| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
|
| |
The overriding of the IV and real key should be the exception, there is no
need to manually set them to false.
Change-Id: Id66754f20a79aa5c1a991839345d1242e0aa587d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The old code had some annoying way of dealing with padding by adding explicit
instructions to the stream, which is 1) ugly 2) not in par with freescale
tools. The trick, which this new version implements, is to put the useful length
of the section in the section header, and the actual (with padding) length in
the boot tag. This way the tools can just ignore padding instruction by
reading the section header, and the bootloader can still load the image because
it uses the boot tags.
Also correctly handle the case where the first section does not start right
after the header (there is a bug in freescale tools for this case by the way).
There is an ambiguity in the way the padding instructions should be encrypted:
the bootloader should logically treat them as regular instruction of the section
stream, but it appears the freescale tools do not generate them as part of the
stream and instead encrypt them like boot tags, which is stupid because there
is no way the bootloader could decrypt them, and anyway we don't care because
the bootloader doesn't decrypt them at all.
Change-Id: Iabdc1d1f9f82d374779bf03efb75c2c3998f5b5d
|
| |
|
|
| |
Change-Id: I4e4679d6e92c1c0fc8a03db5201aee39d82b24b2
|
| |
|
|
|
|
| |
Users can't read the wiki instructions, hopefully they can read this...
Change-Id: I3840879fdc663fb6e7f9234f352eea04a556256a
|
| |
|
|
|
|
| |
Also now gen_db.py can check for such mismatch
Change-Id: I4d91aae0dde08c866eda2ed5da3c11431c46e06a
|
| |
|
|
| |
Change-Id: I2cc887ce2824a2d0b9aeb2a89df662c621c28750
|
| |
|
|
| |
Change-Id: I4341f2af71675cb795987ecc5ce12104445a9d97
|
| |
|
|
| |
Change-Id: I88fb2aefafbc7820a49847fbf0888de9cf81bd3f
|
| |
|
|
| |
Change-Id: I69b8b81d357553c979682d42097eba864c951512
|
| |
|
|
|
|
|
|
| |
The cool now takes the database as a hint and will not complain if the device
returns less data. The tool also supports user provided size and raw node numbers
that are not in the database (advanced usage).
Change-Id: I8cec536718d7eff01c7803bea648d6122b82377a
|
| |
|
|
|
|
| |
Like the NW-A30, we don't know how to use it, but record it anyway.
Change-Id: Iebd26637253613625a4885afe88695ad3ffb0605
|
| |
|
|
|
|
|
|
| |
We don't know the encryption method, the KAS is completely different but it
might be useful to record it anyway for future purposes. MID extracted from
device, Japanese NW-A35.
Change-Id: I4c4bb5b063da99003b5c316061d8c490b77428a4
|
| |
|
|
|
|
| |
Extracted from a target.
Change-Id: Ieb4aff15f332a681142a7079c1adf3b1da31de24
|
| |
|
|
| |
Change-Id: I88ae7391732c6f41c3c4adccce2ddf0a92142067
|
| |
|
|
|
|
|
| |
It is Android based and despite the fact that Sony wrote an NVP driver for it,
experiments suggest it is unused because it returns ff all the time...
Change-Id: I37750b659e341b21bed5ebaccf60f9f5fe569f64
|
| |
|
|
|
|
|
| |
Also fix code that was supposed to sort things deterministically and was a
massive failure.
Change-Id: Iedf25f05a94ef51421710a283eb60f33ee977de1
|
| |
|
|
| |
Change-Id: I1b5688ba7ad99c7a22ba4532c8237b4563e4a9e4
|
| |
|
|
| |
Change-Id: I0a139eb236f825368ae627fdbb2f75286f747f10
|
| |
|
|
|
|
|
|
| |
Don't use colors since the terminal doesn't support it. Also packing is broken
on MinGW so use #pragma pack when compiling for windows, this is also supported
by MSCV.
Change-Id: I635649d52ed5f2e0af46cb9ca2ec325955b2ddb2
|
| |
|
|
|
|
|
| |
Split the ugly firmware read/write into a API function and a much simplified code.
Also the code can now report progress.
Change-Id: I3f998eaf0c067c6da42b1d2dd9c5a5bf43c6915d
|
| |
|
|
|
|
| |
No code modification code, just moving code around.
Change-Id: I30744d3994aa7540f4b5b158f31b51959d5d8586
|
| |
|
|
|
|
|
|
|
|
| |
Sanitize the whole library by hiding most of the horrible details of the
implementation. This means that all logical/drive/table attributes are exported
in structures that are internally filled by higher-level API functions. This makes
the code much more readable and prepares for a split between scsitool and the stmp
scsi library.
Change-Id: Id85d450b25cf99cd7c0896c6fc35bcd00babe9e1
|
| |
|
|
|
|
|
| |
The function names and prototypes are also normalized so make subsequent reworks
easier.
Change-Id: Ifa5d64aa144b11f8c087517ddc904744e3037361
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Several tools need to perform raw SCSI commands, and we need to support Linux,
Windows and Mac OS, without pulling tons of dependencies to build it easily.
This very simple library has no dependency and supports Linux.
TODO:
- windows
- mac os
Change-Id: I496f5ad2490bd3e96ad962d31cce4e511a523c3a
|
| |
|
|
|
|
|
|
|
|
|
| |
We cannot auto-detect a device if we don't know its model ID, but we can't know
the model ID if we haven't decrypted the upgrade which requires the key. The only
way to solve this chicken-and-egg problem is to get the NVP table from kernel,
create an empty series in the database (no model ID), then get the key using
scsitool and forcing the model (using this commit), then decrypt the upgrade
and get the model ID list.
Change-Id: I8eced486a5f6a1a99028b25fdc4f87a3b11e31a8
|
| |
|
|
|
|
|
| |
We already use Crypto++ for DES anyway, and using OpenSSL is not great because
of its incompatible licence.
Change-Id: I78771b84c1708795a0c0c30afa5bdfe4885dea4e
|
| |
|
|
|
|
| |
This was a huge mess, the new is much cleaner hopefully.
Change-Id: I43663d021dc8bc31662d3923e1c3da22d987ebf9
|
| |
|
|
|
|
|
| |
Allow to search for hex with upper case and alphanumeric. This is *much* slower
of course.
Change-Id: I41a2fc63c4b2220c21147b711098ebc37ddb3527
|
| |
|
|
| |
Change-Id: If5781f0a98b3f2fee08a2daed383064cc59f1680
|
| |
|
|
|
|
| |
Make sure scripts use bash, make nwz database generator more deterministic
Change-Id: I26812b697abe0406fb3c60d6eb231cb27edc81d5
|
| |
|
|
|
|
|
| |
Although this does bug is never triggered because we never decrypt and use the
resulting CBC-MAC, it's a major overlook.
Change-Id: I3c5d318e6428d528483bf888ea284e9ded3889f0
|
| |
|
|
|
|
| |
This ensures that the libs are always up-to-date hopefully.
Change-Id: I790302fcabc91457091006de749b76735fdd510f
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- hwstub load now properly stops reading the log when the device returns a 0
size buffer instead of STALLing
- add debug output option to hwstub_load
- correctly report transfered size on write error
- add some debug error message in usb code so that some errors can be diagnosed
more easily
- add a batch mode to hwstub_shell to disable the interactive shell
- increase usb control timeout to 1sec, 100ms was really tight
- cap usb buffer size to ~4000 bytes because libusb has a hardwired limit of
4096 bytes for control transfers
Change-Id: Id3200ab99ce70a7a3b09ce7faeaafa4a0fac64c7
|
| |
|
|
|
|
|
|
| |
Since ext3 supports ext2, we can support more platforms. Some platforms use ext4
with a very specific set of options, we I haven't encountered those yet so it's
not currently a problem.
Change-Id: Iff87e925a4caa866c6a66b1883ad6baab88c0b8d
|
| |
|
|
|
|
|
|
| |
The unsigned function were deprecated and hidden begind a compat flag. Since
they will get removed in the next version, I simply reimplemented them, those
are mostly casts anyway.
Change-Id: Ie5db81d7c8589b1e5e9b45a2a4ed41919aa07387
|
| |
|
|
| |
Change-Id: Ibf17fe523c6ef534368d6f94f43fce5ac0c91caf
|
| |
|
|
| |
Change-Id: I1b8272a486ba2377e5047855acda3f80aa92c232
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new code gets closer to an actual bootloader:
- it provides a menu with three options: Sony, Rockox, tools with icons (and
extracts the Sony logo from the NVP)
- the dualboot install script now creates a symlink from /.rockbox to
/contents/.rockox which is necessary to run rockbox
- more text drawing / framebuffer functions
In the long run, we will move this under bootloader/ and rbutil/ and also use
firmware/ drawing facilities, at the moment we use OF display program which
is slow and creates some flickering.
The logo extraction/placement code was tested with resolution 240x320 and I
guessed some reasonable values for 240x400, but those will probably need some
tweaking.
Change-Id: I0319be902d21a7d33c1dee0fffdb4797065dbf8a
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now that we have a nice database of player index, the scsitool becomes more
useful and supports a lot more players. I did some general cleanup of the code,
though eventually it would be nice to really split it into a library and a CLI.
The SCSI vendor command allow to read but also write most NVP nodes. Since there
seems to a demand to change destination and sound pressure settings on device,
I implement this feature in the tool. I do not plan to allow arbitrary NVP
writes because this could easily brick the device. Changing the destination
should be safe, but as usual, use at your own risks.
Change-Id: Iff4e8cc3ac97b965c1df849051c5fd373756cda5
|
| |
|
|
|
|
|
| |
Using the database, we can now safely read/write the NVP. I also add more
support for Sony's "display" tool.
Change-Id: I8439fe9bad391c7f29859d99f236781be7983625
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There must be an evil genius in Sony's Walkman division. Someone who made sure
that each model is close enough to the previous one so that little code is needed
but different enough so that an educated guess is not enough.
Each linux-based Sony player has a model ID (mid) which is a 32-bit integer.
I was able to extract a list of all model IDs and the correspoding name of
the player (see README). This gives us 1) a nice list of all players (because
NWZ-A729 vs NWZ-A729B, really Sony?) 2) an easy way to find the name of player
programatically. It seems that the lower 8-bit of the model ID gives the storage
size but don't bet your life on it. The remaining bytes seem to follow some kind
of pattern but there are exceptions.
From this list, I was able to build a list of all Sony's series (up to quite
recent one). The only safe way to build that is by hand, with a list of series,
each series having a list of model IDs. The notion of series is very important
because all models in a series share the same firmware.
A very important concept on Sony's players is the NVP, an area of the flash
that stores data associated with keys. The README contains more information but
basically this is where is record the model ID, the destination, the boot flags,
the firmware upgrade flags, the boot image, the DRM keys, and a lot of other stuff.
Of course Sony decided to slightly tweak the index of the keys regularly over time
which means that each series has a potentially different map, and we need this map
to talk to the NVP driver. Fortunately, Sony distributes the kernel for all its
players and they contain a kernel header with this information. I wrote a script
to unpack kernel sources and parse this header, producing a bunch of nw-*.txt
files, included in this commit. This map is very specific though: it maps Sony's
3-letter names (bti) to indexes (1). This is not very useful without the
decription (bti = boot image) and its size (262144). This information is harder
to come by, and is only stored in one place: if icx_nvp_emmc.ko drivers, found
on the device. Fortunately, Sony distributes a number of firmware upgrade, that
contain the rootfs, than once extracted contain this driver. The driver is a
standard ELF files with symbols. I wrote a parsing tool (nvptool) that is able
to extract this information from the drivers. Using that, I produced a bunch
of nodes-nw*.txt files. A reasonable assumption is that nodes meaning and
size do not change over time (bti is always the boot image and is always
262144 bytes), so by merging a few of those file, we can get a complete picture
(note that some nodes that existed in older player do not exists anymore so
we really need to merge several ones from different generations).
The advantage of storing all this information in plain text files, is that it
now makes it easy to parse it and produce whatever format we want to use it.
I wrote a python script that parses all this mess and produces a C file and
header with all this information (nwz_db.{c,h}).
Change-Id: Id790581ddd527d64418fe9e4e4df8e0546117b80
|
| |
|
|
|
|
|
| |
There is no need to store the key and sig since those are derived from the KAS
anyway.
Change-Id: I228913b1cb32e496db265e9a7aaf3bb4200a9f6b
|
| |
|
|
|
|
|
|
|
|
|
| |
0e2b490 introduced rework of usb driver which was broken. It was reverted
in f2da975 to restore hwstub functionality on ATJ.
This commit reenables usb rework AND fixes remining issues.
The problem was with 0 length OUT thransfers. Additionally
a few cleanups were made.
Change-Id: I529ea9ad6540509e9287ca7e1cd2b44369b03cbb
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 0e2b4908d012dbd45a58002774f32b64ea8f83e3.
Although I swear it was tested it apparently broke hwstub on atj.
I will need to investigate more whats going on. Revert for now.
Change-Id: I2ff3adf8c72bb0e53be7d81b975382adfb700eab
|
| |
|
|
| |
Change-Id: I4ac259e6cd7b707ca725c6ba1c526f5aeed56b71
|
| |
|
|
| |
Change-Id: I32e23035a608ee04a69690975ab4bf629a902388
|
| |
|
|
|
|
|
|
|
|
| |
Sony added extensions to the frambuffer interface. It is important to take them
into account since the OF uses them and might leave the framebuffer in an
unusual state which would make the dualboot not display anything. Also rework
the dualboot code so that it can boot rockbox (not doing anything at the moment),
display all tools or boot the OF.
Change-Id: Ia0f589c9ec8558f375270841503c0964aff07f0b
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the moment, the script install_duaboot does the following:
- rename SpiderApp to SpiderApp.of (unless it already exists)
- install payload as SpiderApp
- fixes permissions
Since SpiderApp is the main app, it will execute instead of the OF.
The current dualboot code (dualboot.c) is still a preliminary but the current
version displays an "all tools" menu to choose for. When exitting the menu
using BACK, it will run the OF.
With the modifications made by the install script, it should not be possible
to break the device. In the worst case scenario, the dualboot code crashes
and it restarted by the sysmgrd, or hangs. A safe way to recover is to plug
the USB cable and reset the device: the system manager will then start the
USB app and one can reflash the device if necessary.
Change-Id: Id9edab0347538ad2a8651a28aea7fd083feaa626
|
| |
|
|
|
|
|
|
| |
Unify series names: e46x -> e460 to be consistent with Sony' name. Add keys
for various players that were cracked using upgtools. The real KAS would need
to be extracted from a target but at least we can open/create firmware upgrades.
Change-Id: Id23a10e10170d7f6330c6699bf205c4df5ddebfe
|
| |
|
|
|
|
|
| |
This new tool (all_tools) embeds all the other tools and provides a menu to
choose which one to run.
Change-Id: I0e07864dd46559a7079b0f942c25155e6fa07112
|
