mktplinkfw.c 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642
  1. /*
  2. * Copyright (C) 2009 Gabor Juhos <juhosg@openwrt.org>
  3. *
  4. * This tool was based on:
  5. * TP-Link WR941 V2 firmware checksum fixing tool.
  6. * Copyright (C) 2008,2009 Wang Jian <lark@linux.net.cn>
  7. *
  8. * This program is free software; you can redistribute it and/or modify it
  9. * under the terms of the GNU General Public License version 2 as published
  10. * by the Free Software Foundation.
  11. *
  12. */
  13. #include <stdio.h>
  14. #include <stdlib.h>
  15. #include <stdint.h>
  16. #include <string.h>
  17. #include <unistd.h> /* for unlink() */
  18. #include <libgen.h>
  19. #include <getopt.h> /* for getopt() */
  20. #include <stdarg.h>
  21. #include <stdbool.h>
  22. #include <endian.h>
  23. #include <errno.h>
  24. #include <sys/stat.h>
  25. #include <arpa/inet.h>
  26. #include <netinet/in.h>
  27. #include "md5.h"
  28. #include "mktplinkfw-lib.h"
  29. #define HEADER_VERSION_V1 0x01000000
  30. #define HEADER_VERSION_V2 0x02000000
  31. struct fw_header {
  32. uint32_t version; /* header version */
  33. char vendor_name[24];
  34. char fw_version[36];
  35. uint32_t hw_id; /* hardware id */
  36. uint32_t hw_rev; /* hardware revision */
  37. uint32_t region_code; /* region code */
  38. uint8_t md5sum1[MD5SUM_LEN];
  39. uint32_t unk2;
  40. uint8_t md5sum2[MD5SUM_LEN];
  41. uint32_t unk3;
  42. uint32_t kernel_la; /* kernel load address */
  43. uint32_t kernel_ep; /* kernel entry point */
  44. uint32_t fw_length; /* total length of the firmware */
  45. uint32_t kernel_ofs; /* kernel data offset */
  46. uint32_t kernel_len; /* kernel data length */
  47. uint32_t rootfs_ofs; /* rootfs data offset */
  48. uint32_t rootfs_len; /* rootfs data length */
  49. uint32_t boot_ofs; /* bootloader data offset */
  50. uint32_t boot_len; /* bootloader data length */
  51. uint16_t ver_hi;
  52. uint16_t ver_mid;
  53. uint16_t ver_lo;
  54. uint8_t pad[130];
  55. char region_str1[32];
  56. char region_str2[32];
  57. uint8_t pad2[160];
  58. } __attribute__ ((packed));
  59. struct fw_region {
  60. char name[4];
  61. uint32_t code;
  62. };
  63. /*
  64. * Globals
  65. */
  66. char *ofname;
  67. char *progname;
  68. static char *vendor = "TP-LINK Technologies";
  69. static char *version = "ver. 1.0";
  70. static char *fw_ver = "0.0.0";
  71. static uint32_t hdr_ver = HEADER_VERSION_V1;
  72. static char *layout_id;
  73. struct flash_layout *layout;
  74. static char *opt_hw_id;
  75. static uint32_t hw_id;
  76. static char *opt_hw_rev;
  77. static uint32_t hw_rev;
  78. static uint32_t opt_hdr_ver = 1;
  79. static char *country;
  80. static const struct fw_region *region;
  81. static int fw_ver_lo;
  82. static int fw_ver_mid;
  83. static int fw_ver_hi;
  84. struct file_info kernel_info;
  85. static uint32_t kernel_la = 0;
  86. static uint32_t kernel_ep = 0;
  87. uint32_t kernel_len = 0;
  88. struct file_info rootfs_info;
  89. uint32_t rootfs_ofs = 0;
  90. uint32_t rootfs_align;
  91. static struct file_info boot_info;
  92. int combined;
  93. int strip_padding;
  94. int add_jffs2_eof;
  95. static uint32_t fw_max_len;
  96. static uint32_t reserved_space;
  97. static struct file_info inspect_info;
  98. static int extract = 0;
  99. static bool endian_swap = false;
  100. static bool rootfs_ofs_calc = false;
  101. static const char md5salt_normal[MD5SUM_LEN] = {
  102. 0xdc, 0xd7, 0x3a, 0xa5, 0xc3, 0x95, 0x98, 0xfb,
  103. 0xdd, 0xf9, 0xe7, 0xf4, 0x0e, 0xae, 0x47, 0x38,
  104. };
  105. static const char md5salt_boot[MD5SUM_LEN] = {
  106. 0x8c, 0xef, 0x33, 0x5b, 0xd5, 0xc5, 0xce, 0xfa,
  107. 0xa7, 0x9c, 0x28, 0xda, 0xb2, 0xe9, 0x0f, 0x42,
  108. };
  109. static struct flash_layout layouts[] = {
  110. {
  111. .id = "4M",
  112. .fw_max_len = 0x3c0000,
  113. .kernel_la = 0x80060000,
  114. .kernel_ep = 0x80060000,
  115. .rootfs_ofs = 0x140000,
  116. }, {
  117. .id = "4Mlzma",
  118. .fw_max_len = 0x3c0000,
  119. .kernel_la = 0x80060000,
  120. .kernel_ep = 0x80060000,
  121. .rootfs_ofs = 0x100000,
  122. }, {
  123. .id = "8M",
  124. .fw_max_len = 0x7c0000,
  125. .kernel_la = 0x80060000,
  126. .kernel_ep = 0x80060000,
  127. .rootfs_ofs = 0x140000,
  128. }, {
  129. .id = "8Mlzma",
  130. .fw_max_len = 0x7c0000,
  131. .kernel_la = 0x80060000,
  132. .kernel_ep = 0x80060000,
  133. .rootfs_ofs = 0x100000,
  134. }, {
  135. .id = "16M",
  136. .fw_max_len = 0xf80000,
  137. .kernel_la = 0x80060000,
  138. .kernel_ep = 0x80060000,
  139. .rootfs_ofs = 0x140000,
  140. }, {
  141. .id = "16Mlzma",
  142. .fw_max_len = 0xf80000,
  143. .kernel_la = 0x80060000,
  144. .kernel_ep = 0x80060000,
  145. .rootfs_ofs = 0x100000,
  146. }, {
  147. .id = "16Mppc",
  148. .fw_max_len = 0xf80000,
  149. .kernel_la = 0x00000000 ,
  150. .kernel_ep = 0xc0000000,
  151. .rootfs_ofs = 0x2a0000,
  152. }, {
  153. /* terminating entry */
  154. }
  155. };
  156. static const struct fw_region regions[] = {
  157. /* Default region (universal) uses code 0 as well */
  158. {"US", 1},
  159. {"EU", 0},
  160. {"BR", 0},
  161. };
  162. static const struct fw_region * find_region(const char *country) {
  163. size_t i;
  164. for (i = 0; i < ARRAY_SIZE(regions); i++) {
  165. if (strcasecmp(regions[i].name, country) == 0)
  166. return &regions[i];
  167. }
  168. return NULL;
  169. }
  170. static void usage(int status)
  171. {
  172. fprintf(stderr, "Usage: %s [OPTIONS...]\n", progname);
  173. fprintf(stderr,
  174. "\n"
  175. "Options:\n"
  176. " -c use combined kernel image\n"
  177. " -e swap endianness in kernel load address and entry point\n"
  178. " -E <ep> overwrite kernel entry point with <ep> (hexval prefixed with 0x)\n"
  179. " -L <la> overwrite kernel load address with <la> (hexval prefixed with 0x)\n"
  180. " -H <hwid> use hardware id specified with <hwid>\n"
  181. " -W <hwrev> use hardware revision specified with <hwrev>\n"
  182. " -C <country> set region code to <country>\n"
  183. " -F <id> use flash layout specified with <id>\n"
  184. " -k <file> read kernel image from the file <file>\n"
  185. " -r <file> read rootfs image from the file <file>\n"
  186. " -a <align> align the rootfs start on an <align> bytes boundary\n"
  187. " -R <offset> overwrite rootfs offset with <offset> (hexval prefixed with 0x)\n"
  188. " -O calculate rootfs offset for combined images\n"
  189. " -o <file> write output to the file <file>\n"
  190. " -s strip padding from the end of the image\n"
  191. " -j add jffs2 end-of-filesystem markers\n"
  192. " -N <vendor> set image vendor to <vendor>\n"
  193. " -V <version> set image version to <version>\n"
  194. " -v <version> set firmware version to <version>\n"
  195. " -m <version> set header version to <version>\n"
  196. " -i <file> inspect given firmware file <file>\n"
  197. " -x extract kernel and rootfs while inspecting (requires -i)\n"
  198. " -X <size> reserve <size> bytes in the firmware image (hexval prefixed with 0x)\n"
  199. " -h show this screen\n"
  200. );
  201. exit(status);
  202. }
  203. static int check_options(void)
  204. {
  205. int ret;
  206. int exceed_bytes;
  207. if (inspect_info.file_name) {
  208. ret = get_file_stat(&inspect_info);
  209. if (ret)
  210. return ret;
  211. return 0;
  212. } else if (extract) {
  213. ERR("no firmware for inspection specified");
  214. return -1;
  215. }
  216. if (opt_hw_id == NULL) {
  217. ERR("hardware id not specified");
  218. return -1;
  219. }
  220. hw_id = strtoul(opt_hw_id, NULL, 0);
  221. if (!combined && layout_id == NULL) {
  222. ERR("flash layout is not specified");
  223. return -1;
  224. }
  225. if (opt_hw_rev)
  226. hw_rev = strtoul(opt_hw_rev, NULL, 0);
  227. else
  228. hw_rev = 1;
  229. if (country) {
  230. region = find_region(country);
  231. if (!region) {
  232. ERR("unknown region code \"%s\"", country);
  233. return -1;
  234. }
  235. }
  236. if (combined) {
  237. if (!kernel_la || !kernel_ep) {
  238. ERR("kernel loading address and entry point must be specified for combined image");
  239. return -1;
  240. }
  241. } else {
  242. layout = find_layout(layouts, layout_id);
  243. if (layout == NULL) {
  244. ERR("unknown flash layout \"%s\"", layout_id);
  245. return -1;
  246. }
  247. if (!kernel_la)
  248. kernel_la = layout->kernel_la;
  249. if (!kernel_ep)
  250. kernel_ep = layout->kernel_ep;
  251. if (!rootfs_ofs)
  252. rootfs_ofs = layout->rootfs_ofs;
  253. if (reserved_space > layout->fw_max_len) {
  254. ERR("reserved space is not valid");
  255. return -1;
  256. }
  257. }
  258. if (kernel_info.file_name == NULL) {
  259. ERR("no kernel image specified");
  260. return -1;
  261. }
  262. ret = get_file_stat(&kernel_info);
  263. if (ret)
  264. return ret;
  265. kernel_len = kernel_info.file_size;
  266. if (!combined) {
  267. fw_max_len = layout->fw_max_len - reserved_space;
  268. if (rootfs_info.file_name == NULL) {
  269. ERR("no rootfs image specified");
  270. return -1;
  271. }
  272. ret = get_file_stat(&rootfs_info);
  273. if (ret)
  274. return ret;
  275. if (rootfs_align) {
  276. kernel_len += sizeof(struct fw_header);
  277. rootfs_ofs = ALIGN(kernel_len, rootfs_align);
  278. kernel_len -= sizeof(struct fw_header);
  279. DBG("rootfs offset aligned to 0x%u", rootfs_ofs);
  280. exceed_bytes = kernel_len + rootfs_info.file_size - (fw_max_len - sizeof(struct fw_header));
  281. if (exceed_bytes > 0) {
  282. ERR("images are too big by %i bytes", exceed_bytes);
  283. return -1;
  284. }
  285. } else {
  286. exceed_bytes = kernel_info.file_size - (rootfs_ofs - sizeof(struct fw_header));
  287. if (exceed_bytes > 0) {
  288. ERR("kernel image is too big by %i bytes", exceed_bytes);
  289. return -1;
  290. }
  291. exceed_bytes = rootfs_info.file_size - (fw_max_len - rootfs_ofs);
  292. if (exceed_bytes > 0) {
  293. ERR("rootfs image is too big by %i bytes", exceed_bytes);
  294. return -1;
  295. }
  296. }
  297. }
  298. if (ofname == NULL) {
  299. ERR("no output file specified");
  300. return -1;
  301. }
  302. ret = sscanf(fw_ver, "%d.%d.%d", &fw_ver_hi, &fw_ver_mid, &fw_ver_lo);
  303. if (ret != 3) {
  304. ERR("invalid firmware version '%s'", fw_ver);
  305. return -1;
  306. }
  307. if (opt_hdr_ver == 1) {
  308. hdr_ver = HEADER_VERSION_V1;
  309. } else if (opt_hdr_ver == 2) {
  310. hdr_ver = HEADER_VERSION_V2;
  311. } else {
  312. ERR("invalid header version '%u'", opt_hdr_ver);
  313. return -1;
  314. }
  315. return 0;
  316. }
  317. void fill_header(char *buf, int len)
  318. {
  319. struct fw_header *hdr = (struct fw_header *)buf;
  320. memset(hdr, 0, sizeof(struct fw_header));
  321. hdr->version = htonl(hdr_ver);
  322. strncpy(hdr->vendor_name, vendor, sizeof(hdr->vendor_name));
  323. strncpy(hdr->fw_version, version, sizeof(hdr->fw_version));
  324. hdr->hw_id = htonl(hw_id);
  325. hdr->hw_rev = htonl(hw_rev);
  326. hdr->kernel_la = htonl(kernel_la);
  327. hdr->kernel_ep = htonl(kernel_ep);
  328. hdr->kernel_ofs = htonl(sizeof(struct fw_header));
  329. hdr->kernel_len = htonl(kernel_len);
  330. if (!combined) {
  331. if (boot_info.file_size == 0)
  332. memcpy(hdr->md5sum1, md5salt_normal, sizeof(hdr->md5sum1));
  333. else
  334. memcpy(hdr->md5sum1, md5salt_boot, sizeof(hdr->md5sum1));
  335. hdr->fw_length = htonl(layout->fw_max_len);
  336. hdr->rootfs_ofs = htonl(rootfs_ofs);
  337. hdr->rootfs_len = htonl(rootfs_info.file_size);
  338. }
  339. if (combined && rootfs_ofs_calc) {
  340. hdr->rootfs_ofs = htonl(sizeof(struct fw_header) + kernel_len);
  341. }
  342. hdr->ver_hi = htons(fw_ver_hi);
  343. hdr->ver_mid = htons(fw_ver_mid);
  344. hdr->ver_lo = htons(fw_ver_lo);
  345. if (region) {
  346. hdr->region_code = htonl(region->code);
  347. snprintf(
  348. hdr->region_str1, sizeof(hdr->region_str1), "00000000;%02X%02X%02X%02X;",
  349. region->name[0], region->name[1], region->name[2], region->name[3]
  350. );
  351. snprintf(
  352. hdr->region_str2, sizeof(hdr->region_str2), "%02X%02X%02X%02X",
  353. region->name[0], region->name[1], region->name[2], region->name[3]
  354. );
  355. }
  356. if (endian_swap) {
  357. hdr->kernel_la = bswap_32(hdr->kernel_la);
  358. hdr->kernel_ep = bswap_32(hdr->kernel_ep);
  359. }
  360. if (!combined)
  361. get_md5(buf, len, hdr->md5sum1);
  362. }
  363. static int inspect_fw(void)
  364. {
  365. char *buf;
  366. struct fw_header *hdr;
  367. uint8_t md5sum[MD5SUM_LEN];
  368. int ret = EXIT_FAILURE;
  369. buf = malloc(inspect_info.file_size);
  370. if (!buf) {
  371. ERR("no memory for buffer!\n");
  372. goto out;
  373. }
  374. ret = read_to_buf(&inspect_info, buf);
  375. if (ret)
  376. goto out_free_buf;
  377. hdr = (struct fw_header *)buf;
  378. inspect_fw_pstr("File name", inspect_info.file_name);
  379. inspect_fw_phexdec("File size", inspect_info.file_size);
  380. if ((ntohl(hdr->version) != HEADER_VERSION_V1) &&
  381. (ntohl(hdr->version) != HEADER_VERSION_V2)) {
  382. ERR("file does not seem to have V1/V2 header!\n");
  383. goto out_free_buf;
  384. }
  385. inspect_fw_phexdec("Version 1 Header size", sizeof(struct fw_header));
  386. memcpy(md5sum, hdr->md5sum1, sizeof(md5sum));
  387. if (ntohl(hdr->boot_len) == 0)
  388. memcpy(hdr->md5sum1, md5salt_normal, sizeof(md5sum));
  389. else
  390. memcpy(hdr->md5sum1, md5salt_boot, sizeof(md5sum));
  391. get_md5(buf, inspect_info.file_size, hdr->md5sum1);
  392. if (memcmp(md5sum, hdr->md5sum1, sizeof(md5sum))) {
  393. inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(*ERROR*)");
  394. inspect_fw_pmd5sum(" --> expected", hdr->md5sum1, "");
  395. } else {
  396. inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(ok)");
  397. }
  398. if (ntohl(hdr->unk2) != 0)
  399. inspect_fw_phexdec("Unknown value 2", hdr->unk2);
  400. inspect_fw_pmd5sum("Header MD5Sum2", hdr->md5sum2,
  401. "(purpose yet unknown, unchecked here)");
  402. if (ntohl(hdr->unk3) != 0)
  403. inspect_fw_phexdec("Unknown value 3", hdr->unk3);
  404. printf("\n");
  405. inspect_fw_pstr("Vendor name", hdr->vendor_name);
  406. inspect_fw_pstr("Firmware version", hdr->fw_version);
  407. inspect_fw_phex("Hardware ID", ntohl(hdr->hw_id));
  408. inspect_fw_phex("Hardware Revision", ntohl(hdr->hw_rev));
  409. inspect_fw_phex("Region code", ntohl(hdr->region_code));
  410. printf("\n");
  411. inspect_fw_phexdec("Kernel data offset",
  412. ntohl(hdr->kernel_ofs));
  413. inspect_fw_phexdec("Kernel data length",
  414. ntohl(hdr->kernel_len));
  415. inspect_fw_phex("Kernel load address",
  416. ntohl(hdr->kernel_la));
  417. inspect_fw_phex("Kernel entry point",
  418. ntohl(hdr->kernel_ep));
  419. inspect_fw_phexdec("Rootfs data offset",
  420. ntohl(hdr->rootfs_ofs));
  421. inspect_fw_phexdec("Rootfs data length",
  422. ntohl(hdr->rootfs_len));
  423. inspect_fw_phexdec("Boot loader data offset",
  424. ntohl(hdr->boot_ofs));
  425. inspect_fw_phexdec("Boot loader data length",
  426. ntohl(hdr->boot_len));
  427. inspect_fw_phexdec("Total firmware length",
  428. ntohl(hdr->fw_length));
  429. if (extract) {
  430. FILE *fp;
  431. char *filename;
  432. printf("\n");
  433. filename = malloc(strlen(inspect_info.file_name) + 8);
  434. sprintf(filename, "%s-kernel", inspect_info.file_name);
  435. printf("Extracting kernel to \"%s\"...\n", filename);
  436. fp = fopen(filename, "w");
  437. if (fp) {
  438. if (!fwrite(buf + ntohl(hdr->kernel_ofs),
  439. ntohl(hdr->kernel_len), 1, fp)) {
  440. ERR("error in fwrite(): %s", strerror(errno));
  441. }
  442. fclose(fp);
  443. } else {
  444. ERR("error in fopen(): %s", strerror(errno));
  445. }
  446. free(filename);
  447. filename = malloc(strlen(inspect_info.file_name) + 8);
  448. sprintf(filename, "%s-rootfs", inspect_info.file_name);
  449. printf("Extracting rootfs to \"%s\"...\n", filename);
  450. fp = fopen(filename, "w");
  451. if (fp) {
  452. if (!fwrite(buf + ntohl(hdr->rootfs_ofs),
  453. ntohl(hdr->rootfs_len), 1, fp)) {
  454. ERR("error in fwrite(): %s", strerror(errno));
  455. }
  456. fclose(fp);
  457. } else {
  458. ERR("error in fopen(): %s", strerror(errno));
  459. }
  460. free(filename);
  461. }
  462. out_free_buf:
  463. free(buf);
  464. out:
  465. return ret;
  466. }
  467. int main(int argc, char *argv[])
  468. {
  469. int ret = EXIT_FAILURE;
  470. progname = basename(argv[0]);
  471. while ( 1 ) {
  472. int c;
  473. c = getopt(argc, argv, "a:H:E:F:L:m:V:N:W:C:ci:k:r:R:o:OxX:ehsjv:");
  474. if (c == -1)
  475. break;
  476. switch (c) {
  477. case 'a':
  478. sscanf(optarg, "0x%x", &rootfs_align);
  479. break;
  480. case 'H':
  481. opt_hw_id = optarg;
  482. break;
  483. case 'E':
  484. sscanf(optarg, "0x%x", &kernel_ep);
  485. break;
  486. case 'F':
  487. layout_id = optarg;
  488. break;
  489. case 'W':
  490. opt_hw_rev = optarg;
  491. break;
  492. case 'C':
  493. country = optarg;
  494. break;
  495. case 'L':
  496. sscanf(optarg, "0x%x", &kernel_la);
  497. break;
  498. case 'm':
  499. sscanf(optarg, "%u", &opt_hdr_ver);
  500. break;
  501. case 'V':
  502. version = optarg;
  503. break;
  504. case 'v':
  505. fw_ver = optarg;
  506. break;
  507. case 'N':
  508. vendor = optarg;
  509. break;
  510. case 'c':
  511. combined++;
  512. break;
  513. case 'k':
  514. kernel_info.file_name = optarg;
  515. break;
  516. case 'r':
  517. rootfs_info.file_name = optarg;
  518. break;
  519. case 'R':
  520. sscanf(optarg, "0x%x", &rootfs_ofs);
  521. break;
  522. case 'o':
  523. ofname = optarg;
  524. break;
  525. case 'O':
  526. rootfs_ofs_calc = 1;
  527. break;
  528. case 's':
  529. strip_padding = 1;
  530. break;
  531. case 'i':
  532. inspect_info.file_name = optarg;
  533. break;
  534. case 'j':
  535. add_jffs2_eof = 1;
  536. break;
  537. case 'x':
  538. extract = 1;
  539. break;
  540. case 'e':
  541. endian_swap = true;
  542. break;
  543. case 'h':
  544. usage(EXIT_SUCCESS);
  545. break;
  546. case 'X':
  547. sscanf(optarg, "0x%x", &reserved_space);
  548. break;
  549. default:
  550. usage(EXIT_FAILURE);
  551. break;
  552. }
  553. }
  554. ret = check_options();
  555. if (ret)
  556. goto out;
  557. if (!inspect_info.file_name)
  558. ret = build_fw(sizeof(struct fw_header));
  559. else
  560. ret = inspect_fw();
  561. out:
  562. return ret;
  563. }