Vytvořeno: 3. 3. 2005, poslední změna: 28. 3. 2009, 22.49
Jagg
Xclef MT-500 reverse engineering
Content
- Prologue
- Basic informations
- Photographs
- Mechanical device disassembling
- CPU
- Firmware
- Internal memory
- Current status
- Links
- Document history
1. Prologue
At the beginning of the document I would like to remark that english isn't my native language and I know, I'm better in programming languages than natural ones, so corrections and suggestions are welcome ;)
This project is intented as a port of the RockBox project.
I will be pleased, if you send me informations you missed here.
You can reach me on ICQ# 85997864, at #xclef_mt-500, #gmemu and #rockbox IRC channels at the FreeNode server (irc.freenode.net) or just can send me an email ;)
Dawid Ferenczy
ferenczy@volny.cz
2. Basic informations
The device is controlled by the TCC730 chip, which made by korean company Telechips (see CPU). The firmware is stored in a 8 MBit (1 MB) flash memory, 39VF800A made by STT (see firmware). The internal data memory of device is composed of 1/2 Gbit (128/256 MB) flash memory, K9F1G08U0M-YCB0 made by Samsung (see internal memory).
3. Photographs
[ 1 ] - Telechips TCC730Y - device controller (CPU)
[ 2 ] - STT 39VF800A - 8 Mb (1 MB) flash memory for the firmware
[ 3a ] - Samsung K9F1G08U0M-YCB0 - 1 Gb (128 MB) flash memory that represents the internal data memory (128 MB version)
[ 3b ] - Samsung K9K2G08U0M-YCB0 - 2 Gb (256 MB) flash memory that represents the internal data memory (256 MB version)
[ 4 ] - display
[ 5 ] - microphone
[ 6 ] - USB connector
[ 7 ] - mode/volume jog
[ 8 ] - playback control jog
[ 2 ] - STT 39VF800A - 8 Mb (1 MB) flash memory for the firmware
[ 3a ] - Samsung K9F1G08U0M-YCB0 - 1 Gb (128 MB) flash memory that represents the internal data memory (128 MB version)
[ 3b ] - Samsung K9K2G08U0M-YCB0 - 2 Gb (256 MB) flash memory that represents the internal data memory (256 MB version)
[ 4 ] - display
[ 5 ] - microphone
[ 6 ] - USB connector
[ 7 ] - mode/volume jog
[ 8 ] - playback control jog
4. Mechanical device disassembling
Disassembling of the device should be pretty simple - just unstrech two screws and remove the plastic case. The first screw is in the closest corner to the line-in connector and second one is under the battery pack, near to battery pack connector. It's not necessary to remove the last screw (on the same side as volume jog).
5. CPU
The core of device is made by the TCC730Y SoC (System-on-Chip) microcontroller. Information (datasheets etc.) regarding this product from the manufacturers side - korean Telechips - are not available (if you don't want to buy a wagon of chips ;) Fortunately, our korean comrades didn't invent a new MCU, but they almost copied it from the S3CC410 16-bit CMOS microcontroller, made by Samsung (datasheet [PDF, 1.33 MB], comparsion of both MCU). Thus, the MCU contains a 16bit CalmRISC core and a MAC24 DSP core.
The TCC730 datasheet is now available for download (many thanks to Nikita Afanasyev)!
5.1 Basic informations:
- 16-bit RISC type MCU core
- 24-bit fixed point DSP core
- 72 kB internal data memory
- Instruction cache: 4 kB direct-mapped cache
- Data cache: 4 kB 2-way set associative cache
- On-chip peripherals
- Basic timer & watchdog timer
- Three 16-bit timers
- One I2C & two I2S I/F
- Full-duplex UART controller
- USB version 1.1 compliance
- SSFDC (SMC) I/F
- Intelligent interrupt controller
- Six 8-bit resolution A/D channels
- LCD controller for STN/TFT LCD
- PLL based on 32.768KHz OSC
- 80 MHz (max) operation frequency
- 3 V operation voltage
- 208-pin LQFP / FBGA package
- Low power consumption
- MP3 encoder/decoder
- WMATM decoder
- Flash file-system
- SSFDC for SMC
- FAT12/FAT16 for MMC and SD
- USB driver for Windows 98/Me/2K/XP
Some of the TCC730's functions aren't realized at hardware layer, but, as in MP3 encoder/decoder's case, as functions library optimized for the 24bit DSP.
5.2 Samsung S3CC410
S3CC410 single-chip CMOS microcontroller is designed for high-quality audio platform. It uses Samsung's newest 16-bit microcontroller, CalmRISC16 and 24-bit DSP engine, CalmMAC24.
5.3 CalmRISC16
The CalmRISC16 is a 16-bit low power RISC microcontroller. The CalmRISC's basic architecture follows Harvard style, that is, it has separate program memory and data memory (both up to 4 MB). Both instruction and data can be fetched simultaneously without causing a stall, using separate paths for memory access. It can operate up to 100 MHz alone or up to 80 MHz, when operating with a MAC24 coprocessor. The instruction set provides no instruction for writing to the program memory.
There exists the CalmRISC16 development environment from the AIJI System called CalmSHINE16.
6. Firmware
The firmware of the MT-500 is stored in a 8 Mbit (1 MB) flash memroy 39VF800A, made by STT (product page, datasheet [497 kB], application note [41 kB]). Also, similar flash chips are sometimes used as BIOS storage memory in PC (e.g. STT 29EE020). The Xclef MT-500 has got similar hardware to the Archos Gmini, at least the Telechip's TCC730. The Gmemu team have already created a working emulator for the Gmini. The best way forward is to use their work as a starting point.
6.1 Firmware reversing
There exists a couple versions of original MultiChannel's firware:
The firmware is stored in a hexadecimal format. Conversion to the binary format is possible with hex2bin utility (mirror: hex2bin-1.02 win binaries [19 kB], hex2bin-1.02 documentation [36 kB]). Then, binary code can be disassembled. There are whole binary data without any headers and so on, in the output of hex2bin. People from the gmEmu project have developed their own TCC730 disassembler (mirror: TCC730 disasm v0.2 [18 kB]). I have compiled it with the GCC under the Cygwin (Win32 environment for running Linux applications).
It's possible to view graphics stored in a binary firmware file with a Flash Graphic (utility for mobile phone's firmware graphics viewing, mirror: Flash Graphic 1.01 [235 kB]). Graphics starts somewhere at offset 316 670, I think (version 2.0.17). Flash Graphic's output may look like this:
6.2 Building a development environment
To set up a development environment for building a CalmRISC binaries you need:
- Linux, Cygwin on Windows or Mac OS X (I used Cygwin on Windows 2000, but Linux procedure should be same)
- download binutils (the assembler, linker and stuff), GCC (the GNU C Compiler) and optionaly gemoss (Gmini tools, emulator) sources from web or rather CVS (without password):
binutils - download, mirrors, info
GCC - download, mirrors, infocvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gemoss login cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gemoss co binutils-2.15 cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gemoss co gcc-3.4 cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/gemoss co -P gemoss
- prepare directories, for example unpack (or copy from CVS) binutils into "~/binutils" and GCC into "~/gcc" (~ means user's home directory)
~> mkdir build ~> cd build ~/build> mkdir binutils ~/build> mkdir gcc
- choose installation location - directory for all files that will be created. I chose "/home/ferenczy/calmrisc", so replace it with your own path everywhere, you'll find it. You can also use "configure" without the prefix option, then files will be stored in a common location.
- build binutils. Note that there's currently a bug with the binutils (tex)info install for CalmRISC16. It can be safely skipped with "make -k install" (-k option skips errors).
~> cd build/binutils ~/build/binutils> ../../binutils/configure --target=calmrisc16-unknown-elf --prefix=/home/ferenczy/calmrisc ~/build/binutils> make ~/build/binutils> make -k install
- build GCC. It requires to set up newly built binutils into the PATH variable:
~> export PATH=/home/ferenczy/calmrisc/bin:$PATH ~> cd build/gcc ~/build/gcc> ../../gcc/configure --target=calmrisc16-unknown-elf --prefix=/home/ferenczy/calmrisc --enable-languages=c ~/build/gcc> make ~/build/gcc> make install
- Now you should have fully functional CalmRISC16 development toolchain on your system. Now, it's good time to build the Gmini tools. Just choose your prefix or left blank.
~> cd gemoss ~/gemoss> automake -a ~/gemoss> ./configure --prefix=/home/ferenczy/gmemu GMINIMODEL=mt-500 LOADADDRESS=10000 ~/gemoss> make ~/gemoss> make install
The GMINIMODEL and LOADADDRESS are completely irrelevant at the moment. There is developed a GUI with wxWidgets for the Gmemu emulator. - If you would like to set PATH variable to the CalmRISC and Gmemu binaries permanently, you should add necessary lines ("export PATH=/new/path:$PATH" without quotes) to your shell configuration file (when using bash, it's ".bashrc" in your homedir).
6.3 Disassembling the MT-500's firmware
Now you have the tools, you need to create a firmware file that the disasm tool will accept. It's good idea, to work in a new directory (I chose "reverese" in my homedir). Also, you need to make sure that you have got path to the Gmemu tools in your PATH variable (e.g. "~/gmemu/bin/" directory, gmemu is directory, which you used as a prefix when building the Gmemu tools). Else you have to use full path to the "pack" utility and others in that directory.
~> mkdir reverse ~> cd reverse ~/reverse> calmrisc16-unknown-elf-objcopy -I ihex -O elf32-calmrisc16 firmware.hex firmware.elf ~/reverse> calmrisc16-unknown-elf-objcopy -I elf32-calmrisc16 -O binary firmware.elf firmware.bin ~/reverse> pack firmware.bin firmware.aaz 2000 MUNKEE MASTER ~/reverse> disasm firmware.aazThe value of 2000 is the lowest address in the firmware and thus, is where the code starts. The MUNKEE and MASTER values are just dummy parameters which are irrelevant for now.
7. Internal memory
The device contains a NAND flash memory manufactured by the Samsung that acts as the internal data memory. There exists three versions - either with the 64 MB, 128 MB or 256 MB chip. It's produced 128 MB version only, at the present (reason isn't clear for me). There are used chips in 48-pin TSOP I package, in a device (signed as YCB0).
7.1 128 MB version
Contains the Samsung's K9F1G08U0M (datasheet [714 kB]). It's 1 Gbit (128 Mb × 8, 128 MB) NAND flash memory. More information you can find at product page.
7.2 256 MB version
Contains the Samsung's K9K2G08U0M (datasheet [735 kB]). It's 2 Gbit (256 Mb × 8, 256 MB) NAND flash memory. More information you can find at product page.
8. Current status
- 07. 03. 2005
- I started to reversing disassembled firmware.
- 14. 03. 2005
- I tried to sniff an USB communication with a SnoopyPro and USBsnoop. In a mass storage mode it goes well, but in an upgrade mode my Windows 2000 crashes when I connected the player with installated sniffer. Could anybody help me, please??? (contact is in a prologue)
9. Links
[ 1 ] Project RockBox - open source project of development firmware replacement for Archos MP3 players (with ports to e.g. Iriver and Ipod)
[ 2 ] Wiki version of this web - wiki web of this project in the RockBox's wikipedia
[ 3 ] gmEmu - open source Archos Gmini firmware, the most related project (devices uses the same CPU - TCC730)
[ 4 ] S1 MP3 Player - device based on the same CPU as the Xclef MT-500 (Sigmatel's STMP3505, it's a copy of the Samsung's S3CC410 too)
[ 5 ] S1 MP3 forum - forum of the previous project, I recommend!
[ 6 ] OpenJukebox Project - project to make an alternative and opensource firmware for the Xclef MP3 HDD Jukebox
[ 7 ] Advanced MP3 Players Forum -forum for digital audio players Xclef,Archos, Creative, Iriver, Cowon, Apple,Sony a others
[ 8 ] Xclef MT-500 @ codebudnny.org - useful information at one user's website
[ 9 ] Multichannel's Xclef web forum - forum which provides a manufacturer of the Xclef MT-500
[ 10 ] TCC730 product page - the TCC730 chip's product page on the Telechips.com website
[ 11 ] MSI Mega Player 536 - maybe it will be a new Rockbox port :) (MCU is PP5020E - ARM7 compatible, running in some iPods)
[ 2 ] Wiki version of this web - wiki web of this project in the RockBox's wikipedia
[ 3 ] gmEmu - open source Archos Gmini firmware, the most related project (devices uses the same CPU - TCC730)
[ 4 ] S1 MP3 Player - device based on the same CPU as the Xclef MT-500 (Sigmatel's STMP3505, it's a copy of the Samsung's S3CC410 too)
[ 5 ] S1 MP3 forum - forum of the previous project, I recommend!
[ 6 ] OpenJukebox Project - project to make an alternative and opensource firmware for the Xclef MP3 HDD Jukebox
[ 7 ] Advanced MP3 Players Forum -forum for digital audio players Xclef,Archos, Creative, Iriver, Cowon, Apple,Sony a others
[ 8 ] Xclef MT-500 @ codebudnny.org - useful information at one user's website
[ 9 ] Multichannel's Xclef web forum - forum which provides a manufacturer of the Xclef MT-500
[ 10 ] TCC730 product page - the TCC730 chip's product page on the Telechips.com website
[ 11 ] MSI Mega Player 536 - maybe it will be a new Rockbox port :) (MCU is PP5020E - ARM7 compatible, running in some iPods)
10. Document history
- 03. 03. 2005
- version 0.1 - initial english document draft (translated czech version)
- 11. 03. 2005
- version 0.2 - added firmware and CalmRISC16 toolchain building informations
- 15. 03. 2005
- version 0.3 - added informations about building the Gmemu, disassembling the firmware, miscelaneous info and the section "Current status"
- 11. 04. 2005
- version 0.3.1 - small changes related to design and HTML code only
- 18. 04. 2005
- version 0.4 - added section "4. Device disassembling" and informations and picture about the 256 MB version
- 10. 05. 2005
- version 0.4.1 - added photographs of the second PCB and link to the S1 MP3 player reversing project
- 24. 05. 2005
- version 0.4.2 - added the TCC730 datasheet
- 22. 04. 2006
- version 0.4.3 - minor changes, some links were added and changed
- 15. 06. 2006
- version 0.4.4 - link added
