search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix yellow from 64bit platform sim
[kugel-rb.git] / bootloader / main-pp.c
blob99200da1b94ea0d7581a3a95dc6290a29a4e2e5b
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * Copyright (C) 2006 by Barry Wardell
11 *
12 * Based on Rockbox iriver bootloader by Linus Nielsen Feltzing
13 * and the ipodlinux bootloader by Daniel Palffy and Bernard Leach
14 *
15 * All files in this archive are subject to the GNU General Public License.
16 * See the file COPYING in the source tree root for full license agreement.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ****************************************************************************/
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include "common.h"
25 #include "cpu.h"
26 #include "file.h"
27 #include "system.h"
28 #include "kernel.h"
29 #include "lcd.h"
30 #include "font.h"
31 #include "ata.h"
32 #include "button.h"
33 #include "disk.h"
34 #include <string.h>
35 #ifdef SANSA_E200
36 #include "usb.h"
37 #endif
38
39
40 /* Button definitions */
41 #if CONFIG_KEYPAD == IRIVER_H10_PAD
42 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
43
44 #elif CONFIG_KEYPAD == SANSA_E200_PAD
45 #define BOOTLOADER_BOOT_OF BUTTON_LEFT
46
47 #endif
48
49 /* Maximum allowed firmware image size. 10MB is more than enough */
50 #define MAX_LOADSIZE (10*1024*1024)
51
52 /* A buffer to load the original firmware or Rockbox into */
53 unsigned char *loadbuffer = (unsigned char *)DRAM_START;
54
55 /* Bootloader version */
56 char version[] = APPSVERSION;
57
58 /* Locations and sizes in hidden partition on Sansa */
59 #ifdef SANSA_E200
60 #define PPMI_SECTOR_OFFSET 1024
61 #define PPMI_SECTORS 1
62 #define MI4_HEADER_SECTORS 1
63 #define NUM_PARTITIONS 2
64
65 #else
66 #define NUM_PARTITIONS 1
67
68 #endif
69
70 #define MI4_HEADER_SIZE 0x200
71
72 /* mi4 header structure */
73 struct mi4header_t {
74 unsigned char magic[4];
75 uint32_t version;
76 uint32_t length;
77 uint32_t crc32;
78 uint32_t enctype;
79 uint32_t mi4size;
80 uint32_t plaintext;
81 uint32_t dsa_key[10];
82 uint32_t pad[109];
83 unsigned char type[4];
84 unsigned char model[4];
85 };
86
87 /* PPMI header structure */
88 struct ppmi_header_t {
89 unsigned char magic[4];
90 uint32_t length;
91 uint32_t pad[126];
92 };
93
94 inline unsigned int le2int(unsigned char* buf)
95 {
96 int32_t res = (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
97
98 return res;
99 }
100
101 inline void int2le(unsigned int val, unsigned char* addr)
102 {
103 addr[0] = val & 0xFF;
104 addr[1] = (val >> 8) & 0xff;
105 addr[2] = (val >> 16) & 0xff;
106 addr[3] = (val >> 24) & 0xff;
107 }
108
109 struct tea_key {
110 const char * name;
111 uint32_t key[4];
112 };
113
114 #define NUM_KEYS 11
115 struct tea_key tea_keytable[] = {
116 { "default" , { 0x20d36cc0, 0x10e8c07d, 0xc0e7dcaa, 0x107eb080 } },
117 { "sansa", { 0xe494e96e, 0x3ee32966, 0x6f48512b, 0xa93fbb42 } },
118 { "sansa_gh", { 0xd7b10538, 0xc662945b, 0x1b3fce68, 0xf389c0e6 } },
119 { "rhapsody", { 0x7aa9c8dc, 0xbed0a82a, 0x16204cc7, 0x5904ef38 } },
120 { "p610", { 0x950e83dc, 0xec4907f9, 0x023734b9, 0x10cfb7c7 } },
121 { "p640", { 0x220c5f23, 0xd04df68e, 0x431b5e25, 0x4dcc1fa1 } },
122 { "virgin", { 0xe83c29a1, 0x04862973, 0xa9b3f0d4, 0x38be2a9c } },
123 { "20gc_eng", { 0x0240772c, 0x6f3329b5, 0x3ec9a6c5, 0xb0c9e493 } },
124 { "20gc_fre", { 0xbede8817, 0xb23bfe4f, 0x80aa682d, 0xd13f598c } },
125 { "elio_p722", { 0x6af3b9f8, 0x777483f5, 0xae8181cc, 0xfa6d8a84 } },
126 { "c200", { 0xbf2d06fa, 0xf0e23d59, 0x29738132, 0xe2d04ca7 } },
127 };
128
129 /*
130
131 tea_decrypt() from http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
132
133 "Following is an adaptation of the reference encryption and decryption
134 routines in C, released into the public domain by David Wheeler and
135 Roger Needham:"
136
137 */
138
139 /* NOTE: The mi4 version of TEA uses a different initial value to sum compared
140 to the reference implementation and the main loop is 8 iterations, not
141 32.
142 */
143
144 static void tea_decrypt(uint32_t* v0, uint32_t* v1, uint32_t* k) {
145 uint32_t sum=0xF1BBCDC8, i; /* set up */
146 uint32_t delta=0x9E3779B9; /* a key schedule constant */
147 uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
148 for(i=0; i<8; i++) { /* basic cycle start */
149 *v1 -= ((*v0<<4) + k2) ^ (*v0 + sum) ^ ((*v0>>5) + k3);
150 *v0 -= ((*v1<<4) + k0) ^ (*v1 + sum) ^ ((*v1>>5) + k1);
151 sum -= delta; /* end cycle */
152 }
153 }
154
155 /* mi4 files are encrypted in 64-bit blocks (two little-endian 32-bit
156 integers) and the key is incremented after each block
157 */
158
159 static void tea_decrypt_buf(unsigned char* src, unsigned char* dest, size_t n, uint32_t * key)
160 {
161 uint32_t v0, v1;
162 unsigned int i;
163
164 for (i = 0; i < (n / 8); i++) {
165 v0 = le2int(src);
166 v1 = le2int(src+4);
167
168 tea_decrypt(&v0, &v1, key);
169
170 int2le(v0, dest);
171 int2le(v1, dest+4);
172
173 src += 8;
174 dest += 8;
175
176 /* Now increment the key */
177 key[0]++;
178 if (key[0]==0) {
179 key[1]++;
180 if (key[1]==0) {
181 key[2]++;
182 if (key[2]==0) {
183 key[3]++;
184 }
185 }
186 }
187 }
188 }
189
190 static inline bool tea_test_key(unsigned char magic_enc[8], uint32_t * key, int unaligned)
191 {
192 unsigned char magic_dec[8];
193 tea_decrypt_buf(magic_enc, magic_dec, 8, key);
194
195 return (le2int(&magic_dec[4*unaligned]) == 0xaa55aa55);
196 }
197
198 static int tea_find_key(struct mi4header_t *mi4header, int fd)
199 {
200 int i, rc;
201 unsigned int j;
202 uint32_t key[4];
203 unsigned char magic_enc[8];
204 int key_found = -1;
205 unsigned int magic_location = mi4header->length-4;
206 int unaligned = 0;
207
208 if ( (magic_location % 8) != 0 )
209 {
210 unaligned = 1;
211 magic_location -= 4;
212 }
213
214 /* Load encrypted magic 0xaa55aa55 to check key */
215 lseek(fd, MI4_HEADER_SIZE + magic_location, SEEK_SET);
216 rc = read(fd, magic_enc, 8);
217 if(rc < 8 )
218 return EREAD_IMAGE_FAILED;
219
220 printf("Searching for key:");
221
222 for (i=0; i < NUM_KEYS && (key_found<0) ; i++) {
223 key[0] = tea_keytable[i].key[0];
224 key[1] = tea_keytable[i].key[1];
225 key[2] = tea_keytable[i].key[2];
226 key[3] = tea_keytable[i].key[3];
227
228 /* Now increment the key */
229 for(j=0; j<((magic_location-mi4header->plaintext)/8); j++){
230 key[0]++;
231 if (key[0]==0) {
232 key[1]++;
233 if (key[1]==0) {
234 key[2]++;
235 if (key[2]==0) {
236 key[3]++;
237 }
238 }
239 }
240 }
241
242 if (tea_test_key(magic_enc,key,unaligned))
243 {
244 key_found = i;
245 printf("%s...found", tea_keytable[i].name);
246 } else {
247 /* printf("%s...failed", tea_keytable[i].name); */
248 }
249 }
250
251 return key_found;
252 }
253
254 /*
255 * We can't use the CRC32 implementation in the firmware library as it uses a
256 * different polynomial. The polynomial needed is 0xEDB88320L
257 *
258 * CRC32 implementation taken from:
259 *
260 * efone - Distributed internet phone system.
261 *
262 * (c) 1999,2000 Krzysztof Dabrowski
263 * (c) 1999,2000 ElysiuM deeZine
264 *
265 * This program is free software; you can redistribute it and/or
266 * modify it under the terms of the GNU General Public License
267 * as published by the Free Software Foundation; either version
268 * 2 of the License, or (at your option) any later version.
269 *
270 */
271
272 /* based on implementation by Finn Yannick Jacobs */
273
274
275
276 /* crc_tab[] -- this crcTable is being build by chksum_crc32GenTab().
277 * so make sure, you call it before using the other
278 * functions!
279 */
280 static unsigned int crc_tab[256];
281
282 /* chksum_crc() -- to a given block, this one calculates the
283 * crc32-checksum until the length is
284 * reached. the crc32-checksum will be
285 * the result.
286 */
287 unsigned int chksum_crc32 (unsigned char *block, unsigned int length)
288 {
289 register unsigned long crc;
290 unsigned long i;
291
292 crc = 0;
293 for (i = 0; i < length; i++)
294 {
295 crc = ((crc >> 8) & 0x00FFFFFF) ^ crc_tab[(crc ^ *block++) & 0xFF];
296 }
297 return (crc);
298 }
299
300 /* chksum_crc32gentab() -- to a global crc_tab[256], this one will
301 * calculate the crcTable for crc32-checksums.
302 * it is generated to the polynom [..]
303 */
304
305 static void chksum_crc32gentab (void)
306 {
307 unsigned long crc, poly;
308 int i, j;
309
310 poly = 0xEDB88320L;
311 for (i = 0; i < 256; i++)
312 {
313 crc = i;
314 for (j = 8; j > 0; j--)
315 {
316 if (crc & 1)
317 {
318 crc = (crc >> 1) ^ poly;
319 }
320 else
321 {
322 crc >>= 1;
323 }
324 }
325 crc_tab[i] = crc;
326 }
327 }
328
329
330 /* Load mi4 format firmware image */
331 int load_mi4(unsigned char* buf, char* firmware, unsigned int buffer_size)
332 {
333 int fd;
334 struct mi4header_t mi4header;
335 int rc;
336 unsigned long sum;
337 char filename[MAX_PATH];
338
339 snprintf(filename,sizeof(filename),"/.rockbox/%s",firmware);
340 fd = open(filename, O_RDONLY);
341 if(fd < 0)
342 {
343 snprintf(filename,sizeof(filename),"/%s",firmware);
344 fd = open(filename, O_RDONLY);
345 if(fd < 0)
346 return EFILE_NOT_FOUND;
347 }
348
349 read(fd, &mi4header, MI4_HEADER_SIZE);
350
351 /* MI4 file size */
352 printf("mi4 size: %x", mi4header.mi4size);
353
354 if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
355 return EFILE_TOO_BIG;
356
357 /* CRC32 */
358 printf("CRC32: %x", mi4header.crc32);
359
360 /* Rockbox model id */
361 printf("Model id: %.4s", mi4header.model);
362
363 /* Read binary type (RBOS, RBBL) */
364 printf("Binary type: %.4s", mi4header.type);
365
366 /* Load firmware file */
367 lseek(fd, MI4_HEADER_SIZE, SEEK_SET);
368 rc = read(fd, buf, mi4header.mi4size-MI4_HEADER_SIZE);
369 if(rc < (int)mi4header.mi4size-MI4_HEADER_SIZE)
370 return EREAD_IMAGE_FAILED;
371
372 /* Check CRC32 to see if we have a valid file */
373 sum = chksum_crc32 (buf, mi4header.mi4size - MI4_HEADER_SIZE);
374
375 printf("Calculated CRC32: %x", sum);
376
377 if(sum != mi4header.crc32)
378 return EBAD_CHKSUM;
379
380 if( (mi4header.plaintext + MI4_HEADER_SIZE) != mi4header.mi4size)
381 {
382 /* Load encrypted firmware */
383 int key_index = tea_find_key(&mi4header, fd);
384
385 if (key_index < 0)
386 return EINVALID_FORMAT;
387
388 /* Plaintext part is already loaded */
389 buf += mi4header.plaintext;
390
391 /* Decrypt in-place */
392 tea_decrypt_buf(buf, buf,
393 mi4header.mi4size-(mi4header.plaintext+MI4_HEADER_SIZE),
394 tea_keytable[key_index].key);
395
396 printf("%s key used", tea_keytable[key_index].name);
397
398 /* Check decryption was successfull */
399 if(le2int(&buf[mi4header.length-mi4header.plaintext-4]) != 0xaa55aa55)
400 {
401 return EREAD_IMAGE_FAILED;
402 }
403 }
404
405 return EOK;
406 }
407
408 #ifdef SANSA_E200
409 /* Load mi4 firmware from a hidden disk partition */
410 int load_mi4_part(unsigned char* buf, struct partinfo* pinfo,
411 unsigned int buffer_size, bool disable_rebuild)
412 {
413 struct mi4header_t mi4header;
414 struct ppmi_header_t ppmi_header;
415 unsigned long sum;
416
417 /* Read header to find out how long the mi4 file is. */
418 ata_read_sectors(pinfo->start + PPMI_SECTOR_OFFSET,
419 PPMI_SECTORS, &ppmi_header);
420
421 /* The first four characters at 0x80000 (sector 1024) should be PPMI*/
422 if( memcmp(ppmi_header.magic, "PPMI", 4) )
423 return EFILE_NOT_FOUND;
424
425 printf("BL mi4 size: %x", ppmi_header.length);
426
427 /* Read mi4 header of the OF */
428 ata_read_sectors(pinfo->start + PPMI_SECTOR_OFFSET + PPMI_SECTORS
429 + (ppmi_header.length/512), MI4_HEADER_SECTORS, &mi4header);
430
431 /* We don't support encrypted mi4 files yet */
432 if( (mi4header.plaintext) != (mi4header.mi4size-MI4_HEADER_SIZE))
433 return EINVALID_FORMAT;
434
435 /* MI4 file size */
436 printf("OF mi4 size: %x", mi4header.mi4size);
437
438 if ((mi4header.mi4size-MI4_HEADER_SIZE) > buffer_size)
439 return EFILE_TOO_BIG;
440
441 /* CRC32 */
442 printf("CRC32: %x", mi4header.crc32);
443
444 /* Rockbox model id */
445 printf("Model id: %.4s", mi4header.model);
446
447 /* Read binary type (RBOS, RBBL) */
448 printf("Binary type: %.4s", mi4header.type);
449
450 /* Load firmware */
451 ata_read_sectors(pinfo->start + PPMI_SECTOR_OFFSET + PPMI_SECTORS
452 + (ppmi_header.length/512) + MI4_HEADER_SECTORS,
453 (mi4header.mi4size-MI4_HEADER_SIZE)/512, buf);
454
455 /* Check CRC32 to see if we have a valid file */
456 sum = chksum_crc32 (buf,mi4header.mi4size-MI4_HEADER_SIZE);
457
458 printf("Calculated CRC32: %x", sum);
459
460 if(sum != mi4header.crc32)
461 return EBAD_CHKSUM;
462
463 if (disable_rebuild)
464 {
465 char block[512];
466 int sector = 0, offset = 0;
467
468 /* check which known version we have */
469 /* These are taken from the PPPS section, 0x00780240 */
470 ata_read_sectors(pinfo->start + 0x3C01, 1, block);
471 if (!memcmp(&block[0x40],
472 "PP5022AF-05.51-S301-01.11-S301.01.11A-D", 39))
473 { /* American e200, OF version 1.01.11A */
474 sector = pinfo->start + 0x3c08;
475 offset = 0xe1;
476 }
477 else if (!memcmp(&block[0x40],
478 "PP5022AF-05.51-S301-00.12-S301.00.12E-D", 39))
479 { /* European e200, OF version 1.00.12 */
480 sector = pinfo->start + 0x3c5c;
481 offset = 0x2;
482 }
483 else
484 return EOK;
485 ata_read_sectors(sector, 1, block);
486 block[offset] = 0;
487 ata_write_sectors(sector, 1, block);
488 }
489 return EOK;
490 }
491 #endif
492
493 void* main(void)
494 {
495 char buf[256];
496 int i;
497 int btn;
498 int rc;
499 int num_partitions;
500 unsigned short* identify_info;
501 struct partinfo* pinfo;
502 #ifdef SANSA_E200
503 int usb_retry = 0;
504 bool usb = false;
505 #endif
506
507 chksum_crc32gentab ();
508
509 system_init();
510 kernel_init();
511 lcd_init();
512 font_init();
513 button_init();
514
515 lcd_set_foreground(LCD_WHITE);
516 lcd_set_background(LCD_BLACK);
517 lcd_clear_display();
518
519 btn = button_read_device();
520 #ifdef SANSA_E200
521 usb_init();
522 while (usb_retry < 5 && !usb)
523 {
524 usb_retry++;
525 sleep(HZ/4);
526 usb = usb_detect();
527 }
528 if (usb)
529 btn |= BOOTLOADER_BOOT_OF;
530 #endif
531 /* Enable bootloader messages if any button is pressed */
532 if (btn)
533 verbose = true;
534
535 lcd_setfont(FONT_SYSFIXED);
536
537 printf("Rockbox boot loader");
538 printf("Version: %s", version);
539 printf(MODEL_NAME);
540
541 i=ata_init();
542 if (i==0) {
543 identify_info=ata_get_identify();
544 /* Show model */
545 for (i=0; i < 20; i++) {
546 ((unsigned short*)buf)[i]=htobe16(identify_info[i+27]);
547 }
548 buf[40]=0;
549 for (i=39; i && buf[i]==' '; i--) {
550 buf[i]=0;
551 }
552 printf(buf);
553 } else {
554 error(EATA, i);
555 }
556
557 disk_init();
558 num_partitions = disk_mount_all();
559 if (num_partitions<=0)
560 {
561 error(EDISK,num_partitions);
562 }
563
564 /* Just list the first 2 partitions since we don't have any devices yet
565 that have more than that */
566 for(i=0; i<NUM_PARTITIONS; i++)
567 {
568 pinfo = disk_partinfo(i);
569 printf("Partition %d: 0x%02x %ld MB",
570 i, pinfo->type, pinfo->size / 2048);
571 }
572
573 if(btn & BOOTLOADER_BOOT_OF)
574 {
575 /* Load original mi4 firmware in to a memory buffer called loadbuffer.
576 The rest of the loading is done in crt0.S.
577 1) First try reading from the hidden partition (on Sansa only).
578 2) Next try a decrypted mi4 file in /System/OF.mi4
579 3) Finally, try a raw firmware binary in /System/OF.mi4. It should be
580 a mi4 firmware decrypted and header stripped using mi4code.
581 */
582 printf("Loading original firmware...");
583
584 #ifdef SANSA_E200
585 /* First try a (hidden) firmware partition */
586 printf("Trying firmware partition");
587 pinfo = disk_partinfo(1);
588 if(pinfo->type == PARTITION_TYPE_OS2_HIDDEN_C_DRIVE)
589 {
590 rc = load_mi4_part(loadbuffer, pinfo, MAX_LOADSIZE, usb);
591 if (rc < EOK) {
592 printf("Can't load from partition");
593 printf(strerror(rc));
594 } else {
595 return (void*)loadbuffer;
596 }
597 } else {
598 printf("No hidden partition found.");
599 }
600 #endif
601
602 printf("Trying /System/OF.mi4");
603 rc=load_mi4(loadbuffer, "/System/OF.mi4", MAX_LOADSIZE);
604 if (rc < EOK) {
605 printf("Can't load /System/OF.mi4");
606 printf(strerror(rc));
607 } else {
608 return (void*)loadbuffer;
609 }
610
611 printf("Trying /System/OF.bin");
612 rc=load_raw_firmware(loadbuffer, "/System/OF.bin", MAX_LOADSIZE);
613 if (rc < EOK) {
614 printf("Can't load /System/OF.bin");
615 printf(strerror(rc));
616 } else {
617 return (void*)loadbuffer;
618 }
619
620 error(0, 0);
621
622 } else {
623 printf("Loading Rockbox...");
624 rc=load_mi4(loadbuffer, BOOTFILE, MAX_LOADSIZE);
625 if (rc < EOK) {
626 printf("Can't load %s:", BOOTFILE);
627 printf(strerror(rc));
628
629 /* Try loading rockbox from old rockbox.e200/rockbox.h10 format */
630 rc=load_firmware(loadbuffer, OLD_BOOTFILE, MAX_LOADSIZE);
631 if (rc < EOK) {
632 printf("Can't load %s:", OLD_BOOTFILE);
633 error(EBOOTFILE, rc);
634 }
635 }
636 }
637
638 return (void*)loadbuffer;
639 }
640
641 #ifndef SANSA_E200
642 /* These functions are present in the firmware library, but we reimplement
643 them here because the originals do a lot more than we want */
644 void usb_acknowledge(void)
645 {
646 }
647
648 void usb_wait_for_disconnect(void)
649 {
650 }
651 #endif
652
My public Rockbox git repo