| 145 |
theseven |
1 |
#include "embiosapp.h"
|
|
|
2 |
|
|
|
3 |
|
|
|
4 |
void main();
|
|
|
5 |
EMBIOS_APP_HEADER("Uninstaller thread", 0x1000, main, 127)
|
|
|
6 |
|
|
|
7 |
|
|
|
8 |
uint16_t lcdbuffer[176 * 132];
|
|
|
9 |
|
|
|
10 |
struct wakeup eventwakeup;
|
|
|
11 |
volatile int button;
|
|
|
12 |
|
|
|
13 |
char mallocbuf[0x1000000] __attribute__((aligned(16)));
|
|
|
14 |
tlsf_pool mallocpool;
|
|
|
15 |
|
|
|
16 |
uint8_t norbuf[0x100000] __attribute__((aligned(16)));
|
|
|
17 |
#define norbufword ((uint32_t*)norbuf)
|
|
|
18 |
|
|
|
19 |
#define nor ((uint8_t*)0x24000000)
|
|
|
20 |
#define norword ((uint32_t*)0x24000000)
|
|
|
21 |
|
|
|
22 |
|
|
|
23 |
void handler(enum button_event eventtype, int which, int value)
|
|
|
24 |
{
|
|
|
25 |
if (eventtype == BUTTON_PRESS) button |= 1 << which;
|
|
|
26 |
wakeup_signal(&eventwakeup);
|
|
|
27 |
}
|
|
|
28 |
|
|
|
29 |
uint32_t freeret(uint32_t rc, void* ptr)
|
|
|
30 |
{
|
|
|
31 |
tlsf_free(mallocpool, ptr);
|
|
|
32 |
return rc;
|
|
|
33 |
}
|
|
|
34 |
|
|
|
35 |
uint32_t decryptfw(void* image, uint32_t offset)
|
|
|
36 |
{
|
|
|
37 |
uint32_t size = ((uint32_t*)image)[5];
|
|
|
38 |
if (size > 0x800000) return 0;
|
|
|
39 |
hwkeyaes(HWKEYAES_DECRYPT, ((uint32_t*)image)[2], &((uint8_t*)image)[offset], size);
|
|
|
40 |
memcpy(image, &((uint8_t*)image)[offset], size);
|
|
|
41 |
return size;
|
|
|
42 |
}
|
|
|
43 |
|
|
|
44 |
uint32_t getfw(const char* filename, uint32_t* sector, uint32_t* size)
|
|
|
45 |
{
|
|
|
46 |
uint32_t i;
|
|
|
47 |
uint32_t* buffer = tlsf_memalign(mallocpool, 0x10, 0x800);
|
|
|
48 |
if (storage_read_sectors_md(0, 0, 1, buffer) != 0) return freeret(1, buffer);
|
|
|
49 |
if (*((uint16_t*)((uint32_t)buffer + 0x1FE)) != 0xAA55) return freeret(1, buffer);
|
|
|
50 |
uint32_t startsector = 0;
|
|
|
51 |
for (i = 0x1C2; i < 0x200; i += 0x10)
|
|
|
52 |
if (((uint8_t*)buffer)[i] == 0)
|
|
|
53 |
{
|
|
|
54 |
startsector = *((uint16_t*)((uint32_t)buffer + i + 4))
|
|
|
55 |
| (*((uint16_t*)((uint32_t)buffer + i + 6)) << 16);
|
|
|
56 |
break;
|
|
|
57 |
}
|
|
|
58 |
if (startsector == 0) return freeret(1, buffer);
|
|
|
59 |
if (storage_read_sectors_md(0, startsector, 1, buffer) != 0) return freeret(1, buffer);
|
|
|
60 |
if (buffer[0x40] != 0x5B68695D) return freeret(1, buffer);
|
|
|
61 |
if (storage_read_sectors_md(0, startsector + 1 + (buffer[0x41] >> 11), 1, buffer) != 0)
|
|
|
62 |
return freeret(1, buffer);
|
|
|
63 |
for (i = 0; i < 0x1FE; i += 10)
|
|
|
64 |
if (memcmp(&buffer[i], filename, 8) == 0)
|
|
|
65 |
{
|
|
|
66 |
*sector = startsector + (buffer[i + 3] >> 11);
|
|
|
67 |
*size = buffer[i + 4] + 0x800;
|
|
|
68 |
tlsf_free(mallocpool, buffer);
|
|
|
69 |
return 0;
|
|
|
70 |
}
|
|
|
71 |
return freeret(2, buffer);
|
|
|
72 |
}
|
|
|
73 |
|
|
|
74 |
uint32_t readfwptr(const char* filename, void* address, uint32_t* size)
|
|
|
75 |
{
|
|
|
76 |
uint32_t sector;
|
|
|
77 |
uint32_t rc = getfw(filename, §or, size);
|
|
|
78 |
if (rc) return rc;
|
|
|
79 |
if (storage_read_sectors_md(0, sector, ((*size + 0x7FF) >> 11), address) != 0) return 1;
|
|
|
80 |
*size = decryptfw(address, 0x800);
|
|
|
81 |
return 0;
|
|
|
82 |
}
|
|
|
83 |
|
|
|
84 |
uint32_t readfw(const char* filename, void** address, uint32_t* size)
|
|
|
85 |
{
|
|
|
86 |
uint32_t sector;
|
|
|
87 |
uint32_t rc = getfw(filename, §or, size);
|
|
|
88 |
if (rc) return rc;
|
|
|
89 |
*address = tlsf_memalign(mallocpool, 0x10, *size);
|
|
|
90 |
if (storage_read_sectors_md(0, sector, ((*size + 0x7FF) >> 11), *address) != 0)
|
|
|
91 |
return freeret(1, *address);
|
|
|
92 |
*size = decryptfw(*address, 0x800);
|
|
|
93 |
tlsf_realloc(mallocpool, *address, *size);
|
|
|
94 |
return 0;
|
|
|
95 |
}
|
|
|
96 |
|
|
|
97 |
void main(void)
|
|
|
98 |
{
|
|
|
99 |
uint32_t i, j, k;
|
|
|
100 |
uint8_t* aupd;
|
|
|
101 |
uint32_t aupdsize;
|
|
|
102 |
uint32_t payloadstart = 0;
|
|
|
103 |
struct progressbar_state progressbar;
|
|
|
104 |
|
|
|
105 |
wakeup_init(&eventwakeup);
|
|
|
106 |
button_register_handler(handler);
|
|
|
107 |
mallocpool = tlsf_create(mallocbuf, sizeof(mallocbuf));
|
|
|
108 |
|
|
|
109 |
memset(lcdbuffer, 0xff, 176 * 132 * 2);
|
|
|
110 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Loading...", 176);
|
|
|
111 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
112 |
if (norword[0x400] != 0x53436667)
|
|
|
113 |
{
|
|
|
114 |
cputs(1, "Boot flash contents are damaged! (No SYSCFG found)\n\nPlease ask for help.\n");
|
|
|
115 |
return;
|
|
|
116 |
}
|
|
|
117 |
|
|
|
118 |
memset(norbuf, 0xff, 0x100000);
|
|
|
119 |
memcpy(&norbuf[0x4000], &nor[0x1000], 0x1000);
|
|
|
120 |
|
|
|
121 |
aupdsize = 0;
|
|
|
122 |
if (readfw("DNANdpua", (void**)&aupd, &aupdsize)) aupdsize = 0;
|
|
|
123 |
if (!aupdsize)
|
|
|
124 |
{
|
|
|
125 |
memset(lcdbuffer, 0xff, 176 * 132 * 2);
|
|
|
126 |
rendertext(&lcdbuffer[176 * 10 + 10], 0, 0xffff, "Please press any key to", 176);
|
|
|
127 |
rendertext(&lcdbuffer[176 * 18 + 10], 0, 0xffff, "enter disk mode and", 176);
|
|
|
128 |
rendertext(&lcdbuffer[176 * 26 + 10], 0, 0xffff, "restore your iPod using", 176);
|
|
|
129 |
rendertext(&lcdbuffer[176 * 34 + 10], 0, 0xffff, "iTunes. Your iPod will", 176);
|
|
|
130 |
rendertext(&lcdbuffer[176 * 42 + 10], 0, 0xffff, "reboot and ask you to", 176);
|
|
|
131 |
rendertext(&lcdbuffer[176 * 50 + 10], 0, 0xffff, "uninstall iLoader again.", 176);
|
|
|
132 |
rendertext(&lcdbuffer[176 * 66 + 10], 0, 0xffff, "If this message is still", 176);
|
|
|
133 |
rendertext(&lcdbuffer[176 * 74 + 10], 0, 0xffff, "shown after restoring,", 176);
|
|
|
134 |
rendertext(&lcdbuffer[176 * 82 + 10], 0, 0xffff, "please ask for help.", 176);
|
|
|
135 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
136 |
button = 0;
|
|
|
137 |
while (true)
|
|
|
138 |
{
|
|
|
139 |
wakeup_wait(&eventwakeup, TIMEOUT_BLOCK);
|
|
|
140 |
if (button)
|
|
|
141 |
{
|
|
|
142 |
int size = bootflash_filesize("diskmode");
|
|
|
143 |
cprintf(1, "\nsize = %d bytes\n", size);
|
|
|
144 |
if (size > 0)
|
|
|
145 |
{
|
|
|
146 |
if (bootflash_attributes("diskmode") & 0x800)
|
|
|
147 |
{
|
|
|
148 |
if (!ucl_decompress(bootflash_getaddr("diskmode"), size,
|
|
|
149 |
(void*)0x08000000, (uint32_t*)&size))
|
|
|
150 |
{
|
|
|
151 |
shutdown(false);
|
|
|
152 |
execfirmware((void*)0x08000000);
|
|
|
153 |
}
|
|
|
154 |
}
|
|
|
155 |
else if (bootflash_read("diskmode", (void*)0x08000000, 0, size) == size)
|
|
|
156 |
{
|
|
|
157 |
shutdown(false);
|
|
|
158 |
execfirmware((void*)0x08000000);
|
|
|
159 |
}
|
|
|
160 |
}
|
|
|
161 |
cputs(1, "Could not boot disk mode.\nPlease ask for help.\n");
|
|
|
162 |
return;
|
|
|
163 |
}
|
|
|
164 |
}
|
|
|
165 |
}
|
|
|
166 |
for (i = 0; i < (aupdsize >> 2); i++)
|
|
|
167 |
if (((uint32_t*)aupd)[i] == 0x50796c64 && ((uint32_t*)aupd)[i + 4] == 0x46775570)
|
|
|
168 |
payloadstart = i << 2;
|
|
|
169 |
if (!payloadstart)
|
|
|
170 |
{
|
|
|
171 |
cputs(1, "Restore image is weird:\nNo payload start found.\nPlease ask for help.\n");
|
|
|
172 |
return;
|
|
|
173 |
}
|
|
|
174 |
memcpy(norbuf, &aupd[payloadstart + 0x2c], 0x2000);
|
|
|
175 |
memcpy(&norbuf[0x8800], &aupd[payloadstart + 0x2048], 0x1f800);
|
|
|
176 |
memcpy(&norbuf[0x28000], &aupd[payloadstart + 0x22048], 0xd8000);
|
|
|
177 |
tlsf_free(mallocpool, aupd);
|
|
|
178 |
|
|
|
179 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Encrypting flash update...", 176);
|
|
|
180 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
181 |
memset(&norbuf[0x8000], 0, 0x800);
|
|
|
182 |
norbufword[0x2000] = 0x31303738;
|
|
|
183 |
norbufword[0x2001] = 0x00302e31;
|
|
|
184 |
norbufword[0x2002] = 0x800;
|
|
|
185 |
norbufword[0x2003] = 0x1f800;
|
|
|
186 |
hmacsha1(&norbuf[0x8800], 0x1f800, &norbuf[0x8010]);
|
|
|
187 |
hmacsha1(&norbuf[0x8000], 0x40, &norbuf[0x8040]);
|
|
|
188 |
hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbuf[0x8000], 0x20000);
|
|
|
189 |
for (i = 0xffe00; i < 0xffec8; i += 0x28)
|
|
|
190 |
if (norbufword[i >> 2])
|
|
|
191 |
{
|
|
|
192 |
uint32_t offs = norbufword[(i >> 2) + 3] >> 2;
|
|
|
193 |
norbufword[offs] = 0;
|
|
|
194 |
norbufword[offs + 1] = 2;
|
|
|
195 |
norbufword[offs + 2] = 2;
|
|
|
196 |
norbufword[offs + 3] = 0x40;
|
|
|
197 |
norbufword[offs + 4] = 0;
|
|
|
198 |
norbufword[offs + 5] = norbufword[(i >> 2) + 4];
|
|
|
199 |
hmacsha1(&norbufword[offs + 0x80], norbufword[(i >> 2) + 4], &norbufword[offs + 7]);
|
|
|
200 |
memset(&norbufword[offs + 0x75], 0, 0x14);
|
|
|
201 |
hmacsha1(&norbufword[offs], 0x200, &norbufword[offs + 0x75]);
|
|
|
202 |
hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbufword[offs + 0x80], norbufword[(i >> 2) + 4]);
|
|
|
203 |
}
|
|
|
204 |
|
|
|
205 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Flashing... (DO NOT RESET!!!)", 176);
|
|
|
206 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
207 |
progressbar_init(&progressbar, 1, 174, 10, 17, 0, lcd_translate_color(0, 0xcf, 0xcf, 0xcf),
|
|
|
208 |
lcd_translate_color(0, 0, 0, 0xcf), 0, 256);
|
|
|
209 |
for (i = 0; i < 256; i++)
|
|
|
210 |
{
|
|
|
211 |
bootflash_writeraw(&norbuf[i * 0x1000], i * 0x1000, 0x1000);
|
|
|
212 |
progressbar_setpos(&progressbar, i, false);
|
|
|
213 |
}
|
|
|
214 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Uninstallation successful! ", 176);
|
|
|
215 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
216 |
sleep(1000000);
|
|
|
217 |
shutdown(true);
|
|
|
218 |
reset();
|
|
|
219 |
}
|