2 * nmrpflash - Netgear Unbrick Utility
3 * Copyright (C) 2016 Joseph Lehner <joseph.c.lehner@gmail.com>
5 * nmrpflash is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, either version 3 of the License, or
8 * (at your option) any later version.
10 * nmrpflash is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with nmrpflash. If not, see <http://www.gnu.org/licenses/>.
29 #define NMRP_HDR_LEN 6
30 #define NMRP_OPT_HDR_LEN 4
31 #define NMRP_MIN_PKT_LEN (sizeof(struct eth_hdr) + NMRP_HDR_LEN)
33 #define ETH_P_NMRP 0x0912
36 #define PACKED __attribute__((__packed__))
39 #ifdef NMRPFLASH_WINDOWS
40 #define setenv(name, value, overwrite) SetEnvironmentVariable(name, value)
50 NMRP_C_KEEP_ALIVE_REQ = 6,
51 NMRP_C_KEEP_ALIVE_ACK = 7,
52 NMRP_C_TFTP_UL_REQ = 16
56 NMRP_O_MAGIC_NO = 0x0001,
57 NMRP_O_DEV_IP = 0x0002,
58 NMRP_O_DEV_REGION = 0x0004,
59 NMRP_O_FW_UP = 0x0101,
60 NMRP_O_ST_UP = 0x0102,
61 NMRP_O_FILE_NAME = 0x0181
83 static const char *msg_code_str(uint16_t code)
85 #define MSG_CODE(x) case NMRP_C_ ## x: return #x
94 MSG_CODE(KEEP_ALIVE_REQ);
95 MSG_CODE(KEEP_ALIVE_ACK);
96 MSG_CODE(TFTP_UL_REQ);
98 snprintf(buf, sizeof(buf), "%04x", ntohs(code));
104 static uint16_t to_region_code(const char *region)
106 #define REGION_CODE(r, c) if (!strcasecmp(region, r)) return htons(c)
107 REGION_CODE("NA", 0x0001);
108 REGION_CODE("WW", 0x0002);
109 REGION_CODE("GR", 0x0003);
110 REGION_CODE("PR", 0x0004);
111 REGION_CODE("RU", 0x0005);
112 REGION_CODE("BZ", 0x0006);
113 REGION_CODE("IN", 0x0007);
114 REGION_CODE("KO", 0x0008);
115 REGION_CODE("JP", 0x0009);
120 static void msg_dump(struct nmrp_msg *msg)
124 fprintf(stderr, "res=0x%04x, code=0x%02x, id=0x%02x, len=%u",
125 ntohs(msg->reserved), msg->code, msg->id, ntohs(msg->len));
127 rem = ntohs(msg->len) - NMRP_HDR_LEN;
128 fprintf(stderr, "%s\n", rem ? "" : " (no opts)");
131 static void *msg_opt(struct nmrp_msg *msg, uint16_t type, uint16_t* len)
133 struct nmrp_opt* opt = (struct nmrp_opt*)msg->opts;
134 size_t rem = ntohs(msg->len) - NMRP_HDR_LEN;
138 olen = ntohs(opt->len);
139 if (olen < NMRP_OPT_HDR_LEN || olen > rem) {
143 if (ntohs(opt->type) == type) {
157 static char *msg_filename(struct nmrp_msg *msg)
159 static char buf[256];
161 char *p = msg_opt(msg, NMRP_O_FILE_NAME, &len);
163 len = MIN(sizeof(buf) - 1, len);
172 static inline void msg_init(struct nmrp_msg *msg, uint16_t code)
174 memset(msg, 0, sizeof(*msg));
175 msg->len = htons(NMRP_HDR_LEN);
179 static char *msg_mkopt(struct nmrp_msg *msg, char *p, uint16_t type, const void *val, size_t len)
181 struct nmrp_opt* opt = (struct nmrp_opt*)p;
185 msg->len = ntohs(msg->len);
187 if ((msg->len + len > sizeof(*msg))) {
188 fprintf(stderr, "Error: invalid option - this is a bug\n");
192 opt->type = htons(type);
193 opt->len = NMRP_OPT_HDR_LEN + len;
196 memcpy(opt->val, val, len);
199 msg->len += opt->len;
202 msg->len = htons(msg->len);
203 opt->len = htons(opt->len);
208 static void msg_mkadvertise(struct nmrp_msg *msg, const char *magic)
210 msg_init(msg, NMRP_C_ADVERTISE);
211 msg_mkopt(msg, msg->opts, NMRP_O_MAGIC_NO, magic, strlen(magic));
214 static void msg_mkconfack(struct nmrp_msg *msg, uint32_t ipaddr, uint32_t ipmask, uint16_t region)
225 msg_init(msg, NMRP_C_CONF_ACK);
226 p = msg_mkopt(msg, msg->opts, NMRP_O_DEV_IP, &ip, 8);
227 p = msg_mkopt(msg, p, NMRP_O_FW_UP, NULL, 0);
229 #ifdef NMRPFLASH_SET_REGION
231 p = msg_mkopt(msg, p, NMRP_O_DEV_REGION, ®ion, 2);
236 #ifdef NMRPFLASH_FUZZ
237 #define NMRP_INITIAL_TIMEOUT 0
238 #define ethsock_create(a, b) ((struct ethsock*)1)
239 #define ethsock_get_hwaddr(a) ethsock_get_hwaddr_fake(a)
240 #define ethsock_recv(sock, buf, len) read(STDIN_FILENO, buf, len)
241 #define ethsock_send(a, b, c) (0)
242 #define ethsock_set_timeout(a, b) (0)
243 #define ethsock_ip_add(a, b, c, d) (0)
244 #define ethsock_ip_del(a, b) (0)
245 #define ethsock_close(a) (0)
246 #define tftp_put(a) (0)
248 static uint8_t *ethsock_get_hwaddr_fake(struct ethsock* sock)
250 static uint8_t hwaddr[6] = { 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa };
254 #define NMRP_INITIAL_TIMEOUT 60
257 static int pkt_send(struct ethsock *sock, struct nmrp_pkt *pkt)
259 return ethsock_send(sock, pkt, sizeof(*pkt));
262 static int pkt_recv(struct ethsock *sock, struct nmrp_pkt *pkt)
266 memset(pkt, 0, sizeof(*pkt));
267 bytes = ethsock_recv(sock, pkt, sizeof(*pkt));
272 } else if (bytes < NMRP_MIN_PKT_LEN) {
273 fprintf(stderr, "Short packet (%d bytes)\n", (int)bytes);
277 len = ntohs(pkt->msg.len) + sizeof(pkt->eh);
280 fprintf(stderr, "Short packet (expected %d, got %d).\n",
281 (int)len, (int)bytes);
283 } else if (bytes > sizeof(pkt->msg) + sizeof(pkt->eh)) {
284 fprintf(stderr, "Packet size exceeds maximum (got %d).\n",
291 static int mac_parse(const char *str, uint8_t *hwaddr)
296 sscanf(str, "%02x:%02x:%02x:%02x:%02x:%02x%n",
297 data, data + 1, data + 2, data + 3, data + 4, data + 5, &i);
299 if (i == strlen(str)) {
300 for (i = 0; i != 6; ++i) {
305 hwaddr[i] = data[i] & 0xff;
315 struct is_valid_ip_arg
317 struct in_addr *ipaddr;
318 struct in_addr *ipmask;
322 static int is_valid_ip_cb(struct ethsock_ip_callback_args *args)
324 #define SUBNET(x) ((x)->ipaddr->s_addr & (x)->ipmask->s_addr)
325 struct is_valid_ip_arg *arg = args->arg;
326 if (SUBNET(args) == SUBNET(arg)) {
327 arg->result = args->ipaddr->s_addr != arg->ipaddr->s_addr;
335 static int is_valid_ip(struct ethsock *sock, struct in_addr *ipaddr,
336 struct in_addr *ipmask)
339 struct is_valid_ip_arg arg = {
345 status = ethsock_for_each_ip(sock, is_valid_ip_cb, &arg);
346 return status < 0 ? status : arg.result;
349 static void sigh(int sig)
354 static const char *spinner = "\\|/-";
356 int nmrp_do(struct nmrpd_args *args)
358 struct nmrp_pkt tx, rx;
359 uint8_t *src, dest[6];
363 int i, status, ulreqs, expect, upload_ok, autoip;
364 struct ethsock *sock;
365 struct ethsock_ip_undo *ip_undo = NULL;
366 struct ethsock_arp_undo *arp_undo = NULL;
368 void (*sigh_orig)(int);
374 if (args->op != NMRP_UPLOAD_FW) {
375 fprintf(stderr, "Operation not implemented.\n");
379 if (!mac_parse(args->mac, dest)) {
380 fprintf(stderr, "Invalid MAC address '%s'.\n", args->mac);
384 ipconf.mask.s_addr = inet_addr(args->ipmask);
385 if (ipconf.mask.s_addr == INADDR_NONE
386 || netmask(bitcount(ipconf.mask.s_addr)) != ipconf.mask.s_addr) {
387 fprintf(stderr, "Invalid subnet mask '%s'.\n", args->ipmask);
393 /* The MAC of the device that was used to test this utility starts
394 * with a4:2b:8c, hence 164 (0xa4) and 183 (0x2b + 0x8c)
396 args->ipaddr = "10.164.183.252";
398 if (!args->ipaddr_intf) {
399 args->ipaddr_intf = "10.164.183.253";
401 } else if (args->ipaddr_intf) {
407 if ((ipconf.addr.s_addr = inet_addr(args->ipaddr)) == INADDR_NONE) {
408 fprintf(stderr, "Invalid IP address '%s'.\n", args->ipaddr);
412 if (args->ipaddr_intf && (intf_addr = inet_addr(args->ipaddr_intf)) == INADDR_NONE) {
413 fprintf(stderr, "Invalid IP address '%s'.\n", args->ipaddr_intf);
417 if (args->file_local && strcmp(args->file_local, "-") && access(args->file_local, R_OK) == -1) {
418 fprintf(stderr, "Error accessing file '%s'.\n", args->file_local);
422 if (args->file_remote) {
423 if (!tftp_is_valid_filename(args->file_remote)) {
424 fprintf(stderr, "Invalid remote filename '%s'.\n",
431 region = to_region_code(args->region);
433 fprintf(stderr, "Invalid region code '%s'.\n", args->region);
442 sock = ethsock_create(args->intf, ETH_P_NMRP);
447 sigh_orig = signal(SIGINT, sigh);
450 status = is_valid_ip(sock, &ipconf.addr, &ipconf.mask);
453 fprintf(stderr, "Address %s/%s cannot be used on interface %s.\n",
454 args->ipaddr, args->ipmask, args->intf);
460 printf("Adding %s to interface %s.\n", args->ipaddr_intf, args->intf);
463 if (ethsock_ip_add(sock, intf_addr, ipconf.mask.s_addr, &ip_undo) != 0) {
468 if (ethsock_set_timeout(sock, args->rx_timeout)) {
472 src = ethsock_get_hwaddr(sock);
477 memcpy(tx.eh.ether_shost, src, 6);
478 memcpy(tx.eh.ether_dhost, dest, 6);
479 tx.eh.ether_type = htons(ETH_P_NMRP);
481 msg_mkadvertise(&tx.msg, "NTGR");
485 beg = time_monotonic();
487 while (!g_interrupted) {
488 printf("\rAdvertising NMRP server on %s ... %c",
489 args->intf, spinner[i]);
493 if (pkt_send(sock, &tx) < 0) {
498 status = pkt_recv(sock, &rx);
499 if (status == 0 && memcmp(rx.eh.ether_dhost, src, 6) == 0) {
501 } else if (status == 1) {
504 /* because we don't want nmrpflash's exit status to be zero */
506 if ((time_monotonic() - beg) >= NMRP_INITIAL_TIMEOUT) {
507 printf("\nNo response after 60 seconds. Bailing out.\n");
515 expect = NMRP_C_CONF_REQ;
518 while (!g_interrupted) {
519 if (expect != NMRP_C_NONE && rx.msg.code != expect) {
520 fprintf(stderr, "Received %s while waiting for %s!\n",
521 msg_code_str(rx.msg.code), msg_code_str(expect));
524 msg_init(&tx.msg, NMRP_C_NONE);
528 switch (rx.msg.code) {
529 case NMRP_C_ADVERTISE:
530 printf("Received NMRP advertisement from %s.\n",
531 mac_to_str(rx.eh.ether_shost));
534 case NMRP_C_CONF_REQ:
535 msg_mkconfack(&tx.msg, ipconf.addr.s_addr, ipconf.mask.s_addr, region);
536 expect = NMRP_C_TFTP_UL_REQ;
538 printf("Received configuration request from %s.\n",
539 mac_to_str(rx.eh.ether_shost));
541 memcpy(tx.eh.ether_dhost, rx.eh.ether_shost, 6);
543 printf("Sending configuration: %s, netmask %s.\n",
544 args->ipaddr, args->ipmask);
546 if (ethsock_arp_add(sock, rx.eh.ether_shost, ipconf.addr.s_addr, &arp_undo) != 0) {
551 case NMRP_C_TFTP_UL_REQ:
554 printf("Bailing out after %d upload requests.\n",
556 tx.msg.code = NMRP_C_CLOSE_REQ;
561 printf("Ignoring extra upload request.\n");
563 ethsock_set_timeout(sock, args->ul_timeout);
564 tx.msg.code = NMRP_C_KEEP_ALIVE_REQ;
568 filename = msg_filename(&rx.msg);
570 if (!args->file_remote) {
571 args->file_remote = filename;
573 printf("Received upload request: filename '%s'.\n", filename);
574 } else if (!args->file_remote) {
575 args->file_remote = args->file_local;
576 printf("Received upload request with empty filename.\n");
582 printf("Executing '%s' ... \n", args->tftpcmd);
583 setenv("IP", inet_ntoa(ipconf.addr), 1);
584 setenv("PORT", lltostr(args->port, 10), 1);
585 setenv("MAC", mac_to_str(rx.eh.ether_shost), 1);
586 setenv("NETMASK", inet_ntoa(ipconf.mask), 1);
587 //setenv("FILENAME", args->file_remote ? args->file_remote : "", 1);
588 status = system(args->tftpcmd);
591 if (!status && args->file_local) {
593 status = is_valid_ip(sock, &ipconf.addr, &ipconf.mask);
596 } else if (!status) {
597 printf("IP address of %s has changed. Please assign a "
598 "static ip to the interface.\n", args->intf);
599 tx.msg.code = NMRP_C_CLOSE_REQ;
605 printf("Using remote filename '%s'.\n",
609 if (!strcmp(args->file_local, "-")) {
610 printf("Uploading from stdin ... ");
612 printf("Uploading %s ... ", leafname(args->file_local));
615 if (!(status = tftp_put(args))) {
622 printf("Waiting for remote to respond.\n");
624 ethsock_set_timeout(sock, args->ul_timeout);
625 tx.msg.code = NMRP_C_KEEP_ALIVE_REQ;
626 expect = NMRP_C_NONE;
627 } else if (status == -2) {
628 expect = NMRP_C_TFTP_UL_REQ;
634 case NMRP_C_KEEP_ALIVE_REQ:
635 tx.msg.code = NMRP_C_KEEP_ALIVE_ACK;
636 ethsock_set_timeout(sock, args->ul_timeout);
637 printf("Received keep-alive request.\n");
639 case NMRP_C_CLOSE_REQ:
640 tx.msg.code = NMRP_C_CLOSE_ACK;
642 case NMRP_C_CLOSE_ACK:
646 fprintf(stderr, "Unknown message code 0x%02x!\n",
651 if (tx.msg.code != NMRP_C_NONE) {
652 if (pkt_send(sock, &tx) < 0) {
657 if (tx.msg.code == NMRP_C_CLOSE_REQ) {
662 if (rx.msg.code == NMRP_C_CLOSE_REQ) {
663 printf("Remote finished. Closing connection.\n");
667 status = pkt_recv(sock, &rx);
670 fprintf(stderr, "Timeout while waiting for %s.\n",
671 msg_code_str(expect));
676 ethsock_set_timeout(sock, args->rx_timeout);
680 if (!g_interrupted) {
683 printf("Reboot your device now.\n");
685 printf("No upload request received.\n");
690 signal(SIGINT, sigh_orig);
691 ethsock_arp_del(sock, &arp_undo);
692 ethsock_ip_del(sock, &ip_undo);