SanDisk Sansa E200 Firmware Partition
Description
The SanDisk Sansa e200 series has a 20MB hidden firmware partition. It holds both the bootloader and main firmware. This partition is hidden by e200r firmwares.
The partition is 20MB and is at the end of the disk. It doesn't have a partition table; instead, files sit at specific address locations inside it. Each file has a 512B (1 sector) header, which starts with a 4-character string describing its contents, followed by a 32-bit little-endian number giving the length of the file in bytes. There is then a 32-bit number with an unknown purpose.
Structure
Addresses are relative to the start of the partition. The partition is divided up into 3 blocks. The first block is 512KB for the bootloader. The last 5MB of the partition is for the ppfn (image?) data. The remaining space in between is used for the main firmware.
| Address | Description |
|---|---|
| 0x0 | Bootloader header - PPBL followed by the bootloader length, followed by 0x10000 |
| 0x200 | Bootloader |
| 0x80000 | Main firmware header - PPMI followed by firmware length, followed by 0x20000 |
| 0x80200 | Main firmware in mi4 format |
| 0x780000 | NVPARAMS |
| 0x780200 | PPPS Non-volatile parameters - used by the OF to save data (e.g. current track, database status, etc.) through a power cycle. There appears to be a header here too |
| 0x780240 | Firmware version string, e.g. "PP5022AF-05.51-S301-02.18-S301.02.18E-D" |
| 0x7810e1 | If this is set to 1, the database is rebuilt on next reboot |
| 0x800000 | Unknown data of length 0x200 |
| 0xefe400 | PPID followed by length (0x10), followed by 0x40000 |
| 0xefe600 | ppid data. Unknown purpose. Reads DF 83 75 C6 F6 FC 1A 44 84 66 45 99 6C E1 DC 70 on Sansa e280 |
| 0xf00000 | PPFN followed by length followed by 0x30000 |
| 0xf00000 | ppfn data. Possibly images or animation used by the bootloader |
Dumping the firmware partition
Sometimes it can be useful to dump the partition to a file, for example to experiment with the database rebuild byte at offset 0x7810e1.
Procedure:
- Boot the original firmware and set USB mode to MSC.
- Connect the e200 to USB; the display should now say "Connected".
- Use sansapatcher to find out where the 20MB partition lives (in this example at sector 7813120):
$ ./sansapatcher.exe -l
sansapatcher v0.5 with v3.0 bootloaders - (C) Dave Chapman 2006-2007
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[INFO] Scanning disk devices...
[INFO] e200 found - disk device 2
[INFO] Reading partition table from \\.\PhysicalDrive2
[INFO] Sector size is 512 bytes
[INFO] Part Start Sector End Sector Size (MB) Type
[INFO] 0 580 7813119 3814.7 W95 FAT32 (0x0b)
[INFO] 1 7813120 7854079 20.0 OS/2 hidden C: drive (0x84)
[INFO] Image 1 - 60416 bytes
[INFO] Image 2 - 5798912 bytes
- Use dd to dump the entire 20MB partition (partition 1). Here /dev/sdc is the block device name of the Sansa (this even works under Cygwin). Note that the "skip" argument is set to the start sector of the partition:
$ dd if=/dev/sdc of=part1.bin skip=7813120 count=40960
40960+0 records in
40960+0 records out
20971520 bytes (21 MB) copied, 5.156 s, 4.1 MB/s
- Check the dumped partition with your favorite hex-editor. It should start with "PPBL". If it doesn't, you may have accidentally dumped some data from another device. In that case, change "/dev/sdc" to something else.
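The hex-editor check can be extended to every header and fixed offset listed in the structure table. The following is an added example, not part of the original page or of sansapatcher: the function names are hypothetical, the sample image is constructed, and it assumes each file's data directly follows its 512-byte header and that the version string is NUL-terminated within 64 bytes.

```python
import struct

SECTOR = 512
PART_SIZE = 20 * 1024 * 1024
# Header offsets and expected tags, taken from the structure table on this page.
HEADERS = {0x0: b"PPBL", 0x80000: b"PPMI", 0xefe400: b"PPID", 0xf00000: b"PPFN"}
VERSION_OFF, REBUILD_OFF = 0x780240, 0x7810e1

def parse_header(image, offset):
    """Return (tag, length, unknown) from the 512-byte header at offset."""
    if offset + SECTOR > len(image):
        raise ValueError("header at 0x%x lies outside the image" % offset)
    # 4-character tag, 32-bit LE length, 32-bit LE value of unknown purpose
    return struct.unpack_from("<4sII", image, offset)

def inspect_dump(image):
    """Validate each known header; extract version string and rebuild flag."""
    report = {"headers": {}, "problems": []}
    if len(image) != PART_SIZE:
        report["problems"].append("size is %d, expected %d" % (len(image), PART_SIZE))
    for offset, want in sorted(HEADERS.items()):
        try:
            tag, length, unknown = parse_header(image, offset)
        except ValueError as exc:
            report["problems"].append(str(exc))
            continue
        if tag != want:  # wrong device dumped, or wrong start sector
            report["problems"].append("0x%x: found %r, expected %r" % (offset, tag, want))
        elif offset + SECTOR + length > len(image):  # assumes data follows header
            report["problems"].append("%s length 0x%x runs past the image" % (want.decode(), length))
        report["headers"][offset] = (tag, length, unknown)
    raw = image[VERSION_OFF:VERSION_OFF + 64].split(b"\0", 1)[0]  # assumed field size
    report["version"] = raw.decode("ascii", "replace")
    report["rebuild_db"] = len(image) > REBUILD_OFF and image[REBUILD_OFF] == 1
    return report

def make_sample():
    """Constructed 20MB image holding headers only; not a real firmware dump."""
    img = bytearray(PART_SIZE)
    fields = [(0x0, b"PPBL", 60416, 0x10000), (0x80000, b"PPMI", 5798912, 0x20000),
              (0xefe400, b"PPID", 0x10, 0x40000), (0xf00000, b"PPFN", 0x1000, 0x30000)]
    for offset, tag, length, unknown in fields:
        struct.pack_into("<4sII", img, offset, tag, length, unknown)
    ver = b"PP5022AF-05.51-S301-02.18-S301.02.18E-D"
    img[VERSION_OFF:VERSION_OFF + len(ver)] = ver
    img[REBUILD_OFF] = 1
    return bytes(img)

if __name__ == "__main__":
    print(inspect_dump(make_sample()))
```

To check a real dump, pass it the contents of part1.bin, e.g. inspect_dump(open("part1.bin", "rb").read()); a non-empty "problems" list means the dump did not come from the firmware partition or is truncated.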