Commit graph

1052 commits

Author SHA1 Message Date
Amaury Pouly
d1ca2e45e9 atjboottool: cleanup and add support for atj2127
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrite (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.

Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
2017-07-30 14:32:12 +02:00
Amaury Pouly
37a945d203 nwztools/scsitool: add a command to query multiple nvp nodes at once
Change-Id: I89fed904b282a202bc845b08f4c8d1200a49636d
2017-06-18 23:16:18 +02:00
Amaury Pouly
91ede1ea08 nwztools/scsitool: fix devinfo, add dhp
The devinfo request returned the raw data, now the tool prints the various
fields. Also add support for the dhp (destination/headphones/color ...): this
one is untested because it's only supported starting from A10 or A20. There is
still a problem with the dpcc prop: although it should work for DEVINFO, it does
not, despite the fact that the get_dev_info command works and is internally (on
the Sony) translated into a dpcc request. I keep the code just in case.

Change-Id: I5aa8ef4afb0b11d3c0ddfa3d38f3e737ee1aff66
2017-06-18 13:37:26 +02:00
Amaury Pouly
8d5dcd395d nwztools/scsitool: print error on check sense
The detailled error message is only printed if -d switch is on command line,
otherwise there is no error message which is wrong so fix that.

Change-Id: I397541c467940e9b290ee8d4ae704368b1ce132b
2017-06-18 13:35:42 +02:00
Amaury Pouly
e9bb9a25ad nwztools: add KAS for NW-S10 (brute-forced using upgtool)
Change-Id: Ia37818faee29130ffe3690c83f85a39bd35637e0
2017-06-13 21:03:03 +02:00
Amaury Pouly
cd812218ab nwztools: add nvp description for NW-S10 series
Change-Id: Id6a6e51288f4ff24c0063b6c16b74109211e63c0
2017-06-13 20:41:43 +02:00
Amaury Pouly
28c3f6b4d3 Add NW-A36 and NW-A37 model IDs, based on the A30 service manual.
I am unsure about the names of the player, the manual says A36HN and A37HN but
at the same time there is a A35 and A35HN with the same ID, and Sony does not
usually put the "HN" in its device list.

Change-Id: Idbf32970aa334b30f1b8947a78b8eebd524b193b
2017-06-05 16:17:13 -05:00
Igor Skochinsky
03dd4b92be nwztools/database: misc improvements
* make gen_db.py work on Windows/Python 2

- use hashlib module instead of md5sum, also don't rely on / for file path
matching
- don't use 'file' for a variable name

* fix parse_nvp_header.sh for older kernels

pre-emmc kernel sources use a slightly different #define format; adjust
regexp to catch it.

* add nwz-x1000 series NVP layout (from icx1087_nvp.h)

some new tags have no description, alas the driver doesn't have
them :/

*  minor fixes to nvp/README

fixed typos/wording

Change-Id: I77d8c2704be2f2316e32aadcfd362df7102360d4
2017-04-25 11:24:24 +10:00
Igor Skochinsky
f1c8d63a76 nwztools/upgtools: misc fixes
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")

* hint that -o is needed when extracting

Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
2017-04-25 11:23:57 +10:00
Amaury Pouly
88dd2026c4 nwztools/upgtools: add key for NWZ-A840
Change-Id: I0a191db1970e64b5ced518c68861392ba342404f
2017-04-25 11:22:08 +10:00
Amaury Pouly
15e66a5b19 nwztools: small cleanups
Change-Id: I4fde020ca0556a84d051f9b5e46f49ee1241266e
2017-04-25 11:21:54 +10:00
Amaury Pouly
1597c4fe34 scsi: don't make the linux lib depend on a library header file
The code dependend on the sg_lib header being present, remove this dependency
so that we only need public headers.

Change-Id: I69398453635135deb33e2adf67f15ddb80e4ba16
2017-04-03 15:02:19 +02:00
Amaury Pouly
d052f13999 nwztools/script: fix dump_rootfs.sh to handle ext4
Change-Id: I04bd7599a58669df96dfd018a2ab0e3d53e06694
2017-02-04 17:20:09 +01:00
Amaury Pouly
2ea0ccb6c5 regtools/qeditor: replace deprecated QStyleOptionViewItemV4
...by QStyleOptionViewItem. Yes Qt got it right, in 5.7 they deprecated
QStyleOptionViewItemV4 and recommend using QStyleOptionViewItem which contains
less fields except on newer Qt where it contains all fields. Hopefully it still
works on Qt>4.x for a large enough value of x.

Change-Id: I013c383d2424b04c1c0745f0d7b1d5e62a29d324
2017-02-04 17:19:50 +01:00
Amaury Pouly
2a3a6bb4b3 regtools/qeditor: compute RAM size
Change-Id: I7bfb5cc25bc3dc55f379b2319b20dc9510434de0
2017-02-04 17:19:20 +01:00
Amaury Pouly
fa5324bbbb regtools/qeditor: enable imx233 analysers for imx233
The clock structure is identical, and the EMI are the same.
Also fix SSP clock, it was broken on imx233 as well.

Change-Id: I25ec66059b00b1a456ef2f02131d225082536c0a
2017-02-04 17:18:59 +01:00
Amaury Pouly
fafb770ca5 regtools/soc_desc: fix bug in library
Because a node ref is at root doesn't make it valid, check that soc is valid
otherwise we return garbage.

Change-Id: I6e5befc959dc670ab39a87484e87af6d90be7726
2017-02-04 17:18:37 +01:00
Amaury Pouly
6f0f1193e5 regtools: add new tool list/find/describe registers
Change-Id: I2d93d24bd421e1a2ea6d27b8f7cfd17311e6d458
2017-02-04 17:18:13 +01:00
Amaury Pouly
a1d1832049 hwstub: be more quiet about register description loading failure
Change-Id: I0edbb838022b71485179edec7361a6c554a1ab11
2017-01-24 15:34:20 +01:00
Amaury Pouly
30ac37b20b hwstub: fix memory leak in net backend
Change-Id: I98bef5aa0c518e698c42761d02899adde8bc4aca
2017-01-24 15:34:20 +01:00
Amaury Pouly
fdb98c258f hwstub/jz4760b: add lua code to probe for ei/di and ext instructions
Add lua code to check whether ei/di and ext instructions are supported. This
is unclear since xburst is somewhere between mips32r1 and mips32r2. Details
results are below, but in summary: they don't work (ei has no effect, di/ext
cause illegal instruction exceptions)

> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
  -f lua/xburst.lua -e "XBURST.test_ext_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
  data: d7168acf
error: lua/xburst.lua:209: call failed
trapped exception in call

> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
  -f lua/xburst.lua -e "XBURST.test_ei_di_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
Testing ei
  Test SR
    Enable interrupts with CP0
    SR: 0x1
    Disable interrupts with CP0
    SR: 0x0
  Test ei/di
    Enable interrupts with ei
    SR: 0x0
    Disable interrupts with di
error: lua/xburst.lua:244: call failed
trapped exception in call

Change-Id: I2e162b5dd5e70488bcd8b58f3ca401a3ecab3c4b
2017-01-24 15:34:20 +01:00
Amaury Pouly
9bb6050d40 hwstub: rewrite exception catching
Since we can catch exceptions like data aborts on read/write, it takes very
little to also catch exceptions in calls. When extending this with the catching
of illegal instructions, the call instruction now becomes much more robust and
also for address and instruction probing. Since we can catch several types of
exception, rename set_data_abort_jmp to set_exception_jmp. At the same time,
simplify the logic in read/write request handlers. Also fix a bug in ARM
jump code: it was using
  stmia r1, {..., pc}
as if pc would get current pc + 8 but this is actually implementation defined
on older ARMs (typically pc + 12) and deprecated on newer ARMs, so rewrite the
code avoid that. The set_exception_jmp() function now also reports the exception
type.

Change-Id: Icd0dd52d2456b361b27c4776be09c3d13528ed93
2017-01-24 15:34:19 +01:00
Amaury Pouly
f3cce72269 hwstub/jz460b: implement exception recovery
Now that we now that jz4760b implements EBASE, we can use it to rebase
exceptions to use a k1seg address, that maps to the physical address of the
TCSM0. It requires to enable HAB1 to have this translation. This most the most
inefficient way to access tighly coupled memory ever, but it works.

Change-Id: I894ca929c9835696102eb2fef44b06e6eaf96d44
2017-01-24 15:34:19 +01:00
Amaury Pouly
07bc348c91 hwstub: add tool to dump memory regions (such as ROM, RAM, or peripherals)
Although this case be done with hwstub_shell, this is common enough to deserve
its own tool.

Change-Id: I9253e40850f37257464548a3acefb14ea083841d
2017-01-24 15:34:19 +01:00
Amaury Pouly
f4091be1d3 hwstub: small fixes to argument processing and usage()
Change-Id: I3daa5e0c3fa2e7eab6a3d75b4c8aa66254d72f3c
2017-01-24 15:34:05 +01:00
Amaury Pouly
9851849ae6 hwstub/jz4760b: build packtools automatically if neeeded
Change-Id: I543e405bf75868d0f7509a35e08fe31ed253e0e6
2017-01-24 15:31:05 +01:00
Amaury Pouly
8934169666 hwstub: add verbose mode to make
Use make V=1 to print all commands

Change-Id: I28bd4151178413f10ddab292f1d582a9d019f5ea
2017-01-24 15:31:05 +01:00
Amaury Pouly
eadba57d53 hwstub: fix long transfers failing because of control xfer size of libusb
libusb limits control transfer sizes to 4k, see diff for details.

Change-Id: Id2e638010274009ea641d06e9040a8b9ab9d54a9
2017-01-24 15:31:05 +01:00
Amaury Pouly
24c208336c hwstub: fix library sending wrong data on long transfers
Change-Id: I886b8dc28e306f631389dbed41451eb086fea4fc
2017-01-24 15:31:05 +01:00
Amaury Pouly
06c5e5f4c1 hwstub: add Fiio X3II IPL/SPL dumping code
Change-Id: I76f7cffc700e8051d02936c24e8a70a0f8925edf
2017-01-24 15:25:14 +01:00
Amaury Pouly
3a219cefe1 hwstub: add Shanling M2 IPL/SPL dumping code
Change-Id: I14987d9783dd371f4990a5bcfbfb2d1c0c9be213
2017-01-24 15:25:14 +01:00
Amaury Pouly
8e07d68452 hwstub: add various jz stuff and xburst tests
The JZ misc allows to enable and test SRAM.
The XBurst code uses the coprocessor interface to analyse the cpu. It also
provides a test platform for various features like EBASE and exceptions.
I was able to test and confirm that on jz4760b (thus xburst), EBASE works
(but top 2 bits are not controllable and always 01). The processor claims
to support vector interrupts but this is untested. The values in ConfigX
are not to be trusted blindly, clearly some are wrong. I tried to use the
JZ4780 Config7 "ebase gate" to change bit 30 of EBASE but it does not work,
which suggests that JZ480 uses a newer version of XBurst. Detailled log below:

> ./hwstub_shell -q -f lua/xburst.lua -e "XBURST.init()"
[...]
XBurst:
  PRId: 0x2ed0024f
    CPU: JZ4760(B)
  Config: 0x80000483
    Architecture Type: MIPS32
    Architecture Level: Release 2 (or more)
    MMU Type: Standard TLB
  Config1: 0x3e63318a
    MMU Size: 32
    ICache
      Sets per way: 128
      Ways: 4
      Line size: 32
    DCache
      Sets per way: 128
      Ways: 4
      Line size: 32
    FPU: no
  Config2: 0x80000000
  Config3: 0x20
    Vectored interrupt: yes
  Config7: 0x0

> ./hwstub_shell -q -e 'require("jz/misc"); JZ.misc.enable_sram()' \
  -f lua/xburst.lua -e "XBURST.test_ebase(0x80000000);XBURST.test_ebase(0xb32d0000)
[...]
Testing EBASE...
  Disable BEV
  SR value: 0x2000fc00
  EBASE value: 0x80000000
    Value after writing 0x80000000: 0x80000000
    Value after writing 0x80040000: 0x80040000
  Test result: EBase seems to work
    Disable config7 gate: write 0x0 to Config7
    Value after writing 0xfffff000: 0xbffff000
    Enable config7 gate: write 0x80 to Config7
    Value after writing 0xc0000000: 0x80000000
  Config7 result: Config7 gate does not work
Exception test with EBASE at 0x80000000...
  Writing instructions to memory
  Old SR: 0x2000fc00
  New SR: 0xfc00
  EBASE: 80000000
  Before: cafebabe
  After: deadbeef
  Exception result: Exception and EBASE are working
Testing EBASE...
  Disable BEV
  SR value: 0x2000fc00
  EBASE value: 0x80000000
    Value after writing 0x80000000: 0x80000000
    Value after writing 0x80040000: 0x80040000
  Test result: EBase seems to work
    Disable config7 gate: write 0x0 to Config7
    Value after writing 0xfffff000: 0xbffff000
    Enable config7 gate: write 0x80 to Config7
    Value after writing 0xc0000000: 0x80000000
  Config7 result: Config7 gate does not work
Exception test with EBASE at 0xb32d0000...
  Writing instructions to memory
  Old SR: 0x2000fc00
  New SR: 0xfc00
  EBASE: b32d0000
  Before: cafebabe
  After: deadbeef
  Exception result: Exception and EBASE are working

Change-Id: I894227981a141a8c14419b36ed9f519baf145ad1
2017-01-24 15:25:14 +01:00
Amaury Pouly
50eaa2d9ac hwstub: fix bug in jz4760B boot rom backend probe
Change-Id: Idb2b3b3903d88c8f6b494d5c9f04778daf3aaed0
2017-01-24 15:25:14 +01:00
Amaury Pouly
8fabbb008c hwstub: add support for coprocessor operations
At the moment the stub only implement them for MIPS.

Change-Id: Ica835a0e9c70fa5675c3d655eae986e812a47de8
2017-01-24 15:25:14 +01:00
Amaury Pouly
d91d9f6851 jz4760b/regtools: fix/rename some register fields, add clock analyzer to qeditor
Change-Id: I196414d6e4fc18c00b77903e334b7e6adfb7debc
2017-01-24 15:25:14 +01:00
Amaury Pouly
51cce81cd4 headergen_v2: add two new macros to write a raw write to set/clr variants
These macros are like jz_setf but instead of writing fields, they write a
raw value directly: jz_set(REG, value) and jz_clr(REG, value).

Change-Id: I660f20dd691b26d367533877875fc3226a26c992
2017-01-24 15:25:14 +01:00
Amaury Pouly
a36694eb4a hwstub: implement EXEC command over net
Apparently I completely forgot to implement it so using hwstub over net would
just fail all EXEC commands :-s

Change-Id: I0d0506cbbce9b86c9a4f19036dacc922d1e51338
2017-01-24 15:25:14 +01:00
Amaury Pouly
56340f4cd0 hwstub: add the possibility to flush caches before exec
This is needed on the jz4760b because if some data is loaded to DRAM, then it
is cached and a disaster lurks if dcaches/icache are not flushed. Targets that
needs this must define CONFIG_FLUSH_CACHES in target-config.h and implement
target_flush_caches(). Currently MIPS has some generic code for mips32r1 that
requires to define {D,I}CACHE_SIZE and {D,I}CACHE_LINE_SIZE in target-config.h

Change-Id: I5a3fc085de9445d8c8a2eb61ae4e2dc9bb6b4e8e
2017-01-24 15:25:14 +01:00
Amaury Pouly
83155f32bf jz4760b_tools: improve usbboot tool
Change-Id: I21b61a3f56d718bef3aa0cf5096359c463c1f93a
2017-01-24 15:23:21 +01:00
Amaury Pouly
f698b201ad hwstub/jz4760b: fix some typos in lua script after register name changes
Change-Id: Ie46ec293fcd5a16143818e77cd6c79cc08620fb5
2017-01-24 15:22:43 +01:00
Amaury Pouly
cc2389b7a6 hwstub: add jz4760b stub
The stub is quite versatile: it can be loaded using bootrom or another other
means (like factory boot on Fiio X1). It relocates itself to TCSM0 and provides
basic functionality (it does not recover from failed read/writes at the moment).

Change-Id: Ib646a4b43fba9358d6f93f0f73a5c2e9bcd775a7
2017-01-24 15:22:27 +01:00
Amaury Pouly
d7c71a3fe8 update jz4760b register desc
Change-Id: Id0a071528eca08fe512941be9c8091819e817e4c
2017-01-24 15:17:46 +01:00
Amaury Pouly
4fd9400458 hwstub/tools/shell: add JZ4760B and Fiio X1 code
The jz code can do several useful things like dumping the IPL and SPL.
The Fiio code can play with backlight and has code do dump the IPL
and SPL with the correct parameters (extracted by reverse engineering).

Change-Id: I317b3174f5db8d38c9a56670c1d45565142ec208
2017-01-24 15:17:46 +01:00
Amaury Pouly
0b6cbd8e49 regtools: add JZ4760B description
This is a register description file for the JZ4760B. There are several
details worth noticing:
- it was obtained by gathering information from several sources/headers, but
  since there are inconsistencies between them about the exact differences
  between JZ4760 and JZ4760B, this file probably contains some errors
- the register names are not the same as the manual ones (which are not the
  same as the one in the headers anyway): I dropped the "R" suffix on most
  registers because it's redundant
- Ingenic likes to have read-only registers and then set/clr registers, with
  very confusing names like DIR/DIRS/DIRC: in the file, the set/clr registers
  are described as set/clr variants of the original register
- Parts of the description were obtained programmatically, which explains why
  there are empty nodes or partially undocumented registers

Change-Id: I8da1d61e172e932e1a4a58ac0a5008f02b1751be
2017-01-24 15:17:46 +01:00
Amaury Pouly
6ef3f7c13b regtools: fix normalization procedure
The code was not updated when I added support for list and other stuff, and thus
it did not properly sort by addresses.

Change-Id: Iaed0717b607beedfb2856c020c2a760e7a5667c5
2017-01-24 15:17:46 +01:00
Amaury Pouly
6b227c5ea6 regtools: convert all reg dumps to v2. keep v1 for reference
Change-Id: Ib496eb5d47adb75479ce94a203d4a93524700843
2017-01-16 20:09:18 +01:00
Amaury Pouly
759a78e5df imxtools/sbtools: switch SHA1 implementation to Crypto++
The current implementation was custom and super slow. Since we use Crypto++
anyway, we might as well get use a good implementation.

Change-Id: I761ad7401653471e54000e1c2bc3d9882378112f
2017-01-16 19:59:28 +01:00
Amaury Pouly
8b3f5a8ad7 imxtools/sbtools: switch AES implementation to Crypto++
Instead of having our own copy of the AES code, use a good library to do that.
Crypto++ is well-maintained, supports a lot of ciphers, works on many OSes, and
is optimized for many architectures.

Change-Id: I7d7d24b47993206d7338c5f9bac8bbdd3915a667
2017-01-16 19:59:26 +01:00
Amaury Pouly
5ff3a3a98f imxtools/sbtools: various fixes
Change bug() macro, fix memory leaks, always use -h for help, fix usage(),
fix comment, remove useless macro

Change-Id: I30554b5e07e6f2845560a570808603cf8c4da5ad
2017-01-16 19:58:31 +01:00
Amaury Pouly
2b20026dd7 imxtools/sbtools: rework cryptography
It was a mess, a mix of crypto_* and cbc_mac calls. I made everything call crypto
functions, and also separate key setup from cryptographic operations, this will
be useful to speed up the code in the upcoming commits. Drop support for "usbotp"
key, since the crypto code for that was never mainlined and we can always get the
keys from a device as long as we have code execution (using the DCP debug registers).

Change-Id: I7aa24d12207ffb744225d1b9cc7cb1dc7281dd22
2017-01-16 19:58:24 +01:00