Daniel's page
SanDisk Sansa e200 Reverse Engineering
Rockbox SanDisk Connection Sansa e200 Pics Hacking Devboard e200tool mi4 File Format mi4code AMS Sansas Sansa View
SanDisk Sansa e200 Reverse Engineering
Sansa e200 with LCD showing Rockbox bootloader text

MrH findings:

The picture to the right was taken by MrH, as the first proof ever of working LCD code on target.

Daily tip: hold 'menu' for 15 seconds for (HW-based?) power down.

$ dmesg
 
  Vendor: SanDisk   Model: Sansa e260        Rev:
  Type:   Direct-Access                      ANSI SCSI revision: 02
SCSI device sda: 7854080 512-byte hdwr sectors (4021 MB)

Below is my factory default partitions:

$ fdisk -l /dev/sda
 
Disk /dev/sda: 4021 MB, 4021288960 bytes
124 heads, 62 sectors/track, 1021 cylinders
Units = cylinders of 7688 * 512 = 3936256 bytes
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1               1        1017     3906270    b  W95 FAT32
Partition 1 has different physical/logical beginnings (non-Linux?):
     phys=(0, 9, 14) logical=(0, 9, 23)
Partition 1 has different physical/logical endings:
     phys=(230, 87, 49) logical=(1016, 34, 4)
Partition 1 does not end on cylinder boundary.
/dev/sda2            1017        1022       20480   84  OS/2 hidden C: drive
Partition 2 has different physical/logical beginnings (non-Linux?):
     phys=(230, 87, 50) logical=(1016, 34, 5)
Partition 2 has different physical/logical endings:
     phys=(232, 227, 59) logical=(1021, 74, 44)
Partition 2 does not end on cylinder boundary.

The first partition is the normal UMS disk while the second one is magic.

Note: the Rhapsody models don't have the second parition like this.

Second Partition

Full and more details on Rockbox's Sansa E200 Firmware Partition page.

The contents of the second partition is built up like:

There's a NVPARAMS section. Byte 0x7810e1 determines whether a database update is done or not. 1 = update, 0 = don't update.

Here's the first dd dumps of mine:
sansa-sda2.gz 5.3MB (US firmware)
sansa-sda2-2.gz 5.3MB (I copied over the BL* file again without an mi4 file)
sansa-sda2-3.gz 5.3MB US firmware signed with a dummy DSA sig

Try cutit.c (view it) to extract the mi4 file from the partition. Use mi4code to decrypt it afterwards.

The BL has a lot of code in ARM thumb mode. Disassemble with objdump like this:

  arm-elf-objdump -D --target binary -marm -Mforce-thumb BL.rom
Running Rockbox on Sansa

Install Rockbox on your Sansa e200

e200tool
See e200tool
mi4

On upgrade you put the PP5022.mi4 on the file system root, but when the device upgrades to this it moves it elsewhere and removes it from the root filesystem. On other mi4 devices, such as the iriver H10, you put the mi4 file in the /system/ directory and the bootloader loads it directly from there...

It seems the Sansa moves the firmware image to a difference place, which is accessible through the second partition of the device. In that partition, at offset 0x80200, the mi4 file seems to be located.

With a more recent Sansa firmware SanDisk changed the TEA encryption key (and named their firmware file "firmware.mi4"). mi4code is updated to decrypt both versions fine.

Sansa Rhapsody

The Rhapsody version of the Sansa e200 series uses yet another key that was successfully extracted on February 23, 2007. Use mi4code 0.9.33 or later. They name the firmware file pp5022.mi4 (note the lower case).

The Rhapsody BL does not allow a "dummy" DSA signed mi4 file to get loaded. This means we must either patch the existing BL to allow the loading of the Rockbox bootloader, or we must "upgrade" the R model BL to a vanilla Sansa model BL.

Some initial tests of patching the original R BL file (with a .btl extension) seems to indicate that installing a patch BL file on the R model is somehow prohibited...

Sansa USB Modes

The Sansas seem to have at least four (4) different USB modes in which it can start and allow various kinds of accesses from a host computer:

  1. "pre-bootloader" - in which the Sansa appears as a "PortalPlayer USB Device." - e200tool 0.0.6 and later can (hopefully) access the device in this mode. A device might stop here due to a corrupted i2c rom.
  2. "Manufacturing" - see below, access it with e200tool. A device might require this mode due to a corrupted bootloader.
  3. "Recovery" - normal UMS mode but with a 16MB disk in which you can restore/upgrade mi4 and bootloader images.
  4. "Firmware" - when the normal firmware runs you get to a normal UMS mode that exposes the whole data partition of the NAND flash.
FM Tuner in Euro version

It has been confirmed by SanDisk that the disabling of the FM tuner in the euro version of the player is done in firmware/software.

This is contradicted by the people that claim that the euro version has no radio chip insde... Different HW revisions doing it differently perhaps?

Recovery Mode
If you put a bad mi4 on the device it can no longer function properly, but you must then enter Recovery Mode and correct the bad image.

Note that when I did this, the device appears like this with dmesg:

  Vendor: SanDisk   Model: Sansa e250        Rev:
  Type:   Direct-Access                      ANSI SCSI revision: 02
SCSI device sda: 32769 512-byte hdwr sectors (17 MB)
sda: assuming Write Enabled
sda: assuming drive cache: write through
 sda: unknown partition table
... so there's no partitions but I had to mount /dev/sda instead of /dev/sda1.

You then only copy your fine mi4 file to the player, disconnect USB and it'll use that new mi4.

It seems people have copied all sorts of things to the player in recovery mode, and then suffered badly.

Manufacturing Mode

This mode requires a special driver or tool to access it, and I just got a complete system lock when I tried it without one!

"As of now we can not give out manufacturing mode to anyone outside sandisk or sandisk vendors" / SanDisk person

MrH has written a tool for addressing and poking on the device while in manufacturing mode. See the e200tool.

How to get into Manufacturing Mode on a C200:

Updated: December 28, 2009 17:21 (Central European, Stockholm Sweden)

daniel at haxx dot .se