Phillips Go Gear Vibe /17

[ATTIKIT]

 Hey guys as some of you might know my sansa clip V2 broke and I could not find a new one so I got a Philips Go Gear and I am starting to research the FW.I found a verification key in the FW using a hex editor (HxD).Just wanted to say I am going to try to port rockbox to this mp3/mp4 player.Any help is appreciated.

Edit: 4/7/10

The FW is loaded from the FLASH

Edit: 4/9/10

built in memory is  NAND Flash

Edit: 4/27/10


I will scan the PCB when I have time

Edit: 4/28/10

I got the FW files and I will post them here

info.dat

Code: [Select]

[FIRMWARE]
FWTYPE=0
MAJORVER=0
MIDVER=6
MINORVER=39


fwaretoc.dat

Code: [Select]

CFG_NUM_FIRMWARE_FILES=6
FILE1_DESCRIPTION=Janus Drive
FILE1_FORMAT_TYPE=2
FILE1_NAME=
FILE1_TAG=11
FILE2_DESCRIPTION=Persistent Data
FILE2_FORMAT_TYPE=2
FILE2_NAME=settings.bin
FILE2_TAG=12
FILE3_DESCRIPTION=Application Image 1
FILE3_FORMAT_TYPE=1
FILE3_NAME=firmware.sb
FILE3_TAG=80
FILE4_DESCRIPTION=Application Image 2
FILE4_FORMAT_TYPE=1
FILE4_NAME=firmware.sb
FILE4_TAG=96
FILE5_DESCRIPTION=Application Image 3
FILE5_FORMAT_TYPE=1
FILE5_NAME=firmware.sb
FILE5_TAG=112
FILE6_DESCRIPTION=Updater
FILE6_FORMAT_TYPE=1
FILE6_NAME=updater.sb
FILE6_TAG=255
signature.dat

Code: [Select]

Philips GoGear Recovery
Philips GoGear Vibe

Edit: 4/29/10

 I found this in the "STDBSTR.DAT" that is hidden on the player in MSC Mode @ Offset 116204                                  

Code: [Select]

...ROCKBO~1/CODECS/WAV64~1.COD.ÿÿÿÿÿÿÿÿÿ
and this @ Offset 116A01

Code: [Select]

...ROCKBO~1/CODECS/COOK~1.COD.ÿÿÿÿÿÿÿÿÿ
along with many other codecs looks like philips might use your codecs

[GoGearVibe]

hey man i found in my Phillips go gear vibe a data file its named:

 Devlcon.fil
i tryed to delete this ,but with the next start it was there again......

what is this???ß

[ATTIKIT]

um if its just me then don't expect this for a while because I go to school and work on this in my spare time

[szczepan2]

How to get a Philips GoGear Vibe SA1VBE04K/17 to MSC mode? I can test your programmed firmware. Lucky porting.

[ATTIKIT]

How to get a Philips GoGear Vibe SA1VBE04K/17 to MSC mode? I can test your programmed firmware. Lucky porting.

Go to Settings/PC Conection

and thx wil be a bit longer school is a bitch

[Chronon]

You should start a wiki page to collect your findings and post its location in this thread.

[saratoga]

Here is a link to the firmware file if anyone is still interested:

http://web.mit.edu/mgg6/www/SA1VBE04K17.7z

It is an STMP format firmware, so probably STMP3700 given the age of the player.  sbtoelf is not able to fully decrypt the file for what its worth.

[pamaury]

For your information, there is page http://www.rockbox.org/wiki/PhilipsGoGear to sumarise the SoC inside some philips players. The SA1VBE04K_17 is of STMP37xx family but it's unclear which one, in particular it could be the STMP3770 which will be hard to port.
The major problem though is that Philips uses an unknown encryption key. It is unfeasible to brute force it and I know for sure that they don't use special keys. We are left with basically three options, all of them are realistic:

• attack on recovery mode: some philips players comes with both a firmware (firmware.sb) and a recovery (recovery.sb) and in the past, Philips made the mistake of encryption the recovery with two keys, including the zero key. When done this way, there is a (relatively) easy way to craft a special firmware to send in USB recovery mode to execute arbitrary code and dump the key
• attack on USB vendor SCSI: most STMP based players are based on the SDK from Sigmatel/Freescale which contains a fatal flaw in its handling of vendor SCSI, leading to remote crashes from the host. I think that by a careful study of how the crash happen, it is possible to take advantage of it to run any code and/or dump the whole firmware (unencrypted)
• attack on virtual memory: here again there is a fatal flow in the firmwares of the STMP because the data section are unencrypted and accessible even without the key. On of them (the pvmi) contains most of the firmware when virtual memory is used (which is very often the case), thus easy to modify. The issue of course is that any modification will make the firmware invalid but with proper SCSI one can write the firmware in a way to bypass any signature check and the ROM doesn't check global validity of the file. Thus allowing to run potentially any piece of code, by proper modification of the virtual memory content.

Clearly the first one is the easiest, but it has very strong requirements. The second one is second easiest if a flaw is found because everything can be done remotely. The last one is the most promising but means some RE and a lots of trial and failures. All of them require physical access to the device.

As a proof of concept, I will try to apply the second or third method to the SA1VBE04K_17 if any of you has the device to test and/or can send me a device to test.
A disassembly of the device with pictures would be most useful too.

[pamaury]

I just checked and the SAVBE04K_17 satisfies the requirement of the first method: it has an updater.sb encrypted with key 0, so it's possible to craft it. So it is possible to retrieve the key using linux and by compiling a few tools. Anyone with the player feels like doing so ?

[Songs0fFailure]

«Magnavox is currently a brand for products made by Funai under license from trademark owner Philips.»
http://www.m4c.magnavox.com/files/s/ == http://download.p4c.philips.com/files/s/
+Indexes
For newer players 'Device Manager Installer' - must be InstallShield 16, but IsXunpack\UniExtract can't unpack it.
And firmware updates in .exe -  smtn named as "PdmFwExe MFC Application". %)

[kevinv710]

Hi pamaury!
i have some GoGear Vibe and Raga from 2G 4G 8G, if you need some of them for project porting let me know, i will send you some of them as gift. Let me know!
Kevin

[rendiok]

I just checked and the SAVBE04K_17 satisfies the requirement of the first method: it has an updater.sb encrypted with key 0, so it's possible to craft it. So it is possible to retrieve the key using linux and by compiling a few tools. Anyone with the player feels like doing so ?

Hello,

I have a go gear vibe sa4vbe08kf/12 and I'm a Linux User. If anyone tells me what i have to do I could try to help.

Regards,

[pamaury]

Hi,
I haven't worked on Philips targets for a long time and I do not really plan to work on them anymore since those are old players now.
Furthermore, some of those Philips players use the STMP3770 which Rockbox cannot support (because it does not have enough RAM).
If you are a programmer, I can walked you through some of the steps (better come on the IRC channel then) but you'll have to do most of the work.