diff options
-rw-r--r-- | doc/dumping | 47 | ||||
-rw-r--r-- | src/console.c | 43 | ||||
-rw-r--r-- | src/dump.c | 265 | ||||
-rw-r--r-- | src/main.c | 7 | ||||
-rw-r--r-- | src/main.h | 1 |
5 files changed, 231 insertions, 132 deletions
diff --git a/doc/dumping b/doc/dumping index 3f22a82..f0441b5 100644 --- a/doc/dumping +++ b/doc/dumping @@ -3,25 +3,7 @@ This technique consists on reconstructing a firmware image dumping pieces at certains offsets of the device internal memory. - -<b>End user details:</b> - - * Extract the firmware pieces from a running device - * - * This functionality is useful to extract backups of your system - * firmware. This is really useful when you're on a desert island - * without an internet connection. - * - * This tool needs more testing, so take care and don't blame me if - * it breaks your system. It *is* to your responsability, use at - * your own risk - * - * NOTE: It's theorically possible to flash the device on the fly from - * the running OS, but this has not yet been tested. Keep tuned for - * updates and newz. - * - * Have fun! - +<b></b> <b>Technical details:</b> @@ -46,3 +28,30 @@ pieces at certains offsets of the device internal memory. mtd3 - initfs.jffs2 (2M) aka 0x200000 vs 0x3900000 mtd4 - rootfs.jffs2 (a fucking copy of the above rootfs?) + + +// Extra notes // + +[MTD] NAND Consolidate oobinfo handling + +The info structure for out of band data was copied into +the mtd structure. Make it a pointer and remove the ability +to set it from userspace. The position of ecc bytes is +defined by the hardware and should not be changed by software. + +// The oob stuff + +In mtd3 the OOB data is 64 bytes aka 0x40, and this oob stuff +appears every 2KB aka 0x800 bytes. + +/* + * Obsolete legacy interface. Keep it in order not to break userspace + * interfaces + */ +struct nand_oobinfo { + uint32_t useecc; + uint32_t eccbytes; + uint32_t oobfree[8][2]; + uint32_t eccpos[32]; +}; + diff --git a/src/console.c b/src/console.c index 977ffba..f0fbfb4 100644 --- a/src/console.c +++ b/src/console.c @@ -32,12 +32,13 @@ void cmd_exit(char *line) void cmd_help(char *line) { - printf("connect connects via usb to nolo\n"); - printf("info shows info of the remote system\n"); - printf("linfo shows info of the local system\n"); - printf("shell opens a shell (/bin/sh)\n"); - printf("dump [dir] dumps the contents of /dev/mtd to dir\n"); - printf("exit exits the shell\n"); + printf("connect connects via usb to nolo\n"); + printf("info shows info of the remote system\n"); + printf("linfo shows info of the local system\n"); + printf("shell opens a shell (/bin/sh)\n"); + printf("badblocks [dev] checks bad blocks on mtd (/dev/mtd1)\n"); + printf("dump [dir] dumps the contents of /dev/mtd to dir\n"); + printf("exit exits the shell\n"); fflush(stdout); } @@ -56,9 +57,20 @@ void cmd_dump(char *line) printf("Usage: dump [path]\n"); return; } + while(line[0]==' ') line = line +1; reverse_extract_pieces(line); } +void cmd_badblocks(char *line) +{ + if (!line[0]) { + printf("Usage: dump [path]\n"); + return; + } + while(line[0]==' ') line = line +1; + check_badblocks(line); +} + void cmd_connect(char *line) { connect_via_usb(); @@ -69,7 +81,7 @@ void cmd_shell(char *line) system("/bin/sh"); } -#define CMDS 8 +#define CMDS 9 #define IS_CMD(x) !strcmp(console_commands[i].name, x) #define CALL_CMD(x) console_commands[x].callback((char *)line) #define FOREACH_CMD(x) for(x=0;x<CMDS;x++) @@ -78,14 +90,15 @@ struct cmd_t { char *name; void (*callback)(char *); } console_commands[CMDS] = { - { .name = "exit", .callback = &cmd_exit }, - { .name = "q", .callback = &cmd_exit }, - { .name = "connect", .callback = &cmd_connect }, - { .name = "help", .callback = &cmd_help }, - { .name = "?", .callback = &cmd_help }, - { .name = "info", .callback = &cmd_info }, - { .name = "dump", .callback = &cmd_dump }, - { .name = "shell", .callback = &cmd_shell } + { .name = "exit", .callback = &cmd_exit }, + { .name = "q", .callback = &cmd_exit }, + { .name = "connect", .callback = &cmd_connect }, + { .name = "badblocks", .callback = &cmd_badblocks}, + { .name = "help", .callback = &cmd_help }, + { .name = "?", .callback = &cmd_help }, + { .name = "info", .callback = &cmd_info }, + { .name = "dump", .callback = &cmd_dump }, + { .name = "shell", .callback = &cmd_shell } }; static int console_command(const char *line) @@ -19,6 +19,7 @@ */ #include "main.h" +#include "hexdump.h" #include <usb.h> #include <stdio.h> #include <stdlib.h> @@ -85,68 +86,191 @@ __rf_extract_exit: #include <asm/types.h> #include <mtd/mtd-user.h> +#define M_RDONLY 0x00000001 +#define M_RDRW 0x00000002 +#define M_OMITOOB 0x00000010 +#define M_OMITBAD 0x00000011 +#define M_OMITECC 0x00000012 + +int mtd_open(char *file, mtd_info_t *meminfo, int *oobinfochanged, + struct nand_oobinfo *old_oobinfo, int *eccstats, int flags) +{ + int fd; + *oobinfochanged = 0 ; + + fd = open(file, (flags&M_RDONLY)?O_RDONLY:O_RDWR); + if (fd == -1) { + perror("mtd_open"); + return -1; + } + /* Fill in MTD device capability structure */ + if (ioctl(fd, MEMGETINFO, meminfo) != 0) { + perror("MEMGETINFO"); + close(fd); + return 1; + } + + /* Make sure device page sizes are valid */ + if (!(meminfo->oobsize == 64 && meminfo->writesize == 2048) && + !(meminfo->oobsize == 16 && meminfo->writesize == 512) && + !(meminfo->oobsize == 8 && meminfo->writesize == 256)) { + fprintf(stderr, "Unknown flash (not normal NAND)\n"); + close(fd); + return -1; + } + + + return fd; +} + +int mtd_close(int fd, struct nand_oobinfo *old_oobinfo, int oobinfochanged) +{ + /* reset oobinfo */ + if (oobinfochanged == 1) { + if (ioctl (fd, MEMSETOOBSEL, &old_oobinfo) != 0) { + perror ("MEMSETOOBSEL"); + close(fd); + return 1; + } + } + /* Close the output file and MTD device */ + return close(fd); +} + // configuration for nanddump // -int ignoreerrors = 1; // ignore errors -int pretty_print = 0; // print nice in ascii -int noecc = 0; // don't error correct +//int noecc = 0; // don't error correct int omitoob = 1; // omit oob data int omitbad = 1; // configuration for nanddump // +#define CONFIGURE_FLAGS(x) \ +omitoob = x & M_OMITOOB; \ +omitbad = x & M_OMITBAD; + +int check_badblocks(char *mtddev) +{ + int fd; + int oobinfochanged = 0 ; + int badblock = 0; + int badblocks = 1; + int eccstats = 0; + unsigned long int i; + unsigned long long blockstart = 1; + unsigned char oobbuf[64]; + struct nand_oobinfo old_oobinfo; + struct mtd_oob_buf oob = {0, 16, oobbuf}; + struct mtd_ecc_stats stat1, stat2; + mtd_info_t meminfo; + + fd = mtd_open(mtddev, &meminfo, &oobinfochanged, &old_oobinfo, &eccstats, M_RDONLY); + + fprintf(stderr, "Block size %u, page size %u, OOB size %u\n", + meminfo.erasesize, meminfo.writesize, meminfo.oobsize); + fprintf(stderr, "Size %u, flags %u, type 0x%x\n", + meminfo.size, meminfo.flags, (int)meminfo.type); + + oob.length = meminfo.oobsize; + for(i = 0; i < meminfo.size; i+= meminfo.writesize) { + + // new eraseblock , check for bad block + if (blockstart != (i & (~meminfo.erasesize + 1))) { + blockstart = i & (~meminfo.erasesize + 1); + if ((badblock = ioctl(fd, MEMGETBADBLOCK, &blockstart)) < 0) { + perror("ioctl(MEMGETBADBLOCK)"); + goto closeall; + } + } + + if (badblock) { + if (omitbad) { + printf("Bad block found at 0x%lx\n", i); + continue; + } + } else { + char readbuf[2048]; // XXX hardcoded like mtd-utils?? ugly! + // dummy -- should be removed + if (pread(fd, readbuf, meminfo.writesize, i) != meminfo.writesize) { + perror("pread"); + goto closeall; + } + } + + /* ECC stats available ? */ + if (eccstats) { + if (ioctl(fd, ECCGETSTATS, &stat2)) { + perror("ioctl(ECCGETSTATS)"); + goto closeall; + } + if (stat1.failed != stat2.failed) + fprintf(stderr, "ECC: %d uncorrectable bitflip(s)" + " at offset 0x%08lx\n", + stat2.failed - stat1.failed, i); + if (stat1.corrected != stat2.corrected) + fprintf(stderr, "ECC: %d corrected bitflip(s) at" + " offset 0x%08lx\n", + stat2.corrected - stat1.corrected, i); + stat1 = stat2; + } + + if (badblock) { + printf("Oops badblock %d at 0x%lx !\n", badblocks++, i); + } else { + /* Read OOB data and exit on failure */ + oob.start = i; + if (ioctl(fd, MEMREADOOB, &oob) != 0) { + perror("ioctl(MEMREADOOB)"); + goto closeall; + } + } + + /* Write out OOB data */ + if (badblock) + D dump_bytes(oobbuf, meminfo.oobsize); + } + + mtd_close(fd, &old_oobinfo, oobinfochanged); + return 0; + +closeall: + mtd_close(fd, &old_oobinfo, oobinfochanged); + return 1; +} + int nanddump(char *mtddev, unsigned long start_addr, unsigned long length, char *dumpfile) { unsigned char readbuf[2048]; + int oobinfochanged = 0 ; unsigned char oobbuf[64]; + unsigned long ofs, end_addr = 0; + unsigned long long blockstart = 1; struct nand_oobinfo none_oobinfo = { .useecc = MTD_NANDECC_OFF, }; - unsigned long ofs, end_addr = 0; - unsigned long long blockstart = 1; - int i, fd, ofd, bs, badblock = 0; + int fd, ofd, bs, badblock = 0; struct mtd_oob_buf oob = {0, 16, oobbuf}; mtd_info_t meminfo; - char pretty_buf[80]; - int oobinfochanged = 0 ; int badblocks = 1; struct nand_oobinfo old_oobinfo; - struct mtd_ecc_stats stat1, stat2; int eccstats = 0; + struct mtd_ecc_stats stat1, stat2; + int flags = M_RDONLY; printf("\nExtracting %s from %s...\n", dumpfile, mtddev); - /* Open MTD device */ - if ((fd = open(mtddev, O_RDONLY)) == -1) { - perror("open flash"); - return 1; - } - - /* Fill in MTD device capability structure */ - if (ioctl(fd, MEMGETINFO, &meminfo) != 0) { - perror("MEMGETINFO"); - close(fd); - return 1; - } + fd = mtd_open(mtddev, &meminfo, &oobinfochanged, &old_oobinfo, &eccstats, flags); - /* Make sure device page sizes are valid */ - if (!(meminfo.oobsize == 64 && meminfo.writesize == 2048) && - !(meminfo.oobsize == 16 && meminfo.writesize == 512) && - !(meminfo.oobsize == 8 && meminfo.writesize == 256)) { - fprintf(stderr, "Unknown flash (not normal NAND)\n"); - close(fd); - return 1; - } /* Read the real oob length */ oob.length = meminfo.oobsize; - if (noecc) { + if (flags & M_OMITECC) { // (noecc) switch (ioctl(fd, MTDFILEMODE, (void *) MTD_MODE_RAW)) { case -ENOTTY: - if (ioctl (fd, MEMGETOOBSEL, &old_oobinfo) != 0) { + if (ioctl (fd, MEMGETOOBSEL, old_oobinfo) != 0) { perror ("MEMGETOOBSEL"); close (fd); exit (1); } - if (ioctl (fd, MEMSETOOBSEL, &none_oobinfo) != 0) { + if (ioctl (fd, MEMSETOOBSEL, none_oobinfo) != 0) { perror ("MEMSETOOBSEL"); close (fd); exit (1); @@ -193,8 +317,11 @@ int nanddump(char *mtddev, unsigned long start_addr, unsigned long length, char bs = meminfo.writesize; /* Print informative message */ - fprintf(stderr, "Block size %u, page size %u, OOB size %u\n", - meminfo.erasesize, meminfo.writesize, meminfo.oobsize); + fprintf(stderr, "Block size %u, page size %u, OOB size %u\n", + meminfo.erasesize, meminfo.writesize, meminfo.oobsize); + fprintf(stderr, "Size %u, flags %u, type 0x%x\n", + meminfo.size, meminfo.flags, (int)meminfo.type); + fprintf(stderr, "Dumping data starting at 0x%08x and ending at 0x%08x...\n", (unsigned int) start_addr, (unsigned int) end_addr); @@ -225,6 +352,7 @@ int nanddump(char *mtddev, unsigned long start_addr, unsigned long length, char } } + // TODO exist on n800??? // remove code? /* ECC stats available ? */ if (eccstats) { if (ioctl(fd, ECCGETSTATS, &stat2)) { @@ -243,25 +371,8 @@ int nanddump(char *mtddev, unsigned long start_addr, unsigned long length, char } /* Write out page data */ - if (pretty_print) { - for (i = 0; i < bs; i += 16) { - sprintf(pretty_buf, - "0x%08x: %02x %02x %02x %02x %02x %02x %02x " - "%02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - (unsigned int) (ofs + i), readbuf[i], - readbuf[i+1], readbuf[i+2], - readbuf[i+3], readbuf[i+4], - readbuf[i+5], readbuf[i+6], - readbuf[i+7], readbuf[i+8], - readbuf[i+9], readbuf[i+10], - readbuf[i+11], readbuf[i+12], - readbuf[i+13], readbuf[i+14], - readbuf[i+15]); - write(ofd, pretty_buf, 60); - } - } else - write(ofd, readbuf, bs); - + //if (pretty_print) dump_bytes(readbuf, bs); + write(ofd, readbuf, bs); if (badblock) { printf("Oops badblock %d at 0x%lx !\n", badblocks++, ofs); @@ -279,56 +390,17 @@ int nanddump(char *mtddev, unsigned long start_addr, unsigned long length, char continue; /* Write out OOB data */ - if (pretty_print) { - if (meminfo.oobsize < 16) { - sprintf(pretty_buf, " OOB Data: %02x %02x %02x %02x %02x %02x " - "%02x %02x\n", - oobbuf[0], oobbuf[1], oobbuf[2], - oobbuf[3], oobbuf[4], oobbuf[5], - oobbuf[6], oobbuf[7]); - write(ofd, pretty_buf, 48); - continue; - } - - for (i = 0; i < meminfo.oobsize; i += 16) { - sprintf(pretty_buf, " OOB Data: %02x %02x %02x %02x %02x %02x " - "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x\n", - oobbuf[i], oobbuf[i+1], oobbuf[i+2], - oobbuf[i+3], oobbuf[i+4], oobbuf[i+5], - oobbuf[i+6], oobbuf[i+7], oobbuf[i+8], - oobbuf[i+9], oobbuf[i+10], oobbuf[i+11], - oobbuf[i+12], oobbuf[i+13], oobbuf[i+14], - oobbuf[i+15]); - write(ofd, pretty_buf, 60); - } - } else - write(ofd, oobbuf, meminfo.oobsize); + D dump_bytes(oobbuf, meminfo.oobsize); + write(ofd, oobbuf, meminfo.oobsize); } - /* reset oobinfo */ - if (oobinfochanged == 1) { - if (ioctl (fd, MEMSETOOBSEL, &old_oobinfo) != 0) { - perror ("MEMSETOOBSEL"); - close(fd); - close(ofd); - return 1; - } - } - /* Close the output file and MTD device */ - close(fd); + mtd_close(fd, &old_oobinfo, oobinfochanged); close(ofd); - /* Exit happy */ return 0; closeall: - /* The new mode change is per file descriptor ! */ - if (oobinfochanged == 1) { - if (ioctl (fd, MEMSETOOBSEL, &old_oobinfo) != 0) { - perror ("MEMSETOOBSEL"); - } - } - close(fd); + mtd_close(fd, &old_oobinfo, oobinfochanged); close(ofd); return 1; } @@ -423,6 +495,7 @@ int reverse_extract_pieces(char *dir) printf("%s: secondary.bin\n", fpid_file("secondary.bin")); printf("%s: zImage\n", fpid_file("zImage")); printf("%s: initfs.jffs2\n", fpid_file("initfs.jffs2")); + printf("%s: rootfs.jffs2\n", fpid_file("rootfs.jffs2")); return 1; } @@ -84,6 +84,7 @@ void show_usage() printf(" -u [fiasco] unpack target fiasco image\n"); printf(" -U [0|1] disable/enable the usb host mode\n"); printf(" -s [serial] serial port console (minicom like terminal)\n"); + printf(" -C [/dev/mtd] check bad blocks on mtd\n"); printf(" -c console prompt mode\n"); printf(" -h show this help message\n"); printf(" -i show device information (let standby mode)\n"); @@ -151,7 +152,7 @@ int main(int argc, char **argv) { int c; - while((c = getopt(argc, argv, "cp:vVhRu:ib:U:r:e:ld:I:D:f:s:")) != -1) { + while((c = getopt(argc, argv, "C:cp:vVhRu:ib:U:r:e:ld:I:D:f:s:")) != -1) { switch(c) { case 'c': return console_prompt(); @@ -203,6 +204,8 @@ int main(int argc, char **argv) printf("%s: %s\n", fpid_file(optarg), optarg); identify = 1; break; + case 'C': + return check_badblocks(optarg); case 'i': info = 1; break; @@ -238,7 +241,7 @@ int main(int argc, char **argv) { printf("Usage: 0xFFFF [-hvVRi] [-e path] [-U 0|1] [-p [piece%%]file [-p ...]]\n"); printf(" [-b boot-args] [-I piece [-I ...]] [-u fiasco-image]\n"); - printf(" [-D 0|1|2] [-F rd flags] [-s serial-dev] [-c]\n"); + printf(" [-D 0|1|2] [-F rd flags] [-s serial-dev] [-c] [-C mtd-dev]\n"); return 1; } @@ -29,6 +29,7 @@ int console_prompt(); // void cmd_info(char *line); +int check_badblocks(char *mtddev); extern int verbose; #define D if (verbose) |