The tool now provides more useful information for developers when the device
is not supported. Is also has a new verb "help_us" that also prints all this
information (notably the device info and model ID).
Change-Id: I04baec8fff23eb83a0408add6296b5d42e9aa8e7
We still miss the model IDS for those device so scsitool won't be able to
recognize them automatically.
Change-Id: I17ae0f0d95c011cea8e289def63c7673b6c4b667
DES ignores the parity bit of each byte (making the 64-bit key really 56-bit),
but the current code skipped the parity bit of each half-byte, thus missing
some keys.
Change-Id: Ia523ebb944e458905b7de1742df151df22166150
Strangely it has the SAME encryption key as the E450. Either they didn't bother
changing it or more likely they have exactly the same internals and a slightly
different case.
Change-Id: I39ab88845b3e40db34160c2e61dde421f391df44
SUPPORTED SERIES:
- NWZ-E450
- NWZ-E460
- NWZ-E470
- NWZ-E580
- NWZ-A10
NOTES:
- bootloader makefile convert an extra font to be installed alongside the bootloader
since sysfont is way too small
- the toolsicon bitmap comes from the Oxygen iconset
- touchscreen driver is untested
TODO:
- implement audio routing driver (pcm is handled by pcm-alsa)
- fix playback: it crashes on illegal instruction in DEBUG builds
- find out why the browser starts at / instead of /contents
- implement radio support
- implement return to OF for usb handling
- calibrate battery curve (NB: of can report a battery level on a 0-5 scale but
probabl don't want to use that ?)
- implement simulator build (we need a nice image of the player)
- figure out if we can detect jack removal
POTENTIAL TODOS:
- try to build a usb serial gadget and gdbserver
Change-Id: Ic77d71e0651355d47cc4e423a40fb64a60c69a80
The devinfo request returned the raw data, now the tool prints the various
fields. Also add support for the dhp (destination/headphones/color ...): this
one is untested because it's only supported starting from A10 or A20. There is
still a problem with the dpcc prop: although it should work for DEVINFO, it does
not, despite the fact that the get_dev_info command works and is internally (on
the Sony) translated into a dpcc request. I keep the code just in case.
Change-Id: I5aa8ef4afb0b11d3c0ddfa3d38f3e737ee1aff66
The detailled error message is only printed if -d switch is on command line,
otherwise there is no error message which is wrong so fix that.
Change-Id: I397541c467940e9b290ee8d4ae704368b1ce132b
I am unsure about the names of the player, the manual says A36HN and A37HN but
at the same time there is a A35 and A35HN with the same ID, and Sony does not
usually put the "HN" in its device list.
Change-Id: Idbf32970aa334b30f1b8947a78b8eebd524b193b
* make gen_db.py work on Windows/Python 2
- use hashlib module instead of md5sum, also don't rely on / for file path
matching
- don't use 'file' for a variable name
* fix parse_nvp_header.sh for older kernels
pre-emmc kernel sources use a slightly different #define format; adjust
regexp to catch it.
* add nwz-x1000 series NVP layout (from icx1087_nvp.h)
some new tags have no description, alas the driver doesn't have
them :/
* minor fixes to nvp/README
fixed typos/wording
Change-Id: I77d8c2704be2f2316e32aadcfd362df7102360d4
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")
* hint that -o is needed when extracting
Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
The cool now takes the database as a hint and will not complain if the device
returns less data. The tool also supports user provided size and raw node numbers
that are not in the database (advanced usage).
Change-Id: I8cec536718d7eff01c7803bea648d6122b82377a
We don't know the encryption method, the KAS is completely different but it
might be useful to record it anyway for future purposes. MID extracted from
device, Japanese NW-A35.
Change-Id: I4c4bb5b063da99003b5c316061d8c490b77428a4
It is Android based and despite the fact that Sony wrote an NVP driver for it,
experiments suggest it is unused because it returns ff all the time...
Change-Id: I37750b659e341b21bed5ebaccf60f9f5fe569f64
Don't use colors since the terminal doesn't support it. Also packing is broken
on MinGW so use #pragma pack when compiling for windows, this is also supported
by MSCV.
Change-Id: I635649d52ed5f2e0af46cb9ca2ec325955b2ddb2
We cannot auto-detect a device if we don't know its model ID, but we can't know
the model ID if we haven't decrypted the upgrade which requires the key. The only
way to solve this chicken-and-egg problem is to get the NVP table from kernel,
create an empty series in the database (no model ID), then get the key using
scsitool and forcing the model (using this commit), then decrypt the upgrade
and get the model ID list.
Change-Id: I8eced486a5f6a1a99028b25fdc4f87a3b11e31a8
We already use Crypto++ for DES anyway, and using OpenSSL is not great because
of its incompatible licence.
Change-Id: I78771b84c1708795a0c0c30afa5bdfe4885dea4e
Since ext3 supports ext2, we can support more platforms. Some platforms use ext4
with a very specific set of options, we I haven't encountered those yet so it's
not currently a problem.
Change-Id: Iff87e925a4caa866c6a66b1883ad6baab88c0b8d
The new code gets closer to an actual bootloader:
- it provides a menu with three options: Sony, Rockox, tools with icons (and
extracts the Sony logo from the NVP)
- the dualboot install script now creates a symlink from /.rockbox to
/contents/.rockox which is necessary to run rockbox
- more text drawing / framebuffer functions
In the long run, we will move this under bootloader/ and rbutil/ and also use
firmware/ drawing facilities, at the moment we use OF display program which
is slow and creates some flickering.
The logo extraction/placement code was tested with resolution 240x320 and I
guessed some reasonable values for 240x400, but those will probably need some
tweaking.
Change-Id: I0319be902d21a7d33c1dee0fffdb4797065dbf8a
Now that we have a nice database of player index, the scsitool becomes more
useful and supports a lot more players. I did some general cleanup of the code,
though eventually it would be nice to really split it into a library and a CLI.
The SCSI vendor command allow to read but also write most NVP nodes. Since there
seems to a demand to change destination and sound pressure settings on device,
I implement this feature in the tool. I do not plan to allow arbitrary NVP
writes because this could easily brick the device. Changing the destination
should be safe, but as usual, use at your own risks.
Change-Id: Iff4e8cc3ac97b965c1df849051c5fd373756cda5
Using the database, we can now safely read/write the NVP. I also add more
support for Sony's "display" tool.
Change-Id: I8439fe9bad391c7f29859d99f236781be7983625
There must be an evil genius in Sony's Walkman division. Someone who made sure
that each model is close enough to the previous one so that little code is needed
but different enough so that an educated guess is not enough.
Each linux-based Sony player has a model ID (mid) which is a 32-bit integer.
I was able to extract a list of all model IDs and the correspoding name of
the player (see README). This gives us 1) a nice list of all players (because
NWZ-A729 vs NWZ-A729B, really Sony?) 2) an easy way to find the name of player
programatically. It seems that the lower 8-bit of the model ID gives the storage
size but don't bet your life on it. The remaining bytes seem to follow some kind
of pattern but there are exceptions.
From this list, I was able to build a list of all Sony's series (up to quite
recent one). The only safe way to build that is by hand, with a list of series,
each series having a list of model IDs. The notion of series is very important
because all models in a series share the same firmware.
A very important concept on Sony's players is the NVP, an area of the flash
that stores data associated with keys. The README contains more information but
basically this is where is record the model ID, the destination, the boot flags,
the firmware upgrade flags, the boot image, the DRM keys, and a lot of other stuff.
Of course Sony decided to slightly tweak the index of the keys regularly over time
which means that each series has a potentially different map, and we need this map
to talk to the NVP driver. Fortunately, Sony distributes the kernel for all its
players and they contain a kernel header with this information. I wrote a script
to unpack kernel sources and parse this header, producing a bunch of nw-*.txt
files, included in this commit. This map is very specific though: it maps Sony's
3-letter names (bti) to indexes (1). This is not very useful without the
decription (bti = boot image) and its size (262144). This information is harder
to come by, and is only stored in one place: if icx_nvp_emmc.ko drivers, found
on the device. Fortunately, Sony distributes a number of firmware upgrade, that
contain the rootfs, than once extracted contain this driver. The driver is a
standard ELF files with symbols. I wrote a parsing tool (nvptool) that is able
to extract this information from the drivers. Using that, I produced a bunch
of nodes-nw*.txt files. A reasonable assumption is that nodes meaning and
size do not change over time (bti is always the boot image and is always
262144 bytes), so by merging a few of those file, we can get a complete picture
(note that some nodes that existed in older player do not exists anymore so
we really need to merge several ones from different generations).
The advantage of storing all this information in plain text files, is that it
now makes it easy to parse it and produce whatever format we want to use it.
I wrote a python script that parses all this mess and produces a C file and
header with all this information (nwz_db.{c,h}).
Change-Id: Id790581ddd527d64418fe9e4e4df8e0546117b80
Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
Since the nwz_lib does not have any nvp code yet, it's quite of ugly hack
with hardcoded nvp node (11) for shipment information (shp). Thus I whitelisted
two series (NWZ-E460 and NWZ-A860) which I know for sure use this node ID.
Change-Id: I94c9b0db1f9d7ad764d2aa50576a911e710f25e1
This list can map from model id to device name. It was automatically extracted
from Sony's tools. In the future, we will probably generate it from a clean
database containing more useful information.
Change-Id: Ibe580edf25b60bf0bf4aef4a06f40dddd19c5404
This is useful because there is no easy way to get it except from Sony's tool,
unless one knows the npv node, but that requires to know the model already...
Change-Id: I202f7cdb2f7cf924cc5bdb53c17e34600d4bf153
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
This is code is intended to development into a library of code for the NWZ that
will be useful to write the "bootloader" on those device. At the same time, it
comes with test programs that are easy to run in firmware upgrade mode and also
provide a great test bench for the library. At the moment, two test programs are
available:
- test_display: simply prints two messages using /usr/bin/lcdmsg
- test_keys: displays input key event
Change-Id: I9d214894ffc9127b528fcdd3eb5d6b61f4e657a7
The exec_file allows to embed a script/executable and run it on target. It takes
of unpacking, remounting contents rw and redirect output to exec.txt at the root
of the drive. More generally, rework how the makefile works.
Change-Id: Iec719227be96e80701ad8f5398d2d34389f4da9e
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
There is a windows port of the sg_utils library for scsi pass-
through. This little changes make it compile under mingw. A better
fix would be to implement direct ioctl on both windows and linux
but that's already better than nothing
Change-Id: I0d77cd1bad69806a66f0590362f165f24fa240e9
There is a vendor specific command to read the NVP of the device,
including the KAS. The trick is that the data is randomly
scrambled using a so-called para_noise array of random values.
There seems to be a problem when retrieving large entries (>1000
bytes typically) which causes sg_pt do behave strangely.
Change-Id: Iefa6140df78ab9c7dcf7ac34cb1170979123ecd7
This tool can send vendor specific scsi commands to sony nwz
players such as getting serial number, model id, device info,
and others. It can potentially be used to get some private keys
stored on the device but probably not the KAS used to encrypt
firmware upgrades images(UPG).
Change-Id: Ia49c1edf8d421b20c4e9afeb1192e00e06eb6047
This tool is specific to the em1/mp200 sony based players. In
deals with raw emmc images (which is possible but hard to get).
This tool is also useful as a documentation of the underlying
emmc format used for a future port.
Change-Id: I66c9b0e47351e5d89f6a404aa62038e00fdc1093
