2 * nmrpflash - Netgear Unbrick Utility
3 * Copyright (C) 2016 Joseph Lehner <joseph.c.lehner@gmail.com>
5 * nmrpflash is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * nmrpflash is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with nmrpflash. If not, see <http://www.gnu.org/licenses/>.
29 #define NMRP_HDR_LEN 6
30 #define NMRP_OPT_HDR_LEN 4
31 #define NMRP_MIN_PKT_LEN (sizeof(struct eth_hdr) + NMRP_HDR_LEN)
33 #define ETH_P_NMRP 0x0912
36 #define PACKED __attribute__((__packed__))
39 #ifdef NMRPFLASH_WINDOWS
40 #define setenv(name, value, overwrite) SetEnvironmentVariable(name, value)
50 NMRP_C_KEEP_ALIVE_REQ = 6,
51 NMRP_C_KEEP_ALIVE_ACK = 7,
52 NMRP_C_TFTP_UL_REQ = 16
56 NMRP_O_MAGIC_NO = 0x0001,
57 NMRP_O_DEV_IP = 0x0002,
58 NMRP_O_DEV_REGION = 0x0004,
59 NMRP_O_FW_UP = 0x0101,
60 NMRP_O_ST_UP = 0x0102,
61 NMRP_O_FILE_NAME = 0x0181
83 static const char *msg_code_str(uint16_t code)
85 #define MSG_CODE(x) case NMRP_C_ ## x: return #x
94 MSG_CODE(KEEP_ALIVE_REQ);
95 MSG_CODE(KEEP_ALIVE_ACK);
96 MSG_CODE(TFTP_UL_REQ);
98 snprintf(buf, sizeof(buf), "%04x", ntohs(code));
104 static uint16_t to_region_code(const char *region)
106 #define REGION_CODE(r, c) if (!strcasecmp(region, r)) return htons(c)
107 REGION_CODE("NA", 0x0001);
108 REGION_CODE("WW", 0x0002);
109 REGION_CODE("GR", 0x0003);
110 REGION_CODE("PR", 0x0004);
111 REGION_CODE("RU", 0x0005);
112 REGION_CODE("BZ", 0x0006);
113 REGION_CODE("IN", 0x0007);
114 REGION_CODE("KO", 0x0008);
115 REGION_CODE("JP", 0x0009);
120 static void msg_dump(struct nmrp_msg *msg)
124 fprintf(stderr, "res=0x%04x, code=0x%02x, id=0x%02x, len=%u",
125 ntohs(msg->reserved), msg->code, msg->id, ntohs(msg->len));
127 rem = ntohs(msg->len) - NMRP_HDR_LEN;
128 fprintf(stderr, "%s\n", rem ? "" : " (no opts)");
131 static void *msg_opt(struct nmrp_msg *msg, uint16_t type, uint16_t* len)
133 struct nmrp_opt* opt = (struct nmrp_opt*)msg->opts;
134 size_t rem = ntohs(msg->len) - NMRP_HDR_LEN;
138 olen = ntohs(opt->len);
139 if (olen < NMRP_OPT_HDR_LEN || olen > rem) {
143 if (ntohs(opt->type) == type) {
151 opt = (struct nmrp_opt*)(((char *)opt) + olen);
158 static char *msg_filename(struct nmrp_msg *msg)
160 static char buf[256];
162 char *p = msg_opt(msg, NMRP_O_FILE_NAME, &len);
164 len = MIN(sizeof(buf) - 1, len);
173 static inline void msg_init(struct nmrp_msg *msg, uint16_t code)
175 memset(msg, 0, sizeof(*msg));
176 msg->len = htons(NMRP_HDR_LEN);
180 static char *msg_mkopt(struct nmrp_msg *msg, char *p, uint16_t type, const void *val, size_t len)
182 struct nmrp_opt* opt = (struct nmrp_opt*)p;
186 msg->len = ntohs(msg->len);
188 if ((msg->len + len > sizeof(*msg))) {
189 fprintf(stderr, "Error: invalid option - this is a bug\n");
193 opt->type = htons(type);
194 opt->len = NMRP_OPT_HDR_LEN + len;
197 memcpy(opt->val, val, len);
200 msg->len += opt->len;
203 msg->len = htons(msg->len);
204 opt->len = htons(opt->len);
209 static void msg_mkadvertise(struct nmrp_msg *msg, const char *magic)
211 msg_init(msg, NMRP_C_ADVERTISE);
212 msg_mkopt(msg, msg->opts, NMRP_O_MAGIC_NO, magic, strlen(magic));
215 static void msg_mkconfack(struct nmrp_msg *msg, uint32_t ipaddr, uint32_t ipmask, uint16_t region)
218 uint32_t ip[2] = { ipaddr, ipmask };
220 msg_init(msg, NMRP_C_CONF_ACK);
221 p = msg_mkopt(msg, msg->opts, NMRP_O_DEV_IP, &ip, 8);
222 p = msg_mkopt(msg, p, NMRP_O_FW_UP, NULL, 0);
224 #ifdef NMRPFLASH_SET_REGION
226 p = msg_mkopt(msg, p, NMRP_O_DEV_REGION, ®ion, 2);
231 #ifdef NMRPFLASH_FUZZ
232 #define NMRP_INITIAL_TIMEOUT 0
233 #define ethsock_create(a, b) ((struct ethsock*)1)
234 #define ethsock_get_hwaddr(a) ethsock_get_hwaddr_fake(a)
235 #define ethsock_recv(sock, buf, len) read(STDIN_FILENO, buf, len)
236 #define ethsock_send(a, b, c) (0)
237 #define ethsock_set_timeout(a, b) (0)
238 #define ethsock_arp_add(a, b, c, d) (0)
239 #define ethsock_arp_del(a, b) (0)
240 #define ethsock_ip_add(a, b, c, d) (0)
241 #define ethsock_ip_del(a, b) (0)
242 #define ethsock_close(a) (0)
243 #define tftp_put(a) (0)
245 static uint8_t *ethsock_get_hwaddr_fake(struct ethsock* sock)
247 static uint8_t hwaddr[6] = { 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa };
251 #define NMRP_INITIAL_TIMEOUT 60
254 static int pkt_send(struct ethsock *sock, struct nmrp_pkt *pkt)
256 return ethsock_send(sock, pkt, sizeof(*pkt));
259 static int pkt_recv(struct ethsock *sock, struct nmrp_pkt *pkt)
263 memset(pkt, 0, sizeof(*pkt));
264 bytes = ethsock_recv(sock, pkt, sizeof(*pkt));
271 mlen = ntohs(pkt->msg.len);
273 if (bytes < (mlen + sizeof(pkt->eh))
274 || bytes < NMRP_MIN_PKT_LEN
275 || mlen < NMRP_HDR_LEN) {
276 fprintf(stderr, "Short packet (%d raw, %d message)\n",
277 (int)bytes, (int)mlen);
279 } else if (mlen > sizeof(pkt->msg)) {
280 printf("Truncating %d byte message.\n", (int)mlen);
281 pkt->msg.len = htons(sizeof(pkt->msg));
287 static int mac_parse(const char *str, uint8_t *hwaddr)
292 sscanf(str, "%02x:%02x:%02x:%02x:%02x:%02x%n",
293 data, data + 1, data + 2, data + 3, data + 4, data + 5, &i);
295 if (i == strlen(str)) {
296 for (i = 0; i != 6; ++i) {
301 hwaddr[i] = data[i] & 0xff;
311 struct is_valid_ip_arg
313 struct in_addr *ipaddr;
314 struct in_addr *ipmask;
318 static int is_valid_ip_cb(struct ethsock_ip_callback_args *args)
320 #define SUBNET(x) ((x)->ipaddr->s_addr & (x)->ipmask->s_addr)
321 struct is_valid_ip_arg *arg = args->arg;
322 if (SUBNET(args) == SUBNET(arg)) {
323 arg->result = args->ipaddr->s_addr != arg->ipaddr->s_addr;
331 static int is_valid_ip(struct ethsock *sock, struct in_addr *ipaddr,
332 struct in_addr *ipmask)
335 struct is_valid_ip_arg arg = {
341 status = ethsock_for_each_ip(sock, is_valid_ip_cb, &arg);
342 return status < 0 ? status : arg.result;
345 static void sigh(int sig)
350 static const char *spinner = "\\|/-";
352 int nmrp_do(struct nmrpd_args *args)
354 struct nmrp_pkt tx, rx;
355 uint8_t *src, dest[6];
359 int i, timeout, status, ulreqs, expect, upload_ok, autoip, ka_reqs, fake;
360 struct ethsock *sock;
361 struct ethsock_ip_undo *ip_undo = NULL;
362 struct ethsock_arp_undo *arp_undo = NULL;
363 uint32_t intf_addr = 0;
364 void (*sigh_orig)(int);
365 struct in_addr ipaddr;
366 struct in_addr ipmask;
368 if (args->op != NMRP_UPLOAD_FW) {
369 fprintf(stderr, "Operation not implemented.\n");
373 if (!mac_parse(args->mac, dest)) {
374 fprintf(stderr, "Invalid MAC address '%s'.\n", args->mac);
378 ipmask.s_addr = inet_addr(args->ipmask);
379 if (ipmask.s_addr == INADDR_NONE
380 || netmask(bitcount(ipmask.s_addr)) != ipmask.s_addr) {
381 fprintf(stderr, "Invalid subnet mask '%s'.\n", args->ipmask);
387 /* A random IP address. The MAC of the first device that was
388 * used to test this utility starts with a4:2b:8c, so we use
389 * 164 (0xa4) and 183 (0x2b + 0x8c).
391 * These addresses should not cause collisions on most networks,
392 * and if they do, the user is probably "poweruser" enough to
393 * be able to use the -a and -A options.
395 args->ipaddr = "10.164.183.252";
397 if (!args->ipaddr_intf) {
398 args->ipaddr_intf = "10.164.183.253";
400 } else if (args->ipaddr_intf) {
406 if ((ipaddr.s_addr = inet_addr(args->ipaddr)) == INADDR_NONE) {
407 fprintf(stderr, "Invalid IP address '%s'.\n", args->ipaddr);
411 if (args->ipaddr_intf && (intf_addr = inet_addr(args->ipaddr_intf)) == INADDR_NONE) {
412 fprintf(stderr, "Invalid IP address '%s'.\n", args->ipaddr_intf);
416 if (args->file_local && strcmp(args->file_local, "-") && access(args->file_local, R_OK) == -1) {
417 fprintf(stderr, "Error accessing file '%s'.\n", args->file_local);
421 if (args->file_remote) {
422 if (!tftp_is_valid_filename(args->file_remote)) {
423 fprintf(stderr, "Invalid remote filename '%s'.\n",
430 region = to_region_code(args->region);
432 fprintf(stderr, "Invalid region code '%s'.\n", args->region);
441 sock = ethsock_create(args->intf, ETH_P_NMRP);
446 sigh_orig = signal(SIGINT, sigh);
449 status = is_valid_ip(sock, &ipaddr, &ipmask);
452 fprintf(stderr, "Address %s/%s cannot be used on interface %s.\n",
453 args->ipaddr, args->ipmask, args->intf);
459 printf("Adding %s to interface %s.\n", args->ipaddr_intf, args->intf);
462 if (ethsock_ip_add(sock, intf_addr, ipmask.s_addr, &ip_undo) != 0) {
467 if (ethsock_set_timeout(sock, args->rx_timeout)) {
471 src = ethsock_get_hwaddr(sock);
476 memcpy(tx.eh.ether_shost, src, 6);
477 memcpy(tx.eh.ether_dhost, dest, 6);
478 tx.eh.ether_type = htons(ETH_P_NMRP);
480 msg_mkadvertise(&tx.msg, "NTGR");
485 timeout = args->blind ? 10 : NMRP_INITIAL_TIMEOUT;
486 beg = time_monotonic();
488 while (!g_interrupted) {
489 printf("\rAdvertising NMRP server on %s ... %c",
490 args->intf, spinner[i]);
494 if (pkt_send(sock, &tx) < 0) {
498 status = pkt_recv(sock, &rx);
500 if (memcmp(rx.eh.ether_dhost, src, 6) == 0) {
502 } else if (verbosity) {
503 printf("\nIgnoring bogus response: %s -> %s.\n",
504 mac_to_str(rx.eh.ether_shost),
505 mac_to_str(rx.eh.ether_dhost));
507 } else if (status == 1) {
510 /* because we don't want nmrpflash's exit status to be zero */
512 if ((time_monotonic() - beg) >= timeout) {
513 printf("\nNo response after %d seconds. ", timeout);
515 printf("Bailing out.\n");
518 // we're blind, so fake a response from the MAC specified by -m
519 memcpy(rx.eh.ether_shost, dest, 6);
520 msg_init(&rx.msg, NMRP_C_CONF_REQ);
521 printf("Continuing blindly.");
531 memcpy(tx.eh.ether_dhost, rx.eh.ether_shost, 6);
533 if (ethsock_arp_add(sock, rx.eh.ether_shost, ipaddr.s_addr, &arp_undo) != 0) {
537 expect = NMRP_C_CONF_REQ;
541 while (!g_interrupted) {
542 if (expect != NMRP_C_NONE && rx.msg.code != expect) {
543 fprintf(stderr, "Received %s while waiting for %s!\n",
544 msg_code_str(rx.msg.code), msg_code_str(expect));
547 msg_init(&tx.msg, NMRP_C_NONE);
551 switch (rx.msg.code) {
552 case NMRP_C_ADVERTISE:
553 printf("Received NMRP advertisement from %s.\n",
554 mac_to_str(rx.eh.ether_shost));
557 case NMRP_C_CONF_REQ:
558 msg_mkconfack(&tx.msg, ipaddr.s_addr, ipmask.s_addr, region);
559 expect = NMRP_C_TFTP_UL_REQ;
562 printf("Received configuration request from %s.\n",
563 mac_to_str(rx.eh.ether_shost));
566 printf("Sending configuration: %s/%d.\n",
567 args->ipaddr, bitcount(ipmask.s_addr));
570 case NMRP_C_TFTP_UL_REQ:
573 printf("Bailing out after %d upload requests.\n",
575 tx.msg.code = NMRP_C_CLOSE_REQ;
580 printf("Ignoring extra upload request.\n");
582 ethsock_set_timeout(sock, args->ul_timeout);
583 tx.msg.code = NMRP_C_KEEP_ALIVE_REQ;
587 filename = msg_filename(&rx.msg);
589 if (!args->file_remote) {
590 args->file_remote = filename;
592 printf("Received upload request: filename '%s'.\n", filename);
593 } else if (!args->file_remote) {
594 args->file_remote = leafname(args->file_local);
596 printf("Received upload request without filename.\n");
603 printf("Executing '%s' ... \n", args->tftpcmd);
604 setenv("IP", inet_ntoa(ipaddr), 1);
605 setenv("PORT", lltostr(args->port, 10), 1);
606 setenv("MAC", mac_to_str(rx.eh.ether_shost), 1);
607 setenv("NETMASK", inet_ntoa(ipmask), 1);
608 //setenv("FILENAME", args->file_remote ? args->file_remote : "", 1);
609 status = system(args->tftpcmd);
612 if (!status && args->file_local) {
614 status = is_valid_ip(sock, &ipaddr, &ipmask);
617 } else if (!status) {
618 printf("IP address of %s has changed. Please assign a "
619 "static ip to the interface.\n", args->intf);
620 tx.msg.code = NMRP_C_CLOSE_REQ;
626 printf("Using remote filename '%s'.\n",
630 if (!strcmp(args->file_local, "-")) {
631 printf("Uploading from stdin ... ");
633 printf("Uploading %s ... ", leafname(args->file_local));
636 if (!(status = tftp_put(args))) {
647 printf("Waiting for remote to respond.\n");
649 ethsock_set_timeout(sock, args->ul_timeout);
650 tx.msg.code = NMRP_C_KEEP_ALIVE_REQ;
651 expect = NMRP_C_NONE;
652 } else if (status == -2) {
653 expect = NMRP_C_TFTP_UL_REQ;
659 case NMRP_C_KEEP_ALIVE_REQ:
660 tx.msg.code = NMRP_C_KEEP_ALIVE_ACK;
661 ethsock_set_timeout(sock, args->ul_timeout);
662 printf("\rReceived keep-alive request (%d). ", ++ka_reqs);
664 case NMRP_C_CLOSE_REQ:
665 tx.msg.code = NMRP_C_CLOSE_ACK;
667 case NMRP_C_CLOSE_ACK:
671 fprintf(stderr, "Unknown message code 0x%02x!\n",
676 if (tx.msg.code != NMRP_C_NONE) {
677 if (pkt_send(sock, &tx) != 0 || tx.msg.code == NMRP_C_CLOSE_REQ) {
682 if (rx.msg.code == NMRP_C_CLOSE_REQ) {
687 printf("Remote finished. Closing connection.\n");
691 status = pkt_recv(sock, &rx);
695 fprintf(stderr, "Timeout while waiting for %s.\n",
696 msg_code_str(expect));
701 msg_init(&rx.msg, expect);
702 memcpy(rx.eh.ether_shost, tx.eh.ether_dhost, 6);
711 ethsock_set_timeout(sock, args->rx_timeout);
715 if (!g_interrupted) {
718 printf("Reboot your device now.\n");
720 printf("No upload request received.\n");
725 signal(SIGINT, sigh_orig);
726 ethsock_arp_del(sock, &arp_undo);
727 ethsock_ip_del(sock, &ip_undo);
projects / oweals / nmrpflash.git / blob