From NAS-Central Buffalo - The Linkstation Wiki

This article was last edited by klightspeed. Previously edited by frontalot. Originally by Nenik. at
The mipsel-hdhlan boot loader appears to be a customized IDTboot with added "encryption."

The boot loader itself lives in mtd0 and is mapped at virtual address 0xBFC00000 during boot. It copies mtd1 into RAM, decrypts it, decompresses it and starts the kernel.

mtd1 layout (sub-fields of the crypted header are indented):

offset  len   description
0x00    0x04  Product ID (value=6)
0x04    0x10  Header key
0x14    0x58  Crypted header, consisting of:
  0x14  0x20  Label ("HD-HLAN(IENOBU)")
  0x34  0x01  Firmware version (value=2)
  0x35  0x01  Firmware release major
  0x36  0x01  Firmware release minor
  0x37  0x01  Reserved
  0x38  0x10  Flash label ("FLASH 1.0" or "FLASH 1.1")
  0x48  0x02  Build year
  0x4a  0x01  Build month
  0x4b  0x01  Build day
  0x4c  0x01  Reserved
  0x4d  0x01  Build hour
  0x4e  0x01  Build minute
  0x4f  0x01  Build second
  0x50  0x04  Compressed length
  0x54  0x04  Compressed offset (0x70)
  0x58  0x04  Compressed part checksum
  0x5c  0x10  Compressed part key
0x6c    0x04  Unencrypted null
0x70    var   Crypted/BZipped kernel

Now to the encryption: the boot loader contains a pseudo-random number generator that is statically seeded inside the boot loader, so its output is in fact completely predictable. Each output of the generator selects one byte of the key, and that key byte is used to decrypt (read: "xor") one byte of the encrypted content, byte by byte.
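As an added example (not code from this wiki or from Buffalo), the following parses the mtd1 layout in the table above and applies the XOR scheme just described. The PRNG is a placeholder LCG standing in for the real generator, and the little-endian field order, the seed value, the use of the header key for the crypted header and the compressed-part key for the kernel, and the unverified checksum are all assumptions; the sample image is constructed, not a real dump.

```python
import struct

# Assumed stand-in for the boot loader's statically seeded PRNG (a plain LCG).
# The real generator is not described on the page; only the property that a
# fixed seed yields the same index sequence on every boot is modelled here.
def key_index_stream(seed, key_len):
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        yield (state >> 16) % key_len

def xor_crypt(data, key, seed=0x1234):
    # Each byte is XORed with the key byte the PRNG picks; XOR is its own
    # inverse, so the same call both "encrypts" and decrypts.
    idx = key_index_stream(seed, len(key))
    return bytes(b ^ key[next(idx)] for b in data)

# Crypted header (0x58 bytes) as laid out in the table; little-endian assumed for mipsel.
HEADER_FMT = "<32s4B16sH6B3I16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 0x58

def parse_mtd1(image, seed=0x1234):
    product_id = struct.unpack_from("<I", image, 0)[0]
    header_key = image[0x04:0x14]
    f = struct.unpack(HEADER_FMT, xor_crypt(image[0x14:0x14 + HEADER_LEN], header_key, seed))
    label, fw_ver, rel_major, rel_minor, _r, flash_label = f[0:6]
    year, month, day, _r2, hour, minute, second = f[6:13]
    comp_len, comp_off, comp_sum, comp_key = f[13:17]
    # Checksum algorithm is not given on the page, so it is returned, not verified.
    kernel = xor_crypt(image[comp_off:comp_off + comp_len], comp_key, seed)
    return {"product_id": product_id, "label": label.rstrip(b"\0").decode(),
            "fw_version": fw_ver, "release": (rel_major, rel_minor),
            "flash_label": flash_label.rstrip(b"\0").decode(),
            "built": (year, month, day, hour, minute, second),
            "compressed_checksum": comp_sum, "kernel": kernel}

def build_sample_image(seed=0x1234):
    # Constructed sample image following the mtd1 layout; not a real firmware dump.
    header_key = bytes(range(0x10, 0x20))
    comp_key = bytes(range(0xA0, 0xB0))
    kernel = b"BZh9constructed payload"  # stands in for the BZipped ELF kernel
    hdr = struct.pack(HEADER_FMT, b"HD-HLAN(IENOBU)", 2, 1, 44, 0, b"FLASH 1.0",
                      2005, 3, 14, 0, 15, 9, 26, len(kernel), 0x70, 0, comp_key)
    return (struct.pack("<I", 6) + header_key + xor_crypt(hdr, header_key, seed)
            + b"\0\0\0\0" + xor_crypt(kernel, comp_key, seed))
```

Because the seed is fixed, `parse_mtd1` recovers every field without any secret beyond the bytes already stored in the image, which is exactly why the quotation marks around "encryption" are deserved.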

frontalot: I have managed to get to the state of having decrypted both the header and the kernel image, which is really BZipped! I have also uncompressed the image, but so far I have failed to open the initial ramdisk, which is appended to the image.

klightspeed: I suspected that the decrypted mtd1 would be kept in memory, so I created an init script that dumped the memory contents to disk. Upon inspecting the memory dump (searching for "HD-HLAN"), I found that the boot loader loads and decrypts mtd1 to virtual address 0x81A00000. The kernel image is indeed a bzimage, which is just a BZipped ELF image. There is no initrd appended to the image. Instead, the gzipped ramdisk is part of the ELF image. It is present at offset 0x001D6000 in my image (virtual address 0x802D6000). The ramdisk image is a standard EXT2 filesystem. It has a cut-down version of the linkstation root filesystem, so that if it can't mount the root filesystem, it can still be flashed over the network.