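/*
 * imagetag.c
 *
 * Copyright (C) 2005 Mike Baker
 * Copyright (C) 2008 Felix Fietkau <nbd@nbd.name>
 * Copyright (C) 2010 Daniel Dickinson <openwrt@cshore.neomailbox.net>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <string.h>
#include <errno.h>

#include <sys/ioctl.h>
#include <mtd/mtd-user.h>

#include "mtd.h"
#include "crc32.h"

#define TAGVER_LEN 4                   /* Length of Tag Version */
#define TAGLAYOUT_LEN 4                /* Length of FlashLayoutVer */
#define SIG1_LEN 20                    /* Company Signature 1 Length */
#define SIG2_LEN 14                    /* Company Signature 2 Length */
#define BOARDID_LEN 16                 /* Length of BoardId */
#define ENDIANFLAG_LEN 2               /* Endian Flag Length */
#define CHIPID_LEN 6                   /* Chip Id Length */
#define IMAGE_LEN 10                   /* Length of Length Field */
#define ADDRESS_LEN 12                 /* Length of Address field */
#define DUALFLAG_LEN 2                 /* Dual Image flag Length */
#define INACTIVEFLAG_LEN 2             /* Inactive Flag Length */
#define RSASIG_LEN 20                  /* Length of RSA Signature in tag */
#define TAGINFO1_LEN 30                /* Length of vendor information field1 in tag */
#define FLASHLAYOUTVER_LEN 4           /* Length of Flash Layout Version String tag */
#define TAGINFO2_LEN 16                /* Length of vendor information field2 in tag */
#define ALTTAGINFO_LEN 54              /* Alternate length for vendor information; Pirelli */

#define NUM_PIRELLI 2
#define IMAGETAG_CRC_START 0xFFFFFFFF

#define PIRELLI_BOARDS { \
	"AGPF-S0", \
	"DWV-S0", \
}
/*
 * The broadcom firmware assumes the rootfs starts the image,
 * therefore uses the rootfs start (flash_image_address)
 * to determine where to flash the image.  Since we have the kernel first
 * we have to give it the kernel address, but the crc uses the length
 * associated with this address (root_length), which is added to the kernel
 * length (kernel_length) to determine the length of image to flash and thus
 * needs to be rootfs + deadcode (jffs2 EOF marker)
*/

/*
 * On-flash image tag (256 bytes).  The numeric fields stored as char
 * arrays are ASCII text in fixed-width slots and are not guaranteed to be
 * NUL-terminated, so they are parsed with strntoul() below.
 */
struct bcm_tag {
	/* 0-3: Version of the image tag */
	char tag_version[TAGVER_LEN];
	/* 4-23: Company Line 1 */
	char sig_1[SIG1_LEN];
	/* 24-37: Company Line 2 */
	char sig_2[SIG2_LEN];
	/* 38-43: Chip this image is for */
	char chip_id[CHIPID_LEN];
	/* 44-59: Board name */
	char board_id[BOARDID_LEN];
	/* 60-61: Map endianness -- 1 BE 0 LE */
	char big_endian[ENDIANFLAG_LEN];
	/* 62-71: Total length of image */
	char total_length[IMAGE_LEN];
	/* 72-83: Address in memory of CFE */
	char cfe__address[ADDRESS_LEN];
	/* 84-93: Size of CFE */
	char cfe_length[IMAGE_LEN];
	/* 94-105: Address in memory of image start
	 * (kernel for OpenWRT, rootfs for stock firmware)
	 */
	char flash_image_start[ADDRESS_LEN];
	/* 106-115: Size of rootfs */
	char root_length[IMAGE_LEN];
	/* 116-127: Address in memory of kernel */
	char kernel_address[ADDRESS_LEN];
	/* 128-137: Size of kernel */
	char kernel_length[IMAGE_LEN];
	/* 138-139: Unused at the moment */
	char dual_image[DUALFLAG_LEN];
	/* 140-141: Unused at the moment */
	char inactive_flag[INACTIVEFLAG_LEN];
	/* 142-161: RSA Signature (not used; some vendors may use this) */
	char rsa_signature[RSASIG_LEN];
	/* 162-191: Compilation and related information (not used in OpenWrt) */
	char information1[TAGINFO1_LEN];
	/* 192-195: Version flash layout */
	char flash_layout_ver[FLASHLAYOUTVER_LEN];
	/* 196-199: kernel+rootfs CRC32 */
	__u32 fskernel_crc;
	/* 200-215: Unused except on Alice Gate where it is information */
	char information2[TAGINFO2_LEN];
	/* 216-219: CRC32 of image less imagetag (kernel for Alice Gate) */
	__u32 image_crc;
	/* 220-223: CRC32 of rootfs partition */
	__u32 rootfs_crc;
	/* 224-227: CRC32 of kernel partition */
	__u32 kernel_crc;
	/* 228-231: Image sequence number */
	char image_sequence[4];
	/* 232-235: Openwrt: real rootfs length */
	__u32 real_rootfs_length;
	/* 236-239: CRC32 of header excluding last 20 bytes */
	__u32 header_crc;
	/* 240-255: Unused at present */
	char reserved2[16];
};
ssize_t pread(int fd, void *buf, size_t count, off_t offset);
ssize_t pwrite(int fd, const void *buf, size_t count, off_t offset);

#define CRC_START 0xFFFFFFFF

/*
 * Read a 32-bit tag field without assuming the tag is 4-byte aligned.
 * The tag may live at an arbitrary offset inside a caller-supplied byte
 * buffer, so a plain uint32_t load through a cast is avoided.
 */
static uint32_t tag_get_u32(const void *field)
{
	uint32_t value;

	memcpy(&value, field, sizeof(value));
	return value;
}

/*
 * Parse an unsigned number from a fixed-width field of at most len bytes
 * that may lack a terminating NUL.
 *
 * str:    start of the field
 * endptr: if non-NULL, receives a pointer into str just past the last
 *         character consumed (str itself when nothing was parsed or the
 *         scratch allocation failed)
 * base:   numeric base, as for strtoul()
 * len:    width of the field in bytes
 *
 * Returns the parsed value truncated to 32 bits, or 0 when the scratch
 * copy cannot be allocated.
 */
static uint32_t strntoul(const char *str, char **endptr, int base, size_t len) {
	char *newstr;
	char *end = NULL;
	uint32_t res = 0;

	/* Never hand back a pointer into the scratch copy, which is freed below. */
	if (endptr)
		*endptr = (char *) str;

	newstr = calloc(len + 1, sizeof(char));
	if (newstr) {
		/* calloc() zeroed len + 1 bytes, so the copy is always terminated. */
		strncpy(newstr, str, len);
		res = strtoul(newstr, &end, base);
		if (endptr)
			*endptr = (char *) str + (end - newstr);
		free(newstr);
	}
	return res;
}

/*
 * Fold compute_len bytes of fd, starting at byte offset start, into crc.
 *
 * A descriptor value of 0 is treated as "no descriptor" and leaves crc
 * unchanged.  If a read fails or hits end-of-file early, the CRC of the
 * bytes obtained so far is returned; callers compare the result with a
 * stored CRC, so a short read surfaces as a mismatch instead of a
 * negative length being handed to crc32() or an endless loop.
 */
uint32_t compute_crc32(uint32_t crc, off_t start, size_t compute_len, int fd)
{
	uint8_t readbuf[1024];
	ssize_t res;
	off_t offset = start;

	while (fd && (compute_len > 0)) {
		/* Read a buffer's worth of bytes, or whatever is left */
		size_t want = compute_len < sizeof(readbuf) ? compute_len : sizeof(readbuf);

		res = pread(fd, readbuf, want, offset);
		if (res <= 0)
			break;

		crc = crc32(crc, readbuf, res);
		compute_len = compute_len - res;
		offset += res;
	}

	return crc;
}

/*
 * Rewrite the imagetag at the start of the MTD partition so that it
 * describes a kernel-only image: root_length becomes "0", total_length
 * is copied from kernel_length and the CRC fields are recomputed.
 *
 * fd:   descriptor used for the MEMGETINFO ioctl and for reading the
 *       header when verifying its CRC
 * name: partition name handed to mtd_open() to obtain the mapping
 *
 * Returns 0 on success and -1 on a setup failure.  A non-zero CFE length
 * or a header CRC mismatch terminates the process with exit(1).
 */
int
trx_fixup(int fd, const char *name)
{
	struct mtd_info_user mtdInfo;
	unsigned long len;
	void *ptr;
	int bfd;
	struct bcm_tag *tag;
	uint32_t cfelen, rootfscrc, headercrc;
	uint32_t offset = 0;

	if (ioctl(fd, MEMGETINFO, &mtdInfo) < 0) {
		fprintf(stderr, "Failed to get mtd info\n");
		goto err;
	}

	len = mtdInfo.size;
	/* The mapping must at least cover the header that is parsed below. */
	if (len < sizeof(struct bcm_tag)) {
		fprintf(stderr, "Invalid MTD device size\n");
		goto err;
	}

	/*
	 * NOTE(review): assumes mtd_open() signals failure with a negative
	 * descriptor, as mtd_check_open() does for its callers in this file;
	 * confirm against mtd.h.
	 */
	bfd = mtd_open(name, true);
	if (bfd < 0) {
		fprintf(stderr, "Could not open mtd device: %s\n", name);
		goto err;
	}

	ptr = mmap(NULL, len, PROT_READ|PROT_WRITE, MAP_SHARED, bfd, 0);
	if (!ptr || (ptr == MAP_FAILED)) {
		perror("mmap");
		goto err1;
	}

	tag = (struct bcm_tag *) (ptr);

	cfelen = strntoul(&tag->cfe_length[0], NULL, 10, IMAGE_LEN);
	if (cfelen) {
		fprintf(stderr, "Non-zero CFE length. This is currently unsupported.\n");
		exit(1);
	}

	/* Refuse to modify anything that does not carry a valid tag CRC. */
	headercrc = compute_crc32(CRC_START, offset, offsetof(struct bcm_tag, header_crc), fd);
	if (headercrc != tag_get_u32(&tag->header_crc)) {
		fprintf(stderr, "Tag verify failed. This may not be a valid image.\n");
		exit(1);
	}

	snprintf(&tag->root_length[0], IMAGE_LEN, "%u", 0U);
	/* Fixed-width field copy: strncpy() zero-pads, no terminator is required. */
	strncpy(&tag->total_length[0], &tag->kernel_length[0], IMAGE_LEN);

	memcpy(&tag->image_crc, &tag->kernel_crc, sizeof(uint32_t));
	memcpy(&tag->fskernel_crc, &tag->kernel_crc, sizeof(uint32_t));
	rootfscrc = CRC_START;
	memcpy(&tag->rootfs_crc, &rootfscrc, sizeof(uint32_t));
	headercrc = crc32(CRC_START, tag, offsetof(struct bcm_tag, header_crc));
	memcpy(&tag->header_crc, &headercrc, sizeof(uint32_t));

	/* Report, but do not fail on, a sync error so the return value is unchanged. */
	if (msync(ptr, sizeof(struct bcm_tag), MS_SYNC|MS_INVALIDATE) < 0)
		perror("msync");
	munmap(ptr, len);
	close(bfd);
	return 0;

err1:
	close(bfd);
err:
	fprintf(stderr, "Error fixing up imagetag header\n");
	return -1;
}


/*
 * Sanity-check an image file before it is written to the "linux"
 * partition.
 *
 * imagefd: descriptor of the image; sizeof(struct bcm_tag) bytes are read
 * mtd:     target partition name; anything other than "linux" is accepted
 *          without inspection
 * buf:     receives the header; the caller must provide at least
 *          sizeof(struct bcm_tag) bytes
 * len:     receives the result of read()
 *
 * Returns 1 when the image may be flashed and 0 when it is rejected.
 * Exits the process if the MTD device cannot be opened.
 *
 * The header CRC32 only detects corruption or a wrong file format.  It is
 * not a cryptographic check and the rsa_signature field is not verified
 * here, so a passing result says nothing about the origin of the image;
 * authenticity has to be established before this tool is invoked.
 */
int
trx_check(int imagefd, const char *mtd, char *buf, int *len)
{
	const struct bcm_tag *tag = (const struct bcm_tag *) buf;
	int fd;
	uint32_t headerCRC;
	uint32_t storedCRC;
	uint32_t imageLen;

	if (strcmp(mtd, "linux") != 0)
		return 1;

	*len = read(imagefd, buf, sizeof(struct bcm_tag));
	/*
	 * Test for a failed read explicitly: comparing -1 with a size_t
	 * converts it to a huge unsigned value and would let the error pass.
	 */
	if (*len < 0 || (size_t) *len < sizeof(struct bcm_tag)) {
		fprintf(stdout, "Could not get image header, file too small (%d bytes)\n", *len);
		return 0;
	}
	headerCRC = crc32buf(buf, offsetof(struct bcm_tag, header_crc));
	storedCRC = tag_get_u32(&tag->header_crc);
	if (storedCRC != headerCRC) {

		if (quiet < 2) {
			fprintf(stderr, "Bad header CRC got %08x, calculated %08x\n",
				storedCRC, headerCRC);
			fprintf(stderr, "This is not the correct file format; refusing to flash.\n"
					"Please specify the correct file or use -f to force.\n");
		}
		return 0;
	}

	/* check if image fits to mtd device */
	fd = mtd_check_open(mtd);
	if(fd < 0) {
		fprintf(stderr, "Could not open mtd device: %s\n", mtd);
		exit(1);
	}

	imageLen = strntoul(&tag->total_length[0], NULL, 10, IMAGE_LEN);

	if(mtdsize < imageLen) {
		fprintf(stderr, "Image too big for partition: %s\n", mtd);
		close(fd);
		return 0;
	}

	close(fd);
	return 1;
}

/*
 * Fix up the imagetag stored at byte offset `offset` of partition `mtd`
 * so that it describes a kernel-only image, then erase and rewrite the
 * erase block that contains it.
 *
 * mtd:       partition name
 * offset:    byte offset of the imagetag inside the partition
 * data_size: not supported for imagetag; a non-zero value only produces
 *            a warning
 *
 * Returns 0 when the header was fixed or was already fixed.  Every
 * failure terminates the process with exit(1).
 *
 * The block is erased before it is rewritten, so an interruption between
 * the two steps leaves the block without a tag.
 */
int
mtd_fixtrx(const char *mtd, size_t offset, size_t data_size)
{
	int fd;
	struct bcm_tag *tag;
	char *buf;
	ssize_t res;
	size_t block_offset;
	uint32_t cfelen, rootfslen, rootfscrc, headercrc;

	if (data_size)
		fprintf(stderr, "Specifying data size in unsupported for imagetag\n");

	if (quiet < 2)
		fprintf(stderr, "Trying to fix trx header in %s at 0x%x...\n", mtd, (unsigned int) offset);

	fd = mtd_check_open(mtd);
	if(fd < 0) {
		fprintf(stderr, "Could not open mtd device: %s\n", mtd);
		exit(1);
	}

	/*
	 * Split the offset only after the device is open.
	 * NOTE(review): erasesize and mtdsize are declared outside this file
	 * and are presumably filled in by mtd_check_open(); confirm in mtd.c.
	 */
	block_offset = offset & ~(erasesize - 1);
	offset -= block_offset;

	if (block_offset + erasesize > mtdsize) {
		fprintf(stderr, "Offset too large, device size 0x%x\n", (unsigned int) mtdsize);
		exit(1);
	}

	/*
	 * Only one erase block is buffered, so the whole tag has to lie inside
	 * it; otherwise the header accesses below would run past buf.
	 */
	if ((size_t) erasesize < sizeof(struct bcm_tag) ||
	    offset > (size_t) erasesize - sizeof(struct bcm_tag)) {
		fprintf(stderr, "Imagetag would cross the erase block boundary\n");
		exit(1);
	}

	buf = malloc(erasesize);
	if (!buf) {
		perror("malloc");
		exit(1);
	}

	res = pread(fd, buf, erasesize, block_offset);
	if (res != erasesize) {
		perror("pread");
		exit(1);
	}

	tag = (struct bcm_tag *) (buf + offset);

	cfelen = strntoul(tag->cfe_length, NULL, 10, IMAGE_LEN);
	if (cfelen) {
		fprintf(stderr, "Non-zero CFE length. This is currently unsupported.\n");
		exit(1);
	}

	if (quiet < 2) {
		fprintf(stderr, "Verifying we actually have an imagetag.\n");
	}

	/*
	 * Verify the bytes that were just read and are about to be modified.
	 * Re-reading the device at the in-block offset alone would check the
	 * wrong location whenever block_offset is non-zero.
	 */
	headercrc = crc32(CRC_START, tag, offsetof(struct bcm_tag, header_crc));
	if (headercrc != tag_get_u32(&tag->header_crc)) {
		fprintf(stderr, "Tag verify failed. This may not be a valid image.\n");
		exit(1);
	}

	if (quiet < 2) {
		fprintf(stderr, "Checking current fixed status.\n");
	}

	rootfslen = strntoul(&tag->root_length[0], NULL, 10, IMAGE_LEN);
	if (rootfslen == 0) {
		if (quiet < 2)
			fprintf(stderr, "Header already fixed, exiting\n");
		free(buf);
		close(fd);
		return 0;
	}

	if (quiet < 2) {
		fprintf(stderr, "Setting root length to 0.\n");
	}

	snprintf(&tag->root_length[0], IMAGE_LEN, "%u", 0U);
	/* Fixed-width field copy: strncpy() zero-pads, no terminator is required. */
	strncpy(&tag->total_length[0], &tag->kernel_length[0], IMAGE_LEN);

	if (quiet < 2) {
		fprintf(stderr, "Recalculating CRCs.\n");
	}

	memcpy(&tag->image_crc, &tag->kernel_crc, sizeof(uint32_t));
	memcpy(&tag->fskernel_crc, &tag->kernel_crc, sizeof(uint32_t));
	rootfscrc = CRC_START;
	memcpy(&tag->rootfs_crc, &rootfscrc, sizeof(uint32_t));
	headercrc = crc32(CRC_START, tag, offsetof(struct bcm_tag, header_crc));
	memcpy(&tag->header_crc, &headercrc, sizeof(uint32_t));

	if (quiet < 2) {
		fprintf(stderr, "Erasing imagetag block\n");
	}

	if (mtd_erase_block(fd, block_offset)) {
		fprintf(stderr, "Can't erase block at 0x%x (%s)\n", (unsigned int) block_offset, strerror(errno));
		exit(1);
	}

	if (quiet < 2) {
		fprintf(stderr, "New image crc32: 0x%x, rewriting block\n",
			tag_get_u32(&tag->image_crc));
		fprintf(stderr, "New header crc32: 0x%x, rewriting block\n", headercrc);
	}

	if (pwrite(fd, buf, erasesize, block_offset) != erasesize) {
		fprintf(stderr, "Error writing block (%s)\n", strerror(errno));
		exit(1);
	}

	if (quiet < 2)
		fprintf(stderr, "Done.\n");

	free(buf);
	close (fd);
	sync();
	return 0;

}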