/* Short aliases for unsigned 8/16/32-bit quantities.
 * NOTE(review): the widths are assumed, not checked; they hold only where
 * char/short/int are 8/16/32 bits wide. */
6 typedef unsigned char u8;
7 typedef unsigned short u16;
8 typedef unsigned int u32;
/* Element count of an array object. The result is meaningless if x is a
 * pointer (for example an array received as a function parameter). */
9 #define array_size(x) (sizeof(x) / sizeof(x[0]))
/* USB vendor and product id of one supported device; get_device() compares
 * them with the idVendor/idProduct fields of every enumerated device. */
12 unsigned short vendor;
13 unsigned short product;
/* Supported devices as { vendor id, product id, display name }.
 * NOTE(review): presumably the initializer of g_devices, whose declaration
 * line is not part of this listing. */
16 { 0x03eb, 0x202a, "16MX+U Game Device" },
17 { 0x03eb, 0x202b, "32MX+U Game Device" },
18 { 0x03eb, 0x202c, "16MX+US Game Device" },
19 { 0x03eb, 0x202d, "32MX+UF Game Device" },
/* Transfer size read_write_rom() uses for each full block of flash i/o. */
24 #define IO_BLK_SIZE 0x2000 /* 8K */
/* Command bytes passed to prepare_cmd(), which stores them in mx_cmd. */
26 #define CMD_ATM_READY 0x22
27 #define CMD_SEC_GET_NAME 'G' /* filename r/w */
28 #define CMD_SEC_PUT_NAME 'P'
29 #define CMD_SEC_DEVID 'L' /* read flash device ID */
30 #define CMD_SEC_ERASE 'E'
31 #define CMD_SEC_READY 'C' /* is flash ready? */
32 #define CMD_SEC_READ 'R'
33 #define CMD_SEC_WRITE 'W'
/* Values for dev_info.which_device: the controller read_info() queries. */
36 #define CTL_DATA_BUS 0x55
37 #define CTL_ADDR_BUS 0xAA
/* Erase-counter access sent with CMD_ATM_READY: W_COUNTER goes into
 * write_cnt.cmd, W_CNT_WRITE / W_CNT_READ into write_cnt.action. */
39 #define W_COUNTER 0xA0
40 #define W_CNT_WRITE 0x01
41 #define W_CNT_READ 0x00
/* Selector stored in filename.which by read_filename()/write_filename(). */
43 #define FILENAME_ROM0 0
44 #define FILENAME_ROM1 1
45 #define FILENAME_RAM 2
/* NOTE(review): these look like members of the rom_rw command layout filled
 * in by rw_rom_block() and erase_page(); the enclosing declaration is not
 * part of this listing. */
59 u8 addrb2; /* most significant (BE) */
/* rw_rom_block() stores bytes / 64 here, so a single command can describe at
 * most 255 packets; erase_page() stores 0x10 here when its 'whole' argument
 * is set and 0 otherwise. */
62 u8 param; /* 64 byte usb packets for i/o */
/* Erase-page layouts. get_page_size() reads each row through the fields
 * start_addr, end_addr and page_size and stops at the row whose end_addr is 0.
 * NOTE(review): the order of the three columns is inferred from the values;
 * the page_table_t definition is not part of this listing. */

/* 0x2000-byte pages in the first 64K, 0x10000-byte pages up to 0x3fffff. */
96 static const page_table_t p_AM29LV320DB[] =
98 { 0x000000, 0x00ffff, 0x002000 },
99 { 0x010000, 0x3fffff, 0x010000 },
100 { 0x000000, 0x000000, 0x000000 },
/* 0x10000-byte pages up to 0x3effff, 0x2000-byte pages in the last 64K. */
103 static const page_table_t p_AM29LV320DT[] =
105 { 0x000000, 0x3effff, 0x010000 },
106 { 0x3f0000, 0x3fffff, 0x002000 },
107 { 0x000000, 0x000000, 0x000000 },
/* The same four-row layout twice, once from 0x000000 and once from 0x200000.
 * NOTE(review): presumably two separate chips, as the name suggests -- confirm. */
110 static const page_table_t p_2x_16[] =
112 { 0x000000, 0x003fff, 0x004000 },
113 { 0x004000, 0x007fff, 0x002000 },
114 { 0x008000, 0x00ffff, 0x008000 },
115 { 0x010000, 0x1fffff, 0x010000 },
116 { 0x200000, 0x203fff, 0x004000 },
117 { 0x204000, 0x207fff, 0x002000 },
118 { 0x208000, 0x20ffff, 0x008000 },
119 { 0x210000, 0x3fffff, 0x010000 },
120 { 0x000000, 0x000000, 0x000000 },
123 /*****************************************************************************/
/* Initialise *dev_cmd for command byte cmd: clear the whole structure, then
 * set the 4-byte "USBC" signature (copied without a terminating NUL), the
 * magic2 byte and the command itself. Callers fill in the command-specific
 * fields after this call. */
125 static void prepare_cmd(dev_cmd_t *dev_cmd, u8 cmd)
127 memset(dev_cmd, 0, sizeof(*dev_cmd));
129 memcpy(dev_cmd->magic, "USBC", 4);
130 dev_cmd->magic2 = 0x67; /* MySCSICommand, EXCOMMAND */
131 dev_cmd->mx_cmd = cmd;
/* Send len bytes from data to bulk endpoint 0x03 with a 2000 ms timeout.
 * The failure branch prints usb_strerror() and ret on stderr; a short
 * transfer is only reported on stdout (that message is prefixed "write_cmd:"
 * although it is emitted here).
 * NOTE(review): the failure condition and the return statement are on lines
 * not in this listing; callers appear to expect usb_bulk_write()'s result. */
134 static int write_data(struct usb_dev_handle *dev, void *data, int len)
136 int ret = usb_bulk_write(dev, 0x03, data, len, 2000);
138 fprintf(stderr, "failed to write:\n");
139 fprintf(stderr, "%s (%d)\n", usb_strerror(), ret);
140 } else if (ret != len)
141 printf("write_cmd: wrote only %d of %d bytes\n", ret, len);
/* Send one complete command structure to the device and return
 * write_data()'s result. */
146 static int write_cmd(struct usb_dev_handle *dev, dev_cmd_t *cmd)
148 return write_data(dev, cmd, sizeof(*cmd));
/* Read up to size bytes from bulk endpoint 0x82 into buff with a 2000 ms
 * timeout. buff must have room for size bytes. The failure branch prints
 * usb_strerror() and ret on stderr; a short read is only reported on stdout,
 * so callers that need every byte must check the result themselves.
 * NOTE(review): the failure condition and the return statement are on lines
 * not in this listing. */
151 static int read_data(struct usb_dev_handle *dev, void *buff, int size)
153 int ret = usb_bulk_read(dev, 0x82, buff, size, 2000);
155 fprintf(stderr, "failed to read:\n");
156 fprintf(stderr, "%s (%d)\n", usb_strerror(), ret);
159 else if (ret != size)
160 printf("read_data: read only %d of %d bytes\n", ret, size);
/* Ask controller ctl_id (CTL_DATA_BUS or CTL_ADDR_BUS) for its information
 * block: send CMD_ATM_READY with dev_info.which_device set, then read
 * sizeof(*info) bytes into *info. *info is zeroed before the exchange, so
 * any part the device does not fill stays zero instead of holding stale data.
 * NOTE(review): the error checks between the calls and the return value are
 * on lines not in this listing. */
165 static int read_info(struct usb_dev_handle *device, u8 ctl_id, dev_info_t *info)
170 prepare_cmd(&cmd, CMD_ATM_READY);
171 cmd.dev_info.which_device = ctl_id;
172 memset(info, 0, sizeof(*info));
174 ret = write_cmd(device, &cmd);
178 ret = read_data(device, info, sizeof(*info));
/* Print the firmware version, bootloader version and device name held in
 * *info. The fourth byte of each version is printed with %c as received. */
185 static void printf_info(dev_info_t *info)
187 printf(" firmware version: %X.%X.%X%c\n", info->firmware_ver[0],
188 info->firmware_ver[1], info->firmware_ver[2], info->firmware_ver[3]);
189 printf(" bootloader version: %X.%X.%X%c\n", info->bootloader_ver[0],
190 info->bootloader_ver[1], info->bootloader_ver[2], info->bootloader_ver[3]);
/* Force termination before using %s: the name field is presumably filled by
 * the device via read_info() and need not contain a NUL. This writes to *info. */
191 info->names[sizeof(info->names) - 1] = 0;
192 printf(" device name: %s\n", info->names);
/* Redraw the one-line progress display: backspace over the previous output,
 * then print done/total in hex, a bar of '=' and '-' cells and a percentage.
 * NOTE(review): total is used as a divisor, so callers must not pass 0. The
 * bar's step is computed on a line not in this listing; a step of 0 would
 * keep the loop below from advancing -- confirm how small totals are handled.
 * The percentage is a u32 value printed with %d. */
195 static void print_progress(u32 done, u32 total)
199 printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b");
200 printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b"); /* 20 */
201 printf("\b\b\b\b\b\b");
202 printf("%06x/%06x |", done, total);
205 for (i = step; i <= total; i += step)
206 printf("%c", done >= i ? '=' : '-');
207 printf("| %3d%%", done * 100 / total);
/* Fetch the filename selected by which (FILENAME_*) from the device: send
 * CMD_SEC_GET_NAME, read a 64-byte reply into buff and copy it to dst.
 * The name is device-supplied and should be treated as untrusted input;
 * main() uses it as the output path for -r when no file name is given. */
211 static int read_filename(struct usb_dev_handle *dev, char *dst, int len, u8 which)
217 prepare_cmd(&cmd, CMD_SEC_GET_NAME);
218 cmd.filename.which = which;
219 memset(buff, 0, sizeof(buff));
221 ret = write_cmd(dev, &cmd);
225 ret = read_data(dev, buff, 64);
/* NOTE(review): strncpy() reads up to len bytes of buff and leaves dst
 * unterminated when no NUL occurs within them. main() passes len = 65 while
 * only 64 bytes are read; the size of buff and any explicit termination of
 * dst are on lines not in this listing -- confirm both. */
229 strncpy(dst, buff, len);
/* Store fname on the device as the filename selected by which: copy it into
 * buff, send CMD_SEC_PUT_NAME, then send len + 1 bytes of buff and return
 * that transfer's result.
 * NOTE(review): len and buff are set up on lines not in this listing. For the
 * final transfer to be well defined buff must hold at least len + 1 bytes
 * and buff[len] must be initialised (strncpy() does not terminate when fname
 * is len bytes or longer) -- confirm. */
235 static int write_filename(struct usb_dev_handle *dev, const char *fname, u8 which)
244 strncpy(buff, fname, len);
247 prepare_cmd(&cmd, CMD_SEC_PUT_NAME);
248 cmd.filename.which = which;
250 ret = write_cmd(dev, &cmd);
254 return write_data(dev, buff, len + 1);
/* Read the flash erase counter kept by the device into *val: after a
 * throw-away read_info(), send CMD_ATM_READY with write_cnt.cmd = W_COUNTER
 * and write_cnt.action = W_CNT_READ, then read the reply into buff.
 * NOTE(review): the decoding of buff into *val and the error checks are on
 * lines not in this listing. */
257 static int read_erase_counter(struct usb_dev_handle *dev, u32 *val)
259 dev_info_t dummy_info;
264 /* must perform dummy info read here,
265 * or else device hangs after close (firmware bug?) */
266 ret = read_info(dev, CTL_DATA_BUS, &dummy_info);
270 prepare_cmd(&cmd, CMD_ATM_READY);
271 cmd.write_cnt.cmd = W_COUNTER;
272 cmd.write_cnt.action = W_CNT_READ;
274 ret = write_cmd(dev, &cmd);
278 ret = read_data(dev, buff, sizeof(buff));
/* Read the id of one flash chip into *val. Two CMD_SEC_DEVID queries are
 * sent, with rom_id.dev_id 0 and then 1; the first 16 bits of the first
 * reply become the high half of *val and those of the second reply the low
 * half. is_second selects rom_id.which = 0x10 instead of 0.
 * NOTE(review): the error checks between the calls are on lines not in this
 * listing; *val is only meaningful if both reads delivered at least 2 bytes. */
286 static int read_flash_rom_id(struct usb_dev_handle *dev, int is_second, u32 *val)
292 prepare_cmd(&cmd, CMD_SEC_DEVID);
293 cmd.rom_id.which = is_second ? 0x10 : 0;
294 cmd.rom_id.dev_id = 0;
296 ret = write_cmd(dev, &cmd);
300 ret = read_data(dev, buff, sizeof(buff));
/* NOTE(review): the u16 access reads the reply in host byte order and relies
 * on buff being suitably aligned and on the compiler tolerating the type
 * pun; buff's declaration is not in this listing. */
304 *val = *(u16 *)buff << 16;
306 cmd.rom_id.dev_id = 1;
307 ret = write_cmd(dev, &cmd);
311 ret = read_data(dev, buff, sizeof(buff));
315 *val |= *(u16 *)buff;
/* Map a flash id (erase_seq() passes the value from read_flash_rom_id()) to
 * the matching page table. An id that matches none is reported on stderr.
 * NOTE(review): the id comparisons, the p_2x_16 case and the failure return
 * value are on lines not in this listing. */
319 static const page_table_t *get_page_table(u32 rom_id)
323 return p_AM29LV320DB;
325 return p_AM29LV320DT;
330 fprintf(stderr, "unrecognized ROM id: %08x\n", rom_id);
/* Look up the erase-page size covering addr and store it in *size.
 * Rows are scanned up to the terminator (end_addr == 0). When no row matches
 * and addr is exactly one past the last row's end_addr, 1 is returned to
 * signal the end of flash; any other miss is reported on stderr.
 * NOTE(review): the success and error return values are on lines not in this
 * listing. */
336 static int get_page_size(const page_table_t *table, u32 addr, u32 *size)
338 const page_table_t *t;
340 for (t = table; t->end_addr != 0; t++) {
341 if (addr >= t->start_addr && addr <= t->end_addr) {
342 *size = t->page_size;
/* t[-1] assumes at least one row precedes the terminator, which holds for
 * every table defined in this file. */
347 if (addr == t[-1].end_addr + 1)
348 return 1; /* no more */
350 fprintf(stderr, "get_page_size: failed on addr %06x\n", addr);
355 * - bytes must be multiple of 64
356 * - bytes must be less than 16k
357 * - must perform even number of reads, or dev hangs on exit (firmware bug?) */
/* Transfer one block between buffer and flash at byte address addr; is_w
 * selects CMD_SEC_WRITE (buffer to device) or CMD_SEC_READ (device to buffer).
 * The device receives addr >> 1 split over three bytes, so bit 0 of addr is
 * dropped, and the length as a count of 64-byte packets. buffer must hold at
 * least bytes bytes. No visible line validates bytes; the caller has to keep
 * it a multiple of 64 and small enough for the packet count to fit in param.
 * A transfer that moves fewer than bytes bytes only produces a warning.
 * NOTE(review): the error checks and the return value are on lines not in
 * this listing. */
358 static int rw_rom_block(struct usb_dev_handle *dev, u32 addr, void *buffer, int bytes, int is_w)
363 prepare_cmd(&cmd, is_w ? CMD_SEC_WRITE : CMD_SEC_READ);
364 cmd.write_flag = is_w ? 1 : 0;
365 cmd.rom_rw.addrb2 = addr >> (16 + 1);
366 cmd.rom_rw.addrb1 = addr >> (8 + 1);
367 cmd.rom_rw.addrb0 = addr >> 1;
368 cmd.rom_rw.param = bytes / 64;
369 cmd.rom_rw.param2 = is_w ? 1 : 0; /* ? */
371 ret = write_cmd(dev, &cmd);
378 ret = write_data(dev, buffer, bytes);
380 ret = read_data(dev, buffer, bytes);
385 fprintf(stderr, "rw_rom_block warning: done only %d/%d bytes\n", ret, bytes);
/* Read (is_write == 0) or write bytes bytes of flash starting at addr, in
 * IO_BLK_SIZE chunks followed by one transfer for the remainder, updating
 * the progress display as it goes. An odd addr and a byte count that is not
 * a multiple of 64 are only warned about; the trailing bytes & 63 bytes are
 * not transferred. buffer must be at least bytes bytes long.
 * NOTE(review): total_bytes is the divisor in print_progress(), so bytes == 0
 * needs a guard unless one exists on lines not in this listing. */
390 static int read_write_rom(struct usb_dev_handle *dev, u32 addr, void *buffer, int bytes, int is_write)
392 int total_bytes = bytes;
398 fprintf(stderr, "read_write_rom: can't handle odd address %06x, "
399 "LSb will be ignored\n", addr);
401 fprintf(stderr, "read_write_rom: byte count must be multiple of 64, "
402 "last %d bytes will not be handled\n", bytes & 63);
404 printf("%s flash ROM...\n", is_write ? "writing to" : "reading");
406 /* do i/o in blocks */
407 for (count = 0; bytes >= IO_BLK_SIZE; count++) {
408 print_progress(buff - (u8 *)buffer, total_bytes);
410 ret = rw_rom_block(dev, addr, buff, IO_BLK_SIZE, is_write);
415 bytes -= IO_BLK_SIZE;
417 print_progress(buff - (u8 *)buffer, total_bytes);
421 ret = rw_rom_block(dev, addr, buff, bytes, is_write);
423 print_progress(total_bytes, total_bytes);
427 /* work around rw_rom_block() limitation 3 (even number of reads): issue
 * one extra read into a scratch buffer; its result is ignored */
428 rw_rom_block(dev, 0, dummy, sizeof(dummy), 0);
/* Advance the flash erase counter kept by the device: read the current
 * value, give up when it is already 0xffffffff, then send the value back as
 * four bytes (b3 most significant) with W_CNT_WRITE and read the reply.
 * NOTE(review): the increment itself, the error checks and the return value
 * are on lines not in this listing. */
434 static int increment_erase_cnt(struct usb_dev_handle *dev)
441 ret = read_erase_counter(dev, &cnt);
445 if (cnt == (u32)-1) {
446 fprintf(stderr, "flash erase counter maxed out!\n");
447 fprintf(stderr, "(wow, did you really erase so many times?)\n");
453 prepare_cmd(&cmd, CMD_ATM_READY);
454 cmd.write_cnt.cmd = W_COUNTER;
455 cmd.write_cnt.action = W_CNT_WRITE;
456 cmd.write_cnt.b3 = cnt >> 24;
457 cmd.write_cnt.b2 = cnt >> 16;
458 cmd.write_cnt.b1 = cnt >> 8;
459 cmd.write_cnt.b0 = cnt;
461 ret = write_cmd(dev, &cmd);
465 ret = read_data(dev, buff, sizeof(buff));
/* Send CMD_SEC_ERASE for the flash page at addr (param 0), or the 0x10
 * variant when whole is set, then wait for the device to report completion.
 * The address is sent as addr >> 1 in three bytes, as in rw_rom_block().
 * Completion is polled with CMD_SEC_READY up to 100 times; the test looks for
 * a reply longer than 4 bytes with buff[4] == 1, and the delay between polls
 * is 600 ms (whole) or 20 ms (single page). Running out of polls is reported
 * on stderr.
 * NOTE(review): the error checks, the loop exit and the return values are on
 * lines not in this listing. */
472 static int erase_page(struct usb_dev_handle *dev, u32 addr, int whole)
478 prepare_cmd(&cmd, CMD_SEC_ERASE);
480 cmd.rom_rw.addrb2 = addr >> (16 + 1);
481 cmd.rom_rw.addrb1 = addr >> (8 + 1);
482 cmd.rom_rw.addrb0 = addr >> 1;
483 cmd.rom_rw.param = whole ? 0x10 : 0;
485 ret = write_cmd(dev, &cmd);
489 ret = read_data(dev, buff, sizeof(buff));
493 prepare_cmd(&cmd, CMD_SEC_READY);
494 cmd.rom_rw.addrb2 = addr >> (16 + 1);
495 cmd.rom_rw.addrb1 = addr >> (8 + 1);
496 cmd.rom_rw.addrb0 = addr >> 1;
498 for (i = 0; i < 100; i++) {
499 ret = write_cmd(dev, &cmd);
503 ret = read_data(dev, buff, sizeof(buff));
507 if (ret > 4 && buff[4] == 1)
510 usleep((whole ? 600 : 20) * 1000);
514 fprintf(stderr, "\ntimeout waiting for erase to complete\n");
/* Erase the first size bytes of flash page by page. Both flash ids are read
 * (a mismatch is only warned about), the page table for rom0's id is
 * selected, the erase counter is incremented (failure is only warned about),
 * and each page is erased in turn with the step to the next address taken
 * from get_page_size().
 * NOTE(review): the error checks, the loop exit on get_page_size()'s result
 * and the return value are on lines not in this listing. */
521 static int erase_seq(struct usb_dev_handle *dev, u32 size)
523 const page_table_t *table;
524 u32 addr, page_size = 0;
525 u32 rom0_id, rom1_id;
528 ret = read_flash_rom_id(dev, 0, &rom0_id);
532 ret = read_flash_rom_id(dev, 1, &rom1_id);
536 if (rom0_id != rom1_id)
537 fprintf(stderr, "Warning: flash ROM ids differ: %08x %08x\n",
540 table = get_page_table(rom0_id);
544 printf("erasing flash...\n");
546 ret = increment_erase_cnt(dev);
548 fprintf(stderr, "warning: coun't increase erase counter\n");
550 for (addr = 0, count = 0; addr < size; addr += page_size, count++) {
551 print_progress(addr, size);
553 ret = erase_page(dev, addr, 0);
557 ret = get_page_size(table, addr, &page_size);
564 /* must submit even number of erase commands (fw bug?) */
/* The padding command erases page 0 once more; its result is ignored.
 * NOTE(review): the condition guarding it is not in this listing. */
565 erase_page(dev, 0, 0);
567 print_progress(addr, size);
/* Erase flash using the whole = 1 form of erase_page(): once at address
 * 0xaaa and, when size exceeds 0x200000, once more at 0x200aaa. The erase
 * counter is incremented first; failure to do so is only warned about.
 * NOTE(review): the error checks and the return value are on lines not in
 * this listing. */
573 static int erase_all(struct usb_dev_handle *dev, u32 size)
577 printf("erasing flash0...");
580 ret = increment_erase_cnt(dev);
582 fprintf(stderr, "warning: couldn't increase erase counter\n");
584 ret = erase_page(dev, 0xaaa, 1);
588 if (size > 0x200000) {
590 printf("erasing flash1...");
593 ret = erase_page(dev, 0x200aaa, 1);
/* Print what the device reports about itself: the information block of the
 * data-bus and of the address-bus controller, the flash erase count and the
 * ids of both flash chips.
 * NOTE(review): the error checks after each query and the calls that print
 * the information blocks are on lines not in this listing. */
600 static int print_device_info(struct usb_dev_handle *dev)
602 u32 counter, rom0_id, rom1_id;
606 printf("data bus controller:\n");
607 ret = read_info(dev, CTL_DATA_BUS, &info);
612 printf("address bus controller:\n");
613 ret = read_info(dev, CTL_ADDR_BUS, &info);
618 ret = read_erase_counter(dev, &counter);
621 printf("flash erase count: %u\n", counter);
623 ret = read_flash_rom_id(dev, 0, &rom0_id);
626 printf("flash rom0 id: %08x\n", rom0_id);
628 ret = read_flash_rom_id(dev, 1, &rom1_id);
631 printf("flash rom1 id: %08x\n", rom1_id);
/* Print the ROM and SRAM filenames stored on the device. The strings are
 * device-supplied and are printed as received, without filtering of control
 * characters.
 * NOTE(review): fname's declaration and the error checks are on lines not in
 * this listing. */
636 static int print_game_info(struct usb_dev_handle *dev)
641 ret = read_filename(dev, fname, sizeof(fname), FILENAME_ROM0);
644 printf("ROM filename: %s\n", fname);
646 ret = read_filename(dev, fname, sizeof(fname), FILENAME_RAM);
649 printf("SRAM filename: %s\n", fname);
/* Locate the first attached USB device whose vendor/product id pair appears
 * in g_devices, open it, select configuration 1 and claim interface 0.
 * Every failure is reported on stderr.
 * A device is accepted on its USB ids alone, so everything it sends back
 * afterwards (names, versions, flash ids, ROM data) should be handled as
 * untrusted input by the rest of the program.
 * NOTE(review): the failure checks, any cleanup of the opened handle on the
 * later failure paths and the return statements are on lines not in this
 * listing. */
654 static usb_dev_handle *get_device(void)
656 struct usb_dev_handle *handle;
657 struct usb_device *dev;
661 ret = usb_find_busses();
663 fprintf(stderr, "Can't find USB busses\n");
667 ret = usb_find_devices();
669 fprintf(stderr, "Can't find USB devices\n");
673 bus = usb_get_busses();
674 for (; bus; bus = bus->next)
676 for (dev = bus->devices; dev; dev = dev->next)
678 for (i = 0; i < array_size(g_devices); i++)
680 if (dev->descriptor.idVendor == g_devices[i].vendor &&
681 dev->descriptor.idProduct == g_devices[i].product)
687 fprintf(stderr, "device not found.\n");
691 printf("found %s.\n", g_devices[i].name);
693 handle = usb_open(dev);
694 if (handle == NULL) {
695 fprintf(stderr, "failed to open device:\n");
696 fprintf(stderr, "%s\n", usb_strerror());
700 ret = usb_set_configuration(handle, 1);
702 fprintf(stderr, "couldn't set configuration for /*/bus/usb/%s/%s:\n",
703 bus->dirname, dev->filename);
704 fprintf(stderr, "%s (%d)\n", usb_strerror(), ret);
708 ret = usb_claim_interface(handle, 0);
710 fprintf(stderr, "couldn't claim /*/bus/usb/%s/%s:\n",
711 bus->dirname, dev->filename);
712 fprintf(stderr, "%s (%d)\n", usb_strerror(), ret);
/* Give back interface 0, which get_device() claimed. The result of the
 * release call is not checked.
 * NOTE(review): no usb_close() call is visible in this listing; confirm the
 * handle is closed as well. */
719 static void release_device(struct usb_dev_handle *device)
721 usb_release_interface(device, 0);
/* Print the program banner (with VERSION and the build date) and the option
 * summary to stdout. -f and -v are described in the option list but do not
 * appear in the synopsis line. */
725 static void usage(const char *app_name)
727 printf("Flasher tool for MX game devices\n"
728 "written by Grazvydas \"notaz\" Ignotas\n");
729 printf("v" VERSION " (" __DATE__ ")\n\n");
731 "%s [-i] [-g] [-e] [-r [file]] [-w <file>]\n"
732 " -i print some info about connected device\n"
733 " -g print some info about game ROM inside device\n"
734 " -e erase whole flash ROM in device\n"
735 " -f use different erase method\n"
736 " -r [file] copy game image from device to file; can autodetect filename\n"
737 " -w <file> write file to device\n"
738 " -v with -w: verify written file\n",
/* Entry point: parse the options, load the -w image into memory, open the
 * device, then run the requested steps in a fixed order: device info, game
 * info, erase, write, read back, verify and/or save to file.
 * NOTE(review): many short lines (braces, error checks, gotos/returns) are
 * not part of this listing; the notes below flag points to confirm against
 * the full source. */
742 int main(int argc, char *argv[])
744 int pr_dev_info = 0, pr_rom_info = 0, do_erase_size = 0;
745 int erase_method = 0, do_read = 0, do_verify = 0;
746 struct usb_dev_handle *device;
747 char *r_fname = NULL, *w_fname = NULL;
748 void *r_fdata = NULL, *w_fdata = NULL;
/* Receives the device-stored filename when -r is given without a file. */
749 char r_fname_buff[65];
754 for (i = 1; i < argc; i++)
756 if (argv[i][0] != '-')
759 switch (argv[i][1]) {
/* -e: erase the full 0x400000-byte flash. */
767 do_erase_size = 0x400000;
/* NOTE(review): when the next argument is exactly "-", index 2 lies past its
 * terminator; the comparison with ' ' rather than 0 also looks unintended --
 * confirm the intended test for "next argument is a file name". */
777 if (argv[i+1] && (argv[i+1][0] != '-' || argv[i+1][2] != ' '))
781 if (argv[i+1] && (argv[i+1][0] != '-' || argv[i+1][2] != ' '))
792 if (i <= 1 || i < argc) {
797 if (w_fname != NULL) {
798 file = fopen(w_fname, "rb");
800 fprintf(stderr, "can't open file: %s\n", w_fname);
/* The fseek()/ftell() results are not checked on the visible lines. */
803 fseek(file, 0, SEEK_END);
804 file_size = ftell(file);
805 fseek(file, 0, SEEK_SET);
/* NOTE(review): an image larger than the 0x400000-byte flash only produces a
 * warning here. No visible line clamps file_size, which is later used as the
 * write length, the erase size and the memcmp() length against a
 * 0x400000-byte read-back buffer -- confirm it is clamped or rejected. */
806 if (file_size > 0x400000)
807 fprintf(stderr, "warning: input file too large\n");
809 fprintf(stderr, "bad/empty file: %s\n", w_fname);
814 w_fdata = malloc(file_size);
815 if (w_fdata == NULL) {
816 fprintf(stderr, "low memory\n");
821 ret = fread(w_fdata, 1, file_size, file);
823 if (ret != file_size) {
824 fprintf(stderr, "failed to read file: %s\n", w_fname);
/* Writing implies erasing at least as much as will be written. */
828 if (do_erase_size < file_size)
829 do_erase_size = file_size;
830 } else if (do_verify) {
831 fprintf(stderr, "warning: -w not specified, -v ignored.\n");
837 device = get_device();
842 ret = print_device_info(device);
848 ret = print_game_info(device);
854 if (do_erase_size != 0) {
856 ret = erase_all(device, do_erase_size);
858 ret = erase_seq(device, do_erase_size);
864 if (w_fdata != NULL) {
867 ret = read_write_rom(device, 0, w_fdata, file_size, 1);
/* Store the file name without its directory part; failure is non-fatal. */
871 p = strrchr(w_fname, '/');
877 ret = write_filename(device, p, FILENAME_ROM0);
879 fprintf(stderr, "warning: failed to save ROM filename\n");
/* -r without a file name: fall back to the name stored on the device.
 * NOTE(review): that name is device-supplied and reaches fopen(..., "wb")
 * below unchanged, so it decides which local file gets overwritten. Consider
 * rejecting empty names, path separators and ".." before using it. */
883 if (do_read && r_fname == NULL) {
884 ret = read_filename(device, r_fname_buff, sizeof(r_fname_buff), FILENAME_ROM0);
887 r_fname = r_fname_buff;
/* Read-back always covers the full 0x400000 bytes, for -r and for -v. */
892 if (r_fname != NULL || do_verify) {
893 r_fdata = malloc(0x400000);
894 if (r_fdata == NULL) {
895 fprintf(stderr, "low mem\n");
899 ret = read_write_rom(device, 0, r_fdata, 0x400000, 0);
/* Compares file_size bytes; r_fdata holds 0x400000 bytes, so this is only in
 * bounds while file_size <= 0x400000 (see the size check above). */
905 ret = memcmp(w_fdata, r_fdata, file_size);
907 printf("verification passed.\n");
909 printf("verification failed!\n");
912 if (r_fname != NULL) {
913 file = fopen(r_fname, "wb");
915 fprintf(stderr, "can't open for writing: %s\n", r_fname);
918 ret = fwrite(r_fdata, 1, 0x400000, file);
921 fprintf(stderr, "write failed to %s\n", r_fname);
923 printf("saved to %s\n", r_fname);
932 release_device(device);