1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2008 by Maurus Cuelenaere
12 * based on tcctool.c by Dave Chapman
14 * USB code based on ifp-line - http://ifp-driver.sourceforge.net
16 * ifp-line is (C) Pavel Kriz, Jun Yamishiro and Joe Roback and
17 * licensed under the GPL (v2)
20 * This program is free software; you can redistribute it and/or
21 * modify it under the terms of the GNU General Public License
22 * as published by the Free Software Foundation; either version 2
23 * of the License, or (at your option) any later version.
25 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
26 * KIND, either express or implied.
28 ****************************************************************************/
34 #include <sys/types.h>
44 #define MAX_FIRMWARESIZE (64*1024*1024) /* Arbitrary limit (for safety) */
46 /* For win32 compatibility: */
51 /* USB IDs for USB Boot Mode */
55 #define EP_BULK_TO 0x01
58 enum USB_JZ4740_REQUEST
107 enum DATA_STRUCTURE_OB
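/*
 * Return the size in bytes of the open stream `fd` and leave the stream
 * positioned at its start.
 *
 * Returns -1 when `fd` is NULL, when seeking or ftell() fails (for example
 * on a pipe), or when the size does not fit in an int. Callers feed the
 * result to malloc()/fread(), so a failure must stay distinguishable from a
 * real length.
 */
int filesize(FILE* fd)
{
    /* Largest value an int can hold, computed without needing <limits.h>. */
    const long int_max = (long)(~0U >> 1);
    long len;

    if (fd == NULL)
        return -1;

    if (fseek(fd, 0, SEEK_END) != 0)
        return -1;

    /* ftell() returns long; keep the full width until it has been checked. */
    len = ftell(fd);

    if (fseek(fd, 0, SEEK_SET) != 0)
        return -1;

    if (len < 0 || len > int_max)
        return -1;

    return (int)len;
}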
/*
 * USB transfer helpers. Each macro expands inside a function that already
 * has `dh` (the device handle) and `err` in scope, stores the libusb result
 * in `err` and prints to stderr on failure. Only the first line and the
 * fprintf() lines of each macro appear in this listing; the failure test and
 * whatever follows the message are not shown.
 *
 *  SEND_COMMAND(cmd, arg)  vendor control-OUT request `cmd` with no data
 *                          stage; `arg` is split into its upper 16 bits
 *                          (value) and lower 16 bits (index).
 *  GET_CPU_INFO(s)         vendor control-IN VR_GET_CPU_INFO, 8 bytes to `s`.
 *  SEND_DATA(ptr, size)    bulk write of `size` bytes to EP_BULK_TO.
 *  GET_DATA(ptr, size)     bulk read of `size` bytes from EP_BULK_TO.
 *
 * NOTE(review): GET_DATA calls usb_bulk_read() but reports "Error writing
 * data" / "Bulk write error"; the text looks copied from SEND_DATA and will
 * mislead anyone reading a failed read-back in a log.
 * NOTE(review): GET_CPU_INFO fills exactly 8 bytes and does not terminate
 * them; callers print the buffer with "%s", so it needs a ninth byte set to
 * '\0' - confirm at each call site.
 * NOTE(review): none of the macros bounds `size` against the destination;
 * callers with fixed-size buffers have to check it themselves.
 */
129 #define SEND_COMMAND(cmd, arg) err = usb_control_msg(dh, USB_ENDPOINT_OUT | USB_TYPE_VENDOR, (cmd), (arg)>>16, (arg)&0xFFFF, NULL, 0, TOUT);\
132 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
136 #define GET_CPU_INFO(s) err = usb_control_msg(dh, USB_ENDPOINT_IN | USB_TYPE_VENDOR, VR_GET_CPU_INFO, 0, 0, (s), 8, TOUT); \
139 fprintf(stderr,"\n[ERR] Error sending control message (%d, %s)\n", err, usb_strerror()); \
143 #define SEND_DATA(ptr, size) err = usb_bulk_write(dh, USB_ENDPOINT_OUT | EP_BULK_TO, ((char*)(ptr)), (size), TOUT); \
146 fprintf(stderr,"\n[ERR] Error writing data\n"); \
147 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
151 #define GET_DATA(ptr, size) err = usb_bulk_read(dh, USB_ENDPOINT_IN | EP_BULK_TO, ((char*)(ptr)), (size), TOUT); \
154 fprintf(stderr,"\n[ERR] Error writing data\n"); \
155 fprintf(stderr,"[ERR] Bulk write error (%d, %s)\n", err, strerror(-err)); \
/*
 * Upload `len` bytes from `p` to device address `address`, read them back
 * for comparison, then ask the boot ROM to start executing there
 * (VR_PROGRAM_START2 when `stage2` is set, VR_PROGRAM_START1 otherwise).
 *
 * Steps visible in this listing, in order: print the CPU info string, flush
 * caches, set the data address, send the data in a single transfer, set
 * address and length again, bulk-read into a malloc()ed `tmp_buf`, memcmp()
 * against `p`, send the start command. Several lines between these steps
 * are missing from the listing, so any condition guarding a step is not
 * visible here.
 *
 * NOTE(review): a read-back mismatch only prints a [WARN]; from the lines
 * shown the start command appears to be sent regardless, i.e. the device
 * would run an image that failed verification - confirm, and consider
 * returning an error instead.
 * NOTE(review): `len` is a signed int handed to malloc() and memcmp(); a
 * negative value converts to a huge size_t. main() bounds the upload size
 * with MAX_FIRMWARESIZE; confirm no caller can pass a negative length.
 */
159 int upload_app(usb_dev_handle
* dh
, int address
, unsigned char* p
, int len
, bool stage2
)
163 unsigned char* tmp_buf
;
165 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
168 fprintf(stderr
, "%s\n", buf
);
170 fprintf(stderr
, "[INFO] Flushing cache...");
171 SEND_COMMAND(VR_FLUSH_CACHES
, 0);
172 fprintf(stderr
, " Done!\n");
175 fprintf(stderr
, "[INFO] SET_DATA_ADDRESS to 0x%x...", address
);
176 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
177 fprintf(stderr
, " Done!\n");
179 fprintf(stderr
, "[INFO] Sending data...");
180 /* Must not split the file in several packages! */
182 fprintf(stderr
, " Done!\n");
184 fprintf(stderr
, "[INFO] Verifying data...");
185 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
186 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
187 tmp_buf
= malloc(len
);
190 fprintf(stderr
, "\n[ERR] Could not allocate memory.\n");
193 GET_DATA(tmp_buf
, len
);
194 if (memcmp(tmp_buf
, p
, len
) != 0)
195 fprintf(stderr
, "\n[WARN] Sent data isn't the same as received data...\n");
197 fprintf(stderr
, " Done!\n");
200 fprintf(stderr
, "[INFO] Booting device [STAGE%d]...", (stage2
? 2 : 1));
201 SEND_COMMAND((stage2
? VR_PROGRAM_START2
: VR_PROGRAM_START1
), address
);
202 fprintf(stderr
, " Done!\n");
/*
 * Read `len` bytes of device memory starting at `address` into `p`.
 *
 * The listing shows the CPU info printout and the VR_SET_DATA_ADDRESS /
 * VR_SET_DATA_LENGTH commands; the transfer itself falls on a line that is
 * not shown (presumably GET_DATA into `p` - confirm).
 *
 * NOTE(review): `p` must be able to hold `len` bytes; nothing visible here
 * checks that, so the caller's allocation and the `len` it passes have to
 * agree.
 */
207 int read_data(usb_dev_handle
* dh
, int address
, unsigned char *p
, int len
)
212 fprintf(stderr
, "[INFO] GET_CPU_INFO: ");
215 fprintf(stderr
, "%s\n", buf
);
217 fprintf(stderr
, "[INFO] Reading data...");
218 SEND_COMMAND(VR_SET_DATA_ADDRESS
, address
);
219 SEND_COMMAND(VR_SET_DATA_LENGTH
, len
);
221 fprintf(stderr
, " Done!\n");
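/*
 * Read a 1-, 2- or 4-byte device register at `address` and return its value.
 * The bytes received are assembled least-significant byte first.
 *
 * dh      - open device handle (used by the transfer macros)
 * address - device address of the register
 * size    - register width in bytes: 1, 2 or 4
 *
 * Returns the register value, or 0 for an unsupported `size`. The transfer
 * macros do their own error reporting.
 */
unsigned int read_reg(usb_dev_handle* dh, int address, int size)
{
    int err;
    unsigned char buf[4] = {0};

    /*
     * buf holds 4 bytes and the device is told to send `size` bytes into it,
     * so refuse any width the decoder below does not handle before starting
     * the transfer.
     */
    if (size != 1 && size != 2 && size != 4)
        return 0;

    SEND_COMMAND(VR_SET_DATA_ADDRESS, address);
    SEND_COMMAND(VR_SET_DATA_LENGTH, size);
    GET_DATA(buf, size);

    /*
     * Widen each byte to unsigned before shifting: `buf[3] << 24` on a
     * promoted int overflows when the top bit of the byte is set.
     */
    switch (size)
    {
        case 1:
            return buf[0];
        case 2:
            return ((unsigned int)buf[1] << 8) | buf[0];
        default: /* 4 */
            return ((unsigned int)buf[3] << 24) | ((unsigned int)buf[2] << 16) |
                   ((unsigned int)buf[1] << 8) | buf[0];
    }
}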
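/*
 * Write the low `size` bytes of `val` to the device at `address`,
 * least-significant byte first.
 *
 * dh      - open device handle (used by the transfer macros)
 * address - device address of the register
 * val     - value to write
 * size    - number of bytes to send, 1 to 4
 *
 * Returns 0 once the transfer macros have run, or -1 when `size` does not
 * fit the 4-byte staging buffer. The transfer macros do their own error
 * reporting.
 */
int set_reg(usb_dev_handle* dh, int address, unsigned int val, int size)
{
    int err;
    unsigned char buf[4];

    /* SEND_DATA reads `size` bytes from buf; never let it run past the end. */
    if (size < 1 || size > (int)sizeof(buf))
        return -1;

    /* Fill all four bytes so nothing uninitialised can reach the wire. */
    buf[0] = val & 0xff;
    buf[1] = (val >> 8) & 0xff;
    buf[2] = (val >> 16) & 0xff;
    buf[3] = (val >> 24) & 0xff;

    SEND_COMMAND(VR_SET_DATA_ADDRESS, address);
    SEND_DATA(buf, size);

    return 0;
}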
/*
 * Read-modify-write helpers built on read_reg()/set_reg(): OR in bits, AND
 * with a mask, clear bits (AND with ~val) and XOR. TEST prints a register's
 * name and value to stderr.
 *
 * Each helper is two separate USB operations (a read, then a write), so the
 * register can change in between. `dh`, `adr` and `size` are expanded twice;
 * pass expressions without side effects.
 *
 * NOTE(review): every definition ends in ';', so `or_reg(...);` expands to
 * two statements' worth of semicolons and cannot be used as the body of an
 * unbraced if/else. TEST also relies on a `dh` in the caller's scope.
 */
265 #define or_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) | (val)), size);
266 #define and_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & (val)), size);
267 #define bc_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) & ~(val)), size);
268 #define xor_reg(dh, adr, val, size) set_reg(dh, adr, (read_reg(dh, adr, size) ^ (val)), size);
270 #define TEST(m, size) fprintf(stderr, "%s -> %x\n", #m, read_reg(dh, m, size));
/*
 * Dump device registers to stderr through the TEST macro, in groups
 * separated by blank lines. Only the GPIO_PXPIN(0..3) reads (4 bytes each)
 * and the SADC_BATDAT read (2 bytes) are visible in this listing; the other
 * TEST lines are not shown.
 */
271 int test_device(usb_dev_handle
* dh
)
279 fprintf(stderr
, "\n");
291 fprintf(stderr
, "\n");
292 TEST(GPIO_PXPIN(0), 4);
293 TEST(GPIO_PXPIN(1), 4);
294 TEST(GPIO_PXPIN(2), 4);
295 TEST(GPIO_PXPIN(3), 4);
297 fprintf(stderr
, "\n");
300 fprintf(stderr
, "\n");
304 TEST(SADC_BATDAT
, 2);
307 fprintf(stderr
, "\n");
/*
 * Key and touchscreen probe. VOL_DOWN, VOL_UP, MENU, HOLD and OFF are bit
 * masks applied to the 4-byte value read from GPIO_PXPIN(3); MASK is their
 * union and TS_MASK groups the SADC state bits for the touchscreen.
 *
 * Visible behaviour: when SADC_STATE has SADC_STATE_TSRDY set, the 4-byte
 * SADC_TSDAT value is printed and the pending TS_MASK state bits are ORed
 * into SADC_CTRL; the GPIO value is then read into `tmp` and a key name is
 * printed when its bit reads 0 (`!(tmp & VOL_DOWN)`). The surrounding loop
 * and the remaining key tests are not shown in this listing.
 *
 * NOTE(review): the generic names MASK, OFF, MENU and HOLD are file-wide
 * macros from this point on and can silently capture identifiers further
 * down; a prefix would be safer.
 */
316 #define VOL_DOWN (1 << 27)
317 #define VOL_UP (1 << 0)
318 #define MENU (1 << 1)
319 #define HOLD (1 << 16)
320 #define OFF (1 << 29)
321 #define MASK (VOL_DOWN|VOL_UP|MENU|HOLD|OFF)
322 #define TS_MASK (SADC_STATE_PEND|SADC_STATE_PENU|SADC_STATE_TSRDY)
323 int probe_device(usb_dev_handle
* dh
)
329 if(read_reg(dh
, SADC_STATE
, 1) & SADC_STATE_TSRDY
)
331 printf("%x\n", read_reg(dh
, SADC_TSDAT
, 4));
332 or_reg(dh
, SADC_CTRL
, read_reg(dh
, SADC_STATE
, 1) & TS_MASK
, 1);
335 tmp
= read_reg(dh
, GPIO_PXPIN(3), 4);
340 if(!(tmp
& VOL_DOWN
))
341 printf("VOL_DOWN\t");
/*
 * Load the file `name` into a freshly malloc()ed buffer and store the
 * pointer in `*buffer`.
 *
 * Visible steps: fopen() in binary mode, malloc(len), fread() of `len`
 * bytes, with an [ERR] message for each failure. Where `len` comes from,
 * what is returned, and whether the stream and buffer are released on the
 * failure paths fall on lines that are not shown in this listing.
 *
 * NOTE(review): on success the caller owns `*buffer` and has to free() it;
 * confirm that the short-read path does not leave `*buffer` pointing at
 * memory nobody frees.
 * NOTE(review): the return type is unsigned int while the length is used as
 * a signed value inside; confirm a failed size query cannot reach malloc()
 * as a huge size.
 */
356 unsigned int read_file(const char *name
, unsigned char **buffer
)
361 fd
= fopen(name
, "rb");
364 fprintf(stderr
, "[ERR] Could not open %s\n", name
);
370 *buffer
= (unsigned char*)malloc(len
);
373 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
378 n
= fread(*buffer
, 1, len
, fd
);
381 fprintf(stderr
, "[ERR] Short read.\n");
/*
 * Step macros used by mimic_of() and send_rockbox(). They expand in a
 * function that provides `dh`, `err`, `cpu`, `fsize`, `buffer` and
 * `buffer2`, and they log each step to stderr. Several continuation lines
 * are missing from this listing.
 *
 *  _GET_CPU            print the CPU info string
 *  _SET_ADDR(a)        VR_SET_DATA_ADDRESS
 *  _SEND_FILE(a)       read_file(a) then SEND_DATA of the whole file
 *  _VERIFY_DATA(a, c)  read_file(a), read `fsize` bytes back from device
 *                      address c and memcmp() the two buffers
 *  _STAGE1(a)/_STAGE2(a)  VR_PROGRAM_START1 / VR_PROGRAM_START2 at a
 *  _FLUSH              VR_FLUSH_CACHES
 *  _SLEEP(x)           Sleep(x*1000) or sleep(x); the conditional choosing
 *                      between the two definitions is not shown
 *
 * NOTE(review): in _VERIFY_DATA the result of malloc(fsize) goes straight
 * into GET_DATA and memcmp() with no NULL check on the lines in between.
 * NOTE(review): a verification mismatch only prints a [WARN]; nothing
 * visible stops the sequence before a later _STAGE1/_STAGE2.
 * NOTE(review): `fsize` comes from read_file() (unsigned int) but is printed
 * with "%d"; `x` in _SLEEP is not parenthesised.
 * NOTE(review): names that begin with an underscore followed by a capital
 * letter are reserved for the implementation.
 */
389 #define _GET_CPU fprintf(stderr, "[INFO] GET_CPU_INFO:"); \
392 fprintf(stderr, " %s\n", cpu);
393 #define _SET_ADDR(a) fprintf(stderr, "[INFO] Set address to 0x%x...", a); \
394 SEND_COMMAND(VR_SET_DATA_ADDRESS, a); \
395 fprintf(stderr, " Done!\n");
396 #define _SEND_FILE(a) fsize = read_file(a, &buffer); \
399 fprintf(stderr, "[INFO] Sending file %s: %d bytes...", a, fsize); \
400 SEND_DATA(buffer, fsize); \
402 fprintf(stderr, " Done!\n");
403 #define _VERIFY_DATA(a,c) fprintf(stderr, "[INFO] Verifying data (%s)...", a); \
404 fsize = read_file(a, &buffer); \
407 buffer2 = (unsigned char*)malloc(fsize); \
408 SEND_COMMAND(VR_SET_DATA_ADDRESS, c); \
409 SEND_COMMAND(VR_SET_DATA_LENGTH, fsize); \
410 GET_DATA(buffer2, fsize); \
411 if(memcmp(buffer, buffer2, fsize) != 0) \
412 fprintf(stderr, "\n[WARN] Sent data isn't the same as received data...\n"); \
414 fprintf(stderr, " Done!\n"); \
417 #define _STAGE1(a) fprintf(stderr, "[INFO] Stage 1 at 0x%x\n", a); \
418 SEND_COMMAND(VR_PROGRAM_START1, a);
419 #define _STAGE2(a) fprintf(stderr, "[INFO] Stage 2 at 0x%x\n", a); \
420 SEND_COMMAND(VR_PROGRAM_START2, a);
421 #define _FLUSH fprintf(stderr, "[INFO] Flushing caches...\n"); \
422 SEND_COMMAND(VR_FLUSH_CACHES, 0);
424 #define _SLEEP(x) Sleep(x*1000);
426 #define _SLEEP(x) sleep(x);
/*
 * Replay a fixed upload sequence to the device using the files 1.bin to
 * 10.bin, each at a hard-coded address, with a read-back check after each
 * one and a stage 1 start after 1.bin. The _SEND_FILE lines for most files,
 * and the use of `vx767`, fall on lines that are not shown in this listing.
 *
 * NOTE(review): the files are opened by bare name, i.e. relative to the
 * current working directory, and at least 1.bin is executed on the device.
 * Run the tool from a directory whose contents you trust.
 * NOTE(review): each _SEND_FILE/_VERIFY_DATA allocates through read_file()
 * and malloc(); confirm the buffers are released between steps.
 */
428 int mimic_of(usb_dev_handle
*dh
, bool vx767
)
431 unsigned char *buffer
, *buffer2
;
434 fprintf(stderr
, "[INFO] Start!\n");
436 _SET_ADDR(0x8000 << 16);
439 _VERIFY_DATA("1.bin", 0x8000 << 16);
440 _STAGE1(0x8000 << 16);
442 _VERIFY_DATA("2.bin", 0xB3020060);
448 _SET_ADDR(0x8000 << 16);
451 _VERIFY_DATA("3.bin", 0x8000 << 16);
456 _SET_ADDR(0x80D0 << 16);
459 _VERIFY_DATA("4.bin", 0x80D0 << 16);
464 _SET_ADDR(0x80E0 << 16);
467 _VERIFY_DATA("5.bin", 0x80E0 << 16);
472 _SET_ADDR(0x80004000);
475 _VERIFY_DATA("6.bin", 0x80004000);
480 _SET_ADDR(0x80FD << 16);
483 _VERIFY_DATA("7.bin", 0x80FD << 16);
488 _VERIFY_DATA("8.bin", 0x80004004);
489 _VERIFY_DATA("9.bin", 0x80004008);
492 _SET_ADDR(0x80E0 << 16);
493 _SEND_FILE("10.bin");
495 _VERIFY_DATA("10.bin", 0x80E0 << 16);
507 fprintf(stderr
, "[INFO] Done!\n");
/*
 * Load the Rockbox bootloader into SDRAM: verify 1.bin at 0x80000000 and
 * start it as stage 1, then send onda.bin to 0x80004000, verify it and
 * start stage 2 at 0x80004008. The upload of 1.bin and any delay between
 * the stages fall on lines that are not shown in this listing.
 *
 * The literals written 0x080004000 / 0x080004008 carry a redundant leading
 * zero; their values are 0x80004000 and 0x80004008.
 *
 * NOTE(review): 1.bin and onda.bin are opened relative to the current
 * working directory and then executed on the device; run the tool from a
 * directory whose contents you trust.
 */
511 int send_rockbox(usb_dev_handle
*dh
)
514 unsigned char *buffer
, *buffer2
;
517 fprintf(stderr
, "[INFO] Start!\n");
519 _SET_ADDR(0x8000 << 16);
522 _VERIFY_DATA("1.bin", 0x8000 << 16);
523 _STAGE1(0x8000 << 16);
526 _SET_ADDR(0x080004000);
527 _SEND_FILE("onda.bin");
529 _VERIFY_DATA("onda.bin", 0x080004000);
533 _STAGE2(0x080004008);
534 fprintf(stderr
, "[INFO] Done!\n");
/*
 * Dump LENGTH bytes of NAND to nand_dump.bin in the current directory.
 *
 * SEND_NAND_COMMAND packs the command into bits 0-3, the chip select into
 * bits 4-11 and the option into bits 12-19 of a VR_NAND_OPS request.
 * Visible steps: open the output file, allocate and zero a LENGTH-byte
 * buffer, NAND_INIT, NAND_QUERY (the first four buffer bytes are printed),
 * set address 0 and length LENGTH, NAND_READ with NO_OOB, one bulk read of
 * LENGTH bytes, fwrite() of LENGTH bytes.
 *
 * NOTE(review): LENGTH and the SEND_NAND_COMMAND arguments are not
 * parenthesised; `1024*1024*5` is safe in the uses shown but would misparse
 * next to '/' or '%'.
 * NOTE(review): the bulk-read failure messages say "Error writing data" /
 * "Bulk write error" although the call is usb_bulk_read().
 * NOTE(review): the output file is opened with "wb" before anything is
 * read, so an existing nand_dump.bin is truncated even when the transfer
 * later fails; the dump holds raw device contents, so treat the file
 * accordingly.
 */
538 #define SEND_NAND_COMMAND(cs, cmd, option) SEND_COMMAND(VR_NAND_OPS, ((cmd&0xF)|((cs&0xFF)<<4)|((option&0xFF)<<12)) );
539 #define LENGTH 1024*1024*5
540 int nand_dump(usb_dev_handle
*dh
)
545 unsigned char* buffer
;
547 fd
= fopen("nand_dump.bin", "wb");
550 fprintf(stderr
, "[ERR] Could not open nand_dump.bin\n");
554 buffer
= (unsigned char*)malloc(LENGTH
);
557 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
561 memset(buffer
, 0, LENGTH
);
563 SEND_NAND_COMMAND(0, NAND_INIT
, 0);
565 fprintf(stderr, "[INFO] Querying NAND...\n");
566 SEND_NAND_COMMAND(0, NAND_QUERY, 0);
568 printf("[INFO] %x %x %x %x\n", buffer[0], buffer[1], buffer[2], buffer[3]);
570 SEND_COMMAND(VR_SET_DATA_ADDRESS
, 0);
571 SEND_COMMAND(VR_SET_DATA_LENGTH
, LENGTH
);
572 SEND_NAND_COMMAND(0, NAND_READ
, NO_OOB
);
574 fprintf(stderr
, "[INFO] Reading data...\n");
575 err
= usb_bulk_read(dh
, USB_ENDPOINT_IN
| EP_BULK_TO
, (char*)buffer
, LENGTH
, TOUT
);
578 fprintf(stderr
,"\n[ERR] Error writing data\n");
579 fprintf(stderr
,"[ERR] Bulk write error (%d, %s)\n", err
, strerror(-err
));
585 n
= fwrite(buffer
, 1, LENGTH
, fd
);
588 fprintf(stderr
, "[ERR] Short write.\n");
/*
 * Dump LENGTH (0x1000*16) bytes starting at device address 0x1FC00000 to
 * rom_dump.bin in the current directory.
 *
 * Visible steps: open the output file, allocate and zero the buffer, set
 * the data address and length, one bulk read of LENGTH bytes, fwrite() of
 * LENGTH bytes.
 *
 * NOTE(review): LENGTH is defined a second time here; the #undef that has
 * to precede it is not visible in this listing. The value is again not
 * parenthesised.
 * NOTE(review): the bulk-read failure messages say "Error writing data" /
 * "Bulk write error" although the call is usb_bulk_read().
 * NOTE(review): rom_dump.bin is opened with "wb" before the transfer, so an
 * existing file is truncated even when the read fails.
 */
600 #define LENGTH 0x1000*16
601 int rom_dump(usb_dev_handle
*dh
)
606 unsigned char* buffer
;
608 fd
= fopen("rom_dump.bin", "wb");
611 fprintf(stderr
, "[ERR] Could not open rom_dump.bin\n");
615 buffer
= (unsigned char*)malloc(LENGTH
);
618 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
622 memset(buffer
, 0, LENGTH
);
624 SEND_COMMAND(VR_SET_DATA_ADDRESS
, 0x1FC00000);
625 SEND_COMMAND(VR_SET_DATA_LENGTH
, LENGTH
);
627 fprintf(stderr
, "[INFO] Reading data...\n");
628 err
= usb_bulk_read(dh
, USB_ENDPOINT_IN
| EP_BULK_TO
, (char*)buffer
, LENGTH
, TOUT
);
631 fprintf(stderr
,"\n[ERR] Error writing data\n");
632 fprintf(stderr
,"[ERR] Bulk write error (%d, %s)\n", err
, strerror(-err
));
638 n
= fwrite(buffer
, 1, LENGTH
, fd
);
641 fprintf(stderr
, "[ERR] Short write.\n");
/*
 * Find the device in USB boot mode, open it and run the operation selected
 * by `func`.
 *
 * Visible steps: enumerate busses and devices, look for a device whose
 * descriptor matches VID/PID, usb_open(), usb_set_configuration(dh, 1),
 * usb_claim_interface(dh, 0), then one of upload_app() (stage 2 when
 * func == 5), read_data(), test_device(), probe_device(), mimic_of()
 * (VX767 variant when func == 7) or send_rockbox(), and finally
 * usb_release_interface(). The dispatch construct itself, the calls for the
 * NAND and ROM dumps, and the closing of the handle are on lines that are
 * not shown in this listing.
 *
 * `address`, `buf` and `len` are passed through to upload_app()/read_data()
 * unchanged; this function does not validate them.
 *
 * NOTE(review): the device is chosen by VID/PID alone. With more than one
 * matching device attached, which one is used depends on lines not shown.
 * NOTE(review): confirm that every error return after usb_open() releases
 * the interface and closes the handle.
 */
652 int jzconnect(int address
, unsigned char* buf
, int len
, int func
)
655 struct usb_device
*tmp_dev
;
656 struct usb_device
*dev
= NULL
;
660 fprintf(stderr
,"[INFO] Searching for device...\n");
663 if(usb_find_busses() < 0)
665 fprintf(stderr
, "[ERR] Could not find any USB busses.\n");
669 if (usb_find_devices() < 0)
671 fprintf(stderr
, "[ERR] USB devices not found(nor hubs!).\n");
675 for (bus
= usb_get_busses(); bus
; bus
= bus
->next
)
677 for (tmp_dev
= bus
->devices
; tmp_dev
; tmp_dev
= tmp_dev
->next
)
679 if (tmp_dev
->descriptor
.idVendor
== VID
&&
680 tmp_dev
->descriptor
.idProduct
== PID
)
690 fprintf(stderr
, "[ERR] Device not found.\n");
691 fprintf(stderr
, "[ERR] Ensure your device is in USB boot mode and run usbtool again.\n");
696 if ( (dh
= usb_open(dev
)) == NULL
)
698 fprintf(stderr
,"[ERR] Unable to open device.\n");
702 /* usb_set_configuration() calls are already done in Linux */
704 err
= usb_set_configuration(dh
, 1);
708 fprintf(stderr
, "[ERR] usb_set_configuration failed (%d, %s)\n", err
, usb_strerror());
714 /* "must be called" written in the libusb documentation */
715 err
= usb_claim_interface(dh
, 0);
718 fprintf(stderr
, "[ERR] Unable to claim interface (%d, %s)\n", err
, usb_strerror());
723 fprintf(stderr
,"[INFO] Found device, uploading application.\n");
725 /* Now we can transfer the application to the device. */
731 err
= upload_app(dh
, address
, buf
, len
, (func
== 5));
734 err
= read_data(dh
, address
, buf
, len
);
737 err
= test_device(dh
);
740 err
= probe_device(dh
);
744 err
= mimic_of(dh
, (func
== 7));
753 err
= send_rockbox(dh
);
757 /* release claimed interface */
758 usb_release_interface(dh
, 0);
/*
 * Print the command-line help to stderr: the argument order, the required
 * 0xHEX form of [ADDRESS], the command numbers 1-10 and two examples.
 * Both the "usbtool.exe" and the "usbtool" wording are present; the
 * preprocessor conditionals that choose between them are not shown in this
 * listing.
 */
765 void print_usage(void)
768 fprintf(stderr
, "Usage: usbtool.exe <CMD> [FILE] [ADDRESS] [LEN]\n");
770 fprintf(stderr
, "Usage: usbtool <CMD> [FILE] [ADDRESS] [LEN]\n");
773 fprintf(stderr
, "\t[ADDRESS] has to be in 0xHEXADECIMAL format\n");
774 fprintf(stderr
, "\tCMD:\n");
775 fprintf(stderr
, "\t\t 1 -> upload file to specified address and boot from it\n");
776 fprintf(stderr
, "\t\t 2 -> read data from [ADDRESS] with length [LEN] to [FILE]\n");
777 fprintf(stderr
, "\t\t 3 -> read device status\n");
778 fprintf(stderr
, "\t\t 4 -> probe keys (only Onda VX747)\n");
779 fprintf(stderr
, "\t\t 5 -> same as 1 but do a stage 2 boot\n");
780 fprintf(stderr
, "\t\t 6 -> mimic VX747 OF fw recovery\n");
781 fprintf(stderr
, "\t\t 7 -> mimic VX767 OF fw recovery\n");
782 fprintf(stderr
, "\t\t 8 -> do a NAND dump\n");
783 fprintf(stderr
, "\t\t 9 -> do a ROM dump\n");
784 fprintf(stderr
, "\t\t10 -> send Rockbox bootloader to SDRAM\n");
787 fprintf(stderr
, "\nExample:\n\t usbtool.exe 1 fw.bin 0x80000000\n");
788 fprintf(stderr
, "\t usbtool.exe 2 save.bin 0x81000000 1024\n");
790 fprintf(stderr
, "\nExample:\n\t usbtool 1 fw.bin 0x80000000\n");
791 fprintf(stderr
, "\t usbtool 2 save.bin 0x81000000 1024\n");
/*
 * Entry point: print the banner, parse <CMD> [FILE] [ADDRESS] [LEN] and hand
 * over to jzconnect().
 *
 * Visible paths: an upload path that resolves the address ("-1" selects
 * 0x80000000, otherwise a "0x..." value), reads argv[2] into memory after
 * checking it against MAX_FIRMWARESIZE and calls jzconnect() with the
 * parsed command; a read path that parses the address and [LEN], opens
 * argv[2] for writing, calls jzconnect() with function 2 and writes the
 * buffer out; and a final path that calls jzconnect() with no buffer. The
 * dispatch on `cmd` and the argument-count checks are on lines that are not
 * shown in this listing.
 *
 * NOTE(review): the results of sscanf() for <CMD> and [LEN] are discarded,
 * so non-numeric input leaves `cmd` at 0 and `len` unassigned.
 * NOTE(review): on the read path `len` comes straight from argv[4]; no
 * range check is visible before it reaches the allocation, jzconnect() and
 * fwrite(). The upload path's MAX_FIRMWARESIZE check would be a reasonable
 * upper bound here too, together with rejecting values <= 0.
 * NOTE(review): "0x%x" stores through `&address`, which is an int *; the
 * conversion expects an unsigned int *.
 * NOTE(review): on the read path the output file is opened with "wb" before
 * the device is contacted, so an existing file is truncated even when the
 * transfer fails; confirm that `err` from jzconnect() is checked before the
 * buffer is written out.
 * NOTE(review): on the last path `address` appears to be passed without
 * having been assigned - confirm against the lines not shown.
 */
795 int main(int argc
, char* argv
[])
798 int n
, len
, address
, cmd
=0;
801 fprintf(stderr
, "USBtool v" VERSION
" - (C) 2008 Maurus Cuelenaere\n");
802 fprintf(stderr
, "This is free software; see the source for copying conditions. There is NO\n");
803 fprintf(stderr
, "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
806 sscanf(argv
[1], "%d", &cmd
);
811 if (strcmp(argv
[3], "-1") == 0)
812 address
= 0x80000000;
815 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
822 fd
= fopen(argv
[2], "rb");
825 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
831 if (len
> MAX_FIRMWARESIZE
)
833 fprintf(stderr
, "[ERR] Firmware file too big\n");
841 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
846 n
= fread(buf
, 1, len
, fd
);
849 fprintf(stderr
, "[ERR] Short read.\n");
855 fprintf(stderr
, "[INFO] File size: %d bytes\n", n
);
857 return jzconnect(address
, buf
, len
, cmd
);
860 if (sscanf(argv
[3], "0x%x", &address
) <= 0)
866 fd
= fopen(argv
[2], "wb");
869 fprintf(stderr
, "[ERR] Could not open %s\n", argv
[2]);
873 sscanf(argv
[4], "%d", &len
);
878 fprintf(stderr
, "[ERR] Could not allocate memory.\n");
883 int err
= jzconnect(address
, buf
, len
, 2);
885 n
= fwrite(buf
, 1, len
, fd
);
888 fprintf(stderr
, "[ERR] Short write.\n");
903 return jzconnect(address
, NULL
, 0, cmd
);