Custom Firmware
This document describes how to flash a modified firmware to your iriver T10, which will allow you to run custom code on the iriver T10 hardware. Afterwards, you will still be able to use all the features of the normal firmware, except playing WMA files (but who does that, anyway?).
The first step involves flashing a modified firmware to the T10. The modified firmware was inspired by a similar firmware hack for the iriver iFP 790 by Tomek Malesinski. Disclaimer: Although I have tested the modified firmware, I make no gurantee that it will work for you. I take no responsibility for the modified firmware! It may leave you with a bricked player! Perform this update at your own risk!
The modified firmware will treat .wma files as raw binary executables,
and instead of playing them it will load the file
(currently, at most 4KiB) at 0x2203d800.
The firmware will then perform a branch and link to the loaded file.
In order to create the modified firmware file, you will need firmware version
T10_FRE_UM_OK 1.73.
Here is a
direct link to the zip-file with the correct firmware file.
iriver has removed version 1.73 from their server. Get it here instead.
You will also need the patch file and a
patch tool.
gcc -o bin_patch bin_patch.c)../bin_patch T10N.HEX T10N-hack.HEX < T10_FRE_UM_OK_173_hack.patch1ec062f44be9c7d2487205b6e82ca96a.
Do not copy the file to the player, if it does not have that MD5 sum.The code that has been inserted into the modified firmware can be found here: T10_FRE_UM_OK_173_hack.s.
Note: The firmware files from iriver are encrypted.
The encryption has however been broken and a decryption program written by Tomek Malesinski
(ifp_decode) is available
here. It was originally intended for
the iriver iFP series, but iriver T10 (and possibly other iriver models) use the same encryption.
Another program (irde by mlb2gm5x @ misticriver forum) that does both encryption and decryption
is available here.
Note: It will not be neccesary to encrypt/decrypt anything to apply the firmware patch.
With the new firmware in place you will be able to run custom code on your T10 hardware.
All you have to do is put the ARM machine code in a raw binary file,
give that file a .wma extension and put it on the T10 filesystem.
It is a good idea to put each executable in a separate folder and
enable the directory play mode before you start an executable.
This will ensure that only one executable is started.
Before you can compile sourcecode to ARM machine code you will need an ARM toolchain. It is a bit complicated to build the toolchain, but there are several guides that explain how to do this in details. Google is your friend. Note: A full toolchain will not be neccesary, only binutils and GCC are needed. Also, GCC is only needed if you care about being able to compile C programs.
If you happen to have Gentoo Linux installed, there is an easy way to build the toolchain.
Substitute --stage0 for --stage1 if you do not want GCC.
# emerge crossdev
# crossdev -t armeb-softfloat-linux-gnu --stage1
I use this script to compile assembly language sourcecode to
an ELF executable, and this script to convert the ELF file to raw binary code.
These scripts assume that the ARM toolchain is in your PATH.
Here are a few example programs that might help you get started:
One of the first problems you may encounter, when running custom programs,
is the watchdog timer.
If a few seconds elapses with no call to the watchdog service routine the device will simply reset.
It can be seen in the loop_wd.s example file how a call to the service routine is made.
It is also possible to disable the watchdog entirely.
Most other parts of the hardware are not yet as fully understood.
It is possible to call the functions in the firmware from your custom code. Here is a list of some of the functions/symbols I have identified in the firmware.
Hosted by
