rbutil/mkimxboot/mkimxboot.c

   1 /***************************************************************************
   2  *             __________               __   ___.
   3  *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
   4  *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
   5  *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
   6  *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
   7  *                     \/            \/     \/    \/            \/
   8  * $Id$
   9  *
  10  * Copyright (C) 2011 by Amaury Pouly
  11  *
  12  * This program is free software; you can redistribute it and/or
  13  * modify it under the terms of the GNU General Public License
  14  * as published by the Free Software Foundation; either version 2
  15  * of the License, or (at your option) any later version.
  16  *
  17  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  18  * KIND, either express or implied.
  19  *
  20  ****************************************************************************/
  21 #include <stdio.h>
  22 #include <stdlib.h>
  23 #include <stdarg.h>
  24 #include "mkimxboot.h"
  25 #include "sb.h"
  26 #include "dualboot.h"
  27 #include "md5.h"
  28
  29 /* Supported models */
  30 enum imx_model_t
  31 {
  32     MODEL_UNKNOWN = -1,
  33     MODEL_FUZEPLUS = 0,
  34     /* new models go here */
  35
  36     NUM_MODELS
  37 };
  38
  39 struct imx_md5sum_t
  40 {
  41     int model;
  42     char *md5sum;
  43 };
  44
  45 struct imx_model_desc_t
  46 {
  47     /* Descriptive name of this model */
  48     const char *model_name;
  49     /* Dualboot code for this model */
  50     const unsigned char *dualboot;
  51     /* Size of dualboot functions for this model */
  52     int dualboot_size;
  53     /* Model name used in the Rockbox header in ".sansa" files - these match the
  54        -add parameter to the "scramble" tool */
  55     const char *rb_model_name;
  56     /* Model number used to initialise the checksum in the Rockbox header in
  57        ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
  58     const int rb_model_num;
  59     /* Number of keys needed to decrypt/encrypt */
  60     int nr_keys;
  61     /* Array of keys */
  62     struct crypto_key_t *keys;
  63     /* Dualboot load address */
  64     uint32_t dualboot_addr;
  65     /* Bootloader load address */
  66     uint32_t bootloader_addr;
  67 };
  68
  69 static const struct imx_md5sum_t imx_sums[] =
  70 {
  71     { MODEL_FUZEPLUS, "c3e27620a877dc6b200b97dcb3e0ecc7" }, /* Version 2.38.6 */
  72 };
  73
  74 static struct crypto_key_t zero_key =
  75 {
  76     .method = CRYPTO_KEY,
  77     .u.key = {0}
  78 };
  79
  80 static const struct imx_model_desc_t imx_models[] =
  81 {
  82     [MODEL_FUZEPLUS]  = { "Fuze+",  dualboot_fuzeplus, sizeof(dualboot_fuzeplus), "fuz+", 72,
  83                           1, &zero_key, 0, 0x40000000 },
  84 };
  85
  86 #define NR_IMX_SUMS     (sizeof(imx_sums) / sizeof(imx_sums[0]))
  87 #define NR_IMX_MODELS   (sizeof(imx_models) / sizeof(imx_models[0]))
  88
  89 #define MAGIC_ROCK      0x726f636b /* 'rock' */
  90 #define MAGIC_RECOVERY  0xfee1dead
  91 #define MAGIC_NORMAL    0xcafebabe
  92
  93 static enum imx_error_t patch_std_zero_host_play(int jump_before, int model,
  94  enum imx_output_type_t type, struct sb_file_t *sb_file, void *boot, size_t boot_sz)
  95 {
  96     /* We assume the file has three boot sections: ____, host, play and one
  97      * resource section rsrc.
  98      *
  99      * Dual Boot:
 100      * ----------
 101      * We patch the file by inserting the dualboot code before the <jump_before>th
 102      * call in the ____ section. We give it as argument the section name 'rock'
 103      * and add a section called 'rock' after rsrc which contains the bootloader.
 104      *
 105      * Single Boot & Recovery:
 106      * -----------------------
 107      * We patch the file by inserting the bootloader code after the <jump_before>th
 108      * call in the ____ section and get rid of everything else. In recovery mode,
 109      * we give 0xfee1dead as argument */
 110
 111     /* Do not override real key and IV */
 112     sb_file->override_crypto_iv = false;
 113     sb_file->override_real_key = false;
 114
 115     /* first locate the good instruction */
 116     struct sb_section_t *sec = &sb_file->sections[0];
 117     int jump_idx = 0;
 118     while(jump_idx < sec->nr_insts && jump_before > 0)
 119         if(sec->insts[jump_idx++].inst == SB_INST_CALL)
 120             jump_before--;
 121     if(jump_idx == sec->nr_insts)
 122     {
 123         printf("[ERR] Cannot locate call in section ____\n");
 124         return IMX_DONT_KNOW_HOW_TO_PATCH;
 125     }
 126
 127     if(type == IMX_DUALBOOT)
 128     {
 129         /* create a new instruction array with a hole for two instructions */
 130         struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (sec->nr_insts + 2));
 131         memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
 132         memcpy(new_insts + jump_idx + 2, sec->insts + jump_idx,
 133             sizeof(struct sb_inst_t) * (sec->nr_insts - jump_idx));
 134         /* first instruction is be a load */
 135         struct sb_inst_t *load = &new_insts[jump_idx];
 136         memset(load, 0, sizeof(struct sb_inst_t));
 137         load->inst = SB_INST_LOAD;
 138         load->size = imx_models[model].dualboot_size;
 139         load->addr = imx_models[model].dualboot_addr;
 140         /* duplicate memory because it will be free'd */
 141         load->data = memdup(imx_models[model].dualboot, imx_models[model].dualboot_size);
 142         /* second instruction is a call */
 143         struct sb_inst_t *call = &new_insts[jump_idx + 1];
 144         memset(call, 0, sizeof(struct sb_inst_t));
 145         call->inst = SB_INST_CALL;
 146         call->addr = imx_models[model].dualboot_addr;
 147         call->argument = MAGIC_ROCK;
 148         /* free old instruction array */
 149         free(sec->insts);
 150         sec->insts = new_insts;
 151         sec->nr_insts += 2;
 152
 153         /* create a new section */
 154         struct sb_section_t rock_sec;
 155         memset(&rock_sec, 0, sizeof(rock_sec));
 156         /* section has two instructions: load and call */
 157         rock_sec.identifier = MAGIC_ROCK;
 158         rock_sec.alignment = BLOCK_SIZE;
 159         rock_sec.nr_insts = 2;
 160         rock_sec.insts = xmalloc(2 * sizeof(struct sb_inst_t));
 161         memset(rock_sec.insts, 0, 2 * sizeof(struct sb_inst_t));
 162         rock_sec.insts[0].inst = SB_INST_LOAD;
 163         rock_sec.insts[0].size = boot_sz;
 164         rock_sec.insts[0].data = memdup(boot, boot_sz);
 165         rock_sec.insts[0].addr = imx_models[model].bootloader_addr;
 166         rock_sec.insts[1].inst = SB_INST_JUMP;
 167         rock_sec.insts[1].addr = imx_models[model].bootloader_addr;
 168         rock_sec.insts[1].argument = MAGIC_NORMAL;
 169
 170         sb_file->sections = augment_array(sb_file->sections,
 171             sizeof(struct sb_section_t), sb_file->nr_sections,
 172             &rock_sec, 1);
 173         sb_file->nr_sections++;
 174
 175         return IMX_SUCCESS;
 176     }
 177     else if(type == IMX_SINGLEBOOT || type == IMX_RECOVERY)
 178     {
 179         bool recovery = type == IMX_RECOVERY;
 180         /* remove everything after the call and add two instructions: load and call */
 181         struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (jump_idx + 2));
 182         memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
 183         for(int i = jump_idx; i < sec->nr_insts; i++)
 184             sb_free_instruction(sec->insts[i]);
 185         memset(new_insts + jump_idx, 0, 2 * sizeof(struct sb_inst_t));
 186         new_insts[jump_idx + 0].inst = SB_INST_LOAD;
 187         new_insts[jump_idx + 0].size = boot_sz;
 188         new_insts[jump_idx + 0].data = memdup(boot, boot_sz);
 189         new_insts[jump_idx + 0].addr = imx_models[model].bootloader_addr;
 190         new_insts[jump_idx + 1].inst = SB_INST_JUMP;
 191         new_insts[jump_idx + 1].addr = imx_models[model].bootloader_addr;
 192         new_insts[jump_idx + 1].argument = recovery ? MAGIC_RECOVERY : MAGIC_NORMAL;
 193
 194         free(sec->insts);
 195         sec->insts = new_insts;
 196         sec->nr_insts = jump_idx + 2;
 197         /* remove all other sections */
 198         for(int i = 1; i < sb_file->nr_sections; i++)
 199             sb_free_section(sb_file->sections[i]);
 200         struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t));
 201         memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t));
 202         free(sb_file->sections);
 203         sb_file->sections = new_sec;
 204         sb_file->nr_sections = 1;
 205
 206         return IMX_SUCCESS;
 207     }
 208     else
 209     {
 210         printf("[ERR] Bad output type !\n");
 211         return IMX_DONT_KNOW_HOW_TO_PATCH;
 212     }
 213 }
 214
 215 static enum imx_error_t patch_firmware(int model, enum imx_output_type_t type,
 216     struct sb_file_t *sb_file, void *boot, size_t boot_sz)
 217 {
 218     switch(model)
 219     {
 220         case MODEL_FUZEPLUS:
 221             /* The Fuze+ uses the standard ____, host, play sections, patch after third
 222              * call in ____ section */
 223             return patch_std_zero_host_play(3, model, type, sb_file, boot, boot_sz);
 224         default:
 225             return IMX_DONT_KNOW_HOW_TO_PATCH;
 226     }
 227 }
 228
 229 static void imx_printf(void *user, bool error, color_t c, const char *fmt, ...)
 230 {
 231     (void) user;
 232     (void) c;
 233     va_list args;
 234     va_start(args, fmt);
 235     /*
 236     if(error)
 237         printf("[ERR] ");
 238     else
 239         printf("[INFO] ");
 240     */
 241     vprintf(fmt, args);
 242     va_end(args);
 243 }
 244
 245 static uint32_t get_uint32be(unsigned char *p)
 246 {
 247     return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
 248 }
 249
 250 enum imx_error_t mkimxboot(const char *infile, const char *bootfile,
 251     const char *outfile, struct imx_option_t opt)
 252 {
 253     /* Dump tables */
 254     do
 255     {
 256         printf("[INFO] mkimxboot models:\n");
 257         for(int i = 0; i < NR_IMX_MODELS; i++)
 258         {
 259             printf("[INFO]   %s: idx=%d rb_model=%s rb_num=%d\n",
 260                 imx_models[i].model_name, i, imx_models[i].rb_model_name,
 261                 imx_models[i].rb_model_num);
 262         }
 263         printf("[INFO] mkimxboot mapping:\n");
 264         for(int i = 0; i < NR_IMX_SUMS; i++)
 265         {
 266             printf("[INFO]   md5sum=%s -> idx=%d\n", imx_sums[i].md5sum,
 267                 imx_sums[i].model);
 268         }
 269     }while(0);
 270     /* compute MD5 sum of the file */
 271     uint8_t file_md5sum[16];
 272     do
 273     {
 274         FILE *f = fopen(infile, "rb");
 275         if(f == NULL)
 276         {
 277             printf("[ERR] Cannot open input file\n");
 278             return IMX_OPEN_ERROR;
 279         }
 280         fseek(f, 0, SEEK_END);
 281         size_t sz = ftell(f);
 282         fseek(f, 0, SEEK_SET);
 283         void *buf = xmalloc(sz);
 284         if(fread(buf, sz, 1, f) != 1)
 285         {
 286             fclose(f);
 287             free(buf);
 288             printf("[ERR] Cannot read file\n");
 289             return IMX_READ_ERROR;
 290         }
 291         fclose(f);
 292         md5_context ctx;
 293         md5_starts(&ctx);
 294         md5_update(&ctx, buf, sz);
 295         md5_finish(&ctx, file_md5sum);
 296         free(buf);
 297     }while(0);
 298     printf("[INFO] MD5 sum of the file: ");
 299     print_hex(file_md5sum, 16, true);
 300     /* find model */
 301     int model;
 302     do
 303     {
 304         int i = 0;
 305         while(i < NR_IMX_SUMS)
 306         {
 307             uint8_t md5[20];
 308             if(strlen(imx_sums[i].md5sum) != 32)
 309             {
 310                 printf("[INFO] Invalid MD5 sum in imx_sums\n");
 311                 return IMX_ERROR;
 312             }
 313             for(int j = 0; j < 16; j++)
 314             {
 315                 byte a, b;
 316                 if(convxdigit(imx_sums[i].md5sum[2 * j], &a) || convxdigit(imx_sums[i].md5sum[2 * j + 1], &b))
 317                     return false;
 318                 md5[j] = (a << 4) | b;
 319             }
 320             if(memcmp(file_md5sum, md5, 16) == 0)
 321                 break;
 322             i++;
 323         }
 324         if(i == NR_IMX_SUMS)
 325         {
 326             printf("[ERR] MD5 sum doesn't match any known file\n");
 327             return IMX_NO_MATCH;
 328         }
 329         model = imx_sums[i].model;
 330     }while(0);
 331     printf("[INFO] File is for model %d (%s)\n", model, imx_models[model].model_name);
 332     /* load rockbox file */
 333     uint8_t *boot;
 334     size_t boot_size;
 335     do
 336     {
 337         FILE *f = fopen(bootfile, "rb");
 338         if(f == NULL)
 339         {
 340             printf("[ERR] Cannot open boot file\n");
 341             return IMX_OPEN_ERROR;
 342         }
 343         fseek(f, 0, SEEK_END);
 344         boot_size = ftell(f);
 345         fseek(f, 0, SEEK_SET);
 346         boot = xmalloc(boot_size);
 347         if(fread(boot, boot_size, 1, f) != 1)
 348         {
 349             free(boot);
 350             fclose(f);
 351             printf("[ERR] Cannot read boot file\n");
 352             return IMX_READ_ERROR;
 353         }
 354         fclose(f);
 355     }while(0);
 356     /* Check boot file */
 357     do
 358     {
 359         if(boot_size < 8)
 360         {
 361             printf("[ERR] Bootloader file is too small to be valid\n");
 362             free(boot);
 363             return IMX_BOOT_INVALID;
 364         }
 365         /* check model name */
 366         uint8_t *name = boot + 4;
 367         if(memcmp(name, imx_models[model].rb_model_name, 4) != 0)
 368         {
 369             printf("[ERR] Bootloader model doesn't match found model for input file\n");
 370             free(boot);
 371             return IMX_BOOT_MISMATCH;
 372         }
 373         /* check checksum */
 374         uint32_t sum = imx_models[model].rb_model_num;
 375         for(int i = 8; i < boot_size; i++)
 376             sum += boot[i];
 377         if(sum != get_uint32be(boot))
 378         {
 379             printf("[ERR] Bootloader checksum mismatch\n");
 380             free(boot);
 381             return IMX_BOOT_CHECKSUM_ERROR;
 382         }
 383     }while(0);
 384     /* load OF file */
 385     struct sb_file_t *sb_file;
 386     do
 387     {
 388         enum sb_error_t err;
 389         g_debug = opt.debug;
 390         clear_keys();
 391         add_keys(imx_models[model].keys, imx_models[model].nr_keys);
 392         sb_file = sb_read_file(infile, false, NULL, &imx_printf, &err);
 393         if(sb_file == NULL)
 394         {
 395             clear_keys();
 396             free(boot);
 397             return IMX_FIRST_SB_ERROR + err;
 398         }
 399     }while(0);
 400     /* produce file */
 401     enum imx_error_t ret = patch_firmware(model, opt.output, sb_file, boot + 8, boot_size - 8);
 402     if(ret == IMX_SUCCESS)
 403         ret = sb_write_file(sb_file, outfile);
 404
 405     clear_keys();
 406     free(boot);
 407     sb_free(sb_file);
 408     return ret;
 409 }