search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Introduce Rockbox Utility to the manual as automated installation option. Only rather...
[Rockbox.git] / bootloader / main-pp.c
blobe6c0df0ae21504e30abd818e59de30e36a5e5240
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * Copyright (C) 2006 by Barry Wardell
11 *
12 * Based on Rockbox iriver bootloader by Linus Nielsen Feltzing
13 * and the ipodlinux bootloader by Daniel Palffy and Bernard Leach
14 *
15 * All files in this archive are subject to the GNU General Public License.
16 * See the file COPYING in the source tree root for full license agreement.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ****************************************************************************/
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include "common.h"
25 #include "cpu.h"
26 #include "file.h"
27 #include "system.h"
28 #include "kernel.h"
29 #include "lcd.h"
30 #include "font.h"
31 #include "ata.h"
32 #include "button.h"
33 #include "disk.h"
34 #include "crc32-mi4.h"
35 #include <string.h>
36 #if defined(SANSA_E200) || defined(SANSA_C200)
37 #include "usb.h"
38 #include "arcotg_udc.h"
39 #endif
40
41
42 /* Button definitions */
43 #if CONFIG_KEYPAD == IRIVER_H10_PAD
44 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
45
46 #elif CONFIG_KEYPAD == SANSA_E200_PAD
47 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
48
49 #elif CONFIG_KEYPAD == SANSA_C200_PAD
50 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
51
52 #endif
53
54 /* Maximum allowed firmware image size. 10MB is more than enough */
55 #define MAX_LOADSIZE (10*1024*1024)
56
57 /* A buffer to load the original firmware or Rockbox into */
58 unsigned char *loadbuffer = (unsigned char *)DRAM_START;
59
60 /* Bootloader version */
61 char version[] = APPSVERSION;
62
63 /* Locations and sizes in hidden partition on Sansa */
64 #if defined(SANSA_E200) || defined(SANSA_C200)
65 #define PPMI_SECTOR_OFFSET 1024
66 #define PPMI_SECTORS 1
67 #define MI4_HEADER_SECTORS 1
68 #define NUM_PARTITIONS 2
69
70 #else
71 #define NUM_PARTITIONS 1
72
73 #endif
74
75 #define MI4_HEADER_SIZE 0x200
76
77 /* mi4 header structure */
78 struct mi4header_t {
79 unsigned char magic[4];
80 uint32_t version;
81 uint32_t length;
82 uint32_t crc32;
83 uint32_t enctype;
84 uint32_t mi4size;
85 uint32_t plaintext;
86 uint32_t dsa_key[10];
87 uint32_t pad[109];
88 unsigned char type[4];
89 unsigned char model[4];
90 };
91
92 /* PPMI header structure */
93 struct ppmi_header_t {
94 unsigned char magic[4];
95 uint32_t length;
96 uint32_t pad[126];
97 };
98
99 inline unsigned int le2int(unsigned char* buf)
100 {
101 int32_t res = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
102
103 return res;
104 }
105
106 inline void int2le(unsigned int val, unsigned char* addr)
107 {
108 addr[0] = val & 0xFF;
109 addr[1] = (val >> 8) & 0xff;
110 addr[2] = (val >> 16) & 0xff;
111 addr[3] = (val >> 24) & 0xff;
112 }
113
114 struct tea_key {
115 const char * name;
116 uint32_t key[4];
117 };
118
119 #define NUM_KEYS (sizeof(tea_keytable)/sizeof(tea_keytable[0]))
120 struct tea_key tea_keytable[] = {
121 { "default" , { 0x20d36cc0, 0x10e8c07d, 0xc0e7dcaa, 0x107eb080 } },
122 { "sansa", { 0xe494e96e, 0x3ee32966, 0x6f48512b, 0xa93fbb42 } },
123 { "sansa_gh", { 0xd7b10538, 0xc662945b, 0x1b3fce68, 0xf389c0e6 } },
124 { "sansa_103", { 0x1d29ddc0, 0x2579c2cd, 0xce339e1a, 0x75465dfe } },
125 { "rhapsody", { 0x7aa9c8dc, 0xbed0a82a, 0x16204cc7, 0x5904ef38 } },
126 { "p610", { 0x950e83dc, 0xec4907f9, 0x023734b9, 0x10cfb7c7 } },
127 { "p640", { 0x220c5f23, 0xd04df68e, 0x431b5e25, 0x4dcc1fa1 } },
128 { "virgin", { 0xe83c29a1, 0x04862973, 0xa9b3f0d4, 0x38be2a9c } },
129 { "20gc_eng", { 0x0240772c, 0x6f3329b5, 0x3ec9a6c5, 0xb0c9e493 } },
130 { "20gc_fre", { 0xbede8817, 0xb23bfe4f, 0x80aa682d, 0xd13f598c } },
131 { "elio_p722", { 0x6af3b9f8, 0x777483f5, 0xae8181cc, 0xfa6d8a84 } },
132 { "c200", { 0xbf2d06fa, 0xf0e23d59, 0x29738132, 0xe2d04ca7 } },
133 { "c200_103", { 0x2a7968de, 0x15127979, 0x142e60a7, 0xe49c1893 } },
134 { "c200_106", { 0xa913d139, 0xf842f398, 0x3e03f1a6, 0x060ee012 } },
135 };
136
137 /*
138
139 tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
140
141 "Following is an adaptation of the reference encryption and decryption
142 routines in C, released into the public domain by David Wheeler and
143 Roger Needham:"
144
145 */
146
147 /* NOTE: The mi4 version of TEA uses a different initial value to sum compared
148 to the reference implementation and the main loop is 8 iterations, not
149 32.
150 */
151
152 static void tea_decrypt(uint32_t* v0, uint32_t* v1, uint32_t* k) {
153 uint32_t sum=0xF1BBCDC8, i; /* set up */
154 uint32_t delta=0x9E3779B9; /* a key schedule constant */
155 uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
156 for(i=0; i<8; i++) { /* basic cycle start */
157 *v1 -= ((*v0<<4) + k2) ^ (*v0 + sum) ^ ((*v0>>5) + k3);
158 *v0 -= ((*v1<<4) + k0) ^ (*v1 + sum) ^ ((*v1>>5) + k1);
159 sum -= delta; /* end cycle */
160 }
161 }
162
163 /* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
164 integers) and the key is incremented after each block
165 */
166
167 static void tea_decrypt_buf(unsigned char* src, unsigned char* dest, size_t n, uint32_t * key)
168 {
169 uint32_t v0, v1;
170 unsigned int i;
171
172 for (i = 0; i < (n / 8); i++) {
173 v0 = le2int(src);
174 v1 = le2int(src+4);
175
176 tea_decrypt(&v0, &v1, key);
177
178 int2le(v0, dest);
179 int2le(v1, dest+4);
180
181 src += 8;
182 dest += 8;
183
184 /* Now increment the key */
185 key[0]++;
186 if (key[0]==0) {
187 key[1]++;
188 if (key[1]==0) {
189 key[2]++;
190 if (key[2]==0) {
191 key[3]++;
192 }
193 }
194 }
195 }
196 }
197
198 static inline bool tea_test_key(unsigned char magic_enc[8], uint32_t * key, int unaligned)
199 {
200 unsigned char magic_dec[8];
201 tea_decrypt_buf(magic_enc, magic_dec, 8, key);
202
203 return (le2int(&magic_dec[4*unaligned]) == 0xaa55aa55);
204 }
205
206 static int tea_find_key(struct mi4header_t *mi4header, int fd)
207 {
208 unsigned int i;
209 int rc;
210 unsigned int j;
211 uint32_t key[4];
212 unsigned char magic_enc[8];
213 int key_found = -1;
214 unsigned int magic_location = mi4header->length-4;
215 int unaligned = 0;
216
217 if ( (magic_location % 8) != 0 )
218 {
219 unaligned = 1;
220 magic_location -= 4;
221 }
222
223 /* Load encrypted magic 0xaa55aa55 to check key */
224 lseek(fd, MI4_HEADER_SIZE + magic_location, SEEK_SET);
225 rc = read(fd, magic_enc, 8);
226 if(rc < 8 )
227 return EREAD_IMAGE_FAILED;
228
229 printf("Searching for key:");
230
231 for (i=0; i < NUM_KEYS && (key_found<0) ; i++) {
232 key[0] = tea_keytable[i].key[0];
233 key[1] = tea_keytable[i].key[1];
234 key[2] = tea_keytable[i].key[2];
235 key[3] = tea_keytable[i].key[3];
236
237 /* Now increment the key */
238 for(j=0; j<((magic_location-mi4header->plaintext)/8); j++){
239 key[0]++;
240 if (key[0]==0) {
241 key[1]++;
242 if (key[1]==0) {
243 key[2]++;
244 if (key[2]==0) {
245 key[3]++;
246 }
247 }
248 }
249 }
250
251 if (tea_test_key(magic_enc,key,unaligned))
252 {
253 key_found = i;
254 printf("%s...found", tea_keytable[i].name);
255 } else {
256 /* printf("%s...failed", tea_keytable[i].name); */
257 }
258 }
259
260 return key_found;
261 }
262
263
264 /* Load mi4 format firmware image */
265 int load_mi4(unsigned char* buf, char* firmware, unsigned int buffer_size)
266 {
267 int fd;
268 struct mi4header_t mi4header;
269 int rc;
270 unsigned long sum;
271 char filename[MAX_PATH];
272
273 snprintf(filename,sizeof(filename),"/.rockbox/%s",firmware);
274 fd = open(filename, O_RDONLY);
275 if(fd < 0)
276 {
277 snprintf(filename,sizeof(filename),"/%s",firmware);
278 fd = open(filename, O_RDONLY);
279 if(fd < 0)
280 return EFILE_NOT_FOUND;
281 }
282
283 read(fd, &mi4header, MI4_HEADER_SIZE);
284
285 /* MI4 file size */
286 printf("mi4 size: %x", mi4header.mi4size);
287
288 if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
289 return EFILE_TOO_BIG;
290
291 /* CRC32 */
292 printf("CRC32: %x", mi4header.crc32);
293
294 /* Rockbox model id */
295 printf("Model id: %.4s", mi4header.model);
296
297 /* Read binary type (RBOS, RBBL) */
298 printf("Binary type: %.4s", mi4header.type);
299
300 /* Load firmware file */
301 lseek(fd, MI4_HEADER_SIZE, SEEK_SET);
302 rc = read(fd, buf, mi4header.mi4size-MI4_HEADER_SIZE);
303 if(rc < (int)mi4header.mi4size-MI4_HEADER_SIZE)
304 return EREAD_IMAGE_FAILED;
305
306 /* Check CRC32 to see if we have a valid file */
307 sum = chksum_crc32 (buf, mi4header.mi4size - MI4_HEADER_SIZE);
308
309 printf("Calculated CRC32: %x", sum);
310
311 if(sum != mi4header.crc32)
312 return EBAD_CHKSUM;
313
314 if( (mi4header.plaintext + MI4_HEADER_SIZE) != mi4header.mi4size)
315 {
316 /* Load encrypted firmware */
317 int key_index = tea_find_key(&mi4header, fd);
318
319 if (key_index < 0)
320 return EINVALID_FORMAT;
321
322 /* Plaintext part is already loaded */
323 buf += mi4header.plaintext;
324
325 /* Decrypt in-place */
326 tea_decrypt_buf(buf, buf,
327 mi4header.mi4size-(mi4header.plaintext+MI4_HEADER_SIZE),
328 tea_keytable[key_index].key);
329
330 printf("%s key used", tea_keytable[key_index].name);
331
332 /* Check decryption was successfull */
333 if(le2int(&buf[mi4header.length-mi4header.plaintext-4]) != 0xaa55aa55)
334 {
335 return EREAD_IMAGE_FAILED;
336 }
337 }
338
339 return EOK;
340 }
341
342 #if defined(SANSA_E200) || defined(SANSA_C200)
343 #ifdef SANSA_E200
344 struct OFDB_info {
345 char *version;
346 int version_length;
347 int sector;
348 int offset;
349 } OFDatabaseOffsets[] = {
350 { "PP5022AF-05.51-S301-01.11-S301.01.11A-D", 39, 0x3c08, 0xe1 },
351 { "PP5022AF-05.51-S301-00.12-S301.00.12E-D", 39, 0x3c5c, 0x2 },
352 { "PP5022AF-05.51-S301-00.12-S301.00.12A-D", 39, 0x3c08, 0xe1 },
353 };
354 #else /* SANSA_C200 */
355 /* TODO: need to determine these for the c200 */
356 struct OFDB_info {
357 char *version;
358 int version_length;
359 int sector;
360 int offset;
361 } OFDatabaseOffsets[] = {
362 { "PP5022AF-05.51-S301-01.11-S301.01.11A-D", 39, 0x3c08, 0xe1 },
363 };
364 #endif
365
366 /* Load mi4 firmware from a hidden disk partition */
367 int load_mi4_part(unsigned char* buf, struct partinfo* pinfo,
368 unsigned int buffer_size, bool disable_rebuild)
369 {
370 struct mi4header_t mi4header;
371 struct ppmi_header_t ppmi_header;
372 unsigned long sum;
373
374 /* Read header to find out how long the mi4 file is. */
375 ata_read_sectors(IF_MV2(0,) pinfo->start + PPMI_SECTOR_OFFSET,
376 PPMI_SECTORS, &ppmi_header);
377
378 /* The first four characters at 0x80000 (sector 1024) should be PPMI*/
379 if( memcmp(ppmi_header.magic, "PPMI", 4) )
380 return EFILE_NOT_FOUND;
381
382 printf("BL mi4 size: %x", ppmi_header.length);
383
384 /* Read mi4 header of the OF */
385 ata_read_sectors(IF_MV2(0,) pinfo->start + PPMI_SECTOR_OFFSET + PPMI_SECTORS
386 + (ppmi_header.length/512), MI4_HEADER_SECTORS, &mi4header);
387
388 /* We don't support encrypted mi4 files yet */
389 if( (mi4header.plaintext) != (mi4header.mi4size-MI4_HEADER_SIZE))
390 return EINVALID_FORMAT;
391
392 /* MI4 file size */
393 printf("OF mi4 size: %x", mi4header.mi4size);
394
395 if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
396 return EFILE_TOO_BIG;
397
398 /* CRC32 */
399 printf("CRC32: %x", mi4header.crc32);
400
401 /* Rockbox model id */
402 printf("Model id: %.4s", mi4header.model);
403
404 /* Read binary type (RBOS, RBBL) */
405 printf("Binary type: %.4s", mi4header.type);
406
407 /* Load firmware */
408 ata_read_sectors(IF_MV2(0,) pinfo->start + PPMI_SECTOR_OFFSET + PPMI_SECTORS
409 + (ppmi_header.length/512) + MI4_HEADER_SECTORS,
410 (mi4header.mi4size-MI4_HEADER_SIZE)/512, buf);
411
412 /* Check CRC32 to see if we have a valid file */
413 sum = chksum_crc32 (buf,mi4header.mi4size-MI4_HEADER_SIZE);
414
415 printf("Calculated CRC32: %x", sum);
416
417 if(sum != mi4header.crc32)
418 return EBAD_CHKSUM;
419
420 if (disable_rebuild)
421 {
422 char block[512];
423 int sector = 0, offset = 0;
424 unsigned int i;
425 /* check which known version we have */
426 /* These are taken from the PPPS section, 0x00780240 */
427 ata_read_sectors(IF_MV2(0,) pinfo->start + 0x3C01, 1, block);
428 for (i=0; i<sizeof(OFDatabaseOffsets)/sizeof(*OFDatabaseOffsets); i++)
429 {
430 if (!memcmp(&block[0x40], OFDatabaseOffsets[i].version,
431 OFDatabaseOffsets[i].version_length))
432 {
433 sector = pinfo->start + OFDatabaseOffsets[i].sector;
434 offset = OFDatabaseOffsets[i].offset;
435 break;
436 }
437 }
438 if (sector && offset)
439 {
440 ata_read_sectors(IF_MV2(0,) sector, 1, block);
441 block[offset] = 0;
442 ata_write_sectors(IF_MV2(0,) sector, 1, block);
443 }
444 }
445 return EOK;
446 }
447 #endif
448
449 void* main(void)
450 {
451 int i;
452 int btn;
453 int rc;
454 int num_partitions;
455 struct partinfo* pinfo;
456 #if defined(SANSA_E200) || defined(SANSA_C200)
457 int usb_retry = 0;
458 bool usb = false;
459 #else
460 char buf[256];
461 unsigned short* identify_info;
462 #endif
463
464 chksum_crc32gentab ();
465
466 system_init();
467 kernel_init();
468 lcd_init();
469 font_init();
470 button_init();
471
472 lcd_set_foreground(LCD_WHITE);
473 lcd_set_background(LCD_BLACK);
474 lcd_clear_display();
475
476 btn = button_read_device();
477 #if defined(SANSA_E200) || defined(SANSA_C200)
478 usb_init();
479 while ((UDC_OTGSC&0x800) && usb_retry < 5 && !usb)
480 {
481 usb_retry++;
482 sleep(HZ/4);
483 usb = (usb_detect() == USB_INSERTED);
484 }
485 if (usb)
486 btn |= BOOTLOADER_BOOT_OF;
487 #endif
488 /* Enable bootloader messages if any button is pressed */
489 if (btn)
490 verbose = true;
491
492 lcd_setfont(FONT_SYSFIXED);
493
494 printf("Rockbox boot loader");
495 printf("Version: %s", version);
496 printf(MODEL_NAME);
497
498 i=ata_init();
499 #if !defined(SANSA_E200) && !defined(SANSA_C200)
500 if (i==0) {
501 identify_info=ata_get_identify();
502 /* Show model */
503 for (i=0; i < 20; i++) {
504 ((unsigned short*)buf)[i]=htobe16(identify_info[i+27]);
505 }
506 buf[40]=0;
507 for (i=39; i && buf[i]==' '; i--) {
508 buf[i]=0;
509 }
510 printf(buf);
511 } else {
512 error(EATA, i);
513 }
514 #endif
515
516 disk_init(IF_MV(0));
517 num_partitions = disk_mount_all();
518 if (num_partitions<=0)
519 {
520 error(EDISK,num_partitions);
521 }
522
523 /* Just list the first 2 partitions since we don't have any devices yet
524 that have more than that */
525 for(i=0; i<NUM_PARTITIONS; i++)
526 {
527 pinfo = disk_partinfo(i);
528 printf("Partition %d: 0x%02x %ld MB",
529 i, pinfo->type, pinfo->size / 2048);
530 }
531
532 if(btn & BOOTLOADER_BOOT_OF)
533 {
534 /* Load original mi4 firmware in to a memory buffer called loadbuffer.
535 The rest of the loading is done in crt0.S.
536 1) First try reading from the hidden partition (on Sansa only).
537 2) Next try a decrypted mi4 file in /System/OF.mi4
538 3) Finally, try a raw firmware binary in /System/OF.mi4. It should be
539 a mi4 firmware decrypted and header stripped using mi4code.
540 */
541 printf("Loading original firmware...");
542
543 #if defined(SANSA_E200) || defined(SANSA_C200)
544 /* First try a (hidden) firmware partition */
545 printf("Trying firmware partition");
546 pinfo = disk_partinfo(1);
547 if(pinfo->type == PARTITION_TYPE_OS2_HIDDEN_C_DRIVE)
548 {
549 rc = load_mi4_part(loadbuffer, pinfo, MAX_LOADSIZE, usb);
550 if (rc < EOK) {
551 printf("Can't load from partition");
552 printf(strerror(rc));
553 } else {
554 return (void*)loadbuffer;
555 }
556 } else {
557 printf("No hidden partition found.");
558 }
559 #endif
560
561 printf("Trying /System/OF.mi4");
562 rc=load_mi4(loadbuffer, "/System/OF.mi4", MAX_LOADSIZE);
563 if (rc < EOK) {
564 printf("Can't load /System/OF.mi4");
565 printf(strerror(rc));
566 } else {
567 return (void*)loadbuffer;
568 }
569
570 printf("Trying /System/OF.bin");
571 rc=load_raw_firmware(loadbuffer, "/System/OF.bin", MAX_LOADSIZE);
572 if (rc < EOK) {
573 printf("Can't load /System/OF.bin");
574 printf(strerror(rc));
575 } else {
576 return (void*)loadbuffer;
577 }
578
579 error(0, 0);
580
581 } else {
582 #if 0 /* e200: enable to be able to dump the hidden partition */
583 if(btn & BUTTON_UP)
584 {
585 int fd;
586 pinfo = disk_partinfo(1);
587 fd = open("/part.bin", O_CREAT|O_RDWR);
588 char sector[512];
589 for(i=0; i<40960; i++){
590 if (!(i%100))
591 {
592 printf("dumping sector %d", i);
593 }
594 ata_read_sectors(0, pinfo->start + i, 1, sector);
595 write(fd,sector,512);
596 }
597 close(fd);
598 }
599 #endif
600 printf("Loading Rockbox...");
601 rc=load_mi4(loadbuffer, BOOTFILE, MAX_LOADSIZE);
602 if (rc < EOK) {
603 printf("Can't load %s:", BOOTFILE);
604 printf(strerror(rc));
605
606 #ifdef OLD_BOOTFILE
607 /* Try loading rockbox from old rockbox.e200/rockbox.h10 format */
608 rc=load_firmware(loadbuffer, OLD_BOOTFILE, MAX_LOADSIZE);
609 if (rc < EOK) {
610 printf("Can't load %s:", OLD_BOOTFILE);
611 error(EBOOTFILE, rc);
612 }
613 #endif
614 }
615 }
616
617 return (void*)loadbuffer;
618 }
619
620 #if !defined(SANSA_E200) && !defined(SANSA_C200)
621 /* These functions are present in the firmware library, but we reimplement
622 them here because the originals do a lot more than we want */
623 void usb_acknowledge(void)
624 {
625 }
626
627 void usb_wait_for_disconnect(void)
628 {
629 }
630 #endif
631
Open Source Jukebox Firmware