|
| 1 | +#!/usr/bin/env python3 |
| 2 | +import argparse |
| 3 | +import hashlib |
| 4 | +import pathlib |
| 5 | +import subprocess |
| 6 | +import tempfile |
| 7 | + |
| 8 | + |
| 9 | +RAW_BOOTLOADER_SHA256 = "6342d53961e743dfe73c852b31c7083f08f740fc27444cb75ebcb22d4b1031f8" |
| 10 | +WRAPPER_OFFSET = 0xD300 |
| 11 | +ORIGINAL_WRITE = 0x7778 |
| 12 | +CALL_SITES = (0x6774, 0x6816) |
| 13 | + |
| 14 | + |
| 15 | +def thumb_bl(site, target): |
| 16 | + offset = target - (site + 4) |
| 17 | + if offset & 1: |
| 18 | + raise ValueError("unaligned Thumb BL target") |
| 19 | + if not (-(1 << 22) <= offset < (1 << 22)): |
| 20 | + raise ValueError("Thumb BL target out of range") |
| 21 | + |
| 22 | + imm = offset >> 1 |
| 23 | + hi = 0xF000 | ((imm >> 11) & 0x7FF) |
| 24 | + lo = 0xF800 | (imm & 0x7FF) |
| 25 | + return hi.to_bytes(2, "little") + lo.to_bytes(2, "little") |
| 26 | + |
| 27 | + |
| 28 | +def tool_path(toolchain, name): |
| 29 | + path = toolchain / name |
| 30 | + if path.exists(): |
| 31 | + return path |
| 32 | + |
| 33 | + exe_path = toolchain / (name + ".exe") |
| 34 | + if exe_path.exists(): |
| 35 | + return exe_path |
| 36 | + |
| 37 | + return path |
| 38 | + |
| 39 | + |
| 40 | +def build_wrapper(toolchain, source): |
| 41 | + gcc = tool_path(toolchain, "arm-none-eabi-gcc") |
| 42 | + nm = tool_path(toolchain, "arm-none-eabi-nm") |
| 43 | + objcopy = tool_path(toolchain, "arm-none-eabi-objcopy") |
| 44 | + |
| 45 | + with tempfile.TemporaryDirectory(prefix="bk7252_tuya_bl_") as tmp: |
| 46 | + tmp_path = pathlib.Path(tmp) |
| 47 | + obj = tmp_path / "wrap.o" |
| 48 | + elf = tmp_path / "wrap.elf" |
| 49 | + binary = tmp_path / "wrap.bin" |
| 50 | + |
| 51 | + subprocess.run([ |
| 52 | + str(gcc), "-c", str(source), "-o", str(obj), |
| 53 | + "-Os", "-mthumb", "-mcpu=arm9tdmi", |
| 54 | + "-ffreestanding", "-fno-builtin", "-fno-pic", |
| 55 | + "-fno-unwind-tables", "-fno-asynchronous-unwind-tables", |
| 56 | + ], check=True) |
| 57 | + subprocess.run([ |
| 58 | + str(gcc), "-nostdlib", "-Wl,-Ttext=0x%08x" % WRAPPER_OFFSET, |
| 59 | + "-Wl,-e,tuya_fal_partition_write", |
| 60 | + "-o", str(elf), str(obj), |
| 61 | + ], check=True) |
| 62 | + nm_output = subprocess.check_output([str(nm), "-n", str(elf)], text=True) |
| 63 | + for line in nm_output.splitlines(): |
| 64 | + parts = line.split() |
| 65 | + if len(parts) >= 3 and parts[2] == "tuya_fal_partition_write": |
| 66 | + entry = int(parts[0], 16) |
| 67 | + if entry != WRAPPER_OFFSET: |
| 68 | + raise RuntimeError("wrapper entry at 0x%04x, expected 0x%04x" % (entry, WRAPPER_OFFSET)) |
| 69 | + break |
| 70 | + else: |
| 71 | + raise RuntimeError("wrapper entry symbol not found") |
| 72 | + |
| 73 | + subprocess.run([ |
| 74 | + str(objcopy), "-O", "binary", "-j", ".text", str(elf), str(binary), |
| 75 | + ], check=True) |
| 76 | + |
| 77 | + return binary.read_bytes() |
| 78 | + |
| 79 | + |
| 80 | +def patch_bootloader(raw_path, output_path, wrapper): |
| 81 | + raw = bytearray(raw_path.read_bytes()) |
| 82 | + raw_sha = hashlib.sha256(raw).hexdigest() |
| 83 | + if raw_sha != RAW_BOOTLOADER_SHA256: |
| 84 | + raise RuntimeError("unexpected BK7252 bootloader SHA256: %s" % raw_sha) |
| 85 | + |
| 86 | + for site in CALL_SITES: |
| 87 | + expected = thumb_bl(site, ORIGINAL_WRITE) |
| 88 | + found = bytes(raw[site:site + 4]) |
| 89 | + if found != expected: |
| 90 | + raise RuntimeError("unexpected call at 0x%04x: got %s expected %s" % (site, found.hex(), expected.hex())) |
| 91 | + raw[site:site + 4] = thumb_bl(site, WRAPPER_OFFSET) |
| 92 | + |
| 93 | + wrapper_end = WRAPPER_OFFSET + len(wrapper) |
| 94 | + if len(raw) > WRAPPER_OFFSET: |
| 95 | + raise RuntimeError("wrapper offset overlaps bootloader body") |
| 96 | + if wrapper_end > 0x10000: |
| 97 | + raise RuntimeError("patched bootloader exceeds 64K logical boot partition") |
| 98 | + |
| 99 | + raw.extend(b"\xff" * (WRAPPER_OFFSET - len(raw))) |
| 100 | + raw[WRAPPER_OFFSET:wrapper_end] = wrapper |
| 101 | + output_path.write_bytes(raw) |
| 102 | + |
| 103 | + print("Patched BK7252 Tuya bootloader: wrapper %d bytes at 0x%04x" % (len(wrapper), WRAPPER_OFFSET)) |
| 104 | + |
| 105 | + |
| 106 | +def main(): |
| 107 | + parser = argparse.ArgumentParser(description="Patch the BK7252 RT bootloader to coeff-encrypt app writes for Tuya OTA.") |
| 108 | + parser.add_argument("raw_bootloader", type=pathlib.Path) |
| 109 | + parser.add_argument("output_bootloader", type=pathlib.Path) |
| 110 | + parser.add_argument("toolchain_bin", type=pathlib.Path) |
| 111 | + parser.add_argument("wrapper_source", type=pathlib.Path) |
| 112 | + args = parser.parse_args() |
| 113 | + |
| 114 | + wrapper = build_wrapper(args.toolchain_bin, args.wrapper_source) |
| 115 | + patch_bootloader(args.raw_bootloader, args.output_bootloader, wrapper) |
| 116 | + |
| 117 | + |
| 118 | +if __name__ == "__main__": |
| 119 | + main() |
0 commit comments