From c876d3bbefe0dc00c27ca0c12d29da5874946962 Mon Sep 17 00:00:00 2001 From: Dominik Riebeling Date: Wed, 15 Dec 2021 21:04:28 +0100 Subject: rbutil: Merge rbutil with utils folder. rbutil uses several components from the utils folder, and can be considered part of utils too. Having it in a separate folder is an arbitrary split that doesn't help anymore these days, so merge them. This also allows other utils to easily use libtools.make without the need to navigate to a different folder. Change-Id: I3fc2f4de19e3e776553efb5dea5f779dfec0dc21 --- utils/mkamsboot/mkamsboot.c | 595 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 595 insertions(+) create mode 100644 utils/mkamsboot/mkamsboot.c (limited to 'utils/mkamsboot/mkamsboot.c') diff --git a/utils/mkamsboot/mkamsboot.c b/utils/mkamsboot/mkamsboot.c new file mode 100644 index 0000000000..09eb15ee43 --- /dev/null +++ b/utils/mkamsboot/mkamsboot.c @@ -0,0 +1,595 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * mkamsboot.c - a tool for merging bootloader code into an Sansa V2 + * (AMS) firmware file + * + * Copyright (C) 2008 Dave Chapman + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ + +/* + +Insert a Rockbox bootloader into a Sansa AMS original firmware file. + +Layout of a Sansa AMS original firmware file: + + ---------------------- 0x0 +| HEADER | +|----------------------| 0x400 +| FIRMWARE BLOCK | (contains the OF version on some fuzev2 firmwares +|----------------------| 0x600 +| FIRMWARE BLOCK | +|----------------------| 0x400 + firmware block size +| LIBRARIES/DATA | + ---------------------- END + +We replace the main firmware block while preserving the potential OF version +(bytes 0x600..0x400+firmware_size) as follows: + + + ---------------------- 0x0 +| | +| Dual-boot code | +| | +|----------------------| +| EMPTY SPACE | +|----------------------| +| | +| compressed RB image | +| | +|----------------------| +| | +| compressed OF image | +| | +|----------------------| +| UCL unpack function | + ---------------------- + +This entire block fits into the space previously occupied by the main +firmware block - the space saved by compressing the OF image is used +to store the compressed version of the Rockbox bootloader. + +On version 1 firmwares, the OF image is typically about 120KB, which allows +us to store a Rockbox bootloader with an uncompressed size of about 60KB-70KB. +Version 2 firmwares are bigger and are stored in SDRAM (instead of IRAM). +In both cases, the RAM we are using is mapped at offset 0x0. + +mkamsboot then corrects the checksums and writes a new legal firmware +file which can be installed on the device. + +When the Sansa device boots, this firmware block is loaded to RAM at +address 0x0 and executed. + +Firstly, the dual-boot code will copy the UCL unpack function to the +end of RAM. + +Then, depending on the detection of the dual-boot keypress, either the +OF image or the Rockbox image is copied to the end of RAM (just before +the ucl unpack function) and uncompressed to the start of RAM. + +Finally, the ucl unpack function branches to address 0x0, passing +execution to the uncompressed firmware. + + +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "mkamsboot.h" + +#include "md5.h" + +/* Header for ARM code binaries */ +#include "dualboot.h" + +/* Win32 compatibility */ +#ifndef O_BINARY +#define O_BINARY 0 +#endif + +/* fw_revision: version 2 is used in Clipv2, Clip+ and Fuzev2 firmwares */ +/* hw_revision: 4 for m200, 2 for e200/c200, 1 or 2 for fuze/clip, 1 for clip+ */ +const struct ams_models ams_identity[] = { + [MODEL_C200V2] = { 2, 1, "c200", dualboot_c200v2, sizeof(dualboot_c200v2), "c2v2", 44 }, + [MODEL_CLIPPLUS]= { 1, 2, "Clip+", dualboot_clipplus, sizeof(dualboot_clipplus), "cli+", 66 }, + [MODEL_CLIPV2] = { 2, 2, "Clip", dualboot_clipv2, sizeof(dualboot_clipv2), "clv2", 60 }, + [MODEL_CLIP] = { 1, 1, "Clip", dualboot_clip, sizeof(dualboot_clip), "clip", 40 }, + [MODEL_E200V2] = { 2, 1, "e200", dualboot_e200v2, sizeof(dualboot_e200v2), "e2v2", 41 }, + [MODEL_FUZEV2] = { 2, 2, "Fuze", dualboot_fuzev2, sizeof(dualboot_fuzev2), "fuz2", 68 }, + [MODEL_FUZE] = { 1, 1, "Fuze", dualboot_fuze, sizeof(dualboot_fuze), "fuze", 43 }, + [MODEL_M200V4] = { 4, 1, "m200", dualboot_m200v4, sizeof(dualboot_m200v4), "m2v4", 42 }, + [MODEL_CLIPZIP] = { 1, 2, "ClipZip", dualboot_clipzip, sizeof(dualboot_clipzip), "clzp", 79 }, +}; + + +/* Checksums of unmodified original firmwares - for safety, and device + detection */ +static struct md5sums sansasums[] = { + /* NOTE: Different regional versions of the firmware normally only + differ in the filename - the md5sums are identical */ + + /* model version md5 */ + { MODEL_E200V2, "3.01.11", "e622ca8cb6df423f54b8b39628a1f0a3" }, + { MODEL_E200V2, "3.01.14", "2c1d0383fc3584b2cc83ba8cc2243af6" }, + { MODEL_E200V2, "3.01.16", "12563ad71b25a1034cf2092d1e0218c4" }, + + { MODEL_FUZE, "1.01.11", "cac8ffa03c599330ac02c4d41de66166" }, + { MODEL_FUZE, "1.01.15", "df0e2c1612727f722c19a3c764cff7f2" }, + { MODEL_FUZE, "1.01.22", "5aff5486fe8dd64239cc71eac470af98" }, + { MODEL_FUZE, "1.02.26", "7c632c479461c48c8833baed74eb5e4f" }, + { MODEL_FUZE, "1.02.28", "5b34260f6470e75f702a9c6825471752" }, + { MODEL_FUZE, "1.02.31", "66d01b37462a5ef7ccc6ad37188b4235" }, + + { MODEL_C200V2, "3.02.05", "b6378ebd720b0ade3fad4dc7ab61c1a5" }, + + { MODEL_M200V4, "4.00.45", "82e3194310d1514e3bbcd06e84c4add3" }, + { MODEL_M200V4, "4.01.08-A", "fc9dd6116001b3e6a150b898f1b091f0" }, + { MODEL_M200V4, "4.01.08-E", "d3fb7d8ec8624ee65bc99f8dab0e2369" }, + + { MODEL_CLIP, "1.01.17", "12caad785d506219d73f538772afd99e" }, + { MODEL_CLIP, "1.01.18", "d720b266bd5afa38a198986ef0508a45" }, + { MODEL_CLIP, "1.01.20", "236d8f75189f468462c03f6d292cf2ac" }, + { MODEL_CLIP, "1.01.29", "c12711342169c66e209540cd1f27cd26" }, + { MODEL_CLIP, "1.01.30", "f2974d47c536549c9d8259170f1dbe4d" }, + { MODEL_CLIP, "1.01.32", "d835d12342500732ffb9c4ee54abec15" }, + { MODEL_CLIP, "1.01.35", "b4d0edb3b8f2a4e8eee0a344f7f8e480" }, + + { MODEL_CLIPV2, "2.01.16", "c57fb3fcbe07c2c9b360f060938f80cb" }, + { MODEL_CLIPV2, "2.01.32", "0ad3723e52022509089d938d0fbbf8c5" }, + { MODEL_CLIPV2, "2.01.35", "a3cbbd22b9508d7f8a9a1a39acc342c2" }, + + { MODEL_CLIPPLUS, "01.02.09", "656d38114774c2001dc18e6726df3c5d" }, + { MODEL_CLIPPLUS, "01.02.13", "5f89872b79ef440b0e5ee3a7a44328b2" }, + { MODEL_CLIPPLUS, "01.02.15", "680a4f521e790ad25b93b1b16f3a207d" }, + { MODEL_CLIPPLUS, "01.02.16", "055a53de1dfb09f6cb71c504ad48bd13" }, + { MODEL_CLIPPLUS, "01.02.18", "80b547244438b113e2a55ff0305f12c0" }, + + { MODEL_FUZEV2, "2.01.17", "8b85fb05bf645d08a4c8c3e344ec9ebe" }, + { MODEL_FUZEV2, "2.02.26", "d4f6f85c3e4a8ea8f2e5acc421641801" }, + { MODEL_FUZEV2, "2.03.31", "74fb197ccd51707388f3b233402186a6" }, + { MODEL_FUZEV2, "2.03.33", "1599cc73d02ea7fe53fe2d4379c24b66" }, + + { MODEL_CLIPZIP, "1.01.12", "45adea0873326b5af34f096e5c402f78" }, + { MODEL_CLIPZIP, "1.01.15", "f62af954334cd9ba1a87a7fa58ec6074" }, + { MODEL_CLIPZIP, "1.01.17", "27bcb343d6950f35dc261629e22ba60c" }, + { MODEL_CLIPZIP, "1.01.18", "ef16aa9e02b49885ebede5aa149502e8" }, + { MODEL_CLIPZIP, "1.01.20", "d88c8977cc6a952d3f51ece105869d97" }, + { MODEL_CLIPZIP, "1.01.21", "92c814d6e3250189706a36d2b49b6152" }, +}; + +#define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0])) + +static unsigned int model_memory_size(int model) +{ + /* The OF boots with IRAM (320kB) mapped at 0x0 */ + + if(model == MODEL_CLIPV2) + { + /* The decompressed Clipv2 OF is around 380kB. + * Let's use the full IRAM (1MB on AMSv2) + */ + return 1 << 20; + } + else + { + /* The IRAM is 320kB on AMSv1, and 320 will be enough on Fuzev1/Clip+ */ + return 320 << 10; + } +} + +int firmware_revision(int model) +{ + return ams_identity[model].fw_revision; +} + +static off_t filesize(int fd) +{ + struct stat buf; + + if (fstat(fd, &buf) < 0) { + perror("[ERR] Checking filesize of input file"); + return -1; + } else { + return(buf.st_size); + } +} + +static uint32_t get_uint32le(unsigned char* p) +{ + return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); +} + +static uint32_t get_uint32be(unsigned char* p) +{ + return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; +} + +static void put_uint32le(unsigned char* p, uint32_t x) +{ + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; +} + +void calc_MD5(unsigned char* buf, int len, char *md5str) +{ + int i; + md5_context ctx; + unsigned char md5sum[16]; + + md5_starts(&ctx); + md5_update(&ctx, buf, len); + md5_finish(&ctx, md5sum); + + for (i = 0; i < 16; ++i) + sprintf(md5str + 2*i, "%02x", md5sum[i]); +} + +/* Calculate a simple checksum used in Sansa Original Firmwares */ +static uint32_t calc_checksum(unsigned char* buf, uint32_t n) +{ + uint32_t sum = 0; + uint32_t i; + + for (i=0;i maxsize) { + /* this should NEVER happen, and implies memory corruption */ + fprintf(stderr, "internal error - compression failed: %d\n", r); + free(outbuf); + return NULL; + } + + return outbuf; +} + +#define ERROR(format, ...) \ + do { \ + snprintf(errstr, errstrsize, format, __VA_ARGS__); \ + goto error; \ + } while(0) + +/* Loads a Sansa AMS Original Firmware file into memory */ +unsigned char* load_of_file( + char* filename, int model, off_t* bufsize, struct md5sums *sum, + int* firmware_size, unsigned char** of_packed, + int* of_packedsize, char* errstr, int errstrsize) +{ + int fd; + unsigned char* buf =NULL; + off_t n; + unsigned int i=0; + uint32_t checksum; + unsigned int last_word; + + fd = open(filename, O_RDONLY|O_BINARY); + if (fd < 0) + ERROR("[ERR] Could not open %s for reading\n", filename); + + *bufsize = filesize(fd); + + buf = malloc(*bufsize); + if (buf == NULL) + ERROR("[ERR] Could not allocate memory for %s\n", filename); + + n = read(fd, buf, *bufsize); + + if (n != *bufsize) + ERROR("[ERR] Could not read file %s\n", filename); + + /* check the file */ + + /* Calculate MD5 checksum of OF */ + calc_MD5(buf, *bufsize, sum->md5); + + while ((i < NUM_MD5S) && (strcmp(sansasums[i].md5, sum->md5) != 0)) + i++; + + if (i < NUM_MD5S) { + *sum = sansasums[i]; + if(sum->model != model) { + ERROR("[ERR] OF File provided is %sv%d version %s, not for %sv%d\n", + ams_identity[sum->model].model_name, ams_identity[sum->model].hw_revision, + sum->version, ams_identity[model].model_name, ams_identity[model].hw_revision + ); + } + } else { + /* OF unknown, give a list of tested versions for the requested model */ + + char tested_versions[100]; + tested_versions[0] = '\0'; + + for (i = 0; i < NUM_MD5S ; i++) + if (sansasums[i].model == model) { + if (tested_versions[0] != '\0') { + strncat(tested_versions, ", ", + sizeof(tested_versions) - strlen(tested_versions) - 1); + } + strncat(tested_versions, sansasums[i].version, + sizeof(tested_versions) - strlen(tested_versions) - 1); + } + + ERROR("[ERR] Original firmware unknown, please try another version." + " Tested %sv%d versions are: %s\n", + ams_identity[model].model_name, ams_identity[model].hw_revision, tested_versions); + } + + /* TODO: Do some more sanity checks on the OF image. Some images (like + m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */ + last_word = *bufsize - 4; + checksum = get_uint32le(buf + last_word); + if (checksum != 0xefbeadde && checksum != calc_checksum(buf, last_word)) + ERROR("%s", "[ERR] Whole file checksum failed\n"); + + if (ams_identity[sum->model].bootloader == NULL) + ERROR("[ERR] Unsupported model - \"%s\"\n", ams_identity[sum->model].model_name); + + /* Get the firmware size */ + if (ams_identity[sum->model].fw_revision == 1) + *firmware_size = get_uint32le(&buf[0x0c]); + else if (ams_identity[sum->model].fw_revision == 2) + *firmware_size = get_uint32le(&buf[0x10]); + + /* Compress the original firmware image */ + *of_packed = uclpack(buf + 0x400, *firmware_size, of_packedsize); + if (*of_packed == NULL) + ERROR("[ERR] Could not compress %s\n", filename); + + return buf; + +error: + free(buf); + return NULL; +} + +/* Loads a rockbox bootloader file into memory */ +unsigned char* load_rockbox_file( + char* filename, int *model, int* bufsize, int* rb_packedsize, + char* errstr, int errstrsize) +{ + int fd; + unsigned char* buf = NULL; + unsigned char* packed = NULL; + unsigned char header[8]; + uint32_t sum; + off_t n; + int i; + + fd = open(filename, O_RDONLY|O_BINARY); + if (fd < 0) + ERROR("[ERR] Could not open %s for reading\n", filename); + + /* Read Rockbox header */ + n = read(fd, header, sizeof(header)); + if (n != sizeof(header)) + ERROR("[ERR] Could not read file %s\n", filename); + + for(*model = 0; *model < NUM_MODELS; (*model)++) + if (memcmp(ams_identity[*model].rb_model_name, header + 4, 4) == 0) + break; + + if(*model == NUM_MODELS) + ERROR("[ERR] Model name \"%4.4s\" unknown. Is this really a rockbox bootloader?\n", header + 4); + + *bufsize = filesize(fd) - sizeof(header); + + buf = malloc(*bufsize); + if (buf == NULL) + ERROR("[ERR] Could not allocate memory for %s\n", filename); + + n = read(fd, buf, *bufsize); + + if (n != *bufsize) + ERROR("[ERR] Could not read file %s\n", filename); + + /* Check checksum */ + sum = ams_identity[*model].rb_model_num; + for (i = 0; i < *bufsize; i++) { + /* add 8 unsigned bits but keep a 32 bit sum */ + sum += buf[i]; + } + + if (sum != get_uint32be(header)) + ERROR("[ERR] Checksum mismatch in %s\n", filename); + + packed = uclpack(buf, *bufsize, rb_packedsize); + if(packed == NULL) + ERROR("[ERR] Could not compress %s\n", filename); + + free(buf); + return packed; + +error: + free(buf); + return NULL; +} + +#undef ERROR + +/* Patches a Sansa AMS Original Firmware file */ +void patch_firmware( + int model, int fw_revision, int firmware_size, unsigned char* buf, + int len, unsigned char* of_packed, int of_packedsize, + unsigned char* rb_packed, int rb_packedsize) +{ + unsigned char *p; + uint32_t sum, filesum; + uint32_t ucl_dest; + unsigned int i; + + /* Zero the original firmware area - not needed, but helps debugging */ + memset(buf + 0x600, 0, firmware_size); + + /* Insert dual-boot bootloader at offset 0x200, we preserve the OF + * version string located between 0x0 and 0x200 */ + memcpy(buf + 0x600, ams_identity[model].bootloader, ams_identity[model].bootloader_size); + + /* Insert vectors, they won't overwrite the OF version string */ + static const uint32_t goto_start = 0xe3a0fc02; // mov pc, #0x200 + static const uint32_t infinite_loop = 0xeafffffe; // 1: b 1b + /* ALL vectors: infinite loop */ + for (i=0; i < 8; i++) + put_uint32le(buf + 0x400 + 4*i, infinite_loop); + /* Now change only the interesting vectors */ + /* Reset/SWI vectors: branch to our dualboot code at 0x200 */ + put_uint32le(buf + 0x400 + 4*0, goto_start); // Reset + put_uint32le(buf + 0x400 + 4*2, goto_start); // SWI + + /* We are filling the firmware buffer backwards from the end */ + p = buf + 0x400 + firmware_size; + + /* 1 - UCL unpack function */ + p -= sizeof(nrv2e_d8); + memcpy(p, nrv2e_d8, sizeof(nrv2e_d8)); + + /* 2 - Compressed copy of original firmware */ + p -= of_packedsize; + memcpy(p, of_packed, of_packedsize); + + /* 3 - Compressed copy of Rockbox bootloader */ + p -= rb_packedsize; + memcpy(p, rb_packed, rb_packedsize); + + /* Write the locations of the various images to the variables at the + start of the dualboot image - we save the location of the last byte + in each image, along with the size in bytes */ + + /* UCL unpack function */ + put_uint32le(&buf[0x604], firmware_size - 1); + put_uint32le(&buf[0x608], sizeof(nrv2e_d8)); + + /* Compressed original firmware image */ + put_uint32le(&buf[0x60c], firmware_size - sizeof(nrv2e_d8) - 1); + put_uint32le(&buf[0x610], of_packedsize); + + /* Compressed Rockbox image */ + put_uint32le(&buf[0x614], firmware_size - sizeof(nrv2e_d8) - of_packedsize + - 1); + put_uint32le(&buf[0x618], rb_packedsize); + + ucl_dest = model_memory_size(model) - 1; /* last byte of memory */ + put_uint32le(&buf[0x61c], ucl_dest); + + /* Update the firmware block checksum */ + sum = calc_checksum(buf + 0x400, firmware_size); + + if (fw_revision == 1) { + put_uint32le(&buf[0x04], sum); + put_uint32le(&buf[0x204], sum); + } else if (fw_revision == 2) { + put_uint32le(&buf[0x08], sum); + put_uint32le(&buf[0x208], sum); + + /* Update the header checksums */ + put_uint32le(&buf[0x1fc], calc_checksum(buf, 0x1fc)); + put_uint32le(&buf[0x3fc], calc_checksum(buf + 0x200, 0x1fc)); + } + + /* Update the whole-file checksum */ + filesum = 0; + for (i=0;i < (unsigned)len - 4; i+=4) + filesum += get_uint32le(&buf[i]); + + put_uint32le(buf + len - 4, filesum); +} + +/* returns != 0 if the firmware can be safely patched */ +int check_sizes(int model, int rb_packed_size, int rb_unpacked_size, + int of_packed_size, int of_unpacked_size, int *total_size, + char *errstr, int errstrsize) +{ + /* XXX: we keep the first 0x200 bytes block unmodified, we just replace + * the ARM vectors */ + unsigned int packed_size = ams_identity[model].bootloader_size + sizeof(nrv2e_d8) + + of_packed_size + rb_packed_size + 0x200; + + /* how much memory is available */ + unsigned int memory_size = model_memory_size(model); + + /* the memory used when unpacking the OF */ + unsigned int ram_of = sizeof(nrv2e_d8) + of_packed_size + of_unpacked_size; + + /* the memory used when unpacking the bootloader */ + unsigned int ram_rb = sizeof(nrv2e_d8) + rb_packed_size + rb_unpacked_size; + + *total_size = packed_size; + +#define ERROR(format, ...) \ + do { \ + snprintf(errstr, errstrsize, format, __VA_ARGS__); \ + return 0; \ + } while(0) + + /* will packed data fit in the OF file ? */ + if(packed_size > of_unpacked_size) + ERROR( + "[ERR] Packed data (%d bytes) doesn't fit in the firmware " + "(%d bytes)\n", packed_size, of_unpacked_size + ); + + else if(ram_rb > memory_size) + ERROR("[ERR] Rockbox can't be unpacked at runtime, needs %d bytes " + "of memory and only %d available\n", ram_rb, memory_size + ); + + else if(ram_of > memory_size) + ERROR("[ERR] OF can't be unpacked at runtime, needs %d bytes " + "of memory and only %d available\n", ram_of, memory_size + ); + + return 1; + +#undef ERROR +} -- cgit v1.2.3