S1giveio
From S1MP3 Wiki
About
s1giveio is an LGPL-licensed Win32 CLI tool to analyze and debug the s1mp3 player's hardware.
It may look familiar to you, since it is designed like the traditional MS-DOS "debug" console.
NOTE: There is a new debug console available which offers much more functionality, but requires you to attach a hardware debug interface: S1debug
Features:
- real-time access to the player's hardware (ROMs, displays, flash chips, radio controller, ...)
- upload and execution of files with the possibility to return to the console (if the executed code returns)
- reading/writing from/to memory addresses or ports
- disassembling of memory
Download it
- From www.s1mp3.de (original release)
- From our OpenSVN repository (out of date, opensvn is offline anyway)
- From the sourceforge svn (first linux port attempt)
- From PulkoMandy's svn (working linux port)
Run it
Windows
Follow these steps if you haven't installed the "Swan ADFU driver" (libusb) yet:
1. Connect your player to the PC and put it into firmware-update mode, either by choosing this option in the configuration menu or by shorting the right pins of the flash chip.
2. If it asks for a driver, go to step 3. Otherwise open the Device Manager window, choose the ADFU driver from the USB device list and select driver update. Tell Windows you will select the driver manually.
3. Browse to the driver folder inside the s1giveio zip file and select the inf file.
4. Verify that the new "Swan ADFU driver" (libusb driver) has been loaded (you may have to turn it off and repeat step 1).
5. Have fun with s1giveio.
Linux
First build it:
make -f Makefile.s1giveio
You need a g++ compiler with support for C++11 (any recent gcc installation will do), as well as the as-z80 assembler.
When everything is done you should get the s1giveio/s1giveio binary.
Make sure the "generic SCSI module" is loaded:
modprobe sg
Plug in your device and look in /dev for the /dev/sg(0,1,2?) device created for it. Then run s1giveio and start hacking! s1giveio will switch the player to firmware mode by itself.
Running programs with s1giveio
- Make sure you don't corrupt the stack
- End your program with a ret
Snapshot
s1giveio v1.2 - some small debug console to access the players hardware
copyright (c) 2006 wiRe - http://www.s1mp3.de/ - LGPL

give access to the device...
found 5 busses
giveio version: 1.01

use command '?' for help!
-?
unassemble memory               u [address] [size]
dump memory                     d [address] [size]
enter data into memory          e address d0 [d1] [d2] [d3]...
fill memory with patterns       f address times d0 [d1] [d2]...
multiply read same address      r address [times]
multiply write same address     w address d0 [d1] [d2] [d3]...
read from input port            i [port] [size]
write to output port            o port d0 [d1] [d2] [d3]...
dump memory to txt-file         t [address] [size]
dump memory to bin-file         b [address] [size]
load bin-file into memory       l [address]
call address                    c [address] [max_time]
execute bin-file                x [address] [max_time]
quit this program               q
-d8000
8000 C3 30 80 00 30 00 51 0C - 20 03 03 02 D6 10 51 FF  ├0Ç.0.Q. ...╓.Q
8010 41 63 74 6F 73 40 41 63 - 74 69 6F 6E 73 00 00 00  Actos@Actions...
8020 47 6F 6E 67 65 65 2E 5A - 68 61 6E 67 00 00 00 00  Gongee.Zhang....
8030 3E A2 D3 4E 3E 01 D3 04 - F3 ED 56 AF D3 27 3E 80  >ó╙N>.╙.≤φV»╙'>Ç
8040 D3 42 DB 70 F6 30 D3 70 - 3E F7 D3 05 31 00 4F 3E  ╙B█p÷0╙p>≈╙.1.O>
8050 10 D3 00 21 00 81 11 00 - 40 01 00 0C ED B0 CD 13  .╙.!.ü..@...φ░═.
8060 40 A7 CA 00 00 21 00 90 - 11 00 00 01 00 0C ED B0  @º╩..!.É......φ░
8070 31 00 01 C3 00 00 76 00 - 00 00 00 00 00 00 00 00  1..├..v.........
-u8000 3
8000 C3 30 80    JP 8030h
-u8030
8030 3E A2       LD A,A2h
8032 D3 4E       OUTA (4Eh)
8034 3E 01       LD A,01h
8036 D3 04       OUTA (04h)
8038 F3          DI
8039 ED 56       IM 1
803B AF          XOR A
803C D3 27       OUTA (27h)
803E 3E 80       LD A,80h
8040 D3 42       OUTA (42h)
8042 DB 70       INA (70h)
8044 F6 30       OR 30h
8046 D3 70       OUTA (70h)
8048 3E F7       LD A,F7h
804A D3 05       OUTA (05h)
804C 31 00 4F    LD SP,4F00h
-
How does it work
S1giveio first enters ADFU mode (either [SOFTADFU] or [HARDADFU]) and uses ADFU commands to load and run the giveio executable. This program takes over control of the USB port and communicates with its own protocol.
The same giveio system is used by many other tools developed by wiRe, since it allows you to do almost anything with the device.
Giveio commands
As in ADFU mode, the commands are sent using the USB Mass Storage protocol, so they are formatted like SCSI commands. However, older versions of Giveio used commands shorter than 6 bytes. This works fine on Windows but completely messes up the Linux mass storage driver, so the Linux port changed this by adding some padding.
- p - Read/Write ports
'P' portNumber (4 bytes padding)
'P' portNumber data (3 bytes padding)
Read or write data to a z80 I/O port. Port and data are embedded in the command directly.
- m - Read/write memory
'm' addr.low addr.high (3 bytes padding)
Read or write data in the z80 memory space. The address is 16 bits, sent LSB first. The data itself is sent in the data part of the SCSI command.
Data is split into 0x400-byte chunks and sent with multiple commands.
- d - DMA access
'd' addr.low addr.high addr.low addr.high memsel dmamode (no padding)
Read or write using DMA. Transfers are split into 0x400-byte chunks as well.
- X - Execute
'X' addr.low addr.high (3 bytes padding)
Call code at the given address. The code can return to giveio using the RET instruction, so it can leave something in memory for later analysis.
- R - Reset
'R' (5 bytes padding)
Reset the device to exit giveio mode.
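The padded 6-byte layouts of the 'm', 'X' and 'R' commands and the 0x400-byte chunking described above, as an added C++ example that is not taken from the s1giveio source. It assumes the padding bytes are zero and that each chunk's command carries the advanced address; neither is stated on this page, and all function and type names are hypothetical.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example, not s1giveio source. Padding value 0x00 is an assumption.
using std::uint8_t; using std::uint16_t;
using Cdb = std::array<uint8_t, 6>;    // padded command block, 6 bytes
constexpr std::size_t kChunk = 0x400;  // chunk size stated on the page

// 'm' addr.low addr.high + 3 bytes padding (address LSB first)
Cdb memCommand(uint16_t addr) {
    return Cdb{{'m', uint8_t(addr & 0xFF), uint8_t(addr >> 8), 0, 0, 0}};
}

// 'X' addr.low addr.high + 3 bytes padding
Cdb execCommand(uint16_t addr) {
    return Cdb{{'X', uint8_t(addr & 0xFF), uint8_t(addr >> 8), 0, 0, 0}};
}

// 'R' + 5 bytes padding
Cdb resetCommand() { return Cdb{{'R', 0, 0, 0, 0, 0}}; }

struct MemChunk {
    Cdb cdb;             // command block for this chunk
    std::size_t offset;  // offset into the caller's buffer
    std::size_t length;  // bytes carried as SCSI data, at most kChunk
};

// Split one memory transfer into per-command chunks.
// Assumption: each chunk's command carries the advanced address.
std::vector<MemChunk> planMemTransfer(uint16_t addr, std::size_t size) {
    if (size == 0) throw std::invalid_argument("empty transfer");
    // Reject transfers that would wrap around the 16-bit address space.
    if (size > 0x10000u - addr)
        throw std::out_of_range("transfer runs past 0xFFFF");
    std::vector<MemChunk> plan;
    for (std::size_t off = 0; off < size; off += kChunk) {
        std::size_t len = (size - off < kChunk) ? size - off : kChunk;
        plan.push_back({memCommand(uint16_t(addr + off)), off, len});
    }
    return plan;
}
```

The 7-byte 'd' command and the port command are left out because the page does not give enough detail to encode them unambiguously.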
Authors
s1giveio was developed by wiRe - s1mp3.de
Linux port by PulkoMandy