[OpenWrt-Devel] [PATCH 1/6] ramips: Add a tool to create JCG factory images
John Crispin
blogic at openwrt.org
Thu Mar 3 15:14:59 EST 2016
On 03/03/2016 21:13, John Crispin wrote:
> Hi,
>
> comments inline ...
>
the other patches look good so just resend this one please, i'll leave
the others inside patchwork
John
> On 03/03/2016 16:49, reinhard at m4x.de wrote:
>> From: Reinhard Max <reinhard at m4x.de>
>>
>> This tool creates factory images for JCG routers.
>> Details can be found in the header comment of jcgimage.c.
>>
>> Signed-off-by: Reinhard Max <reinhard at m4x.de>
>> Reviewed-by: Torsten Duwe <duwe at lst.de>
>> ---
>> tools/firmware-utils/Makefile | 1 +
>> tools/firmware-utils/src/jcgimage.c | 392 ++++++++++++++++++++++++++++++++++++
>> 2 files changed, 393 insertions(+)
>> create mode 100644 tools/firmware-utils/src/jcgimage.c
>>
>> diff --git a/tools/firmware-utils/Makefile b/tools/firmware-utils/Makefile
>> index 2573d8c..ec814b0 100644
>> --- a/tools/firmware-utils/Makefile
>> +++ b/tools/firmware-utils/Makefile
>> @@ -75,6 +75,7 @@ define Host/Compile
>> $(call cc,dgn3500sum)
>> $(call cc,edimax_fw_header, -Wall)
>> $(call cc,mkmerakifw sha1, -Wall)
>> + $(call cc,jcgimage, -lz -Wall)
>> endef
>>
>> define Host/Install
>> diff --git a/tools/firmware-utils/src/jcgimage.c b/tools/firmware-utils/src/jcgimage.c
>> new file mode 100644
>> index 0000000..c98b0b5
>> --- /dev/null
>> +++ b/tools/firmware-utils/src/jcgimage.c
>> @@ -0,0 +1,392 @@
>> +/*
>> + * jcgimage - Create a JCG firmware image
>> + *
>> + * Copyright (C) 2015 Reinhard Max <reinhard at m4x.de>
>> + *
>> + * This program is free software; you can redistribute it and/or
>> + * modify it under the terms of the GNU General Public License
>> + * as published by the Free Software Foundation; either version 2
>> + * of the License, or (at your option) any later version.
>> + *
>> + * This program is distributed in the hope that it will be useful,
>> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
>> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>> + * GNU General Public License for more details.
>> + *
>> + * You should have received a copy of the GNU General Public License
>> + * along with this program; if not, write to the Free Software
>> + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
>> + *
>> + */
>> +
>> +/*
>> + * JCG firmware update images consist of a 512 byte header and a
>> + * modified uImage (details below) as the payload.
>> + *
>> + * The payload is obfuscated by XORing it with a key that is generated
>> + * from parts of the header. Fortunately only non-essential parts of
>> + * the header are used for this and zeroing them results in a zero
>> + * key, effectively disabling the obfuscation and allowing us to use
>> + * clear text payloads.
>> + *
>> + * The mandatory parts of the header are:
>> + *
>> + * - A magic string of "YSZJ" at offset 0.
>> + * - A value of 1 at offset 39 (header format version?)
>> + * - A CRC32 checksum of the payload at offset 504.
>> + * - A CRC32 checksum of the header at offset 508.
>> + *
>> + * An image constructed by these rules will be accepted by JCG's
>> + * U-Boot in resuce mode via TFTP and the payload will be written to
>> + * the flash starting at offset 0x00050000.
>> + *
>> + * JCG's U-Boot does check the content or size of the payload
>> + * image. If it is too large, it wraps around and overwrites U-Boot,
>> + * requiring JTAG to revive the board. To prevent such bricking from
>> + * happening, this tool refuses to build such overlong images.
>> + *
>> + * Two more conditions have to be met for a JCG image to be accepted
>> + * as a valid update by the web interface of the stock firware:
>> + *
>> + * - The bytes at offsets 109 and 111 in the header must be a binary
>> + * representation of the first two components of the firmware
>> + * version as displayed in the update web form, or it will be
>> + * rejected as "incorrect product".
>> + *
>> + * - The payload must start with a valid uImage header whose data
>> + * CRC checksum matches the whole rest of the update file rather
>> + * than just the number of bytes specified in the size field of the
>> + * header.
>> + *
>> + * This last condition is met by JCG's original firmware images,
>> + * because they have both, kernel and rootfs inside the uImage and
>> + * abuse the last four bytes of the name field to record the offset of
>> + * the file system from the start of the uImage header. This tool
>> + * produces such images when called with -k and -r, which are meant to
>> + * repack the original firmware after modifying the file systen,
>> + * e.g. to add debugging tools and enable shell access.
>> + *
>> + * In contrast, OpenWrt sysupgrade images consist of a uImage that
>> + * only contains the kernel and has the rootfs appended to it. Hence,
>> + * the CRC over kernel and file system does not match the one in the
>> + * uImage header. Fixing this by adjusting the uImage header is not
>> + * possible, because it makes the uImage unusable for booting. Instead
>> + * we append four "patch" bytes to the end of the file system, that
>> + * are calculated to force the checksum of kernel+fs to be the same as
>> + * for the kernel alone.
>> + *
>> + */
>> +
>> +#include <zlib.h>
>> +#include <stdio.h>
>> +#include <string.h>
>> +#include <sys/types.h>
>> +#include <sys/stat.h>
>> +#include <fcntl.h>
>> +#include <unistd.h>
>> +#include <libgen.h>
>> +#include <stdlib.h>
>> +#include <errno.h>
>> +#include <err.h>
>> +#include <time.h>
>> +#include <sys/mman.h>
>> +#include <arpa/inet.h>
>> +#include <assert.h>
>> +
>> +/*
>> + * JCG Firmware image header
>> + */
>> +#define JH_MAGIC 0x59535a4a /* "YSZJ" */
>> +struct jcg_header {
>> + uint32_t jh_magic;
>> + uint8_t jh_version[32]; /* Firmware version string. Fill with
>> +
>
> ^^^ there are spaces. now this breaks down to personal philosophy so
> i'll cheat and say that we try to stick to the kernel coding style which
> expects tabs and not spaces.
>
> please change it to use tabs an resend the patch
>
> John
>
> zeros to avoid encryption */
>> + uint32_t jh_type; /* must be 1 */
>> + uint8_t jh_info[64]; /* Firmware info string. Fill with
>> + zeros to avoid encryption */
>> + uint32_t jh_time; /* Image creation time in seconds since
>> + * the Epoch. Does not seem to be used
>> + * by the stock firmware. */
>> + uint16_t jh_major; /* Major fimware version */
>> + uint16_t jh_minor; /* Minor fimrmware version */
>> + uint8_t jh_unknown[392]; /* Apparently unused and all zeros */
>> + uint32_t jh_dcrc; /* CRC checksum of the payload */
>> + uint32_t jh_hcrc; /* CRC checksum of the header */
>> +};
>> +
>> +/*
>> + * JCG uses a modified uImage header that replaces the last four bytes
>> + * of the image name with the length of the kernel in the image.
>> + */
>> +#define IH_MAGIC 0x27051956 /* Image Magic Number */
>> +#define IH_NMLEN 28 /* Image Name Length */
>> +
>> +struct uimage_header {
>> + uint32_t ih_magic; /* Image Header Magic Number */
>> + uint32_t ih_hcrc; /* Image Header CRC Checksum */
>> + uint32_t ih_time; /* Image Creation Timestamp */
>> + uint32_t ih_size; /* Image Data Size */
>> + uint32_t ih_load; /* Data Load Address */
>> + uint32_t ih_ep; /* Entry Point Address */
>> + uint32_t ih_dcrc; /* Image Data CRC Checksum */
>> + uint8_t ih_os; /* Operating System */
>> + uint8_t ih_arch; /* CPU architecture */
>> + uint8_t ih_type; /* Image Type */
>> + uint8_t ih_comp; /* Compression Type */
>> + uint8_t ih_name[IH_NMLEN];/* Image Name */
>> + uint32_t ih_fsoff; /* Offset of the file system partition */
>> +};
>> +
>> +/*
>> + * Open the named file and return its size and file descriptor.
>> + * Exit in case of errors.
>> + */
>> +int
>> +opensize(char *name, size_t *size)
>> +{
>> + struct stat s;
>> + int fd = open(name, O_RDONLY);
>> + if (fd < 0) {
>> + err(1, "cannot open \"%s\"", name);
>> + }
>> + if (fstat(fd, &s) == -1) {
>> + err(1, "cannot stat \"%s\"", name);
>> + }
>> + *size = s.st_size;
>> + return fd;
>> +}
>> +
>> +/*
>> + * Write the JCG header
>> + */
>> +void
>> +mkjcgheader(struct jcg_header *h, size_t psize, char *version)
>> +{
>> + uLong crc;
>> + uint16_t major = 0, minor = 0;
>> + void *payload = (void *)h + sizeof(*h);
>> +
>> + if (version != NULL) {
>> + if (sscanf(version, "%hu.%hu", &major, &minor) != 2) {
>> + err(1, "cannot parse version \"%s\"", version);
>> + }
>> + }
>> +
>> + memset(h, 0, sizeof(*h));
>> + h->jh_magic = htonl(JH_MAGIC);
>> + h->jh_type = htonl(1);
>> + h->jh_time = htonl(time(NULL));
>> + h->jh_major = htons(major);
>> + h->jh_minor = htons(minor);
>> +
>> + /* CRC over JCG payload (uImage) */
>> + crc = crc32(0L, Z_NULL, 0);
>> + crc = crc32(crc, payload, psize);
>> + h->jh_dcrc = htonl(crc);
>> +
>> + /* CRC over JCG header */
>> + crc = crc32(0L, Z_NULL, 0);
>> + crc = crc32(crc, (void *)h, sizeof(*h));
>> + h->jh_hcrc = htonl(crc);
>> +}
>> +
>> +/*
>> + * Write the uImage header
>> + */
>> +void
>> +mkuheader(struct uimage_header *h, size_t ksize, size_t fsize)
>> +{
>> + uLong crc;
>> + void *payload = (void *)h + sizeof(*h);
>> +
>> + // printf("mkuheader: %p, %zd, %zd\n", h, ksize, fsize);
>> + memset(h, 0, sizeof(*h));
>> + h->ih_magic = htonl(IH_MAGIC);
>> + h->ih_time = htonl(time(NULL));
>> + h->ih_size = htonl(ksize + fsize);
>> + h->ih_load = htonl(0x80000000);
>> + h->ih_ep = htonl(0x80292000);
>> + h->ih_os = 0x05;
>> + h->ih_arch = 0x05;
>> + h->ih_type = 0x02;
>> + h->ih_comp = 0x03;
>> + h->ih_fsoff = htonl(sizeof(*h) + ksize);
>> + strcpy((char *)h->ih_name, "Linux Kernel Image");
>> +
>> + /* CRC over uImage payload (kernel and file system) */
>> + crc = crc32(0L, Z_NULL, 0);
>> + crc = crc32(crc, payload, ntohl(h->ih_size));
>> + h->ih_dcrc = htonl(crc);
>> + printf("CRC1: %08lx\n", crc);
>> +
>> + /* CRC over uImage header */
>> + crc = crc32(0L, Z_NULL, 0);
>> + crc = crc32(crc, (void *)h, sizeof(*h));
>> + h->ih_hcrc = htonl(crc);
>> + printf("CRC2: %08lx\n", crc);
>> +}
>> +
>> +/*
>> + * Calculate a "patch" value and write it into the last four bytes of
>> + * buf, so that the CRC32 checksum of the whole buffer is dcrc.
>> + *
>> + * Based on: SAR-PR-2006-05: Reversing CRC – Theory and Practice.
>> + * Martin Stigge, Henryk Plötz, Wolf Müller, Jens-Peter Redlich.
>> + * http://sar.informatik.hu-berlin.de/research/publications/#SAR-PR-2006-05
>> + */
>> +void
>> +craftcrc(uint32_t dcrc, uint8_t *buf, size_t len)
>> +{
>> + int i;
>> + uint32_t a;
>> + uint32_t patch = 0;
>> + uint32_t crc = crc32(0L, Z_NULL, 0);
>> +
>> + a = ~dcrc;
>> + for (i = 0; i < 32; i++) {
>> + if (patch & 1) {
>> + patch = (patch >> 1) ^ 0xedb88320L;
>> + } else {
>> + patch >>= 1;
>> + }
>> + if (a & 1) {
>> + patch ^= 0x5b358fd3L;
>> + }
>> + a >>= 1;
>> + }
>> + patch ^= ~crc32(crc, buf, len - 4);
>> + for (i = 0; i < 4; i++) {
>> + buf[len - 4 + i] = patch & 0xff;
>> + patch >>= 8;
>> + }
>> + /* Verify that we actually get the desired result */
>> + crc = crc32(0L, Z_NULL, 0);
>> + crc = crc32(crc, buf, len);
>> + if (crc != dcrc) {
>> + errx(1, "CRC patching is broken: wanted %08x, but got %08x.", dcrc, crc);
>> + }
>> +}
>> +
>> +void
>> +usage() {
>> + fprintf(stderr, "Usage:\n"
>> + " jcgimage -o outputfile -u uImage [-v version]\n"
>> + " jcgimage -o outputfile -k kernel -f rootfs [-v version]\n");
>> + exit(1);
>> +}
>> +
>> +#define MODE_UNKNOWN 0
>> +#define MODE_UIMAGE 1
>> +#define MODE_KR 2
>> +
>> +/* The output image must not be larger than 4MiB - 5*64kiB */
>> +#define MAXSIZE (size_t)(4 * 1024 * 1024 - 5 * 64 * 1024)
>> +
>> +int
>> +main(int argc, char **argv)
>> +{
>> + struct jcg_header *jh;
>> + struct uimage_header *uh;
>> + int c;
>> + char *imagefile = NULL;
>> + char *file1 = NULL;
>> + char *file2 = NULL;
>> + char *version = NULL;
>> + int mode = MODE_UNKNOWN;
>> + int fdo, fd1, fd2;
>> + size_t size1, size2, sizeu, sizeo, off1, off2;
>> + void *map;
>> +
>> + /* Make sure the headers have the right size */
>> + assert(sizeof(struct jcg_header) == 512);
>> + assert(sizeof(struct uimage_header) == 64);
>> +
>> + while ((c = getopt(argc, argv, "o:k:f:u:v:h")) != -1) {
>> + switch (c) {
>> + case 'o':
>> + imagefile = optarg;
>> + break;
>> + case 'k':
>> + if (mode == MODE_UIMAGE)
>> + errx(1,"-k cannot be combined with -u");
>> + mode = MODE_KR;
>> + file1 = optarg;
>> + break;
>> + case 'f':
>> + if (mode == MODE_UIMAGE)
>> + errx(1,"-f cannot be combined with -u");
>> + mode = MODE_KR;
>> + file2 = optarg;
>> + break;
>> + case 'u':
>> + if (mode == MODE_KR)
>> + errx(1,"-u cannot be combined with -k and -r");
>> + mode = MODE_UIMAGE;
>> + file1 = optarg;
>> + break;
>> + case 'v':
>> + version = optarg;
>> + break;
>> + case 'h':
>> + default:
>> + usage();
>> + }
>> + }
>> + if (optind != argc) {
>> + errx(1, "illegal arg \"%s\"", argv[optind]);
>> + }
>> + if (imagefile == NULL) {
>> + errx(1, "no output file specified");
>> + }
>> + if (mode == MODE_UNKNOWN)
>> + errx(1, "specify either -u or -k and -r");
>> + if (mode == MODE_KR) {
>> + if (file1 == NULL || file2 == NULL)
>> + errx(1,"need -k and -r");
>> + fd2 = opensize(file2, &size2);
>> + }
>> + fd1 = opensize(file1, &size1);
>> + if (mode == MODE_UIMAGE) {
>> + off1 = sizeof(*jh);
>> + sizeu = size1 + 4;
>> + sizeo = sizeof(*jh) + sizeu;
>> + } else {
>> + off1 = sizeof(*jh) + sizeof(*uh);
>> + off2 = sizeof(*jh) + sizeof(*uh) + size1;
>> + sizeu = sizeof(*uh) + size1 + size2;
>> + sizeo = sizeof(*jh) + sizeu;
>> + }
>> +
>> + if (sizeo > MAXSIZE)
>> + errx(1,"payload too large: %zd > %zd\n", sizeo, MAXSIZE);
>> +
>> + fdo = open(imagefile, O_RDWR | O_CREAT | O_TRUNC, 00644);
>> + if (fdo < 0)
>> + err(1, "cannot open \"%s\"", imagefile);
>> +
>> + if (ftruncate(fdo, sizeo) == -1) {
>> + err(1, "cannot grow \"%s\" to %zd bytes", imagefile, sizeo);
>> + }
>> + map = mmap(NULL, sizeo, PROT_READ|PROT_WRITE, MAP_SHARED, fdo, 0);
>> + uh = map + sizeof(*jh);
>> + if (map == MAP_FAILED) {
>> + err(1, "cannot mmap \"%s\"", imagefile);
>> + }
>> +
>> + if (read(fd1, map + off1, size1) != size1)
>> + err(1, "cannot copy %s", file1);
>> +
>> + if (mode == MODE_KR) {
>> + if (read(fd2, map+off2, size2) != size2)
>> + err(1, "cannot copy %s", file2);
>> + mkuheader(uh, size1, size2);
>> + } else if (mode == MODE_UIMAGE) {
>> + craftcrc(ntohl(uh->ih_dcrc), (void*)uh + sizeof(*uh),
>> + sizeu - sizeof(*uh));
>> + }
>> + mkjcgheader(map, sizeu, version);
>> + munmap(map, sizeo);
>> + close(fdo);
>> + return 0;
>> +}
>> +
>>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list