Information/MIPSelBootLoader

From NAS-Central Buffalo - The Linkstation Wiki

(Difference between revisions)

Latest revision as of 15:14, 15 February 2007

This article Last edited by klightspeed. Previously edited by frontalot. Originally by Nenik. at Linkstationwiki.org
mipsel-hdhlan boot loader seems like customized IDTboot with added "encryption."

The bootloader itself is inside mtd0 and during boot, it is mapped at virtual address 0xBFC00000. It copies the mtd1 into ram, decrypts it, decompresses and starts the kernel.

mtd1 layout:

offset	len	description
0x00	0x04	Product ID (value=6)
0x04	0x10	Header key
0x14	0x58	Crypted header
0x14	0x20	Label ("HD-HLAN(IENOBU)")
0x34	0x01	Firmware version (value=2)
0x35	0x01	Firmware release major
0x36	0x01	Firmware release minor
0x37	0x01	Reserved
0x38	0x10	Flash label ("FLASH 1.0" or "FLASH 1.1")
0x48	0x02	Build year
0x4a	0x01	Build month
0x4b	0x01	Build day
0x4c	0x01	Reserved
0x4d	0x01	Build hour
0x4e	0x01	Build minute
0x4f	0x01	Build second
0x50	0x04	Compressed length
0x54	0x04	Compressed offset (0x70)
0x58	0x04	Compressed part checksum
0x5c	0x10	Compressed part key
0x6c	0x04	Unencrypted null
0x70	var	Crypted/BZiped kernel

Now to the encryption: The bootloader contains a pseudo-random number generator (statically seeded inside the bootloader, so in fact completely predictable). The output of the generator is used to select a byte from the key for decryption (read: "xor") of a byte of the encrypted content, byte by byte.

frontalot: I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.

klightspeed: I suspected that the decrypted mtd1 would be kept in memory, so I created an init script that dumped the memory contents to disk. Upon inspecting the memory dump (searching for "HD-HLAN"), I found that the boot loader loads and decrypts mtd1 to virtual address 0x81A00000. The kernel image is indeed a bzimage, which is just a BZipped ELF image. There is no initrd appended to the image. Instead, the gzipped ramdisk is part of the ELF image. It is present at offset 0x001D6000 in my image (virtual address 0x802D6000). The ramdisk image is a standard EXT2 filesystem. It has a cut-down version of the linkstation root filesystem, so that if it can't mount the root filesystem, it can still be flashed over the network.

@@ Line 1: / Line 1: @@
+{{Template:Articles}}
+''<font color=red><small>
+This article
+Last edited by klightspeed.
+Previously edited by frontalot.
+Originally by Nenik.
+at Linkstationwiki.org
+</small></font>''<br>
 mipsel-hdhlan boot loader seems like customized IDTboot with added "encryption."
@@ Line 5: / Line 13: @@
 <center>mtd1 layout:</center>
-{| style="width:75%; background:#E0FFFF" border="1" align=center
+{| style="width:75%; background:#DDDDDD;" align=center
-| offset || len ||| description
+|style="background:#CCCCCC; color:green"| '''offset'''
+|style="background:#CCCCCC; color:green"| '''len '''
+|style="background:#CCCCCC; color:green"| '''description'''
 |-
-| 0 || 4 ||| Don't know (value=6)
+| 0x00 || 0x04 ||| Product ID (value=6)
 |-
-| 4 || 0x10 ||| Header key
+| 0x04 || 0x10 ||| Header key
 |-
-| 0x14 || 0x5c ||| Crypted header
+| 0x14 || 0x58 ||| Crypted header
 |-
 | 0x14 || 0x20 ||| Label ("HD-HLAN(IENOBU)")
 |-
-| 0x34 || 2 ||| release major? (value=2)
+| 0x34 || 0x01 ||| Firmware version (value=2)
 |-
-| 0x36 || 2 ||| release minor? (value=2)
+| 0x35 || 0x01 ||| Firmware release major
 |-
-| 0x38 || 0x10 ||| flash label ("FLASH 1.0")
+| 0x36 || 0x01 ||| Firmware release minor
 |-
-| 0x48 || 0x08 ||| ??
+| 0x37 || 0x01 ||| Reserved
 |-
-| 0x50 || 0x04 ||| compressed length
+| 0x38 || 0x10 ||| Flash label ("FLASH 1.0" or "FLASH 1.1")
 |-
-| 0x54 || 0x04 ||| compressed offset (0x70)
+| 0x48 || 0x02 ||| Build year
 |-
-| 0x58 || 0x04 ||| compressed part checksum
+| 0x4a || 0x01 ||| Build month
 |-
-| 0x5c || 0x10 ||| compressed part key
+| 0x4b || 0x01 ||| Build day
 |-
-| 0x6c || 0x04 ||| ??
+| 0x4c || 0x01 ||| Reserved
 |-
-| 0x70 || var ||| crypted/BZiped kernel+ramdisk
+| 0x4d || 0x01 ||| Build hour
+|-
+| 0x4e || 0x01 ||| Build minute
+|-
+| 0x4f || 0x01 ||| Build second
+|-
+| 0x50 || 0x04 ||| Compressed length
+|-
+| 0x54 || 0x04 ||| Compressed offset (0x70)
+|-
+| 0x58 || 0x04 ||| Compressed part checksum
+|-
+| 0x5c || 0x10 ||| Compressed part key
+|-
+| 0x6c || 0x04 ||| Unencrypted null
+|-
+| 0x70 || var ||| Crypted/BZiped kernel
 |}
@@ Line 44: / Line 70: @@
 of the encrypted content, byte by byte.
-I have managed to get to the state of having decrypted both the header and the kernel
+'''frontalot:''' I have managed to get to the state of having decrypted both the header and the kernel
 image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.
+'''klightspeed:''' I suspected that the decrypted mtd1 would be kept in memory, so I created an init script that dumped the memory contents to disk. Upon inspecting the memory dump (searching for "HD-HLAN"), I found that the boot loader loads and decrypts mtd1 to virtual address 0x81A00000. The kernel image is indeed a bzimage, which is just a BZipped ELF image.
+There is no initrd appended to the image. Instead, the gzipped ramdisk is part of the ELF image. It is present at offset 0x001D6000 in my image (virtual address 0x802D6000).
+The ramdisk image is a standard EXT2 filesystem. It has a cut-down version of the linkstation root filesystem, so that if it can't mount the root filesystem, it can still be flashed over the network.
+[[Category:LS2]]

Information/MIPSelBootLoader

From NAS-Central Buffalo - The Linkstation Wiki

Latest revision as of 15:14, 15 February 2007

Views

Personal tools

Buffalo Portal

Main Portal

Communication

Downloads

Hacking-pages-links

Distributions

Projects

Search

Toolbox