HuangYe

DS918+ Bootloader hacking need help

I recently bought an ASRock J4205 motherboard and an In-Win MS04 chassis. I found that the DS918+'s CPU is the J3455 (which is close to the J4205).

But there's no hacked loader, so I modded the loader from Jun's DS916+ loader (v1.02b).

I downloaded the dsgpl kernel code, version 4.4.15 (which is the kernel used in Synology DSM 6.1.4).

I used these scripts: https://github.com/kref/scripts

I built the kernel with the following changes:

cp synoconfigs/apollolake .config

Define XPENOLOGY macro

 tty: Enable virtual console

.config: Enable more SATA controllers.

Enable more ethernet drivers.

Add kernel parameters to customize synoboot pid & vid. (support pid= and vid= )

config: Add support for OHCI driver

Fix function exporting. - syno_libata_index_get

disable write to GPIO in syno_sata_mv_gpio_write / syno_sata_mv_gpio_read function.

...

 

Also, I modded grub.cfg and set the right vid, pid and mac1.

I also changed the grub command parameter to:

syno_hw_version=DS918+

Then I replaced the extra.lzma of the DS916+ loader (v1.02b) with the newly generated jun.lzma,

replaced zImage with the one I built,

and replaced rd.gz with the one extracted from the newest DS918+ pat file.

Then I wrote it to my SanDisk USB disk and it booted successfully.

But when I uploaded the DS918+ pat file (the file is OK, I calculated the md5 checksum) and the upload was done, it started the installation and just failed.

I got some related requests and responses from Chrome dev tools:
 

http://192.168.6.8:5000/webman/get_install_progress.cgi?_dc=1512675049583&_dc=1512675215755

{"success": true, "data": {"stage": "install"}}

http://192.168.6.8:5000/webman/get_install_progress.cgi?_dc=1512675049583&_dc=1512675220911

{"success": false, "data": {}, "errinfo": {"sec": "wizard","key": "err_patch","line":13}}

 

I do not know what the error "err_patch" means.

The web UI said "Failed to install the file. The file is probably corrupted. (13)", but I'm quite sure that my VID/PID is correct.

The pat file I used:

https://global.download.synology.com/download/DSM/release/6.1.4/15217/DSM_DS918%2B_15217.pat

I know that this error information is generated by /usr/syno/bin/scemd (install.cgi).

I disassembled the scemd ELF file using IDA Pro, but the code is hard to read, and I cannot find which function call produces the "err_patch" error.

 

Edited by HuangYe


If you manage to do this you are my hero. I have the same board. I tried it myself but still got the (13) error. What I also did was make a diff -u patch between Jun's rd.gz and the Synology one for the 916 bootloader to see what the extra changes in the ramdisk are. What I am missing is the modprobe; did you use the one in Jun's patch or did you compile a new one?

11 minutes ago, x01015918 said:

If you manage to do this you are my hero. I have the same board. I tried it myself but still got the (13) error. What I also did was make a diff -u patch between Jun's rd.gz and the Synology one for the 916 bootloader to see what the extra changes in the ramdisk are. What I am missing is the modprobe; did you use the one in Jun's patch or did you compile a new one?

The modprobe is just a binary program that loads the needed kernel modules. I do not think there's any hacking tech in the file.

Also, I investigated Jun's DS3615xs patch. The VERSION file in rd.gz shows:

majorversion="6"
minorversion="1"
productversion="6.1"
buildphase="GM"
buildnumber="15047"
smallfixnumber="0"
packing="repack"
packing_id="1"
builddate="2017/02/18"
buildtime="19:43:05"
unique="synology_bromolow_3615xs"
extractsize=712716

So I downloaded the original pat file:

https://archive.synology.com/download/DSM/release/6.1/15047/DSM_DS3615xs_15047.pat

and compared the stock kernel image:

hacklog  …  ds3615  extract  DSM_DS3615xs_15047  file zImage 
zImage: Linux kernel x86 boot executable bzImage, version 3.10.102 (root@build1) #15047 SMP Thu Feb 23 02:24:19 CST 2017, RO-rootFS, swap_dev 0x2, Normal VGA

with Jun's kernel:
hacklog  …  ds3615  extract  part2  file zImage 
zImage: Linux kernel x86 boot executable bzImage, version 3.10.102 (root@build1) #15047 SMP Sat Feb 18 17:34:10 CST 2017, RO-rootFS, swap_dev 0x2, Normal VGA

So I guess the only possible hack might be in the kernel (or extra modules).

The "rd.gz" files in the stock pat file and in Jun's patch are the same, so there's nothing to do there.

 

 

 


Can you compare, for example, linuxrc.syno in the ramdisk? I think it is different in the hacked loader; for example, the ETRONDriver line is removed, and this part is also removed: if [ $KERNEL_VCODE -ge $(KernelVersionCode "3.10") ]; then
    if [ "${ENABLE_ETRON_SSC}" == "yes" ]; then......

About modprobe: if you open it with a text editor you can see this: BOOT_IMAGE= loglevel= elevator= uevent vendor device resource irq class config DS916+ DS3615xs DS3617xs

I have limited knowledge of Linux, but maybe my findings are helpful.

Can you share with me how you managed to compile the kernel with the kref scripts? For kernel 3.10 it works, but for kernel 4.4 it did not work with an output dir; I managed to compile it only inside the source dir.

 

1 minute ago, x01015918 said:

Can you compare, for example, linuxrc.syno in the ramdisk? I think it is different in the hacked loader; for example, the ETRONDriver line is removed, and this part is also removed: if [ $KERNEL_VCODE -ge $(KernelVersionCode "3.10") ]; then
    if [ "${ENABLE_ETRON_SSC}" == "yes" ]; then......

About modprobe: if you open it with a text editor you can see this: BOOT_IMAGE= loglevel= elevator= uevent vendor device resource irq class config DS916+ DS3615xs DS3617xs

I have limited knowledge of Linux, but maybe my findings are helpful.

Can you share with me how you managed to compile the kernel with the kref scripts? For kernel 3.10 it works, but for kernel 4.4 it did not work with an output dir; I managed to compile it only inside the source dir.

Thanks, I'll take a look at the "magic" modprobe file.

For kernel 4.4, you need to remove the O=xxx param in the build script.


What else I tried: after the installation failed I connected with telnet (user: root, password blank) and tried to do the installation manually with "sudo synoupgrade --download / sudo synoupgrade --start", but didn't succeed.

4 minutes ago, x01015918 said:

What else I tried: after the installation failed I connected with telnet (user: root, password blank) and tried to do the installation manually with "sudo synoupgrade --download / sudo synoupgrade --start", but didn't succeed.

I think synoupgrade is for system upgrades, not for a pure installation.

After analyzing /usr/syno/bin/scemd (install.cgi), I found that the whole installation process is done in this file. The err_patch error is also generated by it:

{"success": false, "data": {}, "errinfo": {"sec": "wizard","key": "err_patch","line":13}}

which, translated to text, is: "Failed to install the file. The file is probably corrupted. (13)"

 

 

Edited by HuangYe


This part? Did you have the whole file readable?

 

Upgrade by the uploaded patch %s fail. %s:%d Upgrade by the uploaded patch fail. IsNeedRedirect  CheckManualIPConfig recover.c %s:%d Mount %s on %s fail %s:%d recover %s by %s fail error_recover {"success": false, "data": {},             "errinfo": {"sec": "%s","key": "%s","line":%d}} %s:%d Set RTC fail error_download boot_damaged err_patch wizard error_model error_version error_apply_lock error_mkfs no_space error_upload

 


AFAIK zImage and rd.gz are the originals from the DSM pat file; they will be replaced with other, newer files when updating DSM,

so whatever you are looking for is in modprobe, I guess.


What you are trying to do will not work. Allow me to elaborate.

 

The actual hack, which basically is the modprobe module, needs to be modified for the hack to work on DS918+. Jun never released the source code, so unless you are comfortable creating the hack from scratch (or reverse engineering Jun's hack), your approach of using the modprobe as is will not work.

 


Good morning,

 

But what about asking @jun to help in this matter? I guess that a lot of guys here (me too) are very interested in getting a DS918+ bootloader which supports the new kernel. Just my two cents.

5 minutes ago, Huberer said:

Good morning,

 

But what about asking @jun to help in this matter? I guess that a lot of guys here (me too) are very interested in getting a DS918+ bootloader which supports the new kernel. Just my two cents.

I mailed Jun, but got no response, so I don't know if he has time to hack the 918+ himself or help us hack the 918+.

I hope Jun can do this for us.


I think the flow may be like this:

grub loader => loads the original Linux kernel

=> initrd rd.gz extra.lzma

extra.lzma replaces the original init file with its own (the new init file will patch the Syno config files in rd.gz and then run the real init program provided by busybox).

It seems that the magic modprobe is run from /usr/syno/hotplug/hotplug.functions (hotplug.functions(69): MODPROBE="/sbin/modprobe -s"),

but I did not find /sbin/modprobe in rd.gz.

So it is like @Polanskiman and @IG-88 said: the work is done in modprobe.

If you load modprobe in IDA Pro, you'll see nothing but a _start() function.

It is hard to reverse engineer Jun's hack.

Edited by HuangYe


This is what I get with strings

 


%02x%02x        %04x%04x        %x
        %16llx
3lookup failed
0x%06x
0x%04x
DRIVER=%s
PCI_ID=%04X:%04X
early_serial_setup
update_console_cmdline
ttyS
115200n8
./H2OFFT-Lx64
usbcore
usb_register_notify
usb_unregister_notify
3%s: sg error
synobios_model_init
synobios
3device not supported
3aes alloc failed %ld
/proc/cmdline
3%s: ret=%d
%x %x %x %15s
3sscan error, ret = %d
%04x:%02x:%02x.%d
3scg, ret = %d
pci_seq_start
pci_seq_next
pci_seq_stop
show_device
/proc/bus/pci/devices
hpbpd
final_putname
do_execve
dmi_get_system_info
rtc_cmos_read
rtc_cmos_write
syno_gpio
safpd
cmdline_proc_show
vid=
pid=
syno_hw_version=
elevator=__
sata_uid=
sata_pcislot=
alarm_day=
alarm_weekdays=
SasIdxMap=
syno_port_thaw=
gpio_to_desc
syno_libata_index_get
dev_attr_syno_port_thaw
insn_get_length
elevator_setup
hspt
insn_init
gpio chip
BOOT_IMAGE=
loglevel=
elevator=
uevent
vendor
device
resource
class
config
DS916+
DS3615xs
DS3617xs
0000 0010 80866f04 pcieport
0000 0012 80866f06 pcieport
0000 0018 80866f08 pcieport
0000 001a 80866f0a pcieport
0000 00f8 80868c54 lpc_ich
0000 00fb 80868c22 i801_smbus
0000 0600 1b4b1475 mv14xx
0000 0800 1b4b9235 ahci
0000 0900 80861533 igb
0000 0c00 80861533 igb
0000 0d00 80861533 igb
0000 0010 808622b1 i915
0000 00a0 808622b5 xhci_hcd
0000 00e0 808622c8 pcieport
0000 00e1 808622ca pcieport
0000 00fb 80862292 i801_smbus
0000 0100 80861539 igb
0000 0200 80861539 igb
0000 0300 1b4b9215 ahci
0000 0400 1b6f7023 etxhci_hcd
0000 0700 1b4b9235 ahci
0000 0900 1b4b9235 ahci
0000 0a00 1b4b9235 ahci
0x%016llx 0x%016llx 0x%016llx
syno_libata_disk_map_table_gen
license=GPL
depends=
vermagic=3.10.102 SMP mod_unload
el000
GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease)
GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease)
.symtab
.strtab
.shstrtab
.note.gnu.build-id
.rela.text
.rela.text.unlikely
.rela.init.text
.rela.exit.text
.rela.rodata
.rodata.str1.1
.rodata.str1.8
.modinfo
.rela.data
.rela.gnu.linkonce.this_module
.bss
.comment
.note.GNU-stack
dev_get_drvdata
crypto_alloc_base
memmove
__this_module
seq_release
snprintf
__kfifo_in
scsi_bus_type
cleanup_module
kfree
seq_lseek
lookup_address
path_put
init_module
crypto_destroy_tfm
symbol_put_addr
__symbol_get
do_exit
kallsyms_lookup_name
mod_timer
console_drivers
strstr
strncmp
rtc_cmos_write
strncpy
rtc_cmos_read
sysfs_create_group
sscanf
printk
getname
kern_path
strcmp
acpi_gbl_FADT
jiffies
sysfs_remove_group
seq_read
sprintf
strsep
seq_printf
find_symbol
single_release
seq_open
unregister_module_notifier
kstrtoll
register_module_notifier
single_open
__kfifo_out
__kmalloc
pci_bus_type
GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease)
.shstrtab
.text
.rodata
.eh_frame
.data
.comment

 

3 minutes ago, Polanskiman said:

Please use proper code tags in the future as well as spoiler tags when posting particularly long logs/code lists.

sry, tnks


@x01015918 About the table with entries like "0000 0700 1b4b9235 ahci": this is a special table the Syno daemon uses to check for allowed devices; it compares it with the strings in /proc/bus/pci/devices (thanks to @Vortex).

1b4b9235 stands for the vendor ID and product ID. In this case it is 9235, the 88SE9235 PCIe 2.0 x2 4-port SATA 6 Gb/s Controller

(I got this info by visiting https://pci-ids.ucw.cz/read/PC/1b4b )

So every Syno product has specific PCI vendors. Syno has a table, and it just checks whether the real PCI devices in the Linux system exist in the table.

If some devices are not found, then the Syno DSM system can know that it is not running on official Syno hardware.

According to previous research, if more than two devices are not found in /proc/bus/pci/devices, then the drives go off. Please refer to this thread:

For example, the gnoboot hack for DSM 5.0:

https://github.com/sancome/DSM-5.0-4458_dsgpl-4418/blob/master/xpenology/patches-rd-gz-alpha9/.gnoboot/devices-append

The related shell script:

https://github.com/sancome/DSM-5.0-4458_dsgpl-4418/blob/master/xpenology/patches-rd-gz-alpha9/.gnoboot/rc.d/xpenology

 

#!/bin/sh
source /etc/rc.subr
source /.gnoboot/rc.init

[ -d "${gnoBoot}" ] || exit 1

gnoBootMountPCI()
{
	if [ -f ${gnoBoot}/devices-append ]; then
		if [ `grep -c pci/devices /proc/mounts` -eq 0 ]; then
			/bin/cp -f ${gnoBoot}/devices-append /tmp/.devices
			cat /proc/bus/pci/devices >> /tmp/.devices
			/bin/mount -n -o bind,ro /tmp/.devices /proc/bus/pci/devices
		fi 
		echo "Re-generating missing device nodes..." >> ${gnoLogFile}
		SYNOGenAllDeviceNodes
	fi
}

gnoBootMountPCI
gnoBootRegen

exit 0

I think that Jun's patch implements this in a similar way.

Edited by HuangYe
fix link
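
The check described in the post above, sketched as an added example (not code from this thread, from Jun's loader or from Synology): it parses table rows in the format shown in the strings output, compares them with a /proc/bus/pci/devices listing, and reports whether /proc/mounts shows that file mounted over, as the gnoboot script does. Matching on slot plus ID, the sample listings and all function names are assumptions; the threshold of two is the figure quoted in the post.

```python
MAX_MISSING = 2  # threshold quoted in the thread ("more than two"), unverified

# Rows copied from the strings output posted earlier in the thread:
# domain, bus/devfn, vendor+device ID, driver.
EXPECTED = """0000 0100 80861539 igb
0000 0200 80861539 igb
0000 0300 1b4b9215 ahci
0000 0400 1b6f7023 etxhci_hcd
0000 0700 1b4b9235 ahci"""

def proc_line(slot, ids, driver):
    """One constructed /proc/bus/pci/devices line: bus/devfn, vendor+device,
    irq, 7 base addresses, 7 sizes, driver (tab-separated)."""
    return "\t".join([slot, ids, "0"] + ["0"] * 14 + [driver])

# Constructed samples: a board that matches one table row, and a /proc/mounts
# in which something is mounted on top of the PCI device list.
SAMPLE_PCI = "\n".join([proc_line("0100", "10ec8168", "r8169"),
                        proc_line("0300", "1b4b9215", "ahci")])
SAMPLE_MOUNTS = ("proc /proc proc rw,relatime 0 0\n"
                 "tmpfs /proc/bus/pci/devices tmpfs ro,relatime 0 0\n")

def parse_expected(table):
    """Return {(slot, vendor, device)} for each well-formed table row."""
    rows = set()
    for parts in (line.split() for line in table.splitlines()):
        if len(parts) == 4 and len(parts[2]) == 8:
            rows.add((parts[1].lower(), parts[2][:4].lower(), parts[2][4:].lower()))
    return rows

def parse_proc_pci(text):
    """Return {(slot, vendor, device)} from a /proc/bus/pci/devices listing."""
    seen = set()
    for cols in (line.split() for line in text.splitlines()):
        if len(cols) >= 2 and len(cols[1]) == 8:
            seen.add((cols[0].lower(), cols[1][:4].lower(), cols[1][4:].lower()))
    return seen

def is_overmounted(mounts, target="/proc/bus/pci/devices"):
    """True if a /proc/mounts entry has the device list itself as mount point."""
    return any(f[1] == target for f in map(str.split, mounts.splitlines()) if len(f) > 1)

def audit(table, proc_pci, mounts):
    # Assumption: a row counts as present only if slot and ID both match.
    missing = sorted(parse_expected(table) - parse_proc_pci(proc_pci))
    return {"missing": [f"{v}:{d}@{s}" for s, v, d in missing],
            "passes": len(missing) <= MAX_MISSING,
            "overmounted": is_overmounted(mounts)}

if __name__ == "__main__":
    print(audit(EXPECTED, SAMPLE_PCI, SAMPLE_MOUNTS))
```

An "overmounted" result of true means the listing being read is not the one the kernel generates, so a passing table comparison on such a system says nothing about the real hardware.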


Unfortunately I don't have the knowledge to pursue this further; at least, if we need to add additional vendor IDs, we can't do it without disassembling the whole file and recompiling it. I am thinking of getting the J3710 board....


@HuangYe

 

I have some confusion with kref/scripts; the description is poor.

1. clone kernel source(FIXME), compatibility util source(FIXME) and build scripts to same folder

I downloaded the kernel source from SourceForge and it is linux-3.10.x for DSM 6.1-15047, but what is the compatibility util source?

4. create config.override (extra kernel configs), grub.cfg, modules.conf(a list of extra modules), optionally info.txt

I only created empty config.override, grub.cfg and modules.conf files; can you please upload these three files for reference?

The current directory tree is below:

-rw-r--r--  1 root root  49815212 Mar 14 17:13 bromolow-gcc493_glibc220_linaro_x86_64-GPL_15047.txz
drwxr-xr-x  3 root root      4096 Mar 15 17:50 build
drwxr-xr-x  3 root root      4096 Mar 15 17:52 ds3615_6.1
-rw-r--r--  1 root root 226897920 Mar 14 17:31 DSM_DS3615xs_15047.pat
drwxr-xr-x  3 root root      4096 Mar 15 17:50 install
dr-xr-xr-x 25 root root      4096 Mar 15 17:46 linux
drwxr-xr-x  3 root root      4096 Mar 15 17:48 pat
drwxr-xr-x  3 root root      4096 Mar 15 17:48 ramdisk
drwxr-xr-x  3 root root      4096 Mar 15 17:48 rootfs
drwxr-xr-x  2 root root      4096 Mar 15 16:48 scripts-master  --> (https://github.com/kref/scripts)
drwxr-xr-x  3 root root      4096 Mar 15 18:11 tool
drwxr-xr-x  3 root root      4096 Mar 15 17:48 toolchain

In the end, the modprobe build failed; the tool directory is empty:

make: Leaving directory `/root/dsm/linux'
make: Entering directory `/root/dsm/linux'
make[2]: Nothing to be done for `__fw_install'.
make: Leaving directory `/root/dsm/linux'
make: Entering directory `/root/dsm/linux'
/root/dsm/linux/scripts/Makefile.build:44: /root/dsm/tool/Makefile: No such file or directory
make[2]: *** No rule to make target `/root/dsm/tool/Makefile'.  Stop.
make[1]: *** [_module_/root/dsm/tool] Error 2
make: *** [sub-make] Error 2
make: Leaving directory `/root/dsm/linux'
make: Entering directory `/root/dsm/tool'
make: *** No targets specified and no makefile found.  Stop.
make: Leaving directory `/root/dsm/tool'
cp: cannot stat ‘/root/dsm/tool/modprobe’: No such file or directory

 

