|
|
iriver H10 Port: Development InformationAbout This PageThis page has been created as a place for development information for the iriver H10 port to be placed. This is to keep the iriver h10 port page cleaner.Development InformationFirmware informationThe firmware on the H10 shares a common format with most other PortalPlayer based players (the iPod being the notable exception). The firmware comes in two parts:
BootloaderThe bootloader appears to be stored in flash. It is loaded first when the system is turned on. Its function is to initalise the device (turn on the LCD, allow button detection, etc) and then to load the main firmware from the hard disk. The bootloader is also responsible for the UMS mode. With the H10 connected to a computer, holding 'O' as the device is started causes the bootloader to not load the main firmware, but instead to make the H10 appear as a Universal Mass Storage device to the computer. This way, it is possible to access the .mi4 file in the 'System' directory.DisassemblyThe .rom version of the bootloader is not encrypted and can be disassembled straight away:$ arm-elf-objdump -D --target binary -marm BL_H10.romThe .hex version is encrypted and so must first be decrypted using mi4code: $ mi4code hexdecode BL_20GC.hex BL_20GC.hex.bin 20gc_engwhere 20gc_eng corresponds to the decryption key for the US firmware. It can then be disassembled as with the .rom version: $ arm-elf-objdump -D --target binary -marm BL_H10_20GC.hex.bin Reverse EngineeringThere is a header in the hex file. Actual code execution starts at 0x40. The first thing the bootloader does is BIC 0x1a00 in to 0x70000020 which (according to ipodlinux) is the I2S init address. Next, it enables bit 5 of GPIOF for output and writes 1 to it:
UpgradingAs the bootloader loads the mi4 file from disk, it is not necessary to use a modified bootloader to get Rockbox working on the H10. The procedure below is just for information purposes. The bootloader upgrade procedure is probably as follows:
FirmwareDisassemblyThe .mi4 file is encrypted and so must first be decrypted using mi4code:$ mi4code decrypt H10_20GC.mi4 H10_20GC.mi4.binwhere 20gc_eng corresponds to the decryption key for the US firmware. It can then be disassembled as with the bootloader: $ arm-elf-objdump -D --target binary -marm H10_20GC.mi4.bin Reverse EngineeringThere is a header which is documented on the mi4code website. Actual code execution starts at 0x200.Running Custom CodeIt is possible to run custom code on the H10 simply by creating a mi4 file and copying it to the player. The process of making the mi4 file is:
$ mi4code build -3 bootloader/bootloader.bin bootloader.mi4
$ mi4code encrypt bootloader.mi4 H10_20GC_unsigned.mi4 20gc_eng
$ mi4code sign H10_20GC_unsigned.mi4 H10_20GC.mi4
Firmware UpgradeUsing a modified mi4 firmware on the H10 is very straightforward. It is also very easy to recover from a bad firmware image. The upgrade procedure is as follows:
Build a Rockbox BootloaderThere is Rockbox bootloader in SVN. The procedure for building and using the bootloader on a H10 is:
Usefull linksSome usefull links:r5 - 02 Apr 2021 - 20:46:06 - UnknownUser
Copyright © by the contributing authors.
|