summaryrefslogtreecommitdiff
path: root/tools
diff options
context:
space:
mode:
authorblogic <blogic@3c298f89-4303-0410-b956-a3cf2f4a3e73>2013-08-01 14:30:46 +0000
committerblogic <blogic@3c298f89-4303-0410-b956-a3cf2f4a3e73>2013-08-01 14:30:46 +0000
commit9022ccd275f1e6d047f282d3daca247318fd7b00 (patch)
treef48c90c9881ee281ea17b46f44988ba593cee0c1 /tools
parent58d8c082ee240d5c6062cf8afcb35ba13b51ecbc (diff)
ramips: add basics for Poray devices
This commit adds the basic elements to support Poray brand routers. It contains a tool to do the encryption/obfuscation that is used in Poray routers. Support for Poray devices was worked on by: Felix Kaechele <heffer@fedoraproject.org> Luis Soltero <lsoltero@globalmarinenet.com> Michel Stempin <michel.stempin@wanadoo.fr> Signed-off-by: Felix Kaechele <heffer@fedoraproject.org> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37635 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'tools')
-rw-r--r--tools/firmware-utils/Makefile1
-rw-r--r--tools/firmware-utils/src/mkporayfw.c753
2 files changed, 754 insertions, 0 deletions
diff --git a/tools/firmware-utils/Makefile b/tools/firmware-utils/Makefile
index 70edd48df7..c0d577e6b2 100644
--- a/tools/firmware-utils/Makefile
+++ b/tools/firmware-utils/Makefile
@@ -63,6 +63,7 @@ define Host/Compile
$(call cc,seama md5)
$(call cc,fix-u-media-header cyg_crc32,-Wall)
$(call cc,hcsmakeimage bcmalgo)
+ $(call cc,mkporayfw, -Wall)
endef
define Host/Install
diff --git a/tools/firmware-utils/src/mkporayfw.c b/tools/firmware-utils/src/mkporayfw.c
new file mode 100644
index 0000000000..b4d5d78417
--- /dev/null
+++ b/tools/firmware-utils/src/mkporayfw.c
@@ -0,0 +1,753 @@
+/*
+ * Builder/viewer/extractor utility for Poray firmware image files
+ *
+ * Copyright (C) 2013 Michel Stempin <michel.stempin@wanadoo.fr>
+ * Copyright (C) 2013 Felix Kaechele <felix@fetzig.org>
+ * Copyright (C) 2013 <admin@openschemes.com>
+ *
+ * This tool is based on:
+ * TP-Link firmware upgrade tool.
+ * Copyright (C) 2009 Gabor Juhos <juhosg@openwrt.org>
+ *
+ * Itself based on:
+ * TP-Link WR941 V2 firmware checksum fixing tool.
+ * Copyright (C) 2008,2009 Wang Jian <lark@linux.net.cn>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <libgen.h>
+#include <getopt.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+
+#if (__BYTE_ORDER == __BIG_ENDIAN)
+# define HOST_TO_BE32(x) (x)
+# define BE32_TO_HOST(x) (x)
+# define HOST_TO_LE32(x) bswap_32(x)
+# define LE32_TO_HOST(x) bswap_32(x)
+#else
+# define HOST_TO_BE32(x) bswap_32(x)
+# define BE32_TO_HOST(x) bswap_32(x)
+# define HOST_TO_LE32(x) (x)
+# define LE32_TO_HOST(x) (x)
+#endif
+
+/* Fixed header flags */
+#define HEADER_FLAGS 0x020e0000
+
+/* Recognized Hardware ID magic */
+#define HWID_HAME_MPR_A1_L8 0x32473352
+#define HWID_PORAY_R50B 0x31353033
+#define HWID_PORAY_R50D 0x33353033
+#define HWID_PORAY_R50E 0x34353033
+#define HWID_PORAY_M3 0x31353335
+#define HWID_PORAY_M4 0x32353335
+#define HWID_PORAY_Q3 0x33353335
+#define HWID_PORAY_X5_X6 0x35353335
+#define HWID_PORAY_X8 0x36353335
+#define HWID_PORAY_X1 0x38353335
+
+/* Recognized XOR obfuscation keys */
+#define KEY_HAME 0
+#define KEY_PORAY_1 1
+#define KEY_PORAY_2 2
+#define KEY_PORAY_3 3
+#define KEY_PORAY_4 4
+
+/* XOR key length */
+#define KEY_LEN 15
+
+struct file_info {
+ char *file_name; /* Name of the file */
+ uint32_t file_size; /* Length of the file */
+};
+
+struct fw_header {
+ uint32_t hw_id; /* Hardware id */
+ uint32_t firmware_len; /* Firmware data length */
+ uint32_t flags; /* Header flags */
+ uint8_t pad[16];
+} __attribute__ ((packed));
+
+struct flash_layout {
+ char *id;
+ uint32_t fw_max_len;
+};
+
+struct board_info {
+ char *id;
+ uint32_t hw_id;
+ char *layout_id;
+ uint32_t key;
+};
+
+/*
+ * Globals
+ */
+static char *ofname;
+static char *progname;
+
+static char *board_id;
+static struct board_info *board;
+static char *layout_id;
+static struct flash_layout *layout;
+static char *opt_hw_id;
+static uint32_t hw_id;
+static struct file_info firmware_info;
+static uint32_t firmware_len = 0;
+
+static int inspect = 0;
+static int extract = 0;
+
+static uint8_t key[][KEY_LEN] = {
+ {0xC8, 0x3C, 0x3A, 0x93, 0xA2, 0x95, 0xC3, 0x63, 0x48, 0x45, 0x58, 0x09, 0x12, 0x03, 0x08},
+ {0x89, 0x6B, 0x5A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
+ {0xC9, 0x1C, 0x3A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
+ {0x19, 0x1B, 0x3A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
+ {0x79, 0x7B, 0x7A, 0x93, 0x92, 0x95, 0xC3, 0x63, 0xD0, 0xA3, 0x9C, 0x92, 0x2E, 0xE6, 0xC7},
+};
+
+static struct flash_layout layouts[] = {
+ {
+ .id = "4M",
+ .fw_max_len = 0x3c0000,
+ }, {
+ .id = "8M",
+ .fw_max_len = 0x7c0000,
+ }, {
+ /* terminating entry */
+ }
+};
+
+static struct board_info boards[] = {
+ {
+ .id = "MPR-A1",
+ .hw_id = HWID_HAME_MPR_A1_L8,
+ .layout_id = "4M",
+ .key = KEY_HAME,
+ }, {
+ .id = "MPR-L8",
+ .hw_id = HWID_HAME_MPR_A1_L8,
+ .layout_id = "4M",
+ .key = KEY_HAME,
+ }, {
+ .id = "R50B",
+ .hw_id = HWID_PORAY_R50B,
+ .layout_id = "4M",
+ .key = KEY_PORAY_2,
+ }, {
+ .id = "R50D",
+ .hw_id = HWID_PORAY_R50D,
+ .layout_id = "4M",
+ .key = KEY_PORAY_3,
+ }, {
+ .id = "R50E",
+ .hw_id = HWID_PORAY_R50E,
+ .layout_id = "4M",
+ .key = KEY_PORAY_4,
+ }, {
+ .id = "M3",
+ .hw_id = HWID_PORAY_M3,
+ .layout_id = "4M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "M4",
+ .hw_id = HWID_PORAY_M4,
+ .layout_id = "4M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "Q3",
+ .hw_id = HWID_PORAY_Q3,
+ .layout_id = "4M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "X5 or X6",
+ .hw_id = HWID_PORAY_X5_X6,
+ .layout_id = "8M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "X5",
+ .hw_id = HWID_PORAY_X5_X6,
+ .layout_id = "8M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "X6",
+ .hw_id = HWID_PORAY_X5_X6,
+ .layout_id = "8M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "X8",
+ .hw_id = HWID_PORAY_X8,
+ .layout_id = "8M",
+ .key = KEY_PORAY_1,
+ }, {
+ .id = "X1",
+ .hw_id = HWID_PORAY_X1,
+ .layout_id = "8M",
+ .key = KEY_PORAY_1,
+ }, {
+ /* terminating entry */
+ }
+};
+
+/*
+ * Message macros
+ */
+#define ERR(fmt, ...) do { \
+ fflush(0); \
+ fprintf(stderr, "[%s] *** error: " fmt "\n", \
+ progname, ## __VA_ARGS__ ); \
+} while (0)
+
+#define ERRS(fmt, ...) do { \
+ int save = errno; \
+ fflush(0); \
+ fprintf(stderr, "[%s] *** error: " fmt ":%s\n", \
+ progname, ## __VA_ARGS__, strerror(save)); \
+} while (0)
+
+#define DBG(fmt, ...) do { \
+ fprintf(stderr, "[%s] " fmt "\n", progname, ## __VA_ARGS__ ); \
+} while (0)
+
+/*
+ * Find a board by its name
+ */
+static struct board_info *find_board(char *id)
+{
+ struct board_info *ret;
+ struct board_info *board;
+
+ ret = NULL;
+ for (board = boards; board->id != NULL; board++){
+ if (strcasecmp(id, board->id) == 0) {
+ ret = board;
+ break;
+ }
+ };
+
+ return ret;
+}
+
+/*
+ * Find a board by its hardware ID
+ */
+static struct board_info *find_board_by_hwid(uint32_t hw_id)
+{
+ struct board_info *board;
+
+ for (board = boards; board->id != NULL; board++) {
+ if (hw_id == board->hw_id)
+ return board;
+ };
+
+ return NULL;
+}
+
+/*
+ * Find a Flash memory layout by its name
+ */
+static struct flash_layout *find_layout(char *id)
+{
+ struct flash_layout *ret;
+ struct flash_layout *l;
+
+ ret = NULL;
+ for (l = layouts; l->id != NULL; l++){
+ if (strcasecmp(id, l->id) == 0) {
+ ret = l;
+ break;
+ }
+ };
+
+ return ret;
+}
+
+/*
+ * Display usage
+ */
+static void usage(int status)
+{
+ FILE *stream = (status != EXIT_SUCCESS) ? stderr : stdout;
+
+ fprintf(stream, "Usage: %s [OPTIONS...]\n", progname);
+ fprintf(stream,
+"\n"
+"Options:\n"
+" -B <board> create image for the board specified with <board>\n"
+" -H <hwid> use hardware id specified with <hwid>\n"
+" -F <id> use flash layout specified with <id>\n"
+" -f <file> read firmware image from the file <file>\n"
+" -o <file> write output to the file <file>\n"
+" -i inspect given firmware file (requires -f)\n"
+" -x extract combined kernel and rootfs while inspecting (implies -i)\n"
+" -h show this screen\n"
+ );
+
+ exit(status);
+}
+
+/*
+ * Get file statistics
+ */
+static int get_file_stat(struct file_info *fdata)
+{
+ struct stat st;
+ int res;
+
+ if (fdata->file_name == NULL) {
+ return 0;
+ }
+ res = stat(fdata->file_name, &st);
+ if (res){
+ ERRS("stat failed on %s", fdata->file_name);
+ return res;
+ }
+
+ fdata->file_size = st.st_size;
+ return 0;
+}
+
+/*
+ * Read file into buffer
+ */
+static int read_to_buf(struct file_info *fdata, uint8_t *buf)
+{
+ FILE *f;
+ int ret = EXIT_FAILURE;
+
+ f = fopen(fdata->file_name, "rb");
+ if (f == NULL) {
+ ERRS("could not open \"%s\" for reading", fdata->file_name);
+ goto out;
+ }
+
+ errno = 0;
+ fread(buf, fdata->file_size, 1, f);
+ if (errno != 0) {
+ ERRS("unable to read from file \"%s\"", fdata->file_name);
+ goto out_close;
+ }
+
+ ret = EXIT_SUCCESS;
+
+ out_close:
+ fclose(f);
+ out:
+ return ret;
+}
+
+/*
+ * Check command line options
+ */
+static int check_options(void)
+{
+ int ret;
+
+ if (firmware_info.file_name == NULL) {
+ ERR("no firmware image specified");
+ return -1;
+ }
+
+ ret = get_file_stat(&firmware_info);
+ if (ret)
+ return ret;
+
+ if (inspect)
+ return 0;
+
+ if (board_id == NULL && opt_hw_id == NULL) {
+ ERR("either board or hardware id must be specified");
+ return -1;
+ }
+
+ if (board_id) {
+ board = find_board(board_id);
+ if (board == NULL) {
+ ERR("unknown/unsupported board id \"%s\"", board_id);
+ return -1;
+ }
+ if (layout_id == NULL) {
+ layout_id = board->layout_id;
+ }
+ hw_id = board->hw_id;
+ } else {
+ hw_id = strtoul(opt_hw_id, NULL, 0);
+ board = find_board_by_hwid(hw_id);
+ if (layout_id == NULL) {
+ layout_id = board->layout_id;
+ }
+ }
+
+ layout = find_layout(layout_id);
+ if (layout == NULL) {
+ ERR("unknown flash layout \"%s\"", layout_id);
+ return -1;
+ }
+
+ firmware_len = firmware_info.file_size;
+
+ if (firmware_info.file_size >
+ layout->fw_max_len - sizeof (struct fw_header)) {
+ ERR("firmware image is too big");
+ return -1;
+ }
+
+ if (ofname == NULL) {
+ ERR("no output file specified");
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Fill in firmware header
+ */
+static void fill_header(uint8_t *buf)
+{
+ struct fw_header *hdr = (struct fw_header *) buf;
+
+ memset(hdr, 0, sizeof (struct fw_header));
+ hdr->hw_id = HOST_TO_LE32(hw_id);
+ hdr->firmware_len = HOST_TO_LE32(firmware_len);
+ hdr->flags = HOST_TO_LE32(HEADER_FLAGS);
+}
+
+/*
+ * Compute firmware checksum
+ */
+static uint16_t checksum_fw(uint8_t *data, int len)
+{
+ int i;
+ int32_t checksum = 0;
+
+ for (i = 0; i < len - 1; i += 2) {
+ checksum += (data[i + 1] << 8) | data[i];
+ }
+ if (i < len) {
+ checksum += data[i];
+ }
+ checksum = checksum + (checksum >> 16) + 0xffff;
+ checksum = ~(checksum + (checksum >> 16)) & 0xffff;
+ return (uint16_t) checksum;
+}
+
+/*
+ * (De)obfuscate firmware using an XOR operation with a fixed length key
+ */
+static void xor_fw(uint8_t *data, int len)
+{
+ int i;
+
+ for (i = 0; i <= len; i++) {
+ data[i] ^= key[board->key][i % KEY_LEN];
+ }
+}
+
+/*
+ * Write firmware to file
+ */
+static int write_fw(uint8_t *data, int len)
+{
+ FILE *f;
+ int ret = EXIT_FAILURE;
+
+ f = fopen(ofname, "wb");
+ if (f == NULL) {
+ ERRS("could not open \"%s\" for writing", ofname);
+ goto out;
+ }
+
+ errno = 0;
+ fwrite(data, len, 1, f);
+ if (errno) {
+ ERRS("unable to write output file");
+ goto out_flush;
+ }
+
+ DBG("firmware file \"%s\" completed", ofname);
+
+ ret = EXIT_SUCCESS;
+
+ out_flush:
+ fflush(f);
+ fclose(f);
+ if (ret != EXIT_SUCCESS) {
+ unlink(ofname);
+ }
+ out:
+ return ret;
+}
+
+/*
+ * Build firmware file
+ */
+static int build_fw(void)
+{
+ int buflen;
+ uint8_t *buf, *p;
+ int ret = EXIT_FAILURE;
+ int writelen = 0;
+ uint16_t checksum;
+
+ buflen = layout->fw_max_len;
+
+ buf = (uint8_t *) malloc(buflen);
+ if (!buf) {
+ ERR("no memory for buffer\n");
+ goto out;
+ }
+
+ memset(buf, 0xff, buflen);
+ p = buf + sizeof (struct fw_header);
+ ret = read_to_buf(&firmware_info, p);
+ if (ret) {
+ goto out_free_buf;
+ }
+ writelen = sizeof (struct fw_header) + firmware_len + 2;
+
+ /* Fill in header */
+ fill_header(buf);
+
+ /* Compute firmware checksum */
+ checksum = checksum_fw(buf + sizeof (struct fw_header), firmware_len);
+
+ /* Cannot use network order function because checksum is not word-aligned */
+ buf[writelen - 1] = checksum >> 8;
+ buf[writelen - 2] = checksum & 0xff;
+
+ /* XOR obfuscate firmware */
+ xor_fw(buf + sizeof (struct fw_header), firmware_len + 2);
+
+ /* Write firmware file */
+ ret = write_fw(buf, writelen);
+ if (ret) {
+ goto out_free_buf;
+ }
+ ret = EXIT_SUCCESS;
+
+ out_free_buf:
+ free(buf);
+ out:
+ return ret;
+}
+
+/* Helper functions to inspect_fw() representing different output formats */
+static inline void inspect_fw_pstr(char *label, char *str)
+{
+ printf("%-23s: %s\n", label, str);
+}
+
+static inline void inspect_fw_phex(char *label, uint32_t val)
+{
+ printf("%-23s: 0x%08x\n", label, val);
+}
+
+static inline void inspect_fw_phexpost(char *label,
+ uint32_t val, char *post)
+{
+ printf("%-23s: 0x%08x (%s)\n", label, val, post);
+}
+
+static inline void inspect_fw_phexdef(char *label,
+ uint32_t val, uint32_t defval)
+{
+ printf("%-23s: 0x%08x ", label, val);
+
+ if (val == defval) {
+ printf("(== OpenWrt default)\n");
+ } else {
+ printf("(OpenWrt default: 0x%08x)\n", defval);
+ }
+}
+
+static inline void inspect_fw_phexexp(char *label,
+ uint32_t val, uint32_t expval)
+{
+ printf("%-23s: 0x%08x ", label, val);
+
+ if (val == expval) {
+ printf("(ok)\n");
+ } else {
+ printf("(expected: 0x%08x)\n", expval);
+ }
+}
+
+static inline void inspect_fw_phexdec(char *label, uint32_t val)
+{
+ printf("%-23s: 0x%08x / %8u bytes\n", label, val, val);
+}
+
+static inline void inspect_fw_pchecksum(char *label,
+ uint16_t val, uint16_t expval)
+{
+ printf("%-23s: 0x%04x ", label, val);
+ if (val == expval) {
+ printf("(ok)\n");
+ } else {
+ printf("(expected: 0x%04x)\n", expval);
+ }
+}
+
+static int inspect_fw(void)
+{
+ uint8_t *buf;
+ struct fw_header *hdr;
+ int ret = EXIT_FAILURE;
+ uint16_t computed_checksum, file_checksum;
+
+ buf = (uint8_t *) malloc(firmware_info.file_size);
+ if (!buf) {
+ ERR("no memory for buffer!\n");
+ goto out;
+ }
+
+ ret = read_to_buf(&firmware_info, buf);
+ if (ret) {
+ goto out_free_buf;
+ }
+ hdr = (struct fw_header *)buf;
+
+ inspect_fw_pstr("File name", firmware_info.file_name);
+ inspect_fw_phexdec("File size", firmware_info.file_size);
+
+ printf("\n");
+
+ inspect_fw_phexdec("Header size", sizeof (struct fw_header));
+ board = find_board_by_hwid(LE32_TO_HOST(hdr->hw_id));
+ if (board) {
+ layout = find_layout(board->layout_id);
+ inspect_fw_phexpost("Hardware ID",
+ LE32_TO_HOST( hdr->hw_id), board->id);
+ } else {
+ inspect_fw_phexpost("Hardware ID",
+ LE32_TO_HOST(hdr->hw_id), "unknown");
+ }
+ inspect_fw_phexdec("Firmware data length",
+ LE32_TO_HOST(hdr->firmware_len));
+
+ inspect_fw_phexexp("Flags",
+ LE32_TO_HOST(hdr->flags), HEADER_FLAGS);
+ printf("\n");
+
+ /* XOR unobfuscate firmware */
+ xor_fw(buf + sizeof (struct fw_header), LE32_TO_HOST(hdr->firmware_len) + 2);
+
+ /* Compute firmware checksum */
+ computed_checksum = checksum_fw(buf + sizeof (struct fw_header), LE32_TO_HOST(hdr->firmware_len));
+
+ /* Cannot use network order function because checksum is not word-aligned */
+ file_checksum = (buf[firmware_info.file_size - 1] << 8) | buf[firmware_info.file_size - 2];
+ inspect_fw_pchecksum("Firmware checksum", computed_checksum, file_checksum);
+
+ /* Verify checksum */
+ if (computed_checksum != file_checksum) {
+ ret = -1;
+ ERR("checksums do not match");
+ goto out_free_buf;
+ }
+
+ printf("\n");
+
+ if (extract) {
+ FILE *fp;
+ char *filename;
+
+ if (ofname == NULL) {
+ filename = malloc(strlen(firmware_info.file_name) + 10);
+ sprintf(filename, "%s-firmware", firmware_info.file_name);
+ } else {
+ filename = ofname;
+ }
+ printf("Extracting firmware to \"%s\"...\n", filename);
+ fp = fopen(filename, "wb");
+ if (fp) {
+ if (!fwrite(buf + sizeof (struct fw_header),
+ LE32_TO_HOST(hdr->firmware_len), 1, fp)) {
+ ERRS("error in fwrite(): %s", strerror(errno));
+ }
+ fclose(fp);
+ } else {
+ ERRS("error in fopen(): %s", strerror(errno));
+ }
+ if (ofname == NULL) {
+ free(filename);
+ }
+ printf("\n");
+ }
+
+ out_free_buf:
+ free(buf);
+ out:
+ return ret;
+}
+
+/*
+ * Main entry point
+ */
+int main(int argc, char *argv[])
+{
+ int ret = EXIT_FAILURE;
+
+ progname = basename(argv[0]);
+
+ int c;
+
+ while ((c = getopt(argc, argv, "B:H:F:f:o:ixh")) != -1) {
+ switch (c) {
+ case 'B':
+ board_id = optarg;
+ break;
+ case 'H':
+ opt_hw_id = optarg;
+ break;
+ case 'F':
+ layout_id = optarg;
+ break;
+ case 'f':
+ firmware_info.file_name = optarg;
+ break;
+ case 'o':
+ ofname = optarg;
+ break;
+ case 'i':
+ inspect = 1;
+ break;
+ case 'x':
+ inspect = 1;
+ extract = 1;
+ break;
+ case 'h':
+ usage(EXIT_SUCCESS);
+ break;
+ default:
+ usage(EXIT_FAILURE);
+ break;
+ }
+ }
+
+ ret = check_options();
+ if (ret) {
+ goto out;
+ }
+ if (!inspect) {
+ ret = build_fw();
+ } else {
+ ret = inspect_fw();
+ }
+
+ out:
+ return ret;
+}