  #1  
Old 12-17-2009, 10:10 AM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88
Hacking the Firmware 1.10.04.exe

I've been trying to peek and poke at the ZENX-Fi2_PCFW_L22_1_10_04.exe file to see
if there was anything interesting to be done.

So far I've changed the boot logo using the GIMP raw image import function
and a hex editor to put the altered image back into the 1.10.04.exe file,
and then updated the player. So there is no "checksum verification".

I've also extracted a LUA application from the firmware; it looks like a
calculator if run on the Zen X-Fi2 (it sort of works, there is no clear screen). I've uploaded it here:
http://www.exras.netne.net/Hack.lua

If I run luadec.exe -f 0 on it, I get this:
Code:
C:\luadec>luadec -f 0 hack.lua
-- Decompiled using luadec 2.0 standard by sztupy (http://luadec51.luaforge.net)

-- Command line was: -f 0 hack.lua

version = "20091116"
print("CTC LUA calc." .. version)
image.setresource("res.bin")
swidth = screen.width()
sheight = screen.height()
color_black = color.new(0, 0, 0)
color_white = color.new(255, 255, 255)
color_red = color.new(255, 0, 0)
color_blue = color.new(0, 0, 255)
More.......
The red X-Fi text I drew on the boot image is displaying as blue, so the image format must be 'BGRA' and not RGBA.

The boot image header in the firmware is at '0xD09480'
0C DE 00 00 07 CB 60 04

The first 3 or 4 bytes are the size (in reverse) of the image block, including the next 4 bytes, which contain the image width CB = 203 and height?
6004 = 0x46 = 70 dec. ?

203*70*4 = 56840 0xDE08
203*70*4+4 = 56844 0xDE0C

I'm using this free hex editor: http://mh-nexus.de/en/hxd/
It can do block copy/paste.

It should be possible to extract all images and icons and put them back in, but it's manual hard work,
and ONE byte off and you're risking bricking the player.

Using the GIMP raw import function and playing with the offset and width,
I can find a lot of bitmaps in the firmware, and then use the hex editor to fine-tune the image location and size in the exe file.

more to come...

Last edited by Jan_DK; 01-07-2010 at 11:16 AM.


  #2  
Old 12-17-2009, 11:55 AM
ZaPx64
Member
 
Join Date: Nov 2009
Location: Germany
Posts: 136

Aww, this is nice! But I really fear messing up my firmware, so I won't try this at home

  #3  
Old 12-17-2009, 04:07 PM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

Quote:
Originally Posted by ZaPx64
Aww, this is nice! But I really fear messing up my firmware, so I won't try this at home
Hehe, well I'm not, it's only an 8GB model.

I have just removed the colour of the 14 icons in the firmware.
X-Fi2 going MX...

The Offset of the Icons:
Code:
____________Icons______________

14 Icons Images: Image block length: 30276 0x7644 (header - 4 bytes)
Width:  87
Height: 87

Icon #1 Application 
Image block start: 0x1BD4C88

Icon #2 Calender 
Image block start:  0x1BDC488

Icon #3 Clock 
Image block start:  0x1BE3C88

Icon #4 Contact 
Image block start:  0x1BEB488

Icon #5 Radio
Image block start:  0x1BF2C88

Icon #6 Microphone
Image block start:  0x1BFA488

Icon #7 Video
Image block start:  0x1C01C88

Icon #8 Music
Image block start:  0x1C09488

Icon #9 Photo
Image block start:  0x1C10C88

Icon #10 Rss
Image block start:  0x1C18488

Icon #11 Micro SD
Image block start:  0x1C1FC88

Icon #12 Settings
Image block start:  0x1C27488

Icon #13 Task
Image block start:  0x1C2EC88

Icon #14 X-fi
Image block start:  0x1C36488

  #4  
Old 12-17-2009, 06:35 PM
ThievingSix
Member
 
Join Date: Aug 2008
Posts: 218

You should be able to unbrick it via the Creative MP3 Player Recovery Tool correct? I'm bummed you beat me to it though haha. I was waiting for Creative to give me the OK before I start releasing reversed stuff, but I'll join you after school today. =P

  #5  
Old 12-17-2009, 07:55 PM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

Quote:
Originally Posted by ThievingSix
You should be able to unbrick it via the Creative MP3 Player Recovery Tool correct? I'm bummed you beat me to it though haha. I was waiting for Creative to give me the OK before I start releasing reversed stuff, but I'll join you after school today. =P
Yes, I'm a bad man. But my sense of judgement says that releasing stuff
that can only be used on another Creative X-Fi2 player can't hurt that much.


Jan_DK

  #6  
Old 12-18-2009, 01:07 AM
ThievingSix
Member
 
Join Date: Aug 2008
Posts: 218

While I did find some function info that I haven't previously had from the source, I did find something that confused me even more:

if control.read(1) == 1 then

Ideas?

  #7  
Old 12-22-2009, 04:01 AM
ZaPx64
Member
 
Join Date: Nov 2009
Location: Germany
Posts: 136

Ok, got a question here... How did you find out the offset / address of the bootlogo image? Since it's animated there should be more frames.

  #8  
Old 12-22-2009, 05:20 AM
ThievingSix
Member
 
Join Date: Aug 2008
Posts: 218

In his second image, do you see the "13669512" offset value? That equals 0x00D09488. I'm guessing he scanned the offsets while finding images.

  #9  
Old 12-22-2009, 12:29 PM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

Quote:
Originally Posted by ZaPx64
Ok, got a question here... How did you find out the offset / address of the bootlogo image? Since it's animated there should be more frames.
Looks like the boot sequence consists of two parts:
1. the animation (displayed for 1 sec.)
2. the boot image (displayed for 3 sec.)

The boot animation looks like the boot image,
just with the sparkle thing. I have not found anything other than
the black Zen boot logo, and there are no frames on either side of it.

"How did you find out the offset / address of the bootlogo image?"

I first use GIMP to get an approximate offset address, then I use the hex editor
to close in on the bits :-)

Every data block in the firmware file is separated by or ends with
at least 32 0xEE's, so a search for those will quickly get you there, and the header + the file header reveal the file type: image (raw), wave, RES.BIN, LUA, PNG (app logos).

For all file types the header (the first 4 bytes) following the block of 0xEE's is the size of the data block in reverse; if the file is an image then the next 4 bytes are the image dimensions, and should not be altered.

A typical data block (this one containing a wave file, and only the first 4 bytes are header):
(image not available)

A typical data block containing a raw image (this one is the boot logo):

Start:
(image not available)

End:
(image not available)

Using the hex editor and block select, it's just a matter of reading the header, subtracting
4 bytes, placing the cursor and selecting a block, copy/new/paste/save, edit in GIMP (raw in/out),
open in hex editor/copy/overwrite/double check/save firmware.


Edit: UPDATE: See the thread "Firmware Image Extractor | Injector 5000"
for a program to extract and inject the images.
http://www.anythingbutipod.com/forum...ad.php?t=51111

Jan.

Last edited by Jan_DK; 01-03-2010 at 03:25 AM.

  #10  
Old 12-22-2009, 12:54 PM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

I wanted to see if I could search for an image I knew the size of using the header size,
to see what happens to the header with an image width larger than 0xFF.

Wallpaper is 400x240*4+4 = 0x05DC04, reversed 0x04DC05.

Searching for 04DC05...
(image not available)

Jan.

Last edited by Jan_DK; 12-22-2009 at 12:59 PM.
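A small parser for the block layout Jan_DK describes in posts #1, #3, #9 and #10, added here as an example (it is not code from this thread or from the Injector tool linked above): it walks a firmware image looking for 0xEE padding runs, decodes the little-endian ("reversed") size word, derives an image height from a known width, swaps the R/B channels for the BGRA mix-up from post #1, and refuses an injection whose length does not exactly match the existing block, since one byte off risks bricking the player. The 4-byte dimension word is deliberately left undecoded because the thread does not settle its format, and the sample firmware bytes are constructed.

```python
import struct

# Data blocks are separated by runs of at least 32 0xEE bytes. Each block
# starts with a 4-byte little-endian size; for raw images that size covers
# a 4-byte dimension word (format not decoded here) plus width*height*4
# bytes of BGRA pixels, e.g. 0C DE 00 00 -> 56844 = 203*70*4 + 4.
EE_RUN = b"\xEE" * 32


def block_size(header4: bytes) -> int:
    """Decode the 'reversed' (little-endian) 4-byte size field."""
    return struct.unpack("<I", header4)[0]


def find_blocks(fw: bytes):
    """Yield (size_offset, size, payload) for each block after an 0xEE run."""
    pos = 0
    while (i := fw.find(EE_RUN, pos)) >= 0:
        j = i
        while j < len(fw) and fw[j] == 0xEE:
            j += 1                              # skip the whole padding run
        if j + 4 > len(fw):
            return
        size = block_size(fw[j:j + 4])
        if 4 <= size <= len(fw) - (j + 4):      # reject implausible lengths
            yield j, size, fw[j + 4:j + 4 + size]
        pos = j


def raw_image_dims(size: int, width: int):
    """Derive (width, height) from a block size and a known width, or None
    if the pixel bytes do not form a whole number of BGRA rows."""
    pixels = size - 4
    if pixels <= 0 or pixels % (width * 4):
        return None
    return width, pixels // (width * 4)


def swap_rb(pixels: bytes) -> bytes:
    """Swap the R and B channels (RGBA <-> BGRA) of a raw 32-bit image."""
    out = bytearray(pixels)
    out[0::4], out[2::4] = pixels[2::4], pixels[0::4]
    return bytes(out)


def inject_image(fw: bytes, size_offset: int, new_pixels: bytes) -> bytes:
    """Overwrite only the pixel bytes of the block whose size word sits at
    size_offset; the size and dimension words stay untouched and the new
    data must be exactly the old length, or the firmware layout shifts."""
    size = block_size(fw[size_offset:size_offset + 4])
    if len(new_pixels) != size - 4:
        raise ValueError(f"need exactly {size - 4} pixel bytes, got {len(new_pixels)}")
    start = size_offset + 8                     # past size word + dimension word
    return fw[:start] + new_pixels + fw[start + len(new_pixels):]


# Constructed sample: filler, 0xEE padding, one 2x2 BGRA block (size 20),
# more padding and a trailing non-block so the plausibility check matters.
SAMPLE_PIXELS = bytes([0, 0, 255, 255] * 4)    # four red pixels in BGRA
SAMPLE_FW = (b"junk" + b"\xEE" * 40 + struct.pack("<I", 20) + b"\x02\x02\x00\x00"
             + SAMPLE_PIXELS + b"\xEE" * 32 + b"tail")
```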

  #11  
Old 12-31-2009, 11:44 AM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

When the file ZENX-Fi2_PCFW_L22_1_10_04.exe is run it creates 3 files
in the Windows temp folder:
'StMp3Rec.cat'
'stmp3rec.inf'
'StMp3Rec.sys'

It looks like a driver and an inf.

''SigmaTel 3410/3500/3600'' - could it be the CPU of the X-Fi?

It would be fun if we could talk to the player through the USB interface
and make it do tricks that way.

Code:
; Installation inf for the SigmaTel 3410/3500/3600 USB Bulk IO Recovery Device
;
; (c) Copyright 1999 Microsoft
;

[Version]
Signature="$CHICAGO$"
Class=Player_Recovery_Device
ClassGUID={9FFF066D-3ED3-4567-9123-8B82CFE1CDD4}
provider=%MfgName%
DriverVer=02/15/2007,6.2.3790.2001
CatalogFile=StMp3Rec.cat

[SourceDisksNames]
1=%Disk_Description%,,,

[SourceDisksFiles]
StMp3Rec.sys = 1

[Manufacturer]
%MfgName%=Mfg0

[Mfg0]
%DeviceDesc%=StMp3Rec.Dev, USB\VID_066F&PID_3410&REV_0083
%DeviceDesc%=StMp3Rec.Dev, USB\VID_066F&PID_3410
%DeviceDesc%=StMp3Rec.Dev, USB\VID_066F&PID_3500
%DeviceDesc%=StMp3Rec.Dev, USB\VID_066F&PID_3600

[ClassInstall32]
Addreg=Class_AddReg

[Class_AddReg]
HKR,,,,%DeviceDesc%
HKR,,Icon,,"-53"

[DestinationDirs]
StMp3Rec.Files.Ext = 10,System32\Drivers

[StMp3Rec.Dev.NT]
CopyFiles=StMp3Rec.Files.Ext

[StMp3Rec.Dev.NT.Services]
Addservice = StMp3Rec, 0x00000002, StMp3Rec.AddService

[StMp3Rec.AddService]
DisplayName    = %SvcDesc%
ServiceType    = 1                  ; SERVICE_KERNEL_DRIVER
StartType      = 3                  ; SERVICE_DEMAND_START
ErrorControl   = 1                  ; SERVICE_ERROR_NORMAL
ServiceBinary  = %10%\System32\Drivers\StMp3Rec.sys
AddReg         = StMp3Rec.AddReg
LoadOrderGroup = Base

[StMp3Rec.AddReg]
HKR,,DevLoader,,*ntkern
HKR,,NTMPDriver,,StMp3Rec.sys
HKR,"Parameters","MaximumTransferSize",0x10001,4096
HKR,"Parameters","DebugLevel",0x10001,2
HKR,"Parameters","BulkUsbEnable",0x10001,1

[StMp3Rec.Files.Ext]
StMp3Rec.sys

;---------------------------------------------------------------;

[Strings]
; English
Disk_Description="Installation Disk"
ProviderName="Player"
MfgName="Generic"
DeviceDesc="Player Recovery Device Class"
SvcDesc="Player Recovery Device Control Driver"

  #12  
Old 12-31-2009, 11:48 AM
dfkt
Moderator
 
Join Date: May 2006
Location: Vienna, Austria
Posts: 15,330

Quote:
Originally Posted by Jan_DK
''SigmaTel 3410/3500/3600'' could it be the CPU of the X-fi.
It's the whole SoC the player runs on, presumably. A bit of an older chip, Sigmatel got acquired by Freescale some time ago.

  #13  
Old 01-02-2010, 04:17 PM
bzdbbb
X-Fi2 Development Moderator
 
Join Date: Dec 2009
Location: Gloucestershire, UK
Posts: 94

If you open the "My Zen" directory in Google Chrome there are more files than there should be, notably CTSTORE.dat and PREVIEW.dat. These files do not show up in Windows Explorer even with hidden files being shown.

  #14  
Old 01-02-2010, 06:52 PM
Jan_DK
Junior Member
 
Join Date: Mar 2009
Location: Denmark
Posts: 88

Quote:
Originally Posted by bzdbbb
If you open the "My Zen" directory in Google Chrome there are more files than there should be, notably CTSTORE.dat and PREVIEW.dat. These files do not show up in Windows Explorer even with hidden files being shown.
They are just thumbnails and music library files...

Code:
G:\>dir /AH
 Disken i drev G er My ZEN
 Diskens serienummer er 0000-0000

 Indhold af G:\

01-12-2009  12:49         5.451.912 MATADATA.DAT
01-12-2009  12:49           960.072 CTSTORE.DAT
01-12-2009  12:49           441.008 CTSTORE.IDX
01-12-2009  12:49         1.242.198 thumblnail.dat
02-01-2010  06:25                14 CDARTTHN.DAT
01-12-2009  12:49           371.344 PREVIEW.DAT
01-12-2009  12:49             3.326 SETSTOR.DAT
01-12-2009  13:58             2.612 APQ.TXT

  #15  
Old 01-02-2010, 09:46 PM
skybluedream
Member
 
Join Date: Oct 2009
Posts: 132

So the CPU in this XFi2 is it more powerful compared to the Texas Instruments CPU in the Vision:M/Vision:W?
Quote:
Originally Posted by dfkt
It's the whole SoC the player runs on, presumably. A bit of an older chip, Sigmatel got acquired by Freescale some time ago.
Really awesome work btw, Jan_DK! keep it up!

  #16  
Old 01-05-2010, 02:48 PM
badazzmofo
Junior Member
 
Join Date: Dec 2009
Posts: 75

If someone can hack that awful volume control so it showed up all the time (maybe across the top) and was wider, that person would not only be my hero, but would be on the receiving end of a 30 dollar PayPal donation from me.

Maybe others would also be willing to donate towards this as well and you could get a decent pool of money.

Some other firmware suggestions:

- integration of microSD into the library without physically copying the file to the player's memory

- ability to create playlists for the microSD playable by the player

- album thumbnails for FLAC files

- stop the problem with FLAC files where the artist's name will show up in the player as TIST=artist's name or as RTIST=artist's name

- stop the player from skipping in some FLAC files

- have the low battery graphic pop up once or twice when watching video instead of popping up every 15 seconds for an hour and a half - GRRRRR!

- smaller docking graphic that doesn't require the whole screen to be lit up, sort of like the little charging graphic when you plug in the wall charger

- lowering the power-on button press time to 2 seconds instead of 5

- enable the setting of date/time for the clock... I mean, how are you supposed to change the timezone when you're on an airplane?

- RSS: I would still like to use the RSS even though Centrale is pretty much unusable

- a slider or knob for the FM radio

The person who fixes one or more of these problems will be hailed as a god among men.

  #17  
Old 01-05-2010, 02:58 PM
badazzmofo
Junior Member
 
Join Date: Dec 2009
Posts: 75

One more suggestion, and I know this is WAAAY out there....

A scratch slider... sort of like the knobs they have on CD DJ players where you can play the music forwards and backwards from the present point, sort of like scratching a record.

As far as I understand it, those CD DJs buffer a few seconds before and after the current playhead position so it can play it back when you scratch.

I imagine with something like that in 2 X-Fi2s with one of these

in between, you could have a sweet pocket DJ setup.

Last edited by badazzmofo; 01-05-2010 at 03:14 PM. Reason: cuz i ROCK!

  #18  
Old 01-05-2010, 09:57 PM
skybluedream
Member
 
Join Date: Oct 2009
Posts: 132

@badazzmofo -

Ohh, so many complaints, now I wanna put my player up on eBay again lol

FLAC's an issue for sure.

Volume control, yeah, a slight bit, but I'm used to it now.

I kinda like the microSD not being integrated in the library for a change. My music is in the player's memory, videos on the microSD card.

Power on is a "major" gripe with me. That sucks a lot!

Date/time, yeah, not having different time zones sucks, but no biggie for me.

RSS, Tasks, Contacts are just useless for me. If I had the option of deleting them I would do it. If I ever get tied to a particular application for synchronization a la iTunes, I'm not game for that.

Regarding the DJ slider, I think Samsung MP3 players have that feature, labelled "BeatDJ" or something, I'm not sure.

Regardless, if it's possible on this player then it would be great for some, but I wouldn't be all that excited for such a feature.

  #19  
Old 02-08-2011, 02:41 PM
cyberxstrm
Junior Member
 
Join Date: Feb 2011
Posts: 1
x-fi2

I have a 64GB Zen X-Fi2. Today I found out that there is an 8000 song limit, including the micro SD slot. Obviously, 64GB plus an SD card will hold far more than 8000 songs, meaning all the extra space is pretty much useless, and making this a great opportunity for a hack fixing the problem. That's above my abilities, but anyone who could look into it and fix it or give me any feedback on how to go about it would be appreciated.

  #20  
Old 07-01-2011, 01:36 PM
jameswalker101
Junior Member
 
Join Date: Jul 2010
Location: United Kingdom
Posts: 91

I think the whole firmware wishlist could be listed here easily, but it would be way too hard to hack. So Creative, just make a new firmware!!!