search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove .a files before running ar, to avoid problems with renamed files remaining...
[kugel-rb.git] / rbutil / mkamsboot / mkamsboot.c
blob52cb2cece9021a20775896dd74f099f5aa610db2
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * mkamsboot.c - a tool for merging bootloader code into an Sansa V2
11 * (AMS) firmware file
12 *
13 * Copyright (C) 2008 Dave Chapman
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ****************************************************************************/
24
25 /*
26
27 Insert a Rockbox bootloader into an AMS original firmware file.
28
29 We replace the main firmware block (bytes 0x400..0x400+firmware_size)
30 as follows:
31
32
33 ---------------------- 0x0
34 | |
35 | Dual-boot code |
36 | |
37 |----------------------|
38 | EMPTY SPACE |
39 |----------------------|
40 | |
41 | compressed RB image |
42 | |
43 |----------------------|
44 | |
45 | compressed OF image |
46 | |
47 |----------------------|
48 | UCL unpack function |
49 ----------------------
50
51 This entire block fits into the space previously occupied by the main
52 firmware block - the space saved by compressing the OF image is used
53 to store the compressed version of the Rockbox bootloader. The OF
54 image is typically about 120KB, which allows us to store a Rockbox
55 bootloader with an uncompressed size of about 60KB-70KB.
56
57 mkamsboot then corrects the checksums and writes a new legal firmware
58 file which can be installed on the device.
59
60 When the Sansa device boots, this firmware block is loaded to RAM at
61 address 0x0 and executed.
62
63 Firstly, the dual-boot code will copy the UCL unpack function to the
64 end of RAM.
65
66 Then, depending on the detection of the dual-boot keypress, either the
67 OF image or the Rockbox image is copied to the end of RAM (just before
68 the ucl unpack function) and uncompress it to the start of RAM.
69
70 Finally, the ucl unpack function branches to address 0x0, passing
71 execution to the uncompressed firmware.
72
73
74 */
75
76
77 #include <stdio.h>
78 #include <stdlib.h>
79 #include <stdint.h>
80 #include <sys/types.h>
81 #include <sys/stat.h>
82 #include <fcntl.h>
83 #include <unistd.h>
84 #include <string.h>
85
86 #include <ucl/ucl.h>
87
88 /* Headers for ARM code binaries */
89 #include "nrv2e_d8.h"
90 #include "md5.h"
91
92 #include "dualboot_clip.h"
93 #include "dualboot_e200v2.h"
94 #include "dualboot_fuze.h"
95 #include "dualboot_m200v4.h"
96
97 /* Win32 compatibility */
98 #ifndef O_BINARY
99 #define O_BINARY 0
100 #endif
101
102 #ifndef VERSION
103 #define VERSION "0.1"
104 #endif
105
106 enum
107 {
108 MODEL_UNKNOWN = -1,
109 MODEL_FUZE = 0,
110 MODEL_CLIP,
111 MODEL_CLIPV2,
112 MODEL_E200,
113 MODEL_M200,
114 MODEL_C200
115 };
116
117 static const char* model_names[] =
118 {
119 "Fuze",
120 "Clip",
121 "Clip V2",
122 "E200",
123 "M200",
124 "C200"
125 };
126
127 static const unsigned char* bootloaders[] =
128 {
129 dualboot_fuze,
130 dualboot_clip,
131 NULL,
132 dualboot_e200v2,
133 dualboot_m200v4,
134 NULL
135 };
136
137 static const int bootloader_sizes[] =
138 {
139 sizeof(dualboot_fuze),
140 sizeof(dualboot_clip),
141 0,
142 sizeof(dualboot_e200v2),
143 sizeof(dualboot_m200v4),
144 0
145 };
146
147 /* Model names used in the Rockbox header in ".sansa" files - these match the
148 -add parameter to the "scramble" tool */
149 static const char* rb_model_names[] =
150 {
151 "fuze",
152 "clip",
153 NULL,
154 "e2v2",
155 "m2v2",
156 NULL
157 };
158
159 /* Model numbers used to initialise the checksum in the Rockbox header in
160 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
161 static const int rb_model_num[] =
162 {
163 43,
164 40,
165 0,
166 41,
167 42,
168 0
169 };
170
171 struct md5sums {
172 int model;
173 char *version;
174 int fw_version;
175 char *md5;
176 };
177
178 /* Checksums of unmodified original firmwares - for safety, and device
179 detection */
180 static struct md5sums sansasums[] = {
181 /* NOTE: Different regional versions of the firmware normally only
182 differ in the filename - the md5sums are identical */
183 { MODEL_E200, "3.01.11", 1, "e622ca8cb6df423f54b8b39628a1f0a3" },
184 { MODEL_E200, "3.01.14", 1, "2c1d0383fc3584b2cc83ba8cc2243af6" },
185 { MODEL_E200, "3.01.16", 1, "12563ad71b25a1034cf2092d1e0218c4" },
186
187 { MODEL_FUZE, "1.01.11", 1, "cac8ffa03c599330ac02c4d41de66166" },
188 { MODEL_FUZE, "1.01.15", 1, "df0e2c1612727f722c19a3c764cff7f2" },
189
190 { MODEL_C200, "3.02.05", 1, "b6378ebd720b0ade3fad4dc7ab61c1a5" },
191
192 { MODEL_M200, "4.00.45", 1, "82e3194310d1514e3bbcd06e84c4add3" },
193 { MODEL_M200, "4.01.08-A", 1, "fc9dd6116001b3e6a150b898f1b091f0" },
194 { MODEL_M200, "4.01.08-E", 1, "d3fb7d8ec8624ee65bc99f8dab0e2369" },
195
196 { MODEL_CLIP, "1.01.17", 1, "12caad785d506219d73f538772afd99e" },
197 { MODEL_CLIP, "1.01.18", 1, "d720b266bd5afa38a198986ef0508a45" },
198 { MODEL_CLIP, "1.01.20", 1, "236d8f75189f468462c03f6d292cf2ac" },
199 { MODEL_CLIP, "1.01.29", 1, "c12711342169c66e209540cd1f27cd26" },
200 { MODEL_CLIP, "1.01.30", 1, "f2974d47c536549c9d8259170f1dbe4d" },
201 };
202
203 #define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0]))
204
205 static off_t filesize(int fd) {
206 struct stat buf;
207
208 if (fstat(fd,&buf) < 0) {
209 perror("[ERR] Checking filesize of input file");
210 return -1;
211 } else {
212 return(buf.st_size);
213 }
214 }
215
216 static uint32_t get_uint32le(unsigned char* p)
217 {
218 return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
219 }
220
221 static uint32_t get_uint32be(unsigned char* p)
222 {
223 return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
224 }
225
226 static void put_uint32le(unsigned char* p, uint32_t x)
227 {
228 p[0] = x & 0xff;
229 p[1] = (x >> 8) & 0xff;
230 p[2] = (x >> 16) & 0xff;
231 p[3] = (x >> 24) & 0xff;
232 }
233
234 void calc_MD5(unsigned char* buf, int len, char *md5str)
235 {
236 int i;
237 md5_context ctx;
238 unsigned char md5sum[16];
239
240 md5_starts(&ctx);
241 md5_update(&ctx, buf, len);
242 md5_finish(&ctx, md5sum);
243
244 for (i = 0; i < 16; ++i)
245 sprintf(md5str + 2*i, "%02x", md5sum[i]);
246 }
247
248
249 static uint32_t calc_checksum(unsigned char* buf, uint32_t n)
250 {
251 uint32_t sum = 0;
252 uint32_t i;
253
254 for (i=0;i<n;i+=4)
255 sum += get_uint32le(buf + i);
256
257 return sum;
258 }
259
260 static int get_model(int model_id)
261 {
262 switch(model_id)
263 {
264 case 0x1e:
265 return MODEL_FUZE;
266 case 0x22:
267 return MODEL_CLIP;
268 case 0x23:
269 return MODEL_C200;
270 case 0x24:
271 return MODEL_E200;
272 case 0x25:
273 return MODEL_M200;
274 case 0x27:
275 return MODEL_CLIPV2;
276 }
277
278 return MODEL_UNKNOWN;
279 }
280
281
282 static unsigned char* uclpack(unsigned char* inbuf, int insize, int* outsize)
283 {
284 int maxsize;
285 unsigned char* outbuf;
286 int r;
287
288 /* The following formula comes from the UCL documentation */
289 maxsize = insize + (insize / 8) + 256;
290
291 /* Allocate some memory for the output buffer */
292 outbuf = malloc(maxsize);
293
294 if (outbuf == NULL) {
295 return NULL;
296 }
297
298 r = ucl_nrv2e_99_compress(
299 (const ucl_bytep) inbuf,
300 (ucl_uint) insize,
301 (ucl_bytep) outbuf,
302 (ucl_uintp) outsize,
303 0, 10, NULL, NULL);
304
305 if (r != UCL_E_OK || *outsize > maxsize)
306 {
307 /* this should NEVER happen, and implies memory corruption */
308 fprintf(stderr, "internal error - compression failed: %d\n", r);
309 free(outbuf);
310 return NULL;
311 }
312
313 return outbuf;
314 }
315
316 static unsigned char* load_file(char* filename, off_t* bufsize)
317 {
318 int fd;
319 unsigned char* buf;
320 off_t n;
321
322 fd = open(filename, O_RDONLY|O_BINARY);
323 if (fd < 0)
324 {
325 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
326 return NULL;
327 }
328
329 *bufsize = filesize(fd);
330
331 buf = malloc(*bufsize);
332 if (buf == NULL) {
333 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
334 return NULL;
335 }
336
337 n = read(fd, buf, *bufsize);
338
339 if (n != *bufsize) {
340 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
341 return NULL;
342 }
343
344 return buf;
345 }
346
347
348 static unsigned char* load_rockbox_file(char* filename, int model, off_t* bufsize)
349 {
350 int fd;
351 unsigned char* buf;
352 unsigned char header[8];
353 uint32_t sum;
354 off_t n;
355 int i;
356
357 fd = open(filename, O_RDONLY|O_BINARY);
358 if (fd < 0)
359 {
360 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
361 return NULL;
362 }
363
364 /* Read Rockbox header */
365 n = read(fd, header, sizeof(header));
366 if (n != sizeof(header)) {
367 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
368 return NULL;
369 }
370
371 /* Check for correct model string */
372 if (memcmp(rb_model_names[model],header + 4,4)!=0) {
373 fprintf(stderr,"[ERR] Model name \"%s\" not found in %s\n",
374 rb_model_names[model],filename);
375 }
376
377 *bufsize = filesize(fd) - sizeof(header);
378
379 buf = malloc(*bufsize);
380 if (buf == NULL) {
381 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
382 return NULL;
383 }
384
385 n = read(fd, buf, *bufsize);
386
387 if (n != *bufsize) {
388 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
389 return NULL;
390 }
391
392 /* Check checksum */
393 sum = rb_model_num[model];
394 for (i = 0; i < *bufsize; i++) {
395 /* add 8 unsigned bits but keep a 32 bit sum */
396 sum += buf[i];
397 }
398
399 if (sum != get_uint32be(header)) {
400 fprintf(stderr,"[ERR] Checksum mismatch in %s\n",filename);
401 return NULL;
402 }
403 return buf;
404 }
405
406
407 int main(int argc, char* argv[])
408 {
409 char *infile, *bootfile, *outfile;
410 int fdout;
411 off_t len;
412 uint32_t n;
413 unsigned char* buf;
414 int firmware_size;
415 off_t bootloader_size;
416 uint32_t sum,filesum;
417 uint8_t model_id;
418 int model;
419 uint32_t i;
420 unsigned char* of_packed;
421 int of_packedsize;
422 unsigned char* rb_unpacked;
423 unsigned char* rb_packed;
424 int rb_packedsize;
425 int fw_version;
426 int totalsize;
427 unsigned char* p;
428 uint32_t checksum;
429 char md5sum[33]; /* 32 hex digits, plus terminating zero */
430
431 fprintf(stderr,"mkamsboot v" VERSION " - (C) Dave Chapman and Rafaël Carré 2008\n");
432 fprintf(stderr,"This is free software; see the source for copying conditions. There is NO\n");
433 fprintf(stderr,"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
434
435 if(argc != 4) {
436 printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n\n");
437 return 1;
438 }
439
440 infile = argv[1];
441 bootfile = argv[2];
442 outfile = argv[3];
443
444 /* Load original firmware file */
445 buf = load_file(infile, &len);
446
447 if (buf == NULL) {
448 fprintf(stderr,"[ERR] Could not load %s\n",infile);
449 return 1;
450 }
451
452 /* Calculate MD5 checksum of OF */
453 calc_MD5(buf, len, md5sum);
454
455 fprintf(stderr,"[INFO] MD5 sum - %s\n",md5sum);
456
457 i = 0;
458 while ((i < NUM_MD5S) && (strcmp(sansasums[i].md5, md5sum) != 0))
459 i++;
460
461 if (i < NUM_MD5S) {
462 model = sansasums[i].model;
463 fw_version = sansasums[i].fw_version;
464 fprintf(stderr,"[INFO] Original firmware MD5 checksum match - %s %s\n",
465 model_names[model], sansasums[i].version);
466 } else {
467 fprintf(stderr,"[WARN] ****** Original firmware unknown ******\n");
468
469 if (get_uint32le(&buf[0x204])==0x0000f000) {
470 fw_version = 2;
471 model_id = buf[0x219];
472 } else {
473 fw_version = 1;
474 model_id = buf[0x215];
475 }
476
477 model = get_model(model_id);
478
479 if (model == MODEL_UNKNOWN) {
480 fprintf(stderr,"[ERR] Unknown firmware - model id 0x%02x\n",
481 model_id);
482 free(buf);
483 return 1;
484 }
485 }
486
487
488 /* TODO: Do some more sanity checks on the OF image. Some images (like
489 m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */
490 checksum = get_uint32le(buf + len - 4);
491 if (checksum != 0xefbeadde && checksum != calc_checksum(buf, len - 4)) {
492
493 fprintf(stderr,"[ERR] Whole file checksum failed - %s\n",infile);
494 free(buf);
495 return 1;
496 }
497
498 if (bootloaders[model] == NULL) {
499 fprintf(stderr,"[ERR] Unsupported model - \"%s\"\n",model_names[model]);
500 free(buf);
501 return 1;
502 }
503
504 /* Load bootloader file */
505 rb_unpacked = load_rockbox_file(bootfile, model, &bootloader_size);
506 if (rb_unpacked == NULL) {
507 fprintf(stderr,"[ERR] Could not load %s\n",bootfile);
508 free(buf);
509 return 1;
510 }
511
512 printf("[INFO] Patching %s firmware\n",model_names[model]);
513
514 /* Get the firmware size */
515 firmware_size = get_uint32le(&buf[0x0c]);
516
517 /* Compress the original firmware image */
518 of_packed = uclpack(buf + 0x400, firmware_size, &of_packedsize);
519 if (of_packed == NULL) {
520 fprintf(stderr,"[ERR] Could not compress original firmware\n");
521 free(buf);
522 free(rb_unpacked);
523 return 1;
524 }
525
526 rb_packed = uclpack(rb_unpacked, bootloader_size, &rb_packedsize);
527 if (rb_packed == NULL) {
528 fprintf(stderr,"[ERR] Could not compress %s\n",bootfile);
529 free(buf);
530 free(rb_unpacked);
531 free(of_packed);
532 return 1;
533 }
534
535 /* We are finished with the unpacked version of the bootloader */
536 free(rb_unpacked);
537
538 fprintf(stderr,"[INFO] Original firmware size: %d bytes\n",firmware_size);
539 fprintf(stderr,"[INFO] Packed OF size: %d bytes\n",of_packedsize);
540 fprintf(stderr,"[INFO] Bootloader size: %d bytes\n",(int)bootloader_size);
541 fprintf(stderr,"[INFO] Packed bootloader size: %d bytes\n",rb_packedsize);
542 fprintf(stderr,"[INFO] Dual-boot function size: %d bytes\n",bootloader_sizes[model]);
543 fprintf(stderr,"[INFO] UCL unpack function size: %d bytes\n",sizeof(nrv2e_d8));
544
545 totalsize = bootloader_sizes[model] + sizeof(nrv2e_d8) + of_packedsize +
546 rb_packedsize;
547
548 fprintf(stderr,"[INFO] Total size of new image: %d bytes\n",totalsize);
549
550 if (totalsize > firmware_size) {
551 fprintf(stderr,"[ERR] No room to insert bootloader, aborting\n");
552 free(buf);
553 free(rb_unpacked);
554 free(of_packed);
555 return 1;
556 }
557
558 /* Zero the original firmware area - not needed, but helps debugging */
559 memset(buf + 0x400, 0, firmware_size);
560
561
562 /* Insert dual-boot bootloader at offset 0 */
563 memcpy(buf + 0x400, bootloaders[model], bootloader_sizes[model]);
564
565 /* We are filling the firmware buffer backwards from the end */
566 p = buf + 0x400 + firmware_size;
567
568 /* 1 - UCL unpack function */
569 p -= sizeof(nrv2e_d8);
570 memcpy(p, nrv2e_d8, sizeof(nrv2e_d8));
571
572 /* 2 - Compressed copy of original firmware */
573 p -= of_packedsize;
574 memcpy(p, of_packed, of_packedsize);
575
576 /* 3 - Compressed copy of Rockbox bootloader */
577 p -= rb_packedsize;
578 memcpy(p, rb_packed, rb_packedsize);
579
580 /* Write the locations of the various images to the variables at the
581 start of the dualboot image - we save the location of the last byte
582 in each image, along with the size in bytes */
583
584 /* UCL unpack function */
585 put_uint32le(&buf[0x420], firmware_size - 1);
586 put_uint32le(&buf[0x424], sizeof(nrv2e_d8));
587
588 /* Compressed original firmware image */
589 put_uint32le(&buf[0x428], firmware_size - sizeof(nrv2e_d8) - 1);
590 put_uint32le(&buf[0x42c], of_packedsize);
591
592 /* Compressed Rockbox image */
593 put_uint32le(&buf[0x430], firmware_size - sizeof(nrv2e_d8) - of_packedsize - 1);
594 put_uint32le(&buf[0x434], rb_packedsize);
595
596
597 /* Update the firmware block checksum */
598 sum = calc_checksum(buf + 0x400,firmware_size);
599
600 if (fw_version == 1) {
601 put_uint32le(&buf[0x04], sum);
602 put_uint32le(&buf[0x204], sum);
603 } else {
604 /* TODO: Verify that this is correct for the v2 firmware */
605
606 put_uint32le(&buf[0x08], sum);
607 put_uint32le(&buf[0x208], sum);
608
609 /* Update the header checksums */
610 put_uint32le(&buf[0x1fc], calc_checksum(buf, 0x1fc));
611 put_uint32le(&buf[0x3fc], calc_checksum(buf + 0x200, 0x1fc));
612 }
613
614 /* Update the whole-file checksum */
615 filesum = 0;
616 for (i=0;i < (unsigned)len - 4; i+=4)
617 filesum += get_uint32le(&buf[i]);
618
619 put_uint32le(buf + len - 4, filesum);
620
621
622 /* Write the new firmware */
623 fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
624
625 if (fdout < 0) {
626 fprintf(stderr,"[ERR] Could not open %s for writing\n",outfile);
627 return 1;
628 }
629
630 n = write(fdout, buf, len);
631
632 if (n != (unsigned)len) {
633 fprintf(stderr,"[ERR] Could not write firmware file\n");
634 return 1;
635 }
636
637 close(fdout);
638
639 fprintf(stderr," *****************************************************************************\n");
640 fprintf(stderr," *** THIS CODE IS UNTESTED - DO NOT USE IF YOU CAN NOT RECOVER YOUR DEVICE ***\n");
641 fprintf(stderr," *****************************************************************************\n");
642
643 return 0;
644
645 }
My public Rockbox git repo