├── qemu-run
│   ├── .gitignore
│   ├── gen-breakpoints.sh
│   ├── gdbrun.sh
│   ├── set-nandsim.sh
│   ├── qr
│   ├── cm.gdb
│   └── sv.gdb
├── .gitignore
├── ext-tree
│   ├── Config.in
│   ├── external.mk
│   ├── board
│   │   └── dvaemu
│   │       ├── overlay
│   │       │   └── etc
│   │       │       └── profile.d
│   │       │           └── set-prompt.sh
│   │       ├── post-build.sh
│   │       └── kernel-defconfig
│   ├── external.desc
│   ├── package
│   │   └── klish
│   │       ├── Config.in
│   │       ├── klish.mk
│   │       └── 0001-klish-help-param-optional.patch
│   ├── patches
│   │   └── linux
│   │       ├── 0002-module.h-remove-p2v8-from-module-id-string.patch
│   │       ├── 0006-jffs2_make_lzma_high_priority.patch
│   │       └── 0005-jffs2_eofdetect.patch
│   └── configs
│       ├── dvaemu-emu_arm_vexpress_defconfig
│       └── uClibc-0.9.33.config
├── docker
│   ├── dockbuild.sh
│   ├── startup.sh
│   ├── dockrun.sh
│   └── Dockerfile
├── pub-key
│   ├── .gitignore
│   ├── mysig_verify.sh
│   ├── pubkey-def.asn1
│   └── pubkey-gen.sh
├── misc
│   ├── router-console-upgrade.log
│   └── router-console-boot.log
├── 001-buildroot-2014-02-fix-bzip2url.patch
├── set-aliases
├── set-env.sh
├── LICENSE
├── brmake
├── br-armv7-config.sh
└── README.md

/qemu-run/.gitignore:
--------------------------------------------------------------------------------
*.bin
*.xml
*~
*.orig

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*.bin
*.xml
*~
*.orig
push-to-brtst.sh

--------------------------------------------------------------------------------
/ext-tree/Config.in:
--------------------------------------------------------------------------------
source "$BR2_EXTERNAL/package/klish/Config.in"

--------------------------------------------------------------------------------
/ext-tree/external.mk:
--------------------------------------------------------------------------------
include $(sort $(wildcard $(BR2_EXTERNAL)/package/*/*.mk))
--------------------------------------------------------------------------------
/docker/dockbuild.sh:
--------------------------------------------------------------------------------
#!/bin/sh
docker build -t="digiampietro/buildroot-armv7" .

--------------------------------------------------------------------------------
/ext-tree/board/dvaemu/overlay/etc/profile.d/set-prompt.sh:
--------------------------------------------------------------------------------
#!/bin/sh
export PS1='\u@\h:\w\$ '

--------------------------------------------------------------------------------
/ext-tree/external.desc:
--------------------------------------------------------------------------------
name: DVAEMU
desc: D-Link DVA 5592 very limited emulation environment

--------------------------------------------------------------------------------
/pub-key/.gitignore:
--------------------------------------------------------------------------------
*.bin
*.xml
*~
*.orig
*.out
pubkey.der
pubkey.pem

--------------------------------------------------------------------------------
/misc/router-console-upgrade.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/digiampietro/buildroot-armv7/HEAD/misc/router-console-upgrade.log

--------------------------------------------------------------------------------
/ext-tree/package/klish/Config.in:
--------------------------------------------------------------------------------
config BR2_PACKAGE_KLISH
	bool "klish"
	depends on BR2_PACKAGE_LIBROXML || BR2_PACKAGE_LIBXML2 || BR2_PACKAGE_EXPAT
	help
	  The klish is a framework for implementing a CISCO-like CLI on UNIX systems.
	  It is configurable by XML files.

	  http://klish.libcode.org

--------------------------------------------------------------------------------
/qemu-run/gen-breakpoints.sh:
--------------------------------------------------------------------------------
#!/bin/bash
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $MYDIR/../set-env.sh > /dev/null

# print a gdb "break" command for every undefined (imported) function
# listed in the dynamic symbol table of the ELF file given as $1
echo "set breakpoint pending on"
for i in `$TOOLBIN/arm-linux-readelf --sym -D $1 \
          |grep FUNC \
          |grep UND \
          |awk '{print $9}'`
do echo break $i
done

--------------------------------------------------------------------------------
/qemu-run/gdbrun.sh:
--------------------------------------------------------------------------------
#!/bin/bash
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $MYDIR/../set-env.sh > /dev/null

#cd $TOOLBIN
$TOOLBIN/arm-linux-gdb --ex="target remote :9000" \
                       --ex="set sysroot $SYSROOT" \
                       --ex="directory $MYDIR" \
                       --ex="directory $TOOLBIN" \
                       $*

--------------------------------------------------------------------------------
/ext-tree/patches/linux/0002-module.h-remove-p2v8-from-module-id-string.patch:
--------------------------------------------------------------------------------
1 | --- a/arch/arm/include/asm/module.h.orig 2018-07-16 08:53:43.653548106 +0200 2 | +++ b/arch/arm/include/asm/module.h 2018-07-16 08:54:15.617549634 +0200 3 | 
@@ -31,7 +31,7 @@ 4 | 5 | /* Add __virt_to_phys patching state as well */ 6 | #ifdef CONFIG_ARM_PATCH_PHYS_VIRT 7 | -#define MODULE_ARCH_VERMAGIC_P2V "p2v8 " 8 | +#define MODULE_ARCH_VERMAGIC_P2V "" 9 | #else 10 | #define MODULE_ARCH_VERMAGIC_P2V "" 11 | #endif 12 | 
--------------------------------------------------------------------------------
/pub-key/mysig_verify.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Verify the signature appended to a firmware file against pubkey.pem.
# The last 256 bytes of the file are the signature, everything before
# them is the signed data.
TMPDATA=$(mktemp /tmp/data-XXXX.tmp)
TMPSIG=$(mktemp /tmp/sig-XXXX.tmp)
FIRMFILE=$1
FIRMFULLSIZE=`wc -c < "$FIRMFILE"`
FIRMDATASIZE=$(($FIRMFULLSIZE - 256))

#echo "full size: $FIRMFULLSIZE"
#echo "data size: $FIRMDATASIZE"

# split the file into signed data and detached signature
cp "$FIRMFILE" $TMPDATA
truncate -s $FIRMDATASIZE $TMPDATA
dd if="$FIRMFILE" bs=1 skip=$FIRMDATASIZE of=$TMPSIG 2>/dev/null

openssl dgst -sha1 -verify pubkey.pem -signature $TMPSIG $TMPDATA
RET=$?
rm $TMPSIG $TMPDATA
# exit with the result of the verification, not the result of rm
exit $RET

--------------------------------------------------------------------------------
/ext-tree/patches/linux/0006-jffs2_make_lzma_high_priority.patch:
--------------------------------------------------------------------------------
1 | diff -ruN a/fs/jffs2/compr.h b/fs/jffs2/compr.h 2 | --- a/fs/jffs2/compr.h 2018-07-31 16:21:27.608789305 +0200 3 | +++ b/fs/jffs2/compr.h 2018-07-31 16:22:36.028792576 +0200 4 | 
@@ -29,7 +29,7 @@ 5 | #define JFFS2_DYNRUBIN_PRIORITY 20 6 | #define JFFS2_LZARI_PRIORITY 30 7 | #define JFFS2_RTIME_PRIORITY 50 8 | -#define JFFS2_LZMA_PRIORITY 70 9 | +#define JFFS2_LZMA_PRIORITY 95 10 | #define JFFS2_ZLIB_PRIORITY 80 11 | #define JFFS2_LZO_PRIORITY 90 12 | 13 | 
--------------------------------------------------------------------------------
/docker/startup.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# add current user and user's primary group
#
groupadd -g $GGID $GGROUP
useradd -u $GUID -s $GSHELL -c $GUSERNAME -g $GGID -M -d $GHOME $GUSERNAME
usermod -a -G sudo $GUSERNAME
echo $GUSERNAME:docker | chpasswd
if [ "$GRUNXTERM" = "1" ]
then
    # become the current user and start a shell
    su -l -c lxterminal $GUSERNAME
    # another root shell
    lxterminal
else
    # become the current user and start a shell
    su -l $GUSERNAME
    # another root shell
    /bin/bash
fi

--------------------------------------------------------------------------------
/001-buildroot-2014-02-fix-bzip2url.patch:
--------------------------------------------------------------------------------
1 | diff -uNr a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk 2 | --- a/package/bzip2/bzip2.mk 2014-02-27 21:51:23.000000000 +0100 3 | +++ b/package/bzip2/bzip2.mk 2018-09-24 16:03:14.480558086 +0200 4 | 
@@ -5,7 +5,8 @@ 5 | ################################################################################ 6 | 7 | BZIP2_VERSION = 1.0.6 8 | -BZIP2_SITE = http://www.bzip.org/$(BZIP2_VERSION) 9 | +#BZIP2_SITE = http://www.bzip.org/$(BZIP2_VERSION) 10 | +BZIP2_SITE = https://fossies.org/linux/misc 11 | BZIP2_INSTALL_STAGING = YES 12 | BZIP2_LICENSE = bzip2 license 13 | BZIP2_LICENSE_FILES = LICENSE 14 | 
--------------------------------------------------------------------------------
/pub-key/pubkey-def.asn1:
--------------------------------------------------------------------------------
# ref: https://stackoverflow.com/questions/11541192/creating-a-rsa-public-key-from-its-modulus-and-exponent
# Start with a SEQUENCE
asn1=SEQUENCE:pubkeyinfo

# pubkeyinfo contains an algorithm identifier and the public key wrapped
# in a BIT STRING
[pubkeyinfo]
algorithm=SEQUENCE:rsa_alg
pubkey=BITWRAP,SEQUENCE:rsapubkey

# algorithm ID for RSA is just an OID and a NULL
[rsa_alg]
algorithm=OID:rsaEncryption
parameter=NULL

# Actual public key: modulus and exponent
[rsapubkey]
n=INTEGER:0x%%MODULUS%%

e=INTEGER:0x%%EXPONENT%%

--------------------------------------------------------------------------------
/qemu-run/set-nandsim.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# the following line simulates a NAND Flash with 256 MBytes, 2048 bytes per page, 128Kb erasesize
# 7 partitions are created, as in the DVA 5592 router, with the size described below
#
modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15 parts=1,16,982,998,16,2,16
#
flash_erase /dev/mtd1 0 1     # 128K CFE
flash_erase /dev/mtd2 0 16    # 2M bootfs_1
flash_erase /dev/mtd3 0 982   # 122M rootfs_1
flash_erase /dev/mtd4 0 998   # 124M upgrade
flash_erase /dev/mtd5 0 16    # 2M conf_fs
flash_erase /dev/mtd6 0 2     # 256K conf_factory
flash_erase /dev/mtd7 0 16    # 2M bbt

--------------------------------------------------------------------------------
/set-aliases:
--------------------------------------------------------------------------------
#!/bin/bash

function pathmunge () {
    if ! echo "$PATH" | /bin/grep -Eq "(^|:)$1($|:)" ; then
        if [ "$2" = "after" ] ; then
            PATH="$PATH:$1"
        else
            PATH="$1:$PATH"
        fi
    fi
}

export DVAEMUDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $DVAEMUDIR/set-env.sh > /dev/null

pathmunge $BRDIR/output/host/usr/bin after

alias cdbr="cd $DVAEMUDIR"              # Build Root custom folder
alias cdqr="cd $DVAEMUDIR/qemu-run"     # Qemu Run folder
alias cdjr="cd $DVAROOT"                # Jffs2 Root file system
alias cdeb="cd $BR2EXT/board/dvaemu"    # External tree Board folder

--------------------------------------------------------------------------------
/set-env.sh:
--------------------------------------------------------------------------------
#!/bin/bash
export DVAEMUDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export DVAEMUPARENT="$( cd $DVAEMUDIR/.. && pwd )"
export BR2EXT="$DVAEMUDIR/ext-tree"
export BRDIR="$( cd $DVAEMUDIR/../buildroot-2* && pwd )"
export BRIMAGES=$BRDIR/output/images
export DVAFIRM=$DVAEMUPARENT/firmware
export DVAROOT=$DVAFIRM/root
export SYSROOT=$BRDIR/output/target
export TOOLBIN=$BRDIR/output/host/usr/bin

echo "DVAEMUDIR: $DVAEMUDIR"
echo "DVAEMUPARENT: $DVAEMUPARENT"
echo "BR2EXT: $BR2EXT"
echo "BRDIR: $BRDIR"
echo "BRIMAGES: $BRIMAGES"
echo "DVAFIRM: $DVAFIRM"
echo "DVAROOT: $DVAROOT"
echo "SYSROOT: $SYSROOT"
echo "TOOLBIN: $TOOLBIN"

--------------------------------------------------------------------------------
/ext-tree/package/klish/klish.mk:
--------------------------------------------------------------------------------
#############################################################
#
# klish
# http://libcode.org/attachments/52/klish-2.0.2.tar.xz
# http://libcode.org/attachments/download/52/klish-2.0.2.tar.xz
#############################################################

KLISH_VERSION = 2.0.2
KLISH_SOURCE = klish-$(KLISH_VERSION).tar.xz
KLISH_SITE = http://libcode.org/attachments/download/52

KLISH_DEPENDENCIES =
KLISH_CONF_OPT = --disable-gpl --without-tcl

ifeq ($(BR2_PACKAGE_LIBROXML),y)
KLISH_DEPENDENCIES += libroxml
KLISH_CONF_OPT += --with-libroxml
endif

ifeq ($(BR2_PACKAGE_LIBXML2),y)
KLISH_DEPENDENCIES += libxml2
KLISH_CONF_OPT += --with-libxml2
endif

ifeq ($(BR2_PACKAGE_EXPAT),y)
KLISH_DEPENDENCIES += expat
KLISH_CONF_OPT += --with-libexpat
endif

$(eval $(autotools-package))

--------------------------------------------------------------------------------
/qemu-run/qr:
--------------------------------------------------------------------------------
#!/bin/bash
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $MYDIR/../set-env.sh
cd $MYDIR
export QEMU_AUDIO_DRV="none"
qemu-system-arm -M vexpress-a9 \
                -cpu cortex-a9 \
                -m 1024 \
                -nographic \
                -kernel $BRIMAGES/zImage \
                -drive file=$BRIMAGES/rootfs.ext2,index=0,media=disk,format=raw,if=sd \
                -dtb $BRIMAGES/vexpress-v2p-ca9.dtb \
                -net nic \
                -net user,hostfwd=tcp::2222-:22,hostfwd=tcp::9000-:9000 \
                -append "rw console=ttyAMA0 console=tty root=/dev/mmcblk0"

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Valerio Di Giampietro

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
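
Review bot: In ext-tree/patches/linux/0002-module.h-remove-p2v8-from-module-id-string.patch (hunk @@ -31,7 +31,7 @@), the changed line leaves both branches of `#ifdef CONFIG_ARM_PATCH_PHYS_VIRT` defining MODULE_ARCH_VERMAGIC_P2V as "", so the conditional is now dead code and the module id string no longer records whether the kernel was built with phys-to-virt patching. The patch carries no description; add a comment above the define saying why "p2v8 " has to be dropped for this kernel, or collapse the #ifdef/#else into a single define so the intent is explicit.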
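
Review bot: In ext-tree/patches/linux/0006-jffs2_make_lzma_high_priority.patch (hunk @@ -29,7 +29,7 @@), raising JFFS2_LZMA_PRIORITY from 70 to 95 puts it above JFFS2_LZO_PRIORITY (90) and JFFS2_ZLIB_PRIORITY (80) but leaves the define in its old position, so the list no longer reads in priority order. Move the line below JFFS2_LZO_PRIORITY and add a comment stating why LZMA has to outrank the other compressors, since the patch has no description.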
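
Review bot: In 001-buildroot-2014-02-fix-bzip2url.patch (hunk @@ -5,7 +5,8 @@), the new `BZIP2_SITE = https://fossies.org/linux/misc` points the build at a different host and nothing in the hunk pins the content of the tarball fetched from it, so the build accepts whatever archive that URL serves. Record the expected checksum of the bzip2 1.0.6 tarball next to this change, the way br-armv7-config.sh does with sha1sum for its own downloads, and drop the commented-out `#BZIP2_SITE` line, since the diff already records the previous value.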
--------------------------------------------------------------------------------
/pub-key/pubkey-gen.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Generate a pem file based on the following inputs
# 1. asn1 definition file
# 2. binary file with Multi Precision Integer modulus
# 3. binary file with Multi Precision Integer exponent
# Output files:
# pubkey.der (in DER format)
# pubkey.pem (in PEM format)
#
ASN=$1
MOD=$2
EXP=$3

if [ "$ASN" == "" ]
then
    echo "Missing argument files"
    exit 1
fi


if [ ! -e $ASN ]
then
    echo "$ASN not found"
    exit 1
fi

if [ ! -e $MOD ]
then
    echo "$MOD not found"
    exit 1
fi

# check the exponent file (the original tested $MOD a second time)
if [ ! -e $EXP ]
then
    echo "$EXP not found"
    exit 1
fi

MODSIZE=`wc -c < $MOD`
EXPSIZE=`wc -c < $EXP`
echo modsize: $MODSIZE
echo expsize: $EXPSIZE

# generate ASN file

cat $ASN | sed "s/%%MODULUS%%/$(xxd -ps -c $MODSIZE $MOD)/" \
         | sed "s/%%EXPONENT%%/$(xxd -ps -c $EXPSIZE $EXP)/" \
         > $ASN.out

openssl asn1parse -genconf $ASN.out -out pubkey.der -noout
openssl rsa -in pubkey.der -inform der -pubin -out pubkey.pem

--------------------------------------------------------------------------------
/docker/dockrun.sh:
--------------------------------------------------------------------------------
#!/bin/sh

export GDISPLAY=unix/$DISPLAY    # forward X11 display to the host machine
export GUSERNAME=`id -u -n`      # current user's username
export GUID=`id -u`              # current user's user id
export GGROUP=`id -g -n`         # current user's primary group name
export GGID=`id -g`              # current user's primary group id
export GHOME=$HOME               # current user's home directory
export GSHELL=$SHELL             # current user's shell
export GRUNXTERM=0               # flag to start lxterminal, useful in windows
export GPWD=`pwd`                # current working directory

docker run -h BRHOST \
           --rm \
           -v /tmp/.X11-unix:/tmp/.X11-unix \
           -v $HOME:$HOME \
           -e DISPLAY=$GDISPLAY \
           -e GUSERNAME=$GUSERNAME \
           -e GUID=$GUID \
           -e GGROUP=$GGROUP \
           -e GGID=$GGID \
           -e GHOME=$GHOME \
           -e GSHELL=$SHELL \
           -e GRUNXTERM=$GRUNXTERM \
           -e GPWD=$GPWD \
           -it digiampietro/buildroot-armv7

--------------------------------------------------------------------------------
/brmake:
--------------------------------------------------------------------------------
#!/bin/bash
MYHOSTNAME=`hostname`
#-----------------------------------------------------------------------
# execute this script only on the docker host
#-----------------------------------------------------------------------
if [ "$MYHOSTNAME" != "BRHOST" ]
then
    echo "brmake and make must be executed on docker brhost"
    exit
fi
#-----------------------------------------------------------------------
export DVAEMUDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $DVAEMUDIR/set-env.sh
echo "-----> change dir to $BRDIR"
cd $BRDIR
echo "-----> executing: make BR2_EXTERNAL=$BR2EXT $*"

#-----------------------------------------------------------------------
if [ "$*" == "savedefconfig" ]
then
    #-----------------------------------------------------------------------
    # savedefconfig
    #-----------------------------------------------------------------------
    make BR2_EXTERNAL=$BR2EXT BR2_DEFCONFIG="$BR2EXT/configs/dvaemu-emu_arm_vexpress_defconfig" $*
elif [ "$*" == "uclibc-update-defconfig" ]
then
    #-----------------------------------------------------------------------
    # uclibc-update-defconfig
    #-----------------------------------------------------------------------
    cat $BRDIR/output/build/uclibc-0.9.33.2/.config | sed "s,$BRDIR,\$\(TOPDIR\),g" > $BR2EXT/configs/uClibc-0.9.33.config
else
    make BR2_EXTERNAL=$BR2EXT $*
fi

--------------------------------------------------------------------------------
/docker/Dockerfile:
--------------------------------------------------------------------------------
FROM debian/eol:wheezy
MAINTAINER Valerio Di Giampietro "valerio@digiampietro.com"
#
# increase the version to force recompilation of everything
#
ENV BUILDROOT_ARMV7 0.8.1
#
# ------------------------------------------------------------------
# environment variables to avoid that dpkg-reconfigure
# tries to ask the user any questions
#
ENV DEBIAN_FRONTEND noninteractive
ENV DEBCONF_NONINTERACTIVE_SEEN true
#
# -----------------------------------------------------------------
# install needed packages to build and run buildroot and related sw
#
RUN apt-get update

# -y: without it apt-get stops at its confirmation prompt during a non-interactive build
RUN apt-get upgrade -y

RUN apt-get install -y -q \
    bash \
    bc \
    binutils \
    build-essential \
    bzip2 \
    ca-certificates \
    cpio \
    debianutils \
    g++ \
    gcc \
    gzip \
    libncurses5-dev \
    locales \
    make \
    patch \
    perl \
    python \
    rsync \
    sed \
    tar \
    unzip \
    wget \
    git \
    fakeroot \
    login \
    libqt4-dev \
    pkg-config \
    libqt4-dev-bin

RUN sed -i "s/^# en_US.UTF-8/en_US.UTF-8/" /etc/locale.gen && locale-gen && update-locale LANG=en_US.UTF-8
#
# prepare startup files in /src/misc
#
RUN mkdir -p /src/misc
ADD startup.sh /src/misc/startup.sh
RUN chmod a+x /src/misc/startup.sh
ENTRYPOINT cd /src/misc ; ./startup.sh

--------------------------------------------------------------------------------
/ext-tree/package/klish/0001-klish-help-param-optional.patch:
--------------------------------------------------------------------------------
1 | diff -uNr a/clish/shell/shell_xml.c b/clish/shell/shell_xml.c 2 | --- a/clish/shell/shell_xml.c 2015-01-12 16:05:48.000000000 +0100 3 | +++ b/clish/shell/shell_xml.c 2018-09-11 12:04:33.364212393 +0200 4 | @@ -430,10 +430,10 @@ 5 | fprintf(stderr, CLISH_XML_ERROR_ATTR("name")); 6 | goto error; 7 | } 8 | - if (!help) { 9 | - fprintf(stderr, CLISH_XML_ERROR_ATTR("help")); 10 | - goto error; 11 | - } 12 | + //if (!help) { 13 | + // fprintf(stderr, CLISH_XML_ERROR_ATTR("help")); 14 | + // goto error; 15 | + //} 16 | 17 | /* check this command doesn't already exist */ 18 | old = clish_view_find_command(v, name, BOOL_FALSE); 19 | @@ -648,10 +648,10 @@ 20 | fprintf(stderr, CLISH_XML_ERROR_ATTR("name")); 21 | goto error; 22 | } 23 | - if (!help) { 24 | - fprintf(stderr, CLISH_XML_ERROR_ATTR("help")); 25 | - goto error; 26 | - } 27 | + //if (!help) { 28 | + // fprintf(stderr, CLISH_XML_ERROR_ATTR("help")); 29 | + // goto error; 30 | + //} 31 | if (!ptype) { 32 | fprintf(stderr, CLISH_XML_ERROR_ATTR("ptype")); 33 | goto error; 34 | diff -uNr a/clish.xsd b/clish.xsd 35 | --- a/clish.xsd 2015-01-12 12:04:08.000000000 +0100 36 | 
+++ b/clish.xsd 2018-09-11 11:49:04.244182706 +0200 37 | 
@@ -63,7 +63,7 @@ 38 | --> 39 | 40 | 41 | - 42 | + 43 | 44 | 
filename: %s\n",$r0
  printf "----->filemode: %d\n",$r1
end

# print info for the read function
define cmdread
  printf "----->filedesc: %d\n",$r0
  printf "----->buf: 0x%x\n",$r1
  printf "----->len: %d\n",$r2
  set variable $rbuf=$r1
  set variable $rlen=$r2
  print "----->Bytes read and stored in buf (truncated at 256 bytes max)<-----"
  if $rlen > 256
    set variable $rlen = 256
  end
  finish
  shell sleep 2
  xxd $rbuf $rlen
end

# print the gcrypt_mpi_t number pointed by arg_ptr in the gcry_sexp_build function (%m)
define mpiprint
  set variable $myp=*(long int *)arg_ptr
  printf "----->arg_ptr: 0x%x\n",(int *)arg_ptr
  print "----->gcry_mpi_t variable nr. 1<-----"
  print/x *(gcry_mpi_t)$myp
  set variable $mypd=(*(gcry_mpi_t)$myp).d
  set variable $mynd=(*(gcry_mpi_t)$myp).alloced
  print "----->MPI Multi Precision Integer"
  xxd $mypd $mynd
  print "----->-----.-----.-----.-----.-<-----"
  print "----->gcry_mpi_t variable nr. 2<-----"
  set variable $myp=*((long int *)arg_ptr + 1)
  print/x *(gcry_mpi_t)$myp
  set variable $mypd=(*(gcry_mpi_t)$myp).d
  set variable $mynd=(*(gcry_mpi_t)$myp).alloced
  print "----->MPI Multi Precision Integer"
  xxd $mypd $mynd
end

# print the %b number pointed by arg_ptr in the gcry_sexp_build function (%b)
define bprint
  set variable $myl=*(long int *)arg_ptr
  printf "----->arg_ptr: 0x%x\n",(int *)arg_ptr
  print "----->%b variable<-----"
  printf "-----> len: 0x%x\n",*(long int *)arg_ptr
  printf "-----> buf: 0x%x\n",*((long int *)arg_ptr + 1)
  print "----->buffer<-----"
  set variable $myp=*((long int *)arg_ptr + 1)
  xxd $myp $myl
end

# set breakpoint for the open function in _dl_find_hash
define setbopen
  finish
  break *$r0
  commands
    cmdopen
  end
end

# set breakpoint for the read function in _dl_find_hash
define setbread
  finish
  break *$r0
  commands
    cmdread
  end
  # the breakpoint on _dl_find_hash is no more needed
  print "-----> removing breakpoint on _dl_find_hash"
  clear _dl_find_hash
end

#print the gcrypt_md_read data
define pmdread
  finish
  print "-----> Message Digest <-----"
  x/20bx $r0
end

#save mpi Multi Precision Integer
define savempi
  dump binary memory $arg0 buffer buffer+buflen
end

#print sexp_build related data
define sexpprint
  next
  if format[32] == 'b'
    bprint
  end
  if format[18] == 'b'
    bprint
  end
  if format[21] == 'm'
    mpiprint
  end
  set variable $myretsexp=retsexp
  finish
  printf "-----> *retsexp: 0x%x\n",*$myretsexp
end

set breakpoint pending on

break __fgetc_unlocked

break __uClibc_main
commands
  print "----->Arguments<-----"
  set $i=0
  while $i < argc
    print argv[$i]
    set $i = $i + 1
  end
end

break abort
break close
break exit
break fdopen
break fgetc
break fprintf
break fputs
break fread

#break free

break fseek
break ftell
break ftruncate
break gcry_check_version

break gcry_md_ctl
commands
  print "----->cmd=5: GCRYCTL_FINALIZE"
end

break gcry_md_get_algo_dlen
commands
  finish
end

break gcry_md_open
commands
  if algo == 2
    print "----->algo=2: GCRY_MD_SHA1"
  end
  if algo == 0
    print "----->flag=0: none"
  end
end

break gcry_md_read
commands
  pmdread
end


break gcry_md_write
commands
  set variable $rbuf=buffer
  set variable $rlen=length
  if $rlen > 256
    set variable $rlen = 256
  end
  print "----->buffer content (truncated to first 256 bytes)<-----"
  xxd $rbuf $rlen
end

break gcry_mpi_scan
commands
  print "----->buffer content<-----"
  xxd buffer buflen
end

break gcry_pk_verify

break gcry_sexp_build
commands
  sexpprint
end

break lseek
commands
  if whence == 0
    print "----->whence=0: SEEK_SET The offset is set to offset bytes"
  end
  if whence == 2
    print "----->whence=2: SEEK_END The offset is set to the size of the file plus offset bytes"
  end
end

#break malloc

break open
break printf
break read
break sscanf

# break strcmp

#break strlen

#break strncmp

break fopen
commands
  x/s fname_or_mode
end


break __GI_open
break __GI_read

#break fcntl
break _stdio_fopen
commands
  printf "----->fname_or_mode: %s\n",fname_or_mode
end


continue

break _dl_find_hash if ((char)*name) == 'o' || ((char)*name) == 'r'
commands
  if ((char)*name) == 'o'
    setbopen
  end
  if ((char)*name) == 'r'
    setbread
  end
end

--------------------------------------------------------------------------------
/br-armv7-config.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $MYDIR/set-env.sh
ERASESIZE=$((128 * 1024))
cd $MYDIR

# ---------------------------------------------------------------
# create directories in parent directory
# ---------------------------------------------------------------
for i in download firmware
do
    if [ -d "$DVAEMUPARENT/$i" ]
    then
        echo "-----> directory $DVAEMUPARENT/$i already exists"
    else
        echo "-----> creating dir: $DVAEMUPARENT/$i"
        mkdir $DVAEMUPARENT/$i
        if [ "$?" != "0" ]
        then
            echo "-----> ERROR in mkdir, aborting"
            exit 1
        fi
    fi
done

# ---------------------------------------------------------------
# check for wget sha1sum binwalk jefferson unzip
# ---------------------------------------------------------------
for i in wget sha1sum binwalk jefferson unzip dd
do
    which $i
    ret=$?
    if [ ! "$ret" = "0" ]
    then
        echo "-----> $i not present, aborting"
        echo "-----> please install it"
        if [ "$i" = "jefferson" ]
        then
            echo "-----> look at https://github.com/sviehb/jefferson"
        fi
        exit 1
    else
        echo "-----> $i found"
    fi
done

# ---------------------------------------------------------------
# download buildroot, firmware and specific kernel file
# ---------------------------------------------------------------
DOWNFILE[0]="buildroot-2014.02.tar.gz"
DOWNURL[0]="https://buildroot.org/downloads/buildroot-2014.02.tar.gz"
DOWNCKSUM[0]="6f52bfcabc5ab967d16c99215b88bffa4b0ca7fa"

DOWNFILE[1]="DVA-5592_A1_WI_20180405.zip"
DOWNURL[1]="https://media.dlink.eu/ftp/products/dva/dva-5592/driver_software/DVA-5592_A1_WI_20180405.zip"
DOWNCKSUM[1]="59d65fbd94e1c313f40abb45c0e360d908ebd547"

DOWNFILE[2]="linux-3.4.11-rt19.tar.gz"
DOWNURL[2]="https://git.kernel.org/pub/scm/linux/kernel/git/rt/linux-stable-rt.git/snapshot/linux-stable-rt-3.4.11-rt19.tar.gz"
DOWNCKSUM[2]="fc1b1151a2c402001a0d197ba1ecb8e662ef2ce8"

for i in ${!DOWNFILE[*]}
do
    F=$DVAEMUPARENT/download/${DOWNFILE[$i]}
    FCK=""
    URLCK=${DOWNCKSUM[$i]}
    if [ -e $F ]
    then
        FCK=`sha1sum $F | awk '{print $1}'`
        echo "-----> `basename $F` exists with checksum $FCK"
    fi
    if [ "$FCK" == "$URLCK" ]
    then
        echo "-----> `basename $F` already downloaded, not downloading"
    else
        echo "-----> Downloading ${DOWNURL[$i]} to $F"
        wget -O $F ${DOWNURL[$i]}
        if [ "$?" != "0" ]
        then
            echo "-----> ERROR downloading ${DOWNURL[$i]}, aborting"
            exit 1
        fi
        # verify the SHA-1 of the freshly downloaded file against the pinned value
        FCK=`sha1sum $F | awk '{print $1}'`
        if [ "$FCK" != "$URLCK" ]
        then
            echo "-----> ERROR downloading ${DOWNURL[$i]}, bad checksum, aborting"
            exit 1
        fi
    fi
done

# ---------------------------------------------------------------
# extract buildroot
# ---------------------------------------------------------------
BRDIR=`echo ${DOWNFILE[0]}|sed "s/.tar.gz//"`
if [ -d "$DVAEMUPARENT/$BRDIR" ]
then
    echo "-----> $DVAEMUPARENT/$BRDIR"
    echo "-----> already exists, skip untarring. Remove it to force untarring ${DOWNFILE[0]}"
else
    echo "-----> untarring ${DOWNFILE[0]}"
    tar -C $DVAEMUPARENT/ -xvf $DVAEMUPARENT/download/${DOWNFILE[0]}
    if [ "$?" != "0" ]
    then
        echo "-----> ERROR untarring ${DOWNFILE[0]}, aborting"
        exit 1
    fi
    echo "-----> patching buildroot"
    pushd "$DVAEMUPARENT/$BRDIR"
    patch -N -p1 < $MYDIR/001-buildroot-2014-02-fix-bzip2url.patch
    popd
fi


# ---------------------------------------------------------------
# extract firmware
# ---------------------------------------------------------------
FIRMFILE=`echo $DVAFIRM/${DOWNFILE[1]}|sed 's/.zip/.sig/'`
if [ -d $DVAFIRM/root ]
then
    echo "-----> firmware file already extracted"
    echo "-----> to force re-extraction remove $DVAFIRM/root and"
    echo "-----> remove $DVAFIRM/boot"
else
    echo "-----> extracting firmware, requires some time"
    unzip -o -d $DVAFIRM -e $DVAEMUPARENT/download/${DOWNFILE[1]}
    binwalk -e -C $DVAFIRM $FIRMFILE
    # ------ fix extracted root file system
    echo "-----> fix extracted root file system"
    CURRWD=`pwd`
    cd $DVAFIRM/_`basename ${FIRMFILE}`.extracted/jffs2-root/fs_3
    for i in `find . -maxdepth 1 -type l -print`;do mv $i ../fs_2/sbin/;done
    for i in `find . -maxdepth 1 -type f -print`;do mv $i ../fs_2/sbin/;done
    mv conf ../fs_2/www/
    mv sbin ../fs_2/usr/
    mv bin ../fs_2/usr/
    mv htdocs ../fs_2/www/
    mv lib ../fs_2/usr/
    mv nls ../fs_2/www/
    mv pages ../fs_2/www/
    mv share ../fs_2/usr/
    mv yapl ../fs_2/www/
    cd $DVAFIRM
    mv $DVAFIRM/_`basename ${FIRMFILE}`.extracted/jffs2-root/fs_2 root
    mv $DVAFIRM/_`basename ${FIRMFILE}`.extracted/jffs2-root/fs_1 boot
    rmdir $DVAFIRM/_`basename ${FIRMFILE}`.extracted/jffs2-root/fs_3
    rmdir $DVAFIRM/_`basename ${FIRMFILE}`.extracted/jffs2-root
    rm -rf $DVAFIRM/_`basename ${FIRMFILE}`.extracted
    cp -p $DVAFIRM/root/bin/busybox $DVAFIRM/root/sbin/init
    chmod 755 $DVAFIRM/root/sbin/init
    # ------ extract boot and root fs from firmware file
    echo "-----> extract boot and root fs from firmware file"
    dd if=${FIRMFILE} bs=256 skip=514 count=94720 of=$DVAFIRM/boot-root-fs.bin

    # ------ split boot and root partitions
    echo "-----> split boot and root partitions"
    PSPOS=`grep --byte-offset --only-matching --text YAPS-PartitionSplit $DVAFIRM/boot-root-fs.bin|awk -F: '{print $1}'`
    SPLITPOS=$(($PSPOS+256))
    BOOTROOTSIZE=`wc -c $DVAFIRM/boot-root-fs.bin|awk '{print $1}'`
    ROOTEND=$(($BOOTROOTSIZE - $ERASESIZE))
    ROOTLEN=$(($ROOTEND - $SPLITPOS))
    echo " SPLITPOS: $SPLITPOS"
    echo " PSPOS: $PSPOS"
    echo " BOOTROOTSIZE: $BOOTROOTSIZE"
    echo " ROOTEND: $ROOTEND"
    echo " ROOTLEN: $ROOTLEN"

    # ------ extract boot partition image
    echo "-----> extract boot partition image"
    dd if=$DVAFIRM/boot-root-fs.bin of=$DVAFIRM/boot-fs.bin bs=256 count=$(($SPLITPOS / 256))

    # ------ extract root partition image, takes some time
    echo "-----> extract root partition image, takes some time"
    dd if=$DVAFIRM/boot-root-fs.bin of=$DVAFIRM/root-fs.bin bs=256 skip=$(($SPLITPOS / 256)) count=$(($ROOTLEN /256 ))

    # ------ extract end of file system marker
    echo "-----> extract end of file system marker"
    dd if=$DVAFIRM/boot-root-fs.bin of=$DVAFIRM/eofs.bin bs=256 skip=$(($ROOTEND / 256))
fi

cd $CURRWD

--------------------------------------------------------------------------------
/ext-tree/configs/uClibc-0.9.33.config:
--------------------------------------------------------------------------------
#
# Automatically generated make config: don't edit
# Version: 0.9.33.2
# Sat Sep 15 18:38:03 2018
#
# TARGET_alpha is not set
TARGET_arm=y
# TARGET_avr32 is not set
# TARGET_bfin is not set
# TARGET_c6x is not set
# TARGET_cris is not set
# TARGET_e1 is not set
# TARGET_frv is not set
# TARGET_h8300 is not set
# TARGET_hppa is not set
# TARGET_i386 is not set
# TARGET_i960 is not set
# TARGET_ia64 is not set
# TARGET_m68k is not set
# TARGET_microblaze is not set
# TARGET_mips is not set
# TARGET_nios is not set
# TARGET_nios2 is not set
# TARGET_powerpc is not set
# TARGET_sh is not set
# TARGET_sh64 is not set
# TARGET_sparc is not set
# TARGET_v850 is not set
# TARGET_vax is not set
# TARGET_x86_64 is not set
# TARGET_xtensa is not set

#
# Target Architecture Features and Options
#
TARGET_ARCH="arm"
FORCE_OPTIONS_FOR_ARCH=y
CONFIG_ARM_EABI=y
# COMPILE_IN_THUMB_MODE is not set
USE_BX=y
TARGET_SUBARCH=""

#
# Using ELF file format
#
ARCH_ANY_ENDIAN=y
ARCH_LITTLE_ENDIAN=y
# ARCH_WANTS_BIG_ENDIAN is not set
ARCH_WANTS_LITTLE_ENDIAN=y
ARCH_HAS_MMU=y
ARCH_USE_MMU=y
UCLIBC_HAS_FLOATS=y
UCLIBC_HAS_FPU=y
DO_C99_MATH=y
# DO_XSI_MATH is not set
# UCLIBC_HAS_FENV is not set
KERNEL_HEADERS="$(TOPDIR)/output/host/usr/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include" 58 | HAVE_DOT_CONFIG=y 59 | 60 | # 61 | # General Library Settings 62 | # 63 | DOPIC=y 64 | HAVE_SHARED=y 65 | # FORCE_SHAREABLE_TEXT_SEGMENTS is not set 66 | LDSO_LDD_SUPPORT=y 67 | # LDSO_CACHE_SUPPORT is not set 68 | LDSO_PRELOAD_ENV_SUPPORT=y 69 | # LDSO_PRELOAD_FILE_SUPPORT is not set 70 | # LDSO_STANDALONE_SUPPORT is not set 71 | # LDSO_PRELINK_SUPPORT is not set 72 | # UCLIBC_STATIC_LDCONFIG is not set 73 | LDSO_RUNPATH=y 74 | LDSO_SEARCH_INTERP_PATH=y 75 | LDSO_LD_LIBRARY_PATH=y 76 | # LDSO_NO_CLEANUP is not set 77 | UCLIBC_CTOR_DTOR=y 78 | # LDSO_GNU_HASH_SUPPORT is not set 79 | # HAS_NO_THREADS is not set 80 | # LINUXTHREADS_OLD is not set 81 | # LINUXTHREADS_NEW is not set 82 | UCLIBC_HAS_THREADS_NATIVE=y 83 | UCLIBC_HAS_THREADS=y 84 | UCLIBC_HAS_TLS=y 85 | # PTHREADS_DEBUG_SUPPORT is not set 86 | UCLIBC_HAS_SYSLOG=y 87 | UCLIBC_HAS_LFS=y 88 | # MALLOC is not set 89 | # MALLOC_SIMPLE is not set 90 | MALLOC_STANDARD=y 91 | MALLOC_GLIBC_COMPAT=y 92 | UCLIBC_DYNAMIC_ATEXIT=y 93 | # COMPAT_ATEXIT is not set 94 | UCLIBC_SUSV3_LEGACY=y 95 | # UCLIBC_SUSV3_LEGACY_MACROS is not set 96 | UCLIBC_SUSV4_LEGACY=y 97 | # UCLIBC_STRICT_HEADERS is not set 98 | # UCLIBC_HAS_STUBS is not set 99 | UCLIBC_HAS_SHADOW=y 100 | UCLIBC_HAS_PROGRAM_INVOCATION_NAME=y 101 | UCLIBC_HAS___PROGNAME=y 102 | UCLIBC_HAS_PTY=y 103 | ASSUME_DEVPTS=y 104 | UNIX98PTY_ONLY=y 105 | UCLIBC_HAS_GETPT=y 106 | UCLIBC_HAS_LIBUTIL=y 107 | UCLIBC_HAS_TM_EXTENSIONS=y 108 | UCLIBC_HAS_TZ_CACHING=y 109 | UCLIBC_HAS_TZ_FILE=y 110 | UCLIBC_HAS_TZ_FILE_READ_MANY=y 111 | UCLIBC_TZ_FILE_PATH="/etc/TZ" 112 | UCLIBC_FALLBACK_TO_ETC_LOCALTIME=y 113 | 114 | # 115 | # Advanced Library Settings 116 | # 117 | UCLIBC_PWD_BUFFER_SIZE=256 118 | UCLIBC_GRP_BUFFER_SIZE=256 119 | 120 | # 121 | # Support various families of functions 122 | # 123 | UCLIBC_LINUX_MODULE_26=y 124 | # UCLIBC_LINUX_MODULE_24 is not set 125 | 
UCLIBC_LINUX_SPECIFIC=y 126 | UCLIBC_HAS_GNU_ERROR=y 127 | UCLIBC_BSD_SPECIFIC=y 128 | UCLIBC_HAS_BSD_ERR=y 129 | # UCLIBC_HAS_OBSOLETE_BSD_SIGNAL is not set 130 | # UCLIBC_HAS_OBSOLETE_SYSV_SIGNAL is not set 131 | # UCLIBC_NTP_LEGACY is not set 132 | # UCLIBC_SV4_DEPRECATED is not set 133 | UCLIBC_HAS_REALTIME=y 134 | UCLIBC_HAS_ADVANCED_REALTIME=y 135 | UCLIBC_HAS_EPOLL=y 136 | UCLIBC_HAS_XATTR=y 137 | UCLIBC_HAS_PROFILING=y 138 | UCLIBC_HAS_CRYPT_IMPL=y 139 | # UCLIBC_HAS_SHA256_CRYPT_IMPL is not set 140 | # UCLIBC_HAS_SHA512_CRYPT_IMPL is not set 141 | UCLIBC_HAS_CRYPT=y 142 | UCLIBC_HAS_NETWORK_SUPPORT=y 143 | UCLIBC_HAS_SOCKET=y 144 | UCLIBC_HAS_IPV4=y 145 | # UCLIBC_HAS_IPV6 is not set 146 | # UCLIBC_HAS_RPC is not set 147 | UCLIBC_USE_NETLINK=y 148 | UCLIBC_SUPPORT_AI_ADDRCONFIG=y 149 | # UCLIBC_HAS_BSD_RES_CLOSE is not set 150 | UCLIBC_HAS_COMPAT_RES_STATE=y 151 | # UCLIBC_HAS_EXTRA_COMPAT_RES_STATE is not set 152 | UCLIBC_HAS_RESOLVER_SUPPORT=y 153 | UCLIBC_HAS_LIBRESOLV_STUB=y 154 | UCLIBC_HAS_LIBNSL_STUB=y 155 | 156 | # 157 | # String and Stdio Support 158 | # 159 | # UCLIBC_HAS_STRING_GENERIC_OPT is not set 160 | UCLIBC_HAS_STRING_ARCH_OPT=y 161 | UCLIBC_HAS_CTYPE_TABLES=y 162 | UCLIBC_HAS_CTYPE_SIGNED=y 163 | # UCLIBC_HAS_CTYPE_UNSAFE is not set 164 | UCLIBC_HAS_CTYPE_CHECKED=y 165 | # UCLIBC_HAS_CTYPE_ENFORCED is not set 166 | UCLIBC_HAS_WCHAR=y 167 | # UCLIBC_HAS_LOCALE is not set 168 | UCLIBC_HAS_HEXADECIMAL_FLOATS=y 169 | UCLIBC_HAS_GLIBC_CUSTOM_PRINTF=y 170 | UCLIBC_PRINTF_SCANF_POSITIONAL_ARGS=9 171 | # UCLIBC_HAS_STDIO_BUFSIZ_NONE is not set 172 | # UCLIBC_HAS_STDIO_BUFSIZ_256 is not set 173 | # UCLIBC_HAS_STDIO_BUFSIZ_512 is not set 174 | # UCLIBC_HAS_STDIO_BUFSIZ_1024 is not set 175 | # UCLIBC_HAS_STDIO_BUFSIZ_2048 is not set 176 | UCLIBC_HAS_STDIO_BUFSIZ_4096=y 177 | # UCLIBC_HAS_STDIO_BUFSIZ_8192 is not set 178 | # UCLIBC_HAS_STDIO_BUILTIN_BUFFER_NONE is not set 179 | # UCLIBC_HAS_STDIO_BUILTIN_BUFFER_4 is not set 180 | 
UCLIBC_HAS_STDIO_BUILTIN_BUFFER_8=y 181 | # UCLIBC_HAS_STDIO_SHUTDOWN_ON_ABORT is not set 182 | UCLIBC_HAS_STDIO_GETC_MACRO=y 183 | UCLIBC_HAS_STDIO_PUTC_MACRO=y 184 | UCLIBC_HAS_STDIO_AUTO_RW_TRANSITION=y 185 | # UCLIBC_HAS_FOPEN_LARGEFILE_MODE is not set 186 | UCLIBC_HAS_FOPEN_EXCLUSIVE_MODE=y 187 | # UCLIBC_HAS_FOPEN_CLOSEEXEC_MODE is not set 188 | UCLIBC_HAS_GLIBC_CUSTOM_STREAMS=y 189 | UCLIBC_HAS_PRINTF_M_SPEC=y 190 | UCLIBC_HAS_ERRNO_MESSAGES=y 191 | # UCLIBC_HAS_SYS_ERRLIST is not set 192 | UCLIBC_HAS_SIGNUM_MESSAGES=y 193 | # UCLIBC_HAS_SYS_SIGLIST is not set 194 | UCLIBC_HAS_GNU_GETOPT=y 195 | UCLIBC_HAS_STDIO_FUTEXES=y 196 | # UCLIBC_HAS_GNU_GETSUBOPT is not set 197 | 198 | # 199 | # Big and Tall 200 | # 201 | UCLIBC_HAS_REGEX=y 202 | # UCLIBC_HAS_REGEX_OLD is not set 203 | UCLIBC_HAS_FNMATCH=y 204 | # UCLIBC_HAS_FNMATCH_OLD is not set 205 | # UCLIBC_HAS_WORDEXP is not set 206 | UCLIBC_HAS_NFTW=y 207 | UCLIBC_HAS_FTW=y 208 | # UCLIBC_HAS_FTS is not set 209 | UCLIBC_HAS_GLOB=y 210 | UCLIBC_HAS_GNU_GLOB=y 211 | UCLIBC_HAS_UTMPX=y 212 | 213 | # 214 | # Library Installation Options 215 | # 216 | RUNTIME_PREFIX="/" 217 | DEVEL_PREFIX="/usr" 218 | MULTILIB_DIR="lib" 219 | HARDWIRED_ABSPATH=y 220 | 221 | # 222 | # Security options 223 | # 224 | # UCLIBC_BUILD_PIE is not set 225 | # UCLIBC_HAS_ARC4RANDOM is not set 226 | # UCLIBC_HAS_SSP is not set 227 | UCLIBC_BUILD_RELRO=y 228 | UCLIBC_BUILD_NOW=y 229 | UCLIBC_BUILD_NOEXECSTACK=y 230 | 231 | # 232 | # Development/debugging options 233 | # 234 | CROSS_COMPILER_PREFIX="$(TOPDIR)/output/host/usr/bin/arm-buildroot-linux-uclibcgnueabihf-" 235 | UCLIBC_EXTRA_CFLAGS="-ggdb" 236 | # DODEBUG is not set 237 | # DOSTRIP is not set 238 | # DOASSERTS is not set 239 | # SUPPORT_LD_DEBUG is not set 240 | # SUPPORT_LD_DEBUG_EARLY is not set 241 | # UCLIBC_MALLOC_DEBUGGING is not set 242 | # UCLIBC_HAS_BACKTRACE is not set 243 | WARNINGS="-Wall -ggdb" 244 | # EXTRA_WARNINGS is not set 245 | # DOMULTI is not set 246 | # 
UCLIBC_MJN3_ONLY is not set 247 | -------------------------------------------------------------------------------- /misc/router-console-boot.log: -------------------------------------------------------------------------------- 1 | =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.06.22 01:12:23 =~=~=~=~=~=~=~=~=~=~=~= 2 | HELO 3 | CPU0 4 | PMCM 5 | PMCS 6 | PMCD 7 | CODE 8 | L1CD 9 | MMUI 10 | ZBBS 11 | MAIN 12 | 4.1605_114353_121572_132983_136203_142485-1.0.38-118.3 13 | DRAM 14 | NVRAM memcfg 0x2327 15 | MCB chksum 0xf5402a88 16 | DDR3-1600 CL11 256MB 17 | Changed Byte Lane LDE 18 | Changed Byte Lane LDE 19 | PASS 20 | FPS0 21 | BT04 22 | 0001 23 | BT05 24 | 1016 25 | NAN3 26 | RFS2 27 | NAN5 28 | 29 | 30 | Base: 4.16_05_114353_121572_132983_136203_142485 31 | CFE version 1.0.38-118.3-S for BCM963138 (32bit,SP,LE) generic 32 | Build Date: Wed Apr 11 12:28:32 CEST 2018 (l.fornalczyk@quelo) 33 | Copyright (C) 2000-2015 Broadcom Corporation. 34 | 35 | Boot Strap Register: 0x7dfffc2f 36 | Chip ID: BCM63136B0, ARM Cortex A9 Dual Core: 1000MHz 37 | Total Memory: 268435456 bytes (256MB) 38 | NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes 39 | NAND flash device: , id 0xc2da block 128KB size 262144KB 40 | pmc_init:PMC using DQM mode 41 | Board IP address : 192.168.1.1:ffffff00 42 | Host IP address : 192.168.1.100 43 | Gateway IP address : 44 | Run from flash/host/tftp (f/h/c) : f 45 | Default host run file name : vmlinux 46 | Default host flash file name : bcm963xx_fs_kernel 47 | Boot delay (0-9 seconds) : 1 48 | Boot image (0=latest, 1=previous) : 0 49 | Default host ramdisk file name : 50 | Default ramdisk store address : 51 | Board Id (0-9) : 963138_VD5920 52 | Number of MAC Addresses (1-32) : 10 53 | Base MAC Address : 00:10:18:00:00:00 54 | PSI Size (1-128) KBytes : 24 55 | Enable Backup PSI [0|1] : 0 56 | System Log Size (0-256) KBytes : 0 57 | Auxillary File System Size Percent: 0 58 | MC memory allocation (MB) : 4 59 | TM memory allocation (MB) : 20 60 | DHD 
0 memory allocation (MB) : 0 61 | DHD 1 memory allocation (MB) : 0 62 | DHD 2 memory allocation (MB) : 0 63 | WLan Feature : 0x00 64 | Voice Board Configuration (0-1) : ZL88801 65 | Partition 1 Size (MB) : 66 | Partition 2 Size (MB) : 67 | Partition 3 Size (MB) : 68 | Partition 4 Size (MB) (Data) : 1MB 69 | 70 | *** Press any key to stop auto run (1 seconds) *** 71 | Auto run second count down: 110 72 | Booting from latest image (address 0x07f00000, flash offset 0x07f00000) ... 73 | new kernel image format 74 | Verifying kernel signature... 75 | Signature OK 76 | Decompression LZMA Image OK! 77 | Entry at 0x00008000 78 | Starting program at 0x00008000 79 | [ 0.000000] Booting Linux on physical CPU 0 80 | [ 0.000000] Initializing cgroup subsys cpuset 81 | [ 0.000000] Initializing cgroup subsys cpu 82 | [ 0.000000] Linux version 3.4.11-rt19 (l.fornalczyk@quelo) (gcc version 4.5.4 20120306 (prerelease) (Linaro GCC 4.5-2012.03) ) #1 SMP PREEMPT Wed Apr 11 12:39:45 CEST 2018 83 | [ 0.000000] CPU: ARMv7 Processor [414fc091] revision 1 (ARMv7), cr=10c53c7d 84 | [ 0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache 85 | [ 0.000000] Machine: BCM963138 86 | [ 0.000000] Ignoring unrecognised tag 0x41000603 87 | [ 0.000000] bootconsole [earlycon0] enabled 88 | [ 0.000000] Memory policy: ECC disabled, Data cache writealloc 89 | [ 0.000000] creating a MT_MEMORY_NONCACHED device at physical address of 0x0fe00000 to virtual address at 0xcfe00000 with size of 0x200000 byte for DSL 90 | [ 0.000000] creating a MT_MEMORY_NONCACHED device at physical address of 0x0ea00000 to virtual address at 0xcea00000 with size of 0x1400000 byte for RDPA tm 91 | [ 0.000000] creating a MT_MEMORY_NONCACHED device at physical address of 0x0e600000 to virtual address at 0xce600000 with size of 0x400000 byte for RDPA mc 92 | [ 0.000000] On node 0 totalpages: 58880 93 | [ 0.000000] free_area_init_node: node 0, pgdat c034bde0, node_mem_map c1000000 94 | [ 0.000000] DMA zone: 
32 pages used for memmap 95 | [ 0.000000] DMA zone: 0 pages reserved 96 | [ 0.000000] DMA zone: 4064 pages, LIFO batch:0 97 | [ 0.000000] Normal zone: 480 pages used for memmap 98 | [ 0.000000] Normal zone: 54304 pages, LIFO batch:15 99 | [ 0.000000] pmc_init:PMC using DQM mode 100 | [ 0.000000] pmc_init:fe1e 3620361 4b004b 101 | [ 0.000000] L310 cache controller enabled 102 | [ 0.000000] l2x0: 16 ways, CACHE_ID 0x410000c9, AUX_CTRL 0x6a450000, Cache size: 524288 B 103 | [ 0.000000] PERCPU: Embedded 7 pages/cpu @c1204000 s5344 r8192 d15136 u32768 104 | [ 0.000000] pcpu-alloc: s5344 r8192 d15136 u32768 alloc=8*4096 105 | [ 0.000000] pcpu-alloc: [0] 0 [0] 1 106 | [ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 58368 107 | [ 0.000000] Kernel command line: console=ttyS0,115200 earlyprintk debug root=mtd:rootfs_1 rw rootfstype=jffs2 108 | [ 0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes) 109 | [ 0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes) 110 | [ 0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes) 111 | [ 0.000000] Memory: 230MB = 230MB total 112 | [ 0.000000] Memory: 229596k/229596k available, 32548k reserved, 0K highmem 113 | [ 0.000000] Virtual kernel memory layout: 114 | [ 0.000000] vector : 0xffff0000 - 0xffff1000 ( 4 kB) 115 | [ 0.000000] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB) 116 | [ 0.000000] vmalloc : 0xd0800000 - 0xff000000 ( 744 MB) 117 | [ 0.000000] lowmem : 0xc0000000 - 0xd0000000 ( 256 MB) 118 | [ 0.000000] modules : 0xbf000000 - 0xc0000000 ( 16 MB) 119 | [ 0.000000] .text : 0xc0008000 - 0xc02f1d04 (2984 kB) 120 | [ 0.000000] .init : 0xc02f2000 - 0xc030d4e0 ( 110 kB) 121 | [ 0.000000] .data : 0xc030e000 - 0xc034c940 ( 251 kB) 122 | [ 0.000000] .bss : 0xc034c964 - 0xc037fcac ( 205 kB) 123 | [ 0.000000] Preemptible hierarchical RCU implementation. 124 | [ 0.000000] Dump stacks of tasks blocking RCU-preempt GP. 
125 | [ 0.000000] NR_IRQS:256 126 | [ 0.000000] Cortex A9 MPCORE GIC init 127 | [ 0.000000] DIST at fc01f000, CPU_IF at fc01e100 128 | [ 0.000000] map_hw_timer_interrupt,132: interrupt_id 96 129 | [ 0.000000] map_hw_timer_interrupt,132: interrupt_id 97 130 | [ 0.000000] map_hw_timer_interrupt,132: interrupt_id 98 131 | [ 0.000000] map_hw_timer_interrupt,132: interrupt_id 99 132 | [ 0.000000] sched_clock: 32 bits at 1kHz, resolution 1000000ns, wraps every 4294967295ms 133 | [ 0.000000] console [ttyS0] enabled, bootconsole disabled 134 | [ 0.000000] console [ttyS0] enabled, bootconsole disabled 135 | [ 0.002000] Calibrating delay loop... 1980.41 BogoMIPS (lpj=990208) 136 | [ 0.010000] pid_max: default: 32768 minimum: 301 137 | [ 0.011000] Mount-cache hash table entries: 512 138 | [ 0.012000] --Kernel Config-- 139 | [ 0.013000] SMP=1 140 | [ 0.014000] PREEMPT=1 141 | [ 0.015000] DEBUG_SPINLOCK=0 142 | [ 0.016000] DEBUG_MUTEXES=0 143 | [ 0.017000] Initializing cgroup subsys cpuacct 144 | [ 0.018000] Initializing cgroup subsys devices 145 | [ 0.019000] Initializing cgroup subsys freezer 146 | [ 0.020000] CPU: Testing write buffer coherency: ok 147 | [ 0.022000] Broadcom Logger v0.1 Apr 11 2018 12:39:38 148 | [ 0.036000] Setting up static identity map for 0x271498 - 0x2714cc 149 | [ 0.057000] CPU1: Booted secondary processor 150 | [ 0.065000] CPU1: Unknown IPI message 0x1 151 | [ 0.065000] Brought up 2 CPUs 152 | [ 0.065000] SMP: Total of 2 processors activated (3971.07 BogoMIPS). 
153 | [ 0.086000] NET: Registered protocol family 16 154 | [ 0.112000] bcm63xx_pcie: setting resistor calibration value to 0xa 155 | [ 0.118000] bcm63xx_pcie: applying serdes parameters 156 | [ 0.178000] PCIE port 0 SSC Disabled 157 | [ 0.706000] PCIE port 0 link-up 158 | [ 0.713000] PCIE port 0 SSC Enabled 159 | [ 0.714000] PCI host bridge to bus 0000:00 160 | [ 0.715000] pci_bus 0000:00: root bus resource [mem 0x90000000-0x9fffffff] 161 | [ 0.716000] pci 0000:00:00.0: [14e4:6313] type 01 class 0x060400 162 | [ 0.718000] pci 0000:00:00.0: PME# supported from D0 D3hot 163 | [ 0.719000] PCI: bus0: Fast back to back transfers disabled 164 | [ 0.720000] pci 0000:01:00.0: [14e4:a8db] type 00 class 0x028000 165 | [ 0.721000] pci 0000:01:00.0: reg 10: [mem 0x00000000-0x00007fff 64bit] 166 | [ 0.722000] pci 0000:01:00.0: supports D1 D2 167 | [ 0.723000] pci 0000:00:00.0: Checking PCIe ASPM for vendor 14e4 device a8db 168 | [ 0.726000] PCI: bus1: Fast back to back transfers disabled 169 | [ 0.727000] pci 0000:00:00.0: BAR 8: assigned [mem 0x90000000-0x900fffff] 170 | [ 0.728000] pci 0000:01:00.0: BAR 0: assigned [mem 0x90000000-0x90007fff 64bit] 171 | [ 0.729000] pci 0000:00:00.0: PCI bridge to [bus 01-01] 172 | [ 0.730000] pci 0000:00:00.0: bridge window [mem 0x90000000-0x900fffff] 173 | [ 0.731000] PCI: enabling device 0000:00:00.0 (0140 -> 0143) 174 | [ 0.755000] bcm63xx_pcie: setting resistor calibration value to 0xa 175 | [ 0.761000] bcm63xx_pcie: applying serdes parameters 176 | [ 0.821000] PCIE port 1 SSC Disabled 177 | [ 1.348000] PCIE port 1 link-up 178 | [ 1.355000] PCIE port 1 SSC Enabled 179 | [ 1.356000] PCI host bridge to bus 0001:00 180 | [ 1.357000] pci_bus 0001:00: root bus resource [mem 0xa0000000-0xafffffff] 181 | [ 1.358000] pci 0001:00:00.0: [14e4:6313] type 01 class 0x060400 182 | [ 1.359000] pci 0001:00:00.0: PME# supported from D0 D3hot 183 | [ 1.360000] PCI: bus0: Fast back to back transfers disabled 184 | [ 1.361000] pci 0001:01:00.0: [14e4:4365] 
type 00 class 0x028000 185 | [ 1.362000] pci 0001:01:00.0: reg 10: [mem 0x00000000-0x00007fff 64bit] 186 | [ 1.363000] pci 0001:01:00.0: reg 18: [mem 0x00000000-0x007fffff 64bit] 187 | [ 1.364000] pci 0001:01:00.0: reg 20: [mem 0x00000000-0x000fffff 64bit pref] 188 | [ 1.365000] pci 0001:01:00.0: supports D1 D2 189 | [ 1.366000] pci 0001:00:00.0: Checking PCIe ASPM for vendor 14e4 device 4365 190 | [ 1.367000] pci 0001:00:00.0: Disabling PCIe ASPM for vendor 14e4 device 4365 191 | [ 1.368000] PCI: bus1: Fast back to back transfers disabled 192 | [ 1.369000] pci 0001:00:00.0: BAR 8: assigned [mem 0xa0000000-0xa0bfffff] 193 | [ 1.370000] pci 0001:00:00.0: BAR 9: assigned [mem 0xa0c00000-0xa0cfffff 64bit pref] 194 | [ 1.371000] pci 0001:01:00.0: BAR 2: assigned [mem 0xa0000000-0xa07fffff 64bit] 195 | [ 1.372000] pci 0001:01:00.0: BAR 4: assigned [mem 0xa0c00000-0xa0cfffff 64bit pref] 196 | [ 1.373000] pci 0001:01:00.0: BAR 0: assigned [mem 0xa0800000-0xa0807fff 64bit] 197 | [ 1.374000] pci 0001:00:00.0: PCI bridge to [bus 01-01] 198 | [ 1.375000] pci 0001:00:00.0: bridge window [mem 0xa0000000-0xa0bfffff] 199 | [ 1.376000] pci 0001:00:00.0: bridge window [mem 0xa0c00000-0xa0cfffff 64bit pref] 200 | [ 1.377000] PCI: enabling device 0001:00:00.0 (0140 -> 0143) 201 | [ 1.381000] bio: create slab at 0 202 | [ 1.383000] usbcore: registered new interface driver usbfs 203 | [ 1.384000] usbcore: registered new interface driver hub 204 | [ 1.386000] usbcore: registered new device driver usb 205 | [ 1.387000] bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated 206 | [ 1.388000] skb_free_task created successfully 207 | [ 1.389000] gbpm_do_work scheduled 208 | [ 1.389000] BLOG v3.0 Initialized 209 | [ 1.397000] BLOG Rule v1.0 Initialized 210 | [ 1.398000] Broadcom IQoS v0.1 Apr 11 2018 12:39:42 initialized 211 | [ 1.399000] Broadcom GBPM v0.1 Apr 11 2018 12:39:42 initialized 212 | [ 1.400000] NET: Registered protocol family 8 213 | [ 1.401000] NET: Registered protocol 
family 20 214 | [ 1.402000] Switching to clocksource timer_cs 215 | [ 1.404000] NET: Registered protocol family 2 216 | [ 1.405000] IP route cache hash table entries: 2048 (order: 1, 8192 bytes) 217 | [ 1.406000] TCP established hash table entries: 8192 (order: 4, 65536 bytes) 218 | [ 1.407000] TCP bind hash table entries: 8192 (order: 4, 98304 bytes) 219 | [ 1.408000] TCP: Hash tables configured (established 8192 bind 8192) 220 | [ 1.409000] TCP: reno registered 221 | [ 1.411000] UDP hash table entries: 128 (order: 0, 4096 bytes) 222 | [ 1.412000] UDP-Lite hash table entries: 128 (order: 0, 4096 bytes) 223 | [ 1.413000] NET: Registered protocol family 1 224 | [ 1.416000] jffs2: version 2.2 (NAND) (SUMMARY) (ZLIB) (LZMA) (RTIME) (c) 2001-2006 Red Hat, Inc. 225 | [ 1.417000] msgmni has been set to 448 226 | [ 1.419000] io scheduler noop registered (default) 227 | [ 1.423000] printk_dump_dev: read_boot_params - mem_size = 0 228 | [ 1.424000] printk_dump_dev: error in init_persistent_buffer - Invalid memory size 229 | [ 1.425000] printk_dump_dev: error in printk_dump_dev_init - failed to create persistent memory buffer 230 | [ 1.426000] brd: module loaded 231 | [ 1.428000] loop: module loaded 232 | [ 1.429000] >> nand_flash_init - entry 233 | [ 1.430000] Broadcom NAND controller (BrcmNand Controller) 234 | [ 1.431000] mtd->oobsize=0, mtd->eccOobSize=0 235 | [ 1.432000] NAND_CS_NAND_XOR=00000000 236 | [ 1.434000] B4: NandSelect=40000001, nandConfig=26152300, chipSelect=0 237 | [ 1.435000] brcmnand_read_id: CS0: dev_id=c2da9095 238 | [ 1.436000] After: NandSelect=00000001, nandConfig=26152300 239 | [ 1.437000] DevId c2da9095 may not be supported. 
Will use config info 240 | [ 1.438000] Spare Area Size = 16B/512B 241 | [ 1.439000] Block size=00020000, erase shift=17 242 | [ 1.440000] NAND Config: Reg=26152300, chipSize=256 MB, blockSize=128K, erase_shift=11 243 | [ 1.441000] busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff 244 | [ 1.442000] ECC level changed to 4 245 | [ 1.443000] OOB size changed to 16 246 | [ 1.444000] BrcmNAND mfg 0 0 UNSUPPORTED NAND CHIP 256MB on CS0 247 | [ 1.445000] 248 | [ 1.445000] Found NAND on CS0: ACC=c3840010, cfg=26152300, flashId=c2da9095, tim1=65324458, tim2=80000e54 249 | [ 1.446000] BrcmNAND version = 0x80000700 256MB @00000000 250 | [ 1.447000] brcmnand_scan: B4 nand_select = 00000001 251 | [ 1.448000] brcmnand_scan: After nand_select = 00000001 252 | [ 1.449000] handle_acc_control: default CORR ERR threshold 3 bits 253 | [ 1.450000] ACC: 16 OOB bytes per 512B ECC step; from ID probe: 16 254 | [ 1.451000] page_shift=11, bbt_erase_shift=17, chip_shift=28, phys_erase_shift=17 255 | [ 1.452000] Brcm NAND controller version = 7.0 NAND flash size 256MB @10000000 256 | [ 1.453000] ECC layout=brcmnand_oob_bch4_2k 257 | [ 1.454000] brcmnand_scan: mtd->oobsize=64 258 | [ 1.455000] brcmnand_scan: oobavail=35, eccsize=512, writesize=2048 259 | [ 1.456000] brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=4, eccbytes=7 260 | [ 1.457000] -->brcmnand_default_bbt 261 | [ 1.458000] brcmnand_default_bbt: bbt_td = bbt_slc_bch4_main_descr 262 | [ 1.459000] Bad block table Bbt0 found at page 0001ffc0, version 0x01 for chip on CS0 263 | [ 1.460000] Bad block table 1tbB found at page 0001ff80, version 0x01 for chip on CS0 264 | [ 1.461000] brcmnand_reset_corr_threshold: default CORR ERR threshold 3 bits for CS0 265 | [ 1.462000] nand_read_bbt: Bad block at 0x013c0000 266 | [ 1.463000] nand_read_bbt: Bad block at 0x0c1e0000 267 | [ 1.464000] nand_read_bbt: Bad block at 0x0ddc0000 268 | [ 1.465000] nand_read_bbt: Bad block at 0x0f320000 269 | [ 1.466000] rescanning .... 
270 | [ 2.493000] ----- Contents of BBT ----- 271 | [ 2.494000] Bad block at 13c0000 272 | [ 2.495000] Bad block at c1e0000 273 | [ 2.496000] Bad block at ddc0000 274 | [ 2.497000] Bad block at f320000 275 | [ 2.498000] ----- END Contents of BBT ----- 276 | [ 2.502000] ***** Found YAPS PartitionSplit Marker at 0x080FFF00 277 | [ 2.503000] Creating 8 MTD partitions on "brcmnand.0": 278 | [ 2.504000] 0x000000000000-0x000000020000 : "CFE" 279 | [ 2.506000] 0x000007f00000-0x000008100000 : "bootfs_1" 280 | [ 2.508000] 0x000008100000-0x00000fbc0000 : "rootfs_1" 281 | [ 2.510000] 0x000000020000-0x000007ce0000 : "upgrade" 282 | [ 2.512000] 0x00000fbc0000-0x00000fdc0000 : "conf_fs" 283 | [ 2.513000] 0x00000fdc0000-0x00000fe00000 : "conf_factory" 284 | [ 2.515000] 0x00000fe00000-0x000010000000 : "bbt" 285 | [ 2.517000] 0x000000000000-0x000010000000 : "flash" 286 | [ 2.520000] PPP generic driver version 2.4.2 287 | [ 2.521000] PPP BSD Compression module registered 288 | [ 2.522000] PPP Deflate Compression module registered 289 | [ 2.523000] NET: Registered protocol family 24 290 | [ 2.524000] brcmboard: brcm_board_init entry 291 | [ 2.525000] SES: Button Interrupt 0x2 is enabled 292 | [ 2.526000] WIFI: Button Interrupt 0x1 is enabled 293 | [ 2.527000] SES: LED GPIO 0x8014 is enabled 294 | [ 2.555000] DYING GASP IRQ Initialized and Enabled 295 | [ 2.556000] Serial: BCM63XX driver $Revision: 3.00 $ 296 | [ 2.557000] Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands) 297 | [ 2.558000] ttyS0 at MMIO 0xfffe8600 (irq = 64) is a BCM63XX 298 | [ 2.559000] ttyS1 at MMIO 0xfffe8620 (irq = 65) is a BCM63XX 299 | [ 2.560000] GACT probability NOT on 300 | [ 2.561000] Mirror/redirect action on 301 | [ 2.562000] u32 classifier 302 | [ 2.563000] input device check on 303 | [ 2.564000] Actions configured 304 | [ 2.566000] TCP: cubic registered 305 | [ 2.567000] Initializing XFRM netlink socket 306 | [ 2.568000] NET: Registered protocol family 17 307 | [ 
2.569000] NET: Registered protocol family 15 308 | [ 2.570000] 8021q: 802.1Q VLAN Support v1.8 309 | [ 4.176000] VFS: Mounted root (jffs2 filesystem) on device 31:2. 310 | [ 4.182000] Freeing init memory: 108K 311 | init started: BusyBox v1.17.3 (2018-04-11 12:29:54 CEST) 312 | init: setting virtual memory limit 16777216 -1 313 | 314 | starting pid 235, tty '': '/etc/init.d/rcS S boot' 315 | Starting boot.sh ... 316 | Restore passwd .... 317 | Restore group .... 318 | mount virtual fs... 319 | [ 4.827000] udevd (261): /proc/261/oom_adj is deprecated, please use /proc/261/oom_score_adj instead. 320 | Wed Apr 11 10:29:41 UTC 2018 321 | Starting /etc/rc.d/S11services.sh ... 322 | starting pid 274, tty '/dev/ttyS0': '/bin/login' 323 | 324 | Please press Enter to activate this console. 325 | 326 | -- Base System Init [6.12] 327 | 328 | [*] Starting Event Controller 329 | [*] Loading Drivers and Kernel Modules 330 | [*] Starting Configuration Load 331 | [ 6.212000] Bridge firewalling registered 332 | [*[[ 6.216000] Initializing MCPD Module 333 | m] Starting Configuration Manager (B) 334 | [ 6.226000] chipinfo: module license 'proprietary' taints kernel. 
335 | [ 6.232000] Disabling lock debugging due to kernel taint 336 | [ 6.238000] brcmchipinfo: brcm_chipinfo_init entry 337 | [ 6.280000] ip_tables: (C) 2000-2006 Netfilter Core Team 338 | [ 6.496000] NET: Registered protocol family 10 339 | [ 6.512000] BPM: tot_mem_size=268435456B (256MB), buf_mem_size <15%> =40265310B (38MB), num of buffers=19358, buf size=2080 340 | [ 6.522000] Broadcom BPM Module Char Driver v0.1 Apr 11 2018 12:28:12 Registered<244> 341 | starting pid 365, tty '/dev/null': 'logd' 342 | reporting service status with 'cmclient SET -u boot Device.X_ADB_SystemLog.[Enable=true].Enable true' 343 | starting pid 368, tty '/dev/null': 'ec' 344 | [ 6.731000] nf_conntrack version 0.5.0 (3589 buckets, 14356 max) 345 | ERROR #5 Device.X_ADB_SystemLog.[Enable=true].Enable 346 | [ 7.459000] tm_base_addr 0xcea00000, size 20971520, tm_base_addr_phys 0x0ea00000 347 | [ 7.466000] mc_base_addr 0xce600000, size 4194304, mc_base_addr_phys 0x0e600000 348 | [ 7.474000] 349 | [ 7.474000] RDP TM memory = 20MB : Max Possible Bufs <6144> of size <2560>; Allocating <5120> bufs; RDP enum <1> 350 | [ 7.489000] ++++Runner gso_desc_pool created successfully 351 | [ 7.523000] bcmxtmrt: Broadcom BCM3136B0 ATM/PTM Network Device v0.9 Apr 11 2018 12:27:58 352 | [ 7.531000] Creating CPU ring for queue number 5 with 256 packets descriptor=0xbf1b9664 353 | [ 7.531000] Done initializing Ring 5 Base=0xffdf2000 End=0xffdf3000 calculated entries= 256 RDD Base=0x00c06000 descriptor=0xbf1b9664 354 | [ 7.552000] Creating CPU ring for queue number 6 with 256 packets descriptor=0xbf1b96b0 355 | [ 7.552000] Done initializing Ring 6 Base=0xffdf0000 End=0xffdf1000 calculated entries= 256 RDD Base=0x00c0c000 descriptor=0xbf1b96b0 356 | [ 7.609000] yatta: Unknown symbol yatta__nf_ct_ext_add (err 0) 357 | [ 7.637000] i2c /dev entries driver 358 | [ 7.692000] NBUFF v1.0 Initialized 359 | [ 7.707000] Initialized fcache state 360 | [ 7.712000] Broadcom Packet Flow Cache Char Driver v3.0 Apr 11 2018 
12:28:21 Registered<242> 361 | [ 7.722000] Created Proc FS /procfs/fcache 362 | [ 7.726000] Broadcom Packet Flow Cache registered with netdev chain 363 | [ 7.734000] Broadcom Packet Flow Cache learning via BLOG enabled. 364 | [ 7.741000] [FHW] pktDbgLvl[0xbf204740]=0 365 | [ 7.746000] [FHW] fhw_construct: 366 | [ 7.751000] Initialized Fcache HW accelerator layer state 367 | [ 7.764000] flwStatsThread created 368 | [ 7.768000] Constructed Broadcom Packet Flow Cache v3.0 Apr 11 2018 12:28:21 369 | [ 7.809000] bcmxtmcfg: bcmxtmcfg_init entry 370 | [ 7.841000] 371 | [ 7.841000] ippt_mod_init:registering device ippt0 372 | [ 7.920000] pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0. 373 | [ 7.941000] 374 | [ 7.941000] LINK DOWN IMP Port 375 | [ 7.948000] Runner Port#0 (Internal MUX Port#2) connects to Crossbar Port#0 376 | [ 7.955000] Switch Port#4 (Internal MUX Port#1) connects to Crossbar Port#1 377 | [ 7.962000] Switch Port#3 (Internal MUX Port#0) connects to Crossbar Port#4 378 | [ 7.969000] Cross Bar MUX Config : Internal Port 00 maps to External Port 04 379 | [ 7.978000] Cross Bar MUX Config : Internal Port 01 maps to External Port 01 380 | [ 7.988000] Cross Bar MUX Config : Internal Port 02 maps to External Port 00 381 | [ 7.997000] Cross Bar MUX Config : Internal Port 02 maps to External Port 00 382 | [ 8.008000] GPIO 36 is assigned to Serdes Fiber Signal Detection. 383 | [ 8.014000] Setting SGMII Calibration value to 0xa 384 | [ 8.019000] SFP Module Plugged in 385 | [ 8.022000] fiberTurnOn: enabling TX for fiber optics 386 | - CM TR-181 ready 387 | - CM TR-98 ready 388 | [Configuration Load ready] 389 | [*] Starting LEDs (B) 390 | [*] Probing for usb devices... 391 | [*] Epicentro Software Version: DVA-5592_A1_WI_20180405 392 | [*] Epicentro Platform Version: 6.0.0.0028 393 | [*] Cleaning dynamic entries... 
394 | [LEDs (B) ready] 395 | [ 12.255000] GPIO Pin 24 is configured as SPF MOD_ABS for module insertion detection 396 | [ 12.263000] Broadcom BCM63136B0 Ethernet Network Device v0.1 Apr 11 2018 12:29:44 397 | [ 12.271000] dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered 398 | [ 12.343000] ++++ disabling GSO on logical_port=0 dev=eth0 399 | [ 12.349000] eth0: PHY_ID <0x06180006 : 0x06> MAC : 00:10:18:00:00:00 400 | [ 12.366000] eth1: PHY_ID <0x0007f008 : 0x08> MAC : 00:10:18:00:00:00 401 | [ 12.382000] eth2: PHY_ID <0x0007f009 : 0x09> MAC : 00:10:18:00:00:00 402 | [ 12.398000] eth3: PHY_ID <0x0007f00a : 0x0a> MAC : 00:10:18:00:00:00 403 | [ 12.420000] eth4: PHY_ID <0x0007f00b : 0x0b> MAC : 00:10:18:00:00:00 404 | [ 12.437000] eth5: PHY_ID <0x0007f00c : 0x0c> MAC : 00:10:18:00:00:00 405 | [ 12.449000] Ethernet Auto Power Down and Sleep: Enabled 406 | [ 12.454000] Ext switch port 0; Adv capability change : MII=0x01e1, GMII=0x0f00 407 | [ 12.462000] Ext switch port 1; Adv capability change : MII=0x01e1, GMII=0x0f00 408 | [ 12.469000] Ext switch port 2; Adv capability change : MII=0x01e1, GMII=0x0f00 409 | [ 12.477000] Cross bar port 4 of Ext switch port 3; Adv capability change : MII=0x01e1, GMII=0x0f00 410 | [ 12.486000] Cross bar port 1 of Ext switch port 4; Adv capability change : MII=0x01e1, GMII=0x0f00 411 | [ 12.496000] All Port Bit Map: 0x1f01: eth0,eth1,eth2,eth3,eth4,eth5 412 | [ 12.502000] Chip WAN Only Ports 0001, Defined WAN Only Ports 0000, WAN Only Port Result: 0x0001:eth0 413 | [ 12.511000] Chip WAN Preffered Ports 0000, Defined WAN Preffered Ports 0000, WAN Preffered Port Result: 0x0000: 414 | [ 12.522000] Chip LAN Only Ports 1f00, Defined LAN Only Ports 0000, LAN Only Port Result: 0x1f00:eth1,eth2,eth3,eth4,eth5 415 | [ 12.534000] WAN/LAN Both Capable Ports 0x0000: 416 | [ 12.553000] Energy Efficient Ethernet: Enabled 417 | [ 12.557000] SFP module unplugged 418 | [ 12.557000] Creating Enet CPU ring for queue number 1 with 512 packets,Descriptor 
base=ffdec000 419 | [ 12.557000] Creating Enet CPU ring for queue number 0 with 512 packets,Descriptor base=ffde8000 420 | [ 12.557000] ===> Activate Deep Green Mode 421 | [ 12.560000] fiberTurnOff: disabling TX for fiber optics 422 | [ 12.580000] Initialized Runner Host Layer 423 | [ 12.584000] Initialized Runner Unicast Layer 424 | [ 12.587000] Initialized Runner L2 Unicast Layer 425 | [ 12.592000] Initialized Runner Multicast Layer 426 | [ 12.598000] Broadcom Packet Flow Cache HW acceleration enabled. 427 | [ 12.607000] Enabled Runner binding to Flow Cache 428 | [ 12.617000] Initialized Runner Protocol Layer (700) 429 | [ 12.622000] Broadcom Runner Blog Driver Char Driver v0.1 Apr 11 2018 12:28:21 Registered <252> 430 | [ 12.676000] SCSI subsystem initialized 431 | [ 12.777000] RDPA DS WAN UDP Filter Command Driver 432 | [ 12.797000] Wifi Forwarding Driver is initialized! 433 | [ 12.811000] Initializing WLCSM Module 434 | [ 12.814000] WLCSM Module loaded successfully 435 | [ 13.035000] DHD_FKB_POOL size is:1280 and entry size:2080 436 | [ 13.037000] fkbpool address range: c8800000 <-> c8a8a000 437 | [ 13.039000] DHD_PKTTAG POOL size is:8000 and entry size:64 438 | [ 13.043000] dhd_module_init in 439 | [ 13.044000] dhd_queue_budget = 256 440 | [ 13.045000] dhd_sta_threshold = 2048 441 | [ 13.046000] dhd_if_threshold = 65536 442 | [ 13.047000] no wifi platform data, skip 443 | [ 13.048000] dhdpcie_chipmatch: Unsupported vendor 14e4 device a8db 444 | [ 13.049000] dhdpcie_pci_probe: chipmatch failed!! 
445 | [ 13.050000] PCI_PROBE: bus 1, slot 0,vendor 14E4, device 4365(good PCI location) 446 | [ 13.051000] dhdpcie_init: can't find adapter info for this chip 447 | [ 13.052000] PCI: enabling device 0001:01:00.0 (0140 -> 0142) 448 | [ 13.173000] DHD: dongle ram size is set to 1835008(orig 1835008) at 0x200000 449 | [ 13.174000] dhd:0: fw path:/etc/wlan/dhd nv path:(null) 450 | [ 13.175000] Creating CPU ring for queue number 7 with 128 packets descriptor=0xbf1b96fc 451 | [ 13.175000] Done initializing Ring 7 Base=0xffdfe000 End=0xffdfe800 calculated entries= 128 RDD Base=0x00c17000 descriptor=0xbf1b96fc 452 | [ 13.179000] RDPA returned tx wakeup reg = <0x80299004>, val = <0x10000000> 453 | [ 13.180000] RDPA returned rx wakeup reg = <0x8029a004>, val = <0x26000000> 454 | [ 13.182000] Scratch pad is not initialized. 455 | [ 13.183000] dhd_runner_attach: Rx Offload - Enabled, Ring Size = 1024 456 | [ 13.187000] dhd_attach: wl0: pre-allocated buffer mode is disabled (allocskbsz=0) 457 | [ 13.188000] dhd_attach(): thread:dhd_watchdog_thread:2f7 started 458 | [ 13.190000] dhd_attach(): thread:dhd0_dpc:2fb started 459 | [ 13.191000] dhd_deferred_work_init: work queue initialized 460 | [ 13.192000] Creating CPU ring for queue number 0 with 1024 packets descriptor=0xbf2cfa78 461 | [ 13.192000] Creating CPU ring for queue number 1 with 1024 packets descriptor=0xbf2cfa94 462 | [ 13.194000]  wfd_bind: Dev wl%d wfd_idx 0 wl_radio_idx 0 Type fkb configured WFD thread wfd0-thrd minQId/maxQId (8/9), status (0) qmask 0x3 463 | [ 13.195000] Instantiating WFD 0 thread 464 | [ 13.196000] dhd:0: fw path:/etc/wlan/dhd nv path:(null) 465 | [ 13.197000] dhd_bus_download_firmware: firmware path=/etc/wlan/dhd, nvram path= 466 | [ 13.199000] dhdpcie_ramsize_adj: Enter 467 | [ 13.202000] fiberTurnOff: disabling TX for fiber optics 468 | [ 13.374000] dhdpcie_ramsize_adj: Adjust dongle RAMSIZE to 0x240000 469 | [ 13.380000] dhdpcie_download_code_file: download firmware 
/etc/wlan/dhd/4366c0/rtecdc.bin 470 | [ 13.857000] wl:srom/otp not programmed, using main memory mapped srom info(wombo board) 471 | [ 13.858000] wl: ID=pci/1/1/0/ 472 | [ 13.859000] wl: ID=pci/1/1/0/ 473 | [ 13.862000] wl: loading /etc/wlan/bcm43664_map.bin 474 | [ 13.871000] wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=20 475 | [ 13.873000] wl: reading /etc/wlan/bcm43664_nvramvars.bin, file size=20 476 | [ 13.874000] Replace or append with internal Mac Address 477 | [ 13.878000] dhdpcie_bus_write_vars: Download, Upload and compare of NVRAM succeeded. 478 | [ 13.932000] PCIe shared addr (0x002a6fbc) read took 53023 usec before dongle is ready 479 | [ 13.939000] DMA RX offset from shared Area 0 480 | [ 13.944000] dhdpcie_readshared: Dongle advertizes 2 size indices 481 | [ 13.946000] dhdpcie_readshared: Host support DMAing indices: H2D:1 - D2H:1. FW supports it 482 | [ 13.947000] H2D DMA WR INDX : array size 544 = 2 * 266 483 | [ 13.948000] D2H DMA RD INDX : array size 32 = 2 * 3 484 | [ 13.949000] D2H DMA WR INDX : array size 32 = 2 * 3 485 | [ 13.950000] H2D DMA RD INDX : array size 544 = 2 * 266 486 | [ 13.951000] ring_info_raw: 56 487 | [ 13.952000] e0 6a 43 00 b0 7b 43 00 c4 7d 43 00 d8 7f 43 00 488 | [ 13.958000] de 7f 43 00 00 00 00 00 00 00 00 00 00 00 00 00 489 | [ 13.963000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 490 | [ 13.968000] 00 00 00 00 0a 01 00 00 491 | [ 13.971000] dhdpcie_readshared: max H2D queues 266 492 | [ 13.972000] dhd_bus_start: Initializing 266 h2drings 493 | [ 13.974000] Scratch pad is not initialized. 494 | [ 13.976000] Scratch pad is not initialized. 495 | [ 13.978000] Scratch pad is not initialized. 496 | [ 13.979000] Scratch pad is not initialized. 497 | [ 13.980000] dhd_runner_profile_init: N+M profile = 3 01:1024 -1:2048 -1:1024 -1:0512 01:0512 498 | [ 13.981000] Scratch pad is not initialized. 
499 | [ 13.982000] dhd_runner_policy_init: N+M Policy = 0 1 (HW) 500 | [ 14.030000] dhd_bus_cmn_writeshared: 501 | [ 14.031000] 0000: 00 c0 ae 0d 00 00 00 00 502 | [ 14.032000] dhd_bus_cmn_writeshared: 503 | [ 14.033000] 0000: 00 00 c2 00 00 00 00 00 504 | [ 14.034000] dhd_bus_cmn_writeshared: 505 | [ 14.035000] 0000: 00 60 5d 09 00 00 00 00 506 | [ 14.037000] dhd_bus_cmn_writeshared: 507 | [ 14.038000] 0000: 00 40 7e 09 00 00 00 00 508 | [ 14.039000] dhd_bus_cmn_writeshared: 509 | [ 14.044000] 0000: 00 80 c2 00 00 00 00 00 510 | [ 14.047000] dhd_bus_cmn_writeshared: 511 | [ 14.051000] 0000: 00 00 60 08 00 00 00 00 512 | [ 14.055000] dhd_bus_cmn_writeshared: 513 | [ 14.059000] 0000: 00 10 14 00 514 | [ 14.062000] dhd_bus_cmn_writeshared: 515 | [ 14.066000] 0000: 00 48 57 09 00 00 00 00 516 | [ 14.071000] dhd_bus_cmn_writeshared: 517 | [ 14.074000] 0000: 00 4c 57 09 00 00 00 00 518 | [ 14.079000] dhd_bus_cmn_writeshared: 519 | [ 14.082000] 0000: 00 40 57 09 00 00 00 00 520 | [ 14.087000] dhd_bus_cmn_writeshared: 521 | [ 14.090000] 0000: 00 44 57 09 00 00 00 00 522 | [ 14.095000] Attach flowrings pool for 264 rings 523 | [ 14.100000] Runner DHD PCIE: vendor<0x14e4> device<0x4365> bus<1> slot<0> 524 | [ 14.108000] Initial configuration 525 | [ 14.111000] ================================= 526 | [ 14.115000] rx_post_flow_ring_base_addr : c0c20000 527 | [ 14.120000] tx_post_flow_ring_base_addr : 0 528 | [ 14.125000] rx_complete_flow_ring_base_addr : c0c28000 529 | [ 14.130000] tx_complete_flow_ring_base_addr : 0 530 | [ 14.135000] 531 | [ 14.137000] r2d_wr_arr_base_addr : ffde0000 532 | [ 14.141000] d2r_rd_arr_base_addr : ffde0402 533 | [ 14.145000] r2d_rd_arr_base_addr : ffde0c00 534 | [ 14.150000] d2r_wr_arr_base_addr : ffde0802 535 | [ 14.154000] tx_post_mgmt_arr_base_addr : ffde1000 536 | [ 14.159000] tx_post_mgmt_arr_base_phys_addr : 9575000 537 | [ 14.164000] 538 | [ 14.166000] r2d_wr_arr_base_phys_addr : 9574000 539 | [ 14.171000] d2r_rd_arr_base_phys_addr : 
9574402 540 | [ 14.175000] r2d_rd_arr_base_phys_addr : 9574c00 541 | [ 14.180000] d2r_wr_arr_base_phys_addr : 9574802 542 | [ 14.185000] 543 | [ 14.186000] Doorbell ISR : bf2edc54 544 | [ 14.190000] Doorbell CTX : c9568c00 545 | [ 14.194000] Runner DHD Offload initialization complete 546 | [ 14.202000] dhd_rx_frame: net device is NOT registered. drop event packet 547 | [ 14.203000] dhd_rx_frame: net device is NOT registered. drop event packet 548 | [ 14.204000] CUR_ETHERADDR : 6 549 | [ 14.207000] 00 10 18 00 00 01 550 | [ 14.211000] dhd_sync_with_dongle: GET_REVINFO device 0x43c5, vendor 0x14e4, chipnum 0xaa90 551 | [ 14.220000] 552 | [ 14.220000] Dongle Host Driver, version 7.14.164.19.cpe4.16L05_114353_121572_132983_136203_142485.1-kdb 553 | [ 14.225000] wfd_registerdevice Successfully registered dev wl0 ifidx 0 wfd_idx 0 554 | [ 14.233000] Broadcom PCI Device 0x6313 has allocated with driver pcieport 555 | [ 14.243000] Broadcom PCI Device 0x6313 has allocated with driver pcieport 556 | [ 14.251000] dhd_module_init out 557 | [ 14.713000] Creating CPU ring for queue number 2 with 256 packets descriptor=0xbf1b9580 558 | [ 14.713000] Done initializing Ring 2 Base=0xffdde000 End=0xffddf000 calculated entries= 256 RDD Base=0x00c3e000 descriptor=0xbf1b9580 559 | [ 14.768000] tun: Universal TUN/TAP device driver, 1.6 560 | [ 14.773000] tun: (C) 1999-2004 Max Krasnyansky 561 | [ 14.816000] PPP MPPE Compression module registered 562 | [ 14.846000] IPv4 over IPv4 tunneling driver 563 | [ 14.867000] IPv6 over IPv4 tunneling driver 564 | [ 14.910000] zram: num_devices not specified. Using default: 1 565 | [ 14.911000] zram: Creating 1 devices ... 566 | [ 14.972000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver 567 | [ 15.037000] ++++ Powering up SATA block 568 | [ 15.044000] writing PORT0_SATA3_PCB_BLOCK_ADDR 569 | [ 15.048000] INFO: PLL lock for port0 detected 9100... 
570 | [ 15.071000] ++++ Powering up USB blocks 571 | [ 15.079000] ++++ USB POWER ON ++++ 572 | [ 15.433000] ehci-platform ehci-platform.0: Generic Platform EHCI Controller 573 | [ 15.439000] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1 574 | [ 15.448000] ehci-platform ehci-platform.0: irq 105, io mem 0x8000c300 575 | [ 15.462000] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 1.00 576 | [ 15.479000] hub 1-0:1.0: USB hub found 577 | [ 15.483000] hub 1-0:1.0: 2 ports detected 578 | [ 15.645000] Loading independent TCP/IPv6 endpoint filter target 579 | [ 15.833000] xt_time: kernel timezone is -0000 580 | [ 15.970000] Ebtables v2.0 registered 581 | [ 16.094000] ip6_tables: (C) 2000-2006 Netfilter Core Team 582 | [ 16.226000] NF_TPROXY: Transparent proxy support initialized, version 4.1.0 583 | [ 16.227000] NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd. 584 | [ 16.288000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver 585 | [ 16.296000] ohci-platform ohci-platform.0: Generic Platform OHCI Controller 586 | [ 16.307000] ohci-platform ohci-platform.0: new USB bus registered, assigned bus number 2 587 | [ 16.314000] ohci-platform ohci-platform.0: irq 104, io mem 0x8000c400 588 | [*] Starting Swap Disk (RAM) 589 | [Swap Disk (RAM) ready] 590 | [*] Starting Yatta Transport Fast Forwarding 591 | [ 16.339000] Adding 3068k swap on /dev/zram0. 
Priority:-1 extents:1 across:3068k SS 592 | [ 16.355000] --SMP support 593 | [ 16.356000] wl: dsl_tx_pkt_flush_len=338 594 | [ 16.361000] wl: norm_wmark_tot=12582, pktc_wmark_tot=12582 595 | [ 16.363000] PCI: enabling device 0000:01:00.0 (0140 -> 0142) 596 | [ 16.365000] wl: passivemode=1 597 | [ 16.366000] wl1: creating kthread wl1-kthrd 598 | [ 16.370000] wl: napimode=0 599 | [Yatta Transport Fast Forwarding ready] 600 | [ 16.386000] hub 2-0:1.0: USB hub found 601 | [ 16.390000] hub 2-0:1.0: 2 ports detected 602 | [ 16.396000] initvars_cis_pci: Not CIS format 603 | [ 16.397000] Neither SPROM nor OTP has valid image 604 | [ 16.399000] wl:srom/otp not programmed, using main memory mapped srom info(wombo board) 605 | [ 16.400000] wl: ID=pci/0/1/0/ 606 | [ 16.401000] wl: ID=pci/0/1/0/ 607 | [ 16.408000] wl: loading /etc/wlan/bcm43217_map.bin 608 | [ 16.415000] srom rev:8 609 | [ 16.419000] wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=20 610 | [ 16.481000] wl1: allocskbmode=0 currallocskbsz=0 611 | [ 16.485000] Creating CPU ring for queue number 2 with 1024 packets descriptor=0xbf2cfab0 612 | [ 16.485000] 613 | [ 16.485000] xhci-hcd xhci-hcd.0: xHCI Host Controller 614 | [ 16.485000] xhci-hcd xhci-hcd.0: new USB bus registered, assigned bus number 3 615 | [ 16.485000] xhci-hcd xhci-hcd.0: irq 106, io mem 0x8000d000 616 | [ 16.487000] Creating CPU ring for queue number 3 with 1024 packets descriptor=0xbf2cfacc 617 | [ 16.487000] 618 | [ 16.493000]  wfd_bind: Dev wl%d wfd_idx 1 wl_radio_idx 1 Type skb configured WFD thread wfd1-thrd minQId/maxQId (10/11), status (0) qmask 0xc 619 | [ 16.493000] hub 3-0:1.0: USB hub found 620 | [ 16.493000] hub 3-0:1.0: 0 ports detected 621 | [ 16.493000] xhci-hcd xhci-hcd.0: xHCI Host Controller 622 | [ 16.493000] xhci-hcd xhci-hcd.0: new USB bus registered, assigned bus number 4 623 | [ 16.493000] Instantiating WFD 1 thread 624 | [ 16.505000] hub 4-0:1.0: USB hub found 625 | [ 16.508000] hub 4-0:1.0: 2 ports detected 626 | [ 
16.516000] wfd_registerdevice Successfully registered dev wl1 ifidx 0 wfd_idx 1 627 | [ 16.517000] wl1: Broadcom BCM43227 802.11 Wireless Controller 7.14.164.19.cpe4.16L05_114353_121572_132983_136203_142485.1-kdb 628 | [ 16.519000] dgasp: kerSysRegisterDyingGaspHandler: wl1 registered 629 | [ 16.560000] Loading modules backported from Linux version v4.2-rc1-0-gd770e55 630 | [ 16.577000] Backport generated by backports.git v4.2-rc1-1-0-g83a2518 631 | [ 16.701000] usbcore: registered new interface driver cdc_wdm 632 | [ 16.771000] usbcore: registered new interface driver usblp 633 | [ 16.793000] usbcore: registered new interface driver usbserial 634 | [ 16.796000] usbcore: registered new interface driver usbserial_generic 635 | [ 16.808000] USB Serial support registered for generic 636 | [ 16.810000] usbserial: USB Serial Driver core 637 | [ 16.871000] usbcore: registered new interface driver cdc_ncm 638 | [ 16.896000] usbcore: registered new interface driver huawei_cdc_ncm 639 | [ 17.064000] wfd_registerdevice Successfully registered dev wl0.1 ifidx 1 wfd_idx 0 640 | [ 17.071000] BRCM TRNG registered 641 | [ 17.100000] wfd_registerdevice Successfully registered dev wl1.1 ifidx 1 wfd_idx 1 642 | [ 17.109000] usbcore: registered new interface driver option 643 | [ 17.111000] USB Serial support registered for GSM modem (1-port) 644 | [ 17.118000] Broadcom 63138 WatchDog Timer Driver 645 | [ 17.123000] initialized. heartbeat=30 sec 646 | [ 17.184000] adsl: adsl_init entry 647 | - Init DSL Line 648 | [ 17.221000] bcmxtmcfg: ChipId Rev-b0 649 | [ 17.224000] bcmxtmcfg: DS xDSL G.inp Mode = DISABLED 650 | [ 17.229000] bcmxtmcfg: xDSL G.Fast Mode = DISABLED 651 | [ 17.234000] bcmxtmrt: PTM/ATM Non-Bonding Mode configured in system 652 | [ 17.241000] bcmxtmcfg: Out of sequence call to XTM_ASM_HANDLER::Uninitialize(). Recovering. 653 | [ 17.250000] bcmxtmcfg: ATM Bonding configured in system. 
Fallback mode = Enabled 654 | [ 17.257000] bcmxtmcfg: Bonding State is DATA_IDLE 655 | [ 17.263000] bcmxtmcfg: SID MODE SET to 12 BIT MODE 656 | [ 17.268000] bcmxtmcfg: ATM Bonding Mgmt Log Area = c954dd18 657 | [*] InterfaceMonitor Init 658 | [ 19.568000] *** dslThread dslPid=1842 659 | [ 19.569000] BcmAdsl_Initialize=0xBF952028, g_pFnNotifyCallback=0xBF988278 660 | [ 19.570000] AdslCoreSetSDRAMBaseAddr: pAddr=0x0FE00000 sdramPageAddr=0xCFE00000 661 | [ 19.632000] BcmAdslCoreCalibrate: (cnt1-cnt)=0x03935856, adslCoreCyclesPerMs=999800, BCMOS_MSEC_PER_TICK =1 662 | [ 19.644000] DYING GASP IRQ Disabled 663 | [ 19.661000] DYING GASP IRQ Enabled 664 | [ 19.662000] AdslCoreLoadImage: Gfast PHY 665 | [ 19.768000] AdslCoreSetSdramImageAddr: lmem2=0x10010000, pgSize=0x0 sdramSize=0xAB35C 666 | [ 19.769000] AdslCoreSetSdramImageAddr: lmem2(0x10000) vs ADSL_PHY_SDRAM_BIAS(0x10000); origAddr=0xCFE10000 newAddr=0xCFE10000 667 | [ 19.771000] pSdramPHY=0xCFFFFFF8, 0xAFE3F75F 0x83D532ED 668 | [ 19.772000] AdslCoreSetSdramImageAddr: sdramPageAddr=0xcfe00000, sdramImageAddr=0xcfe10000, sdramPhyImageAddr=0x10010000 669 | [ 19.773000] *** AdslCoreSetXfaceOffset: data[0]=0xFFF7406F data[1]=0x8BF90 *** 670 | [ 19.775000] *** XfaceOffset: 0x6FF90 => 0x8BF90 *** 671 | [ 19.941000] *** AdslCoreSetSdramTrueSize: data[0]=0x679CECFF data[1]=0x98631300 *** 672 | [ 19.942000] *** AdslCoreSetSdramTrueSize: data[0]=0xFFEC9C67 data[1]=0x136398 *** 673 | [ 19.943000] *** PhySdramSize got adjusted: 0xAB35C => 0x136398 *** 674 | [ 19.944000] AdslCoreSharedMemInit: shareMemSize=760896(760896) 675 | [ 19.945000] __AdslCoreHwReset: pAdslX=0xfc78bf90 676 | [ 19.946000] __AdslCoreHwReset: pAdslX->sdramBaseAddr=0x0000e1af, pAdslX->gfcTable[]=0x0000e1cf, adslCorePhyDesc.sdramImageAddr=0xcfe10000 677 | [ 19.962000] AdslCoreHwReset: pLocSbSta=c62a0000 bkupThreshold=3072 678 | [ 19.963000] AdslCoreHwReset: AdslOemDataAddr = 0xCFEB0D00, time=12 ms 679 | [ 19.967000] VersionInfo: AfH042p.d26l 680 | [ 
19.968000] ***BcmDiagsMgrRegisterClient: 0 *** 681 | [ 19.969000] dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered 682 | **** AfH042p.d26l **** 683 | [ 22.180000] fiberTurnOn: enabling TX for fiber optics 684 | [*] Starting Firewall 685 | [ 22.568000] *** BcmXdslCoreMaintenanceTask: Resetting XdslCore 686 | [ 22.573000] Saving OEM data from 0xCFEB0D00 687 | [ 22.583000] DYING GASP IRQ Disabled 688 | [ 22.602000] DYING GASP IRQ Enabled 689 | [ 22.603000] DYING GASP IRQ Disabled 690 | [ 22.620000] DYING GASP IRQ Enabled 691 | [ 22.621000] AdslCoreLoadImage: Non-Gfast PHY 692 | [Firewall ready] 693 | [*] Starting NAT 694 | [ 22.729000] AdslCoreSetSdramImageAddr: lmem2=0x10010000, pgSize=0x0 sdramSize=0x11F5C8 695 | [ 22.730000] AdslCoreSetSdramImageAddr: lmem2(0x10000) vs ADSL_PHY_SDRAM_BIAS(0x10000); origAddr=0xCFE10000 newAddr=0xCFE10000 696 | [ 22.731000] pSdramPHY=0xCFFFFFF8, 0xB7C 0xDEADBEEF 697 | [ 22.732000] AdslCoreSetSdramImageAddr: sdramPageAddr=0xcfe00000, sdramImageAddr=0xcfe10000, sdramPhyImageAddr=0x10010000 698 | [ 22.733000] *** AdslCoreSetXfaceOffset: data[0]=0xFFF9006F data[1]=0x6FF90 *** 699 | [ 22.734000] *** XfaceOffset: 0x8BF90 => 0x6FF90 *** 700 | [*] Starting Port Mapping 701 | [Port Mapping ready] 702 | [NAT ready] 703 | [*] Starting QoS 704 | [ 23.133000] *** AdslCoreSetSdramTrueSize: data[0]=0xC74DE7FF data[1]=0x38B21800 *** 705 | [ 23.134000] *** AdslCoreSetSdramTrueSize: data[0]=0xFFE74DC7 data[1]=0x18B238 *** 706 | [ 23.135000] *** PhySdramSize got adjusted: 0x11F5C8 => 0x18B238 *** 707 | [ 23.136000] AdslCoreSharedMemInit: shareMemSize=413088(413088) 708 | [ 23.137000] __AdslCoreHwReset: pAdslX=0xfc76ff90 709 | [ 23.138000] __AdslCoreHwReset: pAdslX->sdramBaseAddr=0x0000e1af, pAdslX->gfcTable[]=0x0000e1cf, adslCorePhyDesc.sdramImageAddr=0xcfe10000 710 | [ 23.153000] AdslCoreHwReset: pLocSbSta=c62a0000 bkupThreshold=3072 711 | [ 23.154000] AdslCoreHwReset: AdslOemDataAddr = 0xCFF0F83C, time=10 ms 712 | [ 23.155000] VersionInfo: 
A2pvbH042p.d26l 713 | **** A2pvbH042p.d26l **** 714 | [QoS ready] 715 | [ 24.202000] Initializing USB Mass Storage driver... 716 | [ 24.207000] usbcore: registered new interface driver usb-storage 717 | [ 24.208000] USB Mass Storage support registered. 718 | 719 | 720 | --  Prepare Networking  [25.55] 721 | 722 | - Init USB Interfaces 723 | - Init Bridges (0) 724 | [ 24.377000] device eth1 entered promiscuous mode 725 | [ 24.579000] device eth2 entered promiscuous mode 726 | [ 24.781000] device eth3 entered promiscuous mode 727 | [ 24.982000] device eth4 entered promiscuous mode 728 | [ 25.183000] device wl0 entered promiscuous mode 729 | [ 25.191000] device wl1 entered promiscuous mode 730 | [ 25.199000] device wl0.1 entered promiscuous mode 731 | [ 25.206000] device wl1.1 entered promiscuous mode 732 | ==[br0]== 802.1D-2004 -(eth1)--(eth2)--(eth3)--(eth4)--(wl0)--(wl1)--(wl0.1)--(wl1.1)- 733 | [ 26.062000] device br0 entered promiscuous mode 734 | [ 26.170000] ADDRCONF(NETDEV_UP): br0: link is not ready 735 | 736 | 737 | --  Start Networking  [27.55] 738 | 739 | [*] Starting DNS client 740 | starting pid 2431, tty '/dev/null': 'dns' 741 | [DNS client ready] 742 | [*] Starting DHCP server 743 | [*] LAN Ethernet Interfaces - Power UP! 
(B) 744 | [eth1] up 745 | [eth2] up 746 | [eth3] up 747 | [eth4] up 748 | starting pid 2607, tty '/dev/null': 'dhcps /tmp/dhcps.conf' 749 | [*] Starting Filtering 750 | [Filtering ready] 751 | [*] Starting TR-069 agent (B) 752 | [DHCP server ready] 753 | [TR-069 agent (B) ready] 754 | [*] Starting Public Pool 755 | [Public Pool ready] 756 | [*] Starting IPv6 services 757 | - DHCPv6 init 758 | 759 | 760 | --  Start Network Services  [28.28] 761 | 762 | [*] Starting DNS forwarder 763 | [DNS forwarder ready] 764 | [*] Starting IGMP proxy 765 | ### UPnP: Stopping UPnP service 766 | ### UPnP: Starting UPnP service 767 | ### miniupnpd -d -i ppp0 -a br0 -N -I 2 -t 30 768 | starting pid 2901, tty '/dev/null': 'cwmp' 769 | starting pid 2903, tty '/dev/null': 'inetd -f' 770 | starting pid 2904, tty '/dev/null': 'httpd -u nobody' 771 | starting pid 2905, tty '/dev/null': 'yamp -c /tmp/yamp.conf -p /tmp/yamp.pid' 772 | starting pid 2907, tty '/dev/null': 'miniupnpd -d -i ppp0 -a br0 -N -I 2 -t 30' 773 | [IGMP proxy ready] 774 | [*] Starting UPnP service 775 | ### UPnP: Stopping UPnP service 776 | ### UPnP: Starting UPnP service 777 | ### miniupnpd -d -i ppp0 -a br0 -N -I 2 -t 30 -p 60579 778 | [UPnP service ready] 779 | [*] Starting WPS/WLAN button service (B) 780 | [*] Startup Software Execution Environments 781 | [*] Starting VOIP services (B) 782 | 783 | 784 | --  System Ready  [29.45] 785 | 786 | Starting /etc/rc.d/S13acsd.sh ... 787 | Starting /etc/rc.d/S20voip.sh ... 788 | [ 28.319000] Loading PCM shim driver 789 | [ 28.865000] Endpoint: endpoint_init entry 790 | stopping [ 28.867000] Endpoint: endpoint_init COMPLETED 791 | pid '2907' on miniupnpd change. 792 | starting pid 2975, tty '/dev/null': 'miniupnpd -d -i ppp0 -a br0 -N -I 2 -t 30 -p 60579' 793 | starting pid 2976, tty '/dev/null': '/usr/sbin/acsd' 794 | reporting service status with 'echo failed starting ACSD >/dev/console' 795 | failed starting ACSD 796 | Starting /etc/rc.d/S60ipsec.sh ... 
797 | Starting /etc/rc.d/S70vpn.sh ... 798 | Starting /etc/rc.d/S94printkd.sh ... 799 | [*] Starting Printk Dump 800 | [Printk Dump ready] 801 | Starting /etc/rc.d/S95done ... 802 | Starting /etc/rc.d/S98rngd ... 803 | starting pid 3204, tty '/dev/null': 'voip >/dev/console' 804 | 1523442612:881999 : 3204 : AEP ENDPT - Open Broadcom Endopoint Driver 805 | 1523442613:068320 [1 voip] VOI[ 35.985000] BOS: Enter bosInit 806 | [ 35.988000] BOS: Exit bosInit 807 | P BASE - Failed to SIOCGIFFLAGS ifname ppp0 808 | 1523442613:068633 [1 voip] VOIP BASE - Failed to SIOCGIFFLAGS ifname ppp0 809 | 1523442613:068984 [1 voip] VOIP BASE - Start Provisioning Endpoint Configuration 810 | 1523442613:069747 [1 voip] VOIP BASE - Completed Start Provisioning Endpoint 811 | 1523442613:069828 [1 voip] VOIP BASE - Num media profiles 16 VS num channels 10 812 | 1523442613:070431 [1 voip] VOIP BASE - Init PhoneBook L[ 36.037000] ******* DSP: Found BCM63138 ******* 813 | inked List 814 | 1523442613:070474 [1 voip] VOIP BASE - Init Line Sett[ 36.048000] ******* DSP: In PCM Mode ******* 815 | [ 36.052000] ******* DSP: PCM running in 16 bit mode ******* 816 | ing Linked List 817 | [ 36.062000] gInterruptCounter = 0xBFCB2070 818 | [ 36.072000] gInterruptErrors = 0xBFCB2074 819 | [ 36.082000] halShimEntryCount = 0x00000002 820 | [ 36.086000] gDectTestMode = 0xbfcb21bc 821 | [ 36.098000] dectBuffStart = 0xbfcb21a4 822 | [ 36.102000] gDectRxOutOfSyncCounter = 0xbfcb21c0 823 | [ 36.112000] gDectTxOutOfSyncCounter = 0xbfcb21c4 824 | [ 36.122000] ddrAddrTxV = 0xbfcb2148 825 | [ 36.132000] ddrAddrRxV = 0xbfcb214c 826 | [ 36.136000] 32 ms ECAN tail-length 827 | [ 36.142000] *** dmaCtl[0].rx[0].descVirt = 0xFFDC7000 828 | [ 36.152000] *** dmaCtl[0].rx[1].descVirt = 0xFFDC7008 829 | [ 36.162000] *** dmaCtl[0].tx[0].descVirt = 0xFFDC77D0 830 | [ 36.166000] *** dmaCtl[0].tx[1].descVirt = 0xFFDC77D8 831 | [ 36.178000] *** buffer size: 640 832 | [ 36.180000] *** Ownership for TX desc 1 not set. 
Use this buffer. 833 | [ 36.196000] Binding 0xce0a4cc0 834 | [ 37.762000] boardHalInit completed 835 | [ 37.768000] DSP: Interrupt Ids 836 | [ 37.770000] --------------- 837 | [ 37.773000] InterruptId = 148 838 | [ 37.887000] EndpointInit completed 839 | [ 37.889000] dgasp: kerSysRegisterDyingGaspHandler: endpoint registered 840 | 1523442616:266069 [7 Reconf] VOIP BASE - Failed to SIOCGIFFLAGS ifname ppp0 841 | 1523442616:266371 [7 Reconf] VOIP BASE - Failed to SIOCGIFFLAGS ifname ppp0 842 | 1523442627:261816 [7 Reconf] VOIP BASE - Failed to SIOCGIFFLAGS ifname ppp0 843 | 1523442627:262085 [7 Reconf] VOIP BASE - Failed to SIOCGIFFLAGS ifname ppp0 844 | Apr 11 12:30:36 miniupnpd[2975]: (*) urn:schemas-upnp-org:device:InternetGatewayDevice:2 845 | Apr 11 12:30:36 miniupnpd[2975]: ->>>> uuid:c454964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:device:InternetGatewayDevice:2 846 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services nt = urn:schemas-upnp-org:service:Layer3Forwarding:1 847 | 848 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services usn = uuid:c454964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:Layer3Forwarding:1 849 | 850 | Apr 11 12:30:36 miniupnpd[2975]: (*) urn:schemas-upnp-org:service:Layer3Forwarding:1 851 | Apr 11 12:30:36 miniupnpd[2975]: ->>>> uuid:c454964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:Layer3Forwarding:1 852 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies case 2 nt = uuid:ea7e964c-733d-e811-99ec-0cb6d201750c, usn = uuid:ea7e964c-733d-e811-99ec-0cb6d201750c 853 | Apr 11 12:30:36 miniupnpd[2975]: (*) uuid:ea7e964c-733d-e811-99ec-0cb6d201750c 854 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies case 1 nt = urn:schemas-upnp-org:device:WANConnectionDevice:2, usn = uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:device:WANConnectionDevice:2 name = urn:schemas-upnp-org:device:WANConnectionDevice version = 2 855 | Apr 11 12:30:36 miniupnpd[2975]: (*) 
urn:schemas-upnp-org:device:WANConnectionDevice:2 856 | Apr 11 12:30:36 miniupnpd[2975]: ->>>> uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:device:WANConnectionDevice:2 857 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services nt = urn:schemas-upnp-org:service:WANPPPConnection:1 858 | 859 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services usn = uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:WANPPPConnection:1 860 | 861 | Apr 11 12:30:36 miniupnpd[2975]: (*) urn:schemas-upnp-org:service:WANPPPConnection:1 862 | Apr 11 12:30:36 miniupnpd[2975]: ->>>> uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:WANPPPConnection:1 863 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services nt = urn:schemas-upnp-org:service:WANIPv6FirewallControl:1 864 | 865 | Apr 11 12:30:36 miniupnpd[2975]: SendSSDPNotifies services usn = uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:WANIPv6FirewallControl:1 866 | 867 | Apr 11 12:30:36 miniupnpd[2975]: (*) urn:schemas-upnp-org:service:WANIPv6FirewallControl:1 868 | Apr 11 12:30:36 miniupnpd[2975]: ->>>> uuid:4097964c-733d-e811-99ec-0cb6d201750c::urn:schemas-upnp-org:service:WANIPv6FirewallControl:1 869 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Description

This is a work in progress: it is fully usable and runs correctly, but the documentation is still incomplete.

**Buildroot-armv7** is a Docker image (in which Buildroot is not included), a set of scripts, configuration files and a Buildroot external tree that make it easy to set up an emulation environment in which to run, debug and reverse engineer the *Netgear DVA 5592* router executables.
This environment uses Docker, Buildroot and Qemu to build a root file system and emulate a board with an ARMv7 Cortex A9 processor, a quite old Linux kernel, version 3.4.11-rt19 with appropriate patches, uClibc 0.9.33.2, and old versions of other libraries.

# Table of Contents

- [Description](#description)
- [Table of Contents](#table-of-contents)
- [Quick Start](#quick-start)
- [Building the emulation environment](#building-the-emulation-environment)
- [Emulation environment requirements](#emulation-environment-requirements)
- [Choosing the tool to build the Root File System](#choosing-the-tool-to-build-the-root-file-system)
- [Issues to overcome](#issues-to-overcome)
- [The Docker image](#the-docker-image)
- [Buildroot configuration](#buildroot-configuration)
- [Running Buildroot](#running-buildroot)
- [Reverse Engineering Router's Binaries](#reverse-engineering-routers-binaries)
- [File system and console output analysis](#file-system-and-console-output-analysis)
- [Reverse Engineering `sig_verify`](#reverse-engineering-sigverify)
- [Listing `sig_verify` library calls](#listing-sigverify-library-calls)
- [Starting the emulated Machine](#starting-the-emulated-machine)
- [Starting `gdbserver` on the emulated Machine](#starting-gdbserver-on-the-emulated-machine)
- [Starting `gdb` in the host machine](#starting-gdb-in-the-host-machine)
- [Generate a Public Key file in *pem* format with the MPIs in `sig_verify`](#generate-a-public-key-file-in-pem-format-with-the-mpis-in-sigverify)
- [`mysig_verify`: a script that does the same job as `sig_verify`](#mysigverify-a-script-that-does-the-same-job-as-sigverify)
- [Conclusion on reverse engineering `sig_verify`](#conclusion-on-reverse-engineering-sigverify)

# Quick Start

On a Linux box, the only OS supported:

* install Docker; [this
guide](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-18-04), or a similar guide, can be useful
* add your username to the *docker* group with a command similar to the following (it can differ in some Linux distributions):
  ```
  $ sudo adduser *yourusername* docker
  ```
* install [Qemu](https://www.qemu.org/), using something similar to the following command:
  ```
  $ sudo apt-get install qemu qemu-block-extra qemu-kvm qemu-slof qemu-system \
      qemu-system-arm qemu-system-common qemu-system-mips qemu-system-misc \
      qemu-system-ppc qemu-system-s390x qemu-system-sparc qemu-system-x86 \
      qemu-user qemu-user-binfmt qemu-utils
  ```
* install [Binwalk](https://github.com/ReFirmLabs/binwalk), using something similar to the following command:
  ```
  $ sudo apt-get install binwalk
  ```
* install [Jefferson](https://github.com/sviehb/jefferson), following the instructions in its GitHub repository
* download this project with commands similar to the following:
  ```
  valerio@ubuntu-hp:~$ mkdir br # configuration script will create folders here
  valerio@ubuntu-hp:~$ cd br
  valerio@ubuntu-hp:~/br$ git clone https://github.com/digiampietro/buildroot-armv7.git buildroot-armv7
  ```
* type the following commands; the `br-armv7-config.sh` script will download Buildroot, the Linux kernel and the router firmware, and will configure the environment:
  ```
  valerio@ubuntu-hp:~/br$ cd buildroot-armv7
  valerio@ubuntu-hp:~/br/buildroot-armv7$ ./br-armv7-config.sh
  ```
* download the docker image from the Docker repository:
  ```
  valerio@ubuntu-hp:~/br/buildroot-armv7$ docker pull digiampietro/buildroot-armv7
  ```
* run the docker image, which is based on the old Debian Wheezy in order to run the old buildroot-2014-02; the current username and home directory are mapped inside the docker host.
Inside the docker host the command prompt has changed, the hostname now is *BRHOST*: 67 | ``` 68 | valerio@ubuntu-hp:~/br/buildroot-armv7$ cd docker/ 69 | valerio@ubuntu-hp:~/br/buildroot-armv7/docker$ ./dockrun.sh 70 | valerio@BRHOST:~$ cd ~/br/buildroot-armv7 71 | ``` 72 | * run the *Buildroot* make using the *brmake* shell script that sets the *BR2_EXTERNAL* environment variable to use a customized buildroot external tree: 73 | ``` 74 | valerio@BRHOST:~/br/buildroot-armv7$ ./brmake dvaemu-emu_arm_vexpress_defconfig 75 | valerio@BRHOST:~/br/buildroot-armv7$ ./brmake # takes a loooong time 76 | ``` 77 | * at the end of the buildroot process a root file system image has been built, ready to be used by *Qemu*, running outside the docker machine: 78 | ``` 79 | valerio@BRHOST:~/br/buildroot-armv7$ exit 80 | root@BRHOST:/src/misc# exit 81 | valerio@ubuntu-hp:~/br/buildroot-armv7/docker$ cd ../qemu-run/ 82 | valerio@ubuntu-hp:~/br/buildroot-armv7/qemu-run$ ./qr 83 | ... 84 | reeing init memory: 160K 85 | smsc911x 4e000000.ethernet: eth0: SMSC911x/921x identified at 0xc08c0000, IRQ: 47 86 | Welcome to Buildroot 87 | buildroot login: root 88 | root@buildroot:~# uname -a 89 | Linux buildroot 3.4.11-rt19 #1 SMP PREEMPT Fri Sep 28 18:46:38 UTC 2018 armv7l GNU/Linux 90 | root@buildroot:~# 91 | ``` 92 | * an ARM virtual machine is now available to run debug and reverse engineer the most interesting router executables. 
The router root file system has been included in the ARM image in the folder `/dva-root`, the firmware files and file system images are included in the folder `/dva-firm`: 93 | ``` 94 | root@buildroot:~# ls /dva-root/ 95 | bin dev.tar.gz mnt sbin usr 96 | data etc proc sys var 97 | dev lib root tmp www 98 | root@buildroot:~# ls /dva-firm/ 99 | DVA-5592_A1_WI_20180405.sig root-fs.bin 100 | boot-fs.bin set-nandsim.sh 101 | ``` 102 | * to exit from the Qemu virtual machine you can type `# halt` and then press `Ctrl-A` followed by the key `X` 103 | 104 | 105 | # Building the emulation environment 106 | The purpose of the emulation environment is to run, as much as possible, router executables in a Qemu virtual machine. This means not only that the machine must have an ARM v7 Cortex-A9 processor, but that the kernel and the libraries should be the same version, or compatible versions, used in the router. 107 | 108 | ## Emulation environment requirements 109 | The emulated environment should have: 110 | * an ARM v7 Cortex A9 Processor 111 | * an emulated 256Mb Nand flash memory, emulated with the *nandsim* kernel flash emulator 112 | * a Linux Kernel version 3.4.11-rt19 113 | * a root file system using uClibc, version 0.9.33.2, as standard C library 114 | * a Gnu libgcrypt crypto library version 1.5 (with library file: `libgcrypt.so.11`) 115 | * other libraries with compatible versions with the router's binaries 116 | These requirements basically means to use what was available in 2014, because the software used to build the router firmware seems coming from that year. 

## Choosing the tool to build the Root File System
The root file system can be built with a cross compilation toolchain able to generate binaries for the ARM architecture on an Intel based Linux PC; but building the kernel, the libraries and the needed packages can be very challenging and time consuming because of the version dependencies that each package can have on other packages and standard libraries (the so called *dependency hell*). For this reason it is better to select a build tool able to manage this *dependency hell*. The most popular build tools for embedded devices are:
* [The Yocto Project](https://www.yoctoproject.org/) is very powerful: it not only builds a root file system, but is able to create a custom Linux distribution for the embedded device. Its main drawback is that it has a steep learning curve
* [Buildroot](https://buildroot.org/) has a more limited scope: it builds the root file system and the kernel, it is quite easy and fast to learn and has a very good user manual, neither too big nor too small
* [Openwrt/LEDE Build System](https://openwrt.org/docs/guide-user/additional-software/beginners-build-guide) is tailored mainly to building a replacement router firmware; its documentation is much more scattered across the web site and so requires more time to learn.

Buildroot has been the tool chosen for this reverse engineering project. It has been easy to learn and effective in building the required root file system.

## Issues to overcome
The initial idea was to use the latest Buildroot version available (*buildroot-2018-05*) on the latest Ubuntu version (*18.04.1 LTS, Bionic Beaver*), but this buildroot version doesn't have the option to use uClibc: it has uClibc-ng, which is not fully compatible with the router's binaries compiled with uClibc; the Gnu libgcrypt crypto library is a newer version, not fully compatible with the router's binaries. It is practically impossible to downgrade these two libraries and others because of the *dependency hell*.

Another idea was to use an older Buildroot version (*buildroot-2014-02*) that has the same uClibc version as the router, a compatible version of the Gnu libgcrypt crypto library and similar versions of other libraries. The problem is that this buildroot version, on Ubuntu 18.04, gives multiple compilation errors, almost impossible to fix; changing the gcc version doesn't help to solve all the issues.

The solution has been to use a Docker image, based on *Debian Wheezy* released in 2013, to run *buildroot-2014-02*; this docker image is able to run this version of buildroot without any issues.

During the setup of this environment many other issues have arisen; they are described below in the description of the various configurations.

## The Docker image
The main purpose of the Docker image is to have a Linux environment able to run *buildroot-2014.02* without issues; for this reason the image is based on Debian Wheezy (released in 2013) with the additional packages needed to run *buildroot-2014.02*, including the packages and QT libraries needed to do a `make xconfig` with a GUI. The [Dockerfile](https://github.com/digiampietro/buildroot-armv7/blob/master/docker/Dockerfile) is quite simple and doesn't include Buildroot.

Buildroot is installed in the user's home directory because both the user and his home directory are mapped inside the Docker image using the following shell script, [`docker/dockrun.sh`](https://github.com/digiampietro/buildroot-armv7/blob/master/docker/dockrun.sh), to run the Docker image:
```shell
#!/bin/sh

export GDISPLAY=unix/$DISPLAY      # forward X11 display to the host machine
export GUSERNAME=`id -u -n`        # current user's username
export GUID=`id -u`                # current user's user id
export GGROUP=`id -g -n`           # current user's primary group name
export GGID=`id -g`                # current user's primary group id
export GHOME=$HOME                 # current user's home directory
export GSHELL=$SHELL               # current user's shell
export GRUNXTERM=0                 # flag start lxterminal, useful in windows
export GPWD=`pwd`                  # current working directory

docker run      -h BRHOST                         \
                --rm                              \
                -v /tmp/.X11-unix:/tmp/.X11-unix  \
                -v $HOME:$HOME                    \
                -e DISPLAY=$GDISPLAY              \
                -e GUSERNAME=$GUSERNAME           \
                -e GUID=$GUID                     \
                -e GGROUP=$GGROUP                 \
                -e GGID=$GGID                     \
                -e GHOME=$GHOME                   \
                -e GSHELL=$SHELL                  \
                -e GRUNXTERM=$GRUNXTERM           \
                -e GPWD=$GPWD                     \
                -it digiampietro/buildroot-armv7
```
In this script:
* the user's home directory (*$HOME*) is mapped, with option `-v`, inside the running image at exactly the same path
* the `-v /tmp/.X11-unix:/tmp/.X11-unix` option is used to display, on the host, X11 applications running inside the Docker image
* the `--rm` option removes the container after exiting from the interactive shell; this is needed to avoid accumulating a lot of unused stopped containers
* some environment variables (options `-e`) are passed from the host to the docker image in order to create, on the fly, inside the image, the same user existing on the host with exactly the same attributes (username, uid, primary group, shell, home dir). This job is accomplished by the following **entrypoint** script `docker/startup.sh`:

```shell
#!/bin/sh
#
# add current user and user's primary group
#
groupadd -g $GGID $GGROUP
useradd -u $GUID -s $GSHELL -c $GUSERNAME -g $GGID -M -d $GHOME $GUSERNAME
usermod -a -G sudo $GUSERNAME
echo $GUSERNAME:docker | chpasswd
if [ "$GRUNXTERM" = "1" ]
then
    # become the current user and start a shell
    su -l -c lxterminal $GUSERNAME
    # another root shell
    lxterminal
else
    # become the current user and start a shell
    su -l $GUSERNAME
    # another root shell
    /bin/bash
fi
```

Note that the script also adds the user to the *sudo* group and sets the account password to the fixed string `docker`, so the user is meant to be able to become root inside the container, where the home directory is mounted read-write.

This Docker usage pattern makes it possible to transparently share the user's home directory between the host and the Docker image, and can be used every time there is a need to use a Docker image to transparently run software that cannot be run on the host and that will use and/or modify files in the user's home directory.

In this case the *Buildroot* folder is not installed inside the Docker image, but will be installed in the user's home directory and, in this way, the Buildroot folder will remain persistent across Docker image invocations.

## Buildroot configuration

The Buildroot configuration is stored in an external tree in the folder `ext-tree`; Buildroot itself can be launched with the shell script `brmake` that, basically, changes directory to the Buildroot directory and executes a `make BR2_EXTERNAL=`.

The `ext-tree` folder has the following content:
```
ext-tree/
├── board
│   └── dvaemu
│       ├── kernel-defconfig
│       ├── overlay
│       │   └── etc
│       │       └── profile.d
│       │           └── set-prompt.sh
│       └── post-build.sh
├── Config.in
├── configs
│   ├── dvaemu-emu_arm_vexpress_defconfig
│   └── uClibc-0.9.33.config
├── external.desc
├── external.mk
├── package
│   └── klish
│       ├── 0001-klish-help-param-optional.patch
│       ├── Config.in
│       └── klish.mk
└── patches
    └── linux
        ├── 0002-module.h-remove-p2v8-from-module-id-string.patch
        ├── 0004-jffs2_make_lzma_available.patch
        ├── 0005-jffs2_eofdetect.patch
        └── 0006-jffs2_make_lzma_high_priority.patch
```

* **ext-tree/board/dvaemu** contains files for the *fictitious* board called *dvaemu* (for DVA 5592 router emulation)

* **ext-tree/board/dvaemu/kernel-defconfig** contains the kernel configuration, saved in a *defconfig* file; the main differences, compared with the default kernel configuration, have been introduced to make it more similar to the router's kernel and to run it in QEMU:
  - *General setup*
    - Choose SLAB allocator: SLAB, this is needed to run some binaries/libraries
  - *System type*: Versatile Express platform type with Device Tree support
  - *Preemption Model*: Preemptible Kernel (low latency Desktop)
  - *Device Drivers*
    - NAND Device Support and Support for NAND Flash Simulator, this is very important to simulate the JFFS2 file system on the flash memory
    - OneNAND Device Support
    - Enable UBI
  - *File Systems*
    - Miscellaneous filesystems: JFFS2 support, Advanced Compression, JFFS2 LZMA compression supported
  - *Library routines*
    - CRC-CCITT functions
    - CRC16 functions
    - CRC calculations for the T10 Data Integrity Field
    - CRC ITU-T V.41 functions

* **ext-tree/board/dvaemu/overlay** in this path's subfolder there is the `set-prompt.sh` script used to set up the prompt inside the QEMU emulated machine

* **ext-tree/board/dvaemu/post-build.sh** this is the Buildroot post-build script, used mainly to copy the router's root file system and firmware to the root image of the emulated machine

* **ext-tree/Config.in, external.desc, external.mk** are files needed by Buildroot to use the external tree

* **ext-tree/configs/dvaemu-emu_arm_vexpress_defconfig** contains the buildroot configuration; it is based on the *qemu_arm_vexpress_defconfig*, included in buildroot, to emulate a *Versatile Express ARM board* with an ARMv7 Cortex-A9 processor. The most important modified options are:
  - *Target Option: EABIhf*, because the router's CPU seems to support hardware floating point processing
  - *Build Options*, the selected options are needed to make the reverse engineering job easier:
    - *Build packages with debugging symbols*
    - *gcc debug level 2*
    - *strip binaries: no*
    - *gcc optimization level 0*
    - *global patch directories*, to point to the external tree patch directory
  - *Toolchain*, the selected options are needed to enable and facilitate debugging and to compile the 3.4.11-rt9 Kernel
    - Kernel Headers: 3.4.x
    - Enable large file support
    - Enable WCHAR support
    - Thread library debugging
    - Enable C++ support
    - Build cross GDB for the host
  - *Linux Kernel*, the selected options are needed to select the 3.4.11-rt9 kernel and to run it under QEMU:
    - Custom tarball location
    - Kernel configuration: using a custom config file
    - Device tree support
    - Install kernel image to /boot Target
  - *Compressor and Decompressor*, useful for the purpose of emulating the router environment
    - bzip2
    - xz-utils
  - *Debugging profiling and benchmark*, the selected options are useful for reverse engineering
    - gdb (gdbserver and full debugger)
    - ltrace
    - strace
  - *Development tools*
    - binutils, flex, libtools, make, pkgconf
    - mtd, jffs2 and ubi/ubifs tools; these are very important because they are related to flash eeprom emulation
  - *Libraries*, the selected options are needed to emulate binaries requiring the selected libraries
    - libgcrypt, expat, roxml, libxml2, Mini-XML
  - *Network Applications* are included to exchange files between the emulated machine and the external world
    - rsync, rsh-redone, socat, ncftp, iputils
  - *Shell and utilities*
    - file, sudo
  - *Host utilities*
    - host mtd, jffs2 and ubi/ubifs tools
  - *User provided options*
    - klish, to try to emulate the router's shell

* **ext-tree/configs/uClibc-0.9.33.config** this is the uClibc configuration; the main differences, compared with the default, have been introduced to be compatible with the router's binaries and to include debugging symbols in the library files.
  The inclusion of debugging symbols has been problematic: uClibc doesn't obey the general option included in the Buildroot configuration, it has its own flag for this purpose; the problem is that with that flag enabled the compilation gives errors that are impossible to fix, so a workaround, described below, has been used:
  - *Target Architecture Features and Options*
    - Build for EABI
    - Use BX in function return
    - Enable full C99 math library support
  - *General Library Settings*
    - Enable library loader preload file, not selected
    - Link LD Config statically, not selected
    - Thread support, native POSIX Threading
    - Build pthreads debugging support
    - Malloc returns live pointer for malloc(0)
    - Provide libutil library and functions
  - *String and Stdio support*
    - Wide character support
    - Support hexadecimal float notation
    - Support glibc's register_printf_function()
    - Some other glibc compatible settings
  - *Development/debugging options*
    - in Compiler Warnings add the string "-ggdb", this is the workaround to compile uClibc with debugging symbols

* **ext-tree/package**, in this directory is included the *klish* package, but, unfortunately, it is not compatible with the router's *klish* configuration files; probably the *klish* application in the router has been modified in incompatible ways

* **ext-tree/patches/linux**: Linux patches to make the kernel more similar to the router's kernel; the patches are:
  - *0002-module.h-remove-p2v8-from-module-id-string.patch* makes the kernel identifying string identical to that of the router's kernel modules; unfortunately, although this makes it possible to load the router's modules in the emulated machine, the kernel crashes
  - *0004-jffs2_make_lzma_available.patch* this patch implements the LZMA compression for the JFFS2 file system; it has been borrowed and adapted from the OpenWRT project
  - *0005-jffs2_eofdetect.patch* this patch implements the *end of partition detection* for JFFS2 filesystems; this patch is included in the router's kernel and automatically detects the end of a JFFS2 partition, thanks to a magic number
  - *0006-jffs2_make_lzma_high_priority.patch* this patch makes LZMA compression the preferred compression method for the JFFS2 partition, similar to what the router's kernel does.

## Running Buildroot

The [Buildroot User's Manual](https://buildroot.org/downloads/manual/manual.html) is a very good guide on how to configure and run Buildroot; in this environment Buildroot make commands should be executed using the *brmake* script inside the *buildroot-armv7* folder. The most useful commands are:

* `./brmake xconfig` (or `./brmake menuconfig`) to configure Buildroot options;
* `./brmake linux-xconfig` (or `./brmake linux-menuconfig`) to configure the Linux Kernel
* `./brmake uclibc-menuconfig` (the *xconfig* version is not available for *uClibc*) to configure the *uClibc* library
* `./brmake savedefconfig` to save the Buildroot configuration in the external tree, in the file `ext-tree/configs/dvaemu-emu_arm_vexpress_defconfig`
* `./brmake linux-update-defconfig` to save the Linux Kernel configuration in the external tree, in the file `ext-tree/board/dvaemu/kernel-defconfig`
* `./brmake uclibc-update-defconfig` to save the uClibc configuration in the external tree, in the file `ext-tree/configs/uClibc-0.9.33.config`
* `./brmake clean` to delete all build products (including build directories, host, staging and target trees, the images and the toolchain)
* `./brmake distclean` to delete everything, including configuration files; needed to build for a new target, should not be needed with this environment;
* `./brmake linux-dirclean` removes the whole kernel build directory, to be used when kernel configuration changes are made;
* `./brmake -s printvars` to dump all the variables known to make;
* `./brmake` to build the kernel and the root file system.

## Running QEMU

To run QEMU there is the `qr` script inside the `qemu-run` folder; this script runs QEMU using the root file system built by Buildroot. The script is the following:
```sh
#!/bin/bash
MYDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
. $MYDIR/../set-env.sh
cd $MYDIR
export QEMU_AUDIO_DRV="none"
qemu-system-arm -M vexpress-a9 \
                -cpu cortex-a9 \
                -m 1024 \
                -nographic \
                -kernel $BRIMAGES/zImage \
                -drive file=$BRIMAGES/rootfs.ext2,index=0,media=disk,format=raw,if=sd \
                -dtb $BRIMAGES/vexpress-v2p-ca9.dtb \
                -net nic \
                -net user,hostfwd=tcp::2222-:22,hostfwd=tcp::9000-:9000 \
                -append "rw console=ttyAMA0 console=tty root=/dev/mmcblk0"
```
The first three lines set environment variables and change directory to that of the script, the fourth line disables the audio driver (the emulated board doesn't emulate audio hardware), and the `qemu-system-arm` options select:
* board *vexpress-a9* with processor *cortex-a9* and 1Gb of RAM
* the *-nographic* option prevents the opening of another window: the console input/output go to the terminal
* the *-kernel* option selects the kernel generated by Buildroot
* the *-drive* option selects the root file system image generated by Buildroot, emulated as an SD disk
* the *-dtb* option selects the *Device Tree Blob* generated by Buildroot and describing the board devices to the kernel
* the *-net* options associate an ethernet card to the emulated board and do port forwarding from the host to the qemu machine; the forwarded ports are host port 2222 to qemu machine port 22 (to do *ssh* from the host to the qemu machine) and port 9000 from the host to the same port on the qemu machine (it will be used by *gdb/gdbserver*).

To stop the emulated machine use the command **`halt`**; to exit from the emulator use the key sequence **`Ctrl-A`** **`X`**.

# Reverse Engineering Router's Binaries

The main purpose of this reverse engineering project is to modify the router firmware to be able to modify configurations, add additional software and to be able to login and become *root* on the router.

To achieve this goal three main activities are needed:
* **file system analysis** to analyze the router's interesting scripts, especially the initial boot sequence and firmware upgrade scripts;
* **console output analysis**: re-populate the serial interface on the router, attach a serial console and capture the router's output during boot and during upgrade;
* **reverse engineer**: select and reverse engineer interesting binaries.

## File system and console output analysis

Some areas of interest in doing these analyses are:

* **upgrade procedure**: looking at the console output during the upgrade process (see the file [``misc/router-console-upgrade.log``](misc/router-console-upgrade.log)) and at the related router's scripts (`/usr/sbin/upgrade-prepare.sh` and `/usr/sbin/upgrade.sh`) it is possible to understand the firmware file layout (maybe not every detail), where the file system root and boot images are, and how these images are written to the NAND flash eeprom. It is also possible to understand that the firmware image is digitally signed and that the router's binary `/usr/sbin/sig_verify` is used to check the signature authenticity; for this reason the first interesting binary to reverse engineer is `sig_verify`, to understand if it is possible to modify the firmware and make a valid fake signature; unfortunately this is not possible, but the analysis has been interesting anyway.
* **klish configuration file**: it is possible to telnet or ssh to the router to get a restricted shell based on the open source [*klish*](http://libcode.org/projects/klish/) project. Looking at the `bin/clish` script and at the startup script it is possible to find that the *clish* configuration file is `/etc/clish/startup.xml`. Analyzing this configuration file shows that it is possible to enter *factory mode* and get a normal, unprivileged Linux busybox shell (details are in the [*adbtools2*](https://github.com/digiampietro/adbtools2) project).
* **interesting binaries**: not being able to modify the firmware using the normal firmware upgrade process, because of the firmware signature, it is necessary to find some other way to get a root shell on the router to reach the project target. The idea is to use the unprivileged access to exploit some router binary, running as root, to force it to run a specially crafted shell script to get a root shell. So the interesting binaries are those running as root in the router.
  Using the unprivileged access to get a list of running processes on the router:
```
/root $ ps -ef
  PID USER       VSZ STAT COMMAND
    1 0         1184 S    init
    2 0            0 SW   [kthreadd]
    3 0            0 SW   [ksoftirqd/0]
    4 0            0 SW   [kworker/0:0]
    5 0            0 SW   [kworker/u:0]
    6 0            0 SW   [migration/0]
    7 0            0 SW   [migration/1]
    8 0            0 SW   [kworker/1:0]
    9 0            0 SW   [ksoftirqd/1]
   10 0            0 SW<  [cpuset]
   11 0            0 SW<  [khelper]
   12 0            0 SW<  [netns]
   13 0            0 SW   [kworker/u:1]
   69 0            0 SW   [sync_supers]
   71 0            0 SW   [bdi-default]
   73 0            0 SW<  [kblockd]
   78 0            0 SW   [khubd]
   87 0            0 SW   [skb_free_task]
   88 0            0 SW   [bcmFapDrv]
  105 0            0 SWN  [kswapd0]
  106 0            0 SW   [fsnotify_mark]
  107 0            0 SW<  [crypto]
  177 0            0 SW   [kworker/1:1]
  178 0            0 SW   [kworker/0:1]
  185 0            0 SW   [mtdblock0]
  190 0            0 SW   [mtdblock1]
  195 0            0 SW   [mtdblock2]
  200 0            0 SW   [mtdblock3]
  205 0            0 SW   [mtdblock4]
  210 0            0 SW   [mtdblock5]
  215 0            0 SW   [mtdblock6]
  220 0            0 SW   [mtdblock7]
  226 0            0 SW   [cfinteractive]
  229 0            0 SW<  [linkwatch]
  233 0            0 SW<  [deferwq]
  234 0            0 SWN  [jffs2_gcd_mtd2]
  261 0          724 S <  /sbin/udevd --daemon
  274 1001      1328 S    /bin/clish.elf -l -x /tmp/clish
  326 0         2332 S    cm
  365 0         1800 S    logd
  368 0          704 S    ec
  405 0            0 SW   [bcmxtm_rx]
  439 0            0 SW   [bcmFlwStatsTask]
  830 0            0 SW   [bcmsw_rx]
  903 0            0 SW   [bcmsw]
  924 0            0 SW   [flush-mtd-unmap]
 1032 0            0 SW   [dhd_watchdog_th]
 1033 0            0 SW   [dhd0_dpc]
 1034 0            0 SW   [wfd0-thrd]
 1235 0            0 SW   [spu_rx]
 1715 0            0 SW   [wl1-kthrd]
 1783 0            0 SW   [wfd1-thrd]
 1997 0            0 SW   [dsl0]
 2383 0          820 S    dns
 2605 0            0 SW   [flush-254:0]
 2630 0         2480 S    cwmp
 2631 0         1204 S    inetd -f
 2633 0          736 S    yamp -c /tmp/yamp.conf -p /tmp/yamp.pid
 2658 0          664 S    wpspbc
 3075 0            0 SW   [kworker/0:2]
 3089 0         2316 S    hostapd -B /tmp/wlan/config/hostapd.conf.wl1 -P /var
 3090 65534     3560 S    httpd -u nobody
 3638 0         2316 S    hostapd -B /tmp/wlan/config/hostapd.conf.wl0 -P /var
 3647 0         1068 S    chronyd -n -f /tmp/chrony.conf
 4191 0          696 S    /sbin/rngd -r /dev/urandom -W 4000
 4211 0         7136 S    voip
 4225 0            0 SW   [voice-aoRT]
 4232 0            0 SW   [voice-HTSK]
 4239 0            0 SW   [voice-HRTBEAT]
 4240 0            0 SW   [voice-VRGDISP]
 4241 0            0 SW   [voice-HCAS]
 4242 0            0 SW   [voice-ISTW]
 4243 0            0 SW   [YAPS_Dsp_Event_]
 4244 0            0 SW   [YAPS_Dsp_Data_R]
 4402 1001         0 Z    [clish.elf]
 4403 1001      1176 S    /bin/sh -c /bin/sh /tmp/klish.fifo.5nMkcg
 4404 1001      1176 S    /bin/ash
 4405 1001      1176 R    ps -ef
/root $
```

A first list of interesting binaries includes: init, udevd, cm, logd, ec, dns, cwmp, inetd, yamp, wpspbc, hostapd, chronyd, rngd, voip.

It is better to exclude operating system binaries: init, udevd, logd, inetd, chronyd, rngd unless there are known vulnerabilities exploitable in the specific router usage, version and configuration.

The remaining executables:
* **dns**: looking at the message string in the `/etc/init.d/services.sh` it is labeled as *Start Networking*; it could be interesting, but usually low level stuff is more difficult to hack, so it gets a lower priority in reverse engineering;
* **ec**: looking at the message string in the `/etc/init.d/services.sh` it is an *Event Controller*; it could be interesting, so normal priority in reverse engineering it;
* **cwmp**: probably implements the *cwmp* protocol used by the remote management system based on *TR-069*; it is the system that allows the telco company to remotely manage the router. It should be a quite complicated piece of software, probably difficult to hack.
  So lower priority in selecting it for reverse engineering;
* **yamp**: it is executed by the script `/etc/ah/IGMPProxy.sh`, so it has to do with the IGMP protocol; again low level stuff, usually difficult to hack, lower priority in reverse engineering;
* **wpspbc**: seems to have to do with Wifi Protected Setup; again, low level stuff difficult to hack, lower priority in reverse engineering;
* **voip**: manages the voip telephone; again low level stuff difficult to hack, lower priority in reverse engineering;
* **cm**: looking at the message string in the `/etc/init.d/services.sh` it is labeled as *Configuration Manager (B)*, and in many scripts the command *cmclient* is executed many times to get information from the system and to configure parameters in the router. In the klish configuration file many tasks are carried out by a *cmclient* command; this probably means that an unprivileged *cmclient* process talks to the *cm* process to get privileged jobs done (such as changing IP address or adding new users), and for this reason this seems the most interesting binary to reverse engineer.

## Reverse Engineering `sig_verify`

The ARM executable `sig_verify` has no debugging information and has been stripped but, like almost all executables, it makes a lot of library calls. The "emulated" execution environment has been set up with debugging information on all executables and all library files; this means that to reverse engineer the `sig_verify` executable it is necessary to follow the library calls it makes.
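
A stripped, dynamically linked binary still has to tell the loader which libraries and functions it needs, and that information can be reached from the program headers alone. The following Python sketch is an added example, not part of this project: it reads the `PT_DYNAMIC` segment of a 32-bit little-endian ELF image and returns the needed libraries and the imported functions. The names `parse_dynamic` and `build_sample` are hypothetical, and the sample image is constructed for the example (it is not the router's `sig_verify`).

```python
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_HASH, DT_STRTAB, DT_SYMTAB, DT_STRSZ = 0, 1, 4, 5, 6, 10
SHN_UNDEF, STT_FUNC = 0, 2


def parse_dynamic(image):
    """Return (needed_libraries, imported_functions) for a 32-bit
    little-endian ELF image, using only its program headers."""
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4:6] != b"\x01\x01":
        raise ValueError("not a 32-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 42)

    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<5I", image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment (statically linked?)")

    def file_offset(vaddr):
        # Dynamic tags hold virtual addresses; map them back through PT_LOAD.
        for base, offset, size in loads:
            if base <= vaddr < base + size:
                return offset + vaddr - base
        raise ValueError("address 0x%x is not backed by file data" % vaddr)

    tags, needed = {}, []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 8):
        d_tag, d_val = struct.unpack_from("<iI", image, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)      # offset into the dynamic string table
        else:
            tags[d_tag] = d_val
    missing = {DT_HASH, DT_STRTAB, DT_SYMTAB, DT_STRSZ} - set(tags)
    if missing:
        raise ValueError("dynamic section lacks tags %s" % sorted(missing))

    strtab = file_offset(tags[DT_STRTAB])

    def name(index):
        if index >= tags[DT_STRSZ]:
            raise ValueError("string index %d outside DT_STRSZ" % index)
        end = image.index(b"\0", strtab + index)
        return image[strtab + index:end].decode("ascii", "replace")

    # The SysV hash header is (nbucket, nchain); nchain equals the number of
    # entries in the dynamic symbol table, which has no length tag of its own.
    _, nchain = struct.unpack_from("<II", image, file_offset(tags[DT_HASH]))
    symtab = file_offset(tags[DT_SYMTAB])
    imports = []
    for i in range(1, nchain):        # entry 0 is the reserved null symbol
        st_name, _, _, st_info, _, st_shndx = struct.unpack_from(
            "<IIIBBH", image, symtab + 16 * i)
        if st_shndx == SHN_UNDEF and (st_info & 0xF) == STT_FUNC:
            imports.append(name(st_name))
    return [name(n) for n in needed], imports


def build_sample():
    """Constructed sample: a minimal ELF32 ARM image with no section headers."""
    base = 0x8000
    strtab, index = b"", {}
    for s in (b"", b"libgcrypt.so.11", b"libc.so.0",
              b"gcry_md_open", b"fread", b"stderr"):
        index[s] = len(strtab)
        strtab += s + b"\0"
    # (name, st_info, st_shndx): two undefined functions, one defined object
    syms = [(b"", 0, 0), (b"gcry_md_open", 0x12, 0),
            (b"fread", 0x12, 0), (b"stderr", 0x11, 1)]
    symtab = b"".join(struct.pack("<IIIBBH", index[n], 0, 0, info, 0, ndx)
                      for n, info, ndx in syms)
    hashtab = struct.pack("<II", 1, len(syms)) + bytes(4 * (1 + len(syms)))
    off_hash = 52 + 2 * 32            # ELF header plus two program headers
    off_sym = off_hash + len(hashtab)
    off_str = off_sym + len(symtab)
    off_dyn = off_str + len(strtab)
    dynamic = b"".join(struct.pack("<iI", tag, val) for tag, val in [
        (DT_NEEDED, index[b"libgcrypt.so.11"]), (DT_NEEDED, index[b"libc.so.0"]),
        (DT_HASH, base + off_hash), (DT_STRTAB, base + off_str),
        (DT_SYMTAB, base + off_sym), (DT_STRSZ, len(strtab)), (DT_NULL, 0)])
    total = off_dyn + len(dynamic)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, base, 52, 0, 0x5000002, 52, 32, 2, 0, 0, 0)
    phdrs = struct.pack("<8I", PT_LOAD, 0, base, base, total, total, 5, 0x8000)
    phdrs += struct.pack("<8I", PT_DYNAMIC, off_dyn, base + off_dyn,
                         base + off_dyn, len(dynamic), len(dynamic), 6, 4)
    return ehdr + phdrs + hashtab + symtab + strtab + dynamic


if __name__ == "__main__":
    libs, funcs = parse_dynamic(build_sample())
    print("NEEDED:", libs)
    print("imported functions:", funcs)
```

To try it on a real file, pass the bytes read with `open(path, "rb").read()`; big-endian and 64-bit images are rejected by the first check.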

### Listing `sig_verify` library calls

Because the executable is stripped, the typical `readelf` command gives little information:
```
valerio@ubuntu-hp:~/br/buildroot-armv7/qemu-run$ source set-aliases
valerio@ubuntu-hp:~/br/buildroot-armv7/qemu-run$ arm-linux-readelf -a $DVAROOT/usr/sbin/sig_verify
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x8a18
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x5000002, has entry point, Version5 EABI
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         6
  Size of section headers:           0 (bytes)
  Number of section headers:         0
  Section header string table index: 0

There are no sections in this file.

There are no sections to group in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00008034 0x00008034 0x000c0 0x000c0 R E 0x4
  INTERP         0x0000f4 0x000080f4 0x000080f4 0x00014 0x00014 R   0x1
      [Requesting program interpreter: /lib/ld-uClibc.so.0]
  LOAD           0x000000 0x00008000 0x00008000 0x0171b 0x0171b R E 0x8000
  LOAD           0x00171c 0x0001171c 0x0001171c 0x001f1 0x00204 RW  0x8000
  DYNAMIC        0x001728 0x00011728 0x00011728 0x00100 0x00100 RW  0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

Dynamic section at offset 0x1728 contains 27 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libgcrypt.so.11]
 0x00000001 (NEEDED)                     Shared library: [libgpg-error.so.0]
 0x00000001 (NEEDED)                     Shared library: [libgcc_s.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.0]
 0x0000000c (INIT)                       0x8874
 0x0000000d (FINI)                       0x936c
 0x00000019 (INIT_ARRAY)                 0x1171c
 0x0000001b (INIT_ARRAYSZ)               4 (bytes)
 0x0000001a (FINI_ARRAY)                 0x11720
 0x0000001c (FINI_ARRAYSZ)               4 (bytes)
 0x00000004 (HASH)                       0x8108
 0x00000005 (STRTAB)                     0x8528
 0x00000006 (SYMTAB)                     0x8258
 0x0000000a (STRSZ)                      455 (bytes)
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000015 (DEBUG)                      0x0
 0x00000003 (PLTGOT)                     0x11828
 0x00000002 (PLTRELSZ)                   256 (bytes)
 0x00000014 (PLTREL)                     REL
 0x00000017 (JMPREL)                     0x8774
 0x00000011 (REL)                        0x876c
 0x00000012 (RELSZ)                      8 (bytes)
 0x00000013 (RELENT)                     8 (bytes)
 0x6ffffffe (VERNEED)                    0x874c
 0x6fffffff (VERNEEDNUM)                 1
 0x6ffffff0 (VERSYM)                     0x86f0
 0x00000000 (NULL)                       0x0

There are no relocations in this file.

Histogram for bucket list length (total of 37 buckets):
 Length  Number     % of total  Coverage
      0  13         ( 35.1%)
      1  11         ( 29.7%)     25.0%
      2  8          ( 21.6%)     61.4%
      3  4          ( 10.8%)     88.6%
      4  0          (  0.0%)     88.6%
      5  1          (  2.7%)    100.0%

No version information found in this file.

```
Anyway this command shows that it uses `libgcrypt`, `libgpg-error`, `libgcc_s` and `libc` (the last two provided by *uClibc*).

The following `readelf` command (display symbols in the dynamic section) lists the library function calls and external symbols used by the executable:
```
valerio@ubuntu-hp:~/br-dva-emu/dvaemu/qemu-run$ arm-linux-readelf --sym -D $DVAROOT/usr/sbin/sig_verify

Symbol table for image:
  Num Buc:    Value  Size   Type   Bind Vis      Ndx Name
   28   0: 00011920     0 NOTYPE  GLOBAL DEFAULT ABS __end__
   20   0: 00008940     0 FUNC    GLOBAL DEFAULT UND strncmp
   16   0: 00008928     0 FUNC    GLOBAL DEFAULT UND fseek
   39   1: 00000000     0 NOTYPE  WEAK   DEFAULT UND _Jv_RegisterClasses
   29   1: 00008994     0 FUNC    GLOBAL DEFAULT UND strcmp
   40   3: 000089dc     0 FUNC    GLOBAL DEFAULT UND gcry_md_ctl
   10   5: 000088ec     0 FUNC    GLOBAL DEFAULT UND __fgetc_unlocked
   32   9: 00011910     4 OBJECT  GLOBAL DEFAULT bad stderr
   38  11: 000089d0     0 FUNC    GLOBAL DEFAULT UND fputs
   23  14: 00008964     0 FUNC    GLOBAL DEFAULT UND fread
    2  14: 00011920     0 NOTYPE  GLOBAL DEFAULT ABS _bss_end__
    1  15: 00008898     0 FUNC    GLOBAL DEFAULT UND printf
   44  16: 00008a0c     0 FUNC    GLOBAL DEFAULT UND gcry_md_get_algo_dlen
   41  16: 000089e8     0 FUNC    GLOBAL DEFAULT UND close
    9  17: 000088e0     0 FUNC    GLOBAL DEFAULT UND lseek
   33  18: 00011910     0 NOTYPE  GLOBAL DEFAULT ABS _edata
   13  19: 00008874     0 FUNC    GLOBAL DEFAULT bad _init
    7  19: 000088c8     0 FUNC    GLOBAL DEFAULT UND gcry_md_open
    6  19: 000088bc     0 FUNC    GLOBAL DEFAULT UND gcry_md_write
    3  20: 000088a4     0 FUNC    GLOBAL DEFAULT UND gcry_check_version
   37  21:
000089c4 0 FUNC GLOBAL DEFAULT UND open 604 | 22 21: 00008958 0 FUNC GLOBAL DEFAULT UND sscanf 605 | 19 21: 00008934 0 FUNC GLOBAL DEFAULT UND read 606 | 12 23: 00008904 0 FUNC GLOBAL DEFAULT UND gcry_mpi_scan 607 | 4 23: 000088b0 0 FUNC GLOBAL DEFAULT UND malloc 608 | 27 24: 00008988 0 FUNC GLOBAL DEFAULT UND gcry_md_read 609 | 42 25: 000089f4 0 FUNC GLOBAL DEFAULT UND gcry_pk_verify 610 | 30 25: 0000936c 0 FUNC GLOBAL DEFAULT bad _fini 611 | 26 28: 0000897c 0 FUNC GLOBAL DEFAULT UND ftell 612 | 36 29: 000089b8 0 FUNC GLOBAL DEFAULT UND strlen 613 | 35 29: 000089ac 0 FUNC GLOBAL DEFAULT UND exit 614 | 18 29: 00008a18 80 FUNC GLOBAL DEFAULT bad _start 615 | 14 30: 00008910 0 FUNC GLOBAL DEFAULT UND gcry_sexp_build 616 | 8 30: 000088d4 0 FUNC GLOBAL DEFAULT UND ftruncate 617 | 43 31: 00008a00 0 FUNC GLOBAL DEFAULT UND free 618 | 34 31: 00011920 0 NOTYPE GLOBAL DEFAULT ABS _end 619 | 31 31: 000089a0 0 FUNC GLOBAL DEFAULT UND fgetc 620 | 17 31: 00011920 0 NOTYPE GLOBAL DEFAULT ABS __bss_end__ 621 | 5 31: 00011910 0 NOTYPE GLOBAL DEFAULT ABS __bss_start__ 622 | 21 32: 0000894c 0 FUNC GLOBAL DEFAULT UND fdopen 623 | 15 33: 0000891c 0 FUNC GLOBAL DEFAULT UND fprintf 624 | 11 33: 000088f8 0 FUNC GLOBAL DEFAULT UND abort 625 | 25 35: 00011910 0 NOTYPE GLOBAL DEFAULT ABS __bss_start 626 | 24 35: 00008970 0 FUNC GLOBAL DEFAULT UND __uClibc_main 627 | ``` 628 | 629 | To generate an initial gdb (GNU Debugger) script that puts a breakpoint on each library call, it is possible to use the script `dvaemu/qemu-run/gen-breakpoints.sh`; this script gets its information from the previous command. 630 | 631 | The generated gdb script has been refined with some macros and commands to run when certain breakpoints are hit and is available in `dvaemu/qemu-run/sv.gdb`; this script will be used in the debugging session. 
632 | 633 | ### Starting the emulated Machine 634 | 635 | The guest emulated machine is started with the script `qr` in the `qemu-run` folder; this script launches `qemu-system-arm` with: 636 | 637 | * the emulated board *vexpress-a9* 638 | * the CPU *ARM cortex A9* 639 | * 1Gb of RAM 640 | * the file system generated by *buildroot* in an emulated *SD card* 641 | * port forwarding from host to the guest on port 22 (to be used by `ssh`) and on port 9000 (to be used by `gdb` on the host and `gdbserver` on the guest) 642 | 643 | ``` 644 | valerio@ubuntu-hp:~/br/buildroot-armv7/qemu-run$ ./qr 645 | ... 646 | Uncompressing Linux... done, booting the kernel. 647 | Booting Linux on physical CPU 0 648 | Initializing cgroup subsys cpuset 649 | Linux version 3.4.11-rt19 (valerio@BRHOST) (gcc version 4.8.2 (Buildroot 2014.02) ) #1 SMP PREEMPT Sat Sep 15 18:21:45 UTC 2018 650 | CPU: ARMv7 Processor [410fc090] revision 0 (ARMv7), cr=10c53c7d 651 | 652 | ... 653 | 654 | input: ImExPS/2 Generic Explorer Mouse as /devices/motherboard.1/iofpga.2/10007000.kmi/serio1/input/input1 655 | VFS: Mounted root (ext2 filesystem) on device 179:0. 656 | devtmpfs: mounted 657 | Freeing init memory: 160K 658 | smsc911x 4e000000.ethernet: eth0: SMSC911x/921x identified at 0xc0880000, IRQ: 47 659 | 660 | Welcome to Buildroot 661 | buildroot login: root 662 | root@buildroot:~# 663 | ``` 664 | 665 | ### Starting `gdbserver` on the emulated Machine 666 | 667 | The `post-build.sh` script has copied: 668 | * the DVA 5592 root file system in the folder `/dva-root` in the emulated machine 669 | * the firmware file `DVA-5592_A1_WI_20180405.sig` and jffs file system images in the folder `/dva-firm` 670 | So the `sig_verify` executable is located in `/dva-root/usr/sbin/sig_verify`. 
The `gdbserver` is launched with the following commands in the qemu virtual machine; the option `--readonly` is used to disallow trimming the last 256 bytes off the firmware file: 671 | 672 | ``` 673 | root@buildroot:/# cd /dva-root/usr/sbin/ 674 | root@buildroot:/dva-root/usr/sbin# gdbserver :9000 sig_verify --readonly /dva-fir 675 | m/DVA-5592_A1_WI_20180405.sig 676 | Process sig_verify created; pid = 511 677 | Listening on port 9000 678 | ``` 679 | 680 | ### Starting `gdb` in the host machine 681 | 682 | The `gdb` in the host machine is started with the script `gdbrun.sh` in the `qemu-run` folder; this script: 683 | * sets some environment variables 684 | * sets the gdb SYSROOT directory (to locate unstripped binaries generated by buildroot) 685 | * adds the current directory (`dvaemu/qemu-run`) and the host tools directory (where `arm-linux-gdb` is located) to the list of directories where to search sources and gdb scripts 686 | * sets the remote target address/port and starts `gdb` with the arguments given to the script. 687 | 688 | ``` 689 | valerio@ubuntu-hp:~/br/buildroot-armv7/qemu-run$ ./gdbrun.sh -x sv.gdb 690 | GNU gdb (GDB) 7.5.1 691 | Copyright (C) 2012 Free Software Foundation, Inc. 692 | License GPLv3+: GNU GPL version 3 or later 693 | This is free software: you are free to change and redistribute it. 694 | There is NO WARRANTY, to the extent permitted by law. Type "show copying" 695 | and "show warranty" for details. 696 | This GDB was configured as "--host=x86_64-unknown-linux-gnu --target=arm-buildroot-linux-uclibcgnueabihf". 697 | For bug reporting instructions, please see: 698 | . 699 | Remote debugging using :9000 700 | 0x76ff1e3c in ?? () 701 | Reading symbols from /home/valerio/dva-5592/mirror-nas-dva/br-dva-emu/buildroot-2014.02/output/target/lib/ld-uClibc.so.0...done. 
702 | Loaded symbols for /home/valerio/dva-5592/mirror-nas-dva/br-dva-emu/buildroot-2014.02/output/target/lib/ld-uClibc.so.0 703 | Source directories searched: /home/valerio/br/buildroot-armv7/qemu-run:$cdir:$cwd 704 | Function "__fgetc_unlocked" not defined. 705 | Breakpoint 1 (__fgetc_unlocked) pending. 706 | 707 | ... 708 | 709 | warning: Could not load shared library symbols for sig_verify. 710 | Do you need "set solib-search-path" or "set sysroot"? 711 | 712 | Breakpoint 2, __uClibc_main (main=0x8fac, argc=3, argv=0x7efffd64, app_init=0x8874, app_fini=0x936c, rtld_fini=0x76ff1dd0 <_dl_fini>, stack_end=0x7efffd64) 713 | at libc/misc/internals/__uClibc_main.c:325 714 | 325 { 715 | $1 = "----->Arguments<-----" 716 | $2 = 0x7efffe61 "sig_verify" 717 | $3 = 0x7efffe6c "--readonly" 718 | $4 = 0x7efffe77 "/dva-firm/DVA-5592_A1_WI_20180405.sig" 719 | Breakpoint 32 at 0x76ff26d0: file ldso/ldso/dl-hash.c, line 276. 720 | ``` 721 | 722 | The `sv.gdb` script is executed: it puts breakpoints on external library functions and starts the debugging session by issuing a `continue` gdb command. 723 | 724 | The remote executable stops at the `__uClibc_main` library function and gdb executes the related breakpoint commands, printing the 3 arguments of this function, which are the option *--readonly*, the name of the executable and the name of the firmware file whose signature is to be checked. 725 | 726 | The `continue` command executes the program till the next breakpoint: 727 | 728 | ``` 729 | Breakpoint 32, _dl_find_hash (name=name@entry=0x85c6 "open", scope=0x76ffd06c, mytpnt=0x76ffd030, type_class=type_class@entry=1, sym_ref=sym_ref@entry=0x0) 730 | at ldso/ldso/dl-hash.c:276 731 | 276 { 732 | _dl_linux_resolver (tpnt=, reloc_entry=) at ldso/ldso/arm/elfinterp.c:74 733 | 74 if (unlikely(!new_addr)) { 734 | Value returned is $5 = 0x76eef630 "(\300\037\345\f\300\237", 735 | Breakpoint 33 at 0x76eef630: file libpthread/nptl/sysdeps/unix/sysv/linux/open.S, line 8. 
736 | ``` 737 | 738 | In the `sv.gdb` file there are breakpoints on the *open* and *read* functions but, unfortunately, these breakpoints are never hit; this is due to the way *uClibc* manages calls to these functions. For this reason a breakpoint has been put on the *_dl_find_hash* function, with a condition to pause only when the name to look up is *open* or *read*; when this happens, the associated commands issue a `finish` gdb command and then put a breakpoint on the address returned by this function, which is the address of the real *open* function. The `continue` command executes the program till the next breakpoint: 739 | 740 | ``` 741 | Breakpoint 33, 0x76eef630 in open () at libpthread/nptl/sysdeps/unix/sysv/linux/open.S:8 742 | 8 PSEUDO (__libc_open, open, 3) 743 | ----->filename: /dva-firm/DVA-5592_A1_WI_20180405.sig 744 | ----->filemode: 2 745 | ``` 746 | 747 | The program opens the firmware file. The `continue` command executes the program till the next breakpoint: 748 | 749 | ``` 750 | Breakpoint 23, __GI_lseek (fildes=4, offset=0, whence=2) at libc/sysdeps/linux/common/lseek.c:14 751 | 14 _syscall3(__off_t, lseek, int, fildes, __off_t, offset, int, whence) 752 | $6 = "----->whence=2: SEEK_END The offset is set to the size of the file plus offset bytes" 753 | (gdb) finish 754 | Run till exit from #0 __GI_lseek (fildes=4, offset=0, whence=2) at libc/sysdeps/linux/common/lseek.c:14 755 | Cannot access memory at address 0x0 756 | Cannot access memory at address 0x0 757 | 0x0000905c in ?? () 758 | Value returned is $7 = 24388793 759 | ``` 760 | 761 | The program executes the *lseek* library function to position the file offset pointer at the end of the firmware file; this is done to get the return value, which points to the last byte of this file and gives the length of the file: 24,388,793 is exactly the length of `DVA-5592_A1_WI_20180405.sig`. 
The `continue` command executes the program till the next breakpoint: 762 | 763 | ``` 764 | Breakpoint 23, __GI_lseek (fildes=4, offset=24388537, whence=0) at libc/sysdeps/linux/common/lseek.c:14 765 | 14 _syscall3(__off_t, lseek, int, fildes, __off_t, offset, int, whence) 766 | $8 = "----->whence=0: SEEK_SET The offset is set to offset bytes" 767 | ``` 768 | 769 | This time the *lseek* library function positions the file offset pointer at the end of the file minus 256 bytes. The `continue` command executes the program till the next breakpoint: 770 | 771 | ``` 772 | Breakpoint 32, _dl_find_hash (name=name@entry=0x8603 "read", scope=0x76ffd06c, mytpnt=0x76ffd030, type_class=type_class@entry=1, sym_ref=sym_ref@entry=0x0) 773 | at ldso/ldso/dl-hash.c:276 774 | 276 { 775 | _dl_linux_resolver (tpnt=, reloc_entry=) at ldso/ldso/arm/elfinterp.c:74 776 | 74 if (unlikely(!new_addr)) { 777 | Value returned is $9 = 0x76eef750 "(\300\037\345\f\300\237", 778 | Breakpoint 34 at 0x76eef750: file libpthread/nptl/sysdeps/unix/sysv/linux/read.S, line 8. 779 | ``` 780 | 781 | This breakpoint at `_dl_find_hash`, with *read* as the name parameter, and its associated commands serve to put a breakpoint at the return value of the function, which points to the real address of the *read* library function. This breakpoint is no longer needed and can be removed with `delete 32`. The `continue` command executes the program till the next breakpoint: 782 | 783 | ``` 784 | (gdb) delete 32 785 | (gdb) continue 786 | Continuing. 787 | 788 | Breakpoint 34, 0x76eef750 in read () at libpthread/nptl/sysdeps/unix/sysv/linux/read.S:8 789 | 8 PSEUDO (__libc_read, read, 3) 790 | ----->filedesc: 4 791 | ----->buf: 0x12008 792 | ----->len: 256 793 | $10 = "----->Bytes read and stored in buf (truncated at 256 bytes max)<-----" 794 | Cannot access memory at address 0x17424b9 795 | Cannot access memory at address 0x17424b9 796 | 0x00008dc8 in ?? 
() 797 | 00000000: 9f4a 8277 8e5f 763b 3e34 6e21 6c13 d4af .J.w._v;>4n!l... 798 | 00000010: 076d 073f 5e34 5fc1 3824 5c4b 9f28 5481 .m.?^4_.8$\K.(T. 799 | 00000020: 0a1b 5fdc 5333 ddd2 0fb9 0bdb 5c9f 7ea0 .._.S3......\.~. 800 | 00000030: 0114 831a ed51 a0a1 0bdc b130 f6ff cc42 .....Q.....0...B 801 | 00000040: 15b9 da23 5b7c 3ef7 5243 3cf2 4ca5 f8da ...#[|>.RC<.L... 802 | 00000050: 9dbe fbd1 10d9 1551 412b d22e bfd3 c338 .......QA+.....8 803 | 00000060: a035 b9c6 11e1 7ec3 d19f 8c23 136f 0038 .5....~....#.o.8 804 | 00000070: 537d cb42 75ad c8b2 5ea4 ad18 d474 0646 S}.Bu...^....t.F 805 | 00000080: d273 9cbe 0182 7cb4 fb47 3044 7a3f 64e1 .s....|..G0Dz?d. 806 | 00000090: bb31 1142 6f47 b57b 7e72 0bb3 78ab d728 .1.BoG.{~r..x..( 807 | 000000a0: f226 83aa e849 7c81 736e 80f4 94ee 8b83 .&...I|.sn...... 808 | 000000b0: fe50 9071 a29d e9de b7d4 b27d 8f2d 08fc .P.q.......}.-.. 809 | 000000c0: 0b26 853b 1629 9257 f3ff 7f8d ae10 3440 .&.;.).W......4@ 810 | 000000d0: 1cd4 5d41 4b7c 45b2 54e2 2958 9474 2ff9 ..]AK|E.T.)X.t/. 811 | 000000e0: 8d1d 20cf 7e5e ea17 973d a8b0 64ed 8b67 .. .~^...=..d..g 812 | 000000f0: b1cd 67dc 48a2 08bf 5b79 a3e4 e51f e1a7 ..g.H...[y...... 813 | ``` 814 | 815 | The program stops at the *read* function and, as expected after the *lseek* function, it reads the last 256 bytes of the firmware file. It is easy to verify that these are exactly the last 256 bytes of the file with the command on the host `xxd -s 24388537 DVA-5592_A1_WI_20180405.sig`. 816 | 817 | Why does the program read the last 256 bytes first? Probably because these 256 bytes are the signature to verify. 
The `continue` command executes the program till the next breakpoint: 818 | 819 | ``` 820 | Breakpoint 23, __GI_lseek (fildes=4, offset=0, whence=0) at libc/sysdeps/linux/common/lseek.c:14 821 | 14 _syscall3(__off_t, lseek, int, fildes, __off_t, offset, int, whence) 822 | $11 = "----->whence=0: SEEK_SET The offset is set to offset bytes" 823 | ``` 824 | 825 | The program calls *lseek* to position the file offset pointer at the beginning of the file. The `continue` command executes the program till the next breakpoint: 826 | 827 | ``` 828 | Breakpoint 17, gcry_md_open (h=0x7efffb24, algo=2, flags=0) at visibility.c:771 829 | 771 if (!fips_is_operational ()) 830 | $12 = "----->algo=2: GCRY_MD_SHA1" 831 | ``` 832 | 833 | The program stops at the *libgcrypt* function *gcry_md_open*; *md* stands for *Message Digest* and this is the first function to be called to start the *message digest* computation. The parameter *algo*, equal to 2, selects the SHA1 message digest; *flags*, equal to zero, means no special processing; and *h* is a handle to this processing. 834 | *libgcrypt* is documented in [The Libgcrypt Reference Manual](https://www.gnupg.org/documentation/manuals/gcrypt/). The `continue` command executes the program till the next breakpoint: 835 | 836 | ``` 837 | Breakpoint 33, 0x76eef630 in open () at libpthread/nptl/sysdeps/unix/sysv/linux/open.S:8 838 | 8 PSEUDO (__libc_open, open, 3) 839 | ----->filename: /etc/TZ 840 | ----->filemode: 0 841 | (gdb) cont 842 | Continuing. 843 | 844 | Breakpoint 33, 0x76eef630 in open () at libpthread/nptl/sysdeps/unix/sysv/linux/open.S:8 845 | 8 PSEUDO (__libc_open, open, 3) 846 | ----->filename: /etc/localtime 847 | ----->filemode: 0 848 | (gdb) cont 849 | Continuing. 850 | 851 | Breakpoint 31, _stdio_fopen (fname_or_mode=1996318136, mode=0x76fd617c "r", stream=0x0, filedes=-2) at libc/stdio/_fopen.c:34 852 | 34 { 853 | ----->fname_or_mode: /proc/sys/crypto/fips_enabled 854 | (gdb) cont 855 | Continuing. 
856 | 857 | Breakpoint 33, 0x76eef630 in open () at libpthread/nptl/sysdeps/unix/sysv/linux/open.S:8 858 | 8 PSEUDO (__libc_open, open, 3) 859 | ----->filename: /proc/sys/crypto/fips_enabled 860 | ----->filemode: 131072 861 | (gdb) cont 862 | Continuing. 863 | 864 | Breakpoint 16, gcry_md_get_algo_dlen (algo=2) at visibility.c:863 865 | 863 return _gcry_md_get_algo_dlen (algo); 866 | (gdb) finish 867 | Run till exit from #0 gcry_md_get_algo_dlen (algo=2) at visibility.c:863 868 | Cannot access memory at address 0x17424b9 869 | Cannot access memory at address 0x17424b9 870 | 0x00009180 in ?? () 871 | Value returned is $13 = 20 872 | ``` 873 | 874 | Some files are opened, presumably by *gcry_md_open*, till breakpoint 16, where there is a call to *gcry_md_get_algo_dlen*; this function returns the number of bytes of the digest yielded by the algorithm *algo* (SHA1 in our case), and the returned value is 20 bytes, as expected. The `continue` command executes the program till the next breakpoint: 875 | 876 | ``` 877 | Breakpoint 34, 0x76eef750 in read () at libpthread/nptl/sysdeps/unix/sysv/linux/read.S:8 878 | 8 PSEUDO (__libc_read, read, 3) 879 | ----->filedesc: 4 880 | ----->buf: 0x7effdb24 881 | ----->len: 8192 882 | $14 = "----->Bytes read and stored in buf (truncated at 256 bytes max)<-----" 883 | Cannot access memory at address 0x17424b9 884 | Cannot access memory at address 0x17424b9 885 | 0x000091b8 in ?? () 886 | 00000000: 7949 4d47 3100 4d55 4c54 495f 424f 4152 yIMG1.MULTI_BOAR 887 | 00000010: 4453 5f49 4400 0000 646c 696e 6b00 0000 DS_ID...dlink... 888 | 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 889 | 00000030: 4456 412d 3535 3932 5f41 315f 5749 5f32 DVA-5592_A1_WI_2 890 | 00000040: 3230 3138 2d30 342d 3131 2031 323a 3432 2018-04-11 12:42 891 | 00000050: 4d00 0000 3235 3600 0000 0000 0000 3234 M...256.......24 892 | 00000060: 3337 3936 3438 0000 0000 0000 0000 0000 379648.......... 
893 | 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 894 | 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 895 | 00000090: 4200 0000 3234 3337 3939 3034 0000 3838 B...24379904..88 896 | 000000a0: 0000 0000 0000 0000 5000 0000 3234 3337 ........P...2437 897 | 000000b0: 3939 3932 0000 3835 3435 0000 0000 0000 9992..8545...... 898 | 000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 899 | 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 900 | 000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 901 | 000000f0: c77e 2e79 9194 2f6f 8c88 3b67 7d26 2874 .~.y../o..;g}&(t 902 | ``` 903 | 904 | The first 8192 bytes are read from the firmware file starting at the beginning, as expected based on last *lseek* function call. The `continue` command executes the program till the next breakpoint: 905 | 906 | ``` 907 | Breakpoint 19, gcry_md_write (hd=0x12610, buffer=0x7effdb24, length=8192) at visibility.c:822 908 | 822 if (!fips_is_operational ()) 909 | $15 = "----->buffer content (truncated to first 256 bytes)<-----" 910 | 00000000: 7949 4d47 3100 4d55 4c54 495f 424f 4152 yIMG1.MULTI_BOAR 911 | 00000010: 4453 5f49 4400 0000 646c 696e 6b00 0000 DS_ID...dlink... 912 | 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 913 | 00000030: 4456 412d 3535 3932 5f41 315f 5749 5f32 DVA-5592_A1_WI_2 914 | 00000040: 3230 3138 2d30 342d 3131 2031 323a 3432 2018-04-11 12:42 915 | 00000050: 4d00 0000 3235 3600 0000 0000 0000 3234 M...256.......24 916 | 00000060: 3337 3936 3438 0000 0000 0000 0000 0000 379648.......... 917 | 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 918 | 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 919 | 00000090: 4200 0000 3234 3337 3939 3034 0000 3838 B...24379904..88 920 | 000000a0: 0000 0000 0000 0000 5000 0000 3234 3337 ........P...2437 921 | 000000b0: 3939 3932 0000 3835 3435 0000 0000 0000 9992..8545...... 
922 | 000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 923 | 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 924 | 000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 925 | 000000f0: c77e 2e79 9194 2f6f 8c88 3b67 7d26 2874 .~.y../o..;g}&(t 926 | ``` 927 | 928 | The pointer to the read buffer and its length are passed to the *gcry_md_write* function to update the digest value. These file reads and calls to the *gcry_md_write* function continue till the end of the firmware file minus the 256 bytes of the signature. So we can expect (file size - 256)/length calls to *read* and to *gcry_md_write*: `(24,388,793 - 256) / 8,192 = 2,977.116333`; this means 2,977 reads of 8,192 bytes plus one read of 953 bytes. To move forward to the end of the file reads, disable breakpoint 34 (on the *read* function) and stop at the 2,977th read (one read already done): 929 | 930 | ``` 931 | (gdb) disable 34 932 | (gdb) continue 2976 933 | Will ignore next 2975 crossings of breakpoint 19. Continuing. 934 | 935 | Breakpoint 19, gcry_md_write (hd=0x12610, buffer=0x7effdb24, length=8192) at visibility.c:822 936 | 822 if (!fips_is_operational ()) 937 | $16 = "----->buffer content (truncated to first 256 bytes)<-----" 938 | 00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 939 | 00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 940 | 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 941 | 00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 942 | 00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 943 | 00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 944 | 00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 945 | 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 946 | 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 947 | 00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 
948 | 000000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 949 | 000000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 950 | 000000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 951 | 000000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 952 | 000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 953 | 000000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 954 | (gdb) cont 955 | Continuing. 956 | 957 | Breakpoint 19, gcry_md_write (hd=0x12610, buffer=0x7effdb24, length=953) at visibility.c:822 958 | 822 if (!fips_is_operational ()) 959 | $17 = "----->buffer content (truncated to first 256 bytes)<-----" 960 | 00000000: 6262 f6da c21f a25d 47e5 9c3d 556c 1243 bb.....]G..=Ul.C 961 | 00000010: 6f2a c659 9804 e958 d868 7ae9 db8b 8bfb o*.Y...X.hz..... 962 | 00000020: 44f3 aa1c 81c8 db5e 27e6 e0c0 e55a ac69 D......^'....Z.i 963 | 00000030: 4899 46c7 b486 47f8 79fb 477e e03a e0b6 H.F...G.y.G~.:.. 964 | 00000040: 1df1 994c c9f3 5c67 3264 e4af 057b 437f ...L..\g2d...{C. 965 | 00000050: 5c68 d1df 5b18 eaa0 3c38 72a3 c145 cdc6 \h..[...<8r..E.. 966 | 00000060: 34d6 ba4b 1156 dfff 069b 0cec 2e5b 82ec 4..K.V.......[.. 967 | 00000070: 2c8a c7be 89b5 4c16 2414 937a 454b 9469 ,.....L.$..zEK.i 968 | 00000080: fe85 ae1c 05db ca4f b5d9 a982 49a8 e9d1 .......O....I... 969 | 00000090: 88c2 3176 4195 8653 5e17 ab43 cdb4 0a0f ..1vA..S^..C.... 970 | 000000a0: 4454 9d2b 1983 7db5 ae59 5d21 60e3 cdba DT.+..}..Y]!`... 971 | 000000b0: d2b4 94c2 f88f 1ee2 484b 6b1d e88a d3fe ........HKk..... 972 | 000000c0: fd61 e1fd afcd b927 f02b d845 8f85 eb7c .a.....'.+.E...| 973 | 000000d0: 8ab7 bebd 07c3 881a a847 1a23 8929 0f82 .........G.#.).. 974 | 000000e0: 67f6 b777 0841 d2db 4e1d cc26 83db d772 g..w.A..N..&...r 975 | 000000f0: 7d9d ae52 4af6 056a 74ce 620a d3f6 fc9a }..RJ..jt.b..... 976 | ``` 977 | 978 | As expected the last read is of the last 953 bytes of the firmware file, before the 256 bytes of signature. 
The `continue` command executes the program till the next breakpoint: 979 | 980 | ``` 981 | Breakpoint 15, gcry_md_ctl (hd=0x12610, cmd=5, buffer=0x0, buflen=0) at visibility.c:814 982 | 814 if (!fips_is_operational ()) 983 | $18 = "----->cmd=5: GCRYCTL_FINALIZE" 984 | ``` 985 | 986 | The program stops at the *gcry_md_ctl* function to finalize the message digest computation. The `continue` command executes the program till the next breakpoint: 987 | 988 | ``` 989 | Breakpoint 18, gcry_md_read (hd=0x12610, algo=2) at visibility.c:833 990 | 833 return _gcry_md_read (hd, algo); 991 | Cannot access memory at address 0x17424b9 992 | Cannot access memory at address 0x17424b9 993 | 0x0000920c in ?? () 994 | Value returned is $19 = (unsigned char *) 0x12a70 "&\372\344|\200\264\035kk\274lM2\213v\366O\365\345+" 995 | $20 = "-----> Message Digest <-----" 996 | 0x12a70: 0x26 0xfa 0xe4 0x7c 0x80 0xb4 0x1d 0x6b 997 | 0x12a78: 0x6b 0xbc 0x6c 0x4d 0x32 0x8b 0x76 0xf6 998 | 0x12a80: 0x4f 0xf5 0xe5 0x2b 999 | ``` 1000 | 1001 | The program calls *gcry_md_read* to read the 20 bytes of the SHA1 message digest, the returned value is exactly the SHA1 message digest of the firmware file minus the last 256 bytes. 
It is easy to verify that this is exactly the SHA1 of the firmware file, minus the 256 bytes, with the following command on the host (it takes some time): 1002 | 1003 | ``` 1004 | valerio@ubuntu-hp:~/$ dd if=DVA-5592_A1_WI_20180405.sig bs=1 count=24388537 | sha1sum - 1005 | 24388537+0 records in 1006 | 24388537+0 records out 1007 | 24388537 bytes (24 MB, 23 MiB) copied, 39,1201 s, 623 kB/s 1008 | 26fae47c80b41d6b6bbc6c4d328b76f64ff5e52b - 1009 | ``` 1010 | The `continue` command, in the debugging session, executes the program till the next breakpoint: 1011 | 1012 | ``` 1013 | Breakpoint 14, gcry_check_version (req_version=0x0) at visibility.c:68 1014 | 68 return _gcry_check_version (req_version); 1015 | ``` 1016 | 1017 | The *gcry_check_version* function initializes some subsystems used by Libgcrypt and must be invoked before any other crypto functions. The `continue` command executes the program till the next breakpoint: 1018 | 1019 | ``` 1020 | Breakpoint 22, gcry_sexp_build (retsexp=0x7efffb24, erroff=0x0, format=0x9634 "(data (flags pkcs1) (hash sha1 %b))") at visibility.c:114 1021 | 114 va_start (arg_ptr, format); 1022 | 115 err = _gcry_sexp_vbuild (retsexp, erroff, format, arg_ptr); 1023 | (gdb) bprint 1024 | ----->arg_ptr: 0x7efffb04 1025 | $21 = "----->%b variable<-----" 1026 | -----> len: 14 1027 | -----> buf: 12a70 1028 | $22 = "----->buffer<-----" 1029 | 00000000: 26fa e47c 80b4 1d6b 6bbc 6c4d 328b 76f6 &..|...kk.lM2.v. 1030 | 00000010: 4ff5 e52b O..+ 1031 | Cannot access memory at address 0x17424b9 1032 | Cannot access memory at address 0x17424b9 1033 | 0x00009270 in ?? () 1034 | Value returned is $22 = 0 1035 | -----> *retsexp: 0x12ab8 1036 | ``` 1037 | 1038 | The program stops at *gcry_sexp_build*, which is used to build an internal representation of an s-expression used in public/private key computations. In `sv.gdb` there is the macro `bprint` to print the `%b` argument, based on the Libgcrypt documentation. 
It is easy to spot that this s-expression is the SHA1 message digest of the file, minus the last 256 bytes. The handle (`*retsexp`) of this s-expression is **0x12ab8**. The `continue` command executes the program till the next breakpoint: 1039 | 1040 | ``` 1041 | Breakpoint 22, gcry_sexp_build (retsexp=0x7efffb20, erroff=0x0, format=0x967b "(sig-val (rsa (s %b)))") at visibility.c:114 1042 | 114 va_start (arg_ptr, format); 1043 | 115 err = _gcry_sexp_vbuild (retsexp, erroff, format, arg_ptr); 1044 | (gdb) bprint 1045 | ----->arg_ptr: 0x7efffb04 1046 | $24 = "----->%b variable<-----" 1047 | -----> len: 100 1048 | -----> buf: 12008 1049 | $25 = "----->buffer<-----" 1050 | 00000000: 9f4a 8277 8e5f 763b 3e34 6e21 6c13 d4af .J.w._v;>4n!l... 1051 | 00000010: 076d 073f 5e34 5fc1 3824 5c4b 9f28 5481 .m.?^4_.8$\K.(T. 1052 | 00000020: 0a1b 5fdc 5333 ddd2 0fb9 0bdb 5c9f 7ea0 .._.S3......\.~. 1053 | 00000030: 0114 831a ed51 a0a1 0bdc b130 f6ff cc42 .....Q.....0...B 1054 | 00000040: 15b9 da23 5b7c 3ef7 5243 3cf2 4ca5 f8da ...#[|>.RC<.L... 1055 | 00000050: 9dbe fbd1 10d9 1551 412b d22e bfd3 c338 .......QA+.....8 1056 | 00000060: a035 b9c6 11e1 7ec3 d19f 8c23 136f 0038 .5....~....#.o.8 1057 | 00000070: 537d cb42 75ad c8b2 5ea4 ad18 d474 0646 S}.Bu...^....t.F 1058 | 00000080: d273 9cbe 0182 7cb4 fb47 3044 7a3f 64e1 .s....|..G0Dz?d. 1059 | 00000090: bb31 1142 6f47 b57b 7e72 0bb3 78ab d728 .1.BoG.{~r..x..( 1060 | 000000a0: f226 83aa e849 7c81 736e 80f4 94ee 8b83 .&...I|.sn...... 1061 | 000000b0: fe50 9071 a29d e9de b7d4 b27d 8f2d 08fc .P.q.......}.-.. 1062 | 000000c0: 0b26 853b 1629 9257 f3ff 7f8d ae10 3440 .&.;.).W......4@ 1063 | 000000d0: 1cd4 5d41 4b7c 45b2 54e2 2958 9474 2ff9 ..]AK|E.T.)X.t/. 1064 | 000000e0: 8d1d 20cf 7e5e ea17 973d a8b0 64ed 8b67 .. .~^...=..d..g 1065 | 000000f0: b1cd 67dc 48a2 08bf 5b79 a3e4 e51f e1a7 ..g.H...[y...... 1066 | Cannot access memory at address 0x17424b9 1067 | Cannot access memory at address 0x17424b9 1068 | 0x00009294 in ?? 
() 1069 | Value returned is $25 = 0 1070 | -----> *retsexp: 0x12b20 1071 | ``` 1072 | 1073 | The program stops again at the *gcry_sexp_build*, but this time the s-expression is the signature (last 256 bytes of the firmware file). The handle of this s-expression is **0x12b20**. The `continue` command executes the program till the next breakpoint: 1074 | 1075 | ``` 1076 | Breakpoint 20, gcry_mpi_scan (ret_mpi=0x7efffb18, format=GCRYMPI_FMT_USG, buffer=0x937c, buflen=3, nscanned=0x0) at visibility.c:299 1077 | 299 return _gcry_mpi_scan (ret_mpi, format, buffer, buflen, nscanned); 1078 | $26 = "----->buffer content<-----" 1079 | 00000000: 0100 01 ... 1080 | (gdb) dump binary memory exponent.bin buffer buffer+buflen 1081 | ``` 1082 | 1083 | The program stops at the *gcry_mpi_scan* function that is used to store an internal representation of an MPI (Multi Precision Integer) passed as parameter. In this case the MPI is a not so big integer, probably it is the *exponent* (the public key contains two MPIs: the exponent and the modulus). For later use this MPI is saved in the file `exponent.bin`. The `continue` command executes the program till the next breakpoint: 1084 | 1085 | ``` 1086 | Breakpoint 20, gcry_mpi_scan (ret_mpi=0x7efffb14, format=GCRYMPI_FMT_USG, buffer=0x94d3, buflen=256, nscanned=0x0) at visibility.c:299 1087 | 299 return _gcry_mpi_scan (ret_mpi, format, buffer, buflen, nscanned); 1088 | $27 = "----->buffer content<-----" 1089 | 00000000: cd95 2148 7977 6b6d 68ce ae09 7148 e9d5 ..!Hywkmh...qH.. 1090 | 00000010: 38b9 9f74 e7cf 7b25 ea48 7e74 af5a 28b2 8..t..{%.H~t.Z(. 1091 | 00000020: 6162 c9e0 f35d 3dfe 6a41 20b5 7f13 e9db ab...]=.jA ..... 1092 | 00000030: 3972 eaac 6af6 2492 abaf 38c0 6756 e0f7 9r..j.$...8.gV.. 1093 | 00000040: 86e9 5d01 30c9 5098 09e4 457a 8eb5 7ef1 ..].0.P...Ez..~. 1094 | 00000050: 7dda 782b ea9a a927 d3f0 d954 52cb 61cf }.x+...'...TR.a. 1095 | 00000060: 5cb8 c0e5 214c 21ec ea01 da43 3b76 6813 \...!L!....C;vh. 
1096 | 00000070: 6612 6eba cc5a e680 3ea6 0460 bb4b f5d4 f.n..Z..>..`.K.. 1097 | 00000080: 300c c6cb 7ad6 5f10 bddd ff71 868b 3c8e 0...z._....q..<. 1098 | 00000090: 6b1e f3fd 0c76 c040 af47 aac1 a0a5 e899 k....v.@.G...... 1099 | 000000a0: 3131 12d1 f658 4264 2e48 0fba 0b65 ba1a 11...XBd.H...e.. 1100 | 000000b0: eace 42a7 2789 e8c7 b968 4c86 7c86 0f93 ..B.'....hL.|... 1101 | 000000c0: dcbf 3e88 9581 bcc1 ad5b 26bf 0d4c d3e0 ..>......[&..L.. 1102 | 000000d0: eb14 0849 4947 4002 6944 b0c9 014f ab4a ...IIG@.iD...O.J 1103 | 000000e0: e9d1 b14a 0185 b665 4b54 6545 72ea e898 ...J...eKTeEr... 1104 | 000000f0: b020 1bee 011c ea31 5f5f 9919 9b2a bf9f . .....1__...*.. 1105 | (gdb) dump binary memory modulus.bin buffer buffer+buflen 1106 | ``` 1107 | 1108 | The program stops again at the *gcry_mpi_scan* function, but this time to store the *modulus*, the second, and last, MPI associated to the public key. For later use this MPI is saved in the file `modulus.bin`. The `continue` command executes the program till the next breakpoint: 1109 | 1110 | ``` 1111 | Breakpoint 22, gcry_sexp_build (retsexp=0x7efffb1c, erroff=0x0, format=0x96d8 "(public-key (rsa (n %m) (e %m)))") at visibility.c:114 1112 | 114 va_start (arg_ptr, format); 1113 | 115 err = _gcry_sexp_vbuild (retsexp, erroff, format, arg_ptr); 1114 | (gdb) mpiprint 1115 | ----->arg_ptr: 0x7efffb04 1116 | $28 = "----->gcry_mpi_t variable nr. 1<-----" 1117 | $29 = {alloced = 0x40, nlimbs = 0x40, sign = 0x0, flags = 0x0, d = 0x12d88} 1118 | $30 = "----->MPI Multi Precision Integer" 1119 | 00000000: 9fbf 2a9b 1999 5f5f 31ea 1c01 ee1b 20b0 ..*...__1..... . 1120 | 00000010: 98e8 ea72 4565 544b 65b6 8501 4ab1 d1e9 ...rEeTKe...J... 1121 | 00000020: 4aab 4f01 c9b0 4469 0240 4749 4908 14eb J.O...Di.@GII... 1122 | 00000030: e0d3 4c0d bf26 5bad c1bc 8195 883e bfdc ..L..&[......>.. 1123 | 00000040: 930f 867c 864c 68b9 c7e8 8927 a742 ceea ...|.Lh....'.B.. 
1124 | 00000050: 1aba 650b ba0f 482e 6442 58f6 d112 3131 ..e...H.dBX...11
1125 | 00000060: 99e8 a5a0 c1aa 47af 40c0 760c fdf3 1e6b ......G.@.v....k
1126 | 00000070: 8e3c 8b86 71ff ddbd 105f d67a cbc6 0c30 .<..q...._.z...0
1127 | 00000080: d4f5 4bbb 6004 a63e 80e6 5acc ba6e 1266 ..K.`..>..Z..n.f
1128 | 00000090: 1368 763b 43da 01ea ec21 4c21 e5c0 b85c .hv;C....!L!...\
1129 | 000000a0: cf61 cb52 54d9 f0d3 27a9 9aea 2b78 da7d .a.RT...'...+x.}
1130 | 000000b0: f17e b58e 7a45 e409 9850 c930 015d e986 .~..zE...P.0.]..
1131 | 000000c0: f7e0 5667 c038 afab 9224 f66a acea 7239 ..Vg.8...$.j..r9
1132 | 000000d0: dbe9 137f b520 416a fe3d 5df3 e0c9 6261 ..... Aj.=]...ba
1133 | 000000e0: b228 5aaf 747e 48ea 257b cfe7 749f b938 .(Z.t~H.%{..t..8
1134 | 000000f0: d5e9 4871 09ae ce68 6d6b 7779 4821 95cd ..Hq...hmkwyH!..
1135 | $31 = "----->", '-' , "<-----"
1136 | $32 = "----->gcry_mpi_t variable nr. 2<-----"
1137 | $33 = {alloced = 0x1, nlimbs = 0x1, sign = 0x0, flags = 0x0, d = 0x12d60}
1138 | $34 = "----->MPI Multi Precision Integer"
1139 | 00000000: 0100 0100 ....
1140 | Cannot access memory at address 0x17424b9
1141 | Cannot access memory at address 0x17424b9
1142 | 0x00009314 in ?? ()
1143 | Value returned is $35 = 0
1144 | -----> *retsexp: 0x12e90
1145 | ```
1146 |
1147 | The program stops at *gcry_sexp_build* to build the third and last s-expression, the *Public Key* s-expression. The macro `mpiprint` prints the two MPIs passed for the `%m` format specifiers, and it is easy to spot that these are the modulus and the exponent, but written in reverse byte order because the internal representation puts the most significant bytes first. The handle of this s-expression is **0x12e90**.
The `continue` command runs the program until the next breakpoint:
1148 |
1149 | ```
1150 | Breakpoint 21, gcry_pk_verify (sigval=0x12b20, data=0x12ab8, pkey=0x12e90) at visibility.c:666
1151 | 666 if (!fips_is_operational ())
1152 | (gdb) finish
1153 | Run till exit from #0 gcry_pk_verify (sigval=0x12b20, data=0x12ab8, pkey=0x12e90) at visibility.c:666
1154 | Cannot access memory at address 0x17424b9
1155 | Cannot access memory at address 0x17424b9
1156 | 0x00009330 in ?? ()
1157 | Value returned is $35 = 0
1158 | ```
1159 |
1160 | The program calls the *gcry_pk_verify* function, which takes as parameters:
1161 | * sigval, the signature s-expression (**0x12b20**)
1162 | * data, the SHA1 message digest s-expression (**0x12ab8**)
1163 | * pkey, the Public Key s-expression (**0x12e90**)
1164 | This function checks whether the signature is valid; it returns `0`, which means that the signature is valid. The `continue` command runs the program until the next breakpoint:
1165 |
1166 | ```
1167 | Breakpoint 5, __GI_exit (rv=0) at libc/stdlib/_atexit.c:338
1168 | 338 {
1169 | (gdb) continue
1170 | Continuing.
1171 | [Inferior 1 (process 511) exited normally]
1172 | ```
1173 |
1174 | The program stops at the *exit* library call and exits with `0` as its exit status, meaning that the file signature has been successfully verified.
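The check that the trace above ends in can be written out in a few lines of Python. This is an added example, not code from this repository; it assumes PKCS#1 v1.5 padding and that the SHA1 digest covers every byte before the trailing signature (neither is stated in this section), and the function names, the toy key and the sample payload are constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo header for SHA-1 (RFC 8017, section 9.2)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15_sha1(payload: bytes, k: int) -> bytes:
    """Block a valid signature must open to: 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_DIGESTINFO + hashlib.sha1(payload).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for a SHA-1 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_trailing_signature(image: bytes, modulus: bytes, exponent: bytes) -> bool:
    """image = payload || signature. modulus and exponent are big-endian byte
    strings, as in the buffers dumped to modulus.bin and exponent.bin."""
    n = int.from_bytes(modulus, "big")
    e = int.from_bytes(exponent, "big")
    k = (n.bit_length() + 7) // 8              # signature size in bytes
    if k < 46 or len(image) <= k:              # 46 = 35-byte DigestInfo + 11
        return False
    payload, sig = image[:-k], int.from_bytes(image[-k:], "big")
    if sig >= n:                               # outside the valid RSA range
        return False
    opened = pow(sig, e, n).to_bytes(k, "big")
    # Compare the whole block: lenient padding parsers are forgeable.
    return hmac.compare_digest(opened, emsa_pkcs1_v15_sha1(payload, k))

def limb_dump_to_int(dump: bytes) -> int:
    """Value of an MPI from an mpiprint memory dump (reverse byte order)."""
    return int.from_bytes(dump, "little")

def constructed_demo():
    """Toy key from two Mersenne primes (constructed, not a real key):
    sign a made-up image, then verify it intact and with one byte changed."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    payload = b"constructed firmware payload"
    em = int.from_bytes(emsa_pkcs1_v15_sha1(payload, k), "big")
    image = payload + pow(em, d, n).to_bytes(k, "big")
    mod, exp = n.to_bytes(k, "big"), e.to_bytes(3, "big")
    tampered = b"X" + image[1:]
    return (verify_trailing_signature(image, mod, exp),
            verify_trailing_signature(tampered, mod, exp))

if __name__ == "__main__":
    print(constructed_demo())
```

`limb_dump_to_int` reads the 4-byte `mpiprint` dump `0100 0100` as 65537, the same value as the 3-byte `gcry_mpi_scan` buffer `0100 01` read big-endian.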
1175 |
1176 | ### Generate a Public Key file in *pem* format with the MPIs in `sig_verify`
1177 |
1178 | At breakpoint 20, which is hit twice, the MPIs (Multi Precision Integers) of the Public Key were saved in the files `exponent.bin` and `modulus.bin`. Using these MPIs it is possible to generate a Public Key in a standard PEM or DER format: the script `pub-key/pubkey-gen.sh`, using openssl and an ASN1 template, generates the Public Key files `pub-key/pubkey.der` and `pub-key/pubkey.pem` with the following commands:
1179 |
1180 | ```
1181 | valerio@ubuntu-hp:~/dva-5592/mirror-nas-dva/br-dva-emu/dvaemu$ cd pub-key/
1182 | valerio@ubuntu-hp:~/br/buildroot-armv7/pub-key$ ./pubkey-gen.sh pubkey-def.asn1 ../qemu-run/modulus.bin ../qemu-run/exponent.bin
1183 | modsize: 256
1184 | expsize: 3
1185 | writing RSA key
1186 | valerio@ubuntu-hp:~/br/buildroot-armv7/pub-key$ ls -l pubkey.der pubkey.pem
1187 | -rwxr-xr-x 1 valerio valerio 294 set 21 22:41 pubkey.der
1188 | -rwxr-xr-x 1 valerio valerio 451 set 21 22:41 pubkey.pem
1189 | ```
1190 |
1191 | ### `mysig_verify`: a script that does the same job as `sig_verify`
1192 |
1193 | The script `pub-key/mysig_verify`, using *openssl* and the Public Key in *pem* format generated in the previous paragraph, does exactly the same job as `sig_verify`: it checks whether the file passed as argument has a valid signature:
1194 |
1195 | ```
1196 | valerio@ubuntu-hp:~/dva-5592/mirror-nas-dva/br-dva-emu/dvaemu$ cd pub-key/
1197 | valerio@ubuntu-hp:~/br/buildroot-armv7/pub-key$ ./mysig_verify.sh ~/mod-kit/input/DVA
1198 | DVA-5592_A1_WI_20180405.sig DVA.con DVA.sig
1199 | valerio@ubuntu-hp:~/br/buildroot-armv7/pub-key$ ./mysig_verify.sh ~/mod-kit/input/DVA-5592_A1_WI_20180405.sig
1200 | Verified OK
1201 | valerio@ubuntu-hp:~/br/buildroot-armv7/pub-key$
1202 | ```
1203 |
1204 | ### Conclusion on reverse engineering `sig_verify`
1205 |
1206 | The executable `sig_verify` has no debugging information and is stripped, but
by following many of the library calls it makes, it has been possible to understand completely what it does and to write a script, using *openssl*, that does exactly the same job. The reverse engineering process has been successfully completed.
1207 |
1208 | Unfortunately, this success has not solved the problem of creating a firmware file that can be successfully loaded into the router because, without the Private Key, it is not possible to sign an unofficial firmware.
1209 |
1210 | In the folder `/etc/certs/` of the router there are some Private Key files, but none of them corresponds to the Public Key embedded in the `sig_verify` executable.
1211 |
1212 | Searching all the files in the router's root file system for the binary sequence of the MPI modulus shows that these MPIs are embedded in the boot loader and in the package manager `opkg`; this package manager is used, locally, in the last phase of the firmware update. This probably means that both the kernel and the packages added at the end of the firmware upgrade process are signed with the supplier's private key.
1213 |
--------------------------------------------------------------------------------
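For the README step "Generate a Public Key file in *pem* format" above: what an ASN.1 template plus openssl produce from the two MPIs can also be built by hand. This is an added example, not the repository's `pubkey-gen.sh`; it assumes the output files are the standard SubjectPublicKeyInfo encoding, which the 294-byte and 451-byte sizes in the listing are consistent with, and the function names and the sample modulus are constructed stand-ins.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption (1.2.840.113549.1.1.1), NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag + DER length (short form below 128, long form otherwise) + content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_uint(raw: bytes) -> bytes:
    """Unsigned big-endian MPI -> DER INTEGER: minimal length, plus a 00
    byte when the top bit is set so the value is not read as negative."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)

def rsa_spki_der(modulus: bytes, exponent: bytes) -> bytes:
    rsa_key = der_tlv(0x30, der_uint(modulus) + der_uint(exponent))  # RSAPublicKey
    bit_string = der_tlv(0x03, b"\x00" + rsa_key)                     # 0 unused bits
    return der_tlv(0x30, RSA_ALG_ID + bit_string)                     # SubjectPublicKeyInfo

def pem_wrap(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")

# Constructed stand-ins shaped like the dumped MPIs: a 256-byte modulus whose
# first byte is 0xcd, and the 3-byte exponent 01 00 01.
SAMPLE_MODULUS = b"\xcd" + bytes(range(255))
SAMPLE_EXPONENT = bytes.fromhex("010001")

if __name__ == "__main__":
    der = rsa_spki_der(SAMPLE_MODULUS, SAMPLE_EXPONENT)
    print(len(der), len(pem_wrap(der)))
```

The sizes depend only on the MPI lengths and on the modulus having its top bit set, so the stand-in yields the same 294 and 451 bytes as the files listed in the README.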