Firmware and Loading without the Hard Drive in

Obsolete, see CreativeZVMPort


Breihanj has made some headway with the firmware loading. Below is a summary of a chat I had with them. Below that is the transcript of the important parts of the actual chat.

It looks like the majority of the firmware is loaded from the hard drive on every boot. Without the hard drive in, it boots into recovery mode only; the main UI will not come up without the hard drive in. Hopefully this will make it easier for us to load our own firmware with less chance of bricking it. See the 19:09 timestamp for the details of what Breihanj saw when booting it up. We are going to try to get an adapter that connects the hard drive directly to a computer so we can see what the partition tables are and hopefully load the firmware directly onto the disk. Breihanj thinks that the checksum may be in the .exe firmware loader.


(13:28:43) Breihanj: i might be able to get it. i got a hard drive adapter to mount a laptop hard drive in a desktop... do you know if the zen vision m uses the same connector? i suspect it does but haven't gotten the case of the zvm completely open

(13:29:05) Breihanj: i'm hoping to get it open, connect the adapter and use the dd command in linux to dump the contents of the drive


(13:29:48) Breihanj: i suspect that we may be able to copy firmwares directly to the hd

(13:29:58) Breihanj: if we can mount it with an adapter

(13:30:08) Breihanj: and that'll reduce chance of bricking the zvm

(13:30:28) jhulst: Right, but then we need a bootloader

(13:30:33) jhulst: So that it will run

(13:30:46) Breihanj: well, not if the bootloader is booting code off of the hd

(13:30:56) Breihanj: we could just put our code in the same location

(13:31:23) jhulst: If it boots off the hard drive like that, that would be wonderful

(13:31:37) Breihanj: yeah. i heard that is how the ipod boots and i think the zvm may boot that way

(13:31:42) Breihanj: but i won't know until i dump the data ...

(13:34:45) Breihanj: i have done some reverse engineering though with the compaq ipaq

(13:34:59) Breihanj: i've flashed linux onto it before

(13:35:10) Breihanj: extracted firmware from compaq updaters

(13:35:31) Breihanj: and then split that firmware up with dd

(13:35:41) Breihanj: and used the compaq openhandhelds flasher to upgrade from pocketpc 2000 to pocketpc 2002

(13:35:56) jhulst: Right now our biggest goal is to figure out how to get the Zen to accept a hacked firmware

(13:36:00) Breihanj: it took me about four tries to get the thing apart and i almost bricked it

(13:36:08) jhulst: It seems like there is a checksum validation somewhere

(13:36:18) Breihanj: yeah the crc check is in the flasher too, just like in the compaq flasher

(13:36:42) Breihanj: it's most likely the exe that does the crc check, not the device itself

(13:36:49) jhulst: You think so?

(13:36:55) jhulst: That would make this even easier

(13:37:58) Breihanj: yeah, but this is speculation


(18:50:10) Breihanj: ok, did some research while at work and it needs a different adapter

(18:50:31) jhulst: Okay

(18:50:37) Breihanj: i'm going to order one

(18:50:39) jhulst: Is the adapter generally available?

(18:50:51) Breihanj: fry's didn't have it and neither did micro center

(18:50:56) Breihanj: and they're the only stores that would have that kind of thing

(18:51:08) Breihanj: i've found two sites that sell 'em though, about $15 apiece

(18:51:31) jhulst: Could I get the link for it?

(18:51:36) Breihanj: yeah, one sec

(18:52:03) Breihanj: this is assuming the drive is a toshiba, i'm pretty sure it is

(18:52:09) Breihanj: if it's a hitachi it'll work with a laptop adapter


(18:52:37) Breihanj: this appears to be the better model:

(18:52:50) Breihanj: plus they're in WI so they'd ship to you quickly

(18:53:08) Breihanj: the other one is


(18:55:44) Breihanj: i've been curious as to how the file structure is on the drive

(18:56:07) Breihanj: i was messing around two weekends ago with libmtp, copying files back and forth

(18:56:12) Breihanj: using c#


(19:04:29) Breihanj: i got the zvm open

(19:04:30) jhulst: Right

(19:04:35) jhulst: Nice

(19:04:40) Breihanj: good news i think

(19:04:41) Breihanj: hitachi drive

(19:04:45) Breihanj: it may work with the adapter

(19:05:13) Breihanj: never mind

(19:05:23) Breihanj: i've never seen a cable end like this on a hard drive

(19:05:28) Breihanj: i think it looks like the one in that adapter

(19:05:39) Breihanj: i'm sure it is

(19:05:50) jhulst: You think it would work with that special adapter?

(19:06:09) Breihanj: yeah i'm pretty sure

(19:06:22) Breihanj: i'm gonna try booting it without the hd


(19:08:12) Breihanj: i booted without the hard drive

(19:08:25) Breihanj: it goes into the same interface.

(19:08:51) Breihanj: system reports 1.61.01 firmware

(19:08:58) jhulst: What did it have before?

(19:09:00) Breihanj: same

(19:09:07) Breihanj: i was kind of hoping it was booting something new off the hd

(19:09:14) Breihanj: i'm gonna do a recovery mode boot

(19:09:17) Breihanj: and see what happens


(19:10:04) Breihanj: well, even if the firmware is running from rom we may be able to launch something else through an overflow exploit

(19:10:22) Breihanj: however my knowhow when it gets to that stuff is basically nonexistent


(19:11:30) Breihanj: it hangs at the zen logo right now

(19:11:43) Breihanj: in recovery mode

(19:12:04) Breihanj: i'm gonna let it sit for a minute and see what it says

(19:12:28) Breihanj: here we go

(19:12:32) Breihanj: recovery mode came up

(19:12:42) Breihanj: 1.61.91_0.0.23 reported

(19:12:54) Breihanj: choosing reboot from recovery mode

(19:13:06) Breihanj: gonna see if the normal ui comes up

(19:13:10) Breihanj: i have a feeling it won't

(19:13:27) Breihanj: i have a feeling the stuff before was cached and that i removed the hard drive when it was sleeping rather than powered down

(19:13:29) Breihanj: so that stuff was still in ram.

(19:13:40) Breihanj: yeah

(19:13:46) Breihanj: it goes into recovery mode automatically

(19:13:57) Breihanj: this means it's booting most of the software from the hd i think

(19:14:06) Breihanj: of course the only way to test that completely

(19:14:14) Breihanj: is to get that adapter

(19:14:19) Breihanj: and start doing fun things with the hard drive


(19:18:06) Breihanj: i was really hoping this would take a 44 pin connector but i probably should have just read that "taking apart your zvm" page more closely

(19:18:22) Breihanj: yeah it's booting directly into recovery mode no matter what without the hd in

(19:18:34) Breihanj: the only reason it went to the ui before was because when you shut off it goes into sleep mode before it actually shuts off

(19:18:41) Breihanj: and i, stupidly, removed the hd while in sleep mode hehe

(19:19:25) Breihanj: the orange thing is a grounding plate for the hard drive


(19:21:42) Breihanj: ok, so

(19:21:49) Breihanj: when it's booting from firmware

(19:21:53) Breihanj: it shows the ZEN logo across the screen

(19:21:56) Breihanj: not animated

(19:22:01) Breihanj: then when it boots the os off the screen

(19:22:16) Breihanj: that's when it flickers quickly and shows the creative zen animation

(19:22:48) Breihanj: i'm sure it's loading the animation at the very least off the hd

(19:22:57) jhulst: okay good

(19:22:58) Breihanj: i haven't looked at the firmware updater binary

(19:23:08) Breihanj: but i'm pretty sure it's probably divided like the ipaq i was telling you about

(19:23:13) Breihanj: into different partitions

(19:23:29) Breihanj: in this case, there's the eeprom that gets flashed for the bootloader/recovery mode system

(19:23:34) Breihanj: and then there's the stuff that gets copied to the hd

(19:23:38) Breihanj: which is basically the os

(19:23:42) jhulst: That would be good; if it loads off the hard drive, it will be very helpful

(19:24:10) Breihanj: what i want to do after i get the adapter (hopefully by next weekend)

(19:24:28) Breihanj: is dump the disk image with dd

(19:24:39) Breihanj: and then inspect it with a hex editor to see where the partitions start

(19:24:41) Breihanj: for data

(19:25:00) Breihanj: where the database for the mtp metadata is kept

(19:25:37) jhulst: yup

(19:25:54) Breihanj: and where the os is

(19:25:54) Breihanj: and we can match that up alongside the binary you guys got from the firmware updater

(19:25:54) Breihanj: since it was said that it isn't encrypted (hopefully)

(19:25:54) Breihanj: we should be able to match up the pieces and see where the updater is putting stuff

(19:25:59) Breihanj: the only obstacle

(19:26:15) Breihanj: could be if there is a crc of some kind flashed into the eeprom

(19:26:24) Breihanj: that matches the os data it loads off the hd

(19:26:35) Breihanj: but there's a good chance the crc check is only in the exe updater that you run on windows

(19:26:44) Breihanj: at any rate

(19:26:54) Breihanj: by comparing the firmware binary against the hd's data

(19:27:04) Breihanj: we should be able to find a crc hash of some kind to match with


(19:46:16) Breihanj: we should just be able to copy our data into that location

(06:29:21 PM) Breihanj: and then we could still have the creative recovery mode and bootloader part in the eeprom

(06:29:25 PM) Breihanj: and that would handle booting

(06:29:32 PM) Breihanj: if we figure more out

(06:29:38 PM) Breihanj: we may be able to write some kind of second stage bootloader


