1
0
mirror of https://github.com/mbirth/wiki.git synced 2024-11-09 13:16:45 +00:00
wiki.mbirth.de/know-how/hacking/audiomate/_posts/2016-02-01-firmware.md
2016-12-27 13:39:36 +01:00

4.1 KiB

title layout created updated toc tags
AudioMate Firmware default 2009-01-26 00:47:15 +0100 2016-02-01 17:42:11 +0100 false
know-how
hacking
hardware
audiomate
allsound
firmware

Download

Details

Looking at the firmware file, the header starts - as usual - at 0x00. It consists of the string UMDA! followed by the firmware revision in octets. For the v1.2.2.1 I found the bytes 01 02 02 01. After that are some bytes which might be a checksum. The line looks like this:

55 4d 44 41 21 00 01 02 01 02 02 01 00 06 c5 c9   UMDA!...........

At 0x10 starts the .tar.gz compressed kernel image kernel.bin and it ends at 0x0e1474. After that there's a lot of room for more code in the future.

The kernel seems to be version 2.4.26-uc0 for MIPS architecture. At least I found the string somewhere there.

At 0x0ff000 the boot logo starts - a 128x64 pixel black-white-BMP. Since I don't like the original logo, I made a new one. Here's the comparison:

![Original boot logo]({{ site.url }}/assets/logo.bmp) ![My custom boot logo]({{ site.url }}/assets/customlogo.bmp)

And now for the interesting part:

At 0x100000 the cramfs starts. You can unpack it in Windows using e.g. the FSExtractor or uncramfs from the Firmware-Mod-Kit. You could also mount it using the cramfstools or fusecram.

After mounting the kernel image, you'll find some interesting things. Here are some examples:

/etc/customer.info:

AudioMate U-MEDIA Communications, Inc http://www.u-media.com.tw

/etc/buildtime:

2005 Dec 22, 12:20 PM

Below /etc/ringbell/ you'll find a MP3 file ringbell.mp3 which is the alarm sound. I formerly guessed it is made of sinus waves - but this discovery open new possibilities for tuning the device. The file is recorded at 44.1 kHz with 64kbps and mono signal.

Under /etc/icons/ are all used icons in BMP format. Even the boot logo is found there - don't know why. Also a "screenshot" of the main menu.

For time synchronization, the NTP server 0.pool.ntp.org is used - good choice! This entry is found in /etc/conf_def.dat.

Finally you'll find all pre-defined radio stations in the binary file /bin/dma_ui. Sadly this throws all my plans away. I hoped these are defined in a text file which I could change easily and re-insert into the kernel. I don't need those 500+ Asian radio stations. I'd like to have my own favorite stations - because the 20 favorites the device supports are not enough to hold ALL the stations I'd like it to hold.

Well, there still is the way of having lots of .m3u playlists with links to your favorite stations on a USB drive.

I still have to find out how the firmware gets checked for validity - because without knowing it, the firmware containing my custom logo gets rejected. Seems like they didn't use a common checksum (CRC16 or CRC32) - or I didn't find the correct range of where the checksum gets calculated.

Checksum

A user called "tidy" has found out what the header bytes are meaning and how checksum is compiled:

bytes 0-3: file magic UMDA
byte 4: Platform *
byte 5+7: Customer * * (whatever that means its extracted from decompiling the header parse code)
byte 6: Model *
byte 8-10: Version number
byte 11-12: build number (little endian)
byte 13: flags seem to have impact on the update process but I'm not sure in which function
byte 14-15: checksum

The checksum is calculated by interpreting the file as a little endian int16 stream, adding up its values, truncating the 16LSBs after every addition and calculating the value that is missing to sum up to 0x10000. I.e. if one calculates the checksum as described over the whole file including the calculated checksum the result has to be zero.