Hacking the Firmware 1.10.04.exe
I've been trying to peek and poke the ZENX-Fi2_PCFW_L22_1_10_04.exe file to see
if there was anything interesting to be done.
So far I've changed the boot logo using GIMP's raw image import function
and a hex editor to put the altered image back into the 1.10.04.exe file
and then updated the player. So there is no "checksum verification".
I've also extracted a LUA application from the firmware, looks like a
calculator, if run on the Zen X-fi2 (it sort of works, there is no clear screen). I've uploaded it here
If I use the luadec.exe -f 0 then this:
The boot image header in the firmware is at '0xD09480'
0C DE 00 00 07 CB 60 04
The first 3 or 4 bytes are the size (in reverse) of the image block including the next 4 bytes, which contain the image width CB = 203 and height?
6004 = 0x46 = 70 dec. ?
203*70*4 = 56840 0xDE08
203*70*4+4 = 56844 0xDE0C
I'm using this free Hexeditor http://mh-nexus.de/en/hxd/
it can do block copy/paste.
It should be possible to extract all images and icons and put them back in, but it's manual hard work,
and ONE byte off and you're risking bricking the player.
Using GIMP raw import function and playing with the offset and width,
I can find a lot of bitmaps in the firmware, and then I use the hex editor to fine-tune the image location and size in the exe file.
more to come...
Aww, this is nice! But I really fear messing up my firmware, so I won't try this at home ;)
I have just removed the colour of the 14 icons in the firmware.
X-Fi2 going MX...
The Offset of the Icons:
You should be able to unbrick it via the Creative MP3 Player Recovery Tool correct? I'm bummed you beat me to it though haha. I was waiting for Creative to give me the OK before I start releasing reversed stuff, but I'll join you after school today. =P
That can only be used on another Creative X-Fi2 player, can't hurt that much.:cool:
While I did find some function info that I haven't previously had from the source I did find something that confused me even more:
if control.read(1) == 1 then
Ok, got a question here... How did you find out the offset / address of the bootlogo image? Since it's animated there should be more frames.
In his second image do you see the "13669512" offset value. That equals 0x00D09488. I'm guessing he scanned the offsets while finding images.
1. animation(display for 1 sec.)
2. The boot image(display for 3 sec.)
The boot animation looks like the boot image,
just with the sparkle thing. I have not found anything other than
the black Zen boot logo, and there is no frames on either side of it.
"How did you find out the offset / address of the bootlogo image?"
I first use GIMP to get an approximate offset address, then I use the hex editor
to close in on the bits :-)
Every data block in the firmware file is separated by or ends with
at least 32 0xEE's, so a search for those will quickly get you there, and the header + the file header reveal the file type: image (raw), wave, RES.BIN, LUA, PNG (apps. logo).
For all file types the header (the first 4 bytes) following the block of 0xEE's is the size of the data block in reverse. If the file is an image then the next 4 bytes are the image dimensions, and should not be altered.
A typical data block( this one containing a wave file, and only the first 4 bytes is header)
A typical data block containing a raw image( this one is the boot logo)
Using the hexeditor and block select, it's just a matter of reading the header subtracting
4 bytes and placing the cursor and selecting a block,copy/new/paste/save/ edit in gimp(raw) in-out./
open in hexeditor/copy/overwrite/double check/save firmware.:cool:
Edit: UPDATE See the thread "Firmware Image Extractor | Injector 5000"
for a program to extract and inject the images.
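Added example, not part of the original posts and not Creative's or the poster's tool: a read-only Python scanner for the block layout described above (a run of at least 32 0xEE bytes, then a 4-byte little-endian size, then the data). The names `scan_blocks`, `decode_dims` and `SAMPLE` are hypothetical, and the bit layout of the 4 dimension bytes is an assumption inferred from the single boot-logo header quoted in the thread.

```python
import re
import struct

# Thread: every data block is separated by (or ends with) at least 32 bytes of 0xEE.
EE_RUN = re.compile(rb"\xEE{32,}")
# Well-known file magics; raw images and RES.BIN carry no magic recognised here.
MAGICS = {b"RIFF": "wave", b"\x89PNG": "png", b"\x1bLua": "lua"}

def decode_dims(dim_bytes, size):
    """ASSUMPTION (inferred from the one header in the thread, 07 CB 60 04):
    12-bit width in bits 8-19 and 12-bit height in bits 20-31. The result is
    accepted only if it agrees with the thread's rule size == w*h*4 + 4."""
    (v,) = struct.unpack("<I", dim_bytes)
    width, height = (v >> 8) & 0xFFF, v >> 20
    return (width, height) if width * height * 4 + 4 == size else None

def scan_blocks(blob):
    """Return [(header_offset, size, kind, dims)] for each block found."""
    found, pos = [], 0
    while (m := EE_RUN.search(blob, pos)):
        start = m.end()                    # first byte after the 0xEE run
        if start + 4 > len(blob):
            break
        (size,) = struct.unpack_from("<I", blob, start)  # "size in reverse" = little-endian
        end = start + 4 + size
        if size < 4 or end > len(blob):    # not a plausible header, keep scanning
            pos = start
            continue
        data = blob[start + 4:end]
        kind = MAGICS.get(data[:4], "unknown")
        dims = decode_dims(data[:4], size) if kind == "unknown" else None
        if dims:
            kind = "raw image"
        found.append((start, size, kind, dims))
        pos = end                          # skip the payload so 0xEE pixels are not read as a separator
    return found

# Constructed sample, not real firmware: a 12-byte wave stub and a 3x2 raw image.
SAMPLE = (b"\x00" * 8 + b"\xEE" * 32 + struct.pack("<I", 12) + b"RIFF" + b"\x00" * 8
          + b"\xEE" * 40 + struct.pack("<I", 28) + bytes.fromhex("07032000") + b"\x11" * 24
          + b"\xEE" * 32)

if __name__ == "__main__":
    for off, size, kind, dims in scan_blocks(SAMPLE):
        print(f"0x{off:X} size={size} kind={kind} dims={dims}")
```

A size field whose first byte is itself 0xEE would be swallowed by the separator match, so treat offsets from this scanner as candidates to confirm in a hex editor.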
I wanted to see if I could search for a image I knew the size of using the header size,
to see what happens to the header with image-width larger than 0xFF
Wallpaper is 400x240*4+4 = 0x05DC04 reversed 0x04DC05.
Searching for 04DC05...
When the file ZENX-Fi2_PCFW_L22_1_10_04.exe is run it creates 3 files
in the windows temp folder:
It looks like a driver and inf.
"SigmaTel 3410/3500/3600": could it be the CPU of the X-Fi?
It would be fun if we could talk to the player through the USB interface
and make it do tricks that way.
If you open the "My Zen" directory in Google Chrome there are more files than there should be, notably CTSTORE.dat and PREVIEW.dat. These files do not show up in windows explorer even with hidden files being shown.
So the CPU in this XFi2 is it more powerful compared to the Texas Instruments CPU in the Vision:M/Vision:W?
if someone can hack that awful volume control so it showed up all the time (maybe across the top) and was wider, that person would not only be my hero, but would be on the receiving end of a 30 dollar paypal donation from me.
maybe others would also be willing to donate towards this as well and you could get a decent pool of money.
some other firmware suggestions:
- integration of microsd into library without physically copying the file to the player's memory
- ability to create playlists for the microsd playable by the player
- album thumbnails for flac files
- stop problem with flac files where the artist's name will show up in the player as TIST=artist's name or as RTIST=artist's name
- stopping player from skipping in some flac files
- have low battery graphic pop up once or twice when watching video instead of popping up every 15 seconds for an hour and a half - GRRRRR!
- smaller docking graphic that doesnt require the whole screen to be lit up sort of like little charging graphic when you plug in the wall charger
- lowering the power on button press time to 2 seconds instead of 5
-enable the setting of date/time for clock...i mean, how are you supposed to change the timezone when you're on an airplane?
-RSS: i would still like to use the rss even though centrale is pretty much unusable
-a slider or knob for the fm radio
the person who fixes one or more of these problems will be hailed as a god among men.
one more suggestion, and i know this is WAAAY out there....
a scratch slider....sort of like the knobs they have on cd-dj players where you can play the music forwards and backwards from the present point sort of like scratching a record.
as far as i understand it, those cd-djs buffer a few seconds before and after the current playhead position so it can play it back when you scratch
i imagine with something like that in 2 x-fi2s with a one of these
in-between, you could have a sweet pocket dj setup.
Ohh so many complaints now I wanna put my player up on ebay again lol
Flac's an issue for sure.
Volume control yeah slight bit but I'm used to it now.
I kinda like the microSD not being integrated in the library for a change. My music is in the players. Videos on the microSD card.
Power on is a "Major" gripe with me. That sucks a lot!
Date/Time yeah not having different time zones sucks but no biggie for me.
RSS, Tasks, Contacts are just useless for me. If I had the option of deleting them I would do it. If I ever get tied to a particular application for synchronization ala iTunes, I'm not game for that.
Regarding the DJ slider, I think Samsung MP3 players have that feature labelled "BeatDJ" something I'm not sure.
Regardless if it's possible on this player then it would be great for some but I wouldn't be all that excited for such a feature.
I have a 64gb Zen X-Fi2. Today, I found out that there is an 8000 song limit, including the micro-sd slot. Obviously, 64gb plus an sd card will hold far more than 8000 songs, meaning all the extra space is pretty much useless, and making this a great opportunity for a hack fixing the problem. That's above my abilities, but anyone who could look into it and fix it or give me any feedback on how to go about it would be appreciated.
I think the whole firmware wishlist could be listed here easily, but it would be way too hard to hack. So Creative, just make a new firmware!!!