/*
* This file maps functions and variables that can be found in the Acer 0.03.14-ICS bootloader
* and in its patched version.
*
* Copyright (C) 2012 Skrilax_CZ
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
/*
* Please note: Entry point of the application occurs when the bootloader
* is about to check for bootmode (MSC commands).
*
* Initial key state is already stored. Application is entered every time,
* and can override boot mode.
*
* This file contains only functions that are linked to the bootloader binary.
*/
#include "bl_0_03_14.h"
#include "bootimg.h"
/* ===========================================================================
* Thumb Mode functions
* ===========================================================================
*/
/* Mark a function as having no compiler-generated prologue/epilogue, so the
 * incoming argument registers and LR reach the branch target untouched. */
#define NAKED __attribute__((naked))
/* This is a HACK, use linker script */
/* Thumb-mode entry: a plain B to the absolute address. Because it is a branch
 * and not a call, LR still holds our caller's return address and the
 * bootloader routine returns directly to that caller. A Thumb B is
 * pc-relative with a limited reach, so the target has to be within range of
 * wherever this code is placed -- presumably what the linker-script route
 * would take care of. */
#define ASM_THUMB_B(address) __asm__("B " #address "\n")
/* ARM-mode entry: load the address into R12 (IP, a scratch register under
 * AAPCS) and BX to it. BX picks ARM or Thumb state from bit 0 of the
 * address, so the literal must carry the correct low bit for the target. */
#define ASM_ARM_B(address) __asm__("LDR R12, =" #address "\n BX R12")
/*
* GPIO
*/
/* Trampoline to the bootloader's GPIO read routine at 0x10C2FC (Thumb).
 * row/column pass through in R0/R1; the return value in R0 is whatever that
 * routine yields -- its encoding is not established here. */
int NAKED get_gpio(int row, int column) { ASM_THUMB_B(0x10C2FC); }
/*
* Display functions
*/
/* Trampoline to the bootloader's printf-style display routine at 0x10ECB0.
 * fmt is interpreted as a format string by the bootloader, so callers must
 * pass a literal format and put any runtime text behind a "%s" argument;
 * variadic arguments pass through untouched (R0-R3, then the stack). */
void NAKED println_display(const char* fmt, ...) { ASM_THUMB_B(0x10ECB0); }
/* Trampoline to the bootloader's error-display routine at 0x10ED1C; same
 * printf-style contract as println_display, so fmt must never be a buffer
 * under external control. */
void NAKED println_display_error(const char* fmt, ...) { ASM_THUMB_B(0x10ED1C); }
/* Trampoline to the bootloader's boot-logo drawing routine at 0x10CEDC. */
void NAKED print_bootlogo() { ASM_THUMB_B(0x10CEDC); }
/* Trampoline to the bootloader's screen-clear routine at 0x10EDE0. */
void NAKED clear_screen() { ASM_THUMB_B(0x10EDE0); }
/* Trampoline to a framebuffer-related routine at 0x10ED84 whose purpose has
 * not been reverse engineered; the name records only where it was seen. */
void NAKED framebuffer_unknown_call() { ASM_THUMB_B(0x10ED84); }
/*
* Partitions
*/
/* Trampoline to the bootloader's partition-open routine at 0x11E648.
 * partition_handle looks like an out-parameter receiving the handle used by
 * the other partition calls -- confirm against the disassembly. The int
 * return is the bootloader's status code; check it before using the handle. */
int NAKED open_partition(const char* partition, int open_type, int* partition_handle) { ASM_THUMB_B(0x11E648); }
/* Trampoline to the bootloader's partition-tell routine at 0x11E26C.
 * The second parameter is presumably the out-pointer for the current offset
 * (its name "postition" is a typo kept as written). */
int NAKED get_partition_position(int partition_handle, uint64_t* postition) { ASM_THUMB_B(0x11E26C); }
/* Trampoline to the bootloader's partition-seek routine at 0x11E248.
 * The 64-bit offset occupies an even/odd register pair under AAPCS; since the
 * function is naked nothing here reshuffles it, so the layout is exactly what
 * the caller's compiler produced -- verify it matches the bootloader's. */
int NAKED set_partition_position(int partition_handle, int64_t offset, int origin) { ASM_THUMB_B(0x11E248); }
/* Trampoline to the bootloader's partition-read routine at 0x11E1A4.
 * No bounds checking happens in this wrapper; buffer_length is the only thing
 * protecting buffer, and callers should trust *processed_bytes rather than
 * assume the full length was read. */
int NAKED read_partition(int partition_handle, void* buffer, uint32_t buffer_length, uint32_t* processed_bytes) { ASM_THUMB_B(0x11E1A4); }
/* Trampoline to the bootloader's partition-write routine at 0x11E1E0.
 * Writes straight to flash with no confirmation step here; *processed_bytes
 * reports how much was actually written. */
int NAKED write_partition(int partition_handle, void* buffer, uint32_t data_size, uint32_t* processed_bytes) { ASM_THUMB_B(0x11E1E0); }
/* Trampoline to the bootloader's partition-close routine at 0x11E28C. */
int NAKED close_partition(int partition_handle) { ASM_THUMB_B(0x11E28C); }
/* Trampoline to the bootloader's partition-format routine at 0x11E534.
 * Destructive: the partition name is passed through as given, so it must be
 * validated by the caller before reaching this point. */
int NAKED format_partition(const char* partition) { ASM_THUMB_B(0x11E534); }
/* Trampoline to the bootloader's partition-size query at 0x11E790;
 * partition_size is presumably the 64-bit out-parameter. */
int NAKED get_partition_size(const char* partition, uint64_t* partition_size) { ASM_THUMB_B(0x11E790); }
/*
* Miscellaneous
*/
/* Trampoline to the bootloader's routine at 0x10C5C0 that reports whether
 * this is a Wi-Fi-only device; the exact return encoding is not established
 * here. */
int NAKED is_wifi_only() { ASM_THUMB_B(0x10C5C0); }
/* Trampoline to the bootloader's own strtol at 0x1798A8. The signature is
 * the standard one, so this deliberately takes the place of a libc strtol;
 * whether errno/endptr behave exactly as the C standard requires has not been
 * verified. */
long int NAKED strtol(const char* str, char** endptr, int base) { ASM_THUMB_B(0x1798A8); }
void toggle_vibrator(int state) { ASM_THUMB_B(0x10C678); }
/*
* Fastboot
*/
/* Trampoline to the bootloader's routine at 0x11A840 that hands out the
 * fastboot handle (fastboot_handle looks like an out-parameter). The int
 * return is the bootloader's status; check it before using the handle. */
int NAKED fastboot_load_handle(int* fastboot_handle) { ASM_THUMB_B(0x11A840); }
/* Trampoline to the bootloader's routine at 0x11A820 that releases a handle
 * obtained from fastboot_load_handle. */
void NAKED fastboot_unload_handle(int fastboot_handle) { ASM_THUMB_B(0x11A820); }
/*
* Booting
*/
/* Trampoline to the bootloader's boot-image loader at 0x10C898.
 * Presumably fills *bootimg_ptr/*bootimg_size from the named partition.
 * The image header comes from flash, i.e. from data an attacker with write
 * access to that partition controls; any validation of it happens inside the
 * bootloader routine, this wrapper adds none. */
int NAKED android_load_image(struct boot_img_hdr** bootimg_ptr, uint32_t* bootimg_size, const char* partition) { ASM_THUMB_B(0x10C898); }
/* Trampoline to the bootloader's boot routine at 0x10CB40. Transfers control
 * to the loaded image; expected not to return on success. */
void NAKED android_boot_image(struct boot_img_hdr* bootimg, uint32_t bootimg_size, uint32_t ram_base) { ASM_THUMB_B(0x10CB40); }
/* Trampoline to the bootloader's ATAG appender at 0x10F730. size must match
 * what data points at; nothing here checks it. */
int NAKED add_atag(uint32_t atag, uint32_t size, void* data) { ASM_THUMB_B(0x10F730); }
/* ===========================================================================
* Direct device access
* NOTE: Init / Deinit is handled by the binary part
* ===========================================================================
*/
/*
* HS MMC
*/
/* Trampoline to the HS-MMC open routine at 0x14717C. handle looks like an
 * out-parameter for the device handle used by the other hsmmc_* calls. */
int NAKED hsmmc_open(int major, int minor, int** handle) { ASM_THUMB_B(0x14717C); }
/* Trampoline to the HS-MMC close routine at 0x146A80. */
int NAKED hsmmc_close(int* handle) { ASM_THUMB_B(0x146A80); }
/* Trampoline to the HS-MMC ioctl routine at 0x1478D4. Six arguments: the
 * last two travel on the caller's stack per AAPCS and are forwarded as-is.
 * input_size/output_size must describe the real buffer sizes; the bootloader
 * routine is trusted to honour them. */
int NAKED hsmmc_ioctl(int* handle, uint32_t opcode, uint32_t input_size, uint32_t output_size, const void* input_args, void* output_args) { ASM_THUMB_B(0x1478D4); }
/* Trampoline to the HS-MMC power-up routine at 0x14735C. */
int NAKED hsmmc_power_up(int* handle) { ASM_THUMB_B(0x14735C); }
/* Trampoline to the HS-MMC power-down routine at 0x146A54. */
int NAKED hsmmc_power_down(int* handle) { ASM_THUMB_B(0x146A54); }
/* Trampoline to the HS-MMC sector read at 0x14738C. buffer must hold
 * num_sectors whole sectors; the sector size is not established here. */
int NAKED hsmmc_read_sector(int* handle, uint32_t sector, void* buffer, uint32_t num_sectors) { ASM_THUMB_B(0x14738C); }
/* Trampoline to the HS-MMC sector write at 0x1474CC. Raw device write with
 * no partition-table awareness; the caller owns the range check. */
int NAKED hsmmc_write_sector(int* handle, uint32_t sector, void* buffer, uint32_t num_sectors) { ASM_THUMB_B(0x1474CC); }
/*
* SD
*/
/* Trampoline to the SD open routine at 0x144EC0; same shape as hsmmc_open. */
int NAKED sd_open(int major, int minor, int** handle) { ASM_THUMB_B(0x144EC0); }
/* Trampoline to the SD close routine at 0x143E10. */
int NAKED sd_close(int* handle) { ASM_THUMB_B(0x143E10); }
/* Trampoline to the SD ioctl routine at 0x145864; same six-argument contract
 * as hsmmc_ioctl, sizes forwarded unchecked. */
int NAKED sd_ioctl(int* handle, uint32_t opcode, uint32_t input_size, uint32_t output_size, const void* input_args, void* output_args) { ASM_THUMB_B(0x145864); }
/* Trampoline to the SD power-up routine at 0x1450AC. */
int NAKED sd_power_up(int* handle) { ASM_THUMB_B(0x1450AC); }
/* Trampoline to the SD power-down routine at 0x1450F8. */
int NAKED sd_power_down(int* handle) { ASM_THUMB_B(0x1450F8); }
/* Trampoline to the SD sector read at 0x145628. buffer must hold num_sectors
 * whole sectors; data read from a removable card is untrusted input. */
int NAKED sd_read_sector(int* handle, uint32_t sector, void* buffer, uint32_t num_sectors) { ASM_THUMB_B(0x145628); }
/* Trampoline to the SD sector write at 0x14513C; raw write, caller owns the
 * range check. */
int NAKED sd_write_sector(int* handle, uint32_t sector, void* buffer, uint32_t num_sectors) { ASM_THUMB_B(0x14513C); }
/* ===========================================================================
* ARM Mode functions
* ===========================================================================
*/
/*
* Standard library:
*
* You can use your own, of course, but these are found in the bootloader.
* They are defined in the linker script.
*/
/* ===========================================================================
* Functions using a magic argument (need further reverse engineering)
* ===========================================================================
*/
/* Calls the bootloader's reboot routine at 0x11124C.
 *
 * global_handle arrives in R0 (AAPCS). The routine wants a "magic" word
 * instead: this loads the pointer stored at global_handle - 0x608
 * (0xFFFFF9F8 is -0x608 as a 32-bit two's-complement offset), then the word
 * that pointer refers to, and passes that in R0. What the magic word is has
 * not been reverse engineered.
 * NOTE(review): only LR is pushed, so SP is 4 mod 8 at the BL while AAPCS
 * asks for 8-byte alignment at call boundaries -- confirm the callee copes. */
void NAKED reboot(void* global_handle)
{
__asm__
(
"PUSH {LR}\n"
"LDR R1, =0xFFFFF9F8\n" /* -0x608 */
"LDR R0, [R0,R1]\n" /* R0 = *(global_handle - 0x608) */
"LDR R0, [R0]\n" /* R0 = magic */
"BL 0x11124C\n"
"POP {PC}\n"
);
}
/* Calls the bootloader's update-check routine at 0x110DD8 and returns its
 * R0 result unchanged.
 *
 * Derives the magic word from global_handle exactly as reboot() does
 * (pointer at global_handle - 0x608, then the word it points to). A four-byte
 * stack slot is reserved and its address handed over in R1; the original
 * author marked that argument unused, so the callee is assumed not to write
 * through it -- unverified. PUSH {LR} plus SUB #4 keeps SP 8-byte aligned at
 * the BL. */
int NAKED check_bootloader_update(void* global_handle)
{
/* magic is on R0 */
__asm__
(
"PUSH {LR}\n"
"SUB SP, SP, #4\n"
"LDR R1, =0xFFFFF9F8\n" /* -0x608 */
"LDR R0, [R0,R1]\n"
"LDR R0, [R0]\n"
"MOV R1, SP\n" /* unused argument */
"BL 0x110DD8\n"
"ADD SP, SP, #4\n"
"POP {PC}\n"
);
}
/* Fills the caller's buffer with the device serial number via the bootloader
 * routine at 0x153E94.
 *
 * The call is made as (0x24BB40, 8, serial_no): R0 = a fixed address inside
 * the bootloader's data, R1 = 8, R2 = the caller's pointer. The 8 is
 * presumably a length, but whether it counts bytes or 32-bit words is not
 * established here -- confirm before sizing the buffer behind serial_no,
 * since the routine writes through it without any check on this side.
 * NOTE(review): only LR is pushed, so SP is 4 mod 8 at the BL. */
void NAKED get_serial_no(uint32_t* serial_no)
{
__asm__
(
"PUSH {LR}\n"
"MOV R2, R0\n" /* third argument: destination buffer */
"MOV R1, #8\n" /* second argument: length, units unconfirmed */
"LDR R0, =0x24BB40\n" /* first argument: fixed bootloader address */
"BL 0x153E94\n"
"POP {PC}\n"
);
}
/*
* Fastboot related
*/
/* Calls the fastboot initialisation routine at 0x139C1C with a magic word
 * derived from global_handle: the pointer stored at global_handle - 0x5DC
 * (0xFFFFFA24 is -0x5DC as a 32-bit two's-complement offset), then the word
 * it points to. Note the offset differs from the -0x608 used by reboot().
 * NOTE(review): only LR is pushed, so SP is 4 mod 8 at the BL. */
void NAKED fastboot_init_unk0(void* global_handle)
{
__asm__
(
"PUSH {LR}\n"
"LDR R1, =0xFFFFFA24\n" /* -0x5DC */
"LDR R0, [R0,R1]\n"
"LDR R0, [R0]\n"
"BL 0x139C1C\n"
"POP {PC}\n"
);
}
/* Calls the second fastboot initialisation routine at 0x15F6CC, passing the
 * word stored at the fixed bootloader address 0x23ED30 as its only argument.
 * What that word is has not been reverse engineered.
 * NOTE(review): only LR is pushed, so SP is 4 mod 8 at the BL. */
void NAKED fastboot_init_unk1()
{
__asm__
(
"PUSH {LR}\n"
"LDR R0, =0x23ED30\n"
"LDR R0, [R0]\n" /* R0 = *(uint32_t*)0x23ED30 */
"BL 0x15F6CC\n"
"POP {PC}\n"
);
}
/* Sends a fastboot reply through the bootloader routine at 0x11A734 and
 * returns its R0 result.
 *
 * fastboot_handle, command and command_length stay in R0-R2 as received.
 * Two extra arguments are supplied: R3 = 0 as the fourth, and 0x3E8 (1000)
 * in the reserved stack slot as the fifth -- presumably a timeout, units
 * unconfirmed. command_length is the only bound the callee gets; nothing here
 * checks it against the buffer. */
int NAKED fastboot_send(int fastboot_handle, const char *command, uint32_t command_length)
{
__asm__
(
"PUSH {LR}\n"
"SUB SP, SP, #4\n"
"MOV.W R3, #0x3E8\n"
"STR R3, [SP]\n" /* fifth argument = 1000 */
"MOV R3, #0\n" /* fourth argument = 0 */
"BL 0x11A734\n"
"ADD SP, SP, #4\n"
"POP {PC}\n"
);
}
/* Receives a fastboot command through the bootloader routine at 0x11A780
 * and returns its R0 result.
 *
 * The four C arguments stay in R0-R3; a fifth argument of 0 is placed in the
 * reserved stack slot. The data lands in cmd_buffer, which is fed by the USB
 * host and so is untrusted input: buffer_length is the only bound passed and
 * *cmd_length must be consulted before using the contents.
 * NOTE(review): PUSH {R4,LR} plus SUB #4 leaves SP 4 mod 8 at the BL; AAPCS
 * wants 8-byte alignment at call boundaries -- confirm the callee copes. */
int NAKED fastboot_recv0(int fastboot_handle, char* cmd_buffer, uint32_t buffer_length, uint32_t* cmd_length)
{
__asm__
(
"PUSH {R4,LR}\n"
"SUB SP, SP, #4\n"
"MOV R4, #0\n"
"STR R4, [SP]\n" /* fifth argument = 0 */
"BL 0x11A780\n"
"ADD SP, SP, #4\n"
"POP {R4,PC}\n"
);
}
/* Variant of fastboot_recv0 that goes through the bootloader routine at
 * 0x11A6DC instead, which takes six arguments: the four C arguments in
 * R0-R3, then 0 and 0x3E8 (1000) in two reserved stack slots -- the 1000 is
 * presumably a timeout, units unconfirmed. Same untrusted-input caveat on
 * cmd_buffer as fastboot_recv0. PUSH {R4,LR} plus SUB #8 keeps SP 8-byte
 * aligned at the BL. */
int NAKED fastboot_recv5(int fastboot_handle, char* cmd_buffer, uint32_t buffer_length, uint32_t* cmd_length)
{
__asm__
(
"PUSH {R4,LR}\n"
"SUB SP, SP, #8\n"
"MOV.W R4, #0\n"
"STR R4, [SP]\n" /* fifth argument = 0 */
"MOV R4, #0x3E8\n"
"STR R4, [SP, #4]\n" /* sixth argument = 1000 */
"BL 0x11A6DC\n"
"ADD SP, SP, #8\n"
"POP {R4,PC}\n"
);
}
/* ===========================================================================
* Variables
* ===========================================================================
*/
/* Bootloader version */
/* Absolute addresses inside the 0.03.14 bootloader image. They are only
 * meaningful when this code is linked against exactly that binary; on any
 * other bootloader version they alias unrelated memory, so anything that can
 * run on more than one version should compare bootloader_version first. */
const char* bootloader_version = (const char*)0x18EBF8;
/* Framebuffer: pointer to the framebuffer base pointer, and to its size */
uint8_t** framebuffer_ptr = (uint8_t**)0x23EDA8;
uint32_t* framebuffer_size_ptr = (uint32_t*)0x23EDA4;
/* Fastboot unknown: a handle-like variable whose role is not reverse engineered */
int* fastboot_unk_handle_var = (int*)0x23EDAC;