1 files changed, 237 insertions, 0 deletions
diff --git a/firmware/target/arm/pp/mi4-loader.c b/firmware/target/arm/pp/mi4-loader.c
new file mode 100644
index 0000000000..c465b898b4
--- /dev/null
+++ b/firmware/target/arm/pp/mi4-loader.c
@@ -0,0 +1,237 @@
+/***************************************************************************
+ *             __________               __   ___.
+ *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
+ *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
+ *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
+ *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
+ *                     \/            \/     \/    \/            \/
+ *
+ * Copyright (C) 2006 by Barry Wardell
+ *
+ * Based on Rockbox iriver bootloader by Linus Nielsen Feltzing
+ * and the ipodlinux bootloader by Daniel Palffy and Bernard Leach
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ****************************************************************************/
+#include <stdbool.h>
+#include <stdio.h>
+#include "config.h"
+#include "mi4-loader.h"
+#include "loader_strerror.h"
+#include "crc32-mi4.h"
+#include "file.h"
+static inline unsigned int le2int(unsigned char* buf)
+{
+   int32_t res = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+   return res;
+}
+static inline void int2le(unsigned int val, unsigned char* addr)
+{
+    addr[0] = val & 0xFF;
+    addr[1] = (val >> 8) & 0xff;
+    addr[2] = (val >> 16) & 0xff;
+    addr[3] = (val >> 24) & 0xff;
+}
+static struct tea_key tea_keytable[] = {
+  { "default" ,          { 0x20d36cc0, 0x10e8c07d, 0xc0e7dcaa, 0x107eb080 } },
+  { "sansa",             { 0xe494e96e, 0x3ee32966, 0x6f48512b, 0xa93fbb42 } },
+  { "sansa_gh",          { 0xd7b10538, 0xc662945b, 0x1b3fce68, 0xf389c0e6 } },
+  { "sansa_103",         { 0x1d29ddc0, 0x2579c2cd, 0xce339e1a, 0x75465dfe } },
+  { "rhapsody",          { 0x7aa9c8dc, 0xbed0a82a, 0x16204cc7, 0x5904ef38 } },
+  { "p610",              { 0x950e83dc, 0xec4907f9, 0x023734b9, 0x10cfb7c7 } },
+  { "p640",              { 0x220c5f23, 0xd04df68e, 0x431b5e25, 0x4dcc1fa1 } },
+  { "virgin",            { 0xe83c29a1, 0x04862973, 0xa9b3f0d4, 0x38be2a9c } },
+  { "20gc_eng",          { 0x0240772c, 0x6f3329b5, 0x3ec9a6c5, 0xb0c9e493 } },
+  { "20gc_fre",          { 0xbede8817, 0xb23bfe4f, 0x80aa682d, 0xd13f598c } },
+  { "elio_p722",         { 0x6af3b9f8, 0x777483f5, 0xae8181cc, 0xfa6d8a84 } },
+  { "c200",              { 0xbf2d06fa, 0xf0e23d59, 0x29738132, 0xe2d04ca7 } },
+  { "c200_103",          { 0x2a7968de, 0x15127979, 0x142e60a7, 0xe49c1893 } },
+  { "c200_106",          { 0xa913d139, 0xf842f398, 0x3e03f1a6, 0x060ee012 } },
+  { "view",              { 0x70e19bda, 0x0c69ea7d, 0x2b8b1ad1, 0xe9767ced } },
+  { "sa9200",            { 0x33ea0236, 0x9247bdc5, 0xdfaedf9f, 0xd67c9d30 } },
+  { "hdd1630/hdd63x0",   { 0x04543ced, 0xcebfdbad, 0xf7477872, 0x0d12342e } },
+  { "vibe500",           { 0xe3a66156, 0x77c6b67a, 0xe821dca5, 0xca8ca37c } },
+};
+/*
+tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
+"Following is an adaptation of the reference encryption and decryption
+routines in C, released into the public domain by David Wheeler and
+Roger Needham:"
+*/
+/* NOTE: The mi4 version of TEA uses a different initial value to sum compared
+         to the reference implementation and the main loop is 8 iterations, not
+         32.
+*/
+static void tea_decrypt(uint32_t* v0, uint32_t* v1, uint32_t* k) {
+    uint32_t sum=0xF1BBCDC8, i;                    /* set up */
+    uint32_t delta=0x9E3779B9;                     /* a key schedule constant */
+    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
+    for(i=0; i<8; i++) {                               /* basic cycle start */
+        *v1 -= ((*v0<<4) + k2) ^ (*v0 + sum) ^ ((*v0>>5) + k3);
+        *v0 -= ((*v1<<4) + k0) ^ (*v1 + sum) ^ ((*v1>>5) + k1);
+        sum -= delta;                                   /* end cycle */
+    }
+}
+/* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
+   integers) and the key is incremented after each block
+ */
+static void tea_decrypt_buf(unsigned char* src,
+                            unsigned char* dest,
+                            size_t n, uint32_t * key)
+{
+    uint32_t v0, v1;
+    unsigned int i;
+    for (i = 0; i < (n / 8); i++) {
+        v0 = le2int(src);
+        v1 = le2int(src+4);
+        tea_decrypt(&v0, &v1, key);
+        int2le(v0, dest);
+        int2le(v1, dest+4);
+        src += 8;
+        dest += 8;
+        /* Now increment the key */
+        key[0]++;
+        if (key[0]==0) {
+            key[1]++;
+            if (key[1]==0) {
+                key[2]++;
+                if (key[2]==0) {
+                    key[3]++;
+                }
+            }
+        }
+    }
+}
+static int tea_find_key(struct mi4header_t *mi4header, unsigned char* buf)
+{
+    unsigned int i;
+    uint32_t key[4];
+    uint32_t keyinc;
+    unsigned char magic_dec[8];
+    int key_found = -1;
+    unsigned int magic_location = mi4header->length-4;
+    int unaligned = 0;
+    if ( (magic_location % 8) != 0 )
+    {
+        unaligned = 1;
+        magic_location -= 4;
+    }
+    for (i=0; i < NUM_KEYS && (key_found<0) ; i++) {
+        key[0] = tea_keytable[i].key[0];
+        key[1] = tea_keytable[i].key[1];
+        key[2] = tea_keytable[i].key[2];
+        key[3] = tea_keytable[i].key[3];
+        /* Now increment the key */
+        keyinc = (magic_location-mi4header->plaintext)/8;
+        if ((key[0]+keyinc) < key[0]) key[1]++;
+        key[0] += keyinc;
+        if (key[1]==0) key[2]++;
+        if (key[2]==0) key[3]++;
+        /* Decrypt putative magic */
+        tea_decrypt_buf(&buf[magic_location], magic_dec, 8, key);
+        if (le2int(&magic_dec[4*unaligned]) == 0xaa55aa55)
+        {
+            key_found = i;
+        }
+    }
+    return key_found;
+}
+/* Load mi4 format firmware image */
+int load_mi4(unsigned char* buf,
+             const char* firmware,
+             unsigned int buffer_size)
+{
+    int fd;
+    struct mi4header_t mi4header;
+    int rc;
+    unsigned long sum;
+    char filename[MAX_PATH];
+    snprintf(filename,sizeof(filename), BOOTDIR "/%s",firmware);
+    fd = open(filename, O_RDONLY);
+    if(fd < 0)
+    {
+        snprintf(filename,sizeof(filename),"/%s",firmware);
+        fd = open(filename, O_RDONLY);
+        if(fd < 0)
+            return EFILE_NOT_FOUND;
+    }
+    read(fd, &mi4header, MI4_HEADER_SIZE);
+    /* MI4 file size */
+    if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
+    {
+        close(fd);
+        return EFILE_TOO_BIG;
+    }
+    /* Load firmware file */
+    lseek(fd, MI4_HEADER_SIZE, SEEK_SET);
+    rc = read(fd, buf, mi4header.mi4size-MI4_HEADER_SIZE);
+    close(fd);
+    if(rc < (int)mi4header.mi4size-MI4_HEADER_SIZE)
+        return EREAD_IMAGE_FAILED;
+    /* Check CRC32 to see if we have a valid file */
+    sum = chksum_crc32 (buf, mi4header.mi4size - MI4_HEADER_SIZE);
+    if(sum != mi4header.crc32)
+        return EBAD_CHKSUM;
+    if( (mi4header.plaintext + MI4_HEADER_SIZE) != mi4header.mi4size)
+    {
+        /* Load encrypted firmware */
+        int key_index = tea_find_key(&mi4header, buf);
+        if (key_index < 0)
+            return EINVALID_FORMAT;
+        /* Plaintext part is already loaded */
+        buf += mi4header.plaintext;
+        /* Decrypt in-place */
+        tea_decrypt_buf(buf, buf,
+                        mi4header.mi4size-(mi4header.plaintext+MI4_HEADER_SIZE),
+                        tea_keytable[key_index].key);
+        /* Check decryption was successfull */
+        if(le2int(&buf[mi4header.length-mi4header.plaintext-4]) != 0xaa55aa55)
+            return EREAD_IMAGE_FAILED;
+    }
+    return mi4header.mi4size - MI4_HEADER_SIZE;
+}

diff --git a/firmware/target/arm/pp/mi4-loader.c b/firmware/target/arm/pp/mi4-loader.c new file mode 100644 index 0000000000..c465b898b4 --- /dev/null +++ b/firmware/target/arm/pp/mi4-loader.c
@@ -0,0 +1,237 @@
	1	/***************************************************************************
	2	* __________ __ ___.
	3	* Open \______ \ ____ ____ \| \| _\_ \|__ _______ ___
	4	* Source \| _// _ \_/ ___\\| \|/ /\| __ \ / _ \ \/ /
	5	* Jukebox \| \| ( <_> ) \___\| < \| \_\ ( <_> > < <
	6	* Firmware \|____\|_ /\____/ \___ >__\|_ \\|___ /\____/__/\_ \
	7	* \/ \/ \/ \/ \/
	8	*
	9	* Copyright (C) 2006 by Barry Wardell
	10	*
	11	* Based on Rockbox iriver bootloader by Linus Nielsen Feltzing
	12	* and the ipodlinux bootloader by Daniel Palffy and Bernard Leach
	13	*
	14	* This program is free software; you can redistribute it and/or
	15	* modify it under the terms of the GNU General Public License
	16	* as published by the Free Software Foundation; either version 2
	17	* of the License, or (at your option) any later version.
	18	*
	19	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
	20	* KIND, either express or implied.
	21	*
	22	****************************************************************************/
	23
	24	#include <stdbool.h>
	25	#include <stdio.h>
	26	#include "config.h"
	27	#include "mi4-loader.h"
	28	#include "loader_strerror.h"
	29	#include "crc32-mi4.h"
	30	#include "file.h"
	31
	32	static inline unsigned int le2int(unsigned char* buf)
	33	{
	34	int32_t res = (buf[3] << 24) \| (buf[2] << 16) \| (buf[1] << 8) \| buf[0];
	35
	36	return res;
	37	}
	38
	39	static inline void int2le(unsigned int val, unsigned char* addr)
	40	{
	41	addr[0] = val & 0xFF;
	42	addr[1] = (val >> 8) & 0xff;
	43	addr[2] = (val >> 16) & 0xff;
	44	addr[3] = (val >> 24) & 0xff;
	45	}
	46
	47	static struct tea_key tea_keytable[] = {
	48	{ "default" , { 0x20d36cc0, 0x10e8c07d, 0xc0e7dcaa, 0x107eb080 } },
	49	{ "sansa", { 0xe494e96e, 0x3ee32966, 0x6f48512b, 0xa93fbb42 } },
	50	{ "sansa_gh", { 0xd7b10538, 0xc662945b, 0x1b3fce68, 0xf389c0e6 } },
	51	{ "sansa_103", { 0x1d29ddc0, 0x2579c2cd, 0xce339e1a, 0x75465dfe } },
	52	{ "rhapsody", { 0x7aa9c8dc, 0xbed0a82a, 0x16204cc7, 0x5904ef38 } },
	53	{ "p610", { 0x950e83dc, 0xec4907f9, 0x023734b9, 0x10cfb7c7 } },
	54	{ "p640", { 0x220c5f23, 0xd04df68e, 0x431b5e25, 0x4dcc1fa1 } },
	55	{ "virgin", { 0xe83c29a1, 0x04862973, 0xa9b3f0d4, 0x38be2a9c } },
	56	{ "20gc_eng", { 0x0240772c, 0x6f3329b5, 0x3ec9a6c5, 0xb0c9e493 } },
	57	{ "20gc_fre", { 0xbede8817, 0xb23bfe4f, 0x80aa682d, 0xd13f598c } },
	58	{ "elio_p722", { 0x6af3b9f8, 0x777483f5, 0xae8181cc, 0xfa6d8a84 } },
	59	{ "c200", { 0xbf2d06fa, 0xf0e23d59, 0x29738132, 0xe2d04ca7 } },
	60	{ "c200_103", { 0x2a7968de, 0x15127979, 0x142e60a7, 0xe49c1893 } },
	61	{ "c200_106", { 0xa913d139, 0xf842f398, 0x3e03f1a6, 0x060ee012 } },
	62	{ "view", { 0x70e19bda, 0x0c69ea7d, 0x2b8b1ad1, 0xe9767ced } },
	63	{ "sa9200", { 0x33ea0236, 0x9247bdc5, 0xdfaedf9f, 0xd67c9d30 } },
	64	{ "hdd1630/hdd63x0", { 0x04543ced, 0xcebfdbad, 0xf7477872, 0x0d12342e } },
	65	{ "vibe500", { 0xe3a66156, 0x77c6b67a, 0xe821dca5, 0xca8ca37c } },
	66	};
	67
	68	/*
	69
	70	tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
	71
	72	"Following is an adaptation of the reference encryption and decryption
	73	routines in C, released into the public domain by David Wheeler and
	74	Roger Needham:"
	75
	76	*/
	77
	78	/* NOTE: The mi4 version of TEA uses a different initial value to sum compared
	79	to the reference implementation and the main loop is 8 iterations, not
	80	32.
	81	*/
	82
	83	static void tea_decrypt(uint32_t* v0, uint32_t* v1, uint32_t* k) {
	84	uint32_t sum=0xF1BBCDC8, i; /* set up */
	85	uint32_t delta=0x9E3779B9; /* a key schedule constant */
	86	uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
	87	for(i=0; i<8; i++) { /* basic cycle start */
	88	v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
	89	v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
	90	sum -= delta; /* end cycle */
	91	}
	92	}
	93
	94	/* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
	95	integers) and the key is incremented after each block
	96	*/
	97
	98	static void tea_decrypt_buf(unsigned char* src,
	99	unsigned char* dest,
	100	size_t n, uint32_t * key)
	101	{
	102	uint32_t v0, v1;
	103	unsigned int i;
	104
	105	for (i = 0; i < (n / 8); i++) {
	106	v0 = le2int(src);
	107	v1 = le2int(src+4);
	108
	109	tea_decrypt(&v0, &v1, key);
	110
	111	int2le(v0, dest);
	112	int2le(v1, dest+4);
	113
	114	src += 8;
	115	dest += 8;
	116
	117	/* Now increment the key */
	118	key[0]++;
	119	if (key[0]==0) {
	120	key[1]++;
	121	if (key[1]==0) {
	122	key[2]++;
	123	if (key[2]==0) {
	124	key[3]++;
	125	}
	126	}
	127	}
	128	}
	129	}
	130
	131	static int tea_find_key(struct mi4header_t mi4header, unsigned char buf)
	132	{
	133	unsigned int i;
	134	uint32_t key[4];
	135	uint32_t keyinc;
	136	unsigned char magic_dec[8];
	137	int key_found = -1;
	138	unsigned int magic_location = mi4header->length-4;
	139	int unaligned = 0;
	140
	141	if ( (magic_location % 8) != 0 )
	142	{
	143	unaligned = 1;
	144	magic_location -= 4;
	145	}
	146
	147	for (i=0; i < NUM_KEYS && (key_found<0) ; i++) {
	148	key[0] = tea_keytable[i].key[0];
	149	key[1] = tea_keytable[i].key[1];
	150	key[2] = tea_keytable[i].key[2];
	151	key[3] = tea_keytable[i].key[3];
	152
	153	/* Now increment the key */
	154	keyinc = (magic_location-mi4header->plaintext)/8;
	155	if ((key[0]+keyinc) < key[0]) key[1]++;
	156	key[0] += keyinc;
	157	if (key[1]==0) key[2]++;
	158	if (key[2]==0) key[3]++;
	159
	160	/* Decrypt putative magic */
	161	tea_decrypt_buf(&buf[magic_location], magic_dec, 8, key);
	162
	163	if (le2int(&magic_dec[4*unaligned]) == 0xaa55aa55)
	164	{
	165	key_found = i;
	166	}
	167	}
	168
	169	return key_found;
	170	}
	171
	172	/* Load mi4 format firmware image */
	173	int load_mi4(unsigned char* buf,
	174	const char* firmware,
	175	unsigned int buffer_size)
	176	{
	177	int fd;
	178	struct mi4header_t mi4header;
	179	int rc;
	180	unsigned long sum;
	181	char filename[MAX_PATH];
	182
	183	snprintf(filename,sizeof(filename), BOOTDIR "/%s",firmware);
	184	fd = open(filename, O_RDONLY);
	185	if(fd < 0)
	186	{
	187	snprintf(filename,sizeof(filename),"/%s",firmware);
	188	fd = open(filename, O_RDONLY);
	189	if(fd < 0)
	190	return EFILE_NOT_FOUND;
	191	}
	192
	193	read(fd, &mi4header, MI4_HEADER_SIZE);
	194
	195	/* MI4 file size */
	196	if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
	197	{
	198	close(fd);
	199	return EFILE_TOO_BIG;
	200	}
	201
	202	/* Load firmware file */
	203	lseek(fd, MI4_HEADER_SIZE, SEEK_SET);
	204	rc = read(fd, buf, mi4header.mi4size-MI4_HEADER_SIZE);
	205	close(fd);
	206	if(rc < (int)mi4header.mi4size-MI4_HEADER_SIZE)
	207	return EREAD_IMAGE_FAILED;
	208
	209	/* Check CRC32 to see if we have a valid file */
	210	sum = chksum_crc32 (buf, mi4header.mi4size - MI4_HEADER_SIZE);
	211
	212	if(sum != mi4header.crc32)
	213	return EBAD_CHKSUM;
	214
	215	if( (mi4header.plaintext + MI4_HEADER_SIZE) != mi4header.mi4size)
	216	{
	217	/* Load encrypted firmware */
	218	int key_index = tea_find_key(&mi4header, buf);
	219
	220	if (key_index < 0)
	221	return EINVALID_FORMAT;
	222
	223	/* Plaintext part is already loaded */
	224	buf += mi4header.plaintext;
	225
	226	/* Decrypt in-place */
	227	tea_decrypt_buf(buf, buf,
	228	mi4header.mi4size-(mi4header.plaintext+MI4_HEADER_SIZE),
	229	tea_keytable[key_index].key);
	230
	231	/* Check decryption was successfull */
	232	if(le2int(&buf[mi4header.length-mi4header.plaintext-4]) != 0xaa55aa55)
	233	return EREAD_IMAGE_FAILED;
	234	}
	235
	236	return mi4header.mi4size - MI4_HEADER_SIZE;
	237	}