2 * Copyright (C) 2009 Gabor Juhos <juhosg@openwrt.org>
4 * This tool was based on:
5 * TP-Link WR941 V2 firmware checksum fixing tool.
6 * Copyright (C) 2008,2009 Wang Jian <lark@linux.net.cn>
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License version 2 as published
10 * by the Free Software Foundation.
18 #include <unistd.h> /* for unlink() */
20 #include <getopt.h> /* for getopt() */
25 #include <arpa/inet.h>
26 #include <netinet/in.h>
30 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
32 #define HEADER_VERSION_V2 0x02000000
34 #define HWID_TD_W8970_V1 0x89700001
39 char *file_name; /* name of the file */
40 uint32_t file_size; /* length of the file */
44 uint32_t version; /* 0x00: header version */
45 char fw_version[48]; /* 0x04: fw version string */
46 uint32_t hw_id; /* 0x34: hardware id */
47 uint32_t hw_rev; /* 0x38: FIXME: hardware revision? */
48 uint32_t unk1; /* 0x3c: 0x00000000 */
49 uint8_t md5sum1[MD5SUM_LEN]; /* 0x40 */
50 uint32_t unk2; /* 0x50: 0x00000000 */
51 uint8_t md5sum2[MD5SUM_LEN]; /* 0x54 */
52 uint32_t unk3; /* 0x64: 0xffffffff */
54 uint32_t kernel_la; /* 0x68: kernel load address */
55 uint32_t kernel_ep; /* 0x6c: kernel entry point */
56 uint32_t fw_length; /* 0x70: total length of the image */
57 uint32_t kernel_ofs; /* 0x74: kernel data offset */
58 uint32_t kernel_len; /* 0x78: kernel data length */
59 uint32_t rootfs_ofs; /* 0x7c: rootfs data offset */
60 uint32_t rootfs_len; /* 0x80: rootfs data length */
61 uint32_t boot_ofs; /* 0x84: FIXME: seems to be unused */
62 uint32_t boot_len; /* 0x88: FIXME: seems to be unused */
63 uint16_t unk4; /* 0x8c: 0x55aa */
64 uint8_t sver_hi; /* 0x8e */
65 uint8_t sver_lo; /* 0x8f */
66 uint8_t unk5; /* 0x90: magic: 0xa5 */
67 uint8_t ver_hi; /* 0x91 */
68 uint8_t ver_mid; /* 0x92 */
69 uint8_t ver_lo; /* 0x93 */
71 } __attribute__ ((packed));
92 static char *progname;
93 static char *vendor = "TP-LINK Technologies";
94 static char *version = "ver. 1.0";
95 static char *fw_ver = "0.0.0";
96 static char *sver = "1.0";
98 static char *board_id;
99 static struct board_info *board;
100 static char *layout_id;
101 static struct flash_layout *layout;
102 static char *opt_hw_id;
103 static uint32_t hw_id;
104 static char *opt_hw_rev;
105 static uint32_t hw_rev;
106 static int fw_ver_lo;
107 static int fw_ver_mid;
108 static int fw_ver_hi;
111 static struct file_info kernel_info;
112 static uint32_t kernel_la = 0;
113 static uint32_t kernel_ep = 0;
114 static uint32_t kernel_len = 0;
115 static struct file_info rootfs_info;
116 static uint32_t rootfs_ofs = 0;
117 static uint32_t rootfs_align;
118 static struct file_info boot_info;
120 static int strip_padding;
121 static int add_jffs2_eof;
122 static unsigned char jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
124 static struct file_info inspect_info;
125 static int extract = 0;
127 char md5salt_normal[MD5SUM_LEN] = {
128 0xdc, 0xd7, 0x3a, 0xa5, 0xc3, 0x95, 0x98, 0xfb,
129 0xdc, 0xf9, 0xe7, 0xf4, 0x0e, 0xae, 0x47, 0x37,
132 char md5salt_boot[MD5SUM_LEN] = {
133 0x8c, 0xef, 0x33, 0x5b, 0xd5, 0xc5, 0xce, 0xfa,
134 0xa7, 0x9c, 0x28, 0xda, 0xb2, 0xe9, 0x0f, 0x42,
137 static struct flash_layout layouts[] = {
140 .fw_max_len = 0x7a0000,
141 .kernel_la = 0x80002000,
142 .kernel_ep = 0x80002000,
143 .rootfs_ofs = 0x140000,
145 /* terminating entry */
149 static struct board_info boards[] = {
152 .hw_id = HWID_TD_W8970_V1,
154 .layout_id = "8Mltq",
156 /* terminating entry */
163 #define ERR(fmt, ...) do { \
165 fprintf(stderr, "[%s] *** error: " fmt "\n", \
166 progname, ## __VA_ARGS__ ); \
169 #define ERRS(fmt, ...) do { \
172 fprintf(stderr, "[%s] *** error: " fmt "\n", \
173 progname, ## __VA_ARGS__, strerror(save)); \
176 #define DBG(fmt, ...) do { \
177 fprintf(stderr, "[%s] " fmt "\n", progname, ## __VA_ARGS__ ); \
180 static struct board_info *find_board(char *id)
182 struct board_info *ret;
183 struct board_info *board;
186 for (board = boards; board->id != NULL; board++){
187 if (strcasecmp(id, board->id) == 0) {
196 static struct board_info *find_board_by_hwid(uint32_t hw_id)
198 struct board_info *board;
200 for (board = boards; board->id != NULL; board++) {
201 if (hw_id == board->hw_id)
208 static struct flash_layout *find_layout(char *id)
210 struct flash_layout *ret;
211 struct flash_layout *l;
214 for (l = layouts; l->id != NULL; l++){
215 if (strcasecmp(id, l->id) == 0) {
224 static void usage(int status)
226 FILE *stream = (status != EXIT_SUCCESS) ? stderr : stdout;
227 struct board_info *board;
229 fprintf(stream, "Usage: %s [OPTIONS...]\n", progname);
233 " -B <board> create image for the board specified with <board>\n"
234 " -c use combined kernel image\n"
235 " -E <ep> overwrite kernel entry point with <ep> (hexval prefixed with 0x)\n"
236 " -L <la> overwrite kernel load address with <la> (hexval prefixed with 0x)\n"
237 " -H <hwid> use hardware id specified with <hwid>\n"
238 " -W <hwrev> use hardware revision specified with <hwrev>\n"
239 " -F <id> use flash layout specified with <id>\n"
240 " -k <file> read kernel image from the file <file>\n"
241 " -r <file> read rootfs image from the file <file>\n"
242 " -a <align> align the rootfs start on an <align> bytes boundary\n"
243 " -R <offset> overwrite rootfs offset with <offset> (hexval prefixed with 0x)\n"
244 " -o <file> write output to the file <file>\n"
245 " -s strip padding from the end of the image\n"
246 " -j add jffs2 end-of-filesystem markers\n"
247 " -V <version> set image version to <version>\n"
248 " -v <version> set firmware version to <version>\n"
249 " -y <version> set secondary version to <version>\n"
250 " -i <file> inspect given firmware file <file>\n"
251 " -x extract kernel and rootfs while inspecting (requires -i)\n"
252 " -h show this screen\n"
258 static int get_md5(char *data, int size, char *md5)
263 MD5_Update(&ctx, data, size);
264 MD5_Final(md5, &ctx);
267 static int get_file_stat(struct file_info *fdata)
272 if (fdata->file_name == NULL)
275 res = stat(fdata->file_name, &st);
277 ERRS("stat failed on %s", fdata->file_name);
281 fdata->file_size = st.st_size;
285 static int read_to_buf(struct file_info *fdata, char *buf)
288 int ret = EXIT_FAILURE;
290 f = fopen(fdata->file_name, "r");
292 ERRS("could not open \"%s\" for reading", fdata->file_name);
297 fread(buf, fdata->file_size, 1, f);
299 ERRS("unable to read from file \"%s\"", fdata->file_name);
311 static int check_options(void)
315 if (inspect_info.file_name) {
316 ret = get_file_stat(&inspect_info);
321 } else if (extract) {
322 ERR("no firmware for inspection specified");
326 if (board_id == NULL && opt_hw_id == NULL) {
327 ERR("either board or hardware id must be specified");
332 board = find_board(board_id);
334 ERR("unknown/unsupported board id \"%s\"", board_id);
337 if (layout_id == NULL)
338 layout_id = board->layout_id;
340 hw_id = board->hw_id;
341 hw_rev = board->hw_rev;
343 if (layout_id == NULL) {
344 ERR("flash layout is not specified");
347 hw_id = strtoul(opt_hw_id, NULL, 0);
350 hw_rev = strtoul(opt_hw_rev, NULL, 0);
355 layout = find_layout(layout_id);
356 if (layout == NULL) {
357 ERR("unknown flash layout \"%s\"", layout_id);
362 kernel_la = layout->kernel_la;
364 kernel_ep = layout->kernel_ep;
366 rootfs_ofs = layout->rootfs_ofs;
368 if (kernel_info.file_name == NULL) {
369 ERR("no kernel image specified");
373 ret = get_file_stat(&kernel_info);
377 kernel_len = kernel_info.file_size;
380 if (kernel_info.file_size >
381 layout->fw_max_len - sizeof(struct fw_header)) {
382 ERR("kernel image is too big");
386 if (rootfs_info.file_name == NULL) {
387 ERR("no rootfs image specified");
391 ret = get_file_stat(&rootfs_info);
396 kernel_len += sizeof(struct fw_header);
397 kernel_len = ALIGN(kernel_len, rootfs_align);
398 kernel_len -= sizeof(struct fw_header);
400 DBG("kernel length aligned to %u", kernel_len);
402 if (kernel_len + rootfs_info.file_size >
403 layout->fw_max_len - sizeof(struct fw_header)) {
404 ERR("images are too big");
408 if (kernel_info.file_size >
409 rootfs_ofs - sizeof(struct fw_header)) {
410 ERR("kernel image is too big");
414 if (rootfs_info.file_size >
415 (layout->fw_max_len - rootfs_ofs)) {
416 ERR("rootfs image is too big");
422 if (ofname == NULL) {
423 ERR("no output file specified");
427 ret = sscanf(fw_ver, "%d.%d.%d", &fw_ver_hi, &fw_ver_mid, &fw_ver_lo);
429 ERR("invalid firmware version '%s'", fw_ver);
433 ret = sscanf(sver, "%d.%d", &sver_hi, &sver_lo);
435 ERR("invalid secondary version '%s'", sver);
442 static void fill_header(char *buf, int len)
444 struct fw_header *hdr = (struct fw_header *)buf;
447 memset(hdr, '\xff', sizeof(struct fw_header));
449 hdr->version = htonl(HEADER_VERSION_V2);
450 ver_len = strlen(version);
451 if (ver_len > (sizeof(hdr->fw_version) - 1))
452 ver_len = sizeof(hdr->fw_version) - 1;
454 memcpy(hdr->fw_version, version, ver_len);
455 hdr->fw_version[ver_len] = 0;
457 hdr->hw_id = htonl(hw_id);
458 hdr->hw_rev = htonl(hw_rev);
460 if (boot_info.file_size == 0) {
461 memcpy(hdr->md5sum1, md5salt_normal, sizeof(hdr->md5sum1));
462 hdr->boot_ofs = htonl(0);
463 hdr->boot_len = htonl(0);
465 memcpy(hdr->md5sum1, md5salt_boot, sizeof(hdr->md5sum1));
466 hdr->boot_ofs = htonl(rootfs_ofs + rootfs_info.file_size);
467 hdr->boot_len = htonl(rootfs_info.file_size);
470 hdr->kernel_la = htonl(kernel_la);
471 hdr->kernel_ep = htonl(kernel_ep);
472 hdr->fw_length = htonl(layout->fw_max_len);
473 hdr->kernel_ofs = htonl(sizeof(struct fw_header));
474 hdr->kernel_len = htonl(kernel_len);
476 hdr->rootfs_ofs = htonl(rootfs_ofs);
477 hdr->rootfs_len = htonl(rootfs_info.file_size);
480 hdr->boot_ofs = htonl(0);
481 hdr->boot_len = htonl(boot_info.file_size);
483 hdr->unk1 = htonl(0);
484 hdr->unk2 = htonl(0);
485 hdr->unk3 = htonl(0xffffffff);
486 hdr->unk4 = htons(0x55aa);
489 hdr->sver_hi = sver_hi;
490 hdr->sver_lo = sver_lo;
492 hdr->ver_hi = fw_ver_hi;
493 hdr->ver_mid = fw_ver_mid;
494 hdr->ver_lo = fw_ver_lo;
496 get_md5(buf, len, hdr->md5sum1);
499 static int pad_jffs2(char *buf, int currlen)
505 pad_mask = (64 * 1024);
506 while ((len < layout->fw_max_len) && (pad_mask != 0)) {
510 for (i = 10; i < 32; i++) {
516 len = ALIGN(len, mask);
518 for (i = 10; i < 32; i++) {
520 if ((len & (mask - 1)) == 0)
524 for (i = 0; i < sizeof(jffs2_eof_mark); i++)
525 buf[len + i] = jffs2_eof_mark[i];
527 len += sizeof(jffs2_eof_mark);
533 static int write_fw(char *data, int len)
536 int ret = EXIT_FAILURE;
538 f = fopen(ofname, "w");
540 ERRS("could not open \"%s\" for writing", ofname);
545 fwrite(data, len, 1, f);
547 ERRS("unable to write output file");
551 DBG("firmware file \"%s\" completed", ofname);
558 if (ret != EXIT_SUCCESS) {
565 static int build_fw(void)
570 int ret = EXIT_FAILURE;
573 buflen = layout->fw_max_len;
575 buf = malloc(buflen);
577 ERR("no memory for buffer\n");
581 memset(buf, 0xff, buflen);
582 p = buf + sizeof(struct fw_header);
583 ret = read_to_buf(&kernel_info, p);
587 writelen = sizeof(struct fw_header) + kernel_len;
593 p = buf + rootfs_ofs;
595 ret = read_to_buf(&rootfs_info, p);
600 writelen += rootfs_info.file_size;
602 writelen = rootfs_ofs + rootfs_info.file_size;
605 writelen = pad_jffs2(buf, writelen);
611 fill_header(buf, writelen);
612 ret = write_fw(buf, writelen);
624 /* Helper functions to inspect_fw() representing different output formats */
625 static inline void inspect_fw_pstr(char *label, char *str)
627 printf("%-23s: %s\n", label, str);
630 static inline void inspect_fw_phex(char *label, uint32_t val)
632 printf("%-23s: 0x%08x\n", label, val);
635 static inline void inspect_fw_phexpost(char *label,
636 uint32_t val, char *post)
638 printf("%-23s: 0x%08x (%s)\n", label, val, post);
641 static inline void inspect_fw_phexdef(char *label,
642 uint32_t val, uint32_t defval)
644 printf("%-23s: 0x%08x ", label, val);
647 printf("(== OpenWrt default)\n");
649 printf("(OpenWrt default: 0x%08x)\n", defval);
652 static inline void inspect_fw_phexexp(char *label,
653 uint32_t val, uint32_t expval)
655 printf("%-23s: 0x%08x ", label, val);
660 printf("(expected: 0x%08x)\n", expval);
663 static inline void inspect_fw_phexdec(char *label, uint32_t val)
665 printf("%-23s: 0x%08x / %8u bytes\n", label, val, val);
668 static inline void inspect_fw_phexdecdef(char *label,
669 uint32_t val, uint32_t defval)
671 printf("%-23s: 0x%08x / %8u bytes ", label, val, val);
674 printf("(== OpenWrt default)\n");
676 printf("(OpenWrt default: 0x%08x)\n", defval);
679 static inline void inspect_fw_pmd5sum(char *label, uint8_t *val, char *text)
683 printf("%-23s:", label);
684 for (i=0; i<MD5SUM_LEN; i++)
685 printf(" %02x", val[i]);
686 printf(" %s\n", text);
689 static int inspect_fw(void)
692 struct fw_header *hdr;
693 uint8_t md5sum[MD5SUM_LEN];
694 struct board_info *board;
695 int ret = EXIT_FAILURE;
697 buf = malloc(inspect_info.file_size);
699 ERR("no memory for buffer!\n");
703 ret = read_to_buf(&inspect_info, buf);
706 hdr = (struct fw_header *)buf;
708 inspect_fw_pstr("File name", inspect_info.file_name);
709 inspect_fw_phexdec("File size", inspect_info.file_size);
711 if (ntohl(hdr->version) != HEADER_VERSION_V2) {
712 ERR("file does not seem to have V2 header!\n");
716 inspect_fw_phexdec("Version 2 Header size", sizeof(struct fw_header));
718 if (ntohl(hdr->unk1) != 0)
719 inspect_fw_phexdec("Unknown value 1", hdr->unk1);
721 memcpy(md5sum, hdr->md5sum1, sizeof(md5sum));
722 if (ntohl(hdr->boot_len) == 0)
723 memcpy(hdr->md5sum1, md5salt_normal, sizeof(md5sum));
725 memcpy(hdr->md5sum1, md5salt_boot, sizeof(md5sum));
726 get_md5(buf, inspect_info.file_size, hdr->md5sum1);
728 if (memcmp(md5sum, hdr->md5sum1, sizeof(md5sum))) {
729 inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(*ERROR*)");
730 inspect_fw_pmd5sum(" --> expected", hdr->md5sum1, "");
732 inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(ok)");
734 if (ntohl(hdr->unk2) != 0)
735 inspect_fw_phexdec("Unknown value 2", hdr->unk2);
736 inspect_fw_pmd5sum("Header MD5Sum2", hdr->md5sum2,
737 "(purpose yet unknown, unchecked here)");
739 if (ntohl(hdr->unk3) != 0xffffffff)
740 inspect_fw_phexdec("Unknown value 3", hdr->unk3);
742 if (ntohs(hdr->unk4) != 0x55aa)
743 inspect_fw_phexdec("Unknown value 4", hdr->unk4);
745 if (hdr->unk5 != 0xa5)
746 inspect_fw_phexdec("Unknown value 5", hdr->unk5);
750 inspect_fw_pstr("Firmware version", hdr->fw_version);
752 board = find_board_by_hwid(ntohl(hdr->hw_id));
754 layout = find_layout(board->layout_id);
755 inspect_fw_phexpost("Hardware ID",
756 ntohl(hdr->hw_id), board->id);
757 inspect_fw_phexexp("Hardware Revision",
758 ntohl(hdr->hw_rev), board->hw_rev);
760 inspect_fw_phexpost("Hardware ID",
761 ntohl(hdr->hw_id), "unknown");
762 inspect_fw_phex("Hardware Revision",
766 printf("%-23s: %d.%d.%d-%d.%d\n", "Software version",
767 hdr->ver_hi, hdr->ver_mid, hdr->ver_lo,
768 hdr->sver_hi, hdr->sver_lo);
772 inspect_fw_phexdec("Kernel data offset",
773 ntohl(hdr->kernel_ofs));
774 inspect_fw_phexdec("Kernel data length",
775 ntohl(hdr->kernel_len));
777 inspect_fw_phexdef("Kernel load address",
778 ntohl(hdr->kernel_la),
779 layout ? layout->kernel_la : 0xffffffff);
780 inspect_fw_phexdef("Kernel entry point",
781 ntohl(hdr->kernel_ep),
782 layout ? layout->kernel_ep : 0xffffffff);
783 inspect_fw_phexdecdef("Rootfs data offset",
784 ntohl(hdr->rootfs_ofs),
785 layout ? layout->rootfs_ofs : 0xffffffff);
787 inspect_fw_phex("Kernel load address",
788 ntohl(hdr->kernel_la));
789 inspect_fw_phex("Kernel entry point",
790 ntohl(hdr->kernel_ep));
791 inspect_fw_phexdec("Rootfs data offset",
792 ntohl(hdr->rootfs_ofs));
794 inspect_fw_phexdec("Rootfs data length",
795 ntohl(hdr->rootfs_len));
796 inspect_fw_phexdec("Boot loader data offset",
797 ntohl(hdr->boot_ofs));
798 inspect_fw_phexdec("Boot loader data length",
799 ntohl(hdr->boot_len));
800 inspect_fw_phexdec("Total firmware length",
801 ntohl(hdr->fw_length));
809 filename = malloc(strlen(inspect_info.file_name) + 8);
810 sprintf(filename, "%s-kernel", inspect_info.file_name);
811 printf("Extracting kernel to \"%s\"...\n", filename);
812 fp = fopen(filename, "w");
814 if (!fwrite(buf + ntohl(hdr->kernel_ofs),
815 ntohl(hdr->kernel_len), 1, fp)) {
816 ERR("error in fwrite(): %s", strerror(errno));
820 ERR("error in fopen(): %s", strerror(errno));
824 filename = malloc(strlen(inspect_info.file_name) + 8);
825 sprintf(filename, "%s-rootfs", inspect_info.file_name);
826 printf("Extracting rootfs to \"%s\"...\n", filename);
827 fp = fopen(filename, "w");
829 if (!fwrite(buf + ntohl(hdr->rootfs_ofs),
830 ntohl(hdr->rootfs_len), 1, fp)) {
831 ERR("error in fwrite(): %s", strerror(errno));
835 ERR("error in fopen(): %s", strerror(errno));
846 int main(int argc, char *argv[])
848 int ret = EXIT_FAILURE;
853 progname = basename(argv[0]);
858 c = getopt(argc, argv, "a:B:H:E:F:L:V:N:W:ci:k:r:R:o:xhsjv:y:");
864 sscanf(optarg, "0x%x", &rootfs_align);
873 sscanf(optarg, "0x%x", &kernel_ep);
882 sscanf(optarg, "0x%x", &kernel_la);
900 kernel_info.file_name = optarg;
903 rootfs_info.file_name = optarg;
906 sscanf(optarg, "0x%x", &rootfs_ofs);
915 inspect_info.file_name = optarg;
932 ret = check_options();
936 if (!inspect_info.file_name)
projects / openwrt.git / blob