release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide
translations



Search | Go
Wiki > Main > SanDisk > SansaE200Port > SansaE200FirmwarePartition

SanDisk Sansa E200 Firmware Partition

Description

The SanDisk Sansa e200 series has a 20MB hidden firmware partition. It holds both the bootloader and main firmware. This partition is hidden by e200r firmwares.

The partition is 20MB and is at the end of the disk. It doesn't have any partition table, but has files at specific address locations inside it. Each file has a 512B (1 sector) header which has a 4 character string describing its contents, followed by a 32-bit little endian number indicating the length of the file in bytes. There is then a 32 bit number with an unknown purpose.

Structure

Addresses are relative to the start of the partition. The partition is divided up into 3 block. The first block is 512KB for the bootloader. The last 5MB of the partition is for the ppfn (image?) data. The remaining space in between is used for the main firmware.
Address Description
0x0 Bootloader header - PPBL followed by the bootloader length, followed by 0x10000
0x200 Bootloader
0x80000 Main firmware header - PPMI followed by firmware length, followed by 0x20000
0x80200 Main firmware in mi4 format
0x780000 NVPARAMS
0x780200 PPPS Non-volatile parameters - used by the OF to save data (eg. current track, database status, etc.) through a power cycle. There appears to be a header here too
0x780240 Firmware version string, e.g. "PP5022AF-05.51-S301-02.18-S301.02.18E-D"
0x7810e1 If this is set to 1, the database is rebuilt on next reboot
0x800000 Unknown data of length 0x200
0xefe400 PPID followed by length (0x10), followed by 0x40000
0xefe600 ppid data. Unknown purpose. Reads DF 83 75 C6 F6 FC 1A 44 84 66 45 99 6C E1 DC 70 on Sansa e280
0xf00000 PPFN followed by length followed by 0x30000
0xf00000 ppfn data. Possibly images or animation used by the bootloader

Dumping the firmware partition

Sometimes it can be useful to dump the partition to a file, for example to experiment with the database rebuild byte at offset 0x7810e1.

Procedure:
  • Boot the original firmware and set USB mode to MSC.
  • Connect the e200 to USB, the display should now say "Connected".
  • Use sansapatcher to find out where the 20MB partition lives (in this example at sector 7813120):
$ ./sansapatcher.exe -l
sansapatcher v0.5 with v3.0 bootloaders - (C) Dave Chapman 2006-2007
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[INFO] Scanning disk devices...
[INFO] e200 found - disk device 2
[INFO] Reading partition table from \\.\PhysicalDrive2
[INFO] Sector size is 512 bytes
[INFO] Part    Start Sector    End Sector   Size (MB)   Type
[INFO]    0             580       7813119      3814.7   W95 FAT32 (0x0b)
[INFO]    1         7813120       7854079        20.0   OS/2 hidden C: drive (0x84)
[INFO] Image 1 - 60416 bytes
[INFO] Image 2 - 5798912 bytes
  • Use dd to dump the entire 20MB partition (partition 1), /dev/sdc is the block device name of the Sansa (this even works under Cygwin), notice how the "skip" argument is filled with the start sector of the partition:
$ dd if=/dev/sdc of=part1.bin skip=7813120 count=40960
40960+0 records in
40960+0 records out
20971520 bytes (21 MB) copied, 5.156 s, 4.1 MB/s
  • Check the dumped partition with your favorite hex-editor. It should start with "PPBL". If it doesn't, you may have accidentally dumped some data from another device. In that case, change "/dev/sdc" to something else.

r8 - 02 Apr 2021 - 20:46:07 - UnknownUser

Copyright © by the contributing authors.