2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
/*
 * Rounds x up to the next multiple of a. The mask form is only correct when a is a
 * power of two, and (x) + __a - 1 can wrap when x is close to the maximum of its type.
 * The one use visible in this file passes a file-derived length and 0x10000.
 * Relies on the GNU statement-expression and typeof extensions.
 */
53 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
56 /** An image partition table entry */
57 struct image_partition_entry {
63 /** A flash partition table entry */
64 struct flash_partition_entry {
71 /** The content of the soft-version structure */
72 struct __attribute__((__packed__)) soft_version {
76 uint8_t version_major;
77 uint8_t version_minor;
78 uint8_t version_patch;
88 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
94 Fortunately, TP-LINK seems to use the same salt for most devices which use
/*
 * NOTE(review): put_md5() hashes this fixed 16-byte salt followed by the image body.
 * The salt is a constant published in this source, so the resulting digest is a keyless
 * integrity check: it detects corruption, but it does not authenticate who built an image.
 */
97 static const uint8_t md5_salt[16] = {
98 0x7a, 0x2b, 0x15, 0xed,
99 0x9b, 0x98, 0x59, 0x6d,
100 0xe5, 0x04, 0xab, 0x44,
101 0xac, 0x2a, 0x9f, 0x4e,
105 /** Vendor information for CPE210/220/510/520 */
106 static const char cpe510_vendor[] = "CPE510(TP-LINK|UN|N300-5):1.0\r\n";
108 /** Vendor information for C2600 */
109 static const char c2600_vendor[] = "";
112 The flash partition table for CPE210/220/510/520;
113 it is the same as the one used by the stock images.
/*
 * Entries are presumably {name, base, size}: each base equals the previous base plus size
 * where partitions are contiguous, and make_partition_table() prints name, base, size.
 * NOTE(review): generate_sysupgrade_image() addresses entries 5..8 of this table by position
 * and confirms the names only with assert(), so any insertion or reordering here must be
 * mirrored there. Consumers walk the table until an entry whose name is NULL; that
 * terminating entry is not visible in this listing.
 */
115 static const struct flash_partition_entry cpe510_partitions[] = {
116 {"fs-uboot", 0x00000, 0x20000},
117 {"partition-table", 0x20000, 0x02000},
118 {"default-mac", 0x30000, 0x00020},
119 {"product-info", 0x31100, 0x00100},
120 {"signature", 0x32000, 0x00400},
121 {"os-image", 0x40000, 0x170000},
122 {"soft-version", 0x1b0000, 0x00100},
123 {"support-list", 0x1b1000, 0x00400},
124 {"file-system", 0x1c0000, 0x600000},
125 {"user-config", 0x7c0000, 0x10000},
126 {"default-config", 0x7d0000, 0x10000},
127 {"log", 0x7e0000, 0x10000},
128 {"radio", 0x7f0000, 0x10000},
133 The flash partition table for C2600;
134 it is the same as the one used by the stock images.
/*
 * Entries are presumably {name, base, size}, as printed by make_partition_table().
 * NOTE(review): generate_sysupgrade_image_c2600() takes "os-image" and "file-system" from
 * positions 11 and 12 of this table and confirms the names only with assert(); keep the two
 * in step when editing. The NULL-named terminating entry that the table walkers rely on is
 * not visible in this listing.
 */
136 static const struct flash_partition_entry c2600_partitions[] = {
137 {"SBL1", 0x00000, 0x20000},
138 {"MIBIB", 0x20000, 0x20000},
139 {"SBL2", 0x40000, 0x20000},
140 {"SBL3", 0x60000, 0x30000},
141 {"DDRCONFIG", 0x90000, 0x10000},
142 {"SSD", 0xa0000, 0x10000},
143 {"TZ", 0xb0000, 0x30000},
144 {"RPM", 0xe0000, 0x20000},
145 {"fs-uboot", 0x100000, 0x70000},
146 {"uboot-env", 0x170000, 0x40000},
147 {"radio", 0x1b0000, 0x40000},
148 {"os-image", 0x1f0000, 0x200000},
149 {"file-system", 0x3f0000, 0x1b00000},
150 {"default-mac", 0x1ef0000, 0x00200},
151 {"pin", 0x1ef0200, 0x00200},
152 {"product-info", 0x1ef0400, 0x0fc00},
153 {"partition-table", 0x1f00000, 0x10000},
154 {"soft-version", 0x1f10000, 0x10000},
155 {"support-list", 0x1f20000, 0x10000},
156 {"profile", 0x1f30000, 0x10000},
157 {"default-config", 0x1f40000, 0x10000},
158 {"user-config", 0x1f50000, 0x40000},
159 {"qos-db", 0x1f90000, 0x40000},
160 {"usb-config", 0x1fd0000, 0x10000},
161 {"log", 0x1fe0000, 0x20000},
166 The support list for CPE210/220
168 static const char cpe210_support_list[] =
170 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
171 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
172 "CPE220(TP-LINK|UN|N300-2):1.0\r\n"
173 "CPE220(TP-LINK|UN|N300-2):1.1\r\n";
175 The support list for CPE510/520
177 static const char cpe510_support_list[] =
179 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
180 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
181 "CPE520(TP-LINK|UN|N300-5):1.0\r\n"
182 "CPE520(TP-LINK|UN|N300-5):1.1\r\n";
185 The support list for C2600
187 static const char c2600_support_list[] =
189 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n";
/*
 * Prints a formatted message to stderr followed by ": <text>".
 * _str is pasted onto the literal ": %s\n" at preprocessing time, so it has to be a string
 * literal; a caller cannot hand a runtime string in as the format by accident.
 * Uses the GNU `## __VA_ARGS__` extension. How _ret and _errno are consumed is on lines
 * that are not visible in this listing.
 */
191 #define error(_ret, _errno, _str, ...) \
193 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
200 /** Stores a uint32 as big endian */
201 static inline void put32(uint8_t *buf, uint32_t val) {
208 /** Allocates a new image partition */
/*
 * Builds an entry from name (the pointer is stored, not copied), len and a fresh
 * malloc(len) buffer.
 * NOTE(review): the condition guarding the "malloc" error is not visible in this listing.
 * If it is a plain NULL test, a zero-length request (read_file() passes the file size
 * through) may be reported as an allocation failure, since malloc(0) is allowed to
 * return NULL.
 */
209 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
210 struct image_partition_entry entry = {name, len, malloc(len)};
212 error(1, errno, "malloc");
217 /** Frees an image partition */
218 static void free_image_partition(struct image_partition_entry entry) {
222 /** Generates the partition-table partition */
/*
 * Renders the flash layout as text: one "partition NAME base 0x... size 0x..." line per
 * entry of p, written into a fixed 0x800-byte partition. p is walked until an entry whose
 * name is NULL, and the bytes from s to the end of the buffer are then set to 0xff.
 */
223 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
224 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
226 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
234 for (i = 0; p[i].name; i++) {
/* NOTE(review): snprintf() returns int; held in a size_t, a negative (error) return becomes
 * a very large value. The comparison that guards the "overflow?" error below is not
 * visible in this listing -- confirm it rejects w >= len before s is advanced. */
236 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
239 error(1, 0, "flash partition table overflow?");
246 memset(s, 0xff, end-s);
252 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
/* Packs the tens digit into the high nibble and the ones digit into the low nibble.
 * Nothing here enforces the documented [0, 99] range: a larger v yields a high nibble that
 * is not a decimal digit, or wraps the 8-bit result. */
253 static inline uint8_t bcd(uint8_t v) {
254 return 0x10 * (v/10) + v%10;
258 /** Generates the soft-version partition */
/*
 * Fills a soft_version structure in place inside a freshly allocated partition: a
 * big-endian magic, a zeroed major/minor/patch triple and the current date in BCD.
 * How rev is stored is on lines that are not visible in this listing.
 */
259 static struct image_partition_entry make_soft_version(uint32_t rev) {
260 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
261 struct soft_version *s = (struct soft_version *)entry.data;
/* NOTE(review): the date is taken from the wall clock when the tool runs, so identical
 * inputs give different images (and different MD5 values) on different days or in
 * different time zones. Build pipelines that compare or reproduce firmware need a pinned
 * timestamp. */
265 if (time(&t) == (time_t)(-1))
266 error(1, errno, "time");
/* NOTE(review): localtime() can return NULL; no check is visible before tm is
 * dereferenced below. */
268 struct tm *tm = localtime(&t);
270 s->magic = htonl(0x0000000c);
274 s->version_major = 0;
275 s->version_minor = 0;
276 s->version_patch = 0;
/* tm_year counts from 1900, hence the split into century and two-digit year. */
278 s->year_hi = bcd((1900+tm->tm_year)/100);
279 s->year_lo = bcd(tm->tm_year%100);
280 s->month = bcd(tm->tm_mon+1);
281 s->day = bcd(tm->tm_mday);
289 /** Generates the support-list partition */
/*
 * Layout of the partition built here (len + 9 bytes in total):
 *   bytes 0..3      length of the list text, via put32()
 *   bytes 4..7      zero
 *   bytes 8..len+7  the list text, without its terminating NUL
 *   byte  len+8     0x00 when trailzero is set, otherwise 0xff
 * put32() takes a uint32_t, so len is narrowed on the way in.
 */
290 static struct image_partition_entry make_support_list(const char *support_list, bool trailzero) {
291 size_t len = strlen(support_list);
292 struct image_partition_entry entry = alloc_image_partition("support-list", len + 9);
294 put32(entry.data, len);
295 memset(entry.data+4, 0, 4);
296 memcpy(entry.data+8, support_list, len);
297 entry.data[len+8] = trailzero ? '\x00' : '\xff';
302 /** Creates a new image partition with an arbitrary name from a file */
/*
 * Loads filename into a new partition named part_name. With the jffs2 option the length is
 * rounded up to a 0x10000 boundary plus room for the 4-byte end-of-filesystem marker.
 *
 * NOTE(review): the size comes from stat() on the path and the data from a separate
 * fopen() of the same path. If the file is replaced or resized in between, the buffer is
 * sized for one file and filled from another: a shorter file fails the fread() below, while
 * a longer one is silently cut at the old size. Taking the size from the already-open
 * stream (fstat on its descriptor) closes that gap.
 */
303 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof) {
306 if (stat(filename, &statbuf) < 0)
307 error(1, errno, "unable to stat file `%s'", filename);
/* st_size is a signed off_t; it is converted to size_t here without a range check. */
309 size_t len = statbuf.st_size;
312 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
314 struct image_partition_entry entry = alloc_image_partition(part_name, len);
316 FILE *file = fopen(filename, "rb");
318 error(1, errno, "unable to open file `%s'", filename);
/* The whole file is requested as a single item, so an empty file (item size 0) makes
 * fread() return 0 and is reported as a read error. */
320 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
321 error(1, errno, "unable to read file `%s'", filename);
/* Pad from the end of the file data with 0xff and place the marker in the last four bytes
 * of the partition. The condition selecting this path is not visible in this listing;
 * presumably add_jffs2_eof. */
324 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
326 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
327 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
337 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
339 Example image partition table:
341 fwup-ptn partition-table base 0x00800 size 0x00800
342 fwup-ptn os-image base 0x01000 size 0x113b45
343 fwup-ptn file-system base 0x114b45 size 0x1d0004
344 fwup-ptn support-list base 0x2e4b49 size 0x000d1
346 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
347 the end of the partition table is marked with a zero byte.
349 The firmware image must contain at least the partition-table and support-list partitions
350 to be accepted. There aren't any alignment constraints for the image partitions.
352 The partition-table partition contains the actual flash layout; partitions
353 from the image partition table are mapped to the corresponding flash partitions during
354 the firmware upgrade. The support-list partition contains a list of devices supported by
357 The base offsets in the firmware partition table are relative to the end
358 of the vendor information block, so the partition-table partition will
359 actually start at offset 0x1814 of the image.
361 I think partition-table must be the first partition in the firmware image.
/*
 * NOTE(review): buffer carries no length. This function writes a 0x800-byte table at its
 * start and then every partition payload at a running offset, trusting the caller to have
 * allocated room for all of it (generate_factory_image() sizes the image by summing
 * parts[i].size). The initial value of base is on a line not visible in this listing.
 */
363 static void put_partitions(uint8_t *buffer, const struct image_partition_entry *parts) {
365 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
368 for (i = 0; parts[i].name; i++) {
369 memcpy(buffer + base, parts[i].data, parts[i].size);
371 size_t len = end-image_pt;
/* NOTE(review): snprintf() returns int; stored in a size_t, an error return becomes a
 * very large value. The (unsigned) casts narrow base and size to the width of unsigned
 * int for printing. The check guarding the "overflow?" error is not visible here. */
372 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
375 error(1, 0, "image partition table overflow?");
379 base += parts[i].size;
/* Remaining table bytes up to the 0x800 boundary are set to 0xff. */
384 memset(image_pt, 0xff, end-image_pt);
387 /** Generates and writes the image MD5 checksum */
/*
 * Writes MD5(md5_salt || buffer[0..len)) to md5.
 * NOTE(review): len is an unsigned int, while the caller visible in this file passes a
 * size_t expression, which is narrowed. The salt is a fixed constant in this source, so
 * the digest guards against corruption only; it is not evidence of the image's origin.
 */
388 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
392 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
393 MD5_Update(&ctx, buffer, len);
394 MD5_Final(md5, &ctx);
399 Generates the firmware image in factory format
405 0000-0003 Image size (4 bytes, big endian)
406 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
407 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
408 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
409 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
410 1014-1813 Image partition table (2048 bytes, padded with 0xff)
411 1814-xxxx Firmware partitions
/*
 * Assembles the factory image: *len accumulates the size of every partition in parts,
 * the vendor block is written at 0x14/0x18, the partition table and payloads start at
 * 0x1014, and the MD5 over everything from offset 0x14 is stored at offset 0x04.
 * The starting value of *len and the return statement are not visible in this listing.
 */
413 static void * generate_factory_image(const char *vendor, const struct image_partition_entry *parts, size_t *len) {
417 for (i = 0; parts[i].name; i++)
418 *len += parts[i].size;
420 uint8_t *image = malloc(*len);
422 error(1, errno, "malloc");
426 size_t vendor_len = strlen(vendor);
427 put32(image+0x14, vendor_len);
428 memcpy(image+0x18, vendor, vendor_len);
/* NOTE(review): 4092-vendor_len is unsigned arithmetic. A vendor string longer than 4092
 * bytes would wrap it to a huge count and the memcpy above would already overrun the
 * vendor block. Both callers visible in this file pass compile-time constants; a length
 * check belongs here before vendor is ever taken from input. */
429 memset(image+0x18+vendor_len, 0xff, 4092-vendor_len);
431 put_partitions(image + 0x1014, parts);
432 put_md5(image+0x04, image+0x14, *len-0x14);
438 Generates the firmware image in sysupgrade format
440 This makes some assumptions about the provided flash and image partition tables and
441 should be generalized when TP-LINK starts building its safeloader into hardware with
442 different flash layouts.
/*
 * Builds a sysupgrade image that mirrors flash from the start of "os-image" to the end of
 * the file-system payload: the kernel at offset 0, and soft-version, support-list and
 * file-system at their flash offsets relative to os-image, with gaps left as 0xff.
 */
444 static void * generate_sysupgrade_image(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len) {
/* Partitions are picked by fixed position in both tables. */
445 const struct flash_partition_entry *flash_os_image = &flash_parts[5];
446 const struct flash_partition_entry *flash_soft_version = &flash_parts[6];
447 const struct flash_partition_entry *flash_support_list = &flash_parts[7];
448 const struct flash_partition_entry *flash_file_system = &flash_parts[8];
450 const struct image_partition_entry *image_os_image = &image_parts[3];
451 const struct image_partition_entry *image_soft_version = &image_parts[1];
452 const struct image_partition_entry *image_support_list = &image_parts[2];
453 const struct image_partition_entry *image_file_system = &image_parts[4];
/* NOTE(review): these name checks are the only validation of the positions above, and
 * assert() compiles to nothing when NDEBUG is defined. In such a build a mismatched table
 * would be used silently, and the base subtractions below could wrap. */
455 assert(strcmp(flash_os_image->name, "os-image") == 0);
456 assert(strcmp(flash_soft_version->name, "soft-version") == 0);
457 assert(strcmp(flash_support_list->name, "support-list") == 0);
458 assert(strcmp(flash_file_system->name, "file-system") == 0);
460 assert(strcmp(image_os_image->name, "os-image") == 0);
461 assert(strcmp(image_soft_version->name, "soft-version") == 0);
462 assert(strcmp(image_support_list->name, "support-list") == 0);
463 assert(strcmp(image_file_system->name, "file-system") == 0);
/* NOTE(review): only the kernel and rootfs sizes are compared with their flash partitions.
 * soft-version and support-list are copied below without a size check against their flash
 * partition or the offset of the partition that follows. */
465 if (image_os_image->size > flash_os_image->size)
466 error(1, 0, "kernel image too big (more than %u bytes)", (unsigned)flash_os_image->size);
467 if (image_file_system->size > flash_file_system->size)
468 error(1, 0, "rootfs image too big (more than %u bytes)", (unsigned)flash_file_system->size);
470 *len = flash_file_system->base - flash_os_image->base + image_file_system->size;
472 uint8_t *image = malloc(*len);
474 error(1, errno, "malloc");
/* Unused space reads as erased flash (0xff). */
476 memset(image, 0xff, *len);
478 memcpy(image, image_os_image->data, image_os_image->size);
479 memcpy(image + flash_soft_version->base - flash_os_image->base, image_soft_version->data, image_soft_version->size);
480 memcpy(image + flash_support_list->base - flash_os_image->base, image_support_list->data, image_support_list->size);
481 memcpy(image + flash_file_system->base - flash_os_image->base, image_file_system->data, image_file_system->size);
/*
 * C2600 variant of the sysupgrade layout: only the kernel (at offset 0) and the
 * file-system (at its flash offset relative to os-image) are placed; the gap between them
 * is left as 0xff.
 */
486 static void * generate_sysupgrade_image_c2600(const struct flash_partition_entry *flash_parts, const struct image_partition_entry *image_parts, size_t *len) {
487 const struct flash_partition_entry *flash_os_image = &flash_parts[11];
488 const struct flash_partition_entry *flash_file_system = &flash_parts[12];
490 const struct image_partition_entry *image_os_image = &image_parts[3];
491 const struct image_partition_entry *image_file_system = &image_parts[4];
/* NOTE(review): the fixed positions above are validated only by assert(), which is
 * removed when NDEBUG is defined; a table change would then go unnoticed. */
493 assert(strcmp(flash_os_image->name, "os-image") == 0);
494 assert(strcmp(flash_file_system->name, "file-system") == 0);
496 assert(strcmp(image_os_image->name, "os-image") == 0);
497 assert(strcmp(image_file_system->name, "file-system") == 0);
499 if (image_os_image->size > flash_os_image->size)
500 error(1, 0, "kernel image too big (more than %u bytes)", (unsigned)flash_os_image->size);
501 if (image_file_system->size > flash_file_system->size)
502 error(1, 0, "rootfs image too big (more than %u bytes)", (unsigned)flash_file_system->size);
504 *len = flash_file_system->base - flash_os_image->base + image_file_system->size;
506 uint8_t *image = malloc(*len);
508 error(1, errno, "malloc");
510 memset(image, 0xff, *len);
512 memcpy(image, image_os_image->data, image_os_image->size);
513 memcpy(image + flash_file_system->base - flash_os_image->base, image_file_system->data, image_file_system->size);
518 /** Generates an image for CPE210/220/510/520 and writes it to a file */
/*
 * Builds the five image partitions in the order the sysupgrade generator expects
 * (partition-table, soft-version, support-list, os-image, file-system), generates either a
 * sysupgrade or a factory image and writes it to output. parts has six slots; the sixth
 * stays zeroed by the empty initializer and acts as the NULL-name terminator.
 * Some parameters and the branch choosing the image type are not visible in this listing.
 *
 * NOTE(review): output is opened with "wb", which truncates an existing file, and the image
 * is written in place. If error() terminates the program (its body is not visible here), a
 * failed write leaves a partial image at that path for later build steps to pick up.
 */
519 static void do_cpe(const char *output,
520 const char *kernel_image,
521 const char *rootfs_image,
525 const char *support_list) {
526 struct image_partition_entry parts[6] = {};
528 parts[0] = make_partition_table(cpe510_partitions);
529 parts[1] = make_soft_version(rev);
530 parts[2] = make_support_list(support_list, false);
531 parts[3] = read_file("os-image", kernel_image, false);
532 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
537 image = generate_sysupgrade_image(cpe510_partitions, parts, &len);
539 image = generate_factory_image(cpe510_vendor, parts, &len);
541 FILE *file = fopen(output, "wb");
543 error(1, errno, "unable to open output file");
545 if (fwrite(image, len, 1, file) != 1)
546 error(1, 0, "unable to write output file");
553 for (i = 0; parts[i].name; i++)
554 free_image_partition(parts[i]);
557 /** Generates an image for C2600 and writes it to a file */
/*
 * C2600 counterpart of do_cpe(): same partition order, the C2600 flash table and support
 * list (written with a trailing zero byte), and an empty vendor string for factory images.
 * The zeroed sixth slot of parts terminates the list. The branch choosing the image type
 * is not visible in this listing.
 *
 * NOTE(review): as in do_cpe(), the output file is truncated on open and written in place,
 * so a failed write can leave a partial image behind.
 */
558 static void do_c2600(const char *output, const char *kernel_image, const char *rootfs_image, uint32_t rev, bool add_jffs2_eof, bool sysupgrade) {
559 struct image_partition_entry parts[6] = {};
561 parts[0] = make_partition_table(c2600_partitions);
562 parts[1] = make_soft_version(rev);
563 parts[2] = make_support_list(c2600_support_list, true);
564 parts[3] = read_file("os-image", kernel_image, false);
565 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
570 image = generate_sysupgrade_image_c2600(c2600_partitions, parts, &len);
572 image = generate_factory_image(c2600_vendor, parts, &len);
574 FILE *file = fopen(output, "wb");
576 error(1, errno, "unable to open output file");
578 if (fwrite(image, len, 1, file) != 1)
579 error(1, 0, "unable to write output file");
586 for (i = 0; parts[i].name; i++)
587 free_image_partition(parts[i]);
592 static void usage(const char *argv0) {
594 "Usage: %s [OPTIONS...]\n"
597 " -B <board> create image for the board specified with <board>\n"
598 " -k <file> read kernel image from the file <file>\n"
599 " -r <file> read rootfs image from the file <file>\n"
600 " -o <file> write output to the file <file>\n"
601 " -V <rev> sets the revision number to <rev>\n"
602 " -j add jffs2 end-of-filesystem markers\n"
603 " -S create sysupgrade instead of factory image\n"
604 " -h show this help\n",
/*
 * Parses the command line (option string "B:k:r:o:V:jSh"), requires a board, kernel,
 * rootfs and output name, and dispatches on the board string to do_cpe() or do_c2600().
 * The kernel and rootfs paths are passed to read_file() as given; output is opened for
 * writing as given.
 */
610 int main(int argc, char *argv[]) {
611 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
612 bool add_jffs2_eof = false, sysupgrade = false;
618 c = getopt(argc, argv, "B:k:r:o:V:jSh");
628 kernel_image = optarg;
632 rootfs_image = optarg;
/* NOTE(review): the sscanf() result is ignored. A -V argument that is not "r" followed by
 * digits leaves rev at its previous value with no diagnostic, so a mistyped revision
 * ends up in the image unnoticed. Checking for a return of 1 would catch it. */
640 sscanf(optarg, "r%u", &rev);
644 add_jffs2_eof = true;
662 error(1, 0, "no board has been specified");
664 error(1, 0, "no kernel image has been specified");
666 error(1, 0, "no rootfs image has been specified");
668 error(1, 0, "no output filename has been specified");
/* Board names are matched exactly and case-sensitively; anything else is rejected. */
670 if (strcmp(board, "CPE210") == 0)
671 do_cpe(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, cpe210_support_list);
672 else if (strcmp(board, "CPE510") == 0)
673 do_cpe(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, cpe510_support_list);
674 else if (strcmp(board, "C2600") == 0)
675 do_c2600(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade);
677 error(1, 0, "unsupported board %s", board);