summaryrefslogtreecommitdiffstats
path: root/firmware/linuxboot.c
blob: 419044b5a908f55b5c5ab11d4a04408ebea8d332 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
/***************************************************************************
 *             __________               __   ___.
 *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
 *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
 *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
 *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
 *                     \/            \/     \/    \/            \/
 * $Id$
 *
 * Copyright (C) 2022 Aidan MacDonald
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 ****************************************************************************/

#include "linuxboot.h"
#include "system.h"
#include "core_alloc.h"
#include "crc32.h"
#include "inflate.h"
#include "file.h"
#include <string.h>

/* compression support options - can be decided per target if needed,
 * for now default to enabling everything */
#define HAVE_UIMAGE_COMP_NONE
#define HAVE_UIMAGE_COMP_GZIP

enum {
    E_OUT_OF_MEMORY = -1,
    E_BUFFER_OVERFLOW = -2,
    E_MAGIC_MISMATCH = -3,
    E_HCRC_MISMATCH = -4,
    E_DCRC_MISMATCH = -5,
    E_UNSUPPORTED_COMPRESSION = -6,
    E_READ = -7,
    E_INFLATE = -8,
    E_INFLATE_UNCONSUMED = -9,
};

uint32_t uimage_crc(uint32_t crc, const void* data, size_t size)
{
    return letoh32(crc_32r(data, size, htole32(crc ^ 0xffffffff))) ^ 0xffffffff;
}

uint32_t uimage_calc_hcrc(const struct uimage_header* uh)
{
    struct uimage_header h = *uh;
    uimage_set_hcrc(&h, 0);
    return uimage_crc(0, &h, sizeof(h));
}

static int uimage_check_header(const struct uimage_header* uh)
{
    if(uimage_get_magic(uh) != IH_MAGIC)
        return E_MAGIC_MISMATCH;

    if(uimage_get_hcrc(uh) != uimage_calc_hcrc(uh))
        return E_HCRC_MISMATCH;

    return 0;
}

static int uimage_alloc_state(const struct uimage_header* uh)
{
    size_t size;

    switch(uimage_get_comp(uh)) {
#ifdef HAVE_UIMAGE_COMP_NONE
    case IH_COMP_NONE:
        return 0;
#endif

#ifdef HAVE_UIMAGE_COMP_GZIP
    case IH_COMP_GZIP:
        size = inflate_size + inflate_align - 1;
        return core_alloc_ex("inflate", size, &buflib_ops_locked);
#endif

    default:
        return E_UNSUPPORTED_COMPRESSION;
    }
}

#ifdef HAVE_UIMAGE_COMP_GZIP
struct uimage_inflatectx
{
    uimage_reader reader;
    void* rctx;
    uint32_t dcrc;
    size_t remain;
    int err;
};

static uint32_t uimage_inflate_reader(void* block, uint32_t block_size, void* ctx)
{
    struct uimage_inflatectx* c = ctx;
    ssize_t len = c->reader(block, block_size, c->rctx);
    if(len < 0) {
        c->err = E_READ;
        return 0;
    }

    len = MIN(c->remain, (size_t)len);
    c->remain -= len;
    c->dcrc = uimage_crc(c->dcrc, block, len);
    return len;
}

static int uimage_decompress_gzip(const struct uimage_header* uh, int state_h,
                                  void* out, size_t* out_size,
                                  uimage_reader reader, void* rctx)
{
    size_t hbufsz = inflate_size + inflate_align - 1;
    void* hbuf = core_get_data(state_h);
    ALIGN_BUFFER(hbuf, hbufsz, inflate_align);

    struct uimage_inflatectx r_ctx;
    r_ctx.reader = reader;
    r_ctx.rctx = rctx;
    r_ctx.dcrc = 0;
    r_ctx.remain = uimage_get_size(uh);
    r_ctx.err = 0;

    struct inflate_bufferctx w_ctx;
    w_ctx.buf = out;
    w_ctx.end = out + *out_size;

    int ret = inflate(hbuf, INFLATE_GZIP,
                      uimage_inflate_reader, &r_ctx,
                      inflate_buffer_writer, &w_ctx);
    if(ret) {
        if(r_ctx.err)
            return r_ctx.err;
        else if(w_ctx.end == w_ctx.buf)
            return E_BUFFER_OVERFLOW;
        else
            /* note: this will likely mask DCRC_MISMATCH errors */
            return E_INFLATE;
    }

    if(r_ctx.remain > 0)
        return E_INFLATE_UNCONSUMED;
    if(r_ctx.dcrc != uimage_get_dcrc(uh))
        return E_DCRC_MISMATCH;

    *out_size = w_ctx.end - w_ctx.buf;
    return 0;
}
#endif /* HAVE_UIMAGE_COMP_GZIP */

static int uimage_decompress(const struct uimage_header* uh, int state_h,
                             void* out, size_t* out_size,
                             uimage_reader reader, void* rctx)
{
    size_t in_size = uimage_get_size(uh);
    ssize_t len;

    switch(uimage_get_comp(uh)) {
#ifdef HAVE_UIMAGE_COMP_NONE
    case IH_COMP_NONE:
        if(*out_size < in_size)
            return E_BUFFER_OVERFLOW;

        len = reader(out, in_size, rctx);
        if(len < 0 || (size_t)len != in_size)
            return E_READ;

        if(uimage_crc(0, out, in_size) != uimage_get_dcrc(uh))
            return E_DCRC_MISMATCH;

        *out_size = in_size;
        break;
#endif

#ifdef HAVE_UIMAGE_COMP_GZIP
    case IH_COMP_GZIP:
        return uimage_decompress_gzip(uh, state_h, out, out_size, reader, rctx);
#endif

    default:
        return E_UNSUPPORTED_COMPRESSION;
    }

    return 0;
}

int uimage_load(struct uimage_header* uh, size_t* out_size,
                uimage_reader reader, void* rctx)
{
    if(reader(uh, sizeof(*uh), rctx) != (ssize_t)sizeof(*uh))
        return E_READ;

    int ret = uimage_check_header(uh);
    if(ret)
        return ret;

    int state_h = uimage_alloc_state(uh);
    if(state_h < 0)
        return E_OUT_OF_MEMORY;

    *out_size = 0;
    int out_h = core_alloc_maximum("uimage", out_size, &buflib_ops_locked);
    if(out_h <= 0) {
        ret = E_OUT_OF_MEMORY;
        goto err;
    }

    ret = uimage_decompress(uh, state_h, core_get_data(out_h), out_size,
                            reader, rctx);
    if(ret)
        goto err;

    core_shrink(out_h, core_get_data(out_h), *out_size);
    ret = 0;

  err:
    core_free(state_h);
    if(out_h > 0) {
        if(ret == 0)
            ret = out_h;
        else
            core_free(out_h);
    }

    return ret;
}

ssize_t uimage_fd_reader(void* buf, size_t size, void* ctx)
{
    int fd = (intptr_t)ctx;
    return read(fd, buf, size);
}

/* Linux's self-extracting kernels are broken on MIPS. The decompressor stub
 * doesn't flush caches after extracting the kernel code which can cause the
 * boot to fail horribly. This has been true since at least 2009 and at the
 * time of writing (2022) it's *still* broken.
 *
 * The FiiO M3K and Shanling Q1 both have broken kernels of this type, so we
 * work around this by replacing the direct call to the kernel entry point with
 * a thunk that adds the necessary cache flush.
 */
uint32_t mips_linux_stub_get_entry(void** code_start, size_t code_size)
{
    /* The jump to the kernel entry point looks like this:
     *
     *   move a0, s0
     *   move a1, s1
     *   move a2, s2
     *   move a3, s3
     *   ...
     *   la   k0, KERNEL_ENTRY
     *   jr   k0
     *   --- or in kernels since 2021: ---
     *   la   t9, KERNEL_ENTRY
     *   jalr t9
     *
     * We're trying to identify this code and decode the kernel entry
     * point address, and return a suitable address where we can patch
     * in a call to our thunk.
     */

    /* We should only need to scan within the first 128 bytes
     * but do up to 256 just in case. */
    uint32_t* start = *code_start;
    uint32_t* end = start + (MIN(code_size, 256) + 3) / 4;

    /* Scan for the "move aN, sN" sequence */
    uint32_t* move_instr = start;
    for(move_instr += 4; move_instr < end; ++move_instr) {
        if(move_instr[-4] == 0x02002021 &&  /* move a0, s0 */
           move_instr[-3] == 0x02202821 &&  /* move a1, s1 */
           move_instr[-2] == 0x02403021 &&  /* move a2, s2 */
           move_instr[-1] == 0x02603821)    /* move a3, s3 */
            break;
    }

    if(move_instr == end)
        return 0;

    /* Now search forward for the next jr/jalr instruction */
    int jreg = 0;
    uint32_t* jump_instr = move_instr;
    for(; jump_instr != end; ++jump_instr) {
        if((jump_instr[0] & 0xfc1ff83f) == 0xf809 ||
           (jump_instr[0] & 0xfc00003f) == 0x8) {
            /* jalr rN */
            jreg = (jump_instr[0] >> 21) & 0x1f;
            break;
        }
    }

    /* Need room here for 4 instructions. Assume everything between the
     * moves and the jump is safe to overwrite; otherwise, we'll need to
     * take a different approach.
     *
     * Count +1 instruction for the branch delay slot and another +1 because
     * "move_instr" points to the instruction following the last move. */
    if(jump_instr - move_instr + 2 < 4)
        return 0;
    if(!jreg)
        return 0;

    /* Now scan from the end of the move sequence until the jump instruction
     * and try to reconstruct the entry address. We check for lui/ori/addiu. */
    const uint32_t lui_mask   = 0xffff0000;
    const uint32_t lui        = 0x3c000000 | (jreg << 16);
    const uint32_t ori_mask   = 0xffff0000;
    const uint32_t ori        = 0x34000000 | (jreg << 21) | (jreg << 16);
    const uint32_t addiu_mask = 0xffff0000;
    const uint32_t addiu      = 0x24000000 | (jreg << 21) | (jreg << 16);

    /* Can use any initial value here */
    uint32_t jreg_val = 0xdeadbeef;

    for(uint32_t* instr = move_instr; instr != jump_instr; ++instr) {
        if((instr[0] & lui_mask) == lui)
            jreg_val = (instr[0] & 0xffff) << 16;
        else if((instr[0] & ori_mask) == ori)
            jreg_val |= instr[0] & 0xffff;
        else if((instr[0] & addiu_mask) == addiu)
            jreg_val += instr[0] & 0xffff;
    }

    /* Success! Probably! */
    *code_start = move_instr;
    return jreg_val;
}