Thanks! The main problem I had was conflicts with the 'patch' peripheral during the erase/write. This peripheral allows for a small virtual overlay in memory space. It was used in previous devices to fix small bugs by overwriting a couple of words in the ROM. As all the flashing code needs to live in SRAM during flashing, the vector table needs to be patched to point to the code in SRAM. During the erase/write cycle you need to poll the values on certain addresses to figure out success - and if you haven't correctly disabled the patch overlay that can go wrong. That was how I got my first brick :)
Thanks! Does it mean I can now upload tracks to the mz-rh1 without using their ugly piece of software? Or is this still impossible due to the use of cryptographic keys?
The firmware in a sense does not change anything regarding connectivity (for now). If you want to record normal MD, just use Web MiniDisc Pro. For HiMD, I recommend the Electron version of Web MiniDisc Pro, but it's not yet as stable as SonicStage (due to the complexity of Sony's system).
A lot of reverse engineering and guesswork actually!
One of the parts when writing extensions for a device from which you've only extracted a firmware blob from memory space is to understand as much as possible from the memory layout, and possible memory mappings. With HiMD MiniDisc recorders, they don't just have to bring up the MCU on boot, but also the VME (Virtual Mobile Engine / DSP).
As such, during my investigation I found a bit of code mapped to an unknown memory area 0x0081_0000. It contained what seemed to be a vector table, code for bootstrapping the system, and then some USB code with a small protocol to do some debug operations. The code was written as if it was supposed to live at address 0x00 (which is where the Flash is mapped to in normal conditions).
As such, to me this seemed to clearly be a bootrom that could be activated in some condition. The question was, how?
Sony has always been protective of their hardware, and as such they have been careful in the service manual documentation of their NetMD/HiMD devices and renamed any pin/pad that could be potentially dangerous (as in, giving more control to users than they should have). Of course, if you look for nonsensical names, that brings you directly to the interesting pins :) That's how I isolated JTAG (though figuring out how to get it working and the right pinout was another story). The HSALF pin stood out as well; somehow I sort-of recognised the name, but I did not know how until I realised it stood for FLASH in reverse. Basically, it was pulled up, activating the flash. Pulling it down activated the bootrom.
The other pin that has to be bridged is related to the power IC. If not asserted by the MCU it will shut off. In bootrom mode or JTAG the MCU will not do this, so you need to force the power IC to stay alive.
> As such, during my investigation I found a bit of code mapped to an unknown memory area 0x0081_0000. It contained what seemed to be a vector table, code for bootstrapping the system, and then some USB code with a small protocol to do some debug operations. The code was written as if it was supposed to live at address 0x00 (which is where the Flash is mapped to in normal conditions).
Is this something you can pattern-match directly from the assembly, or was this disassembled to C or so?
Yes, it is now possible on many Sony Portables thanks to firmware reverse engineering efforts and custom homebrew code. Most of the functionality is available directly in Web MiniDisc Pro.
Has anyone made any headway into MD DATA itself and/or trying to dump from a portable audio player?
I'd love to see what I can pull from some MD DATA stuff I've got from an old DATA EATA and a Sharp Viewhunter camera that I just can't track down the damn weird proprietary cable for that shoots on MD.
Not yet. There have been some experiments with this in mind, but nothing practical yet that allows dumping data discs. Considering that we have large control over the firmware, it should become possible with more work (and time).
> Web MiniDisc Pro (WMDpro)[0][1] is a web app that can copy (almost) any audio file onto a Sony MiniDisc using the NetMD USB protocol. It can also manage tracks, erase discs, and enable new features that extend the MD format. It is a complete replacement for Sony's SonicStage (except Hi-MD modes.)[2]