internal SBL3(string FileName) { Binary = null; // First try to parse as FFU try { if (FFU.IsFFU(FileName)) { FFU FFUFile = new(FileName); Binary = FFUFile.GetPartition("SBL3"); } } catch { } // If not succeeded, then try to parse it as raw image if (Binary == null) { byte[] SBL3Pattern = new byte[] { 0x18, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x8F, 0xFF, 0xFF, 0xFF, 0xFF }; byte[] SBL3Mask = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF }; UInt32?Offset = ByteOperations.FindPatternInFile(FileName, SBL3Pattern, SBL3Mask, out byte[] SBL3Header); if (Offset != null) { UInt32 Length = ByteOperations.ReadUInt32(SBL3Header, 0x10) + 0x28; // SBL3 Image Size + Header Size Binary = new byte[Length]; FileStream Stream = new(FileName, FileMode.Open, FileAccess.Read); Stream.Seek((long)Offset, SeekOrigin.Begin); Stream.Read(Binary, 0, (int)Length); Stream.Close(); } } }
internal GPT(byte[] GPTBuffer) { this.GPTBuffer = GPTBuffer; UInt32?TempHeaderOffset = ByteOperations.FindAscii(GPTBuffer, "EFI PART"); if (TempHeaderOffset == null) { throw new WPinternalsException("Bad GPT"); } HeaderOffset = (UInt32)TempHeaderOffset; HeaderSize = ByteOperations.ReadUInt32(GPTBuffer, HeaderOffset + 0x0C); TableOffset = HeaderOffset + 0x200; FirstUsableSector = ByteOperations.ReadUInt64(GPTBuffer, HeaderOffset + 0x28); LastUsableSector = ByteOperations.ReadUInt64(GPTBuffer, HeaderOffset + 0x30); MaxPartitions = ByteOperations.ReadUInt32(GPTBuffer, HeaderOffset + 0x50); PartitionEntrySize = ByteOperations.ReadUInt32(GPTBuffer, HeaderOffset + 0x54); TableSize = MaxPartitions * PartitionEntrySize; if ((TableOffset + TableSize) > GPTBuffer.Length) { throw new WPinternalsException("Bad GPT"); } UInt32 PartitionOffset = TableOffset; while (PartitionOffset < (TableOffset + TableSize)) { string Name = ByteOperations.ReadUnicodeString(GPTBuffer, PartitionOffset + 0x38, 0x48).TrimEnd(new char[] { (char)0, ' ' }); if (Name.Length == 0) { break; } Partition CurrentPartition = new Partition(); CurrentPartition.Name = Name; CurrentPartition.FirstSector = ByteOperations.ReadUInt64(GPTBuffer, PartitionOffset + 0x20); CurrentPartition.LastSector = ByteOperations.ReadUInt64(GPTBuffer, PartitionOffset + 0x28); CurrentPartition.PartitionTypeGuid = ByteOperations.ReadGuid(GPTBuffer, PartitionOffset + 0x00); CurrentPartition.PartitionGuid = ByteOperations.ReadGuid(GPTBuffer, PartitionOffset + 0x10); CurrentPartition.Attributes = ByteOperations.ReadUInt64(GPTBuffer, PartitionOffset + 0x30); Partitions.Add(CurrentPartition); PartitionOffset += PartitionEntrySize; } HasChanged = false; }
internal static void PatchImg(string dump) { using (var fil = File.Open(dump, FileMode.Open)) { byte[] gptbuffer = new byte[0x4200]; fil.Seek(0x200, SeekOrigin.Begin); fil.Read(gptbuffer, 0, 0x4200); uint BackupLBA = ByteOperations.ReadUInt32(gptbuffer, 0x20); uint LastUsableLBA = ByteOperations.ReadUInt32(gptbuffer, 0x30); LogFile.Log("Previous BackupLBA: " + BackupLBA, LogType.ConsoleOnly); LogFile.Log("Previous LastUsableLBA: " + LastUsableLBA, LogType.ConsoleOnly); uint NewBackupLBA = 62078975u; uint NewLastUsableLBA = 62078942u; ByteOperations.WriteUInt32(gptbuffer, 0x20, NewBackupLBA); ByteOperations.WriteUInt32(gptbuffer, 0x30, NewLastUsableLBA); uint HeaderSize = ByteOperations.ReadUInt32(gptbuffer, 0x0C); uint PrevCRC = ByteOperations.ReadUInt32(gptbuffer, 0x10); LogFile.Log("Previous CRC: " + PrevCRC, LogType.ConsoleOnly); ByteOperations.WriteUInt32(gptbuffer, 0x10, 0); uint NewCRC = ByteOperations.CRC32(gptbuffer, 0, HeaderSize); LogFile.Log("New CRC: " + NewCRC, LogType.ConsoleOnly); ByteOperations.WriteUInt32(gptbuffer, 0x10, NewCRC); LogFile.Log("Writing", LogType.ConsoleOnly); fil.Seek(0x200, SeekOrigin.Begin); fil.Write(gptbuffer, 0, 0x4200); LogFile.Log("Done!", LogType.ConsoleOnly); } }
public bool Handshake() { bool Result = true; try { byte[] Hello = Serial.GetResponse(new byte[] { 0x01, 0x00, 0x00, 0x00 }); // Incoming Hello packet: // 00000001 = Hello command id // xxxxxxxx = Length // xxxxxxxx = Protocol version // xxxxxxxx = Supported version // xxxxxxxx = Max packet length // xxxxxxxx = Expected mode // 6 dwords reserved space LogFile.Log("Protocol: 0x" + ByteOperations.ReadUInt32(Hello, 0x08).ToString("X8"), LogType.FileOnly); LogFile.Log("Supported: 0x" + ByteOperations.ReadUInt32(Hello, 0x0C).ToString("X8"), LogType.FileOnly); LogFile.Log("MaxLength: 0x" + ByteOperations.ReadUInt32(Hello, 0x10).ToString("X8"), LogType.FileOnly); LogFile.Log("Mode: 0x" + ByteOperations.ReadUInt32(Hello, 0x14).ToString("X8"), LogType.FileOnly); byte[] HelloResponse = new byte[] { 0x02, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; byte[] Ready = Serial.SendCommand(HelloResponse, new byte[] { 0x03, 0x00, 0x00, 0x00 }); } catch { Result = false; } return(Result); }
internal FFU(string Path) { this.Path = Path; try { OpenFile(); // Read Security Header byte[] ShortSecurityHeader = new byte[0x20]; FFUFile.Read(ShortSecurityHeader, 0, 0x20); if (ByteOperations.ReadAsciiString(ShortSecurityHeader, 0x04, 0x0C) != "SignedImage ") { throw new BadImageFormatException(); } ChunkSize = ByteOperations.ReadInt32(ShortSecurityHeader, 0x10) * 1024; UInt32 SecurityHeaderSize = ByteOperations.ReadUInt32(ShortSecurityHeader, 0x00); UInt32 CatalogSize = ByteOperations.ReadUInt32(ShortSecurityHeader, 0x18); UInt32 HashTableSize = ByteOperations.ReadUInt32(ShortSecurityHeader, 0x1C); SecurityHeader = new byte[RoundUpToChunks(SecurityHeaderSize + CatalogSize + HashTableSize)]; FFUFile.Seek(0, SeekOrigin.Begin); FFUFile.Read(SecurityHeader, 0, SecurityHeader.Length); // Read Image Header byte[] ShortImageHeader = new byte[0x1C]; FFUFile.Read(ShortImageHeader, 0, 0x1C); if (ByteOperations.ReadAsciiString(ShortImageHeader, 0x04, 0x0C) != "ImageFlash ") { throw new BadImageFormatException(); } UInt32 ImageHeaderSize = ByteOperations.ReadUInt32(ShortImageHeader, 0x00); UInt32 ManifestSize = ByteOperations.ReadUInt32(ShortImageHeader, 0x10); ImageHeader = new byte[RoundUpToChunks(ImageHeaderSize + ManifestSize)]; FFUFile.Seek(SecurityHeader.Length, SeekOrigin.Begin); FFUFile.Read(ImageHeader, 0, ImageHeader.Length); // Read Store Header byte[] ShortStoreHeader = new byte[248]; FFUFile.Read(ShortStoreHeader, 0, 248); PlatformID = ByteOperations.ReadAsciiString(ShortStoreHeader, 0x0C, 192).TrimEnd(new char[] { (char)0, ' ' }); int WriteDescriptorCount = ByteOperations.ReadInt32(ShortStoreHeader, 208); UInt32 WriteDescriptorLength = ByteOperations.ReadUInt32(ShortStoreHeader, 212); UInt32 ValidateDescriptorLength = ByteOperations.ReadUInt32(ShortStoreHeader, 220); StoreHeader = new byte[RoundUpToChunks(248 + WriteDescriptorLength + ValidateDescriptorLength)]; FFUFile.Seek(SecurityHeader.Length + ImageHeader.Length, SeekOrigin.Begin); FFUFile.Read(StoreHeader, 0, StoreHeader.Length); // Parse Chunk Indexes int HighestChunkIndex = 0; UInt32 LocationCount; int ChunkIndex; int ChunkCount; int DiskAccessMethod; UInt32 WriteDescriptorEntryOffset = 248 + ValidateDescriptorLength; int FFUChunkIndex = 0; for (int i = 0; i < WriteDescriptorCount; i++) { LocationCount = ByteOperations.ReadUInt32(StoreHeader, WriteDescriptorEntryOffset + 0x00); ChunkCount = ByteOperations.ReadInt32(StoreHeader, WriteDescriptorEntryOffset + 0x04); for (int j = 0; j < LocationCount; j++) { DiskAccessMethod = ByteOperations.ReadInt32(StoreHeader, (UInt32)(WriteDescriptorEntryOffset + 0x08 + (j * 0x08))); ChunkIndex = ByteOperations.ReadInt32(StoreHeader, (UInt32)(WriteDescriptorEntryOffset + 0x0C + (j * 0x08))); if (DiskAccessMethod == 0 && (ChunkIndex + ChunkCount - 1) > HighestChunkIndex) // 0 = From begin, 2 = From end. We ignore chunks at end of disk. These contain secondairy GPT. { HighestChunkIndex = ChunkIndex + ChunkCount - 1; } } WriteDescriptorEntryOffset += 8 + (LocationCount * 0x08); FFUChunkIndex += ChunkCount; } ChunkIndexes = new int?[HighestChunkIndex + 1]; WriteDescriptorEntryOffset = 248 + ValidateDescriptorLength; FFUChunkIndex = 0; for (int i = 0; i < WriteDescriptorCount; i++) { LocationCount = ByteOperations.ReadUInt32(StoreHeader, WriteDescriptorEntryOffset + 0x00); ChunkCount = ByteOperations.ReadInt32(StoreHeader, WriteDescriptorEntryOffset + 0x04); for (int j = 0; j < LocationCount; j++) { DiskAccessMethod = ByteOperations.ReadInt32(StoreHeader, (UInt32)(WriteDescriptorEntryOffset + 0x08 + (j * 0x08))); ChunkIndex = ByteOperations.ReadInt32(StoreHeader, (UInt32)(WriteDescriptorEntryOffset + 0x0C + (j * 0x08))); if (DiskAccessMethod == 0) // 0 = From begin, 2 = From end. We ignore chunks at end of disk. These contain secondairy GPT. { for (int k = 0; k < ChunkCount; k++) { ChunkIndexes[ChunkIndex + k] = FFUChunkIndex + k; } } } WriteDescriptorEntryOffset += 8 + (LocationCount * 0x08); FFUChunkIndex += ChunkCount; } byte[] GPTBuffer = GetSectors(0x01, 0x21); GPT = new GPT(GPTBuffer); HeaderSize = (UInt64)(SecurityHeader.Length + ImageHeader.Length + StoreHeader.Length); TotalChunkCount = (UInt64)FFUChunkIndex; PayloadSize = TotalChunkCount * (UInt64)ChunkSize; TotalSize = HeaderSize + PayloadSize; if (TotalSize != (UInt64)FFUFile.Length) { throw new WPinternalsException("Bad FFU file", "Bad FFU file: " + Path + "." + Environment.NewLine + "Expected size: " + TotalSize.ToString() + ". Actual size: " + FFUFile.Length + "."); } } catch (WPinternalsException) { throw; } catch (Exception Ex) { throw new WPinternalsException("Bad FFU file", "Bad FFU file: " + Path + "." + Environment.NewLine + Ex.Message, Ex); } finally { CloseFile(); } }
internal QualcommPartition(byte[] Binary, uint Offset = 0) { #if DEBUG System.Diagnostics.Debug.Print("Loader: " + Converter.ConvertHexToString(new SHA256Managed().ComputeHash(Binary, 0, Binary.Length), "")); #endif this.Binary = Binary; byte[] LongHeaderPattern = new byte[] { 0xD1, 0xDC, 0x4B, 0x84, 0x34, 0x10, 0xD7, 0x73, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; byte[] LongHeaderMask = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; if (ByteOperations.FindPattern(Binary, Offset, 4, new byte[] { 0x7F, 0x45, 0x4C, 0x46 }, new byte[] { 0x00, 0x00, 0x00, 0x00 }, null) == 0) { // This is an ELF image // First program header is a reference to the elf-header // Second program header is a reference to the signed hash-table HeaderType = QualcommPartitionHeaderType.Short; UInt32 ProgramHeaderOffset; UInt16 ProgramHeaderEntrySize; UInt32 HashTableProgramHeaderOffset; if (Binary[Offset + 0x04] == 1) { // 32-bit elf image ProgramHeaderOffset = Offset + ByteOperations.ReadUInt32(Binary, Offset + 0x1c); ProgramHeaderEntrySize = ByteOperations.ReadUInt16(Binary, Offset + 0x2a); HashTableProgramHeaderOffset = ProgramHeaderOffset + ProgramHeaderEntrySize; ImageOffset = Offset + ByteOperations.ReadUInt32(Binary, HashTableProgramHeaderOffset + 0x04); HeaderOffset = ImageOffset + 8; } else if (Binary[Offset + 0x04] == 2) { // 64-bit elf image ProgramHeaderOffset = Offset + ByteOperations.ReadUInt32(Binary, Offset + 0x20); ProgramHeaderEntrySize = ByteOperations.ReadUInt16(Binary, Offset + 0x36); HashTableProgramHeaderOffset = ProgramHeaderOffset + ProgramHeaderEntrySize; ImageOffset = Offset + (UInt32)ByteOperations.ReadUInt64(Binary, HashTableProgramHeaderOffset + 0x08); HeaderOffset = ImageOffset + 8; } else { throw new WPinternalsException("Invalid programmer"); } } else if (ByteOperations.FindPattern(Binary, Offset, (uint)LongHeaderPattern.Length, LongHeaderPattern, LongHeaderMask, null) == null) { HeaderType = QualcommPartitionHeaderType.Short; ImageOffset = Offset; HeaderOffset = ImageOffset + 8; } else { HeaderType = QualcommPartitionHeaderType.Long; ImageOffset = Offset; HeaderOffset = ImageOffset + (uint)LongHeaderPattern.Length; } if (ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X00) != 0) { ImageOffset = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X00); } else if (HeaderType == QualcommPartitionHeaderType.Short) { ImageOffset += 0x28; } else { ImageOffset += 0x50; } ImageAddress = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X04); ImageSize = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X08); CodeSize = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X0C); SignatureAddress = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X10); SignatureSize = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X14); SignatureOffset = SignatureAddress - ImageAddress + ImageOffset; CertificatesAddress = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X18); CertificatesSize = ByteOperations.ReadUInt32(Binary, HeaderOffset + 0X1C); CertificatesOffset = CertificatesAddress - ImageAddress + ImageOffset; uint CurrentCertificateOffset = CertificatesOffset; uint CertificateSize = 0; while (CurrentCertificateOffset < (CertificatesOffset + CertificatesSize)) { if ((Binary[CurrentCertificateOffset] == 0x30) && (Binary[CurrentCertificateOffset + 1] == 0x82)) { CertificateSize = (uint)(Binary[CurrentCertificateOffset + 2] * 0x100) + Binary[CurrentCertificateOffset + 3] + 4; // Big endian! if ((CurrentCertificateOffset + CertificateSize) == (CertificatesOffset + CertificatesSize)) { // This is the last certificate. So this is the root key. RootKeyHash = new SHA256Managed().ComputeHash(Binary, (int)CurrentCertificateOffset, (int)CertificateSize); #if DEBUG System.Diagnostics.Debug.Print("RKH: " + Converter.ConvertHexToString(RootKeyHash, "")); #endif } #if DEBUG else { System.Diagnostics.Debug.Print("Cert: " + Converter.ConvertHexToString(new SHA256Managed().ComputeHash(Binary, (int)CurrentCertificateOffset, (int)CertificateSize), "")); } #endif CurrentCertificateOffset += CertificateSize; } else { if ((RootKeyHash == null) && (CurrentCertificateOffset > CertificatesOffset)) { CurrentCertificateOffset -= CertificateSize; // This is the last certificate. So this is the root key. RootKeyHash = new SHA256Managed().ComputeHash(Binary, (int)CurrentCertificateOffset, (int)CertificateSize); #if DEBUG System.Diagnostics.Debug.Print("RKH: " + Converter.ConvertHexToString(RootKeyHash, "")); #endif } break; } } }
private void ClearEfiChecksum(byte[] EfiFile) { UInt32 PEHeaderOffset = ByteOperations.ReadUInt32(EfiFile, 0x3C); ByteOperations.WriteUInt32(EfiFile, PEHeaderOffset + 0x58, 0); }
internal UEFI(byte[] UefiBinary) { Binary = UefiBinary; string VolumeHeaderMagic; UInt32?Offset = ByteOperations.FindAscii(Binary, "_FVH"); if (Offset == null) { throw new BadImageFormatException(); } else { VolumeHeaderOffset = (UInt32)Offset - 0x28; } if (!VerifyVolumeChecksum(Binary, VolumeHeaderOffset)) { throw new BadImageFormatException(); } VolumeSize = ByteOperations.ReadUInt32(Binary, VolumeHeaderOffset + 0x20); // TODO: This is actually a QWORD VolumeHeaderSize = ByteOperations.ReadUInt16(Binary, VolumeHeaderOffset + 0x30); PaddingByteValue = (ByteOperations.ReadUInt32(Binary, VolumeHeaderOffset + 0x2C) & 0x00000800) > 0 ? (byte)0xFF : (byte)0x00; // EFI_FVB_ERASE_POLARITY = 0x00000800 // In the volume look for a file of type EFI_FV_FILETYPE_FIRMWARE_VOLUME_IMAGE (0x0B) FileHeaderOffset = VolumeHeaderOffset + VolumeHeaderSize; bool VolumeFound = false; int FileType; UInt32 FileSize; do { if (!VerifyFileChecksum(Binary, FileHeaderOffset)) { throw new BadImageFormatException(); } FileType = ByteOperations.ReadUInt8(Binary, FileHeaderOffset + 0x12); FileSize = ByteOperations.ReadUInt24(Binary, FileHeaderOffset + 0x14); if (FileType == 0x0B) // EFI_FV_FILETYPE_FIRMWARE_VOLUME_IMAGE { VolumeFound = true; } else { FileHeaderOffset += FileSize; // FileHeaderOffset in Volume-body must be Align 8 // In the file-header-attributes the file-alignment relative to the start of the volume is always set to 1, // so that alignment can be ignored. FileHeaderOffset = ByteOperations.Align(VolumeHeaderOffset + VolumeHeaderSize, FileHeaderOffset, 8); } }while (!VolumeFound && (FileHeaderOffset < (VolumeHeaderOffset + VolumeSize))); if (!VolumeFound) { throw new BadImageFormatException(); } // Look in file for section of type EFI_SECTION_GUID_DEFINED (0x02) SectionHeaderOffset = FileHeaderOffset + 0x18; int SectionType; UInt32 SectionSize; UInt16 SectionHeaderSize = 0; bool DecompressedVolumeFound = false; do { SectionType = ByteOperations.ReadUInt8(Binary, SectionHeaderOffset + 0x03); SectionSize = ByteOperations.ReadUInt24(Binary, SectionHeaderOffset + 0x00); if (SectionType == 0x02) // EFI_SECTION_GUID_DEFINED { SectionHeaderSize = ByteOperations.ReadUInt16(Binary, SectionHeaderOffset + 0x14); DecompressedVolumeFound = true; } else { SectionHeaderOffset += SectionSize; // SectionHeaderOffset in File-body must be Align 4 SectionHeaderOffset = ByteOperations.Align(FileHeaderOffset + 0x18, SectionHeaderOffset, 4); } }while (!DecompressedVolumeFound && (SectionHeaderOffset < (FileHeaderOffset + FileSize))); if (!DecompressedVolumeFound) { throw new BadImageFormatException(); } // Decompress subvolume CompressedSubImageOffset = SectionHeaderOffset + SectionHeaderSize; CompressedSubImageSize = SectionSize - SectionHeaderSize; // DECOMPRESS HERE DecompressedImage = LZMA.Decompress(Binary, CompressedSubImageOffset, CompressedSubImageSize); // Extracted volume contains Sections at its root level DecompressedVolumeSectionHeaderOffset = 0; DecompressedVolumeFound = false; do { SectionType = ByteOperations.ReadUInt8(DecompressedImage, DecompressedVolumeSectionHeaderOffset + 0x03); SectionSize = ByteOperations.ReadUInt24(DecompressedImage, DecompressedVolumeSectionHeaderOffset + 0x00); SectionHeaderSize = ByteOperations.ReadUInt16(DecompressedImage, DecompressedVolumeSectionHeaderOffset + 0x14); if (SectionType == 0x17) // EFI_SECTION_FIRMWARE_VOLUME_IMAGE { DecompressedVolumeFound = true; } else { DecompressedVolumeSectionHeaderOffset += SectionSize; // SectionHeaderOffset in File-body must be Align 4 DecompressedVolumeSectionHeaderOffset = ByteOperations.Align(FileHeaderOffset + 0x18, DecompressedVolumeSectionHeaderOffset, 4); } }while (!DecompressedVolumeFound && (DecompressedVolumeSectionHeaderOffset < DecompressedImage.Length)); if (!DecompressedVolumeFound) { throw new BadImageFormatException(); } DecompressedVolumeHeaderOffset = DecompressedVolumeSectionHeaderOffset + 4; // PARSE COMPRESSED VOLUME VolumeHeaderMagic = ByteOperations.ReadAsciiString(DecompressedImage, DecompressedVolumeHeaderOffset + 0x28, 0x04); if (VolumeHeaderMagic != "_FVH") { throw new BadImageFormatException(); } if (!VerifyVolumeChecksum(DecompressedImage, DecompressedVolumeHeaderOffset)) { throw new BadImageFormatException(); } Int32 DecompressedVolumeSize = ByteOperations.ReadInt32(DecompressedImage, DecompressedVolumeHeaderOffset + 0x20); // TODO: This is actually a QWORD UInt16 DecompressedVolumeHeaderSize = ByteOperations.ReadUInt16(DecompressedImage, DecompressedVolumeHeaderOffset + 0x30); // The files in this decompressed volume are the real EFI's. UInt32 DecompressedFileHeaderOffset = DecompressedVolumeHeaderOffset + DecompressedVolumeHeaderSize; EFI CurrentEFI; do { if ((DecompressedFileHeaderOffset + 0x18) >= (DecompressedVolumeHeaderOffset + DecompressedVolumeSize)) { break; } bool ContentFound = false; for (int i = 0; i < 0x18; i++) { if (DecompressedImage[DecompressedFileHeaderOffset + i] != PaddingByteValue) { ContentFound = true; break; } } if (!ContentFound) { break; } FileSize = ByteOperations.ReadUInt24(DecompressedImage, DecompressedFileHeaderOffset + 0x14); if ((DecompressedFileHeaderOffset + FileSize) >= (DecompressedVolumeHeaderOffset + DecompressedVolumeSize)) { break; } if (!VerifyFileChecksum(DecompressedImage, DecompressedFileHeaderOffset)) { throw new BadImageFormatException(); } CurrentEFI = new EFI(); CurrentEFI.Type = ByteOperations.ReadUInt8(DecompressedImage, DecompressedFileHeaderOffset + 0x12); byte[] FileGuidBytes = new byte[0x10]; System.Buffer.BlockCopy(DecompressedImage, (int)DecompressedFileHeaderOffset + 0x00, FileGuidBytes, 0, 0x10); CurrentEFI.Guid = new Guid(FileGuidBytes); // Parse sections of the EFI CurrentEFI.FileOffset = DecompressedFileHeaderOffset; UInt32 DecompressedSectionHeaderOffset = DecompressedFileHeaderOffset + 0x18; do { SectionType = ByteOperations.ReadUInt8(DecompressedImage, DecompressedSectionHeaderOffset + 0x03); SectionSize = ByteOperations.ReadUInt24(DecompressedImage, DecompressedSectionHeaderOffset + 0x00); // SectionTypes that are relevant here: // 0x10 = PE File // 0x19 = RAW // 0x15 = Description // Not all section headers in the UEFI specs are 4 bytes long, // but the sections that are used in Windows Phone EFI's all have a header of 4 bytes. if (SectionType == 0x15) { CurrentEFI.Name = ByteOperations.ReadUnicodeString(DecompressedImage, DecompressedSectionHeaderOffset + 0x04, SectionSize - 0x04).TrimEnd(new char[] { (char)0, ' ' }); } else if ((SectionType == 0x10) || (SectionType == 0x19)) { CurrentEFI.SectionOffset = DecompressedSectionHeaderOffset; CurrentEFI.BinaryOffset = DecompressedSectionHeaderOffset + 0x04; CurrentEFI.Size = SectionSize - 0x04; } DecompressedSectionHeaderOffset += SectionSize; // SectionHeaderOffset in File-body must be Align 4 DecompressedSectionHeaderOffset = ByteOperations.Align(DecompressedFileHeaderOffset + 0x18, DecompressedSectionHeaderOffset, 4); }while (DecompressedSectionHeaderOffset < (DecompressedFileHeaderOffset + FileSize)); DecompressedFileHeaderOffset += FileSize; // FileHeaderOffset in Volume-body must be Align 8 // In the file-header-attributes the file-alignment relative to the start of the volume is always set to 1, // so that alignment can be ignored. DecompressedFileHeaderOffset = ByteOperations.Align(DecompressedVolumeHeaderOffset + DecompressedVolumeHeaderSize, DecompressedFileHeaderOffset, 8); EFIs.Add(CurrentEFI); }while (DecompressedFileHeaderOffset < (DecompressedVolumeHeaderOffset + DecompressedVolumeSize)); }
internal byte[] Rebuild() { // The new binary will include the Qualcomm header, but not the signature and certificates, because they won't match anyway. byte[] NewBinary = new byte[Binary.Length]; Buffer.BlockCopy(Binary, 0, NewBinary, 0, (int)CompressedSubImageOffset); ByteOperations.WriteUInt32(NewBinary, 0x10, ByteOperations.ReadUInt32(NewBinary, 0x14)); // Complete image size - does not include signature and certs anymore ByteOperations.WriteUInt32(NewBinary, 0x18, 0x00000000); // Address of signature ByteOperations.WriteUInt32(NewBinary, 0x1C, 0x00000000); // Signature length ByteOperations.WriteUInt32(NewBinary, 0x20, 0x00000000); // Address of certificate ByteOperations.WriteUInt32(NewBinary, 0x24, 0x00000000); // Certificate length // Compress volume byte[] NewCompressedImage = LZMA.Compress(DecompressedImage, 0, (UInt32)DecompressedImage.Length); // Replace compressed volume and add correct padding // First copy new image Buffer.BlockCopy(NewCompressedImage, 0, NewBinary, (int)CompressedSubImageOffset, NewCompressedImage.Length); // Determine padding UInt32 OldSectionPadding = ByteOperations.Align(0, CompressedSubImageSize, 4) - CompressedSubImageSize; UInt32 NewSectionPadding = ByteOperations.Align(0, (UInt32)NewCompressedImage.Length, 4) - (UInt32)NewCompressedImage.Length; UInt32 OldFileSize = ByteOperations.ReadUInt24(Binary, FileHeaderOffset + 0x14); // Filesize includes fileheader. But it does not include the padding-bytes. Not even the padding bytes of the last section. UInt32 NewFileSize; if ((CompressedSubImageOffset + CompressedSubImageSize + OldSectionPadding) >= (FileHeaderOffset + OldFileSize)) { // Compressed image is the last section of this file NewFileSize = CompressedSubImageOffset - FileHeaderOffset + (UInt32)NewCompressedImage.Length; } else { // Compressed image is NOT the last section of this file NewFileSize = OldFileSize - CompressedSubImageSize - OldSectionPadding + (UInt32)NewCompressedImage.Length + NewSectionPadding; } // Add section padding for (int i = 0; i < NewSectionPadding; i++) { NewBinary[CompressedSubImageOffset + NewCompressedImage.Length + i] = PaddingByteValue; } // If there are more bytes after the section padding of the compressed image, then copy the trailing sections if (((Int32)FileHeaderOffset + OldFileSize - CompressedSubImageOffset - CompressedSubImageSize - OldSectionPadding) > 0) { Buffer.BlockCopy(Binary, (int)(CompressedSubImageOffset + CompressedSubImageSize + OldSectionPadding), NewBinary, (int)(CompressedSubImageOffset + NewCompressedImage.Length + NewSectionPadding), (int)(FileHeaderOffset + OldFileSize - CompressedSubImageOffset - CompressedSubImageSize - OldSectionPadding)); } // Add file padding // Filesize does not include last section padding or file padding UInt32 OldFilePadding = ByteOperations.Align(0, OldFileSize, 8) - OldFileSize; UInt32 NewFilePadding = ByteOperations.Align(0, NewFileSize, 8) - NewFileSize; for (int i = 0; i < NewFilePadding; i++) { NewBinary[FileHeaderOffset + NewFileSize + i] = PaddingByteValue; } if (NewCompressedImage.Length > CompressedSubImageSize) { Buffer.BlockCopy(Binary, (int)(FileHeaderOffset + OldFileSize + OldFilePadding), NewBinary, (int)(FileHeaderOffset + NewFileSize + NewFilePadding), (int)(VolumeHeaderOffset + VolumeSize - FileHeaderOffset - NewFileSize - NewFilePadding)); } else { Buffer.BlockCopy(Binary, (int)(FileHeaderOffset + OldFileSize + OldFilePadding), NewBinary, (int)(FileHeaderOffset + NewFileSize + NewFilePadding), (int)(VolumeHeaderOffset + VolumeSize - FileHeaderOffset - OldFileSize - OldFilePadding)); for (int i = (int)(VolumeHeaderOffset + VolumeSize - OldFileSize - OldFilePadding + NewFileSize + NewFilePadding); i < VolumeHeaderOffset + VolumeSize; i++) { NewBinary[i] = PaddingByteValue; } } CompressedSubImageSize = (UInt32)NewCompressedImage.Length; // Fix section ByteOperations.WriteUInt24(NewBinary, SectionHeaderOffset, CompressedSubImageSize + ByteOperations.ReadUInt16(Binary, SectionHeaderOffset + 0x14)); // Fix file ByteOperations.WriteUInt24(NewBinary, FileHeaderOffset + 0x14, NewFileSize); CalculateFileChecksum(NewBinary, FileHeaderOffset); // Fix volume (volume size is fixed) CalculateVolumeChecksum(NewBinary, VolumeHeaderOffset); Binary = NewBinary; return(Binary); }
internal void ReplaceFile(string Name, byte[] Binary) { EFI File = EFIs.Where(f => (string.Compare(Name, f.Name, true) == 0) || (string.Compare(Name, f.Guid.ToString(), true) == 0)).FirstOrDefault(); if (File == null) { throw new ArgumentOutOfRangeException(); } UInt32 OldBinarySize = File.Size; UInt32 NewBinarySize = (UInt32)Binary.Length; UInt32 OldSectionPadding = ByteOperations.Align(0, OldBinarySize, 4) - OldBinarySize; UInt32 NewSectionPadding = ByteOperations.Align(0, NewBinarySize, 4) - NewBinarySize; UInt32 OldFileSize = ByteOperations.ReadUInt24(DecompressedImage, File.FileOffset + 0x14); UInt32 NewFileSize = OldFileSize - OldBinarySize - OldSectionPadding + NewBinarySize + NewSectionPadding; UInt32 OldFilePadding = ByteOperations.Align(0, OldFileSize, 8) - OldFileSize; UInt32 NewFilePadding = ByteOperations.Align(0, NewFileSize, 8) - NewFileSize; if ((OldBinarySize + OldSectionPadding) != (NewBinarySize + NewSectionPadding)) { byte[] NewImage = new byte[DecompressedImage.Length - OldFileSize - OldFilePadding + NewFileSize + NewFilePadding]; // Also preserve space for File-alignement here // Copy Volume-head and File-head Buffer.BlockCopy(DecompressedImage, 0, NewImage, 0, (int)File.BinaryOffset); // Copy new binary Buffer.BlockCopy(Binary, 0, NewImage, (int)File.BinaryOffset, Binary.Length); // Insert section-padding for (int i = 0; i < NewSectionPadding; i++) { NewImage[File.BinaryOffset + NewBinarySize + i] = PaddingByteValue; } // Copy file-tail Buffer.BlockCopy( DecompressedImage, (int)(File.BinaryOffset + OldBinarySize + OldSectionPadding), NewImage, (int)(File.BinaryOffset + NewBinarySize + NewSectionPadding), (int)(File.FileOffset + OldFileSize - File.BinaryOffset - OldBinarySize - OldSectionPadding)); // Insert file-padding for (int i = 0; i < NewFilePadding; i++) { NewImage[File.BinaryOffset + NewFileSize + i] = PaddingByteValue; } // Copy volume-tail Buffer.BlockCopy( DecompressedImage, (int)(File.FileOffset + OldFileSize + OldFilePadding), NewImage, (int)(File.FileOffset + NewFileSize + NewFilePadding), (int)(DecompressedImage.Length - File.FileOffset - OldFileSize - OldFilePadding)); Int32 NewOffset = (int)(NewFileSize + NewFilePadding) - (int)(OldFileSize - OldFilePadding); // Fix section-size ByteOperations.WriteUInt24(NewImage, File.SectionOffset, (UInt32)(ByteOperations.ReadUInt24(NewImage, File.SectionOffset) + NewOffset)); // Fix file-size ByteOperations.WriteUInt24(NewImage, File.FileOffset + 0x14, (UInt32)(ByteOperations.ReadUInt24(NewImage, File.FileOffset + 0x14) + NewOffset)); // Fix volume-size - TODO: This is actually a QWORD ByteOperations.WriteUInt32(NewImage, DecompressedVolumeHeaderOffset + 0x20, (UInt32)(ByteOperations.ReadUInt32(NewImage, DecompressedVolumeHeaderOffset + 0x20) + NewOffset)); // Fix section-size ByteOperations.WriteUInt24(NewImage, DecompressedVolumeSectionHeaderOffset, (UInt32)(ByteOperations.ReadUInt24(NewImage, DecompressedVolumeSectionHeaderOffset) + NewOffset)); DecompressedImage = NewImage; // Modify all sizes in EFI's foreach (EFI CurrentFile in EFIs) { if (CurrentFile.FileOffset > File.FileOffset) { CurrentFile.FileOffset = (UInt32)(CurrentFile.FileOffset + NewOffset); CurrentFile.SectionOffset = (UInt32)(CurrentFile.SectionOffset + NewOffset); CurrentFile.BinaryOffset = (UInt32)(CurrentFile.BinaryOffset + NewOffset); } } } else { Buffer.BlockCopy(Binary, 0, DecompressedImage, (int)File.BinaryOffset, Binary.Length); for (int i = 0; i < NewSectionPadding; i++) { DecompressedImage[File.BinaryOffset + Binary.Length + i] = PaddingByteValue; } } // Calculate File-checksum CalculateFileChecksum(DecompressedImage, File.FileOffset); // Calculate Volume-checksum CalculateVolumeChecksum(DecompressedImage, DecompressedVolumeHeaderOffset); }
internal byte[] GenerateExtraSector(byte[] PartitionHeader) { UInt32?Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, null, null); if (Offset == null) { throw new BadImageFormatException(); } UInt32 PartitionLoaderTableOffset = (UInt32)Offset; byte[] FoundPattern = new byte[0x10]; Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x04, 0x00, 0x9F, 0xE5, 0x28, 0x00, 0xD0, 0xE5, 0x1E, 0xFF, 0x2F, 0xE1, 0xFF, 0xFF, 0xFF, 0xFF }, new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF }, FoundPattern); if (Offset == null) { throw new BadImageFormatException(); } UInt32 SharedMemoryAddress = ByteOperations.ReadUInt32(FoundPattern, 0x0C); UInt32 GlobalIsSecurityEnabledAddress = SharedMemoryAddress + 0x28; Offset = ByteOperations.FindPattern(Binary, new byte[] { 0x01, 0xFF, 0xA0, 0xE3, 0xFF, 0xFF, 0xA0, 0xE1, 0x1C, 0xD0, 0x8D, 0xE2, 0xF0, 0x4F, 0xBD, 0xE8, 0x1E, 0xFF, 0x2F, 0xE1 }, new byte[] { 0x00, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, null); if (Offset == null) { throw new BadImageFormatException(); } UInt32 ReturnAddress = (UInt32)Offset - ImageOffset + ImageAddress; byte[] Sector = new byte[0x200]; Array.Clear(Sector, 0, 0x200); byte[] Content = new byte[] { 0x16, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x28, 0xBD, 0x02, 0x00, 0xD8, 0x01, 0x00, 0x00, 0xD8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0xE3, 0x3C, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0xC1, 0xE5, 0x38, 0x00, 0x9F, 0xE5, 0x38, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0x81, 0xE5, 0x34, 0x10, 0x9F, 0xE5, 0x00, 0x00, 0x81, 0xE5, 0x30, 0x00, 0x9F, 0xE5, 0x20, 0x10, 0x9F, 0xE5, 0x2C, 0x30, 0x9F, 0xE5, 0x00, 0x20, 0x90, 0xE5, 0x00, 0x20, 0x81, 0xE5, 0x04, 0x00, 0x80, 0xE2, 0x04, 0x10, 0x81, 0xE2, 0x03, 0x00, 0x50, 0xE1, 0xF9, 0xFF, 0xFF, 0xBA, 0x14, 0xF0, 0x9F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x02, 0x00, 0x90, 0xBF, 0x02, 0x00, 0xD0, 0xBF, 0x02, 0x00, 0xA0, 0xBD, 0x02, 0x00, 0xA0, 0xBE, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00 }; byte[] PartitionTypeGuid = new byte[] { 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74, 0x74 }; Buffer.BlockCopy(Content, 0, Sector, 0, Content.Length); // Overwrite first part of partition-header with model-specific header Buffer.BlockCopy(PartitionHeader, 0, Sector, 0, PartitionHeader.Length); ByteOperations.WriteUInt32(Sector, 0x70, GlobalIsSecurityEnabledAddress); ByteOperations.WriteUInt32(Sector, 0x88, ReturnAddress); Buffer.BlockCopy(Binary, (int)PartitionLoaderTableOffset, Sector, 0xA0, 0x50); ByteOperations.WriteUInt32(Sector, 0xA0 + 0x30, 0); Buffer.BlockCopy(Binary, (int)PartitionLoaderTableOffset, Sector, 0xF0, 0x50); ByteOperations.WriteUInt32(Sector, 0xF0 + 0x2C, 0); ByteOperations.WriteUInt32(Sector, 0xF0 + 0x38, 0x210F0); Buffer.BlockCopy(PartitionTypeGuid, 0, Sector, 0x190, 0x10); ByteOperations.WriteUInt32(Sector, 0x1FC, 0x0002BD28); return(Sector); }
public bool SendImage(string Path) { bool Result = true; LogFile.Log("Sending programmer: " + Path, LogType.FileOnly); int Step = 0; UInt32 Offset = 0; UInt32 Length = 0; byte[] ImageBuffer = null; try { Step = 1; byte[] Hello = null; Hello = Serial.GetResponse(new byte[] { 0x01, 0x00, 0x00, 0x00 }); // Incoming Hello packet: // 00000001 = Hello command id // xxxxxxxx = Length // xxxxxxxx = Protocol version // xxxxxxxx = Supported version // xxxxxxxx = Max packet length // xxxxxxxx = Expected mode // 6 dwords reserved space LogFile.Log("Protocol: 0x" + ByteOperations.ReadUInt32(Hello, 0x08).ToString("X8"), LogType.FileOnly); LogFile.Log("Supported: 0x" + ByteOperations.ReadUInt32(Hello, 0x0C).ToString("X8"), LogType.FileOnly); LogFile.Log("MaxLength: 0x" + ByteOperations.ReadUInt32(Hello, 0x10).ToString("X8"), LogType.FileOnly); LogFile.Log("Mode: 0x" + ByteOperations.ReadUInt32(Hello, 0x14).ToString("X8"), LogType.FileOnly); // Packet: // 00000002 = Hello response command id // 00000030 = Length // 00000002 = Protocol version // 00000001 = Supported version // 00000000 = Status OK // 00000000 = Mode // rest is reserved space Step = 2; byte[] HelloResponse = new byte[] { 0x02, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; Serial.SendData(HelloResponse); Step = 3; using (System.IO.FileStream FileStream = new System.IO.FileStream(Path, System.IO.FileMode.Open, System.IO.FileAccess.Read)) { while (true) { Step = 4; byte[] ReadDataRequest = Serial.GetResponse(null); UInt32 ResponseID = ByteOperations.ReadUInt32(ReadDataRequest, 0); if (ResponseID == 4) { break; } if (ResponseID != 3) { Step = 5; throw new BadConnectionException(); } Offset = ByteOperations.ReadUInt32(ReadDataRequest, 0x0C); Length = ByteOperations.ReadUInt32(ReadDataRequest, 0x10); if ((ImageBuffer == null) || (ImageBuffer.Length != Length)) { ImageBuffer = new byte[Length]; } if (FileStream.Position != Offset) { FileStream.Seek(Offset, System.IO.SeekOrigin.Begin); } Step = 6; FileStream.Read(ImageBuffer, 0, (int)Length); Step = 7; Serial.SendData(ImageBuffer); } } } catch (Exception Ex) { LogFile.LogException(Ex, LogType.FileAndConsole, Step.ToString() + " 0x" + Offset.ToString("X8") + " 0x" + Length.ToString("X8")); Result = false; } if (Result) { LogFile.Log("Programmer loaded into phone memory", LogType.FileOnly); } return(Result); }