From NAS-Central Buffalo - The Linkstation Wiki
Revision as of 20:49, 30 June 2006 by Ramuk (Talk | contribs)

Jump to: navigation, search

This article Last edited by frontalot. Originally by Nenik. at
mipsel-hdhlan boot loader seems like customized IDTboot with added "encryption."

The bootloader itself is inside mtd0 and during boot, it is mapped at virtual address 0xBFC00000. It copies the mtd1 into ram, decrypts it, decompresses and starts the kernel.

mtd1 layout:
offset len description
0 4 Don't know (value=6)
4 0x10 Header key
0x14 0x5c Crypted header
0x14 0x20 Label ("HD-HLAN(IENOBU)")
0x34 2 release major? (value=2)
0x36 2 release minor? (value=2)
0x38 0x10 flash label ("FLASH 1.0")
0x48 0x08  ??
0x50 0x04 compressed length
0x54 0x04 compressed offset (0x70)
0x58 0x04 compressed part checksum
0x5c 0x10 compressed part key
0x6c 0x04  ??
0x70 var crypted/BZiped kernel+ramdisk

Now to the encryption: The bootloader contains a pseudo-random number generator (statically seeded inside the bootloader, so in fact completely predictable). The output of the generator is used to select a byte from the key for decryption (read: "xor") of a byte of the encrypted content, byte by byte.

I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.