From 2e0c558064ad6c92624a0a826721a83321b227af Mon Sep 17 00:00:00 2001 From: Amaury Pouly Date: Tue, 22 Oct 2013 00:48:33 +0200 Subject: [PATCH] Introduce rbutil/mkzenboot, a replacement for tools/mkzenboot The old tools/mkzenboot has a number of problems: very hard to maintain, poor integration with rbutil. Restart from scratch by recycling all the crypto and descrambling code, rewrite the actual firmware modification part to handle all scenarios in a much clearer way. The code is ready to be integrated into Rockbox Utility, by using the very similar interface to mkimxboot. I copied all the keys from the old mkzenboot, so it can potentially support the older Creative ports, but since this is untested, I prefer not do so at the moment. However, I did add a "mixed" boot option to support the dualboot style used in the older ports. Change-Id: I80cfc48fa78187baa1b1692e8a30ec7137cea37b --- rbutil/mkzenboot/Makefile | 30 + rbutil/mkzenboot/dualboot.c | 43 ++ rbutil/mkzenboot/dualboot.h | 5 + rbutil/mkzenboot/dualboot/Makefile | 50 ++ rbutil/mkzenboot/dualboot/bin2c.c | 140 ++++ rbutil/mkzenboot/dualboot/config.h | 22 + rbutil/mkzenboot/dualboot/dualboot.c | 134 ++++ rbutil/mkzenboot/dualboot/dualboot.lds | 32 + rbutil/mkzenboot/main.c | 123 ++++ rbutil/mkzenboot/md5.c | 246 +++++++ rbutil/mkzenboot/md5.h | 25 + rbutil/mkzenboot/mkzenboot.c | 689 +++++++++++++++++++ rbutil/mkzenboot/mkzenboot.h | 86 +++ rbutil/mkzenboot/utils.c | 896 +++++++++++++++++++++++++ rbutil/mkzenboot/utils.h | 53 ++ 15 files changed, 2574 insertions(+) create mode 100644 rbutil/mkzenboot/Makefile create mode 100644 rbutil/mkzenboot/dualboot.c create mode 100644 rbutil/mkzenboot/dualboot.h create mode 100644 rbutil/mkzenboot/dualboot/Makefile create mode 100644 rbutil/mkzenboot/dualboot/bin2c.c create mode 100644 rbutil/mkzenboot/dualboot/config.h create mode 100644 rbutil/mkzenboot/dualboot/dualboot.c create mode 100644 rbutil/mkzenboot/dualboot/dualboot.lds create mode 100644 rbutil/mkzenboot/main.c create mode 100644 rbutil/mkzenboot/md5.c create mode 100644 rbutil/mkzenboot/md5.h create mode 100644 rbutil/mkzenboot/mkzenboot.c create mode 100644 rbutil/mkzenboot/mkzenboot.h create mode 100644 rbutil/mkzenboot/utils.c create mode 100644 rbutil/mkzenboot/utils.h diff --git a/rbutil/mkzenboot/Makefile b/rbutil/mkzenboot/Makefile new file mode 100644 index 0000000000..019b8a669f --- /dev/null +++ b/rbutil/mkzenboot/Makefile @@ -0,0 +1,30 @@ +# __________ __ ___. +# Open \______ \ ____ ____ | | _\_ |__ _______ ___ +# Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / +# Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < +# Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ +# \/ \/ \/ \/ \/ + +# We use the HMAC-SHA1 code from tools/ +TOOLS_DIR=../../tools/ +CFLAGS += -Wall -I$(TOOLS_DIR) +CFLAGS += -std=c99 -g +LDOPTS += -lz + +OUTPUT = mkzenboot + +# inputs for lib +TOOLS_SOURCES = hmac-sha1.c +LIBSOURCES := dualboot.c mkzenboot.c md5.c utils.c \ + $(addprefix $(TOOLS_DIR),$(TOOLS_SOURCES)) + +# inputs for binary only +SOURCES := $(LIBSOURCES) main.c +# dependencies for binary +EXTRADEPS := + +include ../libtools.make + +# explicit dependencies on dualboot.{c,h} and mkimxboot.h +$(OBJDIR)mkzenboot.o: dualboot.h dualboot.c mkzenboot.c mkzenboot.h +$(OBJDIR)main.o: dualboot.h dualboot.c main.c mkzenboot.h diff --git a/rbutil/mkzenboot/dualboot.c b/rbutil/mkzenboot/dualboot.c new file mode 100644 index 0000000000..42baada495 --- /dev/null +++ b/rbutil/mkzenboot/dualboot.c @@ -0,0 +1,43 @@ +/* Generated by bin2c */ + +#include "dualboot.h" + +unsigned char dualboot_zenmozaic[168] = { + 0x10, 0x40, 0x2d, 0xe9, 0x7c, 0x30, 0x9f, 0xe5, 0x00, 0x30, 0x93, 0xe5, 0x78, 0x20, 0x9f, 0xe5, + 0x00, 0x00, 0x92, 0xe5, 0x74, 0x20, 0x9f, 0xe5, 0x02, 0x11, 0xa0, 0xe3, 0x08, 0x10, 0x82, 0xe5, + 0x03, 0x11, 0x81, 0xe2, 0x08, 0x10, 0x82, 0xe5, 0xff, 0x14, 0x81, 0xe2, 0x58, 0x10, 0x82, 0xe5, + 0xc2, 0x14, 0x81, 0xe2, 0x24, 0x10, 0x82, 0xe5, 0x01, 0x10, 0xa0, 0xe3, 0x18, 0x10, 0x82, 0xe5, + 0x04, 0x10, 0x82, 0xe5, 0x02, 0x10, 0xa0, 0xe1, 0x10, 0x20, 0x91, 0xe5, 0x01, 0x00, 0x12, 0xe3, + 0xfc, 0xff, 0xff, 0x0a, 0x34, 0x20, 0x9f, 0xe5, 0x50, 0x20, 0x92, 0xe5, 0xff, 0x24, 0xc2, 0xe3, + 0x3f, 0x27, 0xc2, 0xe3, 0xa5, 0x2e, 0x42, 0xe2, 0x0a, 0x20, 0x42, 0xe2, 0x63, 0x00, 0x52, 0xe3, + 0x00, 0x30, 0xa0, 0x93, 0x20, 0x00, 0x83, 0x95, 0x14, 0x20, 0x9f, 0xe5, 0x00, 0x00, 0x92, 0xe5, + 0x33, 0xff, 0x2f, 0xe1, 0x10, 0x80, 0xbd, 0xe8, 0xa0, 0x00, 0x00, 0x41, 0x9c, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x05, 0x80, 0xa4, 0x00, 0x00, 0x41, 0xda, 0x00, 0xeb, 0x1c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +unsigned char dualboot_zenxfi[168] = { + 0x10, 0x40, 0x2d, 0xe9, 0x7c, 0x30, 0x9f, 0xe5, 0x00, 0x30, 0x93, 0xe5, 0x78, 0x20, 0x9f, 0xe5, + 0x00, 0x00, 0x92, 0xe5, 0x74, 0x20, 0x9f, 0xe5, 0x02, 0x11, 0xa0, 0xe3, 0x08, 0x10, 0x82, 0xe5, + 0x03, 0x11, 0x81, 0xe2, 0x08, 0x10, 0x82, 0xe5, 0xff, 0x14, 0x81, 0xe2, 0x58, 0x10, 0x82, 0xe5, + 0xc2, 0x14, 0x81, 0xe2, 0x24, 0x10, 0x82, 0xe5, 0x01, 0x10, 0xa0, 0xe3, 0x18, 0x10, 0x82, 0xe5, + 0x04, 0x10, 0x82, 0xe5, 0x02, 0x10, 0xa0, 0xe1, 0x10, 0x20, 0x91, 0xe5, 0x01, 0x00, 0x12, 0xe3, + 0xfc, 0xff, 0xff, 0x0a, 0x34, 0x20, 0x9f, 0xe5, 0x50, 0x20, 0x92, 0xe5, 0xff, 0x24, 0xc2, 0xe3, + 0x3f, 0x27, 0xc2, 0xe3, 0xa5, 0x2e, 0x42, 0xe2, 0x0a, 0x20, 0x42, 0xe2, 0x63, 0x00, 0x52, 0xe3, + 0x00, 0x30, 0xa0, 0x93, 0x20, 0x00, 0x83, 0x95, 0x14, 0x20, 0x9f, 0xe5, 0x00, 0x00, 0x92, 0xe5, + 0x33, 0xff, 0x2f, 0xe1, 0x10, 0x80, 0xbd, 0xe8, 0xa0, 0x00, 0x00, 0x41, 0x9c, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x05, 0x80, 0xa4, 0x00, 0x00, 0x41, 0xda, 0x00, 0xeb, 0x1c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; +unsigned char dualboot_zen[168] = { + 0x10, 0x40, 0x2d, 0xe9, 0x7c, 0x30, 0x9f, 0xe5, 0x00, 0x30, 0x93, 0xe5, 0x78, 0x20, 0x9f, 0xe5, + 0x00, 0x00, 0x92, 0xe5, 0x74, 0x20, 0x9f, 0xe5, 0x02, 0x11, 0xa0, 0xe3, 0x08, 0x10, 0x82, 0xe5, + 0x03, 0x11, 0x81, 0xe2, 0x08, 0x10, 0x82, 0xe5, 0xff, 0x14, 0x81, 0xe2, 0x58, 0x10, 0x82, 0xe5, + 0xc2, 0x14, 0x81, 0xe2, 0x24, 0x10, 0x82, 0xe5, 0x01, 0x10, 0xa0, 0xe3, 0x18, 0x10, 0x82, 0xe5, + 0x04, 0x10, 0x82, 0xe5, 0x02, 0x10, 0xa0, 0xe1, 0x10, 0x20, 0x91, 0xe5, 0x01, 0x00, 0x12, 0xe3, + 0xfc, 0xff, 0xff, 0x0a, 0x34, 0x20, 0x9f, 0xe5, 0x50, 0x20, 0x92, 0xe5, 0xff, 0x24, 0xc2, 0xe3, + 0x3f, 0x27, 0xc2, 0xe3, 0xa5, 0x2e, 0x42, 0xe2, 0x0a, 0x20, 0x42, 0xe2, 0x63, 0x00, 0x52, 0xe3, + 0x00, 0x30, 0xa0, 0x93, 0x20, 0x00, 0x83, 0x95, 0x14, 0x20, 0x9f, 0xe5, 0x00, 0x00, 0x92, 0xe5, + 0x33, 0xff, 0x2f, 0xe1, 0x10, 0x80, 0xbd, 0xe8, 0xa0, 0x00, 0x00, 0x41, 0x9c, 0x00, 0x00, 0x41, + 0x00, 0x00, 0x05, 0x80, 0xa4, 0x00, 0x00, 0x41, 0xda, 0x00, 0xeb, 0x1c, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; diff --git a/rbutil/mkzenboot/dualboot.h b/rbutil/mkzenboot/dualboot.h new file mode 100644 index 0000000000..c6c2d402d0 --- /dev/null +++ b/rbutil/mkzenboot/dualboot.h @@ -0,0 +1,5 @@ +/* Generated by bin2c */ + +extern unsigned char dualboot_zenmozaic[168]; +extern unsigned char dualboot_zenxfi[168]; +extern unsigned char dualboot_zen[168]; diff --git a/rbutil/mkzenboot/dualboot/Makefile b/rbutil/mkzenboot/dualboot/Makefile new file mode 100644 index 0000000000..cc8c604f6e --- /dev/null +++ b/rbutil/mkzenboot/dualboot/Makefile @@ -0,0 +1,50 @@ +CC=gcc +LD=ld +OC=objcopy +CROSS_PREFIX=arm-elf-eabi- +REGS_PATH=../../../firmware/target/arm/imx233/regs +CFLAGS=-mcpu=arm926ej-s -std=gnu99 -I. -I$(REGS_PATH) -nostdlib -ffreestanding -fomit-frame-pointer -O +LDFLAGS= +# Edit the following variables when adding a new target. +# mkimxboot.c also needs to be edited to refer to these +# To add a new target x you need to: +# 1) add x to the list in TARGETS +# 2) create a variable named OPT_x of the form: +# OPT_x=target specific defines +TARGETS=zenmozaic zenxfi zen +OPT_zenmozaic=-DCREATIVE_ZENMOZAIC -DIMX233_SUBTARGET=3700 +OPT_zenxfi=-DCREATIVE_ZENXFI -DIMX233_SUBTARGET=3700 +OPT_zen=-DCREATIVE_ZEN -DIMX233_SUBTARGET=3700 + +BOOTLDS=$(patsubst %, dualboot_%.lds, $(TARGETS)) +BOOTOBJS=$(patsubst %, dualboot_%.o, $(TARGETS)) +BOOTBINS=$(patsubst %, dualboot_%.arm-bin, $(TARGETS)) +BOOTELFS=$(patsubst %, dualboot_%.arm-elf, $(TARGETS)) + +all: ../dualboot.h ../dualboot.c $(BOOTELFS) + +# Dualboot bootloaders + +dualboot_%.o: dualboot.c + $(CROSS_PREFIX)$(CC) $(CFLAGS) $(OPT_$(@:dualboot_%.o=%)) -c -o $@ $^ + +dualboot_%.lds: dualboot.lds + $(CROSS_PREFIX)$(CC) $(CFLAGS) $(OPT_$(@:dualboot_%.lds=%)) -E -x c - < $< | sed '/#/d' > $@ + +dualboot_%.arm-elf: dualboot_%.o dualboot_%.lds + $(CROSS_PREFIX)$(LD) $(LDFLAGS) -T$(@:dualboot_%.arm-elf=dualboot_%.lds) -o $@ $< + +# Rules for the ARM code embedded in mkamsboot - assemble, link, then extract +# the binary code and finally convert to .h for building in mkamsboot + +%.arm-bin: %.arm-elf + $(CROSS_PREFIX)$(OC) -O binary $< $@ + +../dualboot.c ../dualboot.h: $(BOOTBINS) bin2c + ./bin2c ../dualboot $(BOOTBINS) + +bin2c: bin2c.c + $(CC) -o bin2c bin2c.c + +clean: + rm -f *~ bin2c $(BOOTBINS) $(BOOTOBJS) $(BOOTELFS) $(BOOTLDS) diff --git a/rbutil/mkzenboot/dualboot/bin2c.c b/rbutil/mkzenboot/dualboot/bin2c.c new file mode 100644 index 0000000000..b02af88a4d --- /dev/null +++ b/rbutil/mkzenboot/dualboot/bin2c.c @@ -0,0 +1,140 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2007 Dave Chapman + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef O_BINARY +#define O_BINARY 0 +#endif + +static off_t filesize(int fd) +{ + struct stat buf; + + fstat(fd,&buf); + return buf.st_size; +} + +static void write_cfile(const unsigned char* buf, off_t len, FILE* fp, const char *name) +{ + int i; + + fprintf(fp,"unsigned char %s[%ld] = {",name,len); + + for (i=0;i orig_len) + memset(buf+orig_len, 0, len-orig_len); + + /* remove file extension */ + ext = strchr (array, '.'); + if (ext != NULL) + *ext = '\0'; + write_cfile (buf, len, cfile, array); + fprintf(hfile,"extern unsigned char %s[%ld];\n",array,len); + + close(fd); + } + + fclose(cfile); + fclose(hfile); + + return 0; +} diff --git a/rbutil/mkzenboot/dualboot/config.h b/rbutil/mkzenboot/dualboot/config.h new file mode 100644 index 0000000000..ff59cee710 --- /dev/null +++ b/rbutil/mkzenboot/dualboot/config.h @@ -0,0 +1,22 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ + +/** empty, used by register files */ diff --git a/rbutil/mkzenboot/dualboot/dualboot.c b/rbutil/mkzenboot/dualboot/dualboot.c new file mode 100644 index 0000000000..d0587fa65d --- /dev/null +++ b/rbutil/mkzenboot/dualboot/dualboot.c @@ -0,0 +1,134 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ +#include "regs-pinctrl.h" +#include "regs-power.h" +#include "regs-lradc.h" + +typedef unsigned long uint32_t; + +// target specific boot decision +enum boot_t +{ + BOOT_STOP, /* power down */ + BOOT_ROCK, /* boot to Rockbox */ + BOOT_OF, /* boot to OF */ +}; + +/** + * Helper functions + */ + +static inline int __attribute__((always_inline)) read_gpio(int bank, int pin) +{ + return (HW_PINCTRL_DINn(bank) >> pin) & 1; +} + +static inline int __attribute__((always_inline)) read_pswitch(void) +{ +#if IMX233_SUBTARGET >= 3700 + return BF_RD(POWER_STS, PSWITCH); +#else + return BF_RD(DIGCTL_STATUS, PSWITCH); +#endif +} + +/* only works for channels <=7, always divide by 2, never accumulates */ +static inline void __attribute__((always_inline)) setup_lradc(int src) +{ + BF_CLR(LRADC_CTRL0, SFTRST); + BF_CLR(LRADC_CTRL0, CLKGATE); + /* don't bother changing the source, we are early enough at boot so that + * channel x is mapped to source x */ + HW_LRADC_CHn_CLR(src) = BM_OR2(LRADC_CHn, NUM_SAMPLES, ACCUMULATE); + BF_SETV(LRADC_CTRL2, DIVIDE_BY_TWO, 1 << src); +} + +#define BP_LRADC_CTRL1_LRADCx_IRQ(x) (x) +#define BM_LRADC_CTRL1_LRADCx_IRQ(x) (1 << (x)) + +static inline int __attribute__((always_inline)) read_lradc(int src) +{ + BF_CLR(LRADC_CTRL1, LRADCx_IRQ(src)); + BF_SETV(LRADC_CTRL0, SCHEDULE, 1 << src); + while(!BF_RD(LRADC_CTRL1, LRADCx_IRQ(src))); + return BF_RDn(LRADC_CHn, src, VALUE); +} + +static inline void __attribute__((noreturn)) power_down() +{ + /* power down */ + HW_POWER_RESET = BM_OR2(POWER_RESET, UNLOCK, PWD); + while(1); +} + +/** + * Boot decision functions + */ + +#if defined(CREATIVE_ZENMOZAIC) || defined(CREATIVE_ZEN) || defined(CREATIVE_ZENXFI) +static enum boot_t boot_decision() +{ + setup_lradc(0); // setup LRADC channel 0 to read keys + /* make a decision */ + /* read keys */ + int val = read_lradc(0); + /* if back is pressed, boot to OF + * otherwise boot to RB */ + if(val >= 2650 && val < 2750) // conveniently, all players use the same value + return BOOT_OF; + return BOOT_ROCK; +} +#else +#warning You should define a target specific boot decision function +static int boot_decision() +{ + return BOOT_ROCK; +} +#endif + +static int main(uint32_t rb_addr, uint32_t of_addr) +{ + switch(boot_decision()) + { + case BOOT_ROCK: + return rb_addr; + case BOOT_OF: + /* fix back the loading address + /* NOTE: see mkzenboot for more details */ + *(uint32_t *)0x20 = of_addr; + return 0; + case BOOT_STOP: + default: + power_down(); + } +} + +/** Glue for the linker mostly */ + +extern uint32_t of_vector; +extern uint32_t rb_vector; +extern uint32_t boot_arg; + +void __attribute__((section(".start"))) start() +{ + uint32_t addr = main(rb_vector, of_vector); + ((void (*)(uint32_t))addr)(boot_arg); +} diff --git a/rbutil/mkzenboot/dualboot/dualboot.lds b/rbutil/mkzenboot/dualboot/dualboot.lds new file mode 100644 index 0000000000..7444a1e427 --- /dev/null +++ b/rbutil/mkzenboot/dualboot/dualboot.lds @@ -0,0 +1,32 @@ +ENTRY(start) +OUTPUT_FORMAT(elf32-littlearm) +OUTPUT_ARCH(arm) + +MEMORY +{ + /* keep this consistent with the address in mkzenboot.c */ +#if IMX233_SUBTARGET == 3700 + RAM : ORIGIN = 0x41000000, LENGTH = 0x8000 +#elif IMX233_SUBTARGET == 3600 + RAM : ORIGIN = 0x61000000, LENGTH = 0x8000 +#else +#error define me +#endif +} + +SECTIONS +{ + .text : + { + *(.start*) + *(.text*) + . = ALIGN(4); + LONG(0x1ceb00da) + of_vector = .; + . += 4; + rb_vector = .; + . += 4; + boot_arg = .; + . += 4; + } > RAM +} diff --git a/rbutil/mkzenboot/main.c b/rbutil/mkzenboot/main.c new file mode 100644 index 0000000000..7aef2b76a3 --- /dev/null +++ b/rbutil/mkzenboot/main.c @@ -0,0 +1,123 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ + +#include +#include +#include +#include +#include "mkzenboot.h" + +static void usage(void) +{ + printf("Usage: mkzenboot [options | file]...\n"); + printf("Options:\n"); + printf(" -?/--help Display this message\n"); + printf(" -i Set input file\n"); + printf(" -o Set output file\n"); + printf(" -b Set boot file\n"); + printf(" -t Set output type\n"); + printf(" -d/--debug Enable debug output\n"); + printf("Output types: dualboot, deferred_dualboot, singleboot, recovery\n"); + printf("By default a dualboot image is built\n"); + exit(1); +} + +int main(int argc, char *argv[]) +{ + char *outfile = NULL; + char *bootfile = NULL; + char *infile = NULL; + struct zen_option_t opt; + memset(&opt, 0, sizeof(opt)); + + if(argc == 1) + usage(); + + while(1) + { + static struct option long_options[] = + { + {"help", no_argument, 0, '?'}, + {"debug", no_argument, 0, 'd'}, + {0, 0, 0, 0} + }; + + int c = getopt_long(argc, argv, "?di:o:b:t:", long_options, NULL); + if(c == -1) + break; + switch(c) + { + case 'd': + opt.debug = true; + break; + case '?': + usage(); + break; + case 'o': + outfile = optarg; + break; + case 'i': + infile = optarg; + break; + case 'b': + bootfile = optarg; + break; + case 't': + if(strcmp(optarg, "dualboot") == 0) opt.output = ZEN_DUALBOOT; + else if(strcmp(optarg, "mixedboot") == 0) opt.output = ZEN_MIXEDBOOT; + else if(strcmp(optarg, "singleboot") == 0) opt.output = ZEN_SINGLEBOOT; + else if(strcmp(optarg, "recovery") == 0) opt.output = ZEN_RECOVERY; + else + { + printf("Unknown output type '%s'\n", optarg); + return 1; + } + break; + default: + abort(); + } + } + + if(!outfile) + { + printf("You must specify an output file\n"); + return 1; + } + if(!bootfile) + { + printf("You must specify a boot file\n"); + return 1; + } + if(!infile) + { + printf("You must specify an input file\n"); + return 1; + } + if(optind != argc) + { + printf("Extra arguments on command line\n"); + return 1; + } + + enum zen_error_t err = mkzenboot(infile, bootfile, outfile, opt); + printf("Result: %d\n", err); + return 0; +} diff --git a/rbutil/mkzenboot/md5.c b/rbutil/mkzenboot/md5.c new file mode 100644 index 0000000000..530d8df15a --- /dev/null +++ b/rbutil/mkzenboot/md5.c @@ -0,0 +1,246 @@ +/* + * RFC 1321 compliant MD5 implementation + * + * Copyright (C) 2001-2003 Christophe Devine + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include + +#include "md5.h" + +#define GET_UINT32(n,b,i) \ +{ \ + (n) = ( (uint32) (b)[(i) ] ) \ + | ( (uint32) (b)[(i) + 1] << 8 ) \ + | ( (uint32) (b)[(i) + 2] << 16 ) \ + | ( (uint32) (b)[(i) + 3] << 24 ); \ +} + +#define PUT_UINT32(n,b,i) \ +{ \ + (b)[(i) ] = (uint8) ( (n) ); \ + (b)[(i) + 1] = (uint8) ( (n) >> 8 ); \ + (b)[(i) + 2] = (uint8) ( (n) >> 16 ); \ + (b)[(i) + 3] = (uint8) ( (n) >> 24 ); \ +} + +void md5_starts( md5_context *ctx ) +{ + ctx->total[0] = 0; + ctx->total[1] = 0; + + ctx->state[0] = 0x67452301; + ctx->state[1] = 0xEFCDAB89; + ctx->state[2] = 0x98BADCFE; + ctx->state[3] = 0x10325476; +} + +void md5_process( md5_context *ctx, uint8 data[64] ) +{ + uint32 X[16], A, B, C, D; + + GET_UINT32( X[0], data, 0 ); + GET_UINT32( X[1], data, 4 ); + GET_UINT32( X[2], data, 8 ); + GET_UINT32( X[3], data, 12 ); + GET_UINT32( X[4], data, 16 ); + GET_UINT32( X[5], data, 20 ); + GET_UINT32( X[6], data, 24 ); + GET_UINT32( X[7], data, 28 ); + GET_UINT32( X[8], data, 32 ); + GET_UINT32( X[9], data, 36 ); + GET_UINT32( X[10], data, 40 ); + GET_UINT32( X[11], data, 44 ); + GET_UINT32( X[12], data, 48 ); + GET_UINT32( X[13], data, 52 ); + GET_UINT32( X[14], data, 56 ); + GET_UINT32( X[15], data, 60 ); + +#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n))) + +#define P(a,b,c,d,k,s,t) \ +{ \ + a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \ +} + + A = ctx->state[0]; + B = ctx->state[1]; + C = ctx->state[2]; + D = ctx->state[3]; + +#define F(x,y,z) (z ^ (x & (y ^ z))) + + P( A, B, C, D, 0, 7, 0xD76AA478 ); + P( D, A, B, C, 1, 12, 0xE8C7B756 ); + P( C, D, A, B, 2, 17, 0x242070DB ); + P( B, C, D, A, 3, 22, 0xC1BDCEEE ); + P( A, B, C, D, 4, 7, 0xF57C0FAF ); + P( D, A, B, C, 5, 12, 0x4787C62A ); + P( C, D, A, B, 6, 17, 0xA8304613 ); + P( B, C, D, A, 7, 22, 0xFD469501 ); + P( A, B, C, D, 8, 7, 0x698098D8 ); + P( D, A, B, C, 9, 12, 0x8B44F7AF ); + P( C, D, A, B, 10, 17, 0xFFFF5BB1 ); + P( B, C, D, A, 11, 22, 0x895CD7BE ); + P( A, B, C, D, 12, 7, 0x6B901122 ); + P( D, A, B, C, 13, 12, 0xFD987193 ); + P( C, D, A, B, 14, 17, 0xA679438E ); + P( B, C, D, A, 15, 22, 0x49B40821 ); + +#undef F + +#define F(x,y,z) (y ^ (z & (x ^ y))) + + P( A, B, C, D, 1, 5, 0xF61E2562 ); + P( D, A, B, C, 6, 9, 0xC040B340 ); + P( C, D, A, B, 11, 14, 0x265E5A51 ); + P( B, C, D, A, 0, 20, 0xE9B6C7AA ); + P( A, B, C, D, 5, 5, 0xD62F105D ); + P( D, A, B, C, 10, 9, 0x02441453 ); + P( C, D, A, B, 15, 14, 0xD8A1E681 ); + P( B, C, D, A, 4, 20, 0xE7D3FBC8 ); + P( A, B, C, D, 9, 5, 0x21E1CDE6 ); + P( D, A, B, C, 14, 9, 0xC33707D6 ); + P( C, D, A, B, 3, 14, 0xF4D50D87 ); + P( B, C, D, A, 8, 20, 0x455A14ED ); + P( A, B, C, D, 13, 5, 0xA9E3E905 ); + P( D, A, B, C, 2, 9, 0xFCEFA3F8 ); + P( C, D, A, B, 7, 14, 0x676F02D9 ); + P( B, C, D, A, 12, 20, 0x8D2A4C8A ); + +#undef F + +#define F(x,y,z) (x ^ y ^ z) + + P( A, B, C, D, 5, 4, 0xFFFA3942 ); + P( D, A, B, C, 8, 11, 0x8771F681 ); + P( C, D, A, B, 11, 16, 0x6D9D6122 ); + P( B, C, D, A, 14, 23, 0xFDE5380C ); + P( A, B, C, D, 1, 4, 0xA4BEEA44 ); + P( D, A, B, C, 4, 11, 0x4BDECFA9 ); + P( C, D, A, B, 7, 16, 0xF6BB4B60 ); + P( B, C, D, A, 10, 23, 0xBEBFBC70 ); + P( A, B, C, D, 13, 4, 0x289B7EC6 ); + P( D, A, B, C, 0, 11, 0xEAA127FA ); + P( C, D, A, B, 3, 16, 0xD4EF3085 ); + P( B, C, D, A, 6, 23, 0x04881D05 ); + P( A, B, C, D, 9, 4, 0xD9D4D039 ); + P( D, A, B, C, 12, 11, 0xE6DB99E5 ); + P( C, D, A, B, 15, 16, 0x1FA27CF8 ); + P( B, C, D, A, 2, 23, 0xC4AC5665 ); + +#undef F + +#define F(x,y,z) (y ^ (x | ~z)) + + P( A, B, C, D, 0, 6, 0xF4292244 ); + P( D, A, B, C, 7, 10, 0x432AFF97 ); + P( C, D, A, B, 14, 15, 0xAB9423A7 ); + P( B, C, D, A, 5, 21, 0xFC93A039 ); + P( A, B, C, D, 12, 6, 0x655B59C3 ); + P( D, A, B, C, 3, 10, 0x8F0CCC92 ); + P( C, D, A, B, 10, 15, 0xFFEFF47D ); + P( B, C, D, A, 1, 21, 0x85845DD1 ); + P( A, B, C, D, 8, 6, 0x6FA87E4F ); + P( D, A, B, C, 15, 10, 0xFE2CE6E0 ); + P( C, D, A, B, 6, 15, 0xA3014314 ); + P( B, C, D, A, 13, 21, 0x4E0811A1 ); + P( A, B, C, D, 4, 6, 0xF7537E82 ); + P( D, A, B, C, 11, 10, 0xBD3AF235 ); + P( C, D, A, B, 2, 15, 0x2AD7D2BB ); + P( B, C, D, A, 9, 21, 0xEB86D391 ); + +#undef F + + ctx->state[0] += A; + ctx->state[1] += B; + ctx->state[2] += C; + ctx->state[3] += D; +} + +void md5_update( md5_context *ctx, uint8 *input, uint32 length ) +{ + uint32 left, fill; + + if( ! length ) return; + + left = ctx->total[0] & 0x3F; + fill = 64 - left; + + ctx->total[0] += length; + ctx->total[0] &= 0xFFFFFFFF; + + if( ctx->total[0] < length ) + ctx->total[1]++; + + if( left && length >= fill ) + { + memcpy( (void *) (ctx->buffer + left), + (void *) input, fill ); + md5_process( ctx, ctx->buffer ); + length -= fill; + input += fill; + left = 0; + } + + while( length >= 64 ) + { + md5_process( ctx, input ); + length -= 64; + input += 64; + } + + if( length ) + { + memcpy( (void *) (ctx->buffer + left), + (void *) input, length ); + } +} + +static uint8 md5_padding[64] = +{ + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +void md5_finish( md5_context *ctx, uint8 digest[16] ) +{ + uint32 last, padn; + uint32 high, low; + uint8 msglen[8]; + + high = ( ctx->total[0] >> 29 ) + | ( ctx->total[1] << 3 ); + low = ( ctx->total[0] << 3 ); + + PUT_UINT32( low, msglen, 0 ); + PUT_UINT32( high, msglen, 4 ); + + last = ctx->total[0] & 0x3F; + padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last ); + + md5_update( ctx, md5_padding, padn ); + md5_update( ctx, msglen, 8 ); + + PUT_UINT32( ctx->state[0], digest, 0 ); + PUT_UINT32( ctx->state[1], digest, 4 ); + PUT_UINT32( ctx->state[2], digest, 8 ); + PUT_UINT32( ctx->state[3], digest, 12 ); +} + diff --git a/rbutil/mkzenboot/md5.h b/rbutil/mkzenboot/md5.h new file mode 100644 index 0000000000..71fa395548 --- /dev/null +++ b/rbutil/mkzenboot/md5.h @@ -0,0 +1,25 @@ +#ifndef _MD5_H +#define _MD5_H + +#ifndef uint8 +#define uint8 unsigned char +#endif + +#ifndef uint32 +#define uint32 unsigned long int +#endif + +typedef struct +{ + uint32 total[2]; + uint32 state[4]; + uint8 buffer[64]; +} +md5_context; + +void md5_starts( md5_context *ctx ); +void md5_update( md5_context *ctx, uint8 *input, uint32 length ); +void md5_finish( md5_context *ctx, uint8 digest[16] ); + +#endif /* md5.h */ + diff --git a/rbutil/mkzenboot/mkzenboot.c b/rbutil/mkzenboot/mkzenboot.c new file mode 100644 index 0000000000..396357e6fe --- /dev/null +++ b/rbutil/mkzenboot/mkzenboot.c @@ -0,0 +1,689 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2008 by Maurus Cuelenaere + * Based on zenutils by Rasmus Ry + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ +#include +#include +#include +#include +#include "mkzenboot.h" +#include "utils.h" +#include "dualboot.h" + +/** + * Keys used by players + */ +static const char null_key_v1[] = "CTL:N0MAD|PDE0.SIGN."; +static const char null_key_v2[] = "CTL:N0MAD|PDE0.DPMP."; +static const char null_key_v3[] = "CTL:N0MAD|PDE0.DPFP."; +static const char null_key_v4[] = "CTL:Z3N07|PDE0.DPMP."; + +static const char tl_zvm_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Vision:M"; +static const char tl_zvm60_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Vision:M (D" + "VP-HD0004)"; +static const char tl_zen_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN"; +static const char tl_zenxf_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN X-Fi"; +static const char tl_zenmo_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN Mozaic"; +static const char tl_zv_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Vision"; +static const char tl_zvw_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN Vision W"; +static const char tl_zm_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Micro"; +static const char tl_zmp_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen MicroPhoto"; +static const char tl_zs_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Sleek"; +static const char tl_zsp_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Sleek Photo"; +static const char tl_zt_key[] = "1sN0TM3D az u~may th1nk*" + "Creative Zen Touch"; +static const char tl_zx_key[] = "1sN0TM3D az u~may th1nk*" + "NOMAD Jukebox Zen Xtra"; +static const char tl_zenv_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN V"; +static const char tl_zenvp_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN V Plus"; +static const char tl_zenvv_key[] = "1sN0TM3D az u~may th1nk*" + "Creative ZEN V (Video)"; + +struct player_info_t +{ + const char* name; + const char* null_key; /* HMAC-SHA1 key */ + const char* tl_key; /* BlowFish key */ + bool big_endian; + char *cinf; +}; + +static struct player_info_t zen_players[] = +{ + {"Zen Vision:M", null_key_v2, tl_zvm_key, false, NULL}, + {"Zen Vision:M 60GB", null_key_v2, tl_zvm60_key, false, NULL}, + {"Zen", null_key_v4, tl_zen_key, false, "Creative ZEN"}, + {"Zen X-Fi", null_key_v4, tl_zenxf_key, false, "Creative ZEN X-Fi"}, + {"Zen Mozaic", null_key_v4, tl_zenmo_key, false, "Creative ZEN Mozaic"}, + {"Zen Vision", null_key_v2, tl_zv_key, false, NULL}, + {"Zen Vision W", null_key_v2, tl_zvw_key, false, NULL}, + {"Zen Micro", null_key_v1, tl_zm_key, true, NULL}, + {"Zen MicroPhoto", null_key_v1, tl_zmp_key, true, NULL}, + {"Zen Sleek", null_key_v1, tl_zs_key, true, NULL}, + {"Zen SleekPhoto", null_key_v1, tl_zsp_key, true, NULL}, + {"Zen Touch", null_key_v1, tl_zt_key, true, NULL}, + {"Zen Xtra", null_key_v1, tl_zx_key, true, NULL}, + {"Zen V", null_key_v3, tl_zenv_key, false, NULL}, + {"Zen V Plus", null_key_v3, tl_zenvp_key, false, NULL}, + {"Zen V Video", null_key_v3, tl_zenvv_key, false, NULL}, + {NULL, NULL, NULL, false, NULL} +}; + +/** + * Information on how to patch firmwares + */ +struct zen_model_desc_t +{ + /* Descriptive name of this model (must match player in zen_players[]) */ + const char *model_name; + /* Model name used in the Rockbox header in ".zen" files - these match the + -add parameter to the "scramble" tool */ + const char *rb_model_name; + /* Model number used to initialise the checksum in the Rockbox header in + ".zen" files - these are the same as MODEL_NUMBER in config-target.h */ + const int rb_model_num; + /* Bootloader load address */ + uint32_t bootloader_addr; + /* Dualboot code for this model */ + const unsigned char *dualboot; + /* Size of dualboot functions for this model */ + int dualboot_size; +}; + +/* keep this consistent with the address in dualboot.lds */ +static const struct zen_model_desc_t zen_models[] = +{ + [MODEL_UNKNOWN] = + { + "Unknown", " ", 0, 0, NULL, 0 + }, + [MODEL_ZENV] = + { + "Zen V", "zenv", 85, 0x60000000, NULL, 0 + }, + [MODEL_ZENXFI] = + { + "Zen X-Fi", "zxfi", 86, 0x41000000, dualboot_zenxfi, sizeof(dualboot_zenxfi) + }, + [MODEL_ZENMOZAIC] = + { + "Zen Mozaic", "zmoz", 87, 0x41000000, dualboot_zenmozaic, sizeof(dualboot_zenmozaic) + }, + [MODEL_ZEN] = + { + "Zen", "zen", 90, 0x41000000, dualboot_zen, sizeof(dualboot_zen) + }, +}; + +/** + * MD5 knowledge base + */ + +struct zen_md5sum_t +{ + /* Device model */ + enum zen_model_t model; + /* md5sum of the file */ + char *md5sum; + /* Version string */ + const char *version; +}; + +static const struct zen_md5sum_t zen_sums[] = +{ + /** Zen Mozaic */ + { + /* Version 1.06.01e */ + MODEL_ZENMOZAIC, "88a856f8273b2bc3fcacf1f067a44aa8", "1.06.01e" + }, + /** Zen X-Fi */ + { + /* Version 1.04.08e */ + MODEL_ZENXFI, "f07e2e75069289a2aa14c6583bd9643b", "1.04.08e" + }, + /** Zen V */ + { + /* Version 1.32.01e */ + MODEL_ZENV, "2f6d3e619557583c30132ac87221bc3e", "1.32.01e" + }, + /** Zen */ + { + /* Version 1.21.03e */ + MODEL_ZEN, "1fe28f587f87ac3c280281db28c42465", "1.21.03e" + } +}; + +#define NR_ZEN_PLAYERS (sizeof(zen_players) / sizeof(zen_players[0])) +#define NR_ZEN_SUMS (sizeof(zen_sums) / sizeof(zen_sums[0])) +#define NR_ZEN_MODELS (sizeof(zen_models) / sizeof(zen_models[0])) + +#define MAGIC_ROCK 0x726f636b /* 'rock' */ +#define MAGIC_RECOVERY 0xfee1dead +#define MAGIC_NORMAL 0xcafebabe + +/** + * Stolen from various places in our codebase + */ + +/** + * EDOC file format + */ +struct edoc_header_t +{ + char magic[4]; + uint32_t total_size; + uint32_t zero; +}; + +struct edoc_section_header_t +{ + uint32_t addr; + uint32_t size; + uint32_t checksum; +}; + +uint32_t edoc_checksum(void *buffer, size_t size) +{ + uint32_t c = 0; + uint32_t *p = buffer; + while(size >= 4) + { + c += *p + (*p >> 16); + p++; + size -= 4; + } + if(size != 0) + printf("[WARN] EDOC Checksum section size is not a multiple of 4 bytes, result is undefined!\n"); + return c & 0xffff; +} + +#define errorf(err, ...) do { printf(__VA_ARGS__); return err; } while(0) + +/** + * How does patching code work + * --------------------------- + * + * All Creative firmwares work the same: they start at 0 and the code sequence at + * 0 always contains the vector table with ldr with offsets: + * 0: e59ff018 ldr pc, [pc, #24] ; 0x20 + * 4: e59ff018 ldr pc, [pc, #24] ; 0x24 + * 8: e59ff018 ldr pc, [pc, #24] ; 0x28 + * c: e59ff018 ldr pc, [pc, #24] ; 0x2c + * 10: e59ff018 ldr pc, [pc, #24] ; 0x30 + * 14: e59ff018 ldr pc, [pc, #24] ; 0x34 + * 18: e59ff018 ldr pc, [pc, #24] ; 0x38 + * 1c: e59ff018 ldr pc, [pc, #24] ; 0x3c + * 20: 0000dbd4 .word start + * 24: 0000dcac .word undef_instr_handler + * 28: 0000dcb0 .word software_int_handler + * 2c: 0000dcb4 .word prefetch_abort_handler + * 30: 0000dcb8 .word data_abort_handler + * 34: 0000dcbc .word reserved_handler + * 38: 0000dcc0 .word irq_handler + * 3c: 0000dd08 .word fiq_handler + * + * To build a dual-boot image, we modify the start address to point to some + * code we added to the image. Specifically we first add the stub, then + * the rockbox image. We also write the old start address to this + * stub so that it can either decide to run rockbox or patch back the + * start address and jump to 0. + * Singleboot and recovery is handled the same way except that both targets use + * the same address and we drop the OF, so we create a fake vector table! + */ + +struct dualboot_footer_t +{ + uint32_t magic; + uint32_t of_addr; + uint32_t rb_addr; + uint32_t boot_arg; +} __attribute__((packed)); + +#define FOOTER_MAGIC 0x1ceb00da + +static enum zen_error_t create_fake_image(uint8_t **fw, uint32_t *fw_size) +{ + /** We need to create a fake EDOC image, so first a header and one section + * header with one data chunk. */ + /** The fake image is as follows: + * 0: e59ff018 ldr pc, [pc, #24] ; 0x20 + * 4: e59ff018 ldr pc, [pc, #24] ; 0x24 + * 8: e59ff018 ldr pc, [pc, #24] ; 0x28 + * c: e59ff018 ldr pc, [pc, #24] ; 0x2c + * 10: e59ff018 ldr pc, [pc, #24] ; 0x30 + * 14: e59ff018 ldr pc, [pc, #24] ; 0x34 + * 18: e59ff018 ldr pc, [pc, #24] ; 0x38 + * 1c: e59ff018 ldr pc, [pc, #24] ; 0x3c + * 20: 00000040 .word hang + * 24: 00000040 .word hang + * 28: 00000040 .word hang + * 2c: 00000040 .word hang + * 30: 00000040 .word hang + * 34: 00000040 .word hang + * 38: 00000040 .word hang + * 3c: 00000040 .word hang + * 40 : + * 40: eafffffe b 40 */ + *fw_size = sizeof(struct edoc_header_t) + sizeof(struct edoc_section_header_t) + 0x44; + *fw = malloc(*fw_size); + if(*fw == NULL) + errorf(ZEN_ERROR, "[ERR] Allocation failed"); + struct edoc_header_t *hdr = (void *)*fw; + memcpy(hdr->magic, "EDOC", 4); + hdr->total_size = *fw_size - sizeof(struct edoc_header_t) + 4; + hdr->zero = 0; + struct edoc_section_header_t *sec = (void *)(hdr + 1); + sec->addr = 0; + sec->size = 0x44; + uint32_t *p = (void *)(sec + 1); + p[0] = p[1] = p[2] = p[3] = p[4] = p[5] = p[6] = p[7] = 0xe59ff018; + p[8] = p[9] = p[10] = p[11] = p[12] = p[13] = p[14] = p[15] = 0x40; + p[16] = 0xeafffffe; + sec->checksum = edoc_checksum(p, 0x44); + return ZEN_SUCCESS; +} + +static enum zen_error_t patch_firmware(uint8_t **fw, uint32_t *fw_size, + void *boot, size_t boot_size, struct zen_option_t opt) +{ + /* check if dualboot stub is available */ + const void *dualboot = zen_models[opt.model].dualboot; + int dualboot_size = zen_models[opt.model].dualboot_size; + uint32_t dualboot_addr = zen_models[opt.model].bootloader_addr; + if(dualboot == NULL) + errorf(ZEN_DONT_KNOW_HOW_TO_PATCH, "[ERR] I don't have a dualboot stub for this model\n"); + /* if not asked to dualboot, drop OF and create a fake image */ + if(opt.output != ZEN_DUALBOOT) + { + enum zen_error_t ret = create_fake_image(fw, fw_size); + if(ret != ZEN_SUCCESS) + return ret; + } + /* compute final image size: add stub + bootloader in one block as a section */ + int extra_size = sizeof(struct edoc_section_header_t) + dualboot_size + boot_size; + *fw_size += extra_size; + *fw = realloc(*fw, *fw_size); + if(*fw == NULL) + errorf(ZEN_ERROR, "[ERR] Allocation failed"); + /* sanity check */ + struct edoc_header_t *hdr = (void *)*fw; + if(memcmp(hdr->magic, "EDOC", 4) != 0) + errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't use EDOC format\n"); + /* validate image and find OF start addr */ + uint32_t of_addr = 0; + struct edoc_section_header_t *sec_hdr = (void *)(hdr + 1); + while((void *)sec_hdr - (void *)&hdr->zero < hdr->total_size) + { + if(sec_hdr->checksum != edoc_checksum(sec_hdr + 1, sec_hdr->size)) + errorf(ZEN_FW_INVALID, "[ERR] Firmware checksum error\n"); + if(sec_hdr->addr == 0) + { + uint32_t *start_vector = ((void *)(sec_hdr + 1) + 0x20); + /* extract address */ + of_addr = *(uint32_t *)start_vector; + /* patch vector */ + *start_vector = dualboot_addr; + /* fix checksum */ + sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size); + } + sec_hdr = (void *)(sec_hdr + 1) + sec_hdr->size; + } + if(of_addr == 0) + errorf(ZEN_FW_INVALID, "[ERR] Firmware doesn't have the expected format\n"); + printf("[INFO] OF start address: %#x\n", of_addr); + /* add extra section */ + sec_hdr->addr = dualboot_addr; + sec_hdr->size = dualboot_size + boot_size; + /* add extra data */ + memcpy(sec_hdr + 1, dualboot, dualboot_size); + memcpy((void *)(sec_hdr + 1) + dualboot_size, boot, boot_size); + /* locate and patch dualboot footer */ + struct dualboot_footer_t *footer = (void *)(sec_hdr + 1) + dualboot_size - + sizeof(struct dualboot_footer_t); + if(footer->magic != FOOTER_MAGIC) + errorf(ZEN_FW_INVALID, "[ERR] Footer magic mismatch\n"); + uint32_t rb_addr = dualboot_addr + dualboot_size; + printf("[INFO] RB start address: %#x\n", rb_addr); + footer->of_addr = opt.output == ZEN_DUALBOOT ? of_addr : rb_addr; + footer->rb_addr = rb_addr; + footer->boot_arg = opt.output == ZEN_RECOVERY ? 0xfee1dead : 0xcafebabe; + printf("[INFO] Footer: 0x%08x 0x%08x 0x%08x\n", footer->of_addr, footer->rb_addr, + footer->boot_arg); + /* fix image */ + sec_hdr->checksum = edoc_checksum(sec_hdr + 1, sec_hdr->size); + hdr->total_size += extra_size; + return ZEN_SUCCESS; +} + +struct player_info_t *get_player_info(enum zen_model_t model) +{ + for(int i = 0; zen_players[i].name; i++) + if(strcmp(zen_models[model].model_name, zen_players[i].name) == 0) + return &zen_players[i]; + return NULL; +} + +enum zen_error_t build_firmware(void *exec, size_t exec_size, void *boot, size_t boot_size, + const char *outfile, struct zen_option_t opt) +{ + uint8_t *buffer = exec; + /** find player info */ + struct player_info_t *player = get_player_info(opt.model); + if(player == NULL) + errorf(ZEN_UNSUPPORTED, "[ERR] There is no player info for this model\n"); + if(player->big_endian) + errorf(ZEN_UNSUPPORTED, "[ERR] Big-endian players are currently unsupported\n"); + + /** Find Win32 PE .data section */ + uint32_t data_ptr; + uint32_t data_size; + enum zen_error_t err = find_pe_data(exec, exec_size, &data_ptr, &data_size); + if(err != ZEN_SUCCESS) + errorf(err, "[ERR] Cannot find .data section\n"); + printf("[INFO] .data section is at 0x%x with size 0x%x\n", data_ptr, data_size); + + /** look for firmware and key in data section */ + uint32_t fw_offset = find_firmware_offset(&buffer[data_ptr], data_size); + if(fw_offset == 0) + errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware offset\n"); + uint32_t fw_size = le2int(&buffer[data_ptr + fw_offset]); + printf("[INFO] Firmware offset is at 0x%x with size 0x%x\n", data_ptr + fw_offset, fw_size); + const char *fw_key = find_firmware_key(exec, exec_size); + if(fw_key == NULL) + errorf(ZEN_FW_INVALID, "[ERR] Couldn't find firmware key\n"); + printf("[INFO] Firmware key is %s\n", fw_key); + + /** descramble firmware */ + printf("[INFO] Descrambling firmware... "); + if(!crypt_firmware(fw_key, &buffer[data_ptr + fw_offset + 4], fw_size)) + errorf(ZEN_ERROR, "Fail!\n"); + else + printf("Done!\n"); + /** decompress it */ + uint8_t *out_buffer = malloc(fw_size * 2); + if(out_buffer == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory"); + memset(out_buffer, 0, fw_size * 2); + printf("[INFO] Decompressing firmware... "); + char *err_msg; + if(!inflate_to_buffer(&buffer[data_ptr + fw_offset + 4], fw_size, out_buffer, + fw_size * 2, &err_msg)) + errorf(ZEN_ERROR, "Fail!\n[ERR] ZLib error: %s\n", err_msg); + else + printf("Done!\n"); + + /** check format and resize the buffer */ + if(memcmp(out_buffer, "FFIC", 4) != 0) + errorf(ZEN_FW_INVALID, "[ERR] CIFF header doesn't match\n"); + uint32_t ciff_size = le2int(&out_buffer[4]) + 8 + 28; /* CIFF block + NULL block*/ + printf("[INFO] Total firmware size: %d\n", ciff_size); + out_buffer = realloc(out_buffer, ciff_size); + if(out_buffer == NULL) + errorf(ZEN_ERROR, "[ERR] Cannot resize memory block\n"); + + /** look for firmware file */ + printf("[INFO] Locating encoded block... "); + uint32_t fw_off = 8; + uint8_t *cinf_ptr = NULL; + while(memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0 && fw_off < ciff_size) + { + if(memcmp(&out_buffer[fw_off], "FNIC", 4) == 0) + { + cinf_ptr = &out_buffer[fw_off + 8]; + fw_off += 4 + 4 + 96; + } + else if(memcmp(&out_buffer[fw_off], "ATAD", 4) == 0) + { + fw_off += 4; + fw_off += le2int(&out_buffer[fw_off]); + fw_off += 4; + } + else + errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Unknown block\n"); + } + if(fw_off >= ciff_size || memcmp(&out_buffer[fw_off], " LT\xa9", 4) != 0) + errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find encoded block\n"); + if(!cinf_ptr) + errorf(ZEN_FW_INVALID, "Fail!\n[ERR] Couldn't find CINF\n"); + printf("Done!\n"); + + /** validate player if possible */ + printf("[INFO] Checking player model..."); + if(player->cinf) + { + char cinf_ascii[96]; + for(int j = 0; j < 96; j++) + cinf_ascii[j] = *(unsigned short *)&cinf_ptr[2 * j]; + if(strncmp(cinf_ascii, player->cinf, 96) != 0) + errorf(ZEN_FW_MISMATCH, "Fail!\n[ERR] Player mismatch: CINF indicates '%s' instead of '%s'\n", + cinf_ascii, player->cinf); + else + printf("Done!\n"); + } + else + printf("Bypass!\n"); + + /** decrypt firmware */ + printf("[INFO] Decrypting encoded block... "); + uint32_t iv[2]; + iv[0] = 0; + iv[1] = swap(le2int(&out_buffer[fw_off + 4])); + if(!bf_cbc_decrypt((unsigned char*)player->tl_key, strlen(player->tl_key) + 1, + &out_buffer[fw_off + 8], le2int(&out_buffer[fw_off + 4]), (const unsigned char*)&iv)) + errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decrypt encoded block\n"); + printf("Done!\n"); + + /** sanity checks on firmware */ + uint32_t jrm_size = le2int(&out_buffer[fw_off + 8]); + if(jrm_size > le2int(&out_buffer[fw_off + 4]) * 3) + errorf(ZEN_FW_INVALID, "[ERR] Decrypted length of encoded block is unexpectedly large: 0x%08x\n", jrm_size); + printf("[INFO] Firmware size: %d\n", jrm_size); + uint8_t *jrm = malloc(jrm_size); + if(jrm == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory\n"); + memset(buffer, 0, jrm_size); + + /** decompress firmware */ + printf("[INFO] Decompressing encoded block... "); + if(!cenc_decode(&out_buffer[fw_off + 12], le2int(&out_buffer[fw_off + 4]) - 4, jrm, jrm_size)) + errorf(ZEN_ERROR, "Fail!\n[ERR] Couldn't decompress the encoded block\n"); + printf("Done!\n"); + + /** Copy OF because patching might modify it */ + void *jrm_save = malloc(jrm_size); + uint32_t jrm_save_size = jrm_size; + if(jrm_save == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't allocate memory"); + memcpy(jrm_save, jrm, jrm_size); + + /** Patch firmware */ + err = patch_firmware(&jrm, &jrm_size, boot, boot_size, opt); + if(err != ZEN_SUCCESS) + errorf(err, "[ERR] Couldn't patch firmware\n"); + + /** Rebuild archive */ + bool keep_old_bits = opt.output == ZEN_DUALBOOT || opt.output == ZEN_MIXEDBOOT; + bool keep_of = opt.output == ZEN_MIXEDBOOT; + /* if we keep old stuff, keep everything up to LT block, otherwise just CIFF header */ + uint32_t off = keep_old_bits ? fw_off : 8; + /* move the rest of the archive if keeping old stuff */ + if(keep_old_bits) + { + uint32_t copy_off = fw_off + 8 + le2int(&out_buffer[fw_off + 4]); + uint32_t copy_size = ciff_size - fw_off - 8 - le2int(&out_buffer[fw_off + 4]) - 28; + memmove(&out_buffer[off], &out_buffer[copy_off], copy_size); + off += copy_size; + } + /* if we keep the OF, put a copy of it after renaming it to Hcreativeos.jrm */ + if(keep_of) + { + out_buffer = realloc(out_buffer, off + jrm_save_size + 40); + if(out_buffer == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); + printf("[INFO] Renaming encoded block to Hcreativeos.jrm... "); + memcpy(&out_buffer[off], "ATAD", 4); + int2le(jrm_save_size + 32, &out_buffer[off + 4]); + memset(&out_buffer[off + 8], 0, 32); + memcpy(&out_buffer[off + 8], "H\0c\0r\0e\0a\0t\0i\0v\0e\0o\0s\0.\0j\0r\0m", 30); + memcpy(&out_buffer[off + 40], jrm_save, jrm_save_size); + off += jrm_save_size + 40; + printf("Done!\n"); + } + /* put modified firmware */ + out_buffer = realloc(out_buffer, off + jrm_size + 40); + if(out_buffer == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); + printf("[INFO] Adding Hjukebox2.jrm... "); + memcpy(&out_buffer[off], "ATAD", 4); + int2le(jrm_size + 32, &out_buffer[off + 4]); + memset(&out_buffer[off + 8], 0, 32); + memcpy(&out_buffer[off + 8], "H\0j\0u\0k\0e\0b\0o\0x\0""2\0.\0j\0r\0m", 26); + memcpy(&out_buffer[off + 40], jrm, jrm_size); + off += jrm_size + 40; + printf("Done!\n"); + + /** fix header */ + int2le(off - 8, &out_buffer[4]); + + /** update checksum */ + printf("[INFO] Updating checksum... "); + out_buffer = realloc(out_buffer, off + 28); + if(out_buffer == NULL) + errorf(ZEN_ERROR, "[ERR] Couldn't resize memory block\n"); + memcpy(&out_buffer[off], "LLUN", 4); + int2le(20, &out_buffer[off + 4]); + hmac_sha1((unsigned char*)player->null_key, strlen(player->null_key), out_buffer, + off, &out_buffer[off + 8]); + off += 28; + printf("Done!\n"); + + err = write_file(outfile, out_buffer, off); + + free(jrm); + free(jrm_save); + free(out_buffer); + return err; +} + +/* find an entry into zen_sums which matches the MD5 sum of a file */ +static enum zen_error_t find_model_by_md5sum(uint8_t file_md5sum[16], int *md5_idx) +{ + int i = 0; + while(i < NR_ZEN_SUMS) + { + uint8_t md5[20]; + if(strlen(zen_sums[i].md5sum) != 32) + errorf(ZEN_ERROR, "[ERR][INTERNAL] Invalid MD5 sum in zen_sums\n"); + for(int j = 0; j < 16; j++) + { + uint8_t a, b; + if(convxdigit(zen_sums[i].md5sum[2 * j], &a) || convxdigit(zen_sums[i].md5sum[2 * j + 1], &b)) + errorf(ZEN_ERROR, "[ERR][INTERNAL] Bad checksum format: %s\n", zen_sums[i].md5sum); + md5[j] = (a << 4) | b; + } + if(memcmp(file_md5sum, md5, 16) == 0) + break; + i++; + } + if(i == NR_ZEN_SUMS) + errorf(ZEN_NO_MATCH, "[ERR] MD5 sum doesn't match any known file\n"); + *md5_idx = i; + return ZEN_SUCCESS; +} + +enum zen_error_t mkzenboot(const char *infile, const char *bootfile, + const char *outfile, struct zen_option_t opt) +{ + /* determine firmware model */ + void *fw; + size_t fw_size; + enum zen_error_t err = read_file(infile, &fw, &fw_size); + uint8_t file_md5sum[16]; + err = compute_md5sum_buf(fw, fw_size, file_md5sum); + if(err != ZEN_SUCCESS) + { + free(fw); + return err; + } + printf("[INFO] MD5 sum of the file: "); + for(int i = 0; i < 16; i++) + printf("%02X ", file_md5sum[i]); + printf("\n"); + if(opt.model == MODEL_UNKNOWN) + { + int idx; + err = find_model_by_md5sum(file_md5sum, &idx); + if(err != ZEN_SUCCESS) + { + free(fw); + errorf(err, "[ERR] Cannot determine model type\n"); + } + opt.model = zen_sums[idx].model; + printf("[INFO] MD5 matches %s, version %s\n", + zen_models[opt.model].model_name, zen_sums[idx].version); + } + printf("[INFO] Model is: %s\n", zen_models[opt.model].model_name); + /* load rockbox file */ + uint8_t *boot; + size_t boot_size; + err = read_file(bootfile, (void **)&boot, &boot_size); + if(err != ZEN_SUCCESS) + { + free(fw); + errorf(err, "[ERR] Cannot read boot file\n"); + } + /* validate checksum */ + if(memcmp(boot + 4, zen_models[opt.model].rb_model_name, 4) != 0) + { + free(fw); + free(boot); + errorf(ZEN_BOOT_MISMATCH, "[ERR] Boot model mismatch\n"); + } + printf("[INFO] Bootloader file matches model\n"); + uint32_t sum = zen_models[opt.model].rb_model_num; + for(int i = 8; i < boot_size; i++) + sum += boot[i]; + if(sum != be2int(boot)) + { + free(fw); + free(boot); + errorf(ZEN_BOOT_CHECKSUM_ERROR, "[ERR] Checksum mismatch\n"); + } + printf("[INFO] Bootloader file checksum is correct\n"); + /* produce file */ + err = build_firmware(fw, fw_size, boot + 8, boot_size - 8, outfile, opt); + free(boot); + free(fw); + return err; +} diff --git a/rbutil/mkzenboot/mkzenboot.h b/rbutil/mkzenboot/mkzenboot.h new file mode 100644 index 0000000000..8da3e25762 --- /dev/null +++ b/rbutil/mkzenboot/mkzenboot.h @@ -0,0 +1,86 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ + +#ifndef MKZENBOOT_H +#define MKZENBOOT_H + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +enum zen_error_t +{ + ZEN_SUCCESS = 0, + ZEN_ERROR = -1, + ZEN_OPEN_ERROR = -2, + ZEN_READ_ERROR = -3, + ZEN_NO_MATCH = -4, + ZEN_BOOT_INVALID = -5, + ZEN_BOOT_MISMATCH = -6, + ZEN_BOOT_CHECKSUM_ERROR = -7, + ZEN_DONT_KNOW_HOW_TO_PATCH = -8, + ZEN_WRITE_ERROR = -9, + ZEN_UNSUPPORTED = 10, + ZEN_FW_INVALID = -11, + ZEN_FW_MISMATCH = -12, + ZEN_FIRST_ZENTOOLS_ERROR = -12, +}; + +enum zen_output_type_t +{ + ZEN_DUALBOOT = 0, /* keep all OF data and pack OF+RB into firmware for dualboot */ + ZEN_MIXEDBOOT, /* rename OF, keep data, put RB as firmware, use RB bootloader to dualboot */ + ZEN_RECOVERY, /* only put rockbox with recovery mode */ + ZEN_SINGLEBOOT, /* only put rockbox with recovery mode */ +}; + +/* Supported models */ +enum zen_model_t +{ + MODEL_UNKNOWN = 0, + MODEL_ZENMOZAIC, + MODEL_ZENV, + MODEL_ZENXFI, + MODEL_ZEN, + /* new models go here */ + + NUM_MODELS +}; + +struct zen_option_t +{ + bool debug; + enum zen_output_type_t output; + enum zen_model_t model; /* pass MODEL_UNKNOWN to use MD5 knowledge base */ +}; + +enum zen_error_t mkzenboot(const char *infile, const char *bootfile, + const char *outfile, struct zen_option_t opt); + +#ifdef __cplusplus +} +#endif +#endif + diff --git a/rbutil/mkzenboot/utils.c b/rbutil/mkzenboot/utils.c new file mode 100644 index 0000000000..b8ef3be237 --- /dev/null +++ b/rbutil/mkzenboot/utils.c @@ -0,0 +1,896 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2008 by Maurus Cuelenaere + * Based on zenutils by Rasmus Ry + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ +#include "utils.h" +#include "md5.h" +#include +//#include "hmac-sha1.h" + +int filesize(FILE* fd) +{ + int tmp, tmp2 = ftell(fd); + fseek(fd, 0, SEEK_END); + tmp = ftell(fd); + fseek(fd, tmp2, SEEK_SET); + return tmp; +} + +unsigned int le2int(unsigned char* buf) +{ + return ((buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0]); +} + +unsigned int be2int(unsigned char* buf) +{ + return ((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]); +} + +void int2le(unsigned int val, unsigned char* addr) +{ + addr[0] = val & 0xFF; + addr[1] = (val >> 8) & 0xff; + addr[2] = (val >> 16) & 0xff; + addr[3] = (val >> 24) & 0xff; +} + +const char* find_firmware_key(const unsigned char* buffer, size_t len) +{ + char szkey1[] = "34d1"; + size_t cchkey1 = strlen(szkey1); + char szkey2[] = "TbnCboEbn"; + size_t cchkey2 = strlen(szkey2); + uint32_t i; + for (i = 0; i < (uint32_t)len; i++) + { + if (len >= cchkey1) + { + if (!strncmp((char*)&buffer[i], szkey1, cchkey1)) + return (const char*)&buffer[i]; + } + if (len >= cchkey2) + { + if (!strncmp((char*)&buffer[i], szkey2, cchkey2)) + return (const char*)&buffer[i]; + } + } + return NULL; +} + +uint32_t find_firmware_offset(unsigned char* buffer, size_t len) +{ + uint32_t i; + for (i = 0; i < (uint32_t)len; i += 0x10) + { + if (buffer[i + sizeof(uint32_t)] != 0 + && buffer[i + sizeof(uint32_t) + 1] != 0 + && buffer[i + sizeof(uint32_t) + 2] != 0 + && buffer[i + sizeof(uint32_t) + 3] != 0) + { + return i; + } + if(i > 0xFF) /* Arbitrary guess */ + return 0; + } + return 0; +} + +bool crypt_firmware(const char* key, unsigned char* buffer, size_t len) +{ + char key_cpy[255]; + unsigned int i; + unsigned int tmp = 0; + int key_length = strlen(key); + + strcpy(key_cpy, key); + for(i=0; i < strlen(key); i++) + key_cpy[i] = key[i] - 1; + + for(i=0; i < len; i++) + { + buffer[i] ^= key_cpy[tmp] | 0x80; + tmp = (tmp + 1) % key_length; + } + + return true; +} + +bool inflate_to_buffer(const unsigned char *buffer, size_t len, unsigned char* out_buffer, size_t out_len, char** err_msg) +{ + /* Initialize Zlib */ + z_stream d_stream; + int ret; + + d_stream.zalloc = Z_NULL; + d_stream.zfree = Z_NULL; + d_stream.opaque = Z_NULL; + + d_stream.next_in = (unsigned char*)buffer; + d_stream.avail_in = len; + + ret = inflateInit(&d_stream); + if (ret != Z_OK) + { + *err_msg = d_stream.msg; + return false; + } + + d_stream.next_out = out_buffer; + d_stream.avail_out = out_len; + + ret = inflate(&d_stream, Z_SYNC_FLUSH); + if(ret < 0) + { + *err_msg = d_stream.msg; + return false; + } + else + inflateEnd(&d_stream); + + return true; +} + +#define CODE_MASK 0xC0 +#define ARGS_MASK 0x3F + +#define REPEAT_CODE 0x00 +#define BLOCK_CODE 0x40 +#define LONG_RUN_CODE 0x80 +#define SHORT_RUN_CODE 0xC0 + +#define BLOCK_ARGS 0x1F +#define BLOCK_MODE 0x20 + + +static void decode_run(unsigned char* dst, uint16_t len, unsigned char val, + int* dstidx) +{ + memset(dst + *dstidx, val, len); + *dstidx += len; +} + +static void decode_pattern(unsigned char* src, unsigned char* dst, + uint16_t len, int* srcidx, int* dstidx, + bool bdecode, int npasses) +{ + int i, j; + for (i = 0; i < npasses; i++) + { + if (bdecode) + { + for (j = 0; j < len; j++) + { + uint16_t c, d; + c = src[*srcidx + j]; + d = (c >> 5) & 7; + c = (c << 3) & 0xF8; + src[*srcidx + j] = (unsigned char)(c | d); + } + bdecode = false; + } + memcpy(dst + *dstidx, src + *srcidx, len); + *dstidx += len; + } + *srcidx += len; +} + +int cenc_decode(unsigned char* src, int srclen, unsigned char* dst, int dstlen) +{ + int i = 0, j = 0; + do + { + uint16_t c, d, e; + c = src[i++]; + switch (c & CODE_MASK) + { + case REPEAT_CODE: /* 2 unsigned chars */ + d = src[i++]; + d = d + 2; + + e = (c & ARGS_MASK) + 2; + + decode_pattern(src, dst, e, &i, &j, false, d); + break; + + case BLOCK_CODE: /* 1/2/3 unsigned chars */ + d = c & BLOCK_ARGS; + if (!(c & BLOCK_MODE)) + { + e = src[i++]; + e = (d << 8) + (e + 0x21); + + d = (uint16_t)(i ^ j); + } + else + { + e = d + 1; + + d = (uint16_t)(i ^ j); + } + if (d & 1) + { + i++; + } + + decode_pattern(src, dst, e, &i, &j, true, 1); + break; + + case LONG_RUN_CODE: /* 3 unsigned chars */ + d = src[i++]; + e = ((c & ARGS_MASK) << 8) + (d + 0x42); + + d = src[i++]; + d = ((d & 7) << 5) | ((d >> 3) & 0x1F); + + decode_run(dst, e, (unsigned char)(d), &j); + break; + + case SHORT_RUN_CODE: /* 2 unsigned chars */ + d = src[i++]; + d = ((d & 3) << 6) | ((d >> 2) & 0x3F); + + e = (c & ARGS_MASK) + 2; + + decode_run(dst, e, (unsigned char)(d), &j); + break; + }; + } while (i < srclen && j < dstlen); + + return j; +} + +/* + * Copyright (c) 1999, 2000, 2002 Virtual Unlimited B.V. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + */ + +#define BLOWFISHROUNDS 16 +#define BLOWFISHPSIZE (BLOWFISHROUNDS+2) +#define WORDS_BIGENDIAN 0 + +struct blowfishParam +{ + uint32_t p[BLOWFISHPSIZE]; + uint32_t s[1024]; + uint32_t fdback[2]; +}; + +typedef enum +{ + NOCRYPT, + ENCRYPT, + DECRYPT +} cipherOperation; + +static inline uint32_t swapu32(uint32_t n) +{ + return ( ((n & 0xffU) << 24) | + ((n & 0xff00U) << 8) | + ((n & 0xff0000U) >> 8) | + ((n & 0xff000000U) >> 24) ); +} + +static uint32_t _bf_p[BLOWFISHPSIZE] = { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b +}; + +static uint32_t _bf_s[1024] = { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a, + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7, + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0, + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6 +}; + +#define EROUND(l,r) l ^= *(p++); r ^= ((s[((l>>24)&0xff)+0x000]+s[((l>>16)&0xff)+0x100])^s[((l>>8)&0xff)+0x200])+s[((l>>0)&0xff)+0x300] +#define DROUND(l,r) l ^= *(p--); r ^= ((s[((l>>24)&0xff)+0x000]+s[((l>>16)&0xff)+0x100])^s[((l>>8)&0xff)+0x200])+s[((l>>0)&0xff)+0x300] + +static int blowfishEncrypt(struct blowfishParam* bp, uint32_t* dst, const uint32_t* src) +{ + #if WORDS_BIGENDIAN + register uint32_t xl = src[0], xr = src[1]; + #else + register uint32_t xl = swapu32(src[0]), xr = swapu32(src[1]); + #endif + register uint32_t* p = bp->p; + register uint32_t* s = bp->s; + + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + EROUND(xl, xr); EROUND(xr, xl); + + #if WORDS_BIGENDIAN + dst[1] = xl ^ *(p++); + dst[0] = xr ^ *(p++); + #else + dst[1] = swapu32(xl ^ *(p++)); + dst[0] = swapu32(xr ^ *(p++)); + #endif + + return 0; +} + +static int blowfishDecrypt(struct blowfishParam* bp, uint32_t* dst, const uint32_t* src) +{ + #if WORDS_BIGENDIAN + register uint32_t xl = src[0], xr = src[1]; + #else + register uint32_t xl = swapu32(src[0]), xr = swapu32(src[1]); + #endif + register uint32_t* p = bp->p+BLOWFISHPSIZE-1; + register uint32_t* s = bp->s; + + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + DROUND(xl, xr); DROUND(xr, xl); + + #if WORDS_BIGENDIAN + dst[1] = xl ^ *(p--); + dst[0] = xr ^ *(p--); + #else + dst[1] = swapu32(xl ^ *(p--)); + dst[0] = swapu32(xr ^ *(p--)); + #endif + + return 0; +} + +static int blowfishSetup(struct blowfishParam* bp, const unsigned char* key, size_t keybits, cipherOperation op) +{ + if ((op != ENCRYPT) && (op != DECRYPT)) + return -1; + + if (((keybits & 7) == 0) && (keybits >= 32) && (keybits <= 448)) + { + register uint32_t* p = bp->p; + register uint32_t* s = bp->s; + register unsigned int i, j, k; + + uint32_t tmp, work[2]; + + memcpy(s, _bf_s, 1024 * sizeof(uint32_t)); + + for (i = 0, k = 0; i < BLOWFISHPSIZE; i++) + { + tmp = 0; + for (j = 0; j < 4; j++) + { + tmp <<= 8; + tmp |= key[k++]; + if (k >= (keybits >> 3)) + k = 0; + } + p[i] = _bf_p[i] ^ tmp; + } + + work[0] = work[1] = 0; + + for (i = 0; i < BLOWFISHPSIZE; i += 2, p += 2) + { + blowfishEncrypt(bp, work, work); + #if WORDS_BIGENDIAN + p[0] = work[0]; + p[1] = work[1]; + #else + p[0] = swapu32(work[0]); + p[1] = swapu32(work[1]); + #endif + } + + for (i = 0; i < 1024; i += 2, s += 2) + { + blowfishEncrypt(bp, work, work); + #if WORDS_BIGENDIAN + s[0] = work[0]; + s[1] = work[1]; + #else + s[0] = swapu32(work[0]); + s[1] = swapu32(work[1]); + #endif + } + + /* clear fdback/iv */ + bp->fdback[0] = 0; + bp->fdback[1] = 0; + + return 0; + } + return -1; +} + +static int blowfishSetIV(struct blowfishParam* bp, const unsigned char* iv) +{ + if (iv) + memcpy(bp->fdback, iv, 8); + else + memset(bp->fdback, 0, 8); + + return 0; +} + +#define BLOWFISH_BLOCKSIZE 8 +static int blowfishDecryptCBC(struct blowfishParam* bp, uint32_t* dst, const uint32_t* src, unsigned int nblocks) +{ + register const unsigned int blockwords = BLOWFISH_BLOCKSIZE >> 2; + register uint32_t* fdback = bp->fdback; + register uint32_t* buf = (uint32_t*) malloc(blockwords * sizeof(uint32_t)); + + if (buf) + { + while (nblocks > 0) + { + register uint32_t tmp; + register unsigned int i; + + blowfishDecrypt(bp, buf, src); + + for (i = 0; i < blockwords; i++) + { + tmp = src[i]; + dst[i] = buf[i] ^ fdback[i]; + fdback[i] = tmp; + } + + dst += blockwords; + src += blockwords; + + nblocks--; + } + free(buf); + return 0; + } + + return -1; +} + +bool bf_cbc_decrypt(const unsigned char* key, size_t keylen, + unsigned char* data, size_t datalen, + const unsigned char* iv) +{ + struct blowfishParam param; + unsigned char *cipher; + unsigned int nblocks; + + if (datalen % BLOWFISH_BLOCKSIZE) + return false; + + if (blowfishSetup(¶m, key, keylen * 8, ENCRYPT)) + return false; + if (blowfishSetIV(¶m, iv)) + return false; + + cipher = malloc(datalen); + memcpy(cipher, data, datalen); + + nblocks = datalen / BLOWFISH_BLOCKSIZE; + if (blowfishDecryptCBC(¶m, (uint32_t*)data, (uint32_t*)cipher, + nblocks)) + { + free(cipher); + return false; + } + + free(cipher); + return true; +} + +uint32_t swap(uint32_t val) +{ + return ((val & 0xFF) << 24) + | ((val & 0xFF00) << 8) + | ((val & 0xFF0000) >> 8) + | ((val & 0xFF000000) >> 24); +} + +/* read a file to a buffer */ +enum zen_error_t read_file(const char *file, void **buffer, size_t *size) +{ + FILE *f = fopen(file, "rb"); + if(f == NULL) + { + printf("[ERR] Cannot open file '%s' for reading: %m\n", file); + return ZEN_OPEN_ERROR; + } + fseek(f, 0, SEEK_END); + *size = ftell(f); + fseek(f, 0, SEEK_SET); + *buffer = malloc(*size); + if(fread(*buffer, *size, 1, f) != 1) + { + free(*buffer); + fclose(f); + printf("[ERR] Cannot read file '%s': %m\n", file); + return ZEN_READ_ERROR; + } + fclose(f); + return ZEN_SUCCESS; +} + +/* write a file from a buffer */ +enum zen_error_t write_file(const char *file, void *buffer, size_t size) +{ + FILE *f = fopen(file, "wb"); + if(f == NULL) + { + printf("[ERR] Cannot open file '%s' for writing: %m\n", file); + return ZEN_OPEN_ERROR; + } + if(fwrite(buffer, size, 1, f) != 1) + { + fclose(f); + printf("[ERR] Cannot write file '%s': %m\n", file); + return ZEN_WRITE_ERROR; + } + fclose(f); + return ZEN_SUCCESS; +} + +/* compute MD5 sum of a buffer */ +enum zen_error_t compute_md5sum_buf(void *buf, size_t sz, uint8_t file_md5sum[16]) +{ + md5_context ctx; + md5_starts(&ctx); + md5_update(&ctx, buf, sz); + md5_finish(&ctx, file_md5sum); + return ZEN_SUCCESS; +} + +/* compute MD5 of a file */ +enum zen_error_t compute_md5sum(const char *file, uint8_t file_md5sum[16]) +{ + void *buf; + size_t sz; + enum zen_error_t err = read_file(file, &buf, &sz); + if(err != ZEN_SUCCESS) + return err; + compute_md5sum_buf(buf, sz, file_md5sum); + free(buf); + return ZEN_SUCCESS; +} + +enum zen_error_t find_pe_data(void *fw, size_t fw_size, uint32_t *data_ptr, uint32_t *data_size) +{ + uint8_t *buffer = fw; + /* Rudimentary Win32 PE reading to find .data section */ + if(memcmp(&buffer[0], "MZ", 2) != 0 && memcmp(&buffer[0x118], "PE", 2) != 0) + { + printf("[ERR] Input file isn't an executable\n"); + return ZEN_FW_INVALID; + } + *data_ptr = 0, *data_size = 0; + uint32_t start_sec_addr = /*sizeof NT headers */ 0xf8 + + /* address of opt header */*(uint32_t *)&buffer[0x3c]; + for(uint32_t i = start_sec_addr; i < 0x1000; i += 0x28) + { + if(strcmp((char*)&buffer[i], ".data") == 0) + { + *data_ptr = le2int(&buffer[i + 0x14]); + *data_size = le2int(&buffer[i + 0x10]); + break; + } + } + if(*data_ptr == 0 || *data_size == 0) + { + printf("[ERR] Couldn't find .data section\n"); + return ZEN_FW_INVALID; + } + return ZEN_SUCCESS; +} + +int convxdigit(char digit, uint8_t *val) +{ + if(digit >= '0' && digit <= '9') + { + *val = digit - '0'; + return 0; + } + else if(digit >= 'A' && digit <= 'F') + { + *val = digit - 'A' + 10; + return 0; + } + else if(digit >= 'a' && digit <= 'f') + { + *val = digit - 'a' + 10; + return 0; + } + else + return 1; +} diff --git a/rbutil/mkzenboot/utils.h b/rbutil/mkzenboot/utils.h new file mode 100644 index 0000000000..56edb4e20b --- /dev/null +++ b/rbutil/mkzenboot/utils.h @@ -0,0 +1,53 @@ +/*************************************************************************** + * __________ __ ___. + * Open \______ \ ____ ____ | | _\_ |__ _______ ___ + * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / + * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < + * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ + * \/ \/ \/ \/ \/ + * $Id$ + * + * Copyright (C) 2013 by Amaury Pouly + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ****************************************************************************/ +#ifndef __UTILS__ +#define __UTILS__ + +#include +#include +#include +#include +#include +#include +#include "mkzenboot.h" +#include "hmac-sha1.h" + +int filesize(FILE* fd); +unsigned int le2int(unsigned char* buf); +unsigned int be2int(unsigned char* buf); +void int2le(unsigned int val, unsigned char* addr); +const char* find_firmware_key(const unsigned char* buffer, size_t len); +uint32_t find_firmware_offset(unsigned char* buffer, size_t len); +bool crypt_firmware(const char* key, unsigned char* buffer, size_t len); +bool inflate_to_buffer(const unsigned char *buffer, size_t len, + unsigned char* out_buffer, size_t out_len, char** err_msg); +int cenc_decode(unsigned char* src, int srclen, unsigned char* dst, int dstlen); +bool bf_cbc_decrypt(const unsigned char* key, size_t keylen, unsigned char* data, + size_t datalen, const unsigned char* iv); +uint32_t swap(uint32_t val); +enum zen_error_t compute_md5sum(const char *file, uint8_t file_md5sum[16]); +enum zen_error_t compute_md5sum_buf(void *buf, size_t sz, uint8_t file_md5sum[16]); +enum zen_error_t read_file(const char *file, void **buffer, size_t *size); +enum zen_error_t write_file(const char *file, void *buffer, size_t size); +enum zen_error_t find_pe_data(void *fw, size_t fw_size, uint32_t *data_ptr, uint32_t *data_size); +int convxdigit(char digit, uint8_t *val); + +#endif /* __UTILS__ */ \ No newline at end of file