#------------------------------------------------------------------------------ # $File: tplink,v 1.4 2019/04/19 00:42:27 christos Exp $ # tplink: File magic for openwrt firmware files # URL: https://wiki.openwrt.org/doc/techref/header # Reference: https://git.openwrt.org/?p=openwrt.git;a=blob;f=tools/firmware-utils/src/mktplinkfw.c # From: Joerg Jenderek # check for valid header version 1 or 2 0 ulelong <3 >0 ulelong !0 # test for header padding with nulls >>0x100 long 0 # skip Norton Commander Cleanup Utility NCCLEAN.INI by looking for valid vendor >>>4 ubelong >0x1F000000 >>>>0 use firmware-tplink 0 name firmware-tplink >0 ubyte x firmware !:mime application/x-tplink-bin !:ext bin # hardware id like 10430001 07410001 09410004 09410006 >0x40 ubeshort x %x >0x42 ubeshort x v%x # hardware revision like 1 >0x44 ubelong !1 (revision %u) # vendor_name[24] like OpenWrt or TP-LINK Technologies >4 string x %.24s # fw_version[36] like r49389 or ver. 1.0 >0x1c string x %.36s # header version 1 or 2 >0 ubyte !1 V%X # ver_hi.ver_mid.ver_lo >0x98 long !0 \b, version >>0x98 ubeshort x %u >>0x9A ubeshort x \b.%u >>0x9C ubeshort x \b.%u # region code 0~universal 1~US >0x48 ubelong x #>>0x48 ubelong 0 (universal) >>0x48 ubelong 1 (US) >>0x48 ubelong >1 (region %u) # total length of the firmware. not always true >0x7C ubelong x \b, %u bytes or less # unknown 1 >0x48 ubelong !0 \b, UNKNOWN1 0x%x # md5sum1[16] #>0x4c ubequad x \b, MD5 %llx #>>0x54 ubequad x \b%llx # unknown 2 >0x5c ubelong !0 \b, UNKNOWN2 0x%x # md5sum2[16] #>0x60 ubequad !0 \b, 2nd MD5 %llx #>>0x68 ubequad x \b%llx # unknown 3 >0x70 ubelong !0 \b, UNKNOWN3 0x%x # kernel load address #>0x74 ubelong x \b, 0x%x load # kernel entry point #>0x78 ubelong x \b, 0x%x entry # kernel data offset. 200h means direct after header >0x80 ubelong x \b, at 0x%x # kernel data length and 1 space >0x84 ubelong x %u bytes # look for kernel type (gzip compressed vmlinux.bin by ./compress) >(0x80.L) indirect x # root file system data offset # WRONG in 5.35 with above indirect expression >0x88 ubelong x \b, at 0x%x # rootfs data length and 1 space >0x8C ubelong x %u bytes # in 5.32 only true for offset ~< FILE_BYTES_MAX=9 MB defined in ../../src/file.h >(0x88.L) indirect x # 'qshs' for wr940nv1_en_3_13_7_up(111228).bin #>(0x88.L) string x \b, file system '%.4s' #>(0x88.L) ubequad x \b, file system 0x%llx # bootloader data offset >0x90 ubelong !0 \b, at 0x%x # bootloader data length only resonable if bootloader offset not null >>0x94 ubelong !0 %u bytes # pad[354] should be 354 null bytes. #>0x9E ubequad !0 \b, padding 0x%llx # But at 0x120 18 non null bytes in examples like # wr940nv4_eu_3_16_9_up_boot(160620).bin # wr940nv6_us_3_18_1_up_boot(171030).bin #>0x120 ubequad !0 \b, other padding 0x%llx |