Downloads

releases

current build

extras

Documentation

FAQ

manual

wiki

docs index

Support

mailing lists

IRC

forums

Tracker

bugs

patches

TWiki > Main > Creative

Creative

Current status
Information:
Original Firmware
Miscellaneous Links

Current status

Watch the ZVM Port Thread for current progress

"The short-term goal is to get a build tool chain up and running." - tools/rockboxdev.sh (and select arm)

"Once that's ready, the actual porting process can begin. Which I think entails writing a bootloader, working out (reversing/reading specs) how the various devices work and writing the code to integrate them into the rockbox source."

"The bootloading of the player software is split into 3 phases: 1) The built-in boot loading, which loads a limited sized secondary boot loader from a fixed location in flash memory, to a fixed address. 2) The secondary boot loader (named FBOOT in the firmware) which decrypts and loads the Rescue Mode software (FRESC) also from flash memory. 3) The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/TL) from a file named Jukebox2.jrm on the HDD. If the validation checks fail, it'll load a Resuce Mode menu, which allows you to "reload" the firmware amongst other things."

"I've described the file formats, hashing, compression and encryptions algorithms involved in the process."

zook from the forum thread

Information:

Zen Xtra/NJB3/Touch

Dell DJ

Zen Nano Plus/Non-Plus

The chipset implemented in this device (SigmaTel 3520) is similar to that of the Ipod Shuffle, and is the same as in the iAudio I5/G2/U2, as well as the MobiBLU DAH-1500i. A free complier for the chip does not exist. The Plus models have an FM tuner on-board, the TEA5767. Hi-Res photos of the internals found here.

Original Firmware

Firmware Info

NJB Firmware info page - outdated

The firmware used by Creative is Nucleus RTOS. They use Nucleus PLUS and the ARM925 TI v. 1.14 toolchain to compile it according to strings found in FBOOT. This is based on MicroWindows^? (Nano-X), as several assert messages are found pointing to (open source) source code. (even NeurosTechnology uses Nano-X)

Other strings of companies working on the firmware:

Copyright MGC 2004 - Nucleus PLUS - ARM925 TI v. 1.14
Accelerated Technology Internal Use Only - Serial Number: NP0000
Copyright(c) Founder Corporation.2005

Modifying the firmware

Modifying the firmware is as easy as deleting a block/block data, inserting the new data, adjusting the Size attribute of the block and the CIFF block and computing the NULL checksum of the CIFF block (so without the NULL block). You don't have to fill the entire firmware with all the blocks, if you for example just want to replace Hdeviceinfo.xml with another one, you only have to make a CIFF, CINF, DATA and NULL block (so you do not have to include all the others).

Uploading a firmware

You can either compile the program located in utils/MTP/ in SVN or you can get the hacked version of the official firmware updater.

Firmware Boot

The built-in boot loading(EXT0?), which loads a limited sized secondary boot loader from a fixed location in flash memory, to a fixed address.
The secondary boot loader (named FBOOT in the firmware) which decrypts and loads the Rescue Mode software (FRESC) also from flash memory.
The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/TL) from a file named Jukebox2.jrm on the HDD. If the validation checks fail or switch is hold to ON/OFF, it'll load a Rescue Mode menu, which allows you to "reload" the firmware amongst other things.

Firmware Format

Description

The firmware is Little Endian.

A firmware always starts with the string FFIC (=CIFF). Followed by the total size of the file minus the last (NULL) block and possible some padding bytes.

After this header comes a block structure, always started with a 4-byte string header (e.g. FNIC, ATAD, LLUN, CNEC, 0TXE or LT©). Then comes (again) the size of this block.

Then you have, based on the type of block: a) a data block with size of Size b) a 32-byte Unicode name(=filename) and the data block of (Size-32).

Overview table

Block Type	Block Size	Description	Extra
FNIC	96 bytes	player name (e.g. Creative Zen Vision:M)	Unicode formatted
ATAD	depends on Size attribute		if name starts with F->Flash, H->HDD
LLUN	20 bytes	contains HMAC-SHA1 checksum of CIFF block
CNEC/LT©	depends on Size attribute	encrypted player data(gets written to jukebox2.jrm on HDD)	has no Description attribute
0TXE	depends on Size attribute	gets written to internal device (either mcu0 or ide0)	name attribute is 24 bytes long

Normal files to be found in an official firmware

Block Type	Name	Information
FINC	n.a.	player string
ATAD	FBOOT	flash boot loader
ATAD	FRESC	flash rescue mode (key is 'Copyright (C) CTL. - zN0MAD iz v~p0wderful!')
LT©	n.a.	hdd firmware file
ATAD	Hjukebox.grs	graphics and other UI data
ATAD	Hjukebox2.jrs	multilingual strings
ATAD	HCreative_T.TTF	Unicode font
ATAD	HCreative_S.TTF	Unicode font
ATAD	Hsplash.jbm	hdd boot loader graphics
ATAD	Hdevicon.ico	icon used in MTP mode
ATAD	Hdevlogo.png	picture of 'CreAtive'
ATAD	Hdeviceinfo.xml	MTP description
ATAD	Hjukebox.opt	player settings (only found in EU firmware -> EU cap is present in it)
0TXE	Pmcu0 (??)	??
LLUN	n.a.	firmware checksum

CINF block

The CINF block is the identifier of the firmware i.e. it says if the firmware belongs to a Creative ZVM 30/60GB, Creative ZEN, etc.. The 30GB ZVM contains the Unicode string 'Creative Zen Vision:M'. The 60GB contains 'Creative Zen Vision:M Go!' (also Unicode).

NULL block

The NULL block in the current Creative ZVM's is a HMAC-SHA1 computed checksum of the CIFF block using the key 'CTL:N0MAD|PDE0.DPMP.'

©TL block

The ©TL block gets written to the ZVM's HDD as jukebox2.jrm It is encrypted using Blowfish in CBC mode with key '1sN0TM3D az u~may th1nk*Creative Zen Vision:M' and after that you have to decompress/decode it using the CENC algorithm (described on DellDJPort).

FRESCUE Structure

The FRESCUE file starts off with a header consisting of two 32-bits words, a tag and a size, followed by the data:

  struct R_HEADER {
    DWORD Tag;
    DWORD Length;
    BYTE Data[Length];
  };

The Tag is always CODE. The Data starts off with one 32-bit word whose purpose is unknown at this point. Following is an array of section objects, which specifies where in memory to read the contained section data:

  struct R_SECTION {
    DWORD Address;
    DWORD Length;
    DWORD Unknown;
    BYTE Data[Length];
  };

The Address specifies the physical address which the data will be written to. This array continues till the end of the file.
I've attached zenldr.rar, an IDA loader plugin which handles the FRESCUE format. The pre-compiled file zenldr.ldw is compiled for IDA 5.0.

Once mapped into memory, address 0x200 will contain an array of 32 8-byte ISR entries. The ISR entry format is as follows:

  struct TMS320C55x_ISR {
    BYTE  Flags;
    DWORD ISR : 24;
    BYTE  Filler[4];
  };

The Flags controls the operating behaviour when performing an interrupt. The ISR is a 24-bit address of the ISR handler.
The first ISR entry is the RESET vector, which points to a function named _c_int00, in the TI RTOS/BIOS source code.

Other Creative players' firmware information

Since these information about the firmware applies to (almost?) the whole Creative Zen line, you'll find here some info for other players (like NULL block key, CINF header, ©TL block key, ...)

Remark: Because the TWiki markup sees '|' as a table marker, all '|' are replaced by '$'

Player	CINF	NULL key	©TL
Creative Zen Vision:M	Creative Zen Vision:M	CTL:N0MAD$PDE0.DPMP.	1sN0TM3D az u~may th1nk*Creative Zen Vision:M
Creative Zen Vision:M 60GB	Creative Zen Vision:M Go!	CTL:N0MAD$PDE0.DPMP.
Creative ZEN	Creative ZEN	CTL:Z3N07$PDE0.DPMP.
Creative Zen Vision	Creative Zen Vision ©TL	CTL:N0MAD$PDE0.DPMP.	1sN0TM3D az u~may th1nk*Creative Zen Vision
Creative Zen Vision W	Creative Zen Vision W	CTL:N0MAD$PDE0.DPMP.	1sN0TM3D az u~may th1nk*Creative ZEN Vision W
Creative Zen Micro		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*Creative Zen Micro
Creative Zen MicroPhoto^?		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*Creative Zen MicroPhoto^?
Creative Zen Sleek		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*Creative Zen Sleek
Creative Zen Sleek Photo		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*Creative Zen Sleek Photo
Creative Zen Touch		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*Creative Zen Touch
Creative Zen Jukebox Xtra		CTL:N0MAD$PDE0.SIGN.	1sN0TM3D az u~may th1nk*NOMAD Jukebox Zen Xtra

Miscellaneous Links

Transcript of initial IRC meeting
TMS320DSC24 Manual (pdf) Same DSP, similar Arm core as what is in the ZVM
Dock Pinout
Video Adapter Pinout
Free C54x compiler from TI
ARM/DSP bridge
ZVMFirmwareLoader - Conversation where the hard drive was removed and the ZVM was booted up. Looks like the majority of the firmware comes off of the hardrive and the recovery console is booted from the flash memory.
TexasInstrumentsTMS320

Attachment	Action	Size	Date	Who	Comment
idc_utils.zip	manage	9.8 K	20 Dec 2007 - 02:59	WessamBaghdadi	idc utils

r2 - 20 Dec 2007 - 03:38:35 - WessamBaghdadi

Edit \| View raw \| Attach \| Ref-By \| History: r2 < r1 \| More \| Refresh cache
	Copyright © 1999-2008 by the contributing authors.