author | Cástor Muñoz <cmvidal@gmail.com> | 2016-02-04 23:05:17 +0100 |
---|---|---|
committer | Cástor Muñoz <cmvidal@gmail.com> | 2017-04-14 00:03:42 +0200 |
commit | 346423c040fe4ac31dae7c1afcb1d853cc80635c (patch) | |
tree | bd8dd4c55f083a1162f7019188977213a20dc41c /rbutil/mks5lboot/dualboot/dualboot.c | |
parent | eefc7c73e2495decdc6f242515696fe0e3f85609 (diff) | |
mks5lboot v1.0 - dualboot installer for s5l8702 targetsmks5lboot_1.0
A tool to install/uninstall a bootloader into a s5l8702 based device:
- iPod Classic 6G
- iPod Nano 3G (TODO)
See mks5lboot/README for detailed info.
Change-Id: I451d2aaff34509ebd356e4660647e5222c5d3409
Diffstat (limited to 'rbutil/mks5lboot/dualboot/dualboot.c')
-rw-r--r-- | rbutil/mks5lboot/dualboot/dualboot.c | 287 |
1 files changed, 287 insertions, 0 deletions
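--- /dev/null
+++ b/rbutil/mks5lboot/dualboot/dualboot.c
@@ -0,0 +1,287 @@
+/***************************************************************************
+* __________ __ ___.
+* Open \______ \ ____ ____ | | _\_ |__ _______ ___
+* Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
+* Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
+* Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
+* \/ \/ \/ \/ \/
+* $Id$
+*
+* Copyright (C) 2015 by Cástor Muñoz
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+* KIND, either express or implied.
+*
+****************************************************************************/
+#include <stdint.h>
+#include <string.h>
+
+#include "config.h"
+#include "system.h"
+#include "button.h"
+
+#include "s5l8702.h"
+#include "clocking-s5l8702.h"
+#include "spi-s5l8702.h"
+#include "nor-target.h"
+#include "piezo.h"
+
+/* How it works:
+*
+* - dualboot-installer: installs or updates a RB bootloader, the bootloader
+* to install/update is already included into dualboot-installer.dfu file,
+* once it is executed by the iPod device:
+*
+* 1) locates an original NORBOOT (ONB): first it looks at offset=32KB, if
+* a NORBOOT is found but it is not an ONB then it is supposed it is a
+* RB bootloader (that should be updated), then the ONB is loaded from
+* offset=32KB+old_BLSIZE).
+* 2) write ONB at 32KB+new_BLSIZE, if it fails then:
+* 2a) try to restore ONB to its 'pristine' place (offset=32KB), if it
+* also fails then the NOR got corrupted (ONB probably destroyed)
+* and iTunes should be used to restore the iPod.
+* 3) write new (included) RB bootloader at offset=32KB, it it fails then
+* goto 2a)
+*
+* - dualboot-uninstaller: uninstall RB bootloader from NOR, leaving it at
+* it's previous (pristine) state.
+*
+* See bootloader/ipod6g.c for notes on how the RB bootloader works.
+*
+*
+* Pristine NOR Rockboxed NOR
+* 1MB ______________
+| |
+| flsh DIR |
+1MB-0x200 |______________|
+| |
+| File 1 |
+|..............|
+| |
+. .
+. .
+. .
+| |
+|..............|
+| | . .
+| File N | . .
+|______________| |______________|
+| | | |
+| | | |
+| | | Unused |
+| | | |
+| Unused | 160KB+BLSZ |______________|
+| | | |
+| | | Original |
+| | | NOR boot |
+160KB |______________| | (decrypted) |
+| | | |
+| | 32KB+BLSZ |______________|
+| Original | | |
+| NOR boot | | Decrypted |
+| (encrypted) | | Rockbox |
+| | | Bootloader |
+32KB |______________| 32KB |______________|
+| | | |
+| | . .
+| | . .
+|______________|
+| |
+| SysCfg |
+0 |______________|
+*
+*/
+
+#define OF_LOADADDR IRAM1_ORIG
+
+/* tone sequences: period (uS), duration (ms), silence (ms) */
+static uint16_t alive[] = { 500,100,0, 0 };
+static uint16_t happy[] = { 1000,100,0, 500,150,0, 0 };
+static uint16_t fatal[] = { 3000,500,500, 3000,500,500, 3000,500,0, 0 };
+#define sad2 (&fatal[3])
+#define sad (&fatal[6])
+
+/* iPod Classic: decrypted hashes for known OFs */
+static unsigned char of_sha[][SIGN_SZ] = {
+"\x66\x66\x76\xDC\x1D\x32\xB2\x46\xA6\xC9\x7D\x5A\x61\xD3\x49\x4C", /* v1.1.2 */
+"\x1E\xF0\xD9\xDE\xC2\x7E\xEC\x02\x7C\x15\x76\xBB\x5C\x4F\x2D\x95", /* v2.0.1 */
+"\x06\x85\xDF\x28\xE4\xD7\xF4\x82\xC0\x73\xB0\x53\x26\xFC\xB0\xFE", /* v2.0.4 */
+"\x60\x80\x7D\x33\xA8\xDE\xF8\x49\xBB\xBE\x01\x45\xFF\x62\x40\x19" /* v2.0.5 */
+};
+#define N_OF (int)(sizeof(of_sha)/SIGN_SZ)
+
+/* we can assume that unknown FW is a RB bootloader */
+#define FW_RB N_OF
+
+static int identify_fw(struct Im3Info *hinfo)
+{
+unsigned char hash[SIGN_SZ];
+int of;
+
+/* decrypt hash to identify OF */
+memcpy(hash, hinfo->u.enc12.data_sign, SIGN_SZ);
+hwkeyaes(HWKEYAES_DECRYPT, HWKEYAES_UKEY, hash, SIGN_SZ);
+
+for (of = 0; of < N_OF; of++)
+if (memcmp(hash, of_sha[of], SIGN_SZ) == 0)
+break;
+
+return of;
+}
+
+#ifdef DUALBOOT_UNINSTALL
+/* Uninstall RB bootloader */
+void main(void)
+{
+struct Im3Info *hinfo;
+void *fw_addr;
+uint16_t *status;
+unsigned bl_nor_sz;
+
+usec_timer_init();
+piezo_seq(alive);
+spi_clkdiv(SPI_PORT, 4); /* SPI clock = 27/5 MHz. */
+
+hinfo = (struct Im3Info*)OF_LOADADDR;
+fw_addr = (void*)hinfo + IM3HDR_SZ;
+
+if (im3_read(NORBOOT_OFF, hinfo, NULL) != 0) {
+status = sad;
+goto bye; /* no FW found */
+}
+
+if (identify_fw(hinfo) != FW_RB) {
+status = happy;
+goto bye; /* RB bootloader not installed, nothing to do */
+}
+
+/* if found FW is a RB bootloader, OF should start just behind it */
+bl_nor_sz = im3_nor_sz(hinfo);
+if ((im3_read(NORBOOT_OFF + bl_nor_sz, hinfo, fw_addr) != 0)
+|| (identify_fw(hinfo) == FW_RB)) {
+status = sad;
+goto bye; /* OF not found */
+}
+
+/* decrypted OF correctly loaded, encrypt it before restoration */
+im3_crypt(HWKEYAES_ENCRYPT, hinfo, fw_addr);
+
+/* restore OF to it's original place */
+if (!im3_write(NORBOOT_OFF, hinfo)) {
+status = fatal;
+goto bye; /* corrupted NOR, use iTunes to restore */
+}
+
+/* erase freed NOR blocks */
+bootflash_init(SPI_PORT);
+bootflash_erase_blocks(SPI_PORT,
+(NORBOOT_OFF + im3_nor_sz(hinfo)) >> 12, bl_nor_sz >> 12);
+bootflash_close(SPI_PORT);
+
+status = happy;
+
+bye:
+/* minimum time between the initial and the final beeps */
+while (USEC_TIMER < 2000000);
+piezo_seq(status);
+WDTCON = 0x100000; /* WDT reset */
+while (1);
+}
+
+#else
+/* Install RB bootloader */
+struct Im3Info bl_hinfo __attribute__((section(".im3info.data"))) =
+{
+.ident = IM3_IDENT,
+.version = IM3_VERSION,
+.enc_type = 2,
+};
+
+static uint32_t get_uint32le(unsigned char *p)
+{
+return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+}
+
+void main(void)
+{
+uint16_t *status = happy;
+int single_boot;
+struct Im3Info *hinfo;
+void *fw_addr;
+unsigned bl_nor_sz;
+
+usec_timer_init();
+piezo_seq(alive);
+spi_clkdiv(SPI_PORT, 4); /* SPI clock = 27/5 MHz. */
+
+/* check for single boot installation, is is configured when
+mks5lboot.exe builds the .dfu image */
+single_boot = bl_hinfo.info_sign[0];
+
+/* sign RB bootloader (data and header), but don't encrypt it,
+use current decrypted image for faster load */
+im3_sign(HWKEYAES_UKEY, (void*)&bl_hinfo + IM3HDR_SZ,
+get_uint32le(bl_hinfo.data_sz), bl_hinfo.u.enc12.data_sign);
+im3_sign(HWKEYAES_UKEY, &bl_hinfo, IM3INFOSIGN_SZ, bl_hinfo.info_sign);
+
+if (single_boot) {
+if (!im3_write(NORBOOT_OFF, &bl_hinfo))
+status = sad;
+goto bye;
+}
+
+hinfo = (struct Im3Info*)OF_LOADADDR;
+fw_addr = (void*)hinfo + IM3HDR_SZ;
+
+if (im3_read(NORBOOT_OFF, hinfo, fw_addr) != 0) {
+status = sad;
+goto bye; /* no FW found */
+}
+
+if (identify_fw(hinfo) == FW_RB) {
+/* FW found, but not OF, assume it is a RB bootloader,
+already decrypted OF should be located just behind */
+int nor_offset = NORBOOT_OFF + im3_nor_sz(hinfo);
+if ((im3_read(nor_offset, hinfo, fw_addr) != 0)
+|| (identify_fw(hinfo) == FW_RB)) {
+status = sad;
+goto bye; /* OF not found, use iTunes to restore */
+}
+}
+
+bl_nor_sz = im3_nor_sz(&bl_hinfo);
+/* safety check - verify we are not going to overwrite useful data */
+if (flsh_get_unused() < bl_nor_sz) {
+status = sad2;
+goto bye; /* no space if flash, use iTunes to restore */
+}
+
+/* write decrypted OF and RB bootloader, if any of these fails we
+will try to retore OF to its original place */
+if (!im3_write(NORBOOT_OFF + bl_nor_sz, hinfo)
+|| !im3_write(NORBOOT_OFF, &bl_hinfo)) {
+im3_crypt(HWKEYAES_ENCRYPT, hinfo, fw_addr);
+if (!im3_write(NORBOOT_OFF, hinfo)) {
+/* corrupted NOR, use iTunes to restore */
+status = fatal;
+}
+else {
+/* RB bootloader not succesfully intalled, but device
+was restored and should be working as before */
+status = sad;
+}
+}
+
+bye:
+/* minimum time between the initial and the final beeps */
+while (USEC_TIMER < 2000000);
+piezo_seq(status);
+WDTCON = 0x100000; /* WDT reset */
+while (1);
+}
+#endif /* DUALBOOT_UNINSTALL */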
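Review bot: In the installer's single-boot branch, a failed `im3_write(NORBOOT_OFF, &bl_hinfo)` sets `status = sad`, the same code the dual-boot branch uses for "device was restored and should be working as before", yet this branch writes over the boot image at NORBOOT_OFF without first loading the original NOR boot and makes no restore attempt. If im3_write can fail after it has started erasing or programming (its body is not in this file, so that is an assumption), the user hears a recoverable-looking beep for a NOR that may no longer boot; I would report it as `if (!im3_write(NORBOOT_OFF, &bl_hinfo)) status = fatal;`. The same branch jumps to `bye` before the `flsh_get_unused()` safety check, so nothing visible here confirms that the new image fits below the flsh files in single-boot mode. Separately, `get_uint32le` shifts an int-promoted `p[3]` left by 24, which is undefined when that byte is 0x80 or above; `((uint32_t)p[3] << 24)` avoids it.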