Wiki > Main > IriverMemoryMap (compare)
Difference: IriverMemoryMap (r34 vs. r33)
DaveHooper (stripwax) has developed and published decryption & encryption tools for this. (Binary: http://www.beermex.com/@spc/ihpfirm.exe & Source: http://www.beermex.com/@spc/ihpfirm.src.zip). See the IriverToolsGuide for info on how to use this tool.
Using the iHP-140 as an example -- the decoded image from the above has a 512 byte encryption header, then a 32 byte "ESTFBINR" header with nothing in it. Following this is the content of the flash, with the entry point at 0x0 as explained in "Reset Logic" below. The flash routine inits the processor, important regs and GPIO, then copies portions of the remaining FLASH data into SDRAM and SDRAM as follows (see offset 0x00001528 for details):
Copy 0xD2525-0xD82C9 to 0x10000000 (Start of SRAM)
A few well-constructed "dd" commands, and you'll be able to construct two images: one containing the content of the SRAM image and one containing the SDRAM image. The dd would be of the form "dd if=ihp_120.bin of=sdram_img.bin bs=1 skip=$[0xE3099] seek=$[0x0] count=$[0x19D2E9-0xE3099] conv=notrunc" -- that example copies the first block of SDRAM at offset 0x3100000 into offset 0 (seek=0) of sdram_img.bin. There are bits of executable code in both -- some speed critical routines are placed in SRAM, like memcpy().
You can add strings references to the assembly code using the attached addstrings.pl command below. This will add a surprising amount of clarity to the code since there are more than a few error messages that were built into the code (but the error function itself appears to have been ifdeffed out).
Can we agree on a common firmware to analyze? I suggest the US firmware? But should it be 1.40 or 1.60?
I'm just making up descriptive function names. -- PaulS?
StephanNielsen: I was wondering which tools and methods you use to analyze the firmware (extract addresses). Disassembler (objdump), A modded MCF5249 emulator, BDM, GDB??? Is it possible that you could inform other interested people about this on a separate WikiPage?- unless of course you will rather do all the hard work yourself ;). Have anyone been able to compile a cross-compiler for the MFC5249 yet - a WikiPage? for instruction on how to do this would also be really useful? PaulS?: Check out the new addition to the ColdFire page.
PaulS?: There's not a lot of magic going on here. I think there are other people (and pages) that are much better suited to give a tutorial on disassembly. The tools I've relied on the most are the disassembly tools I mentioned on the IriverPort page. I wrote a little perl code to build forward and reverse function call trees, but the results of that haven't been very useful so far. Aside from that, I spent a little time getting used to the assembly language, kept a ColdFire Programmers Reference Manual and the CF5259 User Manual by my side and curled up with some code. It didn't take long to get an intuition for loop structure and function call semantics. The important bit of code I found very early on built the Software Memory Map below, which talks about where all the peripheral interfaces are in memory. Just searching for references to the GPIO memory range (mostly in MBAR2) will get you plenty of interesting code to look at and ponder on what it's doing. Again, other people might be better at formalizing this process. Is this short bit worth a separate Wiki page?
The iRiver can map external peripherals in a flexible manner, using the Chip Select Module. There are also base address registers for many other facilities so devices like GPIO registers can float around based on the firmware in question. Here's an attempt to document the 1.40US firmware's setup (and coincidentally the 1.60 appears largely the same) for various important bits. Some of these registers are supervisory registers in the core, accessed by special MOVE instructions. Others, like the chip select regs are actually within the MBAR.
Here's a summary of how the ColdFire GPIO pins are used on the iRiver. These are mostly guesses that LinusNielsenFeltzing should be able to confirm or dispute based on his findings. The I/O/F column indicates whether the pin is a GPIO Input, GPIO Output or Function pin (assigned to the ColdFire's special-purpose function, or not used). Pointers are into the 1.40US SDRAM code.
"*" indicates that this GPIO or function is actually implemented by two pins on the physical package -- one dedicated input pin and one dedicated output. This means that this logical bit can serve two functions simultaneously. There's only one bit that decides function vs. GPIO, so the composite pin must either both be function pins or a GPI and GPO pin.
"(C)" indicates that it is confirmed
DaveHooper: Is the battery LED connected to GPIO or is it controller directly by the charging hardware?
A lot of documentation can be found in the ColdFire manuals. The below list refers to the most important address tables:
r34 - 03 Nov 2004 - 08:39:00 - LinusNielsenFeltzingRevision r34 - 03 Nov 2004 - 08:39 - LinusNielsenFeltzing
Revision r33 - 03 Nov 2004 - 07:54 - LinusNielsenFeltzing
Copyright © by the contributing authors.