Difference between revisions of "Information/MIPSelFlashROM"
m (→Flash ROM analysis)
|Line 91:||Line 91:|
=== /dev/mtd1 ===
=== /dev/mtd1 ===
=== /dev/mtd2 ===
=== /dev/mtd2 ===
Revision as of 12:07, 19 October 2006
Based on work by nix, frontalot and noName.
Originally by frontalot.
First some background. 'mtd' stands for memory technology device. Traditionally Unix (and Linux) just has two device types
- Block special files
- Character special files
The interfaces of these special files is and was primarily geared at communicating with devices like hard disks, tapes, or terminals. Flash memory, or other 'memory technology' doesn't match to well to the classic device interfaces. For example, writing to a flash device should usually be more controlled to avoid excessive wear and tear of the memory (flash memory allows just a limited number of re-writes). So a particular mtd interface was created in the kernel to support these devices better. In addition, for backward-compatibility with non-mtd-aware software and tools (most are not mtd-aware) the mtd interface was mapped back to the classic block and character special device interfaces. The LinkStation firmware contains the necessary mtd device driver and matching file entries under /dev.
Flash ROM analysis
|/dev/mtd0||90||0||?||?||Boot loader (bootcode.bin?)|
|/dev/mtd1||90||2||?||?||Stores firmimg.bin (?, vmlinux.gz, ramdisk.image.gz).|
|/dev/mtd2||90||4||?||?||Stores configuration files as conf_save.tar.gz (written by ls_flash).|
|/dev/mtdblock0||90||0||?||?||Block special file version of mtd0.|
|/dev/mtdblock1||90||2||?||?||Block special file version of mtd1.|
|/dev/mtdblock2||90||4||?||?||Block special file version of mtd2.|
Note: If the flash devices do not already exist, they can easily be created by mknod:
mknod /dev/mtd0 c 90 0 mknod /dev/mtd1 c 90 2 mknod /dev/mtd2 c 90 4 mknod /dev/mtdblock0 b 90 0 mknod /dev/mtdblock1 b 90 2 mknod /dev/mtdblock2 b 90 4
thats why firmimgtool is not able to extract the ramdisk.gz and the kernel.gz
maybe the offsets are hardcoded somehow? or maybe this firmimg.bin is scrambled?
Contents of conf_save.tar.gz:
etc/network/interfaces etc/samba/ etc/samba/smb.conf etc/samba/lmhosts etc/samba/smbpasswd etc/samba/smbusers etc/samba/recycle.conf etc/samba/secrets.tdb etc/samba/smb.conf.bak etc/atalk/ etc/atalk/atalkd.conf etc/atalk/AppleVolumes.default etc/atalk/AppleVolumes.system etc/atalk/afpd.conf etc/atalk/config etc/atalk/config.papd etc/atalk/papd.conf etc/melco/ etc/melco/info etc/melco/shareinfo etc/melco/userinfo etc/melco/groupinfo etc/melco/ntp etc/melco/ntp_result etc/melco/timer_backup.cron etc/melco/timer_status etc/melco/pcast_mp2000 etc/melco/printer etc/melco/ftpstatus etc/melco/pdcuserinfo etc/melco/backup_error_status etc/melco/timer_backup_folder etc/melco/groupinfo.bak etc/passwd etc/group etc/hosts www/.htpasswd www/cgi-bin/.htpasswd www/script/.htpasswd etc/ls_servd.log etc/shadow etc/printcap etc/pcast/pcastd.conf
You can read and write conf_save.tar.gz to and from /dev/mtdblock2 (using the block device here is slightliy more efficient) by using /usr/bin/ls_flash - However, at least in the 2.05 firmware that file in the flash partition is not used. The init.d script load_config is not referenced in any init.d run-level.
ls_flash [device] [add|del|get|init] [options] add -n <filename> add file image to end of flash del [-n <filename>|-i <block number>] delete Entered file name or block number of block data from flash get [-n <filename>|-i <block number>] [--output <filename>] read Entered file name or block number of block data from flash, and store output filename init clear device by zero
ls_flash /dev/mtdblock2 get -n /tmp/conf_save.tar.gz --output /tmp/conf_save.tar.gz
There is a "hidden" feature to list the contents of the flash bank:
ls_flash /dev/mtdblock2 list
Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.