Untested (i.e. will almost certainly brick your device if you attempt to use it) first attempt at making mkamsboot store the original firmware as a UCL compressed image. If it works, then this means we have about 40KB (depending on target and OF version) for our bootloader code. I repeat: This is UNTESTED and needs reviewing fully before attempting to install on a device.

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@18675 a1c6a512-1295-4272-9138-f99709370657

5 files changed, 304 insertions, 95 deletions

diff --git a/utils/AMS/hacking/Makefile b/utils/AMS/hacking/Makefile
index 7a10c20ae4..8f48d611c8 100644
--- a/utils/AMS/hacking/Makefile
+++ b/utils/AMS/hacking/Makefile
@@ -1,4 +1,3 @@
-
 # Change INFILE to point to your original firmware file
 INFILE=$(HOME)/FW/AMS/CLIP/m300a-1.1.17A.bin
 
@@ -6,6 +5,8 @@ INFILE=$(HOME)/FW/AMS/CLIP/m300a-1.1.17A.bin
 # (e.g.) m300a.bin
 OUTFILE=patched.bin
 
+# The uclpack command
+UCLPACK=../../../tools/uclpack
 
 all: amsinfo $(OUTFILE)
 
@@ -15,6 +16,9 @@ amsinfo: amsinfo.c
 mkamsboot: mkamsboot.c
         gcc -o mkamsboot -W -Wall mkamsboot.c
 
+extract_fw: extract_fw.c
+        gcc -o extract_fw -W -Wall extract_fw.c
+
 # Rules for our test ARM application - assemble, link, then extract
 # the binary code
 
@@ -22,13 +26,34 @@ test.o: test.S
         arm-elf-as -o test.o test.S
 
 test.elf: test.o
-        arm-elf-ld -e 0 -o test.elf test.o
+        arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o
 
 test.bin: test.elf
         arm-elf-objcopy -O binary test.elf test.bin
 
-$(OUTFILE): mkamsboot test.bin $(INFILE)
-        ./mkamsboot $(INFILE) test.bin $(OUTFILE)
+# Rules for the ucl unpack function - this is inserted in the padding at 
+# the end of the original firmware block
+nrv2e_d8.o: nrv2e_d8.S
+        arm-elf-gcc -DPURE_THUMB -c -o nrv2e_d8.o nrv2e_d8.S
+
+# NOTE: this function has no absolute references, so the link address (-e)
+# is irrelevant.  We just link at address 0.
+nrv2e_d8.elf: nrv2e_d8.o
+        arm-elf-ld -e 0 -Ttext=0 -o nrv2e_d8.elf nrv2e_d8.o
+
+nrv2e_d8.bin: nrv2e_d8.elf
+        arm-elf-objcopy -O binary nrv2e_d8.elf nrv2e_d8.bin
+
+firmware_block.ucl: firmware_block.bin
+        $(UCLPACK) --best --2e firmware_block.bin firmware_block.ucl
+
+firmware_block.bin: $(INFILE) extract_fw
+        ./extract_fw $(INFILE) firmware_block.bin
+
+$(OUTFILE): mkamsboot firmware_block.ucl test.bin nrv2e_d8.bin $(INFILE)
+        ./mkamsboot $(INFILE) firmware_block.ucl test.bin nrv2e_d8.bin $(OUTFILE)
 
 clean:
-        rm -fr amsinfo mkamsboot test.bin test.o test.elf $(OUTFILE) *~
+        rm -fr amsinfo mkamsboot test.o test.elf test.bin extract_fw \
+        nrv2e_d8.o nrv2e_d8.elf nrv2e_d8.bin firmware_block.bin \
+        firmware_block.ucl $(OUTFILE) *~ 
diff --git a/utils/AMS/hacking/extract_fw.c b/utils/AMS/hacking/extract_fw.c
new file mode 100644
index 0000000000..e91d1f8de1
--- /dev/null
+++ b/utils/AMS/hacking/extract_fw.c
@@ -0,0 +1,129 @@
+/*
+
+extract_fw.c - extract the main firmware image from a Sansa V2 (AMS) firmware
+               file
+
+Copyright (C) Dave Chapman 2008
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
+
+*/
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+
+
+/* Win32 compatibility */
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+
+
+static off_t filesize(int fd) {
+    struct stat buf;
+
+    if (fstat(fd,&buf) < 0) {
+        perror("[ERR]  Checking filesize of input file");
+        return -1;
+    } else {
+        return(buf.st_size);
+    }
+}
+
+static uint32_t get_uint32le(unsigned char* p)
+{
+    return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+}
+
+void usage(void)
+{
+    printf("Usage: extract_fw <firmware file> <output file>\n");
+
+    exit(1);
+}
+
+int main(int argc, char* argv[])
+{
+    char *infile, *outfile;
+    int fdin, fdout;
+    off_t len;
+    uint32_t n;
+    unsigned char* buf;
+    uint32_t firmware_size;
+
+    if(argc != 3) {
+        usage();
+    }
+
+    infile = argv[1];
+    outfile = argv[2];
+
+    /* Open the firmware file */
+    fdin = open(infile,O_RDONLY|O_BINARY);
+
+    if (fdin < 0) {
+        fprintf(stderr,"[ERR]  Could not open %s for reading\n",infile);
+        return 1;
+    }
+
+    if ((len = filesize(fdin)) < 0)
+        return 1;
+
+    /* We will need no more memory than the total size plus the bootloader size
+       padded to a boundary */
+    if ((buf = malloc(len)) == NULL) {
+        fprintf(stderr,"[ERR]  Could not allocate buffer for input file (%d bytes)\n",(int)len);
+        return 1;
+    }
+
+    n = read(fdin, buf, len);
+
+    if (n != (uint32_t)len) {
+        fprintf(stderr,"[ERR] Could not read firmware file\n");
+        return 1;
+    }
+
+    close(fdin);
+
+    /* Get the firmware size */
+    firmware_size = get_uint32le(&buf[0x0c]);
+
+    fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
+
+    if (fdout < 0) {
+        fprintf(stderr,"[ERR]  Could not open %s for writing\n",outfile);
+        return 1;
+    }
+
+    n = write(fdout, buf + 0x400, firmware_size);
+
+    if (n != (uint32_t)firmware_size) {
+        fprintf(stderr,"[ERR] Could not write firmware block\n");
+        return 1;
+    }
+
+    /* Clean up */
+    close(fdout);
+    free(buf);
+
+    return 0;
+}
diff --git a/utils/AMS/hacking/mkamsboot.c b/utils/AMS/hacking/mkamsboot.c
index 30ca66e43b..ea434bc893 100644
--- a/utils/AMS/hacking/mkamsboot.c
+++ b/utils/AMS/hacking/mkamsboot.c
@@ -26,26 +26,33 @@ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
 
 Insert a Rockbox bootloader into an AMS original firmware file.
 
-The first instruction in an AMS firmware file is always of the form:
+We replace the main firmware block (bytes 0x400..padded_firmware_size+0x400)
+with the following:
 
-   ldr     pc, [pc, #xxx]
+Bytes 0..(firmware_size-ucl_size) - Our bootloader code
+Bytes (firmware_size-ucl_size)..firmware_size - UCL compressed OF image
+Bytes firmware_size..padded_firmware_size - UCL decompress function
 
-where [pc, #xxx] contains the entry point of the firmware - e.g. 0x00000138
+mkamsboot writes the following values at offsets into our bootloader code:
 
-mkamsboot appends the Rockbox bootloader to the end of the original
-firmware block in the firmware file and shifts the remaining contents of the firmware file to make space for it.
+0x20 - Entry point (plus 1 - for thumb mode) of the ucl_unpack function
+0x24 - Location of the UCL compressed version of the original firmware block
 
-It also replaces the contents of [pc, #xxx] with the entry point of
-our bootloader - i.e. the length of the original firmware block plus 4
-bytes.
+mkamsboot then corrects the length (to include the UCL decompress
+function) and checksum in the main firmware headers (both copies),
+creating a new legal firmware file which can be installed on the
+device.
 
-It then stores the original entry point from [pc, #xxx] in the first
-four bytes of the Rockbox bootloader image, which is used by the
-bootloader to dual-boot.
+Our bootloader first checks for the "dual-boot" keypress, and then either:
 
-Finally, mkamsboot corrects the length and checksum in the main
-firmware headers (both copies), creating a new legal firmware file
-which can be installed on the device.
+a) Branches to the ucl_unpack function, which will then branch to 0x0 after 
+   decompressing the OF.
+
+b) Continues running with our test code
+
+This method uses no RAM outside the padded area of the original
+firmware block - the UCL compression can happen in-place when the
+compressed image is stored at the end of the destination buffer.
 
 */
 
@@ -106,35 +113,35 @@ static int calc_checksum(unsigned char* buf, uint32_t n)
 
 void usage(void)
 {
-    printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n");
+    printf("Usage: mkamsboot <firmware file> <ucl image> <boot file> <ucl unpack file> <output file>\n");
 
     exit(1);
 }
 
 int main(int argc, char* argv[])
 {
-    char *infile, *bootfile, *outfile;
-    int fdin, fdboot,fdout;
+    char *infile, *uclfile, *bootfile, *uclunpackfile, *outfile;
+    int fdin, fducl, fdboot, fduclunpack, fdout;
     off_t len;
     uint32_t n;
     unsigned char* buf;
-    uint32_t ldr;
-    uint32_t origoffset;
     uint32_t firmware_size;
     uint32_t firmware_paddedsize;
     uint32_t bootloader_size;
-    uint32_t new_paddedsize;
+    uint32_t ucl_size;
+    uint32_t uclunpack_size;
     uint32_t sum,filesum;
-    uint32_t new_length;
     uint32_t i;
 
-    if(argc != 4) {
+    if(argc != 6) {
         usage();
     }
 
     infile = argv[1];
-    bootfile = argv[2];
-    outfile = argv[3];
+    uclfile = argv[2];
+    bootfile = argv[3];
+    uclunpackfile = argv[4];
+    outfile = argv[5];
 
     /* Open the bootloader file */
     fdboot = open(bootfile, O_RDONLY|O_BINARY);
@@ -147,6 +154,28 @@ int main(int argc, char* argv[])
     bootloader_size = filesize(fdboot);
 
 
+    /* Open the UCL-compressed image of the firmware block */
+    fduclunpack = open(uclunpackfile, O_RDONLY|O_BINARY);
+    if (fduclunpack < 0)
+    {
+        fprintf(stderr,"[ERR]  Could not open %s for reading\n",uclunpackfile);
+        return 1;
+    }
+
+    uclunpack_size = filesize(fduclunpack);
+
+
+    /* Open the UCL-compressed image of the firmware block */
+    fducl = open(uclfile, O_RDONLY|O_BINARY);
+    if (fducl < 0)
+    {
+        fprintf(stderr,"[ERR]  Could not open %s for reading\n",uclfile);
+        return 1;
+    }
+
+    ucl_size = filesize(fducl);
+
+
     /* Open the firmware file */
     fdin = open(infile,O_RDONLY|O_BINARY);
 
@@ -158,9 +187,8 @@ int main(int argc, char* argv[])
     if ((len = filesize(fdin)) < 0)
         return 1;
 
-    /* We will need no more memory than the total size plus the bootloader size
-       padded to a boundary */
-    if ((buf = malloc(len + PAD_TO_BOUNDARY(bootloader_size))) == NULL) {
+    /* Allocate memory for the OF image - we don't change the size */
+    if ((buf = malloc(len)) == NULL) {
         fprintf(stderr,"[ERR]  Could not allocate buffer for input file (%d bytes)\n",(int)len);
         return 1;
     }
@@ -181,91 +209,83 @@ int main(int argc, char* argv[])
 
     firmware_paddedsize = PAD_TO_BOUNDARY(firmware_size);
 
-    /* Total new size */
-    new_paddedsize = PAD_TO_BOUNDARY(firmware_size + bootloader_size);
-
-    /* Total new size of firmware file */
-    new_length = len + (new_paddedsize - firmware_paddedsize);
+    fprintf(stderr,"Original firmware size - %d bytes\n",firmware_size);
+    fprintf(stderr,"Padded firmware size - %d bytes\n",firmware_paddedsize);
+    fprintf(stderr,"Bootloader size - %d bytes\n",bootloader_size);
+    fprintf(stderr,"UCL image size - %d bytes\n",ucl_size);
+    fprintf(stderr,"UCL unpack function size - %d bytes\n",uclunpack_size);
+    fprintf(stderr,"Original total size of firmware - %d bytes\n",(int)len);
+
+    /* Check we have room for our bootloader - in the future, we could UCL
+       pack this image as well if we need to. */
+    if (bootloader_size > (firmware_size - ucl_size)) {
+        fprintf(stderr,"[ERR] Bootloader too large (%d bytes, %d available)\n",
+                bootloader_size, firmware_size - ucl_size);
+        return 1;
+    }
 
-    fprintf(stderr,"Original firmware size - 0x%08x\n",firmware_size);
-    fprintf(stderr,"Padded firmware size - 0x%08x\n",firmware_paddedsize);
-    fprintf(stderr,"Bootloader size - 0x%08x\n",bootloader_size);
-    fprintf(stderr,"New padded size - 0x%08x\n",new_paddedsize);
-    fprintf(stderr,"Original total size of firmware - 0x%08x\n",(int)len);
-    fprintf(stderr,"New total size of firmware - 0x%08x\n",new_length);
+    /* Check we have enough room for the UCL unpack function.  This
+       needs to be outside the firmware block, so if we wanted to
+       support every firmware version, we could store this function in
+       the main firmware block, and then copy it to an unused part of
+       RAM. */
+    if (uclunpack_size > (firmware_paddedsize - firmware_size)) {
+        fprintf(stderr,"[ERR] UCL unpack function too large (%d bytes, %d available)\n",
+                uclunpack_size, firmware_paddedsize - firmware_size);
+        return 1;
+    }
 
-    if (firmware_paddedsize != new_paddedsize) {
-        /* We don't know how to safely increase the firmware size, so abort */
+    /* Zero the original firmware area - not needed, but helps debugging */
+    memset(buf + 0x400, 0, firmware_size);
 
-        fprintf(stderr,
-                "[ERR]  Bootloader too large (%d bytes - %d bytes available), aborting.\n",
-                bootloader_size, firmware_paddedsize - firmware_size);
+    /* Locate our bootloader code at the start of the firmware block */
+    n = read(fdboot, buf + 0x400, bootloader_size);
 
+    if (n != bootloader_size) {
+        fprintf(stderr,"[ERR] Could not load bootloader file\n");
         return 1;
     }
+    close(fdboot);
 
-    ldr = get_uint32le(&buf[0x400]);
+    /* Locate the compressed image of the original firmware block at the end
+       of the firmware block */
+    n = read(fducl, buf + 0x400 + firmware_size - ucl_size, ucl_size);
 
-    if ((ldr & 0xfffff000) != 0xe59ff000) {
-        fprintf(stderr,"[ERR]  Firmware file doesn't start with an \"ldr pc, [pc, #xx]\" instruction.\n");
+    if (n != ucl_size) {
+        fprintf(stderr,"[ERR] Could not load ucl file\n");
         return 1;
     }
-    origoffset = (ldr&0xfff) + 8;
-
-    printf("original firmware entry point: 0x%08x\n",get_uint32le(buf + 0x400 + origoffset));
-    printf("New entry point: 0x%08x\n", firmware_size + 4);
-
-#if 0
-    /* Replace the "Product: Express" string with "Rockbox" */
-    i = 0x400 + firmware_size - 7;
-    while ((i > 0x400) && (memcmp(&buf[i],"Express",7)!=0))
-        i--;
+    close(fducl);
 
-    i = (i + 3) & ~0x3;
-
-    if (i >= 0x400) {
-        printf("Replacing \"Express\" string at offset 0x%08x\n",i);
-        memcpy(&buf[i],"Rockbox",7);
-    } else {
-        printf("Could not find \"Express\" string to replace\n");
-    }
-#endif
 
-    n = read(fdboot, buf + 0x400 + firmware_size, bootloader_size);
+    /* Locate our UCL unpack function in the padding after the firmware block */
+    n = read(fduclunpack, buf + 0x400 + firmware_size, uclunpack_size);
 
-    if (n != bootloader_size) {
-        fprintf(stderr,"[ERR] Could not bootloader file\n");
+    if (n != uclunpack_size) {
+        fprintf(stderr,"[ERR] Could not load uclunpack file\n");
         return 1;
     }
-    close(fdboot);
+    close(fduclunpack);
 
-    /* Replace first word of the bootloader with the original entry point */
-    put_uint32le(buf + 0x400 + firmware_size, get_uint32le(buf + 0x400 + origoffset));
-
-#if 1
-    put_uint32le(buf + 0x400 + origoffset, firmware_size + 4);
-#endif
+    put_uint32le(&buf[0x420], firmware_size + 1);  /* UCL unpack entry point */
+    put_uint32le(&buf[0x424], firmware_size - ucl_size);  /* Location of OF */
 
     /* Update checksum */
-    sum = calc_checksum(buf + 0x400,firmware_size + bootloader_size);
+    sum = calc_checksum(buf + 0x400,firmware_size + uclunpack_size);
 
     put_uint32le(&buf[0x04], sum);
     put_uint32le(&buf[0x204], sum);
 
-    /* Update firmware block count */
-    put_uint32le(&buf[0x08], new_paddedsize / 0x200);
-    put_uint32le(&buf[0x208], new_paddedsize / 0x200);
-
     /* Update firmware size */
-    put_uint32le(&buf[0x0c], firmware_size + bootloader_size);
-    put_uint32le(&buf[0x20c], firmware_size + bootloader_size);
+    put_uint32le(&buf[0x0c], firmware_size + uclunpack_size);
+    put_uint32le(&buf[0x20c], firmware_size + uclunpack_size);
 
     /* Update the whole-file checksum */
     filesum = 0;
-    for (i=0;i < new_length - 4; i+=4)
+    for (i=0;i < (unsigned)len - 4; i+=4)
         filesum += get_uint32le(&buf[i]);
 
-    put_uint32le(buf + new_length - 4, filesum);
+    put_uint32le(buf + len - 4, filesum);
 
 
     /* Write the new firmware */
@@ -276,7 +296,12 @@ int main(int argc, char* argv[])
         return 1;
     }
 
-    write(fdout, buf, new_length);
+    n = write(fdout, buf, len);
+
+    if (n != (unsigned)len) {
+        fprintf(stderr,"[ERR]  Could not write firmware file\n");
+        return 1;
+    }
 
     close(fdout);
 
diff --git a/utils/AMS/hacking/nrv2e_d8.S b/utils/AMS/hacking/nrv2e_d8.S
index 88df64a58f..89cb76dead 100644
--- a/utils/AMS/hacking/nrv2e_d8.S
+++ b/utils/AMS/hacking/nrv2e_d8.S
@@ -77,13 +77,15 @@ ucl_nrv2e_decompress_8: .globl ucl_nrv2e_decompress_8  @ ARM mode
    For SAFE mode: at call, *plen_dst must be allowed length of output buffer.
 */
         adr r12,1+.thumb_nrv2e_d8; bx r12  @ enter THUMB mode
+#endif
         .code 16  @ THUMB mode
         .thumb_func
-#endif
 
 .thumb_nrv2e_d8:
+#if 0
         push {r2,r3, r4,r5,r6,r7, lr}
 #define sp_DST0 0  /* stack offset of original dst */
+#endif
         add srclim,len,src  @ srclim= eof_src;
 #if 1==SAFE  /*{*/
         ldr tmp,[r3]  @ len_dst
@@ -103,12 +105,17 @@ bad_src_n2e:  # return value will be 1
         add src,#1
 #endif  /*}*/
 eof_n2e:
+#if 0
         pop {r3,r4}  @ r3= orig_dst; r4= plen_dst
         sub src,srclim  @ 0 if actual src length equals expected length
         sub dst,r3  @ actual dst length
         str dst,[r4]
         pop {r4,r5,r6,r7 /*,pc*/}
         pop {r1}; bx r1  @ "pop {,pc}" fails return to ARM mode on ARMv4T
+#else
+        mov  r0, #0
+        bx   r0    /* Branch to 0x0, switch to ARM mode */
+#endif
 
 get1_n2e:  @ In: Carry set [from adding 0x80000000 (1<<31) to itself]
           ldrb bits,[src]  @ zero-extend next byte
diff --git a/utils/AMS/hacking/test.S b/utils/AMS/hacking/test.S
index 52f54bdaf6..d4bb2143bb 100644
--- a/utils/AMS/hacking/test.S
+++ b/utils/AMS/hacking/test.S
@@ -1,11 +1,34 @@
+/* int ucl_nrv2e_decompress_8(const unsigned char *src, unsigned char *dst, 
+                           unsigned long *dst_len) */
 
-/* This value is filled in by mkamsboot */
-originalentry:   .word   0
+.text
+.global ucl_nrv2e_decompress_8
 
+
+/* Vectors */
+        ldr   pc, =start
+.word   0
+.word   0
+.word   0
+.word   0
+.word   0
+.word   0
+.word   0
+
+/* These values are filled in by mkamsboot - don't move them from offset 0x20 */
+ucl_unpack:      .word   0 /* Entry point (plus 1 - for thumb) of ucl_unpack */
+ucl_start:       .word   0 /* Start of the ucl-compressed OF image */
+
+
+start:
         /* A delay loop - just to prove we're running */
         mov   r1, #0x500000       /* Approximately 5 seconds */
 loop:   subs  r1, r1, #1
         bne   loop
 
-        /* Now branch back to the original firmware's entry point */
-        ldr   pc, originalentry
+        /* Call the ucl decompress function, which will branch to 0x0
+           on completion */
+        ldr   r0, ucl_start   /* Source */
+        mov   r1, #0          /* Destination */
+        ldr   r2, ucl_unpack
+        bx    r2