Creative Zen Vision:M

[mcuelenaere]

Hello,
I committed a custom firmware update utility for the Gigabeat S, based on the sendfile.c file that mcuelenaere posted earlier. I've only tested it on the Gigabeat and it works fine. However, mcuelenaere told me it has the same update process as the ZVM, so I'm hoping my tool will work on the ZVM too... Could someone confirm? The tool is in the utils/MTP directory of the SVN repository.

I've (finally) got it to compile in cygwin, but libmtp doesn't recognize my ZVM
So, maybe whenever I will install linux, I'll test it but I'm pretty sure that it will work (if it works with the Gigabeat, it should also work with the ZVM)

edit:
shouldn't in the Makefile

Code: [Select]

LIBS = -lmtp be

Code: [Select]

LIBS = -llibmtp ?
Because this one worked in cygwin, and I suppose the library is called libmtp and not mtp?

[GodEater]

edit:
shouldn't in the Makefile

Code: [Select]

LIBS = -lmtp be

Code: [Select]

LIBS = -llibmtp ?
Because this one worked in cygwin, and I suppose the library is called libmtp and not mtp?

Can't speak for cygwin, but no - that's not what it should be for any other POSIX based system. Nico's is right for Linux certainly.

[bobbaluba]

Hi. I'm not very skilled in programming yet, so i don't think I am able to help with rockbox. But I've created a small program, which you might find useful.
It calculates the correct checksum of the CIFF block, and replaces the existing one in the null block.

http://bananweb.mine.nu/filer/nullblockfixerMKII.zip

[mcuelenaere]

So the LT© block is firstly encrypted using Blowfish in CBC mode with key '1sN0TM3D az u~may th1nk*Creative Zen Vision:M'.
After this, it is decoded using the compression/encoding of CENC (zook documented it in his zenfirm utility source code).

Only problem is: I can't seem to decrypt the block correctly (probably because my first IV isn't set correctly) so I'm kinda stuck right now.

zook, you know the most of the encryptions used in the firmware, did you already decode LT© ?
If not, can you help me decrypting the file?

[zook]

I've been a bit busy, however I've just added zenutils to the wiki.
The package contains all the utilities needed to produce firmware archives with executable code in them.
I haven't had time to document their usage, so you'll have to read the help screens for instructions.

[sejerpz]

Very nice work! Thank you!
This is my first day here and you (all of you) have made a great work.
I've made some experiments based on your code with my Zen 4GB (not the vision).
From what I've seen everything in the firmware is the same (but nk.bin lacks the FBOOT field).
This afternoon I've ported some of your windows versions, and I manage to extract and flash my device reliabily.
Some hour ago I compiled your new zenutils in my linux box, zen_crypt failed just because stricmp in linux is strcasecmp, but everything else worked and even zen_crypt with the correction worked well.

So I've tryed to guess the encription key and I was lucky.

The Zen 4GB keys for the TL record and for the HMAC-SHA1 are:
HMAC: CTL:Z3N07|PDE0.DPMP.
TL: 1sN0TM3D az u~may th1nk*Creative ZEN

I'm sorry, but the most difficult key still remain unknown (FRESC)

Attached a patch to zenutils/zen_crypt

Bye,
Andrea

P.S.
Zook mind the #if since I never use cmake...

[Falafel]

Sorry to ask, but could someone add a zenvision playerconstant to zencrypt? I tried to but had trouble compiling it (probably because of my ignorance, but still)
the TL key is: 1sN0TM3D az u~may th1nk*Creative Zen Vision

[bobbbaluba]

I know I shouldn't ask about progress all the time, but has anyone looked at the TL block yet?
Does anyone understand what it does, and how it works?

I looked through the file, and i noticed some filenames i don't think anyone has mentioned yet.
One of them was called jukebox.hds, and is not present in any of the firmware archives. Looks like this is some kind of file that just is in the firmware when you get it from the store. Any idea what it does?

Another files are jukebox2.jrm and Creative_L.h

I also have some problems upgrading my player after i have decrypted and encrypted the TL block. If I leave it alone, everything works smooth.
Great tool, zook!

[zook]

This afternoon I've ported some of your windows versions, and I manage to extract and flash my device reliabily.
Some hour ago I compiled your new zenutils in my linux box, zen_crypt failed just because stricmp in linux is strcasecmp, but everything else worked and even zen_crypt with the correction worked well.

Ohh, I thought supporting cygwin would implicitly include linux. I've been meaning to install ubuntu for a while, so I'll have a look at it when I get around to it.

I'm sorry, but the most difficult key still remain unknown (FRESC)

FRESC on the Zen player uses a different file format than all the other players I've looked at.
Maybe decryption will work if you offset it by the 0x70 bytes header.

Sorry to ask, but could someone add a zenvision playerconstant to zencrypt? I tried to but had trouble compiling it (probably because of my ignorance, but still)
the TL key is: 1sN0TM3D az u~may th1nk*Creative Zen Vision

I'll add it this weekend, along with a few other fixes.

I know I shouldn't ask about progress all the time, but has anyone looked at the TL block yet?
Does anyone understand what it does, and how it works?

Yes. Most of my time lately has been spent reading and commenting it.

FBOOT contains a bootloader (stored in flash) which get's loaded by the on-chip bootloader.
When FBOOT executes, it decrypts and loads FRESC.
FRESC contains the Rescue Mode software (stored in flash).
When FRESC executes, it does a series of tests to determine if it needs to execute the Rescue Mode menu or decrypt and load Jukebox2.jrm.
TL contains the Player Mode software (stored as Jukebox2.jrm on the HDD).
TL, like FRESC, includes the Nucleus RTOS, making them self-contained. The fileformat used for both is what I've described as the FRESCUE Structure on the DellDJPort wiki.

I looked through the file, and i noticed some filenames i don't think anyone has mentioned yet.
One of them was called jukebox.hds, and is not present in any of the firmware archives. Looks like this is some kind of file that just is in the firmware when you get it from the store. Any idea what it does?

I haven't looked into the meat of the filesystem, however the bit's i've seen does resemble what's described here.
At any rate there's dozen's of files which are only created and used internally.
Presumably they're using a meta file system which is layered on top of the underlaying filesystem provided by whatever RTOS they've used (Nucleus on the Vision:M, TI DSP/BIOS on the elder players).

I also have some problems upgrading my player after i have decrypted and encrypted the TL block. If I leave it alone, everything works smooth.

Hmm, did you update the null signature after you created the archive?
I'll be able to test the updater some time next week. So far I've had to rely on testing the tools against each other.

[mcuelenaere]

...

Yes. Most of my time lately has been spent reading and commenting it.
...

I've been doing the same, maybe we could share our findings?
Some of the naming of the functions aren't correct at all, but all the png_*, Gd*, linear16*, freetype2 and memcpy & co are correct (I verified them against the (open) source code)

Code: [Select]

Start         Length     Name                   Class
 0001:00000000 000003510H seg000                 DATA
 0002:00000000 000000068H seg001                 DATA
 0001:00000000 00000B046H seg002                 DATA
 0003:00000000 0001E6BE0H seg003                 DATA
 0004:00000000 000000E10H seg004                 DATA
 0005:00000000 000010054H seg005                 DATA
 0006:00000000 000067FB8H seg006                 DATA
 0007:00000000 00004B464H seg007                 DATA
 
 Address             Publics by Value
 0001:00000000       start
 0001:00000040       boot_2
 0003:00000000       interrupts____
 0003:0000146C       usb_mode
 0003:000024A0       interrupts___
 0003:00016158       minifs_related
 0003:00016794       mass_used_2
 0003:00016BE4       mass_used
 0003:0001704C       poss_fwrite
 0003:00017318       fread
 0003:0001738C       minifs_related_2
 0003:00017570       fopen
 0003:000177A4       fclose
 0003:00017DE4       VFAT_something
 0003:00038D4C       malloc
 0003:000391F8       free
 0003:0003C0D0       system
 0003:0003DF88       kernelobject__
 0003:0003EEF4       special___
 0003:0003EF24       fclose_2___
 0003:0003EFAC       fopen_2___
 0003:0003F124       jukebox_grs_GROUP_parser
 0003:0003F22C       move_4_forward
 0003:0003F238       move_8_forward
 0003:0003F254       mass_used_3
 0003:00040200       HDD_and_VFAT_something
 0003:00040C18       winmgr_object__
 0003:00041948       HW___
 0003:00041958       interrupts
 0003:0004253C       init_all
 0003:00042968       f_____write___2
 0003:000434DC       SYSTEM_H__
 0003:00043C44       load_messages_and_start
 0003:0004420C       loadcopyrightaccelerated
 0003:00044248       loadcopyrightMGC
 0003:000451B8       farfree
 0003:00045200       farmalloc
 0003:0004524C       png_malloc_default
 0003:000454C4       png_free_default
 0003:00048EC8       memcpy
 0003:000496C4       mwdrawing
 0003:00049E00       memset
 0003:0004A438       strncpy
 0003:0004A5BC       memcmp
 0003:0004A708       strcpy
 0003:0004A724       strlen
 0003:0004B06C       FT_MulFix
 0003:0004E8D4       FT_New_Memory_Face
 0003:0004E98C       FT_New_Face
 0003:000C4A28       parsejukebox_opt
 0003:000C5EC4       init_rtc0_and_video0
 0003:000C6A38       system_boot
 0003:000DA264       enc_engine
 0003:000DB498       enc_engine2
 0003:001027B8       used_in_kobjects
 0003:00102850       initjukebox_opt
 0003:00102958       system_boot_caller
 0003:001168C0       init_wallpaper
 0003:00116A70       init_wallpaper_and___
 0003:0011B4F0       j_fread
 0003:0011C26C       png_read_transform_info
 0003:0011F46C       png_do_read_transformations
 0003:0011F8BC       png_do_read_intrapixel
 0003:0011FA60       png_read_start_row
 0003:0011FD38       png_crc_read
 0003:0011FDF8       png_crc_finish
 0003:0011FEC8       png_get_uint_32
 0003:0011FF24       png_read_finish_row
 0003:00120224       png_read_filter_row
 0003:0012044C       png_decompress_chunk
 0003:00120778       png_handle_unknown
 0003:00120B04       png_handle_zTXt
 0003:00120D20       png_handle_tRNS
 0003:00120F34       png_handle_tEXt
 0003:00121164       png_handle_sRGB
 0003:001214AC       png_handle_sPLT
 0003:001217B4       png_handle_sCAL
 0003:001219CC       png_handle_sBIT
 0003:00121B68       png_handle_pHYs
 0003:00121DA0       png_handle_pCAL
 0003:00122034       png_handle_oFFs
 0003:0012219C       png_handle_iCCP
 0003:00122460       png_handle_hIST
 0003:0012260C       png_handle_gAMA
 0003:00122928       png_handle_cHRM
 0003:00122D84       png_handle_bKGD
 0003:0012309C       png_handle_PLTE
 0003:00123284       png_handle_IHDR
 0003:00123410       png_handle_IEND
 0003:0012396C       png_combine_row
 0003:001297B4       linear16_stretchblit
 0003:00129D6C       linear16_readpixel
 0003:0012B01C       linear16_drawarea
 0003:0012B520       linear16_blit
 0003:0012BF10       GdBlit
 0003:0012C2D8       GdStretchBlitEx
 0003:0012C788       GdStretchBlit
 0003:001307E8       j_malloc
 0003:001307F0       j_free_0
 0003:0013E9A4       inflateReset
 0003:0013EE3C       inflateEnd
 0003:0013F060       inflate
 0003:001404EC       png_read_update_info
 0003:0014056C       png_read_row
 0003:00140AD4       png_read_info
 0003:00140FF8       png_read_image
 0003:00141088       png_read_end
 0003:00141524       png_read_png
 0003:001416FC       png_read_init_3
 0003:00141868       png_read_init_2
 0003:001418E0       png_read_init
 0003:0014198C       png_read_destroy
 0003:00141CDC       png_destroy_read_struct
 0003:001423CC       f_____3
 0003:00142F68       create_3_CLASS
 0003:00148B88       freetype2_gettextsize_fast
 0003:00148DAC       freetype2_gettextsize_rotated
 0003:00149018       freetype2_gettextsize
 0003:001490C4       freetype2_getfontinfo
 0003:00149278       freetype2_face_requester
 0003:0014CCB4       png_set_unknown_chunks
 0003:0014CE10       png_set_text_2
 0003:0014D3D0       png_set_sPLT
 0003:00158330       Creative_L_h__
 0003:00158B34       load_wallpaper
 0003:00160A00       png_zfree
 0003:00160A04       png_zalloc
 0003:00160A5C       png_sig_cmp
 0003:00160AB0       pngsignature
 0003:00160AE4       png_reset_crc
 0003:00161000       png_info_destroy
 0003:00161118       png_data_freer
 0003:00161980       initialize_winmgr
 0003:00168170       png_set_interlace_handling
 0003:0016EC80       GdFixCursor
 0003:0016ECB0       GdCheckCursor
 0003:0016F82C       GdClipArea
 0003:00170D88       create_CLASS
 0003:00170DA4       create_2_CLASS
 0003:00172AC0       initmemgc
 0003:001732F4       Creative_L_h
 0003:00173994       png_warning
 0003:00173A24       png_default_error
 0003:00173A34       png_error
 0003:0017407C       png_memcpy_check
 0003:001740B8       png_malloc
 0003:00174114       png_malloc_warn
 0003:00174158       png_free
 0003:001741C4       png_destroy_struct
 0003:00174248       png_create_struct
 0003:0017650C       png_set_read_fn
 0003:00176550       png_read_data
 0003:0017786C       j_mass_mass_used_malloc__
 0003:00177870       j_free
 0003:001A7E64       parsevideofile
 0003:001A8B34       determinefiletype

[zook]

...

Yes. Most of my time lately has been spent reading and commenting it.
...

I've been doing the same, maybe we could share our findings?
Some of the naming of the functions aren't correct at all, but all the png_*, Gd*, linear16*, freetype2 and memcpy & co are correct (I verified them against the (open) source code)

Here's a few different scripts I've been using: idc_utils
load.idc - maps tms320dm320 peripheral registers, maps the "user data" starting at 0x1C00004, loads names from a txt file.
save.idc - saves non-autogenerated function names to a txt file.
zook.txt - contains the result of running save.idc against my idb.

[mcuelenaere]

@zook:
I'm having trouble decrypting the ZVM 60GB TL block, I'm always getting 'Failed to decrypt the input file'. (I'm using your binaries)

I haven't custom compiled the source so I could see the exception, but I will later maybe; I just thought I should report it.

BTW, the key is "1sN0TM3D az u~may th1nk*Creative ZEN Vision:M (DVP-HD0004)"

edit:
I'm also having trouble extracting the firmware out of the Zen Vision W's executable. The key is '34d12GC61e9ggF2C6dc114596666926' and firmware_extract gives me this:

Code: [Select]

c:\zen\zvw>update_extract -u ZENVisionW_PCFW_P4S_L20_1_10_01.exe -V
[*] Looking for firmware archive key...
[*] Looking for firmware archive offset...
[*] Printing input variables...
    Updater executable:  ZENVisionW_PCFW_P4S_L20_1_10_01.exe
    Firmware archive:    ZENVisionW_PCFW_P4S_L20_1_10_01_rk.bin
      Key:               34d12GC61e9ggF2C6dc114596666926
      Offset:            0x0005d0c0
      Size:              0x00eea7c0
[*] Reading firmware archive...
[*] Decrypting firmware archive...
[*] Decompressing firmware archive...
Failed to decompress the firmware archive.

[sejerpz]

Zook:

FRESC on the Zen player uses a different file format than all the other players I've looked at.
Maybe decryption will work if you offset it by the 0x70 bytes header.

No luck, tried a lot of keys, but nothing.

I don't know if I understand it correctly, but I've first to decrypt the FRESC and *than* decode using CENC?
Will give another try this night.

Bye.

[wesmo]

I think we need to clean up the wiki information about all creative ports - there seems to be info scattered on 5 pages:

http://www.rockbox.org/twiki/bin/view/Main/CreativeZenTouch - Zen Xtra/NJB3/Touch info
http://www.rockbox.org/twiki/bin/view/Main/CreativeZVMPort - most current page
http://www.rockbox.org/twiki/bin/view/Main/DellDJPort - based on zen xtra
http://www.rockbox.org/twiki/bin/view/Main/OtherTargets - nano/nano plus info
http://www.rockbox.org/twiki/bin/view/Main/NJB3Firmware - firmware page (outdated)

I might give this a shot today - check over at  http://www.rockbox.org/twiki/bin/view/Main/Creative - ill try and have something semi functional today - my plan is to incorporate all current firmware info on one page and keep the exist port pages for scans and part info - any other opinions?

If anyone has some spare time. did you want to check out the remaining firmwares we haven't looked at - i think we can smart guess most of them? I reckon anything before Creative Zen Vision W -> NJB1 will have keys "1sN0TM3D az u~may th1nk*INSERT NAME HERE"

Product names used are listed here http://www.rockbox.org/twiki/bin/view/Main/CreativeZenTouch#Creative_Series_3_NJB3_Info  , http://en.wikipedia.org/wiki/Creative_Nomad and http://en.wikipedia.org/wiki/Creative_ZEN

[mcuelenaere]

...

edit:
I'm also having trouble extracting the firmware out of the Zen Vision W's executable. The key is '34d12GC61e9ggF2C6dc114596666926' and firmware_extract gives me this:

...

Next to the Zen Vision W firmware, the Zen V doesn't work either:

Code: [Select]

C:\zen>update_extract -u ZENV_PCFW_L22_1_32_01.exe -V
[*] Looking for firmware archive key...
[*] Looking for firmware archive offset...
[*] Printing input variables...
    Updater executable:  ZENV_PCFW_L22_1_32_01.exe
    Firmware archive:    ZENV_PCFW_L22_1_32_01_rk.bin
      Key:               34d12G399fc29D25669g616119143
      Offset:            0x0006fb70
      Size:              0x0036e18b
[*] Reading firmware archive...
[*] Decrypting firmware archive...
[*] Decompressing firmware archive...
Failed to decompress the firmware archive.