2 files changed, 473 insertions, 128 deletions
diff --git a/utils/AMS/hacking/Makefile b/utils/AMS/hacking/Makefile
index 1a297bc3ab..bd062cfc5c 100644
--- a/utils/AMS/hacking/Makefile
+++ b/utils/AMS/hacking/Makefile
@@ -1,7 +1,7 @@
 all: amsinfo
 amsinfo: amsinfo.c
-        gcc -o amsinfo -W -Wall amsinfo.c
+        $(CC) -ansi -o amsinfo -W -Wall amsinfo.c
 clean:
        rm -fr amsinfo
diff --git a/utils/AMS/hacking/amsinfo.c b/utils/AMS/hacking/amsinfo.c
index 1aed9db075..631345f2f9 100644
--- a/utils/AMS/hacking/amsinfo.c
+++ b/utils/AMS/hacking/amsinfo.c
@@ -1,175 +1,520 @@
 /*
+ * Copyright © 2008 Rafaël Carré <rafael.carre@gmail.com>
-amsinfo - a tool for examining AMS firmware files
+ *
+ * This program is free software; you can redistribute it and/or modify
-Copyright (C) Dave Chapman 2007
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
-This program is free software; you can redistribute it and/or modify
+ * (at your option) any later version.
-it under the terms of the GNU General Public License as published by
+ *
-the Free Software Foundation; either version 2 of the License, or
+ * This program is distributed in the hope that it will be useful,
-(at your option) any later version.
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-This program is distributed in the hope that it will be useful,
+ * GNU General Public License for more details.
-but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * You should have received a copy of the GNU General Public License
-GNU General Public License for more details.
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
-You should have received a copy of the GNU General Public License
+ *
-along with this program; if not, write to the Free Software
+ */
-Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
+#define _ISOC99_SOURCE /* snprintf() */
-*/
 #include <stdio.h>
-#include <stdlib.h>
-#include <stdint.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#include <errno.h>
 #include <unistd.h>
+#include <stdlib.h>
+#include <inttypes.h>
+#include <string.h>
+#if 1 /* ANSI colors */
-/* Win32 compatibility */
+#       define color(a) printf("%s",a)
-#ifndef O_BINARY
+char OFF[]              = { 0x1b, 0x5b, 0x31, 0x3b, '0', '0', 0x6d, '\0' };
-#define O_BINARY 0
-#endif
-#define PAD_TO_BOUNDARY(x) ((x) + 0x1ff) & ~0x1ff;
-static off_t filesize(int fd) {
+char GREY[]     = { 0x1b, 0x5b, 0x31, 0x3b, '3', '0', 0x6d, '\0' };
-    struct stat buf;
+char RED[]              = { 0x1b, 0x5b, 0x31, 0x3b, '3', '1', 0x6d, '\0' };
+char GREEN[]    = { 0x1b, 0x5b, 0x31, 0x3b, '3', '2', 0x6d, '\0' };
+char YELLOW[]   = { 0x1b, 0x5b, 0x31, 0x3b, '3', '3', 0x6d, '\0' };
+char BLUE[]     = { 0x1b, 0x5b, 0x31, 0x3b, '3', '4', 0x6d, '\0' };
-    if (fstat(fd,&buf) < 0) {
+#else
-        perror("[ERR]  Checking filesize of input file");
+        /* disable colors */
-        return -1;
+#       define color(a)
-    } else {
+#endif
-        return(buf.st_size);
-    }
-}
-static uint32_t get_uint32le(unsigned char* p)
+#define LIB_OFFSET 160 /* FIXME (see below) */
+/* The alignement of library blocks (in number of 0x200 bytes blocks)
+ * alignement   -       md5sum          -                       filename                -       model
+ * 120 : fc9dd6116001b3e6a150b898f1b091f0  m200p-4.1.08A.bin    M200
+ * 128 : 82e3194310d1514e3bbcd06e84c4add3  m200p.bin                    Fuze
+ * 160 : c12711342169c66e209540cd1f27cd26  m300f.bin                    CLIP
+ *
+ * Note : the size of library blocks is variable:
+ *
+ * For m200p-4.1.08A.bin it's always 0x1e000 blocks = 240 * 0x200
+ *
+ * For m200p.bin it can be 0x20000 (256*0x200) or 0x40000 (512*0x200)
+ *              (for "acp_decoder" and "sd_reload__" blocks)
+ *
+ * For m300f.bin it can be 0x28000 (320*0x200) or 0x14000 (160 * 0x200)
+ *
+ */
+#define bug(...) do { fprintf(stderr,"ERROR: "__VA_ARGS__); exit(1); } while(0)
+#define bugp(a) do { perror("ERROR: "a); exit(1); } while(0)
+/* byte swapping */
+#define get32le(a) ((uint32_t) \
+    ( buf[a+3] << 24 | buf[a+2] << 16 | buf[a+1] << 8 | buf[a] ))
+#define get16le(a) ((uint16_t)( buf[a+1] << 8 | buf[a] ))
+/* all blocks are sized as a multiple of 0x1ff */
+#define PAD_TO_BOUNDARY(x) (((x) + 0x1ff) & ~0x1ff)
+/* If you find a firmware that breaks the known format ^^ */
+#define assert(a) do { if(!(a)) { fprintf(stderr,"Assertion \"%s\" failed in %s() line %d!\n\nPlease send us your firmware!\n",#a,__func__,__LINE__); exit(1); } } while(0)
+/* globals */
+size_t sz;      /* file size */
+uint8_t *buf; /* file content */
+/* 1st block description */
+uint32_t idx,checksum,bs_multiplier,firmware_sz;
+uint32_t unknown_4_1; uint8_t unknown_1,id; uint16_t unknown_2;
+uint32_t unknown_4_2,unknown_4_3;
+static void *xmalloc(size_t s) /* malloc helper */
 {
-    return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
+        void * r = malloc(s);
+        if(!r) bugp("malloc");
+        return r;
 }
-static uint16_t get_uint16le(unsigned char* p)
+/* known models */
+static const char * model(uint8_t id)
 {
-    return p[0] | (p[1] << 8);
+        switch(id)
+        {
+                case 0x1E: return "FUZE"; break;
+                case 0x22: return "CLIP"; break;
+                case 0x23: return "C200"; break;
+                case 0x24: return "E200"; break;
+                case 0x25: return "M200"; break;
+                case 0x27: return "CLV2"; break;
+        case 0x70:
+                case 0x6d: return "FUZ2"; break;
+                default:
+                printf("Unknown ID 0x%x\n", id);
+                assert(id == 0x1E || (id > 0x21 && id < 0x26));
+                return "UNKNOWN!";
+        }
 }
-static int calc_checksum(unsigned char* buf, int n)
+/* checksums the firmware (the firmware header contains the verification) */
+static uint32_t do_checksum(void)
 {
-    int sum = 0;
+        uint32_t c = 0;
-    int i;
-    for (i=0;i<n;i+=4)
+        size_t i = 0x400/4;
-        sum += get_uint32le(buf + 0x400 + i);
+        while(i<(0x400+firmware_sz)/4)
+                c += ((uint32_t*)buf)[i++];
-    return sum;
+        return c;
 }
+/* verify the firmware header */
-static void dump_header(unsigned char* buf, int i)
+static void check(void)
 {
-    printf("0x%08x:\n",i);
+        uint32_t checksum2;
-    printf("  HEADER: 0x%08x\n",i);
-    printf("    FirmwareHeaderIndex:     0x%08x\n",get_uint32le(&buf[i]));
+        assert(sz >= 0x400 && sz % 0x200 == 0);
-    printf("    FirmwareChecksum:        0x%08x\n",get_uint32le(&buf[i+0x04]));
-    printf("    CodeBlockSizeMultiplier: 0x%08x\n",get_uint32le(&buf[i+0x08]));
+        size_t i;
-    printf("    FirmwareSize:            0x%08x\n",get_uint32le(&buf[i+0x0c]));
+        checksum2 = 0;
-    printf("    Unknown1:                0x%08x\n",get_uint32le(&buf[i+0x10]));
+        for(i=0;i<sz/4-1;i++)
-    printf("    ModelID:                 0x%04x\n",get_uint16le(&buf[i+0x14]));
+                checksum2 += ((uint32_t*)buf)[i];
-    printf("    Unknown2:                0x%04x\n",get_uint16le(&buf[i+0x16]));
+        uint32_t last_word = get32le(sz - 4);
+        switch(last_word)
+        {
+                case 0:                         /* no whole file checksum */
+                        break;
+                case 0xefbeadde:        /* no whole file checksum */
+                        break;
+                default:                        /* verify whole file checksum */
+                        assert(last_word == checksum2);
+        }
+        idx = get32le(0);
+        unsigned int shift = (get32le(4) == 0x0000f000) ? 4 : 0;
+        checksum = get32le(4 + shift);
+        bs_multiplier = get32le(8 + shift);
+        firmware_sz = get32le(0xc + shift);
+        assert(bs_multiplier << 9 == PAD_TO_BOUNDARY(firmware_sz)); /* 0x200 * bs_multiplier */
+        unknown_4_1 = get32le(0x10 + shift);
+        unknown_1 = buf[0x14 + shift];
+        id = buf[0x15 + shift];
+        unknown_2 = get16le(0x16 + shift);
+        unknown_4_2 = get32le(0x18 + shift);
+        unknown_4_3 = get32le(0x1c + shift);
+        color(GREEN);
+        printf("4 Index                  %d\n",idx);
+        assert(idx == 0);
+        color(GREEN);
+        printf("4 Firmware Checksum      %x",checksum);
+        checksum2=do_checksum();
+        color(GREEN);
+        printf(" (%x)\n",checksum2);
+        assert(checksum == checksum2);
+        color(GREEN);
+        printf("4 Block Size Multiplier  %x\n",bs_multiplier);
+        color(GREEN);
+        printf("4 Firmware block size    %x (%d)\n",firmware_sz,firmware_sz);
+        color(GREEN);
+        printf("4 Unknown (should be 3)  %x\n",unknown_4_1);
+        assert(unknown_4_1 == 3);
+        /* variable */
+        color(GREEN);
+        printf("1 Unknown                %x\n",unknown_1);
+        color(GREEN);
+        printf("1 Model ID               %x (%s)\n",id,model(id));
+        color(GREEN);
+        printf("2 Unknown (should be 0)  %x\n",unknown_2);
+        assert(unknown_2 == 0);
+        color(GREEN);
+        printf("4 Unknown (should be 40) %x\n",unknown_4_2);
+        assert(unknown_4_2 == 0x40 );
+        color(GREEN);
+        printf("4 Unknown (should be 1)  %x\n",unknown_4_3);
+        assert(unknown_4_3 == 1);
+        /* rest of the block is padded with 0xff */
+        for(i=0x20 + shift;i<0x200 - shift;i++)
+                assert(buf[i]==0xff /* normal case */ ||
+                        ((id==0x1e||id==0x24) && ( /* Fuze or E200 */
+                                (i>=0x3c && i<=0x3f && get32le(0x3c)==0x00005000)
+                        )));
+        /* the 2nd block is identical, except that the 1st byte has been incremented */
+        assert(buf[0x0]==0&&buf[0x200]==1);
+        assert(!memcmp(&buf[1],&buf[0x201],0x1FF - shift));
 }
-static int dump_lib(unsigned char* buf, int i)
+typedef enum
 {
-    int export_count;
-    int size;
-    int unknown1;
-    int baseaddr, endaddr;
-    baseaddr = get_uint32le(&buf[i+0x04]);
-    endaddr = get_uint32le(&buf[i+0x08]);
-    size = get_uint32le(&buf[i+0x0c]);
-    unknown1 = get_uint32le(&buf[i+0x10]);
-    export_count = get_uint32le(&buf[i+0x14]);
-    printf("0x%08x: \"%s\"  0x%08x  0x%08x  0x%08x  0x%08x  0x%08x\n",i, buf + i + get_uint32le(&buf[i]),baseaddr,endaddr,size,unknown1,export_count);
 #if 0
-    if (export_count > 1) { 
+        FW_HEADER,
-      for (j=0;j<export_count;j++) {
+        FW,
-        printf("    Exports[%02d]:   0x%08x\n",j,get_uint32le(&buf[i+0x18+4*j]));
-      }
-    }
 #endif
-    return PAD_TO_BOUNDARY(size);
+        LIB,
-}
+        PAD,
+        HEADER,
+        UNKNOWN
+} type;
-int main(int argc, char* argv[])
+static unsigned int n_libs = 0, n_pads_ff = 0, n_pads_deadbeef = 0, n_unkn = 0, n_headers = 0;
-{
-    int fd;
-    off_t len;
-    int n;
-    unsigned char* buf;
-    int firmware_size;
-    int i;
-    if (argc != 2) {
+static void show_lib(size_t off)
-         fprintf(stderr,"USAGE: amsinfo firmware.bin\n");
+{
-         return 1;
+        /* first word: char* */
-    }
+        uint32_t start = get32le(off+4);
+        uint32_t stop = get32le(off+8);
-    fd = open(argv[1],O_RDONLY|O_BINARY);
-    if ((len = filesize(fd)) < 0)
+        uint32_t size = get32le(off+0xc);
-        return 1;
-    if ((buf = malloc(len)) == NULL) {
+#if 0 /* library block hacking */
-        fprintf(stderr,"[ERR]  Could not allocate buffer for input file (%d bytes)\n",(int)len);
+        /* assert(stop > start); */
-        return 1;
-    }
-    n = read(fd, buf, len);
+        /* assert(stop - start == size); */
-    if (n != len) {
+        if(stop - start != size)
-        fprintf(stderr,"[ERR] Could not read file\n");
+        {
-        return 1;
+                color(RED);
-    }
+                printf("STOP - START != SIZE || 0x%.8x - 0x%.8x == 0x%.8x != 0x%.8x\n",
+                                stop, start, stop - start, size);
+        }
-    close(fd);
+        color(RED);
+        printf("0x%.8x -> 0x%.8x SIZE 0x%.6x\n", start, stop, size);
-    /* Now we dump the firmware structure */
+        uint32_t first = get32le(off+0x10); /* ? */
+        printf("? = 0x%.8x , ",first);
+#endif
-    dump_header(buf,0);      /* First copy of header block */
+        uint32_t funcs = get32le(off+0x14); /* nmbr of functions */
-//    dump_header(buf,0x200);  /* Second copy of header block */
+        color(YELLOW);
+        printf("\t%d funcs",funcs);
+        unsigned int i;
+        for(i=0;i<funcs;i++)
+        {
+                uint32_t fptr = get32le(off+0x18+i*4);
+                if(!fptr)
+                {
+                        assert(funcs==1); /* if 1 function is exported, it's empty */
+                }
+                else
+                {
+                        assert(fptr - start < 0x0000ffff);
+                        /* printf("0x%.4x ",fptr); */
+                }
+        }
+        color(BLUE);
+        printf("\tBASE 0x%.8x (code + 0x%x) END 0x%.8x : SIZE 0x%.8x\n",start, 0x18 + i*4, stop, stop - start);
+        char name[12+1];
+        memcpy(name,&buf[off+get32le(off)],12);
+        name[12] = '\0';
+        FILE *out = fopen(name,"w");
+        if(!out)
+                bug("library block");
+        if(fwrite(&buf[off],size,1,out)!=1)
+                bug();
+        fclose(out);
+}
-    firmware_size = get_uint32le(&buf[0x0c]);
+static int unknown = 0;
+static int padding = 0;
+static void print_block(size_t off, type t)
+{
+        /* reset counters if needed */
+        if(t != UNKNOWN && unknown)
+        {       /* print only the number of following blocks */
+                color(GREY);
+                printf("%d unknown blocks (0x%.6x bytes)\n",unknown,unknown*0x200);
+                unknown = 0;
+        }
+        else if(t != PAD && padding)
+        {       /* same */
+                color(GREY);
+                printf("%d padding blocks (0x%.6x bytes)\n",padding,padding*0x200);
+                padding = 0;
+        }
+        if(t != UNKNOWN && t != PAD) /* for other block types, always print the offset */
+        {
+                color(GREEN);
+                printf("0x%.6x\t", (unsigned int)off);
+                color(OFF);
+        }
+        switch(t)
+        {
+                size_t s;
+                FILE *f;
+                char filename[8+4]; /* unknown\0 , 10K max */
+#if 0
+                case FW_HEADER:
+                        printf("firmware header 0x%x\n",off);
+                        break;
+                case FW:
+                        printf("firmware block  0x%x\n",off);
+                        break;
+#endif
+                case LIB:
+                        s = LIB_OFFSET * 0x200;
+                        while(s < get32le(off+12))
+                                s <<= 1;
+                        color(RED);
+                        printf("library block   0x%.6x\t->\t0x%.6x\t\"%s\"\n",
+                                        (unsigned int)s, (unsigned int)(off+s),
+                    &buf[off+get32le(off)]);
+                        show_lib(off);
+                        n_libs++;
+                        break;
+                case PAD:
+                        if(buf[off] == 0xff)
+                                n_pads_ff++;
+                        else
+                                n_pads_deadbeef++;
+                        padding++;
+                        break;
+                case UNKNOWN:
+                        unknown++;
+            n_unkn++;
+#if 0       /* do not dump unknown blocks */
+                        snprintf(filename, sizeof(filename), "unknown%d", n_unkn);
+                        f = fopen(filename, "w");
+                        if(f)
+                        {
+                                if( fwrite(buf+off, 0x200, 1, f) != 1 )
+                                        bugp("unknown block");
+                                fclose(f);
+                        }
+                        else
+                                bugp("unknown block");
+#endif
+                        break;
+                case HEADER:
+                        color(YELLOW);
+                        printf("header block    0x%.6x\t->\t0x%.6x\n",
+                                        PAD_TO_BOUNDARY(get32le(off)),
+                                        (unsigned int)PAD_TO_BOUNDARY(off+get32le(off)));
+                snprintf(filename, sizeof(filename), "header%d", n_headers++);
+                f = fopen(filename,"w");
+                if(!f)
+                    bug("header");
+                if(fwrite(&buf[off],get32le(off),1,f)!=1)
+                    bug();
+                fclose(f);
+                        break;
+                default:
+                        abort();
+        }
+        if(t != PAD && t != UNKNOWN)
+                printf("\n");
+}
-    printf("Calculated firmware checksum: 0x%08x\n",calc_checksum(buf,firmware_size));
+static size_t verify_block(size_t off)
+{
+        assert(!(off%0x200));
+        assert(off+0x200 < sz);
+        size_t s = 0x200;
+        type t = UNKNOWN;
+        size_t offset_str = get32le(off);
+        if(get32le(off) == 0xefbeadde )
+        {
+#if 0 /* some blocks begin with 0xdeadbeef but aren't padded with that value */
+                unsigned int i;
+                for(i=0;i<s;i+=4)
+                        assert(get32le(off+i) == 0xefbeadde);
+#endif
+                t = PAD;
+        }
+        else if( *(uint32_t*)(&buf[off]) == 0xffffffff)
+        {
+                unsigned int i;
+                for(i=0;i<s;i++)
+                        assert(buf[off+i] == 0xff);
+                t = PAD;
+        }
+        else if(off+offset_str+12<sz) /* XXX: we should check that the address at which
+                                                                        * the string is located is included in this
+                                                                        * library block's size, but we only know the
+                                                                        * block's size after we confirmed that this is 
+                                                                        * a library block (by looking at the 11 chars
+                                                                        * ASCII string). */
+        {
+                short int ok = 1;
+                unsigned int i;
+                for(i=0;i<11;i++)
+                        if(buf[off+offset_str+i] >> 7 || !buf[off+offset_str+i])
+                                ok = 0;
+                if(buf[off+offset_str+11])
+                        ok = 0;
+                if(ok) /* library block */
+                {
+                        t = LIB;
+                        s = LIB_OFFSET * 0x200;
+                        while(s < get32le(off+12))      /* of course the minimum is the size
+                                                                                                * specified in the block header */
+                                s <<= 1;
+                }
+                else
+                        t = UNKNOWN;
+        }
+        else
+                t = UNKNOWN;
+        if(t==UNKNOWN)
+        {
+                if(!strncmp((char*)buf+off+8,"HEADER",6))
+                {
+                        s = PAD_TO_BOUNDARY(get32le(off)); /* first 4 bytes le are the block size */
+                        t = HEADER;
+                }
+        }
+        print_block(off,t);
+        return PAD_TO_BOUNDARY(s);
+}
-    /* Round size up to next multiple of 0x200 */
+static void extract(void)
+{
+        FILE *out = fopen("firmware","w");
+        if(!out)
+                bug("firmware");
+        if(fwrite(&buf[0x400],firmware_sz,1,out)!=1)
+                bug("firmare writing");
+        fclose(out);
+        off_t off = PAD_TO_BOUNDARY(0x400 + firmware_sz);
+        unsigned int n = 0;
+        printf("\n");
+        color(RED);
+        printf("Extracting\n\n");
+        while((unsigned int)(off+0x200)<sz)
+        {
+                /* look at the next 0x200 bytes if we can recognize a block type */
+                off += verify_block(off); /* then skip its real size */
+                n++;    /* and look at the next block ;) */
+        }
+        /* statistics */
+        printf("\n");
+        color(RED);
+        printf("TOTAL\t%d\tblocks (%d unknown)\n",n,n_unkn);
+        color(BLUE);
+        printf("\t%d\tlibs\n",n_libs);
+        color(GREY);
+        printf("\t%d\tpads ff\n",n_pads_ff);
+        color(GREY);
+        printf("\t%d\tpads deadbeef\n",n_pads_deadbeef);
+        color(GREEN);
+        printf("\t%d\theaders\n",n_headers);
+}
-    firmware_size = PAD_TO_BOUNDARY(firmware_size);
+int main(int argc, const char **argv)
+{
+        int fd;
+        struct stat st;
+        if(argc != 2)
+                bug("Usage: %s <firmware>\n",*argv);
-    i = firmware_size + 0x400;
+        if( (fd = open(argv[1],O_RDONLY)) == -1 )
+                bugp("opening firmware failed");
-    printf("LIBRARY BLOCKS:\n");
+        if(fstat(fd,&st) == -1)
-    printf("Offset      Name           BaseAddr    EndAddr     BlockSize   Unknown1    EntryCount\n");
+                bugp("firmware stat() failed");
+        sz = st.st_size;
-    while (get_uint32le(&buf[i]) != 0xffffffff)
+        buf=xmalloc(sz);
-    {
+        if(read(fd,buf,sz)!=(ssize_t)sz) /* load the whole file into memory */
-        i += dump_lib(buf,i);
+                bugp("reading firmware");
-        while (get_uint32le(&buf[i]) == 0xefbeadde)
+        close(fd);
-           i+=4;
-    }
-    printf("0x%08x: PADDING BLOCK\n",i);
+        check();        /* verify header and checksums */
- 
+        extract();      /* split in blocks */
-    return 0;
+        free(buf);
+        return 0;
 }

diff --git a/utils/AMS/hacking/Makefile b/utils/AMS/hacking/Makefile index 1a297bc3ab..bd062cfc5c 100644 --- a/utils/AMS/hacking/Makefile +++ b/utils/AMS/hacking/Makefile
@@ -1,7 +1,7 @@
1	all: amsinfo	1	all: amsinfo
2		2
3	amsinfo: amsinfo.c	3	amsinfo: amsinfo.c
4	gcc -o amsinfo -W -Wall amsinfo.c	4	$(CC) -ansi -o amsinfo -W -Wall amsinfo.c
5		5
6	clean:	6	clean:
7	rm -fr amsinfo	7	rm -fr amsinfo


diff --git a/utils/AMS/hacking/amsinfo.c b/utils/AMS/hacking/amsinfo.c index 1aed9db075..631345f2f9 100644 --- a/utils/AMS/hacking/amsinfo.c +++ b/utils/AMS/hacking/amsinfo.c
@@ -1,175 +1,520 @@
1	/*	1	/*
2		2	* Copyright © 2008 Rafaël Carré <rafael.carre@gmail.com>
3	amsinfo - a tool for examining AMS firmware files	3	*
4		4	* This program is free software; you can redistribute it and/or modify
5	Copyright (C) Dave Chapman 2007	5	* it under the terms of the GNU General Public License as published by
6		6	* the Free Software Foundation; either version 2 of the License, or
7	This program is free software; you can redistribute it and/or modify	7	* (at your option) any later version.
8	it under the terms of the GNU General Public License as published by	8	*
9	the Free Software Foundation; either version 2 of the License, or	9	* This program is distributed in the hope that it will be useful,
10	(at your option) any later version.	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
11		11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	This program is distributed in the hope that it will be useful,	12	* GNU General Public License for more details.
13	but WITHOUT ANY WARRANTY; without even the implied warranty of	13	*
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the	14	* You should have received a copy of the GNU General Public License
15	GNU General Public License for more details.	15	* along with this program; if not, write to the Free Software
16		16	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA
17	You should have received a copy of the GNU General Public License	17	*
18	along with this program; if not, write to the Free Software	18	*/
19	Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA	19
20		20	#define _ISOC99_SOURCE /* snprintf() */
21	*/
22
23	#include <stdio.h>	21	#include <stdio.h>
24	#include <stdlib.h>
25	#include <stdint.h>
26	#include <sys/types.h>	22	#include <sys/types.h>
27	#include <sys/stat.h>	23	#include <sys/stat.h>
28	#include <fcntl.h>	24	#include <fcntl.h>
		25	#include <errno.h>
29	#include <unistd.h>	26	#include <unistd.h>
		27	#include <stdlib.h>
		28	#include <inttypes.h>
		29	#include <string.h>
30		30
		31	#if 1 /* ANSI colors */
31		32
32	/* Win32 compatibility */	33	# define color(a) printf("%s",a)
33	#ifndef O_BINARY	34	char OFF[] = { 0x1b, 0x5b, 0x31, 0x3b, '0', '0', 0x6d, '\0' };
34	#define O_BINARY 0
35	#endif
36
37
38	#define PAD_TO_BOUNDARY(x) ((x) + 0x1ff) & ~0x1ff;
39
40		35
41	static off_t filesize(int fd) {	36	char GREY[] = { 0x1b, 0x5b, 0x31, 0x3b, '3', '0', 0x6d, '\0' };
42	struct stat buf;	37	char RED[] = { 0x1b, 0x5b, 0x31, 0x3b, '3', '1', 0x6d, '\0' };
		38	char GREEN[] = { 0x1b, 0x5b, 0x31, 0x3b, '3', '2', 0x6d, '\0' };
		39	char YELLOW[] = { 0x1b, 0x5b, 0x31, 0x3b, '3', '3', 0x6d, '\0' };
		40	char BLUE[] = { 0x1b, 0x5b, 0x31, 0x3b, '3', '4', 0x6d, '\0' };
43		41
44	if (fstat(fd,&buf) < 0) {	42	#else
45	perror("[ERR] Checking filesize of input file");	43	/* disable colors */
46	return -1;	44	# define color(a)
47	} else {	45	#endif
48	return(buf.st_size);
49	}
50	}
51		46
52	static uint32_t get_uint32le(unsigned char* p)	47	#define LIB_OFFSET 160 /* FIXME (see below) */
		48	/* The alignement of library blocks (in number of 0x200 bytes blocks)
		49	* alignement - md5sum - filename - model
		50	* 120 : fc9dd6116001b3e6a150b898f1b091f0 m200p-4.1.08A.bin M200
		51	* 128 : 82e3194310d1514e3bbcd06e84c4add3 m200p.bin Fuze
		52	* 160 : c12711342169c66e209540cd1f27cd26 m300f.bin CLIP
		53	*
		54	* Note : the size of library blocks is variable:
		55	*
		56	* For m200p-4.1.08A.bin it's always 0x1e000 blocks = 240 * 0x200
		57	*
		58	* For m200p.bin it can be 0x20000 (2560x200) or 0x40000 (5120x200)
		59	* (for "acp_decoder" and "sd_reload__" blocks)
		60	*
		61	* For m300f.bin it can be 0x28000 (3200x200) or 0x14000 (160 0x200)
		62	*
		63	*/
		64
		65	#define bug(...) do { fprintf(stderr,"ERROR: "__VA_ARGS__); exit(1); } while(0)
		66	#define bugp(a) do { perror("ERROR: "a); exit(1); } while(0)
		67
		68	/* byte swapping */
		69	#define get32le(a) ((uint32_t) \
		70	( buf[a+3] << 24 \| buf[a+2] << 16 \| buf[a+1] << 8 \| buf[a] ))
		71	#define get16le(a) ((uint16_t)( buf[a+1] << 8 \| buf[a] ))
		72
		73	/* all blocks are sized as a multiple of 0x1ff */
		74	#define PAD_TO_BOUNDARY(x) (((x) + 0x1ff) & ~0x1ff)
		75
		76	/* If you find a firmware that breaks the known format ^^ */
		77	#define assert(a) do { if(!(a)) { fprintf(stderr,"Assertion \"%s\" failed in %s() line %d!\n\nPlease send us your firmware!\n",#a,__func__,__LINE__); exit(1); } } while(0)
		78
		79	/* globals */
		80
		81	size_t sz; /* file size */
		82	uint8_t buf; / file content */
		83
		84
		85	/* 1st block description */
		86	uint32_t idx,checksum,bs_multiplier,firmware_sz;
		87	uint32_t unknown_4_1; uint8_t unknown_1,id; uint16_t unknown_2;
		88	uint32_t unknown_4_2,unknown_4_3;
		89
		90	static void xmalloc(size_t s) / malloc helper */
53	{	91	{
54	return p[0] \| (p[1] << 8) \| (p[2] << 16) \| (p[3] << 24);	92	void * r = malloc(s);
		93	if(!r) bugp("malloc");
		94	return r;
55	}	95	}
56		96
57	static uint16_t get_uint16le(unsigned char* p)	97	/* known models */
		98	static const char * model(uint8_t id)
58	{	99	{
59	return p[0] \| (p[1] << 8);	100	switch(id)
		101	{
		102	case 0x1E: return "FUZE"; break;
		103	case 0x22: return "CLIP"; break;
		104	case 0x23: return "C200"; break;
		105	case 0x24: return "E200"; break;
		106	case 0x25: return "M200"; break;
		107	case 0x27: return "CLV2"; break;
		108	case 0x70:
		109	case 0x6d: return "FUZ2"; break;
		110	default:
		111	printf("Unknown ID 0x%x\n", id);
		112
		113	assert(id == 0x1E \|\| (id > 0x21 && id < 0x26));
		114	return "UNKNOWN!";
		115	}
60	}	116	}
61		117
62	static int calc_checksum(unsigned char* buf, int n)	118	/* checksums the firmware (the firmware header contains the verification) */
		119	static uint32_t do_checksum(void)
63	{	120	{
64	int sum = 0;	121	uint32_t c = 0;
65	int i;
66		122
67	for (i=0;i<n;i+=4)	123	size_t i = 0x400/4;
68	sum += get_uint32le(buf + 0x400 + i);	124	while(i<(0x400+firmware_sz)/4)
		125	c += ((uint32_t*)buf)[i++];
69		126
70	return sum;	127	return c;
71	}	128	}
72		129
73		130	/* verify the firmware header */
74	static void dump_header(unsigned char* buf, int i)	131	static void check(void)
75	{	132	{
76	printf("0x%08x:\n",i);	133	uint32_t checksum2;
77	printf(" HEADER: 0x%08x\n",i);	134
78	printf(" FirmwareHeaderIndex: 0x%08x\n",get_uint32le(&buf[i]));	135	assert(sz >= 0x400 && sz % 0x200 == 0);
79	printf(" FirmwareChecksum: 0x%08x\n",get_uint32le(&buf[i+0x04]));	136
80	printf(" CodeBlockSizeMultiplier: 0x%08x\n",get_uint32le(&buf[i+0x08]));	137	size_t i;
81	printf(" FirmwareSize: 0x%08x\n",get_uint32le(&buf[i+0x0c]));	138	checksum2 = 0;
82	printf(" Unknown1: 0x%08x\n",get_uint32le(&buf[i+0x10]));	139	for(i=0;i<sz/4-1;i++)
83	printf(" ModelID: 0x%04x\n",get_uint16le(&buf[i+0x14]));	140	checksum2 += ((uint32_t*)buf)[i];
84	printf(" Unknown2: 0x%04x\n",get_uint16le(&buf[i+0x16]));	141
		142	uint32_t last_word = get32le(sz - 4);
		143
		144	switch(last_word)
		145	{
		146	case 0: /* no whole file checksum */
		147	break;
		148	case 0xefbeadde: /* no whole file checksum */
		149	break;
		150	default: /* verify whole file checksum */
		151	assert(last_word == checksum2);
		152	}
		153
		154	idx = get32le(0);
		155	unsigned int shift = (get32le(4) == 0x0000f000) ? 4 : 0;
		156	checksum = get32le(4 + shift);
		157	bs_multiplier = get32le(8 + shift);
		158	firmware_sz = get32le(0xc + shift);
		159	assert(bs_multiplier << 9 == PAD_TO_BOUNDARY(firmware_sz)); /* 0x200 * bs_multiplier */
		160
		161	unknown_4_1 = get32le(0x10 + shift);
		162	unknown_1 = buf[0x14 + shift];
		163	id = buf[0x15 + shift];
		164	unknown_2 = get16le(0x16 + shift);
		165	unknown_4_2 = get32le(0x18 + shift);
		166	unknown_4_3 = get32le(0x1c + shift);
		167
		168	color(GREEN);
		169	printf("4 Index %d\n",idx);
		170	assert(idx == 0);
		171	color(GREEN);
		172	printf("4 Firmware Checksum %x",checksum);
		173	checksum2=do_checksum();
		174	color(GREEN);
		175	printf(" (%x)\n",checksum2);
		176	assert(checksum == checksum2);
		177	color(GREEN);
		178	printf("4 Block Size Multiplier %x\n",bs_multiplier);
		179	color(GREEN);
		180	printf("4 Firmware block size %x (%d)\n",firmware_sz,firmware_sz);
		181
		182	color(GREEN);
		183	printf("4 Unknown (should be 3) %x\n",unknown_4_1);
		184	assert(unknown_4_1 == 3);
		185
		186	/* variable */
		187	color(GREEN);
		188	printf("1 Unknown %x\n",unknown_1);
		189
		190	color(GREEN);
		191	printf("1 Model ID %x (%s)\n",id,model(id));
		192
		193	color(GREEN);
		194	printf("2 Unknown (should be 0) %x\n",unknown_2);
		195	assert(unknown_2 == 0);
		196
		197	color(GREEN);
		198	printf("4 Unknown (should be 40) %x\n",unknown_4_2);
		199	assert(unknown_4_2 == 0x40 );
		200
		201	color(GREEN);
		202	printf("4 Unknown (should be 1) %x\n",unknown_4_3);
		203	assert(unknown_4_3 == 1);
		204
		205	/* rest of the block is padded with 0xff */
		206	for(i=0x20 + shift;i<0x200 - shift;i++)
		207	assert(buf[i]==0xff /* normal case */ \|\|
		208	((id==0x1e\|\|id==0x24) && ( /* Fuze or E200 */
		209	(i>=0x3c && i<=0x3f && get32le(0x3c)==0x00005000)
		210	)));
		211
		212	/* the 2nd block is identical, except that the 1st byte has been incremented */
		213	assert(buf[0x0]==0&&buf[0x200]==1);
		214	assert(!memcmp(&buf[1],&buf[0x201],0x1FF - shift));
85	}	215	}
86		216
87	static int dump_lib(unsigned char* buf, int i)	217	typedef enum
88	{	218	{
89	int export_count;
90	int size;
91	int unknown1;
92	int baseaddr, endaddr;
93
94	baseaddr = get_uint32le(&buf[i+0x04]);
95	endaddr = get_uint32le(&buf[i+0x08]);
96	size = get_uint32le(&buf[i+0x0c]);
97	unknown1 = get_uint32le(&buf[i+0x10]);
98	export_count = get_uint32le(&buf[i+0x14]);
99
100	printf("0x%08x: \"%s\" 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n",i, buf + i + get_uint32le(&buf[i]),baseaddr,endaddr,size,unknown1,export_count);
101
102	#if 0	219	#if 0
103	if (export_count > 1) {	220	FW_HEADER,
104	for (j=0;j<export_count;j++) {	221	FW,
105	printf(" Exports[%02d]: 0x%08x\n",j,get_uint32le(&buf[i+0x18+4*j]));
106	}
107	}
108	#endif	222	#endif
109	return PAD_TO_BOUNDARY(size);	223	LIB,
110	}	224	PAD,
		225	HEADER,
		226	UNKNOWN
		227	} type;
111		228
112	int main(int argc, char* argv[])	229	static unsigned int n_libs = 0, n_pads_ff = 0, n_pads_deadbeef = 0, n_unkn = 0, n_headers = 0;
113	{
114	int fd;
115	off_t len;
116	int n;
117	unsigned char* buf;
118	int firmware_size;
119	int i;
120		230
121	if (argc != 2) {	231	static void show_lib(size_t off)
122	fprintf(stderr,"USAGE: amsinfo firmware.bin\n");	232	{
123	return 1;	233	/* first word: char* */
124	}	234	uint32_t start = get32le(off+4);
125		235	uint32_t stop = get32le(off+8);
126	fd = open(argv[1],O_RDONLY\|O_BINARY);
127		236
128	if ((len = filesize(fd)) < 0)	237	uint32_t size = get32le(off+0xc);
129	return 1;
130		238
131	if ((buf = malloc(len)) == NULL) {	239	#if 0 /* library block hacking */
132	fprintf(stderr,"[ERR] Could not allocate buffer for input file (%d bytes)\n",(int)len);	240	/* assert(stop > start); */
133	return 1;
134	}
135		241
136	n = read(fd, buf, len);	242	/* assert(stop - start == size); */
137		243
138	if (n != len) {	244	if(stop - start != size)
139	fprintf(stderr,"[ERR] Could not read file\n");	245	{
140	return 1;	246	color(RED);
141	}	247	printf("STOP - START != SIZE \|\| 0x%.8x - 0x%.8x == 0x%.8x != 0x%.8x\n",
		248	stop, start, stop - start, size);
		249	}
142		250
143	close(fd);	251	color(RED);
		252	printf("0x%.8x -> 0x%.8x SIZE 0x%.6x\n", start, stop, size);
144		253
145	/* Now we dump the firmware structure */	254	uint32_t first = get32le(off+0x10); /* ? */
		255	printf("? = 0x%.8x , ",first);
		256	#endif
146		257
147	dump_header(buf,0); /* First copy of header block */	258	uint32_t funcs = get32le(off+0x14); /* nmbr of functions */
148	// dump_header(buf,0x200); /* Second copy of header block */	259	color(YELLOW);
		260	printf("\t%d funcs",funcs);
		261
		262	unsigned int i;
		263	for(i=0;i<funcs;i++)
		264	{
		265	uint32_t fptr = get32le(off+0x18+i*4);
		266	if(!fptr)
		267	{
		268	assert(funcs==1); /* if 1 function is exported, it's empty */
		269	}
		270	else
		271	{
		272	assert(fptr - start < 0x0000ffff);
		273	/* printf("0x%.4x ",fptr); */
		274	}
		275	}
		276
		277	color(BLUE);
		278	printf("\tBASE 0x%.8x (code + 0x%x) END 0x%.8x : SIZE 0x%.8x\n",start, 0x18 + i*4, stop, stop - start);
		279
		280	char name[12+1];
		281	memcpy(name,&buf[off+get32le(off)],12);
		282	name[12] = '\0';
		283
		284	FILE *out = fopen(name,"w");
		285	if(!out)
		286	bug("library block");
		287
		288	if(fwrite(&buf[off],size,1,out)!=1)
		289	bug();
		290
		291	fclose(out);
		292	}
149		293
150	firmware_size = get_uint32le(&buf[0x0c]);	294	static int unknown = 0;
		295	static int padding = 0;
		296	static void print_block(size_t off, type t)
		297	{
		298	/* reset counters if needed */
		299	if(t != UNKNOWN && unknown)
		300	{ /* print only the number of following blocks */
		301	color(GREY);
		302	printf("%d unknown blocks (0x%.6x bytes)\n",unknown,unknown*0x200);
		303	unknown = 0;
		304	}
		305	else if(t != PAD && padding)
		306	{ /* same */
		307	color(GREY);
		308	printf("%d padding blocks (0x%.6x bytes)\n",padding,padding*0x200);
		309	padding = 0;
		310	}
		311
		312	if(t != UNKNOWN && t != PAD) /* for other block types, always print the offset */
		313	{
		314	color(GREEN);
		315	printf("0x%.6x\t", (unsigned int)off);
		316	color(OFF);
		317	}
		318
		319	switch(t)
		320	{
		321	size_t s;
		322	FILE *f;
		323	char filename[8+4]; /* unknown\0 , 10K max */
		324	#if 0
		325	case FW_HEADER:
		326	printf("firmware header 0x%x\n",off);
		327	break;
		328	case FW:
		329	printf("firmware block 0x%x\n",off);
		330	break;
		331	#endif
		332	case LIB:
		333	s = LIB_OFFSET * 0x200;
		334	while(s < get32le(off+12))
		335	s <<= 1;
		336	color(RED);
		337	printf("library block 0x%.6x\t->\t0x%.6x\t\"%s\"\n",
		338	(unsigned int)s, (unsigned int)(off+s),
		339	&buf[off+get32le(off)]);
		340	show_lib(off);
		341	n_libs++;
		342	break;
		343	case PAD:
		344	if(buf[off] == 0xff)
		345	n_pads_ff++;
		346	else
		347	n_pads_deadbeef++;
		348	padding++;
		349	break;
		350	case UNKNOWN:
		351	unknown++;
		352	n_unkn++;
		353	#if 0 /* do not dump unknown blocks */
		354	snprintf(filename, sizeof(filename), "unknown%d", n_unkn);
		355	f = fopen(filename, "w");
		356	if(f)
		357	{
		358	if( fwrite(buf+off, 0x200, 1, f) != 1 )
		359	bugp("unknown block");
		360	fclose(f);
		361	}
		362	else
		363	bugp("unknown block");
		364	#endif
		365	break;
		366	case HEADER:
		367	color(YELLOW);
		368	printf("header block 0x%.6x\t->\t0x%.6x\n",
		369	PAD_TO_BOUNDARY(get32le(off)),
		370	(unsigned int)PAD_TO_BOUNDARY(off+get32le(off)));
		371	snprintf(filename, sizeof(filename), "header%d", n_headers++);
		372	f = fopen(filename,"w");
		373	if(!f)
		374	bug("header");
		375
		376	if(fwrite(&buf[off],get32le(off),1,f)!=1)
		377	bug();
		378
		379	fclose(f);
		380
		381	break;
		382	default:
		383	abort();
		384	}
		385
		386	if(t != PAD && t != UNKNOWN)
		387	printf("\n");
		388	}
151		389
152	printf("Calculated firmware checksum: 0x%08x\n",calc_checksum(buf,firmware_size));	390	static size_t verify_block(size_t off)
		391	{
		392	assert(!(off%0x200));
		393	assert(off+0x200 < sz);
		394
		395	size_t s = 0x200;
		396	type t = UNKNOWN;
		397
		398	size_t offset_str = get32le(off);
		399	if(get32le(off) == 0xefbeadde )
		400	{
		401	#if 0 /* some blocks begin with 0xdeadbeef but aren't padded with that value */
		402	unsigned int i;
		403	for(i=0;i<s;i+=4)
		404	assert(get32le(off+i) == 0xefbeadde);
		405	#endif
		406	t = PAD;
		407	}
		408	else if( (uint32_t)(&buf[off]) == 0xffffffff)
		409	{
		410	unsigned int i;
		411	for(i=0;i<s;i++)
		412	assert(buf[off+i] == 0xff);
		413	t = PAD;
		414	}
		415	else if(off+offset_str+12<sz) /* XXX: we should check that the address at which
		416	* the string is located is included in this
		417	* library block's size, but we only know the
		418	* block's size after we confirmed that this is
		419	* a library block (by looking at the 11 chars
		420	* ASCII string). */
		421	{
		422	short int ok = 1;
		423	unsigned int i;
		424	for(i=0;i<11;i++)
		425	if(buf[off+offset_str+i] >> 7 \|\| !buf[off+offset_str+i])
		426	ok = 0;
		427	if(buf[off+offset_str+11])
		428	ok = 0;
		429	if(ok) /* library block */
		430	{
		431	t = LIB;
		432	s = LIB_OFFSET * 0x200;
		433	while(s < get32le(off+12)) /* of course the minimum is the size
		434	* specified in the block header */
		435	s <<= 1;
		436	}
		437	else
		438	t = UNKNOWN;
		439	}
		440	else
		441	t = UNKNOWN;
		442
		443	if(t==UNKNOWN)
		444	{
		445	if(!strncmp((char*)buf+off+8,"HEADER",6))
		446	{
		447	s = PAD_TO_BOUNDARY(get32le(off)); /* first 4 bytes le are the block size */
		448	t = HEADER;
		449	}
		450	}
		451
		452	print_block(off,t);
		453
		454	return PAD_TO_BOUNDARY(s);
		455	}
153		456
154	/* Round size up to next multiple of 0x200 */	457	static void extract(void)
		458	{
		459	FILE *out = fopen("firmware","w");
		460	if(!out)
		461	bug("firmware");
		462
		463	if(fwrite(&buf[0x400],firmware_sz,1,out)!=1)
		464	bug("firmare writing");
		465	fclose(out);
		466
		467	off_t off = PAD_TO_BOUNDARY(0x400 + firmware_sz);
		468	unsigned int n = 0;
		469
		470	printf("\n");
		471	color(RED);
		472	printf("Extracting\n\n");
		473
		474	while((unsigned int)(off+0x200)<sz)
		475	{
		476	/* look at the next 0x200 bytes if we can recognize a block type */
		477	off += verify_block(off); /* then skip its real size */
		478	n++; /* and look at the next block ;) */
		479	}
		480
		481	/* statistics */
		482	printf("\n");
		483	color(RED);
		484	printf("TOTAL\t%d\tblocks (%d unknown)\n",n,n_unkn);
		485	color(BLUE);
		486	printf("\t%d\tlibs\n",n_libs);
		487	color(GREY);
		488	printf("\t%d\tpads ff\n",n_pads_ff);
		489	color(GREY);
		490	printf("\t%d\tpads deadbeef\n",n_pads_deadbeef);
		491	color(GREEN);
		492	printf("\t%d\theaders\n",n_headers);
		493	}
155		494
156	firmware_size = PAD_TO_BOUNDARY(firmware_size);	495	int main(int argc, const char **argv)
		496	{
		497	int fd;
		498	struct stat st;
		499	if(argc != 2)
		500	bug("Usage: %s <firmware>\n",*argv);
157		501
158	i = firmware_size + 0x400;	502	if( (fd = open(argv[1],O_RDONLY)) == -1 )
		503	bugp("opening firmware failed");
159		504
160	printf("LIBRARY BLOCKS:\n");	505	if(fstat(fd,&st) == -1)
161	printf("Offset Name BaseAddr EndAddr BlockSize Unknown1 EntryCount\n");	506	bugp("firmware stat() failed");
		507	sz = st.st_size;
162		508
163	while (get_uint32le(&buf[i]) != 0xffffffff)	509	buf=xmalloc(sz);
164	{	510	if(read(fd,buf,sz)!=(ssize_t)sz) /* load the whole file into memory */
165	i += dump_lib(buf,i);	511	bugp("reading firmware");
166		512
167	while (get_uint32le(&buf[i]) == 0xefbeadde)	513	close(fd);
168	i+=4;
169	}
170		514
171	printf("0x%08x: PADDING BLOCK\n",i);	515	check(); /* verify header and checksums */
172		516	extract(); /* split in blocks */
173	return 0;
174		517
		518	free(buf);
		519	return 0;
175	}	520	}