[PATCH] tplink-safeloader: add TP-Link Deco S4 v2 support

Nick French nickfrench at gmail.com
Sun Aug 14 04:59:13 PDT 2022


On Sun, Aug 14, 2022 at 08:04:01AM +0200, Sander Vanheule wrote:
> Hi,
> 
> On Sat, 2022-08-13 at 13:51 -0500, Nick French wrote:
> > Support creating images for TP-Link Deco S4R v2.
> > 
> > Original partition layout from OEM image:
> >  partition fs-uboot base 0x00000 size 0x80000
> >  partition product-info base 0x80000 size 0x05000
> >  partition default-mac base 0x85000 size 0x01000
> >  partition device-id base 0x86000 size 0x01000
> >  partition support-list base 0x87000 size 0x10000
> >  partition user-config base 0xa7000 size 0x10000
> >  partition device-config base 0xb7000 size 0x10000
> >  partition group-info base 0xc7000 size 0x10000
> >  partition partition-table base 0xd7000 size 0x02000
> >  partition soft-version base 0xd9000 size 0x10000
> >  partition profile base 0xe9000 size 0x10000
> >  partition default-config base 0xf9000 size 0x10000
> >  partition url-sig base 0x1e0000 size 0x10000
> >  partition radio base 0x1f0000 size 0x10000
> >  partition os-image base 0x200000 size 0x200000
> >  partition file-system base 0x400000 size 0xc00000
> > 
> > The 'os-image' and 'file-system' partitions were merged into 'firmware'
> > to make use of the automatic mtd split.
> > 
> > Signed-off-by: Nick French <nickfrench at gmail.com>
> > ---
> >  src/tplink-safeloader.c | 43 +++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 43 insertions(+)
> > 
> > diff --git a/src/tplink-safeloader.c b/src/tplink-safeloader.c
> > index 7a31ac2..7f9081d 100644
> > --- a/src/tplink-safeloader.c
> > +++ b/src/tplink-safeloader.c
> > @@ -1577,6 +1577,49 @@ static struct device_info boards[] = {
> >                 .last_sysupgrade_partition = "file-system",
> >         },
> >  
> > +       /** Firmware layout for the Deco S4 v2 */
> > +       {
> > +               .id     = "DECO-S4-V2",
> > +               .vendor = "",
> > +               .support_list =
> > +                       "SupportList:\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:5553000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:4555000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:4341000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:4A50000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:4155000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:1.0.0,special_id:4B52000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:5553000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:4555000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:4341000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:4A50000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:4155000
> > 0}\n"
> > +                       "{product_name:S4,product_ver:2.0.0,special_id:4B52000
> > 0}\n",
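Review bot: The support_list for "DECO-S4-V2" carries six product_ver:1.0.0 entries alongside the six product_ver:2.0.0 ones, so an image built from this entry also declares itself compatible with hardware that reports version 1.0.0. If the list is copied as-is from the OEM image and that is intended, say so in the comment above the entry or in the commit message; if v1 hardware differs, drop the 1.0.0 lines. The naming also needs to be made consistent: the subject and the code comment say "Deco S4 v2" while the commit message body says "Deco S4R v2". Finally, .vendor is set to an empty string without explanation; a short note on why no vendor string is needed would help.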
> 
> Looking at the FW images that can be downloaded from TP-Link's website, the
> support-list partition appears to be a binary blob instead of a plaintext table.
> Any idea what's going on here?
> 
> Best,
> Sander
> 

Yes, the firmware implements an encryption scheme for several
of the config partitions.

Decryption was reverse engineered and a tool was submitted separately
via GitHub: https://github.com/openwrt/openwrt/pull/10445
(tools: deco-decrypt: add package to decrypt Deco S4 config)

As an example use of the tool, you can run it on the firmware file
directly such as:

$ deco_decrypt S4_1.5.1.bin $((0x1014 + 0x1000)) $((0x2d1))
SupportList:
{product_name:S4,product_ver:1.0.0,special_id:55530000}
{product_name:S4,product_ver:1.0.0,special_id:45550000}
{product_name:S4,product_ver:1.0.0,special_id:43410000}
{product_name:S4,product_ver:1.0.0,special_id:4A500000}
{product_name:S4,product_ver:1.0.0,special_id:41550000}
{product_name:S4,product_ver:1.0.0,special_id:4B520000}
{product_name:S4,product_ver:2.0.0,special_id:55530000}
{product_name:S4,product_ver:2.0.0,special_id:45550000}
{product_name:S4,product_ver:2.0.0,special_id:43410000}
{product_name:S4,product_ver:2.0.0,special_id:4A500000}
{product_name:S4,product_ver:2.0.0,special_id:41550000}
{product_name:S4,product_ver:2.0.0,special_id:4B520000}

- Nick

> > +               .part_trail = 0x00,
> > +               .soft_ver = SOFT_VER_DEFAULT,
> > +
> > +               .partitions = {
> > +                       {"fs-uboot", 0x00000, 0x80000},
> > +                       {"product-info", 0x80000, 0x05000},
> > +                       {"default-mac", 0x85000, 0x01000},
> > +                       {"device-id", 0x86000, 0x01000},
> > +                       {"support-list", 0x87000, 0x10000},
> > +                       {"user-config", 0xa7000, 0x10000},
> > +                       {"device-config", 0xb7000, 0x10000},
> > +                       {"group-info", 0xc7000, 0x10000},
> > +                       {"partition-table", 0xd7000, 0x02000},
> > +                       {"soft-version", 0xd9000, 0x10000},
> > +                       {"profile", 0xe9000, 0x10000},
> > +                       {"default-config", 0xf9000, 0x10000},
> > +                       {"url-sig", 0x1e0000, 0x10000},
> > +                       {"radio", 0x1f0000, 0x10000},
> > +                       {"firmware", 0x200000, 0xe00000},
> > +                       {NULL, 0, 0}
> > +               },
> > +               .first_sysupgrade_partition = "os-image",
> > +               .last_sysupgrade_partition = "file-system",
> > +       },
> > +
> >         /** Firmware layout for the EAP120 */
> >         {
> >                 .id     = "EAP120",
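Review bot: The .partitions table leaves two flash ranges unassigned, and nothing in the entry says this is deliberate. "support-list" ends at 0x97000 but "user-config" starts at 0xa7000, and "default-config" ends at 0x109000 but "url-sig" starts at 0x1e0000. Both gaps match the OEM layout quoted in the commit message, so a one-line comment in the table stating that they are inherited from the OEM layout would keep a later edit from closing them by mistake. In the same comment it would help to note that .first_sysupgrade_partition = "os-image" and .last_sysupgrade_partition = "file-system" refer to the two OEM partitions that this table merges into "firmware", since neither name appears in the table itself.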
> 


