freemyipod r179 - Code Review

Repository:	freemyipod
Revision:	< r178‎ \| r179 \| r180 >
Date:	00:41, 27 August 2010
Author:	theseven
Status:	new
Tags:
Comment:	Fix a lot of things and add missing tools. The Nano2G installer can be built without external tools now :)
Modified paths:	/apps/installer-nano2g (modified) (history) /apps/installer-nano2g/Makefile (modified) (history) /apps/installer-nano2g/flashfiles (modified) (history) /embios/trunk/loader/ipodnano2g/Makefile (modified) (history) /embios/trunk/loader/ipodnano2g/main.S (modified) (history) /embios/trunk/tools/ipodcrypt.py (added) (history) /embios/trunk/tools/libipodcrypto.py (added) (history) /embios/trunk/usb/usb.c (modified) (history) /tools/scramble.py (added) (history)

Diff [purge]

Index: tools/scramble.py
—	—	@@ -0,0 +1,51 @@
	2	+#!/usr/bin/env python
	3	+#
	4	+#
	5	+# Copyright 2010 TheSeven
	6	+#
	7	+#
	8	+# This file is part of TheSeven's iPod tools.
	9	+#
	10	+# TheSeven's iBugger is free software: you can redistribute it and/or
	11	+# modify it under the terms of the GNU General Public License as
	12	+# published by the Free Software Foundation, either version 2 of the
	13	+# License, or (at your option) any later version.
	14	+#
	15	+# TheSeven's iBugger is distributed in the hope that it will be useful,
	16	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	18	+# See the GNU General Public License for more details.
	19	+#
	20	+# You should have received a copy of the GNU General Public License along
	21	+# with TheSeven's iPod tools. If not, see <http://www.gnu.org/licenses/>.
	22	+#
	23	+#
	24	+
	25	+
	26	+import sys
	27	+import struct
	28	+
	29	+from optparse import *
	30	+
	31	+parser = OptionParser("usage: %prog [options] <infile> <outfile>")
	32	+parser.add_option("--signature", metavar = "SIGN",
	33	+ help = "The device signature. Must be 4 characters, e.g. \"nn2x\". (mandantory)")
	34	+parser.add_option("--targetid", type = "int", metavar = "ID",
	35	+ help = "The numeric target ID. (mandantory)")
	36	+(options, args) = parser.parse_args()
	37	+if len(args) != 2: parser.error("incorrect number of arguments")
	38	+if not options.signature: parser.error("please specify a device signature")
	39	+if not options.targetid: parser.error("please specify numeric target id")
	40	+if len(options.signature) != 4: parser.error("device signature must be 4 characters")
	41	+
	42	+file = open(args[0], "rb")
	43	+data = file.read()
	44	+file.close()
	45	+
	46	+checksum = options.targetid
	47	+for i in range(len(data)):
	48	+ checksum = (checksum + struct.unpack("B", data[i])[0]) & 0xffffffff
	49	+
	50	+file = open(args[1], "wb")
	51	+file.write(struct.pack(">I", checksum) + options.signature + data)
	52	+file.close()
Index: apps/installer-nano2g/flashfiles
Property changes on: apps/installer-nano2g/flashfiles
___________________________________________________________________
Modified: svn:ignore
## -4,3 +4,4 ##
1	53	iloader.conf
2	54	iloader.embiosapp.ucl
3	55	uninstaller-nano2g.embiosapp.ucl
	56	+embios-ipodnano2g.bin
Index: apps/installer-nano2g/Makefile
—	—	@@ -22,7 +22,7 @@
23	23	COMPILECONFIG := python $(ILOADERDIR)/tools/compileconfig.py
24	24	EMBIOSBOOTCFG := python $(EMBIOSDIR)/tools/embiosbootcfg.py
25	25	EMBIOSEMBEDAPP := python $(EMBIOSDIR)/tools/embiosembedapp.py
26		~~-CRYPTFW := python $(TOOLSDIR)/ipodcrypt.py nano2g-cryptfw~~
	26	+CRYPTFW := python $(EMBIOSDIR)/tools/ipodcrypt.py nano2g-cryptfirmware
27	27	SCRAMBLE := python $(TOOLSDIR)/scramble.py
28	28
29	29	CFLAGS += -Os -fno-pie -fno-stack-protector -fomit-frame-pointer -I. -I$(EMBIOSDIR)/export -ffunction-sections -fdata-sections -mcpu=arm940t
Index: apps/installer-nano2g
Property changes on: apps/installer-nano2g
___________________________________________________________________
Modified: svn:ignore
## -1 +1,2 ##
30	30	build
	31	+flashfiles.built
Index: embios/trunk/tools/ipodcrypt.py
—	—	@@ -0,0 +1,59 @@
	2	+#!/usr/bin/env python
	3	+#
	4	+#
	5	+# Copyright 2010 TheSeven
	6	+#
	7	+#
	8	+# This file is part of TheSeven's iPod tools.
	9	+#
	10	+# TheSeven's iBugger is free software: you can redistribute it and/or
	11	+# modify it under the terms of the GNU General Public License as
	12	+# published by the Free Software Foundation, either version 2 of the
	13	+# License, or (at your option) any later version.
	14	+#
	15	+# TheSeven's iBugger is distributed in the hope that it will be useful,
	16	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	18	+# See the GNU General Public License for more details.
	19	+#
	20	+# You should have received a copy of the GNU General Public License along
	21	+# with TheSeven's iPod tools. If not, see <http://www.gnu.org/licenses/>.
	22	+#
	23	+#
	24	+
	25	+
	26	+import sys
	27	+import libipodcrypto
	28	+
	29	+
	30	+def usage():
	31	+ print ""
	32	+ print "Please provide a command and (if needed) parameters as command line arguments"
	33	+ print ""
	34	+ print "Available commands:"
	35	+ print " nano2g-cryptdfu <infile> <outfile>"
	36	+ print " nano2g-decryptdfu <infile> <outfile>"
	37	+ print " nano2g-cryptfirmware <infile> <outfile>"
	38	+ print " nano2g-decryptfirmware <infile> <outfile>"
	39	+ exit(2)
	40	+
	41	+
	42	+def parsecommand(argv):
	43	+ if len(argv) != 4: usage()
	44	+
	45	+ elif argv[1] == "nano2g-cryptdfu":
	46	+ libipodcrypto.nano2gcryptdfufile(argv[2], argv[3])
	47	+
	48	+ elif argv[1] == "nano2g-decryptdfu":
	49	+ libipodcrypto.nano2gdecryptdfufile(argv[2], argv[3])
	50	+
	51	+ elif argv[1] == "nano2g-cryptfirmware":
	52	+ libipodcrypto.nano2gcryptfirmwarefile(argv[2], argv[3])
	53	+
	54	+ elif argv[1] == "nano2g-decryptfirmware":
	55	+ libipodcrypto.nano2gdecryptfirmwarefile(argv[2], argv[3])
	56	+
	57	+ else: usage()
	58	+
	59	+
	60	+parsecommand(sys.argv)
Index: embios/trunk/tools/libipodcrypto.py
—	—	@@ -0,0 +1,103 @@
	2	+#!/usr/bin/env python
	3	+#
	4	+#
	5	+# Copyright 2010 TheSeven
	6	+#
	7	+#
	8	+# This file is part of emBIOS.
	9	+#
	10	+# emBIOS is free software: you can redistribute it and/or
	11	+# modify it under the terms of the GNU General Public License as
	12	+# published by the Free Software Foundation, either version 2 of the
	13	+# License, or (at your option) any later version.
	14	+#
	15	+# emBIOS is distributed in the hope that it will be useful,
	16	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	18	+# See the GNU General Public License for more details.
	19	+#
	20	+# You should have received a copy of the GNU General Public License
	21	+# along with emBIOS. If not, see <http://www.gnu.org/licenses/>.
	22	+#
	23	+#
	24	+
	25	+
	26	+import sys
	27	+import struct
	28	+import time
	29	+import libembios
	30	+from libembios import Error
	31	+import libembiosdata
	32	+
	33	+
	34	+def nano2gcryptdfu(data):
	35	+ data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
	36	+ header = "87011.0\0\0\x08\0\0" + struct.pack("<I", len(data))
	37	+ embios = libembios.Embios()
	38	+ embios.write(0x08000000, header.ljust(0x800, "\0") + data)
	39	+ embios.timeout = 20000
	40	+ embios.hmac_sha1(0x08000800, len(data), 0x08000010)
	41	+ embios.hmac_sha1(0x08000000, 0x40, 0x08000040)
	42	+ embios.aesencrypt(0x08000000, len(data) + 0x800, 1)
	43	+ return embios.read(0x08000000, len(data) + 0x800)
	44	+
	45	+
	46	+def nano2gdecryptdfu(data):
	47	+ embios = libembios.Embios()
	48	+ embios.write(0x08000000, data)
	49	+ embios.timeout = 20000
	50	+ embios.aesdecrypt(0x08000000, len(data), 1)
	51	+ return embios.read(0x08000800, len(data) - 0x800)
	52	+
	53	+
	54	+def nano2gcryptfirmware(data):
	55	+ data = data.ljust((len(data) + 0x3f) & ~0x3f, "\0")
	56	+ header = "\0\0\0\0\0x02\0\0\0\0x01\0\0\0\0x40\0\0\0\0\0\0\0" + struct.pack("<I", len(data))
	57	+ embios = libembios.Embios()
	58	+ embios.write(0x08000000, header.ljust(0x800, "\0") + data)
	59	+ embios.timeout = 20000
	60	+ embios.hmac_sha1(0x08000800, len(data), 0x0800001c)
	61	+ embios.hmac_sha1(0x08000000, 0x200, 0x080001d4)
	62	+ embios.aesencrypt(0x08000800, len(data), 1)
	63	+ return embios.read(0x08000000, len(data) + 0x800)
	64	+
	65	+
	66	+def nano2gdecryptfirmware(data):
	67	+ embios = libembios.Embios()
	68	+ embios.write(0x08000000, data)
	69	+ embios.timeout = 20000
	70	+ embios.aesdecrypt(0x08000800, len(data) - 0x800, 1)
	71	+ return embios.read(0x08000800, len(data) - 0x800)
	72	+
	73	+
	74	+def nano2gcryptdfufile(infile, outfile):
	75	+ print(outfile)
	76	+ infile = open(infile, "rb")
	77	+ outfile = open(outfile, "wb")
	78	+ outfile.write(nano2gcryptdfu(infile.read()))
	79	+ infile.close()
	80	+ outfile.close()
	81	+
	82	+
	83	+def nano2gdecryptdfufile(infile, outfile):
	84	+ infile = open(infile, "rb")
	85	+ outfile = open(outfile, "wb")
	86	+ outfile.write(nano2gdecryptdfu(infile.read()))
	87	+ infile.close()
	88	+ outfile.close()
	89	+
	90	+
	91	+def nano2gcryptfirmwarefile(infile, outfile):
	92	+ infile = open(infile, "rb")
	93	+ outfile = open(outfile, "wb")
	94	+ outfile.write(nano2gcryptfirmware(infile.read()))
	95	+ infile.close()
	96	+ outfile.close()
	97	+
	98	+
	99	+def nano2gdecryptfirmwarefile(infile, outfile):
	100	+ infile = open(infile, "rb")
	101	+ outfile = open(outfile, "wb")
	102	+ outfile.write(nano2gdecryptfirmware(infile.read()))
	103	+ infile.close()
	104	+ outfile.close()
Index: embios/trunk/usb/usb.c
—	—	@@ -555,6 +555,7 @@
556	556	dbgactionoffset = ((uint16_t*)dbgrecvbuf)[3];
557	557	dbgactionaddr = dbgrecvbuf[2];
558	558	dbgactionlength = dbgrecvbuf[3];
	559	+ break;
559	560	#endif
560	561	#ifdef HAVE_HMACSHA1
561	562	case 26: // HMACSHA1
—	—	@@ -562,6 +563,7 @@
563	564	dbgactionaddr = dbgrecvbuf[1];
564	565	dbgactionlength = dbgrecvbuf[2];
565	566	dbgactionoffset = dbgrecvbuf[3];
	567	+ break;
566	568	#endif
567	569	default:
568	570	dbgsendbuf[0] = 2;
Index: embios/trunk/loader/ipodnano2g/main.S
—	—	@@ -149,7 +149,7 @@
150	150	str r5, [r0,#0x88]
151	151	add r4, r6, #0x00200000
152	152	str r1, [r4,#0x08]
153		~~- mov r5, #0xb7~~
	153	+ mov r5, #0xf3
154	154	str r5, [r4]
155	155	mov r5, #0x10
156	156	str r5, [r4,#0x04]
—	—	@@ -1548,7 +1548,7 @@
1549	1549	str r0, [r12,#0x0c]
1550	1550	mov r4, #0xf0
1551	1551	str r4, [r12,#0x04]
1552		~~- mov r4, #0xf3~~
	1552	+ mov r4, #0xb7
1553	1553	str r4, [r12]
1554	1554	bl i2cwait
1555	1555	str r1, [r12,#0x0c]
—	—	@@ -1586,7 +1586,7 @@
1587	1587	str r0, [r12,#0x0c]
1588	1588	mov r4, #0xf0
1589	1589	str r4, [r12,#0x04]
1590		~~- mov r4, #0xf3~~
	1590	+ mov r4, #0xb7
1591	1591	str r4, [r12]
1592	1592	bl i2cwait
1593	1593	str r1, [r12,#0x0c]
—	—	@@ -1601,7 +1601,7 @@
1602	1602	bl i2cwait
1603	1603	i2crecv_read:
1604	1604	subs r3, r3, #1
1605		~~- moveq r4, #0x73~~
	1605	+ moveq r4, #0x37
1606	1606	str r4, [r12]
1607	1607	bl i2cwait
1608	1608	ldr r0, [r12,#0x0c]
—	—	@@ -1611,7 +1611,7 @@
1612	1612	bne i2crecv_read
1613	1613	mov r1, #0x90
1614	1614	str r1, [r12,#0x04]
1615		~~- mov r1, #0xf3~~
	1615	+ mov r1, #0xb7
1616	1616	str r1, [r12]
1617	1617	i2crecv_wait:
1618	1618	ldr r1, [r12,#0x04]
Index: embios/trunk/loader/ipodnano2g/Makefile
—	—	@@ -1,7 +1,7 @@
2	2	NAME := embiosldr-ipodnano2g
3	3	BOOTADDR = 24008000
4	4
5		~~-TOOLSDIR ?= ../../../../tools/~~
	5	+EMBIOSDIR ?= ../../
6	6
7	7	CROSS ?= arm-none-eabi-
8	8	CC := $(CROSS)gcc
—	—	@@ -9,7 +9,7 @@
10	10	LD := $(CROSS)ld
11	11	OBJCOPY := $(CROSS)objcopy
12	12	UCLPACK := ucl2e10singleblk
13		~~-CRYPTDFU := python $(TOOLSDIR)/ipodcrypt.py nano2g-cryptdfu~~
	13	+CRYPTDFU := python $(EMBIOSDIR)/tools/ipodcrypt.py nano2g-cryptdfu
14	14
15	15	CFLAGS += -Os -fno-pie -fno-stack-protector -fomit-frame-pointer -I. -ffunction-sections -fdata-sections -mcpu=arm940t
16	16	LDFLAGS += "$(shell $(CC) -print-libgcc-file-name)" --gc-sections

freemyipod r179 - Code Review

Diff [purge]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Info

Reverse engineering Results

Exploiting

Other Guides

Tools