search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
And of course the stubs still need to be there...
[kugel-rb.git] / apps / plugins / crypt_firmware.c
blob051a3d1bd98960e5cd8e54f6a7d8570a386a1b23
1 /***************************************************************************
2 *
3 * __________ __ ___.
4 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
5 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
6 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
7 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
8 * \/ \/ \/ \/ \/
9 *
10 * $Id$
11 *
12 * Rockbox plugin copyright (C) 2009 Dave Chapman.
13 * Based on encryption code (C) 2009 Michael Sparmann
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ****************************************************************************/
24
25 /*
26
27 This viewer plugin is for the encryption/decryption of iPod Nano
28 (2nd generation) firmware images using the hardware AES crypto unit
29 in such devices.
30
31 Encrypted images are stored with the modelname "nn2x" and extension
32 ".ipodx" Unencrypted images use "nn2g" and ".ipod".
33
34 Heavily based on Payloads/CryptFirmware/main.c from iBugger.
35
36 */
37
38 #include "plugin.h"
39
40 PLUGIN_HEADER
41
42 static void aes_encrypt(void* data, uint32_t size)
43 {
44 uint32_t ptr, i;
45 uint32_t go = 1;
46 PWRCONEXT &= ~0x400;
47 AESTYPE = 1;
48 AESUNKREG0 = 1;
49 AESUNKREG0 = 0;
50 AESCONTROL = 1;
51 AESKEYLEN = 9;
52 AESOUTSIZE = size;
53 AESAUXSIZE = 0x10;
54 AESINSIZE = 0x10;
55 AESSIZE3 = 0x10;
56 for (ptr = 0; ptr < (size >> 2); ptr += 4)
57 {
58 AESOUTADDR = (uint32_t)data + (ptr << 2);
59 AESINADDR = (uint32_t)data + (ptr << 2);
60 AESAUXADDR = (uint32_t)data + (ptr << 2);
61 if (ptr != 0)
62 for (i = 0; i < 4; i++)
63 ((uint32_t*)data)[ptr + i] ^= ((uint32_t*)data)[ptr + i - 4];
64 AESSTATUS = 6;
65 AESGO = go;
66 go = 3;
67 while ((AESSTATUS & 6) == 0);
68 }
69 AESCONTROL = 0;
70 PWRCONEXT |= 0x400;
71 }
72
73 static void aes_decrypt(void* data, uint32_t size)
74 {
75 uint32_t ptr, i;
76 uint32_t go = 1;
77 PWRCONEXT &= ~0x400;
78 AESTYPE = 1;
79 AESUNKREG0 = 1;
80 AESUNKREG0 = 0;
81 AESCONTROL = 1;
82 AESKEYLEN = 8;
83 AESOUTSIZE = size;
84 AESAUXSIZE = 0x10;
85 AESINSIZE = 0x10;
86 AESSIZE3 = 0x10;
87 for (ptr = (size >> 2) - 4; ; ptr -= 4)
88 {
89 AESOUTADDR = (uint32_t)data + (ptr << 2);
90 AESINADDR = (uint32_t)data + (ptr << 2);
91 AESAUXADDR = (uint32_t)data + (ptr << 2);
92 AESSTATUS = 6;
93 AESGO = go;
94 go = 3;
95 while ((AESSTATUS & 6) == 0);
96 if (ptr == 0) break;
97 for (i = 0; i < 4; i++)
98 ((uint32_t*)data)[ptr + i] ^= ((uint32_t*)data)[ptr + i - 4];
99 }
100 AESCONTROL = 0;
101 PWRCONEXT |= 0x400;
102 }
103
104 static void calc_hash(uint32_t* data, uint32_t size, uint32_t* result)
105 {
106 uint32_t ptr, i;
107 uint32_t ctrl = 2;
108
109 PWRCONEXT &= ~0x4;
110
111 for (ptr = 0; ptr < (size >> 2); ptr += 0x10)
112 {
113 for (i = 0; i < 0x10; i++) HASHDATAIN[i] = data[ptr + i];
114 HASHCTRL = ctrl;
115 ctrl = 0xA;
116 while ((HASHCTRL & 1) != 0);
117 }
118 for (i = 0; i < 5; i ++) result[i] = HASHRESULT[i];
119
120 PWRCONEXT |= 0x4;
121 }
122
123 static uint32_t get_uint32be(unsigned char* buf)
124 {
125 return (uint32_t)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);
126 }
127
128 static void put_uint32be(unsigned char* buf, uint32_t x)
129 {
130 buf[0] = (x & 0xff000000) >> 24;
131 buf[1] = (x & 0xff0000) >> 16;
132 buf[2] = (x & 0xff00) >> 8;
133 buf[3] = x & 0xff;
134 }
135
136 static uint32_t calc_checksum(uint32_t sum, unsigned char* buf, int len)
137 {
138 int i;
139
140 for (i = 0; i < len ; i++) {
141 sum += buf[i];
142 }
143
144 return sum;
145 }
146
147 enum plugin_status plugin_start(const void* parameter)
148 {
149 int fd;
150 int length;
151 int n;
152 ssize_t buf_size;
153 uint32_t* buf;
154 int size;
155 uint32_t sum;
156 uint32_t hash[0x200];
157 char outputfilename[MAX_PATH];
158
159 fd = rb->open(parameter,O_RDONLY);
160
161 if (fd < 0) {
162 rb->splash(HZ*2, "Cannot open file");
163 return PLUGIN_ERROR;
164 }
165
166 length = rb->filesize(fd);
167
168 if (length < 12) {
169 rb->splash(HZ*2, "File too small");
170 return PLUGIN_ERROR;
171 }
172
173 /* Get the audio buffer */
174 buf = rb->plugin_get_audio_buffer((size_t *)&buf_size);
175
176 /* Use uncached alias for buf - equivalent to buf |= 0x40000000 */
177 buf += 0x10000000;
178
179 if (length > buf_size) {
180 rb->splash(HZ*2, "File too big");
181 return PLUGIN_ERROR;
182 }
183
184 n = rb->read(fd, buf, length);
185 if (n < length) {
186 rb->splash(HZ*2, "Cannot read file");
187 return PLUGIN_ERROR;
188 }
189 rb->close(fd);
190
191 size = length - 8; /* Size of firmware image */
192
193 if (calc_checksum(MODEL_NUMBER, (unsigned char*)(buf + 2), size) !=
194 get_uint32be((unsigned char*)buf)) {
195 rb->splash(HZ*2, "Bad checksum in input file");
196 return PLUGIN_ERROR;
197 }
198
199 n = rb->strlen(parameter);
200 if (memcmp(buf+1,"nn2g",4)==0) {
201 /* Encrypting - Input file should be .ipod, output file is .ipodx */
202
203 if ((n < 6) || (rb->strcmp(parameter+n-5,".ipod") != 0)) {
204 rb->splash(HZ*2, "Input filename must be .ipod");
205 return PLUGIN_ERROR;
206 }
207
208 if (n + 2 > MAX_PATH) {
209 rb->splash(HZ*2, "Filename too long");
210 return PLUGIN_ERROR;
211 }
212
213 size = (size + 0x3f) & ~0x3f; /* Pad to multiple of 64 bytes */
214 if (size > (length - 8)) {
215 rb->memset(&buf[length/4], 0, size - (length - 8));
216 }
217
218 rb->strlcpy(outputfilename, parameter, MAX_PATH);
219 outputfilename[n] = 'x';
220 outputfilename[n+1] = 0;
221
222 /* Everything is OK, now do the encryption */
223
224 /* 1 - Calculate hashes */
225
226 rb->memset(hash, 0, sizeof(hash));
227
228 hash[1] = 2;
229 hash[2] = 1;
230 hash[3] = 0x40;
231 hash[5] = size;
232
233 calc_hash(buf + 2, size, &hash[7]);
234 calc_hash(hash, 0x200, &hash[0x75]);
235
236 /* 2 - Do the encryption */
237
238 rb->splash(0, "Encrypting...");
239 aes_encrypt(buf + 2, size);
240
241 /* 3 - Update the Rockbox header */
242
243 sum = calc_checksum(MODEL_NUMBER, (unsigned char*)hash, sizeof(hash));
244 sum = calc_checksum(sum, (unsigned char*)(buf + 2), size);
245 put_uint32be((unsigned char*)buf, sum);
246 memcpy(buf + 1, "nn2x", 4);
247
248 /* 4 - Write to disk */
249 fd = rb->open(outputfilename,O_WRONLY|O_CREAT|O_TRUNC, 0666);
250
251 if (fd < 0) {
252 rb->splash(HZ*2, "Could not open output file");
253 return PLUGIN_ERROR;
254 }
255
256 n = rb->write(fd, buf, 8);
257 n = rb->write(fd, hash, sizeof(hash));
258 n = rb->write(fd, buf + 2, size);
259
260 rb->close(fd);
261 } else if (memcmp(buf + 1,"nn2x",4)==0) {
262 /* Decrypting - Input file should be .ipodx, output file is .ipod */
263
264 if ((n < 7) || (rb->strcmp(parameter+n-6,".ipodx") != 0)) {
265 rb->splash(HZ*2, "Input filename must be .ipodx");
266 return PLUGIN_ERROR;
267 }
268
269 rb->strlcpy(outputfilename, parameter, MAX_PATH);
270 outputfilename[n-1] = 0; /* Remove "x" at end of filename */
271
272 /* Everything is OK, now do the decryption */
273
274 size -= 0x800; /* Remove hash size from firmware size */
275
276 /* 1 - Decrypt */
277
278 rb->splash(0, "Decrypting...");
279
280 aes_decrypt(&buf[0x202], size);
281
282 /* 2 - Calculate hashes to verify decryption */
283
284 rb->lcd_clear_display();
285 rb->splash(0, "Calculating hash...");
286
287 rb->memset(hash, 0, sizeof(hash));
288
289 hash[1] = 2;
290 hash[2] = 1;
291 hash[3] = 0x40;
292 hash[5] = size;
293
294 calc_hash(&buf[0x202], size, &hash[7]);
295 calc_hash(hash, 0x200, &hash[0x75]);
296
297 if ((memcmp(hash + 7, buf + 9, 20) != 0) ||
298 (memcmp(hash + 75, buf + 77, 20) != 0)) {
299 rb->splash(HZ*2, "Decryption failed - bad hash");
300 return PLUGIN_ERROR;
301 }
302
303 /* 3 - Update the Rockbox header */
304
305 sum = calc_checksum(MODEL_NUMBER, (unsigned char*)(&buf[0x202]), size);
306 put_uint32be((unsigned char*)buf, sum);
307 memcpy(buf + 1, "nn2g", 4);
308
309 /* 4 - Write to disk */
310 fd = rb->open(outputfilename,O_WRONLY|O_CREAT|O_TRUNC, 0666);
311
312 if (fd < 0) {
313 rb->splash(HZ*2, "Could not open output file");
314 return PLUGIN_ERROR;
315 }
316
317 n = rb->write(fd, buf, 8);
318 n = rb->write(fd, &buf[0x202], size);
319
320 rb->close(fd);
321 } else {
322 rb->splash(HZ*2,"Invalid input file");
323 return PLUGIN_ERROR;
324 }
325
326 return PLUGIN_OK;
327 }
My public Rockbox git repo