Information/MIPSelBootLoader
From NAS-Central Buffalo - The Linkstation Wiki
This article
Last edited by klightspeed.
Previously edited by frontalot.
Originally by Nenik.
at Linkstationwiki.org
mipsel-hdhlan boot loader seems like customized IDTboot with added "encryption."
The bootloader itself is inside mtd0 and during boot, it is mapped at virtual address 0xBFC00000. It copies the mtd1 into ram, decrypts it, decompresses and starts the kernel.
| offset | len | description |
| 0 | 4 | Product ID (value=6) |
| 4 | 0x10 | Header key |
| 0x14 | 0x58 | Crypted header |
| 0x14 | 0x20 | Label ("HD-HLAN(IENOBU)") |
| 0x34 | 2 | release major (value=2) |
| 0x36 | 2 | release minor (value=2 or 3) |
| 0x38 | 0x10 | flash label ("FLASH 1.0" or "FLASH 1.1") |
| 0x48 | 0x08 | ?? |
| 0x50 | 0x04 | compressed length |
| 0x54 | 0x04 | compressed offset (0x70) |
| 0x58 | 0x04 | compressed part checksum |
| 0x5c | 0x10 | compressed part key |
| 0x6c | 0x04 | unencrypted null |
| 0x70 | var | crypted/BZiped kernel+ramdisk |
Now to the encryption:
The bootloader contains a pseudo-random number generator (statically seeded inside
the bootloader, so in fact completely predictable). The output of the generator
is used to select a byte from the key for decryption (read: "xor") of a byte
of the encrypted content, byte by byte.
frontalot: I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.
klightspeed: I suspected that the decrypted mtd1 would be kept in memory, so I created an init script that dumped the memory contents to disk. Upon inspecting the memory dump (searching for "HD-HLAN"), I found that the boot loader loads and decrypts mtd1 to virtual address 0x81A00000. The kernel image is indeed a bzimage, which is just a BZipped ELF image. There is no initrd appended to the image. Instead, the gzipped ramdisk is part of the ELF image. It is present at offset 0x001D6000 in my image (virtual address 0x802D6000). The ramdisk image is a standard EXT2 filesystem. It has a cut-down version of the linkstation root filesystem, so that if it can't mount the root filesystem, it can still be flashed over the network.
