Revision a00cb72ef2f501616afe5b97ed20aea696023aa3 authored by hudson@kremvax on 03 June 2009, 03:26:36 UTC, committed by hudson@kremvax on 03 June 2009, 03:26:36 UTC
1 parent 624bb7c
dissect_fw.c
/*
* Based on version 3.2 from chdk site.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>
#include <stdarg.h>
#include <sys/stat.h>
#include <sys/types.h>
/*
 * Compile-time layout check: declares an unused static char array whose
 * length is 0 when sizeof(struct struct_name) equals the expected size and
 * -1 (a compile error) otherwise.  The zero-length array in the passing
 * case is a compiler extension, as is __attribute__((unused)).
 */
#define SIZE_CHECK( struct_name, size ) \
static char _size_check_##struct_name[ \
sizeof(struct struct_name) == size ? 0 : -1 \
] __attribute__((unused))
/*
 * On-disk firmware file header, overlaid directly on the bytes read from
 * the input file (see main()).  Packed so that member offsets match the
 * file layout; SIZE_CHECK below pins the total size to 0x120 bytes.
 *
 * Every member is read straight from the file and is therefore untrusted:
 * offsets and lengths must be range-checked against the real file size
 * before they are used for pointer arithmetic, and `version` is a fixed
 * 16-byte field that nothing here guarantees to be NUL-terminated.
 */
struct fw_header_t
{
uint32_t model_id; // offset 0x00
uint8_t pad0[ 0x0C ]; // offset 0x04
char version[ 0x10 ]; // offset 0x10, may lack a terminating NUL
uint32_t crc; // offset 0x20
uint32_t flasher_offset; // offset 0x24, points to 0xB0
uint32_t file_header_size; // offset 0x28, must be 0x120
uint32_t some_size; // offset 0x2C
uint32_t _data_offset; // offset 0x30
uint32_t unknown1; // offset 0x34
uint32_t file_size; // offset 0x38
uint32_t unknown2; // offset 0x3C
// NOTE(review): only 4 bytes wide, so this cannot hold a whole SHA-1
// digest; presumably the rest lies in pad2 -- confirm against the format.
uint32_t sha1_hash; // offset 0x40
uint32_t pad2[ 7 ]; // offset 0x44-0x5C
uint32_t data_offset; // offset 0x60, file offset of the data section
uint8_t pad3[ 0x58 ]; // offset 0x64
uint32_t data_len; // offset 0xBC
uint8_t pad4[ 0x60 ]; // offset 0xC0
} __attribute__((packed));
SIZE_CHECK( fw_header_t, 0x120 );
/*
 * First XOR table, 512 bytes.  decrypt_block() walks it with an index that
 * wraps to 0 at 512 and combines each entry with the matching CRYPT2 entry
 * and the constant 0x37.
 *
 * The table is a fixed constant compiled into the tool, so the XOR layer it
 * implements is obfuscation rather than secrecy.
 *
 * Declared as plain char: initialisers >= 0x80 depend on implementation-
 * defined conversion where char is signed.  The XOR result is stored back
 * into an unsigned char buffer, so only the low 8 bits are ever used.
 */
char CRYPT1[512] = { 0x07, 0x9E, 0xD5, 0x5E, 0x19, 0xB5, 0xE6, 0x2B, 0x17, 0xA5,
0xC1, 0xA2, 0xBD, 0x59, 0x38, 0x68, 0xEC, 0xFE, 0x2D, 0x8C,
0x14, 0x99, 0xE6, 0xB9, 0x54, 0xAD, 0x85, 0x84, 0x40, 0x48,
0xCE, 0x78, 0xA4, 0xA0, 0xA7, 0x4B, 0xEC, 0x59, 0xCD, 0x93,
0xD8, 0x8C, 0xA7, 0x33, 0xB0, 0xA1, 0x78, 0x66, 0x0A, 0x8C,
0xB6, 0x26, 0x80, 0xDB, 0x49, 0xC1, 0x54, 0xD9, 0x88, 0x0C,
0xA2, 0x8A, 0xF1, 0x68, 0x2A, 0xBC, 0x12, 0x93, 0x23, 0x74,
0x11, 0x4C, 0x66, 0x67, 0x93, 0x81, 0x12, 0x6B, 0x04, 0x52,
0x79, 0xEC, 0x90, 0xD4, 0xF7, 0x1E, 0xB9, 0x6B, 0xEB, 0x6C,
0xF9, 0x86, 0x58, 0x97, 0xDA, 0xF0, 0x7D, 0x3D, 0xC4, 0xEA,
0x8F, 0x48, 0x75, 0x21, 0x62, 0xC7, 0x5F, 0xFB, 0x93, 0xF9,
0xC3, 0x91, 0x83, 0xF6, 0x64, 0x46, 0xA9, 0x14, 0x64, 0xCB,
0xF2, 0x4C, 0xAB, 0x8F, 0xE9, 0xAE, 0xC9, 0xE8, 0xC3, 0x5D,
0xC0, 0x07, 0xD4, 0xD2, 0xD5, 0xEC, 0x7E, 0x89, 0x3E, 0x65,
0x66, 0xDA, 0x2A, 0xB1, 0xB7, 0xD0, 0x47, 0x0A, 0x3A, 0x93,
0x52, 0x49, 0x5F, 0xAB, 0xD7, 0x21, 0x79, 0xF0, 0xF7, 0xAF,
0x90, 0x60, 0x52, 0x88, 0x80, 0x7F, 0x31, 0xBA, 0xF3, 0x2D,
0x04, 0xA2, 0xE8, 0x66, 0xB5, 0x68, 0x6D, 0x15, 0x58, 0x94,
0x1C, 0xC4, 0x16, 0x68, 0xF3, 0xE2, 0x20, 0x68, 0x89, 0x3E,
0x08, 0xD8, 0x43, 0xA2, 0xD0, 0x27, 0x55, 0x58, 0x51, 0xF6,
0x8B, 0x49, 0x14, 0xF6, 0xE9, 0xBD, 0x37, 0xFB, 0x80, 0xBA,
0x99, 0xAD, 0x4C, 0x55, 0xC1, 0xDD, 0x89, 0xDE, 0xF8, 0x2D,
0x72, 0x2C, 0xB9, 0x37, 0x84, 0x45, 0x34, 0x9D, 0xBE, 0x83,
0x42, 0x9A, 0x2D, 0xD7, 0x78, 0xE5, 0x0F, 0xAC, 0xA7, 0xCC,
0xC3, 0x35, 0xDC, 0x56, 0x7F, 0xBD, 0xC4, 0xBF, 0xA1, 0x41,
0x44, 0x5F, 0xAD, 0x45, 0x68, 0x65, 0x7F, 0x10, 0x73, 0x4B,
0x89, 0x72, 0x2F, 0xDA, 0xD0, 0xC3, 0x3F, 0x26, 0xD9, 0x5E,
0x94, 0x61, 0xF8, 0x21, 0x19, 0xD5, 0xF9, 0x1B, 0x18, 0xF5,
0xDD, 0x26, 0x79, 0xF4, 0xF2, 0x44, 0x77, 0x44, 0xCD, 0x83,
0x44, 0x12, 0xCE, 0x37, 0xB9, 0x25, 0xDE, 0x0F, 0x12, 0x2A,
0x5D, 0xD6, 0x7D, 0x1F, 0x39, 0x10, 0x4F, 0x7F, 0xB9, 0x75,
0x1C, 0xAB, 0x8B, 0x43, 0xEB, 0x3D, 0xC1, 0x8C, 0xCB, 0x2B,
0x1E, 0x45, 0x7D, 0x31, 0x1A, 0xC9, 0x8B, 0xDB, 0x65, 0xD0,
0x75, 0x50, 0xEB, 0xB3, 0x65, 0xFB, 0x05, 0xCE, 0xC0, 0xCF,
0x58, 0x24, 0xFB, 0x1C, 0x94, 0x4B, 0x6A, 0x15, 0xEF, 0x32,
0xB3, 0x9B, 0x63, 0x91, 0xC2, 0x61, 0xE6, 0x66, 0x0A, 0xCA,
0xA8, 0xE5, 0x5B, 0x98, 0x95, 0x52, 0xAA, 0x9F, 0xC5, 0xB0,
0x9D, 0x3A, 0x98, 0x43, 0x2D, 0x7D, 0x14, 0x74, 0x34, 0x6B,
0xB1, 0x11, 0x19, 0x64, 0x07, 0x7D, 0x11, 0x0B, 0x13, 0x77,
0xE4, 0x46, 0x86, 0xEF, 0x2B, 0x7F, 0x5E, 0x05, 0xF1, 0xB4,
0x12, 0xC3, 0xAB, 0x34, 0xCA, 0x64, 0x62, 0x76, 0xA1, 0xDF,
0x37, 0x8F, 0xBF, 0xFA, 0xB3, 0x5C, 0xE4, 0x59, 0x84, 0x22,
0xD1, 0x26, 0x8B, 0x5F, 0x8D, 0x44, 0x92, 0xD5, 0xDD, 0x61,
0x0F, 0xF2, 0xA1, 0xC9, 0x02, 0x9C, 0x6F, 0xAC, 0x4A, 0x36,
0x99, 0x19, 0xDF, 0xF3, 0x20, 0xBF, 0xD9, 0x02, 0xAE, 0x08,
0xF7, 0xC0, 0x6D, 0xA8, 0x24, 0x93, 0x94, 0xD4, 0x40, 0xF9,
0x67, 0xE2, 0x5C, 0x3B, 0x37, 0xDF, 0xC8, 0xDB, 0x70, 0x18,
0xC5, 0xA2, 0x55, 0x5A, 0x04, 0xB6, 0x40, 0x63, 0xDE, 0xF6,
0x4C, 0x78, 0x6F, 0xC7, 0xC2, 0x59, 0xB6, 0x8B, 0xF4, 0x35,
0x31, 0x19, 0x4F, 0xE2, 0x56, 0x39, 0x50, 0x5C, 0x65, 0x0C,
0x29, 0xF2, 0x22, 0xE1, 0x35, 0x51, 0xE1, 0x91, 0x89, 0x52,
0xF3, 0x64 };
/*
 * Second XOR table, 513 bytes.  decrypt_block() walks it with an index
 * that wraps to 0 at 513, one entry longer than the wrap point used for
 * CRYPT1, so the two indexes drift apart by one position per CRYPT1 cycle.
 *
 * Like CRYPT1 this is a fixed constant compiled into the tool, and it is
 * declared as plain char, so entries >= 0x80 depend on implementation-
 * defined conversion where char is signed; only the low 8 bits of the XOR
 * result are stored.
 */
char CRYPT2[513] = { 0xB8, 0xE4, 0x0F, 0xD5, 0xAC, 0x6B, 0x38, 0x5F, 0x4F, 0x75,
0x21, 0x0F, 0x38, 0x3B, 0x43, 0x0D, 0x9F, 0xD8, 0x46, 0xCA,
0xB0, 0x7C, 0x26, 0x71, 0x6D, 0xCA, 0xB4, 0x48, 0xBE, 0x3C,
0x96, 0xAE, 0xCE, 0x63, 0x88, 0xC2, 0x9A, 0x63, 0x49, 0x5F,
0xEF, 0xB9, 0x1F, 0xB8, 0x46, 0x66, 0x98, 0xF3, 0x95, 0xB9,
0xBF, 0xBA, 0x15, 0x47, 0x56, 0x3A, 0x70, 0x88, 0x0A, 0x8D,
0x20, 0x3C, 0x2E, 0x1A, 0x76, 0xDE, 0xE8, 0xB6, 0x9A, 0x65,
0x6B, 0xD8, 0x93, 0xF1, 0x55, 0xC5, 0x65, 0xA7, 0x97, 0xF3,
0xC7, 0x43, 0x2E, 0xED, 0xA5, 0x19, 0x80, 0xB4, 0xFE, 0x39,
0x02, 0xD2, 0xDE, 0xF7, 0x4D, 0x31, 0x61, 0x10, 0xC0, 0x45,
0x26, 0x9D, 0x37, 0x94, 0x2C, 0x19, 0xA7, 0xC7, 0x1A, 0xAC,
0xD8, 0xEC, 0xFA, 0x9D, 0x2E, 0x18, 0xFB, 0x8E, 0x26, 0x25,
0xAD, 0x43, 0xC0, 0x59, 0x3B, 0x6E, 0x55, 0xFA, 0x27, 0x18,
0x21, 0xED, 0x36, 0x54, 0x04, 0xB9, 0x9B, 0x54, 0x5E, 0x12,
0x31, 0x9E, 0x86, 0xBC, 0xD6, 0x7A, 0x54, 0xF2, 0x02, 0x8B,
0x39, 0xC1, 0x4A, 0xAD, 0x3D, 0x3A, 0x12, 0x5A, 0x90, 0x3D,
0xD5, 0x6F, 0x4E, 0x30, 0xE5, 0xFC, 0xAF, 0x75, 0x10, 0xB2,
0x0E, 0xE2, 0x8A, 0x9F, 0x46, 0x2B, 0x34, 0xEA, 0x87, 0x73,
0xB7, 0x39, 0x51, 0x9B, 0xAB, 0x62, 0x27, 0xA8, 0xF1, 0xD7,
0xE7, 0xF2, 0xE3, 0xAE, 0x9F, 0x21, 0x8F, 0x8F, 0x70, 0x0D,
0x4B, 0x0D, 0x7B, 0x25, 0xFC, 0xC9, 0x8C, 0xF6, 0xD5, 0x21,
0xC1, 0xC8, 0xF9, 0x75, 0xAD, 0xE7, 0xA7, 0xB3, 0xF5, 0x31,
0xB1, 0xF6, 0x66, 0x7B, 0xCA, 0x34, 0xDA, 0xCD, 0x37, 0xAB,
0x80, 0x44, 0x2F, 0x1C, 0x5B, 0xD3, 0x05, 0x94, 0x65, 0xC7,
0xDC, 0xC3, 0x82, 0xAF, 0x8F, 0xA6, 0x56, 0x62, 0x28, 0x54,
0x7E, 0xF8, 0xEE, 0x49, 0x78, 0xD9, 0x4B, 0xA8, 0x81, 0xDD,
0x3B, 0x71, 0xD2, 0x36, 0xB9, 0x18, 0xC9, 0x2D, 0xD7, 0x78,
0xFD, 0x66, 0xE7, 0x85, 0xF2, 0x0F, 0xFC, 0xEB, 0x8B, 0x93,
0x76, 0x48, 0x53, 0xF8, 0x05, 0x94, 0x93, 0xAC, 0x68, 0xE2,
0x3A, 0xB2, 0xE4, 0x65, 0x8B, 0x47, 0x75, 0x49, 0xF4, 0x5F,
0x59, 0x64, 0x5A, 0x16, 0x3B, 0xB2, 0xB7, 0x37, 0x50, 0xA3,
0xBA, 0x4B, 0xB4, 0xE6, 0xAF, 0x9A, 0xC7, 0x6E, 0x15, 0x51,
0x88, 0xB5, 0xE0, 0xFA, 0x09, 0xB4, 0x90, 0x47, 0xDD, 0x3D,
0x86, 0x90, 0xA9, 0x12, 0x30, 0x2F, 0x79, 0x83, 0xDF, 0xF1,
0xA8, 0x2D, 0xC9, 0xBC, 0xFB, 0xBD, 0x61, 0x93, 0x3F, 0x18,
0xB9, 0x38, 0x5C, 0xCA, 0x20, 0x58, 0x3B, 0x1C, 0xF3, 0xD9,
0x56, 0xBE, 0x5F, 0x1A, 0x3E, 0x0F, 0x18, 0xD5, 0xF1, 0xA2,
0xFD, 0x8B, 0xB0, 0x27, 0x67, 0x0F, 0xB8, 0x4D, 0x51, 0xEB,
0x8B, 0x2C, 0x50, 0x14, 0xDC, 0xD2, 0xAD, 0x7E, 0x06, 0xFE,
0x6A, 0x4D, 0x26, 0x38, 0x37, 0x9E, 0x77, 0x16, 0xBF, 0xB4,
0xA0, 0xF9, 0x0A, 0x64, 0x0E, 0x7F, 0xD0, 0xF4, 0xE5, 0x72,
0x82, 0x72, 0xC8, 0x7A, 0xB7, 0xEC, 0x8D, 0x53, 0x14, 0x2D,
0xA5, 0x98, 0xAD, 0xBE, 0x17, 0x83, 0x42, 0xD4, 0xC4, 0x04,
0xE7, 0xC2, 0x4D, 0x20, 0x05, 0xDE, 0xAA, 0xE8, 0x09, 0xE7,
0x45, 0x15, 0x74, 0xEF, 0x7F, 0x6E, 0x38, 0x76, 0xAA, 0x5B,
0x44, 0xCC, 0xFD, 0x82, 0x12, 0xF6, 0xDA, 0x33, 0x84, 0x0A,
0x6A, 0x5B, 0x34, 0xE7, 0x9E, 0x22, 0x10, 0xF5, 0x8C, 0xA0,
0xCA, 0x92, 0x58, 0xA1, 0xD0, 0x46, 0x47, 0xDA, 0xF6, 0x43,
0x3C, 0xF1, 0x17, 0x8F, 0x50, 0xE4, 0xFD, 0x33, 0xBD, 0x46,
0x83, 0x41, 0x0E, 0xD5, 0x27, 0x0D, 0xB2, 0x87, 0x86, 0x16,
0x82, 0x1D, 0xDD, 0xE7, 0xE1, 0xEF, 0x29, 0x5D, 0x48, 0xF4,
0xFC, 0xF2, 0x1D };
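/*
 * Compute the starting indexes into the two XOR tables for a keystream
 * position.
 *
 * base: keystream position; only its low 32 bits are used, as before.
 * o1:   receives base mod 512, the starting index into CRYPT1.
 * o2:   receives base mod 513, the starting index into CRYPT2.
 *
 * The earlier form computed o1 as (base<<23)>>23, which masks to nine bits
 * only when uintptr_t is 32 bits wide.  With a 64-bit uintptr_t it left o1
 * unreduced, so a caller indexing the 512-entry table with it would read
 * out of bounds.  It computed o2 with a reciprocal multiply by 0xFF803FE1
 * (ceil(2^41 / 513)) carried out in signed long long, which overflows for
 * large inputs.  Plain unsigned remainders give the same values on a
 * 32-bit target and stay in range everywhere.
 */
void
getoffsets(
    uintptr_t base,
    unsigned int * o1,
    unsigned int * o2
)
{
    // Truncation to 32 bits is deliberate and matches the original.
    const unsigned int a = (unsigned int) base;

    *o1 = a % 512u;
    *o2 = a % 513u;
}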
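/*
 * XOR-decode a buffer in place.
 *
 * buf:   bytes to decode; modified in place.
 * bytes: number of bytes in buf.  The caller must guarantee that buf really
 *        holds this many bytes, because every one of them is written.
 * base:  keystream position used to derive the starting table indexes.
 *
 * Each byte is XORed with one entry from CRYPT1, one from CRYPT2 and the
 * constant 0x37.  The CRYPT1 index wraps at 512 and the CRYPT2 index at 513.
 */
void
decrypt_block(
    unsigned char * buf,
    size_t bytes,
    uintptr_t base
)
{
    unsigned int offset1;
    unsigned int offset2;

    getoffsets( base, &offset1, &offset2 );

    // Reduce defensively so both indexes are in range however getoffsets()
    // computed them; `base` usually comes from an untrusted file header.
    offset1 %= sizeof(CRYPT1);
    offset2 %= sizeof(CRYPT2);

    // size_t index: an unsigned int counter would wrap and never terminate
    // if bytes exceeded UINT_MAX.
    for( size_t i = 0 ; i < bytes ; i++ )
    {
        buf[i] ^= CRYPT1[offset1] ^ CRYPT2[offset2] ^ 0x37;

        if( ++offset1 >= sizeof(CRYPT1) )
            offset1 = 0;
        if( ++offset2 >= sizeof(CRYPT2) )
            offset2 = 0;
    }
}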
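/*
 * Format a file name printf-style and open it.
 *
 * mode: fopen() mode string.
 * fmt:  printf-style format for the file name.  It must be a trusted
 *       format string; untrusted text belongs in the arguments.
 *
 * Returns the opened stream, or NULL if the name could not be formatted,
 * would not fit in the 256-byte buffer, or fopen() failed.
 *
 * vsnprintf() returns the length the full string would have had, so
 * truncation shows up as any value >= the buffer size.  The earlier
 * `len == sizeof(filename)` test caught only one such length and let every
 * longer name through, silently opening a truncated path.
 */
FILE *
sfopen(
    const char * mode,
    const char * fmt,
    ...
)
{
    char filename[ 256 ];
    va_list ap;

    va_start( ap, fmt );
    const int len = vsnprintf( filename, sizeof(filename), fmt, ap );
    va_end( ap );

    if( len < 0 || (size_t) len >= sizeof(filename) )
    {
        fprintf( stderr, "File name too long or could not be formatted\n" );
        return NULL;
    }

    fprintf( stderr, "Opening '%s'\n", filename );

    FILE * fp = fopen( filename, mode );
    if( !fp )
        perror( filename );

    return fp;
}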
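/*
 * Split a firmware image into its parts.
 *
 * Usage: prog inputfile [out_dir [files_prefix]]
 *
 * Writes <inputfile>.csv (a report of the header words) and, under out_dir,
 * <prefix>.0.header.bin, <prefix>.1.flasher.bin (XOR-decoded),
 * <prefix>.2.data_head.bin and <prefix>.3.data_body.bin.
 *
 * The input file is untrusted.  Its size is checked against the header
 * size, and the header's data_offset is checked against the real file size
 * before it is used in pointer arithmetic.  Without those checks a short
 * file or a crafted data_offset makes the size computations wrap around,
 * so the program reads and writes outside the heap buffer.
 *
 * Returns EXIT_SUCCESS on success and EXIT_FAILURE on any error.
 */
int
main(
    int argc,
    char ** argv
)
{
    // Size of the block written to the data_head output file.
    enum { DATA_HEAD_SIZE = 0x18 };

    if( argc <= 1 )
    {
        fprintf( stderr,
            "Usage: %s inputfile [out_dir [files_prefix]]\n",
            argv[0]
        );
        return EXIT_FAILURE;
    }

    const char * input_file = argv[1];
    const char * out_dir = argc <= 2 ? "." : argv[2];
    const char * prefix = argc <= 3 ? input_file : argv[3];
    const size_t hdr_size = sizeof(struct fw_header_t);

    int rc = EXIT_FAILURE;
    FILE * in = NULL;
    FILE * rep = NULL;
    FILE * out = NULL;
    unsigned char * data = NULL;
    struct fw_header_t * hdr = NULL;
    long end_pos = 0;
    uint32_t file_size = 0;
    uint32_t data_offset = 0;
    uint32_t data_len = 0;
    uint32_t i;

    // Best effort: the directory may already exist.  A real failure shows
    // up when the first output file cannot be opened.
    mkdir( out_dir, 0777 );

    in = fopen( input_file, "rb" );
    if( !in )
    {
        perror( input_file );
        goto done;
    }

    rep = sfopen( "wb", "%s.csv", input_file );
    if( !rep )
        goto done;

    if( fseek( in, 0, SEEK_END ) != 0
    ||  (end_pos = ftell( in )) < 0
    ||  fseek( in, 0, SEEK_SET ) != 0 )
    {
        perror( input_file );
        goto done;
    }

    // Header fields are 32-bit; reject files they cannot describe, and
    // files too short to contain the header that is overlaid below.
    if( (unsigned long) end_pos > UINT32_MAX
    ||  (size_t) end_pos < hdr_size )
    {
        fprintf( stderr, "%s: unsupported file size\n", input_file );
        goto done;
    }
    file_size = (uint32_t) end_pos;

    data = malloc( file_size );
    if( !data )
    {
        perror( "malloc" );
        goto done;
    }

    fprintf( rep, "head,,%s\n", input_file );
    fprintf( rep, "file size,,0x%8.8X\n", file_size );

    if( fread( data, file_size, 1, in ) != 1 )
    {
        fprintf( stderr, "%s: short read\n", input_file );
        goto done;
    }
    fclose( in );
    in = NULL;

    hdr = (void*) data;
    data_offset = hdr->data_offset;
    data_len = hdr->data_len;

    // version is a fixed-width field that may lack a terminating NUL, so
    // bound the print to the field width.
    printf( "Firmware version: '%.*s' model %08x\n",
        (int) sizeof(hdr->version),
        hdr->version,
        hdr->model_id
    );
    printf( "Body length/offset: 0x%x + 0x%x\n",
        data_len,
        data_offset
    );
    printf( "CRC32: %08x\n", hdr->crc );

    out = sfopen( "wb", "%s/%s.0.header.bin", out_dir, prefix );
    if( !out )
        goto done;
    fwrite( hdr, hdr_size, 1, out );
    fclose( out );
    out = NULL;

    for( i=0 ; i<hdr_size/4 ; i++ )
    {
        uint32_t *arr = (uint32_t*) hdr;
        fprintf( rep, ",0x%2.2X,0x%8.8X\n", i*4, arr[i] );
    }

    // data_offset comes from the file.  It must lie past the header and
    // leave room for the data head inside the file; otherwise the
    // subtractions below wrap around to huge sizes.
    if( data_offset < hdr_size
    ||  data_offset > file_size
    ||  file_size - data_offset < DATA_HEAD_SIZE )
    {
        fprintf( stderr,
            "%s: data offset 0x%x out of range for file size 0x%x\n",
            input_file,
            data_offset,
            file_size
        );
        goto done;
    }

    out = sfopen( "wb", "%s/%s.1.flasher.bin", out_dir, prefix );
    if( !out )
        goto done;
    // data_len is passed as the keystream base, as in the original; it is
    // not used as a length here.
    decrypt_block( data+hdr_size, data_offset-hdr_size, data_len );
    fwrite( data+hdr_size, data_offset-hdr_size, 1, out );
    fclose( out );
    out = NULL;

    out = sfopen( "wb", "%s/%s.2.data_head.bin", out_dir, prefix );
    if( !out )
        goto done;
    fwrite( data+data_offset, DATA_HEAD_SIZE, 1, out );
    fclose( out );
    out = NULL;

    fprintf( rep, "data head\n" );

    out = sfopen( "wb", "%s/%s.3.data_body.bin", out_dir, prefix );
    if( !out )
        goto done;
    // The data body is written as stored in the file; no decoding is
    // applied to it here.
    fwrite(
        data + data_offset + DATA_HEAD_SIZE,
        file_size - data_offset - DATA_HEAD_SIZE,
        1,
        out
    );
    fclose( out );
    out = NULL;

    rc = EXIT_SUCCESS;

done:
    if( out )
        fclose( out );
    if( rep )
        fclose( rep );
    if( in )
        fclose( in );
    free( data );
    return rc;
}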