2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
53 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
56 #define MAX_PARTITIONS 32
58 /** An image partition table entry */
59 struct image_partition_entry {
65 /** A flash partition table entry */
66 struct flash_partition_entry {
72 /** Firmware layout description */
76 const char *support_list;
79 const struct flash_partition_entry partitions[MAX_PARTITIONS+1];
80 const char *first_sysupgrade_partition;
81 const char *last_sysupgrade_partition;
84 /** The content of the soft-version structure */
85 struct __attribute__((__packed__)) soft_version {
89 uint8_t version_major;
90 uint8_t version_minor;
91 uint8_t version_patch;
101 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
105 Salt for the MD5 hash
107 Fortunately, TP-LINK seems to use the same salt for most devices which use
108 the new image format.
110 static const uint8_t md5_salt[16] = {
111 0x7a, 0x2b, 0x15, 0xed,
112 0x9b, 0x98, 0x59, 0x6d,
113 0xe5, 0x04, 0xab, 0x44,
114 0xac, 0x2a, 0x9f, 0x4e,
118 /** Firmware layout table */
119 static struct device_info boards[] = {
120 /** Firmware layout for the CPE210/220 */
123 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
126 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
127 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
128 "CPE210(TP-LINK|US|N300-2):1.1\r\n"
129 "CPE210(TP-LINK|EU|N300-2):1.1\r\n"
130 "CPE220(TP-LINK|UN|N300-2):1.1\r\n"
131 "CPE220(TP-LINK|US|N300-2):1.1\r\n"
132 "CPE220(TP-LINK|EU|N300-2):1.1\r\n",
133 .support_trail = '\xff',
137 {"fs-uboot", 0x00000, 0x20000},
138 {"partition-table", 0x20000, 0x02000},
139 {"default-mac", 0x30000, 0x00020},
140 {"product-info", 0x31100, 0x00100},
141 {"signature", 0x32000, 0x00400},
142 {"os-image", 0x40000, 0x170000},
143 {"soft-version", 0x1b0000, 0x00100},
144 {"support-list", 0x1b1000, 0x00400},
145 {"file-system", 0x1c0000, 0x600000},
146 {"user-config", 0x7c0000, 0x10000},
147 {"default-config", 0x7d0000, 0x10000},
148 {"log", 0x7e0000, 0x10000},
149 {"radio", 0x7f0000, 0x10000},
153 .first_sysupgrade_partition = "os-image",
154 .last_sysupgrade_partition = "file-system",
157 /** Firmware layout for the CPE510/520 */
160 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
163 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
164 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
165 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
166 "CPE510(TP-LINK|US|N300-5):1.1\r\n"
167 "CPE510(TP-LINK|EU|N300-5):1.1\r\n"
168 "CPE520(TP-LINK|UN|N300-5):1.1\r\n"
169 "CPE520(TP-LINK|US|N300-5):1.1\r\n"
170 "CPE520(TP-LINK|EU|N300-5):1.1\r\n",
171 .support_trail = '\xff',
175 {"fs-uboot", 0x00000, 0x20000},
176 {"partition-table", 0x20000, 0x02000},
177 {"default-mac", 0x30000, 0x00020},
178 {"product-info", 0x31100, 0x00100},
179 {"signature", 0x32000, 0x00400},
180 {"os-image", 0x40000, 0x170000},
181 {"soft-version", 0x1b0000, 0x00100},
182 {"support-list", 0x1b1000, 0x00400},
183 {"file-system", 0x1c0000, 0x600000},
184 {"user-config", 0x7c0000, 0x10000},
185 {"default-config", 0x7d0000, 0x10000},
186 {"log", 0x7e0000, 0x10000},
187 {"radio", 0x7f0000, 0x10000},
191 .first_sysupgrade_partition = "os-image",
192 .last_sysupgrade_partition = "file-system",
197 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
200 "WBS210(TP-LINK|UN|N300-2):1.20\r\n"
201 "WBS210(TP-LINK|US|N300-2):1.20\r\n"
202 "WBS210(TP-LINK|EU|N300-2):1.20\r\n",
203 .support_trail = '\xff',
207 {"fs-uboot", 0x00000, 0x20000},
208 {"partition-table", 0x20000, 0x02000},
209 {"default-mac", 0x30000, 0x00020},
210 {"product-info", 0x31100, 0x00100},
211 {"signature", 0x32000, 0x00400},
212 {"os-image", 0x40000, 0x170000},
213 {"soft-version", 0x1b0000, 0x00100},
214 {"support-list", 0x1b1000, 0x00400},
215 {"file-system", 0x1c0000, 0x600000},
216 {"user-config", 0x7c0000, 0x10000},
217 {"default-config", 0x7d0000, 0x10000},
218 {"log", 0x7e0000, 0x10000},
219 {"radio", 0x7f0000, 0x10000},
223 .first_sysupgrade_partition = "os-image",
224 .last_sysupgrade_partition = "file-system",
229 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
232 "WBS510(TP-LINK|UN|N300-5):1.20\r\n"
233 "WBS510(TP-LINK|US|N300-5):1.20\r\n"
234 "WBS510(TP-LINK|EU|N300-5):1.20\r\n",
235 .support_trail = '\xff',
239 {"fs-uboot", 0x00000, 0x20000},
240 {"partition-table", 0x20000, 0x02000},
241 {"default-mac", 0x30000, 0x00020},
242 {"product-info", 0x31100, 0x00100},
243 {"signature", 0x32000, 0x00400},
244 {"os-image", 0x40000, 0x170000},
245 {"soft-version", 0x1b0000, 0x00100},
246 {"support-list", 0x1b1000, 0x00400},
247 {"file-system", 0x1c0000, 0x600000},
248 {"user-config", 0x7c0000, 0x10000},
249 {"default-config", 0x7d0000, 0x10000},
250 {"log", 0x7e0000, 0x10000},
251 {"radio", 0x7f0000, 0x10000},
255 .first_sysupgrade_partition = "os-image",
256 .last_sysupgrade_partition = "file-system",
259 /** Firmware layout for the C2600 */
265 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n",
266 .support_trail = '\x00',
270 {"SBL1", 0x00000, 0x20000},
271 {"MIBIB", 0x20000, 0x20000},
272 {"SBL2", 0x40000, 0x20000},
273 {"SBL3", 0x60000, 0x30000},
274 {"DDRCONFIG", 0x90000, 0x10000},
275 {"SSD", 0xa0000, 0x10000},
276 {"TZ", 0xb0000, 0x30000},
277 {"RPM", 0xe0000, 0x20000},
278 {"fs-uboot", 0x100000, 0x70000},
279 {"uboot-env", 0x170000, 0x40000},
280 {"radio", 0x1b0000, 0x40000},
281 {"os-image", 0x1f0000, 0x200000},
282 {"file-system", 0x3f0000, 0x1b00000},
283 {"default-mac", 0x1ef0000, 0x00200},
284 {"pin", 0x1ef0200, 0x00200},
285 {"product-info", 0x1ef0400, 0x0fc00},
286 {"partition-table", 0x1f00000, 0x10000},
287 {"soft-version", 0x1f10000, 0x10000},
288 {"support-list", 0x1f20000, 0x10000},
289 {"profile", 0x1f30000, 0x10000},
290 {"default-config", 0x1f40000, 0x10000},
291 {"user-config", 0x1f50000, 0x40000},
292 {"qos-db", 0x1f90000, 0x40000},
293 {"usb-config", 0x1fd0000, 0x10000},
294 {"log", 0x1fe0000, 0x20000},
298 .first_sysupgrade_partition = "os-image",
299 .last_sysupgrade_partition = "file-system"
302 /** Firmware layout for the C25v1 */
304 .id = "ARCHER-C25-V1",
307 "{product_name:ArcherC25,product_ver:1.0.0,special_id:00000000}\n"
308 "{product_name:ArcherC25,product_ver:1.0.0,special_id:55530000}\n"
309 "{product_name:ArcherC25,product_ver:1.0.0,special_id:45550000}\n",
310 .support_trail = '\x00',
311 .soft_ver = "soft_ver:1.0.0\n",
314 We use a bigger os-image partition than the stock images (and thus
315 smaller file-system), as our kernel doesn't fit in the stock firmware's
319 {"factory-boot", 0x00000, 0x20000},
320 {"fs-uboot", 0x20000, 0x10000},
321 {"os-image", 0x30000, 0x180000}, /* Stock: base 0x30000 size 0x100000 */
322 {"file-system", 0x1b0000, 0x620000}, /* Stock: base 0x130000 size 0x6a0000 */
323 {"user-config", 0x7d0000, 0x04000},
324 {"default-mac", 0x7e0000, 0x00100},
325 {"device-id", 0x7e0100, 0x00100},
326 {"extra-para", 0x7e0200, 0x00100},
327 {"pin", 0x7e0300, 0x00100},
328 {"support-list", 0x7e0400, 0x00400},
329 {"soft-version", 0x7e0800, 0x00400},
330 {"product-info", 0x7e0c00, 0x01400},
331 {"partition-table", 0x7e2000, 0x01000},
332 {"profile", 0x7e3000, 0x01000},
333 {"default-config", 0x7e4000, 0x04000},
334 {"merge-config", 0x7ec000, 0x02000},
335 {"qos-db", 0x7ee000, 0x02000},
336 {"radio", 0x7f0000, 0x10000},
340 .first_sysupgrade_partition = "os-image",
341 .last_sysupgrade_partition = "file-system",
344 /** Firmware layout for the C59v1 */
346 .id = "ARCHER-C59-V1",
350 "{product_name:Archer C59,product_ver:1.0.0,special_id:00000000}\r\n"
351 "{product_name:Archer C59,product_ver:1.0.0,special_id:45550000}\r\n"
352 "{product_name:Archer C59,product_ver:1.0.0,special_id:55530000}\r\n",
353 .support_trail = '\x00',
354 .soft_ver = "soft_ver:1.0.0\n",
357 {"fs-uboot", 0x00000, 0x10000},
358 {"default-mac", 0x10000, 0x00200},
359 {"pin", 0x10200, 0x00200},
360 {"device-id", 0x10400, 0x00100},
361 {"product-info", 0x10500, 0x0fb00},
362 {"os-image", 0x20000, 0x180000},
363 {"file-system", 0x1a0000, 0xcb0000},
364 {"partition-table", 0xe50000, 0x10000},
365 {"soft-version", 0xe60000, 0x10000},
366 {"support-list", 0xe70000, 0x10000},
367 {"profile", 0xe80000, 0x10000},
368 {"default-config", 0xe90000, 0x10000},
369 {"user-config", 0xea0000, 0x40000},
370 {"usb-config", 0xee0000, 0x10000},
371 {"certificate", 0xef0000, 0x10000},
372 {"qos-db", 0xf00000, 0x40000},
373 {"log", 0xfe0000, 0x10000},
374 {"radio", 0xff0000, 0x10000},
378 .first_sysupgrade_partition = "os-image",
379 .last_sysupgrade_partition = "file-system",
382 /** Firmware layout for the C60v1 */
384 .id = "ARCHER-C60-V1",
388 "{product_name:Archer C60,product_ver:1.0.0,special_id:00000000}\r\n"
389 "{product_name:Archer C60,product_ver:1.0.0,special_id:45550000}\r\n"
390 "{product_name:Archer C60,product_ver:1.0.0,special_id:55530000}\r\n",
391 .support_trail = '\x00',
392 .soft_ver = "soft_ver:1.0.0\n",
395 {"fs-uboot", 0x00000, 0x10000},
396 {"default-mac", 0x10000, 0x00200},
397 {"pin", 0x10200, 0x00200},
398 {"product-info", 0x10400, 0x00100},
399 {"partition-table", 0x10500, 0x00800},
400 {"soft-version", 0x11300, 0x00200},
401 {"support-list", 0x11500, 0x00100},
402 {"device-id", 0x11600, 0x00100},
403 {"profile", 0x11700, 0x03900},
404 {"default-config", 0x15000, 0x04000},
405 {"user-config", 0x19000, 0x04000},
406 {"os-image", 0x20000, 0x150000},
407 {"file-system", 0x170000, 0x678000},
408 {"certyficate", 0x7e8000, 0x08000},
409 {"radio", 0x7f0000, 0x10000},
413 .first_sysupgrade_partition = "os-image",
414 .last_sysupgrade_partition = "file-system",
417 /** Firmware layout for the C5 */
419 .id = "ARCHER-C5-V2",
423 "{product_name:ArcherC5,"
425 "special_id:00000000}\r\n",
426 .support_trail = '\x00',
430 {"fs-uboot", 0x00000, 0x40000},
431 {"os-image", 0x40000, 0x200000},
432 {"file-system", 0x240000, 0xc00000},
433 {"default-mac", 0xe40000, 0x00200},
434 {"pin", 0xe40200, 0x00200},
435 {"product-info", 0xe40400, 0x00200},
436 {"partition-table", 0xe50000, 0x10000},
437 {"soft-version", 0xe60000, 0x00200},
438 {"support-list", 0xe61000, 0x0f000},
439 {"profile", 0xe70000, 0x10000},
440 {"default-config", 0xe80000, 0x10000},
441 {"user-config", 0xe90000, 0x50000},
442 {"log", 0xee0000, 0x100000},
443 {"radio_bk", 0xfe0000, 0x10000},
444 {"radio", 0xff0000, 0x10000},
448 .first_sysupgrade_partition = "os-image",
449 .last_sysupgrade_partition = "file-system"
452 /** Firmware layout for the C9 */
458 "{product_name:ArcherC9,"
460 "special_id:00000000}\n",
461 .support_trail = '\x00',
465 {"fs-uboot", 0x00000, 0x40000},
466 {"os-image", 0x40000, 0x200000},
467 {"file-system", 0x240000, 0xc00000},
468 {"default-mac", 0xe40000, 0x00200},
469 {"pin", 0xe40200, 0x00200},
470 {"product-info", 0xe40400, 0x00200},
471 {"partition-table", 0xe50000, 0x10000},
472 {"soft-version", 0xe60000, 0x00200},
473 {"support-list", 0xe61000, 0x0f000},
474 {"profile", 0xe70000, 0x10000},
475 {"default-config", 0xe80000, 0x10000},
476 {"user-config", 0xe90000, 0x50000},
477 {"log", 0xee0000, 0x100000},
478 {"radio_bk", 0xfe0000, 0x10000},
479 {"radio", 0xff0000, 0x10000},
483 .first_sysupgrade_partition = "os-image",
484 .last_sysupgrade_partition = "file-system"
487 /** Firmware layout for the EAP120 */
490 .vendor = "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
493 "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
494 .support_trail = '\xff',
498 {"fs-uboot", 0x00000, 0x20000},
499 {"partition-table", 0x20000, 0x02000},
500 {"default-mac", 0x30000, 0x00020},
501 {"support-list", 0x31000, 0x00100},
502 {"product-info", 0x31100, 0x00100},
503 {"soft-version", 0x32000, 0x00100},
504 {"os-image", 0x40000, 0x180000},
505 {"file-system", 0x1c0000, 0x600000},
506 {"user-config", 0x7c0000, 0x10000},
507 {"backup-config", 0x7d0000, 0x10000},
508 {"log", 0x7e0000, 0x10000},
509 {"radio", 0x7f0000, 0x10000},
513 .first_sysupgrade_partition = "os-image",
514 .last_sysupgrade_partition = "file-system"
517 /** Firmware layout for the TL-WA850RE v2 */
523 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55530000}\n"
524 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:00000000}\n"
525 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55534100}\n"
526 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:45550000}\n"
527 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4B520000}\n"
528 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:42520000}\n"
529 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4A500000}\n"
530 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:43410000}\n"
531 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:41550000}\n"
532 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:52550000}\n",
533 .support_trail = '\x00',
537 576KB were moved from file-system to os-image
538 in comparison to the stock image
541 {"fs-uboot", 0x00000, 0x20000},
542 {"os-image", 0x20000, 0x150000},
543 {"file-system", 0x170000, 0x240000},
544 {"partition-table", 0x3b0000, 0x02000},
545 {"default-mac", 0x3c0000, 0x00020},
546 {"pin", 0x3c0100, 0x00020},
547 {"product-info", 0x3c1000, 0x01000},
548 {"soft-version", 0x3c2000, 0x00100},
549 {"support-list", 0x3c3000, 0x01000},
550 {"profile", 0x3c4000, 0x08000},
551 {"user-config", 0x3d0000, 0x10000},
552 {"default-config", 0x3e0000, 0x10000},
553 {"radio", 0x3f0000, 0x10000},
557 .first_sysupgrade_partition = "os-image",
558 .last_sysupgrade_partition = "file-system"
561 /** Firmware layout for the TL-WR1043 v4 */
563 .id = "TLWR1043NDV4",
567 "{product_name:TL-WR1043ND,product_ver:4.0.0,special_id:45550000}\n",
568 .support_trail = '\x00',
572 We use a bigger os-image partition than the stock images (and thus
573 smaller file-system), as our kernel doesn't fit in the stock firmware's
577 {"fs-uboot", 0x00000, 0x20000},
578 {"os-image", 0x20000, 0x180000},
579 {"file-system", 0x1a0000, 0xdb0000},
580 {"default-mac", 0xf50000, 0x00200},
581 {"pin", 0xf50200, 0x00200},
582 {"product-info", 0xf50400, 0x0fc00},
583 {"soft-version", 0xf60000, 0x0b000},
584 {"support-list", 0xf6b000, 0x04000},
585 {"profile", 0xf70000, 0x04000},
586 {"default-config", 0xf74000, 0x0b000},
587 {"user-config", 0xf80000, 0x40000},
588 {"partition-table", 0xfc0000, 0x10000},
589 {"log", 0xfd0000, 0x20000},
590 {"radio", 0xff0000, 0x10000},
594 .first_sysupgrade_partition = "os-image",
595 .last_sysupgrade_partition = "file-system"
598 /** Firmware layout for the TL-WR942N V1 */
604 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:00000000}\r\n"
605 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:52550000}\r\n",
606 .support_trail = '\x00',
610 {"fs-uboot", 0x00000, 0x20000},
611 {"os-image", 0x20000, 0x150000},
612 {"file-system", 0x170000, 0xcd0000},
613 {"default-mac", 0xe40000, 0x00200},
614 {"pin", 0xe40200, 0x00200},
615 {"product-info", 0xe40400, 0x0fc00},
616 {"partition-table", 0xe50000, 0x10000},
617 {"soft-version", 0xe60000, 0x10000},
618 {"support-list", 0xe70000, 0x10000},
619 {"profile", 0xe80000, 0x10000},
620 {"default-config", 0xe90000, 0x10000},
621 {"user-config", 0xea0000, 0x40000},
622 {"qos-db", 0xee0000, 0x40000},
623 {"certificate", 0xf20000, 0x10000},
624 {"usb-config", 0xfb0000, 0x10000},
625 {"log", 0xfc0000, 0x20000},
626 {"radio-bk", 0xfe0000, 0x10000},
627 {"radio", 0xff0000, 0x10000},
631 .first_sysupgrade_partition = "os-image",
632 .last_sysupgrade_partition = "file-system",
635 /** Firmware layout for the RE450 */
641 "{product_name:RE450,product_ver:1.0.0,special_id:00000000}\r\n"
642 "{product_name:RE450,product_ver:1.0.0,special_id:55530000}\r\n"
643 "{product_name:RE450,product_ver:1.0.0,special_id:45550000}\r\n"
644 "{product_name:RE450,product_ver:1.0.0,special_id:4A500000}\r\n"
645 "{product_name:RE450,product_ver:1.0.0,special_id:43410000}\r\n"
646 "{product_name:RE450,product_ver:1.0.0,special_id:41550000}\r\n"
647 "{product_name:RE450,product_ver:1.0.0,special_id:4B520000}\r\n"
648 "{product_name:RE450,product_ver:1.0.0,special_id:55534100}\r\n",
649 .support_trail = '\x00',
653 The flash partition table for RE450;
654 it is almost the same as the one used by the stock images,
655 576KB were moved from file-system to os-image.
658 {"fs-uboot", 0x00000, 0x20000},
659 {"os-image", 0x20000, 0x150000},
660 {"file-system", 0x170000, 0x4a0000},
661 {"partition-table", 0x600000, 0x02000},
662 {"default-mac", 0x610000, 0x00020},
663 {"pin", 0x610100, 0x00020},
664 {"product-info", 0x611100, 0x01000},
665 {"soft-version", 0x620000, 0x01000},
666 {"support-list", 0x621000, 0x01000},
667 {"profile", 0x622000, 0x08000},
668 {"user-config", 0x630000, 0x10000},
669 {"default-config", 0x640000, 0x10000},
670 {"radio", 0x7f0000, 0x10000},
674 .first_sysupgrade_partition = "os-image",
675 .last_sysupgrade_partition = "file-system"
681 #define error(_ret, _errno, _str, ...) \
683 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
690 /** Stores a uint32 as big endian */
691 static inline void put32(uint8_t *buf, uint32_t val) {
698 /** Allocates a new image partition */
699 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
700 struct image_partition_entry entry = {name, len, malloc(len)};
702 error(1, errno, "malloc");
707 /** Frees an image partition */
708 static void free_image_partition(struct image_partition_entry entry) {
712 /** Generates the partition-table partition */
713 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
714 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
716 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
724 for (i = 0; p[i].name; i++) {
726 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
729 error(1, 0, "flash partition table overflow?");
736 memset(s, 0xff, end-s);
742 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
743 static inline uint8_t bcd(uint8_t v) {
744 return 0x10 * (v/10) + v%10;
748 /** Generates the soft-version partition */
749 static struct image_partition_entry make_soft_version(uint32_t rev) {
750 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
751 struct soft_version *s = (struct soft_version *)entry.data;
755 if (time(&t) == (time_t)(-1))
756 error(1, errno, "time");
758 struct tm *tm = localtime(&t);
760 s->magic = htonl(0x0000000c);
764 s->version_major = 0;
765 s->version_minor = 0;
766 s->version_patch = 0;
768 s->year_hi = bcd((1900+tm->tm_year)/100);
769 s->year_lo = bcd(tm->tm_year%100);
770 s->month = bcd(tm->tm_mon+1);
771 s->day = bcd(tm->tm_mday);
779 static struct image_partition_entry make_soft_version_from_string(const char *soft_ver) {
780 /** String length _including_ the terminating zero byte */
781 uint32_t ver_len = strlen(soft_ver) + 1;
782 /** Partition contains 64 bit header, the version string, and one additional null byte */
783 size_t partition_len = 2*sizeof(uint32_t) + ver_len + 1;
784 struct image_partition_entry entry = alloc_image_partition("soft-version", partition_len);
786 uint32_t *len = (uint32_t *)entry.data;
787 len[0] = htonl(ver_len);
789 memcpy(&len[2], soft_ver, ver_len);
791 entry.data[partition_len - 1] = 0;
796 /** Generates the support-list partition */
797 static struct image_partition_entry make_support_list(const struct device_info *info) {
798 size_t len = strlen(info->support_list);
799 struct image_partition_entry entry = alloc_image_partition("support-list", len + 9);
801 put32(entry.data, len);
802 memset(entry.data+4, 0, 4);
803 memcpy(entry.data+8, info->support_list, len);
804 entry.data[len+8] = info->support_trail;
809 /** Creates a new image partition with an arbitrary name from a file */
810 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof) {
813 if (stat(filename, &statbuf) < 0)
814 error(1, errno, "unable to stat file `%s'", filename);
816 size_t len = statbuf.st_size;
819 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
821 struct image_partition_entry entry = alloc_image_partition(part_name, len);
823 FILE *file = fopen(filename, "rb");
825 error(1, errno, "unable to open file `%s'", filename);
827 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
828 error(1, errno, "unable to read file `%s'", filename);
831 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
833 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
834 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
842 /** Creates a new image partition from arbitrary data */
843 static struct image_partition_entry put_data(const char *part_name, const char *datain, size_t len) {
845 struct image_partition_entry entry = alloc_image_partition(part_name, len);
847 memcpy(entry.data, datain, len);
853 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
855 Example image partition table:
857 fwup-ptn partition-table base 0x00800 size 0x00800
858 fwup-ptn os-image base 0x01000 size 0x113b45
859 fwup-ptn file-system base 0x114b45 size 0x1d0004
860 fwup-ptn support-list base 0x2e4b49 size 0x000d1
862 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
863 the end of the partition table is marked with a zero byte.
865 The firmware image must contain at least the partition-table and support-list partitions
866 to be accepted. There aren't any alignment constraints for the image partitions.
868 The partition-table partition contains the actual flash layout; partitions
869 from the image partition table are mapped to the corresponding flash partitions during
870 the firmware upgrade. The support-list partition contains a list of devices supported by
873 The base offsets in the firmware partition table are relative to the end
874 of the vendor information block, so the partition-table partition will
875 actually start at offset 0x1814 of the image.
877 I think partition-table must be the first partition in the firmware image.
879 static void put_partitions(uint8_t *buffer, const struct flash_partition_entry *flash_parts, const struct image_partition_entry *parts) {
881 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
884 for (i = 0; parts[i].name; i++) {
885 for (j = 0; flash_parts[j].name; j++) {
886 if (!strcmp(flash_parts[j].name, parts[i].name)) {
887 if (parts[i].size > flash_parts[j].size)
888 error(1, 0, "%s partition too big (more than %u bytes)", flash_parts[j].name, (unsigned)flash_parts[j].size);
893 assert(flash_parts[j].name);
895 memcpy(buffer + base, parts[i].data, parts[i].size);
897 size_t len = end-image_pt;
898 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
901 error(1, 0, "image partition table overflow?");
905 base += parts[i].size;
909 /** Generates and writes the image MD5 checksum */
910 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
914 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
915 MD5_Update(&ctx, buffer, len);
916 MD5_Final(md5, &ctx);
921 Generates the firmware image in factory format
927 0000-0003 Image size (4 bytes, big endian)
928 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
929 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
930 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
931 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
932 1014-1813 Image partition table (2048 bytes, padded with 0xff)
933 1814-xxxx Firmware partitions
935 static void * generate_factory_image(const struct device_info *info, const struct image_partition_entry *parts, size_t *len) {
939 for (i = 0; parts[i].name; i++)
940 *len += parts[i].size;
942 uint8_t *image = malloc(*len);
944 error(1, errno, "malloc");
946 memset(image, 0xff, *len);
950 size_t vendor_len = strlen(info->vendor);
951 put32(image+0x14, vendor_len);
952 memcpy(image+0x18, info->vendor, vendor_len);
955 put_partitions(image + 0x1014, info->partitions, parts);
956 put_md5(image+0x04, image+0x14, *len-0x14);
962 Generates the firmware image in sysupgrade format
964 This makes some assumptions about the provided flash and image partition tables and
965 should be generalized when TP-LINK starts building its safeloader into hardware with
966 different flash layouts.
968 static void * generate_sysupgrade_image(const struct device_info *info, const struct image_partition_entry *image_parts, size_t *len) {
970 size_t flash_first_partition_index = 0;
971 size_t flash_last_partition_index = 0;
972 const struct flash_partition_entry *flash_first_partition = NULL;
973 const struct flash_partition_entry *flash_last_partition = NULL;
974 const struct image_partition_entry *image_last_partition = NULL;
976 /** Find first and last partitions */
977 for (i = 0; info->partitions[i].name; i++) {
978 if (!strcmp(info->partitions[i].name, info->first_sysupgrade_partition)) {
979 flash_first_partition = &info->partitions[i];
980 flash_first_partition_index = i;
981 } else if (!strcmp(info->partitions[i].name, info->last_sysupgrade_partition)) {
982 flash_last_partition = &info->partitions[i];
983 flash_last_partition_index = i;
987 assert(flash_first_partition && flash_last_partition);
988 assert(flash_first_partition_index < flash_last_partition_index);
990 /** Find last partition from image to calculate needed size */
991 for (i = 0; image_parts[i].name; i++) {
992 if (!strcmp(image_parts[i].name, info->last_sysupgrade_partition)) {
993 image_last_partition = &image_parts[i];
998 assert(image_last_partition);
1000 *len = flash_last_partition->base - flash_first_partition->base + image_last_partition->size;
1002 uint8_t *image = malloc(*len);
1004 error(1, errno, "malloc");
1006 memset(image, 0xff, *len);
1008 for (i = flash_first_partition_index; i <= flash_last_partition_index; i++) {
1009 for (j = 0; image_parts[j].name; j++) {
1010 if (!strcmp(info->partitions[i].name, image_parts[j].name)) {
1011 if (image_parts[j].size > info->partitions[i].size)
1012 error(1, 0, "%s partition too big (more than %u bytes)", info->partitions[i].name, (unsigned)info->partitions[i].size);
1013 memcpy(image + info->partitions[i].base - flash_first_partition->base, image_parts[j].data, image_parts[j].size);
1017 assert(image_parts[j].name);
1024 /** Generates an image according to a given layout and writes it to a file */
1025 static void build_image(const char *output,
1026 const char *kernel_image,
1027 const char *rootfs_image,
1031 const struct device_info *info) {
1033 struct image_partition_entry parts[7] = {};
1035 parts[0] = make_partition_table(info->partitions);
1037 parts[1] = make_soft_version_from_string(info->soft_ver);
1039 parts[1] = make_soft_version(rev);
1041 parts[2] = make_support_list(info);
1042 parts[3] = read_file("os-image", kernel_image, false);
1043 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
1045 if (strcasecmp(info->id, "ARCHER-C25-V1") == 0) {
1046 const char mdat[11] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};
1047 parts[5] = put_data("extra-para", mdat, 11);
1053 image = generate_sysupgrade_image(info, parts, &len);
1055 image = generate_factory_image(info, parts, &len);
1057 FILE *file = fopen(output, "wb");
1059 error(1, errno, "unable to open output file");
1061 if (fwrite(image, len, 1, file) != 1)
1062 error(1, 0, "unable to write output file");
1069 for (i = 0; parts[i].name; i++)
1070 free_image_partition(parts[i]);
1074 static void usage(const char *argv0) {
1076 "Usage: %s [OPTIONS...]\n"
1079 " -B <board> create image for the board specified with <board>\n"
1080 " -k <file> read kernel image from the file <file>\n"
1081 " -r <file> read rootfs image from the file <file>\n"
1082 " -o <file> write output to the file <file>\n"
1083 " -V <rev> sets the revision number to <rev>\n"
1084 " -j add jffs2 end-of-filesystem markers\n"
1085 " -S create sysupgrade instead of factory image\n"
1086 " -h show this help\n",
1092 static const struct device_info *find_board(const char *id)
1094 struct device_info *board = NULL;
1096 for (board = boards; board->id != NULL; board++)
1097 if (strcasecmp(id, board->id) == 0)
1103 int main(int argc, char *argv[]) {
1104 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
1105 bool add_jffs2_eof = false, sysupgrade = false;
1107 const struct device_info *info;
1112 c = getopt(argc, argv, "B:k:r:o:V:jSh");
1122 kernel_image = optarg;
1126 rootfs_image = optarg;
1134 sscanf(optarg, "r%u", &rev);
1138 add_jffs2_eof = true;
1156 error(1, 0, "no board has been specified");
1158 error(1, 0, "no kernel image has been specified");
1160 error(1, 0, "no rootfs image has been specified");
1162 error(1, 0, "no output filename has been specified");
1164 info = find_board(board);
1167 error(1, 0, "unsupported board %s", board);
1169 build_image(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, info);
projects / oweals / openwrt.git / blob