SoniqCast Aireo / Element Electronics Aireo MP3 Player

* UPDATED! (03/12/06) 3GB and 4GB Cornice Drives!*

Hacking and Exploring the
SoniqCast / Element Electronics Aireo
SQ-1000 MP3 Player (with 802.11b Wireless capabilities)

Last update: 03/12/06
Last to Last update: 08/21/05
Last Last Last update: 08/11/05
Last Last Last to Last update: 07/07/05
Last Last Last to Last to Last update: 06/14/05
Last Last Last to Last to Last to Last update: 03/03/05
(Getting annoying yet?)

Currently Your #1 Source for Aireo
(and Aireo2) Information, News, and "Secrets" (wtf!?)

Why the Aireo? And why is this page here?

I bought the Element Electronics/SoniqCast Aireo MP3 player in December of 2004 from an eBay seller after looking around for an MP3 player and blatantly disregarding the (still somewhat expensive) iPod. This page is just sort of my own research journal, and for anyone else that cares to read anything I write. Those of you that are also interested in the inner workings of the Aireo should email (mozy@[deleteme]mozy.org) me if you have any questions comments or ideas. This page is continually in progress so nothing is final. (Disclaimer: As of right now I have no intentions of figuring out a way to put Linux on this little device. What you see here is experimental and an ongoing learning process. Do not try this at home.)

0. Latest Info Gathered
1. Specs and Review of Specs.
2. (OLD) Hardware/Firmware hacking research.
3. INTERNAL PICTURES! (My de-virginized Aireo)

Entry Legend:

FOUND/LEARNED SOMETHING GOOD.

GETTING SOMEWHERE...

NO LUCK / NO SUCCESS / NOTHING NEW

MISC.

[ 0 ]
NEWEST STUFF:

03/12/2006 - 7PM - Finally an update. So how about that Hard-Drive upgrade?

Ok, wow, its been FOREVER since I last updated this page. Anyway, on to the news:

I acquired 2 Cornice "Storage Elements" (SE's or mini Hard-Drives) from an anonymous source (outside of Cornice Co.). Lets just say they are used in the semi-new Archos GMini XS 100 MP3 players. =) The SE's are 3GB and 4GB in size and are identical to the original 1.5GB Aireo HD, here's a picture of them:

SO... on the important details. Do these drives work when placed inside the Aireo? The very short answer: NO. After taking out the original 1.5GB Aireo drive and doing a quick visual inspection, the drives and cabling and all the electronics look exactly identical. Upon connecting the drives to the Aireo's electronics and turning on the player, I got the usual and very unwelcome message telling me there's no music on the drive. I connected the Aireo's USB plug to my PC and the Aireo came up as a "Aireo USB Drive" but did not get a drive letter. The drive did not show up in Disk Management in Windows XP. SO basically, the Aireo doesn't recognize the 3GB or 4GB drives (hardware properties showed the "removable storage" as being 0MB in size). It could be a hardware or firmware limitation, I have no clue. But quite a number of people asked me if it's possible to replace the Aireo's drive with something bigger and now we all know the answer. Thats it for this update.

08/21/2005 - 5PM - Updates galore...and a SPECIAL SURPRISE! (Free stuff!)

       Hey, time for another update. This time thanks goes out to fellow Aireo hackers Mathias Dietz and drizzle who have inspired me to do some more research. Mathias has written me an e-mail in which he showed me his new Java-based Aireo MP3 syncing software that he wrote, its a nice piece of code and now all you Linux guys don't have to fret because you don't need the stinking "SoniqSync" anymore! He wrote a parser for Aireo's special SPL playlist format and made it a breeze to do everything SoniqSync does (in Windows only). Mathias's website is right here: http://www.dietzm.de/blog/index.html, you can ask him about the software yourself maybe he'll send you a copy. Thanks Mathias!
    drizzle fired off a very nice E-Mail to me as well in which we discussed the bottom connector on the Aireo. It's a unique connector and I mentioned there is a possibility of a serial connection being built into that. I have been unable to find a supplier for these plugs so I'm S.O.L as of right now. I'm going to try to see what else I can figure out concerning the bottom connector. I have been unable to visually trace any kind of connection between the bottom connector and the PCB's but maybe I haven't really given it that hard a look. I'll try again. Theres a very very good chance that the plug has what we are looking for...but right now it's kind of hard to figure out how to get what I need from it. Its a long learning process.
    drizzle also wondered what the Aireo software calls the SD card internally, as everyone might remember the Aireo refers to its HD as "\Disk\" well the SD card is referred to as "\Storage Card\" from what I can pull out of PlayerAppMain.exe.

    And now, the best part of this update and again a very very very greatful thanks to drizzle for this:
A guide to increasing the transmission power/range of your Aireo's FM Transmitter!!
All free, gratis, here in this PDF: http://mozy.org/aireo/Aireo-Tuning.pdf
You typically have to either find this info yourself or go on eBay and pay some guy to sell it to you...but thaanks to drizzle we have this here for you for free! Enjoy! I'll be attempting this mod in the near future.

Thanks to both guys for contacting me, and thanks to everyone else thats contacted me so far. It's always great hearing from fellow Aireo hackers. Everyone has great ideas and lots of enthusiasm for this little device. Here's to progress! - roto/mozy

08/11/2005 - 5PM - Attack the FLASH through JTAG!

Again was bored and decided to do some research, this time on JTAG. I'm not really trying hard to find the pads for the JTAG pins on the PCB but that would be a good idea. This document ( http://www.intel.com/design/pca/applicationsprocessors/manuals/27878002.pdf ) has all the pin-outs for the PXA255 CPU and tells me which pins are for JTAG connections. Obviously there's no JTAG header in plain view so they did hide it a bit. I'm kinda weary of soldering to the microBGA solder pads.....so I want to see if SoniqCast did a good thing and added some separate pads for JTAG connections...time for some tracing...
Here's what I've gathered so far on JTAG pins on the PXA255:

PXA255 microBGA JTAG Test Pins

Name	Pin #
nTRST	H11
TDI	H15
TDO	H16
TMS	H13
TCK	H12
-	-
TEST	G12
TESTCLK	G11

So whats the point of this? Well, I want to see if I can interrupt the Aireo boot process through JTAG communication then possibly load up a different bootloader to ultimately....yep...boot Linux! I didn't really want to but hey why not. Maybe theres a way to dump/reflash the Aireo flash through JTAG communications? This would be of GREAT help incase I tried one of my modified Aireo.bin firmware images and something didn't work right...
So this could be very very useful. Now to stop being lazy and actually make the JTAG cable and find the right JTAG pads....

Some JTAG links for later reference:
http://openwince.sourceforge.net/jtag/
http://lapwww.epfl.ch/dev/arm/jelie/

07/07/2005 - 12AM - QA Test?

Decided to look at PlayerAppMain.exe again in IDA and found some very interesting information. I always suspected there is some kind of option to test Aireo settings because of the random strings that I gathered here and there and now I know, there IS a "test menu" and/or debug feature already built into the PlayerAppMain.exe code...now I gotta figure out a way to START it! I thought it might be some keypad pressing combinations (like some SNES games or something, haha) but dropped that stupid idea after a while... It's hard to tell if this is activated by some outside plug or some kind of trigger or something. I can't even figure out where the subroutine for the testing portion starts! Damn!

Here's what I've found that got me excited and confused again. The testing portion seems to be interactive because it requires physical button presses in certain situations...so this is why I'm thinking it is done ON the Aireo and is visible on the Aireo screen. Or maybe it could be transmitted through the "debug" output...which would be kind of weird. Oh well.:

.data1:000998A4 aQaTestStartVer unicode 0, <QA Test Start: Version %d.%d >,0
.data1:000998A4                                         ; DATA XREF: .text:0001C384o
.data1:000998E2                 ALIGN 4
.data1:000998E4 aStartingQaTest unicode 0, <Starting QA Testing..>,0
.data1:000998E4                                         ; DATA XREF: .text:0001C380o
.data1:00099910 aFreqidCTxDRxD unicode 0, <FreqID: %c TX: %d RX: %d >,0
.data1:00099910                                         ; DATA XREF: .text:0001C370o
.data1:00099948 aPressAnyButton unicode 0, <Press any button to continue>,0
.data1:00099948                                         ; DATA XREF: .text:0001C36Co
.data1:00099982                 DCB    0 ;
.data1:00099983                 DCB    0 ;
.data1:00099984                 DCB    0 ;
.data1:00099985                 DCB    0 ;
.data1:00099986                 DCB    0 ;
.data1:00099987                 DCB    0 ;
.data1:00099988 a___TestingComp unicode 0, <... Testing Complete: FAILED ...>,0
.data1:00099988                                         ; DATA XREF: sub_1C6CC+100o
.data1:000999CC aS_1            unicode 0, < %s >,0     ; DATA XREF: sub_1C6CC+E8o
.data1:000999D6                 ALIGN 4
.data1:000999D8 aPressAnyKeyToC unicode 0, < Press any key to continue >,0
.data1:000999D8                                         ; DATA XREF: sub_1C6CC+E4o
.data1:00099A12                 ALIGN 4
.data1:00099A14 aS_2            unicode 0, <%s>,0       ; DATA XREF: sub_1C6CC+168o
.data1:00099A1A                 ALIGN 4
.data1:00099A1C aQaTestNextStat unicode 0, <QA Test - Next Station >,0
.data1:00099A1C                                         ; DATA XREF: sub_1C6CC+268o
.data1:00099A4C aQaTestD_DStati unicode 0, <QA Test: %d.%d     Station: %d>,0
.data1:00099A4C                                         ; DATA XREF: sub_1C6CC+260o
.data1:00099A8A                 ALIGN 4
.data1:00099A8C aQaTestD_D      unicode 0, <QA Test: %d.%d >,0 ; DATA XREF: sub_1C6CC+354o
.data1:00099AAC                 DCB    0 ;
.data1:00099AAD                 DCB    0 ;
.data1:00099AAE                 DCB    0 ;
.data1:00099AAF                 DCB    0 ;
.data1:00099AB0 aNoYes          unicode 0, <         NO                          YES>,0
.data1:00099AB0                                         ; DATA XREF: sub_1C6CC+350o
.data1:00099B02                 ALIGN 4
.data1:00099B04 aD_DS           unicode 0, < %d.%d: %s>,0 ; DATA XREF: sub_1C6CC+438o
.data1:00099B1A                 ALIGN 4
.data1:00099B1C aQaTest         unicode 0, <   QA Test >,0 ; DATA XREF: sub_1C6CC+4E0o
.data1:00099B36                 ALIGN 4
.data1:00099B38 a____AllTestsCo unicode 0, <.... ALL TESTS COMPLETE ....>,0
.data1:00099B38                                         ; DATA XREF: sub_1C6CC+4DCo
.data1:00099B74 aPlayerStatusPa unicode 0, <Player Status: PASSED>,0
.data1:00099B74                                         ; DATA XREF: sub_1C6CC+4D8o
.data1:00099BA2                 ALIGN 4
.data1:00099BA4 aQaTest_0       unicode 0, <   QA Test >,0 ; DATA XREF: .text:0001CCBCo
.data1:00099BBE                 ALIGN 4
.data1:00099BC0 aNumberOfFailur unicode 0, <Number of Failures: %d >,0
.data1:00099BC0                                         ; DATA XREF: .text:0001CCACo
.data1:00099BF0 aTestingRtc     unicode 0, <Testing RTC>,0 ; DATA XREF: .text:0001CF38o
.data1:00099C08 aInvalidYear    unicode 0, <Invalid Year>,0 ; DATA XREF: .text:0001CF2Co
.data1:00099C22                 ALIGN 4
.data1:00099C24 aInvalidDayofwe unicode 0, <Invalid DayOfWeek>,0
.data1:00099C24                                         ; DATA XREF: .text:0001CF28o
.data1:00099C48 aInvalidDay     unicode 0, <Invalid Day>,0 ; DATA XREF: .text:0001CF24o
.data1:00099C60 aInvalidHour    unicode 0, <Invalid Hour>,0 ; DATA XREF: .text:0001CF20o
.data1:00099C7A                 ALIGN 4
.data1:00099C7C aInvalidMinute unicode 0, <Invalid Minute>,0 ; DATA XREF: .text:0001CF1Co
.data1:00099C9A                 ALIGN 4
.data1:00099C9C aInvalidSecond unicode 0, <Invalid Second>,0 ; DATA XREF: .text:0001CF18o
.data1:00099CBA                 ALIGN 4
.data1:00099CBC aInvalidMillise unicode 0, <Invalid Millisecs>,0
.data1:00099CBC                                         ; DATA XREF: .text:0001CF14o
.data1:00099CE0 aInvalidMonth   unicode 0, <Invalid Month>,0 ; DATA XREF: .text:0001CF10o
.data1:00099CFC aTimeNotUpdatin unicode 0, <Time Not Updating>,0
.data1:00099CFC                                         ; DATA XREF: .text:0001CF04o
.data1:00099D20 aTimeUpdate     unicode 0, <Time Update>,0 ; DATA XREF: .text:0001CF00o
.data1:00099D38 aTesting32kCloc unicode 0, <Testing 32K Clock>,0
.data1:00099D38                                         ; DATA XREF: .text:0001CFE8o
.data1:00099D5C aClockNotStable unicode 0, <Clock Not Stable>,0 ; DATA XREF: .text:0001CFDCo
.data1:00099D7E                 ALIGN 4
.data1:00099D80 aTestingSysmon unicode 0, <Testing SysMon>,0 ; DATA XREF: .text:0001D1ECo
.data1:00099D9E                 ALIGN 4
.data1:00099DA0 aTestingSysmon_ unicode 0, <Testing SysMon..>,0 ; DATA XREF: .text:0001D1E0o
.data1:00099DC2                 ALIGN 4
.data1:00099DC4 aMvChargeLow    unicode 0, <mV Charge Low>,0 ; DATA XREF: .text:0001D1D0o
.data1:00099DE0 aChargeLvlInval unicode 0, <Charge Lvl Invalid>,0
.data1:00099DE0                                         ; DATA XREF: .text:0001D1CCo
.data1:00099E06                 ALIGN 4
.data1:00099E08 aHeadphoneBitLo unicode 0, <HeadPhone Bit Low>,0
.data1:00099E08                                         ; DATA XREF: .text:0001D1C8o
.data1:00099E2C aUsbBitLow      unicode 0, <USB Bit Low>,0 ; DATA XREF: .text:0001D1C4o
.data1:00099E44 aDockBitHigh    unicode 0, <Dock Bit High>,0 ; DATA XREF: .text:0001D1C0o
.data1:00099E60 aChargeBitLow   unicode 0, <Charge Bit Low>,0 ; DATA XREF: .text:0001D1BCo
.data1:00099E7E                 ALIGN 4
.data1:00099E80 aLowBatteryHigh unicode 0, <Low Battery High>,0 ; DATA XREF: .text:0001D1B8o
.data1:00099EA2                 ALIGN 4
.data1:00099EA4 aPortableBitHig unicode 0, <Portable Bit High>,0
.data1:00099EA4                                         ; DATA XREF: .text:0001D1B4o
.data1:00099EC8 aOnadapterBitLo unicode 0, <OnAdapter Bit Low>,0
.data1:00099EC8                                         ; DATA XREF: .text:0001D1B0o
.data1:00099EEC aOnextbatBitHig unicode 0, <OnExtBat Bit High>,0
.data1:00099EEC                                         ; DATA XREF: .text:0001D1ACo
.data1:00099F10 aEngineonBitHig unicode 0, <EngineOn Bit High>,0
.data1:00099F10                                         ; DATA XREF: .text:0001D1A8o
.data1:00099F34 aTestingRxSig_0 unicode 0, <Testing RX Signal>,0
.data1:00099F34                                         ; DATA XREF: .text:0001D318o
.data1:00099F58 aTestingRxSigna unicode 0, <Testing RX Signal..>,0
.data1:00099F58                                         ; DATA XREF: .text:0001D30Co
.data1:00099F80 aRxSignalTooWea unicode 0, <RX Signal Too Weak>,0
.data1:00099F80                                         ; DATA XREF: .text:0001D2FCo
.data1:00099FA6                 ALIGN 4
.data1:00099FA8 aQaTest_1       unicode 0, <   QA Test >,0 ; DATA XREF: .text:0001D3C4o
.data1:00099FC2                 ALIGN 4
.data1:00099FC4 aAutomatedTesti unicode 0, <Automated Testing started...>,0
.data1:00099FC4                                         ; DATA XREF: .text:0001D3C0o
.data1:00099FFE                 ALIGN 4
.data1:0009A000 aIsBacklightOn unicode 0, <Is Backlight ON?>,0 ; DATA XREF: .text:0001D410o
.data1:0009A022                 ALIGN 4
.data1:0009A024 aBacklight      unicode 0, <Backlight>,0 ; DATA XREF: .text:0001D43Co
.data1:0009A038 aIsBacklightOff unicode 0, <Is Backlight OFF?>,0
.data1:0009A038                                         ; DATA XREF: .text:0001D488o
.data1:0009A05C aBacklight_0    unicode 0, <Backlight>,0 ; DATA XREF: .text:0001D4BCo
.data1:0009A070 aBadPixels      unicode 0, <Bad Pixels>,0 ; DATA XREF: .text:0001D528o
.data1:0009A086                 ALIGN 4
.data1:0009A088 aAreAllPixelsBl unicode 0, <Are ALL Pixels BLACK>,0
.data1:0009A088                                         ; DATA XREF: .text:0001D51Co
.data1:0009A0B2                 ALIGN 4
.data1:0009A0B4 aInBlackRegion unicode 0, <In Black Region?>,0 ; DATA XREF: .text:0001D518o
.data1:0009A0D6                 ALIGN 4
.data1:0009A0D8 aNoYes_0        unicode 0, <         NO                          YES>,0
.data1:0009A0D8                                         ; DATA XREF: .text:0001D5E4o
.data1:0009A12A                 ALIGN 4
.data1:0009A12C aBadPixels_0    unicode 0, <Bad Pixels>,0 ; DATA XREF: .text:0001D654o
.data1:0009A142                 ALIGN 4
.data1:0009A144 aAreAllPixels_0 unicode 0, <Are ALL Pixels BLACK>,0
.data1:0009A144                                         ; DATA XREF: .text:0001D648o
.data1:0009A16E                 ALIGN 4
.data1:0009A170 aInBlackRegio_0 unicode 0, <In Black Region?>,0 ; DATA XREF: .text:0001D644o
.data1:0009A192                 DCB    0 ;
.data1:0009A193                 DCB    0 ;
.data1:0009A194                 DCB    0 ;
.data1:0009A195                 DCB    0 ;
.data1:0009A196                 DCB    0 ;
.data1:0009A197                 DCB    0 ;
.data1:0009A198 aNoYes_1        unicode 0, <         NO                          YES>,0
.data1:0009A198                                         ; DATA XREF: .text:0001D6F4o
.data1:0009A1EA                 ALIGN 4
.data1:0009A1EC aMenuKey        unicode 0, <MENU key>,0 ; DATA XREF: .text:0001D7B0o
.data1:0009A1FE                 ALIGN 4
.data1:0009A200 aPressMenuKey   unicode 0, <Press MENU key>,0 ; DATA XREF: .text:0001D7A8o
.data1:0009A21E                 ALIGN 4
.data1:0009A220 aFailsInD       unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D7A4o
.data1:0009A240 aFailsInD_0     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D814o
.data1:0009A260 aModeKey        unicode 0, <MODE key>,0 ; DATA XREF: .text:0001D8A8o
.data1:0009A272                 ALIGN 4
.data1:0009A274 aPressModeKey   unicode 0, <Press MODE key>,0 ; DATA XREF: .text:0001D8A0o
.data1:0009A292                 ALIGN 4
.data1:0009A294 aFailsInD_1     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D89Co
.data1:0009A2B4 aLeftKey        unicode 0, <Left key>,0 ; DATA XREF: .text:0001D940o
.data1:0009A2C6                 ALIGN 4
.data1:0009A2C8 aPressLeftKey   unicode 0, <Press LEFT key>,0 ; DATA XREF: .text:0001D938o
.data1:0009A2E6                 ALIGN 4
.data1:0009A2E8 aFailsInD_2     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D934o
.data1:0009A308 aUpKey          unicode 0, <Up key>,0   ; DATA XREF: .text:0001D9D8o
.data1:0009A316                 ALIGN 4
.data1:0009A318 aPressUpKey     unicode 0, <Press UP key>,0 ; DATA XREF: .text:0001D9D0o
.data1:0009A332                 ALIGN 4
.data1:0009A334 aFailsInD_3     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D9CCo
.data1:0009A354 aRightKey       unicode 0, <Right key>,0 ; DATA XREF: .text:0001DA70o
.data1:0009A368 aPressRightKey unicode 0, <Press RIGHT key>,0 ; DATA XREF: .text:0001DA68o
.data1:0009A388 aFailsInD_4     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DA64o
.data1:0009A3A8 aDownKey        unicode 0, <Down key>,0 ; DATA XREF: .text:0001DB08o
.data1:0009A3BA                 ALIGN 4
.data1:0009A3BC aPressDownKey   unicode 0, <Press DOWN key>,0 ; DATA XREF: .text:0001DB00o
.data1:0009A3DA                 ALIGN 4
.data1:0009A3DC aFailsInD_5     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DAFCo
.data1:0009A3FC aCenterKey      unicode 0, <Center key>,0 ; DATA XREF: .text:0001DBA0o
.data1:0009A412                 ALIGN 4
.data1:0009A414 aPressCenterKey unicode 0, <Press CENTER key>,0 ; DATA XREF: .text:0001DB98o
.data1:0009A436                 ALIGN 4
.data1:0009A438 aFailsInD_6     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DB94o
.data1:0009A458 aRedLedBadRedLe unicode 0, <Red LED: Bad Red LED>,0
.data1:0009A458                                         ; DATA XREF: .text:0001DC40o
.data1:0009A482                 ALIGN 4
.data1:0009A484 aIsRedLedFlashi unicode 0, <Is RED LED Flashing?>,0
.data1:0009A484                                         ; DATA XREF: .text:0001DC34o
.data1:0009A4AE                 ALIGN 4
.data1:0009A4B0 aBadRedLed      unicode 0, <Bad RED LED>,0 ; DATA XREF: .text:0001DD0Co
.data1:0009A4C8 aGreenLedBadGre unicode 0, <Green LED: Bad Green LED>,0
.data1:0009A4C8                                         ; DATA XREF: .text:0001DDA0o
.data1:0009A4FA                 ALIGN 4
.data1:0009A4FC aIsGreenLedFlas unicode 0, <Is GREEN LED Flashing?>,0
.data1:0009A4FC                                         ; DATA XREF: .text:0001DD94o
.data1:0009A52A                 ALIGN 4
.data1:0009A52C aBadGreenLed    unicode 0, <Bad Green LED>,0 ; DATA XREF: .text:0001DDD0o
.data1:0009A548 aGreenLedBadBlu unicode 0, <Green LED: Bad Blue LED>,0
.data1:0009A548                                         ; DATA XREF: .text:0001DE60o
.data1:0009A578 aIsBlueLedFlash unicode 0, <Is BLUE LED Flashing?>,0
.data1:0009A578                                         ; DATA XREF: .text:0001DE54o
.data1:0009A5A4 aBadBlueLed     unicode 0, <Bad Blue LED>,0 ; DATA XREF: .text:0001DE90o
.data1:0009A5BE                 ALIGN 4
.data1:0009A5C0 aDoesRxSignalRe unicode 0, <Does RX Signal Register>,0
.data1:0009A5C0                                         ; DATA XREF: .text:0001DFE0o
.data1:0009A5F0 aNotRecieving   unicode 0, <Not Recieving>,0 ; DATA XREF: .text:0001E068o
.data1:0009A60C aDoesTxSignalRe unicode 0, <Does TX Signal Register>,0
.data1:0009A60C                                         ; DATA XREF: .text:0001E110o
.data1:0009A63C aNotTransmittin unicode 0, <Not Transmitting>,0 ; DATA XREF: .text:0001E198o
.data1:0009A65E                 ALIGN 4
.data1:0009A660 aDoesSpdifSigna unicode 0, <Does SPDif Signal Register>,0
.data1:0009A660                                         ; DATA XREF: .text:0001E238o
.data1:0009A696                 ALIGN 4
.data1:0009A698 aNotFunctioning unicode 0, <Not Functioning>,0 ; DATA XREF: .text:0001E270o
.data1:0009A6B8 aDoesAudioOutSi unicode 0, <Does Audio Out Signal>,0
.data1:0009A6B8                                         ; DATA XREF: .text:0001E2FCo
.data1:0009A6E4 aRegisterOnSJac unicode 0, <Register on %s jack>,0
.data1:0009A6E4                                         ; DATA XREF: .text:0001E2F0o
.data1:0009A70C aNotFunctioni_0 unicode 0, <Not Functioning>,0 ; DATA XREF: .text:0001E348o
.data1:0009A72C aOpenningSessio unicode 0, <Openning Session>,0 ; DATA XREF: .text:0001E540o
.data1:0009A74E                 ALIGN 4
.data1:0009A750 aWifiOpensessio unicode 0, <WiFi: OpenSession>,0
.data1:0009A750                                         ; DATA XREF: .text:0001E538o
.data1:0009A774 aWifiDriverLoad unicode 0, <WiFi: Driver Load>,0
.data1:0009A774                                         ; DATA XREF: .text:0001E534o
.data1:0009A798 aLoadingDrivers unicode 0, <Loading Drivers>,0 ; DATA XREF: .text:0001E530o
.data1:0009A7B8 aWifiConnection unicode 0, <WiFi: Connection>,0 ; DATA XREF: .text:0001E52Co
.data1:0009A7DA                 ALIGN 4
.data1:0009A7DC aConnecting___ unicode 0, <Connecting...>,0 ; DATA XREF: .text:0001E528o
.data1:0009A7F8 aS_13           unicode 0x6F, <s>       ; DATA XREF: .text:0001E524o
.data1:0009A7FA aN              unicode 0x69, <n>
.data1:0009A7FC aQ_0            unicode 0x63, <q>
.data1:0009A7FE aA_1            unicode 0x73, <a>
.data1:0009A800 aT              unicode 0, <t>,0
.data1:0009A804 aConnectSuccess unicode 0, <Connect Successful...>,0
.data1:0009A804                                         ; DATA XREF: .text:0001E520o
.data1:0009A830 aTestingSignalS unicode 0, <Testing Signal Strength..>,0
.data1:0009A830                                         ; DATA XREF: .text:0001E51Co
.data1:0009A864 aUnloadingDrive unicode 0, <Unloading Driver>,0 ; DATA XREF: .text:0001E514o
.data1:0009A886                 ALIGN 4
.data1:0009A888 aClosingSession unicode 0, <Closing Session>,0 ; DATA XREF: .text:0001E510o
.data1:0009A8A8 aDoesTxSignal_0 unicode 0, <Does TX Signal Register>,0
.data1:0009A8A8                                         ; DATA XREF: .text:0001E5C4o
.data1:0009A8D8 aBadUsbBit      unicode 0, <Bad USB Bit>,0 ; DATA XREF: .text:0001E5BCo
.data1:0009A8F0 aBadChargeBit   unicode 0, <Bad Charge Bit>,0 ; DATA XREF: .text:0001E5B8o
.data1:0009A90E                 ALIGN 4
.data1:0009A910 aImproperSetup unicode 0, <Improper Setup>,0 ; DATA XREF: .text:0001E668o
.data1:0009A92E                 ALIGN 4
.data1:0009A930 aDidDriveLetter unicode 0, <Did drive letter show on PC?>,0
.data1:0009A930                                         ; DATA XREF: .text:0001E65Co
.data1:0009A96A                 ALIGN 4
.data1:0009A96C aImproperSetu_0 unicode 0, <Improper Setup>,0 ; DATA XREF: .text:0001E704o
.data1:0009A98A                 ALIGN 4
.data1:0009A98C aWasRedLedOn    unicode 0, <Was RED LED ON>,0 ; DATA XREF: .text:0001E6F8o
.data1:0009A9AA                 ALIGN 4
.data1:0009A9AC aBeforePowerup unicode 0, <    before PowerUp?>,0
.data1:0009A9AC                                         ; DATA XREF: .text:0001E6F4o
.data1:0009A9D4 aResetFailure   unicode 0, <Reset Failure>,0 ; DATA XREF: .text:0001E7BCo
.data1:0009A9F0 aPressResetButt unicode 0, <Press RESET button on back>,0
.data1:0009A9F0                                         ; DATA XREF: .text:0001E7B4o
.data1:0009AA26                 ALIGN 4
.data1:0009AA28 aIfPlayerPowers unicode 0, <If player powers off>,0
.data1:0009AA28                                         ; DATA XREF: .text:0001E7B0o
.data1:0009AA52                 ALIGN 4
.data1:0009AA54 aThenThisTestPa unicode 0, <   then this test passed.>,0
.data1:0009AA54                                         ; DATA XREF: .text:0001E7ACo

I'm also thinking more about editing stuff and finally uploading it to the Aireo... I want to just edit one or two bytes and insert PlayerAppMain.exe back into Aireo.bin and then do a compare to see what's changed...it has to be done just right. I also have to buckle down and figure out how to re-compress Aireo.bin after dumping it... So i'm thinking "Thanks for choosing Aireo!" in the "About" menu is a good starting candidate to edit... it's stored at offset 0x00085250 in PlayerAppMain.exe ...heh...I guess this will be my first modification target. Simple yet profound (not!). I'm used to debugging x86 but this ARM stuff is a little bit tough for me still...and the fact that I rarely if ever used IDA doesn't help. Still trying to figure out where a function gets entered into..like when a call is made to go to the "About" part of the program...ugh I feel dumb.

I also went back to SoniqSync.exe in IDA and tried to find some kind of trigger for Aireo's QA Test function...nothing... Obviously Arden has debug output features already but they are PC side only it seems...they don't do any kind of real-time Aireo interaction. Would have been nice though. Back to the drawing board.

06/14/2005 - 9PM - SoniqCast Aireo 2 Coming Q3-2005 from...Tao?

Well it looks like the Aireo2 will finally see the light of day in the form of a yet un-named "Wireless MP3 player" from Tao (http://taolife.com/tao-main.html). Looks like Tao is the maker of XM2GO, so hopefully this is good news for our Aireo2 . The page has some nice images of the player in black (looks sexier than the first Aireo2 pics in white).
I guess I need to get off my butt and get back to Aireo hackin' because from the looks of it, the technology behind Aireo2 will be pretty similar. I can't wait for this thing to come out, even if it will cost $349.99....I'll take it.

06/09/2005 - 5PM - Cornice Storage Element roundup.

Decided to look at Cornice's website again to see if anyone new is using their Storage Element (Hard Drive inside the Aireo). First thing that caught my eye was the Seagate/Cornice lawsuit....as I understand it...CORNICE CEASED PRODUCTION OF THE DRIVES?!? What the hell?
On a lighter note...I found a bunch of products that are supposed to use Cornice SE's, here's a list:

Rio Nitrus Urban (Old product, eBay == ~$80) - Uses 1.5GB drive.
Garmin Street Pilot 2620 (Still on sale, Best Buy == ~$999) - Uses 2GB drive.
SigmaTel powered MP3 players...can't find more info on this yet.

IS CORNICE "DEAD BY LAWSUIT"? I hope not...I want that damn Aireo2! (Well wait, Cornice doesn't have any 20GB SE's...and Aireo2 will use a 20GB drive....OK...Cornice is out of the equation.)

06/06/2005 - 9PM - Hmm...playlists?

Wow, EXACTLY three months (and 6 hours) since I updated this page...weeeiirrrdddd. Anyway, decided to play around with the playlists (pun intended). They are stored on the Aireo under \Playlists\ where else? These are not just any standard WinAmp playlists...kinda funky looking. Anyway, all I've got so far is that the 7th byte (Offset 0x6) holds the number of songs in that particular playlist (I'm pretty confident of this fact because 3 of the playlists I checked backed up this finding). Other than that I found out that the Aireo player refers to its drive as "\Disk\" so that might be useful in the future. I'm still wanting to come back to Firmware reversing. Hmm, now that I think about it, this update is pretty pointless. I don't really feel like getting too deep into playlist creation other than the fact that someone asked me if it's possible to make playlists in Linux...since Linux doesn't have SoniqSync it's not that easy. Bah, maybe later.

Decided to look at the connector on the bottom of the Aireo again, too tired to think but here's a pic incase I get inspired in the future:

03/06/2005 - 3PM - Slowdown.

I'm really lagging behind on this little pursuit, too much real-life stuff to do first. But then again, I'm not really in a race with anyone...am I? I don't know of any other person who's as deeply involved in this project as I am. Not to gloat, I just honestly can't find a single other person who's doing what I'm doing. It'd be alot easier if I had some help..heh! My Aireo work directory has reached 236MB...thats a buttload of stuff. Mostly duplicate images of Aireo.bin but alot of other tools and images and stuff too. I need to start working on redesigning this page so that it can actually be of any use.
But anyway, not much progress in the past week or two. I need to refocus my attention onto re-compressing the BIN's extracted using splitrom.pl back to their original size/type so they can be uploaded to the Aireo. I might try updating the Aireo with the newly extracted BIN (it's 30.xxMB's compared to the ready-to-flash BIN that comes with SoniqCast which is about 8MB's.) Although, if I use splitrom.pl to extract the BIN that I need from Aireo.bin and use viewbin.exe, both firmware images are almost exactly identical...EXCEPT for the obvious sizes, here's a comparison:

Differences are bolded and italicized.

ORIGINAL AIREO.BIN

NEW.BIN (UNCOMPRESSED AIREO.BIN)

ViewBin... Aireo.bin
Image Start = 0x80040000, length = 0x0073EE38
        Start address = 0x80041000
Found pTOC = 0x8024E0B8
Checking record #17 for potential TOC (ROMOFFSET = 0x00000000)
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E801F6
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x8077EE38
    RAM Start           : 0x80780000
    RAM Free            : 0x807A9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250FB4
    Num Modules         :         69
    Num Files           :         46
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x80786000   CLen: 0x6FF      DLen: 0x22F5C

MODULES ---------------------------------------
    12/20/2004 19:34:29      273920 nk.exe
    12/20/2004 19:39:41      461824 coredll.dll
    12/20/2004 19:39:41      201728 filesys.exe
    12/20/2004 19:39:42      545280 gwes.exe
    12/20/2004 19:26:18       25600 device.exe
    12/20/2004 19:26:49        6144 regenum.dll
    12/20/2004 19:26:17       33792 pm.dll
    12/20/2004 19:26:58       55808 fatfsd.dll
    12/20/2004 19:39:43       34816 fatutil.dll
    12/20/2004 19:39:44      350720 commctrl.dll
    12/20/2004 19:39:41       66560 commdlg.dll
    12/20/2004 19:26:57       60928 fsdmgr.dll
    12/20/2004 19:34:24       12288 sdmmc.dll
    12/20/2004 19:26:58       17408 mspart.dll
    12/20/2004 19:39:43       55296 waveapi.dll
    12/20/2004 19:27:00       27648 audevman.dll
    12/20/2004 19:26:20        7168 ceddk.dll
    12/20/2004 19:39:42      189952 netui.dll
    12/20/2004 19:26:52        8192 ethman.dll
    12/20/2004 19:26:33       11264 cxport.dll
    12/20/2004 19:26:37       53760 iphlpapi.dll
    12/20/2004 19:26:35        5632 winsock.dll
    12/20/2004 19:26:34       34816 ws2.dll
    12/20/2004 19:26:35        5632 ws2instl.dll
    12/20/2004 19:26:35        9216 wspm.dll
    12/20/2004 19:26:36       10240 nspm.dll
    12/20/2004 19:26:36       78336 afd.dll
    12/20/2004 19:26:39      135168 ndis.dll
    12/20/2004 19:26:55       17408 ndisuio.dll
    12/20/2004 19:26:51       25600 dhcp.dll
    12/20/2004 19:26:40      330752 tcpstk.dll
    12/20/2004 19:26:50       27648 serial.dll
    12/20/2004 19:26:47        6656 mmtimer.dll
    12/20/2004 19:28:01      179200 ole32.dll
    12/20/2004 19:28:02      184320 oleaut32.dll
    12/20/2004 19:39:46      121344 mlang.dll
    12/20/2004 19:39:45      134656 shlwapi.dll
    12/20/2004 19:39:45       29696 IECEExt.dll
    12/20/2004 19:28:32      289280 shdocvw.dll
    12/20/2004 19:39:45      473600 wininet.dll
    12/20/2004 19:39:46      289792 urlmon.dll
    12/20/2004 19:39:46      203776 ceshell.dll
    12/20/2004 19:39:46      261120 explorer.exe
    12/20/2004 19:29:04        9728 shcore.dll
    12/20/2004 19:39:46       16384 control.exe
    12/20/2004 19:29:08        6656 ctlpnl.exe
    12/20/2004 19:39:46      187904 cplmain.cpl
    12/20/2004 19:39:47       47616 intll.cpl
    12/20/2004 19:39:47       22016 stguil.cpl
    12/20/2004 19:39:45      384512 quartz.dll
    12/20/2004 19:29:24       26624 msdmo.dll
    12/20/2004 19:29:35        4608 acmdwrap.dll
    12/20/2004 19:29:25       49152 mp3dmod.dll
    12/20/2004 19:39:45      483328 dxmasf.dll
    12/20/2004 19:29:25      123904 wmadmod.dll
    12/20/2004 19:29:26      332800 wmsdmod.dll
    12/20/2004 19:37:06      708608 PlayerAppMain.exe
    12/20/2004 19:34:33       19456 sqcache.dll
    12/20/2004 19:34:22       39936 umsdrv.dll
    12/20/2004 19:34:21       19968 cfdisk.dll
    12/20/2004 19:34:24        7168 sdmmc_loader.dll
    12/20/2004 19:34:23       55296 ddi.dll
    12/20/2004 19:34:22       35328 wavedev.dll
    12/20/2004 19:34:23        9216 kbdmouse.dll
    12/20/2004 19:39:46       49152 pcmcia.dll
    12/20/2004 19:34:22       18432 battdrvr.dll
    12/20/2004 19:34:28        5632 pmudll.dll
     6/05/2004 00:52:54       73728 AReadyLB.dll
    10/14/2003 12:41:38      699392 prism3.dll

FILES ----------------------------------------
     12/20/2004 19:27:10 C_R_       1809       8022                ceconfig.h (ROM 0x801954BC)
     12/20/2004 19:39:39 _HRS          0     210958                 wince.nls (ROM 0x80733784)
     12/20/2004 19:39:40 CHRS       3156      18144               initobj.dat (ROM 0x80215338)
     12/20/2004 19:39:39 CHRS      26187     127218               default.fdf (ROM 0x80766F94)
     12/20/2004 19:39:40 CHRS       1903       5434                initdb.ini (ROM 0x802354B4)
      3/21/2003 05:00:00 _HR_          0        134                 close.2bp (ROM 0x8007FB7C)
      3/21/2003 05:00:00 _HR_          0        134                    ok.2bp (ROM 0x8007FC04)
      3/21/2003 05:00:00 CHR_        598       1030                 stdsm.2bp (ROM 0x8007FC8C)
      3/21/2003 05:00:00 CHR_        456        838                viewsm.2bp (ROM 0x80195BD0)
      3/21/2003 05:00:00 CHR_        702       2038                 stdsm.bmp (ROM 0x80235C24)
      3/21/2003 05:00:00 CHR_        518       1654                viewsm.bmp (ROM 0x80195D98)
     12/20/2004 19:39:42 C_R_        802       3584                netmui.dll (ROM 0x80250424)
      3/21/2003 05:00:00 _HRS          0         69               appdata.ini (ROM 0x8007FEE4)
      3/21/2003 05:00:00 _HRS          0         69      desktopdirectory.ini (ROM 0x8007FF2C)
      3/21/2003 05:00:00 _HRS          0         69             favorites.ini (ROM 0x8007FF74)
      3/21/2003 05:00:00 _HRS          0         69                 fonts.ini (ROM 0x80195FA0)
      3/21/2003 05:00:00 _HRS          0         69           mydocuments.ini (ROM 0x80235EE4)
      3/21/2003 05:00:00 _HRS          0         69          programfiles.ini (ROM 0x80235F2C)
      3/21/2003 05:00:00 _HRS          0         69              programs.ini (ROM 0x80235F74)
      3/21/2003 05:00:00 _HRS          0         69                recent.ini (ROM 0x80250748)
      3/21/2003 05:00:00 _HRS          0         69               startup.ini (ROM 0x80250790)
      3/21/2003 05:00:00 _HRS          0         24               explore.lnk (ROM 0x804F0FE4)
      3/21/2003 05:00:00 C_RS       7397      55990             windowsce.bmp (ROM 0x8076D5E0)
      3/21/2003 05:00:00 _HRS          0         23               control.lnk (ROM 0x80633FD4)
      3/21/2003 05:00:00 CHRS        502        739               copyrts.txt (ROM 0x802507D8)
      3/21/2003 05:00:00 C_RS       1862       3116              asterisk.wav (ROM 0x80634410)
      3/21/2003 05:00:00 C_RS       1822       3388                 close.wav (ROM 0x80246404)
      3/21/2003 05:00:00 C_RS       2610       2970              critical.wav (ROM 0x806153FC)
      3/21/2003 05:00:00 C_RS        898       2682               default.wav (ROM 0x802509D0)
      3/21/2003 05:00:00 C_RS       2984       3946                 empty.wav (ROM 0x800EC3D8)
      3/21/2003 05:00:00 C_RS       3734       9204                exclam.wav (ROM 0x801C2164)
      3/21/2003 05:00:00 C_RS       2283       5656                infbeg.wav (ROM 0x801AC238)
      3/21/2003 05:00:00 C_RS       1000       1778                infend.wav (ROM 0x80634B58)
      3/21/2003 05:00:00 C_RS       1980       2088               infintr.wav (ROM 0x804821F8)
      3/21/2003 05:00:00 C_RS        824        834               menupop.wav (ROM 0x80246B24)
      3/21/2003 05:00:00 __RS          0        360               menusel.wav (ROM 0x80250D54)
      3/21/2003 05:00:00 C_RS       1964       3388              openprog.wav (ROM 0x806011F4)
      3/21/2003 05:00:00 C_RS       1314       1836              question.wav (ROM 0x804829B4)
      3/21/2003 05:00:00 C_RS       6624       8508               startup.wav (ROM 0x8076F2C8)
      3/21/2003 05:00:00 C_RS       2112       2712               windmax.wav (ROM 0x8022317C)
      3/21/2003 05:00:00 C_RS       2140       2866               windmin.wav (ROM 0x80253100)
      3/21/2003 05:00:00 C_RS       1964       3388              recstart.wav (ROM 0x806140CC)
      3/21/2003 05:00:00 C_RS       1822       3388                recend.wav (ROM 0x80614878)
     10/14/2003 12:41:39 _HRS          0       4240               sqfonts.fon (ROM 0x80770CA8)
      3/21/2003 05:00:00 _HRS          0      53504                 arial.fon (ROM 0x80771D38)
      3/21/2003 05:00:00 C_RS        932        974             unlatched.wav (ROM 0x801ACB24)
Done.

ViewBin... New.bin
Image Start = 0x80040000, length = 0x01EC0000
        Start address = 0x80040000
Found pTOC = 0x8024E0B8
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E801F6
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x8077EE38
    RAM Start           : 0x80780000
    RAM Free            : 0x807A9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250FB4
    Num Modules         :         69
    Num Files           :         46
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x80786000   CLen: 0x6FF      DLen: 0x22F5C

MODULES ---------------------------------------
    12/20/2004 19:34:29      273920 nk.exe
    12/20/2004 19:39:41      461824 coredll.dll
    12/20/2004 19:39:41      201728 filesys.exe
    12/20/2004 19:39:42      545280 gwes.exe
    12/20/2004 19:26:18       25600 device.exe
    12/20/2004 19:26:49        6144 regenum.dll
    12/20/2004 19:26:17       33792 pm.dll
    12/20/2004 19:26:58       55808 fatfsd.dll
    12/20/2004 19:39:43       34816 fatutil.dll
    12/20/2004 19:39:44      350720 commctrl.dll
    12/20/2004 19:39:41       66560 commdlg.dll
    12/20/2004 19:26:57       60928 fsdmgr.dll
    12/20/2004 19:34:24       12288 sdmmc.dll
    12/20/2004 19:26:58       17408 mspart.dll
    12/20/2004 19:39:43       55296 waveapi.dll
    12/20/2004 19:27:00       27648 audevman.dll
    12/20/2004 19:26:20        7168 ceddk.dll
    12/20/2004 19:39:42      189952 netui.dll
    12/20/2004 19:26:52        8192 ethman.dll
    12/20/2004 19:26:33       11264 cxport.dll
    12/20/2004 19:26:37       53760 iphlpapi.dll
    12/20/2004 19:26:35        5632 winsock.dll
    12/20/2004 19:26:34       34816 ws2.dll
    12/20/2004 19:26:35        5632 ws2instl.dll
    12/20/2004 19:26:35        9216 wspm.dll
    12/20/2004 19:26:36       10240 nspm.dll
    12/20/2004 19:26:36       78336 afd.dll
    12/20/2004 19:26:39      135168 ndis.dll
    12/20/2004 19:26:55       17408 ndisuio.dll
    12/20/2004 19:26:51       25600 dhcp.dll
    12/20/2004 19:26:40      330752 tcpstk.dll
    12/20/2004 19:26:50       27648 serial.dll
    12/20/2004 19:26:47        6656 mmtimer.dll
    12/20/2004 19:28:01      179200 ole32.dll
    12/20/2004 19:28:02      184320 oleaut32.dll
    12/20/2004 19:39:46      121344 mlang.dll
    12/20/2004 19:39:45      134656 shlwapi.dll
    12/20/2004 19:39:45       29696 IECEExt.dll
    12/20/2004 19:28:32      289280 shdocvw.dll
    12/20/2004 19:39:45      473600 wininet.dll
    12/20/2004 19:39:46      289792 urlmon.dll
    12/20/2004 19:39:46      203776 ceshell.dll
    12/20/2004 19:39:46      261120 explorer.exe
    12/20/2004 19:29:04        9728 shcore.dll
    12/20/2004 19:39:46       16384 control.exe
    12/20/2004 19:29:08        6656 ctlpnl.exe
    12/20/2004 19:39:46      187904 cplmain.cpl
    12/20/2004 19:39:47       47616 intll.cpl
    12/20/2004 19:39:47       22016 stguil.cpl
    12/20/2004 19:39:45      384512 quartz.dll
    12/20/2004 19:29:24       26624 msdmo.dll
    12/20/2004 19:29:35        4608 acmdwrap.dll
    12/20/2004 19:29:25       49152 mp3dmod.dll
    12/20/2004 19:39:45      483328 dxmasf.dll
    12/20/2004 19:29:25      123904 wmadmod.dll
    12/20/2004 19:29:26      332800 wmsdmod.dll
    12/20/2004 19:37:06      708608 PlayerAppMain.exe
    12/20/2004 19:34:33       19456 sqcache.dll
    12/20/2004 19:34:22       39936 umsdrv.dll
    12/20/2004 19:34:21       19968 cfdisk.dll
    12/20/2004 19:34:24        7168 sdmmc_loader.dll
    12/20/2004 19:34:23       55296 ddi.dll
    12/20/2004 19:34:22       35328 wavedev.dll
    12/20/2004 19:34:23        9216 kbdmouse.dll
    12/20/2004 19:39:46       49152 pcmcia.dll
    12/20/2004 19:34:22       18432 battdrvr.dll
    12/20/2004 19:34:28        5632 pmudll.dll
     6/05/2004 00:52:54       73728 AReadyLB.dll
    10/14/2003 12:41:38      699392 prism3.dll

FILES ----------------------------------------
     12/20/2004 19:27:10 C_R_       1809       8022                ceconfig.h (ROM 0x801954BC)
     12/20/2004 19:39:39 _HRS          0     210958                 wince.nls (ROM 0x80733784)
     12/20/2004 19:39:40 CHRS       3156      18144               initobj.dat (ROM 0x80215338)
     12/20/2004 19:39:39 CHRS      26187     127218               default.fdf (ROM 0x80766F94)
     12/20/2004 19:39:40 CHRS       1903       5434                initdb.ini (ROM 0x802354B4)
      3/21/2003 05:00:00 _HR_          0        134                 close.2bp (ROM 0x8007FB7C)
      3/21/2003 05:00:00 _HR_          0        134                    ok.2bp (ROM 0x8007FC04)
      3/21/2003 05:00:00 CHR_        598       1030                 stdsm.2bp (ROM 0x8007FC8C)
      3/21/2003 05:00:00 CHR_        456        838                viewsm.2bp (ROM 0x80195BD0)
      3/21/2003 05:00:00 CHR_        702       2038                 stdsm.bmp (ROM 0x80235C24)
      3/21/2003 05:00:00 CHR_        518       1654                viewsm.bmp (ROM 0x80195D98)
     12/20/2004 19:39:42 C_R_        802       3584                netmui.dll (ROM 0x80250424)
      3/21/2003 05:00:00 _HRS          0         69               appdata.ini (ROM 0x8007FEE4)
      3/21/2003 05:00:00 _HRS          0         69      desktopdirectory.ini (ROM 0x8007FF2C)
      3/21/2003 05:00:00 _HRS          0         69             favorites.ini (ROM 0x8007FF74)
      3/21/2003 05:00:00 _HRS          0         69                 fonts.ini (ROM 0x80195FA0)
      3/21/2003 05:00:00 _HRS          0         69           mydocuments.ini (ROM 0x80235EE4)
      3/21/2003 05:00:00 _HRS          0         69          programfiles.ini (ROM 0x80235F2C)
      3/21/2003 05:00:00 _HRS          0         69              programs.ini (ROM 0x80235F74)
      3/21/2003 05:00:00 _HRS          0         69                recent.ini (ROM 0x80250748)
      3/21/2003 05:00:00 _HRS          0         69               startup.ini (ROM 0x80250790)
      3/21/2003 05:00:00 _HRS          0         24               explore.lnk (ROM 0x804F0FE4)
      3/21/2003 05:00:00 C_RS       7397      55990             windowsce.bmp (ROM 0x8076D5E0)
      3/21/2003 05:00:00 _HRS          0         23               control.lnk (ROM 0x80633FD4)
      3/21/2003 05:00:00 CHRS        502        739               copyrts.txt (ROM 0x802507D8)
      3/21/2003 05:00:00 C_RS       1862       3116              asterisk.wav (ROM 0x80634410)
      3/21/2003 05:00:00 C_RS       1822       3388                 close.wav (ROM 0x80246404)
      3/21/2003 05:00:00 C_RS       2610       2970              critical.wav (ROM 0x806153FC)
      3/21/2003 05:00:00 C_RS        898       2682               default.wav (ROM 0x802509D0)
      3/21/2003 05:00:00 C_RS       2984       3946                 empty.wav (ROM 0x800EC3D8)
      3/21/2003 05:00:00 C_RS       3734       9204                exclam.wav (ROM 0x801C2164)
      3/21/2003 05:00:00 C_RS       2283       5656                infbeg.wav (ROM 0x801AC238)
      3/21/2003 05:00:00 C_RS       1000       1778                infend.wav (ROM 0x80634B58)
      3/21/2003 05:00:00 C_RS       1980       2088               infintr.wav (ROM 0x804821F8)
      3/21/2003 05:00:00 C_RS        824        834               menupop.wav (ROM 0x80246B24)
      3/21/2003 05:00:00 __RS          0        360               menusel.wav (ROM 0x80250D54)
      3/21/2003 05:00:00 C_RS       1964       3388              openprog.wav (ROM 0x806011F4)
      3/21/2003 05:00:00 C_RS       1314       1836              question.wav (ROM 0x804829B4)
      3/21/2003 05:00:00 C_RS       6624       8508               startup.wav (ROM 0x8076F2C8)
      3/21/2003 05:00:00 C_RS       2112       2712               windmax.wav (ROM 0x8022317C)
      3/21/2003 05:00:00 C_RS       2140       2866               windmin.wav (ROM 0x80253100)
      3/21/2003 05:00:00 C_RS       1964       3388              recstart.wav (ROM 0x806140CC)
      3/21/2003 05:00:00 C_RS       1822       3388                recend.wav (ROM 0x80614878)
     10/14/2003 12:41:39 _HRS          0       4240               sqfonts.fon (ROM 0x80770CA8)
      3/21/2003 05:00:00 _HRS          0      53504                 arial.fon (ROM 0x80771D38)
      3/21/2003 05:00:00 C_RS        932        974             unlatched.wav (ROM 0x801ACB24)
Done.

So, once again I need to figure out how to compress the NEW BIN back to the OLD BIN's size...I'm working on figuring that out. After I figure that out I'll start working on injecting files into the BIN's and ultimately updating the Aireo firmware with my fresh new firmware images.

03/03/2005 - 2PM - Aireo2 (software) "insider" info and speculation.

SoniqSync Version 3.7.0 - Rolf ?
Went through SoniqCast's website again and found another interesting file: SoniqSync_3_7_0_Rolf_3.zip. Again inside there's a SoniqSync.exe.
This is the SoniqCast software for the new (yet to be released) Aireo2! It looks like they're just beta testing the software (because there's still pictures and references to the first Aireo), but looking through it there's no doubt it's targeted for the Aireo2 (the 7 in 3.7.0 should be a hint that this is a VERY new version). Inside there are references to Aireo2 such as this one:

And this:

    Looking through the Menu string references I noticed something that said "Download Add-ins..." right below "Update Software..." Could this be some new fangled magical feature that will make the SoniqSync software better? Could be. Something like an Ogg-to-MP3 "Add-In" could be usefull..
    Further on in the file I found a dialog that contains some references to ReplayRadio. Seems that this version of SoniqSync (And the Aireo2 player) will have integrated access to ReplayRadio (http://www.replay-radio.com/) content:

On a lighter note, users will need Windows Media Player 9+ to access the new SoniqSync:

Final Aireo2 thoughts:
    So just by looking at this file alone I can speculate that Aireo2 will be using MOST if not all of the same technology as the previous Aireo. Just with improvements, of course. It will still be running some version of Windows CE possibly (preferably) 5.0. And the updates seem to be made the same way so working with the Firwmare will be fun.
    Finally, I think (just my personal guess) that the SoniqCast team uses code names for the Aireo's...Arden for Aireo and Rolf for Aireo2. Just a guess untill I see something that tells me I'm wrong. Hmm, or it could be just code names for the releases of SoniqSync...who knows?
    From all I've seen of Aireo2 on SoniqCast's website, it looks like a great player...too bad I might not be able to buy it for a while (hint: PSP).

02/27/2005 - 11PM - Moving along nicely.

Had a BRILLIANT idea. Use SoniqSync 3.2.2 to "upgrade" Aireo's firmware...but with the OLD 3.2.1 Aireo.bin firmware...IT WORKED!! I actually hinted at this idea on 02/14 but never got around to it until now. What I did: Upgraded SoniqCast to 3.2.2, copied over 3.2.1's Aireo.bin into SoniqSync's directory. Fired up SoniqSync_Arden.exe and it popped up with the "your Aireo needs to be upgraded message", I clicked "Upgrade" knowing full well that I had 3.2.1's Aireo/EBOOT .bins in there. The upgrade went perfect. Aireo rebooted and I plugged the cable back in only to be greeted with the same message again...AND THATS EXACTLY WHAT I WANTED!

Here is the Ssp.log (thanks SoniqSync_Arden.exe!):

<INFO>   ********** Log initialized **********     - c:\soniqcastsw\sharedsw\log.cpp(106)
<INFO>   InitInstance START     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(109)
<INFO>   Opened file: C:\Program Files\SoniqCast\SoniqSync\Sched.db     - c:\soniqcastsw\sharedsw\cfiledb.cpp(187)
<INFO>   SCHEDDB: Calculating minutes until sync for an entry...     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(927)
<INFO>   SCHEDDB: dtPrev = 02/27/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(928)
<INFO>   SCHEDDB: dtNext = 02/28/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(929)
<INFO>   SCHEDDB: dtLast = 12/23/04 13:05:14     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(930)
<INFO>   SCHEDDB: dtNOW = 02/27/05 23:48:47     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(931)
<INFO>   SCHEDDB: iMinTillSync = 191     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(982)
<INFO>   SCHEDDB: Calculated next sync (min): 188     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1354)
<INFO>   SCHEDDB: Calculated next sync (abs): -112800000000     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1357)
<INFO>   InitInstance DoModal     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(357)
<INFO>   CSSS: Found the following local MACs:     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2558)