1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2011 by Amaury Pouly
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
18 * KIND, either express or implied.
20 ****************************************************************************/
24 #include "mkimxboot.h"
29 /* Supported models */
34 /* new models go here */
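/* Per-model description: what to inject into a firmware image and where.
 *
 * imx_models[] initializes this struct positionally, so the member order is
 * part of the contract.
 *
 * NOTE(review): the listing this was restored from shows the comments for
 * dualboot_size and nr_keys but not their declarations. Both members are used
 * elsewhere in the file; their types are inferred from the imx_models
 * initializer (a sizeof expression and the literal 1) - confirm against
 * upstream. */
struct imx_model_desc_t
{
    /* Descriptive name of this model */
    const char *model_name;
    /* Dualboot code for this model */
    const unsigned char *dualboot;
    /* Size of dualboot functions for this model */
    size_t dualboot_size;
    /* Model name used in the Rockbox header in ".sansa" files - these match the
       -add parameter to the "scramble" tool */
    const char *rb_model_name;
    /* Model number used to initialise the checksum in the Rockbox header in
       ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
    const int rb_model_num;
    /* Number of keys needed to decrypt/encrypt */
    int nr_keys;
    /* Keys handed to add_keys() before the image is read; nr_keys entries */
    struct crypto_key_t *keys;
    /* Dualboot load address */
    uint32_t dualboot_addr;
    /* Bootloader load address */
    uint32_t bootloader_addr;
};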
/* Known original-firmware images, keyed by the MD5 digest of the whole file.
 *
 * mkimxboot() hashes the input file and looks the digest up here to choose the
 * model. Each md5sum must be exactly 32 hex digits; mkimxboot() checks the
 * length at run time. The digest only identifies a known image: MD5 is not
 * collision resistant, so a match is not proof that the file is authentic. */
static const struct imx_md5sum_t imx_sums[] =
{
    /* Version 2.38.6 */
    { .model = MODEL_FUZEPLUS, .md5sum = "c3e27620a877dc6b200b97dcb3e0ecc7" },
};
74 static struct crypto_key_t zero_key
=
/* Model table, indexed by model number. The code that patches an image reads
 * the dualboot stub, the load addresses and the keys from the selected entry,
 * so every index used on this table must name an initialized entry. */
static const struct imx_model_desc_t imx_models[] =
{
    [MODEL_FUZEPLUS] = {
        .model_name = "Fuze+",
        .dualboot = dualboot_fuzeplus,
        .dualboot_size = sizeof(dualboot_fuzeplus),
        .rb_model_name = "fuz+",
        .rb_model_num = 72,
        /* one key, zero_key (its initializer is not visible in this listing) */
        .nr_keys = 1,
        .keys = &zero_key,
        .dualboot_addr = 0,
        .bootloader_addr = 0x40000000,
    },
};
/* Element counts of the imx_sums and imx_models tables. Both expand to a
 * size_t expression, so an int loop index compared against them is converted
 * to unsigned. */
#define NR_IMX_SUMS     (sizeof(imx_sums) / sizeof(*imx_sums))
#define NR_IMX_MODELS   (sizeof(imx_models) / sizeof(*imx_models))

/* Values placed in the 'argument' field of the injected instructions */
#define MAGIC_ROCK      0x726f636b /* 'rock': id of the added section, argument of the dualboot call */
#define MAGIC_RECOVERY  0xfee1dead /* argument of the bootloader jump in recovery mode */
#define MAGIC_NORMAL    0xcafebabe /* argument of the bootloader jump otherwise */
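/**
 * Patch an image that follows the standard "____, host, play" layout.
 *
 * The file is assumed to hold three boot sections (____, host, play) and one
 * resource section (rsrc). The insertion point is the slot that immediately
 * follows the <jump_before>th SB_INST_CALL of the first section.
 *
 * Dual Boot:
 *   A LOAD of the model's dualboot code and a CALL to it (argument 'rock')
 *   are inserted at that point, and a section identified by 'rock', holding a
 *   LOAD of the bootloader and a JUMP to it (argument MAGIC_NORMAL), is
 *   appended after the existing sections.
 *
 * Single Boot & Recovery:
 *   Everything from the insertion point onwards is dropped and replaced by a
 *   LOAD of the bootloader and a JUMP to it; every other section is removed.
 *   In recovery mode the jump argument is 0xfee1dead.
 *
 * The payload is copied verbatim into the LOAD instruction and is not
 * validated here: the caller must have checked it before this point.
 *
 * @param jump_before number of CALL instructions to pass in the first section
 * @param model       index into imx_models (range-checked here)
 * @param type        IMX_DUALBOOT, IMX_SINGLEBOOT or IMX_RECOVERY
 * @param sb_file     parsed image, modified in place
 * @param boot        bootloader payload; copied with memdup()
 * @param boot_sz     payload size in bytes
 * @return IMX_SUCCESS, or IMX_DONT_KNOW_HOW_TO_PATCH when the model index is
 *         outside the table, the file has no section, the call cannot be
 *         located or the output type is not handled
 *
 * NOTE(review): the listing this was restored from dropped several lines of
 * this function (the declaration of jump_idx, the counter decrement, the
 * frees of the old instruction array, the nr_insts update, the last
 * augment_array() arguments, the success returns and the final else). They
 * are reinstated from their uses - confirm against upstream.
 */
static enum imx_error_t patch_std_zero_host_play(int jump_before, int model,
    enum imx_output_type_t type, struct sb_file_t *sb_file, void *boot, size_t boot_sz)
{
    /* imx_models[model] is read below: refuse an index outside the table */
    if(model < 0 || (size_t)model >= NR_IMX_MODELS)
    {
        printf("[ERR] Unknown model\n");
        return IMX_DONT_KNOW_HOW_TO_PATCH;
    }
    /* sections[0] is used unconditionally below */
    if(sb_file->nr_sections < 1)
    {
        printf("[ERR] No section to patch\n");
        return IMX_DONT_KNOW_HOW_TO_PATCH;
    }
    const struct imx_model_desc_t *desc = &imx_models[model];

    /* Do not override real key and IV */
    sb_file->override_crypto_iv = false;
    sb_file->override_real_key = false;

    /* first locate the good instruction: jump_idx ends just past the
     * <jump_before>th call, or at nr_insts when there are too few calls */
    struct sb_section_t *sec = &sb_file->sections[0];
    int jump_idx = 0;
    while(jump_idx < sec->nr_insts && jump_before > 0)
    {
        if(sec->insts[jump_idx++].inst == SB_INST_CALL)
            jump_before--;
    }
    if(jump_idx == sec->nr_insts)
    {
        printf("[ERR] Cannot locate call in section ____\n");
        return IMX_DONT_KNOW_HOW_TO_PATCH;
    }

    if(type == IMX_DUALBOOT)
    {
        /* create a new instruction array with a hole for two instructions */
        struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (sec->nr_insts + 2));
        memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
        memcpy(new_insts + jump_idx + 2, sec->insts + jump_idx,
            sizeof(struct sb_inst_t) * (sec->nr_insts - jump_idx));
        /* first instruction is a load */
        struct sb_inst_t *load = &new_insts[jump_idx];
        memset(load, 0, sizeof(struct sb_inst_t));
        load->inst = SB_INST_LOAD;
        load->size = desc->dualboot_size;
        load->addr = desc->dualboot_addr;
        /* duplicate memory because it will be free'd */
        load->data = memdup(desc->dualboot, desc->dualboot_size);
        /* second instruction is a call */
        struct sb_inst_t *call = &new_insts[jump_idx + 1];
        memset(call, 0, sizeof(struct sb_inst_t));
        call->inst = SB_INST_CALL;
        call->addr = desc->dualboot_addr;
        call->argument = MAGIC_ROCK;
        /* free old instruction array; its elements now live in new_insts */
        free(sec->insts);
        sec->insts = new_insts;
        sec->nr_insts += 2;

        /* create a new section */
        struct sb_section_t rock_sec;
        memset(&rock_sec, 0, sizeof(rock_sec));
        /* section has two instructions: load and jump */
        rock_sec.identifier = MAGIC_ROCK;
        rock_sec.alignment = BLOCK_SIZE;
        rock_sec.nr_insts = 2;
        rock_sec.insts = xmalloc(2 * sizeof(struct sb_inst_t));
        memset(rock_sec.insts, 0, 2 * sizeof(struct sb_inst_t));
        rock_sec.insts[0].inst = SB_INST_LOAD;
        rock_sec.insts[0].size = boot_sz;
        rock_sec.insts[0].data = memdup(boot, boot_sz);
        rock_sec.insts[0].addr = desc->bootloader_addr;
        rock_sec.insts[1].inst = SB_INST_JUMP;
        rock_sec.insts[1].addr = desc->bootloader_addr;
        rock_sec.insts[1].argument = MAGIC_NORMAL;

        /* sec points into the old section array: do not use it past this call */
        sb_file->sections = augment_array(sb_file->sections,
            sizeof(struct sb_section_t), sb_file->nr_sections,
            &rock_sec, 1);
        sb_file->nr_sections++;

        return IMX_SUCCESS;
    }
    else if(type == IMX_SINGLEBOOT || type == IMX_RECOVERY)
    {
        bool recovery = type == IMX_RECOVERY;
        /* remove everything after the call and add two instructions: load and jump */
        struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (jump_idx + 2));
        memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
        for(int i = jump_idx; i < sec->nr_insts; i++)
            sb_free_instruction(sec->insts[i]);
        memset(new_insts + jump_idx, 0, 2 * sizeof(struct sb_inst_t));
        new_insts[jump_idx + 0].inst = SB_INST_LOAD;
        new_insts[jump_idx + 0].size = boot_sz;
        new_insts[jump_idx + 0].data = memdup(boot, boot_sz);
        new_insts[jump_idx + 0].addr = desc->bootloader_addr;
        new_insts[jump_idx + 1].inst = SB_INST_JUMP;
        new_insts[jump_idx + 1].addr = desc->bootloader_addr;
        new_insts[jump_idx + 1].argument = recovery ? MAGIC_RECOVERY : MAGIC_NORMAL;
        /* free old instruction array; kept elements were copied, the rest freed above */
        free(sec->insts);
        sec->insts = new_insts;
        sec->nr_insts = jump_idx + 2;
        /* remove all other sections */
        for(int i = 1; i < sb_file->nr_sections; i++)
            sb_free_section(sb_file->sections[i]);
        struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t));
        memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t));
        free(sb_file->sections);
        sb_file->sections = new_sec;
        sb_file->nr_sections = 1;

        return IMX_SUCCESS;
    }
    else
    {
        printf("[ERR] Bad output type !\n");
        return IMX_DONT_KNOW_HOW_TO_PATCH;
    }
}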
/**
 * Pick the patching routine for a model and run it.
 *
 * @param model   model index taken from the imx_sums match
 * @param type    requested output type, passed through unchanged
 * @param sb_file parsed image, modified in place by the patching routine
 * @param boot    bootloader payload
 * @param boot_sz payload size in bytes
 * @return the patching routine's result, or IMX_DONT_KNOW_HOW_TO_PATCH for a
 *         model with no routine
 *
 * NOTE(review): the lines that select on model are absent from this listing;
 * the MODEL_FUZEPLUS test is inferred from the comment below and from
 * imx_models - confirm against upstream.
 */
static enum imx_error_t patch_firmware(int model, enum imx_output_type_t type,
    struct sb_file_t *sb_file, void *boot, size_t boot_sz)
{
    if(model != MODEL_FUZEPLUS)
    {
        return IMX_DONT_KNOW_HOW_TO_PATCH;
    }
    /* The Fuze+ uses the standard ____, host, play sections, patch after third
     * call in ____ section */
    return patch_std_zero_host_play(3, model, type, sb_file, boot, boot_sz);
}
229 static void imx_printf(void *user
, bool error
, color_t c
, const char *fmt
, ...)
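/**
 * Read a 32-bit big-endian value from the four bytes at p.
 *
 * mkimxboot() uses this to read the checksum stored at the start of the
 * bootloader file, so the bytes come straight from an input file. Each byte
 * is widened to uint32_t before shifting: as an unsigned char it would be
 * promoted to int, and shifting a value of 0x80 or more left by 24 overflows
 * a 32-bit int, which is undefined behaviour.
 *
 * @param p pointer to at least four readable bytes
 * @return the decoded value
 */
static uint32_t get_uint32be(unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}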
250 enum imx_error_t
mkimxboot(const char *infile
, const char *bootfile
,
251 const char *outfile
, struct imx_option_t opt
)
256 printf("[INFO] mkimxboot models:\n");
257 for(int i
= 0; i
< NR_IMX_MODELS
; i
++)
259 printf("[INFO] %s: idx=%d rb_model=%s rb_num=%d\n",
260 imx_models
[i
].model_name
, i
, imx_models
[i
].rb_model_name
,
261 imx_models
[i
].rb_model_num
);
263 printf("[INFO] mkimxboot mapping:\n");
264 for(int i
= 0; i
< NR_IMX_SUMS
; i
++)
266 printf("[INFO] md5sum=%s -> idx=%d\n", imx_sums
[i
].md5sum
,
270 /* compute MD5 sum of the file */
271 uint8_t file_md5sum
[16];
274 FILE *f
= fopen(infile
, "rb");
277 printf("[ERR] Cannot open input file\n");
278 return IMX_OPEN_ERROR
;
280 fseek(f
, 0, SEEK_END
);
281 size_t sz
= ftell(f
);
282 fseek(f
, 0, SEEK_SET
);
283 void *buf
= xmalloc(sz
);
284 if(fread(buf
, sz
, 1, f
) != 1)
288 printf("[ERR] Cannot read file\n");
289 return IMX_READ_ERROR
;
294 md5_update(&ctx
, buf
, sz
);
295 md5_finish(&ctx
, file_md5sum
);
298 printf("[INFO] MD5 sum of the file: ");
299 print_hex(file_md5sum
, 16, true);
305 while(i
< NR_IMX_SUMS
)
308 if(strlen(imx_sums
[i
].md5sum
) != 32)
310 printf("[INFO] Invalid MD5 sum in imx_sums\n");
313 for(int j
= 0; j
< 16; j
++)
316 if(convxdigit(imx_sums
[i
].md5sum
[2 * j
], &a
) || convxdigit(imx_sums
[i
].md5sum
[2 * j
+ 1], &b
))
318 md5
[j
] = (a
<< 4) | b
;
320 if(memcmp(file_md5sum
, md5
, 16) == 0)
326 printf("[ERR] MD5 sum doesn't match any known file\n");
329 model
= imx_sums
[i
].model
;
331 printf("[INFO] File is for model %d (%s)\n", model
, imx_models
[model
].model_name
);
332 /* load rockbox file */
337 FILE *f
= fopen(bootfile
, "rb");
340 printf("[ERR] Cannot open boot file\n");
341 return IMX_OPEN_ERROR
;
343 fseek(f
, 0, SEEK_END
);
344 boot_size
= ftell(f
);
345 fseek(f
, 0, SEEK_SET
);
346 boot
= xmalloc(boot_size
);
347 if(fread(boot
, boot_size
, 1, f
) != 1)
351 printf("[ERR] Cannot read boot file\n");
352 return IMX_READ_ERROR
;
356 /* Check boot file */
361 printf("[ERR] Bootloader file is too small to be valid\n");
363 return IMX_BOOT_INVALID
;
365 /* check model name */
366 uint8_t *name
= boot
+ 4;
367 if(memcmp(name
, imx_models
[model
].rb_model_name
, 4) != 0)
369 printf("[ERR] Bootloader model doesn't match found model for input file\n");
371 return IMX_BOOT_MISMATCH
;
374 uint32_t sum
= imx_models
[model
].rb_model_num
;
375 for(int i
= 8; i
< boot_size
; i
++)
377 if(sum
!= get_uint32be(boot
))
379 printf("[ERR] Bootloader checksum mismatch\n");
381 return IMX_BOOT_CHECKSUM_ERROR
;
385 struct sb_file_t
*sb_file
;
391 add_keys(imx_models
[model
].keys
, imx_models
[model
].nr_keys
);
392 sb_file
= sb_read_file(infile
, false, NULL
, &imx_printf
, &err
);
397 return IMX_FIRST_SB_ERROR
+ err
;
401 enum imx_error_t ret
= patch_firmware(model
, opt
.output
, sb_file
, boot
+ 8, boot_size
- 8);
402 if(ret
== IMX_SUCCESS
)
403 ret
= sb_write_file(sb_file
, outfile
);