<b>Dumping the firmware</b>
This technique consists of reconstructing a firmware image by dumping
pieces at certain offsets of the device's internal memory.
<b>Technical details:</b>
* The internal flash memory is exposed to the system as MTD devices.
* It is possible to dump the individual sections of a flashed firmware.
* READ src/dump.c for detailed information.
mtd0 - contains xloader and secondary pieces of the bootloaders
0x00000 - xloader.bin (size is 0x03600)
0x04000 - secondary.bin (size is 0x15400)
0x1FFFF - eof
mtd1 - looks like there's a pool of ConF structures
mtd2 - starts with NOLO img\x5c\x13 and \x00 padding
0x00800 - zImage
> NOLO is a four byte marker, next four bytes
> can vary since it is kernel image size
mtd3 - initfs.jffs2 (2M) aka 0x200000 vs 0x3900000
mtd4 - rootfs.jffs2 (a fucking copy of the above rootfs?)
// Extra notes //
[MTD] NAND Consolidate oobinfo handling
The info structure for out of band data was copied into
the mtd structure. Make it a pointer and remove the ability
to set it from userspace. The position of ecc bytes is
defined by the hardware and should not be changed by software.
// The oob stuff
In mtd3 the OOB data is 64 bytes aka 0x40, and this oob stuff
appears every 2KB aka 0x800 bytes.
/*
 * Obsolete legacy interface. Keep it in order not to break userspace
 * interfaces
 */
struct nand_oobinfo {
	uint32_t useecc;
	uint32_t eccbytes;
	uint32_t oobfree[8][2];
	uint32_t eccpos[32];
};
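Added example (not part of the original notes or of src/dump.c): stripping the 0x40-byte OOB areas from a raw mtd3 dump so that only the 0x800-byte data pages remain. It assumes each page's OOB directly follows its data in the dump; strip_oob, looks_like_jffs2 and make_sample are hypothetical names, and the sample buffer is constructed, not device data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAND_PAGE  0x800u               /* data bytes per page (from the notes) */
#define NAND_OOB   0x40u                /* OOB bytes per page (from the notes) */
#define RAW_STRIDE (NAND_PAGE + NAND_OOB)

/* Assumed raw layout: [0x800 data][0x40 OOB] per page. Returns the data bytes
 * copied to out, or -1 for a partial raw page or a too-small out buffer. */
long strip_oob(const uint8_t *raw, size_t raw_len, uint8_t *out, size_t out_cap)
{
    if (raw_len == 0 || raw_len % RAW_STRIDE != 0)
        return -1;                      /* truncated, or not a data+OOB dump */
    size_t pages = raw_len / RAW_STRIDE;
    if (pages > out_cap / NAND_PAGE)
        return -1;                      /* refuse to overflow the output buffer */
    for (size_t i = 0; i < pages; i++)
        memcpy(out + i * NAND_PAGE, raw + i * RAW_STRIDE, NAND_PAGE);
    return (long)(pages * NAND_PAGE);
}

/* JFFS2 nodes start with the magic 0x1985; accept either byte order. */
int looks_like_jffs2(const uint8_t *img, size_t len)
{
    return len >= 2 && ((img[0] == 0x85 && img[1] == 0x19) ||
                        (img[0] == 0x19 && img[1] == 0x85));
}

/* Constructed sample: page i starts with a JFFS2 magic, then bytes of value
 * i+1, followed by an erased (0xFF) OOB area. Not real device data. */
void make_sample(uint8_t *raw, size_t pages)
{
    for (size_t i = 0; i < pages; i++) {
        uint8_t *p = raw + i * RAW_STRIDE;
        memset(p, (int)(i + 1), NAND_PAGE);
        p[0] = 0x85; p[1] = 0x19;
        memset(p + NAND_PAGE, 0xFF, NAND_OOB);
    }
}

int main(void)
{
    static uint8_t raw[2 * RAW_STRIDE], img[2 * NAND_PAGE];
    make_sample(raw, 2);
    long n = strip_oob(raw, sizeof raw, img, sizeof img);
    printf("stripped %ld bytes, jffs2=%d\n", n, n > 0 && looks_like_jffs2(img, (size_t)n));
    return 0;
}
```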