d07ea9a48e
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@22565 a1c6a512-1295-4272-9138-f99709370657
457 lines
13 KiB
C
457 lines
13 KiB
C
/***************************************************************************
|
|
* __________ __ ___.
|
|
* Open \______ \ ____ ____ | | _\_ |__ _______ ___
|
|
* Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
|
|
* Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
|
|
* Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
|
|
* \/ \/ \/ \/ \/
|
|
*
|
|
* Copyright (C) 2009 by Karl Kurbjun
|
|
* based on work by Shirour:
|
|
* http://www.mrobe.org/forum/viewtopic.php?f=6&t=2176
|
|
* $Id$
|
|
*
|
|
* All files in this archive are subject to the GNU General Public License.
|
|
* See the file COPYING in the source tree root for full license agreement.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
****************************************************************************/
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <fcntl.h>
|
|
#include <errno.h>
|
|
#include <unistd.h>
|
|
#include <inttypes.h>
|
|
#include <sys/stat.h>
|
|
#include "mr500.h"
|
|
|
|
/* Notes about firmware:
|
|
* These notes are based on the work and observations of Shirour on the M:Robe
|
|
* forums.
|
|
*
|
|
* The firmware for the M:Robe has basic encryption on it. The data is XORed
|
|
* and scrambled. The mr500_save_data function provides an implemenation of the
|
|
* encryption/decryption.
|
|
*
|
|
* When a firmware update is done the "{#4F494D4346575550#}" folder is stored
|
|
* in the system folder on the player. The "{#4F494D4346575550#}" should only
|
|
* contain the encrypted N5002-BD.BIN file. At the end of a firmware update
|
|
* the "{#4F494D4346575550#}" folder and it's contents are removed from the
|
|
* player.
|
|
*
|
|
* An interesting note is that the name "{#4F494D4346575550#}" is actually the
|
|
* Hex representation of the magic text found at the beginning of the firmware
|
|
* image "OIMCFWUP".
|
|
*/
|
|
|
|
/* These two arrays are used for descrambling or scrambling the data */
|
|
int decrypt_array[16]={2, 0, 3, 1, 5, 7, 4, 6, 11, 10, 9, 8, 14, 12, 13, 15};
|
|
int encrypt_array[16];
|
|
|
|
/* mr500_patch_file: This function modifies the specified file with the patches
|
|
* struct.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* patches: pointer to structure array of patches
|
|
* num_patches: number of patches to apply (applied in reverse order)
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_patch_file(char *filename, struct patch_single *patches,
|
|
int num_patches) {
|
|
int fdo;
|
|
int ret=0;
|
|
uint32_t endian_int;
|
|
|
|
/* Open the file write only. */
|
|
fdo = open(filename, O_WRONLY);
|
|
|
|
if(fdo<0) {
|
|
ret=-1;
|
|
}
|
|
|
|
while(num_patches--) {
|
|
/* seek to patch offset */
|
|
if(lseek(fdo, patches[num_patches].offset, SEEK_SET)
|
|
!= patches[num_patches].offset) {
|
|
ret=-1;
|
|
break;
|
|
}
|
|
|
|
/* Make sure patch is written in little endian format */
|
|
endian_int = htole32(patches[num_patches].value);
|
|
|
|
/* Write the patch value to the file */
|
|
if(write(fdo, (void *) &endian_int, sizeof(endian_int)) < 0) {
|
|
ret = -1;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdo) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_save_header: This function saves the Olympus header to the firmware
|
|
* image. The values stored in the header are explained above. Note that this
|
|
* will truncate a file. The header is stored in little endian format.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* header: pointer to header structure to be saved
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_save_header(char *filename, struct olympus_header *header) {
|
|
int fdo;
|
|
int ret=0;
|
|
|
|
/* Temporary header used for storing the header in little endian. */
|
|
struct olympus_header save;
|
|
|
|
/* Open the file write only and truncate it. If it doesn't exist create. */
|
|
fdo = open(filename, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
|
|
|
|
if(fdo<0) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Header is stored at offset 0 (Not really needed) */
|
|
if(lseek(fdo, 0, SEEK_SET) != 0) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Convert header to Little Endian */
|
|
memcpy(&save.magic_name, &header->magic_name, 8*sizeof(int8_t));
|
|
save.unknown = htole32(header->unknown);
|
|
save.header_length = htole16(header->header_length);
|
|
save.flags = htole16(header->flags);
|
|
save.unknown_zeros = htole32(header->unknown_zeros);
|
|
save.image_length = htole32(header->image_length);
|
|
|
|
/* Write the header to the file */
|
|
if(write(fdo, (void *) &save, sizeof(save)) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdo) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_read_header: This function reads the Olympus header and converts it to
|
|
* the host endian format. The values stored in the header are explained above.
|
|
* The header is stored in little endian format.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* header: pointer to header structure to store header read from file
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_read_header(char *filename, struct olympus_header *header) {
|
|
int fdi;
|
|
int ret = 0;
|
|
|
|
/* Open the file read only */
|
|
fdi = open(filename, O_RDONLY);
|
|
|
|
if(fdi<0) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Header is stored at offset 0 (Not really needed) */
|
|
if(lseek(fdi, 0, SEEK_SET) != 0) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Read in the header */
|
|
if(read(fdi, (void *) header, sizeof(*header)) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Convert header to system endian */
|
|
header->unknown = le32toh(header->unknown);
|
|
header->header_length = le16toh(header->header_length);
|
|
header->flags = le16toh(header->flags);
|
|
header->unknown_zeros = le32toh(header->unknown_zeros);
|
|
header->image_length = le32toh(header->image_length);
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdi) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_save_crc: This function saves the 'CRC' of the Olympus firmware image.
|
|
* Note that the 'CRC' must be calculated on the decrytped image. It is stored
|
|
* in little endian.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* offset: Offset to store the 'CRC' (header size + data size)
|
|
* crc_value: pointer to crc value to save
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_save_crc(char *filename, off_t offset, uint32_t *crc_value) {
|
|
int fdo;
|
|
int ret = 0;
|
|
uint32_t save_crc;
|
|
|
|
/* Open the file write only */
|
|
fdo = open(filename, O_WRONLY);
|
|
|
|
if(fdo<0) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Seek to offset and check for errors */
|
|
if(lseek(fdo, offset, SEEK_SET) != offset) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Convert 'CRC' to little endian from system native endian */
|
|
save_crc = htole32(*crc_value);
|
|
|
|
/* Write the 'CRC' and check for errors */
|
|
if(write(fdo, (void *) &save_crc, sizeof(unsigned int)) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdo) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_read_crc: This function reads the 'CRC' of the Olympus firmware image.
|
|
* Note that the 'CRC' is calculated on the decrytped values. It is stored
|
|
* in little endian.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* offset: Offset to read the 'CRC' (header size + data size)
|
|
* crc_value: pointer to crc value to save
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_read_crc(char *filename, off_t offset, uint32_t *crc_value) {
|
|
int fdi;
|
|
int ret = 0;
|
|
|
|
/* Open the file read only */
|
|
fdi = open(filename, O_RDONLY);
|
|
|
|
if(fdi<0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Seek to offset and check for errors */
|
|
if(lseek(fdi, offset, SEEK_SET) != offset) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Read in the 'CRC' */
|
|
if(read(fdi, (void *) crc_value, sizeof(uint32_t)) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Convert the 'CRC' from little endian to system native format */
|
|
*crc_value = le32toh(*crc_value);
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdi) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_calculate_crc: This function calculates the 'CRC' of the Olympus
|
|
* firmware image. Note that the 'CRC' must be calculated on decrytped values.
|
|
* It is stored in little endian.
|
|
*
|
|
* Parameters:
|
|
* filename: text filename
|
|
* offset: Offset to the start of the data (header size)
|
|
* length: Length of data to calculate
|
|
* crc_value: pointer to crc value to save
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_calculate_crc( char *filename, off_t offset, unsigned int length,
|
|
uint32_t *crc_value){
|
|
uint32_t temp;
|
|
int fdi;
|
|
int ret = 0;
|
|
|
|
/* Open the file read only */
|
|
fdi = open(filename, O_RDONLY);
|
|
|
|
if(fdi<0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Seek to offset and check for errors */
|
|
if(lseek(fdi, offset, SEEK_SET) != offset) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Initialize the crc_value to make sure this starts at 0 */
|
|
*crc_value = 0;
|
|
/* Run this loop till the entire sum is created */
|
|
do {
|
|
/* Read an integer at a time */
|
|
if(read(fdi, &temp, sizeof(uint32_t)) < 0) {
|
|
ret = -1;
|
|
break;
|
|
}
|
|
|
|
/* Keep summing the values */
|
|
*crc_value+=temp;
|
|
} while (length-=4);
|
|
|
|
/* Close the file and check for errors */
|
|
if(close (fdi) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_save_data: This function encypts or decrypts the Olympus firmware
|
|
* image based on the dictionary passed to it.
|
|
*
|
|
* Parameters:
|
|
* source_filename: text filename where data is read from
|
|
* dest_filename: text filename where data is written to
|
|
* offset: Offset to the start of the data (header size)
|
|
* length: Length of data to modify
|
|
* dictionary: pointer to dictionary used for scrambling
|
|
*
|
|
* Returns:
|
|
* Returns 0 if there was no error, -1 if there was an error
|
|
*/
|
|
int mr500_save_data(
|
|
char *source_filename, char *dest_filename, off_t offset,
|
|
unsigned int length, int* dictionary) {
|
|
int fdi, fdo;
|
|
int ret = 0;
|
|
int i;
|
|
|
|
/* read_count stores the number of bytes actually read */
|
|
int read_count;
|
|
|
|
/* read_request stores the number of bytes to be requested */
|
|
int read_request;
|
|
|
|
/* These two buffers are used for reading data and scrambling or
|
|
* descrambling
|
|
*/
|
|
int8_t buffer_original[16];
|
|
int8_t buffer_modified[16];
|
|
|
|
/* Open input read only, output write only */
|
|
fdi = open(source_filename, O_RDONLY);
|
|
fdo = open(dest_filename, O_WRONLY);
|
|
|
|
/* If there was an error loading the files set ret appropriately */
|
|
if(fdi<0 || fdo < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
/* Input file: Seek to offset and check for errors */
|
|
if(lseek(fdi, offset, SEEK_SET) != offset) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Output file: Seek to offset and check for errors */
|
|
if(lseek(fdo, offset, SEEK_SET) != offset) {
|
|
ret=-1;
|
|
}
|
|
|
|
/* Run this loop till size is 0 */
|
|
do {
|
|
/* Choose the amount of data to read - normally in 16 byte chunks, but
|
|
* when the end of the file is near may be less.
|
|
*/
|
|
if( length > sizeof(buffer_original)){
|
|
read_request = sizeof(buffer_original);
|
|
} else {
|
|
read_request = length;
|
|
}
|
|
|
|
/* Read in the data */
|
|
read_count = read(fdi, (void *) &buffer_original, read_request);
|
|
|
|
/* If there was an error set the flag and break */
|
|
if(read_count < 0) {
|
|
ret = -1;
|
|
break;
|
|
}
|
|
|
|
for(i=0; i<read_count; i++) {
|
|
/* XOR all of the bits to de/encrypt them */
|
|
buffer_original[i] ^= 0xFF;
|
|
/* Handle byte scrambling */
|
|
buffer_modified[dictionary[i]] = buffer_original[i];
|
|
}
|
|
|
|
/* write the data: If there was an error set the flag and break */
|
|
if(write(fdo, (void *) &buffer_modified, read_count) < 0) {
|
|
ret = -1;
|
|
break;
|
|
}
|
|
} while (length -= read_count);
|
|
|
|
/* Close the files and check for errors */
|
|
if(close (fdi) < 0) {
|
|
ret = -1;
|
|
}
|
|
if(close (fdo) < 0) {
|
|
ret = -1;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* mr500_init: This function initializes the encryption array
|
|
*
|
|
* Parameters:
|
|
* None
|
|
*
|
|
* Returns:
|
|
* Returns 0
|
|
*/
|
|
int mr500_init(void) {
|
|
int i;
|
|
/* Initialize the encryption array */
|
|
for(i=0; i<16; i++) {
|
|
encrypt_array[decrypt_array[i]]=i;
|
|
}
|
|
return 0;
|
|
}
|
|
|