1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2008 by Maurus Cuelenaere
12 * based on tcctool.c by Dave Chapman
14 * USB code based on ifp-line - http://ifp-driver.sourceforge.net
16 * ifp-line is (C) Pavel Kriz, Jun Yamishiro and Joe Roback and
17 * licensed under the GPL (v2)
20 * This program is free software; you can redistribute it and/or
21 * modify it under the terms of the GNU General Public License
22 * as published by the Free Software Foundation; either version 2
23 * of the License, or (at your option) any later version.
25 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
26 * KIND, either express or implied.
28 ****************************************************************************/
34 #include <sys/types.h>
44 #define MAX_FIRMWARESIZE (64*1024*1024) /* Arbitrary limit (for safety) */
46 /* For win32 compatibility: */
51 /* USB IDs for USB Boot Mode */
55 #define EP_BULK_TO 0x01
58 enum USB_JZ4740_REQUEST
108 enum DATA_STRUCTURE_OB
/*
 * filesize: report the size of an already-open stream.
 *
 * The statements visible in this listing seek to the end of the stream and
 * then rewind to the start; the statement that reads the position between
 * the two seeks, and the return, are not shown here.
 *
 * NOTE(review): neither fseek() result is checked, and the int return type
 * cannot represent sizes above INT_MAX. Callers that feed the result to
 * malloc()/fread() should reject negative values as well as oversized ones.
 */
121 int filesize(FILE* fd
)
124 fseek(fd
, 0, SEEK_END
);
126 fseek(fd
, 0, SEEK_SET
);
/*
 * USB transfer helper macros. Each one assigns the libusb result to a local
 * named `err` and talks to a handle named `dh`, so they can only be used in
 * functions that declare both. Only part of each macro's error branch is
 * visible in this listing.
 *
 *   SEND_COMMAND(cmd, arg) - vendor control-out request with no data stage;
 *                            `arg` is split into its upper and lower 16 bits
 *                            for the value and index fields.
 *   GET_CPU_INFO(s)        - vendor control-in request that reads 8 bytes
 *                            into `s`.
 *   SEND_DATA(ptr, size)   - bulk write of `size` bytes from `ptr`.
 *   GET_DATA(ptr, size)    - bulk read of up to `size` bytes into `ptr`.
 *
 * NOTE(review):
 *  - `arg` is expanded unparenthesized (`arg>>16`, `arg&0xFFFF`); pass a
 *    variable or a fully parenthesized expression.
 *  - GET_CPU_INFO and GET_DATA fill the buffer with device-supplied bytes.
 *    The caller must provide at least 8 / `size` bytes of storage and must
 *    add its own terminator before treating the data as a C string.
 *  - `size` is handed to libusb as given; no bounds check happens here.
 *  - GET_DATA's failure messages say "writing" / "Bulk write" although the
 *    call is usb_bulk_read, which is misleading when triaging logs.
 */
130 #define SEND_COMMAND(cmd, arg) err = usb_control_msg(dh, USB_ENDPOINT_OUT | USB_TYPE_VENDOR, cmd, arg>>16, arg&0xFFFF, NULL, 0, TOUT);\
133 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
137 #define GET_CPU_INFO(s) err = usb_control_msg(dh, USB_ENDPOINT_IN | USB_TYPE_VENDOR, VR_GET_CPU_INFO, 0, 0, s, 8, TOUT); \
140 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
144 #define SEND_DATA(ptr, size) err = usb_bulk_write(dh, USB_ENDPOINT_OUT | EP_BULK_TO, ptr, size, TOUT); \
147 fprintf(stderr,"\n[ERR] Error writing data\n"); \
148 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
152 #define GET_DATA(ptr, size) err = usb_bulk_read(dh, USB_ENDPOINT_IN | EP_BULK_TO, ptr, size, TOUT); \
155 fprintf(stderr,"\n[ERR] Error writing data\n"); \
156 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
/*
 * upload_app: push an image to the device and start it.
 *
 * Visible sequence: print the CPU info string, flush the device caches, set
 * the data address to `address`, send the data, set address and length again
 * and read `len` bytes back into a temporary buffer for comparison with `p`,
 * then issue VR_PROGRAM_START1 at `address` or, when `stage2` is true,
 * VR_PROGRAM_START2 at `address + 8`.
 *
 * dh      - open libusb device handle
 * address - target address on the device
 * p       - image bytes; must hold at least `len` bytes
 * len     - image length in bytes
 * stage2  - selects the stage 2 start request
 *
 * The return statements are not visible in this listing.
 */
160 int upload_app(usb_dev_handle
* dh
, int address
, unsigned char* p
, int len
, bool stage2
)
164 unsigned char* tmp_buf
;
166 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
/* NOTE(review): buf is printed with %s, so it needs a NUL inside its bounds.
 * Its declaration and any terminator are not visible here, and its content
 * is presumably the 8 device-supplied bytes from GET_CPU_INFO - confirm. */
169 fprintf(stderr
, "%s\n", buf
);
171 fprintf(stderr
, "[INFO] Flushing cache...");
172 SEND_COMMAND(VR_FLUSH_CACHES
, 0);
173 fprintf(stderr
, " Done!\n");
176 fprintf(stderr
, "[INFO] SET_DATA_ADDRESS to 0x%x...", address
);
177 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
178 fprintf(stderr
, " Done!\n");
180 fprintf(stderr
, "[INFO] Sending data...");
181 /* Must not split the file in several packages! */
183 fprintf(stderr
, " Done!\n");
185 fprintf(stderr
, "[INFO] Verifying data...");
186 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
187 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
/* NOTE(review): len is a signed int; a negative value converts to a very
 * large size_t in malloc() and memcmp(). Validate len before this point. */
188 tmp_buf
= malloc(len
);
191 fprintf(stderr
, "\n[ERR] Could not allocate memory.\n");
194 GET_DATA(tmp_buf
, len
);
/* NOTE(review): as far as this listing shows, a read-back mismatch only
 * prints a warning; no abort before the boot request below is visible, so a
 * corrupted upload may still be started. The release of tmp_buf is also not
 * visible here - confirm. */
195 if (memcmp(tmp_buf
, p
, len
) != 0)
196 fprintf(stderr
, "\n[WARN] Sent data isn't the same as received data...\n");
198 fprintf(stderr
, " Done!\n");
201 fprintf(stderr
, "[INFO] Booting device [STAGE%d]...", (stage2
? 2 : 1));
202 SEND_COMMAND((stage2
? VR_PROGRAM_START2
: VR_PROGRAM_START1
), (address
+(stage2
? 8 : 0)) );
203 fprintf(stderr
, " Done!\n");
/*
 * read_data: request `len` bytes of device memory starting at `address`.
 *
 * Visible sequence: print the CPU info string, then send VR_SET_DATA_ADDRESS
 * and VR_SET_DATA_LENGTH. The transfer that fills `p` and the return
 * statements are not visible in this listing.
 *
 * NOTE(review): presumably the data is read into `p`, so the caller must
 * supply at least `len` bytes of storage; len is signed and is not range
 * checked in the lines shown. The bytes come from the device and should be
 * treated as untrusted by whatever consumes the output.
 */
208 int read_data(usb_dev_handle
* dh
, int address
, unsigned char *p
, int len
)
213 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
216 fprintf(stderr
, "%s\n", buf
);
218 fprintf(stderr
, "[INFO] Reading data...");
219 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
220 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
222 fprintf(stderr
, " Done!\n");
/*
 * read_reg: read a device register of `size` bytes at `address`.
 *
 * Visible sequence: send VR_SET_DATA_ADDRESS and VR_SET_DATA_LENGTH, then
 * assemble the result from a 4-byte local buffer with byte 0 as the least
 * significant byte. The two returns shown build a 16-bit and a 32-bit
 * value; the transfer that fills buf and the size dispatch are not visible
 * in this listing.
 *
 * NOTE(review): buf holds only 4 bytes, so `size` must never exceed 4; no
 * check is visible here. In the 32-bit return, buf[3] is promoted to int
 * before the shift, so a byte of 0x80 or more shifted left by 24 overflows a
 * signed int; casting to unsigned int before shifting avoids that.
 */
226 unsigned int read_reg(usb_dev_handle
* dh
, int address
, int size
)
229 unsigned char buf
[4];
231 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
232 SEND_COMMAND(VR_SET_DATA_LENGTH
, size
);
238 return (buf
[1] << 8) | buf
[0];
240 return (buf
[3] << 24) | (buf
[2] << 16) | (buf
[1] << 8) | buf
[0];
/*
 * set_reg: write `val` to a device register of `size` bytes at `address`.
 *
 * The value is serialized into a 4-byte local buffer, least significant
 * byte first (the stores to bytes 1-3 are visible; the store to byte 0 and
 * the size dispatch are not shown in this listing), then the address is set
 * and `size` bytes of the buffer are sent with a bulk write.
 *
 * NOTE(review): SEND_DATA transmits `size` bytes from a 4-byte buffer and no
 * bound on `size` is visible here; a size above 4 would send adjacent stack
 * memory to the device. Bytes that are not assigned for smaller sizes should
 * not be sent either.
 */
245 int set_reg(usb_dev_handle
* dh
, int address
, unsigned int val
, int size
)
248 unsigned char buf
[4];
253 buf
[1] = (val
>> 8) & 0xff;
256 buf
[2] = (val
>> 16) & 0xff;
257 buf
[3] = (val
>> 24) & 0xff;
261 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
262 SEND_DATA(buf
, size
);
/*
 * Read-modify-write helpers built on read_reg()/set_reg():
 *   or_reg  - set the bits in val
 *   and_reg - keep only the bits in val
 *   bc_reg  - clear the bits in val
 *   xor_reg - toggle the bits in val
 * TEST(m, size) prints the register expression text and its current value to
 * stderr and needs a handle named `dh` in scope.
 *
 * NOTE(review): each helper is two separate USB exchanges, so the update is
 * not atomic with respect to the device. `adr` is expanded twice, and every
 * macro already ends in a semicolon, so they must be used as complete
 * statements. Any error reported by read_reg() is folded into the value that
 * is written back.
 */
266 #define or_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) | (val)), size);
267 #define and_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & (val)), size);
268 #define bc_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & ~(val)), size);
269 #define xor_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) ^ (val)), size);
271 #define TEST(m, size) fprintf(stderr, "%s -> %x\n", #m, read_reg(dh, m, size));
/*
 * test_device: dump device registers to stderr for diagnostics.
 *
 * Of the TEST() calls, this listing shows the four GPIO_PXPIN(0..3) reads
 * (32 bit) and the SADC_BATDAT read (16 bit); the remaining lines of the
 * body and the return value are not visible here.
 */
272 int test_device(usb_dev_handle
* dh
)
280 fprintf(stderr
, "\n");
292 fprintf(stderr
, "\n");
293 TEST(GPIO_PXPIN(0), 4);
294 TEST(GPIO_PXPIN(1), 4);
295 TEST(GPIO_PXPIN(2), 4);
296 TEST(GPIO_PXPIN(3), 4);
298 fprintf(stderr
, "\n");
301 fprintf(stderr
, "\n");
302 //or_reg(dh, SADC_ENA, SADC_ENA_TSEN, 1);
306 TEST(SADC_BATDAT
, 2);
309 fprintf(stderr
, "\n");
/*
 * Key bit masks used by probe_device(), which tests them against the value
 * read from GPIO_PXPIN(3). MASK combines all five keys; TS_MASK combines the
 * SADC state bits that probe_device() writes to SADC_CTRL.
 */
318 #define VOL_DOWN (1 << 27)
319 #define VOL_UP (1 << 0)
320 #define MENU (1 << 1)
321 #define HOLD (1 << 16)
322 #define OFF (1 << 29)
323 #define MASK (VOL_DOWN|VOL_UP|MENU|HOLD|OFF)
324 #define TS_MASK (SADC_STATE_PEND|SADC_STATE_PENU|SADC_STATE_TSRDY)
/*
 * probe_device: poll the touchscreen ADC and the key GPIOs and print what
 * is active.
 *
 * Visible behaviour: when SADC_STATE has SADC_STATE_TSRDY set, print
 * SADC_TSDAT and OR the current TS_MASK state bits into SADC_CTRL; then read
 * GPIO_PXPIN(3) and print a key name when its bit is clear (only the
 * VOL_DOWN test is shown in this listing). Loop structure and return value
 * are not visible here.
 */
325 int probe_device(usb_dev_handle
* dh
)
329 //or_reg(dh, SADC_ENA, SADC_ENA_TSEN, 1);
332 if(read_reg(dh
, SADC_STATE
, 1) & SADC_STATE_TSRDY
)
334 printf("%x\n", read_reg(dh
, SADC_TSDAT
, 4));
335 or_reg(dh
, SADC_CTRL
, read_reg(dh
, SADC_STATE
, 1) & TS_MASK
, 1);
338 tmp
= read_reg(dh
, GPIO_PXPIN(3), 4);
/* A key is reported when its bit reads as 0. */
343 if(!(tmp
& VOL_DOWN
))
344 printf("VOL_DOWN\t");
/*
 * read_file: load the file `name` into a newly allocated buffer.
 *
 * name   - path opened in binary read mode
 * buffer - receives the malloc()ed buffer; the caller owns it and must free
 *          it
 *
 * Three failure paths print an error: open failure, allocation failure and
 * short read. The values returned on success and on failure are not visible
 * in this listing (presumably the length on success - confirm).
 *
 * NOTE(review): the return type is unsigned, so a failure cannot be a
 * negative code; callers need a documented sentinel and must check it before
 * using *buffer. The _SEND_FILE and _VERIFY_DATA macros in this file use the
 * result without any check.
 */
359 unsigned int read_file(const char *name
, unsigned char **buffer
)
364 fd
= fopen(name
, "rb");
367 fprintf(stderr
, "[ERR] Could not open %s\n", name
);
373 *buffer
= (unsigned char*)malloc(len
);
376 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
381 n
= fread(*buffer
, 1, len
, fd
);
384 fprintf(stderr
, "[ERR] Short read.\n");
/*
 * Step macros used by mimic_of(). They rely on locals of the enclosing
 * function (dh, err, fsize, buffer, buffer2 and, for _GET_CPU, cpu) and are
 * only partly visible in this listing.
 *
 *   _GET_CPU           - print the device CPU info string
 *   _SET_ADDR(a)       - send VR_SET_DATA_ADDRESS with `a`
 *   _SEND_FILE(a)      - load file `a` with read_file() and bulk-write it
 *   _VERIFY_DATA(a, c) - reload file `a`, read the same number of bytes back
 *                        from device address `c` and compare
 *   _STAGE1(a)/_STAGE2(a) - send the stage 1 / stage 2 start request
 *   _FLUSH             - send VR_FLUSH_CACHES
 *   _SLEEP(x)          - sleep x seconds (Sleep() takes milliseconds)
 *
 * NOTE(review):
 *  - _SEND_FILE and _VERIFY_DATA use fsize and buffer straight after
 *    read_file() with no failure check, so a missing or unreadable file
 *    reaches SEND_DATA/memcmp.
 *  - _VERIFY_DATA passes the malloc() result for buffer2 to GET_DATA without
 *    a NULL check, and a mismatch only prints a warning.
 *  - The early return inside SEND_COMMAND/SEND_DATA/GET_DATA (not visible
 *    here - confirm) would skip any cleanup of buffer/buffer2.
 *  - Identifiers that start with an underscore followed by an upper-case
 *    letter are reserved for the implementation.
 *  - _SLEEP expands `x*1000` without parentheses around x.
 */
392 #define _GET_CPU fprintf(stderr, "[INFO] GET_CPU_INFO:"); \
395 fprintf(stderr, " %s\n", cpu);
396 #define _SET_ADDR(a) fprintf(stderr, "[INFO] Set address to 0x%x...", a); \
397 SEND_COMMAND(VR_SET_DATA_ADDRESS, a); \
398 fprintf(stderr, " Done!\n");
399 #define _SEND_FILE(a) fsize = read_file(a, &buffer); \
400 fprintf(stderr, "[INFO] Sending file %s: %d bytes...", a, fsize); \
401 SEND_DATA(buffer, fsize); \
403 fprintf(stderr, " Done!\n");
404 #define _VERIFY_DATA(a,c) fprintf(stderr, "[INFO] Verifying data (%s)...", a); \
405 fsize = read_file(a, &buffer); \
406 buffer2 = (unsigned char*)malloc(fsize); \
407 SEND_COMMAND(VR_SET_DATA_ADDRESS, c); \
408 SEND_COMMAND(VR_SET_DATA_LENGTH, fsize); \
409 GET_DATA(buffer2, fsize); \
410 if(memcmp(buffer, buffer2, fsize) != 0) \
411 fprintf(stderr, "\n[WARN] Sent data isn't the same as received data...\n"); \
413 fprintf(stderr, " Done!\n"); \
416 #define _STAGE1(a) fprintf(stderr, "[INFO] Stage 1 at 0x%x\n", a); \
417 SEND_COMMAND(VR_PROGRAM_START1, a);
418 #define _STAGE2(a) fprintf(stderr, "[INFO] Stage 2 at 0x%x\n", a); \
419 SEND_COMMAND(VR_PROGRAM_START2, a);
420 #define _FLUSH fprintf(stderr, "[INFO] Flushing caches...\n"); \
421 SEND_COMMAND(VR_FLUSH_CACHES, 0);
423 #define _SLEEP(x) Sleep(x*1000);
425 #define _SLEEP(x) sleep(x);
/*
 * mimic_of: replay a fixed upload sequence using the files 1.bin to 10.bin
 * and hard-coded device addresses (the usage text calls this "mimic OF fw
 * recovery"). Only some steps are visible in this listing; the return value
 * is not shown.
 *
 * NOTE(review):
 *  - The files are opened by bare relative names, so they are taken from the
 *    current working directory; run the tool from a directory whose contents
 *    are trusted, since these images are started on the device.
 *  - Expressions such as `0x8000 << 16` do not fit in a signed int; an
 *    unsigned constant (0x80000000u) states the same address without relying
 *    on signed overflow.
 *  - Every _VERIFY_DATA step only warns on mismatch (see the macro), so the
 *    sequence continues even when the read-back differs.
 */
427 int mimic_of(usb_dev_handle
*dh
)
430 unsigned char *buffer
, *buffer2
;
433 fprintf(stderr
, "[INFO] Start!\n");
435 _SET_ADDR(0x8000 << 16);
438 _VERIFY_DATA("1.bin", 0x8000 << 16);
439 _STAGE1(0x8000 << 16);
441 _VERIFY_DATA("2.bin", 0xB3020060);
447 _SET_ADDR(0x8000 << 16);
450 _VERIFY_DATA("3.bin", 0x8000 << 16);
455 _SET_ADDR(0x80D0 << 16);
458 _VERIFY_DATA("4.bin", 0x80D0 << 16);
463 _SET_ADDR(0x80E0 << 16);
466 _VERIFY_DATA("5.bin", 0x80E0 << 16);
471 _SET_ADDR(0x80004000);
474 _VERIFY_DATA("6.bin", 0x80004000);
479 _SET_ADDR(0x80FD << 16);
482 _VERIFY_DATA("7.bin", 0x80FD << 16);
487 _VERIFY_DATA("8.bin", 0x80004004);
488 _VERIFY_DATA("9.bin", 0x80004008);
491 _SET_ADDR(0x80E0 << 16);
492 _SEND_FILE("10.bin");
494 _VERIFY_DATA("10.bin", 0x80E0 << 16);
499 fprintf(stderr
, "[INFO] Done!\n");
/*
 * jzconnect: locate the device, open it and run one operation on it.
 *
 * Visible sequence: enumerate USB busses and devices, pick a device whose
 * descriptor matches VID/PID, open it, select configuration 1, claim
 * interface 0, call upload_app(), read_data(), test_device() or
 * probe_device() depending on `func`, then release the interface.
 * upload_app() is told to do a stage 2 boot when func == 5. The rest of the
 * dispatch and the close of the handle are not visible in this listing.
 *
 * address, buf, len - passed through to upload_app()/read_data()
 * func              - command number selected on the command line
 *
 * NOTE(review):
 *  - The function returns void, so the `err` stored from the dispatched call
 *    never reaches the caller; main() cannot tell a failed transfer from a
 *    successful one.
 *  - The device is chosen by VID/PID alone. Everything read back from it
 *    (CPU info, memory dumps, register values) should be handled as
 *    untrusted input.
 */
503 void jzconnect(int address
, unsigned char* buf
, int len
, int func
)
506 struct usb_device
*tmp_dev
;
507 struct usb_device
*dev
= NULL
;
511 fprintf(stderr
,"[INFO] Searching for device...\n");
514 if(usb_find_busses() < 0)
516 fprintf(stderr
, "[ERR] Could not find any USB busses.\n");
520 if (usb_find_devices() < 0)
522 fprintf(stderr
, "[ERR] USB devices not found(nor hubs!).\n");
526 for (bus
= usb_get_busses(); bus
; bus
= bus
->next
)
528 for (tmp_dev
= bus
->devices
; tmp_dev
; tmp_dev
= tmp_dev
->next
)
530 //printf("Found Vendor %04x Product %04x\n",tmp_dev->descriptor.idVendor, tmp_dev->descriptor.idProduct);
531 if (tmp_dev
->descriptor
.idVendor
== VID
&&
532 tmp_dev
->descriptor
.idProduct
== PID
)
543 fprintf(stderr
, "[ERR] Device not found.\n");
544 fprintf(stderr
, "[ERR] Ensure your device is in USB boot mode and run usbtool again.\n");
549 if ( (dh
= usb_open(dev
)) == NULL
)
551 fprintf(stderr
,"[ERR] Unable to open device.\n");
555 err
= usb_set_configuration(dh
, 1);
559 fprintf(stderr
, "[ERR] usb_set_configuration failed (%d, %s)\n", err
, usb_strerror());
564 /* "must be called" written in the libusb documentation */
565 err
= usb_claim_interface(dh
, 0);
568 fprintf(stderr
, "[ERR] Unable to claim interface (%d, %s)\n", err
, usb_strerror());
573 fprintf(stderr
,"[INFO] Found device, uploading application.\n");
575 /* Now we can transfer the application to the device. */
581 err
= upload_app(dh
, address
, buf
, len
, (func
== 5));
584 err
= read_data(dh
, address
, buf
, len
);
587 err
= test_device(dh
);
590 err
= probe_device(dh
);
597 /* release claimed interface */
598 usb_release_interface(dh
, 0);
/*
 * print_usage: write the command-line help to stderr.
 *
 * Two variants of the usage and example lines are present, one naming
 * usbtool.exe and one naming usbtool; the conditional that selects between
 * them is not visible in this listing. The text documents commands 1 to 6
 * and states that [ADDRESS] must be given in 0x-prefixed hexadecimal.
 */
603 void print_usage(void)
606 fprintf(stderr
, "Usage: usbtool.exe [CMD] [FILE] [ADDRESS] [LEN]\n");
608 fprintf(stderr
, "Usage: usbtool [CMD] [FILE] [ADDRESS] [LEN]\n");
610 fprintf(stderr
, "\t[ADDRESS] has to be in 0xHEXADECIMAL format\n");
611 fprintf(stderr
, "\t[CMD]:\n\t\t1 -> upload file to specified address and boot from it\n\t\t2 -> read data from [ADDRESS] with length [LEN] to [FILE]\n");
612 fprintf(stderr
, "\t\t3 -> read device status\n\t\t4 -> probe keys (only Onda VX747)\n");
613 fprintf(stderr
, "\t\t5 -> same as 1 but do a stage 2 boot\n\t\t6 -> mimic OF fw recovery\n");
615 fprintf(stderr
, "\nExample:\n\t usbtool.exe 1 fw.bin 0x80000000");
616 fprintf(stderr
, "\n\t usbtool.exe 2 save.bin 0x81000000 1024");
618 fprintf(stderr
, "\nExample:\n\t usbtool 1 fw.bin 0x80000000");
619 fprintf(stderr
, "\n\t usbtool 2 save.bin 0x81000000 1024");
/*
 * main: parse [CMD] [FILE] [ADDRESS] [LEN] and run the selected command.
 *
 * Visible paths: an upload path that parses the address ("-1" selects
 * 0x80000000), loads argv[2] into memory, rejects files larger than
 * MAX_FIRMWARESIZE and calls jzconnect() with the command number; a read
 * path that parses address and length, calls jzconnect() with command 2 and
 * writes the buffer to argv[2]; and a path that calls jzconnect() with no
 * buffer. The argc checks, the command dispatch and the exit codes are not
 * visible in this listing.
 */
623 int main(int argc
, char* argv
[])
626 int n
, len
, address
, cmd
=0;
629 fprintf(stderr
, "USBtool v" VERSION
" - (C) 2008 Maurus Cuelenaere\n");
630 fprintf(stderr
, "This is free software; see the source for copying conditions. There is NO\n");
631 fprintf(stderr
, "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
/* The sscanf() result is ignored; cmd keeps its initial 0 when argv[1] is
 * not a number. */
634 sscanf(argv
[1], "%d", &cmd
);
639 if (strcmp(argv
[3], "-1") == 0)
640 address
= 0x80000000;
/* NOTE(review): %x expects an unsigned int *, but address is an int. */
643 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
650 fd
= fopen(argv
[2], "rb");
653 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
/* NOTE(review): only the upper bound is visible here; a negative length
 * would pass this comparison - confirm it is rejected elsewhere. */
659 if (len
> MAX_FIRMWARESIZE
)
661 fprintf(stderr
, "[ERR] Firmware file too big\n");
669 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
674 n
= fread(buf
, 1, len
, fd
);
677 fprintf(stderr
, "[ERR] Short read.\n");
683 fprintf(stderr
, "[INFO] File size: %d bytes\n", n
);
685 jzconnect(address
, buf
, len
, cmd
);
688 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
694 fd
= fopen(argv
[2], "wb");
697 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
/* NOTE(review): the sscanf() result is discarded and len has no
 * initializer, so a non-numeric [LEN] leaves it indeterminate. No range
 * check (negative, zero, or above a sane maximum) is visible before the
 * value is used to size the buffer and the transfer - confirm. */
701 sscanf(argv
[4], "%d", &len
);
706 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
/* NOTE(review): jzconnect() returns void, so the buffer is written to the
 * output file whether or not the device read succeeded. If the buffer was
 * not zero-filled at allocation (not visible here), a failed read would
 * save uninitialized heap contents. */
711 jzconnect(address
, buf
, len
, 2);
713 n
= fwrite(buf
, 1, len
, fd
);
716 fprintf(stderr
, "[ERR] Short write.\n");
725 jzconnect(address
, NULL
, 0, cmd
);