DI-604 Flash Reverse Engineering
硬件:D-Link DI-604 (兩年前的塑膠殼新機) CPU: Conexant CX84200-11 的網路處理器 (ARM 9 CPU + 整合式網路晶片), RAM: Hynix HY57V643220, flash
ROM: MX 29LV800BTC
Flash image with firmaware version 2.10 flash.bin
Encoding: little
Flash memory map:
- 0x0000.0000 - 0x0002.0000 - bootloader (permanent) (used up to 0x1.39e0)
- 0x0000.0000 - 0x0000.1800 - initialisation code
- 0x0000.1800 - 0x0000.3000 - uncompression code (ARJ), copied to the 0x2030.0000 prior to execution
- 0x0000.3000 - 0x0001.0000 - ARJ compressed "factory setting" restoration image
- 0x0001.0000 - 0x0001.39e0 - text strings/ configuration data ???
- 0x0001.39e0 - 0x0002.0000 - empty space ??
- 0x0002.0000 - 0x0010.0000 - ARJ compressed firmware image - upgradable via HTTP or TFTP (current version is 2.10)
- 0x2000.0000 - SDRAM start
- 0x2038.0000 - 0x2039.477b
- 2038.3884 - ??
- 2038.3964 - ??
Firmware Format
Info from Chris Windibank, 01/Mar/04
The firmware file is always 917,504 (0xe0000) bytes in length, presumably because it's a 1MB flash and the bootloader, backup firmware and settings area is 131,072 (0x20000) which leaves exacly that amount!
It is checksummed by the attached code. They decided to xor all bytes together and check it against a know value. I'm not really an expert in checksums so I can't say if this is unusual or not but it's certainly not a mainstream algorithm.
The first part of the file is the actual firmware in ARJ format using the -m1 compression mode and the archive consists of a single file named NML.MEM. The unused area after the firmware is zeroed and finally a signature and checksum is attached at the end. The signature is constant and the checksum can be calculated by xoring all the bytes in the file minus the checksum area and then xoring the result with 0xaabbbbaa.
The attached file can be used to generate a valid flash binary. I am a WindowsXP user and it was tested with Visual Studio 6.0 but it only contains C standard library calls so it should compile fine with GCC. It's usage is as follows:
mkflash outfile - where outfile is the name of the output file (I use di604_firmware_ucl.bin)
It expects to find a file name NML.ARJ in the current directory (the first version took and input file but I got tired of typing it). I have been renaming zImage NML.MEM and then using the following to make the archive for mkflash.
arj32 a -m1 NML.ARJ NML.MEM
I'm not sure if the firmware checks to see if the arjed file in the archive is actually name NML.MEM but that is the way DLink does it so I did the same.
The bootloader expands the archived firmware sitting at 0x20000 in flash ROM to 0x20000000 in RAM. It then flips the RAM/ROM address spaces and jumps to address 0 which is the begginning of RAM after the flip.
At this point the router will start to execute zImage which is a compressed kernal and ramdisk. It should decompress the kernal and ramdisk and then jump to the entry point of the decompressed kernal. I chose to go with the compressed kernal because it's an easy way to get the ramdisk into memory from a single arjed archive. It may be better to try something different later when the kernal is actually working!
Bootloader decoding
| Address | Description | Calls | Called by |
| 0x0000 | Exceptions vectors. | Reset/IRQ | - |
| 0x0048 - 0x007c | Switch between 0 address from Flash mem to SDRAM. | - | 0x2E0 |
| 0x0080 - 0x0254 | Initialisation:
| 0x500 | 0x0000 |
| 0x0268 - 0x0268 | Endless loop | - | 0x324 |
| 0x026C - 0x028C | read input value of the GPIO[6] (CONFIG RESET TO FACTORY). return 1 if input 0; | - | 0x324 |
| 0x0290 - 0x02DC | XOR starting from start_addr(r0) for bytes(r1) length Return 0 if ==0xaabbbbaa else return -1 | - | 0x324 |
| 0x02E0 - 0x320 | memcpy(src,dst,len) | - | 0x324 |
| 0x0324 - 0x03D0 | check SRC of the main firware (0x2000)
check reset buttom
load uncompression code to SDRAM
if RESET load from 0x03000
if no RESET load from 0x20000
if uncompression return 1 - then switch memory and start from 0
| - | 0x0874 |
| 0x03D4 - 0x042c | UART | - | 0x46C |
| 0x0430 - 0x043c | Read UART0 flag register for "receive FIFO full" | - | 0x46C |
| 0x0440 - 0x0468 | - | - | 0x46C |
| 0x046c - 0x04dc | no direct call | - | call itself ?? |
| 0x04E0 - 0x04fc | no direct call!! | - | - |
| 0x0500 - 0x0870 | Calculates relocated addreses Clean mem region 0x20380000(0x1477B bytes) memcpy(0x11a9,0x1145,0x24) copy to flash???? call 0x0874 | indirect 0x0874 | 0x80 |
| 0x0874 - 0x09c0 | do nothing; call 0x324; call 0xA08; | 0x09c4 0x0e20 0x0db0 0x0324 0x0a08 | indirect call 0x0500 |
| 0x09C4 - 0x09E0 | void f_0x9c4()
{
f_0xebc(16,-1);
return;
} | - | 0x0874 |
| 0x09E4 - 0x0A04 | - | - | - |
| 0x0A08 - 0x0AC8 | - | - | - |
| 0xacc - 0xae4 | - | - | no direct call |
| 0xae8 - 0xd24 | memcpy(src,dst,len) | - | indirect call 0x500 |
| 0xd28 - 0xdac | memset(addres, char , len) - set memory region with a specific byte | - | indirect call 0x500 |
| 0x0db0 - | return 20383884; | - | indirect call 0xEDC |
| 0x0ebc - 0x0ed8 | *20383884 = r0; return -1; | - | 0x09c4 |
| 0x0edc - 0x0f20 | if(!f_0x00db0)
return 20383964;
else
return f_0x0db0(); // 20383884
| - | 0x0f24 |
| 0x0f24 - 0x0f44 | void f_0x0f24(word val){
{
word *addr;
addr = f_0x0edc();
if(addr!=0)
*addr = val;
return;
}
| - | 0x0ebc |
| 0x0f48 - | - | - | - |
| 0x1134 | indirect function call (call addr in IP register | IP defined address | multiple |
| 0x1138 | function to do nothing???? OR first parameter to itself and exit. What the big deal?? | - | 0x0ebc |
| - | - | - | - |
| 0x29C4 - 0x2F9C | last function | - | - |
indirectly called functions 0x4e0
0xacc - 0xae4
0xae8 - 0xd24
0xd28 - 0xdac
$Id: flash_mem.html,v 1.5 2004/03/14 11:07:16 bcabral Exp $
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
