summaryrefslogtreecommitdiffstats
path: root/doc/dumping
blob: f0441b53a81f6806400639b16995e39ca8c92db5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<b>Dumping the firmware</b>

This technique consists on reconstructing a firmware image dumping
pieces at certains offsets of the device internal memory.

<b></b>

<b>Technical details:</b>

 * The internal flash memory is exposed to the system as MTD devices.
 * Is possible to dump the individual sections of a flashed firmware.
 *
 * READ src/dump.c for detailed information.

   mtd0 - contains xloader and sencodary pieces of the bootloaders
          0x00000 - xloader.bin    (size is 0x03600)
          0x04000 - secondary.bin  (size is 0x15400)
          0x1FFFF - eof

   mtd1 - looks like there's a pool ConF structures

   mtd2 - starts with NOLO img\x5c\x13 and \x00 padding
          0x00800 - zImage

	  > NOLO is a four byte marker, next four bytes
	  > can vary since it is kernel image size

   mtd3 - initfs.jffs2 (2M) aka 0x200000 vs 0x3900000

   mtd4 - rootfs.jffs2 (a fucking copy of the above rootfs?)


// Extra notes //

[MTD] NAND Consolidate oobinfo handling

The info structure for out of band data was copied into
the mtd structure. Make it a pointer and remove the ability
to set it from userspace. The position of ecc bytes is
defined by the hardware and should not be changed by software.

// The oob stuff

In mtd3 the OOB data is 64 bytes aka 0x40, and this oob stuff
appears every 2KB aka 0x800 bytes.

/*
 * Obsolete legacy interface. Keep it in order not to break userspace
 * interfaces
 */
struct nand_oobinfo {
        uint32_t useecc;
        uint32_t eccbytes;
        uint32_t oobfree[8][2];
        uint32_t eccpos[32];
};