1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * mkamsboot.c - a tool for merging bootloader code into an Sansa V2
13 * Copyright (C) 2008 Dave Chapman
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
23 ****************************************************************************/
27 Insert a Rockbox bootloader into a Sansa AMS original firmware file.
29 Layout of a Sansa AMS original firmware file:
31 ---------------------- 0x0
33 |----------------------| 0x400
35 |----------------------| 0x400 + firmware block size
37 ---------------------- END
39 We replace the main firmware block (bytes 0x400..0x400+firmware_size)
43 ---------------------- 0x0
47 |----------------------|
49 |----------------------|
51 | compressed RB image |
53 |----------------------|
55 | compressed OF image |
57 |----------------------|
58 | UCL unpack function |
59 ----------------------
61 This entire block fits into the space previously occupied by the main
62 firmware block - the space saved by compressing the OF image is used
63 to store the compressed version of the Rockbox bootloader.
65 On version 1 firmwares, the OF image is typically about 120KB, which allows
66 us to store a Rockbox bootloader with an uncompressed size of about 60KB-70KB.
67 Version 2 firmwares are bigger and are stored in SDRAM (instead of IRAM).
68 In both cases, the RAM we are using is mapped at offset 0x0.
70 mkamsboot then corrects the checksums and writes a new legal firmware
71 file which can be installed on the device.
73 When the Sansa device boots, this firmware block is loaded to RAM at
74 address 0x0 and executed.
76 Firstly, the dual-boot code will copy the UCL unpack function to the
79 Then, depending on the detection of the dual-boot keypress, either the
80 OF image or the Rockbox image is copied to the end of RAM (just before
81 the ucl unpack function) and uncompressed to the start of RAM.
83 Finally, the ucl unpack function branches to address 0x0, passing
84 execution to the uncompressed firmware.
92 #include <sys/types.h>
100 #include "mkamsboot.h"
104 /* Header for ARM code binaries */
105 #include "dualboot.h"
107 /* Win32 compatibility */
112 /* 4 for m200, 2 for e200/c200, 1 or 2 for fuze/clip, 1 for clip+ */
113 const unsigned short hw_revisions
[] = {
124 /* version 2 is used in Clipv2, Clip+ and Fuzev2 firmwares */
125 const unsigned short fw_revisions
[] = {
136 /* Descriptive name of these models */
137 const char* model_names
[] = {
138 [MODEL_FUZE
] = "Fuze",
139 [MODEL_CLIP
] = "Clip",
140 [MODEL_CLIPV2
] = "Clip",
141 [MODEL_CLIPPLUS
]= "Clip+",
142 [MODEL_E200V2
] = "e200",
143 [MODEL_M200V4
] = "m200",
144 [MODEL_C200V2
] = "c200",
145 [MODEL_FUZEV2
] = "Fuze",
148 /* Dualboot functions for these models */
149 static const unsigned char* bootloaders
[] = {
150 [MODEL_FUZE
] = dualboot_fuze
,
151 [MODEL_CLIP
] = dualboot_clip
,
152 [MODEL_CLIPV2
] = dualboot_clipv2
,
153 [MODEL_E200V2
] = dualboot_e200v2
,
154 [MODEL_M200V4
] = dualboot_m200v4
,
155 [MODEL_C200V2
] = dualboot_c200v2
,
156 [MODEL_CLIPPLUS
]= dualboot_clipplus
,
157 [MODEL_FUZEV2
] = dualboot_fuzev2
,
160 /* Size of dualboot functions for these models */
161 const int bootloader_sizes
[] = {
162 [MODEL_FUZE
] = sizeof(dualboot_fuze
),
163 [MODEL_CLIP
] = sizeof(dualboot_clip
),
164 [MODEL_CLIPV2
] = sizeof(dualboot_clipv2
),
165 [MODEL_E200V2
] = sizeof(dualboot_e200v2
),
166 [MODEL_M200V4
] = sizeof(dualboot_m200v4
),
167 [MODEL_C200V2
] = sizeof(dualboot_c200v2
),
168 [MODEL_CLIPPLUS
]= sizeof(dualboot_clipplus
),
169 [MODEL_FUZEV2
] = sizeof(dualboot_fuzev2
),
172 /* Model names used in the Rockbox header in ".sansa" files - these match the
173 -add parameter to the "scramble" tool */
174 static const char* rb_model_names
[] = {
175 [MODEL_FUZE
] = "fuze",
176 [MODEL_CLIP
] = "clip",
177 [MODEL_CLIPV2
] = "clv2",
178 [MODEL_E200V2
] = "e2v2",
179 [MODEL_M200V4
] = "m2v4",
180 [MODEL_C200V2
] = "c2v2",
181 [MODEL_CLIPPLUS
]= "cli+",
182 [MODEL_FUZEV2
] = "fuz2",
185 /* Model numbers used to initialise the checksum in the Rockbox header in
186 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
187 static const int rb_model_num
[] = {
194 [MODEL_CLIPPLUS
]= 66,
198 /* Checksums of unmodified original firmwares - for safety, and device
200 static struct md5sums sansasums
[] = {
201 /* NOTE: Different regional versions of the firmware normally only
202 differ in the filename - the md5sums are identical */
204 /* model version md5 */
205 { MODEL_E200V2
, "3.01.11", "e622ca8cb6df423f54b8b39628a1f0a3" },
206 { MODEL_E200V2
, "3.01.14", "2c1d0383fc3584b2cc83ba8cc2243af6" },
207 { MODEL_E200V2
, "3.01.16", "12563ad71b25a1034cf2092d1e0218c4" },
209 { MODEL_FUZE
, "1.01.11", "cac8ffa03c599330ac02c4d41de66166" },
210 { MODEL_FUZE
, "1.01.15", "df0e2c1612727f722c19a3c764cff7f2" },
211 { MODEL_FUZE
, "1.01.22", "5aff5486fe8dd64239cc71eac470af98" },
212 { MODEL_FUZE
, "1.02.26", "7c632c479461c48c8833baed74eb5e4f" },
213 { MODEL_FUZE
, "1.02.28", "5b34260f6470e75f702a9c6825471752" },
214 { MODEL_FUZE
, "1.02.31", "66d01b37462a5ef7ccc6ad37188b4235" },
216 { MODEL_C200V2
, "3.02.05", "b6378ebd720b0ade3fad4dc7ab61c1a5" },
218 { MODEL_M200V4
, "4.00.45", "82e3194310d1514e3bbcd06e84c4add3" },
219 { MODEL_M200V4
, "4.01.08-A", "fc9dd6116001b3e6a150b898f1b091f0" },
220 { MODEL_M200V4
, "4.01.08-E", "d3fb7d8ec8624ee65bc99f8dab0e2369" },
222 { MODEL_CLIP
, "1.01.17", "12caad785d506219d73f538772afd99e" },
223 { MODEL_CLIP
, "1.01.18", "d720b266bd5afa38a198986ef0508a45" },
224 { MODEL_CLIP
, "1.01.20", "236d8f75189f468462c03f6d292cf2ac" },
225 { MODEL_CLIP
, "1.01.29", "c12711342169c66e209540cd1f27cd26" },
226 { MODEL_CLIP
, "1.01.30", "f2974d47c536549c9d8259170f1dbe4d" },
227 { MODEL_CLIP
, "1.01.32", "d835d12342500732ffb9c4ee54abec15" },
228 { MODEL_CLIP
, "1.01.35", "b4d0edb3b8f2a4e8eee0a344f7f8e480" },
230 { MODEL_CLIPV2
, "2.01.16", "c57fb3fcbe07c2c9b360f060938f80cb" },
231 { MODEL_CLIPV2
, "2.01.32", "0ad3723e52022509089d938d0fbbf8c5" },
232 { MODEL_CLIPV2
, "2.01.35", "a3cbbd22b9508d7f8a9a1a39acc342c2" },
234 { MODEL_CLIPPLUS
, "01.02.09", "656d38114774c2001dc18e6726df3c5d" },
236 { MODEL_FUZEV2
, "2.01.17", "8b85fb05bf645d08a4c8c3e344ec9ebe" },
237 { MODEL_FUZEV2
, "2.02.26", "d4f6f85c3e4a8ea8f2e5acc421641801" },
238 { MODEL_FUZEV2
, "2.03.31", "74fb197ccd51707388f3b233402186a6" },
241 #define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0]))
243 static unsigned int model_memory_size(int model
)
245 if(model
== MODEL_CLIPV2
)
247 /* The decompressed Clipv2 OF is around 380kB.
248 * Since it doesn't fit in the 0x50000 bytes IRAM, the OF starts
249 * with DRAM mapped at 0x0
251 * We could use all the available memory (supposedly 8MB)
252 * but 1MB ought to be enough for our use
257 { /* The OF boots with IRAM (320kB) mapped at 0x0 */
262 int firmware_revision(int model
)
264 return fw_revisions
[model
];
267 static off_t
filesize(int fd
)
271 if (fstat(fd
, &buf
) < 0) {
272 perror("[ERR] Checking filesize of input file");
279 static uint32_t get_uint32le(unsigned char* p
)
281 return p
[0] | (p
[1] << 8) | (p
[2] << 16) | (p
[3] << 24);
284 static uint32_t get_uint32be(unsigned char* p
)
286 return (p
[0] << 24) | (p
[1] << 16) | (p
[2] << 8) | p
[3];
289 static void put_uint32le(unsigned char* p
, uint32_t x
)
292 p
[1] = (x
>> 8) & 0xff;
293 p
[2] = (x
>> 16) & 0xff;
294 p
[3] = (x
>> 24) & 0xff;
297 void calc_MD5(unsigned char* buf
, int len
, char *md5str
)
301 unsigned char md5sum
[16];
304 md5_update(&ctx
, buf
, len
);
305 md5_finish(&ctx
, md5sum
);
307 for (i
= 0; i
< 16; ++i
)
308 sprintf(md5str
+ 2*i
, "%02x", md5sum
[i
]);
311 /* Calculate a simple checksum used in Sansa Original Firmwares */
312 static uint32_t calc_checksum(unsigned char* buf
, uint32_t n
)
318 sum
+= get_uint32le(buf
+ i
);
323 static int get_model(int model_id
)
339 return MODEL_CLIPPLUS
;
344 return MODEL_UNKNOWN
;
347 /* Compress using nrv2e algorithm : Thumb decompressor fits in 168 bytes ! */
348 static unsigned char* uclpack(unsigned char* inbuf
, int insize
, int* outsize
)
351 unsigned char* outbuf
;
354 /* The following formula comes from the UCL documentation */
355 maxsize
= insize
+ (insize
/ 8) + 256;
357 /* Allocate some memory for the output buffer */
358 outbuf
= malloc(maxsize
);
363 r
= ucl_nrv2e_99_compress(
364 (const ucl_bytep
) inbuf
,
370 if (r
!= UCL_E_OK
|| *outsize
> maxsize
) {
371 /* this should NEVER happen, and implies memory corruption */
372 fprintf(stderr
, "internal error - compression failed: %d\n", r
);
380 #define ERROR(format, ...) \
382 snprintf(errstr, errstrsize, format, __VA_ARGS__); \
386 /* Loads a Sansa AMS Original Firmware file into memory */
387 unsigned char* load_of_file(
388 char* filename
, off_t
* bufsize
, struct md5sums
*sum
,
389 int* firmware_size
, unsigned char** of_packed
,
390 int* of_packedsize
, char* errstr
, int errstrsize
)
393 unsigned char* buf
=NULL
;
398 unsigned int last_word
;
400 fd
= open(filename
, O_RDONLY
|O_BINARY
);
402 ERROR("[ERR] Could not open %s for reading\n", filename
);
404 *bufsize
= filesize(fd
);
406 buf
= malloc(*bufsize
);
408 ERROR("[ERR] Could not allocate memory for %s\n", filename
);
410 n
= read(fd
, buf
, *bufsize
);
413 ERROR("[ERR] Could not read file %s\n", filename
);
417 /* Calculate MD5 checksum of OF */
418 calc_MD5(buf
, *bufsize
, sum
->md5
);
420 while ((i
< NUM_MD5S
) && (strcmp(sansasums
[i
].md5
, sum
->md5
) != 0))
426 int fw_version
= (get_uint32le(&buf
[0x204]) == 0x0000f000) ? 2 : 1;
427 model_id
= buf
[(fw_version
== 2) ? 0x219 : 0x215];
428 sum
->model
= get_model(model_id
);
430 if (sum
->model
== MODEL_UNKNOWN
)
431 ERROR("[ERR] Unknown firmware model (v%d) - model id 0x%02x\n",
432 fw_version
, model_id
);
434 #if 1 /* comment to test new OFs */
435 char tested_versions
[100];
436 tested_versions
[0] = '\0';
438 for (i
= 0; i
< NUM_MD5S
; i
++)
439 if (sansasums
[i
].model
== sum
->model
) {
440 if (tested_versions
[0] != '\0') {
441 strncat(tested_versions
, ", ",
442 sizeof(tested_versions
) - strlen(tested_versions
) - 1);
444 strncat(tested_versions
, sansasums
[i
].version
,
445 sizeof(tested_versions
) - strlen(tested_versions
) - 1);
448 ERROR("[ERR] Original firmware unknown, please try an other version." \
449 " Tested %s versions are : %s\n",
450 model_names
[sum
->model
], tested_versions
);
454 /* TODO: Do some more sanity checks on the OF image. Some images (like
455 m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */
456 last_word
= *bufsize
- 4;
457 checksum
= get_uint32le(buf
+ last_word
);
458 if (checksum
!= 0xefbeadde && checksum
!= calc_checksum(buf
, last_word
))
459 ERROR("%s", "[ERR] Whole file checksum failed\n");
461 if (bootloaders
[sum
->model
] == NULL
)
462 ERROR("[ERR] Unsupported model - \"%s\"\n", model_names
[sum
->model
]);
464 /* Get the firmware size */
465 if (fw_revisions
[sum
->model
] == 1)
466 *firmware_size
= get_uint32le(&buf
[0x0c]);
467 else if (fw_revisions
[sum
->model
] == 2)
468 *firmware_size
= get_uint32le(&buf
[0x10]);
470 /* Compress the original firmware image */
471 *of_packed
= uclpack(buf
+ 0x400, *firmware_size
, of_packedsize
);
472 if (*of_packed
== NULL
)
473 ERROR("[ERR] Could not compress %s\n", filename
);
482 /* Loads a rockbox bootloader file into memory */
483 unsigned char* load_rockbox_file(
484 char* filename
, int model
, int* bufsize
, int* rb_packedsize
,
485 char* errstr
, int errstrsize
)
488 unsigned char* buf
= NULL
;
489 unsigned char* packed
= NULL
;
490 unsigned char header
[8];
495 fd
= open(filename
, O_RDONLY
|O_BINARY
);
497 ERROR("[ERR] Could not open %s for reading\n", filename
);
499 /* Read Rockbox header */
500 n
= read(fd
, header
, sizeof(header
));
501 if (n
!= sizeof(header
))
502 ERROR("[ERR] Could not read file %s\n", filename
);
504 /* Check for correct model string */
505 if (memcmp(rb_model_names
[model
], header
+ 4, 4)!=0)
506 ERROR("[ERR] Expected model name \"%s\" in %s, not \"%4.4s\"\n",
507 rb_model_names
[model
], filename
, (char*)header
+4);
509 *bufsize
= filesize(fd
) - sizeof(header
);
511 buf
= malloc(*bufsize
);
513 ERROR("[ERR] Could not allocate memory for %s\n", filename
);
515 n
= read(fd
, buf
, *bufsize
);
518 ERROR("[ERR] Could not read file %s\n", filename
);
521 sum
= rb_model_num
[model
];
522 for (i
= 0; i
< *bufsize
; i
++) {
523 /* add 8 unsigned bits but keep a 32 bit sum */
527 if (sum
!= get_uint32be(header
))
528 ERROR("[ERR] Checksum mismatch in %s\n", filename
);
530 packed
= uclpack(buf
, *bufsize
, rb_packedsize
);
532 ERROR("[ERR] Could not compress %s\n", filename
);
544 /* Patches a Sansa AMS Original Firmware file */
546 int model
, int fw_revision
, int firmware_size
, unsigned char* buf
,
547 int len
, unsigned char* of_packed
, int of_packedsize
,
548 unsigned char* rb_packed
, int rb_packedsize
)
551 uint32_t sum
, filesum
;
555 /* Zero the original firmware area - not needed, but helps debugging */
556 memset(buf
+ 0x400, 0, firmware_size
);
558 /* Insert dual-boot bootloader at offset 0 */
559 memcpy(buf
+ 0x400, bootloaders
[model
], bootloader_sizes
[model
]);
561 /* We are filling the firmware buffer backwards from the end */
562 p
= buf
+ 0x400 + firmware_size
;
564 /* 1 - UCL unpack function */
565 p
-= sizeof(nrv2e_d8
);
566 memcpy(p
, nrv2e_d8
, sizeof(nrv2e_d8
));
568 /* 2 - Compressed copy of original firmware */
570 memcpy(p
, of_packed
, of_packedsize
);
572 /* 3 - Compressed copy of Rockbox bootloader */
574 memcpy(p
, rb_packed
, rb_packedsize
);
576 /* Write the locations of the various images to the variables at the
577 start of the dualboot image - we save the location of the last byte
578 in each image, along with the size in bytes */
580 /* UCL unpack function */
581 put_uint32le(&buf
[0x420], firmware_size
- 1);
582 put_uint32le(&buf
[0x424], sizeof(nrv2e_d8
));
584 /* Compressed original firmware image */
585 put_uint32le(&buf
[0x428], firmware_size
- sizeof(nrv2e_d8
) - 1);
586 put_uint32le(&buf
[0x42c], of_packedsize
);
588 /* Compressed Rockbox image */
589 put_uint32le(&buf
[0x430], firmware_size
- sizeof(nrv2e_d8
) - of_packedsize
591 put_uint32le(&buf
[0x434], rb_packedsize
);
593 ucl_dest
= model_memory_size(model
) - 1; /* last byte of memory */
594 put_uint32le(&buf
[0x438], ucl_dest
);
596 /* Update the firmware block checksum */
597 sum
= calc_checksum(buf
+ 0x400, firmware_size
);
599 if (fw_revision
== 1) {
600 put_uint32le(&buf
[0x04], sum
);
601 put_uint32le(&buf
[0x204], sum
);
602 } else if (fw_revision
== 2) {
603 put_uint32le(&buf
[0x08], sum
);
604 put_uint32le(&buf
[0x208], sum
);
606 /* Update the header checksums */
607 put_uint32le(&buf
[0x1fc], calc_checksum(buf
, 0x1fc));
608 put_uint32le(&buf
[0x3fc], calc_checksum(buf
+ 0x200, 0x1fc));
611 /* Update the whole-file checksum */
613 for (i
=0;i
< (unsigned)len
- 4; i
+=4)
614 filesum
+= get_uint32le(&buf
[i
]);
616 put_uint32le(buf
+ len
- 4, filesum
);
619 /* returns != 0 if the firmware can be safely patched */
620 int check_sizes(int model
, int rb_packed_size
, int rb_unpacked_size
,
621 int of_packed_size
, int of_unpacked_size
, int *total_size
,
622 char *errstr
, int errstrsize
)
624 unsigned int packed_size
= bootloader_sizes
[model
] + sizeof(nrv2e_d8
) +
625 of_packed_size
+ rb_packed_size
;
627 /* how much memory is available */
628 unsigned int memory_size
= model_memory_size(model
);
630 /* the memory used when unpacking the OF */
631 unsigned int ram_of
= sizeof(nrv2e_d8
) + of_packed_size
+ of_unpacked_size
;
633 /* the memory used when unpacking the bootloader */
634 unsigned int ram_rb
= sizeof(nrv2e_d8
) + rb_packed_size
+ rb_unpacked_size
;
636 *total_size
= packed_size
;
638 #define ERROR(format, ...) \
640 snprintf(errstr, errstrsize, format, __VA_ARGS__); \
644 /* will packed data fit in the OF file ? */
645 if(packed_size
> of_unpacked_size
)
647 "[ERR] Packed data (%d bytes) doesn't fit in the firmware "
648 "(%d bytes)\n", packed_size
, of_unpacked_size
651 else if(ram_rb
> memory_size
)
652 ERROR("[ERR] Rockbox can't be unpacked at runtime, needs %d bytes "
653 "of memory and only %d available\n", ram_rb
, memory_size
656 else if(ram_of
> memory_size
)
657 ERROR("[ERR] OF can't be unpacked at runtime, needs %d bytes "
658 "of memory and only %d available\n", ram_of
, memory_size