| blob | bc0310893085c98bbe9401ffe5dc2e30012497f2 |
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * Copyright (C) 2006-2007 Dave Chapman
11 *
12 * All files in this archive are subject to the GNU General Public License.
13 * See the file COPYING in the source tree root for full license agreement.
14 *
15 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
16 * KIND, either express or implied.
17 *
18 ****************************************************************************/
20 #include <stdio.h>
21 #include <unistd.h>
22 #include <fcntl.h>
23 #include <string.h>
24 #include <stdlib.h>
25 #include <inttypes.h>
26 #include <sys/types.h>
27 #include <sys/stat.h>
32 #ifndef RBUTIL
35 #endif
36 /* The offset of the MI4 image header in the firmware partition */
37 #define PPMI_OFFSET 0x80000
38 #define NVPARAMS_OFFSET 0x780000
39 #define NVPARAMS_SIZE (0x80000-0x200)
43 /* Windows requires the buffer for disk I/O to be aligned in memory on a
44 multiple of the disk volume size - so we use a single global variable
45 and initialise it with sansa_alloc_buf() in main().
46 */
58 }
59 }
61 /* Partition table parsing code taken from Rockbox */
63 #define MAX_SECTOR_SIZE 2048
64 #define SECTOR_SIZE 512
67 {
71 }
74 {
78 }
81 {
86 }
88 #define BYTES2INT32(array,pos)\
89 ((long)array[pos] | ((long)array[pos+1] << 8 ) |\
90 ((long)array[pos+2] << 16 ) | ((long)array[pos+3] << 24 ))
93 {
102 }
105 /* parse partitions */
112 /* extended? */
114 /* not handled yet */
115 }
116 }
120 }
122 /* Calculate the starting position of the firmware partition */
125 }
127 /* NOTE: memmem implementation copied from glibc-2.2.4 - it's a GNU
128 extension and is not universally. In addition, early versions of
129 memmem had a serious bug - the meaning of needle and haystack were
130 reversed. */
132 /* Copyright (C) 1991,92,93,94,96,97,98,2000 Free Software Foundation, Inc.
133 This file is part of the GNU C Library.
135 The GNU C Library is free software; you can redistribute it and/or
136 modify it under the terms of the GNU Lesser General Public
137 License as published by the Free Software Foundation; either
138 version 2.1 of the License, or (at your option) any later version.
140 The GNU C Library is distributed in the hope that it will be useful,
141 but WITHOUT ANY WARRANTY; without even the implied warranty of
142 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
143 Lesser General Public License for more details.
145 You should have received a copy of the GNU Lesser General Public
146 License along with the GNU C Library; if not, write to the Free
147 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
148 02111-1307 USA. */
150 /* Return the first occurrence of NEEDLE in HAYSTACK. */
157 {
163 /* The first occurrence of the empty string is deemed to occur at
164 the beginning of the string. */
167 /* Sanity check, otherwise the loop might search through the whole
168 memory. */
180 }
182 /*
183 * CRC32 implementation taken from:
184 *
185 * efone - Distributed internet phone system.
186 *
187 * (c) 1999,2000 Krzysztof Dabrowski
188 * (c) 1999,2000 ElysiuM deeZine
189 *
190 * This program is free software; you can redistribute it and/or
191 * modify it under the terms of the GNU General Public License
192 * as published by the Free Software Foundation; either version
193 * 2 of the License, or (at your option) any later version.
194 *
195 */
197 /* crc_tab[] -- this crcTable is being build by chksum_crc32GenTab().
198 * so make sure, you call it before using the other
199 * functions!
200 */
203 /* chksum_crc() -- to a given block, this one calculates the
204 * crc32-checksum until the length is
205 * reached. the crc32-checksum will be
206 * the result.
207 */
209 {
215 {
217 }
219 }
221 /* chksum_crc32gentab() -- to a global crc_tab[256], this one will
222 * calculate the crcTable for crc32-checksums.
223 * it is generated to the polynom [..]
224 */
227 {
233 {
236 {
238 {
240 }
241 else
242 {
244 }
245 }
247 }
248 }
250 /* Known keys for Sansa E200 and C200 firmwares: */
251 #define NUM_KEYS ((int)(sizeof(keys)/sizeof(keys[0])))
260 };
262 /*
264 tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
266 "Following is an adaptation of the reference encryption and decryption
267 routines in C, released into the public domain by David Wheeler and
268 Roger Needham:"
270 */
272 /* NOTE: The mi4 version of TEA uses a different initial value to sum compared
273 to the reference implementation and the main loop is 8 iterations, not
274 32.
275 */
285 }
286 }
288 /* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
289 integers) and the key is incremented after each block
290 */
293 {
309 /* Now increment the key */
317 }
318 }
319 }
320 }
321 }
324 {
336 }
339 {
350 /* Add a dummy DSA signature */
355 }
357 static int sansa_seek_and_read(struct sansa_t* sansa, loff_t pos, unsigned char* buf, int nbytes)
358 {
363 }
367 }
373 }
376 }
379 /* We identify an E200 based on the following criteria:
381 1) Exactly two partitions;
382 2) First partition is type "W95 FAT32" (0x0b or 0x0c);
383 3) Second partition is type "OS/2 hidden C: drive" (0x84);
384 4) The "PPBL" string appears at offset 0 in the 2nd partition;
385 5) The "PPMI" string appears at offset PPMI_OFFSET in the 2nd partition.
386 */
389 {
394 /* Check partition layout */
403 /* Bad partition layout, abort */
405 }
407 /* Check Bootloader header */
410 }
412 /* No bootloader header, abort */
414 }
417 /* Sanity/safety check - the bootloader can't be larger than PPMI_OFFSET */
419 {
421 }
423 /* Load Sansa bootloader and check for "Sansa C200" magic string */
428 }
430 /* C200 */
433 /* E200 */
435 }
437 /* Check Main firmware header */
442 }
444 /* No bootloader header, abort */
446 }
449 /* Check main mi4 file header */
454 }
459 }
461 /* Some sanity checks:
463 1) Main MI4 image without RBBL and < 100000 bytes -> old install
464 2) Main MI4 image with RBBL but no second image -> old install
465 */
469 /* Look for an original firmware after the first image */
474 }
479 }
483 }
486 }
489 {
497 #ifdef __WIN32__
499 #elif defined(linux) || defined (__linux)
501 #elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) \
502 || defined(__bsdi__) || defined(__DragonFly__)
504 #elif defined(__APPLE__) && defined(__MACH__)
506 #else
507 #error No disk paths defined for this platform
508 #endif
511 }
515 }
519 }
521 #ifdef __WIN32__
523 #else
525 #endif
526 n++;
529 }
532 /* Remember the disk name */
534 }
536 }
538 /* Prepare original firmware for writing to the firmware partition by decrypting
539 and updating the header */
541 {
548 #if 0
555 #endif
557 /* Decrypt anything that needs decrypting. */
559 /* TODO: Check different keys */
564 }
569 tmpbuf,
573 }
576 memcpy(buf+(mi4header->plaintext+0x200),tmpbuf,mi4header->mi4size-(mi4header->plaintext+0x200));
582 }
583 }
585 /* Increase plaintext value to full file */
588 /* Update CRC checksum */
594 /* Add Rockbox-specific header */
598 }
600 static int load_original_firmware(struct sansa_t* sansa, unsigned char* buf, struct mi4header_t* mi4header)
601 {
605 /* Read 512 bytes from PPMI_OFFSET - the PPMI header plus the mi4 header */
608 }
610 /* No need to check PPMI magic - it's done during init to confirm
611 this is an E200 */
614 /* Firstly look for an original firmware after the first image */
615 if (sansa_seek_and_read(sansa, sansa->start + PPMI_OFFSET + 0x200 + ppmi_length, buf, 512) < 0) {
617 }
620 /* We have a valid MI4 file after a bootloader, so we use this. */
625 }
627 /* No valid MI4 file, so read the first image. */
632 }
633 }
635 }
638 {
651 }
657 }
661 }
665 {
674 /* Step 1 - read bootloader into RAM. */
679 }
683 #ifndef RBUTIL
688 }
689 #endif
690 }
692 /* Create PPMI header */
699 /* Read bootloader into sectorbuf+0x200 */
706 }
710 filename);
712 }
714 #ifndef RBUTIL
719 }
720 #endif
721 }
723 /* Load original firmware from Sansa to the space after the bootloader */
728 /* Now write the whole thing back to the Sansa */
734 }
742 }
745 }
748 {
754 /* Load original firmware from Sansa to sectorbuf+0x200 */
759 /* Create PPMI header */
765 /* Now write the whole thing back to the Sansa */
771 }
779 }
782 }
785 {
787 loff_t ppmi_length;
789 /* Check Main firmware header */
792 }
798 /* Look for an original firmware after the first image */
799 if (sansa_seek_and_read(sansa, sansa->start + PPMI_OFFSET + 0x200 + ppmi_length, sectorbuf, 512) < 0) {
801 }
805 }
806 }
809 {
817 /* Step 1 - check we have an OF on the Sansa to upgrade. We expect the
818 Rockbox bootloader to be installed and the OF to be after it on disk. */
820 /* Read 512 bytes from PPMI_OFFSET - the PPMI header */
824 }
826 /* No need to check PPMI magic - it's done during init to confirm
827 this is an E200 */
830 /* Look for an original firmware after the first image */
834 }
837 /* We don't have a valid MI4 file after a bootloader, so do nothing. */
841 }
843 /* Step 2 - read OF into RAM. */
848 }
852 /* Load original firmware from file */
860 }
862 /* Check we have a valid MI4 file. */
866 }
868 /* Decrypt and build the header */
873 }
875 /* Step 3 - write the OF to the Sansa */
880 }
886 }
888 /* Step 4 - zero out the nvparams section - we have to do this or we end up
889 with multiple copies of the nvparams data and don't know which one to
890 work with for the database rebuild disabling trick in our bootloader */
897 }
904 }
905 }
908 }
910 /* Update the PPBL (bootloader) image in the hidden firmware partition */
912 {
917 /* Step 1 - read bootloader into RAM. */
922 }
931 }
933 /* Step 2 - Build the header */
939 /* Step 3 - write the bootloader to the Sansa */
943 }
949 }
952 }