[LEDE-DEV] bcm53xx: MD5 checksum over too few bytes of firmware breaks kernel booting

Rafał Miłecki zajec5 at gmail.com
Mon Jun 20 05:33:08 PDT 2016


My DIR-885L has the following partitions:

[    1.034740] Creating 1 MTD partitions on "brcmnand.0":
[    1.039896] 0x000000000000-0x000008000000 : "firmware"
[    1.075568] 2 seama-fw partitions found on MTD device firmware
[    1.081429] 0x000000000040-0x000000400000 : "kernel"
[    1.086983] 0x000000400000-0x000008000000 : "ubi"

As you can guess kernel's content doesn't change and ubi's content
does. It means we should calculate firmware checksum over 0x40000 -
0x40 = 0x3fffc0 bytes.

Unfortunately after executing:
mtd -c 0x3fffc0 fixseama firmware
and rebooting, LEDE's kernel doesn't boot anymore. It hangs at the
last CFE message:
Starting program at 0x00008000

Executing any of the following:
mtd -c 0x73ffc0 fixseama firmware
mtd -c 0x72ffc0 fixseama firmware
mtd -c 0x70ffc0 fixseama firmware
mtd -c 0x4fffc0 fixseama firmware
mtd -c 0x4bffc0 fixseama firmware
mtd -c 0x4affc0 fixseama firmware
mtd -c 0x49ffc0 fixseama firmware
mtd -c 0x48ffc0 fixseama firmware
doesn't break anything.

Executing any of the following:
mtd -c 0x47ffc0 fixseama firmware
mtd -c 0x46ffc0 fixseama firmware
mtd -c 0x45ffc0 fixseama firmware
mtd -c 0x3fffc0 fixseama firmware
breaks kernel booting.

CFE never complains about image, MD5 is always OK:
  image size : 4194240 bytes
verify_seama: signature=[(null)], type=[firmware]
  checksum   : FFC3A82405FB59C67825A0BEAE79BAA2
  digest     : FFC3A82405FB59C67825A0BEAE79BAA2

I also dumped 0x400000 B of firmware data after both commands:
mtd -c 0x48ffc0 fixseama firmware (WORKING)
mtd -c 0x47ffc0 fixseama firmware (NOT WORKING)
and the only difference is size and MD5 in a header.

-- 
Rafał
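
The observation above (both dumps pass the MD5 check and differ only in the header's size and MD5) can be checked mechanically on two dumps. This is an added example, not part of the original message and not LEDE's or CFE's code; it assumes the sealed SEAMA header layout given in the comments, with the digest taken over the data that follows the meta block, and `seal()` and the sample bytes are constructed for the demonstration.

```python
import hashlib
import struct

# Assumed sealed-SEAMA header layout (big-endian), not taken from the post:
# magic, reserved, metasize, image size, MD5 of the image data.
SEAMA_MAGIC = 0x5EA3A417
HDR = struct.Struct(">IHHI16s")
FIELDS = ("magic", "reserved", "metasize", "size", "md5")


def parse_header(blob):
    if len(blob) < HDR.size:
        raise ValueError("dump shorter than a SEAMA header")
    hdr = dict(zip(FIELDS, HDR.unpack_from(blob)))
    if hdr["magic"] != SEAMA_MAGIC:
        raise ValueError("bad SEAMA magic 0x%08x" % hdr["magic"])
    hdr["data_offset"] = HDR.size + hdr["metasize"]
    return hdr


def verify(blob):
    """Recompute MD5 over the declared size; report how much of the dump it skips."""
    hdr = parse_header(blob)
    end = hdr["data_offset"] + hdr["size"]
    if end > len(blob):
        raise ValueError("declared size runs past the end of the dump")
    digest = hashlib.md5(blob[hdr["data_offset"]:end]).digest()
    return {"md5_ok": digest == hdr["md5"], "covered": hdr["size"],
            "uncovered": len(blob) - end}


def changed_fields(dump_a, dump_b):
    """Header fields that differ, plus whether anything after the header differs."""
    a, b = parse_header(dump_a), parse_header(dump_b)
    diff = [f for f in FIELDS if a[f] != b[f]]
    return diff, dump_a[HDR.size:] != dump_b[HDR.size:]


def seal(meta, data, size):
    """Constructed test input: a header whose MD5 covers the first `size` data bytes."""
    md5 = hashlib.md5(data[:size]).digest()
    return HDR.pack(SEAMA_MAGIC, 0, len(meta), size, md5) + meta + data


if __name__ == "__main__":
    data = bytes(range(256)) * 4                   # constructed stand-in for firmware
    short, long_ = seal(b"dev=demo", data, 0x100), seal(b"dev=demo", data, 0x300)
    for name, dump in (("short", short), ("long", long_)):
        print(name, verify(dump))
    print(changed_fields(short, long_))
```

A passing `md5_ok` only covers the declared size; the `uncovered` count shows how many bytes of the dump the digest says nothing about.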
