search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove executable property that somehow got set
[kugel-rb.git] / rbutil / mkamsboot / mkamsboot.c
bloba7f6ad65b1ef9696055a0ef9e6a861b35d741435
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * mkamsboot.c - a tool for merging bootloader code into an Sansa V2
11 * (AMS) firmware file
12 *
13 * Copyright (C) 2008 Dave Chapman
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
22 *
23 ****************************************************************************/
24
25 /*
26
27 Insert a Rockbox bootloader into an AMS original firmware file.
28
29 We replace the main firmware block (bytes 0x400..0x400+firmware_size)
30 as follows:
31
32
33 ---------------------- 0x0
34 | |
35 | Dual-boot code |
36 | |
37 |----------------------|
38 | EMPTY SPACE |
39 |----------------------|
40 | |
41 | compressed RB image |
42 | |
43 |----------------------|
44 | |
45 | compressed OF image |
46 | |
47 |----------------------|
48 | UCL unpack function |
49 ----------------------
50
51 This entire block fits into the space previously occupied by the main
52 firmware block - the space saved by compressing the OF image is used
53 to store the compressed version of the Rockbox bootloader. The OF
54 image is typically about 120KB, which allows us to store a Rockbox
55 bootloader with an uncompressed size of about 60KB-70KB.
56
57 mkamsboot then corrects the checksums and writes a new legal firmware
58 file which can be installed on the device.
59
60 When the Sansa device boots, this firmware block is loaded to RAM at
61 address 0x0 and executed.
62
63 Firstly, the dual-boot code will copy the UCL unpack function to the
64 end of RAM.
65
66 Then, depending on the detection of the dual-boot keypress, either the
67 OF image or the Rockbox image is copied to the end of RAM (just before
68 the ucl unpack function) and uncompress it to the start of RAM.
69
70 Finally, the ucl unpack function branches to address 0x0, passing
71 execution to the uncompressed firmware.
72
73
74 */
75
76
77 #include <stdio.h>
78 #include <stdlib.h>
79 #include <stdint.h>
80 #include <sys/types.h>
81 #include <sys/stat.h>
82 #include <fcntl.h>
83 #include <unistd.h>
84 #include <string.h>
85
86 #include <ucl/ucl.h>
87
88 /* Headers for ARM code binaries */
89 #include "nrv2e_d8.h"
90 #include "md5.h"
91
92 #include "dualboot_clip.h"
93 #include "dualboot_e200v2.h"
94 #include "dualboot_fuze.h"
95 #include "dualboot_m200v4.h"
96 #include "dualboot_c200v2.h"
97
98 /* Win32 compatibility */
99 #ifndef O_BINARY
100 #define O_BINARY 0
101 #endif
102
103 #ifndef VERSION
104 #define VERSION "0.1"
105 #endif
106
107 enum
108 {
109 MODEL_UNKNOWN = -1,
110 MODEL_FUZE = 0,
111 MODEL_CLIP,
112 MODEL_CLIPV2,
113 MODEL_E200V2,
114 MODEL_M200V4,
115 MODEL_C200V2,
116 };
117
118 static const char* model_names[] =
119 {
120 "Fuze",
121 "Clip",
122 "Clip V2",
123 "e200 v2",
124 "m200 v4",
125 "c200 v2"
126 };
127
128 static const unsigned char* bootloaders[] =
129 {
130 dualboot_fuze,
131 dualboot_clip,
132 NULL,
133 dualboot_e200v2,
134 dualboot_m200v4,
135 dualboot_c200v2,
136 };
137
138 static const int bootloader_sizes[] =
139 {
140 sizeof(dualboot_fuze),
141 sizeof(dualboot_clip),
142 0,
143 sizeof(dualboot_e200v2),
144 sizeof(dualboot_m200v4),
145 sizeof(dualboot_c200v2),
146 };
147
148 /* Model names used in the Rockbox header in ".sansa" files - these match the
149 -add parameter to the "scramble" tool */
150 static const char* rb_model_names[] =
151 {
152 "fuze",
153 "clip",
154 NULL,
155 "e2v2",
156 "m2v4",
157 "c2v2",
158 };
159
160 /* Model numbers used to initialise the checksum in the Rockbox header in
161 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
162 static const int rb_model_num[] =
163 {
164 43,
165 40,
166 0,
167 41,
168 42,
169 44
170 };
171
172 struct md5sums {
173 int model;
174 char *version;
175 int fw_version;
176 char *md5;
177 };
178
179 /* Checksums of unmodified original firmwares - for safety, and device
180 detection */
181 static struct md5sums sansasums[] = {
182 /* NOTE: Different regional versions of the firmware normally only
183 differ in the filename - the md5sums are identical */
184 { MODEL_E200V2, "3.01.11", 1, "e622ca8cb6df423f54b8b39628a1f0a3" },
185 { MODEL_E200V2, "3.01.14", 1, "2c1d0383fc3584b2cc83ba8cc2243af6" },
186 { MODEL_E200V2, "3.01.16", 1, "12563ad71b25a1034cf2092d1e0218c4" },
187
188 { MODEL_FUZE, "1.01.11", 1, "cac8ffa03c599330ac02c4d41de66166" },
189 { MODEL_FUZE, "1.01.15", 1, "df0e2c1612727f722c19a3c764cff7f2" },
190 { MODEL_FUZE, "1.01.22", 1, "5aff5486fe8dd64239cc71eac470af98" },
191
192 { MODEL_C200V2, "3.02.05", 1, "b6378ebd720b0ade3fad4dc7ab61c1a5" },
193
194 { MODEL_M200V4, "4.00.45", 1, "82e3194310d1514e3bbcd06e84c4add3" },
195 { MODEL_M200V4, "4.01.08-A", 1, "fc9dd6116001b3e6a150b898f1b091f0" },
196 { MODEL_M200V4, "4.01.08-E", 1, "d3fb7d8ec8624ee65bc99f8dab0e2369" },
197
198 { MODEL_CLIP, "1.01.17", 1, "12caad785d506219d73f538772afd99e" },
199 { MODEL_CLIP, "1.01.18", 1, "d720b266bd5afa38a198986ef0508a45" },
200 { MODEL_CLIP, "1.01.20", 1, "236d8f75189f468462c03f6d292cf2ac" },
201 { MODEL_CLIP, "1.01.29", 1, "c12711342169c66e209540cd1f27cd26" },
202 { MODEL_CLIP, "1.01.30", 1, "f2974d47c536549c9d8259170f1dbe4d" },
203 };
204
205 #define NUM_MD5S (sizeof(sansasums)/sizeof(sansasums[0]))
206
207 static off_t filesize(int fd) {
208 struct stat buf;
209
210 if (fstat(fd,&buf) < 0) {
211 perror("[ERR] Checking filesize of input file");
212 return -1;
213 } else {
214 return(buf.st_size);
215 }
216 }
217
218 static uint32_t get_uint32le(unsigned char* p)
219 {
220 return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
221 }
222
223 static uint32_t get_uint32be(unsigned char* p)
224 {
225 return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
226 }
227
228 static void put_uint32le(unsigned char* p, uint32_t x)
229 {
230 p[0] = x & 0xff;
231 p[1] = (x >> 8) & 0xff;
232 p[2] = (x >> 16) & 0xff;
233 p[3] = (x >> 24) & 0xff;
234 }
235
236 void calc_MD5(unsigned char* buf, int len, char *md5str)
237 {
238 int i;
239 md5_context ctx;
240 unsigned char md5sum[16];
241
242 md5_starts(&ctx);
243 md5_update(&ctx, buf, len);
244 md5_finish(&ctx, md5sum);
245
246 for (i = 0; i < 16; ++i)
247 sprintf(md5str + 2*i, "%02x", md5sum[i]);
248 }
249
250
251 static uint32_t calc_checksum(unsigned char* buf, uint32_t n)
252 {
253 uint32_t sum = 0;
254 uint32_t i;
255
256 for (i=0;i<n;i+=4)
257 sum += get_uint32le(buf + i);
258
259 return sum;
260 }
261
262 static int get_model(int model_id)
263 {
264 switch(model_id)
265 {
266 case 0x1e:
267 return MODEL_FUZE;
268 case 0x22:
269 return MODEL_CLIP;
270 case 0x23:
271 return MODEL_C200V2;
272 case 0x24:
273 return MODEL_E200V2;
274 case 0x25:
275 return MODEL_M200V4;
276 case 0x27:
277 return MODEL_CLIPV2;
278 }
279
280 return MODEL_UNKNOWN;
281 }
282
283
284 static unsigned char* uclpack(unsigned char* inbuf, int insize, int* outsize)
285 {
286 int maxsize;
287 unsigned char* outbuf;
288 int r;
289
290 /* The following formula comes from the UCL documentation */
291 maxsize = insize + (insize / 8) + 256;
292
293 /* Allocate some memory for the output buffer */
294 outbuf = malloc(maxsize);
295
296 if (outbuf == NULL) {
297 return NULL;
298 }
299
300 r = ucl_nrv2e_99_compress(
301 (const ucl_bytep) inbuf,
302 (ucl_uint) insize,
303 (ucl_bytep) outbuf,
304 (ucl_uintp) outsize,
305 0, 10, NULL, NULL);
306
307 if (r != UCL_E_OK || *outsize > maxsize)
308 {
309 /* this should NEVER happen, and implies memory corruption */
310 fprintf(stderr, "internal error - compression failed: %d\n", r);
311 free(outbuf);
312 return NULL;
313 }
314
315 return outbuf;
316 }
317
318 static unsigned char* load_file(char* filename, off_t* bufsize)
319 {
320 int fd;
321 unsigned char* buf;
322 off_t n;
323
324 fd = open(filename, O_RDONLY|O_BINARY);
325 if (fd < 0)
326 {
327 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
328 return NULL;
329 }
330
331 *bufsize = filesize(fd);
332
333 buf = malloc(*bufsize);
334 if (buf == NULL) {
335 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
336 return NULL;
337 }
338
339 n = read(fd, buf, *bufsize);
340
341 if (n != *bufsize) {
342 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
343 return NULL;
344 }
345
346 return buf;
347 }
348
349
350 static unsigned char* load_rockbox_file(char* filename, int model, off_t* bufsize)
351 {
352 int fd;
353 unsigned char* buf;
354 unsigned char header[8];
355 uint32_t sum;
356 off_t n;
357 int i;
358
359 fd = open(filename, O_RDONLY|O_BINARY);
360 if (fd < 0)
361 {
362 fprintf(stderr,"[ERR] Could not open %s for reading\n",filename);
363 return NULL;
364 }
365
366 /* Read Rockbox header */
367 n = read(fd, header, sizeof(header));
368 if (n != sizeof(header)) {
369 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
370 return NULL;
371 }
372
373 /* Check for correct model string */
374 if (memcmp(rb_model_names[model],header + 4,4)!=0) {
375 fprintf(stderr,"[ERR] Model name \"%s\" not found in %s\n",
376 rb_model_names[model],filename);
377 }
378
379 *bufsize = filesize(fd) - sizeof(header);
380
381 buf = malloc(*bufsize);
382 if (buf == NULL) {
383 fprintf(stderr,"[ERR] Could not allocate memory for %s\n",filename);
384 return NULL;
385 }
386
387 n = read(fd, buf, *bufsize);
388
389 if (n != *bufsize) {
390 fprintf(stderr,"[ERR] Could not read file %s\n",filename);
391 return NULL;
392 }
393
394 /* Check checksum */
395 sum = rb_model_num[model];
396 for (i = 0; i < *bufsize; i++) {
397 /* add 8 unsigned bits but keep a 32 bit sum */
398 sum += buf[i];
399 }
400
401 if (sum != get_uint32be(header)) {
402 fprintf(stderr,"[ERR] Checksum mismatch in %s\n",filename);
403 return NULL;
404 }
405 return buf;
406 }
407
408
409 int main(int argc, char* argv[])
410 {
411 char *infile, *bootfile, *outfile;
412 int fdout;
413 off_t len;
414 uint32_t n;
415 unsigned char* buf;
416 int firmware_size;
417 off_t bootloader_size;
418 uint32_t sum,filesum;
419 uint8_t model_id;
420 int model;
421 uint32_t i;
422 unsigned char* of_packed;
423 int of_packedsize;
424 unsigned char* rb_unpacked;
425 unsigned char* rb_packed;
426 int rb_packedsize;
427 int fw_version;
428 int totalsize;
429 unsigned char* p;
430 uint32_t checksum;
431 char md5sum[33]; /* 32 hex digits, plus terminating zero */
432
433 fprintf(stderr,"mkamsboot v" VERSION " - (C) Dave Chapman and Rafaël Carré 2008\n");
434 fprintf(stderr,"This is free software; see the source for copying conditions. There is NO\n");
435 fprintf(stderr,"warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\n");
436
437 if(argc != 4) {
438 printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n\n");
439 return 1;
440 }
441
442 infile = argv[1];
443 bootfile = argv[2];
444 outfile = argv[3];
445
446 /* Load original firmware file */
447 buf = load_file(infile, &len);
448
449 if (buf == NULL) {
450 fprintf(stderr,"[ERR] Could not load %s\n",infile);
451 return 1;
452 }
453
454 /* Calculate MD5 checksum of OF */
455 calc_MD5(buf, len, md5sum);
456
457 fprintf(stderr,"[INFO] MD5 sum - %s\n",md5sum);
458
459 i = 0;
460 while ((i < NUM_MD5S) && (strcmp(sansasums[i].md5, md5sum) != 0))
461 i++;
462
463 if (i < NUM_MD5S) {
464 model = sansasums[i].model;
465 fw_version = sansasums[i].fw_version;
466 fprintf(stderr,"[INFO] Original firmware MD5 checksum match - %s %s\n",
467 model_names[model], sansasums[i].version);
468 } else {
469 fprintf(stderr,"[WARN] ****** Original firmware unknown ******\n");
470
471 if (get_uint32le(&buf[0x204])==0x0000f000) {
472 fw_version = 2;
473 model_id = buf[0x219];
474 } else {
475 fw_version = 1;
476 model_id = buf[0x215];
477 }
478
479 model = get_model(model_id);
480
481 if (model == MODEL_UNKNOWN) {
482 fprintf(stderr,"[ERR] Unknown firmware - model id 0x%02x\n",
483 model_id);
484 free(buf);
485 return 1;
486 }
487 }
488
489
490 /* TODO: Do some more sanity checks on the OF image. Some images (like
491 m200v4) dont have a checksum at the end, only padding (0xdeadbeef). */
492 checksum = get_uint32le(buf + len - 4);
493 if (checksum != 0xefbeadde && checksum != calc_checksum(buf, len - 4)) {
494
495 fprintf(stderr,"[ERR] Whole file checksum failed - %s\n",infile);
496 free(buf);
497 return 1;
498 }
499
500 if (bootloaders[model] == NULL) {
501 fprintf(stderr,"[ERR] Unsupported model - \"%s\"\n",model_names[model]);
502 free(buf);
503 return 1;
504 }
505
506 /* Load bootloader file */
507 rb_unpacked = load_rockbox_file(bootfile, model, &bootloader_size);
508 if (rb_unpacked == NULL) {
509 fprintf(stderr,"[ERR] Could not load %s\n",bootfile);
510 free(buf);
511 return 1;
512 }
513
514 printf("[INFO] Patching %s firmware\n",model_names[model]);
515
516 /* Get the firmware size */
517 firmware_size = get_uint32le(&buf[0x0c]);
518
519 /* Compress the original firmware image */
520 of_packed = uclpack(buf + 0x400, firmware_size, &of_packedsize);
521 if (of_packed == NULL) {
522 fprintf(stderr,"[ERR] Could not compress original firmware\n");
523 free(buf);
524 free(rb_unpacked);
525 return 1;
526 }
527
528 rb_packed = uclpack(rb_unpacked, bootloader_size, &rb_packedsize);
529 if (rb_packed == NULL) {
530 fprintf(stderr,"[ERR] Could not compress %s\n",bootfile);
531 free(buf);
532 free(rb_unpacked);
533 free(of_packed);
534 return 1;
535 }
536
537 /* We are finished with the unpacked version of the bootloader */
538 free(rb_unpacked);
539
540 fprintf(stderr,"[INFO] Original firmware size: %d bytes\n",firmware_size);
541 fprintf(stderr,"[INFO] Packed OF size: %d bytes\n",of_packedsize);
542 fprintf(stderr,"[INFO] Bootloader size: %d bytes\n",(int)bootloader_size);
543 fprintf(stderr,"[INFO] Packed bootloader size: %d bytes\n",rb_packedsize);
544 fprintf(stderr,"[INFO] Dual-boot function size: %d bytes\n",bootloader_sizes[model]);
545 fprintf(stderr,"[INFO] UCL unpack function size: %d bytes\n",sizeof(nrv2e_d8));
546
547 totalsize = bootloader_sizes[model] + sizeof(nrv2e_d8) + of_packedsize +
548 rb_packedsize;
549
550 fprintf(stderr,"[INFO] Total size of new image: %d bytes\n",totalsize);
551
552 if (totalsize > firmware_size) {
553 fprintf(stderr,"[ERR] No room to insert bootloader, aborting\n");
554 free(buf);
555 free(rb_unpacked);
556 free(of_packed);
557 return 1;
558 }
559
560 /* Zero the original firmware area - not needed, but helps debugging */
561 memset(buf + 0x400, 0, firmware_size);
562
563
564 /* Insert dual-boot bootloader at offset 0 */
565 memcpy(buf + 0x400, bootloaders[model], bootloader_sizes[model]);
566
567 /* We are filling the firmware buffer backwards from the end */
568 p = buf + 0x400 + firmware_size;
569
570 /* 1 - UCL unpack function */
571 p -= sizeof(nrv2e_d8);
572 memcpy(p, nrv2e_d8, sizeof(nrv2e_d8));
573
574 /* 2 - Compressed copy of original firmware */
575 p -= of_packedsize;
576 memcpy(p, of_packed, of_packedsize);
577
578 /* 3 - Compressed copy of Rockbox bootloader */
579 p -= rb_packedsize;
580 memcpy(p, rb_packed, rb_packedsize);
581
582 /* Write the locations of the various images to the variables at the
583 start of the dualboot image - we save the location of the last byte
584 in each image, along with the size in bytes */
585
586 /* UCL unpack function */
587 put_uint32le(&buf[0x420], firmware_size - 1);
588 put_uint32le(&buf[0x424], sizeof(nrv2e_d8));
589
590 /* Compressed original firmware image */
591 put_uint32le(&buf[0x428], firmware_size - sizeof(nrv2e_d8) - 1);
592 put_uint32le(&buf[0x42c], of_packedsize);
593
594 /* Compressed Rockbox image */
595 put_uint32le(&buf[0x430], firmware_size - sizeof(nrv2e_d8) - of_packedsize - 1);
596 put_uint32le(&buf[0x434], rb_packedsize);
597
598
599 /* Update the firmware block checksum */
600 sum = calc_checksum(buf + 0x400,firmware_size);
601
602 if (fw_version == 1) {
603 put_uint32le(&buf[0x04], sum);
604 put_uint32le(&buf[0x204], sum);
605 } else {
606 /* TODO: Verify that this is correct for the v2 firmware */
607
608 put_uint32le(&buf[0x08], sum);
609 put_uint32le(&buf[0x208], sum);
610
611 /* Update the header checksums */
612 put_uint32le(&buf[0x1fc], calc_checksum(buf, 0x1fc));
613 put_uint32le(&buf[0x3fc], calc_checksum(buf + 0x200, 0x1fc));
614 }
615
616 /* Update the whole-file checksum */
617 filesum = 0;
618 for (i=0;i < (unsigned)len - 4; i+=4)
619 filesum += get_uint32le(&buf[i]);
620
621 put_uint32le(buf + len - 4, filesum);
622
623
624 /* Write the new firmware */
625 fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666);
626
627 if (fdout < 0) {
628 fprintf(stderr,"[ERR] Could not open %s for writing\n",outfile);
629 return 1;
630 }
631
632 n = write(fdout, buf, len);
633
634 if (n != (unsigned)len) {
635 fprintf(stderr,"[ERR] Could not write firmware file\n");
636 return 1;
637 }
638
639 close(fdout);
640
641 fprintf(stderr," *****************************************************************************\n");
642 fprintf(stderr," *** THIS CODE IS UNTESTED - DO NOT USE IF YOU CAN NOT RECOVER YOUR DEVICE ***\n");
643 fprintf(stderr," *****************************************************************************\n");
644
645 return 0;
646
647 }
My public Rockbox git repo