From NAS-Central Buffalo - The Linkstation Wiki
Last edited by frontalot.
Originally by Nenik.
The mipsel-hdhlan boot loader appears to be a customized IDTboot with added "encryption."
The bootloader itself resides in mtd0 and is mapped at virtual address 0xBFC00000 during boot. It copies mtd1 into RAM, decrypts it, decompresses it, and starts the kernel.
| Offset | Size | Description |
|--------|------|-------------|
| 0 | 4 | Don't know (value=6) |
| 0x34 | 2 | release major? (value=2) |
| 0x36 | 2 | release minor? (value=2) |
| 0x38 | 0x10 | flash label ("FLASH 1.0") |
| 0x54 | 0x04 | compressed offset (0x70) |
| 0x58 | 0x04 | compressed part checksum |
| 0x5c | 0x10 | compressed part key |
Now to the encryption: the bootloader contains a pseudo-random number generator that is statically seeded inside the bootloader, so its output is in fact completely predictable. For each byte of the encrypted content, the generator's output selects a byte from the key, and that key byte is XORed with the content byte to decrypt it.
I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.
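The scheme described above, as an added Python example (not code from the wiki or from the bootloader): it shows that with a fixed seed and the key stored in the header, the image alone is enough to recover the bzip2 stream. Assumptions: the generator is a generic LCG stand-in and `STATIC_SEED` is a constructed placeholder (the page gives neither the real algorithm nor the seed), header fields are read little-endian, the header is treated as already decrypted, and the checksum is read but not verified because its algorithm is not given.

```python
import bz2
import struct

# Field offsets taken from the header table on this page.
OFF_COMP_OFFSET, OFF_CHECKSUM, OFF_KEY, KEY_LEN = 0x54, 0x58, 0x5C, 0x10
STATIC_SEED = 0x12345678  # constructed placeholder, not the bootloader's real seed


def key_index_stream(seed):
    """Stand-in PRNG (a generic LCG, NOT the bootloader's generator)."""
    state = seed
    while True:
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        yield (state >> 16) % KEY_LEN  # index of the key byte to use next


def xor_with_key(data, key, seed=STATIC_SEED):
    """XOR each byte with the PRNG-selected key byte; the same call encrypts and decrypts."""
    idx = key_index_stream(seed)
    return bytes(b ^ key[next(idx)] for b in data)


def parse_header(header):
    """Read offset, checksum and key (little-endian and plaintext header are assumptions)."""
    comp_offset, checksum = struct.unpack_from("<II", header, OFF_COMP_OFFSET)
    return comp_offset, checksum, header[OFF_KEY:OFF_KEY + KEY_LEN]


def recover_payload(image):
    """Only the image and the fixed seed are needed: no secret is involved."""
    comp_offset, _checksum, key = parse_header(image[:0x70])
    plain = xor_with_key(image[comp_offset:], key)
    if not plain.startswith(b"BZh"):  # bzip2 stream magic
        raise ValueError("decrypted data is not a bzip2 stream")
    return bz2.decompress(plain)


def build_sample_image(payload, key):
    """Constructed test image laid out like the table (checksum field left as 0)."""
    header = bytearray(0x70)
    struct.pack_into("<II", header, OFF_COMP_OFFSET, 0x70, 0)
    header[OFF_KEY:OFF_KEY + KEY_LEN] = key
    return bytes(header) + xor_with_key(bz2.compress(payload), key)
```

Because the index sequence depends only on the seed, every image built with the same bootloader uses the same sequence of key positions, which is why the scheme offers obfuscation rather than confidentiality.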