Commit graph

23 commits

Author SHA1 Message Date
Nikita Burnashev
e232f69214 atjboottool: gzipped fw files, option for big-endian fw, clarify ECIES in fwu
Added fw modifications required to unpack real world player dumps.


Documented more fwu header fields, magic numbers and finite field arithmetic (extended Euclidean for inverse, long division for reducing modulo field_poly).

v3 encryption used is standard RC4 with the key additionally ciphered by the Elliptic Curve Integrated Encryption Scheme.

Either sect233k1 (NIST K-233) or sect163r2 (NIST B-163) curves can be used, with the former overwhelmingly prevailing, being hardwired in SDK's maker.exe. Using a private/public key scheme is superfluous because both are stored in the firmware, with the added level of complexity likely serving the purpose of obfuscation. The private key is generated at random with each invocation.

Neither the KDF nor the MAC from ECIES is used; the RC4 key is directly xored with the shared secret. The random number r used to calculate rG isn't stored, but that's unimportant since only krG == rkG is actually used in the encryption.

Change-Id: Ieacf8cc744bc90c7c5582dd724b2c10a41bfc191
2023-05-17 13:19:31 -04:00
William Wilgus
47e1f96427 Bugfix Backlight_init should be called after lcd_init
the rest..

Change-Id: I50585ba2191aa8134de3045b1445859b27503a68
2020-11-13 13:57:39 -05:00
Amaury Pouly
7807934a27 atjboottool: document more header fields and crypto code
The encryption definitely uses some standard elliptic curve encryption over
binary fields (163 and 233 bits, standard polynomials). It is still unclear
how this is used in the actual encryption, the key authentication and
derivation do not look standard.

Change-Id: I6b9180ff7e6115e1dceca8489e986a02a9ea6fc9
2017-10-26 18:17:59 +01:00
Amaury Pouly
7e42e90294 atjboottool: add support for FwuTail
Change-Id: Ib01a2ff92294dd0bb59439c23f26bc31eafa4a39
2017-10-20 23:57:58 +02:00
Amaury Pouly
ea679de837 atjboottool: put afi and fw code in its own files
Change-Id: I16347ebee0f82d5fdf32f5aa8f955c07fe148eba
2017-09-29 18:22:30 +02:00
Amaury Pouly
95c32a505a atjboottool: split fwu code into its own file
Slightly clean up the code by removing the old and dangerous --force option.

Change-Id: I776633a9924797fcd509b8b80623bcd64b391672
2017-09-29 17:56:04 +02:00
Amaury Pouly
d1ca2e45e9 atjboottool: cleanup and add support for atj2127
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrote (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is no 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added support for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.

Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
2017-07-30 14:32:12 +02:00
Thomas Jarosch
89ab3c2761 Fix uninitialized variable (should fix libusb retry handling)
Reported by cppcheck

Change-Id: I5ac7b73f2e3eaee3d5427d118944613e572f684d
2015-01-04 13:35:47 +01:00
Amaury Pouly
229a02a4ee adfuload: fix argument parsing
Change-Id: Ibde77a2f7cb7a73c26235be5b2afed9f0aec3e97
Reviewed-on: http://gerrit.rockbox.org/1039
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
2014-11-15 13:01:47 +01:00
Marcin Bukat
df2ac7428f adfuload: Improve arguments parsing
Change-Id: If18975f13d20bb7f7232cafdb4ea87fa516b5750
2014-11-06 07:56:02 +01:00
Marcin Bukat
d11704fed5 hwstub: Add atj213x support
Change-Id: Ic32200f9ab2c6977e503307a9cbe43a1328d0341
2014-11-05 08:18:59 +01:00
Amaury Pouly
791be56cff atjboottool: fix date printing
Change-Id: If5cd0d79e4afb12224932b24c63b016636c7a56e
2014-10-31 18:02:41 +01:00
Marcin Bukat
c626fe7004 atj213x: e100/150 lcd test binary
Change-Id: I3f9fa21dcb33d1cd3081d0c995adfb44e085dd7a
2014-10-18 20:18:01 +02:00
Marcin Bukat
c64b59fc5e atj213x: various fixes in sample code snippets
Change-Id: I78781e1a56cb6705d011ee2296f1789b497a566a
2014-03-04 11:07:07 +01:00
Marcin Bukat
101d10ff6c atj213x: rework crt0.S in test code
Rework init code so relocation is safe for binaries linked
into cached unmapped KSEG0 region.

Change-Id: I705ee3f0334f8998237f249a2c3059d6dbe78a43
2014-02-14 08:37:01 +01:00
Marcin Bukat
7552542288 atj213x: Simple test exploring irq handling
This test software sets up a timer T0 periodic interrupt.
In ISR it changes backlight level. The interrupt handler
does not support nesting and the whole ISR is run in interrupt
context. Exceptions are not handled yet.

Change-Id: Idc5d622991c7257b4577448d8be08ddd1c24c745
2014-02-09 22:29:30 +01:00
Marcin Bukat
51d8a45057 adfuload: add atj213x timer0 test program
This simple program shows how to set up a timer for periodic
operation. Interrupts are not used yet and the pending
irq bit is simply polled and cleared when set. This program
supports my understanding of disassm of ADEC_N63.BIN that
P_CLK is configured for 7.5MHz and timer clock source is P_CLK
directly.

Change-Id: Idd6461bf847c763b78b8c324012ec2515f65dd41
2014-01-08 08:56:09 +01:00
Marcin Bukat
062801e3ed atj213x: obtain PC value in more elegant way
Change-Id: I2e6ffb3b58ddda0ea62ce5d4cd71ac5475b34495
2014-01-03 09:00:11 +01:00
Marcin Bukat
87c6df98a3 adfuload: add test program
This test program. I add it mainly to document somehow my work:
1) atj213x.h    lists register addresses
2) crt0.S       exploits self relocation of the binary
3) test_bl.c    documents how to control backlight on e150

Change-Id: I055e0fe065d926a5c3805b73cea3f537cb64bf52
2013-12-13 22:43:52 +01:00
Marcin Bukat
b5ca0cffac adfuload: utility to upload and exec binary using brom adfu mode of atj213x SoC
Change-Id: If52aa34124be2801c2ac316641ff9aa0bbd837c6
2013-12-11 15:42:25 +01:00
Amaury Pouly
08ca0b59c8 atjboottool: add missing copyright headers
Change-Id: Idb2f5e4b0bd6a84bc3eaff088fb4706f46ed1535
2012-10-30 13:14:52 +01:00
Amaury Pouly
283277e5ab atj: provide default output prefix/filenames on unpacking
If no output prefix is specified, a default is picked:
- filename with extension replaced by .afi for FWU files
- filename with extension replaced by .fw/ for AFI files
- filename without extension and with / for FW files

Change-Id: I6497b8f4a49f1238e5db738429f687cad3ae8a5a
2012-10-04 12:27:17 +02:00
Amaury Pouly
821efc46ec Introduce atjboottool for ATJ213x firmwares
Change-Id: Ie857b82e25de235c8549defab7e75995efefb3f6
2012-10-03 14:27:19 +02:00