What is inside?

9 March 2008

The firmware of the device is kept on a 16 MB flash chip. The boot log of the Linux kernel shows that it is split up into several partitions.

SL2312 MTD Driver Init.......
SL2312 CFI Flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 7 MTD partitions on "SL2312 CFI Flash":
0x00000000-0x00020000 : "RedBoot"
0x00020000-0x00320000 : "Kernel"
0x00320000-0x00920000 : "Ramdisk"
0x00920000-0x00f20000 : "Application"
0x00f20000-0x00f40000 : "VCTL"
0x00f40000-0x00fe0000 : "CurConf"
0x00fe0000-0x01000000 : "FIS directory"
SL2312 MTD Driver Init Success ......

The first two partitions are just the boot loader and the kernel. The last one is only used to keep track of how the flash is partitioned (Flash Image System). This leaves us with four partitions to look at.

You could try to dissect them directly on the box but I found it more convenient to copy them to my desktop. Simply plug a memory stick into one of the USB ports and mount it somewhere in the RAM disk. Linux allows you to access the flash through the MTD subsystem. You can copy the content of a partition using dd (dd if=/dev/mtd3 of=/tmpmnt/mtd3.image).

MTD2 contains a compressed ext2 file system. You can decompress it using gzip. To access its contents it needs to be loopback mounted.

frank@dexter:~/nas$ sudo losetup /dev/loop0 MTD2
frank@dexter:~/nas$ sudo mount /dev/loop0 /mnt
frank@dexter:~/nas$ ls /mnt
bin  etc   initrd  linuxrc     mnt   root  tmp  var      volume2
dev  home  lib     lost+found  proc  sbin  usr  volume1

It contains a very basic Linux system. Most of the utilities are based on busybox. No big surprise here.

MTD3 contains a bare bzip2-compressed tarball. Inside you find some additional server programs like Samba, NFS, ProFTPD and a DAAP server.

MTD4 is relatively small and contains some configuration data in an unknown format. A quick Google search on the strings found inside didn’t get me any useful results.

frank@dexter:~/nas$ ls -al MTD4
-rwx------ 1 frank frank 131072 2007-01-01 13:57 MTD4
frank@dexter:~/nas$ file MTD4
MTD4: data
frank@dexter:~/nas$ strings MTD4
FLFM
FLEN
00000000storlink
FLEN
S0009013FLEN
S0009012FLEN
00000000FLEN
00000000FLEN
00000000FLEN
00009900FLEN
00000000MAC1:0x0001D201E7FC:ID1:1:MAP1:0x10:MAC2:0x0050C22BD002:ID2:2:MAP2:0x0f
FLEN,
00000000SL08P32N5BN00000000US
FLENT
00000000IP:192.168.0.200 Netmask:255.255.255.0 Gateway:192.168.0.254

This leaves MTD5 which is again a compressed tar archive. This time it contains some configuration files normally to be found in /etc.
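
An added example, not part of the original post: a small Python classifier that peels the layers described above (gzip around ext2 for MTD2, bzip2 around tar for MTD3 and MTD5) by their magic bytes and tolerates the bytes dd copies from behind the compressed stream. The sample dumps and their 0xFF padding are constructed assumptions, not data from the device.

```python
import bz2
import gzip
import io
import struct
import tarfile
import zlib

EXT2_MAGIC_OFFSET = 1024 + 56  # superblock at byte 1024, s_magic 56 bytes in


def identify(data, depth=0):
    """Return the layers of a partition dump, outermost first."""
    gz, bz = data[:2] == b"\x1f\x8b", data[:3] == b"BZh"
    if (gz or bz) and depth < 4:  # depth cap stops pathological nesting
        name = "gzip" if gz else "bzip2"
        # Streaming objects stop at end of stream; wbits=31 is gzip framing.
        d = zlib.decompressobj(wbits=31) if gz else bz2.BZ2Decompressor()
        try:
            inner = d.decompress(data)
        except (zlib.error, OSError):
            return [name + " (corrupt)"]
        if not d.eof:
            return [name + " (truncated)"]
        return [name] + identify(inner, depth + 1)
    if data[257:262] == b"ustar":
        return ["tar"]
    if len(data) >= EXT2_MAGIC_OFFSET + 2:
        (magic,) = struct.unpack_from("<H", data, EXT2_MAGIC_OFFSET)
        if magic == 0xEF53:
            return ["ext2-family filesystem"]
    return ["data"]


def sample_dumps():
    """Constructed stand-ins for the dumps, not the device's real contents."""
    fs = bytearray(4096)
    struct.pack_into("<H", fs, EXT2_MAGIC_OFFSET, 0xEF53)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(tarfile.TarInfo("etc/hosts"))  # empty member is enough
    pad = b"\xff" * 512  # assumed padding: erased NOR flash reads as 0xFF
    return {"MTD2": gzip.compress(bytes(fs)) + pad,
            "MTD3": bz2.compress(buf.getvalue()) + pad,
            "MTD4": b"FLFM" + bytes(60)}


if __name__ == "__main__":
    for name, blob in sample_dumps().items():
        print(name, "->", " + ".join(identify(blob)))
```

On real dumps, read each image file as bytes and pass it to identify(); anything it reports as "data", like MTD4 here, needs manual inspection.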

