XclefMT500 < Main

Downloads

release

dev builds

extras

themes

Documentation

manual

wiki

device status

Support

forums

mailing lists

IRC

Development

bugs

patches

dev guide

Wiki > Main > DocsIndex > XclefMT500

---+!! Xclef MT-500 Hardware Information

%ATTACHURL%/MT500.jpg

%TOC%

---++ Hardware Specifications

%ATTACHURL%/inside_128_desc.jpg

*Xclef MT-500 (128 MB version) mainboard*

%ATTACHURL%/inside_256_desc.jpg

*Xclef MT-500 (256 MB version) mainboard*

   1 Telechips TCC730Y - device controller (CPU), which seems to be a rebadged [[http://ferenczy.dump.cz/mt-500/data/s3cc410.pdf][Samsung S3CC410]]
   2 [[http://www.sst.com/products.xhtml/parallel_flash/39/x16/SST39VF800A][SST 39VF800A 70-4C-EK]] - 1 MB (512k x16) flash memory for the firmware
   3 a) [[http://www.samsung.com/Products/Semiconductor/Flash/NAND/1Gbit/K9F1G08U0M/K9F1G08U0M.htm][Samsung K9F1G08U0M-YCB0]] - 128 MB flash memory that represents the internal data memory. Alternate [[http://www.datasheetarchive.com/datasheet/pdf/94/948735.html][Datasheet]]
   <br />b) [[http://www.samsung.com/Products/Semiconductor/Flash/NAND/2Gbit/K9K2G08U0M/K9K2G08U0M.htm][Samsung K9K2G08U0M-YCB0]] - 256 MB flash memory that represents the internal data memory. Alternate [[http://www.datasheetarchive.com/datasheet/pdf/44/442589.html][Datasheet]]
   4 Display - We need more information on this, can it be replaced with another LCD of similar size?
   5 Microphone
   6 USB connector
   7 Mode/volume jog
   8 Playback control jog

There exists a 64 MB version of this model, which flash chip it use is unknown at present.

*Xclef MT-500 mainboard (bottom view)*

%ATTACHURL%/mainboard_bottom_small.jpg

*Xclef MT-500 second board (top view)*

%ATTACHURL%/secondboard_top_small.jpg

*Xclef MT-500 second board (bottom view)*

%ATTACHURL%/secondboard_bottom_small.jpg

---++ Reverse Engineering

Luckily the Archos Gmini has similar hardware to the MT-500. The [[http://www.donat.org/archos/][Gmemu]] team have already created a working emulator for the Gmini. The best way forward is to use their work as a starting point.

---+++ Steps towards an open firmware replacement

   1 Disassemble the MT-500 firmware to find out the memory mapped registers that the hardware has built into it. [%GREEN% *in progress* %ENDCOLOR% by DawidFerenczy ]
   2 Reverse engineer the Xclef flash tool, this will give some insight into how to flash the player and whether it's posible to control the hardware over the USB cable. [ %RED%awaiting%ENDCOLOR% ]
      * This tool is only available for Win32, so having a command line tool that works for Linux would be a good start.
      * It looks like this tool was written in Delphi, I'm not sure about the DLL's that also need to be reversed engineered as well.
      * In the pre-UMS versions there was a different flash tool to the one used now (the UMS enabled version). Does this mean that flashing is also dependent on the current firmware version?
      * When flashing the Xclef it might be possible to place a USB packet sniffer inbetween the Xclef and the Win32 host.
   3 Extend the Gmini emulator to handle the MT-500 hardware, so we don't break our hardware. [ %RED%awaiting%ENDCOLOR% ]
   4 Ability to load an existing firmware into the emulator and use emulated flash memory filesystems for the internal and external memories for playing MP3's from. Once this has been achieved it will be possible to start implementing the replacement firmware. [ %RED%awaiting%ENDCOLOR% ]

---+++ What you will need

   1 Download the [[http://sourceforge.net/projects/gemoss/][Gmemu tools]]. It is important to get the tools from the CVS repository, you will need:
      * binutils-2.15
      * gcc
      * gemoss
   2 The MT-500 firmware, available from:
      * [[https://www.advancedmp3players.co.uk/shop/login.php][AdvancedMP3Players]] (Requires a login) for the 2.0.08 UMS version
      * [[http://www.xclef.com/downroom_e.htm][Xclef]] for the 2.0.13J version
      * [[http://www.xclef.com/downroom.htm][Xclef]] for the 2.0.17 version. This seems to be the latest version, and the strings are in English too.

---++++ The Gmini tools

When you have the source follow you need to build the tools:

   * =cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gemoss co -P gemoss=
   * =cd gemoss=
   * =automake -a=
   * =./configure --prefix=<install-dir> GMINIMODEL=mt-500 LOADADDRESS=10000=
   * =make=
   * =make install=

The =GMINIMODEL= and =LOADADDRESS= are completely irrelevant at the moment.

---+++++ wxWidgets Gmemu GUI

As well as trying to understand the logs from runnint the Xclef MT-500's 2.0.17 firmware on the Gmemu program, I'm developing a new GUI with wxWidgets, I'll be placing screenshots and source [[http://www.archangel-interactive.com/wx.html][here]].


---++++ The GNU tools
 
Before you can disassemble the firmware you need the GNU tools built, this can be found in the CrossCompiler#CalmRISC16 section.

---++++ Disassembling the Xclef firmware

Now you have the tools, you need to create a firmware file that the disasm tool will accept, you need to make sure that you are in the =gemoss/reverse/= directory so that the disasm tool picks up the files it needs to handle register symbols in the disassembly.

   * =cd reverse=
   * =calmrisc16-unknown-elf-objcopy -I ihex -O elf32-calmrisc16 path-to-firmware-version.hex path-to-firmware-version.elf=
   * =calmrisc16-unknown-elf-objcopy -I elf32-calmrisc16 -O binary path-to-firmware-version.elf path-to-firmware-version.bin=
   * =pack path-to-firmware-version.bin path-to-firmware-version.aaz 2000 MUNKEE MASTER=
   * =disasm path-to-firmware-version.aaz=

The value of 2000 is the lowest address in the firmware and thus, is where the code starts. The =MUNKEE= and =MASTER= values are just dummy parameters which are irrelevant for now.

Replace the text =path-to-firmware-version= with whatever the path to the firmware is and the filename of the firmware files are.

---++++ CalmRISC16

The CalmRISC16 is a 16-bit low power RISC microcontroller. The CalmRISC's basic architecture follows Harvard style, that is, it has separate program memory and data memory (both up to 4 MB). Both instruction and data can be fetched simultaneously without causing a stall, using separate paths for memory access. It can operate up to 100 MHz alone or up to 80 MHz, when operating with a MAC24 coprocessor. The instruction set provides no instruction for writing to the program memory.

There exists the CalmRISC16 development environment from the [[http://www.aijisystem.com/][AIJI System]] called [[http://www.aijisystem.com/e/product/CalmSHINE16_download.htm][CalmSHINE16]].

   * [[http://www.donat.org/archos/documents/mmio.html][Memory mapped I/O]]
   * [[http://www.donat.org/archos/documents/opcodes.html][OP decoding]]

---++++ USB packet sniffing

There are a number of packet sniffers out there, but you need one that can attach to a USB hub or one that doesn't need to restart the device like the [[http://sourceforge.net/projects/usbsnoop/][SnoopyPro]] does.

The Xclef needs to be put into __upgrade__ mode in the menu and then the cable is attached, at this point the USB Mass Storage device disappears and something else appears in it's place. Using a USB packet sniffer it may be possible to work out what kind of device this now represents and create a Linux device driver (the USB generic serial driver shows nothing).

---++ Expected features of the open firmware

The replacement firmware must retain as much as possible from the existing firmware feature set, but extending them to the following:

   * OGG support
   * Playlist support

It's most probably not possible to implement SoundCodecWMA and we can probably do without it.

---++ The USB cable pinout

%ATTACHURL%/usb-pinout.gif

In the usb-pinout image (which I got from [[http://www.abccables.com/000-usb-am-m4p.html][here]]) of the standard USB to hirose type connector, the pins are mapped, thus:

| *USB A MALE* | *MINI USB 4P MALE* |
| 1 | 1 |
| 2 | 2 |
| 3 | 3 |
| 4 | 4 |
| Shield | Shield |

In the Xclef's cable this is slightly different:

| *USB A MALE* | *MINI USB 4P MALE* |
| 1 | 4 |
| 2 | 3 |
| 3 | 2 |
| 4 | 1 |
| Shield | Shield |

---++ What can you do to help

We need more pictures of the internals of this device:

   * The other side of the mainboard
   * Disassembly instructions
   * I have a feeling that there are two PCB's in this thing, but I could be wrong, I can't get into mine at the moment
   * Images of the 64 MB version
   * Determine whether any other MP3 player's remote controls have the same connector as the one that Xclef __was__ going to release, in other words, would another remote control work with this player? The connector seems to be mechanical compatible, but other remote controls doesn't work with the player. In better case, it could be a FW problem.

We need people who have experience with reverse engineering, especially for the Win32 tools.

If you have some relevant information or you are interrested in developing opensource firmware replacement, please contact me at ferenczy [at server] volny.cz or at ICQ# 85997864. Thanks :) Main.DawidFerenczy

---++ Useful links and resources

   * [[http://ferenczy.coex.cz/mt-500][ferenczy.coex.cz/mt-500]] - my personal webpage with the fresheast information about reversing Xclef MT-500 (both - [[http://ferenczy.coex.cz/mt-500/reversing-en.php][english]] and [[http://ferenczy.coex.cz/mt-500/reversing-cz.php][czech]] language versions). I'll try to keep this wiki version up to date too.

I	Attachment	Action	Size	Date	Who	Comment
jpg	MT500.jpg	manage	14.8 K	11 Jul 2006 - 21:07	UnknownUser	Xclef MT-500
png	Screenshot-wxdmpemu-1.png	manage	49.1 K	11 Jul 2006 - 21:07	UnknownUser	wxDMPEmu - Work in progress
jpg	inside_128_desc.jpg	manage	24.9 K	11 Jul 2006 - 21:07	DawidFerenczy	Xclef MT-500 (128 MB version) mainboard
jpg	inside_128_full.jpg	manage	148.4 K	11 Jul 2006 - 21:07	DawidFerenczy	Xclef MT-500 (128 MB version) mainboard (hires)
jpg	inside_256_desc.jpg	manage	24.8 K	11 Jul 2006 - 21:07	DawidFerenczy	Xclef MT-500 (256 MB version) mainboard
jpg	inside_256_full.jpg	manage	58.7 K	11 Jul 2006 - 21:07	DawidFerenczy	Xclef MT-500 (256 MB version) mainboard (hires)
jpg	mainboard_bottom.jpg	manage	182.2 K	11 Jul 2006 - 21:07	DawidFerenczy	Xclef MT-500 (v128 MB) mainboard (bottom, hires)
jpg	mainboard_bottom_small.jpg	manage	30.6 K	11 Jul 2006 - 21:08	DawidFerenczy	Xclef MT-500 (128 MB version) mainboard (bottom)
jpg	secondboard_bottom.jpg	manage	127.2 K	11 Jul 2006 - 21:08	DawidFerenczy	Xclef MT-500's second board - bottom view (hires)
jpg	secondboard_bottom_small.jpg	manage	19.4 K	11 Jul 2006 - 21:08	DawidFerenczy	Xclef MT-500's second board - bottom view
jpg	secondboard_top.jpg	manage	134.6 K	11 Jul 2006 - 21:08	DawidFerenczy	Xclef MT-500's second board - top view (hires)
jpg	secondboard_top_small.jpg	manage	22.0 K	11 Jul 2006 - 21:08	DawidFerenczy	Xclef MT-500's second board - top view
gz	trace_io.log.gz	manage	105.1 K	11 Jul 2006 - 21:08	UnknownUser	[Xclef 2.0.17] Gmemu firmware IO trace
gif	usb-pinout.gif	manage	11.5 K	11 Jul 2006 - 21:08	UnknownUser	USB pinout

r66 - 30 Nov 2007 - 09:04:49 - LinusNielsenFeltzing

Parents: DocsIndex