The picture to the right was taken by MrH, as the first proof ever of working LCD code on target.
Daily tip: hold 'menu' for 15 seconds for (HW-based?) power down.
$ dmesg Vendor: SanDisk Model: Sansa e260 Rev: Type: Direct-Access ANSI SCSI revision: 02 SCSI device sda: 7854080 512-byte hdwr sectors (4021 MB)
Below is my factory default partitions:
$ fdisk -l /dev/sda Disk /dev/sda: 4021 MB, 4021288960 bytes 124 heads, 62 sectors/track, 1021 cylinders Units = cylinders of 7688 * 512 = 3936256 bytes Device Boot Start End Blocks Id System /dev/sda1 1 1017 3906270 b W95 FAT32 Partition 1 has different physical/logical beginnings (non-Linux?): phys=(0, 9, 14) logical=(0, 9, 23) Partition 1 has different physical/logical endings: phys=(230, 87, 49) logical=(1016, 34, 4) Partition 1 does not end on cylinder boundary. /dev/sda2 1017 1022 20480 84 OS/2 hidden C: drive Partition 2 has different physical/logical beginnings (non-Linux?): phys=(230, 87, 50) logical=(1016, 34, 5) Partition 2 has different physical/logical endings: phys=(232, 227, 59) logical=(1021, 74, 44) Partition 2 does not end on cylinder boundary.
The first partition is the normal UMS disk while the second one is magic.
Note: the Rhapsody models don't have the second parition like this.
Full and more details on Rockbox's Sansa E200 Firmware Partition page.
The contents of the second partition is built up like:
There's a NVPARAMS section. Byte 0x7810e1 determines whether a database update is done or not. 1 = update, 0 = don't update.
Here's the first dd dumps of mine:
sansa-sda2.gz 5.3MB (US firmware)
sansa-sda2-2.gz 5.3MB (I copied over the BL* file again without an mi4 file)
sansa-sda2-3.gz 5.3MB US firmware signed with a dummy DSA sig
The BL has a lot of code in ARM thumb mode. Disassemble with objdump like this:
arm-elf-objdump -D --target binary -marm -Mforce-thumb BL.rom
On upgrade you put the PP5022.mi4 on the file system root, but when the device upgrades to this it moves it elsewhere and removes it from the root filesystem. On other mi4 devices, such as the iriver H10, you put the mi4 file in the /system/ directory and the bootloader loads it directly from there...
It seems the Sansa moves the firmware image to a difference place, which is accessible through the second partition of the device. In that partition, at offset 0x80200, the mi4 file seems to be located.
With a more recent Sansa firmware SanDisk changed the TEA encryption key (and named their firmware file "firmware.mi4"). mi4code is updated to decrypt both versions fine.
The Rhapsody version of the Sansa e200 series uses yet another key that was successfully extracted on February 23, 2007. Use mi4code 0.9.33 or later. They name the firmware file pp5022.mi4 (note the lower case).
The Rhapsody BL does not allow a "dummy" DSA signed mi4 file to get loaded. This means we must either patch the existing BL to allow the loading of the Rockbox bootloader, or we must "upgrade" the R model BL to a vanilla Sansa model BL.
Some initial tests of patching the original R BL file (with a .btl extension) seems to indicate that installing a patch BL file on the R model is somehow prohibited...
The Sansas seem to have at least four (4) different USB modes in which it can start and allow various kinds of accesses from a host computer:
It has been confirmed by SanDisk that the disabling of the FM tuner in the euro version of the player is done in firmware/software.
This is contradicted by the people that claim that the euro version has no radio chip insde... Different HW revisions doing it differently perhaps?
Note that when I did this, the device appears like this with dmesg:
Vendor: SanDisk Model: Sansa e250 Rev: Type: Direct-Access ANSI SCSI revision: 02 SCSI device sda: 32769 512-byte hdwr sectors (17 MB) sda: assuming Write Enabled sda: assuming drive cache: write through sda: unknown partition table... so there's no partitions but I had to mount /dev/sda instead of /dev/sda1.
You then only copy your fine mi4 file to the player, disconnect USB and it'll use that new mi4.
It seems people have copied all sorts of things to the player in recovery mode, and then suffered badly.
This mode requires a special driver or tool to access it, and I just got a complete system lock when I tried it without one!
MrH has written a tool for addressing and poking on the device while in manufacturing mode. See the e200tool.
How to get into Manufacturing Mode on a C200: