
Nomad II development questions


Ian
Mar 1, 2001, 4:47:37 PM
Greetings,
I just bought a Nomad II and I've got some questions about it.

First: The firmware updates come in .exe files that contain the firmware which is
very easy to dump from the .exe. I hear that one can modify the dump and the .exe
checksum but the actual firmware looks encrypted. Is it? Has anyone been able to
do much with it? Does the firmware update contain only a patch to the OS of the
Nomad, or is it the entire OS of the unit?

Second: Because I am not God, Creative Labs will not give me the SDK so I
shouldn't bother filling out the forms..correct?

Third: The box for the unit says it has SDM*I. It is my understanding that SDM*I
doesn't exist, but future firmware updates will add this to the unit. Is this true?

Fourth: If the firmware is encrypted and nobody knows how, I'm going to open the
unit up to investigate it. Has anyone opened up their Nomad II? Should I do or
not do something?

Fifth and final: Would any of this be illegal?

Thanks!

Andrea L
Mar 1, 2001, 6:59:12 PM
> Fourth: If the firmware is encrypted and nobody knows how, I'm going
> to open the unit up to investigate it. Has anyone opened up their Nomad
> II?
> Should I do or not do something?

This is the only question I can answer :) When my NOMAD dropped in the sewer
(don't ask, I can't be more stupid, lol), we had to open it to clean it... a
screwdriver, and voila... I found my NOMAD II wide open, kinda like in an
autopsy (we didn't know if the thing would continue working -and it did,
perfectly-)...
There are two main cards: one to handle the LCD display and the other one to
read the smartmedia card (I assume)...
If you are careful with it, you can open it without problems (hey, it was
under the water for 20 minutes, a finger or two in the boards won't hurt it
:b)... however, the warranty will probably void the minute you open it...

Let me know if I can help you in any other way

~Andy.


Anthony Volodkin
Mar 1, 2001, 9:56:31 PM
How useful is the binary for the Nomad II?
The device has its own instruction set (I'd guess it's a lot different from
x86) and currently there are no emulators to run the code. Most people
would need to actually run the code to see where they want to patch/modify
something. Then you could find the place you would want to modify, etc.
Finally, if you don't have the instruction set, you really can't do anything
to it.

On encryption: I'd assume either the exe itself decrypts the file before
sending or NII has a built in hardware feature to decrypt it on receipt.
Decrypting it on every execution (how Windows deals with encrypted EXEs)
would be a hard task for the NII chip, since it's pretty resource demanding.

I am on the side of "the firmware updates are like disk images", as opposed
to "patches to existing data".

Nice to see that there are lots of hackers (and these seem to be the real
deal, in the full meaning of the word - they aren't asking how to DoS CL's
website :)) in the ng.

Legal? I don't remember anyone appreciating reverse-engineering their stuff
(*cough* *DeCSS* *cough*). BUT IT'S SO MUCH FUN!!! =)

--
Anthony Volodkin
http://non-standard.net/
"Ian" <noe...@noemail.com> wrote in message
news:3A9EC378...@noemail.com...

Ian
Mar 3, 2001, 3:21:10 AM
Thanks for the info!

I have had to return my Nomad twice (!!) so far. I'm almost thinking
a sewer is the right place for the thing!
I'm glad to hear that the thing can survive being submerged in sewage
though.

Ian
Mar 3, 2001, 3:12:40 AM
Thanks for your reply.

I'm guessing the binary is useful. How useful depends on a few things.
I'm pretty sure at this point that the firmware is not encrypted. The
thing must contain the entire software code for the unit. It looks
like anyone with basic knowledge on the subject could change the text
and the graphic images displayed by the unit just by editing the
firmware and keeping in mind the file size. This isn't very useful.

To have fun with the unit (read: make the binary useful) an emulator
would be great. An assembler and the instruction set would be better.
While I'm dreaming, maybe Creative Labs is using a standard small
device processor in the Nomad II that is made by a company that
releases their SDK! Maybe the binary is stored, unencrypted, on an
EPROM or some other standard form of solid state storage that can
be read after a change is made to the device to save me a bunch of
time when trying to figure this out! But, yeah, otherwise I really
can't do anything to it. I'll still mess with it though :)

I really want to remap the stop button on the remote to the menu
button on the unit. At this point in time I'm thinking this is going
to have to be done on the hardware level. I'll get around to cracking
the unit open this weekend to get a better idea of how it works. I'm
a bit rusty with electronics and programming so before I hope that
I can remap the buttons, I'll hope that I don't fry the unit.

I agree about the hackers here. They are worlds different than the
"scriptkiddie"/rootshell group. I get a big kick out of reading some
of the posts on this group. You don't learn that stuff in Visual
Basic 101, that's for sure.

DeCSS. Ah, yes, a gentle reminder of how much big companies enjoy
having their software broken down. I'm curious if there is some
kind of licensed encryption for either the firmware itself, or
for the secured media formats (MP3+SDM*I or WMA) that, if broken,
would make the encryption as useless as DeCSS. I highly doubt it.

Anthony Volodkin
Mar 3, 2001, 12:43:05 PM
Oh... you meant changing the text and stuff as useful... aahhh :) I was
talking about actually modifying functionality.

Also, it seems that the firmware image in the extraction EXE is encrypted or
somehow scrambled since I found no notice of any menu strings. Oh well.

--
Anthony Volodkin
http://non-standard.net/
"Ian" <noe...@noemail.com> wrote in message
news:3AA0A778...@noemail.com...

Ian
Mar 4, 2001, 2:22:12 AM
Anthony Volodkin wrote:
>
> Oh... you meant changing the text and stuff as useful... aahhh :) I was
> talking about actually modifying functionality.
>
> > *snip* change the text
> > and the graphic images displayed by the unit just by editing the
> > firmware and keeping in mind the file size. This isn't very useful.

By that I mean changing the text and stuff isn't very useful. It has
its uses, but it isn't useful to me. Though it is pretty cool..

> Also, it seems that the firmware image in the extraction EXE is encrypted or
> somehow scrambled since I found no notice of any menu strings. Oh well.

This looks to be the case. Inside the unit is a Cirrus Logic CPU (model:
EP7212-CV-D EP AWAFED0007 ARM) which seems to be the heart of the unit.
The chip is a processor that even has support for Windows CE. It handles
audio decompression and even the LCD display. On Cirrus Logic's
site you can find sample binaries for the processor that are "C and ARM
assembly". They look nothing like the Nomad II firmware in the exe.

Also inside the unit is one flash memory chip and one static memory
chip. (Intel Flash TE28F800 B3BA90 U0160740A, and an ISSI
IS62LV12816LL-70T CA894500P 0002) One must be for the firmware backup
used when you do the master reset and the other must be for the
regular firmware. I'm very curious to know if the binary is encrypted
on these chips. The flash chip is 12mm by 18mm with 24 surface mount
pins on each narrow side. Maybe I can drop a socket over the top of
it, then pick up a cheap 2meg compact flash card on eBay to turn
into a computer interface. Even if that all worked and the image
wasn't encrypted I may not be able to do very much.

I guess the next step would be to capture the data going over the
USB port when the firmware is updated to see if an unencrypted
binary is sent to the unit.

If you're interested, the URL for Cirrus Logic's processor is:
http://www.cirruslogic.com/design/products/overview/index.cfm?DivisionID=6&SubdivisionID=27&ProductID=111

Anthony Volodkin
Mar 4, 2001, 12:19:25 PM
Given the decrypted firmware, reassigning buttons is a very feasible task
though. You would just need to figure out where in code the buttons get
polled and then go from there.

There is a program to sniff USB packets... I've seen it online, just can't
remember where.

--
Anthony Volodkin
http://non-standard.net/
"Ian" <noe...@noemail.com> wrote in message
news:3AA1ED24...@noemail.com...

Ian
Mar 6, 2001, 2:25:16 AM
> There is a program to sniff USB packets... I've seen it online, just can't
> remember where.
>

http://www.aracnet.com/~seagull/NJB/
http://www.jps.net/~koma/

I sniffed the USB packets while I updated the firmware. The data
looks different from the stuff in the firmware update, and from
the sample binaries on Cirrus Logic's site. If they are encoded
when they pass through the USB, maybe it wouldn't hurt to do a
little homework on Philips' USB chip (used on the Nomad II) to
see what kind of encoding is done. I haven't spent too much time
looking at the data from the packets though. I'm still trying to
read the flash memory that contains the firmware. I'm hung up on
trying to find a socket for the chip's weird design.
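The open question running through this thread, whether the image inside the update .exe (and the payload seen on the USB bus) is encrypted or merely looks unlike the Cirrus sample binaries, can be checked with a few blob heuristics rather than by eye. The script below is an added example, not code from anyone in this thread; the two sample blobs are constructed, the thresholds are rules of thumb, and it assumes classic 32-bit ARM code (Thumb code would not score on the condition-field check).

```python
import math
import random
import re
import struct

# Added example, not from the thread: heuristics for a dumped firmware blob
# (update .exe, USB capture or flash chip) to judge whether it is plain ARM
# code or encrypted/compressed. Thresholds are rules of thumb, and Thumb
# (16-bit) code would not score on the condition-field check below.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 means encrypted or compressed, plain code is lower."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def arm_always_fraction(data: bytes) -> float:
    """Share of little-endian 32-bit words whose condition field is AL (0xE).
    Most ARM32 instructions are unconditional, so real code scores high;
    random or encrypted bytes land near 1/16."""
    nwords = len(data) // 4
    if nwords == 0:
        return 0.0
    words = struct.unpack("<%dI" % nwords, data[: nwords * 4])
    return sum(1 for w in words if (w >> 28) == 0xE) / nwords

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs of at least min_len bytes, like the 'strings' tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(data: bytes) -> str:
    if shannon_entropy(data) > 7.9:
        return "encrypted or compressed"
    if arm_always_fraction(data) > 0.5:
        return "plain ARM code"
    return "other data"

# Constructed samples: five real ARM encodings (push, mov, ldr, add, bx lr)
# repeated, plus one menu string, versus seeded pseudo-random bytes.
_ARM_WORDS = [0xE92D4010, 0xE3A00000, 0xE5910000, 0xE2800001, 0xE12FFF1E]
SAMPLE_ARM = struct.pack("<500I", *(_ARM_WORDS * 100)) + b"Nomad II Menu\0\0\0"
_rng = random.Random(1)
SAMPLE_RANDOM = bytes(_rng.randrange(256) for _ in range(16384))

if __name__ == "__main__":
    for name, blob in (("arm", SAMPLE_ARM), ("random", SAMPLE_RANDOM)):
        print(name, round(shannon_entropy(blob), 2), classify(blob))
```

Run it against the dump from the .exe, the reassembled USB payload and (once the socket problem is solved) the flash contents; if all three score as high-entropy with no strings, the scrambling happens before the bytes reach the bus, which narrows down where to look.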
