Age | Commit message (Collapse) | Author | Files | Lines |
|
The encryption definitely uses some standard elliptic curve encryption over
binary fields (163 and 233 bits, standard polynomials). It is still unclear
how this is used in the actual encryption, the key authentification and
derivation do not look standard.
Change-Id: I6b9180ff7e6115e1dceca8489e986a02a9ea6fc9
|
|
Change-Id: I75a7723498564ee73c3682391582e354ad672fd7
|
|
Change-Id: I8b311ed6b48b92b9ecf4fb25c19119cfb2d5beb1
|
|
Change-Id: I9daca9148b7aaea905a765dfeb95faf6fb7198b1
|
|
Change-Id: Ib01a2ff92294dd0bb59439c23f26bc31eafa4a39
|
|
Change-Id: I6e22ba0a58eb62dcc9f2025ee7233f5afae1bbec
|
|
Change-Id: Id35671f1e039a94e2b319262e4faa51d73f12afd
|
|
Now print list of devices immediately even if the rest of the command line
is empty (ie 'scsitool -s ?' works, whereas before one would need an actual
device to even get a list). Add more information in the help_us command:
print kas, lyr and fpi.
Change-Id: Icfeeaeebe28c774a74ca54661357fafa25c3d114
|
|
Change-Id: I6331a48a4d336348e90a32cf151427b29eeedb2b
|
|
Now this is very weird, is it yet another format/encryption?
Change-Id: I119dec1e6d636a99508fb1394de27237ca3ab814
|
|
I forgot to add the NW-ZX300 to its series
Change-Id: I78fd9440492e1868b887f6a2e137d4d0c2ff199a
|
|
Change-Id: I8e7a14b86408c52cbd4a059e2db6a9c9d0966fc6
|
|
Change-Id: Ic357f82d61cc0004ac6193fa9dbbc90976042574
|
|
The tool now provides more useful information for developers when the device
is not supported. Is also has a new verb "help_us" that also prints all this
information (notably the device info and model ID).
Change-Id: I04baec8fff23eb83a0408add6296b5d42e9aa8e7
|
|
We still miss the model IDS for those device so scsitool won't be able to
recognize them automatically.
Change-Id: I17ae0f0d95c011cea8e289def63c7673b6c4b667
|
|
Change-Id: I16347ebee0f82d5fdf32f5aa8f955c07fe148eba
|
|
Slightly cleanup the code by removing the old and dangerous --force option.
Change-Id: I776633a9924797fcd509b8b80623bcd64b391672
|
|
Change-Id: If616e646aeddf20aa3cee79a821a420d9102c708
|
|
DES ignores the parity bit of each byte (making the 64-bit key really 56-bit),
but the current code skipped the parity bit of each half-byte, thus missing
some keys.
Change-Id: Ia523ebb944e458905b7de1742df151df22166150
|
|
Strangely it has the SAME encryption key as the E450. Either they didn't bother
changing it or more likely they have exactly the same internals and a slightly
different case.
Change-Id: I39ab88845b3e40db34160c2e61dde421f391df44
|
|
All the hard work was done by pamaury. I simply added proper
defines.
Change-Id: Ib374eea7cd20f35518ad8a68d771c57c54ae01ca
|
|
Change-Id: Iad7b8fd171d57228796a68cb3406914213b91926
|
|
SUPPORTED SERIES:
- NWZ-E450
- NWZ-E460
- NWZ-E470
- NWZ-E580
- NWZ-A10
NOTES:
- bootloader makefile convert an extra font to be installed alongside the bootloader
since sysfont is way too small
- the toolsicon bitmap comes from the Oxygen iconset
- touchscreen driver is untested
TODO:
- implement audio routing driver (pcm is handled by pcm-alsa)
- fix playback: it crashes on illegal instruction in DEBUG builds
- find out why the browser starts at / instead of /contents
- implement radio support
- implement return to OF for usb handling
- calibrate battery curve (NB: of can report a battery level on a 0-5 scale but
probabl don't want to use that ?)
- implement simulator build (we need a nice image of the player)
- figure out if we can detect jack removal
POTENTIAL TODOS:
- try to build a usb serial gadget and gdbserver
Change-Id: Ic77d71e0651355d47cc4e423a40fb64a60c69a80
|
|
Change-Id: I157c83fea8173adc53254f15aa49e41ee1ba7549
|
|
Several people asked me recently how to decrypt atj2127 firmware. Someone
posted on github (https://github.com/nfd/atj2127decrypt) a decrypt utility
clearly reverse engineered from some unknown source. The code is an absolute
horror but I concluded that ATJ changed very little between ATJ213x and ATJ2127
so I added support for the ATJ2127, credit to this github code that I stole
and rewrite (code was under MIT licence). At the same time do some small code
cleanups.
Note that there is not 100% sure way that I know to distinguish between the
two firmware types, so the code tries to do an educated guess to detect
ATJ2127. If this does not work, use --atj21217 option. Also note that contrary
to the github tool that decrypts and unpack in one go, this tool only does one
step at once. So first decrypt: HEX -> AFI, then unpack AFI -> files.
I also added for a different version of AFI. Based on AFI files I have, there
are, I think, two versions: the "old" ones (pre-ATJ213x) and "new" ones. The
tool only supported the new one but for some reason the ATJ2127 uses the old
ones without a mostly empty header. Strangely, even this mostly empty header
does not seem to follow the old layout as reverse engineered by the s1mp3
project (https://sourceforge.net/p/s1mp3/code/HEAD/tree/trunk/s1fwx/heads.h),
so in fact there might be three versions. In any case, only the header is
different, the rest of the file is identical so at the moment I just don't
print any header info for "old" files.
Change-Id: I1de61e64f433f6cacd239cd3c1ba469b9bb12442
|
|
Change-Id: I89fed904b282a202bc845b08f4c8d1200a49636d
|
|
The devinfo request returned the raw data, now the tool prints the various
fields. Also add support for the dhp (destination/headphones/color ...): this
one is untested because it's only supported starting from A10 or A20. There is
still a problem with the dpcc prop: although it should work for DEVINFO, it does
not, despite the fact that the get_dev_info command works and is internally (on
the Sony) translated into a dpcc request. I keep the code just in case.
Change-Id: I5aa8ef4afb0b11d3c0ddfa3d38f3e737ee1aff66
|
|
The detailled error message is only printed if -d switch is on command line,
otherwise there is no error message which is wrong so fix that.
Change-Id: I397541c467940e9b290ee8d4ae704368b1ce132b
|
|
Change-Id: Ia37818faee29130ffe3690c83f85a39bd35637e0
|
|
Change-Id: Id6a6e51288f4ff24c0063b6c16b74109211e63c0
|
|
I am unsure about the names of the player, the manual says A36HN and A37HN but
at the same time there is a A35 and A35HN with the same ID, and Sony does not
usually put the "HN" in its device list.
Change-Id: Idbf32970aa334b30f1b8947a78b8eebd524b193b
|
|
* make gen_db.py work on Windows/Python 2
- use hashlib module instead of md5sum, also don't rely on / for file path
matching
- don't use 'file' for a variable name
* fix parse_nvp_header.sh for older kernels
pre-emmc kernel sources use a slightly different #define format; adjust
regexp to catch it.
* add nwz-x1000 series NVP layout (from icx1087_nvp.h)
some new tags have no description, alas the driver doesn't have
them :/
* minor fixes to nvp/README
fixed typos/wording
Change-Id: I77d8c2704be2f2316e32aadcfd362df7102360d4
|
|
* added KAS for nwz-x1000 (extracted from an NWZ-X1060 via "get_dnk_nvp kas")
* hint that -o is needed when extracting
Change-Id: Ic91c448aa058a22c8ddcae54726f628f7cf60f6b
|
|
Change-Id: I0a191db1970e64b5ced518c68861392ba342404f
|
|
Change-Id: I4fde020ca0556a84d051f9b5e46f49ee1241266e
|
|
The code dependend on the sg_lib header being present, remove this dependency
so that we only need public headers.
Change-Id: I69398453635135deb33e2adf67f15ddb80e4ba16
|
|
Change-Id: I04bd7599a58669df96dfd018a2ab0e3d53e06694
|
|
...by QStyleOptionViewItem. Yes Qt got it right, in 5.7 they deprecated
QStyleOptionViewItemV4 and recommend using QStyleOptionViewItem which contains
less fields except on newer Qt where it contains all fields. Hopefully it still
works on Qt>4.x for a large enough value of x.
Change-Id: I013c383d2424b04c1c0745f0d7b1d5e62a29d324
|
|
Change-Id: I7bfb5cc25bc3dc55f379b2319b20dc9510434de0
|
|
The clock structure is identical, and the EMI are the same.
Also fix SSP clock, it was broken on imx233 as well.
Change-Id: I25ec66059b00b1a456ef2f02131d225082536c0a
|
|
Because a node ref is at root doesn't make it valid, check that soc is valid
otherwise we return garbage.
Change-Id: I6e5befc959dc670ab39a87484e87af6d90be7726
|
|
Change-Id: I2d93d24bd421e1a2ea6d27b8f7cfd17311e6d458
|
|
Change-Id: I0edbb838022b71485179edec7361a6c554a1ab11
|
|
Change-Id: I98bef5aa0c518e698c42761d02899adde8bc4aca
|
|
Add lua code to check whether ei/di and ext instructions are supported. This
is unclear since xburst is somewhere between mips32r1 and mips32r2. Details
results are below, but in summary: they don't work (ei has no effect, di/ext
cause illegal instruction exceptions)
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ext_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
data: d7168acf
error: lua/xburst.lua:209: call failed
trapped exception in call
> ./hwstub_shell -q -b -e 'require("jz/misc"); JZ.misc.enable_sram()' \
-f lua/xburst.lua -e "XBURST.test_ei_di_inst(0xb32d0000)"
[...]
Selecting soc jz4760b. Redirecting HW to hwstub.soc.jz4760b
Testing ei
Test SR
Enable interrupts with CP0
SR: 0x1
Disable interrupts with CP0
SR: 0x0
Test ei/di
Enable interrupts with ei
SR: 0x0
Disable interrupts with di
error: lua/xburst.lua:244: call failed
trapped exception in call
Change-Id: I2e162b5dd5e70488bcd8b58f3ca401a3ecab3c4b
|
|
Since we can catch exceptions like data aborts on read/write, it takes very
little to also catch exceptions in calls. When extending this with the catching
of illegal instructions, the call instruction now becomes much more robust and
also for address and instruction probing. Since we can catch several types of
exception, rename set_data_abort_jmp to set_exception_jmp. At the same time,
simplify the logic in read/write request handlers. Also fix a bug in ARM
jump code: it was using
stmia r1, {..., pc}
as if pc would get current pc + 8 but this is actually implementation defined
on older ARMs (typically pc + 12) and deprecated on newer ARMs, so rewrite the
code avoid that. The set_exception_jmp() function now also reports the exception
type.
Change-Id: Icd0dd52d2456b361b27c4776be09c3d13528ed93
|
|
Now that we now that jz4760b implements EBASE, we can use it to rebase
exceptions to use a k1seg address, that maps to the physical address of the
TCSM0. It requires to enable HAB1 to have this translation. This most the most
inefficient way to access tighly coupled memory ever, but it works.
Change-Id: I894ca929c9835696102eb2fef44b06e6eaf96d44
|
|
Although this case be done with hwstub_shell, this is common enough to deserve
its own tool.
Change-Id: I9253e40850f37257464548a3acefb14ea083841d
|
|
Change-Id: I3daa5e0c3fa2e7eab6a3d75b4c8aa66254d72f3c
|
|
Change-Id: I543e405bf75868d0f7509a35e08fe31ed253e0e6
|