]> cvs.zerfleddert.de Git - proxmark3-svn/blame - client/flash.c
added EMV tag #9F6E (#676)
[proxmark3-svn] / client / flash.c
CommitLineData
a553f267 1//-----------------------------------------------------------------------------
8fe1a992 2// Copyright (C) 2010 Hector Martin "marcan" <marcan@marcansoft.com>
3//
a553f267 4// This code is licensed to you under the terms of the GNU GPL, version 2 or,
5// at your option, any later version. See the LICENSE.txt file for the text of
6// the license.
7//-----------------------------------------------------------------------------
8fe1a992 8// ELF file flasher
a553f267 9//-----------------------------------------------------------------------------
10
6e4d4ee6 11#include <stdio.h>
6e4d4ee6 12#include <string.h>
83a9b236 13#include <stdlib.h>
43534cba 14#include <inttypes.h>
acf0582d 15#include <unistd.h>
125a98a1 16#include "proxmark3.h"
acf0582d 17#include "util.h"
ec9c7112 18#include "util_posix.h"
6e4d4ee6 19#include "flash.h"
2cab856f 20#include "elf.h"
8fe1a992 21#include "proxendian.h"
28fdb04f 22#include "usb_cmd.h"
ad939de5 23#include "comms.h"
6e4d4ee6 24
8fe1a992 25#define FLASH_START 0x100000
26#define FLASH_SIZE (256*1024)
27#define FLASH_END (FLASH_START + FLASH_SIZE)
28#define BOOTLOADER_SIZE 0x2000
29#define BOOTLOADER_END (FLASH_START + BOOTLOADER_SIZE)
30
28fdb04f 31#define BLOCK_SIZE 0x200
8fe1a992 32
33static const uint8_t elf_ident[] = {
34 0x7f, 'E', 'L', 'F',
35 ELFCLASS32,
36 ELFDATA2LSB,
37 EV_CURRENT
38};
39
f5ecd97b 40
8fe1a992 41// Turn PHDRs into flasher segments, checking for PHDR sanity and merging adjacent
42// unaligned segments if needed
44964fd1 43static int build_segs_from_phdrs(flash_file_t *ctx, FILE *fd, Elf32_Phdr *phdrs, uint16_t num_phdrs)
7fe9b0b7 44{
8fe1a992 45 Elf32_Phdr *phdr = phdrs;
46 flash_seg_t *seg;
47 uint32_t last_end = 0;
48
49 ctx->segments = malloc(sizeof(flash_seg_t) * num_phdrs);
50 if (!ctx->segments) {
51 fprintf(stderr, "Out of memory\n");
52 return -1;
53 }
54 ctx->num_segs = 0;
55 seg = ctx->segments;
56
57 fprintf(stderr, "Loading usable ELF segments:\n");
58 for (int i = 0; i < num_phdrs; i++) {
59 if (le32(phdr->p_type) != PT_LOAD) {
60 phdr++;
61 continue;
62 }
63 uint32_t vaddr = le32(phdr->p_vaddr);
64 uint32_t paddr = le32(phdr->p_paddr);
65 uint32_t filesz = le32(phdr->p_filesz);
66 uint32_t memsz = le32(phdr->p_memsz);
67 uint32_t offset = le32(phdr->p_offset);
68 uint32_t flags = le32(phdr->p_flags);
69 if (!filesz) {
70 phdr++;
71 continue;
72 }
73 fprintf(stderr, "%d: V 0x%08x P 0x%08x (0x%08x->0x%08x) [%c%c%c] @0x%x\n",
74 i, vaddr, paddr, filesz, memsz,
75 flags & PF_R ? 'R' : ' ',
76 flags & PF_W ? 'W' : ' ',
77 flags & PF_X ? 'X' : ' ',
78 offset);
79 if (filesz != memsz) {
80 fprintf(stderr, "Error: PHDR file size does not equal memory size\n"
81 "(DATA+BSS PHDRs do not make sense on ROM platforms!)\n");
82 return -1;
83 }
84 if (paddr < last_end) {
85 fprintf(stderr, "Error: PHDRs not sorted or overlap\n");
86 return -1;
87 }
88 if (paddr < FLASH_START || (paddr+filesz) > FLASH_END) {
89 fprintf(stderr, "Error: PHDR is not contained in Flash\n");
90 return -1;
91 }
92 if (vaddr >= FLASH_START && vaddr < FLASH_END && (flags & PF_W)) {
93 fprintf(stderr, "Error: Flash VMA segment is writable\n");
94 return -1;
95 }
96
97 uint8_t *data;
98 // make extra space if we need to move the data forward
99 data = malloc(filesz + BLOCK_SIZE);
100 if (!data) {
101 fprintf(stderr, "Out of memory\n");
102 return -1;
103 }
104 if (fseek(fd, offset, SEEK_SET) < 0 || fread(data, 1, filesz, fd) != filesz) {
105 fprintf(stderr, "Error while reading PHDR payload\n");
106 free(data);
107 return -1;
108 }
109
110 uint32_t block_offset = paddr & (BLOCK_SIZE-1);
111 if (block_offset) {
112 if (ctx->num_segs) {
113 flash_seg_t *prev_seg = seg - 1;
114 uint32_t this_end = paddr + filesz;
115 uint32_t this_firstblock = paddr & ~(BLOCK_SIZE-1);
116 uint32_t prev_lastblock = (last_end - 1) & ~(BLOCK_SIZE-1);
117
118 if (this_firstblock == prev_lastblock) {
119 uint32_t new_length = this_end - prev_seg->start;
120 uint32_t this_offset = paddr - prev_seg->start;
121 uint32_t hole = this_offset - prev_seg->length;
122 uint8_t *new_data = malloc(new_length);
123 if (!new_data) {
124 fprintf(stderr, "Out of memory\n");
125 free(data);
126 return -1;
127 }
128 memset(new_data, 0xff, new_length);
129 memcpy(new_data, prev_seg->data, prev_seg->length);
130 memcpy(new_data + this_offset, data, filesz);
131 fprintf(stderr, "Note: Extending previous segment from 0x%x to 0x%x bytes\n",
132 prev_seg->length, new_length);
133 if (hole)
134 fprintf(stderr, "Note: 0x%x-byte hole created\n", hole);
135 free(data);
136 free(prev_seg->data);
137 prev_seg->data = new_data;
138 prev_seg->length = new_length;
139 last_end = this_end;
140 phdr++;
141 continue;
142 }
143 }
144 fprintf(stderr, "Warning: segment does not begin on a block boundary, will pad\n");
145 memmove(data + block_offset, data, filesz);
146 memset(data, 0xFF, block_offset);
147 filesz += block_offset;
148 paddr -= block_offset;
149 }
150
151 seg->data = data;
152 seg->start = paddr;
153 seg->length = filesz;
154 seg++;
155 ctx->num_segs++;
156
157 last_end = paddr + filesz;
158 phdr++;
159 }
160 return 0;
6e4d4ee6 161}
162
8fe1a992 163// Sanity check segments and check for bootloader writes
164static int check_segs(flash_file_t *ctx, int can_write_bl) {
165 for (int i = 0; i < ctx->num_segs; i++) {
166 flash_seg_t *seg = &ctx->segments[i];
167
168 if (seg->start & (BLOCK_SIZE-1)) {
169 fprintf(stderr, "Error: Segment is not aligned\n");
170 return -1;
171 }
172 if (seg->start < FLASH_START) {
173 fprintf(stderr, "Error: Segment is outside of flash bounds\n");
174 return -1;
175 }
176 if (seg->start + seg->length > FLASH_END) {
177 fprintf(stderr, "Error: Segment is outside of flash bounds\n");
178 return -1;
179 }
180 if (!can_write_bl && seg->start < BOOTLOADER_END) {
181 fprintf(stderr, "Attempted to write bootloader but bootloader writes are not enabled\n");
182 return -1;
183 }
184 }
185 return 0;
186}
187
188// Load an ELF file and prepare it for flashing
ad939de5 189int flash_load(flash_file_t *ctx, const char *name, bool can_write_bl)
8fe1a992 190{
191 FILE *fd = NULL;
192 Elf32_Ehdr ehdr;
193 Elf32_Phdr *phdrs = NULL;
44964fd1 194 uint16_t num_phdrs;
8fe1a992 195 int res;
196
197 fd = fopen(name, "rb");
198 if (!fd) {
199 fprintf(stderr, "Could not open file '%s': ", name);
200 perror(NULL);
201 goto fail;
202 }
203
204 fprintf(stderr, "Loading ELF file '%s'...\n", name);
205
206 if (fread(&ehdr, sizeof(ehdr), 1, fd) != 1) {
207 fprintf(stderr, "Error while reading ELF file header\n");
208 goto fail;
209 }
210 if (memcmp(ehdr.e_ident, elf_ident, sizeof(elf_ident))
211 || le32(ehdr.e_version) != 1)
212 {
213 fprintf(stderr, "Not an ELF file or wrong ELF type\n");
214 goto fail;
215 }
216 if (le16(ehdr.e_type) != ET_EXEC) {
217 fprintf(stderr, "ELF is not executable\n");
218 goto fail;
219 }
220 if (le16(ehdr.e_machine) != EM_ARM) {
221 fprintf(stderr, "Wrong ELF architecture\n");
222 goto fail;
223 }
224 if (!ehdr.e_phnum || !ehdr.e_phoff) {
225 fprintf(stderr, "ELF has no PHDRs\n");
226 goto fail;
227 }
228 if (le16(ehdr.e_phentsize) != sizeof(Elf32_Phdr)) {
229 // could be a structure padding issue...
230 fprintf(stderr, "Either the ELF file or this code is made of fail\n");
231 goto fail;
232 }
233 num_phdrs = le16(ehdr.e_phnum);
234
235 phdrs = malloc(le16(ehdr.e_phnum) * sizeof(Elf32_Phdr));
236 if (!phdrs) {
237 fprintf(stderr, "Out of memory\n");
238 goto fail;
239 }
240 if (fseek(fd, le32(ehdr.e_phoff), SEEK_SET) < 0) {
241 fprintf(stderr, "Error while reading ELF PHDRs\n");
242 goto fail;
243 }
244 if (fread(phdrs, sizeof(Elf32_Phdr), num_phdrs, fd) != num_phdrs) {
245 fprintf(stderr, "Error while reading ELF PHDRs\n");
246 goto fail;
247 }
248
249 res = build_segs_from_phdrs(ctx, fd, phdrs, num_phdrs);
250 if (res < 0)
251 goto fail;
252 res = check_segs(ctx, can_write_bl);
253 if (res < 0)
254 goto fail;
255
66d6ba70 256 free(phdrs);
8fe1a992 257 fclose(fd);
258 ctx->filename = name;
259 return 0;
260
261fail:
262 if (phdrs)
263 free(phdrs);
264 if (fd)
265 fclose(fd);
266 flash_free(ctx);
267 return -1;
268}
6e4d4ee6 269
8fe1a992 270// Get the state of the proxmark, backwards compatible
271static int get_proxmark_state(uint32_t *state)
6e4d4ee6 272{
44964fd1 273 UsbCommand c = {0};
8fe1a992 274 c.cmd = CMD_DEVICE_INFO;
f5ecd97b 275 SendCommand(&c);
28fdb04f 276 UsbCommand resp;
ad939de5 277 WaitForResponse(CMD_UNKNOWN, &resp); // wait for any response. No timeout.
8fe1a992 278
279 // Three outcomes:
280 // 1. The old bootrom code will ignore CMD_DEVICE_INFO, but respond with an ACK
281 // 2. The old os code will respond with CMD_DEBUG_PRINT_STRING and "unknown command"
282 // 3. The new bootrom and os codes will respond with CMD_DEVICE_INFO and flags
283
284 switch (resp.cmd) {
285 case CMD_ACK:
286 *state = DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM;
287 break;
288 case CMD_DEBUG_PRINT_STRING:
289 *state = DEVICE_INFO_FLAG_CURRENT_MODE_OS;
290 break;
291 case CMD_DEVICE_INFO:
292 *state = resp.arg[0];
293 break;
294 default:
43534cba 295 fprintf(stderr, "Error: Couldn't get proxmark state, bad response type: 0x%04" PRIx64 "\n", resp.cmd);
8fe1a992 296 return -1;
297 break;
298 }
299
300 return 0;
6e4d4ee6 301}
302
8fe1a992 303// Enter the bootloader to be able to start flashing
3851172d 304static int enter_bootloader(char *serial_port_name)
6e4d4ee6 305{
8fe1a992 306 uint32_t state;
307
308 if (get_proxmark_state(&state) < 0)
309 return -1;
310
311 if (state & DEVICE_INFO_FLAG_CURRENT_MODE_BOOTROM) {
312 /* Already in flash state, we're done. */
313 return 0;
314 }
315
316 if (state & DEVICE_INFO_FLAG_CURRENT_MODE_OS) {
317 fprintf(stderr,"Entering bootloader...\n");
28fdb04f 318 UsbCommand c;
8fe1a992 319 memset(&c, 0, sizeof (c));
320
321 if ((state & DEVICE_INFO_FLAG_BOOTROM_PRESENT)
322 && (state & DEVICE_INFO_FLAG_OSIMAGE_PRESENT))
323 {
324 // New style handover: Send CMD_START_FLASH, which will reset the board
325 // and enter the bootrom on the next boot.
326 c.cmd = CMD_START_FLASH;
28fdb04f 327 SendCommand(&c);
8fe1a992 328 fprintf(stderr,"(Press and release the button only to abort)\n");
329 } else {
330 // Old style handover: Ask the user to press the button, then reset the board
331 c.cmd = CMD_HARDWARE_RESET;
28fdb04f 332 SendCommand(&c);
8fe1a992 333 fprintf(stderr,"Press and hold down button NOW if your bootloader requires it.\n");
334 }
61aaee35 335
f5ecd97b 336 msleep(100);
ad939de5 337 CloseProxmark();
61aaee35 338
ad939de5 339 bool opened = OpenProxmark(serial_port_name, true, 120, true); // wait for 2 minutes
340 if (opened) {
341 fprintf(stderr," Found.\n");
342 return 0;
343 } else {
344 fprintf(stderr,"Error: Proxmark not found.\n");
345 return -1;
346 }
8fe1a992 347 }
348
349 fprintf(stderr, "Error: Unknown Proxmark mode\n");
350 return -1;
6e4d4ee6 351}
352
3851172d 353static int wait_for_ack(void)
6e4d4ee6 354{
f5ecd97b 355 UsbCommand ack;
ad939de5 356 WaitForResponse(CMD_UNKNOWN, &ack);
3851172d 357 if (ack.cmd != CMD_ACK) {
358 printf("Error: Unexpected reply 0x%04" PRIx64 " (expected ACK)\n", ack.cmd);
8fe1a992 359 return -1;
360 }
361 return 0;
6e4d4ee6 362}
363
8fe1a992 364// Go into flashing mode
3851172d 365int flash_start_flashing(int enable_bl_writes,char *serial_port_name)
6e4d4ee6 366{
8fe1a992 367 uint32_t state;
368
3851172d 369 if (enter_bootloader(serial_port_name) < 0)
8fe1a992 370 return -1;
371
372 if (get_proxmark_state(&state) < 0)
373 return -1;
374
375 if (state & DEVICE_INFO_FLAG_UNDERSTANDS_START_FLASH) {
376 // This command is stupid. Why the heck does it care which area we're
377 // flashing, as long as it's not the bootloader area? The mind boggles.
28fdb04f 378 UsbCommand c = {CMD_START_FLASH};
8fe1a992 379
380 if (enable_bl_writes) {
381 c.arg[0] = FLASH_START;
382 c.arg[1] = FLASH_END;
383 c.arg[2] = START_FLASH_MAGIC;
384 } else {
385 c.arg[0] = BOOTLOADER_END;
386 c.arg[1] = FLASH_END;
387 c.arg[2] = 0;
388 }
28fdb04f 389 SendCommand(&c);
8fe1a992 390 return wait_for_ack();
391 } else {
392 fprintf(stderr, "Note: Your bootloader does not understand the new START_FLASH command\n");
393 fprintf(stderr, " It is recommended that you update your bootloader\n\n");
394 }
395
396 return 0;
6e4d4ee6 397}
398
8fe1a992 399static int write_block(uint32_t address, uint8_t *data, uint32_t length)
6e4d4ee6 400{
8fe1a992 401 uint8_t block_buf[BLOCK_SIZE];
402
403 memset(block_buf, 0xFF, BLOCK_SIZE);
404 memcpy(block_buf, data, length);
ad939de5 405 UsbCommand c;
8fe1a992 406 c.cmd = CMD_FINISH_WRITE;
407 c.arg[0] = address;
28fdb04f 408 memcpy(c.d.asBytes, block_buf, length);
ad939de5 409 SendCommand(&c);
410 return wait_for_ack();
6e4d4ee6 411}
412
8fe1a992 413// Write a file's segments to Flash
414int flash_write(flash_file_t *ctx)
6e4d4ee6 415{
8fe1a992 416 fprintf(stderr, "Writing segments for file: %s\n", ctx->filename);
417 for (int i = 0; i < ctx->num_segs; i++) {
418 flash_seg_t *seg = &ctx->segments[i];
419
420 uint32_t length = seg->length;
421 uint32_t blocks = (length + BLOCK_SIZE - 1) / BLOCK_SIZE;
422 uint32_t end = seg->start + length;
423
424 fprintf(stderr, " 0x%08x..0x%08x [0x%x / %d blocks]",
425 seg->start, end - 1, length, blocks);
426
427 int block = 0;
428 uint8_t *data = seg->data;
429 uint32_t baddr = seg->start;
430
431 while (length) {
432 uint32_t block_size = length;
433 if (block_size > BLOCK_SIZE)
434 block_size = BLOCK_SIZE;
435
436 if (write_block(baddr, data, block_size) < 0) {
437 fprintf(stderr, " ERROR\n");
438 fprintf(stderr, "Error writing block %d of %d\n", block, blocks);
439 return -1;
440 }
441
442 data += block_size;
443 baddr += block_size;
444 length -= block_size;
445 block++;
446 fprintf(stderr, ".");
447 }
448 fprintf(stderr, " OK\n");
449 }
450 return 0;
6e4d4ee6 451}
452
8fe1a992 453// free a file context
454void flash_free(flash_file_t *ctx)
7fe9b0b7 455{
8fe1a992 456 if (!ctx)
457 return;
458 if (ctx->segments) {
459 for (int i = 0; i < ctx->num_segs; i++)
460 free(ctx->segments[i].data);
461 free(ctx->segments);
462 ctx->segments = NULL;
463 ctx->num_segs = 0;
464 }
465}
466
467// just reset the unit
3851172d 468int flash_stop_flashing(void) {
28fdb04f 469 UsbCommand c = {CMD_HARDWARE_RESET};
f5ecd97b 470 SendCommand(&c);
471 msleep(100);
472 return 0;
6e4d4ee6 473}
Impressum, Datenschutz