This imports the MD5 code used by other utilities and creates
a function for checking the provided NK.bin against known original
firmware checksums. Integration into mknkboot and beastpatcher is
also added.
For the sake of consistency with beastpatcher, mknkboot had its
printf statements rewritten to print to stderr like beastpatcher
does.
Change-Id: I0e52271d8d627a5b02302ab5cd1da2815b7cec1e
- Drop obsolete NAND patch script (it's simpler to use 'dd' directly)
- Remove an outdated comment
- Fix missing 'void' in a function definition
- Reset the poweroff timer when we poke the backlight
Change-Id: I752624386f30ac95f41a731d2b6be837e12275a9
I think this covers everything now, although some fields are missing
enum values. Those can be added in if and when they are needed.
Change-Id: Ib1a94ba9c9a5949b6a038f8c1a49786823fae58f
This only required a minor patch to the usb-designware driver due
to DMA requiring physical addresses -- on the X1000, these differ
from virtual addresses so we have to do the usual conversion.
Both the mass storage and HID drivers work, but there are a few
issues so this can't be considered 100% stable yet.
- Mass storage might not be detected properly on insertion,
and USB has to be replugged before it shows up
- HID driver may occasionally panic or hang the machine
Change-Id: Ia3ce7591d5928ec7cbca7953abfef01bdbd873ef
This uses the new unicode string literal feature that is available
now to greatly simplify the initialization of these special string
types. This makes them much more readable at a quick glance.
Change-Id: Iad8b49aa763486608e3bb7e83fb8abfb48ce0a7b
This is essentially an expanded version of jz4760_tools/usbboot,
able to support both X1000 and JZ4760 CPUs and easily extended to
handle other Ingenic CPUs using the same boot protocol.
Change-Id: I70ce3acc3531d65390c6bbae4d2b3352140acf0a
Don't always operate on the remote head, instead default to the local
HEAD, and allow passing a hash to use for calculating statistics.
Change-Id: I420308e66769689c1dfac56e19058b097a0533a2
Make sure the target version isn't the default one so it also runs on
older macOS versions than the current one.
Change-Id: Ib3517c97eee23ce1648e644ffc9daba2d1e7b599
- When make on Windows finds sh.exe it will try to use that. We use
cmd.exe calls when detecting Windows, so make sure we use cmd.exe as
shell.
- Add missing Windows compatibility to tomcrypt Makefile.
Change-Id: Iaef133ca27472a5ddf449174d540983f15c66aea
On macOS we pass the full path to the compiler. On recent versions this
causes the compiler to not find its SDK path, this needs to get passed
via the isysroot option.
Change-Id: Iea2820e1755cc80e12691119dfa31d70938ea511
Replace the use of crypto++ with tomcrypt, which is much smaller and C.
This gets rid of various build issues for systems that don't ship
crypto++ (i.e. everything except Linux.)
Change-Id: Ic0799e17b94935c71b14765cf9a2a7ea2b0adc7a
libtomcrypt uses a macro "byte" which conflicts with this type. Since
the underlying type is uint8_t and there's no real benefit from using a
custom type use the actual underlying type.
Change-Id: I982c9b8bdcb657b99fa645a5235303af7afda25b
When generating the MD5 using -z index,name the tool would add the entry but
forgot to increase the file size, hence truncating the file.
Change-Id: Ibd3c594722ab46350cda60d158666fe34a96e922
When compressing, it is possible to tell the tool to add an entry to the MD5
file (index 1), it is still necessary to give an empty file for that index.
To do so, pass the option "-z idx,name" instead of "-z idx". This will create
an entry of the form "size md5 name". For instance "-z 6,system.img".
When decompressing, if one passes "-z idx,name" instead of "-z idx", the tool
will decompress and check against the value in the MD5 file.
Change-Id: Ifb945f6121644ae9105265d2d83ce6067301c5b2
To decompress some output file(s), simply pass -z <idx> where idx is the index
of the file to decompress, starting from 0. For example
upgtool -e NW_WM_FW.UPG -o tmp/ -m nw-wm1a -z 6 -z 7
to decompress files 6 and 7. To compress file, use the same options:
upgtool -c NW_WM_FW.UPG -m nw-wm1a -z 2 script.sh md5sum.txt system.img
Change-Id: I1ef0b3e02c98e58154f1a959fb1ad70ad2ce6500
In order to avoid the crypto++ mess, the code uses the Windows Cryptography API,
which is standard. There is also some makefile magic to cross-compile:
make PREFIX=i686-w64-mingw32- EXE_EXT=.exe
I selected the option so that it should statically link support libraries used
by gcc (slsj and libwinpthread).
Change-Id: Iaf07da23afe81ed217fb3921ce13367c5441514d
The new code supports reading and writing UPG files. I kept the old keysig
search code but it only supports the old format (the new format has too long
keys anyway). Since we now have to support two types of encryption (DES and AES),
I reorganized the crypto routines and cleaned up some code.
Change-Id: Ie9be220ec2431ec6d0bd11699fa0493b62e1cec2
Split WM1A/WM1Z because they don't have the same KAS. On newer devices, the KAS
is actually 64 bytes, not 60. The strange thing is that "get_dnk_nvp kas" returns
60 bytes whereas "get_dnk_prop kas" returns 64, not sure why.
Change-Id: I944d3d838209ba58388439af0cdf5d7c74f1f7fc
* DMA Bulk IN (ie our TX) results in sequential transfers 33-68% faster.
* DMA Bulk OUT (ie RX) is mostly stripped out due to complete brokenness.
* Interrupt and control endpoints remain PIO-driven.
Other improvements:
1) Use consistent endpoint references (no magic numbers)
2) Greatly enhanced logging
3) DMA support can be compiled out completely
4) Setting lockswitch will disable all DMA operations at runtime
5) Much more robust error checking and recovery
Change-Id: I57b82e655e55ced0dfe289e379b0b61d8fe443b4
- Replace use of obsolete members with their replacements.
- Fix type issue that requires explicitly creating the right object now.
- Update project file to work with Qt5.
Change-Id: I3af2b1520796e977e58c0a01e165c77c469a23b9
Let the linker find libmtp / libusb. Also don't insist on linking them
statically -- current Debian doesn't have a static libmtp.
Set STATIC to force linking statically.
Change-Id: I3ce9cea832705c87f08054435eadf9f169afedb2
ypr1 target should switch back to OF by pressing volume down,
since volume up is already mapped to the early/safe mode.
Change-Id: I18c4deed2c8982dbee18b081ecc59b970c654473
This trivial patch wants to exploit /tmp filesystem to place
Rockbox executable. Why that? It will be then possible to
easily unlock & umount the storage partition, in order to provide
Rockbox itself a mean for RAW storage access. In turn, this will
allow a Rockbox-handled USB Mass Storage support, as well as other
goodies (storage info is one I can think of).
It takes way less than a second so it doesn't hurt boot time.
Moreover, YPR0/YPR1 targets have plenty (64MB) of RAM, so
the humble half meg executable won't hurt at all.
Change-Id: Ibc9d9a40712e924c8e19cfd7c62189b182f0401a
This patch removes the deprecated kernel module to manage
the fm-radio chip on the ypr0 target.
http://gerrit.rockbox.org/r/#/c/1594/ implements the interface to
the i2c bus by using the i2c-dev kernel driver, no need for
additional complexity.
Change-Id: I0d09e2e9d1714b3cb8a72b3d79a91602a627cc90
Only expand pkg-config calls once by making the compiler flags simply
expanded variables. Makes things more predictable and slightly faster.
Change-Id: Ie2ed066f205a95ec8a7708cefeb29e9989815db6
Building with mxe failed due to the toolchain (and Qt5) introducing
dependencies to system libraries we don't know about. Commit 3083abeb95
thus ignored the actual problem. Revert that and instead add the missing
system libraries to the list of known libraries.
Change-Id: I29ac296765e580b751d3d906d58ab563d05efde2
At least newer devices support more NVP properties in a device-independent
numbering. Many are supported but I just added two useful ones
Change-Id: I57926de7f0dd364b46a57ca8d48a5c4d4f20402b
This fixes a couple of issues when cross-compiling for windows:
- lib builds (i.e. mks5lboot) were overriding the cross CC/CXX with the
native CC, producing incompatible binaries.
- Qt made the accessibility plugin part of the core library, so we no
longer need to import it.
Change-Id: I9d884aee62dfa51d3624a3fa9b99c23b3b375f20
Seems like newer versions of mingw will spontaneously add a .exe suffix to
the output path if it doesn't have one, for example mingw-gcc -o scsitool bla
will actually create scsitool.exe and of course this breaks my release script.
Fix this by explicitly adding the .exe to avoid any problem
Change-Id: Ic8019b968b532b2ca612ba0c03977a96c22cee01
This is one of those fancy gold-plated devices. Of course it breaks my scripts
that were nicely expecting every device to start with NW.
Change-Id: I161320f620f65f4f92c2650d192b26a9831eeb9d
There is something weird going on: the Sony website has two different entries:
- NW-ZX300/NW-ZX300A/NW-A45/NW-A47/NW-A45HN/NW-A46HN
- NW-ZX300,NW-ZX300A update(20181004)/NW-ZX300G
with slightly different nvp entries, but it is impossible to tell whether
an NW-ZX300(A) belongs to one or the other. Since the diff is very small,
I am adding this as nw-zx300g but treat all devices as nz-zx300 since the
destination node is the same and that is the main usage of the tool anyway.
Change-Id: I3dc2fdec52650f938d568bed578184f6bc43d130
If the model is not known (ie model ID in the database) but another device from
the same series is known, then the database information probably applies and
one can use the "force" option -s to tell the tool to ignore the model ID.
Automatically print such advice when the series can be guessed.
Change-Id: I6bcc7aa29693df8c3d7d8e709ece7cea650be717
swr/swl instructions used for word aligning were wrong. This
made memset() terribly broken. I can't imagine how it went
uncaught for soooo long. Spotted by Solomon Peachy.
I run unit tests for alignments 0,1,2,3
size 1, 2, 3, 4, 5, 63, 64, 65, 127, 128, 129;
and fill pattern 0x00 and other (since 0 is special case in this
implementation).
Change-Id: I513a10734335fe97734c10ab5a6c3e3fb3f4687a
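A test matrix of the kind this commit message describes, written here as an added example (it is not the author's test code). The guard bytes, the 0x5A non-zero pattern and `broken_memset`, a constructed faulty stand-in unrelated to the actual swr/swl bug, are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void *(*memset_fn)(void *, int, size_t);
#define GUARD 0xA5 /* canary byte; differs from both fill patterns */
#define PAD   8    /* canary bytes on each side; multiple of 4 */

/* Constructed faulty stand-in (not the Rockbox bug): rounds the start
 * address down to a word boundary before filling. */
static void *broken_memset(void *d, int c, size_t n)
{
    memset((void *)((uintptr_t)d & ~(uintptr_t)3), c, n);
    return d;
}

/* One case: returns 0 if exactly dst[0..size) was filled, 1 otherwise. */
static int check_case(memset_fn fn, size_t align, size_t size, int pat)
{
    static union { uint32_t w; unsigned char b[PAD + 3 + 129 + PAD]; } buf;
    size_t i, start = PAD + align;          /* buf.b is word aligned */

    memset(buf.b, GUARD, sizeof(buf.b));
    if (fn(buf.b + start, pat, size) != buf.b + start)
        return 1;
    for (i = 0; i < sizeof(buf.b); i++) {
        int inside = i >= start && i < start + size;
        if (buf.b[i] != (inside ? (unsigned char)pat : GUARD))
            return 1;
    }
    return 0;
}

/* Matrix from the commit message; returns the number of failing cases. */
static int run_matrix(memset_fn fn)
{
    static const size_t sizes[] = {1, 2, 3, 4, 5, 63, 64, 65, 127, 128, 129};
    static const int pats[] = {0x00, 0x5A}; /* 0x5A: assumed non-zero pattern */
    int fails = 0;
    for (size_t a = 0; a < 4; a++)
        for (size_t s = 0; s < sizeof(sizes) / sizeof(sizes[0]); s++)
            for (size_t p = 0; p < 2; p++)
                fails += check_case(fn, a, sizes[s], pats[p]);
    return fails;
}

int main(void)
{
    printf("memset: %d failing, broken stand-in: %d failing\n",
           run_matrix(memset), run_matrix(broken_memset));
    return 0;
}
```

Checking the guard bytes on both sides is what catches a head or tail that is written at the wrong offset, which a content-only comparison at alignment 0 would miss.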
Previously only atomic read/write 8/16/32 were exposed. But it is useful to
be able to read a whole buffer at once, this is more efficient than N times
read8.
Change-Id: I06e331641e1ab1f74c0e16e8c432eafb398e8e6d
The encryption definitely uses some standard elliptic curve encryption over
binary fields (163 and 233 bits, standard polynomials). It is still unclear
how this is used in the actual encryption, the key authentication and
derivation do not look standard.
Change-Id: I6b9180ff7e6115e1dceca8489e986a02a9ea6fc9
Now print list of devices immediately even if the rest of the command line
is empty (ie 'scsitool -s ?' works, whereas before one would need an actual
device to even get a list). Add more information in the help_us command:
print kas, lyr and fpi.
Change-Id: Icfeeaeebe28c774a74ca54661357fafa25c3d114
The tool now provides more useful information for developers when the device
is not supported. It also has a new verb "help_us" that also prints all this
information (notably the device info and model ID).
Change-Id: I04baec8fff23eb83a0408add6296b5d42e9aa8e7
We still miss the model IDs for those devices so scsitool won't be able to
recognize them automatically.
Change-Id: I17ae0f0d95c011cea8e289def63c7673b6c4b667
DES ignores the parity bit of each byte (making the 64-bit key really 56-bit),
but the current code skipped the parity bit of each half-byte, thus missing
some keys.
Change-Id: Ia523ebb944e458905b7de1742df151df22166150
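The parity point in this commit message, as an added example that is not taken from the Rockbox code. `nibble_canonical` is an assumed model of the faulty handling (bit 0 of every half-byte treated as ignorable), and the two keys in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define DES_PARITY_MASK  0x0101010101010101ULL /* bit 0 of each byte */
#define NIBBLE_SKIP_MASK 0x1111111111111111ULL /* bit 0 of each half-byte */

/* Clear the eight parity bits: keys DES treats as identical compare equal. */
static uint64_t des_canonical(uint64_t key) { return key & ~DES_PARITY_MASK; }

/* Modeled faulty form (assumption): also discards bit 4 of every byte,
 * which DES does use, so distinct keys collapse into one. */
static uint64_t nibble_canonical(uint64_t key) { return key & ~NIBBLE_SKIP_MASK; }

/* Set bit 0 of each byte so every byte has odd parity (DES convention). */
static uint64_t des_set_odd_parity(uint64_t key)
{
    uint64_t out = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t b = (uint8_t)((key >> (8 * i)) & 0xFE);
        int ones = 0;
        for (uint8_t t = b; t; t >>= 1)
            ones += t & 1;
        if ((ones & 1) == 0)
            b |= 1;
        out |= (uint64_t)b << (8 * i);
    }
    return out;
}

/* Number of distinct values one key byte can take once masked with keep. */
static int distinct_bytes(uint8_t keep)
{
    int seen[256] = {0}, n = 0;
    for (int v = 0; v < 256; v++)
        if (!seen[v & keep]++)
            n++;
    return n;
}

int main(void)
{
    uint64_t a = 0x0123456789ABCDEFULL, b = a ^ 0x10; /* constructed keys */
    printf("per-byte values: %d (byte parity) vs %d (nibble skip)\n",
           distinct_bytes(0xFE), distinct_bytes(0xEE));
    printf("DES sees a,b as %s; nibble skip sees them as %s\n",
           des_canonical(a) == des_canonical(b) ? "same" : "different",
           nibble_canonical(a) == nibble_canonical(b) ? "same" : "different");
    printf("all-zero key with odd parity: %016llx\n",
           (unsigned long long)des_set_odd_parity(0));
    return 0;
}
```

With 128 usable values per byte the key space is 128^8 = 2^56; the nibble-skipping model leaves 64 per byte, so it covers only 2^48 of those keys.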
Strangely it has the SAME encryption key as the E450. Either they didn't bother
changing it or more likely they have exactly the same internals and a slightly
different case.
Change-Id: I39ab88845b3e40db34160c2e61dde421f391df44
SUPPORTED SERIES:
- NWZ-E450
- NWZ-E460
- NWZ-E470
- NWZ-E580
- NWZ-A10
NOTES:
- bootloader makefile converts an extra font to be installed alongside the bootloader
since sysfont is way too small
- the toolsicon bitmap comes from the Oxygen iconset
- touchscreen driver is untested
TODO:
- implement audio routing driver (pcm is handled by pcm-alsa)
- fix playback: it crashes on illegal instruction in DEBUG builds
- find out why the browser starts at / instead of /contents
- implement radio support
- implement return to OF for usb handling
- calibrate battery curve (NB: of can report a battery level on a 0-5 scale but
probably don't want to use that ?)
- implement simulator build (we need a nice image of the player)
- figure out if we can detect jack removal
POTENTIAL TODOS:
- try to build a usb serial gadget and gdbserver
Change-Id: Ic77d71e0651355d47cc4e423a40fb64a60c69a80
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrote (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added support for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.
Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
The devinfo request returned the raw data, now the tool prints the various
fields. Also add support for the dhp (destination/headphones/color ...): this
one is untested because it's only supported starting from A10 or A20. There is
still a problem with the dpcc prop: although it should work for DEVINFO, it does
not, despite the fact that the get_dev_info command works and is internally (on
the Sony) translated into a dpcc request. I keep the code just in case.
Change-Id: I5aa8ef4afb0b11d3c0ddfa3d38f3e737ee1aff66
The detailed error message is only printed if -d switch is on command line,
otherwise there is no error message which is wrong so fix that.
Change-Id: I397541c467940e9b290ee8d4ae704368b1ce132b
I am unsure about the names of the player, the manual says A36HN and A37HN but
at the same time there is a A35 and A35HN with the same ID, and Sony does not
usually put the "HN" in its device list.
Change-Id: Idbf32970aa334b30f1b8947a78b8eebd524b193b
* make gen_db.py work on Windows/Python 2
- use hashlib module instead of md5sum, also don't rely on / for file path
matching
- don't use 'file' for a variable name
* fix parse_nvp_header.sh for older kernels
pre-emmc kernel sources use a slightly different #define format; adjust
regexp to catch it.
* add nwz-x1000 series NVP layout (from icx1087_nvp.h)
some new tags have no description, alas the driver doesn't have
them :/
* minor fixes to nvp/README
fixed typos/wording
Change-Id: I77d8c2704be2f2316e32aadcfd362df7102360d4
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")
* hint that -o is needed when extracting
Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
The code depended on the sg_lib header being present, remove this dependency
so that we only need public headers.
Change-Id: I69398453635135deb33e2adf67f15ddb80e4ba16
...by QStyleOptionViewItem. Yes Qt got it right, in 5.7 they deprecated
QStyleOptionViewItemV4 and recommend using QStyleOptionViewItem which contains
less fields except on newer Qt where it contains all fields. Hopefully it still
works on Qt>4.x for a large enough value of x.
Change-Id: I013c383d2424b04c1c0745f0d7b1d5e62a29d324
The clock structure is identical, and the EMI are the same.
Also fix SSP clock, it was broken on imx233 as well.
Change-Id: I25ec66059b00b1a456ef2f02131d225082536c0a
Because a node ref is at root doesn't make it valid, check that soc is valid
otherwise we return garbage.
Change-Id: I6e5befc959dc670ab39a87484e87af6d90be7726
Add lua code to check whether ei/di and ext instructions are supported. This
is unclear since xburst is somewhere between mips32r1 and mips32r2. Detailed
results are below, but in summary: they don't work (ei has no effect, di/ext
cause illegal instruction exceptions)
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ext_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
data: d7168acf
error: lua/xburst.lua:209: call failed
trapped exception in call
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ei_di_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
Testing ei
Test SR
Enable interrupts with CP0
SR: 0x1
Disable interrupts with CP0
SR: 0x0
Test ei/di
Enable interrupts with ei
SR: 0x0
Disable interrupts with di
error: lua/xburst.lua:244: call failed
trapped exception in call
Change-Id: I2e162b5dd5e70488bcd8b58f3ca401a3ecab3c4b
Since we can catch exceptions like data aborts on read/write, it takes very
little to also catch exceptions in calls. When extending this with the catching
of illegal instructions, the call instruction now becomes much more robust and
also for address and instruction probing. Since we can catch several types of
exception, rename set_data_abort_jmp to set_exception_jmp. At the same time,
simplify the logic in read/write request handlers. Also fix a bug in ARM
jump code: it was using
stmia r1, {..., pc}
as if pc would get current pc + 8 but this is actually implementation defined
on older ARMs (typically pc + 12) and deprecated on newer ARMs, so rewrite the
code to avoid that. The set_exception_jmp() function now also reports the exception
type.
Change-Id: Icd0dd52d2456b361b27c4776be09c3d13528ed93
Now that we know that jz4760b implements EBASE, we can use it to rebase
exceptions to use a k1seg address, that maps to the physical address of the
TCSM0. It requires to enable HAB1 to have this translation. This is the most
inefficient way to access tightly coupled memory ever, but it works.
Change-Id: I894ca929c9835696102eb2fef44b06e6eaf96d44