Rockbox the Creative Zen Vision:M

About

Watch the ZVM Port Thread and FS#8686

Port Status

• The LCD driver works
• The button driver works, but there hasn't been a polling-method implemented; currently it is only interrupt based
• The ATA driver works
• The I²C(Inter-Integrated Circuit) driver works
• The SPI(Serial Port Interface) driver should work, but is untested
• The UART(Universal Asynchronous Receiver/Transmitter) driver should work, but is untested
• The USB driver works partly(EP0SETUP is received!), but there's something wrong with the interrupts
• System rebooting works (3/4 of the times)

Install method

To people who want to replicate my case this is what you got to do:

• you've got to mount your ZVM's HDD to your computer (using an 1,8"->3,5" adapter or other method) and format the second partition (starting at byte 0x3200200) as a FAT file system -> to do so (on Linux):

losetup -o 52429312 /dev/loop0 /dev/XXX
mkfs.vfat -F 32 /dev/loop0
mount -t vfat /dev/loop0 /mnt/XXX

• set up a Rockbox build environment and check out latest SVN (HINT: use the VMWare image)
• mount the FAT partition you've created in step 1 (see last line) and copy all files from ./rockbox/* to /mnt/XXX/.rockbox/ (except for rockbox.zvm)
• use either utils/MTP/sendfirm or an other MTP utility (CreativeWizard) to upload the firmware (rockbox.zvm)

Information about the ZVM 30GB

Pictures/scans

• Scans of the Player
• More Pictures
• And some more
• Picture of the back
• And more pictures
• Link to disassembly of the dongle

Internal components

How internals are connected

• I²C
  • PIC (at 0x07)
  • TLV320 (at 0x1A? unverified)
  • TEA5761UK (at 0x24? unverified)
  • RTC (at 0x51)
• EMIF
  • HDD (at 0x50FEE000)
  • Unknown (at 0x50FFC000)
  • ISP1583 (at 0x60FFC000)
  • SDRAM Controller
    • 64MB Infineon RAM (at 0x00900000)
  • FLASH Memory Interface
    • 4MB Spansion flash memory (at 0x00100000)
• SPI
  • LCD (slave select pin is BITSET2/CLR2 |= (1 << 5) )
• UART
  • LCD doesn't seem to work if UART isn't enabled
• GIO
  • GIO0 is used as an interrupt triggered by the PIC
  • GIO2 is used as an interrupt triggered by the HDD
  • GIO7 is used as an interrupt triggered by the ISP1583
  • GIO26, GIO34 is used as the Video Encoder clock
  • GIO29, GIO32, GIO36, GIO35, GIO37, GIO40 are related to the LCD
  • GIO3, GIO5, GIO14 are related to the ATA controller/HDD

• Control
  • I²C <= DM320
• Audio
  • unknown <= TEA5761UK
  • DSP/I²S mode <= C54xx DSP

• buttons
• buttons backlight (unverified)
• (piezo) clicker (unverified)
• touchpad
• headphones detection
• dock connector
  • USB connector
  • power connector
  • TV out connector (unverified)
• hold switch LED (unverified)
• LCD backlight (unverified)
• probably other stuff too...

Original Firmware

Firmware Info

The firmware used by Creative is Nucleus RTOS.
They use Nucleus PLUS and the ARM925 TI v. 1.14 toolchain to compile it according to strings found in FBOOT.
This is based on MicroWindows (Nano-X), as several assert messages are found pointing to (open source) source code. (even NeurosTechnology uses Nano-X)
Also libpng is incorporated (and zlib of course).

Other strings of companies working on the firmware:

• Copyright MGC 2004 - Nucleus PLUS - ARM925 TI v. 1.14
• Accelerated Technology Internal Use Only - Serial Number: NP0000
• Copyright(c) Founder Corporation.2005

Modifying the firmware

Another way is using CreativeWizard (Windows only and requires .NET 2.0).

Uploading a firmware

Firmware Boot

1. The built-in boot loader loads a limited sized secondary boot loader from a fixed location in flash memory to a fixed address.
2. The secondary boot loader (named FBOOT in the firmware) decrypts and loads the Rescue Mode software (FRESC), also from flash memory.
3. The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/TL) from a file named jukebox2.jrm on the HDD.
   If the validation checks fails or switch is hold to ON/OFF, it'll load a Rescue Mode menu, which allows you to "reload" the firmware amongst other things.
   1. Try opening jukebox2.jrm(load it into RAM, disable MMU and I/Dcache and jump to 0x1EE0000), if it fails show error and go to Rescue Mode
   2. Check the internal database if file type was ©TL
      if(true): decrypt and decode and execute data
      else: show error and go to Rescue Mode
   3. Check the internal database if file type was CENC
      if(true): decode and execute data
      else: show error and go to Rescue Mode
   4. If file type is different: execute data

The 'actual firmware loading' goes as follows:

1. location 0x0 contains a jump to the reset vector
2. the reset vector initializes the coprocessor and maps several memory addresses (including the USER DATA MAPPINGS; all of this isn't part of the Nucleus core)
   The mapping consist of these steps:
   1. there are 2 main variables in RAM (called mappings1 and mappings2 here);
      0x900000 is stored in mappings1 and (0x904000 | 0x13) in mappings2
   2. more info to come...
   3. USER_DATA (starts at 0x1C00004) is parsed as this:
      1. first 4 bytes are read into buffer (=length of data)
         if (buffer==NULL) return;
      2. next 4 bytes are read into second buffer (=address of data)
      3. if !(buffer2 & 3) { [copy data from (end of buffer2) to *(buffer2) for (buffer) bytes]; }
         else { buffer2-= 4; [copy data in pairs of 4 bytes from (end of buffer2) to *(buffer2) for (buffer) bytes]; }
      4. go back to step 1
3. finally INC_INITIALIZE(first_available_memory); is called with first_available_memory pointing to the start of USER DATA MAPPINGS (=0x01C00000)
4. INC_Initialize_State is set to INC_START_INITIALIZE and INC_INITIALIZE() initializes all basic Nucleus kernel entities
5. Application_Initialize(first_available_memory); is called (this isn't part of the Nucleus core)
6. INC_Initialize_State is set to INC_END_INITIALIZE and TCT_Schedule(); is called (starting the main Nucleus threading loop)

0x1EE0000

This is the FRESCUE structure parsing code, located at 0x228 in FBOOT in ZVM firmware.
It disables all caches and MMU and cleans it. Then it parses the loaded data (given by arguments R0->memory pointer and R1->size) and loads it into the corresponding memory addresses.
Several checksum checks are done (described at jukebox2.jrm) and if one fails, code jumps to an infinite loop.
After all loading is done, code jumps to 0x0.

Below is a C code example for loading a firmware image.

#define OF_firmware_load(mem_addr, size) asm volatile ( \
                                         "mov r1, %1\n" \
                                         "mov r0, %0\n" \
                                         "ldr pc, =0x1EE0000\n" \
                                         : \
                                         : "r"(mem_addr), "r"(size)\
                                         );
OF_firmware_load(ptr_to_loaded_image, size_of_loaded_image);

Upload Code To The Player

The code you want to upload should be raw binary, so no ELF format. Scramble is included in Rockbox SVN. If you run it like this:

scramble -creative=zvm inputfile outputfile

LCD info

The LCD is controlled via the serial interface of the TMS320 (a driver in Rockbox is present) and the built-in OSD facilities (serial is only LCD on/off).

Some uncategorized data:

raw dump of spi_send_block: http://pastecode.com/?show=f627241eb
analyzed version:

function spi_send_block(char arg_0, char arg_1) {
    IO_GIO_BITSET2 &= (1 << 0x5);
    spi_send_byte(0x74);
    spi_send_byte(0);
    spi_send_byte(arg_0 & 0xFF);
    spi_send_byte(0x25);
    IO_GIO_BITCLR2 &= (1 << 0x5);
    IO_GIO_BITSET2 &= (1 << 0x5);
    spi_send_byte(0x76);
    spi_send_byte( (arg_1 >> 8) & 0xFF);
    spi_send_byte(arg_1 & 0xFF);
    spi_send_byte(0x25);
    IO_GIO_BITCLR2 &= (1 << 0x5);
}

LCD init function: http://mcuelenaere.pastebin.com/f23b3226a

HDD partitioning info

struct partition_struct
{
    unsigned int end;
    unsigned int start;
    char name[8];
};

struct hdd_struct
{
    char MBLK[4];
    int block_size;
    long long total_disk_size;
    struct partition_struct minifs;
    struct partition_struct cfs;
};

struct __attribute__ ((aligned (32))) minifs_file
{
    char name[16];
    unsigned int unknown;
    unsigned int size;
    unsigned int index;
    unsigned int index2; /* The same as above */
};

Some interesting links:

• nomadness 1
• nomadness 2
• nomadness 3

• link 1
• link 2
• link 3

Notes:

• The disk available in the Removable Drive option in the OF is stored as a file named VFSYS in the cfs partition. Currently it isn't possible to access it as the cfs nor the minifs file system has been figured out.
• The minifs file system is supposedly based on BFS (not BeFS) which was called minifs in earlier days (now it is in the VSTa OS)
• There is a disk dump available (see RAR comments for more info).

Firmware Format

Description

A firmware always starts with the ASCII string FFIC (=CIFF). Followed by the total size of the file minus the last (NULL) block and possible some padding bytes.
After this header comes a block structure, always started with a 4-byte string header (e.g. FNIC, ATAD, LLUN, CNEC, 0TXE or LT©). Then comes (again) the size of this block.
Then you have, based on the type of block: a) a data block with size of Size b) a 32-byte Unicode name(=filename) and the data block of (Size-32).

Overview table

Normal files to be found in an official firmware

CINF block

NULL block

©TL block

EXT0 block

char header[4];
char padding[2];
unsigned char length_a;
unsigned char length_b;

total_size = (length_b + (length_a << 8) + 0xA) & 0xFFFF;

jukebox.opt file

jukebox2.jrm file

typedef struct {
UINT Address;
UINT Length;
UINT Checksum;
UCHAR Data[Length];
} BLOCK;

The checksum is calculated as follows:

FSeek(0xC);
local int i = 0x239C;
local uint j = 0;
local uint temp = 0;
while(i>0){
   if(i<4) break;
   temp = ReadUInt(FTell()); //FTell() tells us the current stream position and ReadUInt() reads 4 bytes
   j += temp + (temp>>16);
   FSkip(4); //FSkip() skips x bytes in the stream (ReadUInt() doesn't move the pointer)
   i -= 4;
   if(i<4) break;
   temp = ReadUInt(FTell());
   j += temp + (temp>>16);
   FSkip(4);
   i -= 4;
   if(i<4) break;
   temp = ReadUInt(FTell());
   j += temp + (temp>>16);
   FSkip(4);
   i -= 4;
   if(i<4) break;
   temp = ReadUInt(FTell());
   j += temp + (temp>>16);
   FSkip(4);
   i-= 4;
}
j = j << 16;
Printf("%x", j);

At the end of the file you have another block (NULL) - the header is also 4 bytes long - followed by the size in WORD format (which is always 20 bytes) and then (presumed) a SHA-1-HMAC hash of the CODE block; although the key hasn't been found yet; but the device seems to ignore this block if it isn't present.

Flash files

• BOOT: contains Nucleus kernel + custom software; loads RESC; can be identified by the 'CreAtive' splash screen; contains encrypted data starting at 0xB000: RSA encrypted with 128-byte public key located at 0x410; view fboot_decrypt.cpp code for more info
• RESC: structure is the same as jukebox2.jrm; contains Nucleus kernel + custom software; loads jukebox2.jrm; can be identified by the 'ZEN' splash screen
• TSIG
• CONF
• TOC0 (not sure)
• PFM1 (not sure)

Other Creative players' firmware information

CreativeWizard

CreativeWizard is a .NET 2.0 application intended for analyzing and modifying Creative Zen firmwares. You can download it at epiZENter.
For creating a firmware, following steps are required:

1. 'Make firmware'
2. 'Select your player'
3. choose your player from the list and press OK
4. 'Add block'
5. select the newly added block
6. change type to 'DATA'
7. check 'Use file instead of data'
8. type 'Hjukebox2.jrm' in 'Filename' textarea
9. choose the file
10. press 'Create Firmware'
11. press 'Yes'
12. press 'OK'
13. in main window: press 'Upload Firmware'
14. choose your firmware and upload it to your player

External Links

• Transcript of initial IRC meeting
• TMS320DSC24 Manual (pdf) - Same DSP, similar ARM core as what is in the ZVM
• Dock Pinout
• Video Adapter Pinout
• Free C54x compiler from TI
• TMS320 ARM/DSP bridge
• reference to some Nucleus OS API's
• more TI related datasheets
• NeurosTechnology DM320 DevBoard specifications
• getting into Rescue Mode for various Creative devices
• information about the filesystems used in the firmware (cfs, minifs)

Wiki Links

• CreativeZenTouch
• DellDJPort
• TexasInstrumentsTMS320
• OlympusMR500Info - Link to an other TMS320DM320 based target
• ZVMFirmwareLoader - Conversation where the hard drive was removed and the ZVM was booted up. Looks like the majority of the firmware comes off of the hardrive and the recovery console is booted from the flash memory.

Attachment	Action	Size	Date	Who	Comment
ZVM-Blocks.bt	manage	1.4 K	21 Nov 2007 - 17:28	MaurusCuelenaere	010 Editor block structure template
ZVM-JBM2.bt	manage	0.4 K	21 Nov 2007 - 17:29	MaurusCuelenaere	010 Editor Splash.jbm structure template
ZVM-Jukebox-grs.bt	manage	1.3 K	21 Nov 2007 - 17:30	MaurusCuelenaere	010 Editor Jukebox.grs structure template
ZVM-Jukebox2-jrs.bt	manage	1.3 K	21 Nov 2007 - 17:31	MaurusCuelenaere	010 Editor Jukebox2.jrs structure template
ZVM-EXT0.bt	manage	0.9 K	21 Nov 2007 - 17:32	MaurusCuelenaere	010 Editor EXT0 block structure template
zenutils.zip	manage	649.4 K	02 Dec 2007 - 18:20	RasmusRy	Utilities for working with zen firmwares
fboot_decrypt.cpp	manage	3.4 K	17 Feb 2008 - 11:10	MaurusCuelenaere	FBOOT decryption code
ZVM-Firm.bt	manage	1.1 K	17 Feb 2008 - 12:06	MaurusCuelenaere	010 Editor Jukebox2.jrm structure template
DiskDump.rar	manage	87.8 K	20 Apr 2008 - 11:25	MaurusCuelenaere	A diskdump of a freshly formatted Creative ZVM (see RAR comments for more info)
Pmcu0.asm	manage	205.9 K	23 Apr 2008 - 12:38	MaurusCuelenaere	asm dump of the PIC's firmware