Information/HGFlashROM
From NAS-Central Buffalo - The Linkstation Wiki
(→Flash ROM analysis) |
|||
| Line 23: | Line 23: | ||
|'''Function''' | |'''Function''' | ||
|- | |- | ||
| - | |[[Information/HGFlashROM# | + | |[[Information/HGFlashROM#.2Fdev.2Fmtd0|/dev/mtd0]] |
|90 | |90 | ||
|0 | |0 | ||
| Line 30: | Line 30: | ||
|Stores firmimg.bin (firminfo.txt, vmlinux.gz, ramdisk.image.gz). | |Stores firmimg.bin (firminfo.txt, vmlinux.gz, ramdisk.image.gz). | ||
|- | |- | ||
| - | |[[Information/HGFlashROM# | + | |[[Information/HGFlashROM#.2Fdev.2Fmtd1|/dev/mtd1]] |
|90 | |90 | ||
|2 | |2 | ||
| Line 37: | Line 37: | ||
|Boot loader (bootcode.bin). | |Boot loader (bootcode.bin). | ||
|- | |- | ||
| - | |[[Information/HGFlashROM# | + | |[[Information/HGFlashROM#.2Fdev.2Fmtd2|/dev/mtd2]] |
|90 | |90 | ||
|4 | |4 | ||
Revision as of 08:28, 17 June 2006
Major number | The major number in a special file entry identifies the device driver. Each driver in a Linux or Unix kernel has a number. The major number just selects the driver, e.g. if a serial port driver or a hard disk driver should be associated with the name in the file system
Minor number | The minor number in a special file entry is interpreted individually by a particular device driver. For example a serial driver might use it to compute the I/O address of a UART, or a hard disk driver might use it to address a particular disk on the periphery bus
First some background. 'mtd' stands for memory technology device. Traditionally Unix (and Linux) just has two device types
- Block special files
- Character special files
The interfaces of these special files is and was primarily geared at communicating with devices like hard disks, tapes, or terminals. Flash memory, or other 'memory technology' doesn't match to well to the classic device interfaces. For example, writing to a flash device should usually be more controlled to avoid excessive wear and tear of the memory (flash memory allows just a limited number of re-writes). So a particular mtd interface was created in the kernel to support these devices better. In addition, for backward-compatibility with non-mtd-aware software and tools (most are not mtd-aware) the mtd interface was mapped back to the classic block and character special device interfaces. The LinkStation firmware contains the necessary mtd device driver and matching file entries under /dev.
The following information only applies to firmwares 1.41 and newer. Firmwares prior to 1.41 function the same as powerpc-hdhlan firmwares.
Contents |
Flash ROM analysis
| Device | Major | Minor | End | Size | Function |
| /dev/mtd0 | 90 | 0 | ??? | 3MB | Stores firmimg.bin (firminfo.txt, vmlinux.gz, ramdisk.image.gz). |
| /dev/mtd1 | 90 | 2 | ??? | 448KB | Boot loader (bootcode.bin). |
| /dev/mtd2 | 90 | 4 | ??? | 64KB | Boot status ("OKOK" - normal boot, "NGNG" - EM mode). |
| /dev/mtd3 | 90 | 6 | ??? | 512KB | Stores configuration files as conf_save.tar.gz (written by as_flash). |
| /dev/mtd4 | 90 | 8 | ??? | 4MB | Entire Flash ROM (in the order mtd0, mtd1, mtd2, mtd3). |
| /dev/mtdblock0 | 90 | 0 | ??? | 3MB | Block special file version of mtd0. |
| /dev/mtdblock1 | 90 | 2 | ??? | 448KB | Block special file version of mtd1. |
| /dev/mtdblock2 | 90 | 4 | ??? | 64KB | Block special file version of mtd2. |
| /dev/mtdblock3 | 90 | 6 | ??? | 512KB | Block special file version of mtd3. |
| /dev/mtdblock4 | 90 | 8 | ??? | 4MB | Block special file version of mtd4. |
Note: If the flash devices do not already exist, they can easily be created by mknod:
mknod /dev/mtd0 c 90 0 mknod /dev/mtd1 c 90 2 mknod /dev/mtd2 c 90 4 mknod /dev/mtd3 c 90 6 mknod /dev/mtd4 c 90 8 mknod /dev/mtdblock0 b 90 0 mknod /dev/mtdblock1 b 90 2 mknod /dev/mtdblock2 b 90 4 mknod /dev/mtdblock3 b 90 6 mknod /dev/mtdblock4 b 90 8
/dev/mtd0
firmimg.bin contains 3 parts:
- firminfo.txt - The 108 byte firmware header.
- vmlinux.gz - The kernel.
- ramdisk.image.gz - The ramdisk.
firminfo.txt:
| Offset | Size | Field | Content - 1.45b |
| 0 | 4 | Version | 1 |
| 4 | 4 | Firmware ID | 4 |
| 8 | 32 | Firmware Name (padding with 0x00) | HD-HGLAN(IEMITSU) |
| 40 | 32 | Sub Version (padding with 0x00) | FLASH 1.2 |
| 72 | 2 | Major Version | 2 |
| 74 | 2 | Minor Version | 6 |
| 76 | 2 | Build Number | 0 |
| 78 | 6 | Build Date | 2005/8/3 9:32:3 |
| 84 | 4 | firmimg.bin size | 2903237 bytes |
| 88 | 4 | Checksum | 3288296390 |
| 92 | 4 | vmlinux.gz offset | 108 bytes |
| 96 | 4 | vmlinux.gz size | 855915 bytes |
| 100 | 4 | ramdisk.image.gz offset | 856023 bytes |
| 104 | 4 | ramdisk.image.gz size | 2047214 bytes |
The following script analyzes firmimg.bin and provides the preceding information:
#! /usr/bin/perl
read(STDIN, $tmp, 108, 0);
@tmp = unpack("LLA32A32SSSC6LLLLLL", $tmp);
print "Version ". $tmp[0]."\n"; print "Firmware ID ". $tmp[1]."\n"; print "Firmware Name ". $tmp[2]."\n"; print "Sub Version ". $tmp[3]."\n"; print "Major Version ". $tmp[4]."\n"; print "Minor Version ". $tmp[5]."\n"; print "Build Number ". $tmp[6]."\n"; printf "Build Date %d/%d/%d %d:%d:%d\n", $tmp[7] + 1900, $tmp[8], $tmp[9], $tmp[10], $tmp[11], $tmp[12]; print "firmimg.bin size ". $tmp[13]."\n"; print "Checksum ". $tmp[14]."\n"; print "vmlinux.gz offset ". $tmp[15]."\n"; print "vmlinux.gz size ". $tmp[16]."\n"; print "ramdisk.image.gz offset ". $tmp[17]."\n"; print "ramdisk.image.gz size ". $tmp[18]."\n";
The script can read the firmware information directly from the flash ROM:
./showflash.pl < /dev/mtd0
The script also can be used to read the firmware information from firmimg.bin:
./showflash.pl < firmimg.bin
You can extract firmimg.bin from /dev/mtd0 by using head:
head -c 2903237 /dev/mtd0 > firmimg.bin
firminfo.txt, vmlinux.gz, and ramdisk.image.gz can be extracted from firmimg.bin:
head -c 108 firmimg.bin > firminfo.txt tail -c 2903129 firmimg.bin > temp; head -c 855915 temp > vmlinux.gz; rm temp tail -c 2047214 firmimg.bin > ramdisk.image.gz
vmlinux.gz:
Linux kernel.
ramdisk.image.gz:
You can mount the ramdisk as follows:
mount ramdisk.image /mnt/ramdisk -o loop
Raw listing of 1.45b ramdisk contents.
/dev/mtd1
Contains bootcode.bin (created by "make zImage")
/dev/mtd2
Contains boot status ("OKOK" - normal boot, "NGNG" - EM mode).
Normal boot:
00000000 00 00 41 82 4f 4b 4f 4b 00 00 00 00 00 00 00 00 |..A.OKOK........ | 00000010 62 6f 6f 74 70 61 72 6d 3d 72 6f 6f 74 3d 2f 64 |bootparm=root=/d| 00000020 65 76 2f 68 64 61 31 00 00 00 00 00 00 00 00 00 |ev/hda1......... | 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................ | * 00010000
EM mode:
00000000 4e 47 4e 47 4e 47 4e 47 00 00 00 00 00 00 00 00 |NGNGNGNG........ | 00000010 62 6f 6f 74 70 61 72 6d 3d 72 6f 6f 74 3d 2f 64 |bootparm=root=/d| 00000020 65 76 2f 72 61 6d 30 00 00 00 00 00 00 00 00 00 |ev/ram0......... | 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000100 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................ | * 00010000
To read the boot status:
od -xc /dev/mtd2
You can change the boot status by using write_ng and write_ok. To change the boot status to normal:
write_ok
To change the boot status to EM mode:
write_ng
Be very careful when changing the boot status to EM mode! You can easily lock yourself out of the LinkStation and possibly brick the unit. Always change the boot status to normal before rebooting.
/dev/mtd3
Contents of conf_save.tar.gz:
???
You can read and write conf_save.tar.gz to and from /dev/mtd3 by using /usr/bin/as_flash:
as_flash [device] [add|del|get|init] [options] add -n <filename> add file image to end of flash del [-n <filename>|-i <block number>] delete Entered file name or block number of block data from flash get [-n <filename>|-i <block number>] [--output <filename>] read Entered file name or block number of block data from flash, and store output filename init clear device by zero
For example:
as_flash /dev/mtd3 get -n /tmp/conf_save.tar.gz --output /tmp/conf_save.tar.gz
There is a "hidden" feature to list the contents of the flash bank:
as_flash /dev/mtd3 list
Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.
