1 files changed, 398 insertions, 0 deletions
diff --git a/utils/ipodpatcher/ipodpatcher-aupd.c b/utils/ipodpatcher/ipodpatcher-aupd.c
new file mode 100644
index 0000000000..69b027284c
--- /dev/null
+++ b/utils/ipodpatcher/ipodpatcher-aupd.c
@@ -0,0 +1,398 @@
+/***************************************************************************
+ *             __________               __   ___.
+ *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
+ *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
+ *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
+ *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
+ *                     \/            \/     \/    \/            \/
+ * $Id$
+ *
+ * Copyright (C) 2006-2007 Dave Chapman
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ****************************************************************************/
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdlib.h>
+#include <inttypes.h>
+#include <stdbool.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "ipodpatcher.h"
+#include "arc4.h"
+static inline int le2int(unsigned char* buf)
+{
+   int32_t res = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+   return res;
+}
+static inline void int2le(unsigned int val, unsigned char* addr)
+{
+    addr[0] = val & 0xFF;
+    addr[1] = (val >> 8) & 0xff;
+    addr[2] = (val >> 16) & 0xff;
+    addr[3] = (val >> 24) & 0xff;
+}
+static inline uint32_t getuint32le(unsigned char* buf)
+{
+  int32_t res = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
+  return res;
+}
+/* testMarker and GetSecurityBlockKey based on code from BadBlocks and
+   Kingstone, posted at http://ipodlinux.org/Flash_Decryption
+*/
+static bool testMarker(int marker)
+{
+    int mask, decrypt, temp1, temp2;
+    mask = (marker&0xff)|((marker&0xff)<<8)|((marker&0xff)<<16)|((marker&0xff)<<24);
+    decrypt = marker ^ mask;
+    temp1=(int)((unsigned int)decrypt>>24);
+    temp2=decrypt<<8;
+    if (temp1==0)
+        return false;
+    temp2=(int)((unsigned int)temp2>>24);
+    decrypt=decrypt<<16;
+    decrypt=(int)((unsigned int)decrypt>>24);
+    if ((temp1 < temp2) && (temp2 < decrypt))
+    {
+        temp1 = temp1 & 0xf;
+        temp2 = temp2 & 0xf;
+        decrypt = decrypt & 0xf;
+        if ((temp1 > temp2) && (temp2 > decrypt) && (decrypt != 0))
+        {
+            return true;
+        }
+    }
+    return false;
+}
+static int GetSecurityBlockKey(unsigned char *data, unsigned char* this_key)
+{
+    int constant = 0x54c3a298;
+    int key=0;
+    int nkeys = 0;
+    int aMarker=0;
+    int pos=0;
+    int c, count;
+    int temp1;
+    static const int offset[8]={0x5,0x25,0x6f,0x69,0x15,0x4d,0x40,0x34};
+    for (c = 0; c < 8; c++)
+    {
+        pos = offset[c]*4;
+        aMarker = getuint32le(data + pos);
+        if (testMarker(aMarker))
+        {
+            if (c<7)
+                pos =(offset[c+1]*4)+4;
+            else
+                pos =(offset[0]*4)+4;
+            key=0;
+            temp1=aMarker;
+            for (count=0;count<2;count++){
+                int word = getuint32le(data + pos);
+                temp1 = aMarker;
+                temp1 = temp1^word;
+                temp1 = temp1^constant;
+                key = temp1;
+                pos = pos+4;
+            }
+            int r1=0x6f;
+            int r2=0;
+            int r12;
+            int r14;
+            unsigned int r_tmp;
+            for (count=2;count<128;count=count+2){
+                r2=getuint32le(data+count*4);
+                r12=getuint32le(data+(count*4)+4);
+                r_tmp=(unsigned int)r12>>16;
+                r14=r2 | ((int)r_tmp);
+                r2=r2&0xffff;
+                r2=r2 | r12;
+                r1=r1^r14;
+                r1=r1+r2;
+            }
+            key=key^r1;
+            // Invert key, little endian
+            this_key[0] = key & 0xff;
+            this_key[1] = (key >> 8) & 0xff;
+            this_key[2] = (key >> 16) & 0xff;
+            this_key[3] = (key >> 24) & 0xff;
+            nkeys++;
+        }
+    }
+    return nkeys;
+}
+static int find_key(struct ipod_t* ipod, int aupd, unsigned char* key)
+{
+    int n;
+    /* Firstly read the security block and find the RC4 key.  This is
+       in the sector preceeding the AUPD image. */
+    if(ipod->sectorbuf == NULL) {
+        fprintf(stderr,"[ERR]  Buffer not initialized.");
+        return -1;
+    }
+    fprintf(stderr, "[INFO] Reading security block at offset 0x%08x\n",ipod->ipod_directory[aupd].devOffset-ipod->sector_size);
+    if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset-ipod->sector_size) < 0) {
+        return -1;
+    }
+    if ((n = ipod_read(ipod, 512)) < 0) {
+        return -1;
+    }
+    n = GetSecurityBlockKey(ipod->sectorbuf, key);
+    if (n != 1)
+    {
+        fprintf(stderr, "[ERR]  %d keys found in security block, can not continue\n",n);
+        return -1;
+    }
+    return 0;
+}
+int read_aupd(struct ipod_t* ipod, char* filename)
+{
+    int length;
+    int i;
+    int outfile;
+    int n;
+    int aupd;
+    struct rc4_key_t rc4;
+    unsigned char key[4];
+    unsigned long chksum=0;
+    if(ipod->sectorbuf == NULL) {
+        fprintf(stderr,"[ERR]  Buffer not initialized.");
+        return -1;
+    }
+    aupd = 0;
+    while ((aupd < ipod->nimages) && (ipod->ipod_directory[aupd].ftype != FTYPE_AUPD))
+    {
+        aupd++;
+    }
+    if (aupd == ipod->nimages)
+    {
+        fprintf(stderr,"[ERR]  No AUPD image in firmware partition.\n");
+        return -1;
+    }
+    length = ipod->ipod_directory[aupd].len;
+    fprintf(stderr,"[INFO] Reading firmware (%d bytes)\n",length);
+    if (find_key(ipod, aupd, key) < 0)
+    {
+       return -1;
+    }
+    fprintf(stderr, "[INFO] Decrypting AUPD image with key %02x%02x%02x%02x\n",key[0],key[1],key[2],key[3]);
+    if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset) < 0) {
+        return -1;
+    }
+    i = (length+ipod->sector_size-1) & ~(ipod->sector_size-1);
+    if ((n = ipod_read(ipod,i)) < 0) {
+        return -1;
+    }
+    if (n < i) {
+        fprintf(stderr,"[ERR]  Short read - requested %d bytes, received %d\n",
+                i,n);
+        return -1;
+    }
+    /* Perform the decryption - this is standard (A)RC4 */
+    matrixArc4Init(&rc4, key, 4);
+    matrixArc4(&rc4, ipod->sectorbuf, ipod->sectorbuf, length);
+    chksum = 0;
+    for (i = 0; i < (int)length; i++) {
+         /* add 8 unsigned bits but keep a 32 bit sum */
+         chksum += ipod->sectorbuf[i];
+    }
+    if (chksum != ipod->ipod_directory[aupd].chksum)
+    {
+        fprintf(stderr,"[ERR]  Decryption failed - checksum error\n");
+        return -1;
+    }
+    fprintf(stderr,"[INFO] Decrypted OK (checksum matches header)\n");
+    outfile = open(filename,O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
+    if (outfile < 0) {
+        fprintf(stderr,"[ERR]  Couldn't open file %s\n",filename);
+        return -1;
+    }
+    n = write(outfile,ipod->sectorbuf,length);
+    if (n != length) {
+        fprintf(stderr,"[ERR]  Write error - %d\n",n);
+    }
+    close(outfile);
+    return 0;
+}
+int write_aupd(struct ipod_t* ipod, char* filename)
+{
+    unsigned int length;
+    int i;
+    int x;
+    int n;
+    int infile;
+    int newsize;
+    int aupd;
+    unsigned long chksum=0;
+    struct rc4_key_t rc4;
+    unsigned char key[4];
+    if(ipod->sectorbuf == NULL) {
+        fprintf(stderr,"[ERR]  Buffer not initialized.");
+        return -1;
+    }
+    /* First check that the input file is the correct type for this ipod. */
+    infile=open(filename,O_RDONLY);
+    if (infile < 0) {
+        fprintf(stderr,"[ERR]  Couldn't open input file %s\n",filename);
+        return -1;
+    }
+    
+    length = filesize(infile);
+    newsize=(length+ipod->sector_size-1)&~(ipod->sector_size-1);
+    fprintf(stderr,"[INFO] Padding input file from 0x%08x to 0x%08x bytes\n",
+            length,newsize);
+    if (newsize > BUFFER_SIZE) {
+        fprintf(stderr,"[ERR]  Input file too big for buffer\n");
+        if (infile >= 0) close(infile);
+        return -1;
+    }
+    /* Find aupd image number */
+    aupd = 0;
+    while ((aupd < ipod->nimages) && (ipod->ipod_directory[aupd].ftype != FTYPE_AUPD))
+    {
+        aupd++;
+    }
+    if (aupd == ipod->nimages)
+    {
+        fprintf(stderr,"[ERR]  No AUPD image in firmware partition.\n");
+        return -1;
+    }
+    if (length != ipod->ipod_directory[aupd].len)
+    {
+        fprintf(stderr,"[ERR]  AUPD image (%d bytes) differs in size to %s (%d bytes).\n",
+                       ipod->ipod_directory[aupd].len, filename, length);
+        return -1;
+    }
+    if (find_key(ipod, aupd, key) < 0)
+    {
+       return -1;
+    }
+    fprintf(stderr, "[INFO] Encrypting AUPD image with key %02x%02x%02x%02x\n",key[0],key[1],key[2],key[3]);
+    /* We now know we have enough space, so write it. */
+    fprintf(stderr,"[INFO] Reading input file...\n");
+    n = read(infile,ipod->sectorbuf,length);
+    if (n < 0) {
+        fprintf(stderr,"[ERR]  Couldn't read input file\n");
+        close(infile);
+        return -1;
+    }
+    close(infile);
+    /* Pad the data with zeros */
+    memset(ipod->sectorbuf+length,0,newsize-length);
+    /* Calculate the new checksum (before we encrypt) */
+    chksum = 0;
+    for (i = 0; i < (int)length; i++) {
+         /* add 8 unsigned bits but keep a 32 bit sum */
+         chksum += ipod->sectorbuf[i];
+    }
+    /* Perform the encryption - this is standard (A)RC4 */
+    matrixArc4Init(&rc4, key, 4);
+    matrixArc4(&rc4, ipod->sectorbuf, ipod->sectorbuf, length);
+    if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset) < 0) {
+        fprintf(stderr,"[ERR]  Seek failed\n");
+        return -1;
+    }
+    if ((n = ipod_write(ipod,newsize)) < 0) {
+        perror("[ERR]  Write failed\n");
+        return -1;
+    }
+    if (n < newsize) {
+        fprintf(stderr,"[ERR]  Short write - requested %d bytes, received %d\n"
+                      ,newsize,n);
+        return -1;
+    }
+    fprintf(stderr,"[INFO] Wrote %d bytes to firmware partition\n",n);
+    x = ipod->diroffset % ipod->sector_size;
+    /* Read directory */
+    if (ipod_seek(ipod, ipod->start + ipod->diroffset - x) < 0) { return -1; }
+    n=ipod_read(ipod, ipod->sector_size);
+    if (n < 0) { return -1; }
+    /* Update checksum */
+    fprintf(stderr,"[INFO] Updating checksum to 0x%08x (was 0x%08x)\n",(unsigned int)chksum,le2int(ipod->sectorbuf + x + aupd*40 + 28));
+    int2le(chksum,ipod->sectorbuf+x+aupd*40+28);
+    /* Write directory */    
+    if (ipod_seek(ipod, ipod->start + ipod->diroffset - x) < 0) { return -1; }
+    n=ipod_write(ipod, ipod->sector_size);
+    if (n < 0) { return -1; }
+    return 0;
+}

diff --git a/utils/ipodpatcher/ipodpatcher-aupd.c b/utils/ipodpatcher/ipodpatcher-aupd.c new file mode 100644 index 0000000000..69b027284c --- /dev/null +++ b/utils/ipodpatcher/ipodpatcher-aupd.c
@@ -0,0 +1,398 @@
	1	/***************************************************************************
	2	* __________ __ ___.
	3	* Open \______ \ ____ ____ \| \| _\_ \|__ _______ ___
	4	* Source \| _// _ \_/ ___\\| \|/ /\| __ \ / _ \ \/ /
	5	* Jukebox \| \| ( <_> ) \___\| < \| \_\ ( <_> > < <
	6	* Firmware \|____\|_ /\____/ \___ >__\|_ \\|___ /\____/__/\_ \
	7	* \/ \/ \/ \/ \/
	8	* $Id$
	9	*
	10	* Copyright (C) 2006-2007 Dave Chapman
	11	*
	12	* This program is free software; you can redistribute it and/or
	13	* modify it under the terms of the GNU General Public License
	14	* as published by the Free Software Foundation; either version 2
	15	* of the License, or (at your option) any later version.
	16	*
	17	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
	18	* KIND, either express or implied.
	19	*
	20	****************************************************************************/
	21
	22	#include <stdio.h>
	23	#include <unistd.h>
	24	#include <fcntl.h>
	25	#include <string.h>
	26	#include <stdlib.h>
	27	#include <inttypes.h>
	28	#include <stdbool.h>
	29	#include <sys/types.h>
	30	#include <sys/stat.h>
	31
	32	#include "ipodpatcher.h"
	33
	34	#include "arc4.h"
	35
	36	static inline int le2int(unsigned char* buf)
	37	{
	38	int32_t res = (buf[3] << 24) \| (buf[2] << 16) \| (buf[1] << 8) \| buf[0];
	39
	40	return res;
	41	}
	42
	43	static inline void int2le(unsigned int val, unsigned char* addr)
	44	{
	45	addr[0] = val & 0xFF;
	46	addr[1] = (val >> 8) & 0xff;
	47	addr[2] = (val >> 16) & 0xff;
	48	addr[3] = (val >> 24) & 0xff;
	49	}
	50
	51	static inline uint32_t getuint32le(unsigned char* buf)
	52	{
	53	int32_t res = (buf[3] << 24) \| (buf[2] << 16) \| (buf[1] << 8) \| buf[0];
	54
	55	return res;
	56	}
	57
	58	/* testMarker and GetSecurityBlockKey based on code from BadBlocks and
	59	Kingstone, posted at http://ipodlinux.org/Flash_Decryption
	60
	61	*/
	62
	63	static bool testMarker(int marker)
	64	{
	65	int mask, decrypt, temp1, temp2;
	66
	67	mask = (marker&0xff)\|((marker&0xff)<<8)\|((marker&0xff)<<16)\|((marker&0xff)<<24);
	68	decrypt = marker ^ mask;
	69	temp1=(int)((unsigned int)decrypt>>24);
	70	temp2=decrypt<<8;
	71
	72	if (temp1==0)
	73	return false;
	74
	75	temp2=(int)((unsigned int)temp2>>24);
	76	decrypt=decrypt<<16;
	77	decrypt=(int)((unsigned int)decrypt>>24);
	78
	79	if ((temp1 < temp2) && (temp2 < decrypt))
	80	{
	81	temp1 = temp1 & 0xf;
	82	temp2 = temp2 & 0xf;
	83	decrypt = decrypt & 0xf;
	84
	85	if ((temp1 > temp2) && (temp2 > decrypt) && (decrypt != 0))
	86	{
	87	return true;
	88	}
	89	}
	90	return false;
	91	}
	92
	93	static int GetSecurityBlockKey(unsigned char data, unsigned char this_key)
	94	{
	95	int constant = 0x54c3a298;
	96	int key=0;
	97	int nkeys = 0;
	98	int aMarker=0;
	99	int pos=0;
	100	int c, count;
	101	int temp1;
	102	static const int offset[8]={0x5,0x25,0x6f,0x69,0x15,0x4d,0x40,0x34};
	103
	104	for (c = 0; c < 8; c++)
	105	{
	106	pos = offset[c]*4;
	107	aMarker = getuint32le(data + pos);
	108
	109	if (testMarker(aMarker))
	110	{
	111	if (c<7)
	112	pos =(offset[c+1]*4)+4;
	113	else
	114	pos =(offset[0]*4)+4;
	115
	116	key=0;
	117
	118	temp1=aMarker;
	119
	120	for (count=0;count<2;count++){
	121	int word = getuint32le(data + pos);
	122	temp1 = aMarker;
	123	temp1 = temp1^word;
	124	temp1 = temp1^constant;
	125	key = temp1;
	126	pos = pos+4;
	127	}
	128	int r1=0x6f;
	129	int r2=0;
	130	int r12;
	131	int r14;
	132	unsigned int r_tmp;
	133
	134	for (count=2;count<128;count=count+2){
	135	r2=getuint32le(data+count*4);
	136	r12=getuint32le(data+(count*4)+4);
	137	r_tmp=(unsigned int)r12>>16;
	138	r14=r2 \| ((int)r_tmp);
	139	r2=r2&0xffff;
	140	r2=r2 \| r12;
	141	r1=r1^r14;
	142	r1=r1+r2;
	143	}
	144	key=key^r1;
	145
	146	// Invert key, little endian
	147	this_key[0] = key & 0xff;
	148	this_key[1] = (key >> 8) & 0xff;
	149	this_key[2] = (key >> 16) & 0xff;
	150	this_key[3] = (key >> 24) & 0xff;
	151	nkeys++;
	152	}
	153	}
	154	return nkeys;
	155	}
	156
	157	static int find_key(struct ipod_t* ipod, int aupd, unsigned char* key)
	158	{
	159	int n;
	160
	161	/* Firstly read the security block and find the RC4 key. This is
	162	in the sector preceeding the AUPD image. */
	163
	164	if(ipod->sectorbuf == NULL) {
	165	fprintf(stderr,"[ERR] Buffer not initialized.");
	166	return -1;
	167	}
	168	fprintf(stderr, "[INFO] Reading security block at offset 0x%08x\n",ipod->ipod_directory[aupd].devOffset-ipod->sector_size);
	169	if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset-ipod->sector_size) < 0) {
	170	return -1;
	171	}
	172
	173	if ((n = ipod_read(ipod, 512)) < 0) {
	174	return -1;
	175	}
	176
	177	n = GetSecurityBlockKey(ipod->sectorbuf, key);
	178
	179	if (n != 1)
	180	{
	181	fprintf(stderr, "[ERR] %d keys found in security block, can not continue\n",n);
	182	return -1;
	183	}
	184
	185	return 0;
	186	}
	187
	188	int read_aupd(struct ipod_t* ipod, char* filename)
	189	{
	190	int length;
	191	int i;
	192	int outfile;
	193	int n;
	194	int aupd;
	195	struct rc4_key_t rc4;
	196	unsigned char key[4];
	197	unsigned long chksum=0;
	198
	199	if(ipod->sectorbuf == NULL) {
	200	fprintf(stderr,"[ERR] Buffer not initialized.");
	201	return -1;
	202	}
	203	aupd = 0;
	204	while ((aupd < ipod->nimages) && (ipod->ipod_directory[aupd].ftype != FTYPE_AUPD))
	205	{
	206	aupd++;
	207	}
	208
	209	if (aupd == ipod->nimages)
	210	{
	211	fprintf(stderr,"[ERR] No AUPD image in firmware partition.\n");
	212	return -1;
	213	}
	214
	215	length = ipod->ipod_directory[aupd].len;
	216
	217	fprintf(stderr,"[INFO] Reading firmware (%d bytes)\n",length);
	218
	219	if (find_key(ipod, aupd, key) < 0)
	220	{
	221	return -1;
	222	}
	223
	224	fprintf(stderr, "[INFO] Decrypting AUPD image with key %02x%02x%02x%02x\n",key[0],key[1],key[2],key[3]);
	225
	226	if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset) < 0) {
	227	return -1;
	228	}
	229
	230	i = (length+ipod->sector_size-1) & ~(ipod->sector_size-1);
	231
	232	if ((n = ipod_read(ipod,i)) < 0) {
	233	return -1;
	234	}
	235
	236	if (n < i) {
	237	fprintf(stderr,"[ERR] Short read - requested %d bytes, received %d\n",
	238	i,n);
	239	return -1;
	240	}
	241
	242	/* Perform the decryption - this is standard (A)RC4 */
	243	matrixArc4Init(&rc4, key, 4);
	244	matrixArc4(&rc4, ipod->sectorbuf, ipod->sectorbuf, length);
	245
	246	chksum = 0;
	247	for (i = 0; i < (int)length; i++) {
	248	/* add 8 unsigned bits but keep a 32 bit sum */
	249	chksum += ipod->sectorbuf[i];
	250	}
	251
	252	if (chksum != ipod->ipod_directory[aupd].chksum)
	253	{
	254	fprintf(stderr,"[ERR] Decryption failed - checksum error\n");
	255	return -1;
	256	}
	257	fprintf(stderr,"[INFO] Decrypted OK (checksum matches header)\n");
	258
	259	outfile = open(filename,O_CREAT\|O_TRUNC\|O_WRONLY\|O_BINARY,0666);
	260	if (outfile < 0) {
	261	fprintf(stderr,"[ERR] Couldn't open file %s\n",filename);
	262	return -1;
	263	}
	264
	265	n = write(outfile,ipod->sectorbuf,length);
	266	if (n != length) {
	267	fprintf(stderr,"[ERR] Write error - %d\n",n);
	268	}
	269	close(outfile);
	270
	271	return 0;
	272	}
	273
	274	int write_aupd(struct ipod_t* ipod, char* filename)
	275	{
	276	unsigned int length;
	277	int i;
	278	int x;
	279	int n;
	280	int infile;
	281	int newsize;
	282	int aupd;
	283	unsigned long chksum=0;
	284	struct rc4_key_t rc4;
	285	unsigned char key[4];
	286
	287	if(ipod->sectorbuf == NULL) {
	288	fprintf(stderr,"[ERR] Buffer not initialized.");
	289	return -1;
	290	}
	291	/* First check that the input file is the correct type for this ipod. */
	292	infile=open(filename,O_RDONLY);
	293	if (infile < 0) {
	294	fprintf(stderr,"[ERR] Couldn't open input file %s\n",filename);
	295	return -1;
	296	}
	297
	298	length = filesize(infile);
	299	newsize=(length+ipod->sector_size-1)&~(ipod->sector_size-1);
	300
	301	fprintf(stderr,"[INFO] Padding input file from 0x%08x to 0x%08x bytes\n",
	302	length,newsize);
	303
	304	if (newsize > BUFFER_SIZE) {
	305	fprintf(stderr,"[ERR] Input file too big for buffer\n");
	306	if (infile >= 0) close(infile);
	307	return -1;
	308	}
	309
	310	/* Find aupd image number */
	311	aupd = 0;
	312	while ((aupd < ipod->nimages) && (ipod->ipod_directory[aupd].ftype != FTYPE_AUPD))
	313	{
	314	aupd++;
	315	}
	316
	317	if (aupd == ipod->nimages)
	318	{
	319	fprintf(stderr,"[ERR] No AUPD image in firmware partition.\n");
	320	return -1;
	321	}
	322
	323	if (length != ipod->ipod_directory[aupd].len)
	324	{
	325	fprintf(stderr,"[ERR] AUPD image (%d bytes) differs in size to %s (%d bytes).\n",
	326	ipod->ipod_directory[aupd].len, filename, length);
	327	return -1;
	328	}
	329
	330	if (find_key(ipod, aupd, key) < 0)
	331	{
	332	return -1;
	333	}
	334
	335	fprintf(stderr, "[INFO] Encrypting AUPD image with key %02x%02x%02x%02x\n",key[0],key[1],key[2],key[3]);
	336
	337	/* We now know we have enough space, so write it. */
	338
	339	fprintf(stderr,"[INFO] Reading input file...\n");
	340	n = read(infile,ipod->sectorbuf,length);
	341	if (n < 0) {
	342	fprintf(stderr,"[ERR] Couldn't read input file\n");
	343	close(infile);
	344	return -1;
	345	}
	346	close(infile);
	347
	348	/* Pad the data with zeros */
	349	memset(ipod->sectorbuf+length,0,newsize-length);
	350
	351	/* Calculate the new checksum (before we encrypt) */
	352	chksum = 0;
	353	for (i = 0; i < (int)length; i++) {
	354	/* add 8 unsigned bits but keep a 32 bit sum */
	355	chksum += ipod->sectorbuf[i];
	356	}
	357
	358	/* Perform the encryption - this is standard (A)RC4 */
	359	matrixArc4Init(&rc4, key, 4);
	360	matrixArc4(&rc4, ipod->sectorbuf, ipod->sectorbuf, length);
	361
	362	if (ipod_seek(ipod, ipod->fwoffset+ipod->ipod_directory[aupd].devOffset) < 0) {
	363	fprintf(stderr,"[ERR] Seek failed\n");
	364	return -1;
	365	}
	366
	367	if ((n = ipod_write(ipod,newsize)) < 0) {
	368	perror("[ERR] Write failed\n");
	369	return -1;
	370	}
	371
	372	if (n < newsize) {
	373	fprintf(stderr,"[ERR] Short write - requested %d bytes, received %d\n"
	374	,newsize,n);
	375	return -1;
	376	}
	377	fprintf(stderr,"[INFO] Wrote %d bytes to firmware partition\n",n);
	378
	379	x = ipod->diroffset % ipod->sector_size;
	380
	381	/* Read directory */
	382	if (ipod_seek(ipod, ipod->start + ipod->diroffset - x) < 0) { return -1; }
	383
	384	n=ipod_read(ipod, ipod->sector_size);
	385	if (n < 0) { return -1; }
	386
	387	/* Update checksum */
	388	fprintf(stderr,"[INFO] Updating checksum to 0x%08x (was 0x%08x)\n",(unsigned int)chksum,le2int(ipod->sectorbuf + x + aupd*40 + 28));
	389	int2le(chksum,ipod->sectorbuf+x+aupd*40+28);
	390
	391	/* Write directory */
	392	if (ipod_seek(ipod, ipod->start + ipod->diroffset - x) < 0) { return -1; }
	393	n=ipod_write(ipod, ipod->sector_size);
	394	if (n < 0) { return -1; }
	395
	396	return 0;
	397	}
	398