| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
| |
Change-Id: I1b8272a486ba2377e5047855acda3f80aa92c232
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new code gets closer to an actual bootloader:
- it provides a menu with three options: Sony, Rockox, tools with icons (and
extracts the Sony logo from the NVP)
- the dualboot install script now creates a symlink from /.rockbox to
/contents/.rockox which is necessary to run rockbox
- more text drawing / framebuffer functions
In the long run, we will move this under bootloader/ and rbutil/ and also use
firmware/ drawing facilities, at the moment we use OF display program which
is slow and creates some flickering.
The logo extraction/placement code was tested with resolution 240x320 and I
guessed some reasonable values for 240x400, but those will probably need some
tweaking.
Change-Id: I0319be902d21a7d33c1dee0fffdb4797065dbf8a
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we have a nice database of player index, the scsitool becomes more
useful and supports a lot more players. I did some general cleanup of the code,
though eventually it would be nice to really split it into a library and a CLI.
The SCSI vendor command allow to read but also write most NVP nodes. Since there
seems to a demand to change destination and sound pressure settings on device,
I implement this feature in the tool. I do not plan to allow arbitrary NVP
writes because this could easily brick the device. Changing the destination
should be safe, but as usual, use at your own risks.
Change-Id: Iff4e8cc3ac97b965c1df849051c5fd373756cda5
|
| |
|
|
|
|
|
| |
Using the database, we can now safely read/write the NVP. I also add more
support for Sony's "display" tool.
Change-Id: I8439fe9bad391c7f29859d99f236781be7983625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There must be an evil genius in Sony's Walkman division. Someone who made sure
that each model is close enough to the previous one so that little code is needed
but different enough so that an educated guess is not enough.
Each linux-based Sony player has a model ID (mid) which is a 32-bit integer.
I was able to extract a list of all model IDs and the correspoding name of
the player (see README). This gives us 1) a nice list of all players (because
NWZ-A729 vs NWZ-A729B, really Sony?) 2) an easy way to find the name of player
programatically. It seems that the lower 8-bit of the model ID gives the storage
size but don't bet your life on it. The remaining bytes seem to follow some kind
of pattern but there are exceptions.
From this list, I was able to build a list of all Sony's series (up to quite
recent one). The only safe way to build that is by hand, with a list of series,
each series having a list of model IDs. The notion of series is very important
because all models in a series share the same firmware.
A very important concept on Sony's players is the NVP, an area of the flash
that stores data associated with keys. The README contains more information but
basically this is where is record the model ID, the destination, the boot flags,
the firmware upgrade flags, the boot image, the DRM keys, and a lot of other stuff.
Of course Sony decided to slightly tweak the index of the keys regularly over time
which means that each series has a potentially different map, and we need this map
to talk to the NVP driver. Fortunately, Sony distributes the kernel for all its
players and they contain a kernel header with this information. I wrote a script
to unpack kernel sources and parse this header, producing a bunch of nw-*.txt
files, included in this commit. This map is very specific though: it maps Sony's
3-letter names (bti) to indexes (1). This is not very useful without the
decription (bti = boot image) and its size (262144). This information is harder
to come by, and is only stored in one place: if icx_nvp_emmc.ko drivers, found
on the device. Fortunately, Sony distributes a number of firmware upgrade, that
contain the rootfs, than once extracted contain this driver. The driver is a
standard ELF files with symbols. I wrote a parsing tool (nvptool) that is able
to extract this information from the drivers. Using that, I produced a bunch
of nodes-nw*.txt files. A reasonable assumption is that nodes meaning and
size do not change over time (bti is always the boot image and is always
262144 bytes), so by merging a few of those file, we can get a complete picture
(note that some nodes that existed in older player do not exists anymore so
we really need to merge several ones from different generations).
The advantage of storing all this information in plain text files, is that it
now makes it easy to parse it and produce whatever format we want to use it.
I wrote a python script that parses all this mess and produces a C file and
header with all this information (nwz_db.{c,h}).
Change-Id: Id790581ddd527d64418fe9e4e4df8e0546117b80
|
| |
|
|
|
|
|
| |
There is no need to store the key and sig since those are derived from the KAS
anyway.
Change-Id: I228913b1cb32e496db265e9a7aaf3bb4200a9f6b
|
| |
|
|
|
|
|
|
|
|
|
| |
0e2b490 introduced rework of usb driver which was broken. It was reverted
in f2da975 to restore hwstub functionality on ATJ.
This commit reenables usb rework AND fixes remining issues.
The problem was with 0 length OUT thransfers. Additionally
a few cleanups were made.
Change-Id: I529ea9ad6540509e9287ca7e1cd2b44369b03cbb
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 0e2b4908d012dbd45a58002774f32b64ea8f83e3.
Although I swear it was tested it apparently broke hwstub on atj.
I will need to investigate more whats going on. Revert for now.
Change-Id: I2ff3adf8c72bb0e53be7d81b975382adfb700eab
|
| |
|
|
| |
Change-Id: I4ac259e6cd7b707ca725c6ba1c526f5aeed56b71
|
| |
|
|
| |
Change-Id: I32e23035a608ee04a69690975ab4bf629a902388
|
| |
|
|
|
|
|
|
|
|
| |
Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
|
| |
|
|
|
|
|
|
| |
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
|
| |
|
|
|
|
|
| |
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
|
| |
|
|
|
|
|
|
| |
Since the nwz_lib does not have any nvp code yet, it's quite of ugly hack
with hardcoded nvp node (11) for shipment information (shp). Thus I whitelisted
two series (NWZ-E460 and NWZ-A860) which I know for sure use this node ID.
Change-Id: I94c9b0db1f9d7ad764d2aa50576a911e710f25e1
|
| |
|
|
|
|
|
|
| |
This list can map from model id to device name. It was automatically extracted
from Sony's tools. In the future, we will probably generate it from a clean
database containing more useful information.
Change-Id: Ibe580edf25b60bf0bf4aef4a06f40dddd19c5404
|
| |
|
|
|
|
|
| |
This is useful because there is no easy way to get it except from Sony's tool,
unless one knows the npv node, but that requires to know the model already...
Change-Id: I202f7cdb2f7cf924cc5bdb53c17e34600d4bf153
|
| |
|
|
|
|
|
|
|
|
|
| |
The new search has two new features:
- it takes advantage of the fact that DES keys are only 56-bit long (and not 64)
- it is now multithreaded
As a proof of concept, I ran it on the A10 series firmware upgrade and was able
to find the key in a few seconds using 4 threads. The search is still limited
to ascii hex passwords (seems to work on all devices I have tried thus far).
Change-Id: Ied080286d2bbdc493a6ceaecaaadba802b429666
|
| |
|
|
|
|
| |
The power off/option does not exist on some models.
Change-Id: Ifb45293b3b3faa96d9fece2340cbd98299a4a0b7
|
| |
|
|
| |
Change-Id: I55ca29627801b5e760d1dbe407d96cd055f659ab
|
| |
|
|
| |
Change-Id: I0acd3db2f644f4521da715d4931315bdb7548eae
|
| |
|
|
| |
Change-Id: Ic3ef964e8b5cc7b8ca3f02f141e9e4436a4d41db
|
| |
|
|
| |
Change-Id: I4bef0824eeed54238578d8b24a9845e8602d61af
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is code is intended to development into a library of code for the NWZ that
will be useful to write the "bootloader" on those device. At the same time, it
comes with test programs that are easy to run in firmware upgrade mode and also
provide a great test bench for the library. At the moment, two test programs are
available:
- test_display: simply prints two messages using /usr/bin/lcdmsg
- test_keys: displays input key event
Change-Id: I9d214894ffc9127b528fcdd3eb5d6b61f4e657a7
|
| |
|
|
|
|
| |
The new script allows the upgrade to execute a file found on the user partition.
Change-Id: I564941d01bcdbae050002e77cb119f3d95ecdc21
|
| |
|
|
| |
Change-Id: Ia69e5ff941549ca98b23b40927137bb29876b8f9
|
| |
|
|
|
|
|
|
| |
The exec_file allows to embed a script/executable and run it on target. It takes
of unpacking, remounting contents rw and redirect output to exec.txt at the root
of the drive. More generally, rework how the makefile works.
Change-Id: Iec719227be96e80701ad8f5398d2d34389f4da9e
|
| |
|
|
| |
Change-Id: I8adea40d2fa7c1a26f1975d987233249f61af8ef
|
| |
|
|
| |
Change-Id: Ib8d34e4f58f3225b1dafc533ce7e1b7867ad053b
|
| |
|
|
| |
Change-Id: I90ed3a0c911014eee013cbea0e98a85f4310471d
|
| |
|
|
|
|
|
|
| |
There was a lot of copy and paste, and the code was just crap. This commit tries
to clarify the code and also document the encryption procedure. Hopefully I didn't
break anything.
Change-Id: I257793010e7cf94f2b090b30bb8608359d3886e3
|
| |
|
|
|
|
| |
Also fix a typo in the script makefile
Change-Id: Ie747d8b99ca0f6a98bbcaf1c82e66c7788f00e6e
|
| |
|
|
|
|
| |
KAS was in its own structure for historical reasons, but it's stupid now.
Change-Id: Ie8d69ac6d489337cd857ace1abe5b1e4b1177172
|
| |
|
|
| |
Change-Id: I315d1010ce5477c0112f4a890156b360e8123e11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This new header generator works differently from the previous one:
- it uses the new format
- the generated macro follow a different style (see below)
- the generated macro are highly documented!
- it supports SCT-style platform or RMW-style ones
Compared to the old style, the new one generate a big set of macros per
register/field/enum (loosely related to iohw.h from Embedded C spec). The user
then calls generic (names are customizable) macros to perform operations:
reg_read(REG_A)
reg_read(REG_B(3))
reg_read_field(REG_A, FIELD_X)
reg_read_field(REG_B(3), COOL_FIELD)
reg_write(REG_A, 0x42)
reg_write_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_write_fielc(REG_B(3), COOL_FIELD_V(I_AM_COOL), BLA(42))
the following use RMW or SET/CLR variants, depending on target:
reg_set_field(REG_A, FLAG_U, FLAG_V)
reg_clr_field(REG_A, FIELD_X, FIELD_Y, IRQ)
reg_clr_field(REG_B(3), COOL_FIELD, BLA)
the following does clear followed by set, on SET/CLR targets:
reg_cs(REG_A, 0xff, 0x42)
reg_cs(REG_B(3), 0xaa, 0x55)
reg_cs_field(REG_A, FIELD_X(1), FIELD_Y(3), IRQ_V(FIQ))
reg_cs_field(REG_B(3), COOL_FIELD_V(I_AM_COOL))
The generator code is pretty long but has lots of documentation and lots of
macro names can be customized.
Change-Id: I5d6c5ec2406e58b5da11a5240c3a409a5bb5239a
|
| |
|
|
|
|
|
|
|
| |
Although the jz4740 contains a similar tool to usbboot, its command-line
interface is not very useful, also it does not compile by default because it
relies on some external code, and it contains code specific to some JZ4740
devices.
Change-Id: I22688238d147e21fb0fd524466b333b6003d4ff1
|
| |
|
|
| |
Change-Id: I94d0f67cfd0d636407cd9cf3afbe0db4064de28e
|
| |
|
|
|
|
|
|
|
| |
This commit adds support for the version of the hwstub library, which requires
a lot of changes. It also adds some editing features, such as register access
and much better editing of fields using the mouse (double click on a field
to be able to resize and move it).
Change-Id: I3c4e4cc855cb44911c72bc8127bad841b68efe52
|
| |
|
|
|
|
|
|
|
|
|
| |
Registers (and variants) can now specify the type of access supported:
- unspecified: for variant means same as register, for register defaults R/W
- read/write
- read only
- write only
Backward compatibility is preserved by setting access to unspecified by default.
Change-Id: I3e84ae18f962a45db62f996a542d08405d05b895
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also use this opportunity to cleanup support for multiple devices: the shell
now supports dynamic changes in the device and will call init() everytime
a new device is selected, to prepare a new environment. The shell now
honors register width on register read/write. The shell also provides access
to variants as follows by creating a subtable under the register using the
variant type in UPPER case and having the same layout as a register.
For example if register HW.GPIO.DIR has variants "set" and "clr", those can
be used like this:
HW.GPIO.DIR.SET.write(0xff)
HW.GPIO.DIR.CLR.write(0xff00)
Change-Id: I943947fa98bce875de0cba4338e8b7196a4c1165
|
| |
|
|
| |
Change-Id: I7e8ae50907401a9480a0da809a4470f1728d3a57
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Rewrite the hwstub library in C++, with a clean and modular design.
The library was designed from the ground up to be aware of multithreading
issues and to handle memory allocation nicely with shared pointers.
Compared to the original library, it brings the following major features:
- support for JZ boot devices, it is very easy to add support for others
- support for network transparent operations (through sockets): both tcp
and unix domains are support
Change-Id: I75899cb9c7aa938c17ede2bb3f468e7a55d625b4
|
| |
|
|
|
|
|
| |
After being caught by several bugs of the type "let's forgot to initialize
a field to default value", I'm finally fixing this.
Change-Id: I01c33e0611d4f697f767db66465e4fb30858cdab
|
| |
|
|
| |
Change-Id: I60a764567d2fc73ed87fca2a8b0eaf643d4984bc
|
| |
|
|
| |
Change-Id: Icb4233fb9b2b0d5b6f8c4a35dff300f38c8d3025
|
| |
|
|
| |
Change-Id: I7b175103e567ae4375ff94e74ed1a06215f640c3
|
| |
|
|
|
|
|
| |
The parser would simply ignore unknown elements or attributes, which is bad
on many levels. Now any unknown tag will trigger a fatal error.
Change-Id: I32eead8e96c1567241cf2a565d9e20e62877c14d
|
| |
|
|
|
|
|
| |
Conversion done using swiss_knife as follows:
./swiss_knife convert --author "Amaury Pouly" --version "2.4.0" desc/regs-stmp3XXX-v1.xml desc/regs-stmp3XXX.xml
Change-Id: Iad26e04f8f599cf25339a33aa65f231379434e98
|
| |
|
|
| |
Change-Id: Ib66a404acf1f640e19b30b35d6a976094ae4264a
|
| |
|
|
|
|
|
|
|
|
|
| |
This big commit port qeditor from v1 to v2 register file format. Although
the display code was much simplified, the edit code had to be rewritten.
The new code also brings many improvement to the register display widget.
The new code also compiles with both Qt4 and Qt5, although it is recommended
to use Qt5 to get some improvements, especially in the layout of editor.
Change-Id: I24633ac37a144f25d9e705b565654269ec9cfbd3
|
