Some tools for hacking Sansa V2 (AMS) firmware files and injecting our own code.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@17464 a1c6a512-1295-4272-9138-f99709370657
diff --git a/utils/AMS/hacking/Makefile b/utils/AMS/hacking/Makefile
new file mode 100644
index 0000000..7a10c20
--- /dev/null
+++ b/utils/AMS/hacking/Makefile
@@ -0,0 +1,34 @@
+
+# Change INFILE to point to your original firmware file
+INFILE=$(HOME)/FW/AMS/CLIP/m300a-1.1.17A.bin
+
+# OUTFILE is the file you copy to your device's root and rename to
+# (e.g.) m300a.bin
+OUTFILE=patched.bin
+
+
+all: amsinfo $(OUTFILE)
+
+amsinfo: amsinfo.c
+	gcc -o amsinfo -W -Wall amsinfo.c
+
+mkamsboot: mkamsboot.c
+	gcc -o mkamsboot -W -Wall mkamsboot.c
+
+# Rules for our test ARM application - assemble, link, then extract
+# the binary code
+
+test.o: test.S
+	arm-elf-as -o test.o test.S
+
+test.elf: test.o
+	arm-elf-ld -e 0 -o test.elf test.o
+
+test.bin: test.elf
+	arm-elf-objcopy -O binary test.elf test.bin
+
+$(OUTFILE): mkamsboot test.bin $(INFILE)
+	./mkamsboot $(INFILE) test.bin $(OUTFILE)
+
+clean:
+	rm -fr amsinfo mkamsboot test.bin test.o test.elf $(OUTFILE) *~
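Review bot: The host compiler and the cross tools are hard-coded as `gcc` (L22, L25) and `arm-elf-as`/`arm-elf-ld`/`arm-elf-objcopy` (L31, L34, L37), so anyone whose ARM toolchain carries a different prefix has to edit every recipe instead of just INFILE as the comment on L11 suggests. Using `$(CC)` for the host builds and a prefix variable such as `CROSS=arm-elf-` with `$(CROSS)as`, `$(CROSS)ld`, `$(CROSS)objcopy` in the recipes keeps the same defaults while making the override a one-line change on the command line.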
diff --git a/utils/AMS/hacking/README b/utils/AMS/hacking/README
new file mode 100644
index 0000000..ce16f95
--- /dev/null
+++ b/utils/AMS/hacking/README
@@ -0,0 +1,16 @@
+This directory contains the following tools related to the Sansa V2
+(AMS) firmware files:
+
+1) amsinfo
+
+A tool that dumps information from an AMS firmware file.
+
+2) mkamsboot
+
+A tool to inject some code (contained in test.S) into a firmware file.
+
+Edit the INFILE variable in the Makefile to point to the original
+firmware file you want to patch, edit "test.S" appropriately, and then
+type "make".
+
+
diff --git a/utils/AMS/hacking/amsinfo.c b/utils/AMS/hacking/amsinfo.c
new file mode 100644
index 0000000..0ebfb94
--- /dev/null
+++ b/utils/AMS/hacking/amsinfo.c
@@ -0,0 +1,175 @@
+/*
+
+amsinfo - a tool for examining AMS firmware files
+
+Copyright (C) Dave Chapman 2007
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+
+/* Win32 compatibility */
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+
+#define PAD_TO_BOUNDARY(x) ((x) + 0x1ff) & ~0x1ff;
+
+
+static off_t filesize(int fd) {
+    struct stat buf;
+
+    if (fstat(fd,&buf) < 0) {
+        perror("[ERR]  Checking filesize of input file");
+        return -1;
+    } else {
+        return(buf.st_size);
+    }
+}
+
+static uint32_t get_uint32le(unsigned char* p)
+{
+    return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+}
+
+static uint16_t get_uint16le(unsigned char* p)
+{
+    return p[0] | (p[1] << 8);
+}
+
+static int calc_checksum(unsigned char* buf, int n)
+{
+    int sum = 0;
+    int i;
+
+    for (i=0;i<n;i+=4)
+        sum += get_uint32le(buf + 0x400 + i);
+
+    return sum;
+}
+
+
+static void dump_header(unsigned char* buf, int i)
+{
+    printf("0x%08x:\n",i);
+    printf("  HEADER: 0x%08x\n",i);;
+    printf("    FirmwareHeaderIndex:     0x%08x\n",get_uint32le(&buf[i]));
+    printf("    FirmwareChecksum:        0x%08x\n",get_uint32le(&buf[i+0x04]));
+    printf("    CodeBlockSizeMultiplier: 0x%08x\n",get_uint32le(&buf[i+0x08]));
+    printf("    FirmwareSize:            0x%08x\n",get_uint32le(&buf[i+0x0c]));
+    printf("    Unknown1:                0x%08x\n",get_uint32le(&buf[i+0x10]));
+    printf("    ModelID:                 0x%04x\n",get_uint16le(&buf[i+0x14]));
+    printf("    Unknown2:                0x%04x\n",get_uint16le(&buf[i+0x16]));
+}
+
+static int dump_lib(unsigned char* buf, int i)
+{
+    int export_count;
+    int size;
+    int unknown1;
+    int baseaddr, endaddr;
+
+    baseaddr = get_uint32le(&buf[i+0x04]);
+    endaddr = get_uint32le(&buf[i+0x08]);
+    size = get_uint32le(&buf[i+0x0c]);
+    unknown1 = get_uint32le(&buf[i+0x10]);
+    export_count = get_uint32le(&buf[i+0x14]);
+
+    printf("0x%08x: \"%s\"  0x%08x  0x%08x  0x%08x  0x%08x  0x%08x\n",i, buf + i + get_uint32le(&buf[i]),baseaddr,endaddr,size,unknown1,export_count);
+
+#if 0
+    if (export_count > 1) { 
+      for (j=0;j<export_count;j++) {
+        printf("    Exports[%02d]:   0x%08x\n",j,get_uint32le(&buf[i+0x18+4*j]));
+      }
+    }
+#endif
+    return PAD_TO_BOUNDARY(size);
+}
+
+int main(int argc, char* argv[])
+{
+    int fd;
+    off_t len;
+    int n;
+    unsigned char* buf;
+    int firmware_size;
+    int i;
+
+    if (argc != 2) {
+         fprintf(stderr,"USAGE: amsinfo firmware.bin\n");
+         return 1;
+    }
+
+    fd = open(argv[1],O_RDONLY|O_BINARY);
+
+    if ((len = filesize(fd)) < 0)
+        return 1;
+
+    if ((buf = malloc(len)) == NULL) {
+        fprintf(stderr,"[ERR]  Could not allocate buffer for input file (%d bytes)\n",(int)len);
+        return 1;
+    }
+
+    n = read(fd, buf, len);
+
+    if (n != len) {
+        fprintf(stderr,"[ERR] Could not read file\n");
+        return 1;
+    }
+
+    close(fd);
+
+    /* Now we dump the firmware structure */
+
+    dump_header(buf,0);      /* First copy of header block */
+//    dump_header(buf,0x200);  /* Second copy of header block */
+
+    firmware_size = get_uint32le(&buf[0x0c]);
+
+    printf("Calculated firmware checksum: 0x%08x\n",calc_checksum(buf,firmware_size));
+
+    /* Round size up to next multiple of 0x200 */
+
+    firmware_size = PAD_TO_BOUNDARY(firmware_size);
+
+    i = firmware_size + 0x400;
+
+    printf("LIBRARY BLOCKS:\n");
+    printf("Offset      Name           BaseAddr    EndAddr     BlockSize   Unknown1    EntryCount\n");
+
+    while (get_uint32le(&buf[i]) != 0xffffffff)
+    {
+        i += dump_lib(buf,i);
+
+        while (get_uint32le(&buf[i]) == 0xefbeadde)
+           i+=4;
+    }
+
+    printf("0x%08x: PADDING BLOCK\n",i);
+ 
+    return 0;
+
+}
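Review bot: Every offset used to walk the image comes from the firmware file itself and is never compared against `len`, so a truncated or crafted file makes `calc_checksum` (reads `buf + 0x400 + i` for every `i` below the header's FirmwareSize, L138-L139), the library walk at L234-L240 (keeps advancing `i` until it happens to find 0xffffffff) and `dump_lib`'s `%s` print of `buf + i + get_uint32le(&buf[i])` at L171 read past the end of the malloc'd buffer. `open()` at L197 is also unchecked, so a missing file surfaces as a misleading fstat error from `filesize`. The fix is to check the descriptor, require at least 0x404 bytes, reject a FirmwareSize that does not fit in `len - 0x400`, keep the block walk inside `len` as sketched below, and give `dump_lib` the buffer length so the name can be printed with a bounded `%.*s` only after its offset has been checked. A smaller consistency point: `PAD_TO_BOUNDARY` at L109 carries a trailing semicolon and lacks the outer parentheses that mkamsboot.c's copy at L321 has, so it silently breaks if ever used inside a larger expression; `#define PAD_TO_BOUNDARY(x) (((x) + 0x1ff) & ~0x1ff)` makes the two agree.
```c
fd = open(argv[1],O_RDONLY|O_BINARY);
if (fd < 0) {
    perror("[ERR]  Opening input file");
    return 1;
}
/* … unchanged: filesize, malloc, read, close … */
if (len < 0x400 + 4) {
    fprintf(stderr,"[ERR]  File too short to contain a firmware header\n");
    return 1;
}
firmware_size = get_uint32le(&buf[0x0c]);
/* header-supplied size must lie inside the bytes actually read */
if (firmware_size < 0 || firmware_size > len - 0x400) {
    fprintf(stderr,"[ERR]  FirmwareSize 0x%08x exceeds file length\n",firmware_size);
    return 1;
}
/* … unchanged: checksum print, padding, i = firmware_size + 0x400 … */
while (i + 0x18 <= len && get_uint32le(&buf[i]) != 0xffffffff)
{
    i += dump_lib(buf,i);

    while (i + 4 <= len && get_uint32le(&buf[i]) == 0xefbeadde)
       i+=4;
}
```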
diff --git a/utils/AMS/hacking/mkamsboot.c b/utils/AMS/hacking/mkamsboot.c
new file mode 100644
index 0000000..a6e4e01
--- /dev/null
+++ b/utils/AMS/hacking/mkamsboot.c
@@ -0,0 +1,289 @@
+/*
+
+mkamsboot.c - a tool for merging bootloader code into an Sansa V2
+              (AMS) firmware file
+
+Copyright (C) Dave Chapman 2008
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
+
+*/
+
+
+/*
+
+Insert a Rockbox bootloader into an AMS original firmware file.
+
+The first instruction in an AMS firmware file is always of the form:
+
+   ldr     pc, [pc, #xxx]
+
+where [pc, #xxx] contains the entry point of the firmware - e.g. 0x00000138
+
+mkamsboot appends the Rockbox bootloader to the end of the original
+firmware block in the firmware file and shifts the remaining contents of the firmware file to make space for it.
+
+It also replaces the contents of [pc, #xxx] with the entry point of
+our bootloader - i.e. the length of the original firmware block plus 4
+bytes.
+
+It then stores the original entry point from [pc, #xxx] in the first
+four bytes of the Rockbox bootloader image, which is used by the
+bootloader to dual-boot.
+
+Finally, mkamsboot corrects the length and checksum in the main
+firmware headers (both copies), creating a new legal firmware file
+which can be installed on the device.
+
+*/
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+
+
+/* Win32 compatibility */
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+
+#define PAD_TO_BOUNDARY(x) (((x) + 0x1ff) & ~0x1ff)
+
+
+static off_t filesize(int fd) {
+    struct stat buf;
+
+    if (fstat(fd,&buf) < 0) {
+        perror("[ERR]  Checking filesize of input file");
+        return -1;
+    } else {
+        return(buf.st_size);
+    }
+}
+
+static uint32_t get_uint32le(unsigned char* p)
+{
+    return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+}
+
+static void put_uint32le(unsigned char* p, uint32_t x)
+{
+    p[0] = x & 0xff;
+    p[1] = (x >> 8) & 0xff;
+    p[2] = (x >> 16) & 0xff;
+    p[3] = (x >> 24) & 0xff;
+}
+
+static int calc_checksum(unsigned char* buf, uint32_t n)
+{
+    uint32_t sum = 0;
+    uint32_t i;
+
+    for (i=0;i<n;i+=4)
+        sum += get_uint32le(buf + i);
+
+    return sum;
+}
+
+void usage(void)
+{
+    printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n");
+
+    exit(1);
+}
+
+int main(int argc, char* argv[])
+{
+    char *infile, *bootfile, *outfile;
+    int fdin, fdboot,fdout;
+    off_t len;
+    uint32_t n;
+    unsigned char* buf;
+    uint32_t ldr;
+    uint32_t origoffset;
+    uint32_t firmware_size;
+    uint32_t firmware_paddedsize;
+    uint32_t bootloader_size;
+    uint32_t new_paddedsize;
+    uint32_t sum,filesum;
+    uint32_t new_length;
+    uint32_t i;
+
+    if(argc != 4) {
+        usage();
+    }
+
+    infile = argv[1];
+    bootfile = argv[2];
+    outfile = argv[3];
+
+    /* Open the bootloader file */
+    fdboot = open(bootfile, O_RDONLY|O_BINARY);
+    if (fdboot < 0)
+    {
+        fprintf(stderr,"[ERR]  Could not open %s for reading\n",bootfile);
+        return 1;
+    }
+
+    bootloader_size = filesize(fdboot);
+
+
+    /* Open the firmware file */
+    fdin = open(infile,O_RDONLY|O_BINARY);
+
+    if (fdin < 0) {
+        fprintf(stderr,"[ERR]  Could not open %s for reading\n",infile);
+        return 1;
+    }
+
+    if ((len = filesize(fdin)) < 0)
+        return 1;
+
+    /* We will need no more memory than the total size plus the bootloader size
+       padded to a boundary */
+    if ((buf = malloc(len + PAD_TO_BOUNDARY(bootloader_size))) == NULL) {
+        fprintf(stderr,"[ERR]  Could not allocate buffer for input file (%d bytes)\n",(int)len);
+        return 1;
+    }
+
+    n = read(fdin, buf, len);
+
+    if (n != (uint32_t)len) {
+        fprintf(stderr,"[ERR] Could not read firmware file\n");
+        return 1;
+    }
+
+    close(fdin);
+
+    /* Get the firmware size */
+    firmware_size = get_uint32le(&buf[0x0c]);
+
+    /* Round size up to next multiple of 0x200 */
+
+    firmware_paddedsize = PAD_TO_BOUNDARY(firmware_size);
+
+    /* Total new size */
+    new_paddedsize = PAD_TO_BOUNDARY(firmware_size + bootloader_size);
+
+    /* Total new size of firmware file */
+    new_length = len + (new_paddedsize - firmware_paddedsize);
+
+    fprintf(stderr,"Original firmware size - 0x%08x\n",firmware_size);
+    fprintf(stderr,"Padded firmware size - 0x%08x\n",firmware_paddedsize);
+    fprintf(stderr,"Bootloader size - 0x%08x\n",bootloader_size);
+    fprintf(stderr,"New padded size - 0x%08x\n",new_paddedsize);
+    fprintf(stderr,"Original total size of firmware - 0x%08x\n",(int)len);
+    fprintf(stderr,"New total size of firmware - 0x%08x\n",new_length);
+
+    if (firmware_paddedsize != new_paddedsize) {
+        /* Move everything after the firmare block "bootloader_size"
+           bytes forward to make room for the bootloader */
+
+        fprintf(stderr,"Calling memmove(buf + 0x%08x,buf + 0x%08x,0x%08x)\n",
+                0x400 + new_paddedsize,
+                0x400 + firmware_paddedsize,
+                (int)len - firmware_paddedsize);
+
+        memmove(buf + 0x400 + new_paddedsize,
+                buf + 0x400 + firmware_paddedsize,
+                len - firmware_paddedsize);
+    }
+
+    ldr = get_uint32le(&buf[0x400]);
+
+    if ((ldr & 0xfffff000) != 0xe59ff000) {
+        fprintf(stderr,"[ERR]  Firmware file doesn't start with an \"ldr pc, [pc, #xx]\" instruction.\n");
+        return 1;
+    }
+    origoffset = (ldr&0xfff) + 8;
+
+    printf("original firmware entry point: 0x%08x\n",get_uint32le(buf + 0x400 + origoffset));
+    printf("New entry point: 0x%08x\n", firmware_size + 4);
+
+#if 0
+    /* Replace the "Product: Express" string with "Rockbox" */
+    i = 0x400 + firmware_size - 7;
+    while ((i > 0x400) && (memcmp(&buf[i],"Express",7)!=0))
+        i--;
+
+    i = (i + 3) & ~0x3;
+
+    if (i >= 0x400) {
+        printf("Replacing \"Express\" string at offset 0x%08x\n",i);
+        memcpy(&buf[i],"Rockbox",7);
+    } else {
+        printf("Could not find \"Express\" string to replace\n");
+    }
+#endif
+
+    n = read(fdboot, buf + 0x400 + firmware_size, bootloader_size);
+
+    if (n != bootloader_size) {
+        fprintf(stderr,"[ERR] Could not bootloader file\n");
+        return 1;
+    }
+    close(fdboot);
+
+    /* Replace first word of the bootloader with the original entry point */
+    put_uint32le(buf + 0x400 + firmware_size, get_uint32le(buf + 0x400 + origoffset));
+
+#if 1
+    put_uint32le(buf + 0x400 + origoffset, firmware_size + 4);
+#endif
+
+    /* Update checksum */
+    sum = calc_checksum(buf + 0x400,firmware_size + bootloader_size);
+
+    put_uint32le(&buf[0x04], sum);
+    put_uint32le(&buf[0x204], sum);
+
+    /* Update firmware block count */
+    put_uint32le(&buf[0x08], new_paddedsize / 0x200);
+    put_uint32le(&buf[0x208], new_paddedsize / 0x200);
+
+    /* Update firmware size */
+    put_uint32le(&buf[0x0c], firmware_size + bootloader_size);
+    put_uint32le(&buf[0x20c], firmware_size + bootloader_size);
+
+    /* Update the whole-file checksum */
+    filesum = 0;
+    for (i=0;i < new_length - 4; i+=4)
+        filesum += get_uint32le(&buf[i]);
+
+    put_uint32le(buf + new_length - 4, filesum);
+
+
+    /* Write the new firmware */
+    fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
+
+    if (fdout < 0) {
+        fprintf(stderr,"[ERR]  Could not open %s for writing\n",outfile);
+        return 1;
+    }
+
+    write(fdout, buf, new_length);
+
+    close(fdout);
+
+    return 0;
+
+}
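Review bot: `firmware_size` is read from the file header at L430 and used without validation, so a truncated or crafted input whose FirmwareSize exceeds the file makes `len - firmware_paddedsize` at L460 wrap and the memmove read and write far beyond `buf`; the `ldr pc` sanity check at L465 only runs after that memmove, and `origoffset` at L469 (up to 0xfff + 8) is then dereferenced at L471 and L499 without confirming it lies inside the firmware block. The file should be rejected unless it holds at least a 0x400-byte header plus the first instruction and both FirmwareSize and its padded size fit in `len - 0x400`, and the entry-pointer read should be bounded by `firmware_size`, as sketched below. The `write()` at L535 and `close(fdout)` at L537 are also unchecked, so a short write leaves a silently truncated image on disk that the user will then copy to the device; compare the return value against `new_length`. A smaller nit: `bootloader_size = filesize(fdboot)` at L399 stores that function's -1 error return into a `uint32_t`, so an unreadable boot file becomes an attempt to allocate and then read about 4 GiB rather than an error.
```c
/* … unchanged: open and read of the firmware file … */
if (len < 0x400 + 8) {
    fprintf(stderr,"[ERR]  Firmware file too short to contain a header\n");
    return 1;
}
firmware_size = get_uint32le(&buf[0x0c]);
firmware_paddedsize = PAD_TO_BOUNDARY(firmware_size);
/* header-supplied size must lie inside the bytes actually read */
if (firmware_size > (uint32_t)len - 0x400 ||
    firmware_paddedsize > (uint32_t)len - 0x400) {
    fprintf(stderr,"[ERR]  FirmwareSize 0x%08x exceeds file length\n",firmware_size);
    return 1;
}
/* … unchanged: new_paddedsize, memmove, ldr check … */
origoffset = (ldr&0xfff) + 8;
if (origoffset + 4 > firmware_size) {
    fprintf(stderr,"[ERR]  Entry point pointer lies outside the firmware block\n");
    return 1;
}
/* … unchanged: bootloader read, header and checksum patching, open of outfile … */
if (write(fdout, buf, new_length) != (ssize_t)new_length || close(fdout) < 0) {
    fprintf(stderr,"[ERR]  Could not write %s\n",outfile);
    return 1;
}
```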
diff --git a/utils/AMS/hacking/test.S b/utils/AMS/hacking/test.S
new file mode 100644
index 0000000..52f54bd
--- /dev/null
+++ b/utils/AMS/hacking/test.S
@@ -0,0 +1,11 @@
+
+/* This value is filled in by mkamsboot */
+originalentry:   .word   0
+
+        /* A delay loop - just to prove we're running */
+        mov   r1, #0x500000       /* Approximately 5 seconds */
+loop:   subs  r1, r1, #1
+        bne   loop
+
+        /* Now branch back to the original firmware's entry point */
+        ldr   pc, originalentry