Rockbox Development > New Ports
Dell Digital Jukebox
LambdaCalculus:
Excellent!! No protection to hassle with means that we shouldn't have much trouble alternate firmware to work.
zook, can you add this info to the wiki?
zook:
--- Quote from: LambdaCalculus379 on September 20, 2007, 11:12:49 AM ---Excellent!! No protection to hassle with means that we shouldn't have much trouble alternate firmware to work.
zook, can you add this info to the wiki?
--- End quote ---
Sure. I'll have to think about how to best arrange it. The information applies to select versions of the Dell DJ, Zen Micro, Zen Touch and Zen Xtra. So we'll probably need a shared page with information about the firmware in these models.
I've written a loader plugin for IDA, which handles the FRESCUE address mappings.
And I'm currently working on fixing the TMS320C55 processor plugin. As it turns out it's actually missing 14 instructions out of 393, so there's a bit of work in determining what needs to be added.
Once that is done I'll have a go at producing signatures from the TI libraries, which the firmware uses.
This should give us a good basis for exploring the rescue mode software. I'll add source and binaries to the wiki when I get so far.
Now, I should probably add that I own neither of these models (or any other for that matter). I'm hoping that looking into these will shed some light on what happens in the new versions. Most of the models introduce the NULL signature block, in their later firmware revisions, which is what is holding back progress on the Vision:M. So the entrance into the protected firmware must lie within the unprotected ones. I'll of course share whatever relevant bit's I discover but ultimately my focus is towards the newer models.
LambdaCalculus:
zook: Here's the Dell DJ wiki page: http://www.rockbox.org/twiki/bin/view/Main/DellDJPort
mcuelenaere:
Hi zook,
could you share your IDA loader plugin because I'm having trouble identifying the FRESCUE address mappings.
The only things I discovered are the two blocks (CODE & CENC) and a lot of strings.
zook:
--- Quote from: LambdaCalculus379 on September 21, 2007, 03:13:01 PM ---zook: Here's the Dell DJ wiki page: http://www.rockbox.org/twiki/bin/view/Main/DellDJPort
--- End quote ---
Right. I just got permission's, so I'll have a look at getting the info added.
--- Quote from: mcuelenaere on September 22, 2007, 09:48:03 AM ---Hi zook,
could you share your IDA loader plugin because I'm having trouble identifying the FRESCUE address mappings.
The only things I discovered are the two blocks (CODE & CENC) and a lot of strings.
--- End quote ---
Sure. Here's the source and a binary built for 5.0: http://www.mediafire.com/?ftddmjbxzsn
If you need to build it for another version, you'll have to extract it to the \sdk\ldr\ directory.
It only works for big-endian models right now. There's no point supporting the little-endian's right now, as they're all protected.
The firmware's that I've tested it with so far are:
DellDJ_1_20_03.exe
ZenMicro_PCFW_L4_2_00_12_MTP.exe
ZenTouch_PCFW_L4_1_01_03.exe
ZenXtra_PCFW_LA_1_20_08.exe
There's two things to be aware of once you get a firmware loaded:
1) The following two instructions are not supported by the disassembler (I'm working on that, though):
10010000 XSSSXDDD MOV xsrc, xdst
11101100 AAAAAAAI XDDD1110 AMAR Smem, XAdst
2) There's an ISR table of 32 entries starting at address 0x200. Each entry consist of 8 bytes. It starts with a status byte(IIRC) then a 24-bit address of the ISR handler, and 4 filler bytes.
The first entry is the reset handler and it points to the function named _c_int00 (in the TI source), this is the starting point of the rescue mode software.
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version