Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
On 22 September 2014 16:42, swigger wrote:
> NO, not seama. Seama is only a container, not an encrypted format.
>
> The original OEM firmware is encrypted by AES ECB mode and have a
> RSA-1024 signuature.
> The aes key is base64_decode("lbhySwdj31NGnuebNn9FmQ==");
>
> The oem's upgrade firmware web page ONLY allows encrypted firmware
> while the u-boot allows only decrypted.
>
Got it. At least flashing through U-Boot is available :)
> There is a program in OEM firwmare whose path is /usr/sbin/rom_decrypt
> to decrypt OEM firmware.
>
> Encrypted OEM firmware can be downloaded at
> http://luyou.360.cn/rom.html (Simplified Chinese Only).
>
Thank you for the information. It's really useful and saves me a lot of time.
Regards.
yousong
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
Flashing back to OEM through OpenWrt's sysupgrade process is also OK, but you should cut-off extra seama header from the decrypted OEM firmware. then just run: mtd -r write your-decrypted-oem-firmware firmware On Mon, Sep 22, 2014 at 4:10 PM, Yousong Zhou wrote: > Just got the device... Wow > > On 22 September 2014 15:47, swigger wrote: >> Well, it's a good idea. >> But I don't know how to create a wiki page. >> >> QIhoo 360 C301 (http://luyou.360.cn/parameter.html, Simplified Chinese >> ONLY), has two 16M flash. >> The first flash is full functional, and the second has just a backup >> firmware. >> U-boot will boot into the second flash when it believes firmware on >> the first is broken. >> > > Yeah, when (image1trynum > imagemaxtry) with imagemaxtry defaults to > 3, and in this case, image1status would be set to 1 to mark it as not > viable. > >> To flash openwrt, disconnect power source, hold down the reset button >> and power on, keep holding reset button for about 20 seconds. >> Go to http://192.168.1.1 and upload the openwrt firmware to flash. >> > > Good. > >> To flash back to OEM firmware from openwrt, use the same instructions >> above and upload a decrypted OEM firmware which can be founded >> somewhere by a search engine. >> > > How about flashing back through OpenWrt's sysupgrade process? > >> There is also some tools for decrypting OEM firmware (no tool for >> encrypting yet), but they are not part of openwrt, so it is not >> necessary to discuss here. > > You mean seama? That code is already in OpenWrt. > > I think I have a better patch for working with this U-Boot. Please > hold on for a moment. > > Regards > >yousong ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
NO, not seama. Seama is only a container, not an encrypted format.
The original OEM firmware is encrypted by AES ECB mode and have a
RSA-1024 signuature.
The aes key is base64_decode("lbhySwdj31NGnuebNn9FmQ==");
The oem's upgrade firmware web page ONLY allows encrypted firmware
while the u-boot allows only decrypted.
There is a program in OEM firwmare whose path is /usr/sbin/rom_decrypt
to decrypt OEM firmware.
Encrypted OEM firmware can be downloaded at
http://luyou.360.cn/rom.html (Simplified Chinese Only).
On Mon, Sep 22, 2014 at 4:10 PM, Yousong Zhou wrote:
> Just got the device... Wow
>
> On 22 September 2014 15:47, swigger wrote:
>> Well, it's a good idea.
>> But I don't know how to create a wiki page.
>>
>> QIhoo 360 C301 (http://luyou.360.cn/parameter.html, Simplified Chinese
>> ONLY), has two 16M flash.
>> The first flash is full functional, and the second has just a backup
>> firmware.
>> U-boot will boot into the second flash when it believes firmware on
>> the first is broken.
>>
>
> Yeah, when (image1trynum > imagemaxtry) with imagemaxtry defaults to
> 3, and in this case, image1status would be set to 1 to mark it as not
> viable.
>
>> To flash openwrt, disconnect power source, hold down the reset button
>> and power on, keep holding reset button for about 20 seconds.
>> Go to http://192.168.1.1 and upload the openwrt firmware to flash.
>>
>
> Good.
>
>> To flash back to OEM firmware from openwrt, use the same instructions
>> above and upload a decrypted OEM firmware which can be founded
>> somewhere by a search engine.
>>
>
> How about flashing back through OpenWrt's sysupgrade process?
>
>> There is also some tools for decrypting OEM firmware (no tool for
>> encrypting yet), but they are not part of openwrt, so it is not
>> necessary to discuss here.
>
> You mean seama? That code is already in OpenWrt.
>
> I think I have a better patch for working with this U-Boot. Please
> hold on for a moment.
>
> Regards
>
>yousong
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
Just got the device... Wow On 22 September 2014 15:47, swigger wrote: > Well, it's a good idea. > But I don't know how to create a wiki page. > > QIhoo 360 C301 (http://luyou.360.cn/parameter.html, Simplified Chinese > ONLY), has two 16M flash. > The first flash is full functional, and the second has just a backup firmware. > U-boot will boot into the second flash when it believes firmware on > the first is broken. > Yeah, when (image1trynum > imagemaxtry) with imagemaxtry defaults to 3, and in this case, image1status would be set to 1 to mark it as not viable. > To flash openwrt, disconnect power source, hold down the reset button > and power on, keep holding reset button for about 20 seconds. > Go to http://192.168.1.1 and upload the openwrt firmware to flash. > Good. > To flash back to OEM firmware from openwrt, use the same instructions > above and upload a decrypted OEM firmware which can be founded > somewhere by a search engine. > How about flashing back through OpenWrt's sysupgrade process? > There is also some tools for decrypting OEM firmware (no tool for > encrypting yet), but they are not part of openwrt, so it is not > necessary to discuss here. You mean seama? That code is already in OpenWrt. I think I have a better patch for working with this U-Boot. Please hold on for a moment. Regards yousong ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
Well, it's a good idea. But I don't know how to create a wiki page. QIhoo 360 C301 (http://luyou.360.cn/parameter.html, Simplified Chinese ONLY), has two 16M flash. The first flash is full functional, and the second has just a backup firmware. U-boot will boot into the second flash when it believes firmware on the first is broken. To flash openwrt, disconnect power source, hold down the reset button and power on, keep holding reset button for about 20 seconds. Go to http://192.168.1.1 and upload the openwrt firmware to flash. To flash back to OEM firmware from openwrt, use the same instructions above and upload a decrypted OEM firmware which can be founded somewhere by a search engine. There is also some tools for decrypting OEM firmware (no tool for encrypting yet), but they are not part of openwrt, so it is not necessary to discuss here. On Mon, Sep 22, 2014 at 2:01 PM, Yousong Zhou wrote: >>> On 2014/9/20 17:18, swigger wrote: Openwrt recently adds Qihoo [NYSE:QIHU] C301 router support. However, this router has a backup firmware in the second flash and the current trunk can only boot 3 times before u-boot boots into that backup firmware. This is a stratgy for unbricking. This patch makes u-boot happy. > > I do not have a device of this, but looks like it has some quirks that > needs to be taken care of. How about creating a wiki page for this > and documenting your findings about the backup firmware, instructions > on how to flash OpenWrt from OEM and to restore to OEM firmware, etc? > > > Regards. > >yousong ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
>> On 2014/9/20 17:18, swigger wrote: >>> Openwrt recently adds Qihoo [NYSE:QIHU] C301 router support. >>> However, this router has a backup firmware in the second flash and the >>> current trunk can only boot 3 times before u-boot boots into that backup >>> firmware. This is a stratgy for unbricking. >>> >>> This patch makes u-boot happy. >>> I do not have a device of this, but looks like it has some quirks that needs to be taken care of. How about creating a wiki page for this and documenting your findings about the backup firmware, instructions on how to flash OpenWrt from OEM and to restore to OEM firmware, etc? Regards. yousong ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
thanks. I have done.
On Sat, Sep 20, 2014 at 5:39 PM, Weijie Gao wrote:
> Hi,
>
> You need to register a account at patchwork.openwrt.org, and mark your
> previous patches Superseded.
>
> Weijie Gao
>
>
> On 2014/9/20 17:18, swigger wrote:
>> Openwrt recently adds Qihoo [NYSE:QIHU] C301 router support.
>> However, this router has a backup firmware in the second flash and the
>> current trunk can only boot 3 times before u-boot boots into that backup
>> firmware. This is a stratgy for unbricking.
>>
>> This patch makes u-boot happy.
>>
>> Signed-off-by: Xungneg li
>> ---
>> .../ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c | 87
>>
>> 1 file changed, 87 insertions(+)
>>
>> diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
>> b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
>> index 08a602f..816a433 100644
>> --- a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
>> +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
>> @@ -14,6 +14,8 @@
>> #include
>> #include
>> #include
>> +#include
>> +#include
>>
>> #include
>>
>> @@ -79,6 +81,7 @@ static struct gpio_keys_button qihoo_c301_gpio_keys[]
>> __initdata = {
>> },
>> };
>>
>> +static int qihoo_c301_board = 0;
>> struct flash_platform_data flash __initdata = {NULL, NULL, 0};
>>
>> static void qihoo_c301_get_mac(const char *name, char *mac)
>> @@ -98,6 +101,7 @@ static void __init qihoo_c301_setup(void)
>> u8 tmpmac[ETH_ALEN];
>>
>> ath79_register_m25p80_multi(&flash);
>> + qihoo_c301_board = 1;
>>
>> ath79_gpio_function_enable(AR934X_GPIO_FUNC_JTAG_DISABLE);
>>
>> @@ -164,3 +168,86 @@ static void __init qihoo_c301_setup(void)
>>
>> MIPS_MACHINE(ATH79_MACH_QIHOO_C301, "QIHOO-C301", "Qihoo 360 C301",
>>qihoo_c301_setup);
>> +
>> +
>> +//the following code stops qihoo's uboot booting into the backup system.
>> +static void erase_callback(struct erase_info *erase)
>> +{
>> + char * buf = (char*) erase->priv;
>> + int ret;
>> + size_t nb=0;
>> +
>> + if (erase->state == MTD_ERASE_DONE)
>> + {
>> + ret = mtd_write(erase->mtd, 0, 0x1, &nb, buf);
>> + }
>> + kfree(erase);
>> + kfree(buf);
>> +}
>> +
>> +static int qihoo_reset_trynum(void)
>> +{
>> + size_t nb = 0;
>> + char *buf=0, *p;
>> + const char * match = "image1trynum=";
>> + size_t matchlen = strlen(match);
>> + struct erase_info *erase;
>> + struct mtd_info * mtd;
>> + unsigned int newcrc;
>> + int ret;
>> +
>> + if (! qihoo_c301_board)
>> + return 0;
>> +
>> + mtd = get_mtd_device_nm("action_image_config");
>> + if (IS_ERR(mtd))
>> + {
>> + return PTR_ERR(mtd);
>> + }
>> + if (mtd->size!=0x1)
>> + {
>> + return -1;
>> + }
>> + buf = kzalloc(0x1+4, GFP_KERNEL);
>> + ret = mtd_read(mtd, 0, 0x1, &nb, buf);
>> + if (nb != 0x1)
>> + {
>> + kfree(buf);
>> + return -1;
>> + }
>> + for (p=buf+4; *p; p+=strlen(p)+1)
>> + {
>> + if (strncmp(p, match, matchlen)==0)
>> + {
>> + p += matchlen;
>> + while (*p)
>> + *p++ = '0';
>> + break;
>> + }
>> + }
>> +
>> + newcrc = crc32(~0, buf+4, 0xfffc)^0x;
>> + memcpy(buf, &newcrc, 4);
>> +
>> + erase = kzalloc(sizeof(struct erase_info), GFP_KERNEL);
>> + if (!erase)
>> + {
>> + kfree(buf);
>> + return -1;
>> + }
>> + erase->mtd = mtd;
>> + erase->callback = erase_callback;
>> + erase->addr = 0;
>> + erase->len = 0x1;
>> + erase->priv = (u_long) buf;
>> + ret = mtd_erase(mtd, erase);
>> +
>> + if (ret) {
>> + kfree(buf);
>> + kfree(erase);
>> + return ret;
>> + }
>> +
>> + return 0;
>> +}
>> +late_initcall(qihoo_reset_trynum);
>
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
Hi,
You need to register a account at patchwork.openwrt.org, and mark your previous
patches Superseded.
Weijie Gao
On 2014/9/20 17:18, swigger wrote:
> Openwrt recently adds Qihoo [NYSE:QIHU] C301 router support.
> However, this router has a backup firmware in the second flash and the
> current trunk can only boot 3 times before u-boot boots into that backup
> firmware. This is a stratgy for unbricking.
>
> This patch makes u-boot happy.
>
> Signed-off-by: Xungneg li
> ---
> .../ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c | 87
>
> 1 file changed, 87 insertions(+)
>
> diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
> b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
> index 08a602f..816a433 100644
> --- a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
> +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
> @@ -14,6 +14,8 @@
> #include
> #include
> #include
> +#include
> +#include
>
> #include
>
> @@ -79,6 +81,7 @@ static struct gpio_keys_button qihoo_c301_gpio_keys[]
> __initdata = {
> },
> };
>
> +static int qihoo_c301_board = 0;
> struct flash_platform_data flash __initdata = {NULL, NULL, 0};
>
> static void qihoo_c301_get_mac(const char *name, char *mac)
> @@ -98,6 +101,7 @@ static void __init qihoo_c301_setup(void)
> u8 tmpmac[ETH_ALEN];
>
> ath79_register_m25p80_multi(&flash);
> + qihoo_c301_board = 1;
>
> ath79_gpio_function_enable(AR934X_GPIO_FUNC_JTAG_DISABLE);
>
> @@ -164,3 +168,86 @@ static void __init qihoo_c301_setup(void)
>
> MIPS_MACHINE(ATH79_MACH_QIHOO_C301, "QIHOO-C301", "Qihoo 360 C301",
>qihoo_c301_setup);
> +
> +
> +//the following code stops qihoo's uboot booting into the backup system.
> +static void erase_callback(struct erase_info *erase)
> +{
> + char * buf = (char*) erase->priv;
> + int ret;
> + size_t nb=0;
> +
> + if (erase->state == MTD_ERASE_DONE)
> + {
> + ret = mtd_write(erase->mtd, 0, 0x1, &nb, buf);
> + }
> + kfree(erase);
> + kfree(buf);
> +}
> +
> +static int qihoo_reset_trynum(void)
> +{
> + size_t nb = 0;
> + char *buf=0, *p;
> + const char * match = "image1trynum=";
> + size_t matchlen = strlen(match);
> + struct erase_info *erase;
> + struct mtd_info * mtd;
> + unsigned int newcrc;
> + int ret;
> +
> + if (! qihoo_c301_board)
> + return 0;
> +
> + mtd = get_mtd_device_nm("action_image_config");
> + if (IS_ERR(mtd))
> + {
> + return PTR_ERR(mtd);
> + }
> + if (mtd->size!=0x1)
> + {
> + return -1;
> + }
> + buf = kzalloc(0x1+4, GFP_KERNEL);
> + ret = mtd_read(mtd, 0, 0x1, &nb, buf);
> + if (nb != 0x1)
> + {
> + kfree(buf);
> + return -1;
> + }
> + for (p=buf+4; *p; p+=strlen(p)+1)
> + {
> + if (strncmp(p, match, matchlen)==0)
> + {
> + p += matchlen;
> + while (*p)
> + *p++ = '0';
> + break;
> + }
> + }
> +
> + newcrc = crc32(~0, buf+4, 0xfffc)^0x;
> + memcpy(buf, &newcrc, 4);
> +
> + erase = kzalloc(sizeof(struct erase_info), GFP_KERNEL);
> + if (!erase)
> + {
> + kfree(buf);
> + return -1;
> + }
> + erase->mtd = mtd;
> + erase->callback = erase_callback;
> + erase->addr = 0;
> + erase->len = 0x1;
> + erase->priv = (u_long) buf;
> + ret = mtd_erase(mtd, erase);
> +
> + if (ret) {
> + kfree(buf);
> + kfree(erase);
> + return ret;
> + }
> +
> + return 0;
> +}
> +late_initcall(qihoo_reset_trynum);
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
[OpenWrt-Devel] [PATCH][RESEND.3] ar71xx:stops qihoo c301 booting into backup firmware
Openwrt recently adds Qihoo [NYSE:QIHU] C301 router support.
However, this router has a backup firmware in the second flash and the
current trunk can only boot 3 times before u-boot boots into that backup
firmware. This is a stratgy for unbricking.
This patch makes u-boot happy.
Signed-off-by: Xungneg li
---
.../ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c | 87
1 file changed, 87 insertions(+)
diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
index 08a602f..816a433 100644
--- a/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
+++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-qihoo-c301.c
@@ -14,6 +14,8 @@
#include
#include
#include
+#include
+#include
#include
@@ -79,6 +81,7 @@ static struct gpio_keys_button qihoo_c301_gpio_keys[]
__initdata = {
},
};
+static int qihoo_c301_board = 0;
struct flash_platform_data flash __initdata = {NULL, NULL, 0};
static void qihoo_c301_get_mac(const char *name, char *mac)
@@ -98,6 +101,7 @@ static void __init qihoo_c301_setup(void)
u8 tmpmac[ETH_ALEN];
ath79_register_m25p80_multi(&flash);
+ qihoo_c301_board = 1;
ath79_gpio_function_enable(AR934X_GPIO_FUNC_JTAG_DISABLE);
@@ -164,3 +168,86 @@ static void __init qihoo_c301_setup(void)
MIPS_MACHINE(ATH79_MACH_QIHOO_C301, "QIHOO-C301", "Qihoo 360 C301",
qihoo_c301_setup);
+
+
+//the following code stops qihoo's uboot booting into the backup system.
+static void erase_callback(struct erase_info *erase)
+{
+ char * buf = (char*) erase->priv;
+ int ret;
+ size_t nb=0;
+
+ if (erase->state == MTD_ERASE_DONE)
+ {
+ ret = mtd_write(erase->mtd, 0, 0x1, &nb, buf);
+ }
+ kfree(erase);
+ kfree(buf);
+}
+
+static int qihoo_reset_trynum(void)
+{
+ size_t nb = 0;
+ char *buf=0, *p;
+ const char * match = "image1trynum=";
+ size_t matchlen = strlen(match);
+ struct erase_info *erase;
+ struct mtd_info * mtd;
+ unsigned int newcrc;
+ int ret;
+
+ if (! qihoo_c301_board)
+ return 0;
+
+ mtd = get_mtd_device_nm("action_image_config");
+ if (IS_ERR(mtd))
+ {
+ return PTR_ERR(mtd);
+ }
+ if (mtd->size!=0x1)
+ {
+ return -1;
+ }
+ buf = kzalloc(0x1+4, GFP_KERNEL);
+ ret = mtd_read(mtd, 0, 0x1, &nb, buf);
+ if (nb != 0x1)
+ {
+ kfree(buf);
+ return -1;
+ }
+ for (p=buf+4; *p; p+=strlen(p)+1)
+ {
+ if (strncmp(p, match, matchlen)==0)
+ {
+ p += matchlen;
+ while (*p)
+ *p++ = '0';
+ break;
+ }
+ }
+
+ newcrc = crc32(~0, buf+4, 0xfffc)^0x;
+ memcpy(buf, &newcrc, 4);
+
+ erase = kzalloc(sizeof(struct erase_info), GFP_KERNEL);
+ if (!erase)
+ {
+ kfree(buf);
+ return -1;
+ }
+ erase->mtd = mtd;
+ erase->callback = erase_callback;
+ erase->addr = 0;
+ erase->len = 0x1;
+ erase->priv = (u_long) buf;
+ ret = mtd_erase(mtd, erase);
+
+ if (ret) {
+ kfree(buf);
+ kfree(erase);
+ return ret;
+ }
+
+ return 0;
+}
+late_initcall(qihoo_reset_trynum);
--
1.7.10.4
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
