| /*************************************************************************** |
| * __________ __ ___. |
| * Open \______ \ ____ ____ | | _\_ |__ _______ ___ |
| * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / |
| * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < |
| * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ |
| * \/ \/ \/ \/ \/ |
| * $Id$ |
| * |
| * Copyright (C) 2011 by Amaury Pouly |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of the GNU General Public License |
| * as published by the Free Software Foundation; either version 2 |
| * of the License, or (at your option) any later version. |
| * |
| * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| * KIND, either express or implied. |
| * |
| ****************************************************************************/ |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <stdarg.h> |
| #include <string.h> |
| #include <ctype.h> |
| #include "mkimxboot.h" |
| #include "sb.h" |
| #include "dualboot.h" |
| #include "md5.h" |
| #include "elf.h" |
| |
| /* abstract structure to represent a Rockbox firmware. It can be a scrambled file |
| * or an ELF file or whatever. */ |
| struct rb_fw_t |
| { |
| int nr_insts; |
| struct sb_inst_t *insts; |
| int entry_idx; |
| }; |
| |
| /* A firmware upgrade can contains several variants like recovery image, or |
| * images for different models */ |
| struct imx_fw_variant_desc_t |
| { |
| /* Offset within file */ |
| size_t offset; |
| /* Total size of the firmware */ |
| size_t size; |
| }; |
| |
| /* Map a MD5 sum of the whole file to a model and describe the variants in it */ |
| struct imx_md5sum_t |
| { |
| /* Device model */ |
| enum imx_model_t model; |
| /* md5sum of the file */ |
| char *md5sum; |
| /* Version string */ |
| const char *version; |
| /* Variant descriptions */ |
| struct imx_fw_variant_desc_t fw_variants[VARIANT_COUNT]; |
| }; |
| |
| /* Describe how to produce a bootloader image for a specific model */ |
| struct imx_model_desc_t |
| { |
| /* Descriptive name of this model */ |
| const char *model_name; |
| /* Dualboot code for this model */ |
| const unsigned char *dualboot; |
| /* Size of dualboot functions for this model */ |
| int dualboot_size; |
| /* Model name used in the Rockbox header in ".sansa" files - these match the |
| -add parameter to the "scramble" tool */ |
| const char *rb_model_name; |
| /* Model number used to initialise the checksum in the Rockbox header in |
| ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */ |
| const int rb_model_num; |
| /* Array of NULL-terminated keys */ |
| struct crypto_key_t **keys; |
| /* Dualboot load address */ |
| uint32_t dualboot_addr; |
| /* Bootloader load address */ |
| uint32_t bootloader_addr; |
| }; |
| |
| /* Friendly names for variants */ |
| static const char *imx_fw_variant[] = |
| { |
| [VARIANT_DEFAULT] = "default", |
| [VARIANT_ZENXFI2_RECOVERY] = "ZEN X-Fi2 Recovery", |
| [VARIANT_ZENXFI2_NAND] = "ZEN X-Fi2 NAND", |
| [VARIANT_ZENXFI2_SD] = "ZEN X-Fi2 eMMC/SD", |
| [VARIANT_ZENXFISTYLE_RECOVERY] = "ZEN X-Fi Style Recovery", |
| [VARIANT_ZENSTYLE_RECOVERY] = "ZEN Style 100/300 Recovery", |
| }; |
| |
| /* List of known MD5 sums for firmware upgrades */ |
| static const struct imx_md5sum_t imx_sums[] = |
| { |
| /** Fuze+ */ |
| { |
| /* Version 2.38.6 */ |
| MODEL_FUZEPLUS, "c3e27620a877dc6b200b97dcb3e0ecc7", "2.38.6", |
| { [VARIANT_DEFAULT] = { 0, 34652624 } } |
| }, |
| /** Zen X-Fi2 */ |
| { |
| /* Version 1.23.01 */ |
| MODEL_ZENXFI2, "e37e2c24abdff8e624d0a29f79157850", "1.23.01", |
| { |
| [VARIANT_ZENXFI2_RECOVERY] = { 602128, 684192}, |
| [VARIANT_ZENXFI2_NAND] = { 1286320, 42406608 }, |
| [VARIANT_ZENXFI2_SD] = { 43692928, 42304208 } |
| } |
| }, |
| { |
| /* Version 1.23.01e */ |
| MODEL_ZENXFI2, "2beff2168212d332f13cfc36ca46989d", "1.23.01e", |
| { |
| [VARIANT_ZENXFI2_RECOVERY] = { 0x93010, 684192}, |
| [VARIANT_ZENXFI2_NAND] = { 0x13a0b0, 42410704 }, |
| [VARIANT_ZENXFI2_SD] = { 0x29ac380, 42304208 } |
| } |
| }, |
| /** Zen X-Fi3 */ |
| { |
| /* Version 1.00.15e */ |
| MODEL_ZENXFI3, "658a24eeef5f7186ca731085d8822a87", "1.00.15e", |
| { [VARIANT_DEFAULT] = {0, 18110576} } |
| }, |
| { |
| /* Version 1.00.22e */ |
| MODEL_ZENXFI3, "a5114cd45ea4554ec221f51a71083862", "1.00.22e", |
| { [VARIANT_DEFAULT] = {0, 18110576} } |
| }, |
| { |
| /* Version 1.00.25 */ |
| MODEL_ZENXFI3, "a41a3a78f86a4ac2879d194c6d528059", "1.00.25", |
| { [VARIANT_DEFAULT] = {0, 18110576 } } |
| }, |
| { |
| /* Version 1.00.25e */ |
| MODEL_ZENXFI3, "c180f57e2b2d62620f87a1d853f349ff", "1.00.25e", |
| { [VARIANT_DEFAULT] = {0, 18110576 } } |
| }, |
| /** Zen X-Fi Style */ |
| { |
| /* Version 1.03.04e */ |
| MODEL_ZENXFISTYLE, "32a731b7f714e9f99a95991003759c98", "1.03.04", |
| { |
| [VARIANT_DEFAULT] = {842960, 29876944}, |
| [VARIANT_ZENXFISTYLE_RECOVERY] = {610272, 232688}, |
| } |
| }, |
| { |
| /* Version 1.03.04e */ |
| MODEL_ZENXFISTYLE, "2c7ee52d9984d85dd39aa49b3331e66c", "1.03.04e", |
| { |
| [VARIANT_DEFAULT] = {842960, 29876944}, |
| [VARIANT_ZENXFISTYLE_RECOVERY] = {610272, 232688}, |
| } |
| }, |
| { |
| /* Version 1.03.04e */ |
| MODEL_ZENSTYLE, "dbebec8fe666412061d9740ff68605dd", "1.03.04e", |
| { |
| [VARIANT_DEFAULT] = {758848, 6641344}, |
| [VARIANT_ZENSTYLE_RECOVERY] = {610272, 148576}, |
| } |
| }, |
| /** Sony NWZ-E370 */ |
| { |
| /* Version 1.00.00 */ |
| MODEL_NWZE370, "a615fdb70b3e1bfb0355a5bc2bf237ab", "1.00.00", |
| { [VARIANT_DEFAULT] = {0, 16056320 } } |
| }, |
| { |
| /* Version 1.00.01 */ |
| MODEL_NWZE370, "ee83f3c6026cbcc07097867f06fd585f", "1.00.01", |
| { [VARIANT_DEFAULT] = {0, 16515072 } } |
| }, |
| /** Sony NWZ-E360 */ |
| { |
| /* Version 1.00.00 */ |
| MODEL_NWZE360, "d0047f8a87d456a0032297b3c802a1ff", "1.00.00", |
| { [VARIANT_DEFAULT] = {0, 20652032 } } |
| }, |
| /** Sony NWZ-E380 */ |
| { |
| /* Version 1.00.00 */ |
| MODEL_NWZE370, "412f8ccd453195c0bebcc1fd8376322f", "1.00.00", |
| { [VARIANT_DEFAULT] = {0, 16429056 } } |
| }, |
| { |
| /* Version 1.00.200 */ |
| MODEL_NWZE370, "75cfa51078261c547717e11a4676f1af", "1.00.200", |
| { [VARIANT_DEFAULT] = {0, 16429056 } } |
| } |
| }; |
| |
| static struct crypto_key_t zero_key = |
| { |
| .method = CRYPTO_KEY, |
| .u.key = {0} |
| }; |
| |
| static struct crypto_key_t *list_zero_key[] = { &zero_key, NULL }; |
| static struct crypto_key_t *list_all_keys[] = { &zero_key, NULL }; |
| |
| static const struct imx_model_desc_t imx_models[] = |
| { |
| [MODEL_FUZEPLUS] = {"Fuze+", dualboot_fuzeplus, sizeof(dualboot_fuzeplus), |
| "fuz+", 72, list_zero_key, 0, 0x40000000 }, |
| [MODEL_ZENXFI2] = {"Zen X-Fi2", dualboot_zenxfi2, sizeof(dualboot_zenxfi2), |
| "zxf2", 82, list_zero_key, 0, 0x40000000 }, |
| [MODEL_ZENXFI3] = {"Zen X-Fi3", dualboot_zenxfi3, sizeof(dualboot_zenxfi3), |
| "zxf3", 83, list_zero_key, 0, 0x40000000 }, |
| [MODEL_ZENXFISTYLE] = {"Zen X-Fi Style", dualboot_zenxfistyle, sizeof(dualboot_zenxfistyle), |
| "zxfs", 94, list_zero_key, 0, 0x40000000 }, |
| [MODEL_ZENSTYLE] = {"Zen Style 100/300", NULL, 0, "", -1, list_zero_key, 0, 0x40000000 }, |
| [MODEL_NWZE370] = {"NWZ-E370", dualboot_nwze370, sizeof(dualboot_nwze370), |
| "e370", 88, list_zero_key, 0, 0x40000000 }, |
| [MODEL_NWZE360] = {"NWZ-E360", dualboot_nwze360, sizeof(dualboot_nwze360), |
| "e360", 89, list_zero_key, 0, 0x40000000 }, |
| }; |
| |
| #define NR_IMX_SUMS (sizeof(imx_sums) / sizeof(imx_sums[0])) |
| #define NR_IMX_MODELS (sizeof(imx_models) / sizeof(imx_models[0])) |
| |
| #define MAGIC_ROCK 0x726f636b /* 'rock' */ |
| #define MAGIC_RECOVERY 0xfee1dead |
| #define MAGIC_NORMAL 0xcafebabe |
| #define MAGIC_CHARGE 0x67726863 /* 'chrg' */ |
| |
| static void add_key_list(struct crypto_key_t **list) |
| { |
| while(*list != NULL) |
| add_keys(*list++, 1); |
| } |
| |
| static int rb_fw_get_sb_inst_count(struct rb_fw_t *fw) |
| { |
| return fw->nr_insts; |
| } |
| |
| /* fill sb instruction for the firmware, fill fill rb_fw_get_sb_inst_count() instructions */ |
| static void rb_fw_fill_sb(struct rb_fw_t *fw, struct sb_inst_t *inst, |
| uint32_t entry_arg) |
| { |
| memcpy(inst, fw->insts, fw->nr_insts * sizeof(struct sb_inst_t)); |
| /* copy data if needed */ |
| for(int i = 0; i < fw->nr_insts; i++) |
| if(fw->insts[i].inst == SB_INST_LOAD) |
| fw->insts[i].data = memdup(fw->insts[i].data, fw->insts[i].size); |
| /* replace call argument of the entry point */ |
| inst[fw->entry_idx].argument = entry_arg; |
| } |
| |
| static enum imx_error_t patch_std_zero_host_play(int jump_before, |
| struct imx_option_t opt, struct sb_file_t *sb_file, struct rb_fw_t boot_fw) |
| { |
| /* We assume the file has three boot sections: ____, host, play and one |
| * resource section rsrc. |
| * |
| * Dual Boot: |
| * ---------- |
| * We patch the file by inserting the dualboot code before the <jump_before>th |
| * call in the ____ section. We give it as argument the section name 'rock' |
| * and add a section called 'rock' after rsrc which contains the bootloader. |
| * |
| * Single Boot & Recovery: |
| * ----------------------- |
| * We patch the file by inserting the bootloader code after the <jump_before>th |
| * call in the ____ section and get rid of everything else. In recovery mode, |
| * we give 0xfee1dead as argument */ |
| |
| /* used to manipulate entries */ |
| int nr_boot_inst = rb_fw_get_sb_inst_count(&boot_fw); |
| |
| /* first locate the good instruction */ |
| struct sb_section_t *sec = &sb_file->sections[0]; |
| int jump_idx = 0; |
| while(jump_idx < sec->nr_insts && jump_before > 0) |
| if(sec->insts[jump_idx++].inst == SB_INST_CALL) |
| jump_before--; |
| if(jump_idx == sec->nr_insts) |
| { |
| printf("[ERR] Cannot locate call in section ____\n"); |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| |
| if(opt.output == IMX_DUALBOOT) |
| { |
| /* create a new instruction array with a hole for two instructions */ |
| struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (sec->nr_insts + 2)); |
| memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx); |
| memcpy(new_insts + jump_idx + 2, sec->insts + jump_idx, |
| sizeof(struct sb_inst_t) * (sec->nr_insts - jump_idx)); |
| /* first instruction is be a load */ |
| struct sb_inst_t *load = &new_insts[jump_idx]; |
| memset(load, 0, sizeof(struct sb_inst_t)); |
| load->inst = SB_INST_LOAD; |
| load->size = imx_models[opt.model].dualboot_size; |
| load->addr = imx_models[opt.model].dualboot_addr; |
| /* duplicate memory because it will be free'd */ |
| load->data = memdup(imx_models[opt.model].dualboot, |
| imx_models[opt.model].dualboot_size); |
| /* second instruction is a call */ |
| struct sb_inst_t *call = &new_insts[jump_idx + 1]; |
| memset(call, 0, sizeof(struct sb_inst_t)); |
| call->inst = SB_INST_CALL; |
| call->addr = imx_models[opt.model].dualboot_addr; |
| call->argument = MAGIC_ROCK; |
| /* free old instruction array */ |
| free(sec->insts); |
| sec->insts = new_insts; |
| sec->nr_insts += 2; |
| |
| /* create a new section */ |
| struct sb_section_t rock_sec; |
| memset(&rock_sec, 0, sizeof(rock_sec)); |
| /* section can have any number of instructions */ |
| rock_sec.identifier = MAGIC_ROCK; |
| rock_sec.alignment = BLOCK_SIZE; |
| rock_sec.nr_insts = nr_boot_inst; |
| rock_sec.insts = xmalloc(nr_boot_inst * sizeof(struct sb_inst_t)); |
| rb_fw_fill_sb(&boot_fw, rock_sec.insts, MAGIC_NORMAL); |
| |
| sb_file->sections = augment_array(sb_file->sections, |
| sizeof(struct sb_section_t), sb_file->nr_sections, |
| &rock_sec, 1); |
| sb_file->nr_sections++; |
| |
| return IMX_SUCCESS; |
| } |
| else if(opt.output == IMX_SINGLEBOOT || opt.output == IMX_RECOVERY) |
| { |
| bool recovery = (opt.output == IMX_RECOVERY); |
| /* remove everything after the call and add instructions for firmware */ |
| struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (jump_idx + nr_boot_inst)); |
| memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx); |
| for(int i = jump_idx; i < sec->nr_insts; i++) |
| sb_free_instruction(sec->insts[i]); |
| rb_fw_fill_sb(&boot_fw, &new_insts[jump_idx], recovery ? MAGIC_RECOVERY : MAGIC_NORMAL); |
| |
| free(sec->insts); |
| sec->insts = new_insts; |
| sec->nr_insts = jump_idx + nr_boot_inst; |
| /* remove all other sections */ |
| for(int i = 1; i < sb_file->nr_sections; i++) |
| sb_free_section(sb_file->sections[i]); |
| struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t)); |
| memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t)); |
| free(sb_file->sections); |
| sb_file->sections = new_sec; |
| sb_file->nr_sections = 1; |
| |
| return IMX_SUCCESS; |
| } |
| else if(opt.output == IMX_CHARGE) |
| { |
| /* throw away everything except the dualboot stub with a special argument */ |
| struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * 2); |
| /* first instruction is be a load */ |
| struct sb_inst_t *load = &new_insts[0]; |
| memset(load, 0, sizeof(struct sb_inst_t)); |
| load->inst = SB_INST_LOAD; |
| load->size = imx_models[opt.model].dualboot_size; |
| load->addr = imx_models[opt.model].dualboot_addr; |
| /* duplicate memory because it will be free'd */ |
| load->data = memdup(imx_models[opt.model].dualboot, |
| imx_models[opt.model].dualboot_size); |
| /* second instruction is a call */ |
| struct sb_inst_t *call = &new_insts[1]; |
| memset(call, 0, sizeof(struct sb_inst_t)); |
| call->inst = SB_INST_CALL; |
| call->addr = imx_models[opt.model].dualboot_addr; |
| call->argument = MAGIC_CHARGE; |
| /* free old instruction array */ |
| free(sec->insts); |
| sec->insts = new_insts; |
| sec->nr_insts = 2; |
| /* remove all other sections */ |
| for(int i = 1; i < sb_file->nr_sections; i++) |
| sb_free_section(sb_file->sections[i]); |
| struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t)); |
| memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t)); |
| free(sb_file->sections); |
| sb_file->sections = new_sec; |
| sb_file->nr_sections = 1; |
| |
| return IMX_SUCCESS; |
| } |
| else |
| { |
| printf("[ERR] Bad output type !\n"); |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| } |
| |
| static enum imx_error_t parse_subversion(const char *s, const char *end, uint16_t *ver) |
| { |
| int len = (end == NULL) ? strlen(s) : end - s; |
| if(len > 4) |
| { |
| printf("[ERR] Bad subversion override '%s' (too long)\n", s); |
| return IMX_ERROR; |
| } |
| *ver = 0; |
| for(int i = 0; i < len; i++) |
| { |
| if(!isdigit(s[i])) |
| { |
| printf("[ERR] Bad subversion override '%s' (not a digit)\n", s); |
| return IMX_ERROR; |
| } |
| *ver = *ver << 4 | (s[i] - '0'); |
| } |
| return IMX_SUCCESS; |
| } |
| |
| static enum imx_error_t parse_version(const char *s, struct sb_version_t *ver) |
| { |
| const char *dot1 = strchr(s, '.'); |
| if(dot1 == NULL) |
| { |
| printf("[ERR] Bad version override '%s' (missing dot)\n", s); |
| return IMX_ERROR; |
| } |
| const char *dot2 = strchr(dot1 + 1, '.'); |
| if(dot2 == NULL) |
| { |
| printf("[ERR] Bad version override '%s' (missing second dot)\n", s); |
| return IMX_ERROR; |
| } |
| enum imx_error_t ret = parse_subversion(s, dot1, &ver->major); |
| if(ret != IMX_SUCCESS) return ret; |
| ret = parse_subversion(dot1 + 1, dot2, &ver->minor); |
| if(ret != IMX_SUCCESS) return ret; |
| ret = parse_subversion(dot2 + 1, NULL, &ver->revision); |
| if(ret != IMX_SUCCESS) return ret; |
| return IMX_SUCCESS; |
| } |
| |
| static enum imx_error_t patch_firmware(struct imx_option_t opt, |
| struct sb_file_t *sb_file, struct rb_fw_t boot_fw) |
| { |
| if(opt.force_version) |
| { |
| enum imx_error_t err = parse_version(opt.force_version, &sb_file->product_ver); |
| if(err != IMX_SUCCESS) |
| return err; |
| err = parse_version(opt.force_version, &sb_file->component_ver); |
| if(err != IMX_SUCCESS) |
| return err; |
| } |
| switch(opt.model) |
| { |
| case MODEL_FUZEPLUS: |
| /* The Fuze+ uses the standard ____, host, play sections, patch after third |
| * call in ____ section */ |
| return patch_std_zero_host_play(3, opt, sb_file, boot_fw); |
| case MODEL_ZENXFI3: |
| /* The ZEN X-Fi3 uses the standard ____, hSst, pSay sections, patch after third |
| * call in ____ section. Although sections names use the S variant, they are standard. */ |
| return patch_std_zero_host_play(3, opt, sb_file, boot_fw); |
| case MODEL_NWZE360: |
| case MODEL_NWZE370: |
| /* The NWZ-E360/E370 uses the standard ____, host, play sections, patch after first |
| * call in ____ section. */ |
| return patch_std_zero_host_play(1, opt, sb_file, boot_fw); |
| case MODEL_ZENXFI2: |
| /* The ZEN X-Fi2 has two types of firmware: recovery and normal. |
| * Normal uses the standard ___, host, play sections and recovery only ____ */ |
| switch(opt.fw_variant) |
| { |
| case VARIANT_ZENXFI2_RECOVERY: |
| case VARIANT_ZENXFI2_NAND: |
| case VARIANT_ZENXFI2_SD: |
| return patch_std_zero_host_play(1, opt, sb_file, boot_fw); |
| default: |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| break; |
| case MODEL_ZENXFISTYLE: |
| /* The ZEN X-Fi Style uses the standard ____, host, play sections, patch after first |
| * call in ____ section. */ |
| return patch_std_zero_host_play(1, opt, sb_file, boot_fw); |
| default: |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| } |
| |
| static enum imx_error_t unpatch_std_zero_host_play(int jump_before, |
| struct imx_option_t opt, struct sb_file_t *sb_file) |
| { |
| /* find rockbox section */ |
| int rb_sec = -1; |
| for(int i = 0; i < sb_file->nr_sections; i++) |
| if(sb_file->sections[i].identifier == MAGIC_ROCK) |
| rb_sec = i; |
| if(rb_sec == -1) |
| { |
| printf("[ERR][INTERNAL] Cannot find rockbox section\n"); |
| return IMX_ERROR; |
| } |
| /** 1) remove rockbox section */ |
| /* free rockbox section */ |
| sb_free_section(sb_file->sections[rb_sec]); |
| /* create a new array of sections */ |
| sb_file->nr_sections--; |
| struct sb_section_t *new_sec = xmalloc(sb_file->nr_sections * sizeof(struct sb_section_t)); |
| /* copy all sections exception rockbox */ |
| memcpy(new_sec, sb_file->sections, rb_sec * sizeof(struct sb_section_t)); |
| memcpy(new_sec + rb_sec, sb_file->sections + rb_sec + 1, |
| (sb_file->nr_sections - rb_sec) * sizeof(struct sb_section_t)); |
| /* free old array and replace it */ |
| free(sb_file->sections); |
| sb_file->sections = new_sec; |
| |
| /** 2) remove patch instructions in boot section */ |
| struct sb_section_t *sec = &sb_file->sections[0]; |
| int jump_idx = 0; |
| while(jump_idx < sec->nr_insts && jump_before > 0) |
| if(sec->insts[jump_idx++].inst == SB_INST_CALL) |
| jump_before--; |
| if(jump_idx == sec->nr_insts) |
| { |
| printf("[ERR] Cannot locate call in section ____\n"); |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| /* free two instructions */ |
| sb_free_instruction(sec->insts[jump_idx]); |
| sb_free_instruction(sec->insts[jump_idx + 1]); |
| /* create a new array of instructions */ |
| sec->nr_insts -= 2; |
| struct sb_inst_t *new_inst = xmalloc(sec->nr_insts * sizeof(struct sb_inst_t)); |
| /* copy all instructions except the two patch to remove */ |
| memcpy(new_inst, sec->insts, jump_idx * sizeof(struct sb_inst_t)); |
| memcpy(new_inst + jump_idx, sec->insts + jump_idx + 2, |
| (sec->nr_insts - jump_idx) * sizeof(struct sb_inst_t)); |
| /* free old array and replace it */ |
| free(sec->insts); |
| sec->insts = new_inst; |
| |
| return IMX_SUCCESS; |
| } |
| |
| static enum imx_error_t unpatch_firmware(struct imx_option_t opt, |
| struct sb_file_t *sb_file) |
| { |
| /* keep consistent with patch_firmware */ |
| switch(opt.model) |
| { |
| case MODEL_FUZEPLUS: |
| /* The Fuze+ uses the standard ____, host, play sections, patch after third |
| * call in ____ section */ |
| return unpatch_std_zero_host_play(3, opt, sb_file); |
| case MODEL_ZENXFI3: |
| /* The ZEN X-Fi3 uses the standard ____, hSst, pSay sections, patch after third |
| * call in ____ section. Although sections names use the S variant, they are standard. */ |
| return unpatch_std_zero_host_play(3, opt, sb_file); |
| case MODEL_NWZE360: |
| case MODEL_NWZE370: |
| /* The NWZ-E360/E370 uses the standard ____, host, play sections, patch after first |
| * call in ____ section. */ |
| return unpatch_std_zero_host_play(1, opt, sb_file); |
| case MODEL_ZENXFI2: |
| /* The ZEN X-Fi2 has two types of firmware: recovery and normal. |
| * Normal uses the standard ___, host, play sections and recovery only ____ */ |
| switch(opt.fw_variant) |
| { |
| case VARIANT_ZENXFI2_RECOVERY: |
| case VARIANT_ZENXFI2_NAND: |
| case VARIANT_ZENXFI2_SD: |
| return unpatch_std_zero_host_play(1, opt, sb_file); |
| default: |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| break; |
| case MODEL_ZENXFISTYLE: |
| /* The ZEN X-Fi Style uses the standard ____, host, play sections, patch after first |
| * call in ____ section. */ |
| return unpatch_std_zero_host_play(1, opt, sb_file); |
| default: |
| return IMX_DONT_KNOW_HOW_TO_PATCH; |
| } |
| } |
| |
| static uint32_t get_uint32be(unsigned char *p) |
| { |
| return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; |
| } |
| |
| void dump_imx_dev_info(const char *prefix) |
| { |
| printf("%smkimxboot models:\n", prefix); |
| for(int i = 0; i < NR_IMX_MODELS; i++) |
| { |
| printf("%s %s: idx=%d rb_model=%s rb_num=%d\n", prefix, |
| imx_models[i].model_name, i, imx_models[i].rb_model_name, |
| imx_models[i].rb_model_num); |
| } |
| printf("%smkimxboot variants:\n", prefix); |
| for(int i = 0; i < VARIANT_COUNT; i++) |
| { |
| printf("%s %d: %s\n", prefix, i, imx_fw_variant[i]); |
| } |
| printf("%smkimxboot mapping:\n", prefix); |
| for(int i = 0; i < NR_IMX_SUMS; i++) |
| { |
| printf("%s md5sum=%s -> idx=%d, ver=%s\n", prefix, imx_sums[i].md5sum, |
| imx_sums[i].model, imx_sums[i].version); |
| for(int j = 0; j < VARIANT_COUNT; j++) |
| if(imx_sums[i].fw_variants[j].size) |
| printf("%s variant=%d -> offset=%#x size=%#x\n", prefix, |
| j, (unsigned)imx_sums[i].fw_variants[j].offset, |
| (unsigned)imx_sums[i].fw_variants[j].size); |
| } |
| } |
| |
| /* find an entry into imx_sums which matches the MD5 sum of a file */ |
| static enum imx_error_t find_model_by_md5sum(uint8_t file_md5sum[16], int *md5_idx) |
| { |
| int i = 0; |
| while(i < NR_IMX_SUMS) |
| { |
| uint8_t md5[20]; |
| if(strlen(imx_sums[i].md5sum) != 32) |
| { |
| printf("[INFO] Invalid MD5 sum in imx_sums\n"); |
| return IMX_ERROR; |
| } |
| for(int j = 0; j < 16; j++) |
| { |
| byte a, b; |
| if(convxdigit(imx_sums[i].md5sum[2 * j], &a) || convxdigit(imx_sums[i].md5sum[2 * j + 1], &b)) |
| { |
| printf("[ERR][INTERNAL] Bad checksum format: %s\n", imx_sums[i].md5sum); |
| return IMX_ERROR; |
| } |
| md5[j] = (a << 4) | b; |
| } |
| if(memcmp(file_md5sum, md5, 16) == 0) |
| break; |
| i++; |
| } |
| if(i == NR_IMX_SUMS) |
| { |
| printf("[WARN] MD5 sum doesn't match any known file\n"); |
| return IMX_NO_MATCH; |
| } |
| *md5_idx = i; |
| return IMX_SUCCESS; |
| } |
| |
| /* read a file to a buffer */ |
| static enum imx_error_t read_file(const char *file, void **buffer, size_t *size) |
| { |
| FILE *f = fopen(file, "rb"); |
| if(f == NULL) |
| { |
| printf("[ERR] Cannot open file '%s' for reading: %m\n", file); |
| return IMX_OPEN_ERROR; |
| } |
| fseek(f, 0, SEEK_END); |
| *size = ftell(f); |
| fseek(f, 0, SEEK_SET); |
| *buffer = xmalloc(*size); |
| if(fread(*buffer, *size, 1, f) != 1) |
| { |
| free(*buffer); |
| fclose(f); |
| printf("[ERR] Cannot read file '%s': %m\n", file); |
| return IMX_READ_ERROR; |
| } |
| fclose(f); |
| return IMX_SUCCESS; |
| } |
| |
| /* write a file from a buffer */ |
| static enum imx_error_t write_file(const char *file, void *buffer, size_t size) |
| { |
| FILE *f = fopen(file, "wb"); |
| if(f == NULL) |
| { |
| printf("[ERR] Cannot open file '%s' for writing: %m\n", file); |
| return IMX_OPEN_ERROR; |
| } |
| if(fwrite(buffer, size, 1, f) != 1) |
| { |
| fclose(f); |
| printf("[ERR] Cannot write file '%s': %m\n", file); |
| return IMX_WRITE_ERROR; |
| } |
| fclose(f); |
| return IMX_SUCCESS; |
| } |
| |
| /* compute MD5 sum of a buffer */ |
| static enum imx_error_t compute_md5sum_buf(void *buf, size_t sz, uint8_t file_md5sum[16]) |
| { |
| md5_context ctx; |
| md5_starts(&ctx); |
| md5_update(&ctx, buf, sz); |
| md5_finish(&ctx, file_md5sum); |
| return IMX_SUCCESS; |
| } |
| |
| /* compute MD5 sum of a buffer */ |
| static enum imx_error_t compute_soft_md5sum_buf(struct sb_file_t *sb, uint8_t file_md5sum[16]) |
| { |
| md5_context ctx; |
| md5_starts(&ctx); |
| #define hash(obj) \ |
| md5_update(&ctx, (void *)&obj, sizeof(obj)) |
| /* various header fiels */ |
| hash(sb->timestamp); |
| hash(sb->drive_tag); |
| hash(sb->drive_tag); |
| hash(sb->first_boot_sec_id); |
| hash(sb->flags); |
| hash(sb->product_ver); |
| hash(sb->component_ver); |
| |
| for(int i = 0; i < sb->nr_sections; i++) |
| { |
| struct sb_section_t *sec = &sb->sections[i]; |
| hash(sec->identifier); |
| uint32_t flags = sec->other_flags; |
| if(!sec->is_data) |
| flags |= SECTION_BOOTABLE; |
| if(sec->is_cleartext) |
| flags |= SECTION_CLEARTEXT; |
| hash(flags); |
| |
| for(int j = 0; j < sec->nr_insts; j++) |
| { |
| struct sb_inst_t *inst = &sec->insts[j]; |
| switch(inst->inst) |
| { |
| case SB_INST_NOP: |
| /* ignore them totally because they are used for padding */ |
| break; |
| case SB_INST_LOAD: |
| hash(inst->inst); |
| hash(inst->addr); |
| md5_update(&ctx, inst->data, inst->size); |
| break; |
| case SB_INST_FILL: |
| hash(inst->inst); |
| hash(inst->addr); |
| hash(inst->pattern); |
| break; |
| case SB_INST_JUMP: |
| case SB_INST_CALL: |
| hash(inst->inst); |
| hash(inst->addr); |
| hash(inst->argument); |
| break; |
| case SB_INST_MODE: |
| hash(inst->inst); |
| hash(inst->argument); |
| break; |
| case SB_INST_DATA: |
| md5_update(&ctx, inst->data, inst->size); |
| break; |
| default: |
| printf("[ERR][INTERNAL] Unexpected instruction %d\n", inst->inst); |
| return IMX_ERROR; |
| } |
| } |
| } |
| #undef hash |
| md5_finish(&ctx, file_md5sum); |
| return IMX_SUCCESS; |
| } |
| |
| /* compute MD5 of a file */ |
| enum imx_error_t compute_md5sum(const char *file, uint8_t file_md5sum[16]) |
| { |
| void *buf; |
| size_t sz; |
| enum imx_error_t err = read_file(file, &buf, &sz); |
| if(err != IMX_SUCCESS) |
| return err; |
| compute_md5sum_buf(buf, sz, file_md5sum); |
| free(buf); |
| return IMX_SUCCESS; |
| } |
| |
| /* compute soft MD5 of a file */ |
| enum imx_error_t compute_soft_md5sum(const char *file, uint8_t soft_md5sum[16]) |
| { |
| clear_keys(); |
| add_key_list(list_all_keys); |
| /* read file */ |
| enum sb_error_t err; |
| struct sb_file_t *sb = sb_read_file(file, false, NULL, generic_std_printf, &err); |
| if(sb == NULL) |
| { |
| printf("[ERR] Cannot load SB file: %d\n", err); |
| return err; |
| } |
| /* compute sum */ |
| err = compute_soft_md5sum_buf(sb, soft_md5sum); |
| /* release file */ |
| sb_free(sb); |
| return err; |
| } |
| |
| /* Load a rockbox firwmare from a buffer. Data is copied. Assume firmware is |
| * using our scramble format. */ |
| static enum imx_error_t rb_fw_load_buf_scramble(struct rb_fw_t *fw, uint8_t *buf, |
| size_t sz, enum imx_model_t model) |
| { |
| if(sz < 8) |
| { |
| printf("[ERR] Bootloader file is too small to be valid\n"); |
| return IMX_BOOT_INVALID; |
| } |
| /* check model name */ |
| uint8_t *name = buf + 4; |
| if(memcmp(name, imx_models[model].rb_model_name, 4) != 0) |
| { |
| printf("[ERR] Bootloader model doesn't match found model for input file\n"); |
| return IMX_BOOT_MISMATCH; |
| } |
| /* check checksum */ |
| uint32_t sum = imx_models[model].rb_model_num; |
| for(int i = 8; i < sz; i++) |
| sum += buf[i]; |
| if(sum != get_uint32be(buf)) |
| { |
| printf("[ERR] Bootloader checksum mismatch\n"); |
| return IMX_BOOT_CHECKSUM_ERROR; |
| } |
| /* two instructions: load and jump */ |
| fw->nr_insts = 2; |
| fw->entry_idx = 1; |
| fw->insts = xmalloc(fw->nr_insts * sizeof(struct sb_inst_t)); |
| memset(fw->insts, 0, fw->nr_insts * sizeof(struct sb_inst_t)); |
| fw->insts[0].inst = SB_INST_LOAD; |
| fw->insts[0].addr = imx_models[model].bootloader_addr; |
| fw->insts[0].size = sz - 8; |
| fw->insts[0].data = memdup(buf + 8, sz - 8); |
| fw->insts[1].inst = SB_INST_JUMP; |
| fw->insts[1].addr = imx_models[model].bootloader_addr; |
| return IMX_SUCCESS; |
| } |
| |
| struct elf_user_t |
| { |
| void *buf; |
| size_t sz; |
| }; |
| |
| static bool elf_read(void *user, uint32_t addr, void *buf, size_t count) |
| { |
| struct elf_user_t *u = user; |
| if(addr + count <= u->sz) |
| { |
| memcpy(buf, u->buf + addr, count); |
| return true; |
| } |
| else |
| return false; |
| } |
| |
| /* Load a rockbox firwmare from a buffer. Data is copied. Assume firmware is |
| * using ELF format. */ |
| static enum imx_error_t rb_fw_load_buf_elf(struct rb_fw_t *fw, uint8_t *buf, |
| size_t sz, enum imx_model_t model) |
| { |
| struct elf_params_t elf; |
| struct elf_user_t user; |
| user.buf = buf; |
| user.sz = sz; |
| elf_init(&elf); |
| if(!elf_read_file(&elf, elf_read, generic_std_printf, &user)) |
| { |
| elf_release(&elf); |
| printf("[ERR] Error parsing ELF file\n"); |
| return IMX_BOOT_INVALID; |
| } |
| fw->nr_insts = elf_get_nr_sections(&elf) + 1; |
| fw->insts = xmalloc(fw->nr_insts * sizeof(struct sb_inst_t)); |
| fw->entry_idx = fw->nr_insts - 1; |
| memset(fw->insts, 0, fw->nr_insts * sizeof(struct sb_inst_t)); |
| struct elf_section_t *sec = elf.first_section; |
| for(int i = 0; sec; i++, sec = sec->next) |
| { |
| fw->insts[i].addr = elf_translate_virtual_address(&elf, sec->addr); |
| fw->insts[i].size = sec->size; |
| if(sec->type == EST_LOAD) |
| { |
| fw->insts[i].inst = SB_INST_LOAD; |
| fw->insts[i].data = memdup(sec->section, sec->size); |
| } |
| else if(sec->type == EST_FILL) |
| { |
| fw->insts[i].inst = SB_INST_FILL; |
| fw->insts[i].pattern = sec->pattern; |
| } |
| else |
| { |
| printf("[WARN] Warning parsing ELF file: unsupported section type mapped to NOP!\n"); |
| fw->insts[i].inst = SB_INST_NOP; |
| } |
| } |
| fw->insts[fw->nr_insts - 1].inst = SB_INST_JUMP; |
| if(!elf_get_start_addr(&elf, &fw->insts[fw->nr_insts - 1].addr)) |
| { |
| elf_release(&elf); |
| printf("[ERROR] Error parsing ELF file: it has no entry point!\n"); |
| return IMX_BOOT_INVALID; |
| } |
| elf_release(&elf); |
| return IMX_SUCCESS; |
| } |
| |
| /* Load a rockbox firwmare from a buffer. Data is copied. */ |
| static enum imx_error_t rb_fw_load_buf(struct rb_fw_t *fw, uint8_t *buf, |
| size_t sz, enum imx_model_t model) |
| { |
| /* detect file format */ |
| if(sz >= 4 && buf[0] == 0x7f && memcmp(buf + 1, "ELF", 3) == 0) |
| return rb_fw_load_buf_elf(fw, buf, sz, model); |
| else |
| return rb_fw_load_buf_scramble(fw, buf, sz, model); |
| } |
| |
| /* load a rockbox firmware from a file. */ |
| static enum imx_error_t rb_fw_load(struct rb_fw_t *fw, const char *file, |
| enum imx_model_t model) |
| { |
| void *buf; |
| size_t sz; |
| int ret = read_file(file, &buf, &sz); |
| if(ret == IMX_SUCCESS) |
| { |
| ret = rb_fw_load_buf(fw, buf, sz, model); |
| free(buf); |
| } |
| return ret; |
| } |
| |
| /* free rockbox firmware */ |
| static void rb_fw_free(struct rb_fw_t *fw) |
| { |
| for(int i = 0; i < fw->nr_insts; i++) |
| sb_free_instruction(fw->insts[i]); |
| free(fw->insts); |
| memset(fw, 0, sizeof(struct rb_fw_t)); |
| } |
| |
| static bool contains_rockbox_bootloader(struct sb_file_t *sb_file) |
| { |
| for(int i = 0; i < sb_file->nr_sections; i++) |
| if(sb_file->sections[i].identifier == MAGIC_ROCK) |
| return true; |
| return false; |
| } |
| |
| /* modify sb_file to produce requested boot image */ |
| static enum imx_error_t make_boot(struct sb_file_t *sb_file, const char *bootfile, |
| struct imx_option_t opt) |
| { |
| /* things went smoothly, we have a SB image but it may not be suitable as an |
| * input image: if it contains a rockbox bootloader, we need to remove it */ |
| if(contains_rockbox_bootloader(sb_file)) |
| { |
| printf("[INFO] SB file contains a Rockbox bootloader, trying to remove it...\n"); |
| enum imx_error_t ret = unpatch_firmware(opt, sb_file); |
| if(ret != IMX_SUCCESS) |
| return ret; |
| } |
| /* if asked to produce OF, don't do anything more */ |
| if(opt.output == IMX_ORIG_FW) |
| return IMX_SUCCESS; |
| /* load rockbox file */ |
| struct rb_fw_t boot_fw; |
| enum imx_error_t ret = rb_fw_load(&boot_fw, bootfile, opt.model); |
| if(ret != IMX_SUCCESS) |
| return ret; |
| /* produce file */ |
| ret = patch_firmware(opt, sb_file, boot_fw); |
| rb_fw_free(&boot_fw); |
| return IMX_SUCCESS; |
| } |
| |
| enum imx_error_t mkimxboot(const char *infile, const char *bootfile, |
| const char *outfile, struct imx_option_t opt) |
| { |
| /* sanity check */ |
| if(opt.fw_variant >= VARIANT_COUNT || opt.model >= MODEL_COUNT) |
| return IMX_ERROR; |
| /* dump tables */ |
| dump_imx_dev_info("[INFO] "); |
| /* load file */ |
| void *buf; |
| size_t offset = 0, size = 0; |
| enum imx_error_t ret = read_file(infile, &buf, &size); |
| if(ret != IMX_SUCCESS) |
| return ret; |
| /* compute MD5 sum of the file */ |
| uint8_t file_md5sum[16]; |
| compute_md5sum_buf(buf, size, file_md5sum); |
| printf("[INFO] MD5 sum of the file: "); |
| for(int i = 0; i < 16; i++) |
| printf("%02x", file_md5sum[i]); |
| printf("\n"); |
| /* find model */ |
| int md5_idx; |
| ret = find_model_by_md5sum(file_md5sum, &md5_idx); |
| /* is this a known firmware upgrade ? */ |
| if(ret == IMX_SUCCESS) |
| { |
| enum imx_model_t model = imx_sums[md5_idx].model; |
| printf("[INFO] File is for model %d (%s, version %s)\n", model, |
| imx_models[model].model_name, imx_sums[md5_idx].version); |
| /* check the model is the expected one */ |
| if(opt.model == MODEL_UNKNOWN) |
| opt.model = model; |
| else if(opt.model != model) |
| { |
| printf("[ERR] Model mismatch, was expecting model %d (%s)\n", |
| opt.model, imx_models[opt.model].model_name); |
| free(buf); |
| return IMX_MODEL_MISMATCH; |
| } |
| /* use database values */ |
| offset = imx_sums[md5_idx].fw_variants[opt.fw_variant].offset; |
| size = imx_sums[md5_idx].fw_variants[opt.fw_variant].size; |
| if(size == 0) |
| { |
| printf("[ERR] Input file does not contain variant '%s'\n", imx_fw_variant[opt.fw_variant]); |
| free(buf); |
| return IMX_VARIANT_MISMATCH; |
| } |
| /* special case: if we need to produce the OF, just bypass read/write of |
| * the SB file and output this chunk of the file. This is faster and it |
| * also avoids modifying the OF by reconstructing it */ |
| if(opt.output == IMX_ORIG_FW) |
| { |
| printf("[INFO] Extracting original firmware...\n"); |
| ret = write_file(outfile, buf + offset, size); |
| free(buf); |
| return ret; |
| } |
| } |
| else |
| { |
| printf("[INFO] File doesn't have a known MD5 sum, assuming it's a SB image...\n"); |
| /* image didn't match, so we expect the file to be a raw SB image, either |
| * produced by mkimxboot when uninstalling bootloader or after installing RB, |
| * so load all known keys and go on */ |
| |
| /* To be more user friendly, give a nice error message if we detect |
| * the file is not a SB file */ |
| if(guess_sb_version(infile) == SB_VERSION_UNK) |
| { |
| printf("[ERR] Your firmware doesn't look like a SB file\n"); |
| printf("[ERR] This is probably a firmware upgrade\n"); |
| printf("[ERR] Unfortunately, this tool doesn't know about it yet\n"); |
| printf("[ERR] Please report to the developers to add it\n"); |
| free(buf); |
| return IMX_ERROR; |
| } |
| } |
| /* to proceed further, we need to know the model */ |
| if(opt.model == MODEL_UNKNOWN) |
| { |
| printf("[ERR] Cannot do processing of soft image without knowing the model\n"); |
| free(buf); |
| return IMX_MODEL_MISMATCH; |
| } |
| /* load image */ |
| g_debug = opt.debug; |
| clear_keys(); |
| add_key_list(imx_models[opt.model].keys); |
| enum sb_error_t err; |
| struct sb_file_t *sb_file = sb_read_memory(buf + offset, size, false, NULL, generic_std_printf, &err); |
| if(sb_file == NULL) |
| { |
| printf("[ERR] Cannot open firmware as SB file: %d\n", err); |
| free(buf); |
| return IMX_FIRST_SB_ERROR + err; |
| } |
| /* modify image */ |
| ret = make_boot(sb_file, bootfile, opt); |
| if(ret == IMX_SUCCESS) |
| { |
| /* write image */ |
| ret = sb_write_file(sb_file, outfile, NULL, generic_std_printf); |
| } |
| /* cleanup */ |
| sb_free(sb_file); |
| free(buf); |
| return ret; |
| } |