81d9f79f5207320bf8e44f65df651aaf393edb5a
2 * jcgimage - Create a JCG firmware image
4 * Copyright (C) 2015 Reinhard Max <reinhard@m4x.de>
5 * Copyright (C) 2019 Davide Fioravanti <pantanastyle@gmail.com>
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 2
10 * of the License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
24 * JCG firmware update images consist of a 512 byte header and a
25 * modified uImage (details below) as the payload.
27 * The payload is obfuscated by XORing it with a key that is generated
28 * from parts of the header. Fortunately only non-essential parts of
29 * the header are used for this and zeroing them results in a zero
30 * key, effectively disabling the obfuscation and allowing us to use
31 * clear text payloads.
33 * The mandatory parts of the header are:
35 * - A magic string of "YSZJ" at offset 0.
36 * - A value of 1 at offset 39 (header format version?)
37 * - A CRC32 checksum of the payload at offset 504.
38 * - A CRC32 checksum of the header at offset 508.
40 * An image constructed by these rules will be accepted by JCG's
41 * U-Boot in resuce mode via TFTP and the payload will be written to
42 * the flash starting at offset 0x00050000.
44 * JCG's U-Boot does check the content or size of the payload
45 * image. If it is too large, it wraps around and overwrites U-Boot,
46 * requiring JTAG to revive the board. To prevent such bricking from
47 * happening, this tool refuses to build such overlong images.
49 * Using -m is possible to set the maximum size of the payload.
50 * Otherwise the default MAXSIZE will be used.
51 * For an 8Mb flash, the corresponding maxsize is:
52 * 8 * 1024 * 1024 - 5 * 64 * 1024 = 8388608 - 327680 = 8060928
54 * Two more conditions have to be met for a JCG image to be accepted
55 * as a valid update by the web interface of the stock firware:
57 * - The bytes at offsets 109 and 111 in the header must be a binary
58 * representation of the first two components of the firmware
59 * version as displayed in the update web form, or it will be
60 * rejected as "incorrect product".
62 * - The payload must start with a valid uImage header whose data
63 * CRC checksum matches the whole rest of the update file rather
64 * than just the number of bytes specified in the size field of the
67 * This last condition is met by JCG's original firmware images,
68 * because they have both, kernel and rootfs inside the uImage and
69 * abuse the last four bytes of the name field to record the offset of
70 * the file system from the start of the uImage header. This tool
71 * produces such images when called with -k and -r, which are meant to
72 * repack the original firmware after modifying the file systen,
73 * e.g. to add debugging tools and enable shell access.
75 * In contrast, OpenWrt sysupgrade images consist of a uImage that
76 * only contains the kernel and has the rootfs appended to it. Hence,
77 * the CRC over kernel and file system does not match the one in the
78 * uImage header. Fixing this by adjusting the uImage header is not
79 * possible, because it makes the uImage unusable for booting. Instead
80 * we append four "patch" bytes to the end of the file system, that
81 * are calculated to force the checksum of kernel+fs to be the same as
82 * for the kernel alone.
89 #include <sys/types.h>
99 #include <arpa/inet.h>
101 #include <inttypes.h>
104 * JCG Firmware image header
106 #define JH_MAGIC 0x59535a4a /* "YSZJ" */
109 uint8_t jh_version
[32]; /* Firmware version string.
110 Fill with zeros to avoid encryption */
111 uint32_t jh_type
; /* must be 1 */
112 uint8_t jh_info
[64]; /* Firmware info string. Fill with
113 zeros to avoid encryption */
114 uint32_t jh_time
; /* Image creation time in seconds since
115 * the Epoch. Does not seem to be used
116 * by the stock firmware. */
117 uint16_t jh_major
; /* Major fimware version */
118 uint16_t jh_minor
; /* Minor fimrmware version */
119 uint8_t jh_unknown
[392]; /* Apparently unused and all zeros */
120 uint32_t jh_dcrc
; /* CRC checksum of the payload */
121 uint32_t jh_hcrc
; /* CRC checksum of the header */
125 * JCG uses a modified uImage header that replaces the last four bytes
126 * of the image name with the length of the kernel in the image.
128 #define IH_MAGIC 0x27051956 /* Image Magic Number */
129 #define IH_NMLEN 28 /* Image Name Length */
131 struct uimage_header
{
132 uint32_t ih_magic
; /* Image Header Magic Number */
133 uint32_t ih_hcrc
; /* Image Header CRC Checksum */
134 uint32_t ih_time
; /* Image Creation Timestamp */
135 uint32_t ih_size
; /* Image Data Size */
136 uint32_t ih_load
; /* Data Load Address */
137 uint32_t ih_ep
; /* Entry Point Address */
138 uint32_t ih_dcrc
; /* Image Data CRC Checksum */
139 uint8_t ih_os
; /* Operating System */
140 uint8_t ih_arch
; /* CPU architecture */
141 uint8_t ih_type
; /* Image Type */
142 uint8_t ih_comp
; /* Compression Type */
143 uint8_t ih_name
[IH_NMLEN
];/* Image Name */
144 uint32_t ih_fsoff
; /* Offset of the file system
145 partition from the start of
150 * Open the named file and return its size and file descriptor.
151 * Exit in case of errors.
154 opensize(char *name
, size_t *size
)
157 int fd
= open(name
, O_RDONLY
);
159 err(1, "cannot open \"%s\"", name
);
161 if (fstat(fd
, &s
) == -1)
162 err(1, "cannot stat \"%s\"", name
);
168 static time_t source_date_epoch
= -1;
169 static void set_source_date_epoch() {
170 char *env
= getenv("SOURCE_DATE_EPOCH");
174 source_date_epoch
= strtoull(env
, &endptr
, 10);
175 if (errno
|| (endptr
&& *endptr
!= '\0')) {
176 fprintf(stderr
, "Invalid SOURCE_DATE_EPOCH");
183 * Write the JCG header
186 mkjcgheader(struct jcg_header
*h
, size_t psize
, char *version
)
189 uint16_t major
= 0, minor
= 0;
190 void *payload
= (void *)h
+ sizeof(*h
);
193 if (source_date_epoch
!= -1)
194 t
= source_date_epoch
;
195 else if ((time(&t
) == (time_t)(-1)))
196 err(1, "time call failed");
200 if (sscanf(version
, "%hu.%hu", &major
, &minor
) != 2)
201 err(1, "cannot parse version \"%s\"", version
);
203 memset(h
, 0, sizeof(*h
));
204 h
->jh_magic
= htonl(JH_MAGIC
);
205 h
->jh_type
= htonl(1);
206 h
->jh_time
= htonl(t
);
207 h
->jh_major
= htons(major
);
208 h
->jh_minor
= htons(minor
);
210 /* CRC over JCG payload (uImage) */
211 crc
= crc32(0L, Z_NULL
, 0);
212 crc
= crc32(crc
, payload
, psize
);
213 h
->jh_dcrc
= htonl(crc
);
215 /* CRC over JCG header */
216 crc
= crc32(0L, Z_NULL
, 0);
217 crc
= crc32(crc
, (void *)h
, sizeof(*h
));
218 h
->jh_hcrc
= htonl(crc
);
222 * Write the uImage header
225 mkuheader(struct uimage_header
*h
, size_t ksize
, size_t fsize
)
228 void *payload
= (void *)h
+ sizeof(*h
);
230 // printf("mkuheader: %p, %zd, %zd\n", h, ksize, fsize);
231 memset(h
, 0, sizeof(*h
));
232 h
->ih_magic
= htonl(IH_MAGIC
);
233 h
->ih_time
= htonl(time(NULL
));
234 h
->ih_size
= htonl(ksize
+ fsize
);
235 h
->ih_load
= htonl(0x80000000);
236 h
->ih_ep
= htonl(0x80292000);
241 h
->ih_fsoff
= htonl(sizeof(*h
) + ksize
);
242 strcpy((char *)h
->ih_name
, "Linux Kernel Image");
244 /* CRC over uImage payload (kernel and file system) */
245 crc
= crc32(0L, Z_NULL
, 0);
246 crc
= crc32(crc
, payload
, ntohl(h
->ih_size
));
247 h
->ih_dcrc
= htonl(crc
);
248 printf("CRC1: %08lx\n", crc
);
250 /* CRC over uImage header */
251 crc
= crc32(0L, Z_NULL
, 0);
252 crc
= crc32(crc
, (void *)h
, sizeof(*h
));
253 h
->ih_hcrc
= htonl(crc
);
254 printf("CRC2: %08lx\n", crc
);
258 * Calculate a "patch" value and write it into the last four bytes of
259 * buf, so that the CRC32 checksum of the whole buffer is dcrc.
261 * Based on: SAR-PR-2006-05: Reversing CRC – Theory and Practice.
262 * Martin Stigge, Henryk Plötz, Wolf Müller, Jens-Peter Redlich.
263 * http://sar.informatik.hu-berlin.de/research/publications/#SAR-PR-2006-05
266 craftcrc(uint32_t dcrc
, uint8_t *buf
, size_t len
)
271 uint32_t crc
= crc32(0L, Z_NULL
, 0);
274 for (i
= 0; i
< 32; i
++) {
276 patch
= (patch
>> 1) ^ 0xedb88320L
;
281 patch
^= 0x5b358fd3L
;
285 patch
^= ~crc32(crc
, buf
, len
- 4);
286 for (i
= 0; i
< 4; i
++) {
287 buf
[len
- 4 + i
] = patch
& 0xff;
290 /* Verify that we actually get the desired result */
291 crc
= crc32(0L, Z_NULL
, 0);
292 crc
= crc32(crc
, buf
, len
);
294 errx(1, "CRC patching is broken: wanted %08x, but got %08x.",
301 fprintf(stderr
, "Usage:\n"
302 "jcgimage -o outfile -u uImage [-m maxsize] [-v version]\n"
303 "jcgimage -o outfile -k kernel -f rootfs [-m maxsize] [-v version]\n");
307 #define MODE_UNKNOWN 0
308 #define MODE_UIMAGE 1
311 /* The output image must not be larger than 4MiB - 5*64kiB */
312 #define MAXSIZE (size_t)(4 * 1024 * 1024 - 5 * 64 * 1024)
315 main(int argc
, char **argv
)
317 struct jcg_header
*jh
;
318 struct uimage_header
*uh
;
320 char *imagefile
= NULL
;
323 char *version
= NULL
;
324 size_t maxsize
= MAXSIZE
;
326 int mode
= MODE_UNKNOWN
;
328 size_t size1
, size2
, sizeu
, sizeo
, off1
, off2
;
331 /* Make sure the headers have the right size */
332 assert(sizeof(struct jcg_header
) == 512);
333 assert(sizeof(struct uimage_header
) == 64);
334 set_source_date_epoch();
336 while ((c
= getopt(argc
, argv
, "o:k:f:u:v:m:h")) != -1) {
342 if (mode
== MODE_UIMAGE
)
343 errx(1,"-k cannot be combined with -u");
349 if (mode
== MODE_UIMAGE
)
350 errx(1,"-f cannot be combined with -u");
357 errx(1,"-u cannot be combined with -k and -r");
364 maxsize
= strtoimax(optarg
, &endptr
, 10);
376 errx(1, "illegal arg \"%s\"", argv
[optind
]);
378 if (imagefile
== NULL
)
379 errx(1, "no output file specified");
381 if (mode
== MODE_UNKNOWN
)
382 errx(1, "specify either -u or -k and -r");
384 if (mode
== MODE_KR
) {
385 if (file1
== NULL
|| file2
== NULL
)
386 errx(1, "need -k and -r");
388 fd2
= opensize(file2
, &size2
);
390 fd1
= opensize(file1
, &size1
);
391 if (mode
== MODE_UIMAGE
) {
394 sizeo
= sizeof(*jh
) + sizeu
;
396 off1
= sizeof(*jh
) + sizeof(*uh
);
397 off2
= sizeof(*jh
) + sizeof(*uh
) + size1
;
398 sizeu
= sizeof(*uh
) + size1
+ size2
;
399 sizeo
= sizeof(*jh
) + sizeu
;
403 errx(1, "payload too large: %zd > %zd\n", sizeo
, maxsize
);
406 fdo
= open(imagefile
, O_RDWR
| O_CREAT
| O_TRUNC
, 00644);
408 err(1, "cannot open \"%s\"", imagefile
);
411 if (ftruncate(fdo
, sizeo
) == -1)
412 err(1, "cannot grow \"%s\" to %zd bytes", imagefile
, sizeo
);
414 map
= mmap(NULL
, sizeo
, PROT_READ
|PROT_WRITE
, MAP_SHARED
, fdo
, 0);
415 uh
= map
+ sizeof(*jh
);
416 if (map
== MAP_FAILED
)
417 err(1, "cannot mmap \"%s\"", imagefile
);
420 if (read(fd1
, map
+ off1
, size1
) != size1
)
421 err(1, "cannot copy %s", file1
);
424 if (mode
== MODE_KR
) {
425 if (read(fd2
, map
+off2
, size2
) != size2
)
426 err(1, "cannot copy %s", file2
);
428 mkuheader(uh
, size1
, size2
);
429 } else if (mode
== MODE_UIMAGE
)
430 craftcrc(ntohl(uh
->ih_dcrc
), (void*)uh
+ sizeof(*uh
),
431 sizeu
- sizeof(*uh
));
433 mkjcgheader(map
, sizeu
, version
);