routerbootpart: hard_config partition can be larger than a single block on MikroTik devices

Thibaut hacks at slashdirt.org
Fri Apr 30 23:07:39 BST 2021


Hi Baptiste,

> On 30 Apr 2021, at 23:05, Baptiste Jonglez <baptiste at bitsofnetworks.org> wrote:
> 
> Hi Thibaut,
> 
> I was debugging why OpenWrt could not find the radio calibration data on
> one of my hAP-ac2 devices: the /sys/firmware/mikrotik/hard_config/wlan_data/
> directory is created but stays empty.
> 
> It turns out that the compressed data does not fit in a single block
> (i.e. 4 KB), and the hard_config partition spans two blocks.  However, the
> routerbootpart parser assumes that this partition only spans a single block.
> 
> As a result, the rb_hardconfig driver tries to parse the compressed blob,
> sees that it extends beyond the (wrongly assumed) boundary of the
> hard_config partition, and aborts here:
> 
>    /* Caller ensure tlen > 0. tofs is aligned */
>    if ((tofs + tlen) > hc_buflen)
>                return -EIO;
> 
> Here, hc_buflen is 4096 (the wrongly assumed size of the hard_config
> partition), while the offset is 0x144 and the length of the blob is 0x0fbc.
> As a result, tofs + tlen = 4352 and the check fails.
> 
> Here is the mtd mapping as computed by the kernel:
> 
> [    0.746135] spi-nor spi0.0: w25q128jv (16384 Kbytes)
> [    0.746199] 3 fixed-partitions partitions found on MTD device spi0.0
> [    0.751062] Creating 3 MTD partitions on "spi0.0":
> [    0.757427] 0x000000000000-0x000000080000 : "Qualcomm"
> [    0.763004] 0x000000080000-0x000000100000 : "RouterBoot"
> [    0.772971] 3 routerbootpart partitions found on MTD device RouterBoot
> [    0.773003] Creating 3 MTD partitions on "RouterBoot":
> [    0.778977] 0x00000000e000-0x00000000f000 : "hard_config"
> [    0.784993] 0x000000010000-0x000000017bbc : "dtb_config"
> [    0.790390] 0x00000003d000-0x00000003e000 : "soft_config"
> [    0.795860] 0x000000100000-0x000001000000 : "firmware"
> 
> The hard_config partition should actually span 0x00000000e000-0x000000010000 in this case.

Thanks for the thorough forensics.

> Do you see a clean way to support this without breaking support for other
> boards?  Do you think we can determine this size from somewhere else in
> the flash, or should I just set "size = <0x2000>" in the DTS and hope that
> it's valid for all hap-ac2 boards?

No, please don't. I can already tell you that this is not the case.

My hap-ac2 has a 4K hard_config, and from my understanding so do the ones that were tested in PR#3037, like every other MikroTik board known at the time the driver was last updated. Of course it was only a matter of time before MikroTik pulled that rug from under our feet.

Can you provide me with a dump of the Routerboot partition?

I’ll take a look at what can be "sanely" done.

Thanks,
Thibaut
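
Added example, not part of the original messages or of the OpenWrt driver: the size arithmetic from the report above, run over the three RouterBoot sub-partition lines quoted from the kernel log. The function names are hypothetical, and the blob length is taken as 0xfbc, which matches the stated sum of 4352.

```python
import re

# RouterBoot sub-partition lines copied from the kernel log quoted above.
RB_LOG = '''\
[    0.778977] 0x00000000e000-0x00000000f000 : "hard_config"
[    0.784993] 0x000000010000-0x000000017bbc : "dtb_config"
[    0.790390] 0x00000003d000-0x00000003e000 : "soft_config"
'''

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')


def parse_partitions(log):
    """Return [(name, start, end)] sorted by start; end is exclusive."""
    parts = [(m.group(3), int(m.group(1), 16), int(m.group(2), 16))
             for m in PART_RE.finditer(log)]
    return sorted(parts, key=lambda p: p[1])


def blob_report(log, name, tofs, tlen):
    """Compare a blob at (tofs, tlen) with the partition size the parser chose."""
    parts = parse_partitions(log)
    idx = next(i for i, p in enumerate(parts) if p[0] == name)
    _, start, end = parts[idx]
    size = end - start                  # what the driver sees as hc_buflen
    blob_end = tofs + tlen              # same sum as the driver's check
    # Distance to the next sub-partition: an upper bound on how far this
    # partition could extend, not proof of its real size on a given board.
    nxt = parts[idx + 1][1] if idx + 1 < len(parts) else None
    room = None if nxt is None else nxt - start
    return {
        "size": size,
        "blob_end": blob_end,
        "overrun": max(0, blob_end - size),
        "room": room,
        "fits_in_room": room is not None and blob_end <= room,
    }


if __name__ == "__main__":
    r = blob_report(RB_LOG, "hard_config", 0x144, 0xFBC)
    print(f"assumed size {r['size']:#x}, blob ends at {r['blob_end']:#x}, "
          f"overrun {r['overrun']} bytes, room to next partition {r['room']:#x}")
```

The room figure only bounds what a parser could safely map; as the reply notes, other hAP-ac2 boards have a 4K hard_config, so it is not a value to hard-code.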