After some reverse engineering, it appears that the keys of the
sb1 format are very weak: the 128 bytes are generated from the
laserfuse words 4,5 and 6 but in a weird manner: 4 and 5 are
simply ORed and 6 is only half used (somehow), making it "only" a
48 bit word to find.
Change-Id: I40702e19d0924ef51c01894efce3cb65bd664456
There is a windows port of the sg_utils library for scsi pass-
through. This little changes make it compile under mingw. A better
fix would be to implement direct ioctl on both windows and linux
but that's already better than nothing
Change-Id: I0d77cd1bad69806a66f0590362f165f24fa240e9
This is a common problem that proprietary tools don't handle ELF
files correctly. ELF sections use a virtual address and the
virtual -> physical translation is done though segments. This
allows to have a load (physical) address different from the
virtual one. Here is the trick: proprietary tools usually don't
take the pain to do the translation and just grab the virtual
address. This commit implements proper translation in elftosb1
knowing that this introduce a deviation from the behaviour of the
proprietary tool.
Change-Id: I91721a3a8dead382a0603f84ae3b35c5eb9704eb
The tool still lacks some feature of the proprietary one but
can create files with all the basic features.
Change-Id: Ib0c91210940ca829291ce70945f88dc510a49974
The PWM code was for testing only the Zen X-Fi and should be
present in general because it could touch pins by error and
without producing any result.
Change-Id: Id20e2940cd7a057941d241254d0a867f5451e2db
It appears that all devices based on the Sigmaltel SDK support a
common vendor specific SCSI interface when in UMS mode. This
applies to the STMP36xx and the STMP37xx. This interface supports
many operations:
- get device info
- get device paritionning
- get janus/drm info
- read/write/allocate/erase any partition
- reset (chip or to updater and/or recovery)
This includes the ability to do a firmware upgrade by rewriting
the firmware partition. The tool currently does mostly nothing
but will be enhanced depending on the reverse engineering efforts
and the use of it. It has been tested on the Fuze+ and the Zen
X-Fi2/3.
Change-Id: Ibd4b2ad364c03ada4f9001573ef4cc87cfb041d1
This tool is very preliminary but could be use for whatever
purpose since the format of the rsrc sections is now known.
By the way it appears that this format is the same as the
one use by the stmp36xx for its resources.
Change-Id: Idd7057f5cdce5af9726904169bb100c8bacb0981
While elf simplification is a powerful tool it can be useful to
prevent it from happening for debug purposes. Also add a missing
switch description in usage() and missing static.
Change-Id: I80a1904dc4340c412bd3de1c124a2e38d6ac11a2
This is less useful is most cases because sb2 doesn't have the
size restritions but some elf are produced with one section per
file and still yield dozens or hundreds of sections. And this free
anyway so we can do it.
Change-Id: Ia5ca83a8375063ecc7052d1ea73b2b21c00be730
Load, fill and call/jump instructions are extracted as elf files
like for sb2. Because of the size limitations of the sb1
instructions, the resulting elf files can easily have hundreds of
sections. The (currently) implemented elf simplification method
will hopefully reduce this to a few sections only
Change-Id: I8fd6ed935ac3128f244bbd71c782e2a0a1c6d44a
Implement actual loading of a sb1 file to a structure in full
generality. Also implement dumping for debug purpose
Change-Id: I320035ea628719480a79aaccb05dce9a83256927
The STMP36xx series also uses .sb files but with a different
format. The main differences are the encryption and the lack of
sections, making it basically a list of commands: fill, load,
call, jump, switch mode, set sdram settings. Currently only the
sbtoelf has support for the sb1 and can only dump the list of
commands. Actual support for elf creation will come later.
Change-Id: I1f2e0230c91ac64efd0e8430e0c5212098c599fd
The hwemul tool is a small binary blob running on the device
that can received commands over USB. It is mainly intended to be
loaded using the recory mode and allows to read/write registers,
memory, use the OTP device, ... The tool is split into three
parts: dev/ contains the actual blob (which handles both imx233
and stmp3700), lib/ contains the communication library and can
also use the register description produced by the regtools/
to ease register by name, tools/ contains an interactive tool
to send commands to the device when running the blob.
Change-Id: Ie8cb32e987f825d8ed750d48071e43415b4dacb3
These files were produced by parsing some linux and/or sigmatel
provided headers and later tweaked by hand or by programs.
Each file describes one or more soc. A soc has a list of devices.
Each device can either be unique or have several copies at
different addresses. Each device has a list of registers which
can either be unique or indexed. Each register can further have
a list of fields. Registers with a SCT variant are also handled.
Change-Id: Ib50bb3fda268b6d5713f81bd8961de7978a5815e
These tools allow one to read a register description in a XML
file and to produce something useful out of it. Three example
programs are written:
- tester which simply prints the register tree
- headergen which produces a set of headers with the #define
- hwemulgen which produces something for the hwemul tool (to come)
Change-Id: I52573688b29d5faeaf64ce7c5ffe08ee8db3d33c
In the case of encrypted SB files without any key match, it is
still possible to dump the section headers. The force option
allows one to do so. It also allows to dump unencrypted sections
of encrypted files if there are some.
Change-Id: I36280230679ac5903f9c451c68c276f5c6959536