diff --git a/quirks/mfgbios.md b/quirks/mfgbios.md index 9ea78a8..164ad87 100755 --- a/quirks/mfgbios.md +++ b/quirks/mfgbios.md @@ -7,7 +7,7 @@ level stuff and high-level things like the web panel. ### What this does to the system? Due to the closed-source nature of the module everything is a suspicion. However, lack of many of the interfaces will -surely make the later layers (i.e. the whole DSM) unhappy. Immediatelly after the module loads kernel log is being +surely make the latter layers (i.e. the whole DSM) unhappy. Immediatelly after the module loads kernel log is being filled with: ``` @@ -47,6 +47,9 @@ ffffffffa01dd410 t DS3611xsInitModuleType [bromolow_synobios] ffffffffa01dd570 t DS2414xsInitModuleType [bromolow_synobios] ``` +Additionally, many parts of the system use `ioctl` to communicate with the `/dev/synobios` device to perform various +actions. See + ### How does it play with loaders? Based on the analysis of Jun's module and symbols provided by the bios module itself we can find a table in memory. The table contains a list of multiple pointers. As the module exports all symbols necessary, there's no need for disassembly @@ -116,7 +119,8 @@ modules are loaded and how certain parts of kernel's memory are protected (from See https://github.com/RedPill-TTG/redpill-lkm/blob/master/shim/bios_shim.c for details. -#### Appendix: official `synobios_ops` structure +### Appendices +#### Appendix A: official `synobios_ops` structure While Synobios itself isn't GPLed it actually used to open source. Intentionally or not Synology included its full source with some of their releases. See more in the [GPL section](gpl.md). While the code is not explicitly marked as @@ -127,7 +131,7 @@ It contains not only the list but also function declarations making the identifi `ds.broadwell-7.0.dev.txz/usr/local/include/synobios/synobios.h`: ```C -//Formatting adjusted here +// Formatting adjusted here // Copyright (c) 2000-2003 Synology Inc. All rights reserved. struct synobios_ops { struct module *owner; @@ -187,4 +191,109 @@ struct synobios_ops { int (*get_sys_current)(unsigned long*); int (*get_disk_intf)(SYNO_DISK_INTF_INFO *); }; -``` \ No newline at end of file +``` + +#### Appendix B: ioctl control over `synobios` +Userland applications don't usually communicate with the hardware directly but ask the `/dev/synobios` to perform a +certain subset of actions. These actions are performed via `ioctl` mechanism. All commands are specified in a userland +header file `synobios/synobios.h`, available in `.dev` toolkits (e.g. `ds.broadwell-7.0.dev.txz`) under +`usr/local/include/synobios/synobios.h`: + +``` +// Formatting adjusted here +// Extracted using: grep -E '_IO(R|W|WR)?\(' './usr/local/include/synobios/synobios.h' +// Copyright (c) 2000-2003 Synology Inc. All rights reserved + +#define SYNOIO_EXDISPLAY _IOWR(SYNOBIOS_IOC_MAGIC, 1, struct _SynoMsgPkt) +#define SYNOIO_NEXTEVENT _IOWR(SYNOBIOS_IOC_MAGIC, 2, u_int) +#define SYNOIO_RTC_CONTROL_READ _IOWR(SYNOBIOS_IOC_MAGIC, 3, struct _SynoRtcControlPkt) +#define SYNOIO_RTC_CONTROL_WRITE _IOWR(SYNOBIOS_IOC_MAGIC, 4, struct _SynoRtcControlPkt) +#define SYNOIO_RTC_TIME_READ _IOWR(SYNOBIOS_IOC_MAGIC, 5, struct _SynoRtcTimePkt) +#define SYNOIO_RTC_TIME_WRITE _IOWR(SYNOBIOS_IOC_MAGIC, 6, struct _SynoRtcTimePkt) +#define SYNOIO_BUTTON_POWER _IOWR(SYNOBIOS_IOC_MAGIC, 7, int) +#define SYNOIO_BUTTON_RESET _IOWR(SYNOBIOS_IOC_MAGIC, 8, int) +#define SYNOIO_BUTTON_USB _IOWR(SYNOBIOS_IOC_MAGIC, 9, int) +#define SYNOIO_SET_DISK_LED _IOWR(SYNOBIOS_IOC_MAGIC, 10, DISKLEDSTATUS) +#define SYNOIO_GET_FAN_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 11, FANSTATUS) +#define SYNOIO_SET_FAN_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 12, FANSTATUS) +#define SYNOIO_GET_DS_MODEL _IOWR(SYNOBIOS_IOC_MAGIC, 13, int) +#define SYNOIO_GET_DS_BRAND _IOWR(SYNOBIOS_IOC_MAGIC, 14, int) +#define SYNOIO_GET_CPLD_VERSION _IOWR(SYNOBIOS_IOC_MAGIC, 15, int) +#define SYNOIO_GET_TEMPERATURE _IOWR(SYNOBIOS_IOC_MAGIC, 16, int) +#define SYNOIO_GET_CPLD_REG _IOWR(SYNOBIOS_IOC_MAGIC, 17, CPLDREG) +#define SYNOIO_GET_AUTO_POWERON _IOWR(SYNOBIOS_IOC_MAGIC, 18, SYNO_AUTO_POWERON) +#define SYNOIO_SET_AUTO_POWERON _IOWR(SYNOBIOS_IOC_MAGIC, 19, SYNO_AUTO_POWERON) +#define SYNOIO_GET_MEM_BYTE _IOWR(SYNOBIOS_IOC_MAGIC, 20, MEMORY_BYTE) +#define SYNOIO_SET_MEM_BYTE _IOWR(SYNOBIOS_IOC_MAGIC, 21, MEMORY_BYTE) +#define SYNOIO_SET_ALARM_LED _IOWR(SYNOBIOS_IOC_MAGIC, 22, unsigned char) +#define SYNOIO_GET_HW_CAPABILITY _IOWR(SYNOBIOS_IOC_MAGIC, 23, CAPABILITY) +#define SYNOIO_GET_FAN_NUM _IOWR(SYNOBIOS_IOC_MAGIC, 24, int) +#define SYNOIO_GET_POWER_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 25, POWER_INFO) +#define SYNOIO_SHUTDOWN_LOG _IOWR(SYNOBIOS_IOC_MAGIC, 26, SYNO_SHUTDOWN_LOG) +#define SYNOIO_UNINITIALIZE _IOWR(SYNOBIOS_IOC_MAGIC, 27, int) +#define SYNOIO_GET_SYS_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 28, SYNO_SYS_STATUS) +#define SYNOIO_SET_SYS_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 29, sys_comp_stat_t) +#define SYNOIO_GET_MODULE_TYPE _IOWR(SYNOBIOS_IOC_MAGIC, 30, module_t) +#define SYNOIO_GET_BUZZER_CLEARED _IOWR(SYNOBIOS_IOC_MAGIC, 31, unsigned char) +#define SYNOIO_GET_BACKPLANE_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 32, BACKPLANE_STATUS) +#define SYNOIO_SET_UART2 _IOWR(SYNOBIOS_IOC_MAGIC, 33, unsigned char) +#define SYNOIO_GET_CPU_TEMPERATURE _IOWR(SYNOBIOS_IOC_MAGIC, 34, SYNOCPUTEMP) +#define SYNOIO_SET_CPU_FAN_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 35, FANSTATUS) +#define SYNOIO_SET_PHY_LED _IOWR(SYNOBIOS_IOC_MAGIC, 36, SYNO_LED) +#define SYNOIO_SET_HDD_LED _IOWR(SYNOBIOS_IOC_MAGIC, 37, SYNO_LED) +#define SYNOIO_SET_PWR_LED _IOWR(SYNOBIOS_IOC_MAGIC, 38, SYNO_LED) +#define SYNOIO_PWM_CTL _IOWR(SYNOBIOS_IOC_MAGIC, 39, SynoPWMCTL) +#define SYNOIO_CHECK_MICROP_ID _IO (SYNOBIOS_IOC_MAGIC, 40) +//#define SYNOIO_GET_EUNIT_TYPE _IOR (SYNOBIOS_IOC_MAGIC, 41, EUNIT_PWRON_TYPE) // Move into kernel +#define SYNOIO_SET_BUZZER_CLEAR _IOWR(SYNOBIOS_IOC_MAGIC, 42, unsigned char) +#define SYNOIO_WRITE_MEM _IOWR(SYNOBIOS_IOC_MAGIC, 43, SYNO_MEM_ACCESS) +#define SYNOIO_READ_MEM _IOWR(SYNOBIOS_IOC_MAGIC, 44, SYNO_MEM_ACCESS) +#define SYNOIO_SET_AHA_LED _IOWR(SYNOBIOS_IOC_MAGIC, 45, SYNO_AHA_LED) +#define SYNOIO_GET_COPY_BUTTON _IOWR(SYNOBIOS_IOC_MAGIC, 46, int) // for matching userspace usage, button pressed = 0, else = 1 +#define SYNOIO_SET_AND_GET_UART2 _IOWR(SYNOBIOS_IOC_MAGIC, 47, unsigned char) +#define SYNOIO_GET_UART2 _IOWR(SYNOBIOS_IOC_MAGIC, 48, unsigned char) +#define SYNOIO_UART_DEBUG_CONTROL _IOWR(SYNOBIOS_IOC_MAGIC, 49, unsigned char) +#define SYNOIO_GET_SYS_CURRENT _IOWR(SYNOBIOS_IOC_MAGIC, 50, unsigned long) +#define SYNOIO_POWER_OFF _IOWR(SYNOBIOS_IOC_MAGIC, 65, int) +#define SYNOIO_MANUTIL_MODE _IOWR(SYNOBIOS_IOC_MAGIC, 128, int) +#define SYNOIO_RECORD_EVENT _IOWR(SYNOBIOS_IOC_MAGIC, 129, int) +#define SYNOIO_GPIO_PIN_READ _IOWR(SYNOBIOS_IOC_MAGIC, 205, GPIO_PIN) +#define SYNOIO_GPIO_PIN_WRITE _IOWR(SYNOBIOS_IOC_MAGIC, 206, GPIO_PIN) +#define SYNOIO_GPIO_PIN_READ _IOWR(SYNOBIOS_IOC_MAGIC, 205, int) +#define SYNOIO_GPIO_PIN_WRITE _IOWR(SYNOBIOS_IOC_MAGIC, 206, int) +#define SYNOIO_RTC_READ _IOWR(SYNOBIOS_IOC_MAGIC, 208, struct _SynoRtcPkt) +#define SYNOIO_RTC_READ_3 _IOWR(SYNOBIOS_IOC_MAGIC, 209, struct _SynoRtcPkt) +#define SYNOIO_SDA_SDL_READ _IOWR(SYNOBIOS_IOC_MAGIC, 210, int) +#define DISK_BADSECTOR_ON _IOWR(SYNOBIOS_IOC_MAGIC, 211, int) +#define DISK_BADSECTOR_OFF _IOWR(SYNOBIOS_IOC_MAGIC, 212, int) +#define DISK_BADSECTOR_SET _IOWR(SYNOBIOS_IOC_MAGIC, 213, struct disk_bs_map_ctlcmd) +#define DISK_BADSECTOR_GET _IOWR(SYNOBIOS_IOC_MAGIC, 214, struct disk_bs_map_ctlcmd) +#define DISK_BADSECTOR_RESET _IOWR(SYNOBIOS_IOC_MAGIC, 215, int) +#define HWMON_GET_SUPPORT _IOWR(SYNOBIOS_IOC_MAGIC, 301, SYNO_HWMON_SUPPORT) +#define HWMON_GET_CPU_TEMPERATURE _IOWR(SYNOBIOS_IOC_MAGIC, 302, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_FAN_SPEED_RPM _IOWR(SYNOBIOS_IOC_MAGIC, 303, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_PSU_STATUS _IOWR(SYNOBIOS_IOC_MAGIC, 304, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_SYS_VOLTAGE _IOWR(SYNOBIOS_IOC_MAGIC, 305, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_SYS_THERMAL _IOWR(SYNOBIOS_IOC_MAGIC, 306, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_HDD_BACKPLANE _IOWR(SYNOBIOS_IOC_MAGIC, 307, SYNO_HWMON_SENSOR_TYPE) +#define HWMON_GET_SYS_CURRENT _IOWR(SYNOBIOS_IOC_MAGIC, 308, SYNO_HWMON_SENSOR_TYPE) +#define SYNOIO_SUPERIO_READ _IOWR(SYNOBIOS_IOC_MAGIC, 216, SYNO_SUPERIO_PACKAGE) +#define SYNOIO_SUPERIO_WRITE _IOWR(SYNOBIOS_IOC_MAGIC, 217, SYNO_SUPERIO_PACKAGE) +#define SYNOIO_IS_FULLY_SUPPORT_EUP _IOWR(SYNOBIOS_IOC_MAGIC, 218, SYNO_EUP_SUPPORT) +#define SYNOIO_SET_OK_TO_REMOVE_LED _IOWR(SYNOBIOS_IOC_MAGIC, 219, unsigned char) +#define SYNOIO_CHECK_DISK_INTF _IOWR(SYNOBIOS_IOC_MAGIC, 220, SYNO_DISK_INTF_INFO) +#define SYNOIO_HWSTATUS _IOR ('A', 102, struct _Synohw) +#define SYNOIO_TESTING _IOW ('P', 104, int) +#define SYNOIO_SERIAL _IOR ('A', 105, int) +#define SYNOIO_HDBACK _IOW ('P', 106, int) +#define SYNOIO_SYNOVER _IOR ('A', 107, unsigned long) +#define SYNOIO_GETSERIALNUM _IOR ('A', 108, off_t) +#define SYNOIO_SETHWSTATUS _IOW ('P', 109, HWBLOCK) +#define SYNOIO_HWHDSUPPORT _IOR ('A', 110, int) +#define SYNOIO_HWTHERMALSUPPORT _IOR ('A', 111, int) +#define SYNOIO_POWEROFF _IO ('A', 114) +#define SYNOIO_SETHWSTATUS_INIT _IOW ('P', 111, HWBLOCK) +#define SYNOIO_HWSTATUS_CUSTOM _IOR ('A', 112, struct _Synohw_custom) +#define SYNOIO_SET_EVENT _IOW ('P', 113, u_int) +#define SYNOIO_BIOSVER _IOWR('P', 115, BVS) +```