Information/MIPSelBootLoader
From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 01:21, 21 July 2006
This article was last edited by frontalot. Originally by Nenik at Linkstationwiki.org.
The mipsel-hdhlan boot loader seems to be a customized IDTboot with added "encryption."
The bootloader itself is inside mtd0, and during boot it is mapped at virtual address 0xBFC00000. It copies mtd1 into RAM, decrypts it, decompresses it and starts the kernel.
| offset | len | description |
|---|---|---|
| 0 | 4 | Don't know (value=6) |
| 4 | 0x10 | Header key |
| 0x14 | 0x5c | Crypted header |
| 0x14 | 0x20 | Label ("HD-HLAN(IENOBU)") |
| 0x34 | 2 | release major? (value=2) |
| 0x36 | 2 | release minor? (value=2) |
| 0x38 | 0x10 | flash label ("FLASH 1.0") |
| 0x48 | 0x08 | ?? |
| 0x50 | 0x04 | compressed length |
| 0x54 | 0x04 | compressed offset (0x70) |
| 0x58 | 0x04 | compressed part checksum |
| 0x5c | 0x10 | compressed part key |
| 0x6c | 0x04 | ?? |
| 0x70 | var | crypted/BZipped kernel+ramdisk |
Now to the encryption:
The bootloader contains a pseudo-random number generator (statically seeded inside
the bootloader, so in fact completely predictable). The output of the generator
is used to select a byte from the key for decryption (read: "xor") of a byte
of the encrypted content, byte by byte.
I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.
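The layout table and the key-selecting XOR described above, put together as an added example (not code from the original article or from the bootloader). The page gives neither the generator nor its seed, so `index_stream` is a stand-in LCG; little-endian fields, reseeding before each encrypted region, the fields at 0x14-0x6c lying inside the crypted header, and the keys in `build_sample` are likewise assumptions.

```python
import bz2
import struct

def index_stream(seed):
    """Stand-in LCG: the page gives neither the real generator nor its seed."""
    state = seed
    while True:
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        yield state >> 16

def xor_select(data, key, seed=1):
    """XOR each byte with the key byte the PRNG selects; running it twice undoes it."""
    gen = index_stream(seed)
    return bytes(b ^ key[next(gen) % len(key)] for b in data)

def parse_image(img):
    """Decode an image laid out as in the table (little-endian fields assumed)."""
    (first_word,) = struct.unpack_from("<I", img, 0x00)
    hdr = xor_select(img[0x14:0x70], img[0x04:0x14])  # header key sits at 0x04
    # Index into hdr = table offset - 0x14.
    major, minor = struct.unpack_from("<HH", hdr, 0x20)
    length, offset, checksum = struct.unpack_from("<III", hdr, 0x3C)
    if offset < 0x70 or offset + length > len(img):
        raise ValueError("compressed part lies outside the image")
    body = xor_select(img[offset:offset + length], hdr[0x48:0x58])
    return {
        "first_word": first_word,
        "label": hdr[0x00:0x20].rstrip(b"\0").decode("ascii"),
        "release": (major, minor),
        "flash_label": hdr[0x24:0x34].rstrip(b"\0").decode("ascii"),
        "checksum": checksum,  # algorithm not given on the page, so not verified
        "payload": bz2.decompress(body),
    }

def build_sample(payload):
    """Construct a test image with made-up keys (not a real firmware dump)."""
    hkey, pkey = bytes(range(1, 17)), bytes(range(0x40, 0x50))
    body = bz2.compress(payload)
    hdr = b"HD-HLAN(IENOBU)".ljust(0x20, b"\0") + struct.pack("<HH", 2, 2)
    hdr += b"FLASH 1.0".ljust(0x10, b"\0") + bytes(8)
    hdr += struct.pack("<III", len(body), 0x70, 0) + pkey + bytes(4)
    return (struct.pack("<I", 6) + hkey + xor_select(hdr, hkey)
            + xor_select(body, pkey))

if __name__ == "__main__":
    info = parse_image(build_sample(b"constructed kernel+ramdisk bytes"))
    print(info["label"], info["release"], info["payload"])
```

Because the seed is fixed, the sequence of key indices is the same on every run, so both keys stored in the image are all that is needed to decode it.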

