Some Russian d-link routers require that their firmware be signed with a
salted md5 checksum followed by the bytes 0x00 0xc0 0xff 0xee. This tool
signs factory images the OEM's firmware accepts them.
Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
Because some padding values in the TP-Link safeloader image generation
were hardcoded, different values were sometimes used throughout a
factory image. TP-Link's upgrade images use the same value everywhere,
so let's do the same here.
Although a lot of TP-Link's safeloader images have padded partition
payloads, images for the EAP-series of AC devices don't. This padding is
therefore also made optional.
By replacing the type of the padding value byte with a wider datatype,
new values outside of the previously valid range become available. Use
these new values to denote that padding should not be performed.
Because char might be signed, also replace the char literals by a
numeric literal. Otherwise '\xff' might be sign extended to 0xffff.
This results in factory images differing by 1 byte for:
* C2600
* ARCHER-C5-V2
* ARCHERC9
* TLWA850REV2
* TLWA855REV1
* TL-WPA8630P-V2-EU
* TL-WPA8630P-V2-INT
* TL-WPA8630P-V2.1-EU
* TLWR1043NDV4
* TL-WR902AC-V1
* TLWR942NV1
* RE200-V2
* RE200-V3
* RE220-V2
* RE305-V1
* RE350-V1
* RE350K-V1
* RE355
* RE450
* RE450-V2
* RE450-V3
* RE500-V1
* RE650-V1
The following factory images no longer have padding, shrinking the
factory images by a few bytes for:
* EAP225-OUTDOOR-V1
* EAP225-V3
* EAP225-WALL-V2
* EAP245-V1
* EAP245-V3
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link safeloader firmware images contain a number of (small)
partitions with information about the device. These consist of:
* The data length as a 32-bit integer
* A 32-bit zero padding
* The partition data, with its length set in the first field
The OpenWrt factory image partitions that follow this structure are
soft-version, support-list, and extra-para. Refactor the code to put all
common logic into one allocation call, and let the rest of the data be
filled in by the original functions.
Due to the extra-para changes, this patch results in factory images that
change by 2 bytes (not counting the checksum) for three devices:
* ARCHER-A7-V5
* ARCHER-C7-V4
* ARCHER-C7-V5
These were the devices where the extra-para blob didn't match the common
format. The hardcoded data also didn't correspond to TP-Link's (recent)
upgrade images, which actually matches the meta-partition format.
A padding byte is also added to the extra-para partition for EAP245-V3.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
this patch fixes/improves follows:
- PATTERN_LEN is defined as a macro but unused
- redundant logic in count-up for "ptn"
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This adds support for the TP-Link TL-WPA8630P (EU) in its v2.1
version. The only unique aspect for the firmware compared to v2
layout is the partition layout.
Note that while the EU version has different partitioning for
v2.0 and v2.1, the v2.1 (AU) is supported by the v2-int image.
If you plan to use this device, make sure you have a look at
the Wiki page to check whether the device is supported and
which image needs to be taken.
Specifications
--------------
- QCA9563 750MHz, 2.4GHz WiFi
- QCA9888 5GHz WiFi
- 8MiB SPI Flash
- 128MiB RAM
- 3 GBit Ports (QCA8337)
- PLC (QCA7550)
Installation
------------
Installation is possible from the OEM web interface. Make sure to
install the latest OEM firmware first, so that the PLC firmware is
at the latest version. However, please also check the Wiki page
for hints according to altered partitioning between OEM firmware
revisions.
Notes
-----
The OEM firmware has 0x620000 to 0x680000 unassigned, so we leave
this empty as well. It is complicated enough already ...
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
[improve partitions, use v2 DTSI, add entry in 02_network, rewrite
and extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The kernel has become too big again for the ar9344-based TP-Link
CPE/WBS devices which still have no firmware-partition splitter.
Current buildbots produce a kernel size of about 2469 kiB, while
the partition is only 2048 kiB (0x200000). Therefore, increase it
to 0x300000 to provide enough room for this and, hopefully, the
next kernel.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
By using localtime() to determine the timestamp that goes into factory
images, the resulting image depends on the timezone of the build system.
Use gmtime() instead, which results in more reproducible images.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
There is no versioning information in the firmware-utils code nor the
Makefile. Consider it as first release by adding PKG_RELEASE.
Motivation is the tracking of changes in the buildsystem, which requires
versioning of packages.
Also update copyright.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Add GPT support to ptgen, so we can generate EFI bootable images.
Introduced two options:
-g generate GPT partition table
-G GUID use GUID for disk and increase last bit for all partitions
We drop The alternate partition table to reduce size, This may cause
problems when generate vmdk images or vdi images. We have to pad enough
sectors when generate these images.
Signed-off-by: 李国 <uxgood.org@gmail.com>
[fixed compilation on macOS]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
src/mkfwimage.c:276:8: error: format '%lld' expects argument of type 'long long int', but argument 4 has type '__off_t' {aka 'const long int'} [-Werror=format=]
src/fw.h:71:36: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__off_t' {aka 'long int'} [-Werror=format=]
inlined from 'main' at src/mkfwimage.c:543:12:
/string_fortified.h:106:10: error: '__builtin_strncpy' output truncated before terminating nul copying 4 bytes from a string of the same length [-Werror=stringop-truncation]
inlined from 'write_part' at src/mkfwimage.c:235:2,
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:477:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:496:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:481:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:485:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]
Runtested on ath79 and UBNT Bullet M XW.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Extended mksenaofw to support new "capwap" header structure.
This supports flashing from factory 3.0.0, 3.0.1, 3.1.0 and 3.5.5
firmware.
Note that the factory image format changes for 3.1 and later firmware,
and that the 3.1.0 and 3.5.5 Engenius firmware will refuse the
factory_30.bin file. Similarly, the 3.0.0 and 3.0.1 Engenius firmware
will refuse the factory_35.bin file.
Flashing from the Engenius 3.1.0 firmware with the factory_35.bin
firmware has not been tested, as 3.1.0 firmware (Engenius "middleFW")
is only intended as part of the upgrade path to 3.5.5 firmware.
Modified ipq40xx image Makefile to appropriately invoke mksenaofw
with new parameters to configure the capwap header.
Note that there is currently no method to return to factory firmware,
so this is a one-way street.
Path from factory 3.0.0 and 3.0.1 (EnGenius) software to OpenWrt is
to navigate to 192.168.1.1 on the stock firmware and navigate to the
firmware menu. Then copy the URL you have for that page, something like
http://192.168.1.1/cgi-bin/luci/;stok=12345abcdef/admin/system/flashops
and replace the trailing /admin/system/flashops with just /easyflashops
You should then be presented with a simple "Firmware Upgrade" page.
On that page, BE SURE TO CLEAR the "Keep Settings:" checkbox.
Choose the openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_30.bin,
click "Upgrade" and on the following page select "Proceed".
Path from factory 3.5.5 (EnGenius) software to OpenWrt is simply to
use the stock firmware update menu. Choose the
openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_35.bin and click
"Upload" and "Proceed".
The device should then flash the OpenWrt firmware and reboot. Note
that this resets the device to a default configuration with Wi-Fi
disabled, LAN1/PoE acting as a WAN port (running DHCP client) and LAN2
acting as a LAN port with a DHCP server on 192.168.1.x (AP is at
192.168.1.1)
Signed-off-by: Steve Glennon <s.glennon@cablelabs.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[sorry, for unfixing the 80-lines eyesores.]
This patch enable gnu99 mode for the nec-enc utility which
fixes the following build-breaking errors on some older
architectures.
nec-enc.c: In function ‘xor_data’:
nec-enc.c:34:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < len; i++) {
^~~
nec-enc.c:34:2: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
nec-enc.c: In function ‘main’:
nec-enc.c:101:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < n; i++) {
^~~
Spotted-By: Buildbot
Fixes: fac27643f0 ("firmware-utils: add nec-enc")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
nec-enc provides firmware encoding/decoding with model specific key
for NEC devices.
known devices:
- Aterm WF1200CR
- Aterm WG1200CR
- Aterm WG2600HS
usage:
nec-enc -i infile -o outfile -k key
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[checkpatch fixes, marked usage as noreturn, added static function,
moved buf* from stack to the global data segment]
Move the zip compression into a build recipe. Pad the image using the
existing build recipes as well to remove duplicate functionality
Change the code to append header and footer in two steps. Allow to use a
fixed filename as the netgear update image does.
Use a fixed timestamp within the zip archive to make the images
reproducible.
Due to the changes we are now compatible to the gnu89 c standard used by
default on the buildbots and we don't need to force a more recent
standard anymore.
Beside all changes, the footer still looks wrong in compare to the
netgear update image.
Signed-off-by: Mathias Kresin <dev@kresin.me>
While we don't need the gnu99 option anymore, we still need to force the
c99 standard to fix the following build error on the build bots:
src/mkdlinkfw.c: In function 'find_auh_headers':
src/mkdlinkfw.c:267:3: error: 'for' loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < header_counter; i++) {
^
src/mkdlinkfw.c:267:3: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
Signed-off-by: Mathias Kresin <dev@kresin.me>
Drop unused function and macros. With the cleanup the gnu extension
typeof isn't used any longer and the gnu99 compile flag can be dropped.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Drop the factory images and the firmware tool to create them. They don't
work any more, since the factory image has an uImage header covering the
whole kernel + rootfs. This way the uImage splitter will not be able to
find the rootfs and the kernel will panic later on.
The factory images were most likely added at a time the board had
distinct partitions for kernel and rootfs.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The current make-ras.sh image generation script for the ZyXEL NBG6617
has portability issues with bash. Because of this, factory images are
currently not built correctly by the OpenWRT buildbots.
This commit replaces the make-ras.sh by C-written mkrasimage.
The new mkrasimage is also compatible with other ZyXEL devices using
the ras image-format.
This is not tested with the NBG6616 but it correctly builds the
header for ZyXEL factory image.
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds a tool to generate a firmware file accepted
by Netgear or sercomm devices.
They use a zip-packed rootfs with header and a custom
checksum. The generated Image can be flashed via the
nmrpflash tool or the webinterface of the router.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
This tool is used to create headers on images for the
D-Link DNS-313 in gemini target.
Will be used after switching gemini to 4.14 kernel.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
It can be a replacement for the trx tool. The advantage is that otrx
doesn't alloc buffer for the whole TRX which can be a nice optimization
when creating big images.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
This patch carves out the duplicated code of mktplinfw.c and
mktplinkfw2.c and moves it to mktplinkfw-lib.c
This change is a semantic NOP (the code is unchanged).
To ensure compatibility with gcc-5.x and newer without changing
the code, -fgnu89-inline is added to the build flags for these
two binaries.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
As we can now use combined mode in "mktplinkfw" tool to generate the
same header/image, this tool is no longer needed.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.
While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.
Signed-off-by: Mathias Kresin <dev@kresin.me>
some of Buffalo DHP series use slightly different trx magic, buffalo-enc,
buffalo-tag, and factory image begin with 'bgn'.
this patch adds support for building those images.
Signed-off-by: FUKAUMI Naoki <naobsd@gmail.com>
The firmware image that is used in TP-Link RE450 (and some more devices from
the RE series) is tplink-safeloader.
In the kernel partition, the kernel is compressed in a regular tp-link
firmware that is just used for booting. Since it is only used for compressing
and booting, only four fields are filled in the header:
Vendor, version, kernel load address and kernel entry point.
mktplinkfw-kernel is a simpler version of mktpolinkfw that generate such
images. It also specifies the hardware id (as it is in the product info
section), so when doing a sysupgrade - the existing code will check for
hardware compatibility.
Signed-off-by: Tal Keren <kooolk@gmail.com>
[rd@radekdostal.com: add build target to .../image/tp-link.mk]
Signed-off-by: Radek Dostál <rd@radekdostal.com>
Remove the whole board list from mktplinkfw, as OpenWrt doesn't use it and
it was severely out of sync with the list of built images for ar71xx.
Also:
* fix -Wall warnings
* add const where appropriate
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 49214
This tool creates factory images for JCG routers.
Details can be found in the header comment of jcgimage.c.
Signed-off-by: Reinhard Max <reinhard@m4x.de>
Reviewed-by: Torsten Duwe <duwe@lst.de>
SVN-Revision: 48888
It has an important feature (compared to seama) of using multiple input
files, aligning them and padding zeroes until reaching a specified
absolute offset. This is needed for a proper flash layout on NAND. We
want kernel partition to be big enough to handle future updates without
a need to resize it and wipe whole "ubi" partition. It's important as
we don't want to lose block counters.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 48601
The new TP-LINK Pharos series uses a new bootloader, the "TP-LINK Safeloader".
It uses an advanced firmware image format, containing an image partition table
and a flash partition table (and image partitions are mapped to the
corresponding flash partitions). The exact image format is documented in the
source code.
Furthermore, the bootloader expects the kernel image as an ELF executable.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 43384
This patch adds factory image building for the DGN3500, all variants,
and fixes sysupgrade images to make them play nice with the sercomm
secondary boot loader.
The factory images can be used directly in the update dialog in the
interface of the stock firmware and via the special Sercomm bootmode
and a special windows flashing utility (allegedly present in the CD
that came with the device -- but it's also compatible with the NSLU2
Upgrade_207_XP utility.) The special bootmode can be activated by
turning the device on while holding the reset button pressed, then
releasing it when the power led starts blinking red and green. Please
notice that if using the 207 utility, it will always report that the
flashing failed even though it completed successfully. Just power
cycle the router manually after the utility reports the failure and
OpenWRT will boot. This same utility (despite reporting failure in
this case too) can revert a DGN3500 (any variant) to the appropriate
stock Netgear firmware.
This patch is a heavily modified version of a package I found on the
OpenWRT forum with a couple fixes and features added -- mainly the
generation of all the different image variants to support all known
models directly, atm known variants are AnnexA-WW, AnnexA-NA and
AnnexB-DE/GR.
I tested the patch successfully on my device.
Signed-off-by: Marco Antonio Mauro <marcus90@gmail.com>
SVN-Revision: 41236
Generates webflash-compatible images for a few RT2880 routers based
on Gemtek OEM boards.
Signed-off-by: Claudio Leite <leitec@staticky.com>
SVN-Revision: 40551
This commit adds the basic elements to support Poray brand routers.
It contains a tool to do the encryption/obfuscation that is used in
Poray routers.
Support for Poray devices was worked on by:
Felix Kaechele <heffer@fedoraproject.org>
Luis Soltero <lsoltero@globalmarinenet.com>
Michel Stempin <michel.stempin@wanadoo.fr>
Signed-off-by: Felix Kaechele <heffer@fedoraproject.org>
SVN-Revision: 37635
While the disadvantage is less available flash space, it's easy and
safe to flash without opening the device.
Going back to the original firmware is also possible.
This patch add two firmware utilities, mkbrncmdline and mkbrnboot.
mkbrncmdline patches the uncompressed kernel so the registeres a0 to
a3 are initialized and the memory size is passed in.
mkbrnboot takes the lzma compressed kernel and squashfs images and
creates a firmware image that can be flashed using the BRN-BOOT
recovery kernel, which is booted by holding both buttons when
powering up the device and will listen on http://192.168.2.1.
The firmware file from bin/lantiq/ to use is
openwrt-lantiq-danube-ARV4525PW-BRNDTW502-brnImage
The BRN-BOOT recovery kernel does size-check the image, so if it's
too big to fit into flash it will complain accordingly.
A second patch is needed to make the wired network interface work
since there is no u-boot to pre-initialise it.
Signed-off-by: Tobias Diedrich <ranma+openwrt@tdiedrich.de>
SVN-Revision: 30532
Add two helpers for generating correctly tagged images for the T-Home
Speedport W 303V Typ B as well as xor'd ones as required by CFE.
Signed-off-by: Jonas Gorski <jonas.gorski+openwrt@gmail.com>
SVN-Revision: 26877
This replaces the proprietary bcmImageBuilder program from the Broadcom source
drops. It basically adds a 256 bytes header in front of the kernel + rootfs
which contains a few text signatures, the locations of the data as well as the
checksums of the data and the tag. It also adds a 12 bytes header in front of
the LZMA kernel which contains the load address, kernel entry and the size of
the compressed LZMA data.
Signed-off-by: Axel Gembe <ago@bastart.eu.org>
SVN-Revision: 11170