1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2008 by Maurus Cuelenaere
12 * based on tcctool.c by Dave Chapman
14 * USB code based on ifp-line - http://ifp-driver.sourceforge.net
16 * ifp-line is (C) Pavel Kriz, Jun Yamishiro and Joe Roback and
17 * licensed under the GPL (v2)
20 * All files in this archive are subject to the GNU General Public License.
21 * See the file COPYING in the source tree root for full license agreement.
23 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
24 * KIND, either express or implied.
26 ****************************************************************************/
32 #include <sys/types.h>
/* Upper bound on the size of a firmware image. In the code shown here, only
 * the upload path in main() compares a length against this limit.
 * NOTE(review): the [LEN] argument of the read command is not visibly
 * checked against it -- confirm against the lines missing from this listing. */
42 #define MAX_FIRMWARESIZE (64*1024*1024) /* Arbitrary limit (for safety) */
44 /* For win32 compatibility: */
49 /* USB IDs for USB Boot Mode */
/* Endpoint number that SEND_DATA and GET_DATA OR together with the
 * USB_ENDPOINT_OUT / USB_ENDPOINT_IN direction flag. */
53 #define EP_BULK_TO 0x01
56 enum USB_JZ4740_REQUEST
106 enum DATA_STRUCTURE_OB
/* Seeks fd to the end of the stream and then back to the start. The lines
 * that read the offset and return it are not part of this listing.
 * NOTE(review): neither fseek() result is checked in the visible code, and an
 * int return value cannot represent sizes above INT_MAX. If callers size
 * buffers from the result, confirm that an error or an oversized file cannot
 * reach them as a bogus length. */
119 int filesize(FILE* fd
)
122 fseek(fd
, 0, SEEK_END
);
124 fseek(fd
, 0, SEEK_SET
);
/* USB transfer helpers. Every macro assigns the libusb return code to `err`
 * and uses `dh`, so both must be locals at the expansion site. The lines that
 * test `err` between the transfer and the error message are not part of this
 * listing.
 *   SEND_COMMAND  vendor control-out request `cmd`; `arg` is passed as its
 *                 upper 16 bits followed by its lower 16 bits.
 *   GET_CPU_INFO  vendor control-in request that reads 8 bytes into `s`.
 *                 Nothing in the macro NUL-terminates `s`.
 *   SEND_DATA     bulk write of `size` bytes from `ptr` on EP_BULK_TO.
 *   GET_DATA      bulk read of `size` bytes into `ptr` on EP_BULK_TO.
 * NOTE(review): `arg`, `ptr` and `size` are expanded without parentheses and
 * the bodies are several statements long, so compound arguments and unbraced
 * `if` bodies at the call site need care.
 * NOTE(review): GET_DATA reports a failed read with the "Error writing data"
 * and "Bulk write error" text used by SEND_DATA, which can mislead whoever
 * is reading the log. */
128 #define SEND_COMMAND(cmd, arg) err = usb_control_msg(dh, USB_ENDPOINT_OUT | USB_TYPE_VENDOR, cmd, arg>>16, arg&0xFFFF, NULL, 0, TOUT);\
131 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
135 #define GET_CPU_INFO(s) err = usb_control_msg(dh, USB_ENDPOINT_IN | USB_TYPE_VENDOR, VR_GET_CPU_INFO, 0, 0, s, 8, TOUT); \
138 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
142 #define SEND_DATA(ptr, size) err = usb_bulk_write(dh, USB_ENDPOINT_OUT | EP_BULK_TO, ptr, size, TOUT); \
145 fprintf(stderr,"\n[ERR] Error writing data\n"); \
146 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
150 #define GET_DATA(ptr, size) err = usb_bulk_read(dh, USB_ENDPOINT_IN | EP_BULK_TO, ptr, size, TOUT); \
153 fprintf(stderr,"\n[ERR] Error writing data\n"); \
154 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
/* Uploads `len` bytes from `p` to device address `address`, reads the same
 * region back for comparison, and then starts execution on the device:
 * VR_PROGRAM_START2 at address+8 when `stage2` is true, otherwise
 * VR_PROGRAM_START1 at `address`. Progress is reported on stderr. Several
 * lines of the body (including the data transfer itself and the return
 * statements) are not part of this listing.
 * NOTE(review): `len` is a signed int handed to malloc() and memcmp(); a
 * negative value converts to a very large size_t, so callers must guarantee
 * len >= 0.
 * NOTE(review): a read-back mismatch only prints a [WARN]; in the visible
 * code the boot command still follows. Confirm whether a failed verification
 * should stop before the device is told to execute the image. */
158 int upload_app(usb_dev_handle
* dh
, int address
, unsigned char* p
, int len
, bool stage2
)
162 unsigned char* tmp_buf
;
164 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
/* NOTE(review): buf is printed with %s, so it must be NUL-terminated and
 * larger than the 8 bytes GET_CPU_INFO reads; its declaration and the
 * terminator are not visible here -- confirm. */
167 fprintf(stderr
, "%s\n", buf
);
169 fprintf(stderr
, "[INFO] Flushing cache...");
170 SEND_COMMAND(VR_FLUSH_CACHES
, 0);
171 fprintf(stderr
, " Done!\n");
174 fprintf(stderr
, "[INFO] SET_DATA_ADDRESS to 0x%x...", address
);
175 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
176 fprintf(stderr
, " Done!\n");
178 fprintf(stderr
, "[INFO] Sending data...");
179 /* Must not split the file in several packages! */
181 fprintf(stderr
, " Done!\n");
/* Read-back verification: point the device at the same address, request
 * `len` bytes and compare them with what was sent. */
183 fprintf(stderr
, "[INFO] Verifying data...");
184 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
185 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
186 tmp_buf
= malloc(len
);
189 fprintf(stderr
, "\n[ERR] Could not allocate memory.\n");
192 GET_DATA(tmp_buf
, len
);
193 if (memcmp(tmp_buf
, p
, len
) != 0)
194 fprintf(stderr
, "\n[WARN] Sent data isn't the same as received data...\n");
196 fprintf(stderr
, " Done!\n");
/* Start execution; the stage 2 entry point is 8 bytes past `address`. */
199 fprintf(stderr
, "[INFO] Booting device [STAGE%d]...", (stage2
? 2 : 1));
200 SEND_COMMAND((stage2
? VR_PROGRAM_START2
: VR_PROGRAM_START1
), (address
+(stage2
? 8 : 0)) );
201 fprintf(stderr
, " Done!\n");
/* Requests `len` bytes starting at device address `address`. The visible
 * code sets the data address and data length on the device; the bulk read
 * into `p` and the return statements are presumably on lines missing from
 * this listing.
 * NOTE(review): `p` must have room for `len` bytes and `len` must not be
 * negative; nothing visible in this function checks either. */
206 int read_data(usb_dev_handle
* dh
, int address
, unsigned char *p
, int len
)
211 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
/* NOTE(review): buf is printed with %s and must be NUL-terminated; its
 * declaration and terminator are not visible here -- confirm. */
214 fprintf(stderr
, "%s\n", buf
);
216 fprintf(stderr
, "[INFO] Reading data...");
217 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
218 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
220 fprintf(stderr
, " Done!\n");
/* Reads a device register of `size` bytes at `address` and returns its
 * value, assembled little-endian from buf[]. The read that fills buf and the
 * tests on `size` are not part of this listing.
 * NOTE(review): buf holds 4 bytes. If the read into buf is sized by `size`,
 * any size above 4 overruns the stack buffer -- confirm that `size` is
 * limited to 1, 2 or 4.
 * NOTE(review): buf[3] << 24 is evaluated as int after integer promotion, so
 * a byte of 0x80 or above shifts into the sign bit; casting each byte to
 * unsigned int before shifting avoids that. */
224 unsigned int read_reg(usb_dev_handle
* dh
, int address
, int size
)
227 unsigned char buf
[4];
229 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
230 SEND_COMMAND(VR_SET_DATA_LENGTH
, size
);
/* 16-bit result. */
236 return (buf
[1] << 8) | buf
[0];
/* 32-bit result. */
238 return (buf
[3] << 24) | (buf
[2] << 16) | (buf
[1] << 8) | buf
[0];
/* Writes `val` to the device register at `address`: the value is serialised
 * little-endian into buf[] and `size` bytes of buf are sent after the data
 * address has been set. The tests on `size` and the return statements are not
 * part of this listing.
 * NOTE(review): SEND_DATA(buf, size) transmits `size` bytes from a 4-byte
 * stack buffer, so a size above 4 reads past buf and sends adjacent stack
 * contents to the device -- confirm that `size` is limited to 1, 2 or 4. */
243 int set_reg(usb_dev_handle
* dh
, int address
, unsigned int val
, int size
)
246 unsigned char buf
[4];
251 buf
[1] = (val
>> 8) & 0xff;
254 buf
[2] = (val
>> 16) & 0xff;
255 buf
[3] = (val
>> 24) & 0xff;
259 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
260 SEND_DATA(buf
, size
);
/* Read-modify-write helpers built on read_reg() and set_reg(): OR, AND,
 * bit-clear (AND with ~val) and XOR of a register with `val`. TEST prints a
 * register expression and its current value to stderr, using the `dh` in
 * scope at the expansion site.
 * NOTE(review): every expansion already ends in ';', and `dh`, `adr` and
 * `size` are each evaluated twice. The read and the write are two separate
 * calls, so the register can change on the device in between.
 * NOTE(review): read_reg() has no error value distinct from register data,
 * so a failed read is written back as if it were the register contents. */
264 #define or_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) | (val)), size);
265 #define and_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & (val)), size);
266 #define bc_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & ~(val)), size);
267 #define xor_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) ^ (val)), size);
269 #define TEST(m, size) fprintf(stderr, "%s -> %x\n", #m, read_reg(dh, m, size));
/* Prints device register values to stderr through the TEST macro. The reads
 * visible here are the four GPIO_PXPIN(n) registers (4 bytes each) and
 * SADC_BATDAT (2 bytes); the remaining reads and the return statement are not
 * part of this listing. */
270 int test_device(usb_dev_handle
* dh
)
278 fprintf(stderr
, "\n");
290 fprintf(stderr
, "\n");
291 TEST(GPIO_PXPIN(0), 4);
292 TEST(GPIO_PXPIN(1), 4);
293 TEST(GPIO_PXPIN(2), 4);
294 TEST(GPIO_PXPIN(3), 4);
296 fprintf(stderr
, "\n");
299 fprintf(stderr
, "\n");
300 //or_reg(dh, SADC_ENA, SADC_ENA_TSEN, 1);
304 TEST(SADC_BATDAT
, 2);
307 fprintf(stderr
, "\n");
/* Bit masks for the value read from GPIO_PXPIN(3) in probe_device(); MASK is
 * the union of the five key bits. TS_MASK groups the three SADC_STATE bits
 * that probe_device() writes back to SADC_CTRL.
 * NOTE(review): MENU, HOLD, OFF and MASK are very generic macro names and
 * can collide with identifiers from other headers. */
316 #define VOL_DOWN (1 << 27)
317 #define VOL_UP (1 << 0)
318 #define MENU (1 << 1)
319 #define HOLD (1 << 16)
320 #define OFF (1 << 29)
321 #define MASK (VOL_DOWN|VOL_UP|MENU|HOLD|OFF)
322 #define TS_MASK (SADC_STATE_PEND|SADC_STATE_PENU|SADC_STATE_TSRDY)
/* Polls device registers over USB and prints what it finds to stdout. When
 * SADC_STATE has SADC_STATE_TSRDY set it prints SADC_TSDAT and ORs the
 * TS_MASK bits of SADC_STATE into SADC_CTRL. It also reads GPIO_PXPIN(3) and
 * prints a key name when the matching bit is clear. The loop structure and
 * the other key tests are not part of this listing. */
323 int probe_device(usb_dev_handle
* dh
)
327 //or_reg(dh, SADC_ENA, SADC_ENA_TSEN, 1);
330 if(read_reg(dh
, SADC_STATE
, 1) & SADC_STATE_TSRDY
)
332 printf("%x\n", read_reg(dh
, SADC_TSDAT
, 4));
333 or_reg(dh
, SADC_CTRL
, read_reg(dh
, SADC_STATE
, 1) & TS_MASK
, 1);
336 tmp
= read_reg(dh
, GPIO_PXPIN(3), 4);
/* A cleared bit is reported as a pressed key. */
341 if(!(tmp
& VOL_DOWN
))
342 printf("VOL_DOWN\t");
/* Opens `name` in binary mode, allocates a buffer for its contents, stores
 * the pointer in *buffer and reads the file into it. Open, allocation and
 * short-read failures are reported on stderr. The size computation, the
 * return statements and any cleanup are not part of this listing.
 * NOTE(review): the return type is unsigned int, so a failure cannot be
 * signalled with a negative value; _SEND_FILE and _VERIFY_DATA use the result
 * directly as a transfer length without checking it. Confirm what is
 * returned on failure and whether *buffer is left valid.
 * NOTE(review): no comparison with MAX_FIRMWARESIZE is visible before
 * malloc(len) -- confirm that oversized files are rejected.
 * Presumably the caller owns *buffer and must free it. */
357 unsigned int read_file(const char *name
, unsigned char **buffer
)
362 fd
= fopen(name
, "rb");
365 fprintf(stderr
, "[ERR] Could not open %s\n", name
);
371 *buffer
= (unsigned char*)malloc(len
);
374 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
379 n
= fread(*buffer
, 1, len
, fd
);
382 fprintf(stderr
, "[ERR] Short read.\n");
/* Step macros used by mimic_of(). They depend on locals at the expansion
 * site: `dh` and `err` (through SEND_COMMAND, SEND_DATA and GET_DATA), `cpu`,
 * `fsize`, `buffer` and `buffer2`.
 *   _GET_CPU      prints the CPU info string held in `cpu`.
 *   _SET_ADDR     sets the device data address to `a`.
 *   _SEND_FILE    loads file `a` with read_file() and bulk-writes it.
 *   _VERIFY_DATA  loads file `a`, reads fsize bytes back from address `c`
 *                 and warns when the two differ.
 *   _STAGE1/2     send VR_PROGRAM_START1 / VR_PROGRAM_START2 for address `a`.
 *   _FLUSH        sends VR_FLUSH_CACHES.
 *   _SLEEP        sleeps x seconds (the two definitions are presumably
 *                 selected by a platform #ifdef that is not visible here).
 * NOTE(review): _SEND_FILE and _VERIFY_DATA use the read_file() result
 * without a failure check, and _VERIFY_DATA passes buffer2 to GET_DATA
 * without checking that malloc(fsize) succeeded. A mismatch only prints a
 * [WARN].
 * NOTE(review): the first _SLEEP expands x*1000 without parentheses around
 * x, and names that start with an underscore followed by an upper-case
 * letter are reserved for the implementation. */
390 #define _GET_CPU fprintf(stderr, "[INFO] GET_CPU_INFO:"); \
393 fprintf(stderr, " %s\n", cpu);
394 #define _SET_ADDR(a) fprintf(stderr, "[INFO] Set address to 0x%x...", a); \
395 SEND_COMMAND(VR_SET_DATA_ADDRESS, a); \
396 fprintf(stderr, " Done!\n");
397 #define _SEND_FILE(a) fsize = read_file(a, &buffer); \
398 fprintf(stderr, "[INFO] Sending file %s: %d bytes...", a, fsize); \
399 SEND_DATA(buffer, fsize); \
401 fprintf(stderr, " Done!\n");
402 #define _VERIFY_DATA(a,c) fprintf(stderr, "[INFO] Verifying data (%s)...", a); \
403 fsize = read_file(a, &buffer); \
404 buffer2 = (unsigned char*)malloc(fsize); \
405 SEND_COMMAND(VR_SET_DATA_ADDRESS, c); \
406 SEND_COMMAND(VR_SET_DATA_LENGTH, fsize); \
407 GET_DATA(buffer2, fsize); \
408 if(memcmp(buffer, buffer2, fsize) != 0) \
409 fprintf(stderr, "\n[WARN] Sent data isn't the same as received data...\n"); \
411 fprintf(stderr, " Done!\n"); \
414 #define _STAGE1(a) fprintf(stderr, "[INFO] Stage 1 at 0x%x\n", a); \
415 SEND_COMMAND(VR_PROGRAM_START1, a);
416 #define _STAGE2(a) fprintf(stderr, "[INFO] Stage 2 at 0x%x\n", a); \
417 SEND_COMMAND(VR_PROGRAM_START2, a);
418 #define _FLUSH fprintf(stderr, "[INFO] Flushing caches...\n"); \
419 SEND_COMMAND(VR_FLUSH_CACHES, 0);
421 #define _SLEEP(x) Sleep(x*1000);
423 #define _SLEEP(x) sleep(x);
/* Replays a fixed upload sequence: files named "1.bin" to "10.bin" are
 * written to and verified against hard-coded device addresses, with stage
 * starts in between. Many steps of the sequence are not part of this listing.
 * NOTE(review): the files are opened by fixed relative names, so their
 * contents come from whatever directory the tool is started in; run it only
 * from a directory whose contents are trusted.
 * NOTE(review): constants such as 0x8000 << 16 shift a signed int into the
 * sign bit, which is undefined behaviour where int is 32 bits wide; an
 * unsigned constant (for example 0x80000000u) expresses the same address
 * safely. */
425 int mimic_of(usb_dev_handle
*dh
)
428 unsigned char *buffer
, *buffer2
;
431 fprintf(stderr
, "[INFO] Start!\n");
433 _SET_ADDR(0x8000 << 16);
436 _VERIFY_DATA("1.bin", 0x8000 << 16);
437 _STAGE1(0x8000 << 16);
439 _VERIFY_DATA("2.bin", 0xB3020060);
445 _SET_ADDR(0x8000 << 16);
448 _VERIFY_DATA("3.bin", 0x8000 << 16);
453 _SET_ADDR(0x80D0 << 16);
456 _VERIFY_DATA("4.bin", 0x80D0 << 16);
461 _SET_ADDR(0x80E0 << 16);
464 _VERIFY_DATA("5.bin", 0x80E0 << 16);
469 _SET_ADDR(0x80004000);
472 _VERIFY_DATA("6.bin", 0x80004000);
477 _SET_ADDR(0x80FD << 16);
480 _VERIFY_DATA("7.bin", 0x80FD << 16);
485 _VERIFY_DATA("8.bin", 0x80004004);
486 _VERIFY_DATA("9.bin", 0x80004008);
489 _SET_ADDR(0x80E0 << 16);
490 _SEND_FILE("10.bin");
492 _VERIFY_DATA("10.bin", 0x80E0 << 16);
497 fprintf(stderr
, "[INFO] Done!\n");
/* Finds a USB device whose vendor and product IDs equal VID and PID, opens
 * it, selects configuration 1, claims interface 0, runs the operation chosen
 * by `func` (upload_app, read_data, test_device or probe_device) and releases
 * the interface again. `address`, `buf` and `len` are forwarded to the
 * upload and read operations. The switch labels, early exits and the close
 * of the handle are not part of this listing.
 * NOTE(review): the function returns void and reports every failure only on
 * stderr, so the caller cannot tell whether the device operation succeeded.
 * In particular, `buf` may be left unfilled after a failed read. */
501 void jzconnect(int address
, unsigned char* buf
, int len
, int func
)
504 struct usb_device
*tmp_dev
;
505 struct usb_device
*dev
= NULL
;
509 fprintf(stderr
,"[INFO] Searching for device...\n");
512 if(usb_find_busses() < 0)
514 fprintf(stderr
, "[ERR] Could not find any USB busses.\n");
518 if (usb_find_devices() < 0)
520 fprintf(stderr
, "[ERR] USB devices not found(nor hubs!).\n");
/* Walk every device on every bus and look for a VID/PID match. */
524 for (bus
= usb_get_busses(); bus
; bus
= bus
->next
)
526 for (tmp_dev
= bus
->devices
; tmp_dev
; tmp_dev
= tmp_dev
->next
)
528 //printf("Found Vendor %04x Product %04x\n",tmp_dev->descriptor.idVendor, tmp_dev->descriptor.idProduct);
529 if (tmp_dev
->descriptor
.idVendor
== VID
&&
530 tmp_dev
->descriptor
.idProduct
== PID
)
541 fprintf(stderr
, "[ERR] Device not found.\n");
542 fprintf(stderr
, "[ERR] Ensure your device is in USB boot mode and run usbtool again.\n");
547 if ( (dh
= usb_open(dev
)) == NULL
)
549 fprintf(stderr
,"[ERR] Unable to open device.\n");
553 err
= usb_set_configuration(dh
, 1);
557 fprintf(stderr
, "[ERR] usb_set_configuration failed (%d, %s)\n", err
, usb_strerror());
562 /* "must be called" written in the libusb documentation */
563 err
= usb_claim_interface(dh
, 0);
566 fprintf(stderr
, "[ERR] Unable to claim interface (%d, %s)\n", err
, usb_strerror());
571 fprintf(stderr
,"[INFO] Found device, uploading application.\n");
573 /* Now we can transfer the application to the device. */
/* Dispatch on `func`; a value of 5 requests the stage 2 boot variant of the
 * upload. */
579 err
= upload_app(dh
, address
, buf
, len
, (func
== 5));
582 err
= read_data(dh
, address
, buf
, len
);
585 err
= test_device(dh
);
588 err
= probe_device(dh
);
595 /* release claimed interface */
596 usb_release_interface(dh
, 0);
/* Prints the command-line synopsis, the list of [CMD] values and two
 * examples to stderr. The "usbtool.exe" and "usbtool" variants are
 * presumably selected by a platform #ifdef that is not part of this listing. */
601 void print_usage(void)
604 fprintf(stderr
, "Usage: usbtool.exe [CMD] [FILE] [ADDRESS] [LEN]\n");
606 fprintf(stderr
, "Usage: usbtool [CMD] [FILE] [ADDRESS] [LEN]\n");
608 fprintf(stderr
, "\t[ADDRESS] has to be in 0xHEXADECIMAL format\n");
609 fprintf(stderr
, "\t[CMD]:\n\t\t1 -> upload file to specified address and boot from it\n\t\t2 -> read data from [ADDRESS] with length [LEN] to [FILE]\n");
610 fprintf(stderr
, "\t\t3 -> read device status\n\t\t4 -> probe keys (only Onda VX747)\n");
611 fprintf(stderr
, "\t\t5 -> same as 1 but do a stage 2 boot\n\t\t6 -> mimic OF fw recovery\n");
613 fprintf(stderr
, "\nExample:\n\t usbtool.exe 1 fw.bin 0x80000000");
614 fprintf(stderr
, "\n\t usbtool.exe 2 save.bin 0x81000000 1024");
616 fprintf(stderr
, "\nExample:\n\t usbtool 1 fw.bin 0x80000000");
617 fprintf(stderr
, "\n\t usbtool 2 save.bin 0x81000000 1024");
/* Entry point: prints the banner, parses [CMD] [FILE] [ADDRESS] [LEN] and
 * hands the work to jzconnect(). The visible code shows an upload path (read
 * [FILE] into memory, then jzconnect), a read path (jzconnect with command 2,
 * then write the buffer to [FILE]) and a path that calls jzconnect without a
 * buffer. The argc checks, the switch structure and the cleanup are not part
 * of this listing.
 * NOTE(review): of n, len, address and cmd only cmd has an initialiser, so
 * every path must assign the others before use. */
621 int main(int argc
, char* argv
[])
624 int n
, len
, address
, cmd
=0;
627 fprintf(stderr
, "USBtool v" VERSION
" - (C) 2008 Maurus Cuelenaere\n");
628 fprintf(stderr
, "This is free software; see the source for copying conditions. There is NO\n");
629 fprintf(stderr
, "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
/* NOTE(review): the sscanf() result is ignored; cmd keeps its initial 0 when
 * argv[1] is not a number. */
632 sscanf(argv
[1], "%d", &cmd
);
/* "-1" selects the default address 0x80000000. NOTE(review): that constant
 * does not fit a signed 32-bit int, so the stored value depends on an
 * implementation-defined conversion. */
637 if (strcmp(argv
[3], "-1") == 0)
638 address
= 0x80000000;
/* NOTE(review): "%x" stores through an unsigned int pointer, but address is
 * declared as int. */
641 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
648 fd
= fopen(argv
[2], "rb");
651 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
/* Upload path: images larger than MAX_FIRMWARESIZE are rejected before the
 * buffer is allocated. */
657 if (len
> MAX_FIRMWARESIZE
)
659 fprintf(stderr
, "[ERR] Firmware file too big\n");
667 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
672 n
= fread(buf
, 1, len
, fd
);
675 fprintf(stderr
, "[ERR] Short read.\n");
681 fprintf(stderr
, "[INFO] File size: %d bytes\n", n
);
683 jzconnect(address
, buf
, len
, cmd
);
/* Read path starts here. */
686 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
/* NOTE(review): the output file is opened with "wb", which truncates it,
 * before the device has been contacted. */
692 fd
= fopen(argv
[2], "wb");
695 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
/* NOTE(review): [LEN] is parsed without checking the sscanf() result, and no
 * range check is visible before it is used as an allocation and transfer
 * length. len has no initialiser, and a negative or very large value would
 * reach the allocator. Bounding it (for example 0 < len <= MAX_FIRMWARESIZE)
 * would close this -- TODO confirm against the lines missing here. */
699 sscanf(argv
[4], "%d", &len
);
704 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
709 jzconnect(address
, buf
, len
, 2);
/* NOTE(review): jzconnect() returns void, so this write happens whether or
 * not the device read succeeded. If the buffer was not zero-initialised (the
 * allocation is not visible here), a failed read would save uninitialised
 * heap contents to [FILE]. */
711 n
= fwrite(buf
, 1, len
, fd
);
714 fprintf(stderr
, "[ERR] Short write.\n");
/* NOTE(review): no visible line on this path assigns address before it is
 * passed -- confirm against the missing lines. */
723 jzconnect(address
, NULL
, 0, cmd
);