search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mkimxboot: add an option to extract the of without processing
[maemo-rb.git] / rbutil / mkimxboot / mkimxboot.c
blob9e43bbd61c36a52068c4e41c3d6a00697cd6eca4
1 /***************************************************************************
2 * __________ __ ___.
3 * Open \______ \ ____ ____ | | _\_ |__ _______ ___
4 * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
5 * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
6 * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
7 * \/ \/ \/ \/ \/
8 * $Id$
9 *
10 * Copyright (C) 2011 by Amaury Pouly
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
16 *
17 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
18 * KIND, either express or implied.
19 *
20 ****************************************************************************/
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <stdarg.h>
24 #include "mkimxboot.h"
25 #include "sb.h"
26 #include "dualboot.h"
27 #include "md5.h"
28
29 struct imx_fw_variant_desc_t
30 {
31 /* Offset within file */
32 size_t offset;
33 /* Total size of the firmware */
34 size_t size;
35 };
36
37 struct imx_md5sum_t
38 {
39 /* Device model */
40 enum imx_model_t model;
41 /* md5sum of the file */
42 char *md5sum;
43 /* Version string */
44 const char *version;
45 /* Variant descriptions */
46 struct imx_fw_variant_desc_t fw_variants[VARIANT_COUNT];
47 };
48
49 struct imx_model_desc_t
50 {
51 /* Descriptive name of this model */
52 const char *model_name;
53 /* Dualboot code for this model */
54 const unsigned char *dualboot;
55 /* Size of dualboot functions for this model */
56 int dualboot_size;
57 /* Model name used in the Rockbox header in ".sansa" files - these match the
58 -add parameter to the "scramble" tool */
59 const char *rb_model_name;
60 /* Model number used to initialise the checksum in the Rockbox header in
61 ".sansa" files - these are the same as MODEL_NUMBER in config-target.h */
62 const int rb_model_num;
63 /* Number of keys needed to decrypt/encrypt */
64 int nr_keys;
65 /* Array of keys */
66 struct crypto_key_t *keys;
67 /* Dualboot load address */
68 uint32_t dualboot_addr;
69 /* Bootloader load address */
70 uint32_t bootloader_addr;
71 };
72
73 static const char *imx_fw_variant[] =
74 {
75 [VARIANT_DEFAULT] = "default",
76 [VARIANT_ZENXFI2_RECOVERY] = "ZEN X-Fi2 Recovery",
77 [VARIANT_ZENXFI2_NAND] = "ZEN X-Fi2 NAND",
78 [VARIANT_ZENXFI2_SD] = "ZEN X-Fi2 eMMC/SD",
79 };
80
81 static const struct imx_md5sum_t imx_sums[] =
82 {
83 {
84 /* Version 2.38.6 */
85 MODEL_FUZEPLUS, "c3e27620a877dc6b200b97dcb3e0ecc7", "2.38.6",
86 { [VARIANT_DEFAULT] = { 0, 34652624 } }
87 },
88 {
89 /* Version 1.23.01e */
90 MODEL_ZENXFI2, "e37e2c24abdff8e624d0a29f79157850", "1.23.01e",
91 },
92 {
93 /* Version 1.23.01e */
94 MODEL_ZENXFI2, "2beff2168212d332f13cfc36ca46989d", "1.23.01e",
95 { [VARIANT_ZENXFI2_RECOVERY] = { 0x93010, 684192},
96 [VARIANT_ZENXFI2_NAND] = { 0x13a0b0, 42410704 },
97 [VARIANT_ZENXFI2_SD] = { 0x29ac380, 42304208 }
98 }
99 },
100 {
101 /* Version 1.00.15e */
102 MODEL_ZENXFI3, "658a24eeef5f7186ca731085d8822a87", "1.00.15e",
103 { [VARIANT_DEFAULT] = {0, 18110576} }
104 },
105 {
106 /* Version 1.00.22e */
107 MODEL_ZENXFI3, "a5114cd45ea4554ec221f51a71083862", "1.00.22e",
108 { [VARIANT_DEFAULT] = {0, 18110576} }
109 },
110 };
111
112 static struct crypto_key_t zero_key =
113 {
114 .method = CRYPTO_KEY,
115 .u.key = {0}
116 };
117
118 static const struct imx_model_desc_t imx_models[] =
119 {
120 [MODEL_FUZEPLUS] = { "Fuze+", dualboot_fuzeplus, sizeof(dualboot_fuzeplus), "fuz+", 72,
121 1, &zero_key, 0, 0x40000000 },
122 [MODEL_ZENXFI2] = {"Zen X-Fi2", dualboot_zenxfi2, sizeof(dualboot_zenxfi2), "zxf2", 82,
123 1, &zero_key, 0, 0x40000000 },
124 [MODEL_ZENXFI3] = {"Zen X-Fi3", dualboot_zenxfi3, sizeof(dualboot_zenxfi3), "zxf3", 83,
125 1, &zero_key, 0, 0x40000000 },
126 };
127
128 #define NR_IMX_SUMS (sizeof(imx_sums) / sizeof(imx_sums[0]))
129 #define NR_IMX_MODELS (sizeof(imx_models) / sizeof(imx_models[0]))
130
131 #define MAGIC_ROCK 0x726f636b /* 'rock' */
132 #define MAGIC_RECOVERY 0xfee1dead
133 #define MAGIC_NORMAL 0xcafebabe
134
135 static enum imx_error_t patch_std_zero_host_play(int jump_before, int model,
136 enum imx_output_type_t type, struct sb_file_t *sb_file, void *boot, size_t boot_sz)
137 {
138 /* We assume the file has three boot sections: ____, host, play and one
139 * resource section rsrc.
140 *
141 * Dual Boot:
142 * ----------
143 * We patch the file by inserting the dualboot code before the <jump_before>th
144 * call in the ____ section. We give it as argument the section name 'rock'
145 * and add a section called 'rock' after rsrc which contains the bootloader.
146 *
147 * Single Boot & Recovery:
148 * -----------------------
149 * We patch the file by inserting the bootloader code after the <jump_before>th
150 * call in the ____ section and get rid of everything else. In recovery mode,
151 * we give 0xfee1dead as argument */
152
153 /* Do not override real key and IV */
154 sb_file->override_crypto_iv = false;
155 sb_file->override_real_key = false;
156
157 /* first locate the good instruction */
158 struct sb_section_t *sec = &sb_file->sections[0];
159 int jump_idx = 0;
160 while(jump_idx < sec->nr_insts && jump_before > 0)
161 if(sec->insts[jump_idx++].inst == SB_INST_CALL)
162 jump_before--;
163 if(jump_idx == sec->nr_insts)
164 {
165 printf("[ERR] Cannot locate call in section ____\n");
166 return IMX_DONT_KNOW_HOW_TO_PATCH;
167 }
168
169 if(type == IMX_DUALBOOT)
170 {
171 /* create a new instruction array with a hole for two instructions */
172 struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (sec->nr_insts + 2));
173 memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
174 memcpy(new_insts + jump_idx + 2, sec->insts + jump_idx,
175 sizeof(struct sb_inst_t) * (sec->nr_insts - jump_idx));
176 /* first instruction is be a load */
177 struct sb_inst_t *load = &new_insts[jump_idx];
178 memset(load, 0, sizeof(struct sb_inst_t));
179 load->inst = SB_INST_LOAD;
180 load->size = imx_models[model].dualboot_size;
181 load->addr = imx_models[model].dualboot_addr;
182 /* duplicate memory because it will be free'd */
183 load->data = memdup(imx_models[model].dualboot, imx_models[model].dualboot_size);
184 /* second instruction is a call */
185 struct sb_inst_t *call = &new_insts[jump_idx + 1];
186 memset(call, 0, sizeof(struct sb_inst_t));
187 call->inst = SB_INST_CALL;
188 call->addr = imx_models[model].dualboot_addr;
189 call->argument = MAGIC_ROCK;
190 /* free old instruction array */
191 free(sec->insts);
192 sec->insts = new_insts;
193 sec->nr_insts += 2;
194
195 /* create a new section */
196 struct sb_section_t rock_sec;
197 memset(&rock_sec, 0, sizeof(rock_sec));
198 /* section has two instructions: load and call */
199 rock_sec.identifier = MAGIC_ROCK;
200 rock_sec.alignment = BLOCK_SIZE;
201 rock_sec.nr_insts = 2;
202 rock_sec.insts = xmalloc(2 * sizeof(struct sb_inst_t));
203 memset(rock_sec.insts, 0, 2 * sizeof(struct sb_inst_t));
204 rock_sec.insts[0].inst = SB_INST_LOAD;
205 rock_sec.insts[0].size = boot_sz;
206 rock_sec.insts[0].data = memdup(boot, boot_sz);
207 rock_sec.insts[0].addr = imx_models[model].bootloader_addr;
208 rock_sec.insts[1].inst = SB_INST_JUMP;
209 rock_sec.insts[1].addr = imx_models[model].bootloader_addr;
210 rock_sec.insts[1].argument = MAGIC_NORMAL;
211
212 sb_file->sections = augment_array(sb_file->sections,
213 sizeof(struct sb_section_t), sb_file->nr_sections,
214 &rock_sec, 1);
215 sb_file->nr_sections++;
216
217 return IMX_SUCCESS;
218 }
219 else if(type == IMX_SINGLEBOOT || type == IMX_RECOVERY)
220 {
221 bool recovery = type == IMX_RECOVERY;
222 /* remove everything after the call and add two instructions: load and call */
223 struct sb_inst_t *new_insts = xmalloc(sizeof(struct sb_inst_t) * (jump_idx + 2));
224 memcpy(new_insts, sec->insts, sizeof(struct sb_inst_t) * jump_idx);
225 for(int i = jump_idx; i < sec->nr_insts; i++)
226 sb_free_instruction(sec->insts[i]);
227 memset(new_insts + jump_idx, 0, 2 * sizeof(struct sb_inst_t));
228 new_insts[jump_idx + 0].inst = SB_INST_LOAD;
229 new_insts[jump_idx + 0].size = boot_sz;
230 new_insts[jump_idx + 0].data = memdup(boot, boot_sz);
231 new_insts[jump_idx + 0].addr = imx_models[model].bootloader_addr;
232 new_insts[jump_idx + 1].inst = SB_INST_JUMP;
233 new_insts[jump_idx + 1].addr = imx_models[model].bootloader_addr;
234 new_insts[jump_idx + 1].argument = recovery ? MAGIC_RECOVERY : MAGIC_NORMAL;
235
236 free(sec->insts);
237 sec->insts = new_insts;
238 sec->nr_insts = jump_idx + 2;
239 /* remove all other sections */
240 for(int i = 1; i < sb_file->nr_sections; i++)
241 sb_free_section(sb_file->sections[i]);
242 struct sb_section_t *new_sec = xmalloc(sizeof(struct sb_section_t));
243 memcpy(new_sec, &sb_file->sections[0], sizeof(struct sb_section_t));
244 free(sb_file->sections);
245 sb_file->sections = new_sec;
246 sb_file->nr_sections = 1;
247
248 return IMX_SUCCESS;
249 }
250 else
251 {
252 printf("[ERR] Bad output type !\n");
253 return IMX_DONT_KNOW_HOW_TO_PATCH;
254 }
255 }
256
257 static enum imx_error_t patch_firmware(enum imx_model_t model,
258 enum imx_firmware_variant_t variant, enum imx_output_type_t type,
259 struct sb_file_t *sb_file, void *boot, size_t boot_sz)
260 {
261 switch(model)
262 {
263 case MODEL_FUZEPLUS:
264 /* The Fuze+ uses the standard ____, host, play sections, patch after third
265 * call in ____ section */
266 return patch_std_zero_host_play(3, model, type, sb_file, boot, boot_sz);
267 case MODEL_ZENXFI3:
268 /* The ZEN X-Fi3 uses the standard ____, hSst, pSay sections, patch after third
269 * call in ____ section. Although sections names use the S variant, they are standard. */
270 return patch_std_zero_host_play(3, model, type, sb_file, boot, boot_sz);
271 case MODEL_ZENXFI2:
272 /* The ZEN X-Fi2 has two types of firmware: recovery and normal.
273 * Normal uses the standard ___, host, play sections and recovery only ____ */
274 switch(variant)
275 {
276 case VARIANT_ZENXFI2_RECOVERY:
277 case VARIANT_ZENXFI2_NAND:
278 case VARIANT_ZENXFI2_SD:
279 return patch_std_zero_host_play(1, model, type, sb_file, boot, boot_sz);
280 default:
281 return IMX_DONT_KNOW_HOW_TO_PATCH;
282 }
283 break;
284 default:
285 return IMX_DONT_KNOW_HOW_TO_PATCH;
286 }
287 }
288
289 static void imx_printf(void *user, bool error, color_t c, const char *fmt, ...)
290 {
291 (void) user;
292 (void) c;
293 va_list args;
294 va_start(args, fmt);
295 /*
296 if(error)
297 printf("[ERR] ");
298 else
299 printf("[INFO] ");
300 */
301 vprintf(fmt, args);
302 va_end(args);
303 }
304
305 static uint32_t get_uint32be(unsigned char *p)
306 {
307 return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
308 }
309
310 void dump_imx_dev_info(const char *prefix)
311 {
312 printf("%smkimxboot models:\n", prefix);
313 for(int i = 0; i < NR_IMX_MODELS; i++)
314 {
315 printf("%s %s: idx=%d rb_model=%s rb_num=%d\n", prefix,
316 imx_models[i].model_name, i, imx_models[i].rb_model_name,
317 imx_models[i].rb_model_num);
318 }
319 printf("%smkimxboot variants:\n", prefix);
320 for(int i = 0; i < VARIANT_COUNT; i++)
321 {
322 printf("%s %d: %s\n", prefix, i, imx_fw_variant[i]);
323 }
324 printf("%smkimxboot mapping:\n", prefix);
325 for(int i = 0; i < NR_IMX_SUMS; i++)
326 {
327 printf("%s md5sum=%s -> idx=%d, ver=%s\n", prefix, imx_sums[i].md5sum,
328 imx_sums[i].model, imx_sums[i].version);
329 for(int j = 0; j < VARIANT_COUNT; j++)
330 if(imx_sums[i].fw_variants[j].size)
331 printf("%s variant=%d -> offset=%#x size=%#x\n", prefix,
332 j, (unsigned)imx_sums[i].fw_variants[j].offset,
333 (unsigned)imx_sums[i].fw_variants[j].size);
334 }
335 }
336
337 enum imx_error_t mkimxboot(const char *infile, const char *bootfile,
338 const char *outfile, struct imx_option_t opt)
339 {
340 /* Dump tables */
341 if(opt.fw_variant > VARIANT_COUNT) {
342 return IMX_ERROR;
343 }
344 dump_imx_dev_info("[INFO] ");
345 /* compute MD5 sum of the file */
346 uint8_t file_md5sum[16];
347 do
348 {
349 FILE *f = fopen(infile, "rb");
350 if(f == NULL)
351 {
352 printf("[ERR] Cannot open input file\n");
353 return IMX_OPEN_ERROR;
354 }
355 fseek(f, 0, SEEK_END);
356 size_t sz = ftell(f);
357 fseek(f, 0, SEEK_SET);
358 void *buf = xmalloc(sz);
359 if(fread(buf, sz, 1, f) != 1)
360 {
361 fclose(f);
362 free(buf);
363 printf("[ERR] Cannot read file\n");
364 return IMX_READ_ERROR;
365 }
366 fclose(f);
367 md5_context ctx;
368 md5_starts(&ctx);
369 md5_update(&ctx, buf, sz);
370 md5_finish(&ctx, file_md5sum);
371 free(buf);
372 }while(0);
373 printf("[INFO] MD5 sum of the file: ");
374 print_hex(file_md5sum, 16, true);
375 /* find model */
376 enum imx_model_t model;
377 int md5_idx;
378 do
379 {
380 int i = 0;
381 while(i < NR_IMX_SUMS)
382 {
383 uint8_t md5[20];
384 if(strlen(imx_sums[i].md5sum) != 32)
385 {
386 printf("[INFO] Invalid MD5 sum in imx_sums\n");
387 return IMX_ERROR;
388 }
389 for(int j = 0; j < 16; j++)
390 {
391 byte a, b;
392 if(convxdigit(imx_sums[i].md5sum[2 * j], &a) || convxdigit(imx_sums[i].md5sum[2 * j + 1], &b))
393 {
394 printf("[ERR][INTERNAL] Bad checksum format: %s\n", imx_sums[i].md5sum);
395 return IMX_ERROR;
396 }
397 md5[j] = (a << 4) | b;
398 }
399 if(memcmp(file_md5sum, md5, 16) == 0)
400 break;
401 i++;
402 }
403 if(i == NR_IMX_SUMS)
404 {
405 printf("[ERR] MD5 sum doesn't match any known file\n");
406 return IMX_NO_MATCH;
407 }
408 model = imx_sums[i].model;
409 md5_idx = i;
410 }while(0);
411 printf("[INFO] File is for model %d (%s, version %s)\n", model,
412 imx_models[model].model_name, imx_sums[md5_idx].version);
413 /* load rockbox file */
414 uint8_t *boot;
415 size_t boot_size;
416 do
417 {
418 FILE *f = fopen(bootfile, "rb");
419 if(f == NULL)
420 {
421 printf("[ERR] Cannot open boot file\n");
422 return IMX_OPEN_ERROR;
423 }
424 fseek(f, 0, SEEK_END);
425 boot_size = ftell(f);
426 fseek(f, 0, SEEK_SET);
427 boot = xmalloc(boot_size);
428 if(fread(boot, boot_size, 1, f) != 1)
429 {
430 free(boot);
431 fclose(f);
432 printf("[ERR] Cannot read boot file\n");
433 return IMX_READ_ERROR;
434 }
435 fclose(f);
436 }while(0);
437 /* Check boot file */
438 do
439 {
440 if(boot_size < 8)
441 {
442 printf("[ERR] Bootloader file is too small to be valid\n");
443 free(boot);
444 return IMX_BOOT_INVALID;
445 }
446 /* check model name */
447 uint8_t *name = boot + 4;
448 if(memcmp(name, imx_models[model].rb_model_name, 4) != 0)
449 {
450 printf("[ERR] Bootloader model doesn't match found model for input file\n");
451 free(boot);
452 return IMX_BOOT_MISMATCH;
453 }
454 /* check checksum */
455 uint32_t sum = imx_models[model].rb_model_num;
456 for(int i = 8; i < boot_size; i++)
457 sum += boot[i];
458 if(sum != get_uint32be(boot))
459 {
460 printf("[ERR] Bootloader checksum mismatch\n");
461 free(boot);
462 return IMX_BOOT_CHECKSUM_ERROR;
463 }
464 }while(0);
465 /* load OF file */
466 struct sb_file_t *sb_file;
467 do
468 {
469 if(imx_sums[md5_idx].fw_variants[opt.fw_variant].size == 0)
470 {
471 printf("[ERR] Input file does not contain variant '%s'\n", imx_fw_variant[opt.fw_variant]);
472 free(boot);
473 return IMX_VARIANT_MISMATCH;
474 }
475 enum sb_error_t err;
476 g_debug = opt.debug;
477 clear_keys();
478 add_keys(imx_models[model].keys, imx_models[model].nr_keys);
479 sb_file = sb_read_file_ex(infile, imx_sums[md5_idx].fw_variants[opt.fw_variant].offset,
480 imx_sums[md5_idx].fw_variants[opt.fw_variant].size, false, NULL, &imx_printf, &err);
481 if(sb_file == NULL)
482 {
483 clear_keys();
484 free(boot);
485 return IMX_FIRST_SB_ERROR + err;
486 }
487 }while(0);
488 /* produce file */
489 enum imx_error_t ret = patch_firmware(model, opt.fw_variant, opt.output, sb_file, boot + 8, boot_size - 8);
490 if(ret == IMX_SUCCESS)
491 ret = sb_write_file(sb_file, outfile);
492
493 clear_keys();
494 free(boot);
495 sb_free(sb_file);
496 return ret;
497 }
498
499 enum imx_error_t extract_firmware(const char *infile,
500 enum imx_firmware_variant_t fw_variant, const char *outfile)
501 {
502 /* Dump tables */
503 if(fw_variant > VARIANT_COUNT) {
504 return IMX_ERROR;
505 }
506 dump_imx_dev_info("[INFO] ");
507 /* compute MD5 sum of the file */
508 uint8_t file_md5sum[16];
509 FILE *f = fopen(infile, "rb");
510 if(f == NULL)
511 {
512 printf("[ERR] Cannot open input file\n");
513 return IMX_OPEN_ERROR;
514 }
515 fseek(f, 0, SEEK_END);
516 size_t sz = ftell(f);
517 fseek(f, 0, SEEK_SET);
518 void *buf = xmalloc(sz);
519 if(fread(buf, sz, 1, f) != 1)
520 {
521 fclose(f);
522 free(buf);
523 printf("[ERR] Cannot read file\n");
524 return IMX_READ_ERROR;
525 }
526 md5_context ctx;
527 md5_starts(&ctx);
528 md5_update(&ctx, buf, sz);
529 md5_finish(&ctx, file_md5sum);
530 fclose(f);
531
532 printf("[INFO] MD5 sum of the file: ");
533 print_hex(file_md5sum, 16, true);
534 /* find model */
535 enum imx_model_t model;
536 int md5_idx;
537 do
538 {
539 int i = 0;
540 while(i < NR_IMX_SUMS)
541 {
542 uint8_t md5[20];
543 if(strlen(imx_sums[i].md5sum) != 32)
544 {
545 printf("[INFO] Invalid MD5 sum in imx_sums\n");
546 return IMX_ERROR;
547 }
548 for(int j = 0; j < 16; j++)
549 {
550 byte a, b;
551 if(convxdigit(imx_sums[i].md5sum[2 * j], &a) || convxdigit(imx_sums[i].md5sum[2 * j + 1], &b))
552 {
553 printf("[ERR][INTERNAL] Bad checksum format: %s\n", imx_sums[i].md5sum);
554 free(buf);
555 return IMX_ERROR;
556 }
557 md5[j] = (a << 4) | b;
558 }
559 if(memcmp(file_md5sum, md5, 16) == 0)
560 break;
561 i++;
562 }
563 if(i == NR_IMX_SUMS)
564 {
565 printf("[ERR] MD5 sum doesn't match any known file\n");
566 return IMX_NO_MATCH;
567 }
568 model = imx_sums[i].model;
569 md5_idx = i;
570 }while(0);
571 printf("[INFO] File is for model %d (%s, version %s)\n", model,
572 imx_models[model].model_name, imx_sums[md5_idx].version);
573
574 if(imx_sums[md5_idx].fw_variants[fw_variant].size == 0)
575 {
576 printf("[ERR] Input file does not contain variant '%s'\n", imx_fw_variant[fw_variant]);
577 free(buf);
578 return IMX_VARIANT_MISMATCH;
579 }
580
581 f = fopen(outfile, "wb");
582 if(f == NULL)
583 {
584 printf("[ERR] Cannot open input file\n");
585 free(buf);
586 return IMX_OPEN_ERROR;
587 }
588 enum imx_error_t ret = IMX_SUCCESS;
589
590 if(fwrite(buf + imx_sums[md5_idx].fw_variants[fw_variant].offset,
591 imx_sums[md5_idx].fw_variants[fw_variant].size, 1, f) != 1)
592 {
593 printf("[ERR] Cannot write file\n");
594 ret = IMX_ERROR;
595 }
596 fclose(f);
597 free(buf);
598
599 return ret;
600 }
thomasjfox's rockbox modifications (mameo port)