Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
Since the nwz_lib does not have any nvp code yet, it's quite of ugly hack
with hardcoded nvp node (11) for shipment information (shp). Thus I whitelisted
two series (NWZ-E460 and NWZ-A860) which I know for sure use this node ID.
Change-Id: I94c9b0db1f9d7ad764d2aa50576a911e710f25e1
This list can map from model id to device name. It was automatically extracted
from Sony's tools. In the future, we will probably generate it from a clean
database containing more useful information.
Change-Id: Ibe580edf25b60bf0bf4aef4a06f40dddd19c5404
This is useful because there is no easy way to get it except from Sony's tool,
unless one knows the npv node, but that requires to know the model already...
Change-Id: I202f7cdb2f7cf924cc5bdb53c17e34600d4bf153
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
This is code is intended to development into a library of code for the NWZ that
will be useful to write the "bootloader" on those device. At the same time, it
comes with test programs that are easy to run in firmware upgrade mode and also
provide a great test bench for the library. At the moment, two test programs are
available:
- test_display: simply prints two messages using /usr/bin/lcdmsg
- test_keys: displays input key event
Change-Id: I9d214894ffc9127b528fcdd3eb5d6b61f4e657a7
The exec_file allows to embed a script/executable and run it on target. It takes
of unpacking, remounting contents rw and redirect output to exec.txt at the root
of the drive. More generally, rework how the makefile works.
Change-Id: Iec719227be96e80701ad8f5398d2d34389f4da9e
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
This new header generator works differently from the previous one:
- it uses the new format
- the generated macro follow a different style (see below)
- the generated macro are highly documented!
- it supports SCT-style platform or RMW-style ones
Compared to the old style, the new one generate a big set of macros per
register/field/enum (loosely related to iohw.h from Embedded C spec). The user
then calls generic (names are customizable) macros to perform operations:
reg_read(REG_A)
reg_read(REG_B(3))
reg_read_field(REG_A, FIELD_X)
reg_read_field(REG_B(3), COOL_FIELD)
reg_write(REG_A, 0x42)
reg_write_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_write_fielc(REG_B(3), COOL_FIELD_V(I_AM_COOL), BLA(42))
the following use RMW or SET/CLR variants, depending on target:
reg_set_field(REG_A, FLAG_U, FLAG_V)
reg_clr_field(REG_A, FIELD_X, FIELD_Y, IRQ)
reg_clr_field(REG_B(3), COOL_FIELD, BLA)
the following does clear followed by set, on SET/CLR targets:
reg_cs(REG_A, 0xff, 0x42)
reg_cs(REG_B(3), 0xaa, 0x55)
reg_cs_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_cs_field(REG_B(3), COOL_FIELD_V(I_AM_COOL))
The generator code is pretty long but has lots of documentation and lots of
macro names can be customized.
Change-Id: I5d6c5ec2406e58b5da11a5240c3a409a5bb5239a
Although the jz4740 contains a similar tool to usbboot, its command-line
interface is not very useful, also it does not compile by default because it
relies on some external code, and it contains code specific to some JZ4740
devices.
Change-Id: I22688238d147e21fb0fd524466b333b6003d4ff1
This commit adds support for the version of the hwstub library, which requires
a lot of changes. It also adds some editing features, such as register access
and much better editing of fields using the mouse (double click on a field
to be able to resize and move it).
Change-Id: I3c4e4cc855cb44911c72bc8127bad841b68efe52
Registers (and variants) can now specify the type of access supported:
- unspecified: for variant means same as register, for register defaults R/W
- read/write
- read only
- write only
Backward compatibility is preserved by setting access to unspecified by default.
Change-Id: I3e84ae18f962a45db62f996a542d08405d05b895
Also use this opportunity to cleanup support for multiple devices: the shell
now supports dynamic changes in the device and will call init() everytime
a new device is selected, to prepare a new environment. The shell now
honors register width on register read/write. The shell also provides access
to variants as follows by creating a subtable under the register using the
variant type in UPPER case and having the same layout as a register.
For example if register HW.GPIO.DIR has variants "set" and "clr", those can
be used like this:
HW.GPIO.DIR.SET.write(0xff)
HW.GPIO.DIR.CLR.write(0xff00)
Change-Id: I943947fa98bce875de0cba4338e8b7196a4c1165
Rewrite the hwstub library in C++, with a clean and modular design.
The library was designed from the ground up to be aware of multithreading
issues and to handle memory allocation nicely with shared pointers.
Compared to the original library, it brings the following major features:
- support for JZ boot devices, it is very easy to add support for others
- support for network transparent operations (through sockets): both tcp
and unix domains are support
Change-Id: I75899cb9c7aa938c17ede2bb3f468e7a55d625b4
After being caught by several bugs of the type "let's forgot to initialize
a field to default value", I'm finally fixing this.
Change-Id: I01c33e0611d4f697f767db66465e4fb30858cdab
The parser would simply ignore unknown elements or attributes, which is bad
on many levels. Now any unknown tag will trigger a fatal error.
Change-Id: I32eead8e96c1567241cf2a565d9e20e62877c14d
This big commit port qeditor from v1 to v2 register file format. Although
the display code was much simplified, the edit code had to be rewritten.
The new code also brings many improvement to the register display widget.
The new code also compiles with both Qt4 and Qt5, although it is recommended
to use Qt5 to get some improvements, especially in the layout of editor.
Change-Id: I24633ac37a144f25d9e705b565654269ec9cfbd3
A v2 register description file can now include register variants and instances
addresses can now be a list (previously it could only be a stride or a formula).
Update the library to deal with that. The convert option of swiss_knife was
updated and one incompatible change was introduce: if a v1 device has several
addresses, those are converted to a single v2 instance with list (instead of
several single instances). This should have been the behaviour from the start.
Swiss_knife can now also convert regdumps, in which case it needs to be given
both the dump and register description file. Also introduce two register
descriptions files (vsoc1000 and vsoc2000) which give more complicated examples
of v2 register description files.
Change-Id: Id9415b8363269ffaf9216abfc6dd1bd1adbfcf8d
With this you can upload and run code on DSP core in atj213x.
The files can be produced using as2181. You can download
this assembler from https://github.com/wodz/as2181
You should use extended mode (-x switch) since DSP core
in atj is non standard and uses 24bit operands.
PX register has different meaning as well and is used as MSB
when loading other registers with immediates (immediate field
is 16bit in instruction so to set register to 24bit value
you need to store MSB in PX prior to this).
MAC MR is 56bit accordingly.
HIP interface seems to be mapped at standard addresses
(except that regular 218x doesn't have HIP).
Have a fun!
Change-Id: I9a80ca0dd3718ba8435ae8579bfffa66e067e022
This uses slightly hacked luaprompt to provide all the goodis.
See https://github.com/dpapavas/luaprompt for original.
Change-Id: Iedddb79abae5809299322bc215722dd928c35cca
When building in the current tree (i.e. buildfolder ending up as '.') creating
the filename to use in the zip file stripped all '.' characters. Use a
different way to create the filename to avoid this.
Change-Id: I139c404d5e83a8bcb028a9a22b125f238911e405
version.h doesn't store the version number as string anymore. Update
findversion to use the individual values instead.
Change-Id: I6bf0fdd4420d41279b44cffd22b42febbfc778ce
This tool can pack/unpack a jz4760 archive (like the one used for the fiio
x1/x3/x5), and can descramble/scramble (it's the same operation) a firmware
file (the sys.bin file in the archive). I did my best to keep the compatibility
with the leaked Fiio/Ingenic tool which has the same name.
I wrote the tools from scratch, but here are some remarks:
- the format used is a slightly modified IHFS used in the older JZ4640 series,
I used the information on the wiki about the IHFS format
- the CRC computation done was already reversed engineered by someone on the
forums but I realised this later
- There are a few unknown fields in the headers, see comments in the source code
- The firmware scrambling was discovered by pure guess, I realised there were
some repetitve sequences, some I guessed it was a rotative XOR and ran some
analysis to find the most probable sequence
Change-Id: Ib83735b3db8475be5de9c94231714e88668a0340
The solution is a bit hacky as it simply call make in libs
directory as pre-dependency. Clean doesn't touch libs.
Change-Id: Ib447a48fd87cc41228944f17444474a55d393543
Catched by swiss_knife check there are some overlaping fields
and invalid characters in some names.
Change-Id: Ia26ffd2e29452f4ddd9f8229f78bb2a2cc325ab4
The WRITE() macro checks if the "fw" pointer
is open upon fwrite() error. Since fw was
not initialized before use, it might crash for non-zero fw.
cppcheck reported.
[utils/jz4740_tools/HXFreplace.c:187]: (error) Uninitialized variable: fw
Change-Id: I558170f9f17828c9fd515a5da36ad8b5cb30a9ad
The variable 'i' should actually be 'size'.
See the read_reg() function above it.
Confirmed via private email from Maurus Cuelenaere. Thanks!
(who also remembered having trouble reading/setting
registers over USB back then ;))
cppcheck reported:
[rockbox/utils/jz4740_tools/jz4740_usbtool.c:281]: (error) Uninitialized variable: i
Change-Id: I0f34834335e89d2504e7597e8db22cf69b5ca7e7
cppcheck reported:
[utils/zenutils/source/update_patch/main.cpp:105]: (performance) Passing the result of c_str() to a function that takes std::string as argument no. 1 is slow and redundant.
Change-Id: Ied9de135e693af22e1fdc3aa3b67d14b7d2c21e6
The variable 'len' is not used after this statement.
Probably a copy'n'paste leftover from the similar
looking block above.
cppcheck reported:
[rockbox/utils/zenutils/source/shared/cenc.cpp:212]: (style) Same expression on both sides of '-'.
Change-Id: Ia8357187ed39d3fab10d97df75a1146c4f733790
cppcheck reported:
[rockbox/utils/imxtools/sbtools/sb1.c:440]: (warning) Comparison of a boolean expression with an integer other than 0 or 1.
Thanks to Thomas Jarosch
Change-Id: I0078232706d4014a1f2acea310a7a0d0edf7788b
This one is much more efficient than using a generic table widget.
Change-Id: I3578964eead746e656f6b0a8dcec0f8442deb13d
Reviewed-on: http://gerrit.rockbox.org/1022
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
With the previous code, tab names would be ignored if tab is detached
which can happen early on.
Change-Id: I9eac4202850f3e79a04590a4ba1444850ec6a583
Reviewed-on: http://gerrit.rockbox.org/986
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
The current code assumed that READ/WRITE would produce atomic read/writes for
8/16/32-bit words, which in turned put assumption on the memcpy function.
Since some memcpy implementation do not always guarantee such strong assumption,
introduce two new operation READ/WRITE_ATOMIC which provide the necessary
tools to do correct read and write to register in a single memory access.
Change-Id: I37451bd5057bb0dcaf5a800d8aef8791c792a090
Because Qt doesn't support QObject multiple inherance, it is a bit tricky
to have a base class which interact with the UI. The register tab name
now display:
- file dump name (for dumps)
- hwstub device path (for hwstub)
And the register editor display the filename
Change-Id: If2579992098c02627c67d560c824f1668e73bc45
Reviewed-on: http://gerrit.rockbox.org/979
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
The code did not call xmlInitParser() and would call xmlCleanupParser() each
time which is doubly wrong because 1) it's not init 2) all init/cleanup
must be done from the main thread. To ensure 2), call it from a static ctor.
Change-Id: I3d191bf3b8c0cfc51da78157e88c786636fd3ebf
Reviewed-on: http://gerrit.rockbox.org/966
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
A older commit removed this ability but it tends to be a problem since the HID
driver can prevent probing of transfer size which then needs to be entered
by hand on the command line.
Change-Id: Ie5a556ffdcc2adec0e1c984810983e19136b6473
This script is handy hacking tool to patch RKW file with
arbitrary binary and put jump into implanted code.
It also shows how to use hwstub crc routine.
Change-Id: I89b5086dc1ddaca3dbc03df26a85472d8a20d51e
This tool is a scriptable (lua) tool to patch binaries, it supports:
- raw binary
- ELF
- SB(v1/v2)
It also contains some basic routines to parse and generate useful arm/thumb code
like jump or register load/store. This is very useful to take a firmware and
patch an interrupt vector or some code to jump to an extra payload added to
the binary. Examples are provided for several STMP based target which the payload
is expected to be hwstub, and also for the Sansa View. A typical patcher usually
requires three elements:
- the lua patcher itself
- the payload (hwstub for example)
- (optional) a small stub either to jump properly to the payload or determine
under which circumstance to do the jump (hold a key for example)
Change-Id: I6d36020a3bc9e636615ac8221b7591ade5f251e3
Qeditor has been improved in many ways:
- it can now dump all registers, just like the lua DUMPER.dump_all() command
- several crash were fixed
- when connected to a hwstub command, one can correctly edit individual fields
- the code was simplified in several places
Change-Id: I092b99ce3a12ff6417552de61d62c65f706bcff0
The graphical editor can now display and editor description files.
The library has been improved to provide more useful function.
The XML format has been slightly changed: only one soc is allowed per file
(this is was already de facto the case since <soc> was the root tag).
Also introduce a DTD to validate the files.
Change-Id: If70ba35b6dc0242bdb87411cf4baee9597798aac
- drop support for PP500x: it's very different from other PP and although
it would be possible to support them, I don't have one to test the code
- make sure only the CPU is started
- add PP descriptor to report chip ID and revision
- add code in shell and lua to support pp (no register description yet)
- compile for ARMv4 because PP502x is an ARM7TDMI
Change-Id: I36c4e465dfc2cfdfe7433b2f65cc8f6f0720fe62
It is very similar to how e200tool from MrH works but uses the framework
of hwstub which is makes it completely trivial since we already have the
USB driver written.
Change-Id: I61cdc245d3f828c2682bcd6ecfed5a1cc0094139
This is actually the trivial part of e200tool from MrH: it simply writes the
code on the bulk endpoint. Code was mostly copied from imxtools/sbloader.
Change-Id: I6c208840d23553aaf3bd8b9374e6b0337e54f3b0
On some OSes like Windows or if running in a virtual machine, the one second
timeout might be too short.
Change-Id: I717f7a2aaed1cb3d40e8fbe6f9b1081b43ceea95
The UI now has a "read-only" check box to prevent accidently changes: once
unchecked, the UI can do write to register (only full register writes are
supported for now). If the register supports it, the UI provides SCT writes
as well. The display register panel was moved to its own class to cleanup
things a bit.
Change-Id: I0fc6aab3b351f9080076102ee6fad0037ab5353b
The code was a mess with respect to soc handling: some code just plain copied
the SoC descriptor which are big objects, some was using indexes. The new soc
factor out everything in a few classes which hide these ugly details so that
descriptors are never copied.
Change-Id: I17af8b47f997a528b58221621389d42d24fded93
A SoC descriptor is not a small object: it can be as large as ~100KiB so
it's better to avoid copying things over.
Change-Id: I1ef862e1260299cdaa0c4d2822ac45968713498a
This commit add the very handy feature of being able to read registers
directly from a device using hwstub. This is mostly trivial using the hwstub
library and the biggest change here is actually:
- being able to read registers by name and/or addresses
- being able to enumerate devives
The UI code currently doesn't handle hotplug but the backend does so it should
be trivial to add in the future. It also opens up the possibility the write
registers from hwstub or save the register values to a file.
Since it relies on both hwstub and libusb, a switch has been introduced in
qmake to disable it (use -config nohwstub).
Change-Id: I5d7d7a2a7c97ecd7407227357c8553c2773ea6cc
In might be useful to load hwstub in an environment with the MMU active,
in which case care must be taken on the order in which things are done.
Mostly, one should not disable the MMU before moving stuff around. The code
assumes the linking address (0 currently) is identity mapped.
Change-Id: I8d54ce9e8cadcde2e08990353ca7a46803731ca7
The protocol has evolved a lot during the 2.x.y lifetime, bringing more
features which later got unused. This commit removes all the unused stuff
and simplifies everything:
- drop the feature mask: everything is mandatory or stalled on error
- remove the info request and put all static information in standard USB
descriptors which are part of the configuration descriptor (and can be
retrieved using the standard GetDescriptor request).
- remove the USB interface, we had only one anyway
- remove all endpoint descriptors
- remove the exit/atexit stuff, it never worked as intended anyway
- update the hwstub library and make it able to handle any device
- update the tools (mostly renaming and removing of code)
Change-Id: I1872bba7f4177fc3891180e8f944aab88f5bde31
This test software setups timer T0 periodic interrupt.
In ISR it changes backlight level. The interrupt handler
does not support nesting and the whole ISR is run in interrupt
context. Exceptions are not handled yet.
Change-Id: Idc5d622991c7257b4577448d8be08ddd1c24c745
This is the basic port to the new target Samsung
YP-R1, which runs on a similar platform as YP-R0.
Port is usable, although there are still
some optimizations that have to be done.
Change-Id: If83a8e386369e413581753780c159026d9e41f04
The getty service mointors /dev/ttyGS0 (also created by the patched firmware).
When the g_serial.ko module is loaded this automatically enables shell access
via usb. It exposes a cdc-acm device to the host which is compatible to linux
(usb_serial.ko) and windows.
The g_serial.ko is not included module can be build from the YP-R0 open source
package provided by samsung. It can be loaded via rc.user on the internal memory.
Change-Id: I4903a635fd2e2f0ce6f5e91589a31d72bba2776b
This simple program shows how to setup timer for periodic
operation. Interrupts are not used yet and simply pending
irq bit is polled and cleared when set. This program
supports my understanding of disassm of ADEC_N63.BIN that
P_CLK is configured for 7.5MHz and timer clock source is P_CLK
directly.
Change-Id: Idd6461bf847c763b78b8c324012ec2515f65dd41
This test program. I add it mainly to document somehow my work:
1) atj213x.h lists registers addresses
2) crt0.S exploits self relocation of the binary
3) test_bl.c documents how to control backlight on e150
Change-Id: I055e0fe065d926a5c3805b73cea3f537cb64bf52
Some targets like Sony NWZ use a watchdog, so we must disable it to prevent
spurious reboot when we take over
Change-Id: I138a8d7f9a1b089acb2d08d7f6c4a58e8b088b3a
Conditional no longer needed since ctr0.S is private to target, also setup
stack just before jumping to C code only
Change-Id: I74116239be9e87bbe53e8fa814c45f04f242f1c1
The old code would set CPU to 64MHz and HCLK to 9MHz but that's too low for
many things like usb and gpmi. So change HCLK to ~32MHZ.
Change-Id: I6459f25900e42603333cebccb7b0ed26c59640ad
Some older versions of the ROM (TA3 for example), use a 64 byte report size
instead of 1024, so hardcoding 1024 is just a bad idea.
Change-Id: I720c4465cfe2f519bffa307175614bba58766dce
The version.sh tool tries to locate the repository root if no argument is
given but it doesn't really work. Instead explicitely give it the path to
the root.
Change-Id: Ie3a35cb3d41bbd8819823358763f714ad045527e
This is an improvement for the special
mode present in the samsung ypr0 target.
Apart adding new useful functionalities, it
fixes a random disconnection bug, solved by debouncing
and fully support to YP-R1 target.
This opens also the possibility to interface
this operating mode to rockbox USB functionality.
Change-Id: Id70541541fcfaa1234328485fab0696a3bd491c9
fixed a bug concerning bytes padding, since it wasn't correctly
implemented regarding original firmware structure.
This fixes ROM generation especially for ypr1.
Change-Id: I1a40fb4bb8f9d6b005d694246123e314c4d19b49
Reviewed-on: http://gerrit.rockbox.org/616
Reviewed-by: Thomas Martitz <kugel@rockbox.org>
They have been rewritten for being completely free and
as fast as possible.
Successfully extracted, patched, repacked and flashed
original firmware (tested on device and it worked)
Change-Id: I74d47d13f2dc3a2832a0d6821d3c2182dfd4b33b
Reviewed-on: http://gerrit.rockbox.org/506
Reviewed-by: Thomas Martitz <kugel@rockbox.org>
Tested-by: Thomas Martitz <kugel@rockbox.org>
This quick and dirty utility allows to extract nand bootloader
from raw 1st nand block dump. I post it mainly to somewhat
document how BCH error correction engine of the rk27xx works.
Change-Id: I37ca91add7d372e3576d2722afc946d0f08971a9