search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix reds and yellows. The targets that showed have more that just #define (like inlin...
[kugel-rb.git] / rbutil / mkamsboot / mkamsboot.c
blob9c7f3ba8e37ae98d7d6a43faeceeb704d130060b
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * mkamsboot.c - a tool for merging bootloader code into an Sansa V2
11 * (AMS) firmware file
12 *
13 * Copyright (C) 2008 Dave Chapman
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ****************************************************************************/
24
25 /*
26
27 Insert a Rockbox bootloader into an AMS original firmware file.
28
29 We replace the main firmware block (bytes 0x400..0x400+firmware_size)
30 as follows:
31
32
33 ---------------------- 0x0
34 | |
35 | Dual-boot code |
36 | |
37 |----------------------|
38 | EMPTY SPACE |
39 |----------------------|
40 | |
41 | compressed RB image |
42 | |
43 |----------------------|
44 | |
45 | compressed OF image |
46 | |
47 |----------------------|
48 | UCL unpack function |
49 ----------------------
50
51 This entire block fits into the space previously occupied by the main
52 firmware block - the space saved by compressing the OF image is used
53 to store the compressed version of the Rockbox bootloader. The OF
54 image is typically about 120KB, which allows us to store a Rockbox
55 bootloader with an uncompressed size of about 60KB-70KB.
56
57 mkamsboot then corrects the checksums and writes a new legal firmware
58 file which can be installed on the device.
59
60 When the Sansa device boots, this firmware block is loaded to RAM at
61 address 0x0 and executed.
62
63 Firstly, the dual-boot code will copy the UCL unpack function to the
64 end of RAM.
65
66 Then, depending on the detection of the dual-boot keypress, either the
67 OF image or the Rockbox image is copied to the end of RAM (just before
68 the ucl unpack function) and uncompress it to the start of RAM.
69
70 Finally, the ucl unpack function branches to address 0x0, passing
71 execution to the uncompressed firmware.
72
73
74 */
75
76
77 #include <stdio.h>
78 #include <stdlib.h>
79 #include <stdint.h>
80 #include <sys/types.h>
81 #include <sys/stat.h>
82 #include <fcntl.h>
83 #include <unistd.h>
84 #include <string.h>
85
86 #include <ucl/ucl.h>
87
88 /* Headers for ARM code binaries */
89 #include "nrv2e_d8.h"
90 #include "md5.h"
91
92 #include "dualboot_clip.h"
93 #include "dualboot_e200v2.h"
94 #include "dualboot_fuze.h"
95 #include "dualboot_m200v4.h"
96 #include "dualboot_c200v2.h"
97
98 /* Win32 compatibility */
99 #ifndef O_BINARY
100 #define O_BINARY 0
101 #endif
102
103 #ifndef VERSION
104 #define VERSION "0.1"
105 #endif
106
107 enum
108 {
109 MODEL_UNKNOWN = -1,
110 MODEL_FUZE = 0,
111 MODEL_CLIP,
112 MODEL_CLIPV2,
113 MODEL_E200V2,
114 MODEL_M200V4,
115 MODEL_C200V2,
116 };
117
118 static const char* model_names[] =
119 {
120 "Fuze",
121 "Clip",
122 "Clip V2",
123 "e200 v2",
124 "m200 v4",
125 "c200 v2"
126 };
127
128 static const unsigned char* bootloaders[] =
129 {
130 dualboot_fuze,
131 dualboot_clip,
132 NULL,
133 dualboot_e200v2,
134 dualboot_m200v4,
135 dualboot_c200v2,
136 };
137
138 static const int bootloader_sizes[] =
139 {
140 sizeof(dualboot_fuze),
141 sizeof(dualboot_clip),
142 0,
143 sizeof(dualboot_e200v2),
144 sizeof(dualboot_m200v4),
145 sizeof(dualboot_c200v2),
146 };
147
148 /* Model names used in the Rockbox header in ".sansa" files - these match the
149 -add parameter to the "scramble" tool */
150 static const char* rb_model_names[] =
151 {
152 "fuze",
153 "clip",
154 NULL,
155 "e2v2",
156 "m2v4",
157 "c2v2",
158 };
159
160 /* Model numbers used to initialise the checksum in the Rockbox header in
161 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
162 static const int rb_model_num[] =
163 {
164 43,
165 40,
166 0,
167 41,
168 42,
169 44
170 };
171
172 struct md5sums {
173 int model;
174 char *version;
175 int fw_version;
176 char *md5;
177 };
178
179 /* Checksums of unmodified original firmwares - for safety, and device
180 detection */
181 static struct md5sums sansasums[] = {
182 /* NOTE: Different regional versions of the firmware normally only
183 differ in the filename - the md5sums are identical */
184 { MODEL_E200V2, "3.01.11", 1, "e622ca8cb6df423f54b8b39628a1f0a3" },
185 { MODEL_E200V2, "3.01.14", 1, "2c1d0383fc3584b2cc83ba8cc2243af6" },
186 { MODEL_E200V2, "3.01.16", 1, "12563ad71b25a1034cf2092d1e0218c4" },
187
188 { MODEL_FUZE, "1.01.11", 1, "cac8ffa03c599330ac02c4d41de66166" },
189 { MODEL_FUZE, "1.01.15", 1, "df0e2c1612727f722c19a3c764cff7f2" },
190 { MODEL_FUZE, "1.01.22", 1, "5aff5486fe8dd64239cc71eac470af98" },
191 { MODEL_FUZE, "1.02.26", 1, "7c632c479461c48c8833baed74eb5e4f" },
192
193 { MODEL_C200V2, "3.02.05", 1, "b6378ebd720b0ade3fad4dc7ab61c1a5" },
194
195 { MODEL_M200V4, "4.00.45", 1, "82e3194310d1514e3bbcd06e84c4add3" },
196 { MODEL_M200V4, "4.01.08-A", 1, "fc9dd6116001b3e6a150b898f1b091f0" },
197 { MODEL_M200V4, "4.01.08-E", 1, "d3fb7d8ec8624ee65bc99f8dab0e2369" },
198
199 { MODEL_CLIP, "1.01.17", 1, "12caad785d506219d73f538772afd99e" },
200 { MODEL_CLIP, "1.01.18", 1, "d720b266bd5afa38a198986ef0508a45" },
201 { MODEL_CLIP, "1.01.20", 1, "236d8f75189f468462c03f6d292cf2ac" },
202 { MODEL_CLIP, "1.01.29", 1, "c12711342169c66e209540cd1f27cd26" },
203 { MODEL_CLIP, "1.01.30", 1, "f2974d47c536549c9d8259170f1dbe4d" },
204 { MODEL_CLIP, "1.01.32", 1, "d835d12342500732ffb9c4ee54abec15" },
205 };
206
207 #define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0]))
208
209 static off_t filesize(int fd) {
210 struct stat buf;
211
212 if (fstat(fd,&buf) < 0) {
213 perror("[ERR] Checking filesize of input file");
214 return -1;
215 } else {
216 return(buf.st_size);
217 }
218 }
219
220 static uint32_t get_uint32le(unsigned char* p)
221 {
222 return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
223 }
224
225 static uint32_t get_uint32be(unsigned char* p)
226 {
227 return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
228 }
229
230 static void put_uint32le(unsigned char* p, uint32_t x)
231 {
232 p[0] = x & 0xff;
233 p[1] = (x >> 8) & 0xff;
234 p[2] = (x >> 16) & 0xff;
235 p[3] = (x >> 24) & 0xff;
236 }
237
238 void calc_MD5(unsigned char* buf, int len, char *md5str)
239 {
240 int i;
241 md5_context ctx;
242 unsigned char md5sum[16];
243
244 md5_starts(&ctx);
245 md5_update(&ctx, buf, len);
246 md5_finish(&ctx, md5sum);
247
248 for (i = 0; i < 16; ++i)
249 sprintf(md5str + 2*i, "%02x", md5sum[i]);
250 }
251
252
253 static uint32_t calc_checksum(unsigned char* buf, uint32_t n)
254 {
255 uint32_t sum = 0;
256 uint32_t i;
257
258 for (i=0;i<n;i+=4)
259 sum += get_uint32le(buf + i);
260
261 return sum;
262 }
263
264 static int get_model(int model_id)
265 {
266 switch(model_id)
267 {
268 case 0x1e:
269 return MODEL_FUZE;
270 case 0x22:
271 return MODEL_CLIP;
272 case 0x23:
273 return MODEL_C200V2;
274 case 0x24:
275 return MODEL_E200V2;
276 case 0x25:
277 return MODEL_M200V4;
278 case 0x27:
279 return MODEL_CLIPV2;
280 }
281
282 return MODEL_UNKNOWN;
283 }
284
285
286 static unsigned char* uclpack(unsigned char* inbuf, int insize, int* outsize)
287 {
288 int maxsize;
289 unsigned char* outbuf;
290 int r;
291
292 /* The following formula comes from the UCL documentation */
293 maxsize = insize + (insize / 8) + 256;
294
295 /* Allocate some memory for the output buffer */
296 outbuf = malloc(maxsize);
297
298 if (outbuf == NULL) {
299 return NULL;
300 }
301
302 r = ucl_nrv2e_99_compress(
303 (const ucl_bytep) inbuf,
304 (ucl_uint) insize,
305 (ucl_bytep) outbuf,
306 (ucl_uintp) outsize,
307 0, 10, NULL, NULL);
308
309 if (r != UCL_E_OK || *outsize > maxsize)
310 {
311 /* this should NEVER happen, and implies memory corruption */
312 fprintf(stderr, "internal error - compression failed: %d\n", r);
313 free(outbuf);
314 return NULL;
315 }
316
317 return outbuf;
318 }
319
320 static unsigned char* load_file(char* filename, off_t* bufsize)
321 {
322 int fd;
323 unsigned char* buf;
324 off_t n;
325
326 fd = open(filename, O_RDONLY|O_BINARY);
327 if (fd < 0)
328 {
329 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
330 return NULL;
331 }
332
333 *bufsize = filesize(fd);
334
335 buf = malloc(*bufsize);
336 if (buf == NULL) {
337 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
338 return NULL;
339 }
340
341 n = read(fd, buf, *bufsize);
342
343 if (n != *bufsize) {
344 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
345 return NULL;
346 }
347
348 return buf;
349 }
350
351
352 static unsigned char* load_rockbox_file(char* filename, int model, off_t* bufsize)
353 {
354 int fd;
355 unsigned char* buf;
356 unsigned char header[8];
357 uint32_t sum;
358 off_t n;
359 int i;
360
361 fd = open(filename, O_RDONLY|O_BINARY);
362 if (fd < 0)
363 {
364 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
365 return NULL;
366 }
367
368 /* Read Rockbox header */
369 n = read(fd, header, sizeof(header));
370 if (n != sizeof(header)) {
371 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
372 return NULL;
373 }
374
375 /* Check for correct model string */
376 if (memcmp(rb_model_names[model],header + 4,4)!=0) {
377 fprintf(stderr,"[ERR] Model name \"%s\" not found in %s\n",
378 rb_model_names[model],filename);
379 }
380
381 *bufsize = filesize(fd) - sizeof(header);
382
383 buf = malloc(*bufsize);
384 if (buf == NULL) {
385 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
386 return NULL;
387 }
388
389 n = read(fd, buf, *bufsize);
390
391 if (n != *bufsize) {
392 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
393 return NULL;
394 }
395
396 /* Check checksum */
397 sum = rb_model_num[model];
398 for (i = 0; i < *bufsize; i++) {
399 /* add 8 unsigned bits but keep a 32 bit sum */
400 sum += buf[i];
401 }
402
403 if (sum != get_uint32be(header)) {
404 fprintf(stderr,"[ERR] Checksum mismatch in %s\n",filename);
405 return NULL;
406 }
407 return buf;
408 }
409
410
411 int main(int argc, char* argv[])
412 {
413 char *infile, *bootfile, *outfile;
414 int fdout;
415 off_t len;
416 uint32_t n;
417 unsigned char* buf;
418 int firmware_size;
419 off_t bootloader_size;
420 uint32_t sum,filesum;
421 uint8_t model_id;
422 int model;
423 uint32_t i;
424 unsigned char* of_packed;
425 int of_packedsize;
426 unsigned char* rb_unpacked;
427 unsigned char* rb_packed;
428 int rb_packedsize;
429 int fw_version;
430 int totalsize;
431 unsigned char* p;
432 uint32_t checksum;
433 char md5sum[33]; /* 32 hex digits, plus terminating zero */
434
435 fprintf(stderr,"mkamsboot v" VERSION " - (C) Dave Chapman and Rafaël Carré 2008\n");
436 fprintf(stderr,"This is free software; see the source for copying conditions. There is NO\n");
437 fprintf(stderr,"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
438
439 if(argc != 4) {
440 printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n\n");
441 return 1;
442 }
443
444 infile = argv[1];
445 bootfile = argv[2];
446 outfile = argv[3];
447
448 /* Load original firmware file */
449 buf = load_file(infile, &len);
450
451 if (buf == NULL) {
452 fprintf(stderr,"[ERR] Could not load %s\n",infile);
453 return 1;
454 }
455
456 /* Calculate MD5 checksum of OF */
457 calc_MD5(buf, len, md5sum);
458
459 fprintf(stderr,"[INFO] MD5 sum - %s\n",md5sum);
460
461 i = 0;
462 while ((i < NUM_MD5S) && (strcmp(sansasums[i].md5, md5sum) != 0))
463 i++;
464
465 if (i < NUM_MD5S) {
466 model = sansasums[i].model;
467 fw_version = sansasums[i].fw_version;
468 fprintf(stderr,"[INFO] Original firmware MD5 checksum match - %s %s\n",
469 model_names[model], sansasums[i].version);
470 } else {
471 fprintf(stderr,"[WARN] ****** Original firmware unknown ******\n");
472
473 if (get_uint32le(&buf[0x204])==0x0000f000) {
474 fw_version = 2;
475 model_id = buf[0x219];
476 } else {
477 fw_version = 1;
478 model_id = buf[0x215];
479 }
480
481 model = get_model(model_id);
482
483 if (model == MODEL_UNKNOWN) {
484 fprintf(stderr,"[ERR] Unknown firmware - model id 0x%02x\n",
485 model_id);
486 free(buf);
487 return 1;
488 }
489 }
490
491
492 /* TODO: Do some more sanity checks on the OF image. Some images (like
493 m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */
494 checksum = get_uint32le(buf + len - 4);
495 if (checksum != 0xefbeadde && checksum != calc_checksum(buf, len - 4)) {
496
497 fprintf(stderr,"[ERR] Whole file checksum failed - %s\n",infile);
498 free(buf);
499 return 1;
500 }
501
502 if (bootloaders[model] == NULL) {
503 fprintf(stderr,"[ERR] Unsupported model - \"%s\"\n",model_names[model]);
504 free(buf);
505 return 1;
506 }
507
508 /* Load bootloader file */
509 rb_unpacked = load_rockbox_file(bootfile, model, &bootloader_size);
510 if (rb_unpacked == NULL) {
511 fprintf(stderr,"[ERR] Could not load %s\n",bootfile);
512 free(buf);
513 return 1;
514 }
515
516 printf("[INFO] Patching %s firmware\n",model_names[model]);
517
518 /* Get the firmware size */
519 firmware_size = get_uint32le(&buf[0x0c]);
520
521 /* Compress the original firmware image */
522 of_packed = uclpack(buf + 0x400, firmware_size, &of_packedsize);
523 if (of_packed == NULL) {
524 fprintf(stderr,"[ERR] Could not compress original firmware\n");
525 free(buf);
526 free(rb_unpacked);
527 return 1;
528 }
529
530 rb_packed = uclpack(rb_unpacked, bootloader_size, &rb_packedsize);
531 if (rb_packed == NULL) {
532 fprintf(stderr,"[ERR] Could not compress %s\n",bootfile);
533 free(buf);
534 free(rb_unpacked);
535 free(of_packed);
536 return 1;
537 }
538
539 /* We are finished with the unpacked version of the bootloader */
540 free(rb_unpacked);
541
542 fprintf(stderr,"[INFO] Original firmware size: %d bytes\n",firmware_size);
543 fprintf(stderr,"[INFO] Packed OF size: %d bytes\n",of_packedsize);
544 fprintf(stderr,"[INFO] Bootloader size: %d bytes\n",(int)bootloader_size);
545 fprintf(stderr,"[INFO] Packed bootloader size: %d bytes\n",rb_packedsize);
546 fprintf(stderr,"[INFO] Dual-boot function size: %d bytes\n",bootloader_sizes[model]);
547 fprintf(stderr,"[INFO] UCL unpack function size: %d bytes\n",sizeof(nrv2e_d8));
548
549 totalsize = bootloader_sizes[model] + sizeof(nrv2e_d8) + of_packedsize +
550 rb_packedsize;
551
552 fprintf(stderr,"[INFO] Total size of new image: %d bytes\n",totalsize);
553
554 if (totalsize > firmware_size) {
555 fprintf(stderr,"[ERR] No room to insert bootloader, aborting\n");
556 free(buf);
557 free(rb_unpacked);
558 free(of_packed);
559 return 1;
560 }
561
562 /* Zero the original firmware area - not needed, but helps debugging */
563 memset(buf + 0x400, 0, firmware_size);
564
565
566 /* Insert dual-boot bootloader at offset 0 */
567 memcpy(buf + 0x400, bootloaders[model], bootloader_sizes[model]);
568
569 /* We are filling the firmware buffer backwards from the end */
570 p = buf + 0x400 + firmware_size;
571
572 /* 1 - UCL unpack function */
573 p -= sizeof(nrv2e_d8);
574 memcpy(p, nrv2e_d8, sizeof(nrv2e_d8));
575
576 /* 2 - Compressed copy of original firmware */
577 p -= of_packedsize;
578 memcpy(p, of_packed, of_packedsize);
579
580 /* 3 - Compressed copy of Rockbox bootloader */
581 p -= rb_packedsize;
582 memcpy(p, rb_packed, rb_packedsize);
583
584 /* Write the locations of the various images to the variables at the
585 start of the dualboot image - we save the location of the last byte
586 in each image, along with the size in bytes */
587
588 /* UCL unpack function */
589 put_uint32le(&buf[0x420], firmware_size - 1);
590 put_uint32le(&buf[0x424], sizeof(nrv2e_d8));
591
592 /* Compressed original firmware image */
593 put_uint32le(&buf[0x428], firmware_size - sizeof(nrv2e_d8) - 1);
594 put_uint32le(&buf[0x42c], of_packedsize);
595
596 /* Compressed Rockbox image */
597 put_uint32le(&buf[0x430], firmware_size - sizeof(nrv2e_d8) - of_packedsize - 1);
598 put_uint32le(&buf[0x434], rb_packedsize);
599
600
601 /* Update the firmware block checksum */
602 sum = calc_checksum(buf + 0x400,firmware_size);
603
604 if (fw_version == 1) {
605 put_uint32le(&buf[0x04], sum);
606 put_uint32le(&buf[0x204], sum);
607 } else {
608 /* TODO: Verify that this is correct for the v2 firmware */
609
610 put_uint32le(&buf[0x08], sum);
611 put_uint32le(&buf[0x208], sum);
612
613 /* Update the header checksums */
614 put_uint32le(&buf[0x1fc], calc_checksum(buf, 0x1fc));
615 put_uint32le(&buf[0x3fc], calc_checksum(buf + 0x200, 0x1fc));
616 }
617
618 /* Update the whole-file checksum */
619 filesum = 0;
620 for (i=0;i < (unsigned)len - 4; i+=4)
621 filesum += get_uint32le(&buf[i]);
622
623 put_uint32le(buf + len - 4, filesum);
624
625
626 /* Write the new firmware */
627 fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
628
629 if (fdout < 0) {
630 fprintf(stderr,"[ERR] Could not open %s for writing\n",outfile);
631 return 1;
632 }
633
634 n = write(fdout, buf, len);
635
636 if (n != (unsigned)len) {
637 fprintf(stderr,"[ERR] Could not write firmware file\n");
638 return 1;
639 }
640
641 close(fdout);
642
643 fprintf(stderr," *****************************************************************************\n");
644 fprintf(stderr," *** THIS CODE IS UNTESTED - DO NOT USE IF YOU CAN NOT RECOVER YOUR DEVICE ***\n");
645 fprintf(stderr," *****************************************************************************\n");
646
647 return 0;
648
649 }
My public Rockbox git repo