From b4b016e90485db5687c2fd9aeefbc105a020bbce Mon Sep 17 00:00:00 2001
From: Marcel Holtmann <marcel@holtmann.org>
Date: Fri, 10 Apr 2015 23:21:47 +0200
Subject: [PATCH] tools: Add utility for analyzing Nokia firmware files

---
 .gitignore     |   1 +
 Makefile.tools |   8 +-
 tools/nokfw.c  | 247 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 254 insertions(+), 2 deletions(-)
 create mode 100644 tools/nokfw.c

diff --git a/.gitignore b/.gitignore
index 3e0fcb102..3a0541328 100644
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,7 @@ tools/bdaddr
 tools/bluemoon
 tools/seq2bseq
 tools/hex2hcd
+tools/nokfw
 tools/btiotest
 tools/mpris-proxy
 tools/bluetooth-player
diff --git a/Makefile.tools b/Makefile.tools
index e96ea9f7b..d46c65416 100644
--- a/Makefile.tools
+++ b/Makefile.tools
@@ -234,8 +234,8 @@ noinst_PROGRAMS += tools/bdaddr tools/avinfo tools/avtest \
 			tools/btsnoop tools/btproxy \
 			tools/btiotest tools/bneptest tools/mcaptest \
 			tools/cltest tools/oobtest tools/seq2bseq \
-			tools/ibeacon tools/btgatt-client tools/btgatt-server \
-			tools/create-image \
+			tools/nokfw tools/create-image tools/ibeacon \
+			tools/btgatt-client tools/btgatt-server \
 			tools/test-runner tools/check-selftest
 
 tools_bdaddr_SOURCES = tools/bdaddr.c src/oui.h src/oui.c
@@ -292,6 +292,10 @@ tools_oobtest_LDADD = lib/libbluetooth-internal.la src/libshared-mainloop.la
 
 tools_seq2bseq_SOURCES = tools/seq2bseq.c
 
+tools_nokfw_SOURCES = tools/nokfw.c
+
+tools_create_image_SOURCES = tools/create-image.c
+
 tools_ibeacon_SOURCES = tools/ibeacon.c monitor/bt.h
 tools_ibeacon_LDADD = src/libshared-mainloop.la
 
diff --git a/tools/nokfw.c b/tools/nokfw.c
new file mode 100644
index 000000000..20ff846b2
--- /dev/null
+++ b/tools/nokfw.c
@@ -0,0 +1,247 @@
+/*
+ *
+ *  BlueZ - Bluetooth protocol stack for Linux
+ *
+ *  Copyright (C) 2012-2013  Intel Corporation
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <string.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+
+struct neg_cmd {
+	uint8_t  ack;
+	uint16_t baud;
+	uint16_t unused1;
+	uint8_t  proto;
+	uint16_t sys_clk;
+	uint16_t unused2;
+} __attribute__ ((packed));
+
+struct alive_pkt {
+	uint8_t  mid;
+	uint8_t  unused;
+} __attribute__ ((packed));
+
+static void print_cmd(uint16_t opcode, const uint8_t *buf, uint8_t plen)
+{
+	switch (opcode) {
+	case 0x0c43:
+		printf(" Write_Inquiry_Scan_Type [type=%u]", buf[0]);
+		break;
+	case 0x0c47:
+		printf(" Write_Page_Scan_Type [type=%u]", buf[0]);
+		break;
+	case 0xfc01:
+		printf(" Write_BD_ADDR [bdaddr=%02x:%02x:%02x:%02x:%02x:%02x]",
+			buf[5], buf[4], buf[3], buf[2], buf[1], buf[0]);
+		break;
+	case 0xfc0b:
+		printf(" Write_Local_Supported_Features");
+		printf(" [features=%02x,%02x,%02x,%02x,%02x,%02x,%02x,%02x]",
+					buf[0], buf[1], buf[2], buf[3],
+					buf[4], buf[5], buf[6], buf[7]);
+		break;
+	case 0xfc0a:
+		printf(" Super_Peek_Poke [type=%u]", buf[0]);
+		break;
+	case 0xfc15:
+		printf(" FM_RDS_Command [register=0x%02x,mode=%u]",
+							buf[0], buf[1]);
+		break;
+	case 0xfc18:
+		printf(" Update_UART_Baud_Rate");
+		break;
+	case 0xfc1c:
+		printf(" Write_SCO_PCM_Int_Param");
+		break;
+	case 0xfc1e:
+		printf(" Write_PCM_Data_Format_Param");
+		break;
+	case 0xfc22:
+		printf(" Write_SCO_Time_Slot [slot=%u]", buf[0]);
+		break;
+	case 0xfc41:
+		printf(" Write_Collaboration_Mode");
+		break;
+	case 0xfc4c:
+		printf(" Write_RAM [address=0x%08x]",
+			buf[0] | buf[1] << 8 | buf[2] << 16 | buf[3] << 24);
+		break;
+	case 0xfc4e:
+		printf(" Launch_RAM [address=0x%08x]",
+			buf[0] | buf[1] << 8 | buf[2] << 16 | buf[3] << 24);
+		break;
+	case 0xfc61:
+		printf(" Write_PCM_Pins");
+		break;
+	}
+}
+
+static void analyze_memory(const uint8_t *buf, size_t len)
+{
+	const uint8_t *ptr = buf;
+	const struct neg_cmd *neg;
+	const struct alive_pkt *alive;
+	uint16_t pkt_len, opcode;
+	uint8_t pkt_type, plen;
+
+	while (ptr < buf + len) {
+		pkt_len = ptr[0] | ptr[1] << 8;
+		pkt_type = ptr[2];
+
+		printf("len=%-3u type=%u,", pkt_len, pkt_type);
+
+		switch (pkt_type) {
+		case 0x01:
+			opcode = ptr[3] | ptr[4] << 8;
+			plen = ptr[5];
+			printf("%-5s opcode=0x%04x plen=%-3u", "cmd",
+							opcode, plen);
+			print_cmd(opcode, ptr + 6, plen);
+			break;
+		case 0x06:
+			plen = ptr[3];
+			printf("%-5s plen=%-2u", "neg", plen);
+			neg = (void *) (ptr + 4);
+			printf(" [ack=%u baud=%u proto=0x%02x sys_clk=%u]",
+				neg->ack, neg->baud, neg->proto, neg->sys_clk);
+			break;
+		case 0x07:
+			plen = ptr[3];
+			printf("%-5s plen=%-2u", "alive", plen);
+			alive = (void *) (ptr + 4);
+			printf(" [mid=0x%02x]", alive->mid);
+			break;
+		case 0x08:
+			opcode = ptr[3] | ptr[4] << 8;
+			plen = ptr[5];
+			printf("%-5s opcode=0x%04x plen=%-3u", "radio",
+							opcode, plen);
+			print_cmd(opcode, ptr + 6, plen);
+			break;
+		default:
+			printf("unknown");
+			break;
+		}
+
+		printf("\n");
+
+		ptr += pkt_len + 2;
+	}
+}
+
+static void analyze_file(const char *pathname)
+{
+	struct stat st;
+	void *map;
+	int fd;
+
+	printf("Analyzing %s\n", pathname);
+
+	fd = open(pathname, O_RDONLY | O_CLOEXEC);
+	if (fd < 0) {
+		perror("Failed to open file");
+		return;
+	}
+
+	if (fstat(fd, &st) < 0) {
+		fprintf(stderr, "Failed get file size\n");
+		close(fd);
+		return;
+	}
+
+	if (st.st_size == 0) {
+		fprintf(stderr, "Empty file\n");
+		close(fd);
+		return;
+	}
+
+	map = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
+	if (!map || map == MAP_FAILED) {
+		fprintf(stderr, "Failed to map file\n");
+		close(fd);
+		return;
+        }
+
+	analyze_memory(map, st.st_size);
+
+	munmap(map, st.st_size);
+	close(fd);
+}
+
+static void usage(void)
+{
+	printf("Nokia Bluetooth firmware analyzer\n"
+		"Usage:\n");
+	printf("\tnokfw [options] <file>\n");
+	printf("Options:\n"
+		"\t-h, --help             Show help options\n");
+}
+
+static const struct option main_options[] = {
+	{ "version", no_argument,       NULL, 'v' },
+	{ "help",    no_argument,       NULL, 'h' },
+	{ }
+};
+
+int main(int argc, char *argv[])
+{
+	int i;
+
+	for (;;) {
+		int opt;
+
+		opt = getopt_long(argc, argv, "vh", main_options, NULL);
+		if (opt < 0)
+			break;
+
+		switch (opt) {
+		case 'v':
+			printf("%s\n", VERSION);
+			return EXIT_SUCCESS;
+		case 'h':
+			usage();
+			return EXIT_SUCCESS;
+		default:
+			return EXIT_FAILURE;
+		}
+	}
+
+	if (argc - optind < 1) {
+		fprintf(stderr, "No input firmware files provided\n");
+		return EXIT_FAILURE;
+	}
+
+	for (i = optind; i < argc; i++)
+		analyze_file(argv[i]);
+
+	return EXIT_SUCCESS;
+}
-- 
2.47.3