Subversion Repositories freemyipod

Rev

Rev 652 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log | RSS feed

Rev 652 Rev 670
Line 19... Line 19...
19 
//    with emCORE.  If not, see <http://www.gnu.org/licenses/>.
 19 
//    with emCORE.  If not, see <http://www.gnu.org/licenses/>.
20 
//
 20 
//
21 
//
 21 
//
22 
 
 22 
 
23 
 
 23 
 
24 
#include "embiosapp.h"
 24 
#include "emcoreapp.h"
- 
 
 25 
#include "libboot.h"
25 
 
 26 
 
26 
 
 27 
 
27 
void main();
 28 
void main();
28 
EMBIOS_APP_HEADER("Uninstaller thread", 0x1000, main, 127)
 29 
EMCORE_APP_HEADER("emCORE uninstaller", main, 127)
29 
 
 30 
 
30 
 
 31 
 
31 
uint16_t lcdbuffer[176 * 132];
 - 
 
32 
 
 - 
 
33 
struct wakeup eventwakeup;
 32 
struct wakeup eventwakeup;
34 
volatile int button;
 33 
volatile int button;
35 
 
 34 
 
36 
char mallocbuf[0x1000000] __attribute__((aligned(16)));
 - 
 
37 
tlsf_pool mallocpool;
 - 
 
38 
 
 - 
 
39 
uint8_t norbuf[0x100000] __attribute__((aligned(16)));
 - 
 
40 
#define norbufword ((uint32_t*)norbuf)
 - 
 
41 
 
 - 
 
42 
#define nor ((uint8_t*)0x24000000)
 35 
#define nor ((uint8_t*)0x24000000)
43 
#define norword ((uint32_t*)0x24000000)
 36 
#define norword ((uint32_t*)0x24000000)
44 
 
 37 
 
45 
 
 38 
 
46 
void handler(enum button_event eventtype, int which, int value)
 39 
void handler(void* user, enum button_event eventtype, int which, int value)
47 
{
 40 
{
48 
    if (eventtype == BUTTON_PRESS) button |= 1 << which;
 41 
    if (eventtype == BUTTON_PRESS) button |= 1 << which;
49 
    wakeup_signal(&eventwakeup);
 42 
    wakeup_signal(&eventwakeup);
50 
}
 43 
}
51 
 
 44 
 
- 
 
 45 
void* safe_memalign(size_t align, size_t size)
- 
 
 46 
{
- 
 
 47 
    void* addr = memalign(align, size);
- 
 
 48 
    if (!addr) panicf(PANIC_KILLTHREAD, "Out of memory!");
- 
 
 49 
    return addr;
- 
 
 50 
}
- 
 
 51 
 
52 
uint32_t freeret(uint32_t rc, void* ptr)
 52 
uint32_t freeret(uint32_t rc, void* ptr)
53 
{
 53 
{
54 
    tlsf_free(mallocpool, ptr);
 54 
    free(ptr);
55 
    return rc;
 55 
    return rc;
56 
}
 56 
}
57 
 
 57 
 
58 
uint32_t decryptfw(void* image, uint32_t offset)
 58 
uint32_t decryptfw(void* image, uint32_t offset)
59 
{
 59 
{
Line 65... Line 65...
65 
}
 65 
}
66 
 
 66 
 
67 
uint32_t getfw(const char* filename, uint32_t* sector, uint32_t* size)
 67 
uint32_t getfw(const char* filename, uint32_t* sector, uint32_t* size)
68 
{
 68 
{
69 
    uint32_t i;
 69 
    uint32_t i;
70 
    uint32_t* buffer = tlsf_memalign(mallocpool, 0x10, 0x800);
 70 
    uint32_t* buffer = safe_memalign(0x10, 0x800);
71 
    if (storage_read_sectors_md(0, 0, 1, buffer) != 0) return freeret(1, buffer);
 71 
    if (storage_read_sectors_md(0, 0, 1, buffer) != 0) return freeret(1, buffer);
72 
    if (*((uint16_t*)((uint32_t)buffer + 0x1FE)) != 0xAA55) return freeret(1, buffer);
 72 
    if (*((uint16_t*)((uint32_t)buffer + 0x1FE)) != 0xAA55) return freeret(1, buffer);
73 
    uint32_t startsector = 0;
 73 
    uint32_t startsector = 0;
74 
    for (i = 0x1C2; i < 0x200; i += 0x10)
 74 
    for (i = 0x1C2; i < 0x200; i += 0x10)
75 
        if (((uint8_t*)buffer)[i] == 0)
 75 
        if (((uint8_t*)buffer)[i] == 0)
Line 86... Line 86...
86 
    for (i = 0; i < 0x1FE; i += 10)
 86 
    for (i = 0; i < 0x1FE; i += 10)
87 
        if (memcmp(&buffer[i], filename, 8) == 0)
 87 
        if (memcmp(&buffer[i], filename, 8) == 0)
88 
        {
 88 
        {
89 
            *sector = startsector + (buffer[i + 3] >> 11);
 89 
            *sector = startsector + (buffer[i + 3] >> 11);
90 
            *size = buffer[i + 4] + 0x800;
 90 
            *size = buffer[i + 4] + 0x800;
91 
            tlsf_free(mallocpool, buffer);
 91 
            free(buffer);
92 
            return 0;
 92 
            return 0;
93 
        }
 93 
        }
94 
    return freeret(2, buffer);
 94 
    return freeret(2, buffer);
95 
}
 95 
}
96 
 
 96 
 
97 
uint32_t readfw(const char* filename, void** address, uint32_t* size)
 97 
uint32_t readfw(const char* filename, void** address, uint32_t* size)
98 
{
 98 
{
99 
    uint32_t sector;
 99 
    uint32_t sector;
100 
    uint32_t rc = getfw(filename, &sector, size);
 100 
    uint32_t rc = getfw(filename, &sector, size);
101 
    if (rc) return rc;
 101 
    if (rc) return rc;
102 
    *address = tlsf_memalign(mallocpool, 0x10, *size);
 102 
    *address = safe_memalign(0x10, *size);
103 
    if (storage_read_sectors_md(0, sector, ((*size + 0x7FF) >> 11), *address) != 0)
 103 
    if (storage_read_sectors_md(0, sector, ((*size + 0x7FF) >> 11), *address) != 0)
104 
        return freeret(1, *address);
 104 
        return freeret(1, *address);
105 
    *size = decryptfw(*address, 0x800);
 105 
    *size = decryptfw(*address, 0x800);
106 
    *address = tlsf_realloc(mallocpool, *address, *size);
 106 
    *address = realloc(*address, *size);
107 
    return 0;
 107 
    return 0;
108 
}
 108 
}
109 
 
 109 
 
110 
void main(void)
 110 
void main(void)
111 
{
 111 
{
Line 113... Line 113...
113 
    uint8_t* aupd;
 113 
    uint8_t* aupd;
114 
    uint32_t aupdsize;
 114 
    uint32_t aupdsize;
115 
	uint32_t payloadstart = 0;
 115 
	uint32_t payloadstart = 0;
116 
    struct progressbar_state progressbar;
 116 
    struct progressbar_state progressbar;
117 
 
 117 
 
118 
    wakeup_init(&eventwakeup);
 - 
 
119 
    button_register_handler(handler);
 - 
 
120 
    mallocpool = tlsf_create(mallocbuf, sizeof(mallocbuf));
 - 
 
121 
 
 - 
 
122 
    memset(lcdbuffer, 0xff, 176 * 132 * 2);
 - 
 
123 
    rendertext(&lcdbuffer[177], 0, 0xffff, "Loading...", 176);
 - 
 
124 
    displaylcd(0, 175, 0, 131, lcdbuffer, 0);
 - 
 
125 
    if (norword[0x400] != 0x53436667)
 - 
 
126 
    {
 - 
 
127 
        cputs(1, "Boot flash contents are damaged! (No SYSCFG found)\n\nPlease ask for help.\n");
 - 
 
128 
        return;
 118 
    cputc(1, '.');
129 
    }
 - 
 
130 
 
 119 
 
131 
    memset(norbuf, 0xff, 0x100000);
 120 
    if (norword[0x400] != 0x53436667)
- 
 
 121 
        panicf(PANIC_KILLTHREAD, "Boot flash contents are damaged! (No SYSCFG found)\n\n"
132 
    memcpy(&norbuf[0x4000], &nor[0x1000], 0x1000);
 122 
                                 "Please ask for help.");
133 
 
 123 
 
134 
    aupdsize = 0;
 124 
    aupdsize = 0;
135 
    if (readfw("DNANdpua", (void**)&aupd, &aupdsize)) aupdsize = 0;
 125 
    if (readfw("DNANdpua", (void**)&aupd, &aupdsize)) aupdsize = 0;
- 
 
 126 
    cputc(1, '.');
136 
    if (!aupdsize)
 127 
    if (!aupdsize)
137 
    {
 128 
    {
138 
        memset(lcdbuffer, 0xff, 176 * 132 * 2);
 - 
 
139 
        rendertext(&lcdbuffer[176 * 10 + 10], 0, 0xffff, "Please press any key to", 176);
 - 
 
140 
        rendertext(&lcdbuffer[176 * 18 + 10], 0, 0xffff, "enter disk mode and", 176);
 - 
 
141 
        rendertext(&lcdbuffer[176 * 26 + 10], 0, 0xffff, "restore your iPod using", 176);
 129 
        cputs(3, "\n\nPlease press any key to\nenter disk mode and\nrestore your iPod using\n"
142 
        rendertext(&lcdbuffer[176 * 34 + 10], 0, 0xffff, "iTunes. Your iPod will", 176);
 - 
 
143 
        rendertext(&lcdbuffer[176 * 42 + 10], 0, 0xffff, "reboot and ask you to", 176);
 - 
 
144 
        rendertext(&lcdbuffer[176 * 50 + 10], 0, 0xffff, "uninstall iLoader again.", 176);
 130 
                 "iTunes. After your iPod\nreboots, run the\nuninstaller again.\n"
145 
        rendertext(&lcdbuffer[176 * 66 + 10], 0, 0xffff, "If this message is still", 176);
 131 
                 "If this message is still\nshown after restoring,\nplease ask for help.");
146 
        rendertext(&lcdbuffer[176 * 74 + 10], 0, 0xffff, "shown after restoring,", 176);
 132 
        wakeup_init(&eventwakeup);
147 
        rendertext(&lcdbuffer[176 * 82 + 10], 0, 0xffff, "please ask for help.", 176);
 133 
        struct button_hook_entry* hook = button_register_handler(handler, NULL);
148 
        displaylcd(0, 175, 0, 131, lcdbuffer, 0);
 134 
        if (!hook) panicf(PANIC_KILLTHREAD, "Could not register button hook!");
149 
        button = 0;
 135 
        button = 0;
150 
        while (true)
 136 
        while (true)
151 
        {
 137 
        {
152 
            wakeup_wait(&eventwakeup, TIMEOUT_BLOCK);
 138 
            wakeup_wait(&eventwakeup, TIMEOUT_BLOCK);
153 
            if (button)
 139 
            if (button)
154 
            {
 140 
            {
155 
                int size = bootflash_filesize("diskmode");
 - 
 
156 
                cprintf(1, "\nsize = %d bytes\n", size);
 - 
 
157 
                if (size > 0)
 141 
                void* firmware = NULL;
158 
                {
 142 
                int size;
159 
                    if (bootflash_attributes("diskmode") & 0x800)
 143 
                struct emcorelib_header* lib = get_library(LIBBOOT_IDENTIFIER, LIBBOOT_API_VERSION,
160 
                    {
 - 
 
161 
                        if (!ucl_decompress(bootflash_getaddr("diskmode"), size,
 144 
                                                           LIBSOURCE_BOOTFLASH, "libboot ");
162 
                                            (void*)0x08000000, (uint32_t*)&size))
 145 
                if (!lib) panicf(PANIC_KILLTHREAD, "Could not load libboot!");
163 
                        {
 146 
                struct libboot_api* boot = (struct libboot_api*)lib->api;
164 
                            shutdown(false);
 147 
                boot->load_from_flash(&firmware, &size, false, "diskmode", 0x100000);
165 
                            execfirmware((void*)0x08000000);
 148 
                release_library(lib);
166 
                        }
 149 
                library_unload(lib);
167 
                    }
 150 
                if (!firmware)
168 
                    else if (bootflash_read("diskmode", (void*)0x08000000, 0, size) == size)
 151 
                    panicf(PANIC_KILLTHREAD, "Could not boot disk mode.\nPlease ask for help.");
169 
                    {
 - 
 
170 
                        shutdown(false);
 152 
                shutdown(false);
171 
                        execfirmware((void*)0x08000000);
 153 
                execfirmware((void*)0x08000000, firmware, size);
172 
                    }
 - 
 
173 
                }
 - 
 
174 
                cputs(1, "Could not boot disk mode.\nPlease ask for help.\n");
 - 
 
175 
                return;
 - 
 
176 
            }
 154 
            }
177 
        }
 155 
        }
178 
    }
 156 
    }
- 
 
 157 
 
- 
 
 158 
    cputc(1, '.');
- 
 
 159 
    uint8_t* norbuf = (uint8_t*)safe_memalign(0x10, 0x100000);
- 
 
 160 
    #define norbufword ((uint32_t*)norbuf)
- 
 
 161 
    cputc(1, '.');
- 
 
 162 
    memset(norbuf, 0xff, 0x100000);
- 
 
 163 
    cputc(1, '.');
- 
 
 164 
    memcpy(&norbuf[0x4000], &nor[0x1000], 0x1000);
- 
 
 165 
    cputc(1, '.');
- 
 
 166
179 
	for (i = 0; i < (aupdsize >> 2); i++)
 167 
    for (i = 0; i < (aupdsize >> 2); i++)
180 
		if (((uint32_t*)aupd)[i] == 0x50796c64 && ((uint32_t*)aupd)[i + 4] == 0x46775570)
 168 
		if (((uint32_t*)aupd)[i] == 0x50796c64 && ((uint32_t*)aupd)[i + 4] == 0x46775570)
181 
		    payloadstart = i << 2;
 169 
		    payloadstart = i << 2;
182 
	if (!payloadstart)
 170 
	if (!payloadstart)
183 
    {
 - 
 
184 
        cputs(1, "Restore image is weird:\nNo payload start found.\nPlease ask for help.\n");
 171 
        panicf(PANIC_KILLTHREAD, "Restore image is weird:\nNo payload start found.\n"
185 
        return;
 172 
                                 "Please ask for help.");
186 
    }
 173 
    cputc(1, '.');
187 
	memcpy(norbuf, &aupd[payloadstart + 0x2c], 0x2000);
 174 
	memcpy(norbuf, &aupd[payloadstart + 0x2c], 0x2000);
- 
 
 175 
    cputc(1, '.');
188 
	memcpy(&norbuf[0x8800], &aupd[payloadstart + 0x2048], 0x1f800);
 176 
	memcpy(&norbuf[0x8800], &aupd[payloadstart + 0x2048], 0x1f800);
- 
 
 177 
    cputc(1, '.');
189 
	memcpy(&norbuf[0x28000], &aupd[payloadstart + 0x22048], 0xd8000);
 178 
	memcpy(&norbuf[0x28000], &aupd[payloadstart + 0x22048], 0xd8000);
- 
 
 179 
    cputc(1, '.');
190 
	tlsf_free(mallocpool, aupd);
 180 
	free(aupd);
191 
 
 181 
 
192 
    rendertext(&lcdbuffer[177], 0, 0xffff, "Encrypting flash update...", 176);
 - 
 
193 
    displaylcd(0, 175, 0, 131, lcdbuffer, 0);
 - 
 
194 
    memset(&norbuf[0x8000], 0, 0x800);
 182 
    memset(&norbuf[0x8000], 0, 0x800);
- 
 
 183 
    cputc(1, '.');
195 
    norbufword[0x2000] = 0x31303738;
 184 
    norbufword[0x2000] = 0x31303738;
196 
    norbufword[0x2001] = 0x00302e31;
 185 
    norbufword[0x2001] = 0x00302e31;
197 
    norbufword[0x2002] = 0x800;
 186 
    norbufword[0x2002] = 0x800;
198 
    norbufword[0x2003] = 0x1f800;
 187 
    norbufword[0x2003] = 0x1f800;
- 
 
 188 
    cputc(1, '.');
199 
    hmacsha1(&norbuf[0x8800], 0x1f800, &norbuf[0x8010]);
 189 
    hmacsha1(&norbuf[0x8800], 0x1f800, &norbuf[0x8010]);
- 
 
 190 
    cputc(1, '.');
200 
    hmacsha1(&norbuf[0x8000], 0x40, &norbuf[0x8040]);
 191 
    hmacsha1(&norbuf[0x8000], 0x40, &norbuf[0x8040]);
- 
 
 192 
    cputc(1, '.');
201 
    hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbuf[0x8000], 0x20000);
 193 
    hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbuf[0x8000], 0x20000);
- 
 
 194 
    cputc(1, '.');
202 
    for (i = 0xffe00; i < 0xffec8; i += 0x28)
 195 
    for (i = 0xffe00; i < 0xffec8; i += 0x28)
203 
        if (norbufword[i >> 2])
 196 
        if (norbufword[i >> 2])
204 
        {
 197 
        {
205 
            uint32_t offs = norbufword[(i >> 2) + 3] >> 2;
 198 
            uint32_t offs = norbufword[(i >> 2) + 3] >> 2;
206 
            norbufword[offs] = 0;
 199 
            norbufword[offs] = 0;
207 
            norbufword[offs + 1] = 2;
 200 
            norbufword[offs + 1] = 2;
208 
            norbufword[offs + 2] = 2;
 201 
            norbufword[offs + 2] = 2;
209 
            norbufword[offs + 3] = 0x40;
 202 
            norbufword[offs + 3] = 0x40;
210 
            norbufword[offs + 4] = 0;
 203 
            norbufword[offs + 4] = 0;
211 
            norbufword[offs + 5] = norbufword[(i >> 2) + 4];
 204 
            norbufword[offs + 5] = norbufword[(i >> 2) + 4];
- 
 
 205 
            cputc(1, '.');
212 
            hmacsha1(&norbufword[offs + 0x80], norbufword[(i >> 2) + 4], &norbufword[offs + 7]);
 206 
            hmacsha1(&norbufword[offs + 0x80], norbufword[(i >> 2) + 4], &norbufword[offs + 7]);
- 
 
 207 
            cputc(1, '.');
213 
            memset(&norbufword[offs + 0x75], 0, 0x14);
 208 
            memset(&norbufword[offs + 0x75], 0, 0x14);
- 
 
 209 
            cputc(1, '.');
214 
            hmacsha1(&norbufword[offs], 0x200, &norbufword[offs + 0x75]);
 210 
            hmacsha1(&norbufword[offs], 0x200, &norbufword[offs + 0x75]);
- 
 
 211 
            cputc(1, '.');
215 
            hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbufword[offs + 0x80], norbufword[(i >> 2) + 4]);
 212 
            hwkeyaes(HWKEYAES_ENCRYPT, 2, &norbufword[offs + 0x80], norbufword[(i >> 2) + 4]);
- 
 
 213 
            cputc(1, '.');
216 
        }
 214 
        }
217 
 
 215 
 
218 
    rendertext(&lcdbuffer[177], 0, 0xffff, "Flashing... (DO NOT RESET!!!)", 176);
 - 
 
219 
    displaylcd(0, 175, 0, 131, lcdbuffer, 0);
 - 
 
220 
    progressbar_init(&progressbar, 1, 174, 10, 17, 0, lcd_translate_color(0, 0xcf, 0xcf, 0xcf),
 - 
 
221 
                     lcd_translate_color(0, 0, 0, 0xcf), 0, 256);
 - 
 
222 
    for (i = 0; i < 256; i++)
 216 
    for (i = 0; i < 16; i++)
223 
    {
 217 
    {
224 
        bootflash_writeraw(&norbuf[i * 0x1000], i * 0x1000, 0x1000);
 218 
        bootflash_writeraw(&norbuf[i * 0x10000], i * 0x10000, 0x10000);
225 
        progressbar_setpos(&progressbar, i, false);
 219 
        cputc(1, '.');
226 
    }
 220 
    }
227 
    rendertext(&lcdbuffer[177], 0, 0xffff, "Uninstallation successful!   ", 176);
 - 
 
228 
    displaylcd(0, 175, 0, 131, lcdbuffer, 0);
 - 
 
229 
    sleep(1000000);
 221 
    free(norbuf);
230 
    shutdown(false);
 222 
    shutdown(false);
231 
    reset();
 223 
    reset();
232 
}
 224 
}