1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * mkamsboot.c - a tool for merging bootloader code into an Sansa V2
13 * Copyright (C) 2008 Dave Chapman
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
23 ****************************************************************************/
27 Insert a Rockbox bootloader into an AMS original firmware file.
29 We replace the main firmware block (bytes 0x400..0x400+firmware_size)
33 ---------------------- 0x0
37 |----------------------|
39 |----------------------|
41 | compressed RB image |
43 |----------------------|
45 | compressed OF image |
47 |----------------------|
48 | UCL unpack function |
49 ----------------------
51 This entire block fits into the space previously occupied by the main
52 firmware block - the space saved by compressing the OF image is used
53 to store the compressed version of the Rockbox bootloader. The OF
54 image is typically about 120KB, which allows us to store a Rockbox
55 bootloader with an uncompressed size of about 60KB-70KB.
57 mkamsboot then corrects the checksums and writes a new legal firmware
58 file which can be installed on the device.
60 When the Sansa device boots, this firmware block is loaded to RAM at
61 address 0x0 and executed.
63 Firstly, the dual-boot code will copy the UCL unpack function to the
66 Then, depending on the detection of the dual-boot keypress, either the
67 OF image or the Rockbox image is copied to the end of RAM (just before
68 the ucl unpack function) and uncompress it to the start of RAM.
70 Finally, the ucl unpack function branches to address 0x0, passing
71 execution to the uncompressed firmware.
80 #include <sys/types.h>
88 /* Headers for ARM code binaries */
92 #include "dualboot_clip.h"
93 #include "dualboot_e200v2.h"
94 #include "dualboot_fuze.h"
95 #include "dualboot_m200v4.h"
96 #include "dualboot_c200v2.h"
98 /* Win32 compatibility */
104 #define VERSION "0.1"
118 static const char* model_names
[] =
128 static const unsigned char* bootloaders
[] =
138 static const int bootloader_sizes
[] =
140 sizeof(dualboot_fuze
),
141 sizeof(dualboot_clip
),
143 sizeof(dualboot_e200v2
),
144 sizeof(dualboot_m200v4
),
145 sizeof(dualboot_c200v2
),
148 /* Model names used in the Rockbox header in ".sansa" files - these match the
149 -add parameter to the "scramble" tool */
150 static const char* rb_model_names
[] =
160 /* Model numbers used to initialise the checksum in the Rockbox header in
161 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
162 static const int rb_model_num
[] =
179 /* Checksums of unmodified original firmwares - for safety, and device
181 static struct md5sums sansasums
[] = {
182 /* NOTE: Different regional versions of the firmware normally only
183 differ in the filename - the md5sums are identical */
184 { MODEL_E200V2
, "3.01.11", 1, "e622ca8cb6df423f54b8b39628a1f0a3" },
185 { MODEL_E200V2
, "3.01.14", 1, "2c1d0383fc3584b2cc83ba8cc2243af6" },
186 { MODEL_E200V2
, "3.01.16", 1, "12563ad71b25a1034cf2092d1e0218c4" },
188 { MODEL_FUZE
, "1.01.11", 1, "cac8ffa03c599330ac02c4d41de66166" },
189 { MODEL_FUZE
, "1.01.15", 1, "df0e2c1612727f722c19a3c764cff7f2" },
190 { MODEL_FUZE
, "1.01.22", 1, "5aff5486fe8dd64239cc71eac470af98" },
191 { MODEL_FUZE
, "1.02.26", 1, "7c632c479461c48c8833baed74eb5e4f" },
193 { MODEL_C200V2
, "3.02.05", 1, "b6378ebd720b0ade3fad4dc7ab61c1a5" },
195 { MODEL_M200V4
, "4.00.45", 1, "82e3194310d1514e3bbcd06e84c4add3" },
196 { MODEL_M200V4
, "4.01.08-A", 1, "fc9dd6116001b3e6a150b898f1b091f0" },
197 { MODEL_M200V4
, "4.01.08-E", 1, "d3fb7d8ec8624ee65bc99f8dab0e2369" },
199 { MODEL_CLIP
, "1.01.17", 1, "12caad785d506219d73f538772afd99e" },
200 { MODEL_CLIP
, "1.01.18", 1, "d720b266bd5afa38a198986ef0508a45" },
201 { MODEL_CLIP
, "1.01.20", 1, "236d8f75189f468462c03f6d292cf2ac" },
202 { MODEL_CLIP
, "1.01.29", 1, "c12711342169c66e209540cd1f27cd26" },
203 { MODEL_CLIP
, "1.01.30", 1, "f2974d47c536549c9d8259170f1dbe4d" },
204 { MODEL_CLIP
, "1.01.32", 1, "d835d12342500732ffb9c4ee54abec15" },
207 #define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0]))
209 static off_t
filesize(int fd
) {
212 if (fstat(fd
,&buf
) < 0) {
213 perror("[ERR] Checking filesize of input file");
220 static uint32_t get_uint32le(unsigned char* p
)
222 return p
[0] | (p
[1] << 8) | (p
[2] << 16) | (p
[3] << 24);
225 static uint32_t get_uint32be(unsigned char* p
)
227 return (p
[0] << 24) | (p
[1] << 16) | (p
[2] << 8) | p
[3];
230 static void put_uint32le(unsigned char* p
, uint32_t x
)
233 p
[1] = (x
>> 8) & 0xff;
234 p
[2] = (x
>> 16) & 0xff;
235 p
[3] = (x
>> 24) & 0xff;
238 void calc_MD5(unsigned char* buf
, int len
, char *md5str
)
242 unsigned char md5sum
[16];
245 md5_update(&ctx
, buf
, len
);
246 md5_finish(&ctx
, md5sum
);
248 for (i
= 0; i
< 16; ++i
)
249 sprintf(md5str
+ 2*i
, "%02x", md5sum
[i
]);
253 static uint32_t calc_checksum(unsigned char* buf
, uint32_t n
)
259 sum
+= get_uint32le(buf
+ i
);
264 static int get_model(int model_id
)
282 return MODEL_UNKNOWN
;
286 static unsigned char* uclpack(unsigned char* inbuf
, int insize
, int* outsize
)
289 unsigned char* outbuf
;
292 /* The following formula comes from the UCL documentation */
293 maxsize
= insize
+ (insize
/ 8) + 256;
295 /* Allocate some memory for the output buffer */
296 outbuf
= malloc(maxsize
);
298 if (outbuf
== NULL
) {
302 r
= ucl_nrv2e_99_compress(
303 (const ucl_bytep
) inbuf
,
309 if (r
!= UCL_E_OK
|| *outsize
> maxsize
)
311 /* this should NEVER happen, and implies memory corruption */
312 fprintf(stderr
, "internal error - compression failed: %d\n", r
);
320 static unsigned char* load_file(char* filename
, off_t
* bufsize
)
326 fd
= open(filename
, O_RDONLY
|O_BINARY
);
329 fprintf(stderr
,"[ERR] Could not open %s for reading\n",filename
);
333 *bufsize
= filesize(fd
);
335 buf
= malloc(*bufsize
);
337 fprintf(stderr
,"[ERR] Could not allocate memory for %s\n",filename
);
341 n
= read(fd
, buf
, *bufsize
);
344 fprintf(stderr
,"[ERR] Could not read file %s\n",filename
);
352 static unsigned char* load_rockbox_file(char* filename
, int model
, off_t
* bufsize
)
356 unsigned char header
[8];
361 fd
= open(filename
, O_RDONLY
|O_BINARY
);
364 fprintf(stderr
,"[ERR] Could not open %s for reading\n",filename
);
368 /* Read Rockbox header */
369 n
= read(fd
, header
, sizeof(header
));
370 if (n
!= sizeof(header
)) {
371 fprintf(stderr
,"[ERR] Could not read file %s\n",filename
);
375 /* Check for correct model string */
376 if (memcmp(rb_model_names
[model
],header
+ 4,4)!=0) {
377 fprintf(stderr
,"[ERR] Model name \"%s\" not found in %s\n",
378 rb_model_names
[model
],filename
);
381 *bufsize
= filesize(fd
) - sizeof(header
);
383 buf
= malloc(*bufsize
);
385 fprintf(stderr
,"[ERR] Could not allocate memory for %s\n",filename
);
389 n
= read(fd
, buf
, *bufsize
);
392 fprintf(stderr
,"[ERR] Could not read file %s\n",filename
);
397 sum
= rb_model_num
[model
];
398 for (i
= 0; i
< *bufsize
; i
++) {
399 /* add 8 unsigned bits but keep a 32 bit sum */
403 if (sum
!= get_uint32be(header
)) {
404 fprintf(stderr
,"[ERR] Checksum mismatch in %s\n",filename
);
411 int main(int argc
, char* argv
[])
413 char *infile
, *bootfile
, *outfile
;
419 off_t bootloader_size
;
420 uint32_t sum
,filesum
;
424 unsigned char* of_packed
;
426 unsigned char* rb_unpacked
;
427 unsigned char* rb_packed
;
433 char md5sum
[33]; /* 32 hex digits, plus terminating zero */
435 fprintf(stderr
,"mkamsboot v" VERSION
" - (C) Dave Chapman and Rafaël Carré 2008\n");
436 fprintf(stderr
,"This is free software; see the source for copying conditions. There is NO\n");
437 fprintf(stderr
,"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
440 printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n\n");
448 /* Load original firmware file */
449 buf
= load_file(infile
, &len
);
452 fprintf(stderr
,"[ERR] Could not load %s\n",infile
);
456 /* Calculate MD5 checksum of OF */
457 calc_MD5(buf
, len
, md5sum
);
459 fprintf(stderr
,"[INFO] MD5 sum - %s\n",md5sum
);
462 while ((i
< NUM_MD5S
) && (strcmp(sansasums
[i
].md5
, md5sum
) != 0))
466 model
= sansasums
[i
].model
;
467 fw_version
= sansasums
[i
].fw_version
;
468 fprintf(stderr
,"[INFO] Original firmware MD5 checksum match - %s %s\n",
469 model_names
[model
], sansasums
[i
].version
);
471 fprintf(stderr
,"[WARN] ****** Original firmware unknown ******\n");
473 if (get_uint32le(&buf
[0x204])==0x0000f000) {
475 model_id
= buf
[0x219];
478 model_id
= buf
[0x215];
481 model
= get_model(model_id
);
483 if (model
== MODEL_UNKNOWN
) {
484 fprintf(stderr
,"[ERR] Unknown firmware - model id 0x%02x\n",
492 /* TODO: Do some more sanity checks on the OF image. Some images (like
493 m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */
494 checksum
= get_uint32le(buf
+ len
- 4);
495 if (checksum
!= 0xefbeadde && checksum
!= calc_checksum(buf
, len
- 4)) {
497 fprintf(stderr
,"[ERR] Whole file checksum failed - %s\n",infile
);
502 if (bootloaders
[model
] == NULL
) {
503 fprintf(stderr
,"[ERR] Unsupported model - \"%s\"\n",model_names
[model
]);
508 /* Load bootloader file */
509 rb_unpacked
= load_rockbox_file(bootfile
, model
, &bootloader_size
);
510 if (rb_unpacked
== NULL
) {
511 fprintf(stderr
,"[ERR] Could not load %s\n",bootfile
);
516 printf("[INFO] Patching %s firmware\n",model_names
[model
]);
518 /* Get the firmware size */
519 firmware_size
= get_uint32le(&buf
[0x0c]);
521 /* Compress the original firmware image */
522 of_packed
= uclpack(buf
+ 0x400, firmware_size
, &of_packedsize
);
523 if (of_packed
== NULL
) {
524 fprintf(stderr
,"[ERR] Could not compress original firmware\n");
530 rb_packed
= uclpack(rb_unpacked
, bootloader_size
, &rb_packedsize
);
531 if (rb_packed
== NULL
) {
532 fprintf(stderr
,"[ERR] Could not compress %s\n",bootfile
);
539 /* We are finished with the unpacked version of the bootloader */
542 fprintf(stderr
,"[INFO] Original firmware size: %d bytes\n",firmware_size
);
543 fprintf(stderr
,"[INFO] Packed OF size: %d bytes\n",of_packedsize
);
544 fprintf(stderr
,"[INFO] Bootloader size: %d bytes\n",(int)bootloader_size
);
545 fprintf(stderr
,"[INFO] Packed bootloader size: %d bytes\n",rb_packedsize
);
546 fprintf(stderr
,"[INFO] Dual-boot function size: %d bytes\n",bootloader_sizes
[model
]);
547 fprintf(stderr
,"[INFO] UCL unpack function size: %d bytes\n",sizeof(nrv2e_d8
));
549 totalsize
= bootloader_sizes
[model
] + sizeof(nrv2e_d8
) + of_packedsize
+
552 fprintf(stderr
,"[INFO] Total size of new image: %d bytes\n",totalsize
);
554 if (totalsize
> firmware_size
) {
555 fprintf(stderr
,"[ERR] No room to insert bootloader, aborting\n");
562 /* Zero the original firmware area - not needed, but helps debugging */
563 memset(buf
+ 0x400, 0, firmware_size
);
566 /* Insert dual-boot bootloader at offset 0 */
567 memcpy(buf
+ 0x400, bootloaders
[model
], bootloader_sizes
[model
]);
569 /* We are filling the firmware buffer backwards from the end */
570 p
= buf
+ 0x400 + firmware_size
;
572 /* 1 - UCL unpack function */
573 p
-= sizeof(nrv2e_d8
);
574 memcpy(p
, nrv2e_d8
, sizeof(nrv2e_d8
));
576 /* 2 - Compressed copy of original firmware */
578 memcpy(p
, of_packed
, of_packedsize
);
580 /* 3 - Compressed copy of Rockbox bootloader */
582 memcpy(p
, rb_packed
, rb_packedsize
);
584 /* Write the locations of the various images to the variables at the
585 start of the dualboot image - we save the location of the last byte
586 in each image, along with the size in bytes */
588 /* UCL unpack function */
589 put_uint32le(&buf
[0x420], firmware_size
- 1);
590 put_uint32le(&buf
[0x424], sizeof(nrv2e_d8
));
592 /* Compressed original firmware image */
593 put_uint32le(&buf
[0x428], firmware_size
- sizeof(nrv2e_d8
) - 1);
594 put_uint32le(&buf
[0x42c], of_packedsize
);
596 /* Compressed Rockbox image */
597 put_uint32le(&buf
[0x430], firmware_size
- sizeof(nrv2e_d8
) - of_packedsize
- 1);
598 put_uint32le(&buf
[0x434], rb_packedsize
);
601 /* Update the firmware block checksum */
602 sum
= calc_checksum(buf
+ 0x400,firmware_size
);
604 if (fw_version
== 1) {
605 put_uint32le(&buf
[0x04], sum
);
606 put_uint32le(&buf
[0x204], sum
);
608 /* TODO: Verify that this is correct for the v2 firmware */
610 put_uint32le(&buf
[0x08], sum
);
611 put_uint32le(&buf
[0x208], sum
);
613 /* Update the header checksums */
614 put_uint32le(&buf
[0x1fc], calc_checksum(buf
, 0x1fc));
615 put_uint32le(&buf
[0x3fc], calc_checksum(buf
+ 0x200, 0x1fc));
618 /* Update the whole-file checksum */
620 for (i
=0;i
< (unsigned)len
- 4; i
+=4)
621 filesum
+= get_uint32le(&buf
[i
]);
623 put_uint32le(buf
+ len
- 4, filesum
);
626 /* Write the new firmware */
627 fdout
= open(outfile
, O_CREAT
|O_TRUNC
|O_WRONLY
|O_BINARY
,0666);
630 fprintf(stderr
,"[ERR] Could not open %s for writing\n",outfile
);
634 n
= write(fdout
, buf
, len
);
636 if (n
!= (unsigned)len
) {
637 fprintf(stderr
,"[ERR] Could not write firmware file\n");
643 fprintf(stderr
," *****************************************************************************\n");
644 fprintf(stderr
," *** THIS CODE IS UNTESTED - DO NOT USE IF YOU CAN NOT RECOVER YOUR DEVICE ***\n");
645 fprintf(stderr
," *****************************************************************************\n");