0x... size 0x..."
 * line per entry, walking p until an entry with a NULL name, followed by
 * 0xff fill up to the end of the buffer.
 * NOTE(review): several source lines are absent from this listing (see the
 * gaps in the line numbers), among them whatever precedes the loop and the
 * condition that guards the overflow error().
 */
284 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
285 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
/* s is the write cursor, end marks one past the last byte of the partition. */
287 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
295 for (i = 0; p[i].name; i++) {
/* snprintf() returns int; stored in a size_t, a negative (error) return
 * would appear as a very large w. */
297 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
300 error(1, 0, "flash partition table overflow?");
/* Pad the unused tail with 0xff. */
307 memset(s, 0xff, end-s);
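/**
 * Generates a binary-coded decimal representation of an integer in the range [0, 99]
 *
 * The tens digit is placed in the high nibble and the ones digit in the low
 * nibble, e.g. 42 -> 0x42. Values above 99 are outside the contract: the
 * tens part no longer fits into a nibble and the result is not valid BCD.
 *
 * @param v  value to encode, expected to be within [0, 99]
 * @return the packed BCD byte
 */
static inline uint8_t bcd(uint8_t v) {
	return 0x10 * (v/10) + v%10;
}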
319 /** Generates the soft-version partition */
/*
 * Fills a struct soft_version with a magic value, a 0.0.0 version and the
 * current date in BCD.
 * NOTE(review): source lines are missing from this listing (gaps in the
 * numbering); how the rev parameter is stored is not visible here.
 * NOTE(review): the date comes from the wall clock in local time, so two
 * builds from identical inputs differ in this partition and therefore in the
 * image digest. Reproducible firmware builds would need a fixed timestamp
 * source (for example SOURCE_DATE_EPOCH); nothing of that kind appears in
 * the lines shown.
 */
320 static struct image_partition_entry make_soft_version(uint32_t rev) {
321 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
322 struct soft_version *s = (struct soft_version *)entry.data;
326 if (time(&t) == (time_t)(-1))
327 error(1, errno, "time");
/* NOTE(review): localtime() can return NULL; no check is visible before tm
 * is dereferenced below. */
329 struct tm *tm = localtime(&t);
/* Multi-byte fields are stored in network (big-endian) byte order. */
331 s->magic = htonl(0x0000000c);
335 s->version_major = 0;
336 s->version_minor = 0;
337 s->version_patch = 0;
/* tm_year counts from 1900: century and two-digit year go into separate BCD bytes. */
339 s->year_hi = bcd((1900+tm->tm_year)/100);
340 s->year_lo = bcd(tm->tm_year%100);
/* tm_mon is zero-based. */
341 s->month = bcd(tm->tm_mon+1);
342 s->day = bcd(tm->tm_mday);
/**
 * Generates the support-list partition
 *
 * Layout of the partition data: a 4-byte big-endian length of the list text,
 * 4 zero bytes, the list text itself (without its NUL terminator) and one
 * trailing byte taken from info->support_trail.
 *
 * @param info  device description providing support_list and support_trail
 * @return the freshly allocated "support-list" partition
 */
static struct image_partition_entry make_support_list(struct device_info *info) {
	const size_t list_len = strlen(info->support_list);
	/* 8 header bytes + list text + 1 trailing byte */
	struct image_partition_entry part = alloc_image_partition("support-list", list_len + 9);
	uint8_t *out = part.data;

	put32(out, list_len);
	memset(out + 4, 0, 4);
	memcpy(out + 8, info->support_list, list_len);
	out[8 + list_len] = info->support_trail;

	return part;
}
363 /** Creates a new image partition with an arbitrary name from a file */
/*
 * Sizes the partition from stat(), reads the whole file into it and, for the
 * jffs2 case, rounds the size up to a 0x10000 boundary, fills the gap with
 * 0xff and places jffs2_eof_mark in the last four bytes.
 * NOTE(review): source lines are missing from this listing (gaps in the
 * numbering), including the declaration of statbuf and the conditions
 * around the padding code - presumably tests of add_jffs2_eof.
 */
364 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof) {
/* NOTE(review): the size is taken by path here and the file is opened by
 * path further down, so the file can change in between. The read stays
 * within the allocation because both use st_size, but a file that shrinks
 * or grows yields an error or a silently truncated partition; fstat() on
 * the opened stream would close that window. */
367 if (stat(filename, &statbuf) < 0)
368 error(1, errno, "unable to stat file `%s'", filename);
/* st_size is converted to size_t without a range check. */
370 size_t len = statbuf.st_size;
373 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
375 struct image_partition_entry entry = alloc_image_partition(part_name, len);
377 FILE *file = fopen(filename, "rb");
379 error(1, errno, "unable to open file `%s'", filename);
/* One item of st_size bytes: a short read and an empty file (item size 0)
 * both make fread() return 0 and end in the error below. */
381 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
382 error(1, errno, "unable to read file `%s'", filename);
/* eof: first byte after the file content; end: one past the partition. */
385 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
387 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
388 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
398 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
400 Example image partition table:
402 fwup-ptn partition-table base 0x00800 size 0x00800
403 fwup-ptn os-image base 0x01000 size 0x113b45
404 fwup-ptn file-system base 0x114b45 size 0x1d0004
405 fwup-ptn support-list base 0x2e4b49 size 0x000d1
407 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
408 the end of the partition table is marked with a zero byte.
410 The firmware image must contain at least the partition-table and support-list partitions
411 to be accepted. There aren't any alignment constraints for the image partitions.
413 The partition-table partition contains the actual flash layout; partitions
414 from the image partition table are mapped to the corresponding flash partitions during
415 the firmware upgrade. The support-list partition contains a list of devices supported by
418 The base offsets in the firmware partition table are relative to the end
419 of the vendor information block, so the partition-table partition will
420 actually start at offset 0x1814 of the image.
422 I think partition-table must be the first partition in the firmware image.
/*
 * Writes the image partition table as text into the first 0x800 bytes of
 * buffer and copies each partition's data to buffer + base, with base
 * advancing by the partition size; parts is walked until an entry with a
 * NULL name.
 * NOTE(review): buffer's capacity is not passed in, so the memcpy() relies
 * on the caller having sized it for the sum of all partition sizes, as
 * generate_factory_image() does. Source lines are missing from this listing
 * (gaps in the numbering), including the initial value of base and the
 * condition guarding the overflow error().
 */
424 static void put_partitions(uint8_t *buffer, const struct image_partition_entry *parts) {
426 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
429 for (i = 0; parts[i].name; i++) {
430 memcpy(buffer + base, parts[i].data, parts[i].size);
432 size_t len = end-image_pt;
/* base and size are narrowed to unsigned for the %x conversions. */
433 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
436 error(1, 0, "image partition table overflow?");
440 base += parts[i].size;
/* Pad the rest of the table area with 0xff. */
445 memset(image_pt, 0xff, end-image_pt);
448 /** Generates and writes the image MD5 checksum */
/*
 * Hashes md5_salt followed by len bytes of buffer and stores the digest at
 * md5.
 * NOTE(review): with a constant salt known to anyone who has this file, the
 * digest detects corruption but provides no authenticity. len is an unsigned
 * int, while generate_factory_image() passes a size_t expression, which is
 * narrowed implicitly. The declaration and initialisation of ctx are not in
 * this listing.
 */
449 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
453 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
454 MD5_Update(&ctx, buffer, len);
455 MD5_Final(md5, &ctx);
460 Generates the firmware image in factory format
466 0000-0003 Image size (4 bytes, big endian)
467 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
468 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
469 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
470 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
471 1014-1813 Image partition table (2048 bytes, padded with 0xff)
472 1814-xxxx Firmware partitions
/*
 * Assembles the factory image: adds every partition size to *len, allocates
 * the buffer, writes the vendor block at 0x14, lets put_partitions() fill
 * the partition table and data from 0x1014 on, and finally stores the salted
 * MD5 of everything from 0x14 at offset 0x04.
 * NOTE(review): source lines are missing from this listing (gaps in the
 * numbering), including the starting value of *len, the malloc() failure
 * test and the code that stores the image size at offset 0.
 */
474 static void * generate_factory_image(const char *vendor, const struct image_partition_entry *parts, size_t *len) {
478 for (i = 0; parts[i].name; i++)
479 *len += parts[i].size;
481 uint8_t *image = malloc(*len);
483 error(1, errno, "malloc");
487 size_t vendor_len = strlen(vendor);
488 put32(image+0x14, vendor_len);
489 memcpy(image+0x18, vendor, vendor_len);
/* NOTE(review): 4092-vendor_len is unsigned and would wrap for a vendor
 * string longer than 4092 bytes; the vendor strings defined in this file
 * are short constants, but nothing here enforces the limit. */
490 memset(image+0x18+vendor_len, 0xff, 4092-vendor_len);
492 put_partitions(image + 0x1014, parts);
/* The digest covers everything after the MD5 field itself. */
493 put_md5(image+0x04, image+0x14, *len-0x14);
499 Generates the firmware image in sysupgrade format
501 This makes some assumptions about the provided flash and image partition tables and
502 should be generalized when TP-LINK starts building its safeloader into hardware with
503 different flash layouts.
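/**
 * Generates the sysupgrade image for the CPE210/220/510/520 flash layout.
 *
 * The image mirrors the flash contents from the start of the os-image
 * partition up to the end of the root filesystem: kernel at offset 0,
 * soft-version, support-list and file-system at their flash offsets relative
 * to os-image, and 0xff everywhere else.
 *
 * Both tables are indexed by position: flash_parts[5..8] must be os-image,
 * soft-version, support-list and file-system, and image_parts[1..4] must be
 * soft-version, support-list, os-image and file-system. The names are
 * cross-checked with assert(), which compiles away under NDEBUG.
 *
 * Every copied partition is checked against the size of its flash partition
 * before the buffer is filled, so an oversized soft-version or support-list
 * cannot spill into the neighbouring region of the image.
 *
 * @param flash_parts  flash partition table of the device
 * @param image_parts  image partitions as assembled by build_image()
 * @param len          receives the size of the returned buffer
 * @return malloc()ed image buffer of *len bytes
 */
static void * generate_sysupgrade_image(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len) {
	const struct flash_partition_entry *flash_os_image = &flash_parts[5];
	const struct flash_partition_entry *flash_soft_version = &flash_parts[6];
	const struct flash_partition_entry *flash_support_list = &flash_parts[7];
	const struct flash_partition_entry *flash_file_system = &flash_parts[8];

	const struct image_partition_entry *image_os_image = &image_parts[3];
	const struct image_partition_entry *image_soft_version = &image_parts[1];
	const struct image_partition_entry *image_support_list = &image_parts[2];
	const struct image_partition_entry *image_file_system = &image_parts[4];

	assert(strcmp(flash_os_image->name, "os-image") == 0);
	assert(strcmp(flash_soft_version->name, "soft-version") == 0);
	assert(strcmp(flash_support_list->name, "support-list") == 0);
	assert(strcmp(flash_file_system->name, "file-system") == 0);

	assert(strcmp(image_os_image->name, "os-image") == 0);
	assert(strcmp(image_soft_version->name, "soft-version") == 0);
	assert(strcmp(image_support_list->name, "support-list") == 0);
	assert(strcmp(image_file_system->name, "file-system") == 0);

	if (image_os_image->size > flash_os_image->size)
		error(1, 0, "kernel image too big (more than %u bytes)", (unsigned)flash_os_image->size);
	if (image_file_system->size > flash_file_system->size)
		error(1, 0, "rootfs image too big (more than %u bytes)", (unsigned)flash_file_system->size);

	/* The two small partitions are copied to fixed offsets as well; bound them like the large ones. */
	if (image_soft_version->size > flash_soft_version->size)
		error(1, 0, "soft-version too big (more than %u bytes)", (unsigned)flash_soft_version->size);
	if (image_support_list->size > flash_support_list->size)
		error(1, 0, "support list too big (more than %u bytes)", (unsigned)flash_support_list->size);

	*len = flash_file_system->base - flash_os_image->base + image_file_system->size;

	uint8_t *image = malloc(*len);
	if (!image)
		error(1, errno, "malloc");

	/* Unused space reads as erased flash. */
	memset(image, 0xff, *len);

	memcpy(image, image_os_image->data, image_os_image->size);
	memcpy(image + flash_soft_version->base - flash_os_image->base, image_soft_version->data, image_soft_version->size);
	memcpy(image + flash_support_list->base - flash_os_image->base, image_support_list->data, image_support_list->size);
	memcpy(image + flash_file_system->base - flash_os_image->base, image_file_system->data, image_file_system->size);

	return image;
}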
/**
 * Generates the sysupgrade image for the C2600 flash layout.
 *
 * The image starts with the kernel (os-image), is filled with 0xff up to the
 * distance between the os-image and file-system flash partitions, and ends
 * with the root filesystem. Only these two partitions are written.
 *
 * flash_parts is indexed by position (os-image at 11, file-system at 12) and
 * so is image_parts (os-image at 3, file-system at 4); the names are
 * cross-checked with assert(), which compiles away under NDEBUG.
 *
 * @param flash_parts  flash partition table of the device
 * @param image_parts  image partitions as assembled by build_image()
 * @param len          receives the size of the returned buffer
 * @return malloc()ed image buffer of *len bytes
 */
static void * generate_sysupgrade_image_c2600(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len) {
	const struct flash_partition_entry *flash_os_image = flash_parts + 11;
	const struct flash_partition_entry *flash_file_system = flash_parts + 12;

	const struct image_partition_entry *image_os_image = image_parts + 3;
	const struct image_partition_entry *image_file_system = image_parts + 4;

	uint8_t *image;
	uint8_t *rootfs_dst;

	assert(strcmp(flash_os_image->name, "os-image") == 0);
	assert(strcmp(flash_file_system->name, "file-system") == 0);

	assert(strcmp(image_os_image->name, "os-image") == 0);
	assert(strcmp(image_file_system->name, "file-system") == 0);

	/* Both payloads have to fit into their flash partitions. */
	if (image_os_image->size > flash_os_image->size)
		error(1, 0, "kernel image too big (more than %u bytes)", (unsigned)flash_os_image->size);
	if (image_file_system->size > flash_file_system->size)
		error(1, 0, "rootfs image too big (more than %u bytes)", (unsigned)flash_file_system->size);

	*len = flash_file_system->base - flash_os_image->base + image_file_system->size;

	image = malloc(*len);
	if (image == NULL)
		error(1, errno, "malloc");

	/* Gap between kernel and rootfs reads as erased flash. */
	memset(image, 0xff, *len);

	memcpy(image, image_os_image->data, image_os_image->size);

	rootfs_dst = image + flash_file_system->base - flash_os_image->base;
	memcpy(rootfs_dst, image_file_system->data, image_file_system->size);

	return image;
}
/**
 * Generates the sysupgrade image for the EAP120 flash layout.
 *
 * Kernel first, 0xff fill up to the flash distance between os-image and
 * file-system, then the root filesystem. No other partition is written.
 *
 * Positions are fixed: flash_parts[6] / flash_parts[7] and image_parts[3] /
 * image_parts[4] must be os-image / file-system. The names are verified
 * with assert() only, which compiles away under NDEBUG.
 *
 * @param flash_parts  flash partition table of the device
 * @param image_parts  image partitions as assembled by build_image()
 * @param len          receives the size of the returned buffer
 * @return malloc()ed image buffer of *len bytes
 */
static void *generate_sysupgrade_image_eap120(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len)
{
	const struct flash_partition_entry *flash_os_image = flash_parts + 6;
	const struct flash_partition_entry *flash_file_system = flash_parts + 7;

	const struct image_partition_entry *image_os_image = image_parts + 3;
	const struct image_partition_entry *image_file_system = image_parts + 4;

	uint8_t *image = NULL;

	assert(strcmp(flash_os_image->name, "os-image") == 0);
	assert(strcmp(flash_file_system->name, "file-system") == 0);

	assert(strcmp(image_os_image->name, "os-image") == 0);
	assert(strcmp(image_file_system->name, "file-system") == 0);

	/* Reject payloads that exceed their flash partitions. */
	if (image_os_image->size > flash_os_image->size)
		error(1, 0, "kernel image too big (more than %u bytes)", (unsigned)flash_os_image->size);
	if (image_file_system->size > flash_file_system->size)
		error(1, 0, "rootfs image too big (more than %u bytes)", (unsigned)flash_file_system->size);

	*len = flash_file_system->base - flash_os_image->base + image_file_system->size;

	image = malloc(*len);
	if (image == NULL)
		error(1, errno, "malloc");

	/* Start from an all-0xff buffer, then drop the two payloads in place. */
	memset(image, 0xff, *len);
	memcpy(image, image_os_image->data, image_os_image->size);
	memcpy(image + flash_file_system->base - flash_os_image->base, image_file_system->data, image_file_system->size);

	return image;
}
/*
 * Per-board descriptions: vendor block, support list with its trailing byte,
 * flash layout and the sysupgrade generator matching that layout.
 * cpe210_info and cpe510_info share the vendor string and partition table
 * and differ only in the support list.
 */
610 struct device_info cpe210_info = {
611 .vendor = cpe510_vendor,
612 .support_list = cpe210_support_list,
613 .support_trail = '\xff',
614 .partitions = cpe510_partitions,
615 .generate_sysupgrade_image = &generate_sysupgrade_image,
618 struct device_info cpe510_info = {
619 .vendor = cpe510_vendor,
620 .support_list = cpe510_support_list,
621 .support_trail = '\xff',
622 .partitions = cpe510_partitions,
623 .generate_sysupgrade_image = &generate_sysupgrade_image,
626 struct device_info c2600_info = {
627 .vendor = c2600_vendor,
628 .support_list = c2600_support_list,
629 .support_trail = '\x00',
630 .partitions = c2600_partitions,
631 .generate_sysupgrade_image = &generate_sysupgrade_image_c2600,
/*
 * NOTE(review): no .generate_sysupgrade_image initialiser is visible for
 * e9_info, unlike its siblings, which would leave the pointer NULL.
 * build_image() calls through that pointer for sysupgrade output, and no
 * NULL check is visible there, so the -S option with this board would
 * presumably end in a NULL function-pointer call rather than an error
 * message. Confirm against the full file and reject the combination
 * explicitly.
 */
634 struct device_info e9_info = {
635 .vendor = c2600_vendor,
636 .support_list = c9_support_list,
637 .support_trail = '\x00',
638 .partitions = c5_partitions,
641 struct device_info eap120_info = {
642 .vendor = eap120_vendor,
643 .support_list = eap120_support_list,
644 .support_trail = '\xff',
645 .partitions = eap120_partitions,
646 .generate_sysupgrade_image = &generate_sysupgrade_image_eap120,
/*
 * Builds the five image partitions, assembles either a sysupgrade or a
 * factory image from them and writes the result to output.
 * NOTE(review): source lines are missing from this listing (gaps in the
 * numbering), including three parameters, the branch that selects between
 * the two generators and the cleanup after the write.
 */
649 static void build_image(const char *output,
650 const char *kernel_image,
651 const char *rootfs_image,
655 struct device_info *info) {
/* Six zeroed slots, five filled below: parts[5].name stays NULL and ends
 * every loop that walks the array. */
656 struct image_partition_entry parts[6] = {};
/* The slot order is relied upon by the sysupgrade generators, which pick
 * partitions by index. */
658 parts[0] = make_partition_table(info->partitions);
659 parts[1] = make_soft_version(rev);
660 parts[2] = make_support_list(info);
661 parts[3] = read_file("os-image", kernel_image, false);
662 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
/* NOTE(review): called through a per-board function pointer; no NULL check
 * is visible, and e9_info does not appear to set the pointer. */
667 image = info->generate_sysupgrade_image(info->partitions, parts, &len);
669 image = generate_factory_image(info->vendor, parts, &len);
671 FILE *file = fopen(output, "wb");
673 error(1, errno, "unable to open output file");
/* NOTE(review): buffered write errors may only surface at fclose();
 * whether its result is checked is not visible in this listing. */
675 if (fwrite(image, len, 1, file) != 1)
676 error(1, 0, "unable to write output file");
683 for (i = 0; parts[i].name; i++)
684 free_image_partition(parts[i]);
688 static void usage(const char *argv0) {
690 "Usage: %s [OPTIONS...]\n"
693 " -B <board> create image for the board specified with <board>\n"
694 " -k <file> read kernel image from the file <file>\n"
695 " -r <file> read rootfs image from the file <file>\n"
696 " -o <file> write output to the file <file>\n"
697 " -V <rev> sets the revision number to <rev>\n"
698 " -j add jffs2 end-of-filesystem markers\n"
699 " -S create sysupgrade instead of factory image\n"
700 " -h show this help\n",
/*
 * Parses the command line, maps the board name to its device_info and calls
 * build_image().
 * NOTE(review): most of the option loop is missing from this listing (gaps
 * in the numbering); the comments below cover only the lines shown.
 */
706 int main(int argc, char *argv[]) {
707 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
708 bool add_jffs2_eof = false, sysupgrade = false;
710 struct device_info *info;
715 c = getopt(argc, argv, "B:k:r:o:V:jSh");
725 kernel_image = optarg;
729 rootfs_image = optarg;
/* NOTE(review): the sscanf() result is discarded. A -V value that does not
 * match "r<number>" leaves rev at its previous value (its declaration is
 * not in this listing), and trailing characters are accepted silently;
 * check the conversion count or parse with strtoul() and reject leftovers. */
737 sscanf(optarg, "r%u", &rev);
741 add_jffs2_eof = true;
759 error(1, 0, "no board has been specified");
761 error(1, 0, "no kernel image has been specified");
763 error(1, 0, "no rootfs image has been specified");
765 error(1, 0, "no output filename has been specified");
/* Board names are matched exactly, including case. */
767 if (strcmp(board, "CPE210") == 0)
769 else if (strcmp(board, "CPE510") == 0)
771 else if (strcmp(board, "C2600") == 0)
773 else if (strcmp(board, "EAP120") == 0)
775 else if (strcmp(board, "ARCHERC9") == 0)
778 error(1, 0, "unsupported board %s", board);
780 build_image(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, info);