FIT-Image

Introduction

Some new models no longer contain kernel.image and filesystem.image in their firmware image but use a new fit-image instead.

FIT stands for Flattened Image Tree and is a container which can store multiple kernels, filesystems and device trees, plus metadata about them. FIT is also supported by the U-Boot bootloader[1], but AVM uses its own derivative of the format, which so far has been a black box.

After analyzing the format I coded fitimg, which can list, test, extract and recompose fit-image files.

Initially intended just to extract fit-images for the BoxMatrix Firmware-Scanner, the Replace command opens the door to modifications of the Fritzbox 4060, 5530, 7530ax and Repeater 1200ax and 6000 models, once it works. The latest Recovery.exe scans showed that more models may switch over to fit-images, as you can see here: put-fitimage.

Download

The latest version of fitimg can be found here:

Requirements

  • Perl 5.6 or newer and the modules Getopt::Std (comes with Perl[2]) and String::CRC32
  • If you get an error Can't locate String/CRC32.pm ... install this module from CPAN (no need to be root, works for all systems):
      cpan install String::CRC32
  • Depending on your system you can also install as root by one of these methods:
      apt-get install libstring-crc32-perl
      yum install perl-String-CRC32

Usage

Here is a list of fitimg commands and options, including some usage examples:

List

The list command -l shows the memory region, size and name of each file in the fit-image.

Usage:

  fitimg -l <infile> [-f] [-q]
    List all binaries contained in fit-image <infile>.
    Option -f (freetz mode) uses filesystem/kernel.image etc instead of the stored names.
    Option -q could be used to silently test the image structure.

List in normal mode:

$ fitimg -l 6000.fit
41208000-41527046  3272774 qcaarmv8_HW253_kernel
41c30000-41c33cdd    15581 qcaarmv8_HW253_flat_dt_0
41c30000-41c33d0e    15630 qcaarmv8_HW253_flat_dt_2
43000000-44000000 16777216 qcaarmv8_HW253_squashFS_filesystem

$ fitimg -l 5530.fit
88000000-88122c69  1191017 prxB_HW0257_kernel
884e2000-884e2444     1092 prxB_HW0257_flat_dt_0
8b000000-8b19f361  1700705 prxB_HW0257_ramdisk
70000000-703216dc  3282652 prxI_HW257_kernel
70fe4000-70fe5eed     7917 prxI_HW257_flat_dt_0_aon
70fe4000-70fe5ecc     7884 prxI_HW257_flat_dt_0_pon
90000000-921d0c2d 35458093 prxI_HW257_ramdisk

$ fitimg -l 7530ax.fit
10800000-1082ef13   192275 brcma9TZ_HW256_kernel
10000000-10000257      599 brcma9TZ_HW256_flat_dt_0
c0008000-c0294542  2671938 brcma9_HW256_kernel
c07ab000-c07abee7     3815 brcma9_HW256_flat_dt_1
c07ab000-c07abee9     3817 brcma9_HW256_flat_dt_0
19c00000-1ba62000 31858688 brcma9_HW256_squashFS_filesystem

List in freetz mode:

$ fitimg -l 6000.fit -f
41208000-41527046  3272774 kernel.image
41c30000-41c33cdd    15581 flatdt_0.image
41c30000-41c33d0e    15630 flatdt_2.image
43000000-44000000 16777216 filesystem.image

$ fitimg -l 5530.fit -f
88000000-88122c69  1191017 kernel2.image
884e2000-884e2444     1092 flatdt2_0.image
8b000000-8b19f361  1700705 filesystem2.image
70000000-703216dc  3282652 kernel.image
70fe4000-70fe5eed     7917 flatdt_0_aon.image
70fe4000-70fe5ecc     7884 flatdt_0_pon.image
90000000-921d0c2d 35458093 filesystem.image

$ fitimg -l 7530ax.fit -f
10800000-1082ef13   192275 kernel2.image
10000000-10000257      599 flatdt2_0.image
c0008000-c0294542  2671938 kernel.image
c07ab000-c07abee7     3815 flatdt_1.image
c07ab000-c07abee9     3817 flatdt_0.image
19c00000-1ba62000 31858688 filesystem.image

Test

The test command -t lists and validates the stored and computed CRC32 checksums of each file in the fit-image.

Usage:

  fitimg -t <infile> [-f] [-q]
    Test the integrity of all binaries contained in fit-image <infile>. Performs CRC32 validation.
    Option -f (freetz mode) uses filesystem/kernel.image etc instead of the stored names.
    Option -q could be used to silently test the image structure and checksum integrity.

Test in normal mode:

$ fitimg -t 5530.fit
OK: b4761fdd b4761fdd  1191017 prxB_HW0257_kernel
OK: 3c53ca34 3c53ca34     1092 prxB_HW0257_flat_dt_0
OK: 0ef19ad8 0ef19ad8  1700705 prxB_HW0257_ramdisk
OK: aa110233 aa110233  3282652 prxI_HW257_kernel
OK: cf9e37b4 cf9e37b4     7917 prxI_HW257_flat_dt_0_aon
OK: b9298e1b b9298e1b     7884 prxI_HW257_flat_dt_0_pon
OK: 9b59e2d4 9b59e2d4 35458093 prxI_HW257_ramdisk
no errors in 7 files

Test in freetz mode:

$ fitimg -t 5530.fit -f
OK: b4761fdd b4761fdd  1191017 kernel2.image
OK: 3c53ca34 3c53ca34     1092 flatdt2_0.image
OK: 0ef19ad8 0ef19ad8  1700705 filesystem2.image
OK: aa110233 aa110233  3282652 kernel.image
OK: cf9e37b4 cf9e37b4     7917 flatdt_0_aon.image
OK: b9298e1b b9298e1b     7884 flatdt_0_pon.image
OK: 9b59e2d4 9b59e2d4 35458093 filesystem.image
no errors in 7 files

Extract

The extract command -x extracts files from the fit-image.

Usage:

  fitimg -x <infile> [-d <dir>] [-n] [-f] [-q]
    Extract all contents of fit-image <infile> to current directory or <dir>.
    Option -n suppresses extracting device tree files.
    Option -f (freetz mode) uses filesystem/kernel.image etc instead of the stored names.
    Option -q suppresses listing which files were extracted.

Extract in normal mode:

$ fitimg -x 5530.fit -d temp 
OK: b4761fdd b4761fdd  1191017 prxB_HW0257_kernel
OK: 3c53ca34 3c53ca34     1092 prxB_HW0257_flat_dt_0
OK: 0ef19ad8 0ef19ad8  1700705 prxB_HW0257_ramdisk
OK: aa110233 aa110233  3282652 prxI_HW257_kernel
OK: cf9e37b4 cf9e37b4     7917 prxI_HW257_flat_dt_0_aon
OK: b9298e1b b9298e1b     7884 prxI_HW257_flat_dt_0_pon
OK: 9b59e2d4 9b59e2d4 35458093 prxI_HW257_ramdisk
extracted 7 files

Extract in freetz mode:

$ fitimg -x 5530.fit -d temp -f
OK: b4761fdd b4761fdd  1191017 kernel2.image
OK: 3c53ca34 3c53ca34     1092 flatdt2_0.image
OK: 0ef19ad8 0ef19ad8  1700705 filesystem2.image
OK: aa110233 aa110233  3282652 kernel.image
OK: cf9e37b4 cf9e37b4     7917 flatdt_0_aon.image
OK: b9298e1b b9298e1b     7884 flatdt_0_pon.image
OK: 9b59e2d4 9b59e2d4 35458093 filesystem.image
extracted 7 files

Extract in freetz mode, no device tree files:

$ fitimg -x 5530.fit -d temp -n -f
OK: b4761fdd b4761fdd  1191017 kernel2.image
OK: 0ef19ad8 0ef19ad8  1700705 filesystem2.image
OK: aa110233 aa110233  3282652 kernel.image
OK: 9b59e2d4 9b59e2d4 35458093 filesystem.image
extracted 4 files

Replace

The replace command -r creates a new image from the fit-image, replacing files in it.

Usage:

  fitimg -r <infile> -o <outfile> [-d <dir>] [-f] [-p <num>] [-q]
    Replace all contents of fit-image <infile> which exist in current directory or <dir> and write it to <outfile>.
    Files which do not exist in current directory or <dir> will not be replaced.
    Option -f (freetz mode) uses filesystem/kernel.image etc instead of the stored names.
    This is just an abstraction, the fit-image always stores the original names.
    Option -p overrides the default padding size of 64 (0 - 1024) in kB  (fitimg 0.5+)
    Option -q suppresses listing which files were replaced.

Replacing with the original files extracted above:
Note that starting with fitimg 0.5 you need to pass -p 0 for the md5 test.

$ fitimg -r 5530.fit -o temp/5530.fit -d temp -f
Replacing:  1191017-> 1191017 kernel2.image
Replacing:     1092->    1092 flatdt2_0.image
Replacing:  1700705-> 1700705 filesystem2.image
Replacing:  3282652-> 3282652 kernel.image
Replacing:     7917->    7917 flatdt_0_aon.image
Replacing:     7884->    7884 flatdt_0_pon.image
Replacing: 35458093->35458093 filesystem.image
replaced 7 files

$ md5sum 5530.fit temp/5530.fit
91952d629306e88791399a868c4491d9  5530.fit
91952d629306e88791399a868c4491d9  temp/5530.fit

Replacing with a modified filesystem.image:
Note that starting with fitimg 0.5 you need to pass -p 0 for the md5 test.

$ dd if=/dev/zero of=temp/filesystem.image bs=1024 count=16
16+0 records in
16+0 records out
16384 bytes (16 kB) copied, 0.0249391 s, 657 kB/s

$ fitimg -r 5530.fit -o temp/5530.fit -d temp -f
Replacing:  1191017-> 1191017 kernel2.image
Replacing:     1092->    1092 flatdt2_0.image
Replacing:  1700705-> 1700705 filesystem2.image
Replacing:  3282652-> 3282652 kernel.image
Replacing:     7917->    7917 flatdt_0_aon.image
Replacing:     7884->    7884 flatdt_0_pon.image
Replacing: 35458093->   16384 filesystem.image
replaced 7 files

$ md5sum 5530.fit temp/5530.fit
91952d629306e88791399a868c4491d9  5530.fit
4dfbe2a3f91037e7fed4832a93ef814c  temp/5530.fit

$ fitimg -l temp/5530.fit -f
88000000-88122c69  1191017 kernel2.image
884e2000-884e2444     1092 flatdt2_0.image
8b000000-8b19f361  1700705 filesystem2.image
70000000-703216dc  3282652 kernel.image
70fe4000-70fe5eed     7917 flatdt_0_aon.image
70fe4000-70fe5ecc     7884 flatdt_0_pon.image
90000000-90004000    16384 filesystem.image

$ fitimg -t temp/5530.fit -f
OK: b4761fdd b4761fdd  1191017 kernel2.image
OK: 3c53ca34 3c53ca34     1092 flatdt2_0.image
OK: 0ef19ad8 0ef19ad8  1700705 filesystem2.image
OK: aa110233 aa110233  3282652 kernel.image
OK: cf9e37b4 cf9e37b4     7917 flatdt_0_aon.image
OK: b9298e1b b9298e1b     7884 flatdt_0_pon.image
OK: ab54d286 ab54d286    16384 filesystem.image
no errors in 7 files

Copy

The copy command -c creates a new unaltered image from the fit-image and tests it. (fitimg 0.2+)
This is mainly useful to extract and validate a fit-image from a Recovery.exe or firmware.image, or to add padding.

Usage:

  fitimg -c <infile> -o <outfile> [-f] [-p <num>] [-q]
    Copy an unaltered fit-image from <infile> to <outfile> while testing its integrity.
    This is mainly useful to extract and validate a fit-image from a recovery.exe or firmware.image.
    Option -f (freetz mode) lists filesystem/kernel.image etc instead of the stored names.
    This is just an abstraction, the fit-image always stores the original names.
    Option -p overrides the default padding size of 64 (0 - 1024) in kB  (fitimg 0.5+)
    Option -q suppresses listing which files were copied and tested.

Copy and test a fit-image file:
Note that starting with fitimg 0.5 you need to pass -p 0 for the md5 test.

$ fitimg -c 7530ax.fit -o temp/7530ax.fit -f
OK: f653ffe8 f653ffe8   192275 kernel2.image
OK: 2040d9dd 2040d9dd      599 flatdt2_0.image
OK: 34ac9b5e 34ac9b5e  2671938 kernel.image
OK: 5edb6c64 5edb6c64     3815 flatdt_1.image
OK: a7ded150 a7ded150     3817 flatdt_0.image
OK: 29c318fc 29c318fc 31858688 filesystem.image
no errors copying fit image containing 6 files

$ md5sum 7530ax.fit temp/7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  temp/7530ax.fit

Copy and test a fit-image from a firmware.image file:
Note that starting with fitimg 0.5 you need to pass -p 0 for the md5 test.

$ fitimg -c 7530ax.image -o temp/7530ax.fit -f
OK: f653ffe8 f653ffe8   192275 kernel2.image
OK: 2040d9dd 2040d9dd      599 flatdt2_0.image
OK: 34ac9b5e 34ac9b5e  2671938 kernel.image
OK: 5edb6c64 5edb6c64     3815 flatdt_1.image
OK: a7ded150 a7ded150     3817 flatdt_0.image
OK: 29c318fc 29c318fc 31858688 filesystem.image
no errors copying fit image containing 6 files

$ md5sum 7530ax.fit temp/7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  temp/7530ax.fit

Copy and test a fit-image from a recovery.exe file:
Note that starting with fitimg 0.5 you need to pass -p 0 for the md5 test.

$ fitimg -c 7530ax.exe -o temp/7530ax.fit -f
OK: f653ffe8 f653ffe8   192275 kernel2.image
OK: 2040d9dd 2040d9dd      599 flatdt2_0.image
OK: 34ac9b5e 34ac9b5e  2671938 kernel.image
OK: 5edb6c64 5edb6c64     3815 flatdt_1.image
OK: a7ded150 a7ded150     3817 flatdt_0.image
OK: 29c318fc 29c318fc 31858688 filesystem.image
no errors copying fit image containing 6 files

$ md5sum 7530ax.fit temp/7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  7530ax.fit
e41eafa4dc0c4ee6e46f5313dfce737f  temp/7530ax.fit

Show

The show command -s shows the hunk structure of a fit-image, including hex offsets in the file. (fitimg 0.2+)
Hunks are given names as far as they are known, otherwise 'todo'. So far all hunknames of the 7530ax, 5530 and 6000 are known.
This command is useful to read the metadata of all stored files and to understand the fit-format in order to improve this program.

Usage:

  fitimg -s <infile> [-h] [-q] (fitimg 0.2+)
    Show the complete hunk structure of the fit-image <infile>.
    Option -h adds a hexdump of all hunks, binaries clipped to 64 bytes
    Option -q could be used to silently test the image structure

Hunk structure listings are pretty long, that's why they are separate listings of all FIT models:

Hexdump

The hexdump command -h is a variant of the show command with an extra column listing every single byte in hex. (fitimg 0.5+)
The hunk payloads like binary blobs are clipped to 128 bytes. This is enough to not clip embedded kernel-args strings.
This command is useful for deeper inspection of the fit-format, and to add support for new models and hunk types in future.

Usage:

  fitimg -h <infile> [-q]  (fitimg 0.5+)
    Hexdump and show the complete structure of the fit-image <infile>.
    Hunk payload like binaries is clipped to 128 bytes, enough bytes to not clip kernel-args.
    Option -q could be used to silently test the image structure

Hexdumps are long, that's why these are separate listings of all FIT models:

Help

The help command --help prints a short help text and terminates.

$ fitimg --help
fitimg version 0.5 - (C) 2021 Ralf Steines aka Hippie2000 - <metamonk@yahoo.com>
Handle and manipulate firmware images in AVM /var/tmp/fit-image format. GPLv2+.
Docs and latest version can be found at https://boxmatrix.info/wiki/FIT-Image

Usage:
  fitimg -l <infile> [-f] [-q]
    List all binaries contained in fit-image <infile>.
    Option -q could be used to silently test the image structure.

  fitimg -t <infile> [-f] [-q]
    Test the integrity of all binaries contained in fit-image <infile>. Performs CRC32 validation.
    Option -q could be used to silently test the image structure and checksum integrity.

  fitimg -x <infile> [-d <dir>] [-n] [-f] [-q]
    Extract all contents of fit-image <infile> or just <file> to current directory or <dir>.
    Option -n suppresses extracting device tree files.
    Option -q suppresses listing which files were extracted.

  fitimg -r <infile> -o <outfile> [-d <dir>] [-f] [-p <num>] [-q]
    Replace all contens of fit-image <infile> which exist in current directory or <dir> and write it to <outfile>.
    Files which do not exist in current directory or <dir> will not be replaced.
    Option -p ovverrides the default padding size of 64 (0 - 1024) in kB  (fitimg 0.5+)
    Option -q suppresses listing which files were replaced.

  fitimg -c <infile> -o <outfile> [-f] [-p <num>] [-q]  (fitimg 0.2+)
    Copy an unaltered fit-image from <infile> to <outfile> while testing its integrity.
    This is mainly useful to extract and validate a fit-image from a recovery.exe or firmware.image.
    Option -p ovverrides the default padding size of 64 (0 - 1024) in kB  (fitimg 0.5+)
    Option -q could be used to silently copy and test the image structure and checksum integrity.

  fitimg -s <infile> [-q]  (fitimg 0.2+)
    Show the complete hunk structure of the fit-image <infile>.
    Option -q could be used to silently test the image structure

  fitimg -h <infile> [-q]  (fitimg 0.5+)
    Hexdump and show the complete structure of the fit-image <infile>.
    Hunk payload like binaries is clipped to 128 bytes, enough bytes to not clip kernel-args.
    Option -q could be used to silently test the image structure

Options:
  <infile> can be a fit-image, a firmware.image or a recovery.exe.  (fitimg 0.2+)
  -f activates Freetz mode using filesystem[2].image and kernel[2].image etc instead of the stored names.

  -? (fitimg 0.2+) or --help print this help text and terminates.
  -v (fitimg 0.2+) or --version print this program's version and terminates.

Result:
	Returns 1 on error, otherwise 0.

Version

The version command --version prints the program version and terminates.

$ fitimg --version
fitimg version 0.2 - (C) 2021 Ralf Steines aka Hippie2000 - <metamonk@yahoo.com>
Handle and manipulate firmware images in AVM /var/tmp/fit-image format.
Latest version can be found at https://boxmatrix.info/wiki/FIT-Image

Feedback

For bug reports or feature requests please get in touch or use this forum thread (German or English language please):

History

fitimg-todo - future

- TODO: Support for hex filesystem length in embedded kernel-args for replace (-r) command
- TODO: Add a 4-char ASCII column to hexdump mode
- TODO: Add adaption of the 5530 prx_I kernel entryaddr on freetz replace kernel to (-r) command

fitimg-0.7 - work in progress

- Added: Now also lists the FIT header structure in hexdump (-h) mode, including known infos
- Added: Now takes the hunk names from the fit image, no more HWR sensitive config
         for new fit models besides freetz names and new hunk types
- Added: The value of integer hunks is now listed in hex and decimal in show and in hexdump mode
- Added: The test, extract and copy commands now support inner fit-images without stored crc (1200ax)
- Added: The stored or freetz filename of an inner fit-image now gets a '.fit' extension 
         to avoid name collisions between inner and outer fit-image files (1200ax)
- Added: Now can distinguish between inner and outer fit-image (1200ax)

fitimg-0.6 - released 2021-07-16

- Added: Now also supports the new 4060 image.

fitimg-0.5 - released 2021-02-10

- Added: The fitimg release archive now contains a readme.txt with the output of fitimg --help.
- Added: The new hexdump command (-h) is a variant of the show command for deeper inspection of the fit-image.
- Added: Now outputs a warning if an embedded kernel-args string of a replaced (-r) blob couldn't be adapted.
- Added: The 64kB default padding can be overridden using the -p <num> switch (0-1024, in kB, -r and -c mode).
- Added: Now creates 64kB padded images in replace (-r) and copy (-c) mode, as required by push_firmware later.
- Fixed: Zero sized integer hunks are now listed '<empty>' in show (-s) mode, ie: 'avm,addresses' on a 5530.
- Fixed: 'avm,variants' hunk is no longer an integer but a string in show (-s) mode, ie: 'aon, pon' on a 5530.

fitimg-0.4 - released 2021-02-08

- Fixed: Bug which computed wrong padding of new blob in replace mode.
- Fixed: Bug which reported missing blob if last blob in image grew in replace mode.
- Fixed: Bug which reported numerous "Use of uninitialized value" messages in replace mode.

fitimg-0.3 - released 2021-02-05

- Fixed: The kernel args stored in 7530ax and 6000 image now reflect the size of the modified filesystem (-r).
- Checked: Does loadaddr and entrypoint need adaption in replace (-r) command? - no - see research below.

fitimg-0.2 - released 2021-01-13

- Added: The show command (-s) now knows all hunknames of the 7530ax, 5360 and 6000.
- Added: A new show command (-s) can show the hunk structure of a fit-image. Useful for development.
- Added: A new copy command (-c) can extract a fit-image from a fit-image, firmware.image or recovery.exe.
- Changed: All commands now work on fit-image, firmware.image and recovery.exe files for the <infile>.
- Fixed: A nasty bug calculated wrong offsets in Replace (-r) when the fit-image filesize changes.
- Fixed: Removed wrong info in docs and help text which showed a [<file>] filter for the -x command. 
- Fixed: Bug which reported "Use of uninitialized value" if called without arguments.
- Fixed: The release archive now contains a versioned subfolder (in favour of the prior bin folder).

fitimg-0.1 - released 2021-01-02

Initial release.

Research

7530ax

Partition layout in Bootloader-Environment:

firstfreeaddress	0x1CE00000
flashsize	nor_size=0MB sflash_size=0KB nand_size=128MB
linux_fs_start    1
memsize	0x40000000
...
mtd0    0x0,0x0
mtd1    0xB00000,0x3D00000 = 50MB = fit0/fit1
mtd2    0x100000,0x300000 = 2MB = urlader
mtd3    0x300000,0xB00000 = 8MB = nand-tffs
mtd4    0x3D00000,0x6F00000 = 50MB = fit1/fit0
mtd5    0x0,0x100000 = 1MB = nvram
mtd6    0x6F00000,0x7F00000  = 16MB = ubi

The 128MB NAND is split into 50+50MB fit + 2MB urlader + 8MB nand-tffs + 1MB nvram + 16MB ubi = 127MB. 1MB is lost or hidden for an unknown purpose.

Partition layout in Linux-Partitions:

major minor  #blocks  name
   1        0       8192 ram0 = 8MB = ramdisk or kernel?
  31        0      31112 mtdblock0 = 30.4MB = rootfs_ram (ram-filesystem, squashfs)
  31        1      51200 mtdblock1 = 50MB = fit0 (brcmnand, fit-image)
  31        2       2048 mtdblock2 = 2MB = urlader (brcmnand)
  31        3       8192 mtdblock3 = 8MB = nand-tffs (brcmnand, tffs3-nand)
  31        4      51200 mtdblock4 = 50MB = fit1 (brcmnand, fit-image)
  31        5       1024 mtdblock5 = 1MB = nvram (brcmnand)
  31        6      16384 mtdblock6  = 16MB = ubi (brcmnand, ubi)
  31        7       2108 mtdblock7 = 2.05MB = [ubi_intern] (ubifs)
  31        8      12772 mtdblock8  = 12.5MB = avm_userdata (ubifs)

Structure of the fit-image:

Kernel-args in fit-image:

env: firstfreeaddress 0x1CE00000      =>   0x1CE00000 − 0x19c00000 = 0x3200000 = 50MB = max fit0/fit1 partition size

0211fb80  hunk 3 #95 [4] - loadaddr = 0x19c00000
0211fb90  hunk 3 #117 [97] - avm,kernel-args = 'mtdram=ram-filesystem,0x19c00000,0x1bb00000 mtdparts_ext=ram-filesystem:31858688@0x0(rootfs_ram)'

021229e4  hunk 3 #95 [4] - loadaddr = 0x19c00000
021229f4  hunk 3 #117 [97] - avm,kernel-args = 'mtdram=ram-filesystem,0x19c00000,0x1bb00000 mtdparts_ext=ram-filesystem:31870976@0x0(rootfs_ram)'

The difference between the loadaddr (which is also the hex start addr in the kernel args) and the firstfreeaddress in env is exactly the 50MB max filesystem size.
This means startaddr and loadaddr remain static, endaddr must change, padded to 0x100000 / 1MB boundaries. The decimal size at the end of kernel args must change too, unpadded.
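A consistency check for the rule above, useful after recomposing an image. This is an added example, not part of fitimg: the function names are made up here, and the sample values are the 7530ax and 6000 listing sizes, loadaddr hunks and kernel-args strings quoted on this page.

```python
import re

MB = 0x100000  # the page: endaddr is padded to 0x100000 / 1MB boundaries

# Layout of the avm,kernel-args strings quoted on this page.
ARGS_RE = re.compile(
    r"mtdram=(?P<ram>[\w-]+),0x(?P<start>[0-9a-f]+),0x(?P<end>[0-9a-f]+) "
    r"mtdparts_ext=(?P<dev>[\w-]+):(?P<size>\d+)@0x(?P<off>[0-9a-f]+)\((?P<part>\w+)\)",
    re.IGNORECASE,
)


def parse_kernel_args(args):
    """Split one avm,kernel-args string into its fields."""
    m = ARGS_RE.fullmatch(args.strip())
    if m is None:
        raise ValueError("unrecognised kernel-args layout: %r" % args)
    return {
        "ram": m["ram"], "dev": m["dev"], "part": m["part"],
        "start": int(m["start"], 16), "end": int(m["end"], 16),
        "size": int(m["size"]), "off": int(m["off"], 16),
    }


def check_kernel_args(args, loadaddr, fs_size):
    """Return a list of inconsistencies; an empty list means the string fits the blob."""
    try:
        f = parse_kernel_args(args)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if f["ram"] != f["dev"]:
        problems.append("mtdram name %r != mtdparts_ext name %r" % (f["ram"], f["dev"]))
    if f["start"] != loadaddr:
        problems.append("start 0x%x != loadaddr 0x%x" % (f["start"], loadaddr))
    if f["size"] != fs_size:
        problems.append("decimal size %d != filesystem size %d" % (f["size"], fs_size))
    if f["end"] % MB:
        problems.append("end 0x%x is not on a 1MB boundary" % f["end"])
    # The 6000 sample ends a full MB past its data, so only require that the
    # window covers the filesystem, not that it sits on the tightest boundary.
    if f["end"] < f["start"] + max(f["size"], fs_size):
        problems.append("end 0x%x lies before the end of the filesystem" % f["end"])
    return problems


# (loadaddr, filesystem size from 'fitimg -l', kernel-args) copied from this page.
SAMPLES = {
    "7530ax": (0x19C00000, 31858688,
               "mtdram=ram-filesystem,0x19c00000,0x1bb00000 "
               "mtdparts_ext=ram-filesystem:31858688@0x0(rootfs_ram)"),
    "6000": (0x43000000, 16777216,
             "mtdram=ram-filesystem,0x43000000,0x44100000 "
             "mtdparts_ext=ram-filesystem:16777216@0x0(rootfs_ram)"),
}

if __name__ == "__main__":
    for model, (loadaddr, fs_size, args) in SAMPLES.items():
        print(model, check_kernel_args(args, loadaddr, fs_size) or "consistent")
```

A kernel-args string left unchanged after the filesystem was replaced shows up as a decimal size mismatch, which is the case fitimg 0.5 warns about when it cannot adapt the string.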

Recovery upload:

env: memsize 0x20000000     =>   0x20000000 - 34733863 = 0x1DEE00D9
fit-image: 34733863 = 0x211FF27

SETENV memsize 0x1dee0000
SETENV kernel_args_tmp "avm_fwupdate mtdram1=0x1dee0000,0x20000000 mtdparts_ext=update-image.0:0x2120000@0x0(fit-image)"
TYPE I
MEDIA SDRAM
P@SW
STOR 0x1dee0000 0x20000000

Here the second hex number endaddr stays static, taking the memsize value from environment.
The first hex number is the original memsize minus the fit-image size, padded to 0x10000 / 64kB boundaries.
This value is also used to set the new memsize, to protect the 'allocated' portion of RAM.
The third hex number is the fit-image size, padded to 0x10000 / 64kB boundaries.
Since EVA cannot know the real size of the fit-image, the upload has to be padded to 0x10000 / 64kB boundaries too.

7530ax flashing method research is finished.

5530

Partition layout in Bootloader-Environment:

firstfreeaddress	0x6043F420
flashsize	nor_size=0MB sflash_size=0KB nand_size=128MB
linux_fs_start    0
memsize	0x40000000
...
mtd0	0x0,0x0
mtd1	0x980000,0x3B80000 = 50MB = fit0/fit1
mtd2	0x0,0x180000 = 1.5MB = urlader
mtd3	0x180000,0x980000 = 8MB = nand-tffs
mtd4	0x3B80000,0x6D80000 = 50MB = fit1/fit0
mtd5	0x6D80000,0x8000000 = 18.5MB = ubi

The 128MB NAND is split into 50+50MB fit + 1.5MB urlader + 8MB nand-tffs + 18.5MB ubi = 128MB.

Partition layout in Linux-Partitions:

There's no mtd device listing so we take the bootlog:

[    7.523648] Creating 5 MTD partitions on "nand.0":
[    7.528426] 0x000000980000-0x000003b80000 : "fit0"
[    7.535728] 0x000000000000-0x000000180000 : "urlader"
[    7.541332] 0x000000180000-0x000000980000 : "nand-tffs"
[    7.547264] 0x000003b80000-0x000006d80000 : "fit1"
[    7.552870] 0x000006d80000-0x000008000000 : "ubi"
...
[   12.074234] ubi0: attached mtd4 (name "ubi", size 18 MiB)
[   12.078226] ubi0: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[   12.085046] ubi0: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[   12.091811] ubi0: VID header offset: 2048 (aligned 2048), data offset: 4096
[   12.098755] ubi0: good PEBs: 148, bad PEBs: 0, corrupted PEBs: 0
[   12.104746] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 128

Structure of the fit-image:

Kernel-args in fit-image:

There are no embedded kernel-args in 5530 fit.

Recovery upload:

Strings from the recovery:

SETENV memsize 0x%x
SETENV kernel_args_tmp mtdram%u=0x%x,0x%x   =>  filesystem + kernel image ram upload
avm_fwupdate   =>  %s for the following:
SETENV kernel_args_tmp "%smtdram1=0x%x,0x%x mtdparts_ext=update-image.0:0x%x@0x0(fit-image)"  =>  fit-image ram upload
  • TODO: There is no recovery dump yet

6000

Partition layout in Bootloader-Environment:

firstfreeaddress	0x50500000
flashsize nor_size=0MB sflash_size=0KB nand_size=0MB emmc_size=1888MB
linux_fs_start 0
memsize	0x40000000
...
mtd0	0x0,0x0
mtd1	0x3000000,0x8000000 = 80MB = fit0/1
mtd2	0x0,0x2000000 = 32MB = urlader - wtf
mtd3	0x2000000,0x3000000 = 16MB = nand-tffs
mtd4	0x8000000,0xD000000 = 80MB = fit1/0
mtd5	0xD000000,0x75FFBE00 = 1680MB (1679.98389MB) = not ubi!

The 1888MB NAND is split into 80+80MB fit + 32MB urlader + 16MB nand-tffs + 1680MB not ubi = 1888MB.
This layout looks pretty unusual, maybe it's from a developer box.

Partition layout in Linux-Partitions:

  • There's no partition info in supportdata, neither in bootlog nor does a mtd device listing exist. What a pity.

Structure of the fit-image:

Kernel-args in fit-image:

env: firstfreeaddress 0x50500000      =>   0x50500000 - 0x43000000 = 0xD500000 = 213MB = hmmmm!?!

01326f3c  hunk 3 #95 [4] - loadaddr = 0x43000000
01326f4c  hunk 3 #267 [97] - avm,kernel-args = 'mtdram=ram-filesystem,0x43000000,0x44100000 mtdparts_ext=ram-filesystem:16777216@0x0(rootfs_ram)'

Recovery upload:

env: memsize 0x40000000     =>   0x40000000 - 19988559 = 0x3ECEFFB1
fit-image: 19988559 = 0x131004F

SETENV memsize 0x3ece0000
SETENV kernel_args_tmp "avm_fwupdate mtdram1=0x7ece0000,0x80000000 mtdparts_ext=update-image.0:0x1320000@0x0(fit-image)"
TYPE I
MEDIA SDRAM
P@SW
STOR 0x7ece0000 0x80000000

Here the second hex number endaddr stays static, taking the memsize value from environment plus the memory base address 0x40000000.
The first hex number is the original memsize plus base address minus the fit-image size, padded to 0x10000 / 64kB boundaries.
This value is also used to set the new memsize, to protect the 'allocated' portion of RAM.
The third hex number is the fit-image size, padded to 0x10000 / 64kB boundaries.
Since EVA cannot know the real size of the fit-image, the upload has to be padded to 0x10000 / 64kB boundaries too.
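The arithmetic of the recovery upload, as described for the 7530ax and the 6000, reproduced as an added example (not code from fitimg or from the recovery tool). The function and parameter names are made up here; `ram_base` is the memory base address, 0x40000000 on the 6000 and assumed to be 0 on the 7530ax.

```python
PAD = 0x10000  # 64kB, the boundary named on this page


def pad_up(n, boundary=PAD):
    """Round n up to the next multiple of boundary."""
    return -(-n // boundary) * boundary


def pad_down(n, boundary=PAD):
    """Round n down to the previous multiple of boundary."""
    return n // boundary * boundary


def recovery_upload_plan(fit_size, memsize, ram_base=0):
    """Derive the values of the SETENV/STOR sequence from the fit-image size.

    fit_size: unpadded size of the fit-image in bytes
    memsize:  memsize value from the bootloader environment
    ram_base: memory base address added to the mtdram1/STOR addresses
    """
    if fit_size <= 0:
        raise ValueError("fit-image size must be positive")
    padded_size = pad_up(fit_size)
    if padded_size >= memsize:
        raise ValueError("padded fit-image does not fit below memsize")
    end = ram_base + memsize              # second hex number, stays static
    start = pad_down(end - fit_size)      # first hex number
    new_memsize = start - ram_base        # protects the 'allocated' RAM
    if end - start < padded_size:
        raise ValueError("memsize is not 64kB aligned, window too small")
    return {
        "start": start,
        "end": end,
        "memsize": new_memsize,
        "padded_size": padded_size,
        "pad_bytes": padded_size - fit_size,  # padding the upload needs
        "commands": [
            "SETENV memsize 0x%x" % new_memsize,
            'SETENV kernel_args_tmp "avm_fwupdate mtdram1=0x%x,0x%x '
            'mtdparts_ext=update-image.0:0x%x@0x0(fit-image)"'
            % (start, end, padded_size),
            "STOR 0x%x 0x%x" % (start, end),
        ],
    }


if __name__ == "__main__":
    # Sizes and memsize values taken from the two recovery uploads on this page.
    for model, plan in (
        ("7530ax", recovery_upload_plan(34733863, 0x20000000)),
        ("6000", recovery_upload_plan(19988559, 0x40000000, ram_base=0x40000000)),
    ):
        print(model)
        for line in plan["commands"]:
            print("  " + line)
```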

6000 flashing method research is finished.

4060

Partition layout in Bootloader-Environment:

  • TODO

Partition layout in Linux-Partitions:

  • TODO

Structure of the fit-image:

Kernel-args in fit-image:

01cb9f6c  hunk 3 #95 [4] - loadaddr = 0x43000000
01cb9f7c  hunk 3 #267 [97] - avm,kernel-args = 'mtdram=ram-filesystem,0x43000000,0x44a00000 mtdparts_ext=ram-filesystem:26726400@0x0(rootfs_ram)'

Recovery upload:

  • TODO

1200ax

Partition layout in Bootloader-Environment:

  • TODO

Partition layout in Linux-Partitions:

  • TODO

Structure of the fit-image:

The 1200ax uses a nested fit-image. The outer image consists of SquashFS and Kernel binaries. The Kernel part (type "avm,fit") is not checksummed and is itself an inner FIT image, containing the real Kernel and Flat Device-Tree binaries. fitimg requires adaptation to test, extract and modify blobs which are not checksummed.

Kernel-args in OUTER fit-image:

0154634c  hunk 3 #95 [4] - loadaddr = 0x43000000
0154635c  hunk 3 #115 [97] - avm,kernel-args = 'mtdram=ram-filesystem,0x43000000,0x44200000 mtdparts_ext=ram-filesystem:18735104@0x0(rootfs_ram)'

Recovery upload:

  • TODO

References