Re: [concordance-devel] Houston, we have a firmware checksum algorithm!

Thu, 20 Mar 2008 22:02:26 -0700 

Phil Dibowitz wrote:
> You rule. Seriously man, you are awesome! Thanks! I can't wait to get back
> home and merge this code and get some testers behind it.

Thanks:-)

I've attached a libconcord patch that implements this. It's been tested
on both 880 firmwares that I have.

It replaces the previous patch I sent for 48/47 byte location
parameterization.

? concordance/.concordance.c.swp
? concordance/.deps
? concordance/.libs
? concordance/Makefile
? concordance/Makefile.in
? concordance/aclocal.m4
? concordance/autom4te.cache
? concordance/concordance
? concordance/config.guess
? concordance/config.h
? concordance/config.h.in
? concordance/config.log
? concordance/config.status
? concordance/config.sub
? concordance/configure
? concordance/depcomp
? concordance/install-sh
? concordance/libtool
? concordance/ltmain.sh
? concordance/missing
? concordance/stamp-h1
? libconcord/.deps
? libconcord/.libconcord.cpp.swp
? libconcord/.libconcord.h.swp
? libconcord/.libs
? libconcord/.remote_info.h.swp
? libconcord/Makefile
? libconcord/Makefile.in
? libconcord/aclocal.m4
? libconcord/autom4te.cache
? libconcord/binaryfile.lo
? libconcord/config.guess
? libconcord/config.h
? libconcord/config.h.in
? libconcord/config.log
? libconcord/config.status
? libconcord/config.sub
? libconcord/configure
? libconcord/depcomp
? libconcord/install-sh
? libconcord/libconcord.la
? libconcord/libconcord.lo
? libconcord/libtool
? libconcord/libusbhid.lo
? libconcord/ltmain.sh
? libconcord/missing
? libconcord/remote.lo
? libconcord/remote_z.lo
? libconcord/stamp-h1
? libconcord/usblan.lo
? libconcord/web.lo
Index: libconcord/libconcord.cpp
===================================================================
RCS file: /cvsroot/concordance/concordance/libconcord/libconcord.cpp,v
retrieving revision 1.11
diff -u -r1.11 libconcord.cpp
--- libconcord/libconcord.cpp	14 Mar 2008 23:09:36 -0000	1.11
+++ libconcord/libconcord.cpp	21 Mar 2008 04:59:11 -0000
@@ -736,12 +736,12 @@
 	 * fw_up_base (we know we have a fw_base from previous portion of if),
 	 * to know we're capable of doing it.
 	 *
-	 * IN ADDITION, remotes whose fw_base and fw_up_base are the same
-	 * require extra steps we don't yet support, so don't attempt them,
-	 * in live mode! Hence the last part.
+	 * Also, only allow architectures where we've figured out the
+	 * structure of the initial magic bytes.
 	 */
 	if (ri.arch->firmware_base == 0
-	    || (!direct && ri.arch->firmware_update_base == 0)) {
+	    || (!direct && ri.arch->firmware_update_base == 0)
+	    || (ri.arch->firmware_4847_offset == 0)) {
 		return 0;
 	}
 
@@ -959,43 +959,54 @@
 }
 
 /*
- * The first 6 bytes of the firmware file we receive from the
+ * The first few bytes of the firmware file we receive from the
  * website will be blanked out (0xFF), and we need to fill them
- * in with the magic 6 bytes from the existing firmware.
+ * by calculating appropriate content.
  *
  * So why don't we always do this? If the user has a dump from us,
- * it already has the right first 6 bytes... and if somehow the
+ * it already has the right initial bytes... and if somehow the
  * firmware on the device is messed up, we don't want to ignore
  * that useful data in the file.
  *
- * So we only retreive it from the remote if it isn't given to us.
+ * So we only overwrite the initial bytes if they are missing.
  * For most users, that will be all the time.
  *
  *   - Phil Dibowitz    Tue Mar 11 23:17:53 PDT 2008
  */
-int _fix_six_magic_bytes(uint8_t *in)
+int _fix_magic_bytes(uint8_t *in)
 {
-	int err = 0;
-
 	if (in[0] == 0xFF && in[1] == 0xFF) {
 		/*
-		 * FIXME: This is HORRIBLE and will only work
-		 * 	for the LATEST firmware (at time of writing)
-		 * 	but it's simply a place holder. These two
-		 * 	bytes are some magic "value" - perhaps
-		 * 	a checksum, perhaps something else. Until
-		 * 	we figure it out, we'll hardcode the latest.
+		 * There are "always" two bytes at some location that
+		 * contain 0x48 and 0x47.
+		 *
+		 * Note: For some arch's (10 currently) we haven't
+		 * investigated where these go, hence the check for
+		 * a valid location in _is_fw_update_supported.
+		 *
+		 * Note: Arch 2 may be an exception to rule, and needs
+		 * more investigation.
 		 */
-		in[0] = 0xFB;
-		in[1] = 0x85;
+		in[ri.arch->firmware_4847_offset] = 0x48;
+		in[ri.arch->firmware_4847_offset + 1] = 0x47;
 
 		/*
-		 * These two bytes are "always" 0x48 and 0x47, at least
-		 * for architecture 8, which is all we've thus-far figured
-		 * out definitively.
+		 * The first 2 bytes are a simple 16-bit checksum, computed
+		 * beginning at the location of the hard-coded 0x48/0x47
+		 * bytes through the end of the firmware.
 		 */
-		in[4] = 0x48;
-		in[5] = 0x47;
+		uint8_t suma = 0x21;
+		uint8_t sumb = 0x43;
+		for (
+			uint32_t index = ri.arch->firmware_4847_offset;
+			index < FIRMWARE_SIZE;
+			index += 2
+		) {
+			suma ^= in[index];
+			sumb ^= in[index + 1];
+		}
+		in[0] = suma;
+		in[1] = sumb;
 	}
 
 	return 0;
@@ -1018,7 +1029,7 @@
 		addr = ri.arch->firmware_base;
 	}
 
-	if ((err = _fix_six_magic_bytes(in))) {
+	if ((err = _fix_magic_bytes(in))) {
 		return LC_ERROR_READ;
 	}
 
Index: libconcord/libconcord.h
===================================================================
RCS file: /cvsroot/concordance/concordance/libconcord/libconcord.h,v
retrieving revision 1.8
diff -u -r1.8 libconcord.h
--- libconcord/libconcord.h	14 Mar 2008 09:23:01 -0000	1.8
+++ libconcord/libconcord.h	21 Mar 2008 04:59:11 -0000
@@ -393,5 +393,5 @@
 }
 #endif
 
-#endif // LIBCONCORD_H
+#endif /* LIBCONCORD_H */
 
Index: libconcord/remote.h
===================================================================
RCS file: /cvsroot/concordance/concordance/libconcord/remote.h,v
retrieving revision 1.13
diff -u -r1.13 remote.h
--- libconcord/remote.h	14 Mar 2008 23:09:36 -0000	1.13
+++ libconcord/remote.h	21 Mar 2008 04:59:11 -0000
@@ -68,6 +68,7 @@
 	uint32_t	firmware_base;
 	uint32_t	config_base;
 	uint32_t	firmware_update_base;
+	uint32_t	firmware_4847_offset;
 	uint32_t	cookie;
 	uint32_t	cookie_size;
 	uint32_t	end_vector;
Index: libconcord/remote_info.h
===================================================================
RCS file: /cvsroot/concordance/concordance/libconcord/remote_info.h,v
retrieving revision 1.4
diff -u -r1.4 remote_info.h
--- libconcord/remote_info.h	9 Mar 2008 01:50:48 -0000	1.4
+++ libconcord/remote_info.h	21 Mar 2008 04:59:11 -0000
@@ -116,18 +116,18 @@
 };
 
 static const TArchInfo ArchList[11]={
-//        fl_base,  fw_base,    config_base,    fw_up_base,	cookie,		ck_sz,	endvec, micro,		fl_sz,	ram_sz, ee_sz, usb
-	{ 0,        0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 0
-	{ 0,	    0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 1
-	{ 0x000000, 0,		0x006000,	0,		0x03A5,		2,	2,	"PIC16LF877",	8,	368,	256,	"USBN9603" },	// 2 - 745
-	{ 0x000000, 0x010000,	0x020000,	0x020000,	0x0369,		2,	2,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 3 - 748,768
-	{ 0,	    0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 4
-	{ 0,	    0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 5
-	{ 0,	    0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 6
-	{ 0x000000, 0x010000,	0x020000,	0x020000,	0x4D424D42,	4,	5,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 7 - 600 Series
-	{ 0x000000, 0x010000,	0x020000,	0x1D0000,	0x50545054,	4,	4,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 8 - 880
-	{ 0x800000, 0x810000,	0x820000,	0x810000,	0x4D434841,	4,	4,	"PIC18LF4550",	16,	2048,	256,	"Internal" },	// 9 - 360/520/550
-	{ 0x000000, 0x010000,	0x020000,	0,		0x1, /*hack*/ 	4,	4,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 10 - 890
+//        fl_base,  fw_base,    config_base,    fw_up_base,	fw_4847_off,	cookie,		ck_sz,	endvec, micro,		fl_sz,	ram_sz, ee_sz, usb
+	{ 0,        0,		0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 0
+	{ 0,	    0,		0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 1
+	{ 0x000000, 0,		0x006000,	0,		0,		0x03A5,		2,	2,	"PIC16LF877",	8,	368,	256,	"USBN9603" },	// 2 - 745
+	{ 0x000000, 0x010000,	0x020000,	0x020000,	2,		0x0369,		2,	2,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 3 - 748,768
+	{ 0,	    0,		0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 4
+	{ 0,	    0,		0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 5
+	{ 0,	    0,		0,		0,		0,		0,		0,	0,	"",		0,	0,	0,	"" },			// 6
+	{ 0x000000, 0x010000,	0x020000,	0x020000,	2,		0x4D424D42,	4,	5,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 7 - 600 Series
+	{ 0x000000, 0x010000,	0x020000,	0x1D0000,	4,		0x50545054,	4,	4,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 8 - 880
+	{ 0x800000, 0x810000,	0x820000,	0x810000,	4,		0x4D434841,	4,	4,	"PIC18LF4550",	16,	2048,	256,	"Internal" },	// 9 - 360/520/550
+	{ 0x000000, 0x010000,	0x020000,	0,		0,		0x1, /*hack*/ 	4,	4,	"PIC18LC801",	0,	1536,	0,	"USBN9604" },	// 10 - 890
 };
 
 #endif

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
concordance-devel mailing list
concordance-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/concordance-devel

Reply via email to