hook_setup [gmEmu]

Hooking your way inside Gmini

This addresses the problem of modifying Archos firmware to make it run your own code.

The proposed method is to redirect the call made when a wave file is played so that it jumps to an address of your choice. That address is where you'll flash your code. The following method is reported to succeed with the Gmini SP, firmware 1.3. Here we go…

1. Extract the AAZ file (src/unpack x.AOS) & get the listing (src/disasm -l x.aaz)

2. Search for the following piece of code:

03A532:( 137) AAA2 3FD1: LD A10, #data_223FD1
03A536:( 002) 1006     : LD R0, #6H
03A538:( 013) 7020     : LDB @[A10 + 0H], R0
03A53A:( 137) AA85 FD4E: LD A10, #data_05FD4E
03A53E:( 063) 8DF0 FFFE: LD R0, #fffeH
03A542:( 007) 5020     : LDW @[A10 + 0], R0
03A544:( 030) 82D1     : LD R2, R1
03A546:( 120) 9FC4 2836: JSR wavDecInit
03A54A:( 054) 84F2 00FF: AND R2, #00FFH
03A54E:( 029) 82C9     : CMPEQ, R2, R9
03A550:( 160) D802     : BRT rel_03A556
03A552:( 002) 1201     : LD R2, #1H

03A554:( 156) C841     : BRA rel_03A5D8
rel_03A556:   RJUMP 0x03A550

“LD A10, #data_223FD1” is found only three times in there, so look for it then check “LD R0, #6H”.

3. Hack it

In the aaz file, replace “9FC4 2836” with “9FCx xxxx”, where the x digits are the address where you'll flash your code. Take care to choose an address after the end of Archos’ firmware, and on a 0x1000 boundary. For example, I wrote “9FC7 0000”. Take note that 0x70000 is ok only on the SP!

Fix up the checksum. Use fixazz <aazfile>.

4. Flash it!

IMPORTANT: Safety measure! Test the newly created aaz file in the graphic emulator!

Put the aaz file in the root of the Gmini filesystem. Take a deep breath… everything is gonna be ok :)

5. Test it.

Everything should be the same as before, except for playing wav files (mp3 and wma are still played). I advise against playing .wav files until you have put some code of your own at the target address.

6. You are now ready to flash your very own aaz files. Use the address above as the load address. The good thing is that from now on you’ll flash only after Archos’ code and thus be safe. So have fun running code on the gmini. :)
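A pre-flight check for steps 2 and 3, written as an added example (not part of the original page or of the gmEmu tools): it parses the disasm listing, confirms that exactly one JSR wavDecInit follows the marker pair, and builds the replacement words only for a target that is aligned and past the firmware. The word layout is inferred from the page's “9FCx xxxx” pattern and its “9FC7 0000” example; `firmware_end` is a value you supply yourself.

```python
import re

# Excerpt of the step-2 listing as it appears on this page.
SAMPLE = """\
03A532:( 137) AAA2 3FD1: LD A10, #data_223FD1
03A536:( 002) 1006     : LD R0, #6H
03A538:( 013) 7020     : LDB @[A10 + 0H], R0
03A53A:( 137) AA85 FD4E: LD A10, #data_05FD4E
03A53E:( 063) 8DF0 FFFE: LD R0, #fffeH
03A542:( 007) 5020     : LDW @[A10 + 0], R0
03A544:( 030) 82D1     : LD R2, R1
03A546:( 120) 9FC4 2836: JSR wavDecInit
"""
# Listing line layout: address:( n) WORD [WORD]: mnemonic
LINE = re.compile(r"^([0-9A-F]{6}):\(\s*\d+\)\s+((?:[0-9A-F]{4}\s*)+):\s*(.+?)\s*$")

def parse_listing(text):
    """Return [(address, [words], mnemonic)] for every instruction line."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((int(m.group(1), 16), m.group(2).split(), m.group(3)))
    return out

def find_hook_site(insns, window=8):
    """Locate the JSR wavDecInit that follows the step-2 marker pair."""
    hits = []
    for i in range(len(insns) - 1):
        if (insns[i][2] == "LD A10, #data_223FD1"
                and insns[i + 1][2] == "LD R0, #6H"):
            for addr, words, text in insns[i + 2:i + 2 + window]:
                if text == "JSR wavDecInit":
                    hits.append((addr, words))
                    break
    if len(hits) != 1:
        raise ValueError(f"expected exactly one hook site, found {len(hits)}")
    return hits[0]

def jsr_words(target, firmware_end):
    """Encode '9FCx xxxx' (layout inferred from the page's 9FC7 0000 example)."""
    if not 0 <= target <= 0xFFFFF:
        raise ValueError("target does not fit the five hex digits of 9FCx xxxx")
    if target % 0x1000:
        raise ValueError("target is not on a 0x1000 boundary")
    if target < firmware_end:  # firmware_end is supplied by the caller
        raise ValueError("target overlaps the Archos firmware")
    return [f"{0x9FC0 | (target >> 16):04X}", f"{target & 0xFFFF:04X}"]
```

If `find_hook_site` raises, the listing does not match the firmware this page describes and the file should not be patched.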

  hook_setup.txt · Last modified: 2005/01/24 17:25