2 * Copyright 2011 Drew Fisher <drew.m.fisher@gmail.com>. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ''AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL DREW FISHER OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * The views and conclusions contained in the software and documentation are
28 * those of the authors and should not be interpreted as representing official
29 * policies, either expressed or implied, of Drew Fisher.
39 static libusb_device_handle *dev;
57 #define LOG(...) printf(__VA_ARGS__)
58 #define fn_le32(x) (x)
59 // TODO: support architectures that aren't little-endian
61 static void dump_bl_cmd(bootloader_command cmd) {
63 for (i = 0; i < 24; i++)
64 LOG("%02X ", ((unsigned char*)(&cmd))[i]);
68 static int get_first_reply(void) {
69 unsigned char buffer[512];
72 res = libusb_bulk_transfer(dev, 0x81, buffer, 512, &transferred, 0);
74 LOG("Error reading first reply: %d\ttransferred: %d (expected %d)\n", res, transferred, 0x60);
77 LOG("Reading first reply: ");
79 for (i = 0; i < transferred; ++i) {
80 LOG("%02X ", buffer[i]);
86 static int get_reply(void) {
89 /* The following is needed because libusb_bulk_transfer might
90 * fail when working on a buffer smaller than 512 bytes.
92 unsigned char dump[512];
97 res = libusb_bulk_transfer(dev, 0x81, reply.dump, 512, &transferred, 0);
98 if (res != 0 || transferred != sizeof(status_code)) {
99 LOG("Error reading reply: %d\ttransferred: %d (expected %lu)\n", res, transferred, sizeof(status_code));
102 if (fn_le32(reply.buffer.magic) != 0x0a6fe000) {
103 LOG("Error reading reply: invalid magic %08X\n", reply.buffer.magic);
106 if (fn_le32(reply.buffer.seq) != seq) {
107 LOG("Error reading reply: non-matching sequence number %08X (expected %08X)\n", reply.buffer.seq, seq);
110 if (fn_le32(reply.buffer.status) != 0) {
111 LOG("Notice reading reply: last uint32_t was nonzero: %d\n", reply.buffer.status);
114 LOG("Reading reply: ");
116 for (i = 0; i < transferred; ++i) {
117 LOG("%02X ", reply.dump[i]);
124 int main(int argc, char** argv) {
125 char default_filename[] = "firmware.bin";
126 char* filename = default_filename;
132 FILE* fw = fopen(filename, "r");
134 fprintf(stderr, "Failed to open %s: %s\n", filename, strerror(errno));
139 libusb_set_debug(0, 3);
141 dev = libusb_open_device_with_vid_pid(NULL, 0x045e, 0x02ad);
143 fprintf(stderr, "Couldn't open device.\n");
147 libusb_set_configuration(dev, 1);
148 libusb_claim_interface(dev, 0);
152 bootloader_command cmd;
153 cmd.magic = fn_le32(0x06022009);
154 cmd.seq = fn_le32(seq);
155 cmd.bytes = fn_le32(0x60);
156 cmd.cmd = fn_le32(0);
157 cmd.write_addr = fn_le32(0x15);
158 cmd.unk = fn_le32(0);
160 LOG("About to send: ");
166 res = libusb_bulk_transfer(dev, 1, (unsigned char*)&cmd, sizeof(cmd), &transferred, 0);
167 if (res != 0 || transferred != sizeof(cmd)) {
168 LOG("Error: res: %d\ttransferred: %d (expected %lu)\n", res, transferred, sizeof(cmd));
171 res = get_first_reply(); // This first one doesn't have the usual magic bytes at the beginning, and is 96 bytes long - much longer than the usual 12-byte replies.
172 res = get_reply(); // I'm not sure why we do this twice here, but maybe it'll make sense later.
175 uint32_t addr = 0x00080000;
176 unsigned char page[0x4000];
179 read = fread(page, 1, 0x4000, fw);
184 cmd.seq = fn_le32(seq);
185 cmd.bytes = fn_le32(read);
186 cmd.cmd = fn_le32(0x03);
187 cmd.write_addr = fn_le32(addr);
188 LOG("About to send: ");
191 res = libusb_bulk_transfer(dev, 1, (unsigned char*)&cmd, sizeof(cmd), &transferred, 0);
192 if (res != 0 || transferred != sizeof(cmd)) {
193 LOG("Error: res: %d\ttransferred: %d (expected %lu)\n", res, transferred, sizeof(cmd));
197 while (bytes_sent < read) {
198 int to_send = (read - bytes_sent > 512 ? 512 : read - bytes_sent);
199 res = libusb_bulk_transfer(dev, 1, &page[bytes_sent], to_send, &transferred, 0);
200 if (res != 0 || transferred != to_send) {
201 LOG("Error: res: %d\ttransferred: %d (expected %d)\n", res, transferred, to_send);
204 bytes_sent += to_send;
208 addr += (uint32_t)read;
212 cmd.seq = fn_le32(seq);
213 cmd.bytes = fn_le32(0);
214 cmd.cmd = fn_le32(0x04);
215 cmd.write_addr = fn_le32(0x00080030);
217 res = libusb_bulk_transfer(dev, 1, (unsigned char*)&cmd, sizeof(cmd), &transferred, 0);
218 if (res != 0 || transferred != sizeof(cmd)) {
219 LOG("Error: res: %d\ttransferred: %d (expected %lu)\n", res, transferred, sizeof(cmd));
224 // Now the device reenumerates.