16fca56fbSSascha Wildner 26fca56fbSSascha Wildner#------------------------------------------------------------------------------ 3*614728caSSascha Wildner# $File: tplink,v 1.7 2021/04/26 15:56:00 christos Exp $ 46fca56fbSSascha Wildner# tplink: File magic for openwrt firmware files 56fca56fbSSascha Wildner 66fca56fbSSascha Wildner# URL: https://wiki.openwrt.org/doc/techref/header 76fca56fbSSascha Wildner# Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c 86fca56fbSSascha Wildner# From: Joerg Jenderek 96fca56fbSSascha Wildner# check for valid header version 1 or 2 106fca56fbSSascha Wildner0 ulelong <3 116fca56fbSSascha Wildner>0 ulelong !0 126fca56fbSSascha Wildner# test for header padding with nulls 136fca56fbSSascha Wildner>>0x100 long 0 146fca56fbSSascha Wildner# skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor 156fca56fbSSascha Wildner>>>4 ubelong >0x1F000000 16c990e5baSDaniel Fojt# skip user.dbt by looking for positive hardware id 17c990e5baSDaniel Fojt>>>>0x40 ubeshort >0 18c990e5baSDaniel Fojt>>>>>0 use firmware-tplink 196fca56fbSSascha Wildner 206fca56fbSSascha Wildner0 name firmware-tplink 216fca56fbSSascha Wildner>0 ubyte x firmware 226fca56fbSSascha Wildner!:mime application/x-tplink-bin 236fca56fbSSascha Wildner!:ext bin 246fca56fbSSascha Wildner# hardware id like 10430001 07410001 09410004 09410006 256fca56fbSSascha Wildner>0x40 ubeshort x %x 266fca56fbSSascha Wildner>0x42 ubeshort x v%x 276fca56fbSSascha Wildner# hardware revision like 1 286fca56fbSSascha Wildner>0x44 ubelong !1 (revision %u) 296fca56fbSSascha Wildner# vendor_name[24] like OpenWrt or TP-LINK Technologies 306fca56fbSSascha Wildner>4 string x %.24s 316fca56fbSSascha Wildner# fw_version[36] like r49389 or ver. 1.0 326fca56fbSSascha Wildner>0x1c string x %.36s 336fca56fbSSascha Wildner# header version 1 or 2 346fca56fbSSascha Wildner>0 ubyte !1 V%X 356fca56fbSSascha Wildner# ver_hi.ver_mid.ver_lo 366fca56fbSSascha Wildner>0x98 long !0 \b, version 376fca56fbSSascha Wildner>>0x98 ubeshort x %u 386fca56fbSSascha Wildner>>0x9A ubeshort x \b.%u 396fca56fbSSascha Wildner>>0x9C ubeshort x \b.%u 406fca56fbSSascha Wildner# region code 0~universal 1~US 416fca56fbSSascha Wildner>0x48 ubelong x 426fca56fbSSascha Wildner#>>0x48 ubelong 0 (universal) 436fca56fbSSascha Wildner>>0x48 ubelong 1 (US) 446fca56fbSSascha Wildner>>0x48 ubelong >1 (region %u) 456fca56fbSSascha Wildner# total length of the firmware. not always true 466fca56fbSSascha Wildner>0x7C ubelong x \b, %u bytes or less 476fca56fbSSascha Wildner# unknown 1 48*614728caSSascha Wildner>0x48 ubelong !0 \b, UNKNOWN1 %#x 496fca56fbSSascha Wildner# md5sum1[16] 506fca56fbSSascha Wildner#>0x4c ubequad x \b, MD5 %llx 516fca56fbSSascha Wildner#>>0x54 ubequad x \b%llx 526fca56fbSSascha Wildner# unknown 2 53*614728caSSascha Wildner>0x5c ubelong !0 \b, UNKNOWN2 %#x 546fca56fbSSascha Wildner# md5sum2[16] 556fca56fbSSascha Wildner#>0x60 ubequad !0 \b, 2nd MD5 %llx 566fca56fbSSascha Wildner#>>0x68 ubequad x \b%llx 576fca56fbSSascha Wildner# unknown 3 58*614728caSSascha Wildner>0x70 ubelong !0 \b, UNKNOWN3 %#x 596fca56fbSSascha Wildner# kernel load address 60*614728caSSascha Wildner#>0x74 ubelong x \b, %#x load 616fca56fbSSascha Wildner# kernel entry point 62*614728caSSascha Wildner#>0x78 ubelong x \b, %#x entry 636fca56fbSSascha Wildner# kernel data offset. 200h means direct after header 64*614728caSSascha Wildner>0x80 ubelong x \b, at %#x 656fca56fbSSascha Wildner# kernel data length and 1 space 666fca56fbSSascha Wildner>0x84 ubelong x %u bytes 676fca56fbSSascha Wildner# look for kernel type (gzip compressed vmlinux.bin by ./compress) 686fca56fbSSascha Wildner>(0x80.L) indirect x 696fca56fbSSascha Wildner# root file system data offset 706fca56fbSSascha Wildner# WRONG in 5.35 with above indirect expression 71*614728caSSascha Wildner>0x88 ubelong x \b, at %#x 726fca56fbSSascha Wildner# rootfs data length and 1 space 736fca56fbSSascha Wildner>0x8C ubelong x %u bytes 746fca56fbSSascha Wildner# in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h 756fca56fbSSascha Wildner>(0x88.L) indirect x 766fca56fbSSascha Wildner# 'qshs' for wr940nv1_en_3_13_7_up(111228).bin 776fca56fbSSascha Wildner#>(0x88.L) string x \b, file system '%.4s' 78*614728caSSascha Wildner#>(0x88.L) ubequad x \b, file system %#llx 796fca56fbSSascha Wildner# bootloader data offset 80*614728caSSascha Wildner>0x90 ubelong !0 \b, at %#x 81970935fdSSascha Wildner# bootloader data length only reasonable if bootloader offset not null 826fca56fbSSascha Wildner>>0x94 ubelong !0 %u bytes 836fca56fbSSascha Wildner# pad[354] should be 354 null bytes. 84*614728caSSascha Wildner#>0x9E ubequad !0 \b, padding %#llx 856fca56fbSSascha Wildner# But at 0x120 18 non null bytes in examples like 866fca56fbSSascha Wildner# wr940nv4_eu_3_16_9_up_boot(160620).bin 876fca56fbSSascha Wildner# wr940nv6_us_3_18_1_up_boot(171030).bin 88*614728caSSascha Wildner#>0x120 ubequad !0 \b, other padding %#llx 89