2 * Builder/viewer/extractor utility for Poray firmware image files
4 * Copyright (C) 2013 Michel Stempin <michel.stempin@wanadoo.fr>
5 * Copyright (C) 2013 Felix Kaechele <felix@fetzig.org>
6 * Copyright (C) 2013 <admin@openschemes.com>
8 * This tool is based on:
9 * TP-Link firmware upgrade tool.
10 * Copyright (C) 2009 Gabor Juhos <juhosg@openwrt.org>
13 * TP-Link WR941 V2 firmware checksum fixing tool.
14 * Copyright (C) 2008,2009 Wang Jian <lark@linux.net.cn>
16 * This program is free software; you can redistribute it and/or modify it
17 * under the terms of the GNU General Public License version 2 as published
18 * by the Free Software Foundation.
32 #include <arpa/inet.h>
33 #include <netinet/in.h>
35 #if (__BYTE_ORDER == __BIG_ENDIAN)
36 # define HOST_TO_BE32(x) (x)
37 # define BE32_TO_HOST(x) (x)
38 # define HOST_TO_LE32(x) bswap_32(x)
39 # define LE32_TO_HOST(x) bswap_32(x)
41 # define HOST_TO_BE32(x) bswap_32(x)
42 # define BE32_TO_HOST(x) bswap_32(x)
43 # define HOST_TO_LE32(x) (x)
44 # define LE32_TO_HOST(x) (x)
47 /* Fixed header flags */
48 #define HEADER_FLAGS 0x020e0000
50 /* Recognized Hardware ID magic */
51 #define HWID_HAME_MPR_A1_L8 0x32473352
52 #define HWID_PORAY_R50B 0x31353033
53 #define HWID_PORAY_R50D 0x33353033
54 #define HWID_PORAY_R50E 0x34353033
55 #define HWID_PORAY_M3 0x31353335
56 #define HWID_PORAY_M4 0x32353335
57 #define HWID_PORAY_Q3 0x33353335
58 #define HWID_PORAY_X5_X6 0x35353335
59 #define HWID_PORAY_X8 0x36353335
60 #define HWID_PORAY_X1 0x38353335
62 /* Recognized XOR obfuscation keys */
73 char *file_name; /* Name of the file */
74 uint32_t file_size; /* Length of the file */
78 uint32_t hw_id; /* Hardware id */
79 uint32_t firmware_len; /* Firmware data length */
80 uint32_t flags; /* Header flags */
82 } __attribute__ ((packed));
100 static char *progname;
102 static char *board_id;
103 static struct board_info *board;
104 static char *layout_id;
105 static struct flash_layout *layout;
106 static char *opt_hw_id;
107 static uint32_t hw_id;
108 static struct file_info firmware_info;
109 static uint32_t firmware_len = 0;
111 static int inspect = 0;
112 static int extract = 0;
114 static uint8_t key[][KEY_LEN] = {
115 {0xC8, 0x3C, 0x3A, 0x93, 0xA2, 0x95, 0xC3, 0x63, 0x48, 0x45, 0x58, 0x09, 0x12, 0x03, 0x08},
116 {0x89, 0x6B, 0x5A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
117 {0xC9, 0x1C, 0x3A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
118 {0x19, 0x1B, 0x3A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
119 {0x79, 0x7B, 0x7A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
122 static struct flash_layout layouts[] = {
125 .fw_max_len = 0x3c0000,
128 .fw_max_len = 0x7c0000,
130 /* terminating entry */
134 static struct board_info boards[] = {
137 .hw_id = HWID_HAME_MPR_A1_L8,
142 .hw_id = HWID_HAME_MPR_A1_L8,
147 .hw_id = HWID_PORAY_R50B,
152 .hw_id = HWID_PORAY_R50D,
157 .hw_id = HWID_PORAY_R50E,
162 .hw_id = HWID_PORAY_M3,
167 .hw_id = HWID_PORAY_M4,
172 .hw_id = HWID_PORAY_Q3,
177 .hw_id = HWID_PORAY_X5_X6,
182 .hw_id = HWID_PORAY_X5_X6,
187 .hw_id = HWID_PORAY_X5_X6,
192 .hw_id = HWID_PORAY_X8,
197 .hw_id = HWID_PORAY_X1,
201 /* terminating entry */
208 #define ERR(fmt, ...) do { \
210 fprintf(stderr, "[%s] *** error: " fmt "\n", \
211 progname, ## __VA_ARGS__ ); \
214 #define ERRS(fmt, ...) do { \
217 fprintf(stderr, "[%s] *** error: " fmt ":%s\n", \
218 progname, ## __VA_ARGS__, strerror(save)); \
221 #define DBG(fmt, ...) do { \
222 fprintf(stderr, "[%s] " fmt "\n", progname, ## __VA_ARGS__ ); \
226 * Find a board by its name
228 static struct board_info *find_board(char *id)
230 struct board_info *ret;
231 struct board_info *board;
234 for (board = boards; board->id != NULL; board++){
235 if (strcasecmp(id, board->id) == 0) {
245 * Find a board by its hardware ID
247 static struct board_info *find_board_by_hwid(uint32_t hw_id)
249 struct board_info *board;
251 for (board = boards; board->id != NULL; board++) {
252 if (hw_id == board->hw_id)
260 * Find a Flash memory layout by its name
262 static struct flash_layout *find_layout(char *id)
264 struct flash_layout *ret;
265 struct flash_layout *l;
268 for (l = layouts; l->id != NULL; l++){
269 if (strcasecmp(id, l->id) == 0) {
281 static void usage(int status)
283 FILE *stream = (status != EXIT_SUCCESS) ? stderr : stdout;
285 fprintf(stream, "Usage: %s [OPTIONS...]\n", progname);
289 " -B <board> create image for the board specified with <board>\n"
290 " -H <hwid> use hardware id specified with <hwid>\n"
291 " -F <id> use flash layout specified with <id>\n"
292 " -f <file> read firmware image from the file <file>\n"
293 " -o <file> write output to the file <file>\n"
294 " -i inspect given firmware file (requires -f)\n"
295 " -x extract combined kernel and rootfs while inspecting (implies -i)\n"
296 " -h show this screen\n"
303 * Get file statistics
305 static int get_file_stat(struct file_info *fdata)
310 if (fdata->file_name == NULL) {
313 res = stat(fdata->file_name, &st);
315 ERRS("stat failed on %s", fdata->file_name);
319 fdata->file_size = st.st_size;
324 * Read file into buffer
326 static int read_to_buf(struct file_info *fdata, uint8_t *buf)
329 int ret = EXIT_FAILURE;
331 f = fopen(fdata->file_name, "rb");
333 ERRS("could not open \"%s\" for reading", fdata->file_name);
338 fread(buf, fdata->file_size, 1, f);
340 ERRS("unable to read from file \"%s\"", fdata->file_name);
353 * Check command line options
355 static int check_options(void)
359 if (firmware_info.file_name == NULL) {
360 ERR("no firmware image specified");
364 ret = get_file_stat(&firmware_info);
371 if (board_id == NULL && opt_hw_id == NULL) {
372 ERR("either board or hardware id must be specified");
377 board = find_board(board_id);
379 ERR("unknown/unsupported board id \"%s\"", board_id);
382 if (layout_id == NULL) {
383 layout_id = board->layout_id;
385 hw_id = board->hw_id;
387 hw_id = strtoul(opt_hw_id, NULL, 0);
388 board = find_board_by_hwid(hw_id);
389 if (layout_id == NULL) {
390 layout_id = board->layout_id;
394 layout = find_layout(layout_id);
395 if (layout == NULL) {
396 ERR("unknown flash layout \"%s\"", layout_id);
400 firmware_len = firmware_info.file_size;
402 if (firmware_info.file_size >
403 layout->fw_max_len - sizeof (struct fw_header)) {
404 ERR("firmware image is too big");
408 if (ofname == NULL) {
409 ERR("no output file specified");
416 * Fill in firmware header
418 static void fill_header(uint8_t *buf)
420 struct fw_header *hdr = (struct fw_header *) buf;
422 memset(hdr, 0, sizeof (struct fw_header));
423 hdr->hw_id = HOST_TO_LE32(hw_id);
424 hdr->firmware_len = HOST_TO_LE32(firmware_len);
425 hdr->flags = HOST_TO_LE32(HEADER_FLAGS);
429 * Compute firmware checksum
431 static uint16_t checksum_fw(uint8_t *data, int len)
434 int32_t checksum = 0;
436 for (i = 0; i < len - 1; i += 2) {
437 checksum += (data[i + 1] << 8) | data[i];
442 checksum = checksum + (checksum >> 16) + 0xffff;
443 checksum = ~(checksum + (checksum >> 16)) & 0xffff;
444 return (uint16_t) checksum;
448 * (De)obfuscate firmware using an XOR operation with a fixed length key
450 static void xor_fw(uint8_t *data, int len)
454 for (i = 0; i <= len; i++) {
455 data[i] ^= key[board->key][i % KEY_LEN];
460 * Write firmware to file
462 static int write_fw(uint8_t *data, int len)
465 int ret = EXIT_FAILURE;
467 f = fopen(ofname, "wb");
469 ERRS("could not open \"%s\" for writing", ofname);
474 fwrite(data, len, 1, f);
476 ERRS("unable to write output file");
480 DBG("firmware file \"%s\" completed", ofname);
487 if (ret != EXIT_SUCCESS) {
495 * Build firmware file
497 static int build_fw(void)
501 int ret = EXIT_FAILURE;
505 buflen = layout->fw_max_len;
507 buf = (uint8_t *) malloc(buflen);
509 ERR("no memory for buffer\n");
513 memset(buf, 0xff, buflen);
514 p = buf + sizeof (struct fw_header);
515 ret = read_to_buf(&firmware_info, p);
519 writelen = sizeof (struct fw_header) + firmware_len + 2;
524 /* Compute firmware checksum */
525 checksum = checksum_fw(buf + sizeof (struct fw_header), firmware_len);
527 /* Cannot use network order function because checksum is not word-aligned */
528 buf[writelen - 1] = checksum >> 8;
529 buf[writelen - 2] = checksum & 0xff;
531 /* XOR obfuscate firmware */
532 xor_fw(buf + sizeof (struct fw_header), firmware_len + 2);
534 /* Write firmware file */
535 ret = write_fw(buf, writelen);
547 /* Helper functions to inspect_fw() representing different output formats */
548 static inline void inspect_fw_pstr(char *label, char *str)
550 printf("%-23s: %s\n", label, str);
553 static inline void inspect_fw_phex(char *label, uint32_t val)
555 printf("%-23s: 0x%08x\n", label, val);
558 static inline void inspect_fw_phexpost(char *label,
559 uint32_t val, char *post)
561 printf("%-23s: 0x%08x (%s)\n", label, val, post);
564 static inline void inspect_fw_phexdef(char *label,
565 uint32_t val, uint32_t defval)
567 printf("%-23s: 0x%08x ", label, val);
570 printf("(== OpenWrt default)\n");
572 printf("(OpenWrt default: 0x%08x)\n", defval);
576 static inline void inspect_fw_phexexp(char *label,
577 uint32_t val, uint32_t expval)
579 printf("%-23s: 0x%08x ", label, val);
584 printf("(expected: 0x%08x)\n", expval);
588 static inline void inspect_fw_phexdec(char *label, uint32_t val)
590 printf("%-23s: 0x%08x / %8u bytes\n", label, val, val);
593 static inline void inspect_fw_pchecksum(char *label,
594 uint16_t val, uint16_t expval)
596 printf("%-23s: 0x%04x ", label, val);
600 printf("(expected: 0x%04x)\n", expval);
604 static int inspect_fw(void)
607 struct fw_header *hdr;
608 int ret = EXIT_FAILURE;
609 uint16_t computed_checksum, file_checksum;
611 buf = (uint8_t *) malloc(firmware_info.file_size);
613 ERR("no memory for buffer!\n");
617 ret = read_to_buf(&firmware_info, buf);
621 hdr = (struct fw_header *)buf;
623 inspect_fw_pstr("File name", firmware_info.file_name);
624 inspect_fw_phexdec("File size", firmware_info.file_size);
628 inspect_fw_phexdec("Header size", sizeof (struct fw_header));
629 board = find_board_by_hwid(LE32_TO_HOST(hdr->hw_id));
631 layout = find_layout(board->layout_id);
632 inspect_fw_phexpost("Hardware ID",
633 LE32_TO_HOST( hdr->hw_id), board->id);
635 inspect_fw_phexpost("Hardware ID",
636 LE32_TO_HOST(hdr->hw_id), "unknown");
638 inspect_fw_phexdec("Firmware data length",
639 LE32_TO_HOST(hdr->firmware_len));
641 inspect_fw_phexexp("Flags",
642 LE32_TO_HOST(hdr->flags), HEADER_FLAGS);
645 /* XOR unobfuscate firmware */
646 xor_fw(buf + sizeof (struct fw_header), LE32_TO_HOST(hdr->firmware_len) + 2);
648 /* Compute firmware checksum */
649 computed_checksum = checksum_fw(buf + sizeof (struct fw_header), LE32_TO_HOST(hdr->firmware_len));
651 /* Cannot use network order function because checksum is not word-aligned */
652 file_checksum = (buf[firmware_info.file_size - 1] << 8) | buf[firmware_info.file_size - 2];
653 inspect_fw_pchecksum("Firmware checksum", computed_checksum, file_checksum);
655 /* Verify checksum */
656 if (computed_checksum != file_checksum) {
658 ERR("checksums do not match");
668 if (ofname == NULL) {
669 filename = malloc(strlen(firmware_info.file_name) + 10);
670 sprintf(filename, "%s-firmware", firmware_info.file_name);
674 printf("Extracting firmware to \"%s\"...\n", filename);
675 fp = fopen(filename, "wb");
677 if (!fwrite(buf + sizeof (struct fw_header),
678 LE32_TO_HOST(hdr->firmware_len), 1, fp)) {
679 ERRS("error in fwrite(): %s", strerror(errno));
683 ERRS("error in fopen(): %s", strerror(errno));
685 if (ofname == NULL) {
700 int main(int argc, char *argv[])
702 int ret = EXIT_FAILURE;
704 progname = basename(argv[0]);
708 while ((c = getopt(argc, argv, "B:H:F:f:o:ixh")) != -1) {
720 firmware_info.file_name = optarg;
741 ret = check_options();
projects / openwrt.git / blob