Introduce rbutil/mkzenboot, a replacement for tools/mkzenboot

The old tools/mkzenboot has a number of problems: very hard to maintain,
poor integration with rbutil. Restart from scratch by recycling all the
crypto and descrambling code, rewrite the actual firmware modification part
to handle all scenarios in a much clearer way. The code is ready to be
integrated into Rockbox Utility, by using the very similar interface to
mkimxboot.
I copied all the keys from the old mkzenboot, so it can potentially support
the older Creative ports, but since this is untested, I prefer not do so
at the moment. However, I did add a "mixed" boot option to support the
dualboot style used in the older ports.

Change-Id: I80cfc48fa78187baa1b1692e8a30ec7137cea37b

1 files changed, 689 insertions, 0 deletions

diff --git a/rbutil/mkzenboot/mkzenboot.c b/rbutil/mkzenboot/mkzenboot.c
new file mode 100644
index 0000000000..396357e6fe
--- /dev/null
+++ b/rbutil/mkzenboot/mkzenboot.c
@@ -0,0 +1,689 @@
+/***************************************************************************
+ *             __________               __   ___.
+ *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
+ *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
+ *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
+ *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
+ *                     \/            \/     \/    \/            \/
+ * $Id$
+ *
+ * Copyright (C) 2008 by Maurus Cuelenaere
+ * Based on zenutils by Rasmus Ry <rasmus.ry{at}gmail.com>
+ * Copyright (C) 2013 by Amaury Pouly
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ****************************************************************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include "mkzenboot.h"
+#include "utils.h"
+#include "dualboot.h"
+
+/**
+ * Keys used by players
+ */
+static const char null_key_v1[]  = "CTL:N0MAD|PDE0.SIGN.";
+static const char null_key_v2[]  = "CTL:N0MAD|PDE0.DPMP.";
+static const char null_key_v3[]  = "CTL:N0MAD|PDE0.DPFP.";
+static const char null_key_v4[]  = "CTL:Z3N07|PDE0.DPMP.";
+
+static const char tl_zvm_key[]   = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Vision:M";
+static const char tl_zvm60_key[] = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Vision:M (D"
+                                   "VP-HD0004)";
+static const char tl_zen_key[]   = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN";
+static const char tl_zenxf_key[] = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN X-Fi";
+static const char tl_zenmo_key[] = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN Mozaic";
+static const char tl_zv_key[]    = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Vision";
+static const char tl_zvw_key[]   = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN Vision W";
+static const char tl_zm_key[]    = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Micro";
+static const char tl_zmp_key[]   = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen MicroPhoto";
+static const char tl_zs_key[]    = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Sleek";
+static const char tl_zsp_key[]   = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Sleek Photo";
+static const char tl_zt_key[]    = "1sN0TM3D az u~may th1nk*"
+                                   "Creative Zen Touch";
+static const char tl_zx_key[]    = "1sN0TM3D az u~may th1nk*"
+                                   "NOMAD Jukebox Zen Xtra";
+static const char tl_zenv_key[]  = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN V";
+static const char tl_zenvp_key[] = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN V Plus";
+static const char tl_zenvv_key[] = "1sN0TM3D az u~may th1nk*"
+                                   "Creative ZEN V (Video)";
+
+struct player_info_t
+{
+    const char* name;
+    const char* null_key;  /* HMAC-SHA1 key */
+    const char* tl_key;    /* BlowFish key */
+    bool big_endian;
+    char *cinf;
+};
+
+static struct player_info_t zen_players[] =
+{
+    {"Zen Vision:M", null_key_v2, tl_zvm_key, false, NULL},
+    {"Zen Vision:M 60GB", null_key_v2, tl_zvm60_key, false, NULL},
+    {"Zen", null_key_v4, tl_zen_key, false, "Creative ZEN"},
+    {"Zen X-Fi", null_key_v4, tl_zenxf_key, false, "Creative ZEN X-Fi"},
+    {"Zen Mozaic", null_key_v4, tl_zenmo_key, false, "Creative ZEN Mozaic"},
+    {"Zen Vision", null_key_v2, tl_zv_key, false, NULL},
+    {"Zen Vision W", null_key_v2, tl_zvw_key, false, NULL},
+    {"Zen Micro", null_key_v1, tl_zm_key, true, NULL},
+    {"Zen MicroPhoto", null_key_v1, tl_zmp_key, true, NULL},
+    {"Zen Sleek", null_key_v1, tl_zs_key, true, NULL},
+    {"Zen SleekPhoto", null_key_v1, tl_zsp_key, true, NULL},
+    {"Zen Touch", null_key_v1, tl_zt_key, true, NULL},
+    {"Zen Xtra", null_key_v1, tl_zx_key, true, NULL},
+    {"Zen V", null_key_v3, tl_zenv_key, false, NULL},
+    {"Zen V Plus", null_key_v3, tl_zenvp_key, false, NULL},
+    {"Zen V Video", null_key_v3, tl_zenvv_key, false, NULL},
+    {NULL, NULL, NULL, false, NULL}
+};
+
+/**
+ * Information on how to patch firmwares
+ */
+struct zen_model_desc_t
+{
+    /* Descriptive name of this model (must match player in zen_players[]) */
+    const char *model_name;
+    /* Model name used in the Rockbox header in ".zen" files - these match the
+       -add parameter to the "scramble" tool */
+    const char *rb_model_name;
+    /* Model number used to initialise the checksum in the Rockbox header in
+       ".zen" files - these are the same as MODEL_NUMBER in config-target.h */
+    const int rb_model_num;
+    /* Bootloader load address */
+    uint32_t bootloader_addr;
+    /* Dualboot code for this model */
+    const unsigned char *dualboot;
+    /* Size of dualboot functions for this model */
+    int dualboot_size;
+};
+
+/* keep this consistent with the address in dualboot.lds */
+static const struct zen_model_desc_t zen_models[] =
+{
+    [MODEL_UNKNOWN] =
+    {
+        "Unknown", "    ", 0, 0, NULL, 0
+    },
+    [MODEL_ZENV] =
+    {
+        "Zen V", "zenv", 85, 0x60000000, NULL, 0
+    },
+    [MODEL_ZENXFI] =
+    {
+        "Zen X-Fi", "zxfi", 86, 0x41000000, dualboot_zenxfi, sizeof(dualboot_zenxfi)
+    },
+    [MODEL_ZENMOZAIC] =
+    {
+        "Zen Mozaic", "zmoz", 87, 0x41000000, dualboot_zenmozaic, sizeof(dualboot_zenmozaic)
+    },
+    [MODEL_ZEN] =
+    {
+        "Zen", "zen", 90, 0x41000000, dualboot_zen, sizeof(dualboot_zen)
+    },
+};
+
+/**
+ * MD5 knowledge base
+ */
+
+struct zen_md5sum_t
+{
+    /* Device model */
+    enum zen_model_t model;
+    /* md5sum of the file */
+    char *md5sum;
+    /* Version string */
+    const char *version;
+};
+
+static const struct zen_md5sum_t zen_sums[] =
+{
+    /** Zen Mozaic */
+    {
+        /* Version 1.06.01e */
+        MODEL_ZENMOZAIC, "88a856f8273b2bc3fcacf1f067a44aa8", "1.06.01e"
+    },
+    /** Zen X-Fi */
+    {
+        /* Version 1.04.08e */
+        MODEL_ZENXFI, "f07e2e75069289a2aa14c6583bd9643b", "1.04.08e"
+    },
+    /** Zen V */
+    {
+        /* Version 1.32.01e */
+        MODEL_ZENV, "2f6d3e619557583c30132ac87221bc3e", "1.32.01e"
+    },
+    /** Zen */
+    {
+        /* Version 1.21.03e */
+        MODEL_ZEN, "1fe28f587f87ac3c280281db28c42465", "1.21.03e"
+    }
+};
+
+#define NR_ZEN_PLAYERS  (sizeof(zen_players) / sizeof(zen_players[0]))
+#define NR_ZEN_SUMS     (sizeof(zen_sums) / sizeof(zen_sums[0]))
+#define NR_ZEN_MODELS   (sizeof(zen_models) / sizeof(zen_models[0]))
+
+#define MAGIC_ROCK      0x726f636b /* 'rock' */
+#define MAGIC_RECOVERY  0xfee1dead
+#define MAGIC_NORMAL    0xcafebabe
+
+/**
+ * Stolen from various places in our codebase
+ */
+
+/**
+ * EDOC file format
+ */
+struct edoc_header_t
+{
+    char magic[4];
+    uint32_t total_size;
+    uint32_t zero;
+};
+
+struct edoc_section_header_t
+{
+    uint32_t addr;
+    uint32_t size;
+    uint32_t checksum;
+};
+
+uint32_t edoc_checksum(void *buffer, size_t size)
+{
+    uint32_t c = 0;
+    uint32_t *p = buffer;
+    while(size >= 4)
+    {
+        c += *p + (*p >> 16);
+        p++;
+        size -= 4;
+    }
+    if(size != 0)
+        printf("[WARN] EDOC Checksum section size is not a multiple of 4 bytes, result is undefined!\n");
+    return c & 0xffff;
+}
+
+#define errorf(err, ...) do { printf(__VA_ARGS__); return err; } while(0)
+
+/**
+ * How does patching code work
+ * ---------------------------
+ *
+ * All Creative firmwares work the same: they start at 0 and the code sequence at
+ * 0 always contains the vector table with ldr with offsets:
+ *   0:       e59ff018        ldr     pc, [pc, #24]   ; 0x20
+ *   4:       e59ff018        ldr     pc, [pc, #24]   ; 0x24
+ *   8:       e59ff018        ldr     pc, [pc, #24]   ; 0x28
+ *   c:       e59ff018        ldr     pc, [pc, #24]   ; 0x2c
+ *  10:       e59ff018        ldr     pc, [pc, #24]   ; 0x30
+ *  14:       e59ff018        ldr     pc, [pc, #24]   ; 0x34
+ *  18:       e59ff018        ldr     pc, [pc, #24]   ; 0x38
+ *  1c:       e59ff018        ldr     pc, [pc, #24]   ; 0x3c
+ *  20:       0000dbd4        .word start
+ *  24:       0000dcac        .word undef_instr_handler
+ *  28:       0000dcb0        .word software_int_handler
+ *  2c:       0000dcb4        .word prefetch_abort_handler
+ *  30:       0000dcb8        .word data_abort_handler
+ *  34:       0000dcbc        .word reserved_handler
+ *  38:       0000dcc0        .word irq_handler
+ *  3c:       0000dd08        .word fiq_handler
+ *
+ * To build a dual-boot image, we modify the start address to point to some
+ * code we added to the image. Specifically we first add the stub, then
+ * the rockbox image. We also write the old start address to this
+ * stub so that it can either decide to run rockbox or patch back the
+ * start address and jump to 0.
+ * Singleboot and recovery is handled the same way except that both targets use
+ * the same address and we drop the OF, so we create a fake vector table!
+ */
+
+struct dualboot_footer_t
+{
+    uint32_t magic;
+    uint32_t of_addr;
+    uint32_t rb_addr;
+    uint32_t boot_arg;
+} __attribute__((packed));
+
+#define FOOTER_MAGIC    0x1ceb00da
+
+static enum zen_error_t create_fake_image(uint8_t **fw, uint32_t *fw_size)
+{
+    /** We need to create a fake EDOC image, so first a header and one section
+     * header with one data chunk. */
+    /** The fake image is as follows:
+     *   0:       e59ff018        ldr     pc, [pc, #24]   ; 0x20
+     *   4:       e59ff018        ldr     pc, [pc, #24]   ; 0x24
+     *   8:       e59ff018        ldr     pc, [pc, #24]   ; 0x28
+     *   c:       e59ff018        ldr     pc, [pc, #24]   ; 0x2c
+     *  10:       e59ff018        ldr     pc, [pc, #24]   ; 0x30
+     *  14:       e59ff018        ldr     pc, [pc, #24]   ; 0x34
+     *  18:       e59ff018        ldr     pc, [pc, #24]   ; 0x38
+     *  1c:       e59ff018        ldr     pc, [pc, #24]   ; 0x3c
+     *  20:       00000040        .word   hang
+     *  24:       00000040        .word   hang
+     *  28:       00000040        .word   hang
+     *  2c:       00000040        .word   hang
+     *  30:       00000040        .word   hang
+     *  34:       00000040        .word   hang
+     *  38:       00000040        .word   hang
+     *  3c:       00000040        .word   hang
+     *  40 <hang>:
+     *  40:       eafffffe        b       40 <hang> */
+    *fw_size = sizeof(struct edoc_header_t) + sizeof(struct edoc_section_header_t) + 0x44;
+    *fw = malloc(*fw_size);
+    if(*fw == NULL)
+        errorf(ZEN_ERROR, "[ERR] Allocation failed");
+    struct edoc_header_t *hdr = (void *)*fw;
+    memcpy(hdr->magic, "EDOC", 4);
+    hdr->total_size = *fw_size - sizeof(struct edoc_header_t) + 4;
+    hdr->zero = 0;
+    struct edoc_section_header_t *sec = (void *)(hdr + 1);
+    sec->addr = 0;
+    sec->size = 0x44;
+    uint32_t *p = (void *)(sec + 1);
+    p[0] = p[1] = p[2] = p[3] = p[4] = p[5] = p[6] = p[7] = 0xe59ff018;
+    p[8] = p[9] = p[10] = p[11] = p[12] = p[13] = p[14] = p[15] = 0x40;
+    p[16] = 0xeafffffe;
+    sec->checksum = edoc_checksum(p, 0x44);
+    return ZEN_SUCCESS;
+}
+
+static enum zen_error_t patch_firmware(uint8_t **fw, uint32_t *fw_size,
+    void *boot, size_t boot_size, struct zen_option_t opt)
+{
+    /* check if dualboot stub is available */
+    const void *dualboot = zen_models[opt.model].dualboot;
+    int dualboot_size = zen_models[opt.model].dualboot_size;
+    uint32_t dualboot_addr = zen_models[opt.model].bootloader_addr;
+    if(dualboot == NULL)
+        errorf(ZEN_DONT_KNOW_HOW_TO_PATCH, "[ERR] I don't have a dualboot stub for this model\n");
+    /* if not asked to dualboot, drop OF and create a fake image */
+    if(opt.output != ZEN_DUALBOOT)
+    {
+        enum zen_error_t ret = create_fake_image(fw, fw_size);
+        if(ret != ZEN_SUCCESS)
+            return ret;
+    }
+    /* compute final image size: add stub + bootloader in one block as a section */
+    int extra_size = sizeof(struct edoc_section_header_t) + dualboot_size + boot_size;
+    *fw_size += extra_size;
+    *fw = realloc(*fw, *fw_size);
+    if(*fw == NULL)
+        errorf(ZEN_ERROR, "[ERR] Allocation failed");
+    /* sanity check */
+    struct edoc_header_t *hdr = (void *)*fw;
+    if(memcmp(hdr->magic, "EDOC", 4) != 0)
+        errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't use EDOC format\n");
+    /* validate image and find OF start addr */
+    uint32_t of_addr = 0;
+    struct edoc_section_header_t *sec_hdr = (void *)(hdr + 1);
+    while((void *)sec_hdr - (void *)&hdr->zero < hdr->total_size)
+    {
+        if(sec_hdr->checksum != edoc_checksum(sec_hdr + 1, sec_hdr->size))
+            errorf(ZEN_FW_INVALID, "[ERR] Firmware checksum error\n");
+        if(sec_hdr->addr == 0)
+        {
+            uint32_t *start_vector = ((void *)(sec_hdr + 1) + 0x20);
+            /* extract address */
+            of_addr = *(uint32_t *)start_vector;
+            /* patch vector */
+            *start_vector = dualboot_addr;
+            /* fix checksum */
+            sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size);
+        }
+        sec_hdr = (void *)(sec_hdr + 1) + sec_hdr->size;
+    }
+    if(of_addr == 0)
+        errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't have the expected format\n");
+    printf("[INFO] OF start address: %#x\n", of_addr);
+    /* add extra section */
+    sec_hdr->addr = dualboot_addr;
+    sec_hdr->size = dualboot_size + boot_size;
+    /* add extra data */
+    memcpy(sec_hdr + 1, dualboot, dualboot_size);
+    memcpy((void *)(sec_hdr + 1) + dualboot_size, boot, boot_size);
+    /* locate and patch dualboot footer */
+    struct dualboot_footer_t *footer = (void *)(sec_hdr + 1) + dualboot_size -
+        sizeof(struct dualboot_footer_t);
+    if(footer->magic != FOOTER_MAGIC)
+        errorf(ZEN_FW_INVALID, "[ERR] Footer magic mismatch\n");
+    uint32_t rb_addr = dualboot_addr + dualboot_size;
+    printf("[INFO] RB start address: %#x\n", rb_addr);
+    footer->of_addr = opt.output == ZEN_DUALBOOT ? of_addr : rb_addr;
+    footer->rb_addr = rb_addr;
+    footer->boot_arg = opt.output == ZEN_RECOVERY ? 0xfee1dead : 0xcafebabe;
+    printf("[INFO] Footer: 0x%08x 0x%08x 0x%08x\n", footer->of_addr, footer->rb_addr,
+        footer->boot_arg);
+    /* fix image */
+    sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size);
+    hdr->total_size += extra_size;
+    return ZEN_SUCCESS;
+}
+
+struct player_info_t *get_player_info(enum zen_model_t model)
+{
+    for(int i = 0; zen_players[i].name; i++)
+        if(strcmp(zen_models[model].model_name, zen_players[i].name) == 0)
+            return &zen_players[i];
+    return NULL;
+}
+
+enum zen_error_t build_firmware(void *exec, size_t exec_size, void *boot, size_t boot_size,
+    const char *outfile, struct zen_option_t opt)
+{
+    uint8_t *buffer = exec;
+    /** find player info */
+    struct player_info_t *player = get_player_info(opt.model);
+    if(player == NULL)
+        errorf(ZEN_UNSUPPORTED, "[ERR] There is no player info for this model\n");
+    if(player->big_endian)
+        errorf(ZEN_UNSUPPORTED, "[ERR] Big-endian players are currently unsupported\n");
+
+    /** Find Win32 PE .data section */
+    uint32_t data_ptr;
+    uint32_t data_size;
+    enum zen_error_t err = find_pe_data(exec, exec_size, &data_ptr, &data_size);
+    if(err != ZEN_SUCCESS)
+        errorf(err, "[ERR] Cannot find .data section\n");
+    printf("[INFO] .data section is at 0x%x with size 0x%x\n", data_ptr, data_size);
+
+    /** look for firmware and key in data section */
+    uint32_t fw_offset = find_firmware_offset(&buffer[data_ptr], data_size);
+    if(fw_offset == 0)
+        errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware offset\n");
+    uint32_t fw_size = le2int(&buffer[data_ptr + fw_offset]);
+    printf("[INFO] Firmware offset is at 0x%x with size 0x%x\n", data_ptr + fw_offset, fw_size);
+    const char *fw_key = find_firmware_key(exec, exec_size);
+    if(fw_key == NULL)
+        errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware key\n");
+    printf("[INFO] Firmware key is %s\n", fw_key);
+
+    /** descramble firmware */
+    printf("[INFO] Descrambling firmware... ");
+    if(!crypt_firmware(fw_key, &buffer[data_ptr + fw_offset + 4], fw_size))
+        errorf(ZEN_ERROR, "Fail!\n");
+    else
+        printf("Done!\n");
+    /** decompress it */
+    uint8_t *out_buffer = malloc(fw_size * 2);
+    if(out_buffer == NULL)
+        errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory");
+    memset(out_buffer, 0, fw_size * 2);
+    printf("[INFO] Decompressing firmware... ");
+    char *err_msg;
+    if(!inflate_to_buffer(&buffer[data_ptr + fw_offset + 4], fw_size, out_buffer,
+            fw_size * 2, &err_msg))
+        errorf(ZEN_ERROR, "Fail!\n[ERR] ZLib error: %s\n", err_msg);
+    else
+        printf("Done!\n");
+
+    /** check format and resize the buffer */
+    if(memcmp(out_buffer, "FFIC", 4) != 0)
+        errorf(ZEN_FW_INVALID, "[ERR] CIFF header doesn't match\n");
+    uint32_t ciff_size = le2int(&out_buffer[4]) + 8 + 28; /* CIFF block + NULL block*/
+    printf("[INFO] Total firmware size: %d\n", ciff_size);
+    out_buffer = realloc(out_buffer, ciff_size);
+    if(out_buffer == NULL)
+        errorf(ZEN_ERROR, "[ERR] Cannot resize memory block\n");
+
+    /** look for firmware file */
+    printf("[INFO] Locating encoded block... ");
+    uint32_t fw_off = 8;
+    uint8_t *cinf_ptr = NULL;
+    while(memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0 && fw_off < ciff_size)
+    {
+        if(memcmp(&out_buffer[fw_off], "FNIC", 4) == 0)
+        {
+            cinf_ptr = &out_buffer[fw_off + 8];
+            fw_off += 4 + 4 + 96;
+        }
+        else if(memcmp(&out_buffer[fw_off], "ATAD", 4) == 0)
+        {
+            fw_off += 4;
+            fw_off += le2int(&out_buffer[fw_off]);
+            fw_off += 4;
+        }
+        else
+            errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Unknown block\n");
+    }
+    if(fw_off >= ciff_size || memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0)
+        errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find encoded block\n");
+    if(!cinf_ptr)
+        errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find CINF\n");
+    printf("Done!\n");
+
+    /** validate player if possible */
+    printf("[INFO] Checking player model...");
+    if(player->cinf)
+    {
+        char cinf_ascii[96];
+        for(int j = 0; j < 96; j++)
+            cinf_ascii[j] = *(unsigned short *)&cinf_ptr[2 * j];
+        if(strncmp(cinf_ascii, player->cinf, 96) != 0)
+            errorf(ZEN_FW_MISMATCH, "Fail!\n[ERR] Player mismatch: CINF indicates '%s' instead of '%s'\n",
+                cinf_ascii, player->cinf);
+        else
+            printf("Done!\n");
+    }
+    else
+        printf("Bypass!\n");
+
+    /** decrypt firmware */
+    printf("[INFO] Decrypting encoded block... ");
+    uint32_t iv[2];
+    iv[0] = 0;
+    iv[1] = swap(le2int(&out_buffer[fw_off + 4]));
+    if(!bf_cbc_decrypt((unsigned char*)player->tl_key, strlen(player->tl_key) + 1,
+            &out_buffer[fw_off + 8], le2int(&out_buffer[fw_off + 4]), (const unsigned char*)&iv))
+        errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decrypt encoded block\n");
+    printf("Done!\n");
+
+    /** sanity checks on firmware */
+    uint32_t jrm_size = le2int(&out_buffer[fw_off + 8]);
+    if(jrm_size > le2int(&out_buffer[fw_off + 4]) * 3)
+        errorf(ZEN_FW_INVALID, "[ERR] Decrypted length of encoded block is unexpectedly large: 0x%08x\n", jrm_size);
+    printf("[INFO] Firmware size: %d\n", jrm_size);
+    uint8_t *jrm = malloc(jrm_size);
+    if(jrm == NULL)
+        errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory\n");
+    memset(buffer, 0, jrm_size);
+
+    /** decompress firmware */
+    printf("[INFO] Decompressing encoded block... ");
+    if(!cenc_decode(&out_buffer[fw_off + 12], le2int(&out_buffer[fw_off + 4]) - 4, jrm, jrm_size))
+        errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decompress the encoded block\n");
+    printf("Done!\n");
+
+    /** Copy OF because patching might modify it */
+    void *jrm_save = malloc(jrm_size);
+    uint32_t jrm_save_size = jrm_size;
+    if(jrm_save == NULL)
+        errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory");
+    memcpy(jrm_save, jrm, jrm_size);
+
+    /** Patch firmware */
+    err = patch_firmware(&jrm, &jrm_size, boot, boot_size, opt);
+    if(err != ZEN_SUCCESS)
+        errorf(err, "[ERR] Couldn't patch firmware\n");
+
+    /** Rebuild archive */
+    bool keep_old_bits = opt.output == ZEN_DUALBOOT || opt.output == ZEN_MIXEDBOOT;
+    bool keep_of = opt.output == ZEN_MIXEDBOOT;
+    /* if we keep old stuff, keep everything up to LT block, otherwise just CIFF header */
+    uint32_t off = keep_old_bits ? fw_off : 8;
+    /* move the rest of the archive if keeping old stuff */
+    if(keep_old_bits)
+    {
+        uint32_t copy_off = fw_off + 8 + le2int(&out_buffer[fw_off + 4]);
+        uint32_t copy_size = ciff_size - fw_off - 8 - le2int(&out_buffer[fw_off + 4]) - 28;
+        memmove(&out_buffer[off], &out_buffer[copy_off], copy_size);
+        off += copy_size;
+    }
+    /* if we keep the OF, put a copy of it after renaming it to Hcreativeos.jrm */
+    if(keep_of)
+    {
+        out_buffer = realloc(out_buffer, off + jrm_save_size + 40);
+        if(out_buffer == NULL)
+            errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n");
+        printf("[INFO] Renaming encoded block to Hcreativeos.jrm... ");
+        memcpy(&out_buffer[off], "ATAD", 4);
+        int2le(jrm_save_size + 32, &out_buffer[off + 4]);
+        memset(&out_buffer[off + 8], 0, 32);
+        memcpy(&out_buffer[off + 8], "H\0c\0r\0e\0a\0t\0i\0v\0e\0o\0s\0.\0j\0r\0m", 30);
+        memcpy(&out_buffer[off + 40], jrm_save, jrm_save_size);
+        off += jrm_save_size + 40;
+        printf("Done!\n");
+    }
+    /* put modified firmware */
+    out_buffer = realloc(out_buffer, off + jrm_size + 40);
+    if(out_buffer == NULL)
+        errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n");
+    printf("[INFO] Adding Hjukebox2.jrm... ");
+    memcpy(&out_buffer[off], "ATAD", 4);
+    int2le(jrm_size + 32, &out_buffer[off + 4]);
+    memset(&out_buffer[off + 8], 0, 32);
+    memcpy(&out_buffer[off + 8], "H\0j\0u\0k\0e\0b\0o\0x\0""2\0.\0j\0r\0m", 26);
+    memcpy(&out_buffer[off + 40], jrm, jrm_size);
+    off += jrm_size + 40;
+    printf("Done!\n");
+
+    /** fix header */
+    int2le(off - 8, &out_buffer[4]);
+
+    /** update checksum */
+    printf("[INFO] Updating checksum... ");
+    out_buffer = realloc(out_buffer, off + 28);
+    if(out_buffer == NULL)
+        errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n");
+    memcpy(&out_buffer[off], "LLUN", 4);
+    int2le(20, &out_buffer[off + 4]);
+    hmac_sha1((unsigned char*)player->null_key, strlen(player->null_key), out_buffer,
+        off, &out_buffer[off + 8]);
+    off += 28;
+    printf("Done!\n");
+
+    err = write_file(outfile, out_buffer, off);
+
+    free(jrm);
+    free(jrm_save);
+    free(out_buffer);
+    return err;
+}
+
+/* find an entry into zen_sums which matches the MD5 sum of a file */
+static enum zen_error_t find_model_by_md5sum(uint8_t file_md5sum[16], int *md5_idx)
+{
+    int i = 0;
+    while(i < NR_ZEN_SUMS)
+    {
+        uint8_t md5[20];
+        if(strlen(zen_sums[i].md5sum) != 32)
+            errorf(ZEN_ERROR, "[ERR][INTERNAL] Invalid MD5 sum in zen_sums\n");
+        for(int j = 0; j < 16; j++)
+        {
+            uint8_t a, b;
+            if(convxdigit(zen_sums[i].md5sum[2 * j], &a) || convxdigit(zen_sums[i].md5sum[2 * j + 1], &b))
+                errorf(ZEN_ERROR, "[ERR][INTERNAL] Bad checksum format: %s\n", zen_sums[i].md5sum);
+            md5[j] = (a << 4) | b;
+        }
+        if(memcmp(file_md5sum, md5, 16) == 0)
+            break;
+        i++;
+    }
+    if(i == NR_ZEN_SUMS)
+        errorf(ZEN_NO_MATCH, "[ERR] MD5 sum doesn't match any known file\n");
+    *md5_idx = i;
+    return ZEN_SUCCESS;
+}
+
+enum zen_error_t mkzenboot(const char *infile, const char *bootfile,
+    const char *outfile, struct zen_option_t opt)
+{
+    /* determine firmware model */
+    void *fw;
+    size_t fw_size;
+    enum zen_error_t err = read_file(infile, &fw, &fw_size);
+    uint8_t file_md5sum[16];
+    err = compute_md5sum_buf(fw, fw_size, file_md5sum);
+    if(err != ZEN_SUCCESS)
+    {
+        free(fw);
+        return err;
+    }
+    printf("[INFO] MD5 sum of the file: ");
+    for(int i = 0; i < 16; i++)
+        printf("%02X ", file_md5sum[i]);
+    printf("\n");
+    if(opt.model == MODEL_UNKNOWN)
+    {
+        int idx;
+        err = find_model_by_md5sum(file_md5sum, &idx);
+        if(err != ZEN_SUCCESS)
+        {
+            free(fw);
+            errorf(err, "[ERR] Cannot determine model type\n");
+        }
+        opt.model = zen_sums[idx].model;
+        printf("[INFO] MD5 matches %s, version %s\n",
+            zen_models[opt.model].model_name, zen_sums[idx].version);
+    }
+    printf("[INFO] Model is: %s\n", zen_models[opt.model].model_name);
+    /* load rockbox file */
+    uint8_t *boot;
+    size_t boot_size;
+    err = read_file(bootfile, (void **)&boot, &boot_size);
+    if(err != ZEN_SUCCESS)
+    {
+        free(fw);
+        errorf(err, "[ERR] Cannot read boot file\n");
+    }
+    /* validate checksum */
+    if(memcmp(boot + 4, zen_models[opt.model].rb_model_name, 4) != 0)
+    {
+        free(fw);
+        free(boot);
+        errorf(ZEN_BOOT_MISMATCH, "[ERR] Boot model mismatch\n");
+    }
+    printf("[INFO] Bootloader file matches model\n");
+    uint32_t sum = zen_models[opt.model].rb_model_num;
+    for(int i = 8; i < boot_size; i++)
+        sum += boot[i];
+    if(sum != be2int(boot))
+    {
+        free(fw);
+        free(boot);
+        errorf(ZEN_BOOT_CHECKSUM_ERROR, "[ERR] Checksum mismatch\n");
+    }
+    printf("[INFO] Bootloader file checksum is correct\n");
+    /* produce file */
+    err = build_firmware(fw, fw_size, boot + 8, boot_size - 8, outfile, opt);
+    free(boot);
+    free(fw);
+    return err;
+}