diff options
Diffstat (limited to 'utils/AMS')
-rw-r--r-- | utils/AMS/hacking/Makefile | 34 | ||||
-rw-r--r-- | utils/AMS/hacking/README | 16 | ||||
-rw-r--r-- | utils/AMS/hacking/amsinfo.c | 175 | ||||
-rw-r--r-- | utils/AMS/hacking/mkamsboot.c | 289 | ||||
-rw-r--r-- | utils/AMS/hacking/test.S | 11 |
5 files changed, 525 insertions, 0 deletions
diff --git a/utils/AMS/hacking/Makefile b/utils/AMS/hacking/Makefile new file mode 100644 index 0000000000..7a10c20ae4 --- /dev/null +++ b/utils/AMS/hacking/Makefile @@ -0,0 +1,34 @@ + +# Change INFILE to point to your original firmware file +INFILE=$(HOME)/FW/AMS/CLIP/m300a-1.1.17A.bin + +# OUTFILE is the file you copy to your device's root and rename to +# (e.g.) m300a.bin +OUTFILE=patched.bin + + +all: amsinfo $(OUTFILE) + +amsinfo: amsinfo.c + gcc -o amsinfo -W -Wall amsinfo.c + +mkamsboot: mkamsboot.c + gcc -o mkamsboot -W -Wall mkamsboot.c + +# Rules for our test ARM application - assemble, link, then extract +# the binary code + +test.o: test.S + arm-elf-as -o test.o test.S + +test.elf: test.o + arm-elf-ld -e 0 -o test.elf test.o + +test.bin: test.elf + arm-elf-objcopy -O binary test.elf test.bin + +$(OUTFILE): mkamsboot test.bin $(INFILE) + ./mkamsboot $(INFILE) test.bin $(OUTFILE) + +clean: + rm -fr amsinfo mkamsboot test.bin test.o test.elf $(OUTFILE) *~ diff --git a/utils/AMS/hacking/README b/utils/AMS/hacking/README new file mode 100644 index 0000000000..ce16f954cd --- /dev/null +++ b/utils/AMS/hacking/README @@ -0,0 +1,16 @@ +This directory contains the following tools related to the Sansa V2 +(AMS) firmware files: + +1) amsinfo + +A tool that dumps information from an AMS firmware file. + +2) mkamsboot + +A tool to inject some code (contained in test.S) into a firmware file. + +Edit the INFILE variable in the Makefile to point to the original +firmware file you want to patch, edit "test.S" appropriately, and then +type "make". + + diff --git a/utils/AMS/hacking/amsinfo.c b/utils/AMS/hacking/amsinfo.c new file mode 100644 index 0000000000..0ebfb94caf --- /dev/null +++ b/utils/AMS/hacking/amsinfo.c @@ -0,0 +1,175 @@ +/* + +amsinfo - a tool for examining AMS firmware files + +Copyright (C) Dave Chapman 2007 + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA + +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> + + +/* Win32 compatibility */ +#ifndef O_BINARY +#define O_BINARY 0 +#endif + + +#define PAD_TO_BOUNDARY(x) ((x) + 0x1ff) & ~0x1ff; + + +static off_t filesize(int fd) { + struct stat buf; + + if (fstat(fd,&buf) < 0) { + perror("[ERR] Checking filesize of input file"); + return -1; + } else { + return(buf.st_size); + } +} + +static uint32_t get_uint32le(unsigned char* p) +{ + return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); +} + +static uint16_t get_uint16le(unsigned char* p) +{ + return p[0] | (p[1] << 8); +} + +static int calc_checksum(unsigned char* buf, int n) +{ + int sum = 0; + int i; + + for (i=0;i<n;i+=4) + sum += get_uint32le(buf + 0x400 + i); + + return sum; +} + + +static void dump_header(unsigned char* buf, int i) +{ + printf("0x%08x:\n",i); + printf(" HEADER: 0x%08x\n",i);; + printf(" FirmwareHeaderIndex: 0x%08x\n",get_uint32le(&buf[i])); + printf(" FirmwareChecksum: 0x%08x\n",get_uint32le(&buf[i+0x04])); + printf(" CodeBlockSizeMultiplier: 0x%08x\n",get_uint32le(&buf[i+0x08])); + printf(" FirmwareSize: 0x%08x\n",get_uint32le(&buf[i+0x0c])); + printf(" Unknown1: 0x%08x\n",get_uint32le(&buf[i+0x10])); + printf(" ModelID: 0x%04x\n",get_uint16le(&buf[i+0x14])); + printf(" Unknown2: 0x%04x\n",get_uint16le(&buf[i+0x16])); +} + +static int dump_lib(unsigned char* buf, int i) +{ + int export_count; + int size; + int unknown1; + int baseaddr, endaddr; + + baseaddr = get_uint32le(&buf[i+0x04]); + endaddr = get_uint32le(&buf[i+0x08]); + size = get_uint32le(&buf[i+0x0c]); + unknown1 = get_uint32le(&buf[i+0x10]); + export_count = get_uint32le(&buf[i+0x14]); + + printf("0x%08x: \"%s\" 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x\n",i, buf + i + get_uint32le(&buf[i]),baseaddr,endaddr,size,unknown1,export_count); + +#if 0 + if (export_count > 1) { + for (j=0;j<export_count;j++) { + printf(" Exports[%02d]: 0x%08x\n",j,get_uint32le(&buf[i+0x18+4*j])); + } + } +#endif + return PAD_TO_BOUNDARY(size); +} + +int main(int argc, char* argv[]) +{ + int fd; + off_t len; + int n; + unsigned char* buf; + int firmware_size; + int i; + + if (argc != 2) { + fprintf(stderr,"USAGE: amsinfo firmware.bin\n"); + return 1; + } + + fd = open(argv[1],O_RDONLY|O_BINARY); + + if ((len = filesize(fd)) < 0) + return 1; + + if ((buf = malloc(len)) == NULL) { + fprintf(stderr,"[ERR] Could not allocate buffer for input file (%d bytes)\n",(int)len); + return 1; + } + + n = read(fd, buf, len); + + if (n != len) { + fprintf(stderr,"[ERR] Could not read file\n"); + return 1; + } + + close(fd); + + /* Now we dump the firmware structure */ + + dump_header(buf,0); /* First copy of header block */ +// dump_header(buf,0x200); /* Second copy of header block */ + + firmware_size = get_uint32le(&buf[0x0c]); + + printf("Calculated firmware checksum: 0x%08x\n",calc_checksum(buf,firmware_size)); + + /* Round size up to next multiple of 0x200 */ + + firmware_size = PAD_TO_BOUNDARY(firmware_size); + + i = firmware_size + 0x400; + + printf("LIBRARY BLOCKS:\n"); + printf("Offset Name BaseAddr EndAddr BlockSize Unknown1 EntryCount\n"); + + while (get_uint32le(&buf[i]) != 0xffffffff) + { + i += dump_lib(buf,i); + + while (get_uint32le(&buf[i]) == 0xefbeadde) + i+=4; + } + + printf("0x%08x: PADDING BLOCK\n",i); + + return 0; + +} diff --git a/utils/AMS/hacking/mkamsboot.c b/utils/AMS/hacking/mkamsboot.c new file mode 100644 index 0000000000..a6e4e01532 --- /dev/null +++ b/utils/AMS/hacking/mkamsboot.c @@ -0,0 +1,289 @@ +/* + +mkamsboot.c - a tool for merging bootloader code into an Sansa V2 + (AMS) firmware file + +Copyright (C) Dave Chapman 2008 + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110, USA + +*/ + + +/* + +Insert a Rockbox bootloader into an AMS original firmware file. + +The first instruction in an AMS firmware file is always of the form: + + ldr pc, [pc, #xxx] + +where [pc, #xxx] contains the entry point of the firmware - e.g. 0x00000138 + +mkamsboot appends the Rockbox bootloader to the end of the original +firmware block in the firmware file and shifts the remaining contents of the firmware file to make space for it. + +It also replaces the contents of [pc, #xxx] with the entry point of +our bootloader - i.e. the length of the original firmware block plus 4 +bytes. + +It then stores the original entry point from [pc, #xxx] in the first +four bytes of the Rockbox bootloader image, which is used by the +bootloader to dual-boot. + +Finally, mkamsboot corrects the length and checksum in the main +firmware headers (both copies), creating a new legal firmware file +which can be installed on the device. + +*/ + + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <unistd.h> +#include <string.h> + + +/* Win32 compatibility */ +#ifndef O_BINARY +#define O_BINARY 0 +#endif + + +#define PAD_TO_BOUNDARY(x) (((x) + 0x1ff) & ~0x1ff) + + +static off_t filesize(int fd) { + struct stat buf; + + if (fstat(fd,&buf) < 0) { + perror("[ERR] Checking filesize of input file"); + return -1; + } else { + return(buf.st_size); + } +} + +static uint32_t get_uint32le(unsigned char* p) +{ + return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24); +} + +static void put_uint32le(unsigned char* p, uint32_t x) +{ + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; +} + +static int calc_checksum(unsigned char* buf, uint32_t n) +{ + uint32_t sum = 0; + uint32_t i; + + for (i=0;i<n;i+=4) + sum += get_uint32le(buf + i); + + return sum; +} + +void usage(void) +{ + printf("Usage: mkamsboot <firmware file> <boot file> <output file>\n"); + + exit(1); +} + +int main(int argc, char* argv[]) +{ + char *infile, *bootfile, *outfile; + int fdin, fdboot,fdout; + off_t len; + uint32_t n; + unsigned char* buf; + uint32_t ldr; + uint32_t origoffset; + uint32_t firmware_size; + uint32_t firmware_paddedsize; + uint32_t bootloader_size; + uint32_t new_paddedsize; + uint32_t sum,filesum; + uint32_t new_length; + uint32_t i; + + if(argc != 4) { + usage(); + } + + infile = argv[1]; + bootfile = argv[2]; + outfile = argv[3]; + + /* Open the bootloader file */ + fdboot = open(bootfile, O_RDONLY|O_BINARY); + if (fdboot < 0) + { + fprintf(stderr,"[ERR] Could not open %s for reading\n",bootfile); + return 1; + } + + bootloader_size = filesize(fdboot); + + + /* Open the firmware file */ + fdin = open(infile,O_RDONLY|O_BINARY); + + if (fdin < 0) { + fprintf(stderr,"[ERR] Could not open %s for reading\n",infile); + return 1; + } + + if ((len = filesize(fdin)) < 0) + return 1; + + /* We will need no more memory than the total size plus the bootloader size + padded to a boundary */ + if ((buf = malloc(len + PAD_TO_BOUNDARY(bootloader_size))) == NULL) { + fprintf(stderr,"[ERR] Could not allocate buffer for input file (%d bytes)\n",(int)len); + return 1; + } + + n = read(fdin, buf, len); + + if (n != (uint32_t)len) { + fprintf(stderr,"[ERR] Could not read firmware file\n"); + return 1; + } + + close(fdin); + + /* Get the firmware size */ + firmware_size = get_uint32le(&buf[0x0c]); + + /* Round size up to next multiple of 0x200 */ + + firmware_paddedsize = PAD_TO_BOUNDARY(firmware_size); + + /* Total new size */ + new_paddedsize = PAD_TO_BOUNDARY(firmware_size + bootloader_size); + + /* Total new size of firmware file */ + new_length = len + (new_paddedsize - firmware_paddedsize); + + fprintf(stderr,"Original firmware size - 0x%08x\n",firmware_size); + fprintf(stderr,"Padded firmware size - 0x%08x\n",firmware_paddedsize); + fprintf(stderr,"Bootloader size - 0x%08x\n",bootloader_size); + fprintf(stderr,"New padded size - 0x%08x\n",new_paddedsize); + fprintf(stderr,"Original total size of firmware - 0x%08x\n",(int)len); + fprintf(stderr,"New total size of firmware - 0x%08x\n",new_length); + + if (firmware_paddedsize != new_paddedsize) { + /* Move everything after the firmare block "bootloader_size" + bytes forward to make room for the bootloader */ + + fprintf(stderr,"Calling memmove(buf + 0x%08x,buf + 0x%08x,0x%08x)\n", + 0x400 + new_paddedsize, + 0x400 + firmware_paddedsize, + (int)len - firmware_paddedsize); + + memmove(buf + 0x400 + new_paddedsize, + buf + 0x400 + firmware_paddedsize, + len - firmware_paddedsize); + } + + ldr = get_uint32le(&buf[0x400]); + + if ((ldr & 0xfffff000) != 0xe59ff000) { + fprintf(stderr,"[ERR] Firmware file doesn't start with an \"ldr pc, [pc, #xx]\" instruction.\n"); + return 1; + } + origoffset = (ldr&0xfff) + 8; + + printf("original firmware entry point: 0x%08x\n",get_uint32le(buf + 0x400 + origoffset)); + printf("New entry point: 0x%08x\n", firmware_size + 4); + +#if 0 + /* Replace the "Product: Express" string with "Rockbox" */ + i = 0x400 + firmware_size - 7; + while ((i > 0x400) && (memcmp(&buf[i],"Express",7)!=0)) + i--; + + i = (i + 3) & ~0x3; + + if (i >= 0x400) { + printf("Replacing \"Express\" string at offset 0x%08x\n",i); + memcpy(&buf[i],"Rockbox",7); + } else { + printf("Could not find \"Express\" string to replace\n"); + } +#endif + + n = read(fdboot, buf + 0x400 + firmware_size, bootloader_size); + + if (n != bootloader_size) { + fprintf(stderr,"[ERR] Could not bootloader file\n"); + return 1; + } + close(fdboot); + + /* Replace first word of the bootloader with the original entry point */ + put_uint32le(buf + 0x400 + firmware_size, get_uint32le(buf + 0x400 + origoffset)); + +#if 1 + put_uint32le(buf + 0x400 + origoffset, firmware_size + 4); +#endif + + /* Update checksum */ + sum = calc_checksum(buf + 0x400,firmware_size + bootloader_size); + + put_uint32le(&buf[0x04], sum); + put_uint32le(&buf[0x204], sum); + + /* Update firmware block count */ + put_uint32le(&buf[0x08], new_paddedsize / 0x200); + put_uint32le(&buf[0x208], new_paddedsize / 0x200); + + /* Update firmware size */ + put_uint32le(&buf[0x0c], firmware_size + bootloader_size); + put_uint32le(&buf[0x20c], firmware_size + bootloader_size); + + /* Update the whole-file checksum */ + filesum = 0; + for (i=0;i < new_length - 4; i+=4) + filesum += get_uint32le(&buf[i]); + + put_uint32le(buf + new_length - 4, filesum); + + + /* Write the new firmware */ + fdout = open(outfile, O_CREAT|O_TRUNC|O_WRONLY|O_BINARY,0666); + + if (fdout < 0) { + fprintf(stderr,"[ERR] Could not open %s for writing\n",outfile); + return 1; + } + + write(fdout, buf, new_length); + + close(fdout); + + return 0; + +} diff --git a/utils/AMS/hacking/test.S b/utils/AMS/hacking/test.S new file mode 100644 index 0000000000..52f54bdaf6 --- /dev/null +++ b/utils/AMS/hacking/test.S @@ -0,0 +1,11 @@ + +/* This value is filled in by mkamsboot */ +originalentry: .word 0 + + /* A delay loop - just to prove we're running */ + mov r1, #0x500000 /* Approximately 5 seconds */ +loop: subs r1, r1, #1 + bne loop + + /* Now branch back to the original firmware's entry point */ + ldr pc, originalentry |