forked from webhdx/PicoBoot
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathprocess_ipl.py
executable file
·174 lines (130 loc) · 4.69 KB
/
process_ipl.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
#!/usr/bin/env python3
#
# Based on dol2ipl.py from https://github.com/redolution/iplboot
#
# Original source by 9ary, bootrom descrambler reversed by segher
#
from datetime import datetime
import math
import struct
import sys
payload_padding = [
0x81, 0x4a, 0xe6, 0xc8, 0x00, 0x04, 0xc5, 0x77,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
]
def scramble(data):
acc = 0
nacc = 0
t = 0x2953
u = 0xD9C2
v = 0x3FF1
x = 1
it = 0
while it < len(data):
t0 = t & 1
t1 = (t >> 1) & 1
u0 = u & 1
u1 = (u >> 1) & 1
v0 = v & 1
x ^= t1 ^ v0
x ^= u0 | u1
x ^= (t0 ^ u1 ^ v0) & (t0 ^ u0)
if t0 == u0:
v >>= 1
if v0:
v ^= 0xB3D0
if t0 == 0:
u >>= 1
if u0:
u ^= 0xFB10
t >>= 1
if t0:
t ^= 0xA740
nacc = (nacc + 1) % 256
acc = (acc * 2 + x) % 256
if nacc == 8:
data[it] ^= acc
nacc = 0
it += 1
return data
def flatten_dol(data):
header = struct.unpack(">64I", data[:256])
dol_min = min(a for a in header[18:36] if a)
dol_max = max(a + s for a, s in zip(header[18:36], header[36:54]))
img = bytearray(dol_max - dol_min)
for offset, address, length in zip(header[:18], header[18:36], header[36:54]):
img[address - dol_min:address + length - dol_min] = data[offset:offset + length]
# Entry point, load address, memory image
return header[56], dol_min, img
def bytes_to_c_array(data):
p_list = [data[i:i + 4] for i in range(0, len(data), 4)]
return ["0x%08x" % int.from_bytes(b, byteorder='big', signed=False) for b in p_list]
def generate_header_file(elements, executable, input_file, output_file, size):
output = '#include <stdio.h>\n\n'
output += '//\n'
output += '// Command: {0} {1} {2}\n'.format(executable, input_file, output_file)
output += '//\n'
output += '// File: {0}, size: {1} bytes\n'.format(input_file, size)
output += '//\n'
output += '// File generated on {0}\n'.format(datetime.now().strftime("%d.%m.%Y %H:%M:%S"))
output += '//\n\n'
output += 'uint32_t __in_flash("ipl_data") ipl[] = {\n\t'
for num in range(len(elements)):
if num > 0 and num % 4 == 0:
output += '\n\t'
output += elements[num]
if num != len(elements):
output += ', '
output += '\n};\n'
return output
def process_scrambled_ipl(ipl, size):
"""Does additional processing to scrambled IPL payload.
Payload used by PicoBoot has to be preprocessed.
Whole payload has to be aligned to 1K blocks then every bit needs to be duplicated 4 times.
"""
out2 = int.from_bytes(ipl, byteorder='big', signed=False)
out2 = out2 << 1
binary = ''.join([char * 4 for char in format(out2, 'b')])
binary = int(binary, 2)
payload = binary.to_bytes(size * 4, 'big')
return payload
def main():
if len(sys.argv) != 3:
print(f"Usage: {sys.argv[0]} <executable> <output>")
return -1
with open(sys.argv[1], "rb") as f:
exe = bytearray(f.read())
if sys.argv[1].endswith(".dol"):
entry, load, img = flatten_dol(exe)
entry &= 0x017FFFFF
entry |= 0x80000000
load &= 0x017FFFFF
size = len(img)
print(f"Entry point: 0x{entry:0{8}X}")
print(f"Load address: 0x{load:0{8}X}")
print(f"Image size: {size} bytes ({size // 1024}K)")
else:
print("Unknown input format")
return -1
if entry != 0x81300000 or load != 0x01300000:
print("Invalid entry point and base address (must be 0x81300000)")
return -1
payload = bytearray(0x700) + bytearray(payload_padding)+ img
payload_size = size + 0x20; # there are 32 bytes of additional padding needed
if payload_size % 1024 != 0:
new_size_k = math.ceil(payload_size / 1024)
new_size = new_size_k * 1024
print(f"Payload needs to be aligned to {new_size_k}K")
payload += bytearray(new_size - payload_size)
payload_size = new_size
print(f"Output binary size: {payload_size} bytes ({payload_size / 1024}K)")
scrambled_payload = scramble(payload)[0x700:]
payload_size = len(scrambled_payload);
byte_groups = bytes_to_c_array(process_scrambled_ipl(scrambled_payload, payload_size))
output = generate_header_file(byte_groups, sys.argv[0], sys.argv[1], sys.argv[2], size)
with open(sys.argv[2], "w") as f:
f.write(output)
if __name__ == "__main__":
sys.exit(main())