1 files changed, 108 insertions, 0 deletions
diff --git a/utils/hwpatcher/generic_stmp.lua b/utils/hwpatcher/generic_stmp.lua
new file mode 100644
index 0000000000..538e269e60
--- /dev/null
+++ b/utils/hwpatcher/generic_stmp.lua
@@ -0,0 +1,108 @@
+--[[
+Generic STMP hacking
+required argument (in order):
+- path to firmware
+- path to output firmware
+- path to blob
+- path to stub
+]]--
+require("lib")
+require("arm")
+if #arg < 4 then
+    error("usage: <fw file> <out file> <blob> <stub>")
+end
+-- compute MD5
+print("Computing MD5 sum of the firmware...")
+local md5 = hwp.md5sum(arg[1])
+print("=> " .. hwp.md5str(md5))
+local md5_db =
+{
+    ["d0047f8a87d456a0032297b3c802a1ff"] =
+    {
+        model = "Sony NWZ-E3600 1.0.0",
+        irq_addr_pool = 0x40A314E4,
+        irq_addr_pool_sec = "play.1",
+        -- proxy_addr = 0x4005C1E0,
+        -- proxy_addr_sec = "play.1"
+        proxy_addr = 0x4007C258,
+        proxy_addr_sec = "play.1",
+        -- stub_addr = 0x1971C8,
+        -- stub_addr_virt = 0x2971C8,
+        -- stub_addr_sec = "pvmi",
+    },
+    ["f42742d4d90d88e2fb6ff468c1389f5f"] =
+    {
+        model = "Creative ZEN X-Fi Style 1.03.04",
+        irq_addr_pool = 0x402D3A64,
+        irq_addr_pool_sec = "play.1",
+        proxy_addr = 0x402E076C,
+        proxy_addr_sec = "play.1"
+    },
+    ["c180f57e2b2d62620f87a1d853f349ff"] =
+    {
+        model = "Creative ZEN X-Fi3 1.00.25e",
+        irq_addr_pool = 0x405916f0,
+        proxy_addr = 0x40384674,
+    }
+}
+local db_entry = md5_db[hwp.md5str(md5)]
+if db_entry == nil then
+    error("Cannot find device in the DB")
+    os.exit(1)
+end
+print("Model: " .. db_entry.model)
+local fw = hwp.load_file(arg[1])
+local irq_addr_pool = hwp.make_addr(db_entry.irq_addr_pool, db_entry.irq_addr_pool_sec)
+local proxy_addr = arm.to_arm(hwp.make_addr(db_entry.proxy_addr, db_entry.proxy_addr_sec))
+-- read old IRQ address pool
+local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
+print(string.format("Old IRQ address: %s", old_irq_addr))
+-- put stub at the beginning of the proxy
+local stub = hwp.load_bin_file(arg[4])
+local stub_info = hwp.section_info(stub, "")
+local stub_data = hwp.read(stub, hwp.make_addr(stub_info.addr, ""), stub_info.size)
+local stub_addr = nil
+local stub_addr_virt = nil
+if db_entry.stub_addr ~= nil then
+    stub_addr = arm.to_arm(hwp.make_addr(db_entry.stub_addr, db_entry.stub_addr_sec))
+    if db_entry.stub_addr_virt ~= nil then
+        stub_addr_virt = arm.to_arm(hwp.make_addr(db_entry.stub_addr_virt, db_entry.stub_addr_sec)) 
+    else
+        stub_addr_virt = stub_addr
+    end
+    hwp.write(fw, stub_addr, stub_data)
+else
+    stub_addr = proxy_addr
+    stub_addr_virt = stub_addr
+    hwp.write(fw, stub_addr, stub_data)
+    proxy_addr = hwp.inc_addr(proxy_addr, stub_info.size)
+end
+-- modify irq
+hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
+print(string.format("New IRQ address: %s", proxy_addr))
+-- in proxy, save registers
+arm.write_save_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- load blob
+local blob = hwp.load_bin_file(arg[3])
+local blob_info = hwp.section_info(blob, "")
+-- patch blob with stub address
+hwp.write32(blob, hwp.make_addr(blob_info.addr + 4, ""), stub_addr_virt.addr)
+-- write it !
+local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)
+hwp.write(fw, proxy_addr, blob_data)
+proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)
+-- restore registers
+arm.write_restore_regs(fw, proxy_addr)
+proxy_addr = hwp.inc_addr(proxy_addr, 4)
+-- branch to old code
+local branch_to_old = arm.make_branch(old_irq_addr, false)
+arm.write_branch(fw, proxy_addr, branch_to_old, hwp.inc_addr(proxy_addr, 4))
+-- save
+hwp.save_file(fw, arg[2])
+

diff --git a/utils/hwpatcher/generic_stmp.lua b/utils/hwpatcher/generic_stmp.lua new file mode 100644 index 0000000000..538e269e60 --- /dev/null +++ b/utils/hwpatcher/generic_stmp.lua
@@ -0,0 +1,108 @@
	1	--[[
	2	Generic STMP hacking
	3	required argument (in order):
	4	- path to firmware
	5	- path to output firmware
	6	- path to blob
	7	- path to stub
	8	]]--
	9	require("lib")
	10	require("arm")
	11
	12	if #arg < 4 then
	13	error("usage: <fw file> <out file> <blob> <stub>")
	14	end
	15
	16	-- compute MD5
	17	print("Computing MD5 sum of the firmware...")
	18	local md5 = hwp.md5sum(arg[1])
	19	print("=> " .. hwp.md5str(md5))
	20
	21	local md5_db =
	22	{
	23	["d0047f8a87d456a0032297b3c802a1ff"] =
	24	{
	25	model = "Sony NWZ-E3600 1.0.0",
	26	irq_addr_pool = 0x40A314E4,
	27	irq_addr_pool_sec = "play.1",
	28	-- proxy_addr = 0x4005C1E0,
	29	-- proxy_addr_sec = "play.1"
	30	proxy_addr = 0x4007C258,
	31	proxy_addr_sec = "play.1",
	32	-- stub_addr = 0x1971C8,
	33	-- stub_addr_virt = 0x2971C8,
	34	-- stub_addr_sec = "pvmi",
	35	},
	36	["f42742d4d90d88e2fb6ff468c1389f5f"] =
	37	{
	38	model = "Creative ZEN X-Fi Style 1.03.04",
	39	irq_addr_pool = 0x402D3A64,
	40	irq_addr_pool_sec = "play.1",
	41	proxy_addr = 0x402E076C,
	42	proxy_addr_sec = "play.1"
	43	},
	44	["c180f57e2b2d62620f87a1d853f349ff"] =
	45	{
	46	model = "Creative ZEN X-Fi3 1.00.25e",
	47	irq_addr_pool = 0x405916f0,
	48	proxy_addr = 0x40384674,
	49	}
	50	}
	51
	52	local db_entry = md5_db[hwp.md5str(md5)]
	53	if db_entry == nil then
	54	error("Cannot find device in the DB")
	55	os.exit(1)
	56	end
	57	print("Model: " .. db_entry.model)
	58
	59	local fw = hwp.load_file(arg[1])
	60	local irq_addr_pool = hwp.make_addr(db_entry.irq_addr_pool, db_entry.irq_addr_pool_sec)
	61	local proxy_addr = arm.to_arm(hwp.make_addr(db_entry.proxy_addr, db_entry.proxy_addr_sec))
	62	-- read old IRQ address pool
	63	local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
	64	print(string.format("Old IRQ address: %s", old_irq_addr))
	65	-- put stub at the beginning of the proxy
	66	local stub = hwp.load_bin_file(arg[4])
	67	local stub_info = hwp.section_info(stub, "")
	68	local stub_data = hwp.read(stub, hwp.make_addr(stub_info.addr, ""), stub_info.size)
	69	local stub_addr = nil
	70	local stub_addr_virt = nil
	71	if db_entry.stub_addr ~= nil then
	72	stub_addr = arm.to_arm(hwp.make_addr(db_entry.stub_addr, db_entry.stub_addr_sec))
	73	if db_entry.stub_addr_virt ~= nil then
	74	stub_addr_virt = arm.to_arm(hwp.make_addr(db_entry.stub_addr_virt, db_entry.stub_addr_sec))
	75	else
	76	stub_addr_virt = stub_addr
	77	end
	78	hwp.write(fw, stub_addr, stub_data)
	79	else
	80	stub_addr = proxy_addr
	81	stub_addr_virt = stub_addr
	82	hwp.write(fw, stub_addr, stub_data)
	83	proxy_addr = hwp.inc_addr(proxy_addr, stub_info.size)
	84	end
	85	-- modify irq
	86	hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
	87	print(string.format("New IRQ address: %s", proxy_addr))
	88	-- in proxy, save registers
	89	arm.write_save_regs(fw, proxy_addr)
	90	proxy_addr = hwp.inc_addr(proxy_addr, 4)
	91	-- load blob
	92	local blob = hwp.load_bin_file(arg[3])
	93	local blob_info = hwp.section_info(blob, "")
	94	-- patch blob with stub address
	95	hwp.write32(blob, hwp.make_addr(blob_info.addr + 4, ""), stub_addr_virt.addr)
	96	-- write it !
	97	local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)
	98	hwp.write(fw, proxy_addr, blob_data)
	99	proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)
	100	-- restore registers
	101	arm.write_restore_regs(fw, proxy_addr)
	102	proxy_addr = hwp.inc_addr(proxy_addr, 4)
	103	-- branch to old code
	104	local branch_to_old = arm.make_branch(old_irq_addr, false)
	105	arm.write_branch(fw, proxy_addr, branch_to_old, hwp.inc_addr(proxy_addr, 4))
	106	-- save
	107	hwp.save_file(fw, arg[2])
	108