
Difference: Creative (r2 vs. r1)

Creative

Current status

Watch the ZVM Port Thread for current progress

"The short-term goal is to get a build tool chain up and running." - tools/rockboxdev.sh (and select arm)

"Once that's ready, the actual porting process can begin. Which I think entails writing a bootloader, working out (reversing/reading specs) how the various devices work and writing the code to integrate them into the rockbox source."

"The bootloading of the player software is split into 3 phases: 1) The built-in boot loading, which loads a limited sized secondary boot loader from a fixed location in flash memory, to a fixed address. 2) The secondary boot loader (named FBOOT in the firmware) which decrypts and loads the Rescue Mode software (FRESC) also from flash memory. 3) The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/TL) from a file named Jukebox2.jrm on the HDD. If the validation checks fail, it'll load a Rescue Mode menu, which allows you to "reload" the firmware amongst other things."

"I've described the file formats, hashing, compression and encryptions algorithms involved in the process."

zook from the forum thread

Information:

  • Zen Nano Plus/Non-Plus

The chipset used in this device (SigmaTel 3520) is similar to that of the iPod Shuffle, and is the same as in the iAudio I5/G2/U2, as well as the MobiBLU DAH-1500i. A free compiler for the chip does not exist. The Plus models have an FM tuner on-board, the TEA5767. Hi-Res photos of the internals found here.

Original Firmware

Firmware Info

The firmware used by Creative is Nucleus RTOS. According to strings found in FBOOT, they use Nucleus PLUS and the ARM925 TI v. 1.14 toolchain to compile it. It is based on MicroWindows (Nano-X), as several assert messages point to its (open source) source code (even NeurosTechnology uses Nano-X).

Other strings of companies working on the firmware:

  • Copyright MGC 2004 - Nucleus PLUS - ARM925 TI v. 1.14
  • Accelerated Technology Internal Use Only - Serial Number: NP0000
  • Copyright(c) Founder Corporation.2005

Modifying the firmware

Modifying the firmware is as easy as deleting a block (or its data), inserting the new data, adjusting the Size attribute of both that block and the CIFF block, and recomputing the NULL checksum over the CIFF block (that is, without the NULL block itself). The firmware does not have to contain every block: if, for example, you just want to replace Hdeviceinfo.xml with another one, you only have to make a CIFF, CINF, DATA and NULL block (so you do not have to include all the others).

Uploading a firmware

You can either compile the program located in utils/MTP/ in SVN or you can get the hacked version of the official firmware updater.

Firmware Boot

  1. The built-in boot loading (EXT0?), which loads a limited sized secondary boot loader from a fixed location in flash memory, to a fixed address.
  2. The secondary boot loader (named FBOOT in the firmware) which decrypts and loads the Rescue Mode software (FRESC) also from flash memory.
  3. The Rescue Mode software decrypts, decompresses and loads the actual player software (CENC/TL) from a file named Jukebox2.jrm on the HDD. If the validation checks fail or the switch is held to ON/OFF, it'll load a Rescue Mode menu, which allows you to "reload" the firmware amongst other things.

Firmware Format

Description

The firmware is Little Endian.

A firmware always starts with the string FFIC (=CIFF), followed by the total size of the file minus the last (NULL) block and possibly some padding bytes.

After this header comes a sequence of blocks, each starting with a 4-byte string header (e.g. FNIC, ATAD, LLUN, CNEC, 0TXE or LT©), followed (again) by the size of that block.

Then, depending on the type of block, comes either a) a data block of Size bytes, or b) a 32-byte Unicode name (= filename) followed by a data block of (Size-32) bytes.

Overview table

| Block Type | Block Size | Description | Extra |
|---|---|---|---|
| FNIC | 96 bytes | player name (e.g. Creative Zen Vision:M) | Unicode formatted |
| ATAD | depends on Size attribute | | if name starts with F->Flash, H->HDD |
| LLUN | 20 bytes | contains HMAC-SHA1 checksum of CIFF block | |
| CNEC/LT© | depends on Size attribute | encrypted player data (gets written to jukebox2.jrm on HDD) | has no Description attribute |
| 0TXE | depends on Size attribute | gets written to internal device (either mcu0 or ide0) | name attribute is 24 bytes long |

Normal files to be found in an official firmware

| Block Type | Name | Information |
|---|---|---|
| FNIC | n.a. | player string |
| ATAD | FBOOT | flash boot loader |
| ATAD | FRESC | flash rescue mode (key is 'Copyright (C) CTL. - zN0MAD iz v~p0wderful!') |
| LT© | n.a. | hdd firmware file |
| ATAD | Hjukebox.grs | graphics and other UI data |
| ATAD | Hjukebox2.jrs | multilingual strings |
| ATAD | HCreative_T.TTF | Unicode font |
| ATAD | HCreative_S.TTF | Unicode font |
| ATAD | Hsplash.jbm | hdd boot loader graphics |
| ATAD | Hdevicon.ico | icon used in MTP mode |
| ATAD | Hdevlogo.png | picture of 'CreAtive' |
| ATAD | Hdeviceinfo.xml | MTP description |
| ATAD | Hjukebox.opt | player settings (only found in EU firmware -> EU cap is present in it) |
| 0TXE | Pmcu0 (??) | ?? |
| LLUN | n.a. | firmware checksum |

CINF block

The CINF block identifies the firmware, i.e. it says whether the firmware belongs to a Creative ZVM 30/60GB, Creative ZEN, etc. The 30GB ZVM contains the Unicode string 'Creative Zen Vision:M'. The 60GB contains 'Creative Zen Vision:M Go!' (also Unicode).

NULL block

The NULL block in the current Creative ZVMs is an HMAC-SHA1 checksum computed over the CIFF block using the key 'CTL:N0MAD|PDE0.DPMP.'
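
The block layout and the NULL checksum described above, as an added Python example (not code from the Rockbox tree). It walks the blocks of a CIFF container and checks the HMAC-SHA1 in the NULL block. Assumptions not stated on the page: "Unicode" means UTF-16LE, the HMAC covers the FFIC header plus every block before LLUN, and the constructed sample sets the CIFF size field to the length of the blocks before LLUN.

```python
import hashlib
import hmac
import struct

ZVM_NULL_KEY = b"CTL:N0MAD|PDE0.DPMP."  # NULL-block key quoted on this page

def logical(tag: bytes) -> str:
    """On-disk tags are byte-reversed: b'FFIC' is the CIFF block."""
    return tag[::-1].decode("latin-1")

def parse_ciff(blob: bytes):
    """Return (blocks, signed_len); blocks holds (type, name, payload) tuples."""
    if len(blob) < 8 or logical(blob[:4]) != "CIFF":
        raise ValueError("not a CIFF container")
    blocks, off = [], 8  # skip tag + size; the size field is not trusted here
    while off + 8 <= len(blob):
        tag, size = struct.unpack_from("<4sI", blob, off)
        end = off + 8 + size
        if end > len(blob):
            raise ValueError(f"block at {off:#x} overruns the file")
        kind, name, payload = logical(tag), None, blob[off + 8:end]
        if kind == "DATA":
            if size < 32:
                raise ValueError("DATA block shorter than its name field")
            # Assumption: "Unicode" on the page means UTF-16LE.
            name = payload[:32].decode("utf-16-le", "replace").rstrip("\0")
            payload = payload[32:]
        blocks.append((kind, name, payload))
        if kind == "NULL":
            return blocks, off  # bytes before the NULL block are checksummed
        off = end
    raise ValueError("no NULL block found")

def verify(blob: bytes, key: bytes) -> bool:
    blocks, signed_len = parse_ciff(blob)
    # Assumption: the HMAC covers the FFIC header and every block before LLUN.
    calc = hmac.new(key, blob[:signed_len], hashlib.sha1).digest()
    return hmac.compare_digest(blocks[-1][2], calc)

def build_sample(key: bytes) -> bytes:
    """Constructed CINF + DATA + NULL image for testing, not a real firmware."""
    def block(tag, payload):
        return tag + struct.pack("<I", len(payload)) + payload
    cinf = "Creative Zen Vision:M".encode("utf-16-le").ljust(96, b"\0")
    name = "Hdeviceinfo.xml".encode("utf-16-le").ljust(32, b"\0")
    body = block(b"FNIC", cinf) + block(b"ATAD", name + b"<xml/>")
    signed = b"FFIC" + struct.pack("<I", len(body)) + body
    return signed + block(b"LLUN", hmac.new(key, signed, hashlib.sha1).digest())
```

Because the HMAC key is a fixed string, the NULL block detects corruption of an image but does not authenticate where the image came from.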

©TL block

The ©TL block gets written to the ZVM's HDD as jukebox2.jrm. It is encrypted using Blowfish in CBC mode with key '1sN0TM3D az u~may th1nk*Creative Zen Vision:M'; after decrypting it, you have to decompress/decode it using the CENC algorithm (described on DellDJPort).

FRESCUE Structure

The FRESCUE file starts off with a header consisting of two 32-bit words, a tag and a size, followed by the data:

  struct R_HEADER {
    DWORD Tag;
    DWORD Length;
    BYTE Data[Length];
  };

The Tag is always CODE. The Data starts off with one 32-bit word whose purpose is unknown at this point. Following is an array of section objects, each of which specifies where in memory its contained section data goes:

  struct R_SECTION {
    DWORD Address;
    DWORD Length;
    DWORD Unknown;
    BYTE Data[Length];
  };

The Address specifies the physical address which the data will be written to. This array continues till the end of the file.
I've attached zenldr.rar, an IDA loader plugin which handles the FRESCUE format. The pre-compiled file zenldr.ldw is compiled for IDA 5.0.
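
The R_HEADER / R_SECTION walk described above, as an added Python example (not the zenldr plugin's code), with the bounds checks a loader for this format needs. Assumptions not stated on the page: fields are little-endian like the rest of the firmware, the CODE tag may be stored byte-reversed like the CIFF tags, and Address counts bytes for the overlap check.

```python
import struct

def parse_frescue(blob: bytes):
    """Return (first_word, sections); sections holds (address, unknown, data)."""
    if len(blob) < 12:
        raise ValueError("too short for R_HEADER")
    tag, length = struct.unpack_from("<4sI", blob, 0)
    # Assumption: the CODE tag may be stored byte-reversed, as CIFF tags are.
    if tag not in (b"CODE", b"EDOC"):
        raise ValueError("R_HEADER.Tag is not CODE")
    if length < 4 or 8 + length > len(blob):
        raise ValueError("R_HEADER.Length does not fit the file")
    data = blob[8:8 + length]
    (first_word,) = struct.unpack_from("<I", data, 0)  # purpose unknown
    sections, off = [], 4
    while off < len(data):  # the section array runs to the end of the data
        if off + 12 > len(data):
            raise ValueError(f"truncated R_SECTION header at {off:#x}")
        address, size, unknown = struct.unpack_from("<III", data, off)
        off += 12
        if off + size > len(data):
            raise ValueError(f"section at {address:#x} overruns the file")
        sections.append((address, unknown, data[off:off + size]))
        off += size
    return first_word, sections

def overlaps(sections):
    """Neighbouring load ranges that intersect (assumes Address counts bytes)."""
    spans = sorted((a, a + len(d)) for a, _, d in sections)
    return [(p, q) for p, q in zip(spans, spans[1:]) if q[0] < p[1]]

def build_frescue(parts, first_word=0):
    """Constructed test image from (address, data) pairs, not real firmware."""
    body = struct.pack("<I", first_word)
    for address, data in parts:
        body += struct.pack("<III", address, len(data), 0) + data
    return b"EDOC" + struct.pack("<I", len(body)) + body
```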

Once mapped into memory, address 0x200 will contain an array of 32 8-byte ISR entries. The ISR entry format is as follows:

  struct TMS320C55x_ISR {
    BYTE  Flags;
    DWORD ISR : 24;
    BYTE  Filler[4];
  };

The Flags field controls the operating behaviour when performing an interrupt. The ISR field is the 24-bit address of the ISR handler.
The first ISR entry is the RESET vector, which points to a function named _c_int00, in the TI RTOS/BIOS source code.

Other Creative players' firmware information

Since this information about the firmware applies to (almost?) the whole Creative Zen line, you'll find here some info for other players (like NULL block key, CINF header, ©TL block key, ...)

Remark: Because the TWiki markup sees '|' as a table marker, all '|' are replaced by '$'

| Player | CINF | NULL key | ©TL |
|---|---|---|---|
| Creative Zen Vision:M | Creative Zen Vision:M | CTL:N0MAD$PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative Zen Vision:M |
| Creative Zen Vision:M 60GB | Creative Zen Vision:M Go! | CTL:N0MAD$PDE0.DPMP. | |
| Creative ZEN | Creative ZEN | CTL:Z3N07$PDE0.DPMP. | |
| Creative Zen Vision | Creative Zen Vision ©TL | CTL:N0MAD$PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative Zen Vision |
| Creative Zen Vision W | Creative Zen Vision W | CTL:N0MAD$PDE0.DPMP. | 1sN0TM3D az u~may th1nk*Creative ZEN Vision W |
| Creative Zen Micro | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Micro |
| Creative Zen MicroPhoto | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen MicroPhoto? |
| Creative Zen Sleek | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Sleek |
| Creative Zen Sleek Photo | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Sleek Photo |
| Creative Zen Touch | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*Creative Zen Touch |
| Creative Zen Jukebox Xtra | | CTL:N0MAD$PDE0.SIGN. | 1sN0TM3D az u~may th1nk*NOMAD Jukebox Zen Xtra |

Miscellaneous Links

r4 - 14 Sep 2008 - 12:45:49 - MaurusCuelenaere

Revision r2 - 20 Dec 2007 - 02:38 - WessamBaghdadi
Revision r1 - 20 Dec 2007 - 02:09 - WessamBaghdadi
Copyright by the contributing authors.