Daniel's page
The mi4 File Format
mi4

The mi4 file format is something PortalPlayer provides or supports, as numerous PortalPlayer-based music players use it for firmware upgrades.

All glory to MrH for his hard digging on this.

mi4code

mi4code is a tool for dealing with mi4 and BL files.

mi4 collection

An extensive collection of most (if not all) existing firmwares for Sansa E200 and Sansa C200.

| mi4 file | decode | thanks to | BL file | Notes | mi4 md5sum |
|---|---|---|---|---|---|
| SanDisk Sansa View | OK | zivan56 | BL rom | 1.00.03 | 27124dcbe7425cf36314ae9d7454826a |
| SanDisk Sansa c200 | OK | zefie | BL rom | 1.00.06 | 7d4de4ac02f6c3d8aeff88c8872b08a5 |
| SanDisk Sansa e200 (American) | OK | | BL rom | 1.00.12 | 2c11dc0b10f1393115c54b17b6278cd2 |
| SanDisk Sansa e200 (American) | OK | lgianasi | BL rom | 1.01.11A | 8fbdfa44671e936bb2fffc9e11e8bedb |
| SanDisk Sansa e200 (American) | OK | matze | regular BL | 1.02.15a | e83a74b44accc88f64f1e81039200442 |
| SanDisk Sansa e200 (European) | OK | Dave Chapman | BL rom | 1.00.12 | 86db01ed5175f2e18ff833baa9f2660c |
| SanDisk Sansa e250R | OK | Kpt Kill & MrH | BL btl | 1.0.2.31 | c9d7b92492ceddf8c32008e925aee5f4 |
| iriver H10 | OK | | BL rom | | d4f5cc4e52124249cd6880ae0c1cbae5 |
| iriver H10 20GC/MTP | OK | Barry Wardell | BL hex | | c57b2cf2a6b49dbbc43645fecee6a576 |
| Medion MD 95x00 | OK | | | | 8562a83695383a5f09290225d89ca68d |
| Philips HDD6330 | FAIL | | | needs BL to decode | a58edfeb2745ac132119b3c9b5742a12 |
| Philips HDD120/00 | OK | Marcoen Hirschberg | | | a0393696971474cc73328426e482bf9e |
| Philips SA9200 | OK | philips.com | BL | BL ripped from target | d384fe46e2e40ed80fef6a45ed1e2944 |
| Virgin Electronics | OK | | BL rom | | 318df5fecc7327fdc14620dc9885baf1 |
| Tatung Elio M310 | OK | Jason Simpson | | | e5e0c4f1d8f5a5e0db0494a9246966d0 |
| Tatung Elio P722 #2 | OK | | | | f96200548d9923042345814d0fad0af9 |
| Tatung Elio P810 | FAIL | | | needs BL to decode | 589641eff7c0ed70c3aaa96922bd3834 |
| Tatung Elio TPJ-1022 | OK | Dave Chapman | | 010201 using default key | 2be6b2878ef8fd385aa8a52cbccefcb6 |
| M-Audio MicroTrack 24/96 | OK | Lee Koloszyc | BL rom | | 03795b6d92c385ea0559a1ef3a03973e |
| Aldi Pod | OK | Dave Hooper | | | 79c23133c51b4f41f942a9b64692e3c7 |
| Sirrius S50 | FAIL | Lee Koloszyc | | needs BL to decode | 93a2d15aeeec7fba813bf3986d81e31c |
| Samsung YH-925GS | OK | | BL rom | | 18d7d69e823eacda37d5b154d2b59fb2 |
| Samsung YH-820 | OK | | | | f40347a60d322193cb03154a7e61addb |
| Samsung YH-920 | OK | | | | 3ed1bb882128ee26dbf6420da3245a9c |
| Samsung YH-925 | OK | Benjamin Larsson | | | 18d7d69e823eacda37d5b154d2b59fb2 |
| MSI P610 | OK | | BL rom PRI + BL rom SEC | | fcb868a7773384d1ee6282b9c40de60f |
| MSI P640 | OK | | BL rom | | 014848b3ed9e4e353d7b691d93311c05 |
| Olympus MR-100 | OK | | BL rom | | 7417ee459d86e22d795240899441ef07 |

Reminder: arm-elf-objdump -D --target binary -marm PP5022.mi4.bin

mi4 Header Explained

| Offset | What |
|---|---|
| 0x00 | 32bit magic (50504f53 == "PPOS") |
| 0x04 | 32bit indicating version, as the 01030100 ones have bigger headers (0x44 bytes == includes DSA keys) than the 01020100 ones (0x1C bytes). |
| 0x08 | 32bit number, the length of actual data used within the file (beyond this point the files seem to be zero-padded). However, the last 32bit word of the data is always 0xaa55aa55 and the bootloader checks it. |
| 0x0C | 32bit crc32 (starting polynomial 0xEDB88320) over the firmware image starting at index 0x200 (with initial value of 0 and without pre- and post-conditioning). This value seems to not get checked for 010301 versions. |
| 0x10 | 32bit encryption algorithm ID (or similar). The bootloader will skip the decryption if the value here is zero, use TEA if the value is two and fail if the value is any other. |
| 0x14 | 32bit file size of the mi4 (even 0x400 bytes) |
| 0x18 | 32bit length of the plaintext part. The YH-920 mi4 file has zero there. Every other file has it 0x200. Most bootloaders seem to be OK with this value being the entire file's size, thus effectively removing encryption. |
| 0x1C-0x2F, 0x30-0x43 | Two 160bit DSA-related numbers. They are the signature (referred to as r and s in the literature). The public key (p, q, g and y) is in the BL. The private key (x) is not disclosed anywhere. |
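
The header layout above, as an added Python example (not code from this page or from mi4code) that decodes the fields and runs the checks the table describes, which is handy when triaging a firmware image before flashing. Assumptions not stated on the page: the 32-bit fields are little-endian, the length at 0x08 is counted from the start of the file, and the CRC covers 0x200 up to that length; the function names and `build_sample` (which builds a constructed test image) are hypothetical.

```python
import struct

MAGIC = b"PPOS"  # shown on the page as 50504f53
HDR_SIZES = {bytes.fromhex("01020100"): 0x1C, bytes.fromhex("01030100"): 0x44}
ENC_NAMES = {0: "none", 2: "TEA"}  # the bootloader fails on any other ID
TAIL = 0xAA55AA55

def raw_crc32(data: bytes) -> int:
    """CRC-32, polynomial 0xEDB88320, initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc

def parse_mi4(blob: bytes) -> dict:
    """Decode the header fields from the table and run its consistency checks."""
    if len(blob) < 0x204 or blob[:4] != MAGIC:
        raise ValueError("not an mi4 image")
    version = blob[4:8]
    if version not in HDR_SIZES:
        raise ValueError("unknown header version " + version.hex())
    # Assumption: the five words at 0x08..0x1B are little-endian.
    used, crc, enc, fsize, plain = struct.unpack_from("<5I", blob, 0x08)
    if not 0x204 <= used <= len(blob):
        raise ValueError("used-data length out of range")
    info = {
        "header_size": HDR_SIZES[version],
        "encryption": ENC_NAMES.get(enc, "unsupported"),
        "effectively_encrypted": enc == 2 and plain < fsize,
        "size_ok": fsize == len(blob),
        "tail_ok": struct.unpack_from("<I", blob, used - 4)[0] == TAIL,
        # Assumption: the CRC covers 0x200 up to the used-data length.
        "crc_ok": raw_crc32(blob[0x200:used]) == crc,
    }
    if info["header_size"] == 0x44:  # 01030100 headers carry the two DSA numbers
        info["dsa"] = (blob[0x1C:0x30].hex(), blob[0x30:0x44].hex())
    return info

def build_sample(payload: bytes, plain: int = 0x200) -> bytes:
    """Constructed, unencrypted 01020100 image for testing; not real firmware."""
    body = payload + struct.pack("<I", TAIL)
    used = 0x200 + len(body)
    fsize = -(-used // 0x400) * 0x400  # pad to a multiple of 0x400 (assumed)
    hdr = MAGIC + bytes.fromhex("01020100") + struct.pack(
        "<5I", used, raw_crc32(body), 0, fsize, plain)
    return (hdr.ljust(0x200, b"\0") + body).ljust(fsize, b"\0")
```

Call `parse_mi4(open(path, "rb").read())` on a real image; an `effectively_encrypted` value of False with encryption ID 2 means the plaintext length at 0x18 spans the whole file.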

Other details:

  1. There are a few "magic words" within the mi4 file that have to be correct for the BL to accept it. TODO: list them
  2. The number at index 0x18 can be set to the size of the entire mi4 file, which totally avoids having the mi4 file encrypted. This is what we do in Rockbox when we generate mi4 files.
  3. The DSA signature can be replaced with a "dummy" (by using mi4code): a fixed combination that relies on a known flaw in the DSA algorithm and that the Sansa e200 BL accepts. This allows us to run any mi4 file without having to sign it with a "real" signature or patch the BL file to accept our own signature. In the Rhapsody BL, they removed this flaw.

Updated: December 28, 2009 17:21 (Central European, Stockholm Sweden)

daniel at haxx dot .se