Gigabeat F firmware hacking information

[shoora]

I have done some homework on Gigabeat F firmware.
So far:
1. Created program to decode/encode firmware images.
2. Created program to change bitmaps in flash image and modified my Splash screen.
3. Successfully flushed my Gigabeat with modified images.
4. Made patch power button for shorter wait before system starts bootup.
5. Made patch to start up Gigabeat immediately after external power plugged. Great for "Car adapter mode"! With this patch you can not shutdown player while external power connected - it will startup again :-)

I believe it's not impossible to write custom bootloader to load Rockbox image directly. I just don't care that much. Resume (see below) is lot more important!

Firmware utilities, flash listing (IDA 5.10), LCD init code. Will be continued...
http://rapidshare.com/users/VUBQPF
Updated Apr. 19 2007
- GigabeatBmpView: better recognition of bitmap files
- GigabeatBmpView: work only with RGB 24 bit files.

- You may want to change splash screen in "hd-graphic+crc.bin". Then use GigabeatBmpView.exe to vies and change bitmaps (F1 - help).
- You may be interested in changing f-hd-loader+crc.bin (loader and startup code). You can find couple of patches in directory /patches. If you want
BE EXTREMELY CAREFUL making you own patch! You can use provided IDA listing to find place to patch in firmware.
The GigabeatBmpView tool now can process encrypted files.
ote:
Please, use TAB key to switch between bitmaps in graphics file. In this way window sizes will be changed automatically with pixel precision.

WE DO NOT HAVE ANY PROCEDURE TO UNBRICK THE PLAYER.
I can confirm that  couple patches from patches directory work and graphics safely be edited.
1. Use fwupDecrypt.exe to decrypt firmware files (hd-zboot-flprog-2440+CRC.bin, f-hd-loader+crc.bin,
hd-secure+crc.bin, hd-panic+crc.bin, hd-graphic+crc.bin) from directory \update (in archive \firmware_upgrade\update).
2. Do something manipulations with this binaries.
3. Reencode  them using fwupDecrypt.exe with parameter -e.
4. Use package from /firmware_upgrade to update  flash.

[Mad Cow]

Wow, good work! What's the possibility of bricking the gigabeat with bootloader hacking? Is there any lower form of bootloader that handles USB? Maybe you can release some of this, because I would find the shorter power button holding very, very useful.

[markun]

nice work shoora!

We still want to flash our own bootloader some day, but I was waiting for more info about the LCD driver IC so we can write our own LCD init code and actually know what we are doing (instead of just taking it from the OF)

Could you visit us in #rockbox to talk about it some more?

[kkurbjun]

shoora,

I am really interested in this information.  How are you doing your patches?  Are you dumping the flash and running objdump or something similar?  Currently I am really interested in getting a dump/disassembly of the flash - I just started looking at it tonight and Llorean pointed me to your post.  I am interested in working toward a fully replaced bootloader, or at the least patching some of the checks in startup (I think the OF bootloader is interfering with the alarm wakeup, but I am not sure without a dump/disassembly).

[shoora]

Wow, good work! What's the possibility of bricking the gigabeat with bootloader hacking? Is there any lower form of bootloader that handles USB? Maybe you can release some of this, because I would find the shorter power button holding very, very useful.

I am pretty sure we can brick the device flashing buggy firmware.
I am not familiar with common practice of recovery from bad flash. But considering number of protection you have to pass before binary will be flashed, we are in danger zone.
I need some time to reorder my stuff for your convenience, and put at least some notes behalf my findings.

[Soader03]

If a day, we can flash the bootloader, it will have a chance to unflash to put the original bootloader or firmware? I don't see the utily but when you return your player to Toshiba to change a piece or the battery...

[Mad Cow]

If a day, we can flash the bootloader, it will have a chance to unflash to put the original bootloader or firmware? I don't see the utily but when you return your player to Toshiba to change a piece or the battery...

I can't see why you wouldn't be able to. But I think that your warranty will be over by the time you have to buy a new battery.

[shoora]

If a day, we can flash the bootloader, it will have a chance to unflash to put the original bootloader or firmware? I don't see the utily but when you return your player to Toshiba to change a piece or the battery...

Actually firmware is time stamped. So, you can revert original firmware only with new date. In order to do so you need to decode and then encode original firmware file.
This will only be necessary if you have changed changed your splash screen.

[markun]

Actually firmware is time stamped. So, you can revert original firmware only with new date. In order to do so you need to decode and then encode original firmware file.
This will only be necessary if you have changed changed your splash screen.

If we have our own tool (like the iriver_flash plugin) this doesn't apply of course.

[shoora]

Actually firmware is time stamped. So, you can revert original firmware only with new date. In order to do so you need to decode and then encode original firmware file.
This will only be necessary if you have changed changed your splash screen.

If we have our own tool (like the iriver_flash plugin) this doesn't apply of course.

At this point we can...if we really need.
they use _open("/dev/from",_O_SHORT_LIVED|_O_RDWR/*0x1002*/);
Please look for fwup listing in forder
http://rapidshare.com/users/VUBQPF

[roolku]

Please look for fwup listing in forder
http://rapidshare.com/users/VUBQPF

Thank you for sharing this, I now have "Powerup on AC plugin" and "Shorted delay on POWER" on my gigabeat.

One thing I noticed was that encrypt.bat and decrypt.bat didn't handle f-hd-loader+crc.bin, so i added:

Code: [Select]

..\fwupDecrypt\fwupDecrypt.exe f-hd-loader+crc.bin          f-hd-loader+crc.bin.decand

Code: [Select]

..\fwupDecrypt\fwupDecrypt.exe -e f-hd-loader+crc.bin.dec          f-hd-loader+crc.bin respectively. Also is it required to de-/encrypt the other 4 files since only f-hd-loader+crc.bin.dec is being patched? I noticed the cycle didn't result in identical files.

Anyway. Everything worked fine. So thanks again.

[shoora]

One thing I noticed was that encrypt.bat and decrypt.bat didn't handle f-hd-loader+crc.bin, so i added:

It's just because of time stamp in image. Look at last 16 bytes in decrypted file. fwup utility just compares time stamp of image file with same area in flash and reject flashing of older or same image.
I just decided not to put adiition effort on detection that image was actually modified.

By the way, with some mumba-jumba I've managed to successfuly resume Gigabeat from suspend bypassing bootstrap. The only problem I have is LED controller initialization is unreliable. And, possibly, there some small issues with IDE controller. I am can try to implement something like suspend function to put Rockbox into sleep and return from this function after resume. Same as original Linux on gigabeat.
Do we any Rockbox targets that implement suspend? We can save few seconds on shutdown and on resume (bypassing rebuffering).
I have some project with higher priority, and have plan to return to rockbox in a few days.

[Mad Cow]

Nice! I just figured out how to decrypt hd-graphic+crc.bin and work the BMP viewer. I'm guessing you have to run "fwupdecrypt.exe -e -a5 input.bin hd-graphic+crc.bin" after, to encrypt it. Also, how do you work the patches?

EDIT:  decrypt.bat doesn't seem to work, it says that it's "unable to open source file", but fwupdecrypt.exe works fine if I do it manually. The paths are all correct, if they aren't it gives another error.

[roolku]

I'm guessing you have to run "fwupdecrypt.exe -e -a5 input.bin hd-graphic+crc.bin" after, to encrypt it.

Where did you get the -a5 ? encrypt.bat doesn't have it.

fwupDecrypt.exe -e hd-graphic+crc.bin.dec           hd-graphic+crc.bin    

Also, how do you work the patches?

decrypt.bat
<patch>.bat
encrypt.bat

note my comment about missing line in *crypt.bat. I am still not 100% sure you need to *crypt all 5 files (or just the one you want to modify), but Shora's date comment seems to support it.

EDIT:  decrypt.bat doesn't seem to work, it says that it's "unable to open source file", but fwupdecrypt.exe works fine if I do it manually. The paths are all correct, if they aren't it gives another error.

Double-check your path. It worked for me. Alternatively - did you have the input file open in an editor perhaps?

[Mad Cow]

I'm guessing you have to run "fwupdecrypt.exe -e -a5 input.bin hd-graphic+crc.bin" after, to encrypt it.

Where did you get the -a5 ? encrypt.bat doesn't have it.

fwupDecrypt.exe -e hd-graphic+crc.bin.dec           hd-graphic+crc.bin    

Also, how do you work the patches?

decrypt.bat
.bat
encrypt.bat

note my comment about missing line in *crypt.bat. I am still not 100% sure you need to *crypt all 5 files (or just the one you want to modify), but Shora's date comment seems to support it.

EDIT:  decrypt.bat doesn't seem to work, it says that it's "unable to open source file", but fwupdecrypt.exe works fine if I do it manually. The paths are all correct, if they aren't it gives another error.

Double-check your path. It worked for me. Alternatively - did you have the input file open in an editor perhaps?

Then what do the -a* switches do? And yes, I had it open in an editor, could that have caused the problem?

EDIT: the .bat files still don't work, this is what they look like:

Code: [Select]

..\fwupDecrypt\fwupDecrypt.exe hd-graphic+crc.bin           hd-graphic+crc.bin.dec
..\fwupDecrypt\fwupDecrypt.exe hd-panic+crc.bin             hd-panic+crc.bin.dec
..\fwupDecrypt\fwupDecrypt.exe hd-secure+crc.bin            hd-secure+crc.bin.dec
..\fwupDecrypt\fwupDecrypt.exe hd-zboot-flprog-2440+CRC.bin hd-zboot-flprog-2440+CRC.bin.dec The directory structure is the same as in the zip and anll of the needed files are in fwupDecrypt.