1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2006 by Barry Wardell
12 * Based on Rockbox iriver bootloader by Linus Nielsen Feltzing
13 * and the ipodlinux bootloader by Daniel Palffy and Bernard Leach
15 * All files in this archive are subject to the GNU General Public License.
16 * See the file COPYING in the source tree root for full license agreement.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ****************************************************************************/
34 #include "crc32-mi4.h"
37 #if defined(SANSA_E200)
39 #include "backlight-target.h"
41 #if defined(SANSA_E200) || defined(SANSA_C200)
46 /* Show the Rockbox logo - in show_logo.c */
47 extern int show_logo(void);
49 /* Button definitions */
50 #if CONFIG_KEYPAD == IRIVER_H10_PAD
51 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
53 #elif CONFIG_KEYPAD == SANSA_E200_PAD
54 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
56 #elif CONFIG_KEYPAD == SANSA_C200_PAD
57 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
59 #elif CONFIG_KEYPAD == MROBE100_PAD
60 #define BOOTLOADER_BOOT_OF BUTTON_POWER
64 /* Maximum allowed firmware image size. 10MB is more than enough */
65 #define MAX_LOADSIZE (10*1024*1024)
67 /* A buffer to load the original firmware or Rockbox into */
68 unsigned char *loadbuffer
= (unsigned char *)DRAM_START
;
70 /* Bootloader version */
71 char version
[] = APPSVERSION
;
73 /* Locations and sizes in hidden partition on Sansa */
74 #if defined(SANSA_E200) || defined(SANSA_C200)
75 #define PPMI_SECTOR_OFFSET 1024
76 #define PPMI_SECTORS 1
77 #define MI4_HEADER_SECTORS 1
78 #define NUM_PARTITIONS 2
81 #define NUM_PARTITIONS 1
85 #define MI4_HEADER_SIZE 0x200
87 /* mi4 header structure */
89 unsigned char magic
[4];
98 unsigned char type
[4];
99 unsigned char model
[4];
102 /* PPMI header structure */
103 struct ppmi_header_t
{
104 unsigned char magic
[4];
109 inline unsigned int le2int(unsigned char* buf
)
111 int32_t res
= (buf
[3] << 24) | (buf
[2] << 16) | (buf
[1] << 8) | buf
[0];
116 inline void int2le(unsigned int val
, unsigned char* addr
)
118 addr
[0] = val
& 0xFF;
119 addr
[1] = (val
>> 8) & 0xff;
120 addr
[2] = (val
>> 16) & 0xff;
121 addr
[3] = (val
>> 24) & 0xff;
129 #define NUM_KEYS (sizeof(tea_keytable)/sizeof(tea_keytable[0]))
130 struct tea_key tea_keytable
[] = {
131 { "default" , { 0x20d36cc0, 0x10e8c07d, 0xc0e7dcaa, 0x107eb080 } },
132 { "sansa", { 0xe494e96e, 0x3ee32966, 0x6f48512b, 0xa93fbb42 } },
133 { "sansa_gh", { 0xd7b10538, 0xc662945b, 0x1b3fce68, 0xf389c0e6 } },
134 { "sansa_103", { 0x1d29ddc0, 0x2579c2cd, 0xce339e1a, 0x75465dfe } },
135 { "rhapsody", { 0x7aa9c8dc, 0xbed0a82a, 0x16204cc7, 0x5904ef38 } },
136 { "p610", { 0x950e83dc, 0xec4907f9, 0x023734b9, 0x10cfb7c7 } },
137 { "p640", { 0x220c5f23, 0xd04df68e, 0x431b5e25, 0x4dcc1fa1 } },
138 { "virgin", { 0xe83c29a1, 0x04862973, 0xa9b3f0d4, 0x38be2a9c } },
139 { "20gc_eng", { 0x0240772c, 0x6f3329b5, 0x3ec9a6c5, 0xb0c9e493 } },
140 { "20gc_fre", { 0xbede8817, 0xb23bfe4f, 0x80aa682d, 0xd13f598c } },
141 { "elio_p722", { 0x6af3b9f8, 0x777483f5, 0xae8181cc, 0xfa6d8a84 } },
142 { "c200", { 0xbf2d06fa, 0xf0e23d59, 0x29738132, 0xe2d04ca7 } },
143 { "c200_103", { 0x2a7968de, 0x15127979, 0x142e60a7, 0xe49c1893 } },
144 { "c200_106", { 0xa913d139, 0xf842f398, 0x3e03f1a6, 0x060ee012 } },
145 { "view", { 0x70e19bda, 0x0c69ea7d, 0x2b8b1ad1, 0xe9767ced } },
146 { "sa9200", { 0x33ea0236, 0x9247bdc5, 0xdfaedf9f, 0xd67c9d30 } },
151 tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
153 "Following is an adaptation of the reference encryption and decryption
154 routines in C, released into the public domain by David Wheeler and
159 /* NOTE: The mi4 version of TEA uses a different initial value to sum compared
160 to the reference implementation and the main loop is 8 iterations, not
164 static void tea_decrypt(uint32_t* v0
, uint32_t* v1
, uint32_t* k
) {
165 uint32_t sum
=0xF1BBCDC8, i
; /* set up */
166 uint32_t delta
=0x9E3779B9; /* a key schedule constant */
167 uint32_t k0
=k
[0], k1
=k
[1], k2
=k
[2], k3
=k
[3]; /* cache key */
168 for(i
=0; i
<8; i
++) { /* basic cycle start */
169 *v1
-= ((*v0
<<4) + k2
) ^ (*v0
+ sum
) ^ ((*v0
>>5) + k3
);
170 *v0
-= ((*v1
<<4) + k0
) ^ (*v1
+ sum
) ^ ((*v1
>>5) + k1
);
171 sum
-= delta
; /* end cycle */
175 /* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
176 integers) and the key is incremented after each block
179 static void tea_decrypt_buf(unsigned char* src
, unsigned char* dest
, size_t n
, uint32_t * key
)
184 for (i
= 0; i
< (n
/ 8); i
++) {
188 tea_decrypt(&v0
, &v1
, key
);
196 /* Now increment the key */
210 static inline bool tea_test_key(unsigned char magic_enc
[8], uint32_t * key
, int unaligned
)
212 unsigned char magic_dec
[8];
213 tea_decrypt_buf(magic_enc
, magic_dec
, 8, key
);
215 return (le2int(&magic_dec
[4*unaligned
]) == 0xaa55aa55);
218 static int tea_find_key(struct mi4header_t
*mi4header
, int fd
)
224 unsigned char magic_enc
[8];
226 unsigned int magic_location
= mi4header
->length
-4;
229 if ( (magic_location
% 8) != 0 )
235 /* Load encrypted magic 0xaa55aa55 to check key */
236 lseek(fd
, MI4_HEADER_SIZE
+ magic_location
, SEEK_SET
);
237 rc
= read(fd
, magic_enc
, 8);
239 return EREAD_IMAGE_FAILED
;
241 printf("Searching for key:");
243 for (i
=0; i
< NUM_KEYS
&& (key_found
<0) ; i
++) {
244 key
[0] = tea_keytable
[i
].key
[0];
245 key
[1] = tea_keytable
[i
].key
[1];
246 key
[2] = tea_keytable
[i
].key
[2];
247 key
[3] = tea_keytable
[i
].key
[3];
249 /* Now increment the key */
250 for(j
=0; j
<((magic_location
-mi4header
->plaintext
)/8); j
++){
263 if (tea_test_key(magic_enc
,key
,unaligned
))
266 printf("%s...found", tea_keytable
[i
].name
);
268 /* printf("%s...failed", tea_keytable[i].name); */
276 /* Load mi4 format firmware image */
277 int load_mi4(unsigned char* buf
, char* firmware
, unsigned int buffer_size
)
280 struct mi4header_t mi4header
;
283 char filename
[MAX_PATH
];
285 snprintf(filename
,sizeof(filename
),"/.rockbox/%s",firmware
);
286 fd
= open(filename
, O_RDONLY
);
289 snprintf(filename
,sizeof(filename
),"/%s",firmware
);
290 fd
= open(filename
, O_RDONLY
);
292 return EFILE_NOT_FOUND
;
295 read(fd
, &mi4header
, MI4_HEADER_SIZE
);
298 printf("mi4 size: %x", mi4header
.mi4size
);
300 if ((mi4header
.mi4size
-MI4_HEADER_SIZE
) > buffer_size
)
301 return EFILE_TOO_BIG
;
304 printf("CRC32: %x", mi4header
.crc32
);
306 /* Rockbox model id */
307 printf("Model id: %.4s", mi4header
.model
);
309 /* Read binary type (RBOS, RBBL) */
310 printf("Binary type: %.4s", mi4header
.type
);
312 /* Load firmware file */
313 lseek(fd
, MI4_HEADER_SIZE
, SEEK_SET
);
314 rc
= read(fd
, buf
, mi4header
.mi4size
-MI4_HEADER_SIZE
);
315 if(rc
< (int)mi4header
.mi4size
-MI4_HEADER_SIZE
)
316 return EREAD_IMAGE_FAILED
;
318 /* Check CRC32 to see if we have a valid file */
319 sum
= chksum_crc32 (buf
, mi4header
.mi4size
- MI4_HEADER_SIZE
);
321 printf("Calculated CRC32: %x", sum
);
323 if(sum
!= mi4header
.crc32
)
326 if( (mi4header
.plaintext
+ MI4_HEADER_SIZE
) != mi4header
.mi4size
)
328 /* Load encrypted firmware */
329 int key_index
= tea_find_key(&mi4header
, fd
);
332 return EINVALID_FORMAT
;
334 /* Plaintext part is already loaded */
335 buf
+= mi4header
.plaintext
;
337 /* Decrypt in-place */
338 tea_decrypt_buf(buf
, buf
,
339 mi4header
.mi4size
-(mi4header
.plaintext
+MI4_HEADER_SIZE
),
340 tea_keytable
[key_index
].key
);
342 printf("%s key used", tea_keytable
[key_index
].name
);
344 /* Check decryption was successfull */
345 if(le2int(&buf
[mi4header
.length
-mi4header
.plaintext
-4]) != 0xaa55aa55)
347 return EREAD_IMAGE_FAILED
;
354 #if defined(SANSA_E200) || defined(SANSA_C200)
355 /* Load mi4 firmware from a hidden disk partition */
356 int load_mi4_part(unsigned char* buf
, struct partinfo
* pinfo
,
357 unsigned int buffer_size
, bool disable_rebuild
)
359 struct mi4header_t mi4header
;
360 struct ppmi_header_t ppmi_header
;
363 /* Read header to find out how long the mi4 file is. */
364 ata_read_sectors(IF_MV2(0,) pinfo
->start
+ PPMI_SECTOR_OFFSET
,
365 PPMI_SECTORS
, &ppmi_header
);
367 /* The first four characters at 0x80000 (sector 1024) should be PPMI*/
368 if( memcmp(ppmi_header
.magic
, "PPMI", 4) )
369 return EFILE_NOT_FOUND
;
371 printf("BL mi4 size: %x", ppmi_header
.length
);
373 /* Read mi4 header of the OF */
374 ata_read_sectors(IF_MV2(0,) pinfo
->start
+ PPMI_SECTOR_OFFSET
+ PPMI_SECTORS
375 + (ppmi_header
.length
/512), MI4_HEADER_SECTORS
, &mi4header
);
377 /* We don't support encrypted mi4 files yet */
378 if( (mi4header
.plaintext
) != (mi4header
.mi4size
-MI4_HEADER_SIZE
))
379 return EINVALID_FORMAT
;
382 printf("OF mi4 size: %x", mi4header
.mi4size
);
384 if ((mi4header
.mi4size
-MI4_HEADER_SIZE
) > buffer_size
)
385 return EFILE_TOO_BIG
;
388 printf("CRC32: %x", mi4header
.crc32
);
390 /* Rockbox model id */
391 printf("Model id: %.4s", mi4header
.model
);
393 /* Read binary type (RBOS, RBBL) */
394 printf("Binary type: %.4s", mi4header
.type
);
397 ata_read_sectors(IF_MV2(0,) pinfo
->start
+ PPMI_SECTOR_OFFSET
+ PPMI_SECTORS
398 + (ppmi_header
.length
/512) + MI4_HEADER_SECTORS
,
399 (mi4header
.mi4size
-MI4_HEADER_SIZE
)/512, buf
);
401 /* Check CRC32 to see if we have a valid file */
402 sum
= chksum_crc32 (buf
,mi4header
.mi4size
-MI4_HEADER_SIZE
);
404 printf("Calculated CRC32: %x", sum
);
406 if(sum
!= mi4header
.crc32
)
414 printf("Disabling database rebuild");
416 ata_read_sectors(IF_MV2(0,) pinfo
->start
+ 0x3c08, 1, block
);
418 ata_write_sectors(IF_MV2(0,) pinfo
->start
+ 0x3c08, 1, block
);
421 (void) disable_rebuild
;
434 struct partinfo
* pinfo
;
435 #if defined(SANSA_E200) || defined(SANSA_C200)
440 unsigned short* identify_info
;
443 chksum_crc32gentab ();
454 #if defined(SANSA_E200)
464 printf("Hold switch on");
465 printf("Shutting down...");
470 btn
= button_read_device();
472 /* Enable bootloader messages if any button is pressed */
478 #if defined(SANSA_E200) || defined(SANSA_C200)
479 #if !defined(USE_ROCKBOX_USB)
481 while (usb_drv_powered() && usb_retry
< 5 && !usb
)
485 usb
= (usb_detect() == USB_INSERTED
);
488 btn
|= BOOTLOADER_BOOT_OF
;
489 #endif /* USE_ROCKBOX_USB */
492 lcd_setfont(FONT_SYSFIXED
);
494 printf("Rockbox boot loader");
495 printf("Version: %s", version
);
499 #if !defined(SANSA_E200) && !defined(SANSA_C200)
501 identify_info
=ata_get_identify();
503 for (i
=0; i
< 20; i
++) {
504 ((unsigned short*)buf
)[i
]=htobe16(identify_info
[i
+27]);
507 for (i
=39; i
&& buf
[i
]==' '; i
--) {
517 num_partitions
= disk_mount_all();
518 if (num_partitions
<=0)
520 error(EDISK
,num_partitions
);
523 /* Just list the first 2 partitions since we don't have any devices yet
524 that have more than that */
525 for(i
=0; i
<NUM_PARTITIONS
; i
++)
527 pinfo
= disk_partinfo(i
);
528 printf("Partition %d: 0x%02x %ld MB",
529 i
, pinfo
->type
, pinfo
->size
/ 2048);
532 if(btn
& BOOTLOADER_BOOT_OF
)
534 /* Load original mi4 firmware in to a memory buffer called loadbuffer.
535 The rest of the loading is done in crt0.S.
536 1) First try reading from the hidden partition (on Sansa only).
537 2) Next try a decrypted mi4 file in /System/OF.mi4
538 3) Finally, try a raw firmware binary in /System/OF.mi4. It should be
539 a mi4 firmware decrypted and header stripped using mi4code.
541 printf("Loading original firmware...");
543 #if defined(SANSA_E200) || defined(SANSA_C200)
544 /* First try a (hidden) firmware partition */
545 printf("Trying firmware partition");
546 pinfo
= disk_partinfo(1);
547 if(pinfo
->type
== PARTITION_TYPE_OS2_HIDDEN_C_DRIVE
)
549 rc
= load_mi4_part(loadbuffer
, pinfo
, MAX_LOADSIZE
, usb
);
551 printf("Can't load from partition");
552 printf(strerror(rc
));
554 return (void*)loadbuffer
;
557 printf("No hidden partition found.");
561 printf("Trying /System/OF.mi4");
562 rc
=load_mi4(loadbuffer
, "/System/OF.mi4", MAX_LOADSIZE
);
564 printf("Can't load /System/OF.mi4");
565 printf(strerror(rc
));
567 return (void*)loadbuffer
;
570 printf("Trying /System/OF.bin");
571 rc
=load_raw_firmware(loadbuffer
, "/System/OF.bin", MAX_LOADSIZE
);
573 printf("Can't load /System/OF.bin");
574 printf(strerror(rc
));
576 return (void*)loadbuffer
;
582 #if 0 /* e200: enable to be able to dump the hidden partition */
586 pinfo
= disk_partinfo(1);
587 fd
= open("/part.bin", O_CREAT
|O_RDWR
);
589 for(i
=0; i
<40960; i
++){
592 printf("dumping sector %d", i
);
594 ata_read_sectors(IF_MV2(0,) pinfo
->start
+ i
, 1, sector
);
595 write(fd
,sector
,512);
600 printf("Loading Rockbox...");
601 rc
=load_mi4(loadbuffer
, BOOTFILE
, MAX_LOADSIZE
);
603 printf("Can't load %s:", BOOTFILE
);
604 printf(strerror(rc
));
607 /* Try loading rockbox from old rockbox.e200/rockbox.h10 format */
608 rc
=load_firmware(loadbuffer
, OLD_BOOTFILE
, MAX_LOADSIZE
);
610 printf("Can't load %s:", OLD_BOOTFILE
);
611 error(EBOOTFILE
, rc
);
617 return (void*)loadbuffer
;
620 #if !defined(SANSA_E200) && !defined(SANSA_C200)
621 /* These functions are present in the firmware library, but we reimplement
622 them here because the originals do a lot more than we want */
623 void usb_acknowledge(void)
627 void usb_wait_for_disconnect(void)