NSLU2-Linux

Changing a byte anywhere in the cybertan_rom_bin data area causes the following error when the modified file is uploaded:

 digest not correct
 validate module[1] error

Changing any of the bytes at 0x30, 0x90 or 0x110 (the first byte of each of the three blocks below whose contents differ between firmware versions) causes the following error instead:

 digest error

The tftpd binary that accepts the upload contains strings like "rc4_crypt" and "rc4_setup", so we think those three blocks are digests covering the u-boot image files (and perhaps the whole firmware upgrade file). RC4 is a stream cipher rather than a hash, so a plausible reading is that each block is a hash of the covered data (16 bytes is the size of an MD5 output) stored RC4-encrypted under a key embedded in the firmware; which hash and which key are used has not been determined. The 16-bit sums at the end of the 0x80 and 0x100 blocks and the CRCs in the u-boot headers are trivially recomputed, so these digest blocks are the only thing that stops a modified image from being accepted, and anyone who recovers the key from the firmware can forge them.

The upgrade firmware binary file for the WRP400 has the following format. Wherever two dumps of the same offsets are shown, the first is from version 1.00.04.c and the second from version 1.00.06:

  • WRP400 FiRmWaRe header
 00000000: 5752 5034 3030 2020 4669 526d 5761 5265  WRP400  FiRmWaRe
 00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................

 This is a magic string (zero-padded to 0x30 bytes) denoting a WRP400 encapsulated firmware image. It is the same in both firmware versions.

 00000030: 4a8e c363 a34f 5e9b 85df c6be f77e 3790  J..c.O^......~7.
 00000040: ee42 39e6 0afb 2b68 2672 441b e0d2 546e  .B9...+h&rD...Tn

 00000030: 1ad5 5e56 99e5 8594 fb83 b607 708a 153d  ..^V........p..=
 00000040: 783d 17df 8756 05f1 5cbd db19 791d 150a  x=...V..\...y...

 32 bytes that differ between the two versions: the first of the three blocks whose modification triggers "digest error".

 00000050: 0000 0080 0000 0080                      ........

 The same in both versions, and probably the load and entry addresses. Note that read big-endian each word is 0x00000080 (little-endian 0x80000000), which does not match the 0x00008000 load address in the u-boot headers below, so the meaning is not settled.

 00000058: 0054 f114                                .T..
 00000058: 0055 87d4                                .U..

 This is the total length of the upgrade file, header included, as a big-endian 32-bit value: 0x0054f114 = 5566740 bytes for 1.00.04.c, which is exactly 0x1927bc + 0x3bc958, the offset and size of the last encapsulated image.

 0000005c: 312e 3030 2e30 342e 6300                 1.00.04.c.
 0000005c: 312e 3030 2e30 3600                      1.00.06...

 This is the firmware version number in the respective versions.

 00000066:                0000 0000 0000 0000 0000        ..........
 00000070: 0000 0000 0000 0000 0000 0000 0000 0002  ................

 Zero padding up to offset 0x7f; the 0x02 at 0x7f may be the number of encapsulated images (there are two). This bit is the same in both firmware versions.

 00000080: 0000 0000 b8b4 d4ad 0300 0000 0000 0080  ................

 Unknown, but identical in both versions, so the four-byte value 0xb8b4d4ad cannot be a CRC or a length.

 00000090: ae50 b5a4 612b fb52 f1cc 86e9 679f d74c  .P..a+.R....g..L
 00000090: 45ff 5c6e eccf 6286 1577 ce29 1fee e46f  E.\n..b..w.)...o

 16 bytes that differ between the two versions: the second of the three blocks whose modification triggers "digest error".

 000000a0: 0019 253c 0000 0000 312e 3000 0000 0000  ..%<....1.0.....
 000000a0: 0019 25a4 0000 0000 312e 3000 0000 0000  ..%.....1.0.....

 0x0019253c and 0x001925a4 are the big-endian size of the cybertan_half_bin image (u-boot header plus data) for each version, and 1.0 looks like a version number.

 000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

 Zero padding, same in both versions.

 000000f0: 0000 0000 0000 0000 0000 0000 0000 0dfe  ................
 000000f0: 0000 0000 0000 0000 0000 0000 0000 0d75  ...............u

 The last two bytes are a simple big-endian 16-bit sum of this block's preceding bytes (0x80 to 0xfd). The zero padding contributes nothing, so it is just 0xb8+0xb4+0xd4+0xad+...+0x31+0x2e+0x30, which comes to 0x0dfe for 1.00.04.c and 0x0d75 for 1.00.06. This is a corruption check, not a security measure: anyone who edits the block can recompute it.

 00000100: 0000 0000 c6f4 b6af 0100 0000 0000 0080  ................

 Unknown, but identical in both versions, so the four-byte value 0xc6f4b6af cannot be a CRC or a length.

 00000110: 6fb0 a264 1f79 4cb0 4449 af85 a7ca b582  o..d.yL.DI......
 00000110: 3818 282b b9b1 18d1 385c 3f00 363a 77b7  8.(+....8\?.6:w.

 16 bytes that differ between the two versions: the third of the three blocks whose modification triggers "digest error".

 00000120: 003b c958 0000 0000 312e 3000 0000 0000  .;.X....1.0.....
 00000120: 003c 5fb0 0000 0000 312e 3000 0000 0000  .<_.....1.0.....

 0x003bc958 and 0x003c5fb0 are the big-endian size of the cybertan_rom_bin image (u-boot header plus data) for each version, and 1.0 looks like a version number.

 00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................

 Zero padding, same in both versions.

 00000170: 0000 0000 0000 0000 0000 0000 0000 0dad  ................
 00000170: 0000 0000 0000 0000 0000 0000 0000 0ae1  ................

 The last two bytes are again the big-endian 16-bit sum of this block's preceding bytes (0x100 to 0x17d): 0x0dad for 1.00.04.c and 0x0ae1 for 1.00.06.

 00000180: 0000 0000 b8b4 d4ad 0300 0000 0000 0080  ................
 00000190: ae50 b5a4 612b fb52 f1cc 86e9 679f d74c  .P..a+.R....g..L
 000001a0: 0019 253c 0000 0000 312e 3000 0000 0000  ..%<....1.0.....
 000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001f0: 0000 0000 0000 0000 0000 0000 0000 0dfe  ................

 00000180: 0000 0000 b8b4 d4ad 0300 0000 0000 0080  ................
 00000190: 45ff 5c6e eccf 6286 1577 ce29 1fee e46f  E.\n..b..w.)...o
 000001a0: 0019 25a4 0000 0000 312e 3000 0000 0000  ..%.....1.0.....
 000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
 000001f0: 0000 0000 0000 0000 0000 0000 0000 0d75  ...............u

 This is a duplicate of the block at 0x80 - 0xff (checksum included) in each of the firmware versions. We don't know why it is duplicated; perhaps this is where a language pack image header goes.
  • cybertan_half_bin u-boot multi-file image (0x19253c bytes long, at offset 0x200)
 dd if=./WRP400_v1.00.04.c_ETSI.bin of=cybertan_half_bin.img bs=1 skip=512 count=1647932

 00000200: 2705 1956 5d8b 1b41 473c fcf6 0019 24fc  '..V]..AG<....$.
 00000210: 0000 8000 0000 8000 1356 508c 0502 0400  .........VP.....
 00000220: 5747 544c 6379 6265 7274 616e 5f68 616c  WGTLcybertan_hal
 00000230: 665f 6269 6e00 0000 0000 0000 0000 0000  f_bin...........

 Image Name:   cybertan_half_bin
 Created:      Fri Nov 16 12:44:14 2007
 Image Type:   ARM Linux Multi-File Image (uncompressed)
 Data Size:    1647868 Bytes (0x1924fc)
 Load Address: 0x00008000
 Entry Point:  0x00008000

 00000240: 000d 54f0 000b d000 0000 0000            ..T.........

 Image 0 @ 0x0024c (   588):   873712 Bytes (0x0d54f0)

 dd if=./WRP400_v1.00.04.c_ETSI.bin of=half-kernel.bin bs=1 skip=588 count=873712

 0000024c:                               0000 a0e1              ....
 00000250: 0000 a0e1 0000 a0e1 0000 a0e1 0000 a0e1  ................

 The 0000 a0e1 words are little-endian 0xe1a00000 (mov r0, r0), the NOP padding at the head of an ARM zImage, so image 0 is the kernel.

 Image 1 @ 0xd573c (874300):   774144 Bytes (0x0bd000)

 dd if=./WRP400_v1.00.04.c_ETSI.bin of=half-rootfs.bin bs=1 skip=874300 count=774144

 000d573c:                               6873 7173              hsqs
 000d5740: 0f01 0000 0000 00f0 08a8 bfb5 d37e 0092  .............~..

 "hsqs" is the little-endian SquashFS superblock magic, so image 1 is a root filesystem image.
  • cybertan_rom_bin u-boot multi-file image (0x3bc958 bytes long, at offset 0x1927bc)
 dd if=./WRP400_v1.00.04.c_ETSI.bin of=cybertan_rom_bin.img bs=1 skip=1648572 count=3918168

 Note that cybertan_half_bin ends at 0x200 + 0x19253c = 0x19273c, but this image starts at 0x1927bc, so there are 0x80 bytes between the two images that neither dd command extracts. Their contents have not been examined here.

 001927bc:                               2705 1956              '..V
 001927c0: 9d5f eaba 4785 9c4e 003b c918 0000 8000  ._..G..N.;......
 001927d0: 0000 8000 195c c8f4 0502 0400 5747 544c  .....\......WGTL
 001927e0: 6379 6265 7274 616e 5f72 6f6d 5f62 696e  cybertan_rom_bin
 001927f0: 0000 0000 0000 0000 0000 0000            ............

 Image Name:   cybertan_rom_bin
 Created:      Thu Jan 10 14:47:18 2008
 Image Type:   ARM Linux Multi-File Image (uncompressed)
 Data Size:    3918104 Bytes (0x3bc918)
 Load Address: 0x00008000
 Entry Point:  0x00008000

 001927fc:                               000f 590c              ..Y.
 00192800: 002c 7000 0000 0000                      .,p.....

 Image 0 @ 0x192808 (1648648):  1005836 Bytes (0x0f590c)

 dd if=./WRP400_v1.00.04.c_ETSI.bin of=full-kernel.bin bs=1 skip=1648648 count=1005836

 00192808:                     0000 a0e1 0000 a0e1          ........
 00192810: 0000 a0e1 0000 a0e1 0000 a0e1 0000 a0e1  ................

 Image 1 @ 0x288114 (2654484):  2912256 Bytes (0x2c7000)

 dd if=./WRP400_v1.00.04.c_ETSI.bin of=full-rootfs.bin bs=1 skip=2654484 count=2912256

 00288114:           6873 7173 b002 0000 0000 00d0      hsqs........
 00288120: 09c8 bfb5 d37e 0092 6381 000f 8b04 08dc  .....~..c.......

Image header format (the standard u-boot image.h layout; every field is stored big-endian, and the stock definition has a single ih_name[32] where this vendor's images put a four-byte code pattern, "WGTL" in the dumps above, in front of a 28-byte name):

 #define IH_MAGIC        0x27051956      /* Image Magic Number           */
 #define IH_OS_LINUX             5       /* Linux        */
 #define IH_CPU_ARM              2       /* ARM          */
 #define IH_TYPE_MULTI           4       /* Multi-File Image             */
 #define IH_COMP_NONE            0       /*  No   Compression Used       */

 typedef struct image_header {
         unsigned int    ih_magic;       /* Image Header Magic Number    */
         unsigned int    ih_hcrc;        /* Image Header CRC Checksum    */
         unsigned int    ih_time;        /* Image Creation Timestamp     */
         unsigned int    ih_size;        /* Image Data Size              */
         unsigned int    ih_load;        /* Data  Load  Address          */
         unsigned int    ih_ep;          /* Entry Point Address          */
         unsigned int    ih_dcrc;        /* Image Data CRC Checksum      */
         unsigned char   ih_os;          /* Operating System             */
         unsigned char   ih_arch;        /* CPU architecture             */
         unsigned char   ih_type;        /* Image Type                   */
         unsigned char   ih_comp;        /* Compression Type             */
         unsigned char   ih_codepattern[4];        /* Image Code Pattern */
         unsigned char   ih_name[28];              /* Image Name         */
 } image_header_t;

Multi-File Images start with a list of image sizes, each image size (in bytes) specified by an uint32_t in network byte order. This list is terminated by an (uint32_t)0. Immediately after the terminating 0 follow the images, one by one, all aligned on uint32_t boundaries (size rounded up to a multiple of 4 bytes).
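The following is an added example, not code from the WRP400 firmware or the NSLU2-Linux project, that implements in C the two checks described above: the 16-bit block sums at the end of the 0x80 and 0x100 blocks, and a parser for the u-boot multi-file header and its size list that derives the sub-image offsets used in the dd commands, verifies ih_hcrc with the standard CRC-32, and confirms the size list fills ih_size. The sample bytes are transcribed from the 1.00.04.c dumps; the function and struct names (wrp400_sum16, parse_uimage_multi, uimage_multi, sample_parsed) are our own.

```c
/* wrp400_hdr.c: checks for the WRP400 wrapper blocks and the U-Boot multi-file header above.
 * Added example, not code from the firmware or the NSLU2-Linux project: the sample bytes are
 * transcribed from the 1.00.04.c dump and the function names are our own.  cc -std=c99 -Wall */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Every multi-byte field in the wrapper header and in the uImage header is big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The 0x80-byte per-image blocks at 0x80 and 0x100 end in a 16-bit big-endian sum of their
 * first 0x7e bytes: a corruption check only, trivially recomputed after editing the block. */
uint16_t wrp400_sum16(const uint8_t *blk) {
    uint32_t s = 0;
    for (size_t i = 0; i < 0x7e; i++) s += blk[i];
    return (uint16_t)s;
}
int wrp400_block_ok(const uint8_t *blk) { return wrp400_sum16(blk) == be16(blk + 0x7e); }
/* CRC-32 as U-Boot uses for ih_hcrc/ih_dcrc (reflected, polynomial 0xedb88320). */
uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return ~c;
}
#define IH_MAGIC      0x27051956u
#define IH_TYPE_MULTI 4
#define IH_HDR_LEN    64
#define MAX_SUB       8
struct uimage_multi {
    uint32_t data_size, load, ep;        /* ih_size, ih_load, ih_ep */
    int hcrc_ok, size_ok;                /* header CRC matches; size list fills ih_size exactly */
    unsigned count;                      /* number of sub-images */
    uint32_t off[MAX_SUB], len[MAX_SUB]; /* absolute file offset and length of each sub-image */
};
/* Parse a multi-file uImage whose header sits at file offset `base`. `img` must hold at least
 * the 64-byte header and the size list. Returns the sub-image count, or -1 if malformed. */
int parse_uimage_multi(const uint8_t *img, size_t img_len, uint32_t base, struct uimage_multi *out) {
    if (img_len < IH_HDR_LEN + 4 || be32(img) != IH_MAGIC || img[30] != IH_TYPE_MULTI) return -1;
    memset(out, 0, sizeof *out);
    uint8_t hdr[IH_HDR_LEN];
    memcpy(hdr, img, IH_HDR_LEN);
    memset(hdr + 4, 0, 4);                       /* ih_hcrc is computed with its own field zeroed */
    out->hcrc_ok = crc32_ieee(hdr, IH_HDR_LEN) == be32(img + 4);
    out->data_size = be32(img + 12);
    out->load = be32(img + 16); out->ep = be32(img + 20);
    size_t p = IH_HDR_LEN;                       /* size list: big-endian uint32s, 0-terminated */
    for (;;) {
        if (p + 4 > img_len) return -1;          /* list runs past the bytes we were given */
        uint32_t sz = be32(img + p);
        p += 4;
        if (sz == 0) break;
        if (out->count == MAX_SUB) return -1;
        out->len[out->count++] = sz;
    }
    uint32_t cur = base + (uint32_t)p;           /* sub-images follow, each padded to 4 bytes */
    for (unsigned i = 0; i < out->count; i++) {
        out->off[i] = cur;
        cur += (out->len[i] + 3u) & ~3u;
    }
    out->size_ok = (cur - base - IH_HDR_LEN) == out->data_size;
    return (int)out->count;
}
/* Constructed sample: bytes 0x80..0xff of the 1.00.04.c wrapper header (from the dump above). */
static const uint8_t sample_block_80[0x80] = {
    0x00,0x00,0x00,0x00,0xb8,0xb4,0xd4,0xad, 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x80,
    0xae,0x50,0xb5,0xa4,0x61,0x2b,0xfb,0x52, 0xf1,0xcc,0x86,0xe9,0x67,0x9f,0xd7,0x4c,
    0x00,0x19,0x25,0x3c,0x00,0x00,0x00,0x00, 0x31,0x2e,0x30,0x00,0x00,0x00,0x00,0x00,
    [0x7e] = 0x0d, [0x7f] = 0xfe,                /* 0xb0..0xfd are zero padding */
};
/* Constructed sample: the cybertan_half_bin uImage header and size list (file offsets 0x200..0x24b). */
static const uint8_t sample_uimage[IH_HDR_LEN + 12] = {
    0x27,0x05,0x19,0x56, 0x5d,0x8b,0x1b,0x41, 0x47,0x3c,0xfc,0xf6, 0x00,0x19,0x24,0xfc,
    0x00,0x00,0x80,0x00, 0x00,0x00,0x80,0x00, 0x13,0x56,0x50,0x8c, 0x05,0x02,0x04,0x00,
    'W','G','T','L','c','y','b','e','r','t','a','n','_','h','a','l','f','_','b','i','n',
    0,0,0,0,0,0,0,0,0,0,0,
    0x00,0x0d,0x54,0xf0, 0x00,0x0b,0xd0,0x00, 0x00,0x00,0x00,0x00,
};
struct uimage_multi sample_parsed(void) {      /* parse the sample, header at file offset 0x200 */
    struct uimage_multi m = {0};
    parse_uimage_multi(sample_uimage, sizeof sample_uimage, 0x200, &m);
    return m;
}

int main(void) {
    struct uimage_multi m = sample_parsed();
    printf("block 0x80: sum %04x stored %04x -> %s\n", wrp400_sum16(sample_block_80),
           be16(sample_block_80 + 0x7e), wrp400_block_ok(sample_block_80) ? "ok" : "BAD");
    printf("uImage: %u sub-images, ih_size 0x%x, hcrc %s, size list %s\n", m.count,
           (unsigned)m.data_size, m.hcrc_ok ? "ok" : "MISMATCH", m.size_ok ? "ok" : "BAD");
    for (unsigned i = 0; i < m.count; i++)
        printf("  image %u @ 0x%06x: %u bytes (dd bs=1 skip=%u count=%u)\n", i, (unsigned)m.off[i],
               (unsigned)m.len[i], (unsigned)m.off[i], (unsigned)m.len[i]);
    return 0;
}
```

On the sample bytes this reports the block sum 0x0dfe and two sub-images at 0x24c (873712 bytes) and 0xd573c (774144 bytes), matching the dd offsets above; the same parse applied to the 76 bytes at 0x1927bc gives the cybertan_rom_bin offsets. To check a real file, read the header and size list at the image offset into a buffer and call parse_uimage_multi on it. Verifying ih_dcrc needs the whole data section, which mkimage -l also does when listing the image.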

Last edited by rwhitby.
Originally by rwhitby.
Page last modified on July 11, 2008, at 06:18 AM