From 44bb2856a59be53ef5ede154a39c54a59b1cc6d0 Mon Sep 17 00:00:00 2001 From: Amaury Pouly Date: Fri, 11 Nov 2016 15:40:56 +0100 Subject: nwztools/database: add database of information on Sony NWZ linux players There must be an evil genius in Sony's Walkman division. Someone who made sure that each model is close enough to the previous one so that little code is needed but different enough so that an educated guess is not enough. Each linux-based Sony player has a model ID (mid) which is a 32-bit integer. I was able to extract a list of all model IDs and the correspoding name of the player (see README). This gives us 1) a nice list of all players (because NWZ-A729 vs NWZ-A729B, really Sony?) 2) an easy way to find the name of player programatically. It seems that the lower 8-bit of the model ID gives the storage size but don't bet your life on it. The remaining bytes seem to follow some kind of pattern but there are exceptions. From this list, I was able to build a list of all Sony's series (up to quite recent one). The only safe way to build that is by hand, with a list of series, each series having a list of model IDs. The notion of series is very important because all models in a series share the same firmware. A very important concept on Sony's players is the NVP, an area of the flash that stores data associated with keys. The README contains more information but basically this is where is record the model ID, the destination, the boot flags, the firmware upgrade flags, the boot image, the DRM keys, and a lot of other stuff. Of course Sony decided to slightly tweak the index of the keys regularly over time which means that each series has a potentially different map, and we need this map to talk to the NVP driver. Fortunately, Sony distributes the kernel for all its players and they contain a kernel header with this information. I wrote a script to unpack kernel sources and parse this header, producing a bunch of nw-*.txt files, included in this commit. This map is very specific though: it maps Sony's 3-letter names (bti) to indexes (1). This is not very useful without the decription (bti = boot image) and its size (262144). This information is harder to come by, and is only stored in one place: if icx_nvp_emmc.ko drivers, found on the device. Fortunately, Sony distributes a number of firmware upgrade, that contain the rootfs, than once extracted contain this driver. The driver is a standard ELF files with symbols. I wrote a parsing tool (nvptool) that is able to extract this information from the drivers. Using that, I produced a bunch of nodes-nw*.txt files. A reasonable assumption is that nodes meaning and size do not change over time (bti is always the boot image and is always 262144 bytes), so by merging a few of those file, we can get a complete picture (note that some nodes that existed in older player do not exists anymore so we really need to merge several ones from different generations). The advantage of storing all this information in plain text files, is that it now makes it easy to parse it and produce whatever format we want to use it. I wrote a python script that parses all this mess and produces a C file and header with all this information (nwz_db.{c,h}). Change-Id: Id790581ddd527d64418fe9e4e4df8e0546117b80 --- utils/nwztools/database/nvp/nodes-nwz-e460.txt | 89 ++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 utils/nwztools/database/nvp/nodes-nwz-e460.txt (limited to 'utils/nwztools/database/nvp/nodes-nwz-e460.txt') diff --git a/utils/nwztools/database/nvp/nodes-nwz-e460.txt b/utils/nwztools/database/nvp/nodes-nwz-e460.txt new file mode 100644 index 0000000000..4a998d839a --- /dev/null +++ b/utils/nwztools/database/nvp/nodes-nwz-e460.txt @@ -0,0 +1,89 @@ +24,4,system information +23,32,u-boot password +9,4,firmware update flag +10,4,beep ok flag +34,16,rtc alarm +80,4,hold mode +16,64,model id +4,16,serial number +11,32,ship information +68,4,color variation +26,5,product code +29,8,update file name +32,64,key and signature +17,4,test mode flag +18,4,getty mode flag +70,4,disable iptable flag +30,64,sound driver parameter +31,64,noise cancel driver parameter +77,6,wifi mac address +75,4,wifi protected setup +82,16,fm parameter +83,4,speaker ship info +84,4,mass storage class mode +25,4,exception monitor mode +27,4,battery calibration +86,512,bluetooth pskey +5,4096,application parameter +7,20,secure clock +12,160,aad icv +13,520,empr key +76,16,slacker time +21,4,key mode (debug/release) +71,64,marlin time +72,16384,marlin crl +89,512,btmw factory pair info +88,512,btmw factory scdb +87,4,btmw log mode flag +85,4,europe vol regulation flag +8,8,middleware parameter +22,4,quick shutdown flag +69,4,time out to sleep +78,4,application debug mode flag +79,4,browser log mode flag +3,704,aad key +28,64,wmt key +81,8224,slacker id file +73,33024,marlin device key +33,64,starfish id +35,2048,bluetooth address +14,16384,EKB 0 +15,16384,EKB 1 +74,24576,marlin user key +36,1024,EMPR 0 +37,1024,EMPR 1 +38,1024,EMPR 2 +39,1024,EMPR 3 +40,1024,EMPR 4 +41,1024,EMPR 5 +42,1024,EMPR 6 +43,1024,EMPR 7 +44,1024,EMPR 8 +45,1024,EMPR 9 +46,1024,EMPR 10 +47,1024,EMPR 11 +48,1024,EMPR 12 +49,1024,EMPR 13 +50,1024,EMPR 14 +51,1024,EMPR 15 +52,1024,EMPR 16 +53,1024,EMPR 17 +54,1024,EMPR 18 +55,1024,EMPR 19 +56,1024,EMPR 20 +57,1024,EMPR 21 +58,1024,EMPR 22 +59,1024,EMPR 23 +60,1024,EMPR 24 +61,1024,EMPR 25 +62,1024,EMPR 26 +63,1024,EMPR 27 +64,1024,EMPR 28 +65,1024,EMPR 29 +66,1024,EMPR 30 +67,1024,EMPR 31 +1,262144,boot image +2,262144,hold image +20,262144,low battery image +19,262144,update image +6,262144,update error image -- cgit v1.2.3