diff options
author | Amaury Pouly <amaury.pouly@gmail.com> | 2013-10-22 00:48:33 +0200 |
---|---|---|
committer | Amaury Pouly <amaury.pouly@gmail.com> | 2013-10-22 00:48:33 +0200 |
commit | 2e0c558064ad6c92624a0a826721a83321b227af (patch) | |
tree | 6a579d0f24e3b3de023bd3241092f0c89598e1fb /rbutil/mkzenboot/mkzenboot.c | |
parent | 5cfb148ae275993d6b9bc8d59355196c5f4f7dc1 (diff) | |
download | rockbox-2e0c558064ad6c92624a0a826721a83321b227af.tar.gz rockbox-2e0c558064ad6c92624a0a826721a83321b227af.zip |
Introduce rbutil/mkzenboot, a replacement for tools/mkzenboot
The old tools/mkzenboot has a number of problems: very hard to maintain,
poor integration with rbutil. Restart from scratch by recycling all the
crypto and descrambling code, rewrite the actual firmware modification part
to handle all scenarios in a much clearer way. The code is ready to be
integrated into Rockbox Utility, by using the very similar interface to
mkimxboot.
I copied all the keys from the old mkzenboot, so it can potentially support
the older Creative ports, but since this is untested, I prefer not do so
at the moment. However, I did add a "mixed" boot option to support the
dualboot style used in the older ports.
Change-Id: I80cfc48fa78187baa1b1692e8a30ec7137cea37b
Diffstat (limited to 'rbutil/mkzenboot/mkzenboot.c')
-rw-r--r-- | rbutil/mkzenboot/mkzenboot.c | 689 |
1 files changed, 689 insertions, 0 deletions
diff --git a/rbutil/mkzenboot/mkzenboot.c b/rbutil/mkzenboot/mkzenboot.c new file mode 100644 index 0000000000..396357e6fe --- /dev/null +++ b/rbutil/mkzenboot/mkzenboot.c | |||
@@ -0,0 +1,689 @@ | |||
1 | /*************************************************************************** | ||
2 | * __________ __ ___. | ||
3 | * Open \______ \ ____ ____ | | _\_ |__ _______ ___ | ||
4 | * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / | ||
5 | * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < | ||
6 | * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ | ||
7 | * \/ \/ \/ \/ \/ | ||
8 | * $Id$ | ||
9 | * | ||
10 | * Copyright (C) 2008 by Maurus Cuelenaere | ||
11 | * Based on zenutils by Rasmus Ry <rasmus.ry{at}gmail.com> | ||
12 | * Copyright (C) 2013 by Amaury Pouly | ||
13 | * | ||
14 | * This program is free software; you can redistribute it and/or | ||
15 | * modify it under the terms of the GNU General Public License | ||
16 | * as published by the Free Software Foundation; either version 2 | ||
17 | * of the License, or (at your option) any later version. | ||
18 | * | ||
19 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
20 | * KIND, either express or implied. | ||
21 | * | ||
22 | ****************************************************************************/ | ||
23 | #include <stdio.h> | ||
24 | #include <stdlib.h> | ||
25 | #include <stdarg.h> | ||
26 | #include <string.h> | ||
27 | #include "mkzenboot.h" | ||
28 | #include "utils.h" | ||
29 | #include "dualboot.h" | ||
30 | |||
31 | /** | ||
32 | * Keys used by players | ||
33 | */ | ||
34 | static const char null_key_v1[] = "CTL:N0MAD|PDE0.SIGN."; | ||
35 | static const char null_key_v2[] = "CTL:N0MAD|PDE0.DPMP."; | ||
36 | static const char null_key_v3[] = "CTL:N0MAD|PDE0.DPFP."; | ||
37 | static const char null_key_v4[] = "CTL:Z3N07|PDE0.DPMP."; | ||
38 | |||
39 | static const char tl_zvm_key[] = "1sN0TM3D az u~may th1nk*" | ||
40 | "Creative Zen Vision:M"; | ||
41 | static const char tl_zvm60_key[] = "1sN0TM3D az u~may th1nk*" | ||
42 | "Creative Zen Vision:M (D" | ||
43 | "VP-HD0004)"; | ||
44 | static const char tl_zen_key[] = "1sN0TM3D az u~may th1nk*" | ||
45 | "Creative ZEN"; | ||
46 | static const char tl_zenxf_key[] = "1sN0TM3D az u~may th1nk*" | ||
47 | "Creative ZEN X-Fi"; | ||
48 | static const char tl_zenmo_key[] = "1sN0TM3D az u~may th1nk*" | ||
49 | "Creative ZEN Mozaic"; | ||
50 | static const char tl_zv_key[] = "1sN0TM3D az u~may th1nk*" | ||
51 | "Creative Zen Vision"; | ||
52 | static const char tl_zvw_key[] = "1sN0TM3D az u~may th1nk*" | ||
53 | "Creative ZEN Vision W"; | ||
54 | static const char tl_zm_key[] = "1sN0TM3D az u~may th1nk*" | ||
55 | "Creative Zen Micro"; | ||
56 | static const char tl_zmp_key[] = "1sN0TM3D az u~may th1nk*" | ||
57 | "Creative Zen MicroPhoto"; | ||
58 | static const char tl_zs_key[] = "1sN0TM3D az u~may th1nk*" | ||
59 | "Creative Zen Sleek"; | ||
60 | static const char tl_zsp_key[] = "1sN0TM3D az u~may th1nk*" | ||
61 | "Creative Zen Sleek Photo"; | ||
62 | static const char tl_zt_key[] = "1sN0TM3D az u~may th1nk*" | ||
63 | "Creative Zen Touch"; | ||
64 | static const char tl_zx_key[] = "1sN0TM3D az u~may th1nk*" | ||
65 | "NOMAD Jukebox Zen Xtra"; | ||
66 | static const char tl_zenv_key[] = "1sN0TM3D az u~may th1nk*" | ||
67 | "Creative ZEN V"; | ||
68 | static const char tl_zenvp_key[] = "1sN0TM3D az u~may th1nk*" | ||
69 | "Creative ZEN V Plus"; | ||
70 | static const char tl_zenvv_key[] = "1sN0TM3D az u~may th1nk*" | ||
71 | "Creative ZEN V (Video)"; | ||
72 | |||
73 | struct player_info_t | ||
74 | { | ||
75 | const char* name; | ||
76 | const char* null_key; /* HMAC-SHA1 key */ | ||
77 | const char* tl_key; /* BlowFish key */ | ||
78 | bool big_endian; | ||
79 | char *cinf; | ||
80 | }; | ||
81 | |||
82 | static struct player_info_t zen_players[] = | ||
83 | { | ||
84 | {"Zen Vision:M", null_key_v2, tl_zvm_key, false, NULL}, | ||
85 | {"Zen Vision:M 60GB", null_key_v2, tl_zvm60_key, false, NULL}, | ||
86 | {"Zen", null_key_v4, tl_zen_key, false, "Creative ZEN"}, | ||
87 | {"Zen X-Fi", null_key_v4, tl_zenxf_key, false, "Creative ZEN X-Fi"}, | ||
88 | {"Zen Mozaic", null_key_v4, tl_zenmo_key, false, "Creative ZEN Mozaic"}, | ||
89 | {"Zen Vision", null_key_v2, tl_zv_key, false, NULL}, | ||
90 | {"Zen Vision W", null_key_v2, tl_zvw_key, false, NULL}, | ||
91 | {"Zen Micro", null_key_v1, tl_zm_key, true, NULL}, | ||
92 | {"Zen MicroPhoto", null_key_v1, tl_zmp_key, true, NULL}, | ||
93 | {"Zen Sleek", null_key_v1, tl_zs_key, true, NULL}, | ||
94 | {"Zen SleekPhoto", null_key_v1, tl_zsp_key, true, NULL}, | ||
95 | {"Zen Touch", null_key_v1, tl_zt_key, true, NULL}, | ||
96 | {"Zen Xtra", null_key_v1, tl_zx_key, true, NULL}, | ||
97 | {"Zen V", null_key_v3, tl_zenv_key, false, NULL}, | ||
98 | {"Zen V Plus", null_key_v3, tl_zenvp_key, false, NULL}, | ||
99 | {"Zen V Video", null_key_v3, tl_zenvv_key, false, NULL}, | ||
100 | {NULL, NULL, NULL, false, NULL} | ||
101 | }; | ||
102 | |||
103 | /** | ||
104 | * Information on how to patch firmwares | ||
105 | */ | ||
106 | struct zen_model_desc_t | ||
107 | { | ||
108 | /* Descriptive name of this model (must match player in zen_players[]) */ | ||
109 | const char *model_name; | ||
110 | /* Model name used in the Rockbox header in ".zen" files - these match the | ||
111 | -add parameter to the "scramble" tool */ | ||
112 | const char *rb_model_name; | ||
113 | /* Model number used to initialise the checksum in the Rockbox header in | ||
114 | ".zen" files - these are the same as MODEL_NUMBER in config-target.h */ | ||
115 | const int rb_model_num; | ||
116 | /* Bootloader load address */ | ||
117 | uint32_t bootloader_addr; | ||
118 | /* Dualboot code for this model */ | ||
119 | const unsigned char *dualboot; | ||
120 | /* Size of dualboot functions for this model */ | ||
121 | int dualboot_size; | ||
122 | }; | ||
123 | |||
124 | /* keep this consistent with the address in dualboot.lds */ | ||
125 | static const struct zen_model_desc_t zen_models[] = | ||
126 | { | ||
127 | [MODEL_UNKNOWN] = | ||
128 | { | ||
129 | "Unknown", " ", 0, 0, NULL, 0 | ||
130 | }, | ||
131 | [MODEL_ZENV] = | ||
132 | { | ||
133 | "Zen V", "zenv", 85, 0x60000000, NULL, 0 | ||
134 | }, | ||
135 | [MODEL_ZENXFI] = | ||
136 | { | ||
137 | "Zen X-Fi", "zxfi", 86, 0x41000000, dualboot_zenxfi, sizeof(dualboot_zenxfi) | ||
138 | }, | ||
139 | [MODEL_ZENMOZAIC] = | ||
140 | { | ||
141 | "Zen Mozaic", "zmoz", 87, 0x41000000, dualboot_zenmozaic, sizeof(dualboot_zenmozaic) | ||
142 | }, | ||
143 | [MODEL_ZEN] = | ||
144 | { | ||
145 | "Zen", "zen", 90, 0x41000000, dualboot_zen, sizeof(dualboot_zen) | ||
146 | }, | ||
147 | }; | ||
148 | |||
149 | /** | ||
150 | * MD5 knowledge base | ||
151 | */ | ||
152 | |||
153 | struct zen_md5sum_t | ||
154 | { | ||
155 | /* Device model */ | ||
156 | enum zen_model_t model; | ||
157 | /* md5sum of the file */ | ||
158 | char *md5sum; | ||
159 | /* Version string */ | ||
160 | const char *version; | ||
161 | }; | ||
162 | |||
163 | static const struct zen_md5sum_t zen_sums[] = | ||
164 | { | ||
165 | /** Zen Mozaic */ | ||
166 | { | ||
167 | /* Version 1.06.01e */ | ||
168 | MODEL_ZENMOZAIC, "88a856f8273b2bc3fcacf1f067a44aa8", "1.06.01e" | ||
169 | }, | ||
170 | /** Zen X-Fi */ | ||
171 | { | ||
172 | /* Version 1.04.08e */ | ||
173 | MODEL_ZENXFI, "f07e2e75069289a2aa14c6583bd9643b", "1.04.08e" | ||
174 | }, | ||
175 | /** Zen V */ | ||
176 | { | ||
177 | /* Version 1.32.01e */ | ||
178 | MODEL_ZENV, "2f6d3e619557583c30132ac87221bc3e", "1.32.01e" | ||
179 | }, | ||
180 | /** Zen */ | ||
181 | { | ||
182 | /* Version 1.21.03e */ | ||
183 | MODEL_ZEN, "1fe28f587f87ac3c280281db28c42465", "1.21.03e" | ||
184 | } | ||
185 | }; | ||
186 | |||
187 | #define NR_ZEN_PLAYERS (sizeof(zen_players) / sizeof(zen_players[0])) | ||
188 | #define NR_ZEN_SUMS (sizeof(zen_sums) / sizeof(zen_sums[0])) | ||
189 | #define NR_ZEN_MODELS (sizeof(zen_models) / sizeof(zen_models[0])) | ||
190 | |||
191 | #define MAGIC_ROCK 0x726f636b /* 'rock' */ | ||
192 | #define MAGIC_RECOVERY 0xfee1dead | ||
193 | #define MAGIC_NORMAL 0xcafebabe | ||
194 | |||
195 | /** | ||
196 | * Stolen from various places in our codebase | ||
197 | */ | ||
198 | |||
199 | /** | ||
200 | * EDOC file format | ||
201 | */ | ||
202 | struct edoc_header_t | ||
203 | { | ||
204 | char magic[4]; | ||
205 | uint32_t total_size; | ||
206 | uint32_t zero; | ||
207 | }; | ||
208 | |||
209 | struct edoc_section_header_t | ||
210 | { | ||
211 | uint32_t addr; | ||
212 | uint32_t size; | ||
213 | uint32_t checksum; | ||
214 | }; | ||
215 | |||
216 | uint32_t edoc_checksum(void *buffer, size_t size) | ||
217 | { | ||
218 | uint32_t c = 0; | ||
219 | uint32_t *p = buffer; | ||
220 | while(size >= 4) | ||
221 | { | ||
222 | c += *p + (*p >> 16); | ||
223 | p++; | ||
224 | size -= 4; | ||
225 | } | ||
226 | if(size != 0) | ||
227 | printf("[WARN] EDOC Checksum section size is not a multiple of 4 bytes, result is undefined!\n"); | ||
228 | return c & 0xffff; | ||
229 | } | ||
230 | |||
231 | #define errorf(err, ...) do { printf(__VA_ARGS__); return err; } while(0) | ||
232 | |||
233 | /** | ||
234 | * How does patching code work | ||
235 | * --------------------------- | ||
236 | * | ||
237 | * All Creative firmwares work the same: they start at 0 and the code sequence at | ||
238 | * 0 always contains the vector table with ldr with offsets: | ||
239 | * 0: e59ff018 ldr pc, [pc, #24] ; 0x20 | ||
240 | * 4: e59ff018 ldr pc, [pc, #24] ; 0x24 | ||
241 | * 8: e59ff018 ldr pc, [pc, #24] ; 0x28 | ||
242 | * c: e59ff018 ldr pc, [pc, #24] ; 0x2c | ||
243 | * 10: e59ff018 ldr pc, [pc, #24] ; 0x30 | ||
244 | * 14: e59ff018 ldr pc, [pc, #24] ; 0x34 | ||
245 | * 18: e59ff018 ldr pc, [pc, #24] ; 0x38 | ||
246 | * 1c: e59ff018 ldr pc, [pc, #24] ; 0x3c | ||
247 | * 20: 0000dbd4 .word start | ||
248 | * 24: 0000dcac .word undef_instr_handler | ||
249 | * 28: 0000dcb0 .word software_int_handler | ||
250 | * 2c: 0000dcb4 .word prefetch_abort_handler | ||
251 | * 30: 0000dcb8 .word data_abort_handler | ||
252 | * 34: 0000dcbc .word reserved_handler | ||
253 | * 38: 0000dcc0 .word irq_handler | ||
254 | * 3c: 0000dd08 .word fiq_handler | ||
255 | * | ||
256 | * To build a dual-boot image, we modify the start address to point to some | ||
257 | * code we added to the image. Specifically we first add the stub, then | ||
258 | * the rockbox image. We also write the old start address to this | ||
259 | * stub so that it can either decide to run rockbox or patch back the | ||
260 | * start address and jump to 0. | ||
261 | * Singleboot and recovery is handled the same way except that both targets use | ||
262 | * the same address and we drop the OF, so we create a fake vector table! | ||
263 | */ | ||
264 | |||
265 | struct dualboot_footer_t | ||
266 | { | ||
267 | uint32_t magic; | ||
268 | uint32_t of_addr; | ||
269 | uint32_t rb_addr; | ||
270 | uint32_t boot_arg; | ||
271 | } __attribute__((packed)); | ||
272 | |||
273 | #define FOOTER_MAGIC 0x1ceb00da | ||
274 | |||
275 | static enum zen_error_t create_fake_image(uint8_t **fw, uint32_t *fw_size) | ||
276 | { | ||
277 | /** We need to create a fake EDOC image, so first a header and one section | ||
278 | * header with one data chunk. */ | ||
279 | /** The fake image is as follows: | ||
280 | * 0: e59ff018 ldr pc, [pc, #24] ; 0x20 | ||
281 | * 4: e59ff018 ldr pc, [pc, #24] ; 0x24 | ||
282 | * 8: e59ff018 ldr pc, [pc, #24] ; 0x28 | ||
283 | * c: e59ff018 ldr pc, [pc, #24] ; 0x2c | ||
284 | * 10: e59ff018 ldr pc, [pc, #24] ; 0x30 | ||
285 | * 14: e59ff018 ldr pc, [pc, #24] ; 0x34 | ||
286 | * 18: e59ff018 ldr pc, [pc, #24] ; 0x38 | ||
287 | * 1c: e59ff018 ldr pc, [pc, #24] ; 0x3c | ||
288 | * 20: 00000040 .word hang | ||
289 | * 24: 00000040 .word hang | ||
290 | * 28: 00000040 .word hang | ||
291 | * 2c: 00000040 .word hang | ||
292 | * 30: 00000040 .word hang | ||
293 | * 34: 00000040 .word hang | ||
294 | * 38: 00000040 .word hang | ||
295 | * 3c: 00000040 .word hang | ||
296 | * 40 <hang>: | ||
297 | * 40: eafffffe b 40 <hang> */ | ||
298 | *fw_size = sizeof(struct edoc_header_t) + sizeof(struct edoc_section_header_t) + 0x44; | ||
299 | *fw = malloc(*fw_size); | ||
300 | if(*fw == NULL) | ||
301 | errorf(ZEN_ERROR, "[ERR] Allocation failed"); | ||
302 | struct edoc_header_t *hdr = (void *)*fw; | ||
303 | memcpy(hdr->magic, "EDOC", 4); | ||
304 | hdr->total_size = *fw_size - sizeof(struct edoc_header_t) + 4; | ||
305 | hdr->zero = 0; | ||
306 | struct edoc_section_header_t *sec = (void *)(hdr + 1); | ||
307 | sec->addr = 0; | ||
308 | sec->size = 0x44; | ||
309 | uint32_t *p = (void *)(sec + 1); | ||
310 | p[0] = p[1] = p[2] = p[3] = p[4] = p[5] = p[6] = p[7] = 0xe59ff018; | ||
311 | p[8] = p[9] = p[10] = p[11] = p[12] = p[13] = p[14] = p[15] = 0x40; | ||
312 | p[16] = 0xeafffffe; | ||
313 | sec->checksum = edoc_checksum(p, 0x44); | ||
314 | return ZEN_SUCCESS; | ||
315 | } | ||
316 | |||
317 | static enum zen_error_t patch_firmware(uint8_t **fw, uint32_t *fw_size, | ||
318 | void *boot, size_t boot_size, struct zen_option_t opt) | ||
319 | { | ||
320 | /* check if dualboot stub is available */ | ||
321 | const void *dualboot = zen_models[opt.model].dualboot; | ||
322 | int dualboot_size = zen_models[opt.model].dualboot_size; | ||
323 | uint32_t dualboot_addr = zen_models[opt.model].bootloader_addr; | ||
324 | if(dualboot == NULL) | ||
325 | errorf(ZEN_DONT_KNOW_HOW_TO_PATCH, "[ERR] I don't have a dualboot stub for this model\n"); | ||
326 | /* if not asked to dualboot, drop OF and create a fake image */ | ||
327 | if(opt.output != ZEN_DUALBOOT) | ||
328 | { | ||
329 | enum zen_error_t ret = create_fake_image(fw, fw_size); | ||
330 | if(ret != ZEN_SUCCESS) | ||
331 | return ret; | ||
332 | } | ||
333 | /* compute final image size: add stub + bootloader in one block as a section */ | ||
334 | int extra_size = sizeof(struct edoc_section_header_t) + dualboot_size + boot_size; | ||
335 | *fw_size += extra_size; | ||
336 | *fw = realloc(*fw, *fw_size); | ||
337 | if(*fw == NULL) | ||
338 | errorf(ZEN_ERROR, "[ERR] Allocation failed"); | ||
339 | /* sanity check */ | ||
340 | struct edoc_header_t *hdr = (void *)*fw; | ||
341 | if(memcmp(hdr->magic, "EDOC", 4) != 0) | ||
342 | errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't use EDOC format\n"); | ||
343 | /* validate image and find OF start addr */ | ||
344 | uint32_t of_addr = 0; | ||
345 | struct edoc_section_header_t *sec_hdr = (void *)(hdr + 1); | ||
346 | while((void *)sec_hdr - (void *)&hdr->zero < hdr->total_size) | ||
347 | { | ||
348 | if(sec_hdr->checksum != edoc_checksum(sec_hdr + 1, sec_hdr->size)) | ||
349 | errorf(ZEN_FW_INVALID, "[ERR] Firmware checksum error\n"); | ||
350 | if(sec_hdr->addr == 0) | ||
351 | { | ||
352 | uint32_t *start_vector = ((void *)(sec_hdr + 1) + 0x20); | ||
353 | /* extract address */ | ||
354 | of_addr = *(uint32_t *)start_vector; | ||
355 | /* patch vector */ | ||
356 | *start_vector = dualboot_addr; | ||
357 | /* fix checksum */ | ||
358 | sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size); | ||
359 | } | ||
360 | sec_hdr = (void *)(sec_hdr + 1) + sec_hdr->size; | ||
361 | } | ||
362 | if(of_addr == 0) | ||
363 | errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't have the expected format\n"); | ||
364 | printf("[INFO] OF start address: %#x\n", of_addr); | ||
365 | /* add extra section */ | ||
366 | sec_hdr->addr = dualboot_addr; | ||
367 | sec_hdr->size = dualboot_size + boot_size; | ||
368 | /* add extra data */ | ||
369 | memcpy(sec_hdr + 1, dualboot, dualboot_size); | ||
370 | memcpy((void *)(sec_hdr + 1) + dualboot_size, boot, boot_size); | ||
371 | /* locate and patch dualboot footer */ | ||
372 | struct dualboot_footer_t *footer = (void *)(sec_hdr + 1) + dualboot_size - | ||
373 | sizeof(struct dualboot_footer_t); | ||
374 | if(footer->magic != FOOTER_MAGIC) | ||
375 | errorf(ZEN_FW_INVALID, "[ERR] Footer magic mismatch\n"); | ||
376 | uint32_t rb_addr = dualboot_addr + dualboot_size; | ||
377 | printf("[INFO] RB start address: %#x\n", rb_addr); | ||
378 | footer->of_addr = opt.output == ZEN_DUALBOOT ? of_addr : rb_addr; | ||
379 | footer->rb_addr = rb_addr; | ||
380 | footer->boot_arg = opt.output == ZEN_RECOVERY ? 0xfee1dead : 0xcafebabe; | ||
381 | printf("[INFO] Footer: 0x%08x 0x%08x 0x%08x\n", footer->of_addr, footer->rb_addr, | ||
382 | footer->boot_arg); | ||
383 | /* fix image */ | ||
384 | sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size); | ||
385 | hdr->total_size += extra_size; | ||
386 | return ZEN_SUCCESS; | ||
387 | } | ||
388 | |||
389 | struct player_info_t *get_player_info(enum zen_model_t model) | ||
390 | { | ||
391 | for(int i = 0; zen_players[i].name; i++) | ||
392 | if(strcmp(zen_models[model].model_name, zen_players[i].name) == 0) | ||
393 | return &zen_players[i]; | ||
394 | return NULL; | ||
395 | } | ||
396 | |||
397 | enum zen_error_t build_firmware(void *exec, size_t exec_size, void *boot, size_t boot_size, | ||
398 | const char *outfile, struct zen_option_t opt) | ||
399 | { | ||
400 | uint8_t *buffer = exec; | ||
401 | /** find player info */ | ||
402 | struct player_info_t *player = get_player_info(opt.model); | ||
403 | if(player == NULL) | ||
404 | errorf(ZEN_UNSUPPORTED, "[ERR] There is no player info for this model\n"); | ||
405 | if(player->big_endian) | ||
406 | errorf(ZEN_UNSUPPORTED, "[ERR] Big-endian players are currently unsupported\n"); | ||
407 | |||
408 | /** Find Win32 PE .data section */ | ||
409 | uint32_t data_ptr; | ||
410 | uint32_t data_size; | ||
411 | enum zen_error_t err = find_pe_data(exec, exec_size, &data_ptr, &data_size); | ||
412 | if(err != ZEN_SUCCESS) | ||
413 | errorf(err, "[ERR] Cannot find .data section\n"); | ||
414 | printf("[INFO] .data section is at 0x%x with size 0x%x\n", data_ptr, data_size); | ||
415 | |||
416 | /** look for firmware and key in data section */ | ||
417 | uint32_t fw_offset = find_firmware_offset(&buffer[data_ptr], data_size); | ||
418 | if(fw_offset == 0) | ||
419 | errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware offset\n"); | ||
420 | uint32_t fw_size = le2int(&buffer[data_ptr + fw_offset]); | ||
421 | printf("[INFO] Firmware offset is at 0x%x with size 0x%x\n", data_ptr + fw_offset, fw_size); | ||
422 | const char *fw_key = find_firmware_key(exec, exec_size); | ||
423 | if(fw_key == NULL) | ||
424 | errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware key\n"); | ||
425 | printf("[INFO] Firmware key is %s\n", fw_key); | ||
426 | |||
427 | /** descramble firmware */ | ||
428 | printf("[INFO] Descrambling firmware... "); | ||
429 | if(!crypt_firmware(fw_key, &buffer[data_ptr + fw_offset + 4], fw_size)) | ||
430 | errorf(ZEN_ERROR, "Fail!\n"); | ||
431 | else | ||
432 | printf("Done!\n"); | ||
433 | /** decompress it */ | ||
434 | uint8_t *out_buffer = malloc(fw_size * 2); | ||
435 | if(out_buffer == NULL) | ||
436 | errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory"); | ||
437 | memset(out_buffer, 0, fw_size * 2); | ||
438 | printf("[INFO] Decompressing firmware... "); | ||
439 | char *err_msg; | ||
440 | if(!inflate_to_buffer(&buffer[data_ptr + fw_offset + 4], fw_size, out_buffer, | ||
441 | fw_size * 2, &err_msg)) | ||
442 | errorf(ZEN_ERROR, "Fail!\n[ERR] ZLib error: %s\n", err_msg); | ||
443 | else | ||
444 | printf("Done!\n"); | ||
445 | |||
446 | /** check format and resize the buffer */ | ||
447 | if(memcmp(out_buffer, "FFIC", 4) != 0) | ||
448 | errorf(ZEN_FW_INVALID, "[ERR] CIFF header doesn't match\n"); | ||
449 | uint32_t ciff_size = le2int(&out_buffer[4]) + 8 + 28; /* CIFF block + NULL block*/ | ||
450 | printf("[INFO] Total firmware size: %d\n", ciff_size); | ||
451 | out_buffer = realloc(out_buffer, ciff_size); | ||
452 | if(out_buffer == NULL) | ||
453 | errorf(ZEN_ERROR, "[ERR] Cannot resize memory block\n"); | ||
454 | |||
455 | /** look for firmware file */ | ||
456 | printf("[INFO] Locating encoded block... "); | ||
457 | uint32_t fw_off = 8; | ||
458 | uint8_t *cinf_ptr = NULL; | ||
459 | while(memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0 && fw_off < ciff_size) | ||
460 | { | ||
461 | if(memcmp(&out_buffer[fw_off], "FNIC", 4) == 0) | ||
462 | { | ||
463 | cinf_ptr = &out_buffer[fw_off + 8]; | ||
464 | fw_off += 4 + 4 + 96; | ||
465 | } | ||
466 | else if(memcmp(&out_buffer[fw_off], "ATAD", 4) == 0) | ||
467 | { | ||
468 | fw_off += 4; | ||
469 | fw_off += le2int(&out_buffer[fw_off]); | ||
470 | fw_off += 4; | ||
471 | } | ||
472 | else | ||
473 | errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Unknown block\n"); | ||
474 | } | ||
475 | if(fw_off >= ciff_size || memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0) | ||
476 | errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find encoded block\n"); | ||
477 | if(!cinf_ptr) | ||
478 | errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find CINF\n"); | ||
479 | printf("Done!\n"); | ||
480 | |||
481 | /** validate player if possible */ | ||
482 | printf("[INFO] Checking player model..."); | ||
483 | if(player->cinf) | ||
484 | { | ||
485 | char cinf_ascii[96]; | ||
486 | for(int j = 0; j < 96; j++) | ||
487 | cinf_ascii[j] = *(unsigned short *)&cinf_ptr[2 * j]; | ||
488 | if(strncmp(cinf_ascii, player->cinf, 96) != 0) | ||
489 | errorf(ZEN_FW_MISMATCH, "Fail!\n[ERR] Player mismatch: CINF indicates '%s' instead of '%s'\n", | ||
490 | cinf_ascii, player->cinf); | ||
491 | else | ||
492 | printf("Done!\n"); | ||
493 | } | ||
494 | else | ||
495 | printf("Bypass!\n"); | ||
496 | |||
497 | /** decrypt firmware */ | ||
498 | printf("[INFO] Decrypting encoded block... "); | ||
499 | uint32_t iv[2]; | ||
500 | iv[0] = 0; | ||
501 | iv[1] = swap(le2int(&out_buffer[fw_off + 4])); | ||
502 | if(!bf_cbc_decrypt((unsigned char*)player->tl_key, strlen(player->tl_key) + 1, | ||
503 | &out_buffer[fw_off + 8], le2int(&out_buffer[fw_off + 4]), (const unsigned char*)&iv)) | ||
504 | errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decrypt encoded block\n"); | ||
505 | printf("Done!\n"); | ||
506 | |||
507 | /** sanity checks on firmware */ | ||
508 | uint32_t jrm_size = le2int(&out_buffer[fw_off + 8]); | ||
509 | if(jrm_size > le2int(&out_buffer[fw_off + 4]) * 3) | ||
510 | errorf(ZEN_FW_INVALID, "[ERR] Decrypted length of encoded block is unexpectedly large: 0x%08x\n", jrm_size); | ||
511 | printf("[INFO] Firmware size: %d\n", jrm_size); | ||
512 | uint8_t *jrm = malloc(jrm_size); | ||
513 | if(jrm == NULL) | ||
514 | errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory\n"); | ||
515 | memset(buffer, 0, jrm_size); | ||
516 | |||
517 | /** decompress firmware */ | ||
518 | printf("[INFO] Decompressing encoded block... "); | ||
519 | if(!cenc_decode(&out_buffer[fw_off + 12], le2int(&out_buffer[fw_off + 4]) - 4, jrm, jrm_size)) | ||
520 | errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decompress the encoded block\n"); | ||
521 | printf("Done!\n"); | ||
522 | |||
523 | /** Copy OF because patching might modify it */ | ||
524 | void *jrm_save = malloc(jrm_size); | ||
525 | uint32_t jrm_save_size = jrm_size; | ||
526 | if(jrm_save == NULL) | ||
527 | errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory"); | ||
528 | memcpy(jrm_save, jrm, jrm_size); | ||
529 | |||
530 | /** Patch firmware */ | ||
531 | err = patch_firmware(&jrm, &jrm_size, boot, boot_size, opt); | ||
532 | if(err != ZEN_SUCCESS) | ||
533 | errorf(err, "[ERR] Couldn't patch firmware\n"); | ||
534 | |||
535 | /** Rebuild archive */ | ||
536 | bool keep_old_bits = opt.output == ZEN_DUALBOOT || opt.output == ZEN_MIXEDBOOT; | ||
537 | bool keep_of = opt.output == ZEN_MIXEDBOOT; | ||
538 | /* if we keep old stuff, keep everything up to LT block, otherwise just CIFF header */ | ||
539 | uint32_t off = keep_old_bits ? fw_off : 8; | ||
540 | /* move the rest of the archive if keeping old stuff */ | ||
541 | if(keep_old_bits) | ||
542 | { | ||
543 | uint32_t copy_off = fw_off + 8 + le2int(&out_buffer[fw_off + 4]); | ||
544 | uint32_t copy_size = ciff_size - fw_off - 8 - le2int(&out_buffer[fw_off + 4]) - 28; | ||
545 | memmove(&out_buffer[off], &out_buffer[copy_off], copy_size); | ||
546 | off += copy_size; | ||
547 | } | ||
548 | /* if we keep the OF, put a copy of it after renaming it to Hcreativeos.jrm */ | ||
549 | if(keep_of) | ||
550 | { | ||
551 | out_buffer = realloc(out_buffer, off + jrm_save_size + 40); | ||
552 | if(out_buffer == NULL) | ||
553 | errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); | ||
554 | printf("[INFO] Renaming encoded block to Hcreativeos.jrm... "); | ||
555 | memcpy(&out_buffer[off], "ATAD", 4); | ||
556 | int2le(jrm_save_size + 32, &out_buffer[off + 4]); | ||
557 | memset(&out_buffer[off + 8], 0, 32); | ||
558 | memcpy(&out_buffer[off + 8], "H\0c\0r\0e\0a\0t\0i\0v\0e\0o\0s\0.\0j\0r\0m", 30); | ||
559 | memcpy(&out_buffer[off + 40], jrm_save, jrm_save_size); | ||
560 | off += jrm_save_size + 40; | ||
561 | printf("Done!\n"); | ||
562 | } | ||
563 | /* put modified firmware */ | ||
564 | out_buffer = realloc(out_buffer, off + jrm_size + 40); | ||
565 | if(out_buffer == NULL) | ||
566 | errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); | ||
567 | printf("[INFO] Adding Hjukebox2.jrm... "); | ||
568 | memcpy(&out_buffer[off], "ATAD", 4); | ||
569 | int2le(jrm_size + 32, &out_buffer[off + 4]); | ||
570 | memset(&out_buffer[off + 8], 0, 32); | ||
571 | memcpy(&out_buffer[off + 8], "H\0j\0u\0k\0e\0b\0o\0x\0""2\0.\0j\0r\0m", 26); | ||
572 | memcpy(&out_buffer[off + 40], jrm, jrm_size); | ||
573 | off += jrm_size + 40; | ||
574 | printf("Done!\n"); | ||
575 | |||
576 | /** fix header */ | ||
577 | int2le(off - 8, &out_buffer[4]); | ||
578 | |||
579 | /** update checksum */ | ||
580 | printf("[INFO] Updating checksum... "); | ||
581 | out_buffer = realloc(out_buffer, off + 28); | ||
582 | if(out_buffer == NULL) | ||
583 | errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); | ||
584 | memcpy(&out_buffer[off], "LLUN", 4); | ||
585 | int2le(20, &out_buffer[off + 4]); | ||
586 | hmac_sha1((unsigned char*)player->null_key, strlen(player->null_key), out_buffer, | ||
587 | off, &out_buffer[off + 8]); | ||
588 | off += 28; | ||
589 | printf("Done!\n"); | ||
590 | |||
591 | err = write_file(outfile, out_buffer, off); | ||
592 | |||
593 | free(jrm); | ||
594 | free(jrm_save); | ||
595 | free(out_buffer); | ||
596 | return err; | ||
597 | } | ||
598 | |||
599 | /* find an entry into zen_sums which matches the MD5 sum of a file */ | ||
600 | static enum zen_error_t find_model_by_md5sum(uint8_t file_md5sum[16], int *md5_idx) | ||
601 | { | ||
602 | int i = 0; | ||
603 | while(i < NR_ZEN_SUMS) | ||
604 | { | ||
605 | uint8_t md5[20]; | ||
606 | if(strlen(zen_sums[i].md5sum) != 32) | ||
607 | errorf(ZEN_ERROR, "[ERR][INTERNAL] Invalid MD5 sum in zen_sums\n"); | ||
608 | for(int j = 0; j < 16; j++) | ||
609 | { | ||
610 | uint8_t a, b; | ||
611 | if(convxdigit(zen_sums[i].md5sum[2 * j], &a) || convxdigit(zen_sums[i].md5sum[2 * j + 1], &b)) | ||
612 | errorf(ZEN_ERROR, "[ERR][INTERNAL] Bad checksum format: %s\n", zen_sums[i].md5sum); | ||
613 | md5[j] = (a << 4) | b; | ||
614 | } | ||
615 | if(memcmp(file_md5sum, md5, 16) == 0) | ||
616 | break; | ||
617 | i++; | ||
618 | } | ||
619 | if(i == NR_ZEN_SUMS) | ||
620 | errorf(ZEN_NO_MATCH, "[ERR] MD5 sum doesn't match any known file\n"); | ||
621 | *md5_idx = i; | ||
622 | return ZEN_SUCCESS; | ||
623 | } | ||
624 | |||
625 | enum zen_error_t mkzenboot(const char *infile, const char *bootfile, | ||
626 | const char *outfile, struct zen_option_t opt) | ||
627 | { | ||
628 | /* determine firmware model */ | ||
629 | void *fw; | ||
630 | size_t fw_size; | ||
631 | enum zen_error_t err = read_file(infile, &fw, &fw_size); | ||
632 | uint8_t file_md5sum[16]; | ||
633 | err = compute_md5sum_buf(fw, fw_size, file_md5sum); | ||
634 | if(err != ZEN_SUCCESS) | ||
635 | { | ||
636 | free(fw); | ||
637 | return err; | ||
638 | } | ||
639 | printf("[INFO] MD5 sum of the file: "); | ||
640 | for(int i = 0; i < 16; i++) | ||
641 | printf("%02X ", file_md5sum[i]); | ||
642 | printf("\n"); | ||
643 | if(opt.model == MODEL_UNKNOWN) | ||
644 | { | ||
645 | int idx; | ||
646 | err = find_model_by_md5sum(file_md5sum, &idx); | ||
647 | if(err != ZEN_SUCCESS) | ||
648 | { | ||
649 | free(fw); | ||
650 | errorf(err, "[ERR] Cannot determine model type\n"); | ||
651 | } | ||
652 | opt.model = zen_sums[idx].model; | ||
653 | printf("[INFO] MD5 matches %s, version %s\n", | ||
654 | zen_models[opt.model].model_name, zen_sums[idx].version); | ||
655 | } | ||
656 | printf("[INFO] Model is: %s\n", zen_models[opt.model].model_name); | ||
657 | /* load rockbox file */ | ||
658 | uint8_t *boot; | ||
659 | size_t boot_size; | ||
660 | err = read_file(bootfile, (void **)&boot, &boot_size); | ||
661 | if(err != ZEN_SUCCESS) | ||
662 | { | ||
663 | free(fw); | ||
664 | errorf(err, "[ERR] Cannot read boot file\n"); | ||
665 | } | ||
666 | /* validate checksum */ | ||
667 | if(memcmp(boot + 4, zen_models[opt.model].rb_model_name, 4) != 0) | ||
668 | { | ||
669 | free(fw); | ||
670 | free(boot); | ||
671 | errorf(ZEN_BOOT_MISMATCH, "[ERR] Boot model mismatch\n"); | ||
672 | } | ||
673 | printf("[INFO] Bootloader file matches model\n"); | ||
674 | uint32_t sum = zen_models[opt.model].rb_model_num; | ||
675 | for(int i = 8; i < boot_size; i++) | ||
676 | sum += boot[i]; | ||
677 | if(sum != be2int(boot)) | ||
678 | { | ||
679 | free(fw); | ||
680 | free(boot); | ||
681 | errorf(ZEN_BOOT_CHECKSUM_ERROR, "[ERR] Checksum mismatch\n"); | ||
682 | } | ||
683 | printf("[INFO] Bootloader file checksum is correct\n"); | ||
684 | /* produce file */ | ||
685 | err = build_firmware(fw, fw_size, boot + 8, boot_size - 8, outfile, opt); | ||
686 | free(boot); | ||
687 | free(fw); | ||
688 | return err; | ||
689 | } | ||