T10 Hardware
This is a detailed description of the T10 hardware, based on reverse engineering and comparison with similar devices.
This document is based on reverse engineering of both the original iriver T10 firmwares (available here) and also the boot ROM code that every T10 is born with. Also, reverse engineering of other similar devices has provided a great amount of information that also applies to the T10 (see references).
The following list of components has been compiled from pictures of a disassembled T10, and from reverse engineering of the original firmware:
| Component | Type | Datasheet |
| CPU | Samsung SA58450X01 | N/A |
| NAND Flash | Samsung K9W8G08U1M | Here |
| FM Radio | Philips TEA5761UK | Here |
| RTC | Philips PCF8563 | Here |
| LCD Controller | Leadis LDS176 (or compatible) | Here |
The SA58450X01 is a package of S5L8450, 8Mbit NOR Flash and Audio Codec.
Samsung provided the following description of S5L8450 before the
product description page disappeared:
S5L8450X is an audio player IC supporting various compressed audio format on Flash Memory Media. S5L8450X provides 256Kbytes of SRAM and it supports optional external SDRAM. An ARM940T TM is provided as a CPU and an 16bit RISC processor (CalmRISC16™) and 24bit MAC(MAC2424™) are provided as a DSP function.
Supply Voltage Range - Supply Voltage (Core): 1.2V - Supply Voltage (IO): 3.3V X-tal Oscillator: 32.768 kHz ARM940T 16bit RISC (CalmRISC16) & 24bit MAC with 4KB of Instruction Cache - 6KB of X Cache - 6KB of Y Cache 256KB SRAM & 50KB Mask ROM IO DMA Supports SMC/MMC/SD/Memory Stick ATAPI Controller LCD Controller supporting - Single/Dual-panel color and monochrome STN - 15 gray-level mono, 3375 color STN, and 32K color TFT support - 1, 2, or 4 bpp palettized displays for mono STN - 1, 2, 4 or 8 bpp palettized color displays for color STN and TFT - 16 bpp true-color non-palettized, for color STN and TFT - 24 bpp true-color non-palettized, for color TFT LCD Interface 4-channels of IIS IIC / SPDIF Input / SPDIF Output / UART / SPI USB1.1 Host + USB2.0 Function 4-channel 10bit ADC Real Timer Clock (RTC) General-Purpose Input/Output (GPIO) 16-bit timer.
- SA58450X01-Y080: S5L8450 + 8Mbit Nor + Audio Codec
- SA58450X02-Y080: S5L8450 + 8Mbit Nor + Audio Codec
The following memory map is in place at boot time, but it is later remapped in the boot ROM code:
| Address | Device |
| 0x0 | Boot ROM (50KiB) |
| 0x22000000 | SRAM (256KiB) |
| 0x24000000 | NOR Flash (1MiB) |
| Base address | Module |
| 0x2c000000 | LCD interface |
| 0x38200000 | MIU |
| 0x38400000 | DMA controller |
| 0x38800000 | USB 2.0 Function |
| 0x39000000 | CalmADM (CalmRISC and MAC) |
| 0x39c00000 | ICU |
| 0x3c200000 | NAND Flash Controller |
| 0x3c400000 | USB 2.0 PHY |
| 0x3c500000 | Clock and power management |
| 0x3c700000 | Timer |
| 0x3c800000 | Watchdog |
| 0x3c900000 | I²C |
| 0x3ca00000 | I²S |
| 0x3cc00000 | UART (only accessed in the boot ROM) |
| 0x3ce00000 | ADC |
| 0x3cf00000 | GPIO |
| 0x3d100000 | Chip ID |
| Address | Module |
| 0x20 | FM Tuner (Philips TEA5761UK) |
| 0x36 | Unknown |
| 0xa2 | RTC (Philips PCF8563) |
| Channel | Module |
| 0 | Battery |
| 1 | Buttons (except power and hold) |
| 2 | Power button |
| Pin | I/O | Function |
| P0.1 | I | USB cable connected |
| P0.2 | O | LCD backlight |
| P0.4 | O | System power (power off when low) |
| P1.5 | I | Hold disabled |
The boot ROM contains the code that is executed when the T10 is turned on. This ROM is written when the device is manufactured, and it is impossible to change the contents afterwards. The boot ROM is mainly responsible for setting up the memory through the MIU, but it also provides other interesting features. A dump of the boot ROM code can be obtained with the modified firmware.
Before the boot ROM code jumps to the main firmware, it has to change the memory map to the following:
| Address | Device |
| 0x0 | NOR Flash (1MiB) |
| 0x20000000 | Boot ROM (50KiB) |
| 0x22000000 | SRAM (256KiB) |
| 0x24000000 | NOR Flash (1MiB) |
Then a number of checks are done on the firmware,
to determine if it has somehow been corrupted. To be booted,
the boot code must find the value 0x43554644 (“CUFD”)
at address 0x24000020.
This would be at offset 0x20 in the firmware,
which seems right, as this exact value is present in the
original firmware files from iriver.
The boot code then looks for a DFU image suffix
supposedly at the end of the firmware image.
The boot code expects to find the size of the firmware image at 0x24000024
(as 32-bit little endian), but the corresponding value in
the original firmware is simply 0, so it is not clear
where this suffix would be found. Also, it should be noted that the DFU specification
clearly states that the DFU suffix should never be transmitted to the device,
but only be interpreted by the host. It is a mystery what those checks are doing in the device.
If the checks are successful, the watchdog timer is instructed to reboot the system
and start executing from 0x0, which would supposedly now be the firmware
instead of the boot ROM.
If the firmware checks fail, the T10 should switch to DFU mode. The DFU specification is available here.
Note: The following has not been tested, but is only based on reverse engineering of the boot ROM.
In DFU mode, the boot ROM should be able to connect to a computer, and accept a new firmware image over USB, which is then written to NAND flash. There are some open source DFU tools available (openmoko, dfu-programmer), but I don't know if they will work with the T10. If you have a bricked T10 this might be worth a try.
The DFU mode in the boot ROM seems to be only accessible if the firmware checks fail; i.e. if the firmware has been corrupted. This is unfortunate, as it makes it impossible to recover from a good firmware with broken or non-existing upgrade capabilites, such as a new firmware developed from scratch (e.g. a rockbox port).
Hosted by
