Both sides previous revisionPrevious revisionNext revision | Previous revision |
projects:zsun-wifi-card-reader:factory-update [2016/01/26 21:46] – informatic | projects:zsun-wifi-card-reader:factory-update [2016/02/19 18:22] (current) – informatic |
---|
====== Zsun Card Reader Firmware Update Format ====== | ====== Zsun Card Reader Firmware Update Format ====== |
| |
| **2016/02/19 Note:** This method has been tested multiple times on our devices and worked without problem, however at least three unexpected bricks have been reported! (sounding like failed rootfs flash) |
| |
**TL;DR** | **TL;DR** |
| - Insert FAT32-formatted microSD card (128MB is more than enough) |
- Connect to WiFi | - Connect to WiFi |
- http://10.168.168.1:8080/goform/Setcardworkmode?workmode=0 | - http://10.168.168.1:8080/goform/Setcardworkmode?workmode=0 |
- Copy ''SD100-update.tar.gz'' to ''.update'' on SMB/Windows Share | - Create ''.update'' directory on Zsun SMB/Windows Share (on Windows call it ''.update.'', don't ask why - it'll work) and copy ''SD100-openwrt.tar.gz'' (https://hackerspace.pl/~informatic/SD100-openwrt.tar.gz) there |
- http://10.168.168.1:8080/goform/upFirmWare | - http://10.168.168.1:8080/goform/upFirmWare |
| - Wait for long LED flash, then multiple fast flashes - now OpenWRT is booting for the first time. |
- ... PROFIT! | - ... PROFIT! |
| |
| **Automatic flasher and builder:** https://code.hackerspace.pl/informatic/zsun-fw-tools |
| |
==== Description ==== | ==== Technical description ==== |
| |
Many interesting features are available on http://10.168.168.1:8080/ which is served by ''/var/webs/webs'' binary, for instance http://10.168.168.1:8080/goform/Setcardworkmode or http://10.168.168.1:8080/goform/upFirmWare. | Many interesting features are available on http://10.168.168.1:8080/ which is served by ''/var/webs/webs'' binary, for instance http://10.168.168.1:8080/goform/Setcardworkmode (connects card reader to AR9331 SoC) or http://10.168.168.1:8080/goform/upFirmWare. |
| |
''/goform/upFirmWare'' reads update tarball from ''.update/'' directory on microSD card. (''/etc/disk/.update'') Sadly that directory is removed on mount by ''/sbin/lbd_mount'', thus it has to be uploaded using SMB/Windows Network Shares. ''/goform/upFirmWare'' handler is at ''.text:0x00405E04'' address in ''/var/webs/webs'' binary. It does multiple checks and then executes ''/etc/ath/update.sh'' which handles all the actual update. After that device is rebooted. | ''/goform/upFirmWare'' reads update tarball from ''.update/'' directory on microSD card. (''/etc/disk/.update'') Sadly that directory is removed on mount by ''/sbin/lbd_mount'', thus it has to be uploaded using SMB/Windows Network Shares. ''/goform/upFirmWare'' handler is at ''.text:0x00405E04'' address in ''/var/webs/webs'' binary. It does multiple checks and then executes ''/etc/ath/update.sh'' which handles all the actual update. After that device is rebooted. |
| |
| Furthermore ''S'' update action executes ''./mtd_write'' after entering ''/etc/disk/.update'' thus we have to bundle that with update package too. After flashing rootfs ''/sbin/reboot'' will fail. This is why we have minimal statically linked reboot executable. (''minreboot'') |
| |
| What we are basically doing is hijacking ''./mtd_write'' execution and doing our own calls to ''./mtd_write.actual'' (yes, actual ''mtd_write'' binary), and then just running ''/tmp/minreboot'' (copied there at the beginning of update script, since ''/tmp'' stays in ramfs) |
| |
Expected update file format is: | Expected update file format is: |
$work == U - mkdir -p $path ; cp -f $filename $path | $work == U - mkdir -p $path ; cp -f $filename $path |
$work == D - rm -rf $path/$filename | $work == D - rm -rf $path/$filename |
$work == S - mtd_write $filename $path | $work == S - /mtd_write $filename $path |
| |
Lines starting with # are ignored. | Lines starting with # are ignored. |
| -3 | MD5 mismatch | | | -3 | MD5 mismatch | |
| 1 | Invalid version (''/etc/ver'', try to add 1) | | | 1 | Invalid version (''/etc/ver'', try to add 1) | |
| 2 | **Update successful** | | | 2 | **Update successful** (also returned if ''update.sh'' failed!) | |