1 /***************************************************************************
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
10 * Copyright (C) 2011 by Amaury Pouly
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
18 * KIND, either express or implied.
20 ****************************************************************************/
26 #include "mkimxboot.h"
31 struct imx_fw_variant_desc_t
33 /* Offset within file */
35 /* Total size of the firmware */
42 enum imx_model_t model
;
43 /* md5sum of the file */
47 /* Variant descriptions */
48 struct imx_fw_variant_desc_t fw_variants
[VARIANT_COUNT
];
51 struct imx_model_desc_t
53 /* Descriptive name of this model */
54 const char *model_name
;
55 /* Dualboot code for this model */
56 const unsigned char *dualboot
;
57 /* Size of dualboot functions for this model */
59 /* Model name used in the Rockbox header in ".sansa" files - these match the
60 -add parameter to the "scramble" tool */
61 const char *rb_model_name
;
62 /* Model number used to initialise the checksum in the Rockbox header in
63 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
64 const int rb_model_num
;
65 /* Number of keys needed to decrypt/encrypt */
68 struct crypto_key_t
*keys
;
69 /* Dualboot load address */
70 uint32_t dualboot_addr
;
71 /* Bootloader load address */
72 uint32_t bootloader_addr
;
75 static const char *imx_fw_variant
[] =
77 [VARIANT_DEFAULT
] = "default",
78 [VARIANT_ZENXFI2_RECOVERY
] = "ZEN X-Fi2 Recovery",
79 [VARIANT_ZENXFI2_NAND
] = "ZEN X-Fi2 NAND",
80 [VARIANT_ZENXFI2_SD
] = "ZEN X-Fi2 eMMC/SD",
81 [VARIANT_ZENXFISTYLE_RECOVERY
] = "ZEN X-Fi Style Recovery",
84 static const struct imx_md5sum_t imx_sums
[] =
88 MODEL_FUZEPLUS
, "c3e27620a877dc6b200b97dcb3e0ecc7", "2.38.6",
89 { [VARIANT_DEFAULT
] = { 0, 34652624 } }
93 MODEL_ZENXFI2
, "e37e2c24abdff8e624d0a29f79157850", "1.23.01",
95 [VARIANT_ZENXFI2_RECOVERY
] = { 602128, 684192},
96 [VARIANT_ZENXFI2_NAND
] = { 1286320, 42406608 },
97 [VARIANT_ZENXFI2_SD
] = { 43692928, 42304208 }
101 /* Version 1.23.01e */
102 MODEL_ZENXFI2
, "2beff2168212d332f13cfc36ca46989d", "1.23.01e",
104 [VARIANT_ZENXFI2_RECOVERY
] = { 0x93010, 684192},
105 [VARIANT_ZENXFI2_NAND
] = { 0x13a0b0, 42410704 },
106 [VARIANT_ZENXFI2_SD
] = { 0x29ac380, 42304208 }
110 /* Version 1.00.15e */
111 MODEL_ZENXFI3
, "658a24eeef5f7186ca731085d8822a87", "1.00.15e",
112 { [VARIANT_DEFAULT
] = {0, 18110576} }
115 /* Version 1.00.22e */
116 MODEL_ZENXFI3
, "a5114cd45ea4554ec221f51a71083862", "1.00.22e",
117 { [VARIANT_DEFAULT
] = {0, 18110576} }
120 /* Version 1.03.04e */
121 MODEL_ZENXFISTYLE
, "32a731b7f714e9f99a95991003759c98", "1.03.04",
123 [VARIANT_DEFAULT
] = {842960, 29876944},
124 [VARIANT_ZENXFISTYLE_RECOVERY
] = {610272, 232688},
128 /* Version 1.03.04e */
129 MODEL_ZENXFISTYLE
, "2c7ee52d9984d85dd39aa49b3331e66c", "1.03.04e",
131 [VARIANT_DEFAULT
] = {842960, 29876944},
132 [VARIANT_ZENXFISTYLE_RECOVERY
] = {610272, 232688},
137 static struct crypto_key_t zero_key
=
139 .method
= CRYPTO_KEY
,
143 static const struct imx_model_desc_t imx_models
[] =
145 [MODEL_FUZEPLUS
] = { "Fuze+", dualboot_fuzeplus
, sizeof(dualboot_fuzeplus
), "fuz+", 72,
146 1, &zero_key
, 0, 0x40000000 },
147 [MODEL_ZENXFI2
] = {"Zen X-Fi2", dualboot_zenxfi2
, sizeof(dualboot_zenxfi2
), "zxf2", 82,
148 1, &zero_key
, 0, 0x40000000 },
149 [MODEL_ZENXFI3
] = {"Zen X-Fi3", dualboot_zenxfi3
, sizeof(dualboot_zenxfi3
), "zxf3", 83,
150 1, &zero_key
, 0, 0x40000000 },
151 [MODEL_ZENXFISTYLE
] = {"Zen X-Fi Style", NULL
, 0, "", -1,
152 1, &zero_key
, 0, 0x40000000 },
155 #define NR_IMX_SUMS (sizeof(imx_sums) / sizeof(imx_sums[0]))
156 #define NR_IMX_MODELS (sizeof(imx_models) / sizeof(imx_models[0]))
158 #define MAGIC_ROCK 0x726f636b /* 'rock' */
159 #define MAGIC_RECOVERY 0xfee1dead
160 #define MAGIC_NORMAL 0xcafebabe
162 static enum imx_error_t
patch_std_zero_host_play(int jump_before
, int model
,
163 enum imx_output_type_t type
, struct sb_file_t
*sb_file
, void *boot
, size_t boot_sz
)
165 /* We assume the file has three boot sections: ____, host, play and one
166 * resource section rsrc.
170 * We patch the file by inserting the dualboot code before the <jump_before>th
171 * call in the ____ section. We give it as argument the section name 'rock'
172 * and add a section called 'rock' after rsrc which contains the bootloader.
174 * Single Boot & Recovery:
175 * -----------------------
176 * We patch the file by inserting the bootloader code after the <jump_before>th
177 * call in the ____ section and get rid of everything else. In recovery mode,
178 * we give 0xfee1dead as argument */
180 /* Do not override real key and IV */
181 sb_file
->override_crypto_iv
= false;
182 sb_file
->override_real_key
= false;
184 /* first locate the good instruction */
185 struct sb_section_t
*sec
= &sb_file
->sections
[0];
187 while(jump_idx
< sec
->nr_insts
&& jump_before
> 0)
188 if(sec
->insts
[jump_idx
++].inst
== SB_INST_CALL
)
190 if(jump_idx
== sec
->nr_insts
)
192 printf("[ERR] Cannot locate call in section ____\n");
193 return IMX_DONT_KNOW_HOW_TO_PATCH
;
196 if(type
== IMX_DUALBOOT
)
198 /* create a new instruction array with a hole for two instructions */
199 struct sb_inst_t
*new_insts
= xmalloc(sizeof(struct sb_inst_t
) * (sec
->nr_insts
+ 2));
200 memcpy(new_insts
, sec
->insts
, sizeof(struct sb_inst_t
) * jump_idx
);
201 memcpy(new_insts
+ jump_idx
+ 2, sec
->insts
+ jump_idx
,
202 sizeof(struct sb_inst_t
) * (sec
->nr_insts
- jump_idx
));
203 /* first instruction is be a load */
204 struct sb_inst_t
*load
= &new_insts
[jump_idx
];
205 memset(load
, 0, sizeof(struct sb_inst_t
));
206 load
->inst
= SB_INST_LOAD
;
207 load
->size
= imx_models
[model
].dualboot_size
;
208 load
->addr
= imx_models
[model
].dualboot_addr
;
209 /* duplicate memory because it will be free'd */
210 load
->data
= memdup(imx_models
[model
].dualboot
, imx_models
[model
].dualboot_size
);
211 /* second instruction is a call */
212 struct sb_inst_t
*call
= &new_insts
[jump_idx
+ 1];
213 memset(call
, 0, sizeof(struct sb_inst_t
));
214 call
->inst
= SB_INST_CALL
;
215 call
->addr
= imx_models
[model
].dualboot_addr
;
216 call
->argument
= MAGIC_ROCK
;
217 /* free old instruction array */
219 sec
->insts
= new_insts
;
222 /* create a new section */
223 struct sb_section_t rock_sec
;
224 memset(&rock_sec
, 0, sizeof(rock_sec
));
225 /* section has two instructions: load and call */
226 rock_sec
.identifier
= MAGIC_ROCK
;
227 rock_sec
.alignment
= BLOCK_SIZE
;
228 rock_sec
.nr_insts
= 2;
229 rock_sec
.insts
= xmalloc(2 * sizeof(struct sb_inst_t
));
230 memset(rock_sec
.insts
, 0, 2 * sizeof(struct sb_inst_t
));
231 rock_sec
.insts
[0].inst
= SB_INST_LOAD
;
232 rock_sec
.insts
[0].size
= boot_sz
;
233 rock_sec
.insts
[0].data
= memdup(boot
, boot_sz
);
234 rock_sec
.insts
[0].addr
= imx_models
[model
].bootloader_addr
;
235 rock_sec
.insts
[1].inst
= SB_INST_JUMP
;
236 rock_sec
.insts
[1].addr
= imx_models
[model
].bootloader_addr
;
237 rock_sec
.insts
[1].argument
= MAGIC_NORMAL
;
239 sb_file
->sections
= augment_array(sb_file
->sections
,
240 sizeof(struct sb_section_t
), sb_file
->nr_sections
,
242 sb_file
->nr_sections
++;
246 else if(type
== IMX_SINGLEBOOT
|| type
== IMX_RECOVERY
)
248 bool recovery
= type
== IMX_RECOVERY
;
249 /* remove everything after the call and add two instructions: load and call */
250 struct sb_inst_t
*new_insts
= xmalloc(sizeof(struct sb_inst_t
) * (jump_idx
+ 2));
251 memcpy(new_insts
, sec
->insts
, sizeof(struct sb_inst_t
) * jump_idx
);
252 for(int i
= jump_idx
; i
< sec
->nr_insts
; i
++)
253 sb_free_instruction(sec
->insts
[i
]);
254 memset(new_insts
+ jump_idx
, 0, 2 * sizeof(struct sb_inst_t
));
255 new_insts
[jump_idx
+ 0].inst
= SB_INST_LOAD
;
256 new_insts
[jump_idx
+ 0].size
= boot_sz
;
257 new_insts
[jump_idx
+ 0].data
= memdup(boot
, boot_sz
);
258 new_insts
[jump_idx
+ 0].addr
= imx_models
[model
].bootloader_addr
;
259 new_insts
[jump_idx
+ 1].inst
= SB_INST_JUMP
;
260 new_insts
[jump_idx
+ 1].addr
= imx_models
[model
].bootloader_addr
;
261 new_insts
[jump_idx
+ 1].argument
= recovery
? MAGIC_RECOVERY
: MAGIC_NORMAL
;
264 sec
->insts
= new_insts
;
265 sec
->nr_insts
= jump_idx
+ 2;
266 /* remove all other sections */
267 for(int i
= 1; i
< sb_file
->nr_sections
; i
++)
268 sb_free_section(sb_file
->sections
[i
]);
269 struct sb_section_t
*new_sec
= xmalloc(sizeof(struct sb_section_t
));
270 memcpy(new_sec
, &sb_file
->sections
[0], sizeof(struct sb_section_t
));
271 free(sb_file
->sections
);
272 sb_file
->sections
= new_sec
;
273 sb_file
->nr_sections
= 1;
279 printf("[ERR] Bad output type !\n");
280 return IMX_DONT_KNOW_HOW_TO_PATCH
;
284 static enum imx_error_t
parse_subversion(const char *s
, const char *end
, uint16_t *ver
)
286 int len
= (end
== NULL
) ? strlen(s
) : end
- s
;
289 printf("[ERR] Bad subversion override '%s' (too long)\n", s
);
293 for(int i
= 0; i
< len
; i
++)
297 printf("[ERR] Bad subversion override '%s' (not a digit)\n", s
);
300 *ver
= *ver
<< 4 | (s
[i
] - '0');
305 static enum imx_error_t
parse_version(const char *s
, struct sb_version_t
*ver
)
307 const char *dot1
= strchr(s
, '.');
310 printf("[ERR] Bad version override '%s' (missing dot)\n", s
);
313 const char *dot2
= strchr(dot1
+ 1, '.');
316 printf("[ERR] Bad version override '%s' (missing second dot)\n", s
);
319 enum imx_error_t ret
= parse_subversion(s
, dot1
, &ver
->major
);
320 if(ret
!= IMX_SUCCESS
) return ret
;
321 ret
= parse_subversion(dot1
+ 1, dot2
, &ver
->minor
);
322 if(ret
!= IMX_SUCCESS
) return ret
;
323 ret
= parse_subversion(dot2
+ 1, NULL
, &ver
->revision
);
324 if(ret
!= IMX_SUCCESS
) return ret
;
328 static enum imx_error_t
patch_firmware(enum imx_model_t model
,
329 enum imx_firmware_variant_t variant
, enum imx_output_type_t type
,
330 struct sb_file_t
*sb_file
, void *boot
, size_t boot_sz
,
331 const char *force_version
)
335 enum imx_error_t err
= parse_version(force_version
, &sb_file
->product_ver
);
336 if(err
!= IMX_SUCCESS
) return err
;
337 err
= parse_version(force_version
, &sb_file
->component_ver
);
338 if(err
!= IMX_SUCCESS
) return err
;
343 /* The Fuze+ uses the standard ____, host, play sections, patch after third
344 * call in ____ section */
345 return patch_std_zero_host_play(3, model
, type
, sb_file
, boot
, boot_sz
);
347 /* The ZEN X-Fi3 uses the standard ____, hSst, pSay sections, patch after third
348 * call in ____ section. Although sections names use the S variant, they are standard. */
349 return patch_std_zero_host_play(3, model
, type
, sb_file
, boot
, boot_sz
);
351 /* The ZEN X-Fi2 has two types of firmware: recovery and normal.
352 * Normal uses the standard ___, host, play sections and recovery only ____ */
355 case VARIANT_ZENXFI2_RECOVERY
:
356 case VARIANT_ZENXFI2_NAND
:
357 case VARIANT_ZENXFI2_SD
:
358 return patch_std_zero_host_play(1, model
, type
, sb_file
, boot
, boot_sz
);
360 return IMX_DONT_KNOW_HOW_TO_PATCH
;
364 return IMX_DONT_KNOW_HOW_TO_PATCH
;
368 static void imx_printf(void *user
, bool error
, color_t c
, const char *fmt
, ...)
384 static uint32_t get_uint32be(unsigned char *p
)
386 return (p
[0] << 24) | (p
[1] << 16) | (p
[2] << 8) | p
[3];
389 void dump_imx_dev_info(const char *prefix
)
391 printf("%smkimxboot models:\n", prefix
);
392 for(int i
= 0; i
< NR_IMX_MODELS
; i
++)
394 printf("%s %s: idx=%d rb_model=%s rb_num=%d\n", prefix
,
395 imx_models
[i
].model_name
, i
, imx_models
[i
].rb_model_name
,
396 imx_models
[i
].rb_model_num
);
398 printf("%smkimxboot variants:\n", prefix
);
399 for(int i
= 0; i
< VARIANT_COUNT
; i
++)
401 printf("%s %d: %s\n", prefix
, i
, imx_fw_variant
[i
]);
403 printf("%smkimxboot mapping:\n", prefix
);
404 for(int i
= 0; i
< NR_IMX_SUMS
; i
++)
406 printf("%s md5sum=%s -> idx=%d, ver=%s\n", prefix
, imx_sums
[i
].md5sum
,
407 imx_sums
[i
].model
, imx_sums
[i
].version
);
408 for(int j
= 0; j
< VARIANT_COUNT
; j
++)
409 if(imx_sums
[i
].fw_variants
[j
].size
)
410 printf("%s variant=%d -> offset=%#x size=%#x\n", prefix
,
411 j
, (unsigned)imx_sums
[i
].fw_variants
[j
].offset
,
412 (unsigned)imx_sums
[i
].fw_variants
[j
].size
);
416 enum imx_error_t
mkimxboot(const char *infile
, const char *bootfile
,
417 const char *outfile
, struct imx_option_t opt
)
420 if(opt
.fw_variant
> VARIANT_COUNT
) {
423 dump_imx_dev_info("[INFO] ");
424 /* compute MD5 sum of the file */
425 uint8_t file_md5sum
[16];
428 FILE *f
= fopen(infile
, "rb");
431 printf("[ERR] Cannot open input file\n");
432 return IMX_OPEN_ERROR
;
434 fseek(f
, 0, SEEK_END
);
435 size_t sz
= ftell(f
);
436 fseek(f
, 0, SEEK_SET
);
437 void *buf
= xmalloc(sz
);
438 if(fread(buf
, sz
, 1, f
) != 1)
442 printf("[ERR] Cannot read file\n");
443 return IMX_READ_ERROR
;
448 md5_update(&ctx
, buf
, sz
);
449 md5_finish(&ctx
, file_md5sum
);
452 printf("[INFO] MD5 sum of the file: ");
453 print_hex(file_md5sum
, 16, true);
455 enum imx_model_t model
;
460 while(i
< NR_IMX_SUMS
)
463 if(strlen(imx_sums
[i
].md5sum
) != 32)
465 printf("[INFO] Invalid MD5 sum in imx_sums\n");
468 for(int j
= 0; j
< 16; j
++)
471 if(convxdigit(imx_sums
[i
].md5sum
[2 * j
], &a
) || convxdigit(imx_sums
[i
].md5sum
[2 * j
+ 1], &b
))
473 printf("[ERR][INTERNAL] Bad checksum format: %s\n", imx_sums
[i
].md5sum
);
476 md5
[j
] = (a
<< 4) | b
;
478 if(memcmp(file_md5sum
, md5
, 16) == 0)
484 printf("[ERR] MD5 sum doesn't match any known file\n");
487 model
= imx_sums
[i
].model
;
490 printf("[INFO] File is for model %d (%s, version %s)\n", model
,
491 imx_models
[model
].model_name
, imx_sums
[md5_idx
].version
);
492 /* load rockbox file */
497 FILE *f
= fopen(bootfile
, "rb");
500 printf("[ERR] Cannot open boot file\n");
501 return IMX_OPEN_ERROR
;
503 fseek(f
, 0, SEEK_END
);
504 boot_size
= ftell(f
);
505 fseek(f
, 0, SEEK_SET
);
506 boot
= xmalloc(boot_size
);
507 if(fread(boot
, boot_size
, 1, f
) != 1)
511 printf("[ERR] Cannot read boot file\n");
512 return IMX_READ_ERROR
;
516 /* Check boot file */
521 printf("[ERR] Bootloader file is too small to be valid\n");
523 return IMX_BOOT_INVALID
;
525 /* check model name */
526 uint8_t *name
= boot
+ 4;
527 if(memcmp(name
, imx_models
[model
].rb_model_name
, 4) != 0)
529 printf("[ERR] Bootloader model doesn't match found model for input file\n");
531 return IMX_BOOT_MISMATCH
;
534 uint32_t sum
= imx_models
[model
].rb_model_num
;
535 for(int i
= 8; i
< boot_size
; i
++)
537 if(sum
!= get_uint32be(boot
))
539 printf("[ERR] Bootloader checksum mismatch\n");
541 return IMX_BOOT_CHECKSUM_ERROR
;
545 struct sb_file_t
*sb_file
;
548 if(imx_sums
[md5_idx
].fw_variants
[opt
.fw_variant
].size
== 0)
550 printf("[ERR] Input file does not contain variant '%s'\n", imx_fw_variant
[opt
.fw_variant
]);
552 return IMX_VARIANT_MISMATCH
;
557 add_keys(imx_models
[model
].keys
, imx_models
[model
].nr_keys
);
558 sb_file
= sb_read_file_ex(infile
, imx_sums
[md5_idx
].fw_variants
[opt
.fw_variant
].offset
,
559 imx_sums
[md5_idx
].fw_variants
[opt
.fw_variant
].size
, false, NULL
, &imx_printf
, &err
);
564 return IMX_FIRST_SB_ERROR
+ err
;
568 enum imx_error_t ret
= patch_firmware(model
, opt
.fw_variant
, opt
.output
,
569 sb_file
, boot
+ 8, boot_size
- 8, opt
.force_version
);
570 if(ret
== IMX_SUCCESS
)
571 ret
= sb_write_file(sb_file
, outfile
);
579 enum imx_error_t
extract_firmware(const char *infile
,
580 enum imx_firmware_variant_t fw_variant
, const char *outfile
)
583 if(fw_variant
> VARIANT_COUNT
) {
586 dump_imx_dev_info("[INFO] ");
587 /* compute MD5 sum of the file */
588 uint8_t file_md5sum
[16];
589 FILE *f
= fopen(infile
, "rb");
592 printf("[ERR] Cannot open input file\n");
593 return IMX_OPEN_ERROR
;
595 fseek(f
, 0, SEEK_END
);
596 size_t sz
= ftell(f
);
597 fseek(f
, 0, SEEK_SET
);
598 void *buf
= xmalloc(sz
);
599 if(fread(buf
, sz
, 1, f
) != 1)
603 printf("[ERR] Cannot read file\n");
604 return IMX_READ_ERROR
;
608 md5_update(&ctx
, buf
, sz
);
609 md5_finish(&ctx
, file_md5sum
);
612 printf("[INFO] MD5 sum of the file: ");
613 print_hex(file_md5sum
, 16, true);
615 enum imx_model_t model
;
620 while(i
< NR_IMX_SUMS
)
623 if(strlen(imx_sums
[i
].md5sum
) != 32)
625 printf("[INFO] Invalid MD5 sum in imx_sums\n");
628 for(int j
= 0; j
< 16; j
++)
631 if(convxdigit(imx_sums
[i
].md5sum
[2 * j
], &a
) || convxdigit(imx_sums
[i
].md5sum
[2 * j
+ 1], &b
))
633 printf("[ERR][INTERNAL] Bad checksum format: %s\n", imx_sums
[i
].md5sum
);
637 md5
[j
] = (a
<< 4) | b
;
639 if(memcmp(file_md5sum
, md5
, 16) == 0)
645 printf("[ERR] MD5 sum doesn't match any known file\n");
648 model
= imx_sums
[i
].model
;
651 printf("[INFO] File is for model %d (%s, version %s)\n", model
,
652 imx_models
[model
].model_name
, imx_sums
[md5_idx
].version
);
654 if(imx_sums
[md5_idx
].fw_variants
[fw_variant
].size
== 0)
656 printf("[ERR] Input file does not contain variant '%s'\n", imx_fw_variant
[fw_variant
]);
658 return IMX_VARIANT_MISMATCH
;
661 f
= fopen(outfile
, "wb");
664 printf("[ERR] Cannot open input file\n");
666 return IMX_OPEN_ERROR
;
668 enum imx_error_t ret
= IMX_SUCCESS
;
670 if(fwrite(buf
+ imx_sums
[md5_idx
].fw_variants
[fw_variant
].offset
,
671 imx_sums
[md5_idx
].fw_variants
[fw_variant
].size
, 1, f
) != 1)
673 printf("[ERR] Cannot write file\n");