Because Qt doesn't support QObject multiple inherance, it is a bit tricky
to have a base class which interact with the UI. The register tab name
now display:
- file dump name (for dumps)
- hwstub device path (for hwstub)
And the register editor display the filename
Change-Id: If2579992098c02627c67d560c824f1668e73bc45
Reviewed-on: http://gerrit.rockbox.org/979
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
The code did not call xmlInitParser() and would call xmlCleanupParser() each
time which is doubly wrong because 1) it's not init 2) all init/cleanup
must be done from the main thread. To ensure 2), call it from a static ctor.
Change-Id: I3d191bf3b8c0cfc51da78157e88c786636fd3ebf
Reviewed-on: http://gerrit.rockbox.org/966
Reviewed-by: Amaury Pouly <amaury.pouly@gmail.com>
A older commit removed this ability but it tends to be a problem since the HID
driver can prevent probing of transfer size which then needs to be entered
by hand on the command line.
Change-Id: Ie5a556ffdcc2adec0e1c984810983e19136b6473
This script is handy hacking tool to patch RKW file with
arbitrary binary and put jump into implanted code.
It also shows how to use hwstub crc routine.
Change-Id: I89b5086dc1ddaca3dbc03df26a85472d8a20d51e
This tool is a scriptable (lua) tool to patch binaries, it supports:
- raw binary
- ELF
- SB(v1/v2)
It also contains some basic routines to parse and generate useful arm/thumb code
like jump or register load/store. This is very useful to take a firmware and
patch an interrupt vector or some code to jump to an extra payload added to
the binary. Examples are provided for several STMP based target which the payload
is expected to be hwstub, and also for the Sansa View. A typical patcher usually
requires three elements:
- the lua patcher itself
- the payload (hwstub for example)
- (optional) a small stub either to jump properly to the payload or determine
under which circumstance to do the jump (hold a key for example)
Change-Id: I6d36020a3bc9e636615ac8221b7591ade5f251e3
Qeditor has been improved in many ways:
- it can now dump all registers, just like the lua DUMPER.dump_all() command
- several crash were fixed
- when connected to a hwstub command, one can correctly edit individual fields
- the code was simplified in several places
Change-Id: I092b99ce3a12ff6417552de61d62c65f706bcff0
The graphical editor can now display and editor description files.
The library has been improved to provide more useful function.
The XML format has been slightly changed: only one soc is allowed per file
(this is was already de facto the case since <soc> was the root tag).
Also introduce a DTD to validate the files.
Change-Id: If70ba35b6dc0242bdb87411cf4baee9597798aac
- drop support for PP500x: it's very different from other PP and although
it would be possible to support them, I don't have one to test the code
- make sure only the CPU is started
- add PP descriptor to report chip ID and revision
- add code in shell and lua to support pp (no register description yet)
- compile for ARMv4 because PP502x is an ARM7TDMI
Change-Id: I36c4e465dfc2cfdfe7433b2f65cc8f6f0720fe62
It is very similar to how e200tool from MrH works but uses the framework
of hwstub which is makes it completely trivial since we already have the
USB driver written.
Change-Id: I61cdc245d3f828c2682bcd6ecfed5a1cc0094139
This is actually the trivial part of e200tool from MrH: it simply writes the
code on the bulk endpoint. Code was mostly copied from imxtools/sbloader.
Change-Id: I6c208840d23553aaf3bd8b9374e6b0337e54f3b0
On some OSes like Windows or if running in a virtual machine, the one second
timeout might be too short.
Change-Id: I717f7a2aaed1cb3d40e8fbe6f9b1081b43ceea95
The UI now has a "read-only" check box to prevent accidently changes: once
unchecked, the UI can do write to register (only full register writes are
supported for now). If the register supports it, the UI provides SCT writes
as well. The display register panel was moved to its own class to cleanup
things a bit.
Change-Id: I0fc6aab3b351f9080076102ee6fad0037ab5353b
The code was a mess with respect to soc handling: some code just plain copied
the SoC descriptor which are big objects, some was using indexes. The new soc
factor out everything in a few classes which hide these ugly details so that
descriptors are never copied.
Change-Id: I17af8b47f997a528b58221621389d42d24fded93
A SoC descriptor is not a small object: it can be as large as ~100KiB so
it's better to avoid copying things over.
Change-Id: I1ef862e1260299cdaa0c4d2822ac45968713498a
This commit add the very handy feature of being able to read registers
directly from a device using hwstub. This is mostly trivial using the hwstub
library and the biggest change here is actually:
- being able to read registers by name and/or addresses
- being able to enumerate devives
The UI code currently doesn't handle hotplug but the backend does so it should
be trivial to add in the future. It also opens up the possibility the write
registers from hwstub or save the register values to a file.
Since it relies on both hwstub and libusb, a switch has been introduced in
qmake to disable it (use -config nohwstub).
Change-Id: I5d7d7a2a7c97ecd7407227357c8553c2773ea6cc
In might be useful to load hwstub in an environment with the MMU active,
in which case care must be taken on the order in which things are done.
Mostly, one should not disable the MMU before moving stuff around. The code
assumes the linking address (0 currently) is identity mapped.
Change-Id: I8d54ce9e8cadcde2e08990353ca7a46803731ca7
The protocol has evolved a lot during the 2.x.y lifetime, bringing more
features which later got unused. This commit removes all the unused stuff
and simplifies everything:
- drop the feature mask: everything is mandatory or stalled on error
- remove the info request and put all static information in standard USB
descriptors which are part of the configuration descriptor (and can be
retrieved using the standard GetDescriptor request).
- remove the USB interface, we had only one anyway
- remove all endpoint descriptors
- remove the exit/atexit stuff, it never worked as intended anyway
- update the hwstub library and make it able to handle any device
- update the tools (mostly renaming and removing of code)
Change-Id: I1872bba7f4177fc3891180e8f944aab88f5bde31
This test software setups timer T0 periodic interrupt.
In ISR it changes backlight level. The interrupt handler
does not support nesting and the whole ISR is run in interrupt
context. Exceptions are not handled yet.
Change-Id: Idc5d622991c7257b4577448d8be08ddd1c24c745
This is the basic port to the new target Samsung
YP-R1, which runs on a similar platform as YP-R0.
Port is usable, although there are still
some optimizations that have to be done.
Change-Id: If83a8e386369e413581753780c159026d9e41f04
The getty service mointors /dev/ttyGS0 (also created by the patched firmware).
When the g_serial.ko module is loaded this automatically enables shell access
via usb. It exposes a cdc-acm device to the host which is compatible to linux
(usb_serial.ko) and windows.
The g_serial.ko is not included module can be build from the YP-R0 open source
package provided by samsung. It can be loaded via rc.user on the internal memory.
Change-Id: I4903a635fd2e2f0ce6f5e91589a31d72bba2776b
This simple program shows how to setup timer for periodic
operation. Interrupts are not used yet and simply pending
irq bit is polled and cleared when set. This program
supports my understanding of disassm of ADEC_N63.BIN that
P_CLK is configured for 7.5MHz and timer clock source is P_CLK
directly.
Change-Id: Idd6461bf847c763b78b8c324012ec2515f65dd41
This test program. I add it mainly to document somehow my work:
1) atj213x.h lists registers addresses
2) crt0.S exploits self relocation of the binary
3) test_bl.c documents how to control backlight on e150
Change-Id: I055e0fe065d926a5c3805b73cea3f537cb64bf52
Some targets like Sony NWZ use a watchdog, so we must disable it to prevent
spurious reboot when we take over
Change-Id: I138a8d7f9a1b089acb2d08d7f6c4a58e8b088b3a
Conditional no longer needed since ctr0.S is private to target, also setup
stack just before jumping to C code only
Change-Id: I74116239be9e87bbe53e8fa814c45f04f242f1c1
The old code would set CPU to 64MHz and HCLK to 9MHz but that's too low for
many things like usb and gpmi. So change HCLK to ~32MHZ.
Change-Id: I6459f25900e42603333cebccb7b0ed26c59640ad
Some older versions of the ROM (TA3 for example), use a 64 byte report size
instead of 1024, so hardcoding 1024 is just a bad idea.
Change-Id: I720c4465cfe2f519bffa307175614bba58766dce
The version.sh tool tries to locate the repository root if no argument is
given but it doesn't really work. Instead explicitely give it the path to
the root.
Change-Id: Ie3a35cb3d41bbd8819823358763f714ad045527e
This is an improvement for the special
mode present in the samsung ypr0 target.
Apart adding new useful functionalities, it
fixes a random disconnection bug, solved by debouncing
and fully support to YP-R1 target.
This opens also the possibility to interface
this operating mode to rockbox USB functionality.
Change-Id: Id70541541fcfaa1234328485fab0696a3bd491c9
fixed a bug concerning bytes padding, since it wasn't correctly
implemented regarding original firmware structure.
This fixes ROM generation especially for ypr1.
Change-Id: I1a40fb4bb8f9d6b005d694246123e314c4d19b49
Reviewed-on: http://gerrit.rockbox.org/616
Reviewed-by: Thomas Martitz <kugel@rockbox.org>
They have been rewritten for being completely free and
as fast as possible.
Successfully extracted, patched, repacked and flashed
original firmware (tested on device and it worked)
Change-Id: I74d47d13f2dc3a2832a0d6821d3c2182dfd4b33b
Reviewed-on: http://gerrit.rockbox.org/506
Reviewed-by: Thomas Martitz <kugel@rockbox.org>
Tested-by: Thomas Martitz <kugel@rockbox.org>
This quick and dirty utility allows to extract nand bootloader
from raw 1st nand block dump. I post it mainly to somewhat
document how BCH error correction engine of the rk27xx works.
Change-Id: I37ca91add7d372e3576d2722afc946d0f08971a9
Now always generate a "make.db" file which aims at being the exact
representation of the file, ie running sbtoelf and elftosb using
the generated command file should produce the exact same file
(except for the random paddings). We still miss the support
for some option parsing to achieve that though.
Change-Id: Ib7d6b241f7855fd35225df8ab8e0711f69d9ee5a
This dump has been obtained with hwpatcher + hwstub, the fuze+
was running OF 2.36.8 in normal mode while playing some mp3.
Change-Id: Ieecaa760fe8ccade0858db929b9d7c175a3eaddf
This tool allows one to explore any register map. Register dumps
(like produced by hwstub tools) can be loaded and decoded by the
tool. Finally some analysers are provided for specific soc analysis
like clock tree and emi on imx233 for example.
Change-Id: Iaf81bd52d15f3e44ab4fe9bc039153fcf60cf92a
Remove the hackish elf_translate_addresses which should not have
existed in the first place, on write always compute the physical
address of a section using elf_translate_virtual_address which
makes it possible to specify any virtual to physical mapping and
fail nicely if there is none.
Change-Id: I4f436945e90280a6fd9430de6c642dbeb8e23d40
Rename STOP command to EXIT, introduce ATEXIT, this gives better
control over the exit of the stub. Add stmp implementation.
Change-Id: I45442c8b88b9330d12ef439417ca5ffa1520477a
Completely rewrite the Mafile, properly put the usb driver in its
own file and the target specific files in a subdirectory.
Change-Id: Iaeee0128e021d5dad76b4d6035a63e33e2d946c1
The generator now has more options to generate or not selectors.
It can also generate a macro header containing lots of using
macros for register operations.
Change-Id: I9dd6b4bdc7daeabd1a2c9365ce082358475721b5
The tool can now load sb1 and sb files to devices. Detection has
been improved and the tool can infer the packet size for the HID
description as well. The command line interface has been vastly
improved too, this breaks the old one.
Change-Id: I01a0ff8f8a007514aa81c56f114c0f0a86e3303c
Fix the stub in many way to correctly detect the STMP family and
act upon that. Drop some unused commands and bump version.
Rewrite the tool to allows scripting in lua and load the register
description from an XML file using the regtools. Introduce a new
tool to load and run code using the hwstub (either binary format
or Rockbox additive scramble format). Also switch to an optimise
version of the memcpy/move/set functions to correctly handle
alignement issue (like writing a full word/half-word when
possible for registers which is crucial)
Change-Id: Id1d5cfe0b1b47e8b43900d32c5cd6eafae6414f6
Change the XML description to unify multi dev/reg in a clean
fashion. Move the description parser to its own library. Fix
the tester and headergen tools to work with the new format and
library. Move the STMP3700/3780 descriptions to the new format
(and fixes many errors as well). Drop the hwemulgen tool
in favor on the upcoming hwstub tools revamp.
Change-Id: I7119a187aab5c8b083cc5228cb1b248ee29f184d
The register tools are in no way stmp specific. The XML
description of the registers is powerful enough to describe
the STMP register which should be more than enough to describe
virtually all other SoCs. The generators follow the STMP coding
convention but others could be used as well.
Change-Id: If1a9f56e4a3594161688de34adbea698e5aaecd8
The hwemul is only partly imx specific: the stub is stmp specific
but could be ported to other targets, the computer side and the
protocol are mostly stmp independent (or should be).
Change-Id: If88febffe591b0de86ea11cb740455ba20ddc401
During testing it can be useful to set an arbitrary (non-current) time on the
device. Extend time-sync to accept an additional (optional) parameter with the
time to set. Only changes date / time, no timezone.
Change-Id: Ib320777cb245cff19ca00b20540db3a43a4e488f
Correctly descramble the first stages (0 to 2) in continuous mode.
Also fix a disassembled (but unused) crc routine used in dfu mode.
Change-Id: I20016d1c696a9bcb6584377ee9b55493783c7159
This tool can upload a firmware to the device in DFU mode. The
protocol is the same as the rk27xx devices except that it can
load a bigger (unlimited ?) firmware.
Change-Id: Ic9d4c5087629a9156f9d5d5cdc80767e6359c431
After some reverse engineering, it appears that the keys of the
sb1 format are very weak: the 128 bytes are generated from the
laserfuse words 4,5 and 6 but in a weird manner: 4 and 5 are
simply ORed and 6 is only half used (somehow), making it "only" a
48 bit word to find.
Change-Id: I40702e19d0924ef51c01894efce3cb65bd664456
There is a windows port of the sg_utils library for scsi pass-
through. This little changes make it compile under mingw. A better
fix would be to implement direct ioctl on both windows and linux
but that's already better than nothing
Change-Id: I0d77cd1bad69806a66f0590362f165f24fa240e9
This is a common problem that proprietary tools don't handle ELF
files correctly. ELF sections use a virtual address and the
virtual -> physical translation is done though segments. This
allows to have a load (physical) address different from the
virtual one. Here is the trick: proprietary tools usually don't
take the pain to do the translation and just grab the virtual
address. This commit implements proper translation in elftosb1
knowing that this introduce a deviation from the behaviour of the
proprietary tool.
Change-Id: I91721a3a8dead382a0603f84ae3b35c5eb9704eb
The tool still lacks some feature of the proprietary one but
can create files with all the basic features.
Change-Id: Ib0c91210940ca829291ce70945f88dc510a49974
The PWM code was for testing only the Zen X-Fi and should be
present in general because it could touch pins by error and
without producing any result.
Change-Id: Id20e2940cd7a057941d241254d0a867f5451e2db
It appears that all devices based on the Sigmaltel SDK support a
common vendor specific SCSI interface when in UMS mode. This
applies to the STMP36xx and the STMP37xx. This interface supports
many operations:
- get device info
- get device paritionning
- get janus/drm info
- read/write/allocate/erase any partition
- reset (chip or to updater and/or recovery)
This includes the ability to do a firmware upgrade by rewriting
the firmware partition. The tool currently does mostly nothing
but will be enhanced depending on the reverse engineering efforts
and the use of it. It has been tested on the Fuze+ and the Zen
X-Fi2/3.
Change-Id: Ibd4b2ad364c03ada4f9001573ef4cc87cfb041d1
The new tool fwcrypt can create a firmware image with a specified
model, version, region and so on.
Change-Id: I0e90e9ab905398a3e7ae3f4fb8b8bbfb2d12d703
Samsung provides many firmware upgrade in the format of a .dat
file, at least for nearly all YP's (checked for Q2, R0, T10, Z5).
This is a simple cyclic xor which a fixed key, a md5 sum and a
header specifying the model/version/region.
Change-Id: Ib0461a74196383189fd2d8162da444a85a229c60
This tool is very preliminary but could be use for whatever
purpose since the format of the rsrc sections is now known.
By the way it appears that this format is the same as the
one use by the stmp36xx for its resources.
Change-Id: Idd7057f5cdce5af9726904169bb100c8bacb0981
While elf simplification is a powerful tool it can be useful to
prevent it from happening for debug purposes. Also add a missing
switch description in usage() and missing static.
Change-Id: I80a1904dc4340c412bd3de1c124a2e38d6ac11a2
This is less useful is most cases because sb2 doesn't have the
size restritions but some elf are produced with one section per
file and still yield dozens or hundreds of sections. And this free
anyway so we can do it.
Change-Id: Ia5ca83a8375063ecc7052d1ea73b2b21c00be730
Load, fill and call/jump instructions are extracted as elf files
like for sb2. Because of the size limitations of the sb1
instructions, the resulting elf files can easily have hundreds of
sections. The (currently) implemented elf simplification method
will hopefully reduce this to a few sections only
Change-Id: I8fd6ed935ac3128f244bbd71c782e2a0a1c6d44a
Implement actual loading of a sb1 file to a structure in full
generality. Also implement dumping for debug purpose
Change-Id: I320035ea628719480a79aaccb05dce9a83256927
The STMP36xx series also uses .sb files but with a different
format. The main differences are the encryption and the lack of
sections, making it basically a list of commands: fill, load,
call, jump, switch mode, set sdram settings. Currently only the
sbtoelf has support for the sb1 and can only dump the list of
commands. Actual support for elf creation will come later.
Change-Id: I1f2e0230c91ac64efd0e8430e0c5212098c599fd
The hwemul tool is a small binary blob running on the device
that can received commands over USB. It is mainly intended to be
loaded using the recory mode and allows to read/write registers,
memory, use the OTP device, ... The tool is split into three
parts: dev/ contains the actual blob (which handles both imx233
and stmp3700), lib/ contains the communication library and can
also use the register description produced by the regtools/
to ease register by name, tools/ contains an interactive tool
to send commands to the device when running the blob.
Change-Id: Ie8cb32e987f825d8ed750d48071e43415b4dacb3
These files were produced by parsing some linux and/or sigmatel
provided headers and later tweaked by hand or by programs.
Each file describes one or more soc. A soc has a list of devices.
Each device can either be unique or have several copies at
different addresses. Each device has a list of registers which
can either be unique or indexed. Each register can further have
a list of fields. Registers with a SCT variant are also handled.
Change-Id: Ib50bb3fda268b6d5713f81bd8961de7978a5815e
These tools allow one to read a register description in a XML
file and to produce something useful out of it. Three example
programs are written:
- tester which simply prints the register tree
- headergen which produces a set of headers with the #define
- hwemulgen which produces something for the hwemul tool (to come)
Change-Id: I52573688b29d5faeaf64ce7c5ffe08ee8db3d33c
