Information/PPCFlashROM
From NAS-Central Buffalo - The Linkstation Wiki
This article originally
based on work done by Frontalot
at Linkstationwiki.org
This page is specific to the LS1. The HG has its own FlashROM page. There is also a Generic FlashROM page.
| |||
|
Contents |
Flash ROM analysis
| Device | Major | Minor | Start | Size | Function |
| /dev/fl0 | 250 | 0 | 0xFFF80000 | 512KB | Stores configuration files as conf_save.tar.gz (written by as_flash). |
| /dev/fl1 | 250 | 1 | 0xFFC00000 | 3MB | Stores firmimg.bin (firminfo.txt, vmlinux.gz, ramdisk.image.gz). |
| /dev/fl2 | 250 | 2 | 0xFFF00000 | 448KB | Boot loader (bootcode.bin). |
| /dev/fl3 | 250 | 3 | 0xFFF70000 | 64KB | Boot status ("OKOK" - normal boot, "NGNG" - EM mode). |
| /dev/fl4 | 250 | 4 | 0xFFC00000 | 4MB | Entire Flash ROM (in the order fl1, fl2, fl3, fl0). |
Note: If the flash devices do not already exist, they can easily be created by mknod:
mknod /dev/fl0 b 250 0 mknod /dev/fl1 b 250 1 mknod /dev/fl2 b 250 2 mknod /dev/fl3 b 250 3 mknod /dev/fl4 b 250 4
/dev/fl0
Contents of conf_save.tar.gz:
etc/network/interfaces etc/samba/ etc/samba/smbusers etc/samba/smb.conf etc/samba/lmhosts etc/samba/smbpasswd etc/samba/secrets.tdb etc/samba/smb.conf.bak etc/atalk/ etc/atalk/atalkd.conf etc/atalk/AppleVolumes.default etc/atalk/AppleVolumes.system etc/atalk/afpd.conf etc/atalk/config etc/atalk/papd.conf etc/atalk/config.papd etc/melco/ etc/melco/timer_sleep etc/melco/timer_backup etc/melco/timer_backup.cron etc/melco/timer_status etc/melco/info etc/melco/shareinfo etc/melco/usercount etc/melco/userinfo etc/melco/printer etc/melco/groupinfo etc/melco/ver etc/melco/pcast_mp2000 etc/melco/ftpstatus etc/melco/pdcuserinfo etc/melco/pdcuserinfo.base etc/melco/backup_error_status etc/melco/timer_backup_folder etc/melco/ntp etc/melco/ntp_result etc/melco/pdcgroupinfo etc/melco/shareinfo.bak etc/passwd etc/group etc/hosts www/.htpasswd www/cgi-bin/.htpasswd www/script/.htpasswd etc/ap_servd.log etc/printcap etc/pcast/pcastd.conf
You can read and write conf_save.tar.gz to and from /dev/fl0 by using /usr/bin/as_flash:
as_flash [device] [add|del|get|init] [options] add -n <filename> add file image to end of flash del [-n <filename>|-i <block number>] delete Entered file name or block number of block data from flash get [-n <filename>|-i <block number>] [--output <filename>] read Entered file name or block number of block data from flash, and store output filename init clear device by zero
For example:
as_flash /dev/fl0</ get -n /tmp/conf_save.tar.gz --output /tmp/conf_save.tar.gz
There is a "hidden" feature to list the contents of the flash bank:
as_flash /dev/fl0 list
/dev/fl1
firmimg.bin contains 3 parts:
- firminfo.txt - The 108 byte firmware header.
- vmlinux.gz - The kernel.
- ramdisk.image.gz - The ramdisk.
firminfo.txt:
| Offset | Size | Field | Content - 1.47 | Content - 1.51 |
| 0 | 4 | Version | 1 | 1 |
| 4 | 4 | Firmware ID | 3 | 3 |
| 8 | 32 | Firmware Name (padding with 0x00) | HD-HLAN(HIDETADA) | HD-HLAN(HIDETADA) |
| 40 | 32 | Sub Version (padding with 0x00) | FLASH 1.1 | FLASH 1.4 |
| 72 | 2 | Major Version | 1 | 1 |
| 74 | 2 | Minor Version | 5 | 6 |
| 76 | 2 | Build Number | 0 | 0 |
| 78 | 6 | Build Date | 2004/5/21 13:41:0 | 2005/2/25 19:31:10 |
| 84 | 4 | firmimg.bin size | 2879996 bytes | 2933224 bytes |
| 88 | 4 | Checksum | 658752272 | 4191046432 |
| 92 | 4 | vmlinux.gz offset | 108 bytes | 108 bytes |
| 96 | 4 | vmlinux.gz size | 838590 bytes | 846428 bytes |
| 100 | 4 | ramdisk.image.gz offset | 838698 bytes | 846536 bytes |
| 104 | 4 | ramdisk.image.gz size | 2041298 bytes | 2086688 bytes |
The following script analyzes firmimg.bin and provides the preceding information:
#! /usr/bin/perl
read(STDIN, $tmp, 108, 0);
@tmp = unpack("LLA32A32SSSC6LLLLLL", $tmp);
print "Version ". $tmp[0]."\n";
print "Firmware ID ". $tmp[1]."\n";
print "Firmware Name ". $tmp[2]."\n";
print "Sub Version ". $tmp[3]."\n";
print "Major Version ". $tmp[4]."\n";
print "Minor Version ". $tmp[5]."\n";
print "Build Number ". $tmp[6]."\n";
printf "Build Date %d/%d/%d %d:%d:%d\n", $tmp[7] + 1900, $tmp[8], $tmp[9],
$tmp[10], $tmp[11], $tmp[12];
print "firmimg.bin size ". $tmp[13]."\n";
print "Checksum ". $tmp[14]."\n";
print "vmlinux.gz offset ". $tmp[15]."\n";
print "vmlinux.gz size ". $tmp[16]."\n";
print "ramdisk.image.gz offset ". $tmp[17]."\n";
print "ramdisk.image.gz size ". $tmp[18]."\n";
The script can read the firmware information directly from the flash ROM:
./showflash.pl < /dev/fl1
The script also can be used to read the firmware information from firmimg.bin:
./showflash.pl < firmimg.bin
You can extract firmimg.bin from <tt>/dev/fl1 by using head:
head -c 2879996 /dev/fl1 > firmimg.bin
firminfo.txt, vmlinux.gz, and ramdisk.image.gz can be extracted from firmimg.bin:
head -c 108 firmimg.bin > firminfo.txt tail -c 2879888 firmimg.bin > temp; head -c 838590 temp > vmlinux.gz; rm temp tail -c 2041298 firmimg.bin > ramdisk.image.gz
vmlinux.gz:
Linux kernel.
ramdisk.image.gz:
You can mount the ramdisk as follows:
mount ramdisk.image /mnt/ramdisk -o loop
Raw listing of 1.47 ramdisk or 1.51 ramdisk contents.
/dev/fl2
Contains bootcode.bin (created by "make zImage")
/dev/fl3
Contains boot status ("OKOK" - normal boot, "NGNG" - EM mode).
Normal boot
0000000 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b 4f4b
O K O K O K O K O K O K O K O K
*
0000400 ffff ffff ffff ffff ffff ffff ffff ffff
377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0200000
EM mode
0000000 4e47 4e47 4e47 4e47 4e47 4e47 4e47 4e47
N G N G N G N G N G N G N G N G
*
0000400 ffff ffff ffff ffff ffff ffff ffff ffff
377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0200000
To read the boot status:
od -xc /dev/fl3
You can change the boot status by using write_ng and write_ok. To change the boot status to normal:
write_ok
To change the boot status to EM mode:
write_ng
|
Some of this information courtesy of http://www.yamasita.jp/linkstation.en/index.html.
