| 150 |
theseven |
1 |
//
|
|
|
2 |
//
|
|
|
3 |
// Copyright 2010 TheSeven
|
|
|
4 |
//
|
|
|
5 |
//
|
|
|
6 |
// This file is part of emBIOS.
|
|
|
7 |
//
|
|
|
8 |
// emBIOS is free software: you can redistribute it and/or
|
|
|
9 |
// modify it under the terms of the GNU General Public License as
|
|
|
10 |
// published by the Free Software Foundation, either version 2 of the
|
|
|
11 |
// License, or (at your option) any later version.
|
|
|
12 |
//
|
|
|
13 |
// emBIOS is distributed in the hope that it will be useful,
|
|
|
14 |
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
15 |
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
16 |
// See the GNU General Public License for more details.
|
|
|
17 |
//
|
|
|
18 |
// You should have received a copy of the GNU General Public License along
|
|
|
19 |
// with emBIOS. If not, see <http://www.gnu.org/licenses/>.
|
|
|
20 |
//
|
|
|
21 |
//
|
|
|
22 |
|
|
|
23 |
|
| 145 |
theseven |
24 |
#include "embiosapp.h"
|
|
|
25 |
|
|
|
26 |
|
|
|
27 |
void main();
|
|
|
28 |
EMBIOS_APP_HEADER("Uninstaller thread", 0x1000, main, 127)
|
|
|
29 |
|
|
|
30 |
|
|
|
31 |
uint16_t lcdbuffer[176 * 132];
|
|
|
32 |
|
|
|
33 |
struct wakeup eventwakeup;
|
|
|
34 |
volatile int button;
|
|
|
35 |
|
|
|
36 |
char mallocbuf[0x1000000] __attribute__((aligned(16)));
|
|
|
37 |
tlsf_pool mallocpool;
|
|
|
38 |
|
|
|
39 |
uint8_t norbuf[0x100000] __attribute__((aligned(16)));
|
|
|
40 |
#define norbufword ((uint32_t*)norbuf)
|
|
|
41 |
|
|
|
42 |
#define nor ((uint8_t*)0x24000000)
|
|
|
43 |
#define norword ((uint32_t*)0x24000000)
|
|
|
44 |
|
|
|
45 |
|
|
|
46 |
void handler(enum button_event eventtype, int which, int value)
|
|
|
47 |
{
|
|
|
48 |
if (eventtype == BUTTON_PRESS) button |= 1 << which;
|
|
|
49 |
wakeup_signal(&eventwakeup);
|
|
|
50 |
}
|
|
|
51 |
|
|
|
52 |
uint32_t freeret(uint32_t rc, void* ptr)
|
|
|
53 |
{
|
|
|
54 |
tlsf_free(mallocpool, ptr);
|
|
|
55 |
return rc;
|
|
|
56 |
}
|
|
|
57 |
|
|
|
58 |
uint32_t decryptfw(void* image, uint32_t offset)
|
|
|
59 |
{
|
|
|
60 |
uint32_t size = ((uint32_t*)image)[5];
|
|
|
61 |
if (size > 0x800000) return 0;
|
|
|
62 |
hwkeyaes(HWKEYAES_DECRYPT, ((uint32_t*)image)[2], &((uint8_t*)image)[offset], size);
|
|
|
63 |
memcpy(image, &((uint8_t*)image)[offset], size);
|
|
|
64 |
return size;
|
|
|
65 |
}
|
|
|
66 |
|
|
|
67 |
uint32_t getfw(const char* filename, uint32_t* sector, uint32_t* size)
|
|
|
68 |
{
|
|
|
69 |
uint32_t i;
|
|
|
70 |
uint32_t* buffer = tlsf_memalign(mallocpool, 0x10, 0x800);
|
|
|
71 |
if (storage_read_sectors_md(0, 0, 1, buffer) != 0) return freeret(1, buffer);
|
|
|
72 |
if (*((uint16_t*)((uint32_t)buffer + 0x1FE)) != 0xAA55) return freeret(1, buffer);
|
|
|
73 |
uint32_t startsector = 0;
|
|
|
74 |
for (i = 0x1C2; i < 0x200; i += 0x10)
|
|
|
75 |
if (((uint8_t*)buffer)[i] == 0)
|
|
|
76 |
{
|
|
|
77 |
startsector = *((uint16_t*)((uint32_t)buffer + i + 4))
|
|
|
78 |
| (*((uint16_t*)((uint32_t)buffer + i + 6)) << 16);
|
|
|
79 |
break;
|
|
|
80 |
}
|
|
|
81 |
if (startsector == 0) return freeret(1, buffer);
|
|
|
82 |
if (storage_read_sectors_md(0, startsector, 1, buffer) != 0) return freeret(1, buffer);
|
|
|
83 |
if (buffer[0x40] != 0x5B68695D) return freeret(1, buffer);
|
|
|
84 |
if (storage_read_sectors_md(0, startsector + 1 + (buffer[0x41] >> 11), 1, buffer) != 0)
|
|
|
85 |
return freeret(1, buffer);
|
|
|
86 |
for (i = 0; i < 0x1FE; i += 10)
|
|
|
87 |
if (memcmp(&buffer[i], filename, 8) == 0)
|
|
|
88 |
{
|
|
|
89 |
*sector = startsector + (buffer[i + 3] >> 11);
|
|
|
90 |
*size = buffer[i + 4] + 0x800;
|
|
|
91 |
tlsf_free(mallocpool, buffer);
|
|
|
92 |
return 0;
|
|
|
93 |
}
|
|
|
94 |
return freeret(2, buffer);
|
|
|
95 |
}
|
|
|
96 |
|
|
|
97 |
uint32_t readfw(const char* filename, void** address, uint32_t* size)
|
|
|
98 |
{
|
|
|
99 |
uint32_t sector;
|
|
|
100 |
uint32_t rc = getfw(filename, §or, size);
|
|
|
101 |
if (rc) return rc;
|
|
|
102 |
*address = tlsf_memalign(mallocpool, 0x10, *size);
|
|
|
103 |
if (storage_read_sectors_md(0, sector, ((*size + 0x7FF) >> 11), *address) != 0)
|
|
|
104 |
return freeret(1, *address);
|
|
|
105 |
*size = decryptfw(*address, 0x800);
|
| 150 |
theseven |
106 |
*address = tlsf_realloc(mallocpool, *address, *size);
|
| 145 |
theseven |
107 |
return 0;
|
|
|
108 |
}
|
|
|
109 |
|
|
|
110 |
void main(void)
|
|
|
111 |
{
|
|
|
112 |
uint32_t i, j, k;
|
|
|
113 |
uint8_t* aupd;
|
|
|
114 |
uint32_t aupdsize;
|
|
|
115 |
uint32_t payloadstart = 0;
|
|
|
116 |
struct progressbar_state progressbar;
|
|
|
117 |
|
|
|
118 |
wakeup_init(&eventwakeup);
|
|
|
119 |
button_register_handler(handler);
|
|
|
120 |
mallocpool = tlsf_create(mallocbuf, sizeof(mallocbuf));
|
|
|
121 |
|
|
|
122 |
memset(lcdbuffer, 0xff, 176 * 132 * 2);
|
|
|
123 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Loading...", 176);
|
|
|
124 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
125 |
if (norword[0x400] != 0x53436667)
|
|
|
126 |
{
|
|
|
127 |
cputs(1, "Boot flash contents are damaged! (No SYSCFG found)\n\nPlease ask for help.\n");
|
|
|
128 |
return;
|
|
|
129 |
}
|
|
|
130 |
|
|
|
131 |
memset(norbuf, 0xff, 0x100000);
|
|
|
132 |
memcpy(&norbuf[0x4000], &nor[0x1000], 0x1000);
|
|
|
133 |
|
|
|
134 |
aupdsize = 0;
|
|
|
135 |
if (readfw("DNANdpua", (void**)&aupd, &aupdsize)) aupdsize = 0;
|
|
|
136 |
if (!aupdsize)
|
|
|
137 |
{
|
|
|
138 |
memset(lcdbuffer, 0xff, 176 * 132 * 2);
|
|
|
139 |
rendertext(&lcdbuffer[176 * 10 + 10], 0, 0xffff, "Please press any key to", 176);
|
|
|
140 |
rendertext(&lcdbuffer[176 * 18 + 10], 0, 0xffff, "enter disk mode and", 176);
|
|
|
141 |
rendertext(&lcdbuffer[176 * 26 + 10], 0, 0xffff, "restore your iPod using", 176);
|
|
|
142 |
rendertext(&lcdbuffer[176 * 34 + 10], 0, 0xffff, "iTunes. Your iPod will", 176);
|
|
|
143 |
rendertext(&lcdbuffer[176 * 42 + 10], 0, 0xffff, "reboot and ask you to", 176);
|
|
|
144 |
rendertext(&lcdbuffer[176 * 50 + 10], 0, 0xffff, "uninstall iLoader again.", 176);
|
|
|
145 |
rendertext(&lcdbuffer[176 * 66 + 10], 0, 0xffff, "If this message is still", 176);
|
|
|
146 |
rendertext(&lcdbuffer[176 * 74 + 10], 0, 0xffff, "shown after restoring,", 176);
|
|
|
147 |
rendertext(&lcdbuffer[176 * 82 + 10], 0, 0xffff, "please ask for help.", 176);
|
|
|
148 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
149 |
button = 0;
|
|
|
150 |
while (true)
|
|
|
151 |
{
|
|
|
152 |
wakeup_wait(&eventwakeup, TIMEOUT_BLOCK);
|
|
|
153 |
if (button)
|
|
|
154 |
{
|
|
|
155 |
int size = bootflash_filesize("diskmode");
|
|
|
156 |
cprintf(1, "\nsize = %d bytes\n", size);
|
|
|
157 |
if (size > 0)
|
|
|
158 |
{
|
|
|
159 |
if (bootflash_attributes("diskmode") & 0x800)
|
|
|
160 |
{
|
|
|
161 |
if (!ucl_decompress(bootflash_getaddr("diskmode"), size,
|
|
|
162 |
(void*)0x08000000, (uint32_t*)&size))
|
|
|
163 |
{
|
|
|
164 |
shutdown(false);
|
|
|
165 |
execfirmware((void*)0x08000000);
|
|
|
166 |
}
|
|
|
167 |
}
|
|
|
168 |
else if (bootflash_read("diskmode", (void*)0x08000000, 0, size) == size)
|
|
|
169 |
{
|
|
|
170 |
shutdown(false);
|
|
|
171 |
execfirmware((void*)0x08000000);
|
|
|
172 |
}
|
|
|
173 |
}
|
|
|
174 |
cputs(1, "Could not boot disk mode.\nPlease ask for help.\n");
|
|
|
175 |
return;
|
|
|
176 |
}
|
|
|
177 |
}
|
|
|
178 |
}
|
|
|
179 |
for (i = 0; i < (aupdsize >> 2); i++)
|
|
|
180 |
if (((uint32_t*)aupd)[i] == 0x50796c64 && ((uint32_t*)aupd)[i + 4] == 0x46775570)
|
|
|
181 |
payloadstart = i << 2;
|
|
|
182 |
if (!payloadstart)
|
|
|
183 |
{
|
|
|
184 |
cputs(1, "Restore image is weird:\nNo payload start found.\nPlease ask for help.\n");
|
|
|
185 |
return;
|
|
|
186 |
}
|
|
|
187 |
memcpy(norbuf, &aupd[payloadstart + 0x2c], 0x2000);
|
|
|
188 |
memcpy(&norbuf[0x8800], &aupd[payloadstart + 0x2048], 0x1f800);
|
|
|
189 |
memcpy(&norbuf[0x28000], &aupd[payloadstart + 0x22048], 0xd8000);
|
|
|
190 |
tlsf_free(mallocpool, aupd);
|
|
|
191 |
|
|
|
192 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Encrypting flash update...", 176);
|
|
|
193 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
194 |
memset(&norbuf[0x8000], 0, 0x800);
|
|
|
195 |
norbufword[0x2000] = 0x31303738;
|
|
|
196 |
norbufword[0x2001] = 0x00302e31;
|
|
|
197 |
norbufword[0x2002] = 0x800;
|
|
|
198 |
norbufword[0x2003] = 0x1f800;
|
|
|
199 |
hmacsha1(&norbuf[0x8800], 0x1f800, &norbuf[0x8010]);
|
|
|
200 |
hmacsha1(&norbuf[0x8000], 0x40, &norbuf[0x8040]);
|
|
|
201 |
hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbuf[0x8000], 0x20000);
|
|
|
202 |
for (i = 0xffe00; i < 0xffec8; i += 0x28)
|
|
|
203 |
if (norbufword[i >> 2])
|
|
|
204 |
{
|
|
|
205 |
uint32_t offs = norbufword[(i >> 2) + 3] >> 2;
|
|
|
206 |
norbufword[offs] = 0;
|
|
|
207 |
norbufword[offs + 1] = 2;
|
|
|
208 |
norbufword[offs + 2] = 2;
|
|
|
209 |
norbufword[offs + 3] = 0x40;
|
|
|
210 |
norbufword[offs + 4] = 0;
|
|
|
211 |
norbufword[offs + 5] = norbufword[(i >> 2) + 4];
|
|
|
212 |
hmacsha1(&norbufword[offs + 0x80], norbufword[(i >> 2) + 4], &norbufword[offs + 7]);
|
|
|
213 |
memset(&norbufword[offs + 0x75], 0, 0x14);
|
|
|
214 |
hmacsha1(&norbufword[offs], 0x200, &norbufword[offs + 0x75]);
|
|
|
215 |
hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbufword[offs + 0x80], norbufword[(i >> 2) + 4]);
|
|
|
216 |
}
|
|
|
217 |
|
|
|
218 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Flashing... (DO NOT RESET!!!)", 176);
|
|
|
219 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
220 |
progressbar_init(&progressbar, 1, 174, 10, 17, 0, lcd_translate_color(0, 0xcf, 0xcf, 0xcf),
|
|
|
221 |
lcd_translate_color(0, 0, 0, 0xcf), 0, 256);
|
|
|
222 |
for (i = 0; i < 256; i++)
|
|
|
223 |
{
|
|
|
224 |
bootflash_writeraw(&norbuf[i * 0x1000], i * 0x1000, 0x1000);
|
|
|
225 |
progressbar_setpos(&progressbar, i, false);
|
|
|
226 |
}
|
|
|
227 |
rendertext(&lcdbuffer[177], 0, 0xffff, "Uninstallation successful! ", 176);
|
|
|
228 |
displaylcd(0, 175, 0, 131, lcdbuffer, 0);
|
|
|
229 |
sleep(1000000);
|
| 422 |
theseven |
230 |
shutdown(false);
|
| 145 |
theseven |
231 |
reset();
|
|
|
232 |
}
|