iriver T10 notes:
.........................

Address space:
.........................

Initially:

00000000 - ????????: Flash ROM
  00000000 - 00000020: Exception vector (see symbol table)
  0004aabc - 0004aad0: function table
  00057e44 - ????????: byte table (ref: 13570)
20000000 - ????????: ROM (50KiB??)
22000000 - 22040000(?): RAM (256KiB?)
  bytes are moved here presumably from ROM (ref: 48744)
  22000000 - 22000114: moved from b4d44 (could be data section)
    220000cc: ? (ref: 1870)
    22000100: ? (ref: e06c)
    22000104: ? (ref: e06c)
  zeroed out
  22000114 - 2200f8f0: could be bss, heap and stack??
    22000141: ? byte, value depends on language (1: eng, 0: other) (ref: a84, b10)
    22000164: ? byte (ref: 1870)
    22000165: byte, index for array at 0x4aabc (ref: 1870)
      determines file type of current? file
    22000166: ? byte (ref: 1870)
    22000168: ? hword (ref: 2ae8)
    2200016a: ? hword (ref: 2ae8)
    2200016c: ? byte (ref: 2ae8, 2d8c, 2edc, 3390, 3604)
    22000170: ? (ref: 2ae8)
    22000174: ? (ref: 2ae8)
    22000178 - 220001f8: zeroed out (ref: 54a0)
    22000230: ? FILE object (ref: 80a4, 23418)
    22000254: ? code address, set to b404 (ref: b330)
    2200025c: struct related to FAT (ref: b330)
      struct fat_info_t {
        int (*unknown_func)(unknown *arg1, u8_t *arg2, uint_t arg3,
                            size_t arg4, size_t arg5, u8_t *arg6); /* 0: initialized to 438d8 */
        unknown *unknown;             /* 4: initialized to 0x22000254 */
        byte unknown;                 /* 8 */
        u8_t num_fats;                /* 9: number of FATs */
        ...
        u32_t sects_per_fat;          /* 0xc: sectors per FAT */
        u32_t sects_per_cluster;      /* 0x10: sectors per cluster */
        u32_t avail_nonroot_clusters; /* 0x14: number of clusters that are not reserved, not part of a FAT, and not reserved for the root dir */
        u32_t root_dir_entries;       /* 0x18: number of reserved root dir entries */
        u32_t reserved_sects;         /* 0x1c: reserved sector count */
        u32_t fat_reserved_sects;     /* 0x20: number of sectors occupied by FATs plus reserved sector count */
        u32_t all_reserved_sects;     /* 0x24: number of sectors occupied by FATs plus reserved sector count plus sectors reserved for root dir entries */
        ...
      };
    22000290: ? (ref: c238, ba14, c24c, d880)
    22000298: ? (ref: ba14)
    22001d48: ? (ref: e5c4)
    22001d64: bitfield (ref: 75fc, 93e4)
      bit 1: set if the MBR signature (0x55aa) is missing or if the sectors per cluster field is 0 (ref: 32008)
      bit 4: if not set, 93e4 does nothing
      bit 31: if set, 75fc writes "T10N-0GB"
    22001d68: ? bitfield (ref: 2d8c, 54ac, 23418)
      bit 0: if set, prints `folder' instead of `file' (ref: 12860)
    22001d6c: bitfield (ref: d9f0)
      bit 5: ? (ref: 7774)
      bit 20: ? (ref: 6e78)
      bit 22: ? tag related (ref: 40ec, 4a08, 4b70, 4ee4, 552c, 6e78)
      bit 26: selects low battery screen (ref: 17c64)
      bit 31: selects hold screen (ref: 17c64)
    22001d70: bitfield (ref: 552c, 365bc)
      bit 6: show `delete from list' instead of `delete file' (list was showing) (ref: 12860)
      bit 7: show `add to quick list' instead of `delete file' (button was held) (ref: 12860)
    22001d74: bitfield (ref: 54ac, 113abc, 1a0d4, 1f08c)
      bit 27: selects hold screen (ref: 1a23c)
    22001d78: ? bitfield (ref: 54ac, 14ff8, 1a0d4)
    22001d7c: ? byte (ref: 14f40, 151e0)
    22001d8a: ? byte
      value from 22001f9c assigned (ref: 157f4)
      value assigned to 22001f9c (ref: 158cc)
    22001d8d: byte, used to choose between two different strings (value of 3 selects ascii) (ref: 5a28, 136c8)
    22001d97: byte, determines language (language 1) (ref: ea44, 125d8, 12688, 12724, 12860, 13570)
    22001d9a: ? byte (ref: 365bc)
    22001d9c: ? byte (ref: 157f4)
    22001d9e: ? byte (ref: 157f4)
    22001da2: ? byte (ref: 1e414)
    22001da7: ? byte (ref: 136c8)
    22001db4: Watchdog timer counter target (ref: e06c)
    22001db8: Watchdog timer counter (ref: e06c, e108)
    22001dbc: ? hword (ref: 13abc, 18bcc)
    22001dbe: ? hword (ref: 13abc)
    22001dcc: ? shword (ref: 14ff8)
    22001dce: ? shword (ref: 14ce8)
    22001de2: hword (ref: 0xe2b4)
    22001e2a: related to cursor position in gui lists, hword (ref: 37e24)
    22001e46 - 22001e52: filled with 0xff in 1f540
      22001e50: ? byte (ref: 1e414)
      22001e51: ? byte (ref: 1e414)
    22001f26: ? hword (ref: 136c8)
    22001f28: ? hword (ref: 136c8)
    22001f58 - 22002658: ? (ref: de50)
      22001f60: ? (ref: dd88, de50)
      22001f70: ? byte (ref: dd88)
      22001f71: ? byte (ref: dd88)
      22001f78: ? (ref: dd88)
      22001f7c: ? hword (ref: dd88)
      22001f81: ? byte (ref: dd88)
      22001f88: ? (ref: dd88)
      22001f8c: ? (ref: dd88)
      22001f92: byte, determines language group (language 2) (ref: 13534, 13570)
      22001f93: ? byte (ref: dd88)
      22001f94: ? byte (ref: dd88)
      20001f95: ? byte (ref: 1a0d4)
      22001f9c: byte, determines language (language 3), index for a table at 0x57e44 (ref: 13570, 18d0c)
      22001fb4: ? (ref: 552c, dd88)
      22001ff6: ? wchar_t, possibly a path (ref: 8398)
      2200221c: pointer to path (wchar_t *) of current (playing) file (ref: d590)
      22002220: ? hword (ref: cc38, d590)
      22002222: ? hword (ref: cc38)
      22002226: ? (ref: d1a8)
      22002228: wchar_t path of playlist file (ref: 3642c)
      22002438: cursor position, related to playlist view, hword (ref: 368c4)
      2200243a: ? hword (ref: 3642c)
    22006758 - 22006c74: cleared in 1e414
      22006c60: ? byte (ref: 1a120)
      22006c61: ? byte (ref: 1a120)
      22006c62: ? byte (ref: 1a120, 1f08c)
      22006c6f: ? bitfield (ref: 1a564, 1a57c, 1a120)
      22006c70: ? bitfield (ref: 1a564, 1a57c)
    22006c74: ? byte (ref: 1a500)
    22006c75: ? word (ref: 22164)
    22006c7d: ? byte (ref: 1a500)
    22006c7e: ? byte (ref: 1a500)
    22006c7f: ? byte (ref: 1a500)
    22006c80: ? byte (ref: 1a500)
    22006c82: ? hword (ref: 1a500)
    22006c84: ? byte (ref: 1a500)
    interrupt jump table is set up here (ref: 231f4):
    22006c90 - 22006d10: interrupt jump table (32 entries)
    22006d10: ? byte (ref: 23418)
    22006d11: ? byte (ref: 2337c, 23388, 23398, 23418)
    22006d14: ? hword pointer (ref: 23418, 235cc, 23750)
    22006d18: ? hword pointer (ref: 235cc, 23750)
    22006e50: ? (ref: 23418)
    22006e54: ? (ref: 23418)
    22006e5c: ? (ref: 23418)
    22006e60: ? (ref: 23418)
    22006e70: ? pointer to an area of at least 0x1000 bytes (ref: 2735c)
    22006ea4: ? function pointer (ref: 2adc0)
      int? (*fun)(FILE *f=r0, int arg2=r1)
      contains at one point: 0x24ba8
    22006f38: ? (ref: 26cfc, 2735c)
    22006f44: ? struct (ref: 276e4, 27d14)
      struct unknown_t {
        byte unknown;              /* 0 */
        byte unknown;              /* 1 */
        byte unknown;              /* 2 */
        ...
        hword unknown;             /* 4 */
        hword unknown;             /* 6 */
        usb_dev_desc_t *dev_desc;  /* 8: pointer to a USB device descriptor. Initialised to 0x2200002b, which can be seen in the firmware image at 0xb4d6f. */
        void *other_desc;          /* 0xc: pointer to the USB configuration descriptor, interface descriptor, endpoint descriptors and string descriptors. Initialised to 0x2200003d, which can be seen in the firmware image at 0xb4d81. */
        unknown *unknown;          /* 0x10: initialised to 0x220000b8, which can be seen in the firmware image at 0xb4dfc. */
        ...
      };
    22007400 - ????????: ? (ref: 737c)
    220074c0: ? (ref: 3cb00)
    220075cc: ? size_t (ref: 3e57c)
    2200785c: fil_func_table (ref: 42d74, 42dc0), contains pointers to various functions
      struct fil_func_table_t {
        func *init;  /* 0x00: 40c74 (NAND_Init) */
        func *reset; /* 0x04: 406a8 (NAND_Reset) */
        func *read;  /* 0x08: 41030 (NAND_Read) */
        func *write; /* 0x0c: 41f54 (NAND_Write) */
        func *erase; /* 0x10: 42a84 (NAND_Erase) */
        func *sync;  /* 0x14: 406cc (NAND_Sync) */
      };
    22007874: malloc heap pointer (ref: OAM_Malloc)
    22007878 - 22008978: malloc heap (ref: OAM_Malloc)
    2200c0e4: ? bitfield (ref: 14ce8)
    2200c0ec: timer counter?, increased by one when the irq5 or irq7 interrupt fires (ref: 11b4, 6fdc, 700c, 8df8, 915c, 9600, 9e1c, 9ddc, e158, e1b8, e3f4, 13858, 17930, 1a98c, 1e630, 23164, 231a4, 300e8, 3794c, 37cd8, 38a84, 38d50)
    stacks are set up here (ref: 0x48708):
    2200c610(?) - 2200c630: undef mode stack
    2200c630 - 2200c650: abort mode stack
    2200ce30(?) - 2200ce50: interrupt mode stack
    2200ce50 - 2200ce70: fast interrupt mode stack
    2200ce70(?) - 2200f8f0: supervisor mode stack
  22031400 - 22032400: ? data space (ref: 2735c)
  22039e00 - ????????: ASF data space (ref: 237a8)
  2203b800 - 22040000: firmware decoder space (ref: 2178)
    2203d800 - 2203e800: wav data space (ref: 19c0)
24000000 - ????????: Flash ROM (ref: 1a1ec)
2c000000 - ????????: ? (ref: 1a03c, 1a0d4)
  2c000000: ? (8)
  2c000001: ? often (always?) written twice (8, rW)
38200000 - ????????: Memory Interface Unit (ref: 48650)
38400000 - ????????: DMA (ref: 0x42150)
38800000 - ????????: USB
39000000 - ????????: ADM (irq 20) (ref: 232d8, 232ec, 23418, 23564)
39c00000 - ????????: IRQ/FIQ controller (ref: 4858c, 23280)
  39c00000: IRQ pending bitfield (32, RW)
  39c00008: Mask (32, RW)
  39c0000c: Priority (32, RW)
  39c00010: Pending (32, RW)
  39c00014: Offset (32, Rw)
  39c0001c: External Pending (32, rW)
  39c00020: External Mask (32, rW)
3c200000 - ????????: NAND (ref: 406a8)
  3c200000: enabled chips bitfield? (32, rW) (ref: 40b10)
  3c200004: ? (32, rW) (ref: 0x424f0)
  3c200008: Command register (32, rW)
  3c20000c: ? (32, rW) (ref: 0x424e0)
  3c200010: ? (32, rW) (ref: 0x424ec)
  3c20002c: ? (32, rW) (ref: 0x424d4)
  3c200030: ? (32, rW) (ref: 0x40b60)
  3c200048: Status register (32, RW)
    bit 2: Ready flag/Ack flag? (RW)
    bit 5: ? (ref: 0x42304)
  3c20004c: ? (32, Rw) (ref: 0x425c0)
  3c200050: ? (32, Rw) (ref: 0x425d0)
  3c200054: ? (32, Rw) (ref: 0x425dc)
  3c200058: ? (32, Rw) (ref: 0x425ec)
  3c20005c: ? (32, Rw) (ref: 0x425f8)
  3c200060: ? (32, Rw) (ref: 0x42608)
  3c200064: ? (32, Rw) (ref: 0x42618)
  3c200068: ? (32, Rw) (ref: 0x42628)
  3c200080: ? data output in this reg (32, Rw) (ref: 0x40b7c)
3c400000 - ????????: ? (ref: 485a8)
3c500000 - ????????: Clock (ref: 485c4, 7258)
3c700000 - ????????: Timer (ref: 70ec, 23164) (related to irq5 and irq7)
  3c700000: guess: Counter register (32, rW) (ref: 70ec)
  3c700004: ? (32, rW) (ref: 70ec)
  3c700008: ? (32, rW) (ref: 70ec)
  3c700010: ? (32, rW) (ref: 70ec)
3c800000 - ????????: Watchdog Timer (see Watchdog Timer below)
3c900000 - ????????: I²C (ref: 4551c)
  3c900000: Control (32, Rw)
  3c900004: Status (32, RW)
  3c900008: Slave Address (32, RW)
  3c90000c: Data (32, rW)
3ce00000 - ????????: ? (ref: e1a4)
3cf00000 - ????????: GPIO (ref: 706c)
  3cf00004: ? (32, RW) (ref: 2fcd0)
    bit 4: power off when cleared?
  3cf00020: ? (32, rW) (ref: 43128)
  3cf00064: ? (32, RW)
    bit 5: ? (ref: 93e4)
3d100000 - ????????: ? (ref: 739c)

Firmware Image:
.........................

The encrypted firmware image can be decoded by `irde', a firmware decoder written by mlb2gm5x (at MisticRiver forums). The decode algorithm can also be found in the decoded firmware at 2054.

The first 500 bytes of the decoded firmware image are a header. If the header is valid, the rest of the image is written to flash ROM.

Header fields:
  10:20:30:40: Size of firmware image
  90:a0:b0:c0: Checksum

Interrupts:
.........................

The firmware installs handlers for the following interrupts:
  irq5: Timer A
  irq6: Watchdog Timer
  irq7: Timer B
  irq10: DMA (two different handlers)
  irq16: USB
  irq20: Calm
Other:
  irq19: NAND? (no handler)

None of the above irqs seem to fire on a key press.

Watchdog Timer:
.........................

The watchdog timer is memory mapped at 0x3c800000. It is also thought to be related to irq6.
  3c800000: Control register (32, RW) (ref: e00c, e06c, e0ec, e108, 48554)
  3c800004: Counter (32, Rw) (ref: e130)

Enable timer: Set bits 7:0 of the control register to 0x0.
Disable timer: Set bits 7:0 of the control register to 0xa5.
Service timer: Set bits 11:8 of the control register to 0xa to clear the counter.

File I/O:
.........................

The File I/O system allows for different types of files. Only one type (FAT filesystem files) is implemented. FAT filesystem files have type set to 0.

struct FILE {
  u8_t type;                /* 0 */
  struct fat_file fat_file; /* 4 */
};
sizeof(FILE) is 0x24;

struct fat_file {
  u32_t unknown; /* 0 */
  u32_t unknown; /* 4 */
  u32_t unknown; /* 8 */
  u32_t unknown; /* 0xc */
  u32_t unknown; /* 0x10 */
  u32_t unknown; /* 0x14 */
  u32_t size;    /* 0x18 */
  u8_t unknown;  /* 0x1c */
  u8_t unknown;  /* 0x1d */
  u8_t unknown;  /* 0x1e */
};
sizeof(fat_file) is 0x20;

Language:
.........................

Five languages are supported in this firmware:

Language 1:
  0: English
  1: Korean
  2: Japanese
  3: Chinese(S)
  4: Chinese(T)

English and Korean are complete languages. Japanese and Chinese use English strings when no native translation is available.

Language groups and their mapping to language 1, as used in the firmware:

Language 2:
  0: Korean -> Korean
  1: Japanese -> Japanese
  2: Afrikaans, Basque, Catalan, Danish, Dutch, English, Finnish, French, German, Icelandic, Indonesian, Italian, Norwegian, Portuguese, Spanish, Swedish -> English
  3: Albania, Croatia, Czech, Faeroese, Hungarian, Polish, Romanian, Serbian, Slovak, Slovenian -> English
  4: Estonian, Latvian, Lithuanian -> English
  5: Greek -> English
  6: Turkish -> English
  7: Byelorussian, Bulgarian, Russian, Ukrainian -> English
  8: Hebrew -> English
  9: Chinese(S) -> Chinese(S)
  10: Chinese(T) -> Chinese(T)

Individual languages that appear in the language select menu:

Language 3:
  0: Afrikaans                 20: Hungarian
  1: Albania                   21: Icelandic
  2: Basque                    22: Indonesian
  3: Byelorussian (Belarus)    23: Italian
  4: Bulgarian                 24: Japanese
  5: Catalan                   25: Korean
  6: Chinese(S)                26: Latvian
  7: Chinese(T)                27: Lithuanian
  8: Croatia                   28: Norwegian
  9: Czech                     29: Polish
  10: Danish                   30: Portuguese
  11: Dutch                    31: Romanian
  12: English                  32: Russian
  13: Estonian                 33: Serbian
  14: Faeroese                 34: Slovak
  15: Finnish                  35: Slovenian
  16: French                   36: Spanish
  17: German                   37: Swedish
  18: Greek                    38: Turkish
  19: Hebrew                   39: Ukrainian

Coprocessors:
.........................

Coprocessor 15: System Control coprocessor

Misc:
.........................

Samsung jargon:
  *FIL: Flash Interface Layer
  *FTL: Flash Translation Layer
  *OAL: OEM Adaptation Layer
  *OAM: OS Adaptation Module
  *OEM: Original Equipment Manufacturer
  *STL: Sector Translation Layer

svc (SuperVisor Call): swi (SoftWare Interrupt)

Conditions (Zero, Carry, Negative, oVerflow):
  eq: Z          vs: V
  ne: !Z         vc: !V
  cs: C          hi: C && !Z
  hs: C          ls: !C || Z
  cc: !C         ge: N == V
  lo: !C         lt: N != V
  mi: N          gt: !Z && (N == V)
  pl: !N         le: Z || (N != V)
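Added example for the Address space section (my code, not the firmware's and not from these notes): a host-side parser that fills the derived fields the notes attribute to fat_info_t at 0x2200025c (reserved sectors, FAT sectors, root directory sectors, usable clusters) from a FAT boot sector, and applies the two conditions the notes say set bit 1 of 0x22001d64 (0x55aa signature missing, or sectors per cluster equal to 0). The BPB offsets and the cluster arithmetic are the standard FAT12/16/32 layout, assumed rather than read out of the firmware; the boot sector is constructed for the example.

```c
/* Added example (not from the T10 firmware or these notes): parse a FAT boot
 * sector into the derived fields the notes attribute to fat_info_t, and apply
 * the two sanity checks the notes say raise bit 1 of 0x22001d64.  BPB offsets
 * and formulas are the standard FAT layout, assumed, not read from the firmware. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t  num_fats;               /* number of FATs */
    uint32_t sects_per_fat;          /* sectors per FAT */
    uint32_t sects_per_cluster;      /* sectors per cluster */
    uint32_t avail_nonroot_clusters; /* clusters outside the reserved/FAT/root-dir area */
    uint32_t root_dir_entries;       /* reserved root directory entries */
    uint32_t reserved_sects;         /* reserved sector count */
    uint32_t fat_reserved_sects;     /* reserved sectors + all FAT sectors */
    uint32_t all_reserved_sects;     /* fat_reserved_sects + root directory sectors */
} fat_info_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 when the sector fails a check (the firmware's error-bit cases). */
int fat_parse_boot_sector(const uint8_t *sec, size_t len, fat_info_t *out)
{
    if (len < 512) return -1;
    /* Check 1: boot sector signature 0x55 0xaa at offset 510. */
    if (sec[510] != 0x55 || sec[511] != 0xaa) return -1;

    uint32_t bytes_per_sect = rd16(sec + 11);
    uint32_t spc            = sec[13];
    /* Check 2: sectors per cluster of 0 would turn the cluster math into a divide by zero. */
    if (spc == 0 || bytes_per_sect == 0) return -1;

    out->reserved_sects    = rd16(sec + 14);
    out->num_fats          = sec[16];
    out->root_dir_entries  = rd16(sec + 17);
    out->sects_per_cluster = spc;

    /* 16-bit counts of 0 mean "use the 32-bit field" (FAT32 or large FAT16 volumes). */
    uint32_t total_sects = rd16(sec + 19);
    if (total_sects == 0) total_sects = rd32(sec + 32);
    out->sects_per_fat = rd16(sec + 22);
    if (out->sects_per_fat == 0) out->sects_per_fat = rd32(sec + 36);

    out->fat_reserved_sects = out->reserved_sects + out->num_fats * out->sects_per_fat;
    uint32_t root_dir_sects = (out->root_dir_entries * 32 + bytes_per_sect - 1) / bytes_per_sect;
    out->all_reserved_sects = out->fat_reserved_sects + root_dir_sects;
    if (total_sects < out->all_reserved_sects) return -1; /* BPB reserves more than the volume has */
    out->avail_nonroot_clusters = (total_sects - out->all_reserved_sects) / spc;
    return 0;
}

/* Constructed sample: FAT16-style boot sector, 512-byte sectors, 4 sectors per
 * cluster, 1 reserved sector, 2 FATs of 64 sectors, 512 root entries and
 * 65536 total sectors (so the 32-bit total-sectors field is the one in use). */
void build_sample_sector(uint8_t sec[512])
{
    memset(sec, 0, 512);
    sec[11] = 0x00; sec[12] = 0x02;   /* bytes per sector = 512 */
    sec[13] = 4;                      /* sectors per cluster */
    sec[14] = 1;  sec[15] = 0;        /* reserved sectors = 1 */
    sec[16] = 2;                      /* number of FATs */
    sec[17] = 0x00; sec[18] = 0x02;   /* root dir entries = 512 */
    sec[19] = 0;  sec[20] = 0;        /* 16-bit total sectors = 0 -> use 32-bit field */
    sec[22] = 64; sec[23] = 0;        /* sectors per FAT */
    sec[32] = 0x00; sec[33] = 0x00; sec[34] = 0x01; sec[35] = 0x00; /* total sectors = 0x10000 */
    sec[510] = 0x55; sec[511] = 0xaa; /* boot signature */
}

int main(void)
{
    uint8_t sec[512];
    fat_info_t fi;
    build_sample_sector(sec);
    if (fat_parse_boot_sector(sec, sizeof sec, &fi) != 0) { puts("rejected"); return 1; }
    printf("fat_reserved_sects=%u all_reserved_sects=%u avail_nonroot_clusters=%u\n",
           fi.fat_reserved_sects, fi.all_reserved_sects, fi.avail_nonroot_clusters);
    sec[13] = 0; /* sectors per cluster = 0: the case the firmware flags in 0x22001d64 bit 1 */
    printf("spc=0 -> %s\n", fat_parse_boot_sector(sec, sizeof sec, &fi) ? "rejected" : "accepted");
    return 0;
}
```

With the sample sector, fat_reserved_sects is 1 + 2*64 = 129, the 512 root entries occupy 32 sectors, so all_reserved_sects is 161 and (65536 - 161) / 4 leaves 16343 clusters. Rejecting the sector before any division is what keeps a crafted BPB from turning into a fault in the parser, which is the same reason the firmware records the condition as an error bit.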
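Added example for the Watchdog Timer section (my code, not the firmware's): helpers that encode the three operations the notes give for the control register at 0x3c800000 (bits 7:0 = 0x0 to enable, bits 7:0 = 0xa5 to disable, bits 11:8 = 0xa to service) as read-modify-write updates, so the bits the notes leave undocumented are preserved. The register is a host variable here so the code runs off-target; the wdt_run_ticks model of the counter/target pair at 0x22001db8/0x22001db4 is my assumption about how those two words are used, not something the notes state.

```c
/* Added example, not firmware code: watchdog control register helpers for the
 * register the notes describe at 0x3c800000.  Key values are from the notes;
 * the host-side register stand-in and the tick model are mine. */
#include <stdint.h>
#include <stdio.h>

#define WDT_BASE        0x3c800000u     /* from the notes */
#define WDT_CTRL_OFF    0x0u            /* control register (32, RW) */
#define WDT_CNT_OFF     0x4u            /* counter (32, Rw) */
#define WDT_KEY_MASK    0x0ffu          /* bits 7:0 */
#define WDT_ENABLE_KEY  0x000u          /* bits 7:0 = 0x0  -> timer enabled */
#define WDT_DISABLE_KEY 0x0a5u          /* bits 7:0 = 0xa5 -> timer disabled */
#define WDT_SVC_MASK    0xf00u          /* bits 11:8 */
#define WDT_SVC_KEY     0xa00u          /* bits 11:8 = 0xa -> clear the counter */

/* Pure value transforms: usable on a captured register dump as well as on live hardware. */
uint32_t wdt_ctrl_enable(uint32_t ctrl)  { return (ctrl & ~WDT_KEY_MASK) | WDT_ENABLE_KEY; }
uint32_t wdt_ctrl_disable(uint32_t ctrl) { return (ctrl & ~WDT_KEY_MASK) | WDT_DISABLE_KEY; }
uint32_t wdt_ctrl_service(uint32_t ctrl) { return (ctrl & ~WDT_SVC_MASK) | WDT_SVC_KEY; }
int wdt_ctrl_is_disabled(uint32_t ctrl)  { return (ctrl & WDT_KEY_MASK) == WDT_DISABLE_KEY; }

/* Register access.  On the device this would be (volatile uint32_t *)(WDT_BASE + off);
 * here it points into a host array standing in for the two registers. */
static uint32_t wdt_fake_regs[2];
static volatile uint32_t *wdt_reg(uint32_t off) { return &wdt_fake_regs[off / 4]; }

void     wdt_enable(void)    { *wdt_reg(WDT_CTRL_OFF) = wdt_ctrl_enable(*wdt_reg(WDT_CTRL_OFF)); }
void     wdt_disable(void)   { *wdt_reg(WDT_CTRL_OFF) = wdt_ctrl_disable(*wdt_reg(WDT_CTRL_OFF)); }
void     wdt_service(void)   { *wdt_reg(WDT_CTRL_OFF) = wdt_ctrl_service(*wdt_reg(WDT_CTRL_OFF)); }
uint32_t wdt_read_ctrl(void) { return *wdt_reg(WDT_CTRL_OFF); }

/* Model (assumed, not from the notes) of the software counter/target pair at
 * 0x22001db8 / 0x22001db4: each tick increments the counter and the hardware
 * timer is serviced whenever the counter reaches the target.  Returns how many
 * services were performed over `ticks` ticks. */
unsigned wdt_run_ticks(unsigned ticks, uint32_t target)
{
    uint32_t counter = 0;
    unsigned serviced = 0;
    if (target == 0) target = 1;
    for (unsigned i = 0; i < ticks; i++) {
        if (++counter >= target) { wdt_service(); counter = 0; serviced++; }
    }
    return serviced;
}

int main(void)
{
    wdt_disable();
    printf("ctrl after disable: 0x%08x (disabled=%d)\n",
           wdt_read_ctrl(), wdt_ctrl_is_disabled(wdt_read_ctrl()));
    wdt_enable();
    printf("ctrl after enable:  0x%08x\n", wdt_read_ctrl());
    printf("services in 10 ticks with target 3: %u, ctrl 0x%08x\n",
           wdt_run_ticks(10, 3), wdt_read_ctrl());
    return 0;
}
```

Splitting the value transforms from the register access keeps the bit encoding testable without hardware, and makes it obvious that disabling the watchdog is a distinct magic value rather than just "enable cleared", which matters when auditing firmware paths that write 0xa5 into that register.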
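Added example for the interrupt jump table and IRQ/FIQ controller entries in the Address space section, together with the Interrupts section (my code, not the firmware's): a dispatcher over a 32-entry handler table like the one at 0x22006c90 - 0x22006d10, driven by a pending bitfield like the controller's at 0x39c00000 and a mask like 0x39c00008. Assumptions that are mine rather than the notes': the table is indexed by irq number, a set mask bit holds that irq off, and the dispatcher clears a pending bit when it runs the handler. The registers are host variables so the code runs off-target.

```c
/* Added example, not firmware code: dispatch over a 32-entry interrupt jump
 * table from a pending/mask register pair.  Indexing by irq number, mask
 * polarity and acknowledge-by-clear are assumptions, not facts from the notes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IRQ_COUNT 32
typedef void (*irq_handler_t)(int irq);

static uint32_t      irq_pending_reg;          /* stand-in for 0x39c00000 */
static uint32_t      irq_mask_reg;             /* stand-in for 0x39c00008 */
static irq_handler_t irq_table[IRQ_COUNT];     /* stand-in for the jump table */
static unsigned      unhandled_count;
static unsigned      handled_count[IRQ_COUNT];

/* Every slot starts out pointing here, so an interrupt nobody claimed is counted
 * instead of becoming a jump through a stale or zero table entry. */
static void irq_default(int irq) { (void)irq; unhandled_count++; }

/* Handler used for the sample: just records that the irq was serviced. */
void irq_count_handler(int irq) { handled_count[irq]++; }

void irq_table_init(void)
{
    for (int i = 0; i < IRQ_COUNT; i++) { irq_table[i] = irq_default; handled_count[i] = 0; }
    irq_pending_reg = irq_mask_reg = 0;
    unhandled_count = 0;
}

int irq_install(int irq, irq_handler_t h)
{
    if (irq < 0 || irq >= IRQ_COUNT || h == NULL) return -1;  /* keep writes inside the table */
    irq_table[irq] = h;
    return 0;
}

void     irq_raise(int irq)          { if (irq >= 0 && irq < IRQ_COUNT) irq_pending_reg |= 1u << irq; }
void     irq_set_mask(uint32_t mask) { irq_mask_reg = mask; }
unsigned irq_handled(int irq)        { return (irq >= 0 && irq < IRQ_COUNT) ? handled_count[irq] : 0; }
unsigned irq_unhandled(void)         { return unhandled_count; }
uint32_t irq_pending(void)           { return irq_pending_reg; }

/* Service every pending, unmasked interrupt, lowest irq number first, and return
 * how many handlers ran.  Masked interrupts stay pending for a later round. */
unsigned irq_dispatch(void)
{
    uint32_t active = irq_pending_reg & ~irq_mask_reg;
    unsigned ran = 0;
    for (int irq = 0; irq < IRQ_COUNT; irq++) {
        uint32_t bit = 1u << irq;
        if (!(active & bit)) continue;
        irq_pending_reg &= ~bit;       /* acknowledge before running the handler */
        irq_table[irq](irq);
        ran++;
    }
    return ran;
}

int main(void)
{
    irq_table_init();
    /* The notes list handlers for irq5 (Timer A), irq7 (Timer B) and irq16 (USB);
     * irq19 (NAND?) has none, so it lands in the default slot. */
    irq_install(5, irq_count_handler);
    irq_install(7, irq_count_handler);
    irq_install(16, irq_count_handler);
    irq_raise(5); irq_raise(7); irq_raise(16); irq_raise(19);
    irq_set_mask(1u << 7);             /* hold Timer B off for this round */
    unsigned ran = irq_dispatch();
    printf("ran=%u unhandled=%u still pending=0x%08x\n", ran, irq_unhandled(), irq_pending());
    return 0;
}
```

The two things worth keeping from this when reading the firmware's own table setup at 231f4 are that every one of the 32 slots should hold a real address before the controller is unmasked, and that the bounds check in irq_install is what stops an out-of-range irq number from writing past the table into whatever follows it in RAM.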