This trivial patch wants to exploit /tmp filesystem to place
Rockbox executable. Why that? It will be then possible to
easily unlock & umount the storage partition, in order to provide
Rockbox itself a mean for RAW storage access. In turn, this will
allow a Rockbox-handled USB Mass Storage support, as well as other
goodies (storage info is one I can think of).
It takes way less than a second so it doesn't hurt boot time.
Moreover, YPR0/YPR1 targets have plenty (64MB) of RAM, so
the humble half meg executable won't hurt at all.
Change-Id: Ibc9d9a40712e924c8e19cfd7c62189b182f0401a
This patch removes the deprecated kernel module to manage
the fm-radio chip on the ypr0 target.
http://gerrit.rockbox.org/r/#/c/1594/ implements the interface to
the i2c bus by using the i2c-dev kernel driver, no need for
additional complexity.
Change-Id: I0d09e2e9d1714b3cb8a72b3d79a91602a627cc90
Only expand pkg-config calls once by making the compiler flags simply
expanded variables. Makes things more predicable and slightly faster.
Change-Id: Ie2ed066f205a95ec8a7708cefeb29e9989815db6
Building with mxe failed due to the toolchain (and Qt5) introducing
dependencies to system libraries we don't know about. Commit 3083abeb95
thus ignored the actual problem. Revert that and instead add the missing
system libraries to the list of known libraries.
Change-Id: I29ac296765e580b751d3d906d58ab563d05efde2
At least newer devices support more NVP properties in a device-independent
numbering. Many are supported but I just added two useful ones
Change-Id: I57926de7f0dd364b46a57ca8d48a5c4d4f20402b
This fixes a couple of issues when cross-compiling for windows:
- lib builds (i.e. mks5lboot) were overriding the cross CC/CXX with the
native CC, producing incompatible binaries.
- Qt made the accessibility plugin part of the core library, so we no
longer need to import it.
Change-Id: I9d884aee62dfa51d3624a3fa9b99c23b3b375f20
Seems like newer versions of mingw will sponteanously add a .exe suffix to
the output path if it doesn't have one, for example mingw-gcc -o scsitool bla
will actually create scsitool.exe and of course this breaks my release script.
Fix this by explicitely adding the .exe to avoid any problem
Change-Id: Ic8019b968b532b2ca612ba0c03977a96c22cee01
This is one of those fancy gold-plated devices. Of course it breaks my scripts
that were nicely expecting every device to start with NW.
Change-Id: I161320f620f65f4f92c2650d192b26a9831eeb9d
There is something weird going on: the Sony website has two different entries:
- NW-ZX300/NW-ZX300A/NW-A45/NW-A47/NW-A45HN/NW-A46HN
- NW-ZX300,NW-ZX300A update(20181004)/NW-ZX300G
with slightly different nvp entries, but it is impossible to tell whether
an NW-ZX300(A) belong to one or the other. Since the diff is very small,
I am adding this as nw-zx300g but treat all devices as nz-zx300 since the
destination node is the same and that is the main usage of the tool anyway.
Change-Id: I3dc2fdec52650f938d568bed578184f6bc43d130
If the model is not known (ie model ID in the database) but another device from
the same series is known, then the database information probably applies and
one can use the "force" option -s to tell the tool to ignore the model ID.
Automatically print such advice when the series can be guessed.
Change-Id: I6bcc7aa29693df8c3d7d8e709ece7cea650be717
swr/swl instructions used for word aligning were wrong. This
made memset() terribly broken. I can't imagine how it went
uncaught for soooo long. Spotted by Solomon Peachy.
I run unit tests for alignments 0,1,2,3
size 1, 2, 3, 4, 5, 63, 64, 65, 127, 128, 129;
and fill pattern 0x00 and other (since 0 is special case in this
implementation).
Change-Id: I513a10734335fe97734c10ab5a6c3e3fb3f4687a
Previously only atomic read/write 8/16/32 were exposed. But it is useful to
be able to read a whole buffer at once, this is more efficient than N times
read8.
Change-Id: I06e331641e1ab1f74c0e16e8c432eafb398e8e6d
The encryption definitely uses some standard elliptic curve encryption over
binary fields (163 and 233 bits, standard polynomials). It is still unclear
how this is used in the actual encryption, the key authentification and
derivation do not look standard.
Change-Id: I6b9180ff7e6115e1dceca8489e986a02a9ea6fc9
Now print list of devices immediately even if the rest of the command line
is empty (ie 'scsitool -s ?' works, whereas before one would need an actual
device to even get a list). Add more information in the help_us command:
print kas, lyr and fpi.
Change-Id: Icfeeaeebe28c774a74ca54661357fafa25c3d114
The tool now provides more useful information for developers when the device
is not supported. Is also has a new verb "help_us" that also prints all this
information (notably the device info and model ID).
Change-Id: I04baec8fff23eb83a0408add6296b5d42e9aa8e7
We still miss the model IDS for those device so scsitool won't be able to
recognize them automatically.
Change-Id: I17ae0f0d95c011cea8e289def63c7673b6c4b667
DES ignores the parity bit of each byte (making the 64-bit key really 56-bit),
but the current code skipped the parity bit of each half-byte, thus missing
some keys.
Change-Id: Ia523ebb944e458905b7de1742df151df22166150
Strangely it has the SAME encryption key as the E450. Either they didn't bother
changing it or more likely they have exactly the same internals and a slightly
different case.
Change-Id: I39ab88845b3e40db34160c2e61dde421f391df44
SUPPORTED SERIES:
- NWZ-E450
- NWZ-E460
- NWZ-E470
- NWZ-E580
- NWZ-A10
NOTES:
- bootloader makefile convert an extra font to be installed alongside the bootloader
since sysfont is way too small
- the toolsicon bitmap comes from the Oxygen iconset
- touchscreen driver is untested
TODO:
- implement audio routing driver (pcm is handled by pcm-alsa)
- fix playback: it crashes on illegal instruction in DEBUG builds
- find out why the browser starts at / instead of /contents
- implement radio support
- implement return to OF for usb handling
- calibrate battery curve (NB: of can report a battery level on a 0-5 scale but
probabl don't want to use that ?)
- implement simulator build (we need a nice image of the player)
- figure out if we can detect jack removal
POTENTIAL TODOS:
- try to build a usb serial gadget and gdbserver
Change-Id: Ic77d71e0651355d47cc4e423a40fb64a60c69a80
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrite (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.
Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
The devinfo request returned the raw data, now the tool prints the various
fields. Also add support for the dhp (destination/headphones/color ...): this
one is untested because it's only supported starting from A10 or A20. There is
still a problem with the dpcc prop: although it should work for DEVINFO, it does
not, despite the fact that the get_dev_info command works and is internally (on
the Sony) translated into a dpcc request. I keep the code just in case.
Change-Id: I5aa8ef4afb0b11d3c0ddfa3d38f3e737ee1aff66
The detailled error message is only printed if -d switch is on command line,
otherwise there is no error message which is wrong so fix that.
Change-Id: I397541c467940e9b290ee8d4ae704368b1ce132b
I am unsure about the names of the player, the manual says A36HN and A37HN but
at the same time there is a A35 and A35HN with the same ID, and Sony does not
usually put the "HN" in its device list.
Change-Id: Idbf32970aa334b30f1b8947a78b8eebd524b193b
* make gen_db.py work on Windows/Python 2
- use hashlib module instead of md5sum, also don't rely on / for file path
matching
- don't use 'file' for a variable name
* fix parse_nvp_header.sh for older kernels
pre-emmc kernel sources use a slightly different #define format; adjust
regexp to catch it.
* add nwz-x1000 series NVP layout (from icx1087_nvp.h)
some new tags have no description, alas the driver doesn't have
them :/
* minor fixes to nvp/README
fixed typos/wording
Change-Id: I77d8c2704be2f2316e32aadcfd362df7102360d4
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")
* hint that -o is needed when extracting
Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
The code dependend on the sg_lib header being present, remove this dependency
so that we only need public headers.
Change-Id: I69398453635135deb33e2adf67f15ddb80e4ba16
...by QStyleOptionViewItem. Yes Qt got it right, in 5.7 they deprecated
QStyleOptionViewItemV4 and recommend using QStyleOptionViewItem which contains
less fields except on newer Qt where it contains all fields. Hopefully it still
works on Qt>4.x for a large enough value of x.
Change-Id: I013c383d2424b04c1c0745f0d7b1d5e62a29d324
The clock structure is identical, and the EMI are the same.
Also fix SSP clock, it was broken on imx233 as well.
Change-Id: I25ec66059b00b1a456ef2f02131d225082536c0a
Because a node ref is at root doesn't make it valid, check that soc is valid
otherwise we return garbage.
Change-Id: I6e5befc959dc670ab39a87484e87af6d90be7726
Add lua code to check whether ei/di and ext instructions are supported. This
is unclear since xburst is somewhere between mips32r1 and mips32r2. Details
results are below, but in summary: they don't work (ei has no effect, di/ext
cause illegal instruction exceptions)
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ext_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
data: d7168acf
error: lua/xburst.lua:209: call failed
trapped exception in call
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ei_di_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
Testing ei
Test SR
Enable interrupts with CP0
SR: 0x1
Disable interrupts with CP0
SR: 0x0
Test ei/di
Enable interrupts with ei
SR: 0x0
Disable interrupts with di
error: lua/xburst.lua:244: call failed
trapped exception in call
Change-Id: I2e162b5dd5e70488bcd8b58f3ca401a3ecab3c4b
Since we can catch exceptions like data aborts on read/write, it takes very
little to also catch exceptions in calls. When extending this with the catching
of illegal instructions, the call instruction now becomes much more robust and
also for address and instruction probing. Since we can catch several types of
exception, rename set_data_abort_jmp to set_exception_jmp. At the same time,
simplify the logic in read/write request handlers. Also fix a bug in ARM
jump code: it was using
stmia r1, {..., pc}
as if pc would get current pc + 8 but this is actually implementation defined
on older ARMs (typically pc + 12) and deprecated on newer ARMs, so rewrite the
code avoid that. The set_exception_jmp() function now also reports the exception
type.
Change-Id: Icd0dd52d2456b361b27c4776be09c3d13528ed93
Now that we now that jz4760b implements EBASE, we can use it to rebase
exceptions to use a k1seg address, that maps to the physical address of the
TCSM0. It requires to enable HAB1 to have this translation. This most the most
inefficient way to access tighly coupled memory ever, but it works.
Change-Id: I894ca929c9835696102eb2fef44b06e6eaf96d44
The JZ misc allows to enable and test SRAM.
The XBurst code uses the coprocessor interface to analyse the cpu. It also
provides a test platform for various features like EBASE and exceptions.
I was able to test and confirm that on jz4760b (thus xburst), EBASE works
(but top 2 bits are not controllable and always 01). The processor claims
to support vector interrupts but this is untested. The values in ConfigX
are not to be trusted blindly, clearly some are wrong. I tried to use the
JZ4780 Config7 "ebase gate" to change bit 30 of EBASE but it does not work,
which suggests that JZ480 uses a newer version of XBurst. Detailled log below:
> ./hwstub_shell -q -f lua/xburst.lua -e "XBURST.init()"
[...]
XBurst:
PRId: 0x2ed0024f
CPU: JZ4760(B)
Config: 0x80000483
Architecture Type: MIPS32
Architecture Level: Release 2 (or more)
MMU Type: Standard TLB
Config1: 0x3e63318a
MMU Size: 32
ICache
Sets per way: 128
Ways: 4
Line size: 32
DCache
Sets per way: 128
Ways: 4
Line size: 32
FPU: no
Config2: 0x80000000
Config3: 0x20
Vectored interrupt: yes
Config7: 0x0
> ./hwstub_shell -q -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ebase(0x80000000);XBURST.test_ebase(0xb32d0000)
[...]
Testing EBASE...
Disable BEV
SR value: 0x2000fc00
EBASE value: 0x80000000
Value after writing 0x80000000: 0x80000000
Value after writing 0x80040000: 0x80040000
Test result: EBase seems to work
Disable config7 gate: write 0x0 to Config7
Value after writing 0xfffff000: 0xbffff000
Enable config7 gate: write 0x80 to Config7
Value after writing 0xc0000000: 0x80000000
Config7 result: Config7 gate does not work
Exception test with EBASE at 0x80000000...
Writing instructions to memory
Old SR: 0x2000fc00
New SR: 0xfc00
EBASE: 80000000
Before: cafebabe
After: deadbeef
Exception result: Exception and EBASE are working
Testing EBASE...
Disable BEV
SR value: 0x2000fc00
EBASE value: 0x80000000
Value after writing 0x80000000: 0x80000000
Value after writing 0x80040000: 0x80040000
Test result: EBase seems to work
Disable config7 gate: write 0x0 to Config7
Value after writing 0xfffff000: 0xbffff000
Enable config7 gate: write 0x80 to Config7
Value after writing 0xc0000000: 0x80000000
Config7 result: Config7 gate does not work
Exception test with EBASE at 0xb32d0000...
Writing instructions to memory
Old SR: 0x2000fc00
New SR: 0xfc00
EBASE: b32d0000
Before: cafebabe
After: deadbeef
Exception result: Exception and EBASE are working
Change-Id: I894227981a141a8c14419b36ed9f519baf145ad1
These macros are like jz_setf but instead of writing fields, they write a
raw value directly: jz_set(REG, value) and jz_clr(REG, value).
Change-Id: I660f20dd691b26d367533877875fc3226a26c992
Apparently I completely forgot to implement it so using hwstub over net would
just fail all EXEC commands :-s
Change-Id: I0d0506cbbce9b86c9a4f19036dacc922d1e51338
This is needed on the jz4760b because if some data is loaded to DRAM, then it
is cached and a disaster lurks if dcaches/icache are not flushed. Targets that
needs this must define CONFIG_FLUSH_CACHES in target-config.h and implement
target_flush_caches(). Currently MIPS has some generic code for mips32r1 that
requires to define {D,I}CACHE_SIZE and {D,I}CACHE_LINE_SIZE in target-config.h
Change-Id: I5a3fc085de9445d8c8a2eb61ae4e2dc9bb6b4e8e
The stub is quite versatile: it can be loaded using bootrom or another other
means (like factory boot on Fiio X1). It relocates itself to TCSM0 and provides
basic functionality (it does not recover from failed read/writes at the moment).
Change-Id: Ib646a4b43fba9358d6f93f0f73a5c2e9bcd775a7
The jz code can do several useful things like dumping the IPL and SPL.
The Fiio code can play with backlight and has code do dump the IPL
and SPL with the correct parameters (extracted by reverse engineering).
Change-Id: I317b3174f5db8d38c9a56670c1d45565142ec208
This is a register description file for the JZ4760B. There are several
details worth noticing:
- it was obtained by gathering information from several sources/headers, but
since there are inconsistencies between them about the exact differences
between JZ4760 and JZ4760B, this file probably contains some errors
- the register names are not the same as the manual ones (which are not the
same as the one in the headers anyway): I dropped the "R" suffix on most
registers because it's redundant
- Ingenic likes to have read-only registers and then set/clr registers, with
very confusing names like DIR/DIRS/DIRC: in the file, the set/clr registers
are described as set/clr variants of the original register
- Parts of the description were obtained programmatically, which explains why
there are empty nodes or partially undocumented registers
Change-Id: I8da1d61e172e932e1a4a58ac0a5008f02b1751be
The code was not updated when I added support for list and other stuff, and thus
it did not properly sort by addresses.
Change-Id: Iaed0717b607beedfb2856c020c2a760e7a5667c5
The current implementation was custom and super slow. Since we use Crypto++
anyway, we might as well get use a good implementation.
Change-Id: I761ad7401653471e54000e1c2bc3d9882378112f
Instead of having our own copy of the AES code, use a good library to do that.
Crypto++ is well-maintained, supports a lot of ciphers, works on many OSes, and
is optimized for many architectures.
Change-Id: I7d7d24b47993206d7338c5f9bac8bbdd3915a667
It was a mess, a mix of crypto_* and cbc_mac calls. I made everything call crypto
functions, and also separate key setup from cryptographic operations, this will
be useful to speed up the code in the upcoming commits. Drop support for "usbotp"
key, since the crypto code for that was never mainlined and we can always get the
keys from a device as long as we have code execution (using the DCP debug registers).
Change-Id: I7aa24d12207ffb744225d1b9cc7cb1dc7281dd22
The overriding of the IV and real key should be the exception, there is no
need to manually set them to false.
Change-Id: Id66754f20a79aa5c1a991839345d1242e0aa587d
The old code had some annoying way of dealing with padding by adding explicit
instructions to the stream, which is 1) ugly 2) not in par with freescale
tools. The trick, which this new version implements, is to put the useful length
of the section in the section header, and the actual (with padding) length in
the boot tag. This way the tools can just ignore padding instruction by
reading the section header, and the bootloader can still load the image because
it uses the boot tags.
Also correctly handle the case where the first section does not start right
after the header (there is a bug in freescale tools for this case by the way).
There is an ambiguity in the way the padding instructions should be encrypted:
the bootloader should logically treat them as regular instruction of the section
stream, but it appears the freescale tools do not generate them as part of the
stream and instead encrypt them like boot tags, which is stupid because there
is no way the bootloader could decrypt them, and anyway we don't care because
the bootloader doesn't decrypt them at all.
Change-Id: Iabdc1d1f9f82d374779bf03efb75c2c3998f5b5d
The cool now takes the database as a hint and will not complain if the device
returns less data. The tool also supports user provided size and raw node numbers
that are not in the database (advanced usage).
Change-Id: I8cec536718d7eff01c7803bea648d6122b82377a
We don't know the encryption method, the KAS is completely different but it
might be useful to record it anyway for future purposes. MID extracted from
device, Japanese NW-A35.
Change-Id: I4c4bb5b063da99003b5c316061d8c490b77428a4
It is Android based and despite the fact that Sony wrote an NVP driver for it,
experiments suggest it is unused because it returns ff all the time...
Change-Id: I37750b659e341b21bed5ebaccf60f9f5fe569f64
Don't use colors since the terminal doesn't support it. Also packing is broken
on MinGW so use #pragma pack when compiling for windows, this is also supported
by MSCV.
Change-Id: I635649d52ed5f2e0af46cb9ca2ec325955b2ddb2
Split the ugly firmware read/write into a API function and a much simplified code.
Also the code can now report progress.
Change-Id: I3f998eaf0c067c6da42b1d2dd9c5a5bf43c6915d
Sanitize the whole library by hiding most of the horrible details of the
implementation. This means that all logical/drive/table attributes are exported
in structures that are internally filled by higher-level API functions. This makes
the code much more readable and prepares for a split between scsitool and the stmp
scsi library.
Change-Id: Id85d450b25cf99cd7c0896c6fc35bcd00babe9e1
Several tools need to perform raw SCSI commands, and we need to support Linux,
Windows and Mac OS, without pulling tons of dependencies to build it easily.
This very simple library has no dependency and supports Linux.
TODO:
- windows
- mac os
Change-Id: I496f5ad2490bd3e96ad962d31cce4e511a523c3a
We cannot auto-detect a device if we don't know its model ID, but we can't know
the model ID if we haven't decrypted the upgrade which requires the key. The only
way to solve this chicken-and-egg problem is to get the NVP table from kernel,
create an empty series in the database (no model ID), then get the key using
scsitool and forcing the model (using this commit), then decrypt the upgrade
and get the model ID list.
Change-Id: I8eced486a5f6a1a99028b25fdc4f87a3b11e31a8
We already use Crypto++ for DES anyway, and using OpenSSL is not great because
of its incompatible licence.
Change-Id: I78771b84c1708795a0c0c30afa5bdfe4885dea4e
Although this does bug is never triggered because we never decrypt and use the
resulting CBC-MAC, it's a major overlook.
Change-Id: I3c5d318e6428d528483bf888ea284e9ded3889f0
- hwstub load now properly stops reading the log when the device returns a 0
size buffer instead of STALLing
- add debug output option to hwstub_load
- correctly report transfered size on write error
- add some debug error message in usb code so that some errors can be diagnosed
more easily
- add a batch mode to hwstub_shell to disable the interactive shell
- increase usb control timeout to 1sec, 100ms was really tight
- cap usb buffer size to ~4000 bytes because libusb has a hardwired limit of
4096 bytes for control transfers
Change-Id: Id3200ab99ce70a7a3b09ce7faeaafa4a0fac64c7
Since ext3 supports ext2, we can support more platforms. Some platforms use ext4
with a very specific set of options, we I haven't encountered those yet so it's
not currently a problem.
Change-Id: Iff87e925a4caa866c6a66b1883ad6baab88c0b8d
The unsigned function were deprecated and hidden begind a compat flag. Since
they will get removed in the next version, I simply reimplemented them, those
are mostly casts anyway.
Change-Id: Ie5db81d7c8589b1e5e9b45a2a4ed41919aa07387
The new code gets closer to an actual bootloader:
- it provides a menu with three options: Sony, Rockox, tools with icons (and
extracts the Sony logo from the NVP)
- the dualboot install script now creates a symlink from /.rockbox to
/contents/.rockox which is necessary to run rockbox
- more text drawing / framebuffer functions
In the long run, we will move this under bootloader/ and rbutil/ and also use
firmware/ drawing facilities, at the moment we use OF display program which
is slow and creates some flickering.
The logo extraction/placement code was tested with resolution 240x320 and I
guessed some reasonable values for 240x400, but those will probably need some
tweaking.
Change-Id: I0319be902d21a7d33c1dee0fffdb4797065dbf8a
Now that we have a nice database of player index, the scsitool becomes more
useful and supports a lot more players. I did some general cleanup of the code,
though eventually it would be nice to really split it into a library and a CLI.
The SCSI vendor command allow to read but also write most NVP nodes. Since there
seems to a demand to change destination and sound pressure settings on device,
I implement this feature in the tool. I do not plan to allow arbitrary NVP
writes because this could easily brick the device. Changing the destination
should be safe, but as usual, use at your own risks.
Change-Id: Iff4e8cc3ac97b965c1df849051c5fd373756cda5
Using the database, we can now safely read/write the NVP. I also add more
support for Sony's "display" tool.
Change-Id: I8439fe9bad391c7f29859d99f236781be7983625
There must be an evil genius in Sony's Walkman division. Someone who made sure
that each model is close enough to the previous one so that little code is needed
but different enough so that an educated guess is not enough.
Each linux-based Sony player has a model ID (mid) which is a 32-bit integer.
I was able to extract a list of all model IDs and the correspoding name of
the player (see README). This gives us 1) a nice list of all players (because
NWZ-A729 vs NWZ-A729B, really Sony?) 2) an easy way to find the name of player
programatically. It seems that the lower 8-bit of the model ID gives the storage
size but don't bet your life on it. The remaining bytes seem to follow some kind
of pattern but there are exceptions.
From this list, I was able to build a list of all Sony's series (up to quite
recent one). The only safe way to build that is by hand, with a list of series,
each series having a list of model IDs. The notion of series is very important
because all models in a series share the same firmware.
A very important concept on Sony's players is the NVP, an area of the flash
that stores data associated with keys. The README contains more information but
basically this is where is record the model ID, the destination, the boot flags,
the firmware upgrade flags, the boot image, the DRM keys, and a lot of other stuff.
Of course Sony decided to slightly tweak the index of the keys regularly over time
which means that each series has a potentially different map, and we need this map
to talk to the NVP driver. Fortunately, Sony distributes the kernel for all its
players and they contain a kernel header with this information. I wrote a script
to unpack kernel sources and parse this header, producing a bunch of nw-*.txt
files, included in this commit. This map is very specific though: it maps Sony's
3-letter names (bti) to indexes (1). This is not very useful without the
decription (bti = boot image) and its size (262144). This information is harder
to come by, and is only stored in one place: if icx_nvp_emmc.ko drivers, found
on the device. Fortunately, Sony distributes a number of firmware upgrade, that
contain the rootfs, than once extracted contain this driver. The driver is a
standard ELF files with symbols. I wrote a parsing tool (nvptool) that is able
to extract this information from the drivers. Using that, I produced a bunch
of nodes-nw*.txt files. A reasonable assumption is that nodes meaning and
size do not change over time (bti is always the boot image and is always
262144 bytes), so by merging a few of those file, we can get a complete picture
(note that some nodes that existed in older player do not exists anymore so
we really need to merge several ones from different generations).
The advantage of storing all this information in plain text files, is that it
now makes it easy to parse it and produce whatever format we want to use it.
I wrote a python script that parses all this mess and produces a C file and
header with all this information (nwz_db.{c,h}).
Change-Id: Id790581ddd527d64418fe9e4e4df8e0546117b80
0e2b490 introduced rework of usb driver which was broken. It was reverted
in f2da975 to restore hwstub functionality on ATJ.
This commit reenables usb rework AND fixes remining issues.
The problem was with 0 length OUT thransfers. Additionally
a few cleanups were made.
Change-Id: I529ea9ad6540509e9287ca7e1cd2b44369b03cbb
This reverts commit 0e2b4908d0.
Although I swear it was tested it apparently broke hwstub on atj.
I will need to investigate more whats going on. Revert for now.
Change-Id: I2ff3adf8c72bb0e53be7d81b975382adfb700eab
Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
Since the nwz_lib does not have any nvp code yet, it's quite of ugly hack
with hardcoded nvp node (11) for shipment information (shp). Thus I whitelisted
two series (NWZ-E460 and NWZ-A860) which I know for sure use this node ID.
Change-Id: I94c9b0db1f9d7ad764d2aa50576a911e710f25e1
This list can map from model id to device name. It was automatically extracted
from Sony's tools. In the future, we will probably generate it from a clean
database containing more useful information.
Change-Id: Ibe580edf25b60bf0bf4aef4a06f40dddd19c5404
This is useful because there is no easy way to get it except from Sony's tool,
unless one knows the npv node, but that requires to know the model already...
Change-Id: I202f7cdb2f7cf924cc5bdb53c17e34600d4bf153
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
This is code is intended to development into a library of code for the NWZ that
will be useful to write the "bootloader" on those device. At the same time, it
comes with test programs that are easy to run in firmware upgrade mode and also
provide a great test bench for the library. At the moment, two test programs are
available:
- test_display: simply prints two messages using /usr/bin/lcdmsg
- test_keys: displays input key event
Change-Id: I9d214894ffc9127b528fcdd3eb5d6b61f4e657a7
The exec_file allows to embed a script/executable and run it on target. It takes
of unpacking, remounting contents rw and redirect output to exec.txt at the root
of the drive. More generally, rework how the makefile works.
Change-Id: Iec719227be96e80701ad8f5398d2d34389f4da9e
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
This new header generator works differently from the previous one:
- it uses the new format
- the generated macro follow a different style (see below)
- the generated macro are highly documented!
- it supports SCT-style platform or RMW-style ones
Compared to the old style, the new one generate a big set of macros per
register/field/enum (loosely related to iohw.h from Embedded C spec). The user
then calls generic (names are customizable) macros to perform operations:
reg_read(REG_A)
reg_read(REG_B(3))
reg_read_field(REG_A, FIELD_X)
reg_read_field(REG_B(3), COOL_FIELD)
reg_write(REG_A, 0x42)
reg_write_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_write_fielc(REG_B(3), COOL_FIELD_V(I_AM_COOL), BLA(42))
the following use RMW or SET/CLR variants, depending on target:
reg_set_field(REG_A, FLAG_U, FLAG_V)
reg_clr_field(REG_A, FIELD_X, FIELD_Y, IRQ)
reg_clr_field(REG_B(3), COOL_FIELD, BLA)
the following does clear followed by set, on SET/CLR targets:
reg_cs(REG_A, 0xff, 0x42)
reg_cs(REG_B(3), 0xaa, 0x55)
reg_cs_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_cs_field(REG_B(3), COOL_FIELD_V(I_AM_COOL))
The generator code is pretty long but has lots of documentation and lots of
macro names can be customized.
Change-Id: I5d6c5ec2406e58b5da11a5240c3a409a5bb5239a
Although the jz4740 contains a similar tool to usbboot, its command-line
interface is not very useful, also it does not compile by default because it
relies on some external code, and it contains code specific to some JZ4740
devices.
Change-Id: I22688238d147e21fb0fd524466b333b6003d4ff1
This commit adds support for the version of the hwstub library, which requires
a lot of changes. It also adds some editing features, such as register access
and much better editing of fields using the mouse (double click on a field
to be able to resize and move it).
Change-Id: I3c4e4cc855cb44911c72bc8127bad841b68efe52
Registers (and variants) can now specify the type of access supported:
- unspecified: for variant means same as register, for register defaults R/W
- read/write
- read only
- write only
Backward compatibility is preserved by setting access to unspecified by default.
Change-Id: I3e84ae18f962a45db62f996a542d08405d05b895
Also use this opportunity to cleanup support for multiple devices: the shell
now supports dynamic changes in the device and will call init() everytime
a new device is selected, to prepare a new environment. The shell now
honors register width on register read/write. The shell also provides access
to variants as follows by creating a subtable under the register using the
variant type in UPPER case and having the same layout as a register.
For example if register HW.GPIO.DIR has variants "set" and "clr", those can
be used like this:
HW.GPIO.DIR.SET.write(0xff)
HW.GPIO.DIR.CLR.write(0xff00)
Change-Id: I943947fa98bce875de0cba4338e8b7196a4c1165
Rewrite the hwstub library in C++, with a clean and modular design.
The library was designed from the ground up to be aware of multithreading
issues and to handle memory allocation nicely with shared pointers.
Compared to the original library, it brings the following major features:
- support for JZ boot devices, it is very easy to add support for others
- support for network transparent operations (through sockets): both tcp
and unix domains are support
Change-Id: I75899cb9c7aa938c17ede2bb3f468e7a55d625b4
