Diffstat (limited to 'rbutil/mkimxboot/mkimxboot.c')
-rw-r--r-- | rbutil/mkimxboot/mkimxboot.c | 409 |
1 files changed, 409 insertions, 0 deletions
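diff --git a/rbutil/mkimxboot/mkimxboot.c b/rbutil/mkimxboot/mkimxboot.c
new file mode 100644
index 0000000000..f1a874b3f5
--- /dev/null
+++ b/rbutil/mkimxboot/mkimxboot.c
@@ -0,0 +1,409 @@
+/***************************************************************************
+* __________ __ ___.
+* Open \______ \ ____ ____ | | _\_ |__ _______ ___
+* Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
+* Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
+* Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
+* \/ \/ \/ \/ \/
+* $Id$
+*
+* Copyright (C) 2011 by Amaury Pouly
+*
+* This program is free software; you can redistribute it and/or
+* modify it under the terms of the GNU General Public License
+* as published by the Free Software Foundation; either version 2
+* of the License, or (at your option) any later version.
+*
+* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+* KIND, either express or implied.
+*
+****************************************************************************/
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include "mkimxboot.h"
+#include "sb.h"
+#include "dualboot.h"
+#include "md5.h"
+
+/* Supported models */
+enum imx_model_t
+{
+MODEL_UNKNOWN = -1,
+MODEL_FUZEPLUS = 0,
+/* new models go here */
+
+NUM_MODELS
+};
+
+struct imx_md5sum_t
+{
+int model;
+char *md5sum;
+};
+
+struct imx_model_desc_t
+{
+/* Descriptive name of this model */
+const char *model_name;
+/* Dualboot code for this model */
+const unsigned char *dualboot;
+/* Size of dualboot functions for this model */
+int dualboot_size;
+/* Model name used in the Rockbox header in ".sansa" files - these match the
+-add parameter to the "scramble" tool */
+const char *rb_model_name;
+/* Model number used to initialise the checksum in the Rockbox header in
+".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
+const int rb_model_num;
+/* Number of keys needed to decrypt/encrypt */
+int nr_keys;
+/* Array of keys */
+struct crypto_key_t *keys;
+/* Dualboot load address */
+uint32_t dualboot_addr;
+/* Bootloader load address */
+uint32_t bootloader_addr;
+};
+
+static const struct imx_md5sum_t imx_sums[] =
+{
+{ MODEL_FUZEPLUS, "c3e27620a877dc6b200b97dcb3e0ecc7" }, /* Version 2.38.6 */
+};
+
+static struct crypto_key_t zero_key =
+{
+.method = CRYPTO_KEY,
+.u.key = {0}
+};
+
+static const struct imx_model_desc_t imx_models[] =
+{
+[MODEL_FUZEPLUS] = { "Fuze+", dualboot_fuzeplus, sizeof(dualboot_fuzeplus), "fuz+", 72,
+1, &zero_key },
+};
+
+#define NR_IMX_SUMS (sizeof(imx_sums) / sizeof(imx_sums[0]))
+#define NR_IMX_MODELS (sizeof(imx_models) / sizeof(imx_models[0]))
+
+#define MAGIC_ROCK 0x726f636b /* 'rock' */
+#define MAGIC_RECOVERY 0xfee1dead
+#define MAGIC_NORMAL 0xcafebabe
+
+static enum imx_error_t patch_std_zero_host_play(int jump_before, int model,
+enum imx_output_type_t type, struct sb_file_t *sb_file, void *boot, size_t boot_sz)
+{
+/* We assume the file has three boot sections: ____, host, play and one
+* resource section rsrc.
+*
+* Dual Boot:
+* ----------
+* We patch the file by inserting the dualboot code before the <jump_before>th
+* call in the ____ section. We give it as argument the section name 'rock'
+* and add a section called 'rock' after rsrc which contains the bootloader.
+*
+* Single Boot & Recovery:
+* -----------------------
+* We patch the file by inserting the bootloader code after the <jump_before>th
+* call in the ____ section and get rid of everything else. In recovery mode,
+* we give 0xfee1dead as argument */
+
+/* Do not override real key and IV */
+sb_file->override_crypto_iv = false;
+sb_file->override_real_key = false;
+
+/* first locate the good instruction */
+struct sb_section_t *sec = &sb_file->sections[0];
+int jump_idx = 0;
+while(jump_idx < sec->nr_insts && jump_before > 0)
+if(sec->insts[jump_idx++].inst == SB_INST_CALL)
+jump_before--;
+if(jump_idx == sec->nr_insts)
+{
+printf("[ERR] Cannot locate call in section ____\n");
+return IMX_DONT_KNOW_HOW_TO_PATCH;
+}
+
+if(type == IMX_DUALBOOT)
+{
+/* create a new instruction array with a hole for two instructions */
+struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (sec->nr_insts + 2));
+memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
+memcpy(new_insts + jump_idx + 2, sec->insts + jump_idx,
+sizeof(struct sb_inst_t) * (sec->nr_insts - jump_idx));
+/* first instruction is be a load */
+struct sb_inst_t *load = &new_insts[jump_idx];
+memset(load, 0, sizeof(struct sb_inst_t));
+load->inst = SB_INST_LOAD;
+load->size = imx_models[model].dualboot_size;
+load->addr = imx_models[model].dualboot_addr;
+/* duplicate memory because it will be free'd */
+load->data = memdup(imx_models[model].dualboot, imx_models[model].dualboot_size);
+/* second instruction is a call */
+struct sb_inst_t *call = &new_insts[jump_idx + 1];
+memset(call, 0, sizeof(struct sb_inst_t));
+call->inst = SB_INST_CALL;
+call->addr = imx_models[model].dualboot_addr;
+call->argument = MAGIC_ROCK;
+/* free old instruction array */
+free(sec->insts);
+sec->insts = new_insts;
+sec->nr_insts += 2;
+
+/* create a new section */
+struct sb_section_t rock_sec;
+memset(&rock_sec, 0, sizeof(rock_sec));
+/* section has two instructions: load and call */
+rock_sec.identifier = MAGIC_ROCK;
+rock_sec.alignment = BLOCK_SIZE;
+rock_sec.nr_insts = 2;
+rock_sec.insts = xmalloc(2 * sizeof(struct sb_inst_t));
+memset(rock_sec.insts, 0, 2 * sizeof(struct sb_inst_t));
+rock_sec.insts[0].inst = SB_INST_LOAD;
+rock_sec.insts[0].size = boot_sz;
+rock_sec.insts[0].data = memdup(boot, boot_sz);
+rock_sec.insts[0].addr = imx_models[model].bootloader_addr;
+rock_sec.insts[1].inst = SB_INST_CALL;
+rock_sec.insts[1].addr = imx_models[model].bootloader_addr;
+rock_sec.insts[1].argument = MAGIC_NORMAL;
+
+sb_file->sections = augment_array(sb_file->sections,
+sizeof(struct sb_section_t), sb_file->nr_sections,
+&rock_sec, 1);
+sb_file->nr_sections++;
+
+return IMX_SUCCESS;
+}
+else if(type == IMX_SINGLEBOOT || type == IMX_RECOVERY)
+{
+bool recovery = type == IMX_RECOVERY;
+/* remove everything after the call and add two instructions: load and call */
+struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (jump_idx + 2));
+memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
+for(int i = jump_idx; i < sec->nr_insts; i++)
+sb_free_instruction(sec->insts[i]);
+memset(new_insts + jump_idx, 0, 2 * sizeof(struct sb_inst_t));
+new_insts[jump_idx + 0].inst = SB_INST_LOAD;
+new_insts[jump_idx + 0].size = boot_sz;
+new_insts[jump_idx + 0].data = memdup(boot, boot_sz);
+new_insts[jump_idx + 0].addr = imx_models[model].bootloader_addr;
+new_insts[jump_idx + 1].inst = SB_INST_CALL;
+new_insts[jump_idx + 1].addr = imx_models[model].bootloader_addr;
+new_insts[jump_idx + 1].argument = recovery ? MAGIC_RECOVERY : MAGIC_NORMAL;
+
+free(sec->insts);
+sec->insts = new_insts;
+sec->nr_insts = jump_idx + 2;
+/* remove all other sections */
+for(int i = 1; i < sb_file->nr_sections; i++)
+sb_free_section(sb_file->sections[i]);
+struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t));
+memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t));
+free(sb_file->sections);
+sb_file->sections = new_sec;
+sb_file->nr_sections = 1;
+
+return IMX_SUCCESS;
+}
+else
+{
+printf("[ERR] Bad output type !\n");
+return IMX_DONT_KNOW_HOW_TO_PATCH;
+}
+}
+
+static enum imx_error_t patch_firmware(int model, enum imx_output_type_t type,
+struct sb_file_t *sb_file, void *boot, size_t boot_sz)
+{
+switch(model)
+{
+case MODEL_FUZEPLUS:
+/* The Fuze+ uses the standard ____, host, play sections, patch after third
+* call in ____ section */
+return patch_std_zero_host_play(3, model, type, sb_file, boot, boot_sz);
+default:
+return IMX_DONT_KNOW_HOW_TO_PATCH;
+}
+}
+
+static void imx_printf(void *user, bool error, color_t c, const char *fmt, ...)
+{
+(void) user;
+(void) c;
+va_list args;
+va_start(args, fmt);
+/*
+if(error)
+printf("[ERR] ");
+else
+printf("[INFO] ");
+*/
+vprintf(fmt, args);
+va_end(args);
+}
+
+static uint32_t get_uint32be(unsigned char *p)
+{
+return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+}
+
+enum imx_error_t mkimxboot(const char *infile, const char *bootfile,
+const char *outfile, struct imx_option_t opt)
+{
+/* Dump tables */
+do
+{
+printf("[INFO] mkimxboot models:\n");
+for(int i = 0; i < NR_IMX_MODELS; i++)
+{
+printf("[INFO] %s: idx=%d rb_model=%s rb_num=%d\n",
+imx_models[i].model_name, i, imx_models[i].rb_model_name,
+imx_models[i].rb_model_num);
+}
+printf("[INFO] mkimxboot mapping:\n");
+for(int i = 0; i < NR_IMX_SUMS; i++)
+{
+printf("[INFO] md5sum=%s -> idx=%d\n", imx_sums[i].md5sum,
+imx_sums[i].model);
+}
+}while(0);
+/* compute MD5 sum of the file */
+uint8_t file_md5sum[16];
+do
+{
+FILE *f = fopen(infile, "rb");
+if(f == NULL)
+{
+printf("[ERR] Cannot open input file\n");
+return IMX_OPEN_ERROR;
+}
+fseek(f, 0, SEEK_END);
+size_t sz = ftell(f);
+fseek(f, 0, SEEK_SET);
+void *buf = xmalloc(sz);
+if(fread(buf, sz, 1, f) != 1)
+{
+fclose(f);
+free(buf);
+printf("[ERR] Cannot read file\n");
+return IMX_READ_ERROR;
+}
+fclose(f);
+md5_context ctx;
+md5_starts(&ctx);
+md5_update(&ctx, buf, sz);
+md5_finish(&ctx, file_md5sum);
+free(buf);
+}while(0);
+printf("[INFO] MD5 sum of the file: ");
+print_hex(file_md5sum, 16, true);
+/* find model */
+int model;
+do
+{
+int i = 0;
+while(i < NR_IMX_SUMS)
+{
+uint8_t md5[20];
+if(strlen(imx_sums[i].md5sum) != 32)
+{
+printf("[INFO] Invalid MD5 sum in imx_sums\n");
+return IMX_ERROR;
+}
+for(int j = 0; j < 16; j++)
+{
+byte a, b;
+if(convxdigit(imx_sums[i].md5sum[2 * j], &a) || convxdigit(imx_sums[i].md5sum[2 * j + 1], &b))
+return false;
+md5[j] = (a << 4) | b;
+}
+if(memcmp(file_md5sum, md5, 16) == 0)
+break;
+i++;
+}
+if(i == NR_IMX_SUMS)
+{
+printf("[ERR] MD5 sum doesn't match any known file\n");
+return IMX_NO_MATCH;
+}
+model = imx_sums[i].model;
+}while(0);
+printf("[INFO] File is for model %d (%s)\n", model, imx_models[model].model_name);
+/* load rockbox file */
+uint8_t *boot;
+size_t boot_size;
+do
+{
+FILE *f = fopen(bootfile, "rb");
+if(f == NULL)
+{
+printf("[ERR] Cannot open boot file\n");
+return IMX_OPEN_ERROR;
+}
+fseek(f, 0, SEEK_END);
+boot_size = ftell(f);
+fseek(f, 0, SEEK_SET);
+boot = xmalloc(boot_size);
+if(fread(boot, boot_size, 1, f) != 1)
+{
+free(boot);
+fclose(f);
+printf("[ERR] Cannot read boot file\n");
+return IMX_READ_ERROR;
+}
+fclose(f);
+}while(0);
+/* Check boot file */
+do
+{
+if(boot_size < 8)
+{
+printf("[ERR] Bootloader file is too small to be valid\n");
+free(boot);
+return IMX_BOOT_INVALID;
+}
+/* check model name */
+uint8_t *name = boot + 4;
+if(memcmp(name, imx_models[model].rb_model_name, 4) != 0)
+{
+printf("[ERR] Bootloader model doesn't match found model for input file\n");
+free(boot);
+return IMX_BOOT_MISMATCH;
+}
+/* check checksum */
+uint32_t sum = imx_models[model].rb_model_num;
+for(int i = 8; i < boot_size; i++)
+sum += boot[i];
+if(sum != get_uint32be(boot))
+{
+printf("[ERR] Bootloader checksum mismatch\n");
+free(boot);
+return IMX_BOOT_CHECKSUM_ERROR;
+}
+}while(0);
+/* load OF file */
+struct sb_file_t *sb_file;
+do
+{
+enum sb_error_t err;
+g_debug = opt.debug;
+clear_keys();
+add_keys(imx_models[model].keys, imx_models[model].nr_keys);
+sb_file = sb_read_file(infile, false, NULL, &imx_printf, &err);
+if(sb_file == NULL)
+{
+clear_keys();
+free(boot);
+return IMX_FIRST_SB_ERROR + err;
+}
+}while(0);
+/* produce file */
+enum imx_error_t ret = patch_firmware(model, opt.output, sb_file, boot + 8, boot_size - 8);
+if(ret == IMX_SUCCESS)
+ret = sb_write_file(sb_file, outfile);
+
+clear_keys();
+free(boot);
+sb_free(sb_file);
+return ret;
+}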
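Review bot: Both file-loading blocks in mkimxboot() (new-file lines 280-283 and 343-346) store the result of ftell() directly in a size_t and never check fseek(), so a failed or unseekable input turns -1 into a huge length that goes straight to xmalloc() and fread(). Read the length into a long first and bail out on a negative value, e.g. `long len = ftell(f); if(len < 0) { fclose(f); printf("[ERR] Cannot read file\n"); return IMX_READ_ERROR; }`. In the model lookup, `return false;` at line 317 leaves a function typed enum imx_error_t with the value 0, which the caller may well read as success (the enum is not visible here); `return IMX_ERROR;` would match the check just above it. get_uint32be() shifts an int-promoted byte left by 24, which is undefined for bytes >= 0x80 read from the boot file; `((uint32_t)p[0] << 24)` avoids that.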