#include <errno.h>
#include <sys/stat.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+
#include "md5.h"
-#if (__BYTE_ORDER == __BIG_ENDIAN)
-# define HOST_TO_BE32(x) (x)
-# define BE32_TO_HOST(x) (x)
-#else
-# define HOST_TO_BE32(x) bswap_32(x)
-# define BE32_TO_HOST(x) bswap_32(x)
-#endif
+#define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
#define HEADER_VERSION_V1 0x01000000
+#define HWID_TL_MR3220_V1 0x32200001
+#define HWID_TL_MR3420_V1 0x34200001
#define HWID_TL_WA901ND_V1 0x09010001
+#define HWID_TL_WA901ND_V2 0x09010002
+#define HWID_TL_WR703N_V1 0x07030101
#define HWID_TL_WR741ND_V1 0x07410001
+#define HWID_TL_WR741ND_V4 0x07410004
+#define HWID_TL_WR740N_V1 0x07400001
+#define HWID_TL_WR740N_V3 0x07400003
+#define HWID_TL_WR743ND_V1 0x07430001
#define HWID_TL_WR841N_V1_5 0x08410002
#define HWID_TL_WR841ND_V3 0x08410003
#define HWID_TL_WR841ND_V5 0x08410005
+#define HWID_TL_WR841ND_V7 0x08410007
#define HWID_TL_WR941ND_V2 0x09410002
#define HWID_TL_WR941ND_V4 0x09410004
#define HWID_TL_WR1043ND_V1 0x10430001
static char *board_id;
static struct board_info *board;
static struct file_info kernel_info;
+static uint32_t kernel_la = 0;
+static uint32_t kernel_ep = 0;
+static uint32_t kernel_len = 0;
static struct file_info rootfs_info;
+static uint32_t rootfs_ofs = 0;
+static uint32_t rootfs_align;
static struct file_info boot_info;
static int combined;
static int strip_padding;
+static struct file_info inspect_info;
+static int extract = 0;
+
char md5salt_normal[MD5SUM_LEN] = {
0xdc, 0xd7, 0x3a, 0xa5, 0xc3, 0x95, 0x98, 0xfb,
0xdd, 0xf9, 0xe7, 0xf4, 0x0e, 0xae, 0x47, 0x38,
static struct board_info boards[] = {
{
+ .id = "TL-MR3220v1",
+ .hw_id = HWID_TL_MR3220_V1,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-MR3420v1",
+ .hw_id = HWID_TL_MR3420_V1,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
+ }, {
.id = "TL-WA901NDv1",
.hw_id = HWID_TL_WA901ND_V1,
.hw_rev = 1,
.kernel_la = 0x80060000,
.kernel_ep = 0x80060000,
.rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WA901NDv2",
+ .hw_id = HWID_TL_WA901ND_V2,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
}, {
.id = "TL-WR741NDv1",
.hw_id = HWID_TL_WR741ND_V1,
.kernel_la = 0x80060000,
.kernel_ep = 0x80060000,
.rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WR741NDv4",
+ .hw_id = HWID_TL_WR741ND_V4,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x100000,
+ }, {
+ .id = "TL-WR740Nv1",
+ .hw_id = HWID_TL_WR740N_V1,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WR740Nv3",
+ .hw_id = HWID_TL_WR740N_V3,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WR743NDv1",
+ .hw_id = HWID_TL_WR743ND_V1,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
}, {
.id = "TL-WR841Nv1.5",
.hw_id = HWID_TL_WR841N_V1_5,
.kernel_la = 0x80060000,
.kernel_ep = 0x80060000,
.rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WR841NDv7",
+ .hw_id = HWID_TL_WR841ND_V7,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x140000,
}, {
.id = "TL-WR941NDv2",
.hw_id = HWID_TL_WR941ND_V2,
.kernel_la = 0x80060000,
.kernel_ep = 0x80060000,
.rootfs_ofs = 0x140000,
+ }, {
+ .id = "TL-WR703Nv1",
+ .hw_id = HWID_TL_WR703N_V1,
+ .hw_rev = 1,
+ .fw_max_len = 0x3c0000,
+ .kernel_la = 0x80060000,
+ .kernel_ep = 0x80060000,
+ .rootfs_ofs = 0x100000,
}, {
/* terminating entry */
}
return ret;
}
+static struct board_info *find_board_by_hwid(uint32_t hw_id)
+{
+ struct board_info *board;
+
+ for (board = boards; board->id != NULL; board++) {
+ if (hw_id == board->hw_id)
+ return board;
+ };
+
+ return NULL;
+}
+
+
static void usage(int status)
{
FILE *stream = (status != EXIT_SUCCESS) ? stderr : stdout;
"Options:\n"
" -B <board> create image for the board specified with <board>\n"
" -c use combined kernel image\n"
+" -E <ep> overwrite kernel entry point with <ep> (hexval prefixed with 0x)\n"
+" -L <la> overwrite kernel load address with <la> (hexval prefixed with 0x)\n"
" -k <file> read kernel image from the file <file>\n"
" -r <file> read rootfs image from the file <file>\n"
+" -a <align> align the rootfs start on an <align> bytes boundary\n"
+" -R <offset> overwrite rootfs offset with <offset> (hexval prefixed with 0x)\n"
" -o <file> write output to the file <file>\n"
" -s strip padding from the end of the image\n"
" -N <vendor> set image vendor to <vendor>\n"
" -V <version> set image version to <version>\n"
+" -i <file> inspect given firmware file <file>\n"
+" -x extract kernel and rootfs while inspecting (requires -i)\n"
" -h show this screen\n"
);
{
int ret;
+ if (inspect_info.file_name) {
+ ret = get_file_stat(&inspect_info);
+ if (ret)
+ return ret;
+
+ return 0;
+ } else if (extract) {
+ ERR("no firmware for inspection specified");
+ return -1;
+ }
+
if (board_id == NULL) {
ERR("no board specified");
return -1;
ERR("unknown/unsupported board id \"%s\"", board_id);
return -1;
}
+ if (!kernel_la)
+ kernel_la = board->kernel_la;
+ if (!kernel_ep)
+ kernel_ep = board->kernel_ep;
+ if (!rootfs_ofs)
+ rootfs_ofs = board->rootfs_ofs;
if (kernel_info.file_name == NULL) {
ERR("no kernel image specified");
if (ret)
return ret;
+ kernel_len = kernel_info.file_size;
+
if (combined) {
if (kernel_info.file_size >
board->fw_max_len - sizeof(struct fw_header)) {
return -1;
}
} else {
- if (kernel_info.file_size >
- board->rootfs_ofs - sizeof(struct fw_header)) {
- ERR("kernel image is too big");
- return -1;
- }
if (rootfs_info.file_name == NULL) {
ERR("no rootfs image specified");
return -1;
if (ret)
return ret;
- if (rootfs_info.file_size >
- (board->fw_max_len - board->rootfs_ofs)) {
- ERR("rootfs image is too big");
- return -1;
+ if (rootfs_align) {
+ kernel_len += sizeof(struct fw_header);
+ kernel_len = ALIGN(kernel_len, rootfs_align);
+ kernel_len -= sizeof(struct fw_header);
+
+ DBG("kernel length aligned to %u", kernel_len);
+
+ if (kernel_len + rootfs_info.file_size >
+ board->fw_max_len - sizeof(struct fw_header)) {
+ ERR("images are too big");
+ return -1;
+ }
+ } else {
+ if (kernel_info.file_size >
+ rootfs_ofs - sizeof(struct fw_header)) {
+ ERR("kernel image is too big");
+ return -1;
+ }
+
+ if (rootfs_info.file_size >
+ (board->fw_max_len - rootfs_ofs)) {
+ ERR("rootfs image is too big");
+ return -1;
+ }
}
}
memset(hdr, 0, sizeof(struct fw_header));
- hdr->version = HOST_TO_BE32(HEADER_VERSION_V1);
+ hdr->version = htonl(HEADER_VERSION_V1);
strncpy(hdr->vendor_name, vendor, sizeof(hdr->vendor_name));
strncpy(hdr->fw_version, version, sizeof(hdr->fw_version));
- hdr->hw_id = HOST_TO_BE32(board->hw_id);
- hdr->hw_rev = HOST_TO_BE32(board->hw_rev);
+ hdr->hw_id = htonl(board->hw_id);
+ hdr->hw_rev = htonl(board->hw_rev);
if (boot_info.file_size == 0)
memcpy(hdr->md5sum1, md5salt_normal, sizeof(hdr->md5sum1));
else
memcpy(hdr->md5sum1, md5salt_boot, sizeof(hdr->md5sum1));
- hdr->kernel_la = HOST_TO_BE32(board->kernel_la);
- hdr->kernel_ep = HOST_TO_BE32(board->kernel_ep);
- hdr->fw_length = HOST_TO_BE32(board->fw_max_len);
- hdr->kernel_ofs = HOST_TO_BE32(sizeof(struct fw_header));
- hdr->kernel_len = HOST_TO_BE32(kernel_info.file_size);
+ hdr->kernel_la = htonl(kernel_la);
+ hdr->kernel_ep = htonl(kernel_ep);
+ hdr->fw_length = htonl(board->fw_max_len);
+ hdr->kernel_ofs = htonl(sizeof(struct fw_header));
+ hdr->kernel_len = htonl(kernel_len);
if (!combined) {
- hdr->rootfs_ofs = HOST_TO_BE32(board->rootfs_ofs);
- hdr->rootfs_len = HOST_TO_BE32(rootfs_info.file_size);
+ hdr->rootfs_ofs = htonl(rootfs_ofs);
+ hdr->rootfs_len = htonl(rootfs_info.file_size);
}
get_md5(buf, len, hdr->md5sum1);
if (ret)
goto out_free_buf;
- writelen = kernel_info.file_size;
+ writelen = sizeof(struct fw_header) + kernel_len;
if (!combined) {
- p = buf + board->rootfs_ofs;
+ if (rootfs_align)
+ p = buf + writelen;
+ else
+ p = buf + rootfs_ofs;
ret = read_to_buf(&rootfs_info, p);
if (ret)
goto out_free_buf;
- writelen = board->rootfs_ofs + rootfs_info.file_size;
+ if (rootfs_align)
+ writelen += rootfs_info.file_size;
+ else
+ writelen = rootfs_ofs + rootfs_info.file_size;
}
if (!strip_padding)
return ret;
}
+/* Helper functions to inspect_fw() representing different output formats */
+static inline void inspect_fw_pstr(char *label, char *str)
+{
+ printf("%-23s: %s\n", label, str);
+}
+
+static inline void inspect_fw_phex(char *label, uint32_t val)
+{
+ printf("%-23s: 0x%08x\n", label, val);
+}
+
+static inline void inspect_fw_phexpost(char *label,
+ uint32_t val, char *post)
+{
+ printf("%-23s: 0x%08x (%s)\n", label, val, post);
+}
+
+static inline void inspect_fw_phexdef(char *label,
+ uint32_t val, uint32_t defval)
+{
+ printf("%-23s: 0x%08x ", label, val);
+
+ if (val == defval)
+ printf("(== OpenWrt default)\n");
+ else
+ printf("(OpenWrt default: 0x%08x)\n", defval);
+}
+
+static inline void inspect_fw_phexexp(char *label,
+ uint32_t val, uint32_t expval)
+{
+ printf("%-23s: 0x%08x ", label, val);
+
+ if (val == expval)
+ printf("(ok)\n");
+ else
+ printf("(expected: 0x%08x)\n", expval);
+}
+
+static inline void inspect_fw_phexdec(char *label, uint32_t val)
+{
+ printf("%-23s: 0x%08x / %8u bytes\n", label, val, val);
+}
+
+static inline void inspect_fw_phexdecdef(char *label,
+ uint32_t val, uint32_t defval)
+{
+ printf("%-23s: 0x%08x / %8u bytes ", label, val, val);
+
+ if (val == defval)
+ printf("(== OpenWrt default)\n");
+ else
+ printf("(OpenWrt default: 0x%08x)\n", defval);
+}
+
+static inline void inspect_fw_pmd5sum(char *label, uint8_t *val, char *text)
+{
+ int i;
+
+ printf("%-23s:", label);
+ for (i=0; i<MD5SUM_LEN; i++)
+ printf(" %02x", val[i]);
+ printf(" %s\n", text);
+}
+
+static int inspect_fw(void)
+{
+ char *buf;
+ struct fw_header *hdr;
+ uint8_t md5sum[MD5SUM_LEN];
+ struct board_info *board;
+ int ret = EXIT_FAILURE;
+
+ buf = malloc(inspect_info.file_size);
+ if (!buf) {
+ ERR("no memory for buffer!\n");
+ goto out;
+ }
+
+ ret = read_to_buf(&inspect_info, buf);
+ if (ret)
+ goto out_free_buf;
+ hdr = (struct fw_header *)buf;
+
+ inspect_fw_pstr("File name", inspect_info.file_name);
+ inspect_fw_phexdec("File size", inspect_info.file_size);
+
+ if (ntohl(hdr->version) != HEADER_VERSION_V1) {
+ ERR("file does not seem to have V1 header!\n");
+ goto out_free_buf;
+ }
+
+ inspect_fw_phexdec("Version 1 Header size", sizeof(struct fw_header));
+
+ if (ntohl(hdr->unk1) != 0)
+ inspect_fw_phexdec("Unknown value 1", hdr->unk1);
+
+ memcpy(md5sum, hdr->md5sum1, sizeof(md5sum));
+ if (ntohl(hdr->boot_len) == 0)
+ memcpy(hdr->md5sum1, md5salt_normal, sizeof(md5sum));
+ else
+ memcpy(hdr->md5sum1, md5salt_boot, sizeof(md5sum));
+ get_md5(buf, inspect_info.file_size, hdr->md5sum1);
+
+ if (memcmp(md5sum, hdr->md5sum1, sizeof(md5sum))) {
+ inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(*ERROR*)");
+ inspect_fw_pmd5sum(" --> expected", hdr->md5sum1, "");
+ } else {
+ inspect_fw_pmd5sum("Header MD5Sum1", md5sum, "(ok)");
+ }
+ if (ntohl(hdr->unk2) != 0)
+ inspect_fw_phexdec("Unknown value 2", hdr->unk2);
+ inspect_fw_pmd5sum("Header MD5Sum2", hdr->md5sum2,
+ "(purpose yet unknown, unchecked here)");
+ if (ntohl(hdr->unk3) != 0)
+ inspect_fw_phexdec("Unknown value 3", hdr->unk3);
+
+ printf("\n");
+
+ inspect_fw_pstr("Vendor name", hdr->vendor_name);
+ inspect_fw_pstr("Firmware version", hdr->fw_version);
+ board = find_board_by_hwid(ntohl(hdr->hw_id));
+ if (board) {
+ inspect_fw_phexpost("Hardware ID",
+ ntohl(hdr->hw_id), board->id);
+ inspect_fw_phexexp("Hardware Revision",
+ ntohl(hdr->hw_rev), board->hw_rev);
+ } else {
+ inspect_fw_phexpost("Hardware ID",
+ ntohl(hdr->hw_id), "unknown");
+ inspect_fw_phex("Hardware Revision",
+ ntohl(hdr->hw_rev));
+ }
+
+ printf("\n");
+
+ inspect_fw_phexdec("Kernel data offset",
+ ntohl(hdr->kernel_ofs));
+ inspect_fw_phexdec("Kernel data length",
+ ntohl(hdr->kernel_len));
+ if (board) {
+ inspect_fw_phexdef("Kernel load address",
+ ntohl(hdr->kernel_la),
+ board->kernel_la);
+ inspect_fw_phexdef("Kernel entry point",
+ ntohl(hdr->kernel_ep),
+ board->kernel_ep);
+ inspect_fw_phexdecdef("Rootfs data offset",
+ ntohl(hdr->rootfs_ofs),
+ board->rootfs_ofs);
+ } else {
+ inspect_fw_phex("Kernel load address",
+ ntohl(hdr->kernel_la));
+ inspect_fw_phex("Kernel entry point",
+ ntohl(hdr->kernel_ep));
+ inspect_fw_phexdec("Rootfs data offset",
+ ntohl(hdr->rootfs_ofs));
+ }
+ inspect_fw_phexdec("Rootfs data length",
+ ntohl(hdr->rootfs_len));
+ inspect_fw_phexdec("Boot loader data offset",
+ ntohl(hdr->boot_ofs));
+ inspect_fw_phexdec("Boot loader data length",
+ ntohl(hdr->boot_len));
+ inspect_fw_phexdec("Total firmware length",
+ ntohl(hdr->fw_length));
+
+ if (extract) {
+ FILE *fp;
+ char *filename;
+
+ printf("\n");
+
+ filename = malloc(strlen(inspect_info.file_name) + 8);
+ sprintf(filename, "%s-kernel", inspect_info.file_name);
+ printf("Extracting kernel to \"%s\"...\n", filename);
+ fp = fopen(filename, "w");
+ if (fp) {
+ if (!fwrite(buf + ntohl(hdr->kernel_ofs),
+ ntohl(hdr->kernel_len), 1, fp)) {
+ ERR("error in fwrite(): %s", strerror(errno));
+ }
+ fclose(fp);
+ } else {
+ ERR("error in fopen(): %s", strerror(errno));
+ }
+ free(filename);
+
+ filename = malloc(strlen(inspect_info.file_name) + 8);
+ sprintf(filename, "%s-rootfs", inspect_info.file_name);
+ printf("Extracting rootfs to \"%s\"...\n", filename);
+ fp = fopen(filename, "w");
+ if (fp) {
+ if (!fwrite(buf + ntohl(hdr->rootfs_ofs),
+ ntohl(hdr->rootfs_len), 1, fp)) {
+ ERR("error in fwrite(): %s", strerror(errno));
+ }
+ fclose(fp);
+ } else {
+ ERR("error in fopen(): %s", strerror(errno));
+ }
+ free(filename);
+ }
+
+ out_free_buf:
+ free(buf);
+ out:
+ return ret;
+}
+
int main(int argc, char *argv[])
{
int ret = EXIT_FAILURE;
while ( 1 ) {
int c;
- c = getopt(argc, argv, "B:V:N:ck:r:o:hs");
+ c = getopt(argc, argv, "a:B:E:L:V:N:ci:k:r:R:o:xhs");
if (c == -1)
break;
switch (c) {
+ case 'a':
+ sscanf(optarg, "0x%x", &rootfs_align);
+ break;
case 'B':
board_id = optarg;
break;
+ case 'E':
+ sscanf(optarg, "0x%x", &kernel_ep);
+ break;
+ case 'L':
+ sscanf(optarg, "0x%x", &kernel_la);
+ break;
case 'V':
version = optarg;
break;
case 'r':
rootfs_info.file_name = optarg;
break;
+ case 'R':
+ sscanf(optarg, "0x%x", &rootfs_ofs);
+ break;
case 'o':
ofname = optarg;
break;
case 's':
strip_padding = 1;
break;
+ case 'i':
+ inspect_info.file_name = optarg;
+ break;
+ case 'x':
+ extract = 1;
+ break;
case 'h':
usage(EXIT_SUCCESS);
break;
if (ret)
goto out;
- ret = build_fw();
+ if (!inspect_info.file_name)
+ ret = build_fw();
+ else
+ ret = inspect_fw();
out:
return ret;