---+!! iriver H10 Port: Development Information %TOC% ---+About This Page This page has been created as a place for development information for the iriver H10 port to be placed. This is to keep the iriver h10 port page cleaner. ---+ Development Information ---++ Firmware information The firmware on the H10 shares a common format with most other PortalPlayer based players (the iPod being the notable exception). The firmware comes in two parts: * Bootloader (BL_H10.rom for 5/6GB / BL_H10_20GC.hex for 20GB) * Actual firmware (H10.mi4 for 5/6GB / H10_20GC.mi4 for 20GB) !MrH has developed a useful tool for working with the H10 firmware called [[http://daniel.haxx.se/sansa/mi4.html][mi4code]]. ---+++ Bootloader The bootloader appears to be stored in flash. It is loaded first when the system is turned on. Its function is to initalise the device (turn on the LCD, allow button detection, etc) and then to load the main firmware from the hard disk. The bootloader is also responsible for the UMS mode. With the H10 connected to a computer, holding 'O' as the device is started causes the bootloader to not load the main firmware, but instead to make the H10 appear as a Universal Mass Storage device to the computer. This way, it is possible to access the .mi4 file in the 'System' directory. ---++++ Disassembly The .rom version of the bootloader is not encrypted and can be disassembled straight away: <verbatim> $ arm-elf-objdump -D --target binary -marm BL_H10.rom </verbatim> The .hex version is encrypted and so must first be decrypted using mi4code: <verbatim> $ mi4code hexdecode BL_20GC.hex BL_20GC.hex.bin 20gc_eng </verbatim> where 20gc_eng corresponds to the decryption key for the US firmware. It can then be disassembled as with the .rom version: <verbatim> $ arm-elf-objdump -D --target binary -marm BL_H10_20GC.hex.bin </verbatim> ---++++ Reverse Engineering There is a header in the hex file. Actual code execution starts at 0x40. The first thing the bootloader does is BIC 0x1a00 in to 0x70000020 which (according to ipodlinux) is the I2S init address. Next, it enables bit 5 of GPIOF for output and writes 1 to it: * Write 0x20 to 0x6000d084 (GPIOF_ENABLE) * Write 0x20 to 0x6000d094 (GPIOF_OUTPUT_EN) * Write 0x20 to 0x6000d0a4 (GPIOF_OUTPUT_VAL) It then puts the COP to sleep, and then switches into Thumb mode to run some thumb code. ---++++ Upgrading As the bootloader loads the mi4 file from disk, it is *not* necessary to use a modified bootloader to get Rockbox working on the H10. The procedure below is just for information purposes. The bootloader upgrade procedure is probably as follows: * Connect the device in UMS mode * Put the BL_ file in the root of the player. (The official firmware updater also puts two files in the System directory called "H10_20GC_image.mi4" and "H10_20GC.mi4". The _image file is the new firmware to be used, and the other file is an older firmware version. It may be necessary to do this too) * Unmount the disk and unplug the USB cable. * The device then restarts and apparently copies the BL_ file to flash, then restarts again and moves the _image file to "H10_20GC.mi4". ---+++ Firmware ---++++ Disassembly The .mi4 file is encrypted and so must first be decrypted using mi4code: <verbatim> $ mi4code decrypt H10_20GC.mi4 H10_20GC.mi4.bin </verbatim> where 20gc_eng corresponds to the decryption key for the US firmware. It can then be disassembled as with the bootloader: <verbatim> $ arm-elf-objdump -D --target binary -marm H10_20GC.mi4.bin </verbatim> ---++++ Reverse Engineering There is a header which is documented on the [[http://daniel.haxx.se/sansa/mi4.html][mi4code website]]. Actual code execution starts at 0x200. ---++++ Running Custom Code It is possible to run custom code on the H10 simply by creating a mi4 file and copying it to the player. The process of making the mi4 file is: * Compile the code (eg. compile the Rockbox bootloader using the patch above) * Use mi4code's 'build' command to make the mi4: <verbatim> $ mi4code build -3 bootloader/bootloader.bin bootloader.mi4 </verbatim> * Encrypt the new mi4 file for your model: <verbatim> $ mi4code encrypt bootloader.mi4 H10_20GC_unsigned.mi4 20gc_eng </verbatim> * Digitally sign the mi4 file: <verbatim> $ mi4code sign H10_20GC_unsigned.mi4 H10_20GC.mi4 </verbatim> * Follow normal firmware upgrading procedures ---++++ Firmware Upgrade Using a modified mi4 firmware on the H10 is very straightforward. It is also very easy to recover from a bad firmware image. The upgrade procedure is as follows: * Connect the device in UMS mode * Put the mi4 file in the 'System' directory of the player. Make sure it is named properly for your model. It's a good idea to keep a backup of the mi4 file that is there already. * Unmount the disk and unplug the USB cable. * The device then restarts and runs the new firmware To recover from a bad firmware: * Connect the device in UMS mode * Put the backed up original mi4 file in the 'System' directory of the player. Make sure it is named properly for your model. * Unmount the disk and unplug the USB cable. * The device then restarts and runs the original firmware ---++ Build a Rockbox Bootloader There is Rockbox bootloader in SVN. The procedure for building and using the bootloader on a H10 is: * Get rockbox-devel from SVN * Follow the HowToCompile guide to compiling Rockbox (step 6 isn't required for the bootloader only for a normal Rockbox build). Select the appropriate H10 model and bootloader when running =../tools/configure=. (Note: Those with the H10 MTP version must run =../tools/scramble -mi4v3 bootloader/bootloader.bin H10.mi4= in order to get a proper bootloader) * There will now be an appropriate mi4 file in the current directory. Using this file, follow normal Firmware Upgrade procedures (just the mi4 file, it is *not* necessary to update the iriver bootloader - BL_*.rom or BL_*.hex) * The bootloader will start up and look for the Rockbox firmware (rockbox.mi4) in the .rockbox directory on your player. This firmware can be compiled from SVN by selecting normal instead of bootloader when running ../tools/configure. You can then unzip in the root directory of your player the rockbox.zip file that =make zip= creates. ---+ Usefull links Some usefull links: * [[http://www.misticriver.net/wiki/index.php/H10_Firmware_Conversion:_MTP/UMS][Converting from MTP to UMS (misticriver.net)]]
ore topic actions
r4 - 20 Aug 2007 - 11:11:54 -
Copyright © by the contributing authors.