Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
Since the nwz_lib does not have any nvp code yet, it's quite of ugly hack
with hardcoded nvp node (11) for shipment information (shp). Thus I whitelisted
two series (NWZ-E460 and NWZ-A860) which I know for sure use this node ID.
Change-Id: I94c9b0db1f9d7ad764d2aa50576a911e710f25e1
This list can map from model id to device name. It was automatically extracted
from Sony's tools. In the future, we will probably generate it from a clean
database containing more useful information.
Change-Id: Ibe580edf25b60bf0bf4aef4a06f40dddd19c5404
This is useful because there is no easy way to get it except from Sony's tool,
unless one knows the npv node, but that requires to know the model already...
Change-Id: I202f7cdb2f7cf924cc5bdb53c17e34600d4bf153
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
This is code is intended to development into a library of code for the NWZ that
will be useful to write the "bootloader" on those device. At the same time, it
comes with test programs that are easy to run in firmware upgrade mode and also
provide a great test bench for the library. At the moment, two test programs are
available:
- test_display: simply prints two messages using /usr/bin/lcdmsg
- test_keys: displays input key event
Change-Id: I9d214894ffc9127b528fcdd3eb5d6b61f4e657a7
The exec_file allows to embed a script/executable and run it on target. It takes
of unpacking, remounting contents rw and redirect output to exec.txt at the root
of the drive. More generally, rework how the makefile works.
Change-Id: Iec719227be96e80701ad8f5398d2d34389f4da9e
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
There is a windows port of the sg_utils library for scsi pass-
through. This little changes make it compile under mingw. A better
fix would be to implement direct ioctl on both windows and linux
but that's already better than nothing
Change-Id: I0d77cd1bad69806a66f0590362f165f24fa240e9
There is a vendor specific command to read the NVP of the device,
including the KAS. The trick is that the data is randomly
scrambled using a so-called para_noise array of random values.
There seems to be a problem when retrieving large entries (>1000
bytes typically) which causes sg_pt do behave strangely.
Change-Id: Iefa6140df78ab9c7dcf7ac34cb1170979123ecd7
This tool can send vendor specific scsi commands to sony nwz
players such as getting serial number, model id, device info,
and others. It can potentially be used to get some private keys
stored on the device but probably not the KAS used to encrypt
firmware upgrades images(UPG).
Change-Id: Ia49c1edf8d421b20c4e9afeb1192e00e06eb6047
This tool is specific to the em1/mp200 sony based players. In
deals with raw emmc images (which is possible but hard to get).
This tool is also useful as a documentation of the underlying
emmc format used for a future port.
Change-Id: I66c9b0e47351e5d89f6a404aa62038e00fdc1093
