dlink-flash.c 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327
  1. /* dlink-flash - Flash D-Link DIR505 (and potentially other D-Links)
  2. * using recovery web flashing without using Internet Explorer 8
  3. *
  4. * SuperGlue project | http://superglue.it
  5. * Danja Vasiliev <danja@k0a1a.net> | 2014
  6. * Based on original work by Daniel Dickinson, 2014
  7. *
  8. * - Compile this tool:
  9. *
  10. * $ gcc -o dlink-flash dlink-flash.c
  11. *
  12. * - Boot your DIR-505 unit while holding Reset until red LED begins to blink slowly
  13. * - Configure your host network interface:
  14. *
  15. * # ifconfig eth0 192.168.0.2 netmask 255.255.255.0 up
  16. *
  17. * - Upload desired (original) firmware:
  18. *
  19. * $ ./dlink-flash firmware.bin
  20. *
  21. * - Allow a few minutes for flashing (no indication provided)
  22. * - Power cycle the unit to boot to new firmware
  23. *
  24. * This program is free software: you can redistribute it and/or modify
  25. * it under the terms of the GNU General Public License as published by
  26. * the Free Software Foundation, either version 3 of the License, or
  27. * (at your option) any later version.
  28. *
  29. * This program is distributed in the hope that it will be useful,
  30. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  31. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  32. * GNU General Public License for more details.
  33. *
  34. * You should have received a copy of the GNU General Public License
  35. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  36. */
  37. #include <sys/types.h>
  38. #include <sys/socket.h>
  39. #include <unistd.h>
  40. #include <stdlib.h>
  41. #include <regex.h>
  42. #include <stdint.h>
  43. #include <string.h>
  44. #include <stdio.h>
  45. #include <netinet/in.h>
  46. #include <netinet/tcp.h>
  47. #include <arpa/inet.h>
  48. #include <errno.h>
  49. void build_post_bin(uint8_t **post, size_t *post_len, uint8_t *newdata, size_t datalen) {
  50. uint8_t *newpost = NULL;
  51. newpost = malloc((*post_len + datalen) * sizeof(uint8_t));
  52. if (*post) {
  53. memcpy(newpost, *post, *post_len);
  54. } else {
  55. *post_len = 0;
  56. }
  57. memcpy(newpost + *post_len, newdata, datalen);
  58. *post_len += datalen;
  59. if (*post)
  60. free(*post);
  61. *post = newpost;
  62. }
  63. void build_post(uint8_t **post, size_t *post_len, char *newchar, size_t *content_len) {
  64. uint8_t *newpost = NULL;
  65. size_t nlen;
  66. build_post_bin(post, post_len, newchar, strlen(newchar));
  67. if (content_len) {
  68. *content_len += strlen(newchar);
  69. }
  70. }
  71. void usage(char *exename) {
  72. printf("Usage: %s <filename> [-d]\n", exename);
  73. printf(" Interface attached to D-Link must have IP addres 192.168.0.2");
  74. exit(1);
  75. }
  76. int open_socket(void) {
  77. /* we need TCP window to be 1024 bytes long */
  78. int sock = socket(AF_INET, SOCK_STREAM, 0);
  79. unsigned int tcpflush = 1;
  80. unsigned int recvbufsz = 1024;
  81. unsigned int smallwindow = 1024;
  82. unsigned int mss = 2048;
  83. setsockopt(sock, SOL_SOCKET, SO_RCVBUF, &recvbufsz, sizeof(recvbufsz));
  84. setsockopt(sock, SOL_SOCKET, SO_SNDBUF, &recvbufsz, sizeof(recvbufsz));
  85. setsockopt(sock, IPPROTO_IP, TCP_NODELAY, &tcpflush, sizeof(tcpflush));
  86. setsockopt(sock, IPPROTO_IP, TCP_MAXSEG, &mss, sizeof(mss));
  87. setsockopt(sock, IPPROTO_IP, TCP_WINDOW_CLAMP, &smallwindow, sizeof(smallwindow));
  88. struct sockaddr_in ipaddr;
  89. /* D-Link default recovery IP */
  90. in_addr_t hostip = inet_addr("192.168.0.1");
  91. ipaddr.sin_family = AF_INET;
  92. ipaddr.sin_port = htons(80);
  93. ipaddr.sin_addr.s_addr = hostip;
  94. if (connect(sock, (struct sockaddr *)&ipaddr, sizeof(struct sockaddr)) < 0) {
  95. return -1;
  96. }
  97. return sock;
  98. }
  99. void send_get(int *sock, uint8_t *get, size_t getlen, uint8_t *post, int debug) {
  100. size_t socksent = 0;
  101. size_t curpos = 0;
  102. *sock = open_socket();
  103. if (*sock < 0) {
  104. perror("send_get");
  105. free(get);
  106. if (post)
  107. free(post);
  108. exit(7);
  109. }
  110. while (curpos < getlen) {
  111. if ((getlen - curpos) >= 1024) {
  112. socksent = send(*sock, get + curpos, 1024, 0);
  113. if (debug)
  114. fprintf(stderr, "Sent %d bytes\n", socksent);
  115. if (socksent < 0) {
  116. perror("send_get");
  117. close(*sock);
  118. free(get);
  119. if (post)
  120. free(post);
  121. exit(7);
  122. }
  123. } else {
  124. socksent = send(*sock, get + curpos, getlen - curpos, 0);
  125. if (debug)
  126. fprintf(stderr, "Sent %d bytes\n", socksent);
  127. if (socksent < 0) {
  128. perror("send_get");
  129. close(*sock);
  130. free(get);
  131. if (post)
  132. free(post);
  133. exit(7);
  134. }
  135. }
  136. curpos += socksent;
  137. printf("\r%d/%d Bytes written: GET %g%% complete ", curpos, getlen, ((float)curpos / (float)getlen) * (float)100);
  138. fflush(stdout);
  139. }
  140. printf("\nFinished sending GET. Waiting for response.\n");
  141. }
  142. int main(int argc, char *argv[]) {
  143. uint8_t *firmware = NULL;
  144. uint8_t *post = NULL;
  145. size_t postlen = 0;
  146. uint8_t *get = NULL;
  147. size_t getlen = 0;
  148. uint8_t *content = NULL;
  149. size_t contentlen = 0;
  150. size_t nonnllen = 0;
  151. size_t firmwarelen = 0;
  152. char contentlenstr[2048];
  153. size_t curpos = 0;
  154. contentlenstr[0] = 0;
  155. int debug = 0;
  156. if (argc < 2) {
  157. usage(argv[0]);
  158. }
  159. if (argc == 3) {
  160. if (!strncmp(argv[2], "-d", 2)) {
  161. debug = 1;
  162. } else {
  163. usage(argv[0]);
  164. }
  165. } else if (argc > 2) {
  166. usage(argv[0]);
  167. }
  168. printf("Load firmware file %s\n", argv[1]);
  169. int firmwarefd = open(argv[1], 0);
  170. if (firmwarefd < 0) {
  171. perror(argv[1]);
  172. exit(1);
  173. }
  174. size_t len = 0;
  175. uint8_t buf[2048];
  176. uint8_t *newfw = NULL;
  177. int sock;
  178. do {
  179. len = read(firmwarefd, &buf[0], 2048);
  180. if (len < 0) {
  181. perror(argv[1]);
  182. close(firmwarefd);
  183. if (firmware)
  184. free(firmware);
  185. exit(2);
  186. }
  187. if (len > 0) {
  188. newfw = malloc((firmwarelen + len) * sizeof(uint8_t));
  189. if (firmware)
  190. memcpy(newfw, firmware, firmwarelen);
  191. memcpy(newfw + firmwarelen, &buf[0], len);
  192. firmwarelen += len;
  193. if (firmware)
  194. free(firmware);
  195. firmware = newfw;
  196. }
  197. } while (len > 0);
  198. close(firmwarefd);
  199. printf("Firmware %u bytes long\n", firmwarelen);
  200. build_post(&content, &contentlen, "---------------------------7de1fe13304\r\n", NULL);
  201. nonnllen += 2;
  202. /* just going to keep this */
  203. build_post(&content, &contentlen, "Content-Disposition: form-data; name=\"files\"; filename=\"C:\\My Documents\\firmware.bin\"\r\n", &nonnllen);
  204. build_post(&content, &contentlen, "Content-Type: application/octet-stream\r\n", &nonnllen);
  205. build_post(&content, &contentlen, "\r\n", &nonnllen);
  206. build_post_bin(&content, &contentlen, firmware, firmwarelen);
  207. build_post(&content, &contentlen, "\r\n---------------------------7de1fe13304--\r\n", NULL);
  208. nonnllen += 4;
  209. sprintf(contentlenstr, "%d\r\n", nonnllen + firmwarelen);
  210. build_post(&post, &postlen, "POST /cgi/index HTTP/1.1\r\n", NULL);
  211. build_post(&post, &postlen, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n", NULL);
  212. build_post(&post, &postlen, "Referer: http://192.168.0.1\r\n", NULL);
  213. build_post(&post, &postlen, "Accept-Language: en-US\r\n", NULL);
  214. build_post(&post, &postlen, "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n", NULL);
  215. build_post(&post, &postlen, "Content-Type: multipart/form-data; boundary=---------------------------7de1fe13304\r\n", NULL);
  216. build_post(&post, &postlen, "Accept-Encoding: gzip, deflate\r\n", NULL);
  217. build_post(&post, &postlen, "Host: 192.168.0.1\r\n", NULL);
  218. build_post(&post, &postlen, "Content-Length: ", NULL);
  219. build_post(&post, &postlen, contentlenstr, NULL);
  220. build_post(&post, &postlen, "Connection: Keep-Alive\r\n", NULL);
  221. build_post(&post, &postlen, "Cache-Control: no-cache\r\n", NULL);
  222. build_post(&post, &postlen, "\r\n", NULL);
  223. build_post_bin(&post, &postlen, content, contentlen);
  224. free(content);
  225. free(firmware);
  226. int gotlen = 0;
  227. char recvbuf[2048];
  228. int recvlen = recv(sock, &recvbuf[0], 1024, MSG_WAITALL);
  229. int newrecvlen;
  230. printf("Initiating transfer....");
  231. fflush(stdout);
  232. sock = open_socket();
  233. if (sock < 0) {
  234. perror(argv[1]);
  235. free(post);
  236. }
  237. size_t socksent = 0;
  238. curpos = 0;
  239. while (curpos < postlen) {
  240. if ((postlen - curpos) >= 1024) {
  241. socksent = send(sock, post + curpos, 1024, 0);
  242. if (debug)
  243. fprintf(stderr, "Sent %d bytes\n", socksent);
  244. if (socksent < 0) {
  245. perror(argv[1]);
  246. close(sock);
  247. free(post);
  248. exit(5);
  249. }
  250. } else {
  251. socksent = send(sock, post + curpos, postlen - curpos, 0);
  252. if (debug)
  253. fprintf(stderr, "Sent %d bytes\n", socksent);
  254. if (socksent < 0) {
  255. perror(argv[1]);
  256. close(sock);
  257. free(post);
  258. exit(5);
  259. }
  260. }
  261. curpos += socksent;
  262. printf("\r%d/%d Bytes written: Upload %g%% complete ", curpos, postlen, ((float)curpos / (float)postlen) * (float)100);
  263. fflush(stdout);
  264. }
  265. printf("\nFinished sending post. Waiting for response.\n");
  266. free(post);
  267. regex_t pattern;
  268. if (regcomp(&pattern, "count_down", REG_NOSUB)) {
  269. printf("Error compiling expression to detect success or failure\n");
  270. close(sock);
  271. exit(7);
  272. }
  273. recvbuf[0] = 0;
  274. recvlen = recv(sock, &recvbuf[0], 1024, MSG_WAITALL);
  275. if (debug) {
  276. fprintf(stderr, "Got %d bytes\n", recvlen);
  277. fprintf(stderr, "%s", &recvbuf[0]);
  278. }
  279. int firstpacket = 1;
  280. do {
  281. if (recvlen < 0) {
  282. perror(argv[1]);
  283. close(sock);
  284. exit(6);
  285. } else if (recvlen > 0) {
  286. if (!regexec(&pattern, &recvbuf[0], 0, NULL, 0)) {
  287. printf("Firmware successfully sent. Please wait for device to reboot.\n");
  288. break;
  289. if (firstpacket) {
  290. printf("Error sending firmware to device. Response is:\n");
  291. }
  292. printf("%s", &recvbuf[0]);
  293. }
  294. recvlen = recv(sock, &recvbuf[0], 1024, MSG_WAITALL);
  295. if (debug) {
  296. fprintf(stderr, "Got %d data\n", newrecvlen);
  297. if (recvlen > 0)
  298. fprintf(stderr, "%s", &recvbuf[0]);
  299. }
  300. }
  301. firstpacket = 0;
  302. } while (recvlen > 0);
  303. regfree(&pattern);
  304. shutdown(sock, SHUT_RDWR);
  305. close(sock);
  306. return 0;
  307. }