Sony NW/NWZ series: analysis
This page documents what is known about the Sony NW players that run Linux. This information has only been verified for a handful of players and may be inaccurate.
Most of this initial information comes from SonyNWZE460Analysis.
All Linux-based Sony players so far seem to use one of these two CPUs:
Based on the information we have about the EmmaMobile1, we believe that the SoC can only boot from flash or SD/MMC. Most Sony players seem to come with an eMMC, but some players still use NAND flash. This means this SoC has NO USB RECOVERY MODE, making these players very easy to brick (or at least hard to recover).
The other pieces of hardware (buttons, radio, sound, Bluetooth, screen) seem to vary from player to player.
boot from eMMC. It first loads 4096 bytes from the eMMC (miniboot) and executes it. This miniboot then loads the secondary bootloader (U-Boot) from eMMC and executes it. U-Boot is located at a fixed address (0x1000-0x40000 on some players).
The boot process from NAND is very similar.
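An added example (not from the original page) that fingerprints the two loader regions described above in a raw eMMC dump, so that dumps taken before and after a firmware upgrade can be compared. The 0x1000-0x40000 U-Boot range is the one the text gives for "some players"; treating the dump as a flat byte image starting at offset 0, and all function names, are assumptions.

```python
import hashlib

# Layout from the text: miniboot is the first 4096 bytes; U-Boot sits at
# 0x1000-0x40000 "on some players" (assumed here, verify per model).
REGIONS = {
    "miniboot": (0x0000, 0x1000),
    "uboot": (0x1000, 0x40000),
}

def carve(dump: bytes) -> dict:
    """Return {region name: bytes} for each loader region of a raw dump."""
    out = {}
    for name, (start, end) in REGIONS.items():
        # A truncated dump would silently yield a short slice, so reject it.
        if len(dump) < end:
            raise ValueError(
                f"dump too short for {name}: need {end:#x} bytes, have {len(dump):#x}")
        out[name] = dump[start:end]
    return out

def fingerprint(dump: bytes) -> dict:
    """SHA-256 of each loader region, keyed by region name."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in carve(dump).items()}

def changed_regions(before: bytes, after: bytes) -> list:
    """Names of loader regions whose contents differ between two dumps."""
    a, b = fingerprint(before), fingerprint(after)
    return sorted(name for name in REGIONS if a[name] != b[name])

def constructed_dump(uboot_fill: int, tail: int = 0x00) -> bytes:
    # Constructed sample data, not a real device image.
    return (bytes([0xAA]) * 0x1000
            + bytes([uboot_fill]) * (0x40000 - 0x1000)
            + bytes([tail]) * 0x2000)

if __name__ == "__main__":
    before = constructed_dump(0x11)
    after = constructed_dump(0x22)
    for name, digest in fingerprint(before).items():
        print(f"{name:9s} {digest}")
    print("changed after upgrade:", changed_regions(before, after))
```

Data past 0x40000 (kernels, rootfs, NVP) is deliberately ignored, so only a change to miniboot or U-Boot is reported.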
When U-Boot is executed, it seems it can do one of three things:
- run a console session: although the code seems to allow it, we have no idea if retail players can enter this mode; it is possible that it uses a special USB cable
- execute the "recovery" kernel: this is in fact the firmware upgrade kernel
- execute the normal kernel
The console session is probed from some pins; we have no idea what they are, and they might only exist on dev boards. The recovery kernel is entered if the NVP upgrade flag is set (see the section on NVP for more information). It appears that the eMMC really contains two different kernels: the firmware upgrade kernel never changes (at least no firmware upgrade so far seems to touch it) and comes with its own initrd (that also never changes). The normal kernel does not always use an initrd (guess: it only does if the device uses flash instead of eMMC?).
When the firmware upgrade kernel is booted, the initrd contains the minimum amount of software to run Linux without access to flash. It also contains an upgrade script that runs after the system has booted. The upgrade script does the following:
- mount the user partition (the one accessible through USB)
- look for a file called
- if the file is not there, it clears the NVP upgrade flag and reboots
- it decrypts the file and checks the MD5 signature
- if the signature does not match, it clears the NVP upgrade flag and reboots
- it unpacks the first file from the firmware upgrade archive and runs it (it is a shell script)
- it clears the NVP upgrade flag and reboots
The only restriction on firmware upgrades is that the signature must match and the archive must contain at least one file. A typical Sony upgrade will contain three or four files:
- the update script
- the new kernel image
- the new kernel initrd (only if kernel uses an initrd)
- a new rootfs image
- a new loader image (we know this is possible from the code but we haven't seen any such update yet)
The typical Sony upgrade file will:
- upgrade kernel and initrd
- format the root partition
- mount the root partition
- extract the rootfs from the archive
- umount and sync
When the normal kernel boots, it sets up the system and runs the main Sony executable (which one is that?). When USB is plugged in, it supports both MTP and MSC mode. In MTP mode, a special undocumented command is available to tell the device to set the upgrade flag in the NVP. In MSC mode, another undocumented SCSI request achieves the same. When in MSC mode, more undocumented SCSI requests exist to query the NVP or device information.
Part of the flash/MMC is dedicated to what Sony calls the NVP (Non-Volatile what?). The NVP is basically a key-value store. The keys are numbers (usually ranging from 0 to ~100) and only Sony knows exactly what each number corresponds to (it also depends on the device). The value can be anything. Here are typical keys found on the devices:
- encryption key
- various firmware upgrade images (showing success, work in progress or error)
- upgrade flag
- various DRM keys
- RTC/alarm/secure clock parameters
- Bluetooth/Wi-Fi address
- U-Boot password
- battery calibration
When in MSC USB mode, the NVP can be queried. As a result, it is possible to get the encryption key by kindly asking the device, assuming you know which NVP key to ask for.
Original Firmware and Linux
- 14 Aug 2016