Rockbox Development > New Ports
Creative Zen Vision:M
mcuelenaere:
--- Quote from: iSE on August 03, 2007, 12:18:53 PM ---could it be that its encrypted aswell?
--- End quote ---
It could be, but I don't think so.
There maybe is some MD5 verification, but it would be kinda strange of Creative to do so
(cause then you would have an MD5 "hacker-free" ZLIB compressed binary, which will get an SHA-1 sort-of hash added and get sent to the device).
MagistrateD:
--- Quote from: mcuelenaere on August 03, 2007, 12:12:50 PM ---
--- Quote from: davidb on July 30, 2007, 01:30:29 AM ---I believe your right about the F* and H* theory and therefore about the HDD dump not providing anything about the hashing algorithm. I really think what we need to be concentrating on is answering the question I posed earlier - does the firmware come with the checksum value already in the null block, or does the updater put it there.
--- End quote ---
Indeed, I agree with you.
But to find out, we should extract the firmware from the .exe where it is ZLIB compressed.
I already tried decompressing it, but without any result (see some posts back).
Could someone else try this?
--- End quote ---
im no expert with .exe files but by looking at the latest patch.exe fro the zvm it looks like the fun stuff starts at 0x001000 and ends at 0xF1D140 and is followed by a series of warning strings. i tried running the all round unidecrypt and all i could learn was that it is coded in C++ 6.0. if anyone has anymore guesses about what format it could be compressed in lemme know please.
EDIT: not sure if someone has pointed this out before but creative has a recovery tool for all mps players (http://www.creative.com/products/mp3/MP3PlayerRecoveryTool/welcome.asp?region=2)
not too sure if its worth taking a look at to manipulate and im too tired to check but this also means that if any little tests brick a zen it can be reverted.
mcuelenaere:
Some (useful) links were posted at epiZENter.net:
http://flickr.com/photos/chlazza/946305589/
http://flickr.com/photos/chlazza/946305207/
http://flickr.com/photos/chlazza/946305167/
mcuelenaere:
OK so the last few days I focused myself on trying to extract the compressed nk.bin out of the installer, which I unfortunately didn't succeed in.
But if someone could locate the program called deezee or one which has the same functionality, that could be very helpful.
edit: I already got the program now, but it didn't work; so the data must be available in an altered way and not in the normal ZLIB format.
On the other hand, I analyzed some of the files in nk.bin and I'm pretty sure EXT0 is written for the C54x DSP chip and FBOOT is the boot loader (which could load the encrypted/compressed/obfuscated/... block present in the nk.bin file).
I also checked the SHA-1 variants iSE sent me, but apparently these are just 'other ways' for generating the same SHA-1 checksum; so maybe Creative is using a slightly modified version or they are computing the checksum in a way we don't (yet) know, for example the whole file except for the first 10 bytes.
mcuelenaere:
So I extracted some raw data out of the exe, but I think it is 1)XORed with a key and 2)ZLIB compressed.
The size of the file is present at 0x5D0C0 and is a Little Endian UInt. Directly after this number is the raw data present ending in one '0000' block. These numbers are based on ZENVisionM_30GB_PCFW_L21_1_61_01.exe.
The file could be XORed with this key: '34d12D23f6c894B96ff4735153836'
download link: http://www.verzend.be/v/7079781/perfect.bin.html
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version