General
This page is intended to document and keep track of all Samsung players firmware variants.
Encryption
In general some are encrypted, some aren't.
The ones that are encrypted are following, so far, all the same encryption scheme: cyclic XOR with a 128 bit key.
// key suitable for R0/R1/R2
uint8_t ypr0_key[] =
{
0xa3, 0x04, 0xb9, 0xcd, 0x34, 0x13, 0x4a, 0x19, 0x19, 0x31, 0xdf, 0xbb,
0x8f, 0x3d, 0x7f, 0x09, 0x42, 0x3c, 0x96, 0x33, 0x41, 0xa9, 0x95, 0xf1,
0xd0, 0xac, 0x16, 0x37, 0x57, 0x35, 0x28, 0xe7, 0x0b, 0xc2, 0x12, 0x09,
0x39, 0x42, 0xd2, 0x96, 0xf5, 0x00, 0xd2, 0x23, 0x37, 0x24, 0xe2, 0x8e,
0x50, 0x3c, 0x6e, 0x23, 0xeb, 0x68, 0xed, 0x31, 0xb7, 0xee, 0xc0, 0xc7,
0x09, 0xf8, 0x39, 0x9d, 0x51, 0xed, 0x17, 0x95, 0x64, 0x09, 0xe0, 0xf9,
0xf0, 0xef, 0x86, 0xc0, 0x04, 0x46, 0x89, 0x8a, 0x6e, 0x27, 0x69, 0xde,
0xc7, 0x31, 0x1e, 0xee, 0x3c, 0x3f, 0x17, 0x05, 0x44, 0xbb, 0xbb, 0x1d,
0x3d, 0x5d, 0x6e, 0xf2, 0x78, 0x15, 0xd6, 0x3c, 0xcc, 0x7d, 0x67, 0x1a,
0xb8, 0xd2, 0x79, 0x54, 0x97, 0xa2, 0x58, 0x58, 0xf7, 0x4e, 0x5e, 0x50,
0x42, 0x69, 0xdc, 0xe7, 0x3a, 0x87, 0x2e, 0x22
};
// key suitable for Z5 and others (refer to list)
uint8_t ypz5_key[] =
{
0xa3, 0x04, 0xb9, 0xcd, 0x34, 0x13, 0x4a, 0x19, 0x19, 0x35, 0xdf, 0xbb, 0x8f, 0x3d, 0x7f, 0x09,
0x42, 0x3c, 0x96, 0xc6, 0x41, 0xa9, 0x95, 0xf1, 0xd0, 0xac, 0x16, 0x37, 0x57, 0x1f, 0x28, 0xe7,
0x0b, 0xc2, 0x12, 0x09, 0x39, 0x42, 0xd2, 0x96, 0xf5, 0x00, 0xd2, 0x23, 0xa4, 0x24, 0xe2, 0x8e,
0x50, 0x3c, 0x6e, 0x23, 0xeb, 0x68, 0xed, 0x31, 0xb7, 0xee, 0xc0, 0xc7, 0x09, 0xf8, 0x0e, 0x9d,
0x51, 0xed, 0x17, 0x95, 0x64, 0x09, 0xe0, 0xf9, 0xf0, 0xef, 0x86, 0xc0, 0x04, 0x46, 0x89, 0x8a,
0x6e, 0x27, 0x69, 0xde, 0xc7, 0x9d, 0x1e, 0xee, 0x3c, 0x3f, 0x17, 0x05, 0x44, 0xbb, 0xbb, 0x1d,
0x3d, 0x5d, 0x6e, 0xf2, 0xcf, 0x15, 0xd6, 0x3c, 0xcc, 0x7d, 0x67, 0x1a, 0xb8, 0xd2, 0x1b, 0x54,
0x97, 0xa2, 0x58, 0x58, 0xf7, 0x4e, 0x5e, 0x50, 0x42, 0x69, 0xdc, 0xe7, 0x3a, 0x87, 0x2e, 0x22
};
void cyclic_xor(void *data, int datasize, void *xor, int xorsize)
{
for(int i = 0; i < datasize; i++)
*(uint8_t *)(data + i) ^= *(uint8_t *)(xor + (i % xorsize));
}
Firmware types: general information
Device (codename) |
Firmware name |
Encrypted |
Format |
YP-F3 (-) |
YP-F3.ROM |
no |
Muonizer |
YP-Q1 (-) |
Q1.ROM + Q1.RSC |
no |
TCCFormat |
YP-R0 (BigBang) |
R0.ROM |
yes |
MuonModel-1 |
YP-R1 (BigBang) |
R1.ROM |
yes |
MuonModel-1 |
YP-R2 (Toledo) |
R2.ROM |
yes |
MuonModel-2 |
YP-Z3 (Ruskin) |
Z3.ROM |
yes |
MuonModel-2 |
YP-U7 (-) |
YP-U7.ROM |
no |
Muonizer |
YP-W1 (-) |
YP-W1.ROM |
no |
Muonizer |
YP-Z5 (-) |
Z5.ROM |
yes |
tarfile |
YP-Q3 (-) |
Q3.BIN |
no |
TCCFormat |
Firmware format: content type and header information
Format |
Mode |
Components |
Checksum check |
User-flashable bootloader |
tool in rockbox tree |
MuonModel-1 |
component encryption / header based extraction |
MBoot.bin/zImage/cramfs-fsl.rom/SYSDATA.bin |
yes |
no |
yes (pack and unpack) |
MuonModel-2 |
WIP |
MBoot.bin/Firmware.bin/SysData.bin |
?(WIP) |
? |
WIP |
Muonizer |
WIP |
ITCM_SYSV/SRAM_SYSV/506CODECALL/APP_PACK/SOUND_ALIVE_1-2/APP_DBU_1-2-3/YP-W1.rsc/NLS_CONV.tbl |
?(WIP) |
? |
WIP |
TCCFormat |
simple container + 756 byte metadata |
XX.ROM / XX.RSC |
YES |
YES(guess) |
WIP |
NOTE: names for "Format" are partially invented!
MuonModel comes out as recurrent string. It indicates the main framework used in the years to develop these audio players! Some are guessed or indicating the technology behind the scenes.
--
LorenzoMiori - 07 Sep 2013
Copyright © by the contributing authors.