Difference between revisions of "Information/MIPSelBootLoader"

From NAS-Central Buffalo - The Linkstation Wiki
Jump to: navigation, search
Line 12: Line 12:
<center>mtd1 layout:</center>
<center>mtd1 layout:</center>
{| style="width:75%; background:#E0FFFF" border="1" align=center
{| style="width:75%; background:#DDDDDD;" align=center
| offset || len ||| description  
|style="background:#CCCCCC; color:green"| '''offset'''
|style="background:#CCCCCC; color:green"| '''len '''
|style="background:#CCCCCC; color:green"| '''description'''
| 0 || 4 ||| Don't know (value=6)  
| 0 || 4 ||| Don't know (value=6)  

Revision as of 20:47, 6 September 2006

This article Last edited by frontalot. Originally by Nenik. at Linkstationwiki.org
mipsel-hdhlan boot loader seems like customized IDTboot with added "encryption."

The bootloader itself is inside mtd0 and during boot, it is mapped at virtual address 0xBFC00000. It copies the mtd1 into ram, decrypts it, decompresses and starts the kernel.

mtd1 layout:
offset len description
0 4 Don't know (value=6)
4 0x10 Header key
0x14 0x5c Crypted header
0x14 0x20 Label ("HD-HLAN(IENOBU)")
0x34 2 release major? (value=2)
0x36 2 release minor? (value=2)
0x38 0x10 flash label ("FLASH 1.0")
0x48 0x08  ??
0x50 0x04 compressed length
0x54 0x04 compressed offset (0x70)
0x58 0x04 compressed part checksum
0x5c 0x10 compressed part key
0x6c 0x04  ??
0x70 var crypted/BZiped kernel+ramdisk

Now to the encryption: The bootloader contains a pseudo-random number generator (statically seeded inside the bootloader, so in fact completely predictable). The output of the generator is used to select a byte from the key for decryption (read: "xor") of a byte of the encrypted content, byte by byte.

I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.