projects / openwrt / staging / lynxis.git / blob
? search:


eb99241136b2f1c82d0e8ae43f7f66f768c18098
[openwrt/staging/lynxis.git] / tools / firmware-utils / src / tplink-safeloader.c
1 /*
2 Copyright (c) 2014, Matthias Schiffer <mschiffer@universe-factory.net>
3 All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 1. Redistributions of source code must retain the above copyright notice,
9 this list of conditions and the following disclaimer.
10 2. Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
13
14 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
15 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
17 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
18 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
20 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
21 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
22 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26
27 /*
28 tplink-safeloader
29
30 Image generation tool for the TP-LINK SafeLoader as seen on
31 TP-LINK Pharos devices (CPE210/220/510/520)
32 */
33
34
35 #include <assert.h>
36 #include <errno.h>
37 #include <stdbool.h>
38 #include <stdio.h>
39 #include <stdint.h>
40 #include <stdlib.h>
41 #include <string.h>
42 #include <time.h>
43 #include <unistd.h>
44
45 #include <arpa/inet.h>
46
47 #include <sys/types.h>
48 #include <sys/stat.h>
49 #include <limits.h>
50
51 #include "md5.h"
52
53
54 #define ALIGN(x,a) ({ typeof(a) __a = (a); (((x) + __a - 1) & ~(__a - 1)); })
55
56
57 #define MAX_PARTITIONS 32
58
59 /** An image partition table entry */
60 struct image_partition_entry {
61 const char *name;
62 size_t size;
63 uint8_t *data;
64 };
65
66 /** A flash partition table entry */
67 struct flash_partition_entry {
68 const char *name;
69 uint32_t base;
70 uint32_t size;
71 };
72
73 /** Firmware layout description */
74 struct device_info {
75 const char *id;
76 const char *vendor;
77 const char *support_list;
78 char support_trail;
79 const char *soft_ver;
80 const struct flash_partition_entry partitions[MAX_PARTITIONS+1];
81 const char *first_sysupgrade_partition;
82 const char *last_sysupgrade_partition;
83 };
84
85 /** The content of the soft-version structure */
86 struct __attribute__((__packed__)) soft_version {
87 uint32_t magic;
88 uint32_t zero;
89 uint8_t pad1;
90 uint8_t version_major;
91 uint8_t version_minor;
92 uint8_t version_patch;
93 uint8_t year_hi;
94 uint8_t year_lo;
95 uint8_t month;
96 uint8_t day;
97 uint32_t rev;
98 uint8_t pad2;
99 };
100
101
102 static const uint8_t jffs2_eof_mark[4] = {0xde, 0xad, 0xc0, 0xde};
103
104
105 /**
106 Salt for the MD5 hash
107
108 Fortunately, TP-LINK seems to use the same salt for most devices which use
109 the new image format.
110 */
111 static const uint8_t md5_salt[16] = {
112 0x7a, 0x2b, 0x15, 0xed,
113 0x9b, 0x98, 0x59, 0x6d,
114 0xe5, 0x04, 0xab, 0x44,
115 0xac, 0x2a, 0x9f, 0x4e,
116 };
117
118
119 /** Firmware layout table */
120 static struct device_info boards[] = {
121 /** Firmware layout for the CPE210/220 */
122 {
123 .id = "CPE210",
124 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
125 .support_list =
126 "SupportList:\r\n"
127 "CPE210(TP-LINK|UN|N300-2):1.0\r\n"
128 "CPE210(TP-LINK|UN|N300-2):1.1\r\n"
129 "CPE210(TP-LINK|US|N300-2):1.1\r\n"
130 "CPE210(TP-LINK|EU|N300-2):1.1\r\n"
131 "CPE220(TP-LINK|UN|N300-2):1.1\r\n"
132 "CPE220(TP-LINK|US|N300-2):1.1\r\n"
133 "CPE220(TP-LINK|EU|N300-2):1.1\r\n",
134 .support_trail = '\xff',
135 .soft_ver = NULL,
136
137 .partitions = {
138 {"fs-uboot", 0x00000, 0x20000},
139 {"partition-table", 0x20000, 0x02000},
140 {"default-mac", 0x30000, 0x00020},
141 {"product-info", 0x31100, 0x00100},
142 {"signature", 0x32000, 0x00400},
143 {"os-image", 0x40000, 0x170000},
144 {"soft-version", 0x1b0000, 0x00100},
145 {"support-list", 0x1b1000, 0x00400},
146 {"file-system", 0x1c0000, 0x600000},
147 {"user-config", 0x7c0000, 0x10000},
148 {"default-config", 0x7d0000, 0x10000},
149 {"log", 0x7e0000, 0x10000},
150 {"radio", 0x7f0000, 0x10000},
151 {NULL, 0, 0}
152 },
153
154 .first_sysupgrade_partition = "os-image",
155 .last_sysupgrade_partition = "file-system",
156 },
157
158 /** Firmware layout for the CPE510/520 */
159 {
160 .id = "CPE510",
161 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
162 .support_list =
163 "SupportList:\r\n"
164 "CPE510(TP-LINK|UN|N300-5):1.0\r\n"
165 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
166 "CPE510(TP-LINK|UN|N300-5):1.1\r\n"
167 "CPE510(TP-LINK|US|N300-5):1.1\r\n"
168 "CPE510(TP-LINK|EU|N300-5):1.1\r\n"
169 "CPE520(TP-LINK|UN|N300-5):1.1\r\n"
170 "CPE520(TP-LINK|US|N300-5):1.1\r\n"
171 "CPE520(TP-LINK|EU|N300-5):1.1\r\n",
172 .support_trail = '\xff',
173 .soft_ver = NULL,
174
175 .partitions = {
176 {"fs-uboot", 0x00000, 0x20000},
177 {"partition-table", 0x20000, 0x02000},
178 {"default-mac", 0x30000, 0x00020},
179 {"product-info", 0x31100, 0x00100},
180 {"signature", 0x32000, 0x00400},
181 {"os-image", 0x40000, 0x170000},
182 {"soft-version", 0x1b0000, 0x00100},
183 {"support-list", 0x1b1000, 0x00400},
184 {"file-system", 0x1c0000, 0x600000},
185 {"user-config", 0x7c0000, 0x10000},
186 {"default-config", 0x7d0000, 0x10000},
187 {"log", 0x7e0000, 0x10000},
188 {"radio", 0x7f0000, 0x10000},
189 {NULL, 0, 0}
190 },
191
192 .first_sysupgrade_partition = "os-image",
193 .last_sysupgrade_partition = "file-system",
194 },
195
196 {
197 .id = "WBS210",
198 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
199 .support_list =
200 "SupportList:\r\n"
201 "WBS210(TP-LINK|UN|N300-2):1.20\r\n"
202 "WBS210(TP-LINK|US|N300-2):1.20\r\n"
203 "WBS210(TP-LINK|EU|N300-2):1.20\r\n",
204 .support_trail = '\xff',
205 .soft_ver = NULL,
206
207 .partitions = {
208 {"fs-uboot", 0x00000, 0x20000},
209 {"partition-table", 0x20000, 0x02000},
210 {"default-mac", 0x30000, 0x00020},
211 {"product-info", 0x31100, 0x00100},
212 {"signature", 0x32000, 0x00400},
213 {"os-image", 0x40000, 0x170000},
214 {"soft-version", 0x1b0000, 0x00100},
215 {"support-list", 0x1b1000, 0x00400},
216 {"file-system", 0x1c0000, 0x600000},
217 {"user-config", 0x7c0000, 0x10000},
218 {"default-config", 0x7d0000, 0x10000},
219 {"log", 0x7e0000, 0x10000},
220 {"radio", 0x7f0000, 0x10000},
221 {NULL, 0, 0}
222 },
223
224 .first_sysupgrade_partition = "os-image",
225 .last_sysupgrade_partition = "file-system",
226 },
227
228 {
229 .id = "WBS510",
230 .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n",
231 .support_list =
232 "SupportList:\r\n"
233 "WBS510(TP-LINK|UN|N300-5):1.20\r\n"
234 "WBS510(TP-LINK|US|N300-5):1.20\r\n"
235 "WBS510(TP-LINK|EU|N300-5):1.20\r\n",
236 .support_trail = '\xff',
237 .soft_ver = NULL,
238
239 .partitions = {
240 {"fs-uboot", 0x00000, 0x20000},
241 {"partition-table", 0x20000, 0x02000},
242 {"default-mac", 0x30000, 0x00020},
243 {"product-info", 0x31100, 0x00100},
244 {"signature", 0x32000, 0x00400},
245 {"os-image", 0x40000, 0x170000},
246 {"soft-version", 0x1b0000, 0x00100},
247 {"support-list", 0x1b1000, 0x00400},
248 {"file-system", 0x1c0000, 0x600000},
249 {"user-config", 0x7c0000, 0x10000},
250 {"default-config", 0x7d0000, 0x10000},
251 {"log", 0x7e0000, 0x10000},
252 {"radio", 0x7f0000, 0x10000},
253 {NULL, 0, 0}
254 },
255
256 .first_sysupgrade_partition = "os-image",
257 .last_sysupgrade_partition = "file-system",
258 },
259
260 /** Firmware layout for the C2600 */
261 {
262 .id = "C2600",
263 .vendor = "",
264 .support_list =
265 "SupportList:\r\n"
266 "{product_name:Archer C2600,product_ver:1.0.0,special_id:00000000}\r\n",
267 .support_trail = '\x00',
268 .soft_ver = NULL,
269
270 .partitions = {
271 {"SBL1", 0x00000, 0x20000},
272 {"MIBIB", 0x20000, 0x20000},
273 {"SBL2", 0x40000, 0x20000},
274 {"SBL3", 0x60000, 0x30000},
275 {"DDRCONFIG", 0x90000, 0x10000},
276 {"SSD", 0xa0000, 0x10000},
277 {"TZ", 0xb0000, 0x30000},
278 {"RPM", 0xe0000, 0x20000},
279 {"fs-uboot", 0x100000, 0x70000},
280 {"uboot-env", 0x170000, 0x40000},
281 {"radio", 0x1b0000, 0x40000},
282 {"os-image", 0x1f0000, 0x200000},
283 {"file-system", 0x3f0000, 0x1b00000},
284 {"default-mac", 0x1ef0000, 0x00200},
285 {"pin", 0x1ef0200, 0x00200},
286 {"product-info", 0x1ef0400, 0x0fc00},
287 {"partition-table", 0x1f00000, 0x10000},
288 {"soft-version", 0x1f10000, 0x10000},
289 {"support-list", 0x1f20000, 0x10000},
290 {"profile", 0x1f30000, 0x10000},
291 {"default-config", 0x1f40000, 0x10000},
292 {"user-config", 0x1f50000, 0x40000},
293 {"qos-db", 0x1f90000, 0x40000},
294 {"usb-config", 0x1fd0000, 0x10000},
295 {"log", 0x1fe0000, 0x20000},
296 {NULL, 0, 0}
297 },
298
299 .first_sysupgrade_partition = "os-image",
300 .last_sysupgrade_partition = "file-system"
301 },
302
303 /** Firmware layout for the C25v1 */
304 {
305 .id = "ARCHER-C25-V1",
306 .support_list =
307 "SupportList:\n"
308 "{product_name:ArcherC25,product_ver:1.0.0,special_id:00000000}\n"
309 "{product_name:ArcherC25,product_ver:1.0.0,special_id:55530000}\n"
310 "{product_name:ArcherC25,product_ver:1.0.0,special_id:45550000}\n",
311 .support_trail = '\x00',
312 .soft_ver = "soft_ver:1.0.0\n",
313
314 /**
315 We use a bigger os-image partition than the stock images (and thus
316 smaller file-system), as our kernel doesn't fit in the stock firmware's
317 1MB os-image.
318 */
319 .partitions = {
320 {"factory-boot", 0x00000, 0x20000},
321 {"fs-uboot", 0x20000, 0x10000},
322 {"os-image", 0x30000, 0x180000}, /* Stock: base 0x30000 size 0x100000 */
323 {"file-system", 0x1b0000, 0x620000}, /* Stock: base 0x130000 size 0x6a0000 */
324 {"user-config", 0x7d0000, 0x04000},
325 {"default-mac", 0x7e0000, 0x00100},
326 {"device-id", 0x7e0100, 0x00100},
327 {"extra-para", 0x7e0200, 0x00100},
328 {"pin", 0x7e0300, 0x00100},
329 {"support-list", 0x7e0400, 0x00400},
330 {"soft-version", 0x7e0800, 0x00400},
331 {"product-info", 0x7e0c00, 0x01400},
332 {"partition-table", 0x7e2000, 0x01000},
333 {"profile", 0x7e3000, 0x01000},
334 {"default-config", 0x7e4000, 0x04000},
335 {"merge-config", 0x7ec000, 0x02000},
336 {"qos-db", 0x7ee000, 0x02000},
337 {"radio", 0x7f0000, 0x10000},
338 {NULL, 0, 0}
339 },
340
341 .first_sysupgrade_partition = "os-image",
342 .last_sysupgrade_partition = "file-system",
343 },
344
345 /** Firmware layout for the C58v1 */
346 {
347 .id = "ARCHER-C58-V1",
348 .vendor = "",
349 .support_list =
350 "SupportList:\r\n"
351 "{product_name:Archer C58,product_ver:1.0.0,special_id:00000000}\r\n"
352 "{product_name:Archer C58,product_ver:1.0.0,special_id:45550000}\r\n"
353 "{product_name:Archer C58,product_ver:1.0.0,special_id:55530000}\r\n",
354 .support_trail = '\x00',
355 .soft_ver = "soft_ver:1.0.0\n",
356
357 .partitions = {
358 {"fs-uboot", 0x00000, 0x10000},
359 {"default-mac", 0x10000, 0x00200},
360 {"pin", 0x10200, 0x00200},
361 {"product-info", 0x10400, 0x00100},
362 {"partition-table", 0x10500, 0x00800},
363 {"soft-version", 0x11300, 0x00200},
364 {"support-list", 0x11500, 0x00100},
365 {"device-id", 0x11600, 0x00100},
366 {"profile", 0x11700, 0x03900},
367 {"default-config", 0x15000, 0x04000},
368 {"user-config", 0x19000, 0x04000},
369 {"os-image", 0x20000, 0x180000},
370 {"file-system", 0x1a0000, 0x648000},
371 {"certyficate", 0x7e8000, 0x08000},
372 {"radio", 0x7f0000, 0x10000},
373 {NULL, 0, 0}
374 },
375
376 .first_sysupgrade_partition = "os-image",
377 .last_sysupgrade_partition = "file-system",
378 },
379
380 /** Firmware layout for the C59v1 */
381 {
382 .id = "ARCHER-C59-V1",
383 .vendor = "",
384 .support_list =
385 "SupportList:\r\n"
386 "{product_name:Archer C59,product_ver:1.0.0,special_id:00000000}\r\n"
387 "{product_name:Archer C59,product_ver:1.0.0,special_id:45550000}\r\n"
388 "{product_name:Archer C59,product_ver:1.0.0,special_id:52550000}\r\n"
389 "{product_name:Archer C59,product_ver:1.0.0,special_id:55530000}\r\n",
390 .support_trail = '\x00',
391 .soft_ver = "soft_ver:1.0.0\n",
392
393 .partitions = {
394 {"fs-uboot", 0x00000, 0x10000},
395 {"default-mac", 0x10000, 0x00200},
396 {"pin", 0x10200, 0x00200},
397 {"device-id", 0x10400, 0x00100},
398 {"product-info", 0x10500, 0x0fb00},
399 {"os-image", 0x20000, 0x180000},
400 {"file-system", 0x1a0000, 0xcb0000},
401 {"partition-table", 0xe50000, 0x10000},
402 {"soft-version", 0xe60000, 0x10000},
403 {"support-list", 0xe70000, 0x10000},
404 {"profile", 0xe80000, 0x10000},
405 {"default-config", 0xe90000, 0x10000},
406 {"user-config", 0xea0000, 0x40000},
407 {"usb-config", 0xee0000, 0x10000},
408 {"certificate", 0xef0000, 0x10000},
409 {"qos-db", 0xf00000, 0x40000},
410 {"log", 0xfe0000, 0x10000},
411 {"radio", 0xff0000, 0x10000},
412 {NULL, 0, 0}
413 },
414
415 .first_sysupgrade_partition = "os-image",
416 .last_sysupgrade_partition = "file-system",
417 },
418
419 /** Firmware layout for the C60v1 */
420 {
421 .id = "ARCHER-C60-V1",
422 .vendor = "",
423 .support_list =
424 "SupportList:\r\n"
425 "{product_name:Archer C60,product_ver:1.0.0,special_id:00000000}\r\n"
426 "{product_name:Archer C60,product_ver:1.0.0,special_id:45550000}\r\n"
427 "{product_name:Archer C60,product_ver:1.0.0,special_id:55530000}\r\n",
428 .support_trail = '\x00',
429 .soft_ver = "soft_ver:1.0.0\n",
430
431 .partitions = {
432 {"fs-uboot", 0x00000, 0x10000},
433 {"default-mac", 0x10000, 0x00200},
434 {"pin", 0x10200, 0x00200},
435 {"product-info", 0x10400, 0x00100},
436 {"partition-table", 0x10500, 0x00800},
437 {"soft-version", 0x11300, 0x00200},
438 {"support-list", 0x11500, 0x00100},
439 {"device-id", 0x11600, 0x00100},
440 {"profile", 0x11700, 0x03900},
441 {"default-config", 0x15000, 0x04000},
442 {"user-config", 0x19000, 0x04000},
443 {"os-image", 0x20000, 0x180000},
444 {"file-system", 0x1a0000, 0x648000},
445 {"certyficate", 0x7e8000, 0x08000},
446 {"radio", 0x7f0000, 0x10000},
447 {NULL, 0, 0}
448 },
449
450 .first_sysupgrade_partition = "os-image",
451 .last_sysupgrade_partition = "file-system",
452 },
453
454 /** Firmware layout for the C5 */
455 {
456 .id = "ARCHER-C5-V2",
457 .vendor = "",
458 .support_list =
459 "SupportList:\r\n"
460 "{product_name:ArcherC5,product_ver:2.0.0,special_id:00000000}\r\n"
461 "{product_name:ArcherC5,product_ver:2.0.0,special_id:55530000}\r\n"
462 "{product_name:ArcherC5,product_ver:2.0.0,special_id:4A500000}\r\n", /* JP version */
463 .support_trail = '\x00',
464 .soft_ver = NULL,
465
466 .partitions = {
467 {"fs-uboot", 0x00000, 0x40000},
468 {"os-image", 0x40000, 0x200000},
469 {"file-system", 0x240000, 0xc00000},
470 {"default-mac", 0xe40000, 0x00200},
471 {"pin", 0xe40200, 0x00200},
472 {"product-info", 0xe40400, 0x00200},
473 {"partition-table", 0xe50000, 0x10000},
474 {"soft-version", 0xe60000, 0x00200},
475 {"support-list", 0xe61000, 0x0f000},
476 {"profile", 0xe70000, 0x10000},
477 {"default-config", 0xe80000, 0x10000},
478 {"user-config", 0xe90000, 0x50000},
479 {"log", 0xee0000, 0x100000},
480 {"radio_bk", 0xfe0000, 0x10000},
481 {"radio", 0xff0000, 0x10000},
482 {NULL, 0, 0}
483 },
484
485 .first_sysupgrade_partition = "os-image",
486 .last_sysupgrade_partition = "file-system"
487 },
488
489 /** Firmware layout for the C7 */
490 {
491 .id = "ARCHER-C7-V4",
492 .support_list =
493 "SupportList:\n"
494 "{product_name:Archer C7,product_ver:4.0.0,special_id:00000000}\n"
495 "{product_name:Archer C7,product_ver:4.0.0,special_id:41550000}\n"
496 "{product_name:Archer C7,product_ver:4.0.0,special_id:45550000}\n"
497 "{product_name:Archer C7,product_ver:4.0.0,special_id:4B520000}\n"
498 "{product_name:Archer C7,product_ver:4.0.0,special_id:42520000}\n"
499 "{product_name:Archer C7,product_ver:4.0.0,special_id:4A500000}\n"
500 "{product_name:Archer C7,product_ver:4.0.0,special_id:52550000}\n"
501 "{product_name:Archer C7,product_ver:4.0.0,special_id:54570000}\n"
502 "{product_name:Archer C7,product_ver:4.0.0,special_id:55530000}\n"
503 "{product_name:Archer C7,product_ver:4.0.0,special_id:43410000}\n",
504 .support_trail = '\x00',
505 .soft_ver = "soft_ver:1.0.0\n",
506
507 /**
508 We use a bigger os-image partition than the stock images (and thus
509 smaller file-system), as our kernel doesn't fit in the stock firmware's
510 1MB os-image.
511 */
512 .partitions = {
513 {"factory-boot", 0x00000, 0x20000},
514 {"fs-uboot", 0x20000, 0x20000},
515 {"os-image", 0x40000, 0x180000}, /* Stock: base 0x40000 size 0x120000 */
516 {"file-system", 0x1c0000, 0xd40000}, /* Stock: base 0x160000 size 0xda0000 */
517 {"default-mac", 0xf00000, 0x00200},
518 {"pin", 0xf00200, 0x00200},
519 {"device-id", 0xf00400, 0x00100},
520 {"product-info", 0xf00500, 0x0fb00},
521 {"soft-version", 0xf10000, 0x00100},
522 {"extra-para", 0xf11000, 0x01000},
523 {"support-list", 0xf12000, 0x0a000},
524 {"profile", 0xf1c000, 0x04000},
525 {"default-config", 0xf20000, 0x10000},
526 {"user-config", 0xf30000, 0x40000},
527 {"qos-db", 0xf70000, 0x40000},
528 {"certificate", 0xfb0000, 0x10000},
529 {"partition-table", 0xfc0000, 0x10000},
530 {"log", 0xfd0000, 0x20000},
531 {"radio", 0xff0000, 0x10000},
532 {NULL, 0, 0}
533 },
534
535 .first_sysupgrade_partition = "os-image",
536 .last_sysupgrade_partition = "file-system",
537 },
538
539 /** Firmware layout for the C9 */
540 {
541 .id = "ARCHERC9",
542 .vendor = "",
543 .support_list =
544 "SupportList:\n"
545 "{product_name:ArcherC9,"
546 "product_ver:1.0.0,"
547 "special_id:00000000}\n",
548 .support_trail = '\x00',
549 .soft_ver = NULL,
550
551 .partitions = {
552 {"fs-uboot", 0x00000, 0x40000},
553 {"os-image", 0x40000, 0x200000},
554 {"file-system", 0x240000, 0xc00000},
555 {"default-mac", 0xe40000, 0x00200},
556 {"pin", 0xe40200, 0x00200},
557 {"product-info", 0xe40400, 0x00200},
558 {"partition-table", 0xe50000, 0x10000},
559 {"soft-version", 0xe60000, 0x00200},
560 {"support-list", 0xe61000, 0x0f000},
561 {"profile", 0xe70000, 0x10000},
562 {"default-config", 0xe80000, 0x10000},
563 {"user-config", 0xe90000, 0x50000},
564 {"log", 0xee0000, 0x100000},
565 {"radio_bk", 0xfe0000, 0x10000},
566 {"radio", 0xff0000, 0x10000},
567 {NULL, 0, 0}
568 },
569
570 .first_sysupgrade_partition = "os-image",
571 .last_sysupgrade_partition = "file-system"
572 },
573
574 /** Firmware layout for the EAP120 */
575 {
576 .id = "EAP120",
577 .vendor = "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
578 .support_list =
579 "SupportList:\r\n"
580 "EAP120(TP-LINK|UN|N300-2):1.0\r\n",
581 .support_trail = '\xff',
582 .soft_ver = NULL,
583
584 .partitions = {
585 {"fs-uboot", 0x00000, 0x20000},
586 {"partition-table", 0x20000, 0x02000},
587 {"default-mac", 0x30000, 0x00020},
588 {"support-list", 0x31000, 0x00100},
589 {"product-info", 0x31100, 0x00100},
590 {"soft-version", 0x32000, 0x00100},
591 {"os-image", 0x40000, 0x180000},
592 {"file-system", 0x1c0000, 0x600000},
593 {"user-config", 0x7c0000, 0x10000},
594 {"backup-config", 0x7d0000, 0x10000},
595 {"log", 0x7e0000, 0x10000},
596 {"radio", 0x7f0000, 0x10000},
597 {NULL, 0, 0}
598 },
599
600 .first_sysupgrade_partition = "os-image",
601 .last_sysupgrade_partition = "file-system"
602 },
603
604 /** Firmware layout for the TL-WA850RE v2 */
605 {
606 .id = "TLWA850REV2",
607 .vendor = "",
608 .support_list =
609 "SupportList:\n"
610 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55530000}\n"
611 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:00000000}\n"
612 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:55534100}\n"
613 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:45550000}\n"
614 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4B520000}\n"
615 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:42520000}\n"
616 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:4A500000}\n"
617 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:43410000}\n"
618 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:41550000}\n"
619 "{product_name:TL-WA850RE,product_ver:2.0.0,special_id:52550000}\n",
620 .support_trail = '\x00',
621 .soft_ver = NULL,
622
623 /**
624 576KB were moved from file-system to os-image
625 in comparison to the stock image
626 */
627 .partitions = {
628 {"fs-uboot", 0x00000, 0x20000},
629 {"os-image", 0x20000, 0x150000},
630 {"file-system", 0x170000, 0x240000},
631 {"partition-table", 0x3b0000, 0x02000},
632 {"default-mac", 0x3c0000, 0x00020},
633 {"pin", 0x3c0100, 0x00020},
634 {"product-info", 0x3c1000, 0x01000},
635 {"soft-version", 0x3c2000, 0x00100},
636 {"support-list", 0x3c3000, 0x01000},
637 {"profile", 0x3c4000, 0x08000},
638 {"user-config", 0x3d0000, 0x10000},
639 {"default-config", 0x3e0000, 0x10000},
640 {"radio", 0x3f0000, 0x10000},
641 {NULL, 0, 0}
642 },
643
644 .first_sysupgrade_partition = "os-image",
645 .last_sysupgrade_partition = "file-system"
646 },
647
648 /** Firmware layout for the TL-WA855RE v1 */
649 {
650 .id = "TLWA855REV1",
651 .vendor = "",
652 .support_list =
653 "SupportList:\n"
654 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:00000000}\n"
655 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:55530000}\n"
656 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:45550000}\n"
657 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4B520000}\n"
658 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:42520000}\n"
659 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:4A500000}\n"
660 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:43410000}\n"
661 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:41550000}\n"
662 "{product_name:TL-WA855RE,product_ver:1.0.0,special_id:52550000}\n",
663 .support_trail = '\x00',
664 .soft_ver = NULL,
665
666 .partitions = {
667 {"fs-uboot", 0x00000, 0x20000},
668 {"os-image", 0x20000, 0x150000},
669 {"file-system", 0x170000, 0x240000},
670 {"partition-table", 0x3b0000, 0x02000},
671 {"default-mac", 0x3c0000, 0x00020},
672 {"pin", 0x3c0100, 0x00020},
673 {"product-info", 0x3c1000, 0x01000},
674 {"soft-version", 0x3c2000, 0x00100},
675 {"support-list", 0x3c3000, 0x01000},
676 {"profile", 0x3c4000, 0x08000},
677 {"user-config", 0x3d0000, 0x10000},
678 {"default-config", 0x3e0000, 0x10000},
679 {"radio", 0x3f0000, 0x10000},
680 {NULL, 0, 0}
681 },
682
683 .first_sysupgrade_partition = "os-image",
684 .last_sysupgrade_partition = "file-system"
685 },
686
687 /** Firmware layout for the TL-WR1043 v5 */
688 {
689 .id = "TLWR1043NV5",
690 .vendor = "",
691 .support_list =
692 "SupportList:\n"
693 "{product_name:TL-WR1043N,product_ver:5.0.0,special_id:45550000}\n"
694 "{product_name:TL-WR1043N,product_ver:5.0.0,special_id:55530000}\n",
695 .support_trail = '\x00',
696 .soft_ver = "soft_ver:1.0.0\n",
697 .partitions = {
698 {"factory-boot", 0x00000, 0x20000},
699 {"fs-uboot", 0x20000, 0x20000},
700 {"os-image", 0x40000, 0x180000},
701 {"file-system", 0x1c0000, 0xd40000},
702 {"default-mac", 0xf00000, 0x00200},
703 {"pin", 0xf00200, 0x00200},
704 {"device-id", 0xf00400, 0x00100},
705 {"product-info", 0xf00500, 0x0fb00},
706 {"soft-version", 0xf10000, 0x01000},
707 {"extra-para", 0xf11000, 0x01000},
708 {"support-list", 0xf12000, 0x0a000},
709 {"profile", 0xf1c000, 0x04000},
710 {"default-config", 0xf20000, 0x10000},
711 {"user-config", 0xf30000, 0x40000},
712 {"qos-db", 0xf70000, 0x40000},
713 {"certificate", 0xfb0000, 0x10000},
714 {"partition-table", 0xfc0000, 0x10000},
715 {"log", 0xfd0000, 0x20000},
716 {"radio", 0xff0000, 0x10000},
717 {NULL, 0, 0}
718 },
719 .first_sysupgrade_partition = "os-image",
720 .last_sysupgrade_partition = "file-system"
721 },
722
723 /** Firmware layout for the TL-WR1043 v4 */
724 {
725 .id = "TLWR1043NDV4",
726 .vendor = "",
727 .support_list =
728 "SupportList:\n"
729 "{product_name:TL-WR1043ND,product_ver:4.0.0,special_id:45550000}\n",
730 .support_trail = '\x00',
731 .soft_ver = NULL,
732
733 /**
734 We use a bigger os-image partition than the stock images (and thus
735 smaller file-system), as our kernel doesn't fit in the stock firmware's
736 1MB os-image.
737 */
738 .partitions = {
739 {"fs-uboot", 0x00000, 0x20000},
740 {"os-image", 0x20000, 0x180000},
741 {"file-system", 0x1a0000, 0xdb0000},
742 {"default-mac", 0xf50000, 0x00200},
743 {"pin", 0xf50200, 0x00200},
744 {"product-info", 0xf50400, 0x0fc00},
745 {"soft-version", 0xf60000, 0x0b000},
746 {"support-list", 0xf6b000, 0x04000},
747 {"profile", 0xf70000, 0x04000},
748 {"default-config", 0xf74000, 0x0b000},
749 {"user-config", 0xf80000, 0x40000},
750 {"partition-table", 0xfc0000, 0x10000},
751 {"log", 0xfd0000, 0x20000},
752 {"radio", 0xff0000, 0x10000},
753 {NULL, 0, 0}
754 },
755
756 .first_sysupgrade_partition = "os-image",
757 .last_sysupgrade_partition = "file-system"
758 },
759
760 /** Firmware layout for the TL-WR902AC v1 */
761 {
762 .id = "TL-WR902AC-V1",
763 .vendor = "",
764 .support_list =
765 "SupportList:\n"
766 "{product_name:TL-WR902AC,product_ver:1.0.0,special_id:45550000}\n"
767 "{product_name:TL-WR902AC,product_ver:1.0.0,special_id:55530000}\n",
768 .support_trail = '\x00',
769 .soft_ver = NULL,
770
771 /**
772 384KB were moved from file-system to os-image
773 in comparison to the stock image
774 */
775 .partitions = {
776 {"fs-uboot", 0x00000, 0x20000},
777 {"os-image", 0x20000, 0x180000},
778 {"file-system", 0x1a0000, 0x5b0000},
779 {"default-mac", 0x750000, 0x00200},
780 {"pin", 0x750200, 0x00200},
781 {"product-info", 0x750400, 0x0fc00},
782 {"soft-version", 0x760000, 0x0b000},
783 {"support-list", 0x76b000, 0x04000},
784 {"profile", 0x770000, 0x04000},
785 {"default-config", 0x774000, 0x0b000},
786 {"user-config", 0x780000, 0x40000},
787 {"partition-table", 0x7c0000, 0x10000},
788 {"log", 0x7d0000, 0x20000},
789 {"radio", 0x7f0000, 0x10000},
790 {NULL, 0, 0}
791 },
792
793 .first_sysupgrade_partition = "os-image",
794 .last_sysupgrade_partition = "file-system",
795 },
796
797 /** Firmware layout for the TL-WR942N V1 */
798 {
799 .id = "TLWR942NV1",
800 .vendor = "",
801 .support_list =
802 "SupportList:\r\n"
803 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:00000000}\r\n"
804 "{product_name:TL-WR942N,product_ver:1.0.0,special_id:52550000}\r\n",
805 .support_trail = '\x00',
806 .soft_ver = NULL,
807
808 .partitions = {
809 {"fs-uboot", 0x00000, 0x20000},
810 {"os-image", 0x20000, 0x180000},
811 {"file-system", 0x1a0000, 0xca0000},
812 {"default-mac", 0xe40000, 0x00200},
813 {"pin", 0xe40200, 0x00200},
814 {"product-info", 0xe40400, 0x0fc00},
815 {"partition-table", 0xe50000, 0x10000},
816 {"soft-version", 0xe60000, 0x10000},
817 {"support-list", 0xe70000, 0x10000},
818 {"profile", 0xe80000, 0x10000},
819 {"default-config", 0xe90000, 0x10000},
820 {"user-config", 0xea0000, 0x40000},
821 {"qos-db", 0xee0000, 0x40000},
822 {"certificate", 0xf20000, 0x10000},
823 {"usb-config", 0xfb0000, 0x10000},
824 {"log", 0xfc0000, 0x20000},
825 {"radio-bk", 0xfe0000, 0x10000},
826 {"radio", 0xff0000, 0x10000},
827 {NULL, 0, 0}
828 },
829
830 .first_sysupgrade_partition = "os-image",
831 .last_sysupgrade_partition = "file-system",
832 },
833
834 /** Firmware layout for the RE350 v1 */
835 {
836 .id = "RE350-V1",
837 .vendor = "",
838 .support_list =
839 "SupportList:\n"
840 "{product_name:RE350,product_ver:1.0.0,special_id:45550000}\n"
841 "{product_name:RE350,product_ver:1.0.0,special_id:00000000}\n"
842 "{product_name:RE350,product_ver:1.0.0,special_id:41550000}\n"
843 "{product_name:RE350,product_ver:1.0.0,special_id:55530000}\n"
844 "{product_name:RE350,product_ver:1.0.0,special_id:43410000}\n"
845 "{product_name:RE350,product_ver:1.0.0,special_id:4b520000}\n"
846 "{product_name:RE350,product_ver:1.0.0,special_id:4a500000}\n",
847 .support_trail = '\x00',
848 .soft_ver = NULL,
849
850 /**
851 The original os-image partition is too small,
852 so we enlarge it to 1.6M
853 */
854 .partitions = {
855 {"fs-uboot", 0x00000, 0x20000},
856 {"os-image", 0x20000, 0x1a0000},
857 {"file-system", 0x1c0000, 0x440000},
858 {"partition-table", 0x600000, 0x02000},
859 {"default-mac", 0x610000, 0x00020},
860 {"pin", 0x610100, 0x00020},
861 {"product-info", 0x611100, 0x01000},
862 {"soft-version", 0x620000, 0x01000},
863 {"support-list", 0x621000, 0x01000},
864 {"profile", 0x622000, 0x08000},
865 {"user-config", 0x630000, 0x10000},
866 {"default-config", 0x640000, 0x10000},
867 {"radio", 0x7f0000, 0x10000},
868 {NULL, 0, 0}
869 },
870
871 .first_sysupgrade_partition = "os-image",
872 .last_sysupgrade_partition = "file-system"
873 },
874
875 /** Firmware layout for the RE355 */
876 {
877 .id = "RE355",
878 .vendor = "",
879 .support_list =
880 "SupportList:\r\n"
881 "{product_name:RE355,product_ver:1.0.0,special_id:00000000}\r\n"
882 "{product_name:RE355,product_ver:1.0.0,special_id:55530000}\r\n"
883 "{product_name:RE355,product_ver:1.0.0,special_id:45550000}\r\n"
884 "{product_name:RE355,product_ver:1.0.0,special_id:4A500000}\r\n"
885 "{product_name:RE355,product_ver:1.0.0,special_id:43410000}\r\n"
886 "{product_name:RE355,product_ver:1.0.0,special_id:41550000}\r\n"
887 "{product_name:RE355,product_ver:1.0.0,special_id:4B520000}\r\n"
888 "{product_name:RE355,product_ver:1.0.0,special_id:55534100}\r\n",
889 .support_trail = '\x00',
890 .soft_ver = NULL,
891
892 /**
893 The flash partition table for RE355;
894 it is almost the same as the one used by the stock images,
895 576KB were moved from file-system to os-image.
896 */
897 .partitions = {
898 {"fs-uboot", 0x00000, 0x20000},
899 {"os-image", 0x20000, 0x180000},
900 {"file-system", 0x1a0000, 0x460000},
901 {"partition-table", 0x600000, 0x02000},
902 {"default-mac", 0x610000, 0x00020},
903 {"pin", 0x610100, 0x00020},
904 {"product-info", 0x611100, 0x01000},
905 {"soft-version", 0x620000, 0x01000},
906 {"support-list", 0x621000, 0x01000},
907 {"profile", 0x622000, 0x08000},
908 {"user-config", 0x630000, 0x10000},
909 {"default-config", 0x640000, 0x10000},
910 {"radio", 0x7f0000, 0x10000},
911 {NULL, 0, 0}
912 },
913
914 .first_sysupgrade_partition = "os-image",
915 .last_sysupgrade_partition = "file-system"
916 },
917
918 /** Firmware layout for the RE450 */
919 {
920 .id = "RE450",
921 .vendor = "",
922 .support_list =
923 "SupportList:\r\n"
924 "{product_name:RE450,product_ver:1.0.0,special_id:00000000}\r\n"
925 "{product_name:RE450,product_ver:1.0.0,special_id:55530000}\r\n"
926 "{product_name:RE450,product_ver:1.0.0,special_id:45550000}\r\n"
927 "{product_name:RE450,product_ver:1.0.0,special_id:4A500000}\r\n"
928 "{product_name:RE450,product_ver:1.0.0,special_id:43410000}\r\n"
929 "{product_name:RE450,product_ver:1.0.0,special_id:41550000}\r\n"
930 "{product_name:RE450,product_ver:1.0.0,special_id:4B520000}\r\n"
931 "{product_name:RE450,product_ver:1.0.0,special_id:55534100}\r\n",
932 .support_trail = '\x00',
933 .soft_ver = NULL,
934
935 /**
936 The flash partition table for RE450;
937 it is almost the same as the one used by the stock images,
938 576KB were moved from file-system to os-image.
939 */
940 .partitions = {
941 {"fs-uboot", 0x00000, 0x20000},
942 {"os-image", 0x20000, 0x180000},
943 {"file-system", 0x1a0000, 0x460000},
944 {"partition-table", 0x600000, 0x02000},
945 {"default-mac", 0x610000, 0x00020},
946 {"pin", 0x610100, 0x00020},
947 {"product-info", 0x611100, 0x01000},
948 {"soft-version", 0x620000, 0x01000},
949 {"support-list", 0x621000, 0x01000},
950 {"profile", 0x622000, 0x08000},
951 {"user-config", 0x630000, 0x10000},
952 {"default-config", 0x640000, 0x10000},
953 {"radio", 0x7f0000, 0x10000},
954 {NULL, 0, 0}
955 },
956
957 .first_sysupgrade_partition = "os-image",
958 .last_sysupgrade_partition = "file-system"
959 },
960
961 {}
962 };
963
964 #define error(_ret, _errno, _str, ...) \
965 do { \
966 fprintf(stderr, _str ": %s\n", ## __VA_ARGS__, \
967 strerror(_errno)); \
968 if (_ret) \
969 exit(_ret); \
970 } while (0)
971
972
973 /** Stores a uint32 as big endian */
974 static inline void put32(uint8_t *buf, uint32_t val) {
975 buf[0] = val >> 24;
976 buf[1] = val >> 16;
977 buf[2] = val >> 8;
978 buf[3] = val;
979 }
980
981 /** Allocates a new image partition */
982 static struct image_partition_entry alloc_image_partition(const char *name, size_t len) {
983 struct image_partition_entry entry = {name, len, malloc(len)};
984 if (!entry.data)
985 error(1, errno, "malloc");
986
987 return entry;
988 }
989
990 /** Frees an image partition */
991 static void free_image_partition(struct image_partition_entry entry) {
992 free(entry.data);
993 }
994
995 static time_t source_date_epoch = -1;
996 static void set_source_date_epoch() {
997 char *env = getenv("SOURCE_DATE_EPOCH");
998 char *endptr = env;
999 errno = 0;
1000 if (env && *env) {
1001 source_date_epoch = strtoull(env, &endptr, 10);
1002 if (errno || (endptr && *endptr != '\0')) {
1003 fprintf(stderr, "Invalid SOURCE_DATE_EPOCH");
1004 exit(1);
1005 }
1006 }
1007 }
1008
1009 /** Generates the partition-table partition */
1010 static struct image_partition_entry make_partition_table(const struct flash_partition_entry *p) {
1011 struct image_partition_entry entry = alloc_image_partition("partition-table", 0x800);
1012
1013 char *s = (char *)entry.data, *end = (char *)(s+entry.size);
1014
1015 *(s++) = 0x00;
1016 *(s++) = 0x04;
1017 *(s++) = 0x00;
1018 *(s++) = 0x00;
1019
1020 size_t i;
1021 for (i = 0; p[i].name; i++) {
1022 size_t len = end-s;
1023 size_t w = snprintf(s, len, "partition %s base 0x%05x size 0x%05x\n", p[i].name, p[i].base, p[i].size);
1024
1025 if (w > len-1)
1026 error(1, 0, "flash partition table overflow?");
1027
1028 s += w;
1029 }
1030
1031 s++;
1032
1033 memset(s, 0xff, end-s);
1034
1035 return entry;
1036 }
1037
1038
1039 /** Generates a binary-coded decimal representation of an integer in the range [0, 99] */
1040 static inline uint8_t bcd(uint8_t v) {
1041 return 0x10 * (v/10) + v%10;
1042 }
1043
1044
1045 /** Generates the soft-version partition */
1046 static struct image_partition_entry make_soft_version(uint32_t rev) {
1047 struct image_partition_entry entry = alloc_image_partition("soft-version", sizeof(struct soft_version));
1048 struct soft_version *s = (struct soft_version *)entry.data;
1049
1050 time_t t;
1051
1052 if (source_date_epoch != -1)
1053 t = source_date_epoch;
1054 else if (time(&t) == (time_t)(-1))
1055 error(1, errno, "time");
1056
1057 struct tm *tm = localtime(&t);
1058
1059 s->magic = htonl(0x0000000c);
1060 s->zero = 0;
1061 s->pad1 = 0xff;
1062
1063 s->version_major = 0;
1064 s->version_minor = 0;
1065 s->version_patch = 0;
1066
1067 s->year_hi = bcd((1900+tm->tm_year)/100);
1068 s->year_lo = bcd(tm->tm_year%100);
1069 s->month = bcd(tm->tm_mon+1);
1070 s->day = bcd(tm->tm_mday);
1071 s->rev = htonl(rev);
1072
1073 s->pad2 = 0xff;
1074
1075 return entry;
1076 }
1077
1078 static struct image_partition_entry make_soft_version_from_string(const char *soft_ver) {
1079 /** String length _including_ the terminating zero byte */
1080 uint32_t ver_len = strlen(soft_ver) + 1;
1081 /** Partition contains 64 bit header, the version string, and one additional null byte */
1082 size_t partition_len = 2*sizeof(uint32_t) + ver_len + 1;
1083 struct image_partition_entry entry = alloc_image_partition("soft-version", partition_len);
1084
1085 uint32_t *len = (uint32_t *)entry.data;
1086 len[0] = htonl(ver_len);
1087 len[1] = 0;
1088 memcpy(&len[2], soft_ver, ver_len);
1089
1090 entry.data[partition_len - 1] = 0;
1091
1092 return entry;
1093 }
1094
1095 /** Generates the support-list partition */
1096 static struct image_partition_entry make_support_list(const struct device_info *info) {
1097 size_t len = strlen(info->support_list);
1098 struct image_partition_entry entry = alloc_image_partition("support-list", len + 9);
1099
1100 put32(entry.data, len);
1101 memset(entry.data+4, 0, 4);
1102 memcpy(entry.data+8, info->support_list, len);
1103 entry.data[len+8] = info->support_trail;
1104
1105 return entry;
1106 }
1107
1108 /** Creates a new image partition with an arbitrary name from a file */
1109 static struct image_partition_entry read_file(const char *part_name, const char *filename, bool add_jffs2_eof) {
1110 struct stat statbuf;
1111
1112 if (stat(filename, &statbuf) < 0)
1113 error(1, errno, "unable to stat file `%s'", filename);
1114
1115 size_t len = statbuf.st_size;
1116
1117 if (add_jffs2_eof)
1118 len = ALIGN(len, 0x10000) + sizeof(jffs2_eof_mark);
1119
1120 struct image_partition_entry entry = alloc_image_partition(part_name, len);
1121
1122 FILE *file = fopen(filename, "rb");
1123 if (!file)
1124 error(1, errno, "unable to open file `%s'", filename);
1125
1126 if (fread(entry.data, statbuf.st_size, 1, file) != 1)
1127 error(1, errno, "unable to read file `%s'", filename);
1128
1129 if (add_jffs2_eof) {
1130 uint8_t *eof = entry.data + statbuf.st_size, *end = entry.data+entry.size;
1131
1132 memset(eof, 0xff, end - eof - sizeof(jffs2_eof_mark));
1133 memcpy(end - sizeof(jffs2_eof_mark), jffs2_eof_mark, sizeof(jffs2_eof_mark));
1134 }
1135
1136 fclose(file);
1137
1138 return entry;
1139 }
1140
1141 /** Creates a new image partition from arbitrary data */
1142 static struct image_partition_entry put_data(const char *part_name, const char *datain, size_t len) {
1143
1144 struct image_partition_entry entry = alloc_image_partition(part_name, len);
1145
1146 memcpy(entry.data, datain, len);
1147
1148 return entry;
1149 }
1150
1151 /**
1152 Copies a list of image partitions into an image buffer and generates the image partition table while doing so
1153
1154 Example image partition table:
1155
1156 fwup-ptn partition-table base 0x00800 size 0x00800
1157 fwup-ptn os-image base 0x01000 size 0x113b45
1158 fwup-ptn file-system base 0x114b45 size 0x1d0004
1159 fwup-ptn support-list base 0x2e4b49 size 0x000d1
1160
1161 Each line of the partition table is terminated with the bytes 09 0d 0a ("\t\r\n"),
1162 the end of the partition table is marked with a zero byte.
1163
1164 The firmware image must contain at least the partition-table and support-list partitions
1165 to be accepted. There aren't any alignment constraints for the image partitions.
1166
1167 The partition-table partition contains the actual flash layout; partitions
1168 from the image partition table are mapped to the corresponding flash partitions during
1169 the firmware upgrade. The support-list partition contains a list of devices supported by
1170 the firmware image.
1171
1172 The base offsets in the firmware partition table are relative to the end
1173 of the vendor information block, so the partition-table partition will
1174 actually start at offset 0x1814 of the image.
1175
1176 I think partition-table must be the first partition in the firmware image.
1177 */
1178 static void put_partitions(uint8_t *buffer, const struct flash_partition_entry *flash_parts, const struct image_partition_entry *parts) {
1179 size_t i, j;
1180 char *image_pt = (char *)buffer, *end = image_pt + 0x800;
1181
1182 size_t base = 0x800;
1183 for (i = 0; parts[i].name; i++) {
1184 for (j = 0; flash_parts[j].name; j++) {
1185 if (!strcmp(flash_parts[j].name, parts[i].name)) {
1186 if (parts[i].size > flash_parts[j].size)
1187 error(1, 0, "%s partition too big (more than %u bytes)", flash_parts[j].name, (unsigned)flash_parts[j].size);
1188 break;
1189 }
1190 }
1191
1192 assert(flash_parts[j].name);
1193
1194 memcpy(buffer + base, parts[i].data, parts[i].size);
1195
1196 size_t len = end-image_pt;
1197 size_t w = snprintf(image_pt, len, "fwup-ptn %s base 0x%05x size 0x%05x\t\r\n", parts[i].name, (unsigned)base, (unsigned)parts[i].size);
1198
1199 if (w > len-1)
1200 error(1, 0, "image partition table overflow?");
1201
1202 image_pt += w;
1203
1204 base += parts[i].size;
1205 }
1206 }
1207
1208 /** Generates and writes the image MD5 checksum */
1209 static void put_md5(uint8_t *md5, uint8_t *buffer, unsigned int len) {
1210 MD5_CTX ctx;
1211
1212 MD5_Init(&ctx);
1213 MD5_Update(&ctx, md5_salt, (unsigned int)sizeof(md5_salt));
1214 MD5_Update(&ctx, buffer, len);
1215 MD5_Final(md5, &ctx);
1216 }
1217
1218
1219 /**
1220 Generates the firmware image in factory format
1221
1222 Image format:
1223
1224 Bytes (hex) Usage
1225 ----------- -----
1226 0000-0003 Image size (4 bytes, big endian)
1227 0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
1228 0014-0017 Vendor information length (without padding) (4 bytes, big endian)
1229 0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
1230 (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
1231 1014-1813 Image partition table (2048 bytes, padded with 0xff)
1232 1814-xxxx Firmware partitions
1233 */
1234 static void * generate_factory_image(const struct device_info *info, const struct image_partition_entry *parts, size_t *len) {
1235 *len = 0x1814;
1236
1237 size_t i;
1238 for (i = 0; parts[i].name; i++)
1239 *len += parts[i].size;
1240
1241 uint8_t *image = malloc(*len);
1242 if (!image)
1243 error(1, errno, "malloc");
1244
1245 memset(image, 0xff, *len);
1246 put32(image, *len);
1247
1248 if (info->vendor) {
1249 size_t vendor_len = strlen(info->vendor);
1250 put32(image+0x14, vendor_len);
1251 memcpy(image+0x18, info->vendor, vendor_len);
1252 }
1253
1254 put_partitions(image + 0x1014, info->partitions, parts);
1255 put_md5(image+0x04, image+0x14, *len-0x14);
1256
1257 return image;
1258 }
1259
1260 /**
1261 Generates the firmware image in sysupgrade format
1262
1263 This makes some assumptions about the provided flash and image partition tables and
1264 should be generalized when TP-LINK starts building its safeloader into hardware with
1265 different flash layouts.
1266 */
1267 static void * generate_sysupgrade_image(const struct device_info *info, const struct image_partition_entry *image_parts, size_t *len) {
1268 size_t i, j;
1269 size_t flash_first_partition_index = 0;
1270 size_t flash_last_partition_index = 0;
1271 const struct flash_partition_entry *flash_first_partition = NULL;
1272 const struct flash_partition_entry *flash_last_partition = NULL;
1273 const struct image_partition_entry *image_last_partition = NULL;
1274
1275 /** Find first and last partitions */
1276 for (i = 0; info->partitions[i].name; i++) {
1277 if (!strcmp(info->partitions[i].name, info->first_sysupgrade_partition)) {
1278 flash_first_partition = &info->partitions[i];
1279 flash_first_partition_index = i;
1280 } else if (!strcmp(info->partitions[i].name, info->last_sysupgrade_partition)) {
1281 flash_last_partition = &info->partitions[i];
1282 flash_last_partition_index = i;
1283 }
1284 }
1285
1286 assert(flash_first_partition && flash_last_partition);
1287 assert(flash_first_partition_index < flash_last_partition_index);
1288
1289 /** Find last partition from image to calculate needed size */
1290 for (i = 0; image_parts[i].name; i++) {
1291 if (!strcmp(image_parts[i].name, info->last_sysupgrade_partition)) {
1292 image_last_partition = &image_parts[i];
1293 break;
1294 }
1295 }
1296
1297 assert(image_last_partition);
1298
1299 *len = flash_last_partition->base - flash_first_partition->base + image_last_partition->size;
1300
1301 uint8_t *image = malloc(*len);
1302 if (!image)
1303 error(1, errno, "malloc");
1304
1305 memset(image, 0xff, *len);
1306
1307 for (i = flash_first_partition_index; i <= flash_last_partition_index; i++) {
1308 for (j = 0; image_parts[j].name; j++) {
1309 if (!strcmp(info->partitions[i].name, image_parts[j].name)) {
1310 if (image_parts[j].size > info->partitions[i].size)
1311 error(1, 0, "%s partition too big (more than %u bytes)", info->partitions[i].name, (unsigned)info->partitions[i].size);
1312 memcpy(image + info->partitions[i].base - flash_first_partition->base, image_parts[j].data, image_parts[j].size);
1313 break;
1314 }
1315
1316 assert(image_parts[j].name);
1317 }
1318 }
1319
1320 return image;
1321 }
1322
1323 /** Generates an image according to a given layout and writes it to a file */
1324 static void build_image(const char *output,
1325 const char *kernel_image,
1326 const char *rootfs_image,
1327 uint32_t rev,
1328 bool add_jffs2_eof,
1329 bool sysupgrade,
1330 const struct device_info *info) {
1331
1332 struct image_partition_entry parts[7] = {};
1333
1334 parts[0] = make_partition_table(info->partitions);
1335 if (info->soft_ver)
1336 parts[1] = make_soft_version_from_string(info->soft_ver);
1337 else
1338 parts[1] = make_soft_version(rev);
1339
1340 parts[2] = make_support_list(info);
1341 parts[3] = read_file("os-image", kernel_image, false);
1342 parts[4] = read_file("file-system", rootfs_image, add_jffs2_eof);
1343
1344 /* Some devices need the extra-para partition to accept the firmware */
1345 if (strcasecmp(info->id, "ARCHER-C25-V1") == 0 ||
1346 strcasecmp(info->id, "TLWR1043NV5") == 0) {
1347 const char mdat[11] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00};
1348 parts[5] = put_data("extra-para", mdat, 11);
1349 } else if (strcasecmp(info->id, "ARCHER-C7-V4") == 0) {
1350 const char mdat[11] = {0x01, 0x00, 0x00, 0x02, 0x00, 0x00, 0xca, 0x00, 0x01, 0x00, 0x00};
1351 parts[5] = put_data("extra-para", mdat, 11);
1352 }
1353
1354 size_t len;
1355 void *image;
1356 if (sysupgrade)
1357 image = generate_sysupgrade_image(info, parts, &len);
1358 else
1359 image = generate_factory_image(info, parts, &len);
1360
1361 FILE *file = fopen(output, "wb");
1362 if (!file)
1363 error(1, errno, "unable to open output file");
1364
1365 if (fwrite(image, len, 1, file) != 1)
1366 error(1, 0, "unable to write output file");
1367
1368 fclose(file);
1369
1370 free(image);
1371
1372 size_t i;
1373 for (i = 0; parts[i].name; i++)
1374 free_image_partition(parts[i]);
1375 }
1376
1377 /** Usage output */
1378 static void usage(const char *argv0) {
1379 fprintf(stderr,
1380 "Usage: %s [OPTIONS...]\n"
1381 "\n"
1382 "Options:\n"
1383 " -h show this help\n"
1384 "\n"
1385 "Create a new image:\n"
1386 " -B <board> create image for the board specified with <board>\n"
1387 " -k <file> read kernel image from the file <file>\n"
1388 " -r <file> read rootfs image from the file <file>\n"
1389 " -o <file> write output to the file <file>\n"
1390 " -V <rev> sets the revision number to <rev>\n"
1391 " -j add jffs2 end-of-filesystem markers\n"
1392 " -S create sysupgrade instead of factory image\n"
1393 "Extract an old image:\n"
1394 " -x <file> extract all oem firmware partition\n"
1395 " -d <dir> destination to extract the firmware partition\n"
1396 " -z <file> convert an oem firmware into a sysupgade file. Use -o for output file\n",
1397 argv0
1398 );
1399 };
1400
1401
1402 static const struct device_info *find_board(const char *id)
1403 {
1404 struct device_info *board = NULL;
1405
1406 for (board = boards; board->id != NULL; board++)
1407 if (strcasecmp(id, board->id) == 0)
1408 return board;
1409
1410 return NULL;
1411 }
1412
1413 static int add_flash_partition(
1414 struct flash_partition_entry *part_list,
1415 size_t max_entries,
1416 const char *name,
1417 unsigned long base,
1418 unsigned long size)
1419 {
1420 int ptr;
1421 /* check if the list has a free entry */
1422 for (ptr = 0; ptr < max_entries; ptr++, part_list++) {
1423 if (part_list->name == NULL &&
1424 part_list->base == 0 &&
1425 part_list->size == 0)
1426 break;
1427 }
1428
1429 if (ptr == max_entries) {
1430 error(1, 0, "No free flash part entry available.");
1431 }
1432
1433 part_list->name = calloc(1, strlen(name) + 1);
1434 memcpy((char *)part_list->name, name, strlen(name));
1435 part_list->base = base;
1436 part_list->size = size;
1437
1438 return 0;
1439 }
1440
1441 /** read the partition table into struct flash_partition_entry */
1442 static int read_partition_table(
1443 FILE *file, long offset,
1444 struct flash_partition_entry *entries, size_t max_entries,
1445 int type)
1446 {
1447 char buf[2048];
1448 char *ptr, *end;
1449 const char *parthdr = NULL;
1450 const char *fwuphdr = "fwup-ptn";
1451 const char *flashhdr = "partition";
1452
1453 /* TODO: search for the partition table */
1454
1455 switch(type) {
1456 case 0:
1457 parthdr = fwuphdr;
1458 break;
1459 case 1:
1460 parthdr = flashhdr;
1461 break;
1462 default:
1463 error(1, 0, "Invalid partition table");
1464 }
1465
1466 if (fseek(file, offset, SEEK_SET) < 0)
1467 error(1, errno, "Can not seek in the firmware");
1468
1469 if (fread(buf, 1, 2048, file) < 0)
1470 error(1, errno, "Can not read fwup-ptn from the firmware");
1471
1472 buf[2047] = '\0';
1473
1474 /* look for the partition header */
1475 if (memcmp(buf, parthdr, strlen(parthdr)) != 0) {
1476 fprintf(stderr, "DEBUG: can not find fwuphdr\n");
1477 return 1;
1478 }
1479
1480 ptr = buf;
1481 end = buf + sizeof(buf);
1482 while ((ptr + strlen(parthdr)) < end &&
1483 memcmp(ptr, parthdr, strlen(parthdr)) == 0) {
1484 char *end_part;
1485 char *end_element;
1486
1487 char name[32] = { 0 };
1488 int name_len = 0;
1489 unsigned long base = 0;
1490 unsigned long size = 0;
1491
1492 end_part = memchr(ptr, '\n', (end - ptr));
1493 if (end_part == NULL) {
1494 /* in theory this should never happen, because a partition always ends with 0x09, 0x0D, 0x0A */
1495 break;
1496 }
1497
1498 for (int i = 0; i <= 4; i++) {
1499 if (end_part <= ptr)
1500 break;
1501
1502 end_element = memchr(ptr, 0x20, (end_part - ptr));
1503 if (end_element == NULL) {
1504 error(1, errno, "Ignoring the rest of the partition entries.");
1505 break;
1506 }
1507
1508 switch (i) {
1509 /* partition header */
1510 case 0:
1511 ptr = end_element + 1;
1512 continue;
1513 /* name */
1514 case 1:
1515 name_len = (end_element - ptr) > 31 ? 31 : (end_element - ptr);
1516 strncpy(name, ptr, name_len);
1517 name[name_len] = '\0';
1518 ptr = end_element + 1;
1519 continue;
1520
1521 /* string "base" */
1522 case 2:
1523 ptr = end_element + 1;
1524 continue;
1525
1526 /* actual base */
1527 case 3:
1528 base = strtoul(ptr, NULL, 16);
1529 ptr = end_element + 1;
1530 continue;
1531
1532 /* string "size" */
1533 case 4:
1534 ptr = end_element + 1;
1535 /* actual size. The last element doesn't have a sepeartor */
1536 size = strtoul(ptr, NULL, 16);
1537 /* the part ends with 0x09, 0x0d, 0x0a */
1538 ptr = end_part + 1;
1539 add_flash_partition(entries, max_entries, name, base, size);
1540 continue;
1541 }
1542 }
1543 }
1544
1545 return 0;
1546 }
1547
1548 static void write_partition(
1549 FILE *input_file,
1550 size_t firmware_offset,
1551 struct flash_partition_entry *entry,
1552 FILE *output_file)
1553 {
1554 char buf[4096];
1555 size_t offset;
1556
1557 fseek(input_file, entry->base + firmware_offset, SEEK_SET);
1558
1559 for (offset = 0; sizeof(buf) + offset <= entry->size; offset += sizeof(buf)) {
1560 if (fread(buf, sizeof(buf), 1, input_file) < 0)
1561 error(1, errno, "Can not read partition from input_file");
1562
1563 if (fwrite(buf, sizeof(buf), 1, output_file) < 0)
1564 error(1, errno, "Can not write partition to output_file");
1565 }
1566 /* write last chunk smaller than buffer */
1567 if (offset < entry->size) {
1568 offset = entry->size - offset;
1569 if (fread(buf, offset, 1, input_file) < 0)
1570 error(1, errno, "Can not read partition from input_file");
1571 if (fwrite(buf, offset, 1, output_file) < 0)
1572 error(1, errno, "Can not write partition to output_file");
1573 }
1574 }
1575
1576 static int extract_firmware_partition(FILE *input_file, size_t firmware_offset, struct flash_partition_entry *entry, const char *output_directory)
1577 {
1578 FILE *output_file;
1579 char output[PATH_MAX];
1580
1581 snprintf(output, PATH_MAX, "%s/%s", output_directory, entry->name);
1582 output_file = fopen(output, "wb+");
1583 if (output_file == NULL) {
1584 error(1, errno, "Can not open output file %s", output);
1585 }
1586
1587 write_partition(input_file, firmware_offset, entry, output_file);
1588
1589 fclose(output_file);
1590
1591 return 0;
1592 }
1593
1594 /** extract all partitions from the firmware file */
1595 static int extract_firmware(const char *input, const char *output_directory)
1596 {
1597 struct flash_partition_entry entries[16] = { 0 };
1598 size_t max_entries = 16;
1599 size_t firmware_offset = 0x1014;
1600 FILE *input_file;
1601
1602 struct stat statbuf;
1603
1604 /* check input file */
1605 if (stat(input, &statbuf)) {
1606 error(1, errno, "Can not read input firmware %s", input);
1607 }
1608
1609 /* check if output directory exists */
1610 if (stat(output_directory, &statbuf)) {
1611 error(1, errno, "Failed to stat output directory %s", output_directory);
1612 }
1613
1614 if ((statbuf.st_mode & S_IFMT) != S_IFDIR) {
1615 error(1, errno, "Given output directory is not a directory %s", output_directory);
1616 }
1617
1618 input_file = fopen(input, "rb");
1619
1620 if (read_partition_table(input_file, firmware_offset, entries, 16, 0) != 0) {
1621 error(1, 0, "Error can not read the partition table (fwup-ptn)");
1622 }
1623
1624 for (int i = 0; i < max_entries; i++) {
1625 if (entries[i].name == NULL &&
1626 entries[i].base == 0 &&
1627 entries[i].size == 0)
1628 continue;
1629
1630 extract_firmware_partition(input_file, firmware_offset, &entries[i], output_directory);
1631 }
1632
1633 return 0;
1634 }
1635
1636 static struct flash_partition_entry *find_partition(
1637 struct flash_partition_entry *entries, size_t max_entries,
1638 const char *name, const char *error_msg)
1639 {
1640 for (int i = 0; i < max_entries; i++, entries++) {
1641 if (strcmp(entries->name, name) == 0)
1642 return entries;
1643 }
1644
1645 error(1, 0, "%s", error_msg);
1646 return NULL;
1647 }
1648
1649 static void write_ff(FILE *output_file, size_t size)
1650 {
1651 char buf[4096];
1652 int offset;
1653
1654 memset(buf, 0xff, sizeof(buf));
1655
1656 for (offset = 0; offset + sizeof(buf) < size ; offset += sizeof(buf)) {
1657 if (fwrite(buf, sizeof(buf), 1, output_file) < 0)
1658 error(1, errno, "Can not write 0xff to output_file");
1659 }
1660
1661 /* write last chunk smaller than buffer */
1662 if (offset < size) {
1663 offset = size - offset;
1664 if (fwrite(buf, offset, 1, output_file) < 0)
1665 error(1, errno, "Can not write partition to output_file");
1666 }
1667 }
1668
1669 static void convert_firmware(const char *input, const char *output)
1670 {
1671 struct flash_partition_entry fwup[MAX_PARTITIONS] = { 0 };
1672 struct flash_partition_entry flash[MAX_PARTITIONS] = { 0 };
1673 struct flash_partition_entry *fwup_os_image = NULL, *fwup_file_system = NULL;
1674 struct flash_partition_entry *flash_os_image = NULL, *flash_file_system = NULL;
1675 struct flash_partition_entry *fwup_partition_table = NULL;
1676 size_t firmware_offset = 0x1014;
1677 FILE *input_file, *output_file;
1678
1679 struct stat statbuf;
1680
1681 /* check input file */
1682 if (stat(input, &statbuf)) {
1683 error(1, errno, "Can not read input firmware %s", input);
1684 }
1685
1686 input_file = fopen(input, "rb");
1687 if (!input_file)
1688 error(1, 0, "Can not open input firmware %s", input);
1689
1690 output_file = fopen(output, "wb");
1691 if (!output_file)
1692 error(1, 0, "Can not open output firmware %s", output);
1693
1694 if (read_partition_table(input_file, firmware_offset, fwup, MAX_PARTITIONS, 0) != 0) {
1695 error(1, 0, "Error can not read the partition table (fwup-ptn)");
1696 }
1697
1698 fwup_os_image = find_partition(fwup, MAX_PARTITIONS,
1699 "os-image", "Error can not find os-image partition (fwup)");
1700 fwup_file_system = find_partition(fwup, MAX_PARTITIONS,
1701 "file-system", "Error can not find file-system partition (fwup)");
1702 fwup_partition_table = find_partition(fwup, MAX_PARTITIONS,
1703 "partition-table", "Error can not find partition-table partition");
1704
1705 /* the flash partition table has a 0x00000004 magic haeder */
1706 if (read_partition_table(input_file, firmware_offset + fwup_partition_table->base + 4, flash, MAX_PARTITIONS, 1) != 0)
1707 error(1, 0, "Error can not read the partition table (flash)");
1708
1709 flash_os_image = find_partition(flash, MAX_PARTITIONS,
1710 "os-image", "Error can not find os-image partition (flash)");
1711 flash_file_system = find_partition(flash, MAX_PARTITIONS,
1712 "file-system", "Error can not find file-system partition (flash)");
1713
1714 /* write os_image to 0x0 */
1715 write_partition(input_file, firmware_offset, fwup_os_image, output_file);
1716 write_ff(output_file, flash_os_image->size - fwup_os_image->size);
1717
1718 /* write file-system behind os_image */
1719 fseek(output_file, flash_file_system->base - flash_os_image->base, SEEK_SET);
1720 write_partition(input_file, firmware_offset, fwup_file_system, output_file);
1721 write_ff(output_file, flash_file_system->size - fwup_file_system->size);
1722
1723 fclose(output_file);
1724 fclose(input_file);
1725 }
1726
1727 int main(int argc, char *argv[]) {
1728 const char *board = NULL, *kernel_image = NULL, *rootfs_image = NULL, *output = NULL;
1729 const char *extract_image = NULL, *output_directory = NULL, *convert_image = NULL;
1730 bool add_jffs2_eof = false, sysupgrade = false;
1731 unsigned rev = 0;
1732 const struct device_info *info;
1733 set_source_date_epoch();
1734
1735 while (true) {
1736 int c;
1737
1738 c = getopt(argc, argv, "B:k:r:o:V:jSh:x:d:z:");
1739 if (c == -1)
1740 break;
1741
1742 switch (c) {
1743 case 'B':
1744 board = optarg;
1745 break;
1746
1747 case 'k':
1748 kernel_image = optarg;
1749 break;
1750
1751 case 'r':
1752 rootfs_image = optarg;
1753 break;
1754
1755 case 'o':
1756 output = optarg;
1757 break;
1758
1759 case 'V':
1760 sscanf(optarg, "r%u", &rev);
1761 break;
1762
1763 case 'j':
1764 add_jffs2_eof = true;
1765 break;
1766
1767 case 'S':
1768 sysupgrade = true;
1769 break;
1770
1771 case 'h':
1772 usage(argv[0]);
1773 return 0;
1774
1775 case 'd':
1776 output_directory = optarg;
1777 break;
1778
1779 case 'x':
1780 extract_image = optarg;
1781 break;
1782
1783 case 'z':
1784 convert_image = optarg;
1785 break;
1786
1787 default:
1788 usage(argv[0]);
1789 return 1;
1790 }
1791 }
1792
1793 if (extract_image || output_directory) {
1794 if (!extract_image)
1795 error(1, 0, "No factory/oem image given via -x <file>. Output directory is only valid with -x");
1796 if (!output_directory)
1797 error(1, 0, "Can not extract an image without output directory. Use -d <dir>");
1798 extract_firmware(extract_image, output_directory);
1799 } else if (convert_image) {
1800 if (!output)
1801 error(1, 0, "Can not convert a factory/oem image into sysupgrade image without output file. Use -o <file>");
1802 convert_firmware(convert_image, output);
1803 } else {
1804 if (!board)
1805 error(1, 0, "no board has been specified");
1806 if (!kernel_image)
1807 error(1, 0, "no kernel image has been specified");
1808 if (!rootfs_image)
1809 error(1, 0, "no rootfs image has been specified");
1810 if (!output)
1811 error(1, 0, "no output filename has been specified");
1812
1813 info = find_board(board);
1814
1815 if (info == NULL)
1816 error(1, 0, "unsupported board %s", board);
1817
1818 build_image(output, kernel_image, rootfs_image, rev, add_jffs2_eof, sysupgrade, info);
1819 }
1820
1821 return 0;
1822 }
lynxis staging tree