Information/MIPSelBootLoader
From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 00:50, 26 June 2006
The mipsel-hdhlan boot loader appears to be a customized IDTboot with an added layer of "encryption."
The boot loader itself lives in mtd0 and, during boot, is mapped at virtual address 0xBFC00000. It copies mtd1 into RAM, decrypts it, decompresses it and starts the kernel.
| offset | len | description |
|--------|-----|-------------|
| 0 | 4 | unknown (value=6) |
| 4 | 0x10 | header key |
| 0x14 | 0x5c | encrypted header (the fields below, 0x14 to 0x70, are what it decrypts to) |
| 0x14 | 0x20 | label ("HD-HLAN(IENOBU)") |
| 0x34 | 2 | release major? (value=2) |
| 0x36 | 2 | release minor? (value=2) |
| 0x38 | 0x10 | flash label ("FLASH 1.0") |
| 0x48 | 0x08 | unknown |
| 0x50 | 0x04 | compressed length |
| 0x54 | 0x04 | compressed offset (0x70) |
| 0x58 | 0x04 | compressed part checksum |
| 0x5c | 0x10 | compressed part key |
| 0x6c | 0x04 | unknown |
| 0x70 | var | encrypted, bzip2-compressed kernel+ramdisk |
Now to the encryption:
The boot loader contains a pseudo-random number generator that is statically seeded inside the boot loader, so its output sequence is completely predictable. Each output of the generator selects one byte of the key, and that key byte is XORed with one byte of the encrypted content; this is repeated byte by byte over the whole payload. Since the seed never changes, the sequence of key bytes is effectively a fixed keystream, and the same XOR pass both encrypts and decrypts.
I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.
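As an added illustration (not code from the wiki or from the boot loader itself), the following Python models the scheme described above: a statically seeded generator picks key bytes for a byte-wise XOR, and the header layout from the table is parsed to find the payload key, length and offset. The generator, its seed, the field byte order (little-endian, as on mipsel) and the checksum function are assumptions standing in for values this page does not give; the image is constructed in-line, not a real flash dump.

```python
import bz2
import struct

HEADER_LEN = 0x70
# Decrypted header fields from 0x14 to 0x70, little-endian (assumed byte order).
HEADER_FMT = "<32sHH16s8sIII16sI"  # label, major, minor, flash label, ?, len, off, cksum, key, ?

def prng(seed=0x12345678):
    """Stand-in for the loader's statically seeded generator. The real algorithm
    and seed are not documented on this page; this 32-bit LCG is an assumption."""
    state = seed
    while True:
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        yield state >> 16

def xor_with_key(data, key, seed=0x12345678):
    """XOR every byte with the key byte the generator output selects. Because the
    seed is fixed, the selection sequence is identical on every run, so the
    keystream is predictable and one call both encrypts and decrypts."""
    gen = prng(seed)
    return bytes(b ^ key[next(gen) % len(key)] for b in data)

def parse_image(image):
    """Decrypt the header with the header key at offset 4, then decrypt and
    bzip2-decompress the payload with the key stored inside the header."""
    header_key = image[4:0x14]
    hdr = xor_with_key(image[0x14:HEADER_LEN], header_key)
    label, major, minor, flash, _u1, clen, coff, cksum, ckey, _u2 = struct.unpack(HEADER_FMT, hdr)
    payload = xor_with_key(image[coff:coff + clen], ckey)
    return {
        "label": label.rstrip(b"\0").decode(),
        "release": (major, minor),
        "flash_label": flash.rstrip(b"\0").decode(),
        "checksum": cksum,
        "kernel": bz2.decompress(payload),
    }

def build_image(kernel, header_key, comp_key):
    """Constructed sample image in the layout of the table above (not a real dump).
    The checksum is a plain byte sum, an assumption: the real algorithm is unknown."""
    comp = bz2.compress(kernel)
    hdr = struct.pack(HEADER_FMT, b"HD-HLAN(IENOBU)", 2, 2, b"FLASH 1.0", bytes(8),
                      len(comp), HEADER_LEN, sum(comp) & 0xFFFFFFFF, comp_key, 0)
    return struct.pack("<I", 6) + header_key + xor_with_key(hdr, header_key) + xor_with_key(comp, comp_key)

if __name__ == "__main__":
    img = build_image(b"constructed kernel+ramdisk bytes", bytes(range(16)), bytes(range(16, 32)))
    print(parse_image(img))
```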

