Information/PPCFlashROM

From NAS-Central Buffalo - The Linkstation Wiki

(Difference between revisions)
Jump to: navigation, search
(Flash ROM analysis)
m
 
(14 intermediate revisions not shown)
Line 1: Line 1:
-
Major number | The ''major'' number in a special file entry identifies the device driver. Each driver in a Linux or Unix kernel has a number. The major number just selects the driver, e.g. if a serial port driver or a hard disk driver should be associated with the name in the file system
+
{{Template:Articles}}
-
 
+
''<font color=red><small>
-
 
+
This article originally
-
Minor number | The ''minor'' number in a special file entry is interpreted individually by a particular device driver. For example a serial driver might use it to compute the I/O address of a UART, or a hard disk driver might use it to address a particular disk on the periphery bus
+
based on work done by Frontalot
-
 
+
at Linkstationwiki.org
 +
</small></font>''<br>
 +
This page is specific to the LS1.  The HG has its own [[Information/HGFlashROM|FlashROM page]].  There is also a [[Flash_ROM|Generic FlashROM page]].
 +
{| align=right
 +
|-
 +
|{{Postit|Major number | The ''major'' number in a special file entry identifies the device driver. Each driver in a Linux or Unix kernel has a number. The major number just selects the driver, e.g. if a serial port driver or a hard disk driver should be associated with the name in the file system}}
 +
|-
 +
|{{Postit|Minor number | The ''minor'' number in a special file entry is interpreted individually by a particular device driver. For example a serial driver might use it to compute the I/O address of a UART, or a hard disk driver might use it to address a particular disk on the periphery bus}}
 +
|}
== Flash ROM analysis ==  
== Flash ROM analysis ==  
<center>(all information based on English firmware 1.47 and Japanese firmware 1.51):</center>
<center>(all information based on English firmware 1.47 and Japanese firmware 1.51):</center>
-
{| style="width:75%; background:#E0FFFF" border="1" align=center
+
{| style="width:75%; background:#DDDDDD;" align=center
-
|'''Device'''
+
|style="background:#CCCCCC; color:green"|'''Device'''
-
| '''Major'''
+
|style="background:#CCCCCC; color:green"|'''Major'''
-
| '''Minor'''
+
|style="background:#CCCCCC; color:green"|'''Minor'''
-
| '''End'''
+
|style="background:#CCCCCC; color:green"|'''Start'''
-
| '''Size'''
+
|style="background:#CCCCCC; color:green"| '''Size'''
-
| '''Function'''
+
|style="background:#CCCCCC; color:green"| '''Function'''
|-
|-
|[[Information/PPCFlashROM#.2Fdev.2Ffl0|/dev/fl0]]
|[[Information/PPCFlashROM#.2Fdev.2Ffl0|/dev/fl0]]
Line 140: Line 148:
== firminfo.txt: ==
== firminfo.txt: ==
-
{| style="width:75%; background:#E0FFFF" border="1" align=center
+
{| style="width:75%; background:#DDDDDD;" align=center
-
|'''Offset'''
+
|style="background:#CCCCCC; color:green"|'''Offset'''
-
|'''Size'''
+
|style="background:#CCCCCC; color:green"|'''Size'''
-
|'''Field'''
+
|style="background:#CCCCCC; color:green"|'''Field'''
-
|'''Content - 1.47'''
+
|style="background:#CCCCCC; color:green"|'''Content - 1.47'''
-
|'''Content - 1.51'''
+
|style="background:#CCCCCC; color:green"|'''Content - 1.51'''
|-
|-
| 0
| 0
Line 231: Line 239:
| 2086688 bytes
| 2086688 bytes
|}
|}
 +
 +
[[Image:Firmimg_bin_hex_LS1.jpg]]
The following script analyzes firmimg.bin and provides the preceding information:
The following script analyzes firmimg.bin and provides the preceding information:
Line 277: Line 287:
   mount ramdisk.image /mnt/ramdisk -o loop
   mount ramdisk.image /mnt/ramdisk -o loop
-
Raw listing of [[LinkStationWiki:downloads/powerpc-hdhlan/fw147-ramdisk.txt | 1.47 ramdisk]] or [[LinkStationWiki:downloads/powerpc-hdhlan/fw151-ramdisk.txt | 1.51 ramdisk]] contents.
+
Raw listing of [http://downloads.nas-central.org/powerpc-hdhlan/fw147-ramdisk.txt 1.47 ramdisk] or [http://downloads.nas-central.org/powerpc-hdhlan/fw151-ramdisk.txt 1.51 ramdisk] contents.
-
 
+
-
 
+
=== /dev/fl2 ===
=== /dev/fl2 ===
Line 301: Line 309:
  0200000
  0200000
-
!!!! EM mode:
+
==== [[EM mode]] ====
  0000000 4e47 4e47 4e47 4e47 4e47 4e47 4e47 4e47
  0000000 4e47 4e47 4e47 4e47 4e47 4e47 4e47 4e47
           N  G  N  G  N  G  N  G  N  G  N  G  N  G  N  G
           N  G  N  G  N  G  N  G  N  G  N  G  N  G  N  G
Line 319: Line 327:
  write_ng
  write_ng
-
Be very careful when changing the boot status to EM mode! You can easily lock yourself out of the LinkStation and possibly brick the unit. Always change the boot status to normal before rebooting.
+
{{Brick|Be very careful when changing the boot status to [[EM mode]]! You can easily lock yourself out of the LinkStation and possibly [[brick]] the unit. Always change the boot status to normal before rebooting.}}
Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.
Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.
 +
 +
[[Category:LS1]]

Latest revision as of 02:33, 11 September 2007

This article originally based on work done by Frontalot at Linkstationwiki.org
This page is specific to the LS1. The HG has its own FlashROM page. There is also a Generic FlashROM page.

Major number
Image:Bar.png
The major number in a special file entry identifies the device driver. Each driver in a Linux or Unix kernel has a number. The major number just selects the driver, e.g. if a serial port driver or a hard disk driver should be associated with the name in the file system


Minor number
Image:Bar.png
The minor number in a special file entry is interpreted individually by a particular device driver. For example a serial driver might use it to compute the I/O address of a UART, or a hard disk driver might use it to address a particular disk on the periphery bus


Contents

Flash ROM analysis

(all information based on English firmware 1.47 and Japanese firmware 1.51):
Device Major Minor Start Size Function
/dev/fl0 250 0 0xFFF80000 512KB Stores configuration files as conf_save.tar.gz (written by as_flash).
/dev/fl1 250 1 0xFFC00000 3MB Stores firmimg.bin (firminfo.txt, vmlinux.gz, ramdisk.image.gz).
/dev/fl2 250 2 0xFFF00000 448KB Boot loader (bootcode.bin).
/dev/fl3 250 3 0xFFF70000 64KB Boot status ("OKOK" - normal boot, "NGNG" - EM mode).
/dev/fl4 250 4 0xFFC00000 4MB Entire Flash ROM (in the order fl1, fl2, fl3, fl0).


Note: If the flash devices do not already exist, they can easily be created by mknod: 

mknod /dev/fl0 b 250 0
mknod /dev/fl1 b 250 1
mknod /dev/fl2 b 250 2
mknod /dev/fl3 b 250 3
mknod /dev/fl4 b 250 4


/dev/fl0

Contents of conf_save.tar.gz: 

etc/network/interfaces
etc/samba/
etc/samba/smbusers
etc/samba/smb.conf
etc/samba/lmhosts
etc/samba/smbpasswd
etc/samba/secrets.tdb
etc/samba/smb.conf.bak
etc/atalk/
etc/atalk/atalkd.conf
etc/atalk/AppleVolumes.default
etc/atalk/AppleVolumes.system
etc/atalk/afpd.conf
etc/atalk/config
etc/atalk/papd.conf
etc/atalk/config.papd
etc/melco/
etc/melco/timer_sleep
etc/melco/timer_backup
etc/melco/timer_backup.cron
etc/melco/timer_status
etc/melco/info
etc/melco/shareinfo
etc/melco/usercount
etc/melco/userinfo
etc/melco/printer
etc/melco/groupinfo
etc/melco/ver
etc/melco/pcast_mp2000
etc/melco/ftpstatus
etc/melco/pdcuserinfo
etc/melco/pdcuserinfo.base
etc/melco/backup_error_status
etc/melco/timer_backup_folder
etc/melco/ntp
etc/melco/ntp_result
etc/melco/pdcgroupinfo
etc/melco/shareinfo.bak
etc/passwd
etc/group
etc/hosts
www/.htpasswd
www/cgi-bin/.htpasswd
www/script/.htpasswd
etc/ap_servd.log
etc/printcap
etc/pcast/pcastd.conf

You can read and write conf_save.tar.gz to and from /dev/fl0 by using /usr/bin/as_flash: 

as_flash [device] [add|del|get|init] [options]
add -n <filename>
 add file image to end of flash
del [-n <filename>|-i <block number>]
 delete Entered file name or block number of block data from flash
get [-n <filename>|-i <block number>] [--output <filename>]
 read Entered file name or block number of block data from flash, and store output filename
init
 clear device by zero

For example: 

as_flash /dev/fl0</ get -n /tmp/conf_save.tar.gz --output /tmp/conf_save.tar.gz

There is a "hidden" feature to list the contents of the flash bank: 

as_flash /dev/fl0 list


/dev/fl1

firmimg.bin contains 3 parts:

  1. firminfo.txt - The 108 byte firmware header.
  2. vmlinux.gz - The kernel.
  3. ramdisk.image.gz - The ramdisk.

firminfo.txt:

Offset Size Field Content - 1.47 Content - 1.51
0 4 Version 1 1
4 4 Firmware ID 3 3
8 32 Firmware Name (padding with 0x00) HD-HLAN(HIDETADA) HD-HLAN(HIDETADA)
40 32 Sub Version (padding with 0x00) FLASH 1.1 FLASH 1.4
72 2 Major Version 1 1
74 2 Minor Version 5 6
76 2 Build Number 0 0
78 6 Build Date 2004/5/21 13:41:0 2005/2/25 19:31:10
84 4 firmimg.bin size 2879996 bytes 2933224 bytes
88 4 Checksum 658752272 4191046432
92 4 vmlinux.gz offset 108 bytes 108 bytes
96 4 vmlinux.gz size 838590 bytes 846428 bytes
100 4 ramdisk.image.gz offset 838698 bytes 846536 bytes
104 4 ramdisk.image.gz size 2041298 bytes 2086688 bytes

Image:Firmimg_bin_hex_LS1.jpg

The following script analyzes firmimg.bin and provides the preceding information: 

#! /usr/bin/perl

read(STDIN, $tmp, 108, 0);
@tmp = unpack("LLA32A32SSSC6LLLLLL", $tmp);

print "Version                  ". $tmp[0]."\n";
print "Firmware ID              ". $tmp[1]."\n";
print "Firmware Name            ". $tmp[2]."\n";
print "Sub Version              ". $tmp[3]."\n";
print "Major Version            ". $tmp[4]."\n";
print "Minor Version            ". $tmp[5]."\n";
print "Build Number             ". $tmp[6]."\n";
printf "Build Date              %d/%d/%d %d:%d:%d\n", $tmp[7] + 1900, $tmp[8], $tmp[9],   
$tmp[10], $tmp[11], $tmp[12];
print "firmimg.bin size         ". $tmp[13]."\n";
print "Checksum                 ". $tmp[14]."\n";
print "vmlinux.gz offset        ". $tmp[15]."\n";
print "vmlinux.gz size          ". $tmp[16]."\n";
print "ramdisk.image.gz offset  ". $tmp[17]."\n";
print "ramdisk.image.gz size    ". $tmp[18]."\n";

The script can read the firmware information directly from the flash ROM: 

./showflash.pl < /dev/fl1

The script also can be used to read the firmware information from firmimg.bin: 

./showflash.pl < firmimg.bin

You can extract firmimg.bin from <tt>/dev/fl1 by using head: 

head -c 2879996 /dev/fl1 > firmimg.bin

firminfo.txt, vmlinux.gz, and ramdisk.image.gz can be extracted from firmimg.bin: 

head -c 108 firmimg.bin > firminfo.txt
tail -c 2879888 firmimg.bin > temp; head -c 838590 temp > vmlinux.gz; rm temp
tail -c 2041298 firmimg.bin > ramdisk.image.gz

vmlinux.gz:

Linux kernel.

ramdisk.image.gz:

You can mount the ramdisk as follows: 

 mount ramdisk.image /mnt/ramdisk -o loop

Raw listing of 1.47 ramdisk or 1.51 ramdisk contents.

/dev/fl2

Contains bootcode.bin (created by "make zImage")


/dev/fl3

Contains boot status ("OKOK" - normal boot, "NGNG" - EM mode).

Normal boot 

0000000 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b
          O   K   O   K   O   K   O   K   O   K   O   K   O   K   O   K
*
0000400 ffff ffff ffff ffff ffff ffff ffff ffff
        377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0200000

EM mode 

0000000 4e47 4e47 4e47 4e47 4e47 4e47 4e47 4e47
          N   G   N   G   N   G   N   G   N   G   N   G   N   G   N   G
*
0000400 ffff ffff ffff ffff ffff ffff ffff ffff
        377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0200000

To read the boot status: 

od -xc /dev/fl3

You can change the boot status by using write_ng and write_ok. To change the boot status to normal: 

write_ok

To change the boot status to EM mode: 

write_ng
Image:Kurobrick.png
WARNING!

There is a possibility that you could brick your NAS with these instructions. Please make sure that you read the entire page carefully. Be very careful when changing the boot status to EM mode! You can easily lock yourself out of the LinkStation and possibly brick the unit. Always change the boot status to normal before rebooting.



Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.

Retrieved from "http://buffalo.nas-central.org/wiki/Information/PPCFlashROM"
Personal tools