2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
45 #include <arpa/inet.h>
47 #include <sys/types.h>
53 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
56 #define MAX_PARTITIONS 32
58 /** An image partition table entry */
59 struct image_partition_entry
{
65 /** A flash partition table entry */
66 struct flash_partition_entry
{
72 /** Firmware layout description */
76 const char *support_list
;
79 const struct flash_partition_entry partitions
[MAX_PARTITIONS
+1];
80 const char *first_sysupgrade_partition
;
81 const char *last_sysupgrade_partition
;
84 /** The content of the soft-version structure */
85 struct __attribute__((__packed__
)) soft_version
{
89 uint8_t version_major
;
90 uint8_t version_minor
;
91 uint8_t version_patch
;
101 static const uint8_t jffs2_eof_mark
[4] = {0xde, 0xad, 0xc0, 0xde};
105 Salt for the MD5 hash
107 Fortunately, TP-LINK seems to use the same salt for most devices which use
108 the new image format.
110 static const uint8_t md5_salt
[16] = {
111 0x7a, 0x2b, 0x15, 0xed,
112 0x9b, 0x98, 0x59, 0x6d,
113 0xe5, 0x04, 0xab, 0x44,
114 0xac, 0x2a, 0x9f, 0x4e,
118 /** Firmware layout table */
119 static struct device_info boards
[] = {
120 /** Firmware layout for the CPE210/220 */
123 .vendor
= "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
126 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
127 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
128 "CPE210(TP-LINK|US|N300-2):1.1\r\n"
129 "CPE210(TP-LINK|EU|N300-2):1.1\r\n"
130 "CPE220(TP-LINK|UN|N300-2):1.1\r\n"
131 "CPE220(TP-LINK|US|N300-2):1.1\r\n"
132 "CPE220(TP-LINK|EU|N300-2):1.1\r\n",
133 .support_trail
= '\xff',
137 {"fs-uboot", 0x00000, 0x20000},
138 {"partition-table", 0x20000, 0x02000},
139 {"default-mac", 0x30000, 0x00020},
140 {"product-info", 0x31100, 0x00100},
141 {"signature", 0x32000, 0x00400},
142 {"os-image", 0x40000, 0x170000},
143 {"soft-version", 0x1b0000, 0x00100},
144 {"support-list", 0x1b1000, 0x00400},
145 {"file-system", 0x1c0000, 0x600000},
146 {"user-config", 0x7c0000, 0x10000},
147 {"default-config", 0x7d0000, 0x10000},
148 {"log", 0x7e0000, 0x10000},
149 {"radio", 0x7f0000, 0x10000},
153 .first_sysupgrade_partition
= "os-image",
154 .last_sysupgrade_partition
= "file-system",
157 /** Firmware layout for the CPE510/520 */
160 .vendor
= "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
163 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
164 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
165 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
166 "CPE510(TP-LINK|US|N300-5):1.1\r\n"
167 "CPE510(TP-LINK|EU|N300-5):1.1\r\n"
168 "CPE520(TP-LINK|UN|N300-5):1.1\r\n"
169 "CPE520(TP-LINK|US|N300-5):1.1\r\n"
170 "CPE520(TP-LINK|EU|N300-5):1.1\r\n",
171 .support_trail
= '\xff',
175 {"fs-uboot", 0x00000, 0x20000},
176 {"partition-table", 0x20000, 0x02000},
177 {"default-mac", 0x30000, 0x00020},
178 {"product-info", 0x31100, 0x00100},
179 {"signature", 0x32000, 0x00400},
180 {"os-image", 0x40000, 0x170000},
181 {"soft-version", 0x1b0000, 0x00100},
182 {"support-list", 0x1b1000, 0x00400},
183 {"file-system", 0x1c0000, 0x600000},
184 {"user-config", 0x7c0000, 0x10000},
185 {"default-config", 0x7d0000, 0x10000},
186 {"log", 0x7e0000, 0x10000},
187 {"radio", 0x7f0000, 0x10000},
191 .first_sysupgrade_partition
= "os-image",
192 .last_sysupgrade_partition
= "file-system",
197 .vendor
= "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
200 "WBS210(TP-LINK|UN|N300-2):1.20\r\n"
201 "WBS210(TP-LINK|US|N300-2):1.20\r\n"
202 "WBS210(TP-LINK|EU|N300-2):1.20\r\n",
203 .support_trail
= '\xff',
207 {"fs-uboot", 0x00000, 0x20000},
208 {"partition-table", 0x20000, 0x02000},
209 {"default-mac", 0x30000, 0x00020},
210 {"product-info", 0x31100, 0x00100},
211 {"signature", 0x32000, 0x00400},
212 {"os-image", 0x40000, 0x170000},
213 {"soft-version", 0x1b0000, 0x00100},
214 {"support-list", 0x1b1000, 0x00400},
215 {"file-system", 0x1c0000, 0x600000},
216 {"user-config", 0x7c0000, 0x10000},
217 {"default-config", 0x7d0000, 0x10000},
218 {"log", 0x7e0000, 0x10000},
219 {"radio", 0x7f0000, 0x10000},
223 .first_sysupgrade_partition
= "os-image",
224 .last_sysupgrade_partition
= "file-system",
229 .vendor
= "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
232 "WBS510(TP-LINK|UN|N300-5):1.20\r\n"
233 "WBS510(TP-LINK|US|N300-5):1.20\r\n"
234 "WBS510(TP-LINK|EU|N300-5):1.20\r\n",
235 .support_trail
= '\xff',
239 {"fs-uboot", 0x00000, 0x20000},
240 {"partition-table", 0x20000, 0x02000},
241 {"default-mac", 0x30000, 0x00020},
242 {"product-info", 0x31100, 0x00100},
243 {"signature", 0x32000, 0x00400},
244 {"os-image", 0x40000, 0x170000},
245 {"soft-version", 0x1b0000, 0x00100},
246 {"support-list", 0x1b1000, 0x00400},
247 {"file-system", 0x1c0000, 0x600000},
248 {"user-config", 0x7c0000, 0x10000},
249 {"default-config", 0x7d0000, 0x10000},
250 {"log", 0x7e0000, 0x10000},
251 {"radio", 0x7f0000, 0x10000},
255 .first_sysupgrade_partition
= "os-image",
256 .last_sysupgrade_partition
= "file-system",
259 /** Firmware layout for the C2600 */
265 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n",
266 .support_trail
= '\x00',
270 {"SBL1", 0x00000, 0x20000},
271 {"MIBIB", 0x20000, 0x20000},
272 {"SBL2", 0x40000, 0x20000},
273 {"SBL3", 0x60000, 0x30000},
274 {"DDRCONFIG", 0x90000, 0x10000},
275 {"SSD", 0xa0000, 0x10000},
276 {"TZ", 0xb0000, 0x30000},
277 {"RPM", 0xe0000, 0x20000},
278 {"fs-uboot", 0x100000, 0x70000},
279 {"uboot-env", 0x170000, 0x40000},
280 {"radio", 0x1b0000, 0x40000},
281 {"os-image", 0x1f0000, 0x200000},
282 {"file-system", 0x3f0000, 0x1b00000},
283 {"default-mac", 0x1ef0000, 0x00200},
284 {"pin", 0x1ef0200, 0x00200},
285 {"product-info", 0x1ef0400, 0x0fc00},
286 {"partition-table", 0x1f00000, 0x10000},
287 {"soft-version", 0x1f10000, 0x10000},
288 {"support-list", 0x1f20000, 0x10000},
289 {"profile", 0x1f30000, 0x10000},
290 {"default-config", 0x1f40000, 0x10000},
291 {"user-config", 0x1f50000, 0x40000},
292 {"qos-db", 0x1f90000, 0x40000},
293 {"usb-config", 0x1fd0000, 0x10000},
294 {"log", 0x1fe0000, 0x20000},
298 .first_sysupgrade_partition
= "os-image",
299 .last_sysupgrade_partition
= "file-system"
302 /** Firmware layout for the C25v1 */
304 .id
= "ARCHER-C25-V1",
307 "{product_name:ArcherC25,product_ver:1.0.0,special_id:00000000}\n"
308 "{product_name:ArcherC25,product_ver:1.0.0,special_id:55530000}\n"
309 "{product_name:ArcherC25,product_ver:1.0.0,special_id:45550000}\n",
310 .support_trail
= '\x00',
311 .soft_ver
= "soft_ver:1.0.0\n",
314 We use a bigger os-image partition than the stock images (and thus
315 smaller file-system), as our kernel doesn't fit in the stock firmware's
319 {"factory-boot", 0x00000, 0x20000},
320 {"fs-uboot", 0x20000, 0x10000},
321 {"os-image", 0x30000, 0x180000}, /* Stock: base 0x30000 size 0x100000 */
322 {"file-system", 0x1b0000, 0x620000}, /* Stock: base 0x130000 size 0x6a0000 */
323 {"user-config", 0x7d0000, 0x04000},
324 {"default-mac", 0x7e0000, 0x00100},
325 {"device-id", 0x7e0100, 0x00100},
326 {"extra-para", 0x7e0200, 0x00100},
327 {"pin", 0x7e0300, 0x00100},
328 {"support-list", 0x7e0400, 0x00400},
329 {"soft-version", 0x7e0800, 0x00400},
330 {"product-info", 0x7e0c00, 0x01400},
331 {"partition-table", 0x7e2000, 0x01000},
332 {"profile", 0x7e3000, 0x01000},
333 {"default-config", 0x7e4000, 0x04000},
334 {"merge-config", 0x7ec000, 0x02000},
335 {"qos-db", 0x7ee000, 0x02000},
336 {"radio", 0x7f0000, 0x10000},
340 .first_sysupgrade_partition
= "os-image",
341 .last_sysupgrade_partition
= "file-system",
344 /** Firmware layout for the C58v1 */
346 .id
= "ARCHER-C58-V1",
350 "{product_name:Archer C58,product_ver:1.0.0,special_id:00000000}\r\n"
351 "{product_name:Archer C58,product_ver:1.0.0,special_id:45550000}\r\n"
352 "{product_name:Archer C58,product_ver:1.0.0,special_id:55530000}\r\n",
353 .support_trail
= '\x00',
354 .soft_ver
= "soft_ver:1.0.0\n",
357 {"fs-uboot", 0x00000, 0x10000},
358 {"default-mac", 0x10000, 0x00200},
359 {"pin", 0x10200, 0x00200},
360 {"product-info", 0x10400, 0x00100},
361 {"partition-table", 0x10500, 0x00800},
362 {"soft-version", 0x11300, 0x00200},
363 {"support-list", 0x11500, 0x00100},
364 {"device-id", 0x11600, 0x00100},
365 {"profile", 0x11700, 0x03900},
366 {"default-config", 0x15000, 0x04000},
367 {"user-config", 0x19000, 0x04000},
368 {"os-image", 0x20000, 0x150000},
369 {"file-system", 0x170000, 0x678000},
370 {"certyficate", 0x7e8000, 0x08000},
371 {"radio", 0x7f0000, 0x10000},
375 .first_sysupgrade_partition
= "os-image",
376 .last_sysupgrade_partition
= "file-system",
379 /** Firmware layout for the C59v1 */
381 .id
= "ARCHER-C59-V1",
385 "{product_name:Archer C59,product_ver:1.0.0,special_id:00000000}\r\n"
386 "{product_name:Archer C59,product_ver:1.0.0,special_id:45550000}\r\n"
387 "{product_name:Archer C59,product_ver:1.0.0,special_id:52550000}\r\n"
388 "{product_name:Archer C59,product_ver:1.0.0,special_id:55530000}\r\n",
389 .support_trail
= '\x00',
390 .soft_ver
= "soft_ver:1.0.0\n",
393 {"fs-uboot", 0x00000, 0x10000},
394 {"default-mac", 0x10000, 0x00200},
395 {"pin", 0x10200, 0x00200},
396 {"device-id", 0x10400, 0x00100},
397 {"product-info", 0x10500, 0x0fb00},
398 {"os-image", 0x20000, 0x180000},
399 {"file-system", 0x1a0000, 0xcb0000},
400 {"partition-table", 0xe50000, 0x10000},
401 {"soft-version", 0xe60000, 0x10000},
402 {"support-list", 0xe70000, 0x10000},
403 {"profile", 0xe80000, 0x10000},
404 {"default-config", 0xe90000, 0x10000},
405 {"user-config", 0xea0000, 0x40000},
406 {"usb-config", 0xee0000, 0x10000},
407 {"certificate", 0xef0000, 0x10000},
408 {"qos-db", 0xf00000, 0x40000},
409 {"log", 0xfe0000, 0x10000},
410 {"radio", 0xff0000, 0x10000},
414 .first_sysupgrade_partition
= "os-image",
415 .last_sysupgrade_partition
= "file-system",
418 /** Firmware layout for the C60v1 */
420 .id
= "ARCHER-C60-V1",
424 "{product_name:Archer C60,product_ver:1.0.0,special_id:00000000}\r\n"
425 "{product_name:Archer C60,product_ver:1.0.0,special_id:45550000}\r\n"
426 "{product_name:Archer C60,product_ver:1.0.0,special_id:55530000}\r\n",
427 .support_trail
= '\x00',
428 .soft_ver
= "soft_ver:1.0.0\n",
431 {"fs-uboot", 0x00000, 0x10000},
432 {"default-mac", 0x10000, 0x00200},
433 {"pin", 0x10200, 0x00200},
434 {"product-info", 0x10400, 0x00100},
435 {"partition-table", 0x10500, 0x00800},
436 {"soft-version", 0x11300, 0x00200},
437 {"support-list", 0x11500, 0x00100},
438 {"device-id", 0x11600, 0x00100},
439 {"profile", 0x11700, 0x03900},
440 {"default-config", 0x15000, 0x04000},
441 {"user-config", 0x19000, 0x04000},
442 {"os-image", 0x20000, 0x150000},
443 {"file-system", 0x170000, 0x678000},
444 {"certyficate", 0x7e8000, 0x08000},
445 {"radio", 0x7f0000, 0x10000},
449 .first_sysupgrade_partition
= "os-image",
450 .last_sysupgrade_partition
= "file-system",
453 /** Firmware layout for the C5 */
455 .id
= "ARCHER-C5-V2",
459 "{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}\r\n"
460 "{product_name:ArcherC5,product_ver:2.0.0,special_id:55530000}\r\n"
461 "{product_name:ArcherC5,product_ver:2.0.0,special_id:4A500000}\r\n", /* JP version */
462 .support_trail
= '\x00',
466 {"fs-uboot", 0x00000, 0x40000},
467 {"os-image", 0x40000, 0x200000},
468 {"file-system", 0x240000, 0xc00000},
469 {"default-mac", 0xe40000, 0x00200},
470 {"pin", 0xe40200, 0x00200},
471 {"product-info", 0xe40400, 0x00200},
472 {"partition-table", 0xe50000, 0x10000},
473 {"soft-version", 0xe60000, 0x00200},
474 {"support-list", 0xe61000, 0x0f000},
475 {"profile", 0xe70000, 0x10000},
476 {"default-config", 0xe80000, 0x10000},
477 {"user-config", 0xe90000, 0x50000},
478 {"log", 0xee0000, 0x100000},
479 {"radio_bk", 0xfe0000, 0x10000},
480 {"radio", 0xff0000, 0x10000},
484 .first_sysupgrade_partition
= "os-image",
485 .last_sysupgrade_partition
= "file-system"
488 /** Firmware layout for the C9 */
494 "{product_name:ArcherC9,"
496 "special_id:00000000}\n",
497 .support_trail
= '\x00',
501 {"fs-uboot", 0x00000, 0x40000},
502 {"os-image", 0x40000, 0x200000},
503 {"file-system", 0x240000, 0xc00000},
504 {"default-mac", 0xe40000, 0x00200},
505 {"pin", 0xe40200, 0x00200},
506 {"product-info", 0xe40400, 0x00200},
507 {"partition-table", 0xe50000, 0x10000},
508 {"soft-version", 0xe60000, 0x00200},
509 {"support-list", 0xe61000, 0x0f000},
510 {"profile", 0xe70000, 0x10000},
511 {"default-config", 0xe80000, 0x10000},
512 {"user-config", 0xe90000, 0x50000},
513 {"log", 0xee0000, 0x100000},
514 {"radio_bk", 0xfe0000, 0x10000},
515 {"radio", 0xff0000, 0x10000},
519 .first_sysupgrade_partition
= "os-image",
520 .last_sysupgrade_partition
= "file-system"
523 /** Firmware layout for the EAP120 */
526 .vendor
= "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
529 "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
530 .support_trail
= '\xff',
534 {"fs-uboot", 0x00000, 0x20000},
535 {"partition-table", 0x20000, 0x02000},
536 {"default-mac", 0x30000, 0x00020},
537 {"support-list", 0x31000, 0x00100},
538 {"product-info", 0x31100, 0x00100},
539 {"soft-version", 0x32000, 0x00100},
540 {"os-image", 0x40000, 0x180000},
541 {"file-system", 0x1c0000, 0x600000},
542 {"user-config", 0x7c0000, 0x10000},
543 {"backup-config", 0x7d0000, 0x10000},
544 {"log", 0x7e0000, 0x10000},
545 {"radio", 0x7f0000, 0x10000},
549 .first_sysupgrade_partition
= "os-image",
550 .last_sysupgrade_partition
= "file-system"
553 /** Firmware layout for the TL-WA850RE v2 */
559 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55530000}\n"
560 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:00000000}\n"
561 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55534100}\n"
562 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:45550000}\n"
563 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4B520000}\n"
564 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:42520000}\n"
565 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4A500000}\n"
566 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:43410000}\n"
567 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:41550000}\n"
568 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:52550000}\n",
569 .support_trail
= '\x00',
573 576KB were moved from file-system to os-image
574 in comparison to the stock image
577 {"fs-uboot", 0x00000, 0x20000},
578 {"os-image", 0x20000, 0x150000},
579 {"file-system", 0x170000, 0x240000},
580 {"partition-table", 0x3b0000, 0x02000},
581 {"default-mac", 0x3c0000, 0x00020},
582 {"pin", 0x3c0100, 0x00020},
583 {"product-info", 0x3c1000, 0x01000},
584 {"soft-version", 0x3c2000, 0x00100},
585 {"support-list", 0x3c3000, 0x01000},
586 {"profile", 0x3c4000, 0x08000},
587 {"user-config", 0x3d0000, 0x10000},
588 {"default-config", 0x3e0000, 0x10000},
589 {"radio", 0x3f0000, 0x10000},
593 .first_sysupgrade_partition
= "os-image",
594 .last_sysupgrade_partition
= "file-system"
597 /** Firmware layout for the TL-WA855RE v1 */
603 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:00000000}\n"
604 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:55530000}\n"
605 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:45550000}\n"
606 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4B520000}\n"
607 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:42520000}\n"
608 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4A500000}\n"
609 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:43410000}\n"
610 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:41550000}\n"
611 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:52550000}\n",
612 .support_trail
= '\x00',
616 {"fs-uboot", 0x00000, 0x20000},
617 {"os-image", 0x20000, 0x150000},
618 {"file-system", 0x170000, 0x240000},
619 {"partition-table", 0x3b0000, 0x02000},
620 {"default-mac", 0x3c0000, 0x00020},
621 {"pin", 0x3c0100, 0x00020},
622 {"product-info", 0x3c1000, 0x01000},
623 {"soft-version", 0x3c2000, 0x00100},
624 {"support-list", 0x3c3000, 0x01000},
625 {"profile", 0x3c4000, 0x08000},
626 {"user-config", 0x3d0000, 0x10000},
627 {"default-config", 0x3e0000, 0x10000},
628 {"radio", 0x3f0000, 0x10000},
632 .first_sysupgrade_partition
= "os-image",
633 .last_sysupgrade_partition
= "file-system"
636 /** Firmware layout for the TL-WR1043 v4 */
638 .id
= "TLWR1043NDV4",
642 "{product_name:TL-WR1043ND,product_ver:4.0.0,special_id:45550000}\n",
643 .support_trail
= '\x00',
647 We use a bigger os-image partition than the stock images (and thus
648 smaller file-system), as our kernel doesn't fit in the stock firmware's
652 {"fs-uboot", 0x00000, 0x20000},
653 {"os-image", 0x20000, 0x180000},
654 {"file-system", 0x1a0000, 0xdb0000},
655 {"default-mac", 0xf50000, 0x00200},
656 {"pin", 0xf50200, 0x00200},
657 {"product-info", 0xf50400, 0x0fc00},
658 {"soft-version", 0xf60000, 0x0b000},
659 {"support-list", 0xf6b000, 0x04000},
660 {"profile", 0xf70000, 0x04000},
661 {"default-config", 0xf74000, 0x0b000},
662 {"user-config", 0xf80000, 0x40000},
663 {"partition-table", 0xfc0000, 0x10000},
664 {"log", 0xfd0000, 0x20000},
665 {"radio", 0xff0000, 0x10000},
669 .first_sysupgrade_partition
= "os-image",
670 .last_sysupgrade_partition
= "file-system"
673 /** Firmware layout for the TL-WR902AC v1 */
675 .id
= "TL-WR902AC-V1",
679 "{product_name:TL-WR902AC,product_ver:1.0.0,special_id:45550000}\n",
680 .support_trail
= '\x00',
684 384KB were moved from file-system to os-image
685 in comparison to the stock image
688 {"fs-uboot", 0x00000, 0x20000},
689 {"os-image", 0x20000, 0x160000},
690 {"file-system", 0x180000, 0x5d0000},
691 {"default-mac", 0x750000, 0x00200},
692 {"pin", 0x750200, 0x00200},
693 {"product-info", 0x750400, 0x0fc00},
694 {"soft-version", 0x760000, 0x0b000},
695 {"support-list", 0x76b000, 0x04000},
696 {"profile", 0x770000, 0x04000},
697 {"default-config", 0x774000, 0x0b000},
698 {"user-config", 0x780000, 0x40000},
699 {"partition-table", 0x7c0000, 0x10000},
700 {"log", 0x7d0000, 0x20000},
701 {"radio", 0x7f0000, 0x10000},
705 .first_sysupgrade_partition
= "os-image",
706 .last_sysupgrade_partition
= "file-system",
709 /** Firmware layout for the TL-WR942N V1 */
715 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:00000000}\r\n"
716 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:52550000}\r\n",
717 .support_trail
= '\x00',
721 {"fs-uboot", 0x00000, 0x20000},
722 {"os-image", 0x20000, 0x150000},
723 {"file-system", 0x170000, 0xcd0000},
724 {"default-mac", 0xe40000, 0x00200},
725 {"pin", 0xe40200, 0x00200},
726 {"product-info", 0xe40400, 0x0fc00},
727 {"partition-table", 0xe50000, 0x10000},
728 {"soft-version", 0xe60000, 0x10000},
729 {"support-list", 0xe70000, 0x10000},
730 {"profile", 0xe80000, 0x10000},
731 {"default-config", 0xe90000, 0x10000},
732 {"user-config", 0xea0000, 0x40000},
733 {"qos-db", 0xee0000, 0x40000},
734 {"certificate", 0xf20000, 0x10000},
735 {"usb-config", 0xfb0000, 0x10000},
736 {"log", 0xfc0000, 0x20000},
737 {"radio-bk", 0xfe0000, 0x10000},
738 {"radio", 0xff0000, 0x10000},
742 .first_sysupgrade_partition
= "os-image",
743 .last_sysupgrade_partition
= "file-system",
746 /** Firmware layout for the RE450 */
752 "{product_name:RE450,product_ver:1.0.0,special_id:00000000}\r\n"
753 "{product_name:RE450,product_ver:1.0.0,special_id:55530000}\r\n"
754 "{product_name:RE450,product_ver:1.0.0,special_id:45550000}\r\n"
755 "{product_name:RE450,product_ver:1.0.0,special_id:4A500000}\r\n"
756 "{product_name:RE450,product_ver:1.0.0,special_id:43410000}\r\n"
757 "{product_name:RE450,product_ver:1.0.0,special_id:41550000}\r\n"
758 "{product_name:RE450,product_ver:1.0.0,special_id:4B520000}\r\n"
759 "{product_name:RE450,product_ver:1.0.0,special_id:55534100}\r\n",
760 .support_trail
= '\x00',
764 The flash partition table for RE450;
765 it is almost the same as the one used by the stock images,
766 576KB were moved from file-system to os-image.
769 {"fs-uboot", 0x00000, 0x20000},
770 {"os-image", 0x20000, 0x150000},
771 {"file-system", 0x170000, 0x4a0000},
772 {"partition-table", 0x600000, 0x02000},
773 {"default-mac", 0x610000, 0x00020},
774 {"pin", 0x610100, 0x00020},
775 {"product-info", 0x611100, 0x01000},
776 {"soft-version", 0x620000, 0x01000},
777 {"support-list", 0x621000, 0x01000},
778 {"profile", 0x622000, 0x08000},
779 {"user-config", 0x630000, 0x10000},
780 {"default-config", 0x640000, 0x10000},
781 {"radio", 0x7f0000, 0x10000},
785 .first_sysupgrade_partition
= "os-image",
786 .last_sysupgrade_partition
= "file-system"
792 #define error(_ret, _errno, _str, ...) \
794 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
801 /** Stores a uint32 as big endian */
802 static inline void put32(uint8_t *buf
, uint32_t val
) {
809 /** Allocates a new image partition */
810 static struct image_partition_entry
alloc_image_partition(const char *name
, size_t len
) {
811 struct image_partition_entry entry
= {name
, len
, malloc(len
)};
813 error(1, errno
, "malloc");
818 /** Frees an image partition */
819 static void free_image_partition(struct image_partition_entry entry
) {
823 static time_t source_date_epoch
= -1;
824 static void set_source_date_epoch() {
825 char *env
= getenv("SOURCE_DATE_EPOCH");
829 source_date_epoch
= strtoull(env
, &endptr
, 10);
830 if (errno
|| (endptr
&& *endptr
!= '\0')) {
831 fprintf(stderr
, "Invalid SOURCE_DATE_EPOCH");
837 /** Generates the partition-table partition */
838 static struct image_partition_entry
make_partition_table(const struct flash_partition_entry
*p
) {
839 struct image_partition_entry entry
= alloc_image_partition("partition-table", 0x800);
841 char *s
= (char *)entry
.data
, *end
= (char *)(s
+entry
.size
);
849 for (i
= 0; p
[i
].name
; i
++) {
851 size_t w
= snprintf(s
, len
, "partition %s base 0x%05x size 0x%05x\n", p
[i
].name
, p
[i
].base
, p
[i
].size
);
854 error(1, 0, "flash partition table overflow?");
861 memset(s
, 0xff, end
-s
);
867 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
868 static inline uint8_t bcd(uint8_t v
) {
869 return 0x10 * (v
/10) + v
%10;
873 /** Generates the soft-version partition */
874 static struct image_partition_entry
make_soft_version(uint32_t rev
) {
875 struct image_partition_entry entry
= alloc_image_partition("soft-version", sizeof(struct soft_version
));
876 struct soft_version
*s
= (struct soft_version
*)entry
.data
;
880 if (source_date_epoch
!= -1)
881 t
= source_date_epoch
;
882 else if (time(&t
) == (time_t)(-1))
883 error(1, errno
, "time");
885 struct tm
*tm
= localtime(&t
);
887 s
->magic
= htonl(0x0000000c);
891 s
->version_major
= 0;
892 s
->version_minor
= 0;
893 s
->version_patch
= 0;
895 s
->year_hi
= bcd((1900+tm
->tm_year
)/100);
896 s
->year_lo
= bcd(tm
->tm_year
%100);
897 s
->month
= bcd(tm
->tm_mon
+1);
898 s
->day
= bcd(tm
->tm_mday
);
906 static struct image_partition_entry
make_soft_version_from_string(const char *soft_ver
) {
907 /** String length _including_ the terminating zero byte */
908 uint32_t ver_len
= strlen(soft_ver
) + 1;
909 /** Partition contains 64 bit header, the version string, and one additional null byte */
910 size_t partition_len
= 2*sizeof(uint32_t) + ver_len
+ 1;
911 struct image_partition_entry entry
= alloc_image_partition("soft-version", partition_len
);
913 uint32_t *len
= (uint32_t *)entry
.data
;
914 len
[0] = htonl(ver_len
);
916 memcpy(&len
[2], soft_ver
, ver_len
);
918 entry
.data
[partition_len
- 1] = 0;
923 /** Generates the support-list partition */
924 static struct image_partition_entry
make_support_list(const struct device_info
*info
) {
925 size_t len
= strlen(info
->support_list
);
926 struct image_partition_entry entry
= alloc_image_partition("support-list", len
+ 9);
928 put32(entry
.data
, len
);
929 memset(entry
.data
+4, 0, 4);
930 memcpy(entry
.data
+8, info
->support_list
, len
);
931 entry
.data
[len
+8] = info
->support_trail
;
936 /** Creates a new image partition with an arbitrary name from a file */
937 static struct image_partition_entry
read_file(const char *part_name
, const char *filename
, bool add_jffs2_eof
) {
940 if (stat(filename
, &statbuf
) < 0)
941 error(1, errno
, "unable to stat file `%s'", filename
);
943 size_t len
= statbuf
.st_size
;
946 len
= ALIGN(len
, 0x10000) + sizeof(jffs2_eof_mark
);
948 struct image_partition_entry entry
= alloc_image_partition(part_name
, len
);
950 FILE *file
= fopen(filename
, "rb");
952 error(1, errno
, "unable to open file `%s'", filename
);
954 if (fread(entry
.data
, statbuf
.st_size
, 1, file
) != 1)
955 error(1, errno
, "unable to read file `%s'", filename
);
958 uint8_t *eof
= entry
.data
+ statbuf
.st_size
, *end
= entry
.data
+entry
.size
;
960 memset(eof
, 0xff, end
- eof
- sizeof(jffs2_eof_mark
));
961 memcpy(end
- sizeof(jffs2_eof_mark
), jffs2_eof_mark
, sizeof(jffs2_eof_mark
));
969 /** Creates a new image partition from arbitrary data */
970 static struct image_partition_entry
put_data(const char *part_name
, const char *datain
, size_t len
) {
972 struct image_partition_entry entry
= alloc_image_partition(part_name
, len
);
974 memcpy(entry
.data
, datain
, len
);
980 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
982 Example image partition table:
984 fwup-ptn partition-table base 0x00800 size 0x00800
985 fwup-ptn os-image base 0x01000 size 0x113b45
986 fwup-ptn file-system base 0x114b45 size 0x1d0004
987 fwup-ptn support-list base 0x2e4b49 size 0x000d1
989 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
990 the end of the partition table is marked with a zero byte.
992 The firmware image must contain at least the partition-table and support-list partitions
993 to be accepted. There aren't any alignment constraints for the image partitions.
995 The partition-table partition contains the actual flash layout; partitions
996 from the image partition table are mapped to the corresponding flash partitions during
997 the firmware upgrade. The support-list partition contains a list of devices supported by
1000 The base offsets in the firmware partition table are relative to the end
1001 of the vendor information block, so the partition-table partition will
1002 actually start at offset 0x1814 of the image.
1004 I think partition-table must be the first partition in the firmware image.
1006 static void put_partitions(uint8_t *buffer
, const struct flash_partition_entry
*flash_parts
, const struct image_partition_entry
*parts
) {
1008 char *image_pt
= (char *)buffer
, *end
= image_pt
+ 0x800;
1010 size_t base
= 0x800;
1011 for (i
= 0; parts
[i
].name
; i
++) {
1012 for (j
= 0; flash_parts
[j
].name
; j
++) {
1013 if (!strcmp(flash_parts
[j
].name
, parts
[i
].name
)) {
1014 if (parts
[i
].size
> flash_parts
[j
].size
)
1015 error(1, 0, "%s partition too big (more than %u bytes)", flash_parts
[j
].name
, (unsigned)flash_parts
[j
].size
);
1020 assert(flash_parts
[j
].name
);
1022 memcpy(buffer
+ base
, parts
[i
].data
, parts
[i
].size
);
1024 size_t len
= end
-image_pt
;
1025 size_t w
= snprintf(image_pt
, len
, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts
[i
].name
, (unsigned)base
, (unsigned)parts
[i
].size
);
1028 error(1, 0, "image partition table overflow?");
1032 base
+= parts
[i
].size
;
1036 /** Generates and writes the image MD5 checksum */
1037 static void put_md5(uint8_t *md5
, uint8_t *buffer
, unsigned int len
) {
1041 MD5_Update(&ctx
, md5_salt
, (unsigned int)sizeof(md5_salt
));
1042 MD5_Update(&ctx
, buffer
, len
);
1043 MD5_Final(md5
, &ctx
);
1048 Generates the firmware image in factory format
1054 0000-0003 Image size (4 bytes, big endian)
1055 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
1056 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
1057 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
1058 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
1059 1014-1813 Image partition table (2048 bytes, padded with 0xff)
1060 1814-xxxx Firmware partitions
1062 static void * generate_factory_image(const struct device_info
*info
, const struct image_partition_entry
*parts
, size_t *len
) {
1066 for (i
= 0; parts
[i
].name
; i
++)
1067 *len
+= parts
[i
].size
;
1069 uint8_t *image
= malloc(*len
);
1071 error(1, errno
, "malloc");
1073 memset(image
, 0xff, *len
);
1077 size_t vendor_len
= strlen(info
->vendor
);
1078 put32(image
+0x14, vendor_len
);
1079 memcpy(image
+0x18, info
->vendor
, vendor_len
);
1082 put_partitions(image
+ 0x1014, info
->partitions
, parts
);
1083 put_md5(image
+0x04, image
+0x14, *len
-0x14);
1089 Generates the firmware image in sysupgrade format
1091 This makes some assumptions about the provided flash and image partition tables and
1092 should be generalized when TP-LINK starts building its safeloader into hardware with
1093 different flash layouts.
1095 static void * generate_sysupgrade_image(const struct device_info
*info
, const struct image_partition_entry
*image_parts
, size_t *len
) {
1097 size_t flash_first_partition_index
= 0;
1098 size_t flash_last_partition_index
= 0;
1099 const struct flash_partition_entry
*flash_first_partition
= NULL
;
1100 const struct flash_partition_entry
*flash_last_partition
= NULL
;
1101 const struct image_partition_entry
*image_last_partition
= NULL
;
1103 /** Find first and last partitions */
1104 for (i
= 0; info
->partitions
[i
].name
; i
++) {
1105 if (!strcmp(info
->partitions
[i
].name
, info
->first_sysupgrade_partition
)) {
1106 flash_first_partition
= &info
->partitions
[i
];
1107 flash_first_partition_index
= i
;
1108 } else if (!strcmp(info
->partitions
[i
].name
, info
->last_sysupgrade_partition
)) {
1109 flash_last_partition
= &info
->partitions
[i
];
1110 flash_last_partition_index
= i
;
1114 assert(flash_first_partition
&& flash_last_partition
);
1115 assert(flash_first_partition_index
< flash_last_partition_index
);
1117 /** Find last partition from image to calculate needed size */
1118 for (i
= 0; image_parts
[i
].name
; i
++) {
1119 if (!strcmp(image_parts
[i
].name
, info
->last_sysupgrade_partition
)) {
1120 image_last_partition
= &image_parts
[i
];
1125 assert(image_last_partition
);
1127 *len
= flash_last_partition
->base
- flash_first_partition
->base
+ image_last_partition
->size
;
1129 uint8_t *image
= malloc(*len
);
1131 error(1, errno
, "malloc");
1133 memset(image
, 0xff, *len
);
1135 for (i
= flash_first_partition_index
; i
<= flash_last_partition_index
; i
++) {
1136 for (j
= 0; image_parts
[j
].name
; j
++) {
1137 if (!strcmp(info
->partitions
[i
].name
, image_parts
[j
].name
)) {
1138 if (image_parts
[j
].size
> info
->partitions
[i
].size
)
1139 error(1, 0, "%s partition too big (more than %u bytes)", info
->partitions
[i
].name
, (unsigned)info
->partitions
[i
].size
);
1140 memcpy(image
+ info
->partitions
[i
].base
- flash_first_partition
->base
, image_parts
[j
].data
, image_parts
[j
].size
);
1144 assert(image_parts
[j
].name
);
1151 /** Generates an image according to a given layout and writes it to a file */
1152 static void build_image(const char *output
,
1153 const char *kernel_image
,
1154 const char *rootfs_image
,
1158 const struct device_info
*info
) {
1160 struct image_partition_entry parts
[7] = {};
1162 parts
[0] = make_partition_table(info
->partitions
);
1164 parts
[1] = make_soft_version_from_string(info
->soft_ver
);
1166 parts
[1] = make_soft_version(rev
);
1168 parts
[2] = make_support_list(info
);
1169 parts
[3] = read_file("os-image", kernel_image
, false);
1170 parts
[4] = read_file("file-system", rootfs_image
, add_jffs2_eof
);
1172 if (strcasecmp(info
->id
, "ARCHER-C25-V1") == 0) {
1173 const char mdat
[11] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};
1174 parts
[5] = put_data("extra-para", mdat
, 11);
1180 image
= generate_sysupgrade_image(info
, parts
, &len
);
1182 image
= generate_factory_image(info
, parts
, &len
);
1184 FILE *file
= fopen(output
, "wb");
1186 error(1, errno
, "unable to open output file");
1188 if (fwrite(image
, len
, 1, file
) != 1)
1189 error(1, 0, "unable to write output file");
1196 for (i
= 0; parts
[i
].name
; i
++)
1197 free_image_partition(parts
[i
]);
1201 static void usage(const char *argv0
) {
1203 "Usage: %s [OPTIONS...]\n"
1206 " -B <board> create image for the board specified with <board>\n"
1207 " -k <file> read kernel image from the file <file>\n"
1208 " -r <file> read rootfs image from the file <file>\n"
1209 " -o <file> write output to the file <file>\n"
1210 " -V <rev> sets the revision number to <rev>\n"
1211 " -j add jffs2 end-of-filesystem markers\n"
1212 " -S create sysupgrade instead of factory image\n"
1213 " -h show this help\n",
1219 static const struct device_info
*find_board(const char *id
)
1221 struct device_info
*board
= NULL
;
1223 for (board
= boards
; board
->id
!= NULL
; board
++)
1224 if (strcasecmp(id
, board
->id
) == 0)
1230 int main(int argc
, char *argv
[]) {
1231 const char *board
= NULL
, *kernel_image
= NULL
, *rootfs_image
= NULL
, *output
= NULL
;
1232 bool add_jffs2_eof
= false, sysupgrade
= false;
1234 const struct device_info
*info
;
1235 set_source_date_epoch();
1240 c
= getopt(argc
, argv
, "B:k:r:o:V:jSh");
1250 kernel_image
= optarg
;
1254 rootfs_image
= optarg
;
1262 sscanf(optarg
, "r%u", &rev
);
1266 add_jffs2_eof
= true;
1284 error(1, 0, "no board has been specified");
1286 error(1, 0, "no kernel image has been specified");
1288 error(1, 0, "no rootfs image has been specified");
1290 error(1, 0, "no output filename has been specified");
1292 info
= find_board(board
);
1295 error(1, 0, "unsupported board %s", board
);
1297 build_image(output
, kernel_image
, rootfs_image
, rev
, add_jffs2_eof
, sysupgrade
, info
);