HuangYe Posted December 10, 2017 Share #1 Posted December 10, 2017 (edited) currently I bought asrock j4205 mb and in-win ms04 chassis. I found that DS918+ 's CPU is j3455 (which is close to J4205). but there's no hack loader. so I mod the loader from Jun's ds916+ loader (v1.02b). I download the dsgpl kernel code: 4.4.15 version (which is the kernel used in 6.1.4 synology dsm) use this scripts: https://github.com/kref/scripts I build the kernel with following change: cp synoconfigs/apollolake .config Define XPENOLOGY macro tty: Enable virtual console .config: Enable more SATA controllers. Enable more ethernet drivers. Add kernel parameters to customize synoboot pid & vid. (support pid= and vid= ) config: Add support for OHCI driver Fix function exporting. - syno_libata_index_get disable write to GPIO in syno_sata_mv_gpio_write / syno_sata_mv_gpio_read function. ... also, I mod the grub.cfg , set the right vid and pid and mac1. also I change grub command param to: syno_hw_version=DS918+ then replace the extra.lzma of ds916+ loader (v1.02b) with the new generated jun.lzma and replace zImage with the build one. replace rd.gz with the one extracted from the newest ds918+ pat file. than I write to my sandisk USB disk and it boot successfuly. but when I upload the ds918+ pat file (the file is OK,I calculated the md5 checksum). when the upload is done, it start the installation and just failed. I got some related request and response from chrome dev tool: http://192.168.6.8:5000/webman/get_install_progress.cgi?_dc=1512675049583&_dc=1512675215755 {"success": true, "data": {"stage": "install"}} http://192.168.6.8:5000/webman/get_install_progress.cgi?_dc=1512675049583&_dc=1512675220911 {"success": false, "data": {}, "errinfo": {"sec": "wizard","key": "err_patch","line":13}} I do not know what the error "err_patch" mean. the web ui said that "Failed to install the file. The file is probably corrupted. (13)" , but I'm quit sure that my VID/PID is correct. pat file I used: https://global.download.synology.com/download/DSM/release/6.1.4/15217/DSM_DS918%2B_15217.pat I know that this error information was generated by /usr/syno/bin/scemd (install.cgi) I disambled the scemd elf file use IDA pro, but code is hard to read, and I can not find which function call get the "err_patch" error. Edited December 10, 2017 by HuangYe Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 10, 2017 Author Share #2 Posted December 10, 2017 Thanks @liwei 's github repo. which help me a lot . Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 11, 2017 Share #3 Posted December 11, 2017 If you manage to do this you are my hero. I have the same board. I tried it myself but still got the (13) error. what I also did, was to make a diff -u patch between jun's rd.gz and the synology one for 916 boot-loader to see what are the extra changes in the ramdisk. I am missing is the modprobe, did you use the one in jun's patch or you compiled a new one? Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 11, 2017 Author Share #4 Posted December 11, 2017 11 minutes ago, x01015918 said: If you manage to do this you are my hero. I have the same board. I tried it myself but still got the (13) error. what I also did, was to make a diff -u patch between jun's rd.gz and the synology one for 916 boot-loader to see what are the extra changes in the ramdisk. I am missing is the modprobe, did you use the one in jun's patch or you compiled a new one? the modprobe is just a binary program to load needed kernel module . I do not think there's hacking tech in the file. also, I investigated jun's ds3615xs patch, the VERSION file in rd.gz shows that: majorversion="6" minorversion="1" productversion="6.1" buildphase="GM" buildnumber="15047" smallfixnumber="0" packing="repack" packing_id="1" builddate="2017/02/18" buildtime="19:43:05" unique="synology_bromolow_3615xs" extractsize=712716 so, I downloaded the original pat file: https://archive.synology.com/download/DSM/release/6.1/15047/DSM_DS3615xs_15047.pat compare the stock kernel image: hacklog … ds3615 extract DSM_DS3615xs_15047 file zImage zImage: Linux kernel x86 boot executable bzImage, version 3.10.102 (root@build1) #15047 SMP Thu Feb 23 02:24:19 CST 2017, RO-rootFS, swap_dev 0x2, Normal VGA to which jun's : jun's kernel: hacklog … ds3615 extract part2 file zImage zImage: Linux kernel x86 boot executable bzImage, version 3.10.102 (root@build1) #15047 SMP Sat Feb 18 17:34:10 CST 2017, RO-rootFS, swap_dev 0x2, Normal VGA so , I guess the only possible hack might be in the kernel (or extra modules). the "rd.gz" file in stock pat file and jun's patch are both the same. so there's nothing to do. Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 11, 2017 Share #5 Posted December 11, 2017 can you compare linuxrc.syno for example in ramdisk, I think is different in the hack loader, for example ETRONDriver line is removed, this part is also removed if [ $KERNEL_VCODE -ge $(KernelVersionCode "3.10") ]; then if [ "${ENABLE_ETRON_SSC}" == "yes" ]; then...... about modprobe if you pen it with a text editor you can see this, BOOT_IMAGE= loglevel= elevator= uevent vendor device resource irq class config DS916+ DS3615xs DS3617xs I have limited knowledge with linux but maybe my finding are helpfull. Can you share with me how you managed to compile the kernel with kref scripts? for kernel 3.10 is working but for kernel 4.4 was not working with output dir, I managed to compile it only inside source dir. Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 11, 2017 Author Share #6 Posted December 11, 2017 1 minute ago, x01015918 said: can you compare linuxrc.syno for example in ramdisk, I think is different in the hack loader, for example ETRONDriver line is removed, this part is also removed if [ $KERNEL_VCODE -ge $(KernelVersionCode "3.10") ]; then if [ "${ENABLE_ETRON_SSC}" == "yes" ]; then...... about modprobe if you pen it with a text editor you can see this, BOOT_IMAGE= loglevel= elevator= uevent vendor device resource irq class config DS916+ DS3615xs DS3617xs I have limited knowledge with linux but maybe my finding are helpfull. Can you share with me how you managed to compile the kernel with kref scripts? for kernel 3.10 is working but for kernel 4.4 was not working with output dir, I managed to compile it only inside source dir. thanks, I'll come to see the "magic" modprobe file. for kernel 4.4, you need to remove the O=xxx param in the build script. Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 11, 2017 Share #7 Posted December 11, 2017 what else I tried, after installation failed I connected with telnet , user:root, password blank, and tried to make the installation manually with "sudo synoupgrade --download/ sudo synoupgrade --start" but didn't succeed. Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 11, 2017 Author Share #8 Posted December 11, 2017 (edited) 4 minutes ago, x01015918 said: what else I tried, after installation failed I connected with telnet , user:root, password blank, and tried to make the installation manually with "sudo synoupgrade --download/ sudo synoupgrade --start" but didn't succeed. I think synoupgrade is for system upgrade. not for pure installation. after analyze the /usr/syno/bin/scemd (install.cgi) . I found the all the installation process was done in this file. also the err_patch error was generated by it: {"success": false, "data": {}, "errinfo": {"sec": "wizard","key": "err_patch","line":13}} which translated to text is: "Failed to install the file. The file is probably corrupted. (13)" Edited December 11, 2017 by HuangYe Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 11, 2017 Share #9 Posted December 11, 2017 this part? did you have the whole file readable? Upgrade by the uploaded patch %s fail. %s:%d Upgrade by the uploaded patch fail. AA OA OA OA VA rA rA VA rA HA rA ]A dA kA IsNeedRedirect CheckManualIPConfig recover.c %s:%d Mount %s on %s fail %s:%d recover %s by %s fail error_recover {"success": false, "data": {}, "errinfo": {"sec": "%s","key": "%s","line":%d}} %s:%d Set RTC fail error_download boot_damaged err_patch wizard error_model error_version error_apply_lock error_mkfs no_space error_upload ©A æ¨A æ¨A ߨA ߨA æ¨A ߨA ߨA Ó¨A 5©A 5©A ©A 5©A 5©A Ó¨A Ó¨A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A 5©A ù¨A 5©A 5©A 5©A ù¨A 5©A í¨A 5©A 5©A 5©A ̨A À¨A ©A 5©A 5©A 5©A 5©A 5©A 5©A )©A s Quote Link to comment Share on other sites More sharing options...
IG-88 Posted December 12, 2017 Share #10 Posted December 12, 2017 afaik zImage and rd.gz are the original from dsm pat file, they will be replaced with other newer files when updating dsm so whatever you are looking for is in modprobe i guess Quote Link to comment Share on other sites More sharing options...
Polanskiman Posted December 12, 2017 Share #11 Posted December 12, 2017 What you are trying to do will not work. Allow me to elaborate. The actual hack, which basically is the modprob module, needs to be modified for the hack to work on DS918+. Jun never released the source code so unless you are confortable in creating the hack from scratch (or reverse engineer Jun's hack), your approach of using the modprob as is will not work. Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 12, 2017 Author Share #12 Posted December 12, 2017 (edited) @Polanskiman @IG-88 thank U very much. This information is very helpful to me Edited December 12, 2017 by HuangYe fix typo Quote Link to comment Share on other sites More sharing options...
Huberer Posted December 12, 2017 Share #13 Posted December 12, 2017 Good morning, but what about to ask @jun to help in this matter. I guess that a lot of guys here (me too) are very interested to get a DS918+ bootloader which support the new kernel. Just my two cents. Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 12, 2017 Author Share #14 Posted December 12, 2017 5 minutes ago, Huberer said: Good morning, but what about to ask @jun to help in this matter. I guess that a lot of guys here (me too) are very interested to get a DS918+ bootloader which support the new kernel. Just my two cents. I mailed Jun, but got no response. so , I don't know if he has time to hack 918+ himself or help us hack 918+. hope Jun can do this for us. 1 Quote Link to comment Share on other sites More sharing options...
Huberer Posted December 12, 2017 Share #15 Posted December 12, 2017 That would be great. Hopefully he can support you and the community. Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 12, 2017 Share #16 Posted December 12, 2017 I hope he can help us, or at least let us know if it's possible. Thanks everyone. Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 12, 2017 Author Share #17 Posted December 12, 2017 (edited) I think the flow may like this: grub loader => load the orig linux kernel => initrd rd.gz extra.lzma extra.lzma replaced the original init file with it's own. (the new init file will patch syno config files in rd.gz and then run the real init program provided by busybox) seems that, the magic modprobe will run in /usr/syno/hotplug/hotplug.functions (hotplug.functions(69): MODPROBE="/sbin/modprobe -s") but I dit not find /sbin/modprobe in rd.gz so, it it like @Polanskiman @IG-88 said, the work was done in modprobe if you load modprobe in IDA pro. you 'll see nothing but a _start() function. it is hard to reverse engineer Jun's hack Edited December 12, 2017 by HuangYe Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 13, 2017 Share #18 Posted December 13, 2017 This is what I get with strings code %02x%02x %04x%04x %x %16llx 3lookup failed 0x%06x 0x%04x DRIVER=%s PCI_ID=%04X:%04X early_serial_setup update_console_cmdline ttyS 115200n8 ./H2OFFT-Lx64 usbcore usb_register_notify usb_unregister_notify 3%s: sg error synobios_model_init synobios 3device not supported 3aes alloc failed %ld /proc/cmdline 3%s: ret=%d %x %x %x %15s 3sscan error, ret = %d %04x:%02x:%02x.%d 3scg, ret = %d pci_seq_start pci_seq_next pci_seq_stop show_device /proc/bus/pci/devices hpbpd final_putname do_execve dmi_get_system_info rtc_cmos_read rtc_cmos_write syno_gpio safpd cmdline_proc_show vid= pid= syno_hw_version= elevator=__ sata_uid= sata_pcislot= alarm_day= alarm_weekdays= SasIdxMap= syno_port_thaw= gpio_to_desc syno_libata_index_get dev_attr_syno_port_thaw insn_get_length elevator_setup hspt insn_init gpio chip BOOT_IMAGE= loglevel= elevator= uevent vendor device resource class config DS916+ DS3615xs DS3617xs 0000 0010 80866f04 pcieport 0000 0012 80866f06 pcieport 0000 0018 80866f08 pcieport 0000 001a 80866f0a pcieport 0000 00f8 80868c54 lpc_ich 0000 00fb 80868c22 i801_smbus 0000 0600 1b4b1475 mv14xx 0000 0800 1b4b9235 ahci 0000 0900 80861533 igb 0000 0c00 80861533 igb 0000 0d00 80861533 igb 0000 0010 808622b1 i915 0000 00a0 808622b5 xhci_hcd 0000 00e0 808622c8 pcieport 0000 00e1 808622ca pcieport 0000 00fb 80862292 i801_smbus 0000 0100 80861539 igb 0000 0200 80861539 igb 0000 0300 1b4b9215 ahci 0000 0400 1b6f7023 etxhci_hcd 0000 0700 1b4b9235 ahci 0000 0900 1b4b9235 ahci 0000 0a00 1b4b9235 ahci 0x%016llx 0x%016llx 0x%016llx syno_libata_disk_map_table_gen license=GPL depends= vermagic=3.10.102 SMP mod_unload el000 GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease) GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease) .symtab .strtab .shstrtab .note.gnu.build-id .rela.text .rela.text.unlikely .rela.init.text .rela.exit.text .rela.rodata .rodata.str1.1 .rodata.str1.8 .modinfo .rela.data .rela.gnu.linkonce.this_module .bss .comment .note.GNU-stack dev_get_drvdata crypto_alloc_base memmove __this_module seq_release snprintf __kfifo_in scsi_bus_type cleanup_module kfree seq_lseek lookup_address path_put init_module crypto_destroy_tfm symbol_put_addr __symbol_get do_exit kallsyms_lookup_name mod_timer console_drivers strstr strncmp rtc_cmos_write strncpy rtc_cmos_read sysfs_create_group sscanf printk getname kern_path strcmp acpi_gbl_FADT jiffies sysfs_remove_group seq_read sprintf strsep seq_printf find_symbol single_release seq_open unregister_module_notifier kstrtoll register_module_notifier single_open __kfifo_out __kmalloc pci_bus_type GCC: (crosstool-NG 1.20.0) 4.9.3 20150311 (prerelease) .shstrtab .text .rodata .eh_frame .data .comment Hide Quote Link to comment Share on other sites More sharing options...
Polanskiman Posted December 13, 2017 Share #19 Posted December 13, 2017 Please use proper code tags in the future as well as spoiler tags when posting particularly long logs/code lists. Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 13, 2017 Share #20 Posted December 13, 2017 3 minutes ago, Polanskiman said: Please use proper code tags in the future as well as spoiler tags when posting particularly long logs/code lists. sry, tnks Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 13, 2017 Author Share #21 Posted December 13, 2017 (edited) @x01015918 the table like "0000 0700 1b4b9235 ahci" , this is syno daemon used to check special table for allowed devices and compares it with strings in /proc/bus/pci/devices. (thanks to @Vortex ) 1b4b9235 stand for vendor id and product id. in this case , it is 923588SE9235 PCIe 2.0 x2 4-port SATA 6 Gb/s Controller (this info get by visit https://pci-ids.ucw.cz/read/PC/1b4b ) so ,every syno product has specific pci vendors. syno has a table, it just check if the real pci devices in Linux system is exists in the table. if some devices not found, then, syno DSM system can know that, it is not running under the official syno hardware. According to previous research, If more than two devices are not found in /proc/bus/pci/devices, then drives off. plz ref to this thread: for example , gnoboot hack dsm 5.0 : https://github.com/sancome/DSM-5.0-4458_dsgpl-4418/blob/master/xpenology/patches-rd-gz-alpha9/.gnoboot/devices-append related shell script: https://github.com/sancome/DSM-5.0-4458_dsgpl-4418/blob/master/xpenology/patches-rd-gz-alpha9/.gnoboot/rc.d/xpenology #!/bin/sh source /etc/rc.subr source /.gnoboot/rc.init [ -d "${gnoBoot}" ] || exit 1 gnoBootMountPCI() { if [ -f ${gnoBoot}/devices-append ]; then if [ `grep -c pci/devices /proc/mounts` -eq 0 ]; then /bin/cp -f ${gnoBoot}/devices-append /tmp/.devices cat /proc/bus/pci/devices >> /tmp/.devices /bin/mount -n -o bind,ro /tmp/.devices /proc/bus/pci/devices fi echo "Re-generating missing device nodes..." >> ${gnoLogFile} SYNOGenAllDeviceNodes fi } gnoBootMountPCI gnoBootRegen exit 0 I think that Jun's patch implement this in a similar way Edited December 13, 2017 by HuangYe fix link Quote Link to comment Share on other sites More sharing options...
x01015918 Posted December 13, 2017 Share #22 Posted December 13, 2017 unfortunately I don't have the knowledge to peruse this further, at least if we need to add additional vendor id's we can't do it without disassemble to whole file and recompile it. I am thinking getting the j3710 board.... Quote Link to comment Share on other sites More sharing options...
HuangYe Posted December 18, 2017 Author Share #23 Posted December 18, 2017 now, I'v bought DS918+ , but I am still interested in hacking DS918+ Quote Link to comment Share on other sites More sharing options...
jackyz Posted March 16, 2018 Share #24 Posted March 16, 2018 @HuangYe i have some confusion with kref/scripts, poor descrtion information 1. clone kernel source(FIXME), compatibility util source(FIXME) and build scripts to same folder kernel source i download from sourceforge and it is linux-3.10.x about dsm6.1-15047, but what is compatibility util source 4. create config.override (extra kernel configs), grub.cfg, modules.conf(a list of extra modules), optionally info.txt i only create empty file config.override, grub.cfg, modules.conf, can you plz upload this three file for reference current directory tree view below -rw-r--r-- 1 root root 49815212 Mar 14 17:13 bromolow-gcc493_glibc220_linaro_x86_64-GPL_15047.txz drwxr-xr-x 3 root root 4096 Mar 15 17:50 build drwxr-xr-x 3 root root 4096 Mar 15 17:52 ds3615_6.1 -rw-r--r-- 1 root root 226897920 Mar 14 17:31 DSM_DS3615xs_15047.pat drwxr-xr-x 3 root root 4096 Mar 15 17:50 install dr-xr-xr-x 25 root root 4096 Mar 15 17:46 linux drwxr-xr-x 3 root root 4096 Mar 15 17:48 pat drwxr-xr-x 3 root root 4096 Mar 15 17:48 ramdisk drwxr-xr-x 3 root root 4096 Mar 15 17:48 rootfs drwxr-xr-x 2 root root 4096 Mar 15 16:48 scripts-master --> (https://github.com/kref/scripts) drwxr-xr-x 3 root root 4096 Mar 15 18:11 tool drwxr-xr-x 3 root root 4096 Mar 15 17:48 toolchain at last, modprobe build failed, the tool directory is empty make: Leaving directory `/root/dsm/linux' make: Entering directory `/root/dsm/linux' make[2]: Nothing to be done for `__fw_install'. make: Leaving directory `/root/dsm/linux' make: Entering directory `/root/dsm/linux' /root/dsm/linux/scripts/Makefile.build:44: /root/dsm/tool/Makefile: No such file or directory make[2]: *** No rule to make target `/root/dsm/tool/Makefile'. Stop. make[1]: *** [_module_/root/dsm/tool] Error 2 make: *** [sub-make] Error 2 make: Leaving directory `/root/dsm/linux' make: Entering directory `/root/dsm/tool' make: *** No targets specified and no makefile found. Stop. make: Leaving directory `/root/dsm/tool' cp: cannot stat ‘/root/dsm/tool/modprobe’: No such file or directory Quote Link to comment Share on other sites More sharing options...
E-Corp Posted February 11, 2021 Share #25 Posted February 11, 2021 syno_hdd_detect=0 to 1 skipped a part of the new installation and didn't ask for a .pat file Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.