Mini0801 Hacking (Hardware and Software)

Have you had a chance to map memory locations for the hardware (switches, audio mic, speaker, g-sensor, GPS, display, SD-card flash, etc.)? I'd guess the chipset handles most of the image sensor to video RAM functions, maybe even the encoding/decoding.
 
Well, the most interesting thing is that I can use RFS sections from different firmware releases (they have different offsets and lengths for each file) with one prkernel release. So I assume that the addresses are not hardcoded, and therefore I should be able to create a valid RFS.
 
romfs header documentation (pseudo code):
Code:
romfs_header {
    romfs_meta_header(size:2048) {
        /* Alignment to 2K is general from nand and nor */
        file_count:
            length: 4
        magic:
            static val: 0x66fc328a
            length: 4
        padding:
            length: 2040
    }
    
    romfs_file_header(size:128) {
        name:
            length: 116
        offset:
            length: 4
        size:
            length: 4
        magic:
            static val: 0x2387ab76
            length: 4
    }
}

+Bonus: I found a very interesting C file in the 2013 SDK called host_romfs_gen, and it seems to be responsible for creating the RFS section :D
Just need to study its code now.

edit....

I think I got it:
Code:
    for (l = romfs_parsed.list; l; l = l->next) {
        l->offset = offset;
        l->padding = (ROMFS_DATA_ALIGN - (l->size % ROMFS_DATA_ALIGN));
        offset = offset + l->size + l->padding;
    }

and one more edit:
simplified:
DATA_ALIGN = 2048
size = filesize
therefore:
Padding = 2048 - (size%2048)
 
Tobi@s said:
I think I got it:
Code:
    for (l = romfs_parsed.list; l; l = l->next) {
        l->offset = offset;
        l->padding = (ROMFS_DATA_ALIGN - (l->size % ROMFS_DATA_ALIGN));
        offset = offset + l->size + l->padding;
    }

and one more edit:
simplified:
DATA_ALIGN = 2048
size = filesize
therefore:
Padding = 2048 - (size%2048)

Yay! That solved my problem. Now I'm able to create valid RFS sections :D
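The header layout and padding rule posted above, put together as a section builder and a validating parser. This is an added example, not code from the thread or from the SDK's host_romfs_gen. Little-endian fields, 0xFF fill bytes, offsets counted from the start of the section, and the `table_size` parameter (room reserved for the file headers) are assumptions.

```python
import struct

META_MAGIC = 0x66FC328A            # magic values from the posted header documentation
FILE_MAGIC = 0x2387AB76
META_SIZE, ENTRY_SIZE, DATA_ALIGN = 2048, 128, 2048
ENTRY = struct.Struct("<116sIII")  # name, offset, size, magic (little-endian assumed)

def padding(size):
    # Same rule as the quoted loop: an already aligned file still gets a full 2048-byte pad.
    return DATA_ALIGN - (size % DATA_ALIGN)

def build(files, table_size=2048):
    """files: list of (name, bytes); table_size: space reserved for file headers (assumed)."""
    if len(files) * ENTRY_SIZE > table_size:
        raise ValueError("file header table too small")
    meta = struct.pack("<II", len(files), META_MAGIC).ljust(META_SIZE, b"\xff")
    table, blob, offset = b"", b"", META_SIZE + table_size
    for name, data in files:
        table += ENTRY.pack(name.encode("ascii"), offset, len(data), FILE_MAGIC)
        blob += data + b"\xff" * padding(len(data))
        offset += len(data) + padding(len(data))
    return meta + table.ljust(table_size, b"\xff") + blob

def parse(image, table_size=2048):
    """Check magics, bounds and alignment before trusting any offset; return {name: data}."""
    if len(image) < META_SIZE:
        raise ValueError("truncated meta header")
    count, magic = struct.unpack_from("<II", image, 0)
    if magic != META_MAGIC:
        raise ValueError("bad meta magic")
    if count * ENTRY_SIZE > table_size or META_SIZE + table_size > len(image):
        raise ValueError("file_count does not fit the header table")
    out = {}
    for i in range(count):
        name, off, size, fmagic = ENTRY.unpack_from(image, META_SIZE + i * ENTRY_SIZE)
        if fmagic != FILE_MAGIC:
            raise ValueError(f"entry {i}: bad file magic")
        if off % DATA_ALIGN or off < META_SIZE + table_size or off + size > len(image):
            raise ValueError(f"entry {i}: offset/size out of bounds")
        out[name.rstrip(b"\x00").decode("ascii")] = image[off:off + size]
    return out
```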
 
Cool. Does this also correct the audio problems you found with AVI recording?
 
No, that's a completely different problem that I'll most likely never be able to fix.
 
Damnit.... Seems that the latest firmwares (2014/02/22) got some RFS section related changes. I see more padding data and the kernel won't finish booting with modified RFS sections. All modified RFS sections throw an ARM exception.

No clue why they did change something and how to fix it, yet.
Issue solved. File information header length is 8192.
 
Next interesting binary is strings.bin, which contains all language-related texts. Niko translated a documentation for me which contains information about the file header. Unfortunately the mini0801 has a lot more unknown data (in the data sections) than documented.

Progress shown below is based on Niko's translation. Thanks again for translating :D
 
Guess I got some more info on the unknown data. I counted it (using the hex editor of course) and I get 3768 bytes "in front" of every language section. Since every number is stored in 4 bytes, I divide 3768 by 4 and get the magic number 942.
Why is 942 special? The header of strings.bin tells me that every language section contains 942 different strings. So... What could these 942 4-byte-long numbers tell us? Maybe it's the offset of every string relative to the language offset + this header with 3768 bytes or something like that. Not sure yet.

Edit: Yep. That's it.
 
Rewrote strings.bin decompiling/compiling algorithm and did a quick test - any string lengths are possible, would be perfect for translating I guess :D


Some info: Strings are stored in UTF-16BE encoding, every character has 2 bytes which are reversed.
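The per-language offset table described in the posts above (one 4-byte number per string, 942 of them making 3768 bytes), as a pack/unpack pair that recomputes the offsets so string lengths can change. This is an added example, not the code of strings.jar. Little-endian offsets that start at 0 right after the table, strings that end where the next one begins, and the `encoding` byte order are assumptions.

```python
import struct

def pack_section(strings, encoding="utf-16-le"):
    """Build one language section: offset table followed by the encoded strings."""
    offsets, body = [], b""
    for s in strings:
        offsets.append(len(body))          # relative to the end of the offset table
        body += s.encode(encoding)         # 2 bytes per character for BMP text
    return struct.pack(f"<{len(strings)}I", *offsets) + body

def unpack_section(section, count, encoding="utf-16-le"):
    """Read `count` strings, rejecting offsets that point outside the section."""
    table_len = 4 * count                  # 942 strings -> 3768 bytes, as counted in the post
    if len(section) < table_len:
        raise ValueError("section shorter than its offset table")
    offsets = struct.unpack_from(f"<{count}I", section, 0)
    body = section[table_len:]
    ends = offsets[1:] + (len(body),)      # assumed: string i ends where string i+1 starts
    out = []
    for i, (start, end) in enumerate(zip(offsets, ends)):
        if start > end or end > len(body) or (end - start) % 2:
            raise ValueError(f"string {i}: bad offset range {start}..{end}")
        out.append(body[start:end].decode(encoding))
    return out

# Constructed sample strings, not taken from a real strings.bin.
SAMPLE = ["Menu", "Auflösung", "", "Loop recording"]
```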
 
Strings.bin decompiler/compiler first beta - tested and working:

Usage:
First decompile a strings.bin file
java -jar strings.jar decompile /path/to/strings.bin
This command will generate a strings.head and strings.csv file in the directory where strings.bin is located. Do not edit strings.head. Open strings.csv with Notepad++ (or anything like that - or import the file into Excel using pipe | as split character) and modify the language vars. You can use longer or shorter texts than the original. No problem.

When you have finished modifying strings.csv, run strings.jar again:
java -jar strings.jar compile /path/to/ (don't use a file as path, just enter the path where strings.head is located)
This will generate a file called stringscompiled.bin which can be used with RomKitchen (build an RFS section with this strings binary - don't forget to rename it)

v0.1: http://dc.p-mc.eu/romkitchen/strings.jar
 
I just got my camera and I have noticed that the motion capture feature cuts out REALLY fast. Like after 15 seconds.

So it cuts out just sitting at a light. How hard do you think it would be to extend that? I realize that is probably fairly deep in the assembly language but... Then again, maybe there is a simpler solution to my issue.

Awesome work by the way!
 
If you could tell me the exact time value I could give it a try
 
Sorry, it is currently set to 10 seconds. Yes, 1 minute would be ok, really though, 2-3 would be better.
 
jokiin, you worked with them, right? Maybe you can suggest making it configurable in their next update? ;)
 
It's not something they'd likely be able to offer a user configurable option for, don't think this is supported in the SDK, a longer value may be possible, would certainly be more practical at least
 
@Tobi@s

Great work (Tolle Arbeit - vielen Dank für deinen Support)
here is a complete translation file (German/English) for the 2040308 firmware.

What I do not understand within the settings: Picture size: does this mean the image size or the distance from the camera to the focus point? I personally interpret this setting as photo quality/size.
 
