Jan 7, 2014

MP3 Player Recovery and Hacking

Loading New Firmware:

The first step to loading new firmware into the MP3 player, or doing a firmware dump from the player, is to set the device into loader mode. In some cases, where the firmware is intact on the device, new firmware can be loaded without setting the device into loader mode.

There are a variety of ways to set the device into loader mode. The most definite, guaranteed-to-work method is to short a number of the I/O pins of the flash chip with the battery removed, while connecting the player to a free USB port. If the device has two flash chips, the I/O pins on the first chip (closest to the CPU) are the ones to short. While this method should work for pretty much any similar device, it can cause problems, especially if you short the wrong pins.

The safer method for forcing the device into loader mode is to hold down the R/V (recorder mode/volume control) button with the battery removed, while connecting the player to a free USB port.

When the player is plugged into a free USB port while in loader mode, a new device will be detected as "ALi USB 2.0 BOOT LOADER". Neither the LCD nor the backlight will illuminate when this is successful.

Should neither method work in setting the player into loader mode, it is possible that the player itself is damaged, and it may not be possible to recover it.

Useful Software:

Finding software capable of loading firmware to this brand of player was quite challenging, given the similarities between ALi chipset players and S1MP3 players, and that many manufacturers were based in China. This is where the entries on the Polish forums on elektroda.pl were most useful. From rough translations, there were a few software packages that could read and write firmware images to the flash memory.

One such tool is a program called MPTool, which appears to be designed for use as a factory firmware loader. With minimal documentation available, it is difficult to determine what all the features are for without risking further damage to the player. However, it appears that the software can be used to change USB vendor and product IDs, reformat the flash memory used for storing MP3s, and change the inbuilt serial number. This software does not seem to be able to create firmware images from scratch, and is not able to dump existing firmware from the device to disk.

A potentially more useful program is the M566x ISP tool. This program is capable of uploading firmware binaries to devices, and is also capable of dumping the current contents of the flash memory to disk. The function of particular interest is the "Save PM" function. This function appears to dump the complete operating system image to disk as a file called PM.bin. At the moment, there is no obvious way of converting this file back to a broken down set of binaries or Cabinet archive as required for loading into a device.

Before you can use the M566x ISP tool to dump firmware images, it is necessary to identify what type of flash memory is used in the player. In most cases this should be printed quite clearly on the flash chip itself, but if it has been rubbed off, or you do not want to open the case of the player, the "Auto ID" button will in most cases identify the type of flash memory used in the player. Clicking "OK" will start the firmware loading process, allowing you to select multiple binary files to be loaded as firmware. If there is a problem with any of these binaries, in most cases it will either crash the program or cause the write process to fail. This does not seem to destroy the player, but as always, be very careful when loading new firmware.

MPTool can be found in many different distributions of firmware updates for ALi chipset MP3 players, and under a wide variety of names. One of the more common names for the MPTool executable is "Factory4.exe". A quick hunt on Google will find many sites with this file, and a zipped barebones copy is available, although this does not include any firmware files. M566xISP (known as the M5661 ISP tool or M566x ISP tool) is considerably harder to find, but can be found within some firmware distributions, most notably within the firmware package of the Z-cyber Zling T-Nax. The tool itself is also available for download below, but again does not include firmware files for any player. If possible, it is best to download these files elsewhere, as the bandwidth of this server is very limited.

Want to help me maintain this server? Donate some BitCoins to: 1FZFrGTAdnQzUD9y5AkvqS6WY18m9vcMyH

MPTool.zip (485k)

M566xISP.zip (1354k)

The Firmware Itself:

In my case, it took many weeks of on-and-off searching to finally find a firmware image that was compatible with my device. Given the number of M566x based MP3 and MP4 devices out there on the market, it is very easy to find firmware images that may seem right, only to load them and find that the display and controls do not work. Eventually, I found a firmware set that did work for my player: a firmware package built for a Typhoon 1GB MP3 player (obviously another rebrand of the same device sold by Egoman and Yuraku). Within the firmware package for this MP3 player is a file called IEOA_FW16.13.11_060617.CAB. This file contains 94 small binary files, the structure of which is discussed in more depth later on.

While this firmware package did work, it did not have the original "Ministry of Sound" introduction screen which I had grown quite fond of. In order to recover it, I needed a copy of the firmware dumped from a working "Ministry of Sound" branded player of similar design. While the flash memory size was largely irrelevant, the device needed to have the same type of LCD and controls.

Fortunately, I was able to acquire a similar player from a friend who had purchased the 2GB version. Using the M566x ISP tool, I saved a copy of the PM from it to disk and loaded it up in a hex editor. Before I continue however, below is a brief discussion of what I have found out about the firmware files used by the loader software.

It would appear that the single-file firmware images used by MPTool are Microsoft Cabinet archives containing a large number of binary files. Each binary filename starts with a number and usually has a short text description following it, such as 000INIT.BIN or 005PLAY.BIN. The number appears to signify the order in which the overall firmware is assembled and where in memory each section of code is stored. The name following the initial three digits seems to be irrelevant other than describing each file's purpose to developers, and is not stored in the overall firmware image when loaded into the player. The M566x ISP tool does not use Cabinet archives of these binary files when loading them into a device; rather, it lets you select the individual binary files for loading. The size of each binary file seems to play a role, as it is not possible to load a single large binary file, although the size of each individual binary can be varied.

The saved PM.bin file appears to be a concatenated set of each of the binary files, each padded with some extra bytes which are often null.

From the various firmware files I had found and discovered not to work on my player, I noticed that in many cases the basic files (such as 000INIT.BIN) were very similar despite the differences between the players. This meant that the original "Ministry of Sound" firmware loaded on the player must have had a structure similar to the Typhoon firmware that worked when loaded onto the player. It was possible to find the "Ministry of Sound" introduction animation by locating the end and beginning of the surrounding binaries, which in this case were collections of strings. The data between the end of one string binary and the beginning of the next was copied to a new file, the padding data was removed, and the result was loaded in with the working firmware image.
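As an added example (not the post's own tooling), the script below automates the carving described above: it splits a PM.bin-style dump into segments at runs of null padding, flags the segments that look like string tables, and returns whatever sits between two adjacent string tables, as the intro animation did here. The sample image, the MIN_PAD threshold and the printable-ratio heuristic are assumptions, not values from the post.

```python
"""Carve a PM.bin-style dump into its padded segments (added example,
not the post's tooling). Assumes, as the post describes, that PM.bin is
the numbered binaries concatenated in order, each followed by NUL padding."""
import re

# Constructed stand-in for a PM.bin: a string table, an animation blob,
# and a second string table, each padded out with NUL bytes.
SAMPLE_PM = (
    b"000INIT\x00strings-A\x00" + b"\x00" * 14
    + bytes(range(1, 40)) + b"\x00" * 8          # "animation" data, no NULs
    + b"strings-B\x00Volume\x00Play\x00" + b"\x00" * 6
)
MIN_PAD = 4  # shortest NUL run treated as inter-binary padding (assumption)


def split_segments(image, min_pad=MIN_PAD):
    """Return [(offset, payload)] per segment. A segment ends where a run of
    >= min_pad NULs starts; shorter runs (C string terminators) stay inside."""
    segments, start = [], 0
    for m in re.finditer(rb"\x00{%d,}" % min_pad, image):
        if m.start() > start:
            segments.append((start, image[start:m.start()]))
        start = m.end()
    if start < len(image):
        segments.append((start, image[start:]))
    return segments


def looks_like_string_table(payload, min_printable=0.9):
    """Heuristic: mostly printable ASCII plus NUL separators."""
    ok = sum(1 for b in payload if b == 0 or 32 <= b < 127)
    return bool(payload) and ok / len(payload) >= min_printable


def carve_between_string_tables(image):
    """Return (offset, payload) of the segment sitting between two adjacent
    string-table segments: what the post did by hand to recover the intro
    animation. Returns None if no such segment exists."""
    segs = split_segments(image)
    tables = [i for i, (_, p) in enumerate(segs) if looks_like_string_table(p)]
    for a, b in zip(tables, tables[1:]):
        if b - a == 2:
            return segs[a + 1]
    return None


if __name__ == "__main__":
    for off, payload in split_segments(SAMPLE_PM):
        print(f"0x{off:04x}: {len(payload):3d} bytes, "
              f"strings={looks_like_string_table(payload)}")
    print("carved:", carve_between_string_tables(SAMPLE_PM))
```

On a real dump, adjust MIN_PAD to the shortest padding run you observe in the hex editor before trusting the segment boundaries.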
