SoniqCast Aireo / Element Electronics Aireo MP3 Player

* UPDATED! (03/12/06) 3GB and 4GB Cornice Drives!*

Hacking and Exploring the
SoniqCast / Element Electronics Aireo
SQ-1000 MP3 Player (with 802.11b Wireless capabilities)

Last update: 03/12/06
Last to Last update: 08/21/05
Last Last Last update: 08/11/05
Last Last Last to Last update: 07/07/05
Last Last Last to Last to Last update: 06/14/05
Last Last Last to Last to Last to Last update: 03/03/05
(Getting annoying yet?)

Currently Your #1 Source for Aireo
(and Aireo2) Information, News, and "Secrets" (wtf!?)

Why the Aireo? And why is this page here?

I bought the Element Electronics/SoniqCast Aireo MP3 player in December of 2004 from an eBay seller after looking around for an MP3 player and blatantly disregarding the (still somewhat expensive) iPod. This page is just sort of my own research journal, and for anyone else that cares to read anything I write. Those of you that are also interested in the inner workings of the Aireo should email (mozy@[deleteme]mozy.org) me if you have any questions comments or ideas. This page is continually in progress so nothing is final. (Disclaimer: As of right now I have no intentions of figuring out a way to put Linux on this little device. What you see here is experimental and an ongoing learning process. Do not try this at home.)

0. Latest Info Gathered
1. Specs and Review of Specs.
2. (OLD) Hardware/Firmware hacking research.
3. INTERNAL PICTURES! (My de-virginized Aireo)

Entry Legend:

FOUND/LEARNED SOMETHING GOOD.

GETTING SOMEWHERE...

NO LUCK / NO SUCCESS / NOTHING NEW

MISC.

[ 0 ]
NEWEST STUFF:

03/12/2006 - 7PM - Finally an update. So how about that Hard-Drive upgrade?

Ok, wow, its been FOREVER since I last updated this page. Anyway, on to the news:

I acquired 2 Cornice "Storage Elements" (SE's or mini Hard-Drives) from an anonymous source (outside of Cornice Co.). Lets just say they are used in the semi-new Archos GMini XS 100 MP3 players. =) The SE's are 3GB and 4GB in size and are identical to the original 1.5GB Aireo HD, here's a picture of them:

SO... on the important details. Do these drives work when placed inside the Aireo? The very short answer: NO. After taking out the original 1.5GB Aireo drive and doing a quick visual inspection, the drives and cabling and all the electronics look exactly identical. Upon connecting the drives to the Aireo's electronics and turning on the player, I got the usual and very unwelcome message telling me there's no music on the drive. I connected the Aireo's USB plug to my PC and the Aireo came up as a "Aireo USB Drive" but did not get a drive letter. The drive did not show up in Disk Management in Windows XP. SO basically, the Aireo doesn't recognize the 3GB or 4GB drives (hardware properties showed the "removable storage" as being 0MB in size). It could be a hardware or firmware limitation, I have no clue. But quite a number of people asked me if it's possible to replace the Aireo's drive with something bigger and now we all know the answer. Thats it for this update.

08/21/2005 - 5PM - Updates galore...and a SPECIAL SURPRISE! (Free stuff!)

       Hey, time for another update. This time thanks goes out to fellow Aireo hackers Mathias Dietz and drizzle who have inspired me to do some more research. Mathias has written me an e-mail in which he showed me his new Java-based Aireo MP3 syncing software that he wrote, its a nice piece of code and now all you Linux guys don't have to fret because you don't need the stinking "SoniqSync" anymore! He wrote a parser for Aireo's special SPL playlist format and made it a breeze to do everything SoniqSync does (in Windows only). Mathias's website is right here: http://www.dietzm.de/blog/index.html, you can ask him about the software yourself maybe he'll send you a copy. Thanks Mathias!
    drizzle fired off a very nice E-Mail to me as well in which we discussed the bottom connector on the Aireo. It's a unique connector and I mentioned there is a possibility of a serial connection being built into that. I have been unable to find a supplier for these plugs so I'm S.O.L as of right now. I'm going to try to see what else I can figure out concerning the bottom connector. I have been unable to visually trace any kind of connection between the bottom connector and the PCB's but maybe I haven't really given it that hard a look. I'll try again. Theres a very very good chance that the plug has what we are looking for...but right now it's kind of hard to figure out how to get what I need from it. Its a long learning process.
    drizzle also wondered what the Aireo software calls the SD card internally, as everyone might remember the Aireo refers to its HD as "\Disk\" well the SD card is referred to as "\Storage Card\" from what I can pull out of PlayerAppMain.exe.

    And now, the best part of this update and again a very very very greatful thanks to drizzle for this:
A guide to increasing the transmission power/range of your Aireo's FM Transmitter!!
All free, gratis, here in this PDF: http://mozy.org/aireo/Aireo-Tuning.pdf
You typically have to either find this info yourself or go on eBay and pay some guy to sell it to you...but thaanks to drizzle we have this here for you for free! Enjoy! I'll be attempting this mod in the near future.

Thanks to both guys for contacting me, and thanks to everyone else thats contacted me so far. It's always great hearing from fellow Aireo hackers. Everyone has great ideas and lots of enthusiasm for this little device. Here's to progress! - roto/mozy

08/11/2005 - 5PM - Attack the FLASH through JTAG!

Again was bored and decided to do some research, this time on JTAG. I'm not really trying hard to find the pads for the JTAG pins on the PCB but that would be a good idea. This document ( http://www.intel.com/design/pca/applicationsprocessors/manuals/27878002.pdf ) has all the pin-outs for the PXA255 CPU and tells me which pins are for JTAG connections. Obviously there's no JTAG header in plain view so they did hide it a bit. I'm kinda weary of soldering to the microBGA solder pads.....so I want to see if SoniqCast did a good thing and added some separate pads for JTAG connections...time for some tracing...
Here's what I've gathered so far on JTAG pins on the PXA255:

PXA255 microBGA JTAG Test Pins

Name	Pin #
nTRST	H11
TDI	H15
TDO	H16
TMS	H13
TCK	H12
-	-
TEST	G12
TESTCLK	G11

So whats the point of this? Well, I want to see if I can interrupt the Aireo boot process through JTAG communication then possibly load up a different bootloader to ultimately....yep...boot Linux! I didn't really want to but hey why not. Maybe theres a way to dump/reflash the Aireo flash through JTAG communications? This would be of GREAT help incase I tried one of my modified Aireo.bin firmware images and something didn't work right...
So this could be very very useful. Now to stop being lazy and actually make the JTAG cable and find the right JTAG pads....

Some JTAG links for later reference:
http://openwince.sourceforge.net/jtag/
http://lapwww.epfl.ch/dev/arm/jelie/

07/07/2005 - 12AM - QA Test?

Decided to look at PlayerAppMain.exe again in IDA and found some very interesting information. I always suspected there is some kind of option to test Aireo settings because of the random strings that I gathered here and there and now I know, there IS a "test menu" and/or debug feature already built into the PlayerAppMain.exe code...now I gotta figure out a way to START it! I thought it might be some keypad pressing combinations (like some SNES games or something, haha) but dropped that stupid idea after a while... It's hard to tell if this is activated by some outside plug or some kind of trigger or something. I can't even figure out where the subroutine for the testing portion starts! Damn!

Here's what I've found that got me excited and confused again. The testing portion seems to be interactive because it requires physical button presses in certain situations...so this is why I'm thinking it is done ON the Aireo and is visible on the Aireo screen. Or maybe it could be transmitted through the "debug" output...which would be kind of weird. Oh well.:

.data1:000998A4 aQaTestStartVer unicode 0, <QA Test Start: Version %d.%d >,0
.data1:000998A4                                         ; DATA XREF: .text:0001C384o
.data1:000998E2                 ALIGN 4
.data1:000998E4 aStartingQaTest unicode 0, <Starting QA Testing..>,0
.data1:000998E4                                         ; DATA XREF: .text:0001C380o
.data1:00099910 aFreqidCTxDRxD unicode 0, <FreqID: %c TX: %d RX: %d >,0
.data1:00099910                                         ; DATA XREF: .text:0001C370o
.data1:00099948 aPressAnyButton unicode 0, <Press any button to continue>,0
.data1:00099948                                         ; DATA XREF: .text:0001C36Co
.data1:00099982                 DCB    0 ;
.data1:00099983                 DCB    0 ;
.data1:00099984                 DCB    0 ;
.data1:00099985                 DCB    0 ;
.data1:00099986                 DCB    0 ;
.data1:00099987                 DCB    0 ;
.data1:00099988 a___TestingComp unicode 0, <... Testing Complete: FAILED ...>,0
.data1:00099988                                         ; DATA XREF: sub_1C6CC+100o
.data1:000999CC aS_1            unicode 0, < %s >,0     ; DATA XREF: sub_1C6CC+E8o
.data1:000999D6                 ALIGN 4
.data1:000999D8 aPressAnyKeyToC unicode 0, < Press any key to continue >,0
.data1:000999D8                                         ; DATA XREF: sub_1C6CC+E4o
.data1:00099A12                 ALIGN 4
.data1:00099A14 aS_2            unicode 0, <%s>,0       ; DATA XREF: sub_1C6CC+168o
.data1:00099A1A                 ALIGN 4
.data1:00099A1C aQaTestNextStat unicode 0, <QA Test - Next Station >,0
.data1:00099A1C                                         ; DATA XREF: sub_1C6CC+268o
.data1:00099A4C aQaTestD_DStati unicode 0, <QA Test: %d.%d     Station: %d>,0
.data1:00099A4C                                         ; DATA XREF: sub_1C6CC+260o
.data1:00099A8A                 ALIGN 4
.data1:00099A8C aQaTestD_D      unicode 0, <QA Test: %d.%d >,0 ; DATA XREF: sub_1C6CC+354o
.data1:00099AAC                 DCB    0 ;
.data1:00099AAD                 DCB    0 ;
.data1:00099AAE                 DCB    0 ;
.data1:00099AAF                 DCB    0 ;
.data1:00099AB0 aNoYes          unicode 0, <         NO                          YES>,0
.data1:00099AB0                                         ; DATA XREF: sub_1C6CC+350o
.data1:00099B02                 ALIGN 4
.data1:00099B04 aD_DS           unicode 0, < %d.%d: %s>,0 ; DATA XREF: sub_1C6CC+438o
.data1:00099B1A                 ALIGN 4
.data1:00099B1C aQaTest         unicode 0, <   QA Test >,0 ; DATA XREF: sub_1C6CC+4E0o
.data1:00099B36                 ALIGN 4
.data1:00099B38 a____AllTestsCo unicode 0, <.... ALL TESTS COMPLETE ....>,0
.data1:00099B38                                         ; DATA XREF: sub_1C6CC+4DCo
.data1:00099B74 aPlayerStatusPa unicode 0, <Player Status: PASSED>,0
.data1:00099B74                                         ; DATA XREF: sub_1C6CC+4D8o
.data1:00099BA2                 ALIGN 4
.data1:00099BA4 aQaTest_0       unicode 0, <   QA Test >,0 ; DATA XREF: .text:0001CCBCo
.data1:00099BBE                 ALIGN 4
.data1:00099BC0 aNumberOfFailur unicode 0, <Number of Failures: %d >,0
.data1:00099BC0                                         ; DATA XREF: .text:0001CCACo
.data1:00099BF0 aTestingRtc     unicode 0, <Testing RTC>,0 ; DATA XREF: .text:0001CF38o
.data1:00099C08 aInvalidYear    unicode 0, <Invalid Year>,0 ; DATA XREF: .text:0001CF2Co
.data1:00099C22                 ALIGN 4
.data1:00099C24 aInvalidDayofwe unicode 0, <Invalid DayOfWeek>,0
.data1:00099C24                                         ; DATA XREF: .text:0001CF28o
.data1:00099C48 aInvalidDay     unicode 0, <Invalid Day>,0 ; DATA XREF: .text:0001CF24o
.data1:00099C60 aInvalidHour    unicode 0, <Invalid Hour>,0 ; DATA XREF: .text:0001CF20o
.data1:00099C7A                 ALIGN 4
.data1:00099C7C aInvalidMinute unicode 0, <Invalid Minute>,0 ; DATA XREF: .text:0001CF1Co
.data1:00099C9A                 ALIGN 4
.data1:00099C9C aInvalidSecond unicode 0, <Invalid Second>,0 ; DATA XREF: .text:0001CF18o
.data1:00099CBA                 ALIGN 4
.data1:00099CBC aInvalidMillise unicode 0, <Invalid Millisecs>,0
.data1:00099CBC                                         ; DATA XREF: .text:0001CF14o
.data1:00099CE0 aInvalidMonth   unicode 0, <Invalid Month>,0 ; DATA XREF: .text:0001CF10o
.data1:00099CFC aTimeNotUpdatin unicode 0, <Time Not Updating>,0
.data1:00099CFC                                         ; DATA XREF: .text:0001CF04o
.data1:00099D20 aTimeUpdate     unicode 0, <Time Update>,0 ; DATA XREF: .text:0001CF00o
.data1:00099D38 aTesting32kCloc unicode 0, <Testing 32K Clock>,0
.data1:00099D38                                         ; DATA XREF: .text:0001CFE8o
.data1:00099D5C aClockNotStable unicode 0, <Clock Not Stable>,0 ; DATA XREF: .text:0001CFDCo
.data1:00099D7E                 ALIGN 4
.data1:00099D80 aTestingSysmon unicode 0, <Testing SysMon>,0 ; DATA XREF: .text:0001D1ECo
.data1:00099D9E                 ALIGN 4
.data1:00099DA0 aTestingSysmon_ unicode 0, <Testing SysMon..>,0 ; DATA XREF: .text:0001D1E0o
.data1:00099DC2                 ALIGN 4
.data1:00099DC4 aMvChargeLow    unicode 0, <mV Charge Low>,0 ; DATA XREF: .text:0001D1D0o
.data1:00099DE0 aChargeLvlInval unicode 0, <Charge Lvl Invalid>,0
.data1:00099DE0                                         ; DATA XREF: .text:0001D1CCo
.data1:00099E06                 ALIGN 4
.data1:00099E08 aHeadphoneBitLo unicode 0, <HeadPhone Bit Low>,0
.data1:00099E08                                         ; DATA XREF: .text:0001D1C8o
.data1:00099E2C aUsbBitLow      unicode 0, <USB Bit Low>,0 ; DATA XREF: .text:0001D1C4o
.data1:00099E44 aDockBitHigh    unicode 0, <Dock Bit High>,0 ; DATA XREF: .text:0001D1C0o
.data1:00099E60 aChargeBitLow   unicode 0, <Charge Bit Low>,0 ; DATA XREF: .text:0001D1BCo
.data1:00099E7E                 ALIGN 4
.data1:00099E80 aLowBatteryHigh unicode 0, <Low Battery High>,0 ; DATA XREF: .text:0001D1B8o
.data1:00099EA2                 ALIGN 4
.data1:00099EA4 aPortableBitHig unicode 0, <Portable Bit High>,0
.data1:00099EA4                                         ; DATA XREF: .text:0001D1B4o
.data1:00099EC8 aOnadapterBitLo unicode 0, <OnAdapter Bit Low>,0
.data1:00099EC8                                         ; DATA XREF: .text:0001D1B0o
.data1:00099EEC aOnextbatBitHig unicode 0, <OnExtBat Bit High>,0
.data1:00099EEC                                         ; DATA XREF: .text:0001D1ACo
.data1:00099F10 aEngineonBitHig unicode 0, <EngineOn Bit High>,0
.data1:00099F10                                         ; DATA XREF: .text:0001D1A8o
.data1:00099F34 aTestingRxSig_0 unicode 0, <Testing RX Signal>,0
.data1:00099F34                                         ; DATA XREF: .text:0001D318o
.data1:00099F58 aTestingRxSigna unicode 0, <Testing RX Signal..>,0
.data1:00099F58                                         ; DATA XREF: .text:0001D30Co
.data1:00099F80 aRxSignalTooWea unicode 0, <RX Signal Too Weak>,0
.data1:00099F80                                         ; DATA XREF: .text:0001D2FCo
.data1:00099FA6                 ALIGN 4
.data1:00099FA8 aQaTest_1       unicode 0, <   QA Test >,0 ; DATA XREF: .text:0001D3C4o
.data1:00099FC2                 ALIGN 4
.data1:00099FC4 aAutomatedTesti unicode 0, <Automated Testing started...>,0
.data1:00099FC4                                         ; DATA XREF: .text:0001D3C0o
.data1:00099FFE                 ALIGN 4
.data1:0009A000 aIsBacklightOn unicode 0, <Is Backlight ON?>,0 ; DATA XREF: .text:0001D410o
.data1:0009A022                 ALIGN 4
.data1:0009A024 aBacklight      unicode 0, <Backlight>,0 ; DATA XREF: .text:0001D43Co
.data1:0009A038 aIsBacklightOff unicode 0, <Is Backlight OFF?>,0
.data1:0009A038                                         ; DATA XREF: .text:0001D488o
.data1:0009A05C aBacklight_0    unicode 0, <Backlight>,0 ; DATA XREF: .text:0001D4BCo
.data1:0009A070 aBadPixels      unicode 0, <Bad Pixels>,0 ; DATA XREF: .text:0001D528o
.data1:0009A086                 ALIGN 4
.data1:0009A088 aAreAllPixelsBl unicode 0, <Are ALL Pixels BLACK>,0
.data1:0009A088                                         ; DATA XREF: .text:0001D51Co
.data1:0009A0B2                 ALIGN 4
.data1:0009A0B4 aInBlackRegion unicode 0, <In Black Region?>,0 ; DATA XREF: .text:0001D518o
.data1:0009A0D6                 ALIGN 4
.data1:0009A0D8 aNoYes_0        unicode 0, <         NO                          YES>,0
.data1:0009A0D8                                         ; DATA XREF: .text:0001D5E4o
.data1:0009A12A                 ALIGN 4
.data1:0009A12C aBadPixels_0    unicode 0, <Bad Pixels>,0 ; DATA XREF: .text:0001D654o
.data1:0009A142                 ALIGN 4
.data1:0009A144 aAreAllPixels_0 unicode 0, <Are ALL Pixels BLACK>,0
.data1:0009A144                                         ; DATA XREF: .text:0001D648o
.data1:0009A16E                 ALIGN 4
.data1:0009A170 aInBlackRegio_0 unicode 0, <In Black Region?>,0 ; DATA XREF: .text:0001D644o
.data1:0009A192                 DCB    0 ;
.data1:0009A193                 DCB    0 ;
.data1:0009A194                 DCB    0 ;
.data1:0009A195                 DCB    0 ;
.data1:0009A196                 DCB    0 ;
.data1:0009A197                 DCB    0 ;
.data1:0009A198 aNoYes_1        unicode 0, <         NO                          YES>,0
.data1:0009A198                                         ; DATA XREF: .text:0001D6F4o
.data1:0009A1EA                 ALIGN 4
.data1:0009A1EC aMenuKey        unicode 0, <MENU key>,0 ; DATA XREF: .text:0001D7B0o
.data1:0009A1FE                 ALIGN 4
.data1:0009A200 aPressMenuKey   unicode 0, <Press MENU key>,0 ; DATA XREF: .text:0001D7A8o
.data1:0009A21E                 ALIGN 4
.data1:0009A220 aFailsInD       unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D7A4o
.data1:0009A240 aFailsInD_0     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D814o
.data1:0009A260 aModeKey        unicode 0, <MODE key>,0 ; DATA XREF: .text:0001D8A8o
.data1:0009A272                 ALIGN 4
.data1:0009A274 aPressModeKey   unicode 0, <Press MODE key>,0 ; DATA XREF: .text:0001D8A0o
.data1:0009A292                 ALIGN 4
.data1:0009A294 aFailsInD_1     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D89Co
.data1:0009A2B4 aLeftKey        unicode 0, <Left key>,0 ; DATA XREF: .text:0001D940o
.data1:0009A2C6                 ALIGN 4
.data1:0009A2C8 aPressLeftKey   unicode 0, <Press LEFT key>,0 ; DATA XREF: .text:0001D938o
.data1:0009A2E6                 ALIGN 4
.data1:0009A2E8 aFailsInD_2     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D934o
.data1:0009A308 aUpKey          unicode 0, <Up key>,0   ; DATA XREF: .text:0001D9D8o
.data1:0009A316                 ALIGN 4
.data1:0009A318 aPressUpKey     unicode 0, <Press UP key>,0 ; DATA XREF: .text:0001D9D0o
.data1:0009A332                 ALIGN 4
.data1:0009A334 aFailsInD_3     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001D9CCo
.data1:0009A354 aRightKey       unicode 0, <Right key>,0 ; DATA XREF: .text:0001DA70o
.data1:0009A368 aPressRightKey unicode 0, <Press RIGHT key>,0 ; DATA XREF: .text:0001DA68o
.data1:0009A388 aFailsInD_4     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DA64o
.data1:0009A3A8 aDownKey        unicode 0, <Down key>,0 ; DATA XREF: .text:0001DB08o
.data1:0009A3BA                 ALIGN 4
.data1:0009A3BC aPressDownKey   unicode 0, <Press DOWN key>,0 ; DATA XREF: .text:0001DB00o
.data1:0009A3DA                 ALIGN 4
.data1:0009A3DC aFailsInD_5     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DAFCo
.data1:0009A3FC aCenterKey      unicode 0, <Center key>,0 ; DATA XREF: .text:0001DBA0o
.data1:0009A412                 ALIGN 4
.data1:0009A414 aPressCenterKey unicode 0, <Press CENTER key>,0 ; DATA XREF: .text:0001DB98o
.data1:0009A436                 ALIGN 4
.data1:0009A438 aFailsInD_6     unicode 0, <Fails in: %d   >,0 ; DATA XREF: .text:0001DB94o
.data1:0009A458 aRedLedBadRedLe unicode 0, <Red LED: Bad Red LED>,0
.data1:0009A458                                         ; DATA XREF: .text:0001DC40o
.data1:0009A482                 ALIGN 4
.data1:0009A484 aIsRedLedFlashi unicode 0, <Is RED LED Flashing?>,0
.data1:0009A484                                         ; DATA XREF: .text:0001DC34o
.data1:0009A4AE                 ALIGN 4
.data1:0009A4B0 aBadRedLed      unicode 0, <Bad RED LED>,0 ; DATA XREF: .text:0001DD0Co
.data1:0009A4C8 aGreenLedBadGre unicode 0, <Green LED: Bad Green LED>,0
.data1:0009A4C8                                         ; DATA XREF: .text:0001DDA0o
.data1:0009A4FA                 ALIGN 4
.data1:0009A4FC aIsGreenLedFlas unicode 0, <Is GREEN LED Flashing?>,0
.data1:0009A4FC                                         ; DATA XREF: .text:0001DD94o
.data1:0009A52A                 ALIGN 4
.data1:0009A52C aBadGreenLed    unicode 0, <Bad Green LED>,0 ; DATA XREF: .text:0001DDD0o
.data1:0009A548 aGreenLedBadBlu unicode 0, <Green LED: Bad Blue LED>,0
.data1:0009A548                                         ; DATA XREF: .text:0001DE60o
.data1:0009A578 aIsBlueLedFlash unicode 0, <Is BLUE LED Flashing?>,0
.data1:0009A578                                         ; DATA XREF: .text:0001DE54o
.data1:0009A5A4 aBadBlueLed     unicode 0, <Bad Blue LED>,0 ; DATA XREF: .text:0001DE90o
.data1:0009A5BE                 ALIGN 4
.data1:0009A5C0 aDoesRxSignalRe unicode 0, <Does RX Signal Register>,0
.data1:0009A5C0                                         ; DATA XREF: .text:0001DFE0o
.data1:0009A5F0 aNotRecieving   unicode 0, <Not Recieving>,0 ; DATA XREF: .text:0001E068o
.data1:0009A60C aDoesTxSignalRe unicode 0, <Does TX Signal Register>,0
.data1:0009A60C                                         ; DATA XREF: .text:0001E110o
.data1:0009A63C aNotTransmittin unicode 0, <Not Transmitting>,0 ; DATA XREF: .text:0001E198o
.data1:0009A65E                 ALIGN 4
.data1:0009A660 aDoesSpdifSigna unicode 0, <Does SPDif Signal Register>,0
.data1:0009A660                                         ; DATA XREF: .text:0001E238o
.data1:0009A696                 ALIGN 4
.data1:0009A698 aNotFunctioning unicode 0, <Not Functioning>,0 ; DATA XREF: .text:0001E270o
.data1:0009A6B8 aDoesAudioOutSi unicode 0, <Does Audio Out Signal>,0
.data1:0009A6B8                                         ; DATA XREF: .text:0001E2FCo
.data1:0009A6E4 aRegisterOnSJac unicode 0, <Register on %s jack>,0
.data1:0009A6E4                                         ; DATA XREF: .text:0001E2F0o
.data1:0009A70C aNotFunctioni_0 unicode 0, <Not Functioning>,0 ; DATA XREF: .text:0001E348o
.data1:0009A72C aOpenningSessio unicode 0, <Openning Session>,0 ; DATA XREF: .text:0001E540o
.data1:0009A74E                 ALIGN 4
.data1:0009A750 aWifiOpensessio unicode 0, <WiFi: OpenSession>,0
.data1:0009A750                                         ; DATA XREF: .text:0001E538o
.data1:0009A774 aWifiDriverLoad unicode 0, <WiFi: Driver Load>,0
.data1:0009A774                                         ; DATA XREF: .text:0001E534o
.data1:0009A798 aLoadingDrivers unicode 0, <Loading Drivers>,0 ; DATA XREF: .text:0001E530o
.data1:0009A7B8 aWifiConnection unicode 0, <WiFi: Connection>,0 ; DATA XREF: .text:0001E52Co
.data1:0009A7DA                 ALIGN 4
.data1:0009A7DC aConnecting___ unicode 0, <Connecting...>,0 ; DATA XREF: .text:0001E528o
.data1:0009A7F8 aS_13           unicode 0x6F, <s>       ; DATA XREF: .text:0001E524o
.data1:0009A7FA aN              unicode 0x69, <n>
.data1:0009A7FC aQ_0            unicode 0x63, <q>
.data1:0009A7FE aA_1            unicode 0x73, <a>
.data1:0009A800 aT              unicode 0, <t>,0
.data1:0009A804 aConnectSuccess unicode 0, <Connect Successful...>,0
.data1:0009A804                                         ; DATA XREF: .text:0001E520o
.data1:0009A830 aTestingSignalS unicode 0, <Testing Signal Strength..>,0
.data1:0009A830                                         ; DATA XREF: .text:0001E51Co
.data1:0009A864 aUnloadingDrive unicode 0, <Unloading Driver>,0 ; DATA XREF: .text:0001E514o
.data1:0009A886                 ALIGN 4
.data1:0009A888 aClosingSession unicode 0, <Closing Session>,0 ; DATA XREF: .text:0001E510o
.data1:0009A8A8 aDoesTxSignal_0 unicode 0, <Does TX Signal Register>,0
.data1:0009A8A8                                         ; DATA XREF: .text:0001E5C4o
.data1:0009A8D8 aBadUsbBit      unicode 0, <Bad USB Bit>,0 ; DATA XREF: .text:0001E5BCo
.data1:0009A8F0 aBadChargeBit   unicode 0, <Bad Charge Bit>,0 ; DATA XREF: .text:0001E5B8o
.data1:0009A90E                 ALIGN 4
.data1:0009A910 aImproperSetup unicode 0, <Improper Setup>,0 ; DATA XREF: .text:0001E668o
.data1:0009A92E                 ALIGN 4
.data1:0009A930 aDidDriveLetter unicode 0, <Did drive letter show on PC?>,0
.data1:0009A930                                         ; DATA XREF: .text:0001E65Co
.data1:0009A96A                 ALIGN 4
.data1:0009A96C aImproperSetu_0 unicode 0, <Improper Setup>,0 ; DATA XREF: .text:0001E704o
.data1:0009A98A                 ALIGN 4
.data1:0009A98C aWasRedLedOn    unicode 0, <Was RED LED ON>,0 ; DATA XREF: .text:0001E6F8o
.data1:0009A9AA                 ALIGN 4
.data1:0009A9AC aBeforePowerup unicode 0, <    before PowerUp?>,0
.data1:0009A9AC                                         ; DATA XREF: .text:0001E6F4o
.data1:0009A9D4 aResetFailure   unicode 0, <Reset Failure>,0 ; DATA XREF: .text:0001E7BCo
.data1:0009A9F0 aPressResetButt unicode 0, <Press RESET button on back>,0
.data1:0009A9F0                                         ; DATA XREF: .text:0001E7B4o
.data1:0009AA26                 ALIGN 4
.data1:0009AA28 aIfPlayerPowers unicode 0, <If player powers off>,0
.data1:0009AA28                                         ; DATA XREF: .text:0001E7B0o
.data1:0009AA52                 ALIGN 4
.data1:0009AA54 aThenThisTestPa unicode 0, <   then this test passed.>,0
.data1:0009AA54                                         ; DATA XREF: .text:0001E7ACo

I'm also thinking more about editing stuff and finally uploading it to the Aireo... I want to just edit one or two bytes and insert PlayerAppMain.exe back into Aireo.bin and then do a compare to see what's changed...it has to be done just right. I also have to buckle down and figure out how to re-compress Aireo.bin after dumping it... So i'm thinking "Thanks for choosing Aireo!" in the "About" menu is a good starting candidate to edit... it's stored at offset 0x00085250 in PlayerAppMain.exe ...heh...I guess this will be my first modification target. Simple yet profound (not!). I'm used to debugging x86 but this ARM stuff is a little bit tough for me still...and the fact that I rarely if ever used IDA doesn't help. Still trying to figure out where a function gets entered into..like when a call is made to go to the "About" part of the program...ugh I feel dumb.

I also went back to SoniqSync.exe in IDA and tried to find some kind of trigger for Aireo's QA Test function...nothing... Obviously Arden has debug output features already but they are PC side only it seems...they don't do any kind of real-time Aireo interaction. Would have been nice though. Back to the drawing board.

06/14/2005 - 9PM - SoniqCast Aireo 2 Coming Q3-2005 from...Tao?

Well it looks like the Aireo2 will finally see the light of day in the form of a yet un-named "Wireless MP3 player" from Tao (http://taolife.com/tao-main.html). Looks like Tao is the maker of XM2GO, so hopefully this is good news for our Aireo2 . The page has some nice images of the player in black (looks sexier than the first Aireo2 pics in white).
I guess I need to get off my butt and get back to Aireo hackin' because from the looks of it, the technology behind Aireo2 will be pretty similar. I can't wait for this thing to come out, even if it will cost $349.99....I'll take it.

06/09/2005 - 5PM - Cornice Storage Element roundup.

Decided to look at Cornice's website again to see if anyone new is using their Storage Element (Hard Drive inside the Aireo). First thing that caught my eye was the Seagate/Cornice lawsuit....as I understand it...CORNICE CEASED PRODUCTION OF THE DRIVES?!? What the hell?
On a lighter note...I found a bunch of products that are supposed to use Cornice SE's, here's a list:

Rio Nitrus Urban (Old product, eBay == ~$80) - Uses 1.5GB drive.
Garmin Street Pilot 2620 (Still on sale, Best Buy == ~$999) - Uses 2GB drive.
SigmaTel powered MP3 players...can't find more info on this yet.

IS CORNICE "DEAD BY LAWSUIT"? I hope not...I want that damn Aireo2! (Well wait, Cornice doesn't have any 20GB SE's...and Aireo2 will use a 20GB drive....OK...Cornice is out of the equation.)

06/06/2005 - 9PM - Hmm...playlists?

Wow, EXACTLY three months (and 6 hours) since I updated this page...weeeiirrrdddd. Anyway, decided to play around with the playlists (pun intended). They are stored on the Aireo under \Playlists\ where else? These are not just any standard WinAmp playlists...kinda funky looking. Anyway, all I've got so far is that the 7th byte (Offset 0x6) holds the number of songs in that particular playlist (I'm pretty confident of this fact because 3 of the playlists I checked backed up this finding). Other than that I found out that the Aireo player refers to its drive as "\Disk\" so that might be useful in the future. I'm still wanting to come back to Firmware reversing. Hmm, now that I think about it, this update is pretty pointless. I don't really feel like getting too deep into playlist creation other than the fact that someone asked me if it's possible to make playlists in Linux...since Linux doesn't have SoniqSync it's not that easy. Bah, maybe later.

Decided to look at the connector on the bottom of the Aireo again, too tired to think but here's a pic incase I get inspired in the future:

03/06/2005 - 3PM - Slowdown.

I'm really lagging behind on this little pursuit, too much real-life stuff to do first. But then again, I'm not really in a race with anyone...am I? I don't know of any other person who's as deeply involved in this project as I am. Not to gloat, I just honestly can't find a single other person who's doing what I'm doing. It'd be alot easier if I had some help..heh! My Aireo work directory has reached 236MB...thats a buttload of stuff. Mostly duplicate images of Aireo.bin but alot of other tools and images and stuff too. I need to start working on redesigning this page so that it can actually be of any use.
But anyway, not much progress in the past week or two. I need to refocus my attention onto re-compressing the BIN's extracted using splitrom.pl back to their original size/type so they can be uploaded to the Aireo. I might try updating the Aireo with the newly extracted BIN (it's 30.xxMB's compared to the ready-to-flash BIN that comes with SoniqCast which is about 8MB's.) Although, if I use splitrom.pl to extract the BIN that I need from Aireo.bin and use viewbin.exe, both firmware images are almost exactly identical...EXCEPT for the obvious sizes, here's a comparison:

Differences are bolded and italicized.

ORIGINAL AIREO.BIN

NEW.BIN (UNCOMPRESSED AIREO.BIN)

ViewBin... Aireo.bin
Image Start = 0x80040000, length = 0x0073EE38
        Start address = 0x80041000
Found pTOC = 0x8024E0B8
Checking record #17 for potential TOC (ROMOFFSET = 0x00000000)
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E801F6
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x8077EE38
    RAM Start           : 0x80780000
    RAM Free            : 0x807A9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250FB4
    Num Modules         :         69
    Num Files           :         46
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x80786000   CLen: 0x6FF      DLen: 0x22F5C

MODULES ---------------------------------------
    12/20/2004 19:34:29      273920 nk.exe
    12/20/2004 19:39:41      461824 coredll.dll
    12/20/2004 19:39:41      201728 filesys.exe
    12/20/2004 19:39:42      545280 gwes.exe
    12/20/2004 19:26:18       25600 device.exe
    12/20/2004 19:26:49        6144 regenum.dll
    12/20/2004 19:26:17       33792 pm.dll
    12/20/2004 19:26:58       55808 fatfsd.dll
    12/20/2004 19:39:43       34816 fatutil.dll
    12/20/2004 19:39:44      350720 commctrl.dll
    12/20/2004 19:39:41       66560 commdlg.dll
    12/20/2004 19:26:57       60928 fsdmgr.dll
    12/20/2004 19:34:24       12288 sdmmc.dll
    12/20/2004 19:26:58       17408 mspart.dll
    12/20/2004 19:39:43       55296 waveapi.dll
    12/20/2004 19:27:00       27648 audevman.dll
    12/20/2004 19:26:20        7168 ceddk.dll
    12/20/2004 19:39:42      189952 netui.dll
    12/20/2004 19:26:52        8192 ethman.dll
    12/20/2004 19:26:33       11264 cxport.dll
    12/20/2004 19:26:37       53760 iphlpapi.dll
    12/20/2004 19:26:35        5632 winsock.dll
    12/20/2004 19:26:34       34816 ws2.dll
    12/20/2004 19:26:35        5632 ws2instl.dll
    12/20/2004 19:26:35        9216 wspm.dll
    12/20/2004 19:26:36       10240 nspm.dll
    12/20/2004 19:26:36       78336 afd.dll
    12/20/2004 19:26:39      135168 ndis.dll
    12/20/2004 19:26:55       17408 ndisuio.dll
    12/20/2004 19:26:51       25600 dhcp.dll
    12/20/2004 19:26:40      330752 tcpstk.dll
    12/20/2004 19:26:50       27648 serial.dll
    12/20/2004 19:26:47        6656 mmtimer.dll
    12/20/2004 19:28:01      179200 ole32.dll
    12/20/2004 19:28:02      184320 oleaut32.dll
    12/20/2004 19:39:46      121344 mlang.dll
    12/20/2004 19:39:45      134656 shlwapi.dll
    12/20/2004 19:39:45       29696 IECEExt.dll
    12/20/2004 19:28:32      289280 shdocvw.dll
    12/20/2004 19:39:45      473600 wininet.dll
    12/20/2004 19:39:46      289792 urlmon.dll
    12/20/2004 19:39:46      203776 ceshell.dll
    12/20/2004 19:39:46      261120 explorer.exe
    12/20/2004 19:29:04        9728 shcore.dll
    12/20/2004 19:39:46       16384 control.exe
    12/20/2004 19:29:08        6656 ctlpnl.exe
    12/20/2004 19:39:46      187904 cplmain.cpl
    12/20/2004 19:39:47       47616 intll.cpl
    12/20/2004 19:39:47       22016 stguil.cpl
    12/20/2004 19:39:45      384512 quartz.dll
    12/20/2004 19:29:24       26624 msdmo.dll
    12/20/2004 19:29:35        4608 acmdwrap.dll
    12/20/2004 19:29:25       49152 mp3dmod.dll
    12/20/2004 19:39:45      483328 dxmasf.dll
    12/20/2004 19:29:25      123904 wmadmod.dll
    12/20/2004 19:29:26      332800 wmsdmod.dll
    12/20/2004 19:37:06      708608 PlayerAppMain.exe
    12/20/2004 19:34:33       19456 sqcache.dll
    12/20/2004 19:34:22       39936 umsdrv.dll
    12/20/2004 19:34:21       19968 cfdisk.dll
    12/20/2004 19:34:24        7168 sdmmc_loader.dll
    12/20/2004 19:34:23       55296 ddi.dll
    12/20/2004 19:34:22       35328 wavedev.dll
    12/20/2004 19:34:23        9216 kbdmouse.dll
    12/20/2004 19:39:46       49152 pcmcia.dll
    12/20/2004 19:34:22       18432 battdrvr.dll
    12/20/2004 19:34:28        5632 pmudll.dll
     6/05/2004 00:52:54       73728 AReadyLB.dll
    10/14/2003 12:41:38      699392 prism3.dll

FILES ----------------------------------------
     12/20/2004 19:27:10 C_R_       1809       8022                ceconfig.h (ROM 0x801954BC)
     12/20/2004 19:39:39 _HRS          0     210958                 wince.nls (ROM 0x80733784)
     12/20/2004 19:39:40 CHRS       3156      18144               initobj.dat (ROM 0x80215338)
     12/20/2004 19:39:39 CHRS      26187     127218               default.fdf (ROM 0x80766F94)
     12/20/2004 19:39:40 CHRS       1903       5434                initdb.ini (ROM 0x802354B4)
      3/21/2003 05:00:00 _HR_          0        134                 close.2bp (ROM 0x8007FB7C)
      3/21/2003 05:00:00 _HR_          0        134                    ok.2bp (ROM 0x8007FC04)
      3/21/2003 05:00:00 CHR_        598       1030                 stdsm.2bp (ROM 0x8007FC8C)
      3/21/2003 05:00:00 CHR_        456        838                viewsm.2bp (ROM 0x80195BD0)
      3/21/2003 05:00:00 CHR_        702       2038                 stdsm.bmp (ROM 0x80235C24)
      3/21/2003 05:00:00 CHR_        518       1654                viewsm.bmp (ROM 0x80195D98)
     12/20/2004 19:39:42 C_R_        802       3584                netmui.dll (ROM 0x80250424)
      3/21/2003 05:00:00 _HRS          0         69               appdata.ini (ROM 0x8007FEE4)
      3/21/2003 05:00:00 _HRS          0         69      desktopdirectory.ini (ROM 0x8007FF2C)
      3/21/2003 05:00:00 _HRS          0         69             favorites.ini (ROM 0x8007FF74)
      3/21/2003 05:00:00 _HRS          0         69                 fonts.ini (ROM 0x80195FA0)
      3/21/2003 05:00:00 _HRS          0         69           mydocuments.ini (ROM 0x80235EE4)
      3/21/2003 05:00:00 _HRS          0         69          programfiles.ini (ROM 0x80235F2C)
      3/21/2003 05:00:00 _HRS          0         69              programs.ini (ROM 0x80235F74)
      3/21/2003 05:00:00 _HRS          0         69                recent.ini (ROM 0x80250748)
      3/21/2003 05:00:00 _HRS          0         69               startup.ini (ROM 0x80250790)
      3/21/2003 05:00:00 _HRS          0         24               explore.lnk (ROM 0x804F0FE4)
      3/21/2003 05:00:00 C_RS       7397      55990             windowsce.bmp (ROM 0x8076D5E0)
      3/21/2003 05:00:00 _HRS          0         23               control.lnk (ROM 0x80633FD4)
      3/21/2003 05:00:00 CHRS        502        739               copyrts.txt (ROM 0x802507D8)
      3/21/2003 05:00:00 C_RS       1862       3116              asterisk.wav (ROM 0x80634410)
      3/21/2003 05:00:00 C_RS       1822       3388                 close.wav (ROM 0x80246404)
      3/21/2003 05:00:00 C_RS       2610       2970              critical.wav (ROM 0x806153FC)
      3/21/2003 05:00:00 C_RS        898       2682               default.wav (ROM 0x802509D0)
      3/21/2003 05:00:00 C_RS       2984       3946                 empty.wav (ROM 0x800EC3D8)
      3/21/2003 05:00:00 C_RS       3734       9204                exclam.wav (ROM 0x801C2164)
      3/21/2003 05:00:00 C_RS       2283       5656                infbeg.wav (ROM 0x801AC238)
      3/21/2003 05:00:00 C_RS       1000       1778                infend.wav (ROM 0x80634B58)
      3/21/2003 05:00:00 C_RS       1980       2088               infintr.wav (ROM 0x804821F8)
      3/21/2003 05:00:00 C_RS        824        834               menupop.wav (ROM 0x80246B24)
      3/21/2003 05:00:00 __RS          0        360               menusel.wav (ROM 0x80250D54)
      3/21/2003 05:00:00 C_RS       1964       3388              openprog.wav (ROM 0x806011F4)
      3/21/2003 05:00:00 C_RS       1314       1836              question.wav (ROM 0x804829B4)
      3/21/2003 05:00:00 C_RS       6624       8508               startup.wav (ROM 0x8076F2C8)
      3/21/2003 05:00:00 C_RS       2112       2712               windmax.wav (ROM 0x8022317C)
      3/21/2003 05:00:00 C_RS       2140       2866               windmin.wav (ROM 0x80253100)
      3/21/2003 05:00:00 C_RS       1964       3388              recstart.wav (ROM 0x806140CC)
      3/21/2003 05:00:00 C_RS       1822       3388                recend.wav (ROM 0x80614878)
     10/14/2003 12:41:39 _HRS          0       4240               sqfonts.fon (ROM 0x80770CA8)
      3/21/2003 05:00:00 _HRS          0      53504                 arial.fon (ROM 0x80771D38)
      3/21/2003 05:00:00 C_RS        932        974             unlatched.wav (ROM 0x801ACB24)
Done.

ViewBin... New.bin
Image Start = 0x80040000, length = 0x01EC0000
        Start address = 0x80040000
Found pTOC = 0x8024E0B8
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E801F6
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x8077EE38
    RAM Start           : 0x80780000
    RAM Free            : 0x807A9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250FB4
    Num Modules         :         69
    Num Files           :         46
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x80786000   CLen: 0x6FF      DLen: 0x22F5C

MODULES ---------------------------------------
    12/20/2004 19:34:29      273920 nk.exe
    12/20/2004 19:39:41      461824 coredll.dll
    12/20/2004 19:39:41      201728 filesys.exe
    12/20/2004 19:39:42      545280 gwes.exe
    12/20/2004 19:26:18       25600 device.exe
    12/20/2004 19:26:49        6144 regenum.dll
    12/20/2004 19:26:17       33792 pm.dll
    12/20/2004 19:26:58       55808 fatfsd.dll
    12/20/2004 19:39:43       34816 fatutil.dll
    12/20/2004 19:39:44      350720 commctrl.dll
    12/20/2004 19:39:41       66560 commdlg.dll
    12/20/2004 19:26:57       60928 fsdmgr.dll
    12/20/2004 19:34:24       12288 sdmmc.dll
    12/20/2004 19:26:58       17408 mspart.dll
    12/20/2004 19:39:43       55296 waveapi.dll
    12/20/2004 19:27:00       27648 audevman.dll
    12/20/2004 19:26:20        7168 ceddk.dll
    12/20/2004 19:39:42      189952 netui.dll
    12/20/2004 19:26:52        8192 ethman.dll
    12/20/2004 19:26:33       11264 cxport.dll
    12/20/2004 19:26:37       53760 iphlpapi.dll
    12/20/2004 19:26:35        5632 winsock.dll
    12/20/2004 19:26:34       34816 ws2.dll
    12/20/2004 19:26:35        5632 ws2instl.dll
    12/20/2004 19:26:35        9216 wspm.dll
    12/20/2004 19:26:36       10240 nspm.dll
    12/20/2004 19:26:36       78336 afd.dll
    12/20/2004 19:26:39      135168 ndis.dll
    12/20/2004 19:26:55       17408 ndisuio.dll
    12/20/2004 19:26:51       25600 dhcp.dll
    12/20/2004 19:26:40      330752 tcpstk.dll
    12/20/2004 19:26:50       27648 serial.dll
    12/20/2004 19:26:47        6656 mmtimer.dll
    12/20/2004 19:28:01      179200 ole32.dll
    12/20/2004 19:28:02      184320 oleaut32.dll
    12/20/2004 19:39:46      121344 mlang.dll
    12/20/2004 19:39:45      134656 shlwapi.dll
    12/20/2004 19:39:45       29696 IECEExt.dll
    12/20/2004 19:28:32      289280 shdocvw.dll
    12/20/2004 19:39:45      473600 wininet.dll
    12/20/2004 19:39:46      289792 urlmon.dll
    12/20/2004 19:39:46      203776 ceshell.dll
    12/20/2004 19:39:46      261120 explorer.exe
    12/20/2004 19:29:04        9728 shcore.dll
    12/20/2004 19:39:46       16384 control.exe
    12/20/2004 19:29:08        6656 ctlpnl.exe
    12/20/2004 19:39:46      187904 cplmain.cpl
    12/20/2004 19:39:47       47616 intll.cpl
    12/20/2004 19:39:47       22016 stguil.cpl
    12/20/2004 19:39:45      384512 quartz.dll
    12/20/2004 19:29:24       26624 msdmo.dll
    12/20/2004 19:29:35        4608 acmdwrap.dll
    12/20/2004 19:29:25       49152 mp3dmod.dll
    12/20/2004 19:39:45      483328 dxmasf.dll
    12/20/2004 19:29:25      123904 wmadmod.dll
    12/20/2004 19:29:26      332800 wmsdmod.dll
    12/20/2004 19:37:06      708608 PlayerAppMain.exe
    12/20/2004 19:34:33       19456 sqcache.dll
    12/20/2004 19:34:22       39936 umsdrv.dll
    12/20/2004 19:34:21       19968 cfdisk.dll
    12/20/2004 19:34:24        7168 sdmmc_loader.dll
    12/20/2004 19:34:23       55296 ddi.dll
    12/20/2004 19:34:22       35328 wavedev.dll
    12/20/2004 19:34:23        9216 kbdmouse.dll
    12/20/2004 19:39:46       49152 pcmcia.dll
    12/20/2004 19:34:22       18432 battdrvr.dll
    12/20/2004 19:34:28        5632 pmudll.dll
     6/05/2004 00:52:54       73728 AReadyLB.dll
    10/14/2003 12:41:38      699392 prism3.dll

FILES ----------------------------------------
     12/20/2004 19:27:10 C_R_       1809       8022                ceconfig.h (ROM 0x801954BC)
     12/20/2004 19:39:39 _HRS          0     210958                 wince.nls (ROM 0x80733784)
     12/20/2004 19:39:40 CHRS       3156      18144               initobj.dat (ROM 0x80215338)
     12/20/2004 19:39:39 CHRS      26187     127218               default.fdf (ROM 0x80766F94)
     12/20/2004 19:39:40 CHRS       1903       5434                initdb.ini (ROM 0x802354B4)
      3/21/2003 05:00:00 _HR_          0        134                 close.2bp (ROM 0x8007FB7C)
      3/21/2003 05:00:00 _HR_          0        134                    ok.2bp (ROM 0x8007FC04)
      3/21/2003 05:00:00 CHR_        598       1030                 stdsm.2bp (ROM 0x8007FC8C)
      3/21/2003 05:00:00 CHR_        456        838                viewsm.2bp (ROM 0x80195BD0)
      3/21/2003 05:00:00 CHR_        702       2038                 stdsm.bmp (ROM 0x80235C24)
      3/21/2003 05:00:00 CHR_        518       1654                viewsm.bmp (ROM 0x80195D98)
     12/20/2004 19:39:42 C_R_        802       3584                netmui.dll (ROM 0x80250424)
      3/21/2003 05:00:00 _HRS          0         69               appdata.ini (ROM 0x8007FEE4)
      3/21/2003 05:00:00 _HRS          0         69      desktopdirectory.ini (ROM 0x8007FF2C)
      3/21/2003 05:00:00 _HRS          0         69             favorites.ini (ROM 0x8007FF74)
      3/21/2003 05:00:00 _HRS          0         69                 fonts.ini (ROM 0x80195FA0)
      3/21/2003 05:00:00 _HRS          0         69           mydocuments.ini (ROM 0x80235EE4)
      3/21/2003 05:00:00 _HRS          0         69          programfiles.ini (ROM 0x80235F2C)
      3/21/2003 05:00:00 _HRS          0         69              programs.ini (ROM 0x80235F74)
      3/21/2003 05:00:00 _HRS          0         69                recent.ini (ROM 0x80250748)
      3/21/2003 05:00:00 _HRS          0         69               startup.ini (ROM 0x80250790)
      3/21/2003 05:00:00 _HRS          0         24               explore.lnk (ROM 0x804F0FE4)
      3/21/2003 05:00:00 C_RS       7397      55990             windowsce.bmp (ROM 0x8076D5E0)
      3/21/2003 05:00:00 _HRS          0         23               control.lnk (ROM 0x80633FD4)
      3/21/2003 05:00:00 CHRS        502        739               copyrts.txt (ROM 0x802507D8)
      3/21/2003 05:00:00 C_RS       1862       3116              asterisk.wav (ROM 0x80634410)
      3/21/2003 05:00:00 C_RS       1822       3388                 close.wav (ROM 0x80246404)
      3/21/2003 05:00:00 C_RS       2610       2970              critical.wav (ROM 0x806153FC)
      3/21/2003 05:00:00 C_RS        898       2682               default.wav (ROM 0x802509D0)
      3/21/2003 05:00:00 C_RS       2984       3946                 empty.wav (ROM 0x800EC3D8)
      3/21/2003 05:00:00 C_RS       3734       9204                exclam.wav (ROM 0x801C2164)
      3/21/2003 05:00:00 C_RS       2283       5656                infbeg.wav (ROM 0x801AC238)
      3/21/2003 05:00:00 C_RS       1000       1778                infend.wav (ROM 0x80634B58)
      3/21/2003 05:00:00 C_RS       1980       2088               infintr.wav (ROM 0x804821F8)
      3/21/2003 05:00:00 C_RS        824        834               menupop.wav (ROM 0x80246B24)
      3/21/2003 05:00:00 __RS          0        360               menusel.wav (ROM 0x80250D54)
      3/21/2003 05:00:00 C_RS       1964       3388              openprog.wav (ROM 0x806011F4)
      3/21/2003 05:00:00 C_RS       1314       1836              question.wav (ROM 0x804829B4)
      3/21/2003 05:00:00 C_RS       6624       8508               startup.wav (ROM 0x8076F2C8)
      3/21/2003 05:00:00 C_RS       2112       2712               windmax.wav (ROM 0x8022317C)
      3/21/2003 05:00:00 C_RS       2140       2866               windmin.wav (ROM 0x80253100)
      3/21/2003 05:00:00 C_RS       1964       3388              recstart.wav (ROM 0x806140CC)
      3/21/2003 05:00:00 C_RS       1822       3388                recend.wav (ROM 0x80614878)
     10/14/2003 12:41:39 _HRS          0       4240               sqfonts.fon (ROM 0x80770CA8)
      3/21/2003 05:00:00 _HRS          0      53504                 arial.fon (ROM 0x80771D38)
      3/21/2003 05:00:00 C_RS        932        974             unlatched.wav (ROM 0x801ACB24)
Done.

So, once again I need to figure out how to compress the NEW BIN back to the OLD BIN's size...I'm working on figuring that out. After I figure that out I'll start working on injecting files into the BIN's and ultimately updating the Aireo firmware with my fresh new firmware images.

03/03/2005 - 2PM - Aireo2 (software) "insider" info and speculation.

SoniqSync Version 3.7.0 - Rolf ?
Went through SoniqCast's website again and found another interesting file: SoniqSync_3_7_0_Rolf_3.zip. Again inside there's a SoniqSync.exe.
This is the SoniqCast software for the new (yet to be released) Aireo2! It looks like they're just beta testing the software (because there's still pictures and references to the first Aireo), but looking through it there's no doubt it's targeted for the Aireo2 (the 7 in 3.7.0 should be a hint that this is a VERY new version). Inside there are references to Aireo2 such as this one:

And this:

    Looking through the Menu string references I noticed something that said "Download Add-ins..." right below "Update Software..." Could this be some new fangled magical feature that will make the SoniqSync software better? Could be. Something like an Ogg-to-MP3 "Add-In" could be usefull..
    Further on in the file I found a dialog that contains some references to ReplayRadio. Seems that this version of SoniqSync (And the Aireo2 player) will have integrated access to ReplayRadio (http://www.replay-radio.com/) content:

On a lighter note, users will need Windows Media Player 9+ to access the new SoniqSync:

Final Aireo2 thoughts:
    So just by looking at this file alone I can speculate that Aireo2 will be using MOST if not all of the same technology as the previous Aireo. Just with improvements, of course. It will still be running some version of Windows CE possibly (preferably) 5.0. And the updates seem to be made the same way so working with the Firwmare will be fun.
    Finally, I think (just my personal guess) that the SoniqCast team uses code names for the Aireo's...Arden for Aireo and Rolf for Aireo2. Just a guess untill I see something that tells me I'm wrong. Hmm, or it could be just code names for the releases of SoniqSync...who knows?
    From all I've seen of Aireo2 on SoniqCast's website, it looks like a great player...too bad I might not be able to buy it for a while (hint: PSP).

02/27/2005 - 11PM - Moving along nicely.

Had a BRILLIANT idea. Use SoniqSync 3.2.2 to "upgrade" Aireo's firmware...but with the OLD 3.2.1 Aireo.bin firmware...IT WORKED!! I actually hinted at this idea on 02/14 but never got around to it until now. What I did: Upgraded SoniqCast to 3.2.2, copied over 3.2.1's Aireo.bin into SoniqSync's directory. Fired up SoniqSync_Arden.exe and it popped up with the "your Aireo needs to be upgraded message", I clicked "Upgrade" knowing full well that I had 3.2.1's Aireo/EBOOT .bins in there. The upgrade went perfect. Aireo rebooted and I plugged the cable back in only to be greeted with the same message again...AND THATS EXACTLY WHAT I WANTED!

Here is the Ssp.log (thanks SoniqSync_Arden.exe!):

<INFO>   ********** Log initialized **********     - c:\soniqcastsw\sharedsw\log.cpp(106)
<INFO>   InitInstance START     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(109)
<INFO>   Opened file: C:\Program Files\SoniqCast\SoniqSync\Sched.db     - c:\soniqcastsw\sharedsw\cfiledb.cpp(187)
<INFO>   SCHEDDB: Calculating minutes until sync for an entry...     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(927)
<INFO>   SCHEDDB: dtPrev = 02/27/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(928)
<INFO>   SCHEDDB: dtNext = 02/28/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(929)
<INFO>   SCHEDDB: dtLast = 12/23/04 13:05:14     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(930)
<INFO>   SCHEDDB: dtNOW = 02/27/05 23:48:47     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(931)
<INFO>   SCHEDDB: iMinTillSync = 191     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(982)
<INFO>   SCHEDDB: Calculated next sync (min): 188     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1354)
<INFO>   SCHEDDB: Calculated next sync (abs): -112800000000     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1357)
<INFO>   InitInstance DoModal     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(357)
<INFO>   CSSS: Found the following local MACs:     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2558)
<INFO>   MAC #0 = 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2562)
<INFO>   CSS: Found existing primary MAC: 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2355)
<INFO>   CSS: Existing primary MAC still present     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2366)
<INFO>   CSSS: Using primary MAC: 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2388)
<INFO>   UDP: Receiving on local IP address     - c:\soniqcastsw\sharedsw\cudprecvmsg.cpp(360)
<INFO>   IP address: 0.0.0.0:3803     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   UDP: Sending on IP address     - c:\soniqcastsw\sharedsw\cudpsendmsg.cpp(286)
<INFO>   IP address: 0.0.0.0     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   TCP: Server listening on local IP address     - c:\soniqcastsw\hostsw\soniqcast\sss\ctcpserver.cpp(328)
<INFO>   IP address: 0.0.0.0:3803     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   CSSS: Init() waited 0 ms for base class msg window creation     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(178)
<INFO>   CSSS: SoniqSync Server initialized     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(185)
<INFO>   USB: Checking USB devices...     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1744)
<ERROR> DeviceIoControl() failed: 1     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1961)
<INFO>   USB: Connecting device: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1861)
<INFO>   USB: New connection accepted on drive E     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1320)
<INFO>   Device wants to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1425)
<INFO>   Device allowed to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1474)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread starting     - c:\soniqcastsw\sharedsw\cconn.cpp(304)
<INFO>   Device has older firmware: 3002001     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(147)
<INFO>   USB: Finished checking USB devices     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1908)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_START Ok 0 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify REQ: FW Upgrade     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(7049)
<INFO>   Firmware upgrade request declined     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(157)
<INFO>   CSS: Connection to 00-0A-E9-XX-XX-XX ended     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(835)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Stopping...     - c:\soniqcastsw\sharedsw\cconn.cpp(129)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_END Bad software version 3002002 3002001
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread returning     - c:\soniqcastsw\sharedsw\cconn.cpp(309)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Stopped     - c:\soniqcastsw\sharedsw\cconn.cpp(174)
<INFO>   CSS: Destructor closing all connections     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(64)
<INFO>   CSS: CloseConnection(ALL)     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(398)
<INFO>   CSS: Destructor waiting for all connections to end     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(72)
<INFO>   CSS: All connections have ended     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(100)
<INFO>   ********** Log initialized **********     - c:\soniqcastsw\sharedsw\log.cpp(106)
<INFO>   InitInstance START     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(109)
<INFO>   Opened file: C:\Program Files\SoniqCast\SoniqSync\Sched.db     - c:\soniqcastsw\sharedsw\cfiledb.cpp(187)
<INFO>   SCHEDDB: Calculating minutes until sync for an entry...     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(927)
<INFO>   SCHEDDB: dtPrev = 02/27/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(928)
<INFO>   SCHEDDB: dtNext = 02/28/05 03:00:00     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(929)
<INFO>   SCHEDDB: dtLast = 12/23/04 13:05:14     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(930)
<INFO>   SCHEDDB: dtNOW = 02/27/05 23:52:27     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(931)
<INFO>   SCHEDDB: iMinTillSync = 187     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(982)
<INFO>   SCHEDDB: Calculated next sync (min): 184     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1354)
<INFO>   SCHEDDB: Calculated next sync (abs): -110400000000     - c:\soniqcastsw\hostsw\soniqcast\sss\cscheddb.cpp(1357)
<INFO>   InitInstance DoModal     - c:\soniqcastsw\hostsw\soniqcast\ssp\ssp.cpp(357)
<INFO>   CSSS: Found the following local MACs:     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2558)
<INFO>   MAC #0 = 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2562)
<INFO>   CSS: Found existing primary MAC: 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2355)
<INFO>   CSS: Existing primary MAC still present     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2366)
<INFO>   CSSS: Using primary MAC: 00-00-E8-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(2388)
<INFO>   UDP: Receiving on local IP address     - c:\soniqcastsw\sharedsw\cudprecvmsg.cpp(360)
<INFO>   IP address: 0.0.0.0:3803     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   UDP: Sending on IP address     - c:\soniqcastsw\sharedsw\cudpsendmsg.cpp(286)
<INFO>   IP address: 0.0.0.0     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   TCP: Server listening on local IP address     - c:\soniqcastsw\hostsw\soniqcast\sss\ctcpserver.cpp(328)
<INFO>   IP address: 0.0.0.0:3803     - c:\soniqcastsw\sharedsw\scnet.cpp(577)
<INFO>   CSSS: Init() waited 0 ms for base class msg window creation     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(178)
<INFO>   CSSS: SoniqSync Server initialized     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(185)
<INFO>   USB: Checking USB devices...     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1744)
<ERROR> DeviceIoControl() failed: 1     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1961)
<INFO>   USB: Connecting device: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1861)
<INFO>   USB: New connection accepted on drive E     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1320)
<INFO>   Device wants to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1425)
<INFO>   Device allowed to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1474)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread starting     - c:\soniqcastsw\sharedsw\cconn.cpp(304)
<INFO>   Device has older firmware: 3002001     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(147)
<INFO>   USB: Finished checking USB devices     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1908)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_START Ok 0 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify REQ: FW Upgrade     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(7049)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Transaction start: eMSG_FW_UPG_REQ     - c:\soniqcastsw\sharedsw\cconn.cpp(431)
<INFO>   Number of files to add = 2     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(1490)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eTRANS_START Ok eMSG_FW_UPG_REQ 2
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Deleted file: E:\SoniqCast\FwUpg\EBOOT.bin     - c:\soniqcastsw\sharedsw\scfile.cpp(47)
<INFO>   Deleted file: E:\SoniqCast\FwUpg\Aireo.bin     - c:\soniqcastsw\sharedsw\scfile.cpp(47)
<INFO>   Removed directory: E:\SoniqCast\FwUpg     - c:\soniqcastsw\sharedsw\scfile.cpp(80)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eFILE_START Ok 109127 0 C:\Program Files\SoniqCast\SoniqSync\EBOOT.bin
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eFILE_END Ok 0 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eFILE_START Ok 7554367 0 C:\Program Files\SoniqCast\SoniqSync\Aireo.bin
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eFILE_END Ok 0 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eTRANS_END Ok eMSG_FW_UPG_REQ 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Transaction end: eMSG_FW_UPG_REQ     - c:\soniqcastsw\sharedsw\cconn.cpp(465)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread returning     - c:\soniqcastsw\sharedsw\cconn.cpp(309)
<INFO>   CSS: Connection to 00-0A-E9-XX-XX-XX ended     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(835)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Stopping...     - c:\soniqcastsw\sharedsw\cconn.cpp(129)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_END Ok eMSG_PING_REQ 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   USB: Detected removal of drive E:     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1710)
<INFO>   USB: Checking USB devices...     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1744)
<ERROR> DeviceIoControl() failed: 1     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1961)
<INFO>   USB: Finished checking USB devices     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1908)
<INFO>   USB: Detected arrival of drive E:     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1706)
<INFO>   USB: Checking USB devices...     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1744)
<ERROR> DeviceIoControl() failed: 1     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1961)
<INFO>   USB: Connecting device: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1861)
<INFO>   USB: New connection accepted on drive E     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1320)
<INFO>   Device wants to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1425)
<INFO>   Device allowed to connect: 00-0A-E9-XX-XX-XX     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1474)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread starting     - c:\soniqcastsw\sharedsw\cconn.cpp(304)
<INFO>   Device has older firmware: 3002001     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(147)
<INFO>   USB: Finished checking USB devices     - c:\soniqcastsw\hostsw\soniqcast\sss\csss.cpp(1908)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_START Ok 0 0
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   Notify REQ: FW Upgrade     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(7049)
<INFO>   Firmware upgrade request declined     - c:\soniqcastsw\hostsw\soniqcast\sss\csssusbconn.cpp(157)
<INFO>   CSS: Connection to 00-0A-E9-XX-XX-XX ended     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(835)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Stopping...     - c:\soniqcastsw\sharedsw\cconn.cpp(129)
<INFO>   Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_END Bad software version 3002002 3002001
     - c:\soniqcastsw\hostsw\soniqcast\ssp\sspdlg.cpp(5104)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Thread returning     - c:\soniqcastsw\sharedsw\cconn.cpp(309)
<INFO>   CON: 00-0A-E9-XX-XX-XX: Stopped     - c:\soniqcastsw\sharedsw\cconn.cpp(174)
<INFO>   CSS: Destructor closing all connections     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(64)
<INFO>   CSS: CloseConnection(ALL)     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(398)
<INFO>   CSS: Destructor waiting for all connections to end     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(72)
<INFO>   CSS: All connections have ended     - c:\soniqcastsw\sharedsw\csoniqsync.cpp(100)

ALOT of interesting information! This is the Ssp.log of me UPGRADING the Aireo firmware afterwhich SoniqCast tells me that it needs to upgrade again (remember I upgraded using 3.2.1 firmware so there wasn't really an upgrade). This seems simple enough...Aireo.bin and EBOOT.bin are copied over to E:\SoniqCast\FwUpg\ (the old ones are deleted first) then it seems that the software sends a signal that tells the Aireo "ok, we're done, now FLASH YOURSELF" what could this signal be? Could it be "eMSG_FW_UPG_REQ 0"? Oh well, will figure that out later. Would be good for writing my own "Flashing" program that basically copies the new firmware to E:\SoniqCast\FwUpg\ and sends that "upgrade yourself" command over USB.

So, as it stands, I don't really need to crack SoniqSync.exe anymore (at least not yet). Although it was a fun pursuit and I know I can still do it, I found an easier way and for now I'll stick with this method. To recap, SoniqSync 3.2.2's Aireo.bin did NOT want to "extract" like 3.2.1's. So I decided to stick with the 3.2.1 firmware image. I'll keep working on extracting 3.2.2 but as of right now the main goal has shifted to injecting Aireo.bin with my own files.

This page is turning out to be REALLY huge. I never thought I'd do this much "tinkering" with the Aireo...but the little bugger is just so giving! Going to have to split up this page and actually make some sense out of it.

02/26/2005 - 11PM - SoniqSync...Arden? Gran Turismo 4 eats time.

    Took a long-overdue vacation from everything. Also Gran Turismo 4 is starting to eat up most of my time.

Just upgraded to SoniqSync 3.2.2...SEEMS THAT 3.2.2's ROM FIRMWARE DOESN'T WANT TO PLAY NICE AND EXTRACT! Shit.

Debugging SoniqSync.exe (Original 3.2.2):
Plugged SoniqSync.exe into the Debugger part of IDA and found these interesting debug output messages when the Aireo is plugged in:

       Debugger message: Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_START Ok 0 0
       Debugger message: Notify MSG: [00-0A-E9-XX-XX-XX] eCONN_END Bad software version 3002002 3002001

SoniqSync (Arden)?:
    Went back to SoniqCast's site to try to find SoniqSync 3.2.1 but instead found something VERY interesting...something called "SoniqSync_Arden.zip"
    What is it? At first glance it seems to be just the regular old SoniqCast 3.2.2 software. (Inside that zip there is a 5.0MB SoniqSync.exe as opposed to the regular SoniqSync.exe which is 4.92MB.) I ran the program and it looked all normal, untill I noticed a new file was created in the same folder as SoniqSync_Arden.exe (I renamed it). That file is "Ssp.log" and here's what it holds:

    Hmm, alot of very weird and interesting details. This SEEMS to be a "debug" build of SoniqSync!...thanks SoniqCast! Heh.
    BTW, SoniqSync_Arden.zip is GONE from their website now....but I got backups.

Debugging SoniqSync_Arden.exe:
    I then pumped SoniqSync_Arden.exe into IDA and found this INTERESTING tidbit of text!

.rdata:007EE04C aFirmwareUpgrad db 'Firmware upgrade request declined',0
.rdata:007EE04C                                         ; DATA XREF: .text:006C0030o
.rdata:007EE06E                 db    0 ;
.rdata:007EE06F                 db    0 ;
.rdata:007EE070                 db    0 ;
.rdata:007EE071                 db    0 ;
.rdata:007EE072                 db    0 ;
.rdata:007EE073                 db    0 ;
.rdata:007EE074 aDeviceHasOlder db 'Device has older firmware: ',0
.rdata:007EE074                                         ; DATA XREF: .text:006BFF89o
.rdata:007EE090                 db    0 ;

[...]

.rdata:007EE0D7                 db    0 ;
.rdata:007EE0D8 aDeviceHasNewer db 'Device has newer firmware: ',0
.rdata:007EE0D8                                         ; DATA XREF: .text:006BFEF1o
.rdata:007EE0F4                 db    0 ;

[...]

.rdata:007EE184 aGetversionexFa db 'GetVersionEx() failed: ',0 ; DATA XREF: .text:006C3E55o
.rdata:007EE19C                 db    0 ;
.rdata:007EE19D                 db    0 ;
.rdata:007EE19E                 db    0 ;
.rdata:007EE19F                 db    0 ;
.rdata:007EE1A0 aNoFilesSpecifi db 'No files specified for firmware upgrade',0

Very interesting indeed, now to find the "upgrade Aireo" portion of the code and patch it's "Firmware version is current" code to signal the need to upgrade; thus a version of SoniqCast to upgrade the firmware of Aireo as often as needed will be born.
Added breakpoints on GetVersionEx, all calls to "Firmware" related strings (reads). On startup, SoniqSynq_Arden.exe makes a check of the firmware and calls "Device has older firmware" five times...hmm! Then after I press "Cancel" on the screen that asks me if I want to upgrade, SoniqSynq_Arden.exe calls the "Firmware upgrade request declined" function...and then IDA crashed, heh. Weird.

006bff89??

02/18/2005 - 1AM - Bad injection.

GOAL: Inject Firmware BIN (First New.bin then Aireo.bin) with new PlayerAppMain.exe.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcepb40/html/_wcepb_how_a_rom_image_is_created.asp <-- how a ROM image is created

Extracted Aireo splash bitmap using ResHacker (#147).
Edited it. Plugged it back into ResHacker.

Used dumprom.exe to find offset of PlayerAppMain.exe in "New.bin" remember "New.bin" was extracted from Aireo.bin (-wo New.bin).

8024e80c - 8024e82c L00000020 modent 56 00000001 01c4e6cb49cc6b67 708608 8082f000 PlayerAppMain.exe

80268fd8 - 80268fea L00000012 modname PlayerAppMain.exe

80392c7c - 80392ce8 L0000006c e32 struct 5 objs, img=010f entrypt=0007e784 base=00010000 v4.20 tp9 PlayerAppMain.exe
80392ce8 - 80392d60 L00000078 o32 struct PlayerAppMain.exe

8053e000 - 805bbb34 L0007db34 o32 region_0 rva=00001000 vsize=0007db34 real=00011000 psize=0007dc00 f=60000020 for PlayerAppMain.exe

perl splitrom.pl New.bin -rm PlayerAppMain.exe:0x80392c7c -wo New2.bin <--- REPLACES WRONG DATA (blank data, and adds in Player) <- bad..but a start.

Figure out EXACT location of WHOLE file....

02/16/2005 - 11PM - Oh. My. God. This is fun! Hmm, this isn't AOL...

SUCCESS!! (For real this time.)

(Yep, thats all the files extracted from Aireo.bin!) (Version 3.2.1)

    OH, MY, GOD! I did it. I FINALLY DID IT!
After 3 days straight of staying up untill 4pm and neglecting almost everything....I succeeded in doing what I came out to do: extract something (ANYTHING) out of Aireo.bin. YES, OH GOD YES!
    What good is this? I don't know yet. But I WANTED to do this and I DID IT. I mean, you can't just plug this thing into the USB port and copy the files off...THESE FILES ARE SACRED..mainly "PlayerAppMain.exe" which I found a reference to and got VERY excited about yesterday.

    I put all my brain-power into this. No, I didn't write mkrom or dumprom. But I did find them and after spending so many days trying and trying finally got it to work. dumprom and the mkrom toolset were written for the CE OS but for a different architecture, so it took some time and guess-and-check work to actually be able to get something useful. This is all the information I am able to spew out and I will obviously forget something usefull or interesting. I am dead tired and excited at the same time so some of this might seem boring or stupid.

The story so far:
    Like I (might have) mentioned yesterday, I found some interesting tools to play with the Firmware images. Mainly "viewbin.exe" from MS's Platform Builder toolset and "dumprom and mkrom" tools from here. I was playing around with dumprom.exe trying to throw Aireo.bin/EBOOT.bin at it but it kept choking. No results. I kept changing the offset but nothing. So I decided to go in manually and try to extract PlayerAppMain.exe from Aireo.bin with the information I gathered from viewbin.exe. That was not much of a success. Sure viewbin.exe helped me actually figure out there is a "PlayerAppMain.exe" and it told me it's actual size and the SUPPOSED offset that it is at as shown here:
    ==== PlayerAppMain.exe ===============================
    TOCentry (PlayerAppMain.exe) -------------------------
        dwFileAttributes    : 0x1
        ftTime              : 12/20/2004 19:37:06
        nFileSize           : 0xAD000 (708608)
        ulE32Offset         : 0x80392C7C
        ulO32Offset         : 0x80392CE8
        ulLoadOffset        : 0x8082F000 <-- LOAD PlayerAppMain.exe INTO THIS RAM ADDRESS
    e32_rom (PlayerAppMain.exe) --------------------------
        e32_objcnt          : 5
        e32_imageflags      : 0x10F
        e32_entryrva        : 0x7E784
        e32_vbase           : 0x10000
        e32_subsysmajor     : 0x4
        e32_subsysminor     : 0x14
        e32_stackmax        : 0x10000
        e32_vsize           : 0xC1000
    o32_rom[0] (PlayerAppMain.exe) ------------------------
    Here is the rest of that file

    But that didn't help me figure out how to EXRACT the file. I later figured out (duh) that the files in Aireo.bin are COMPRESSED. Anyway, that little detail is good to know. Also knowing the exact size of PlayerAppMain.exe was REALLY useful. This tool is invaluable to me.
    So after dropping the idea of manually extracting what I wanted, I decided to grind Aireo.bin through IDA (Interactive Disassembler) Pro. This was a semi-success...I mean...I got all the RAM/ROM locations, offsets, and sizes right...and IDA ripped apart teh BIN pretty well. But it didn't help me in my attempt to FIND and EXTRACT what I wanted. So I dropped that.

    I was taking a break and decied to check out the XDAtools wiki, and saw something called "dumpxip.pl" a supposed remake of the "dumrom" tool. Because I am in a Windows environment, I immediately fired up my browser to get ActivePerl. I got it, intalled it and ran dumpxip.pl. Shit. Nothing. I even did the patch that is required in dumpxip.pl. Ran "dumpxip.pl" wtih Aireo.bin, it "looked busy" for a bit the declared to be "finished"...so where are the files? No where. I kept at it a couple of times unitll I decided to run FileMon . FileMon was showing that Perl.exe (running dumpxip.pl) was READING for a long time then...BAM! "BUFFER_OVERFLOW" and Perl.exe ends. Great. So dumpxip.pl is done with. I was about to uninstall ActivePerl....

    Then I went back to the mkrom zip that I downloaded yesterday and looked around. I found something titled "splitrom.pl' and decided to give it a try. mkrom tools has "splitrom.pl" which SPLITS the BIN I give it and spits a .BIN file that is acceptable to dumprom (my original Aireo.bin was NOT taken by dumprom)(Mind you I've already been mucking around for 6 hours or so). I threw Aireo.bin at splitrom.pl and WOW! I got some success...so I dumped the split'ed BIN into dumprom.exe and to my surprise and total shock: IT WORKED. Then I told it to output files and the rest is what you read above. splitrom.pl is what I neeeded to try the first time. This was a God-send.

Touchdown Replay:

perl splitrom.pl Aireo.bin -wo New.bin
copy New.bin ..\Test.bin
cd ..
mkdir files
dumprom -4 Test.bin files
OOOMMGGG!!!! (Complete log of all actions)

Here's a table of the output from viewbin.exe and the actual extracted files (more for me to make sure file sizes match up):

MODULES ---------------------------------------
19:34:29      273920 nk.exe
19:39:41      461824 coredll.dll
19:39:41      201728 filesys.exe
19:39:42      545280 gwes.exe
19:26:18       25600 device.exe
19:26:49        6144 regenum.dll
19:26:17       33792 pm.dll
19:26:58       55808 fatfsd.dll
19:39:43       34816 fatutil.dll
19:39:44      350720 commctrl.dll
19:39:41       66560 commdlg.dll
19:26:57       60928 fsdmgr.dll
19:34:24       12288 sdmmc.dll
19:26:58       17408 mspart.dll
19:39:43       55296 waveapi.dll
19:27:00       27648 audevman.dll
19:26:20        7168 ceddk.dll
19:39:42      189952 netui.dll
19:26:52        8192 ethman.dll
19:26:33       11264 cxport.dll
19:26:37       53760 iphlpapi.dll
19:26:35        5632 winsock.dll
19:26:34       34816 ws2.dll
19:26:35        5632 ws2instl.dll
19:26:35        9216 wspm.dll
19:26:36       10240 nspm.dll
19:26:36       78336 afd.dll
19:26:39      135168 ndis.dll
19:26:55       17408 ndisuio.dll
19:26:51       25600 dhcp.dll
19:26:40      330752 tcpstk.dll
19:26:50       27648 serial.dll
19:26:47        6656 mmtimer.dll
19:28:01      179200 ole32.dll
19:28:02      184320 oleaut32.dll
19:39:46      121344 mlang.dll
19:39:45      134656 shlwapi.dll
19:39:45       29696 IECEExt.dll
19:28:32      289280 shdocvw.dll
19:39:45      473600 wininet.dll
19:39:46      289792 urlmon.dll
19:39:46      203776 ceshell.dll
19:39:46      261120 explorer.exe
19:29:04        9728 shcore.dll
19:39:46       16384 control.exe
19:29:08        6656 ctlpnl.exe
19:39:46      187904 cplmain.cpl
19:39:47       47616 intll.cpl
19:39:47       22016 stguil.cpl
19:39:45      384512 quartz.dll
19:29:24       26624 msdmo.dll
19:29:35        4608 acmdwrap.dll
19:29:25       49152 mp3dmod.dll
19:39:45      483328 dxmasf.dll
19:29:25      123904 wmadmod.dll
19:29:26      332800 wmsdmod.dll
19:37:06      708608 PlayerAppMain.exe
19:34:33       19456 sqcache.dll
19:34:22       39936 umsdrv.dll
19:34:21       19968 cfdisk.dll
19:34:24        7168 sdmmc_loader.dll
19:34:23       55296 ddi.dll
19:34:22       35328 wavedev.dll
19:34:23        9216 kbdmouse.dll
19:39:46       49152 pcmcia.dll
19:34:22       18432 battdrvr.dll
19:34:28        5632 pmudll.dll
00:52:54       73728 AReadyLB.dll
12:41:38      699392 prism3.dll

FILES ----------------------------------------
1809       8022                ceconfig.h (ROM 0x801954BC)
0     210958                 wince.nls (ROM 0x80733784)
3156      18144               initobj.dat (ROM 0x80215338)
26187     127218               default.fdf (ROM 0x80766F94)
1903       5434                initdb.ini (ROM 0x802354B4)
0        134                 close.2bp (ROM 0x8007FB7C)
0        134                    ok.2bp (ROM 0x8007FC04)
598       1030                 stdsm.2bp (ROM 0x8007FC8C)
456        838                viewsm.2bp (ROM 0x80195BD0)
702       2038                 stdsm.bmp (ROM 0x80235C24)
518       1654                viewsm.bmp (ROM 0x80195D98)
802       3584                netmui.dll (ROM 0x80250424)
0         69               appdata.ini (ROM 0x8007FEE4)
0         69      desktopdirectory.ini (ROM 0x8007FF2C)
0         69             favorites.ini (ROM 0x8007FF74)
0         69                 fonts.ini (ROM 0x80195FA0)
0         69           mydocuments.ini (ROM 0x80235EE4)
0         69          programfiles.ini (ROM 0x80235F2C)
0         69              programs.ini (ROM 0x80235F74)
0         69                recent.ini (ROM 0x80250748)
0         69               startup.ini (ROM 0x80250790)
0         24               explore.lnk (ROM 0x804F0FE4)
7397      55990             windowsce.bmp (ROM 0x8076D5E0)
0         23               control.lnk (ROM 0x80633FD4)
502        739               copyrts.txt (ROM 0x802507D8)
1862       3116              asterisk.wav (ROM 0x80634410)
1822       3388                 close.wav (ROM 0x80246404)
2610       2970              critical.wav (ROM 0x806153FC)
898       2682               default.wav (ROM 0x802509D0)
2984       3946                 empty.wav (ROM 0x800EC3D8)
3734       9204                exclam.wav (ROM 0x801C2164)
2283       5656                infbeg.wav (ROM 0x801AC238)
1000       1778                infend.wav (ROM 0x80634B58)
1980       2088               infintr.wav (ROM 0x804821F8)
824        834               menupop.wav (ROM 0x80246B24)
0        360               menusel.wav (ROM 0x80250D54)
1964       3388              openprog.wav (ROM 0x806011F4)
1314       1836              question.wav (ROM 0x804829B4)
6624       8508               startup.wav (ROM 0x8076F2C8)
2112       2712               windmax.wav (ROM 0x8022317C)
2140       2866               windmin.wav (ROM 0x80253100)
1964       3388              recstart.wav (ROM 0x806140CC)
1822       3388                recend.wav (ROM 0x80614878)
0       4240               sqfonts.fon (ROM 0x80770CA8)
0      53504                 arial.fon (ROM 0x80771D38)
932        974             unlatched.wav (ROM 0x801ACB24)

Directory of C:\XXX\Aireo\dumprom\files

02/16/2005 11:40 PM    <DIR>          .
02/16/2005 11:40 PM    <DIR>          ..
02/16/2005 11:07 PM             3,712 acmdwrap.dll
02/16/2005 11:07 PM            75,952 afd.dll
02/16/2005 11:07 PM                69 appdata.ini
02/16/2005 11:07 PM            72,187 AReadyLB.dll
02/16/2005 11:07 PM            53,504 arial.fon
02/16/2005 11:07 PM             3,116 asterisk.wav
02/16/2005 11:07 PM            26,120 audevman.dll
02/16/2005 11:07 PM            17,408 battdrvr.dll
02/16/2005 11:07 PM             8,022 ceconfig.h
02/16/2005 11:07 PM             6,456 ceddk.dll
02/16/2005 11:07 PM           198,840 ceshell.dll
02/16/2005 11:07 PM            18,488 cfdisk.dll
02/16/2005 11:07 PM               134 close.2bp
02/16/2005 11:07 PM             3,388 close.wav
02/16/2005 11:07 PM           344,888 commctrl.dll
02/16/2005 11:07 PM            64,972 commdlg.dll
02/16/2005 11:07 PM            16,064 control.exe
02/16/2005 11:07 PM                23 control.lnk
02/16/2005 11:07 PM               739 copyrts.txt
02/16/2005 11:07 PM           452,568 coredll.dll
02/16/2005 11:07 PM           185,008 cplmain.cpl
02/16/2005 11:07 PM             2,970 critical.wav
02/16/2005 11:07 PM             6,404 ctlpnl.exe
02/16/2005 11:07 PM            10,528 cxport.dll
02/16/2005 11:07 PM            53,268 ddi.dll
02/16/2005 11:07 PM           127,218 default.fdf
02/16/2005 11:07 PM             2,682 default.wav
02/16/2005 11:07 PM                69 desktopdirectory.ini
02/16/2005 11:07 PM            25,096 device.exe
02/16/2005 11:07 PM            24,544 dhcp.dll
02/16/2005 11:07 PM           468,184 dxmasf.dll
02/16/2005 11:07 PM             3,946 empty.wav
02/16/2005 11:07 PM             7,368 ethman.dll
02/16/2005 11:07 PM             9,204 exclam.wav
02/16/2005 11:07 PM                24 explore.lnk
02/16/2005 11:07 PM           260,844 explorer.exe
02/16/2005 11:07 PM            54,176 fatfsd.dll
02/16/2005 11:07 PM            33,636 fatutil.dll
02/16/2005 11:07 PM                69 favorites.ini
02/16/2005 11:07 PM           201,380 filesys.exe
02/16/2005 11:07 PM                69 fonts.ini
02/16/2005 11:07 PM            57,696 fsdmgr.dll
02/16/2005 11:07 PM           545,204 gwes.exe
02/16/2005 11:07 PM            28,436 IECEExt.dll
02/16/2005 11:07 PM             5,656 infbeg.wav
02/16/2005 11:07 PM             1,778 infend.wav
02/16/2005 11:07 PM             2,088 infintr.wav
02/16/2005 11:07 PM             5,434 initdb.ini
02/16/2005 11:07 PM            18,144 initobj.dat
02/16/2005 11:07 PM            45,860 intll.cpl
02/16/2005 11:07 PM            51,888 iphlpapi.dll
02/16/2005 11:07 PM             8,392 kbdmouse.dll
02/16/2005 11:07 PM               834 menupop.wav
02/16/2005 11:07 PM               360 menusel.wav
02/16/2005 11:07 PM           116,496 mlang.dll
02/16/2005 11:07 PM             5,768 mmtimer.dll
02/16/2005 11:07 PM            48,012 mp3dmod.dll
02/16/2005 11:07 PM            25,104 msdmo.dll
02/16/2005 11:07 PM            16,672 mspart.dll
02/16/2005 11:07 PM                69 mydocuments.ini
02/16/2005 11:07 PM           131,928 ndis.dll
02/16/2005 11:07 PM            16,824 ndisuio.dll
02/16/2005 11:07 PM             3,584 netmui.dll
02/16/2005 11:07 PM           186,464 netui.dll
02/16/2005 11:07 PM           266,208 nk.exe
02/16/2005 11:07 PM             9,376 nspm.dll
02/16/2005 11:07 PM               134 ok.2bp
02/16/2005 11:07 PM           173,936 ole32.dll
02/16/2005 11:07 PM           179,948 oleaut32.dll
02/16/2005 11:07 PM             3,388 openprog.wav
02/16/2005 11:07 PM            47,604 pcmcia.dll
02/16/2005 11:07 PM           708,116 PlayerAppMain.exe
02/16/2005 11:07 PM            32,240 pm.dll
02/16/2005 11:07 PM             4,752 pmudll.dll
02/16/2005 11:07 PM           695,824 prism3.dll
02/16/2005 11:07 PM                69 programfiles.ini
02/16/2005 11:07 PM                69 programs.ini
02/16/2005 11:07 PM           368,708 quartz.dll
02/16/2005 11:07 PM             1,836 question.wav
02/16/2005 11:07 PM             3,388 recend.wav
02/16/2005 11:07 PM                69 recent.ini
02/16/2005 11:07 PM             3,388 recstart.wav
02/16/2005 11:07 PM             5,168 regenum.dll
02/16/2005 11:07 PM            11,528 sdmmc.dll
02/16/2005 11:07 PM             6,296 sdmmc_loader.dll
02/16/2005 11:07 PM            26,448 serial.dll
02/16/2005 11:07 PM             8,968 shcore.dll
02/16/2005 11:07 PM           274,208 shdocvw.dll
02/16/2005 11:07 PM           131,340 shlwapi.dll
02/16/2005 11:07 PM            17,952 sqcache.dll
02/16/2005 11:07 PM             4,240 sqfonts.fon
02/16/2005 11:07 PM                69 startup.ini
02/16/2005 11:07 PM             8,508 startup.wav
02/16/2005 11:07 PM             1,030 stdsm.2bp
02/16/2005 11:07 PM             2,038 stdsm.bmp
02/16/2005 11:07 PM            21,020 stguil.cpl
02/16/2005 11:07 PM           323,080 tcpstk.dll
02/16/2005 11:07 PM            38,328 umsdrv.dll
02/16/2005 11:07 PM               974 unlatched.wav
02/16/2005 11:07 PM           281,592 urlmon.dll
02/16/2005 11:07 PM               838 viewsm.2bp
02/16/2005 11:07 PM             1,654 viewsm.bmp
02/16/2005 11:07 PM            53,252 waveapi.dll
02/16/2005 11:07 PM            34,240 wavedev.dll
02/16/2005 11:07 PM           210,958 wince.nls
02/16/2005 11:07 PM             2,712 windmax.wav
02/16/2005 11:07 PM             2,866 windmin.wav
02/16/2005 11:07 PM            55,990 windowsce.bmp
02/16/2005 11:07 PM           462,416 wininet.dll
02/16/2005 11:07 PM             4,880 winsock.dll
02/16/2005 11:07 PM           121,736 wmadmod.dll
02/16/2005 11:07 PM           328,536 wmsdmod.dll
02/16/2005 11:07 PM            33,584 ws2.dll
02/16/2005 11:07 PM             4,640 ws2instl.dll
02/16/2005 11:07 PM             8,536 wspm.dll
             119 File(s)     15,233,238 bytes
               2 Dir(s)   6,419,562,496 bytes free

BTW, IDA Pro loves PlayerAppMain.exe (it recognizes it as an ARM binary immediatly). Make sure you set "Thumb" mode (ALT+G then 1 into T reg).

Here's some info on PlayerAppMain.exe from MS's COFF/PE Executable "info dumper":

C:\XXX\Aireo\CETools\bin2>dumpbin
Microsoft (R) COFF/PE Dumper Version 6.24.3077
Copyright (C) Microsoft Corporation. All rights reserved.

usage: DUMPBIN [options] [files]

   options:

      /ALL
      /ARCHIVEMEMBERS
      /DEPENDENTS
      /DIRECTIVES
      /DISASM[:{BYTES|CONCAN|NOBYTES}]
      /EXPORTS
      /FPO
      /HEADERS
      /IMPORTS[:filename]
      /LINENUMBERS
      /LINKERMEMBER[:{1|2}]
      /LOADCONFIG
      /OUT:filename
      /PDATA
      /RAWDATA[:{NONE|1|2|4|8}[,#]]
      /RELOCATIONS
      /SECTION:name
      /SUMMARY
      /SYMBOLS
      /UNWINDINFO

C:\XXX\Aireo\CETools\bin2>dumpbin /headers PlayerAppMain.exe
Microsoft (R) COFF/PE Dumper Version 6.24.3077
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file PlayerAppMain.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             1C0 machine (ARM)
               5 number of sections
        41C729E2 time date stamp Mon Dec 20 11:37:06 2004
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            6.01 linker version
           7DB34 size of code
           40D6E size of initialized data
               0 size of uninitialized data
           7E784 entry point (0008E784)
            1000 base of code
           7F000 base of data
           10000 image base (00010000 to 000D0FFF)
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            4.20 subsystem version
               0 Win32 version
           C1000 size of image
             400 size of headers
               0 checksum
               9 subsystem (Windows CE GUI)
               0 DLL characteristics
           10000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           815BC [      A0] RVA [size] of Import Directory
           B3000 [    D614] RVA [size] of Resource Directory
           AD000 [    5C90] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
   7DB34 virtual size
    1000 virtual address (00011000 to 0008EB33)
   7DB34 size of raw data
     400 file pointer to raw data (00000400 to 0007DF33)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
   .data name
    2EDE virtual size
   7F000 virtual address (0008F000 to 00091EDD)
    2EDE size of raw data
   7E000 file pointer to raw data (0007E000 to 00080EDD)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #3
.data1 name
   2ABEC virtual size
   82000 virtual address (00092000 to 000BCBEB)
   188B9 size of raw data
   81000 file pointer to raw data (00081000 to 000998B8)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #4
.data2 name
    5C90 virtual size
   AD000 virtual address (000BD000 to 000C2C8F)
    5C90 size of raw data
   99A00 file pointer to raw data (00099A00 to 0009F68F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #5
.data3 name
    D614 virtual size
   B3000 virtual address (000C3000 to 000D0613)
    D614 size of raw data
   9F800 file pointer to raw data (0009F800 to 000ACE13)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

Summary

        3000 .data
       2B000 .data1
        6000 .data2
        E000 .data3
       7E000 .text

C:\XXX\Aireo\CETools\bin2>

Now, time to sleep (12:40am).

02/15/2005 - Found SOMETHING...

SUCCESS! (Well, somewhat....)
Windows CE Platform Builder Tools:

    I decided to search for some tools from Microsoft to see what they have for me to play with. I couldn't find the "Windows CE Platform Builder" so I went ahead and downloaded eMbedded Visual C++ 4.0 and the SP3 update. I looked around inside the packages and saw what kind of tools I could pull out for my use and I extracted a program called "viewbin.exe"...oh man it's sexy. I extracted some other programs like "dumpbin.exe" that les you gather info on CE binaries (not flash firmware binaries as I later gathered...grr!).

    viewbin.exe is VERY VERY sexy...it shows EVERYTHING that is in Aireo.bin here's a sampling:
    NOTICE THE BOLDED lines =D

C:\XXX\Aireo\CETools>viewbin
Filename required
Usage: viewbin [ options ] <filename>
Options:
-d[ata]     Prints all data bytes (potentially huge output!)
-t[oc]      Prints Table of Contents
-o[bj]      Prints Table of Contents and Objects Information
-r[ec]      Prints Record Information
-sym        Prints Profiling Symbol Information
C:\XXX\Aireo\CETools>viewbin -t Aireo.bin
ViewBin... Aireo.bin
Image Start = 0x80040000, length = 0x00757544
                Start address = 0x80041000
Found pTOC = 0x806100CC
Checking record #41 for potential TOC (ROMOFFSET = 0x00000000)
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E901F7
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x80797544
    RAM Start           : 0x807A0000
    RAM Free            : 0x807C9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250F20
    Num Modules         :         68
    Num Files           :         47
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x807A6000   CLen: 0x6FF      DLen: 0x22F5C

MODULES ---------------------------------------
     7/08/2004 12:54:53      273920 nk.exe
     7/08/2004 13:00:19      461824 coredll.dll
     7/08/2004 13:00:19      201728 filesys.exe
     7/08/2004 13:00:19      545280 gwes.exe
     7/08/2004 12:48:15       25600 device.exe
     7/08/2004 12:48:43        6144 regenum.dll
     7/08/2004 12:48:14       33792 pm.dll
     7/08/2004 12:48:50       55808 fatfsd.dll
     7/08/2004 13:00:20       34816 fatutil.dll
     7/08/2004 13:00:21      350720 commctrl.dll
     7/08/2004 13:00:19       66560 commdlg.dll
     7/08/2004 12:48:49       60928 fsdmgr.dll
     7/08/2004 12:54:47       12288 sdmmc.dll
     7/08/2004 12:48:50       17408 mspart.dll
     7/08/2004 13:00:20       55296 waveapi.dll
     7/08/2004 12:48:51       27136 audevman.dll
     7/08/2004 12:48:17        7168 ceddk.dll
     7/08/2004 13:00:19      189952 netui.dll
     7/08/2004 12:48:45        8192 ethman.dll
     7/08/2004 12:48:30       11264 cxport.dll
     7/08/2004 12:48:32       53760 iphlpapi.dll
     7/08/2004 12:48:31        5632 winsock.dll
     7/08/2004 12:48:30       34816 ws2.dll
     7/08/2004 12:48:31        5632 ws2instl.dll
     7/08/2004 12:48:31        9216 wspm.dll
     7/08/2004 12:48:31       10240 nspm.dll
     7/08/2004 12:48:32       78336 afd.dll
     7/08/2004 12:48:35      135168 ndis.dll
     7/08/2004 12:48:48       17408 ndisuio.dll
     7/08/2004 12:48:45       25600 dhcp.dll
     7/08/2004 12:48:37      330240 tcpstk.dll
     7/08/2004 12:48:44       27648 serial.dll
     7/08/2004 12:48:42        6656 mmtimer.dll
     7/08/2004 12:49:28      179200 ole32.dll
     7/08/2004 12:49:29      184320 oleaut32.dll
     7/08/2004 13:00:24      121344 mlang.dll
     7/08/2004 13:00:22      134656 shlwapi.dll
     7/08/2004 13:00:23       29696 IECEExt.dll
     7/08/2004 12:49:51      289280 shdocvw.dll
     7/08/2004 13:00:23      473088 wininet.dll
     7/08/2004 13:00:23      289280 urlmon.dll
     7/08/2004 13:00:24      203264 ceshell.dll
     7/08/2004 13:00:24      261120 explorer.exe
     7/08/2004 12:50:37        9728 shcore.dll
     7/08/2004 13:00:25       16384 control.exe
     7/08/2004 12:50:41        6656 ctlpnl.exe
     7/08/2004 13:00:25      187904 cplmain.cpl
     7/08/2004 13:00:26       47616 intll.cpl
     7/08/2004 13:00:26       22016 stguil.cpl
     7/08/2004 13:00:22      384512 quartz.dll
     7/08/2004 12:50:57       26624 msdmo.dll
     7/08/2004 12:51:11        4608 acmdwrap.dll
     7/08/2004 12:50:57       49152 mp3dmod.dll
     7/08/2004 13:00:22      482304 dxmasf.dll
     7/08/2004 12:50:58      123904 wmadmod.dll
     7/08/2004 12:50:58      332800 wmsdmod.dll
     7/08/2004 12:57:38      707072 PlayerAppMain.exe
     7/08/2004 12:54:46       39936 umsdrv.dll
     7/08/2004 12:54:46       19968 cfdisk.dll
     7/08/2004 12:54:47        7168 sdmmc_loader.dll
     7/08/2004 12:54:47       55296 ddi.dll
     7/08/2004 12:54:46       35328 wavedev.dll
     7/08/2004 12:54:47        9216 kbdmouse.dll
     7/08/2004 13:00:24       49152 pcmcia.dll
     7/08/2004 12:54:46       18432 battdrvr.dll
     7/08/2004 12:54:52        5632 pmudll.dll
     6/08/2004 17:18:44       73728 AReadyLB.dll
    10/14/2003 12:41:38      699392 prism3.dll

FILES ----------------------------------------
      7/08/2004 12:48:54 C_R_       1819       8071                ceconfig.h (ROM 0x801954DC)
      7/08/2004 13:00:17 _HRS          0     210958                 wince.nls (ROM 0x8072F578)
      7/08/2004 13:00:18 CHRS       3162      18954               initobj.dat (ROM 0x804363A0)
      7/08/2004 13:00:18 CHRS      26175     127182               default.fdf (ROM 0x80762D88)
      7/08/2004 13:00:18 CHRS       1933       6676                initdb.ini (ROM 0x802354B4)
      3/21/2003 06:00:00 _HR_          0        134                 close.2bp (ROM 0x8007FDC8)
      3/21/2003 06:00:00 _HR_          0        134                    ok.2bp (ROM 0x8007FE50)
      3/21/2003 06:00:00 CHR_        598       1030                 stdsm.2bp (ROM 0x80195BF8)
      3/21/2003 06:00:00 CHR_        456        838                viewsm.2bp (ROM 0x80235C44)
      3/21/2003 06:00:00 CHR_        702       2038                 stdsm.bmp (ROM 0x80250414)
      3/21/2003 06:00:00 CHR_        518       1654                viewsm.bmp (ROM 0x802506D4)
      3/21/2003 06:00:00 _HRS          0     117028                arialk.ttf (ROM 0x807693C8)
      7/08/2004 13:00:20 C_R_        810       3584                netmui.dll (ROM 0x802508DC)
      3/21/2003 06:00:00 _HRS          0         69               appdata.ini (ROM 0x8007FED8)
      3/21/2003 06:00:00 _HRS          0         69      desktopdirectory.ini (ROM 0x8007FF20)
      3/21/2003 06:00:00 _HRS          0         69             favorites.ini (ROM 0x8007FF68)
      3/21/2003 06:00:00 _HRS          0         69                 fonts.ini (ROM 0x8007FFB0)
      3/21/2003 06:00:00 _HRS          0         69           mydocuments.ini (ROM 0x80195E50)
      3/21/2003 06:00:00 _HRS          0         69          programfiles.ini (ROM 0x80195E98)
      3/21/2003 06:00:00 _HRS          0         69              programs.ini (ROM 0x80195EE0)
      3/21/2003 06:00:00 _HRS          0         69                recent.ini (ROM 0x80195F28)
      3/21/2003 06:00:00 _HRS          0         69               startup.ini (ROM 0x80195F70)
      3/21/2003 06:00:00 _HRS          0         24               explore.lnk (ROM 0x804F4FE8)
      3/21/2003 06:00:00 C_RS       7397      55990             windowsce.bmp (ROM 0x80785CEC)
      3/21/2003 06:00:00 _HRS          0         23               control.lnk (ROM 0x802FCFE8)
      3/21/2003 06:00:00 CHRS        502        739               copyrts.txt (ROM 0x80250C08)
      3/21/2003 06:00:00 C_RS       1862       3116              asterisk.wav (ROM 0x80630410)
      3/21/2003 06:00:00 C_RS       1822       3388                 close.wav (ROM 0x80246404)
      3/21/2003 06:00:00 C_RS       2610       2970              critical.wav (ROM 0x806113FC)
      3/21/2003 06:00:00 C_RS        898       2682               default.wav (ROM 0x80630B58)
      3/21/2003 06:00:00 C_RS       2984       3946                 empty.wav (ROM 0x800EC3D8)
      3/21/2003 06:00:00 C_RS       3734       9204                exclam.wav (ROM 0x801C2164)
      3/21/2003 06:00:00 C_RS       2283       5656                infbeg.wav (ROM 0x80215338)
      3/21/2003 06:00:00 C_RS       1000       1778                infend.wav (ROM 0x80246B24)
      3/21/2003 06:00:00 C_RS       1980       2088               infintr.wav (ROM 0x8021422C)
      3/21/2003 06:00:00 C_RS        824        834               menupop.wav (ROM 0x80215C24)
      3/21/2003 06:00:00 __RS          0        360               menusel.wav (ROM 0x80235E0C)
      3/21/2003 06:00:00 C_RS       1964       3388              openprog.wav (ROM 0x804821F8)
      3/21/2003 06:00:00 C_RS       1314       1836              question.wav (ROM 0x802149E8)
      3/21/2003 06:00:00 C_RS       6624       8508               startup.wav (ROM 0x807879D4)
      3/21/2003 06:00:00 C_RS       2112       2712               windmax.wav (ROM 0x805FD1F4)
      3/21/2003 06:00:00 C_RS       2140       2866               windmin.wav (ROM 0x8022317C)
      3/21/2003 06:00:00 C_RS       1964       3388              recstart.wav (ROM 0x80253100)
      3/21/2003 06:00:00 C_RS       1822       3388                recend.wav (ROM 0x802538AC)
     10/14/2003 12:41:39 _HRS          0       4240               sqfonts.fon (ROM 0x807893B4)
      3/21/2003 06:00:00 _HRS          0      53504                 arial.fon (ROM 0x8078A444)
      3/21/2003 06:00:00 C_RS        932        974             unlatched.wav (ROM 0x804829A4)
Done.

C:\XXX\Aireo\CETools>viewbin -r Aireo.bin
ViewBin... Aireo.bin
Image Start = 0x80040000, length = 0x0073EE38
Record [ 0] : Start = 0x80040000, Length = 0x00000004, Chksum = 0x000001EB
Record [ 1] : Start = 0x80040040, Length = 0x00000008, Chksum = 0x0000034C
Record [ 2] : Start = 0x80041000, Length = 0x0003EFFC, Chksum = 0x018FF583
Record [ 3] : Start = 0x80080000, Length = 0x00001FFC, Chksum = 0x000898B9
Record [ 4] : Start = 0x80082000, Length = 0x00063DA0, Chksum = 0x0281439D
Record [ 5] : Start = 0x800E5DA0, Length = 0x000071E0, Chksum = 0x001E9E46
Record [ 6] : Start = 0x800ED000, Length = 0x0002F07C, Chksum = 0x0125F45D
Record [ 7] : Start = 0x8011D000, Length = 0x000000A4, Chksum = 0x00000B4E
Record [ 8] : Start = 0x8011E000, Length = 0x000774BC, Chksum = 0x02FE6580
Record [ 9] : Start = 0x801954BC, Length = 0x00017A0C, Chksum = 0x0095CA02
Record [ 10] : Start = 0x801AD000, Length = 0x00015FFC, Chksum = 0x0089359F
Record [ 11] : Start = 0x801C3000, Length = 0x0005123C, Chksum = 0x020310F7
Record [ 12] : Start = 0x8021423C, Length = 0x00000D30, Chksum = 0x000647B1
Record [ 13] : Start = 0x80215000, Length = 0x00000F8C, Chksum = 0x00061170
Record [ 14] : Start = 0x80216000, Length = 0x0000D9BC, Chksum = 0x0059D919
Record [ 15] : Start = 0x80224000, Length = 0x00022E5C, Chksum = 0x00D2CB8A
Record [ 16] : Start = 0x80247000, Length = 0x000070B8, Chksum = 0x002A406B
Record [ 17] : Start = 0x8024E0B8, Length = 0x00000054, Chksum = 0x00000CD8
Record [ 18] : Start = 0x8024E10C, Length = 0x00000DA8, Chksum = 0x0004AF9D
Record [ 19] : Start = 0x8024F000, Length = 0x00001FC4, Chksum = 0x000CBBCF
Record [ 20] : Start = 0x80251000, Length = 0x0000295C, Chksum = 0x0010F5BC
Record [ 21] : Start = 0x80254000, Length = 0x0002C000, Chksum = 0x011149CA
Record [ 22] : Start = 0x80280000, Length = 0x00028FF8, Chksum = 0x0104A5F8
Record [ 23] : Start = 0x802A9000, Length = 0x0004CC40, Chksum = 0x01EF9DC5
Record [ 24] : Start = 0x802F5C40, Length = 0x0002F448, Chksum = 0x012DE1F2
Record [ 25] : Start = 0x80326000, Length = 0x00040000, Chksum = 0x01778B47
Record [ 26] : Start = 0x80366000, Length = 0x00006FB0, Chksum = 0x001D9AE4
Record [ 27] : Start = 0x8036D000, Length = 0x00025FF8, Chksum = 0x00EDAA79
Record [ 28] : Start = 0x80393000, Length = 0x0003F0AC, Chksum = 0x019ACD82
Record [ 29] : Start = 0x803D3000, Length = 0x000635A0, Chksum = 0x026E724B
Record [ 30] : Start = 0x804365A0, Length = 0x0000A9D8, Chksum = 0x00269FBF
Record [ 31] : Start = 0x80441000, Length = 0x0003E000, Chksum = 0x018B4A9A
Record [ 32] : Start = 0x8047F000, Length = 0x00003ED8, Chksum = 0x00109AC8
Record [ 33] : Start = 0x80483000, Length = 0x0002EFF8, Chksum = 0x011642C6
Record [ 34] : Start = 0x804B2000, Length = 0x0001C030, Chksum = 0x00A889B8
Record [ 35] : Start = 0x804CF000, Length = 0x0003F000, Chksum = 0x015B6710
Record [ 36] : Start = 0x8050E000, Length = 0x0002701C, Chksum = 0x00AEFE90
Record [ 37] : Start = 0x80536000, Length = 0x00006010, Chksum = 0x00256BD9
Record [ 38] : Start = 0x8053D000, Length = 0x00000FF8, Chksum = 0x00069E5F
Record [ 39] : Start = 0x8053E000, Length = 0x0007DB34, Chksum = 0x0345CCC7
Record [ 40] : Start = 0x805BBB34, Length = 0x000234E4, Chksum = 0x00E3574C
Record [ 41] : Start = 0x805E0000, Length = 0x000219A0, Chksum = 0x00D5C17B
Record [ 42] : Start = 0x80602000, Length = 0x00012F98, Chksum = 0x00807481
Record [ 43] : Start = 0x80615000, Length = 0x00000E30, Chksum = 0x00065084
Record [ 44] : Start = 0x80616000, Length = 0x0001EF40, Chksum = 0x00C9CA7C
Record [ 45] : Start = 0x80635000, Length = 0x0001C854, Chksum = 0x00DC2B7E
Record [ 46] : Start = 0x80651854, Length = 0x0003109C, Chksum = 0x017B5845
Record [ 47] : Start = 0x806828F0, Length = 0x00037E24, Chksum = 0x01B0B088
Record [ 48] : Start = 0x806BA714, Length = 0x0003DC70, Chksum = 0x01E18AC4
Record [ 49] : Start = 0x806F8384, Length = 0x0003B400, Chksum = 0x01CB5BA3
Record [ 50] : Start = 0x80733784, Length = 0x0003E5B4, Chksum = 0x0102B1E5
Record [ 51] : Start = 0x80771D38, Length = 0x0000D100, Chksum = 0x001D4228
Record [ 52] : Start = 0x00000000, Length = 0x80041000, Chksum = 0x00000000
                Start address = 0x80041000
Found pTOC = 0x8024E0B8
Checking record #17 for potential TOC (ROMOFFSET = 0x00000000)
ROMOFFSET = 0x00000000
Done
C:\XXX\Aireo\CETools>viewbin -o Aireo.bin
ViewBin... Aireo.bin
Image Start = 0x80040000, length = 0x0073EE38
        Start address = 0x80041000
Found pTOC = 0x8024E0B8
Checking record #17 for potential TOC (ROMOFFSET = 0x00000000)
ROMOFFSET = 0x00000000

ROMHDR ----------------------------------------
    DLL First           : 0x01E801F6
    DLL Last            : 0x02000000
    Physical First      : 0x80040000
    Physical Last       : 0x8077EE38
    RAM Start           : 0x80780000
    RAM Free            : 0x807A9000
    RAM End             : 0x81E98000
    Kernel flags        : 0x00000000
    Prof Symbol Offset : 0x00000000
    Num Copy Entries    :          1
    Copy Entries Offset : 0x80250FB4
    Num Modules         :         69
    Num Files           :         46
    Kernel Debugger     :         No
    CPU                 :     0x01c2 (Thumb)
    Extensions          : 0x80043644

ROMHDR Extensions -----------------------------
    PID[0] = 0x000008D4
    PID[1] = 0x004D454F
    PID[2] = 0x0009EB1C
    PID[3] = 0x0000D33A
    PID[4] = 0x00000000
    PID[5] = 0x00000000
    PID[6] = 0x00000000
    PID[7] = 0x00000000
    PID[8] = 0x00000000
    PID[9] = 0x00000000

COPY Sections ---------------------------------
    Src: 0x8026B8D8   Dest: 0x80786000   CLen: 0x6FF      DLen: 0x22F5C

<...TRUNCATED...>

    ==== PlayerAppMain.exe ===============================
    TOCentry (PlayerAppMain.exe) -------------------------
        dwFileAttributes    : 0x1
        ftTime              : 12/20/2004 19:37:06
        nFileSize           : 0xAD000 (708608)    <--- Size to extract from .BIN
        ulE32Offset         : 0x80392C7C
        ulO32Offset         : 0x80392CE8
        ulLoadOffset        : 0x8082F000
    e32_rom (PlayerAppMain.exe) --------------------------
        e32_objcnt          : 5
        e32_imageflags      : 0x10F
        e32_entryrva        : 0x7E784
        e32_vbase           : 0x10000
        e32_subsysmajor     : 0x4
        e32_subsysminor     : 0x14
        e32_stackmax        : 0x10000
        e32_vsize           : 0xC1000
    o32_rom[0] (PlayerAppMain.exe) ------------------------
        o32_vsize           : 0x7DB34
        o32_rva             : 0x1000
        o32_psize           : 0x7DC00
        o32_dataptr         : 0x8053E000
        o32_realaddr        : 0x11000
        o32_flags           : 0x60000020
    o32_rom[1] (PlayerAppMain.exe) ------------------------
        o32_vsize           : 0x2EDE
        o32_rva             : 0x7F000
        o32_psize           : 0x3000
        o32_dataptr         : 0x805BC000
        o32_realaddr        : 0x8F000
        o32_flags           : 0x40000040
    o32_rom[2] (PlayerAppMain.exe) ------------------------
        o32_vsize           : 0x2ABEC
        o32_rva             : 0x82000
        o32_psize           : 0x535E
        o32_dataptr         : 0x806F8384
        o32_realaddr        : 0x92000
        o32_flags           : 0xC0002040
    o32_rom[3] (PlayerAppMain.exe) ------------------------
        o32_vsize           : 0x5C90
        o32_rva             : 0xAD000
        o32_psize           : 0x2BB3
        o32_dataptr         : 0x806FD6E4
        o32_realaddr        : 0xBD000
        o32_flags           : 0x40002040
    o32_rom[4] (PlayerAppMain.exe) ------------------------
        o32_vsize           : 0xD614
        o32_rva             : 0xB3000
        o32_psize           : 0xD800
        o32_dataptr         : 0x805BF000
        o32_realaddr        : 0xC3000
        o32_flags           : 0x40000040
.<...TRUNCATED...>

(Sorry to Netscape/Firefox viewers if text is too small).

    We see some interesting files. .2bp files are just PocketPC Bitmaps. But then we see PlayerAppMain.exe, OH MAN!
I'm currently working on a program to extract files from Aireo.bin. I have some code that took me forever to find (yes someone else started it), but its VERY VERY rough. It's a hit and miss kind of thing. So far the code does run and extracts a bunch of filees, but the offsets are wrong (printed right, extracted wrong). It's going to need some major rework. So I'll see what I can do. Unless I continue my quest and find a program to dump the files from the bin...I mean if viewbin.exe from MS can read the pTOC, why isn't it possible to extract those files?
    Nk.exe seems to be the CE Kernel as mentioned by "During the boot process, the system first calls OAL startup. Next, the kernel, Nk.exe, is initialized and then booted." on http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcemain4/html/cmconnkexebootprocess.asp (Nk.exe Boot Process)
    windowsce.bmp MIGHT be the Aireo boot splash...who knows.

    I tried installing Microsoft's eMbedded Visual C++ 4.0 and Windows CE SDK but that failed MISERABLY, 4 times. The setup is messed up and they don't even want to fix it. Screw it. I guess I won't be able to develop CE apps...for now. At least I got the tools that I wanted from the SP4 archive.

A little info on the format of Aireo.bin and EBOOT.bin: http://wiki.xda-developers.com/index.php?pagename=WallabyFileFormats%2Fbin

02/14/2005 - A different path.

Reverse Engineering the SoniqSync software:
I decided to take a look at the files inside the SoniqSync software directory. Putting them through a disassembler and a debugger.

\SoniqSync\AReadyLB.dll - This looks like the interface DLL to Audible. Has alot of peculiar looking URLs and Audible-connection specific functions.
\SoniqSync\SoniqSync.exe - Jeez this thing took a long time to disassemble (~35 miutes). Obviously this is the main software for the Aireo (does everything, transfers music updates the firmware, etc). So what I want to do is find where the Firmware update subroutine is triggered and where the "if (aireo.version()) < 3.2.2; update();" code is. Why? To patch the code so I can update the firmware at will, of course!

Looking at the Resources (through ResHacker) I found the Dialog Frame Record (#244/#280,1033) that asks you to click to upgrade the Aireo player. Now to find where that Dialog(s) are called. Here's the screeny:

String Reference #19,1033 has something interesting: "298, "This Feature is Under Construction.\n\nProceed at your own risk.\nYou may need to restart SoniqSync to continue." and 303, "Aireo Firmware"

More string reference (#26, 1033) stuff, this is the sequence of events that occurs when a new version of SoniqCast is installed:

410,     "SoniqSync appears to be running for the first time.\nClick 'Yes' to check for available updates.\nWe recommend doing this now, but if you prefer to wait\nyou can update at anytime via the system tray menu."
411,     "SoniqSync - Update Player"
413,     "Player Firmware needs to be upgraded to work with SoniqSync.\nWould you like to upgrade the player now?\nPlayer: "
414,     "SoniqSync - Upgrade Player Firmware"
415,     "SoniqSync Compatible Player Firmware is Uploading\nPlayer: "

DEBUG IT WITH OLLY?? figure out call to "dlgFirmwareOlder" or "eMSG_FW_UPG_REQ" (@0x007CFF60) <-- Tells SoniqSync it's time to upgrade! (USB SEND_MSG?) BP on 0x0059F390. Time to upgrade to 3.2.2 but NOT upgrade Aireo F/W.
Registry Peeking:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast]
"SoniqSyncInstallPath"="C:\\Program Files\\SoniqCast\\SoniqSync\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Plugin]

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Plugin\Settings]
"First Run"=dword:00000000        <----- CHANGE==NOTHING
"Show Splash Screen"=dword:00000001   <----- CHANGE==NO SPLASH
"Show Main Dialog"=dword:00000001
"Show Tip Main"=dword:00000001
"Show Tip Copy Music"=dword:00000001
"Show Tip SoniqMix"=dword:00000001
"Show Tip Set Rules"=dword:00000001
"Show Tip Player Prefs"=dword:00000001
"Sync Schedules"=dword:00000000
"Sync Notification"=dword:00000001
"Sync Time"="3:00:00 AM"
"Last Device"="00-0A-E9-XX-XX-XX"    <----- I changed this for obvious reasons.
"Automated Details"=dword:00000000
"Audible Library Last Refresh"="12/22/2004 7:41:49 PM"
"Audible Library Next Refresh"="12/22/2004 7:41:49 PM"
"Windows Media Library Last Refresh"="12/22/2004 8:57:12 PM"
"Windows Media Library Next Refresh"="12/29/2004 8:57:12 PM"

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Server]
"Version"=dword:002dce91

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Server\Devices]

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Server\Devices\00-0A-E9-XX-XX-XX]
"MAC"="00-0A-E9-XX-XX-XX"
"Name"="Aireo"
"Installed"=dword:00000001
"Docked"=dword:00000000
"Syncing"=dword:00000000
"Operation In-Progress"=dword:00000000
"Last Sync"="12/23/04 13:05:14"
"USB Drive"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\SoniqSync Server\Settings]
"Primary MAC"="00-00-E8-XX-XX-XX"
"SoniqCast MAC"="0E-53-A9-XX-XX-XX"

[HKEY_LOCAL_MACHINE\SOFTWARE\SoniqCast\Test] <----- WTF IS THIS???

Changing "FirstRun" to "1" doesn't do anything. But changing "Show Splash Screen" to "0" prevents the lame looking Splash screen from showing up. You know the one, with the woman and dog in a car.

More (Lame) Firwmare thoughts:
Googling around and reading more about how WinCE firmware works and how firmware images are burnt...it occured to me that the EBOOT.bin might be the bootloader and Aireo.bin is just a chunk of software that makes up all of the MP3 players functions. The firmware updates do not in fact update any part of the Windows CE 4.2.0 OS firwmare, the only thing that is updated is the Aireo "firmware" (program). I found a couple of tools to gather info about Microsofts .BIN files. Here is a website (http://www.xs4all.nl/~itsme/projects/xda/wince-flashfile-formats.html) that has a short description of the BIN firmware format (and this is the page that made me consider the fact that the firmware image is pretty small). This fact that the firmware image for the Aireo is only a part-firmware makes me weary of seeing something like Linux on the Aireo. Oh and editing the boot-up Aireo spalsh screen BMP is now out of the question. The WindowsCE bootup image is stored in the WindowsCE firmware (~30.75mb), thats the firmware that we don't have access to. Not to contradict myself, but now I'm again looking inside the Aireo.bin and EBOOT.bin and see traces of "boot" calls and operations, I'm really confused.

Pre - 02/14/2005 info

[ 1 ]
Specs and stuff.

Here are the specs again ( I've bolded some very interesting features of this unit. The player itself is pretty nice, the only downside is the 1.5 gig HD (which isn't even Flash based....lame) ):

TRI-FI CAPABILITIES

* Wi-Fi – Downloads MP3 music wirelessly and automatically <-- Yippee!
* Txi-Fi – Transmit your MP3 music directly to your car stereo. No wires necessary <-- Eh....
* Hi-Fi – Premium quality sound

KEY FEATURES

* Wireless MP3 Player (Wi-Fi) allows automatic wireless music downloads      <-- Don't plan to use this, no need really.
* SoniqStart™ automatically turns Aireo on and off in your car
* SoniqSync™ Music Manager provides automated playlist management
* Find this and other MP3 players at ubid.com
* Scheduled wireless downloads
* Supports Windows Media 9 and Musicmatch playlists
* Supports MP3 and WMA
* File Caddy for storing computer files to transport between home and work
* SD/MMC Card Slot provides additional memory capacity     <--- MMMmmmm....
* FM receiver (Hi-Fi) provides premium stereo sound      <-- Works as expected.
* FM Transmitter (Txi-Fi) for transmitting your music to your car radio <-- More of a gimmick...
* HotSpotz™ provides a fun and easy way to find Wi-Fi hotspots!      <-- How can you not love this?

TECHNICAL SPECIFICATIONS

* Size: 7.112 x 11.43 x 2.286 cm (2.8” x4.5” x 0.9”)
* Weight: 192.777 g (6.8 oz.)
* Capacity: 1.5GB hard drive
* Power: DC 5V
* Battery life: Up to 8 hours of continuous playtime
* Interface: SD card slot      <-- Upgradeability! Yay! Now to find some cheap 1gb SD cards....
* Playback formats: MPEG Audio Layer 3 (MP3), Windows Media™ Audio (WMA)
* Signal to noise ratio: Up to 96dB (headphones)
* Channel Separation: Up to 75dB (headphones)
* Frequency response: 20Hz – 20kHz
* Harmonic distortion output: <0.1%
* Operating system/firmware: Reprogrammable       <-- VERY INTERESTING!
* Headphone out: Dual 3.5 mm (2x18”) stereo mini-jack, 100mW       <-- Two is better than one!
* LCD display: 128x64 pixel resolution blue LED-backlit display
* Data connector: USB

This player has A LOT of potential, IF it can be "hacked".

FM transmitter/receiver:
    The FM transmitter is pretty sucktacular, in my car (which has an antenna built into the windshield) the reception is staticy and worthless, so I use a tape-adapter. But when I put the Aireo next to a boombox radio, it's just fine. Oh well. The FM receiver is also touch and go, inside a department store, the reception is dead. Outside, it's fine. *shrug*

802.11b:
    The coolest thing about this unit is that it has "HotSpotz"; a pretty stupid name for a really neat feature. It's an 802.11b AP scanner bult into the player. It works pretty good so far, the antenna reach is very minimal. But it can pick up AP's that don't broadcast the SSID =) although the name comes up as "[]", oh and it also displays whether or not WEP is enabled. You can find your Aireo's MAC address by going into "Menu->Preferences->About" The WiFi antennas reach is pretty good actually, it gets my neighbors Linksys AP from across the street and a couple of houses down. I had a BUTTLOAD of trouble getting the HotSpotz/SoniqSync thing to work with my OWN AP, so that was kind of a pain. One neat (scratch that, AWESOME) feature is if you go into HotSpotz, then select an AP that you know is open (From scanning with HotSpotz) and is WEP free, you can basically attach to that AP, get an IP address and a little bar graph showing the signal strength shows up for you to test the signal strength! I haven't tested it too much yet, but so far it could be usefull in finding the exact location of an AP. It just can't get any better for this price.
Hmm...now to test the battery life of that feature

    Sniff:
    The HotSpotz scan basically goes through every channel by sending an 802.11 Probe Request to the Broadcast destination. Basic WiFi scanner. The SSID request name it sends out is "PRISM-SSID"...weird. Aireo to PC communication is pretty cryptic, I couldn't find anything that would make me go "AHA!" thats how this works. When I tried sending some music, or telling the player to erase some music, my sniffer basically sniffed a bunch of garbage (probably control codes) and then some file name lists. Nothing special at all. Ho hum.

USB:
    The USB transfer of MP3's is pretty slow, it took me almost an hour to transfer 1.4gigs of music. Yikes. The USB port does not recharge the Aireo, only the power adapter does. I guess thats pretty standard not to do that, but it would have been a neat feature.

Battery:
    The battery life so far is not great, I mean, I've only used the player like 10 times (turned on and off) for a max of 15 minutes each time, and the battery level is at "1". Maybe I need to cycle the battery a couple of times.

Equalizer:
    You can get to the equalizer in Preferences, it's pretty cool. I'm so glad I found it (heh, I should have read the manual) because the music sounded like it needed a little more bass and I was starting to feel remorse because I thought the player was not going to give me the full experience ( I like the bass). Yay for the EQ!

[ 2 ]

Hardware / Firmware Research
(Alot of OLD stuff...pre-01/2005. Stuff that I gathered REALLY quick after getting the Aireo. ~12/2004)

Intro:
    The Aireo comes with software called "SoniqSync" which updates the firmware as soon as a new version comes out. When I first got the Aireo, it had an older firmware. As soon as I installed the SoniqSync software, it asked if I wanted to update the firmware..and I did, not thinking ahead. As soon as it finished updating the firmware, and after I power cycled. I noticed a complete overhaul of the Aireo interface. Which got me kind of excited, knowing that such huge changes could be made just by firmware tweaking. The biggest thing I noticed right away was the Playing time and Time Left on the MP3 player, and the Mode switching looked like Windows' ALT+TAB. This means that this thing is pretty powerful, so I decied to research it a bit.
    I have yet to rip apart the Aireo to see what's inside (this would probably make some of the chip research much easier, but I want to keep this thing virignal for just a little bit. And I want to see the challenge in learning as much as I can about this thing with limited resources.

Firmware:
    Ok, now I didn't know where SonicSync kept the firmware, so I didn't really know where to start. But common sense told me to search the SoniqSync directory on my HD, and bingo! Looking through there I see two files: "Aireo.bin" and "EBOOT.bin" Now, I might not be a big time engineer, but something tells me those files might just hold some usefull stuff.

Looking into EBOOT.bin, I found this string at offset 0x000008C7:

*******Beginning System Initialization******* CPU ID = A0 PXA255 CPU ID = B0 Cotulla. CPU ID = B1 Cotulla

A quick search of the CPU ID yielded the "Intel® PXA255 Processor with Intel XScale® Technology" .... very interesting!
There's a PDF of some info about the CPU here: PXA255_PB.pdf

"Cotulla" seems to be the 400mhz version of the PXA255 CPU, damn...why does an MP3 player need 400mhz?? This CPU is widely used in Multimedia Cell Phones / PDA's and seems to be really powerfull, kinda weird that it was chosen to be a lowly MP3 player.
Anyway, this thing is nice and powerfull. Very sexy. Supposedly there is a possibility of a JTAG interface? How to build one. Or another one.

EBOOT.bin seems to be the bootloader for the Aireo firmware image. As it has alot of "initialization" stuff in it. Looking through the .bin image, it just seems to me that there HAS to be a serial debug port somewhere on this thing. Or maybe even some debug option that can be visible on the Aireo?

From what I've gathered so far EBOOT.bin is a typical part Windows CE firmware.

There seems to be alot of interactivity that is possible once a debugging connection is made, now I NEED to figure out how this is done, where the debug port is and how to SEE it...

Firmware Strings Extracted:
    Here are the strings extracted from EBOOT.bin: EBOOT_strings.txt

Firwmare Upgrade info:
    When I upgraded from SoniqSync 3.2.0 to 3.2.1, on my Aireo's HD a little directory called "FwUpg" appeared holding what else but "Aireo.bin" and "Eboot.bin" yippee. Creation date and time was the same as when I upgraded. A byte by byte comparison shows that this is EXACTLY the same files as the ones in the /Program Files/SoniqCast directory (the Aireo.bin and Eboot.bin files are the new firmware files). Going to have to see if THIS is what the Aireo reads on bootup (actually, common sense says "no" because of the Upg [upgrade] thing). This could be just a backup location for the firmware, in an emergency? We'll see later. UPDATE: Yep, renaming/deleting these files does nothing, so it's just a backup.

Wi-Fi Settings:
    The Aireo wifi settings (Aireo's IP, subnet mask, gateway ip and WAP SSID) are stored in <Aireo Drive>/SoniqCast/devnets.db. Still looking for a way to edit the MAC....man that would be awesome...

accepts pings, doesn't seem to have any open ports except 1025 UPD...dunno.

NIC seems to be AirVast Tech (according to nmap)

sems that alot of the data goes through port 1026 (TCP)

Windows???
    Microsoft Windows CE .NET 4.2. Could it be? Ok, I did a search for EBOOT.bin and the first result that came up was from Microsoft. Now, on the Intel specs page, it says that the PXA255 uses an ARM architecture, so I guess this isn't too far fetched. Anyway from the MS site explains a bit about the procedure to modify .bib files to produce a .bin image. What's a .bib files you say? Damned if I know. On that page there is a link to "Creating a Test .bin File for Download" which seems to be a page about creating a test image file for the Flash device. DAMN thats too much info at one time. My head is overflowing. Shall I build a boot selector (bootloader) to pick between the MP3 player's original image and some custom software?? Care for a handheld open/default passwored AP scanner? Why not! I just have to make sure I'm not completely wrong about this .NET thing.

Back to EBOOT.bin, yep it's Windows CE 4.2.0 allright. Great. Time to grab the SDK!

C:\WINCE420\platform\SQ42v2\target\ARMV4I\retail\EBOOT.pdb

Confirmation:

ARM Windows CE Kernel for ARM (Thumb Enabled) Built on Nov 7 2003 at 18:51:43

Logo Modification:
    OK, so I decided to see what I can do as a stepping stone. What does everyone want to do first when they buy something? Personalize it. Thats right, time for some logo modification. So I went through Aireo.bin to see if I can find any semblence of a bitmap and what do you know, I found a PART of a bitmap header, mainly 0x42 0x4D (which signifies it's a bitmap), the next byte (according to the bitmap file format) specifies the size of the bitmap. In some instances of the bitmap sections of the Aireo.bin file, the format goes like this "0x42,0x4D,0x86" If I include the 0x86 filze size byte, the size of the data that holds the image is exactly 86 bytes. But there doesn't seem to be an image there....and anyway it would be too small...I gotta look back into this, I can't figure it out right now.

Bitmap Extraction Update:
    Took some time to create a plain black monochrome bitmap, then extracted 0x25F bytes from the Aireo.bin and placed it into the bitmap, here's what I found:

    Getting close to actually finding something...heh.

    UPDATE:
    Getting closer to actually something useful:

       Image is 16x16 (0x10, 0x10) Extracted from Aireo.bin. This document really helped with figuring out the Bitmap file format. Still have a long ways to go.

TODO: 18th byte == width, 0x80 == 128==width, then 00 then 0x40 == 68==height

Serial Debug Port:
    Where is it? Gotta find it and plug into it. According to the "Building The SoniqCast Aireo" article below:
"The Aireo itself has various software debug capabilities including a debug serial comm port, a JTAG CPU emulator port, and a dump-to-non-volatile memory capability."
WHERE IS THE DEBUG SERIAL COMM PORT?!?

    UPDATE:
    Playing with Microsoft's RNDIS. Strings in EBOOT.bin and Aireo.bin led me to research RNDIS. Here's a link to download some RNDIS drivers (http://www.microsoft.com/whdc/device/network/NDIS/rndis.mspx). Trying to install these drivers took some editing of the example RNDIS.inf that they provide. First couple of errors say that the driver was written for Windows 95 or later (DUH!)....hmm it says the driver is missing a necessary entry. Well a couple more edits later and my PC rebooted itself...screw this.
    Took a step back and realized that I can't debug RNDIS because it's a system-specific thing. I can't debug Aireo's USB RNDIS because I can't access Aireo's WindowsCE OS. Duh.

Low-Level Hard-Drive (Cornice Storage Element) Investigation:
    Wow, I just found some awesome tools to do love level disk investigation. One of the best ones is called "Disk Investigator" it's FREEWARE and it rocks. Going to play with it a bit. Here's a screenshot.

Company Research:
    Here I'll do a little research on SoniqCast and try to see if I can find any interesting articles on the Aireo. I found one already: Building The SoniqCast Aireo
In that article, they go into a little detail about the development and design of the Aireo as well as name off the President of SoniqCast Kurt Thielen as well as the Lead Hardware Designer Gary Stein. Now searching for Gary Stein and a combination of Aireo or SoniqCast didn't come out too good, but Kurt Thielen's search yielded his email address ( kurt_thielen@soniqcast.com ) I wonder if Gary's email is gary_stein@soniqcast.com ? I should try that one day. I'd love to pick his brain and see what he can divulge to me. Here is another article that talks just a bit about the history of SoniqCast and it's inception. It also has a pic of Kurt.....hmmm....why does that matter? No clue.

Just for me:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcehardware5/html/wce50tskimplementingtheserialdebugfunctions.asp
^----SERIAL DEBUG PORT INFO?
http://www.microsoft.com/downloads/details.aspx?FamilyID=a120e012-ca31-4be9-a3bf-b9bf4f64ce72&displaylang=en

http://www.google.com/search?hl=en&lr=&q=Windows+CE+.NET+device+emulator

http://www.google.com/search?hl=en&q=eboot.bin

Links to other Aireo Hackers:
    Tim - http://timgray.blogspot.com/ - Blog of fellow Aireo hacker. Needs a dedicated Aireo page. =P
    *UPDATE* No longer has Aireo...boo.

[ 3 ]

The Aireo, raw.

As far as I know, these are the only internal pictures of the Aireo in existance, on the internet. They were taken on 1/25/05. Oh Joy!

Simple disassembly, only 4 screws:

Battery on left, SD slot and HD on right. Black wire on top is to the Wi-Fi card. That thing is IMPOSSIBLE to take out. I tried and tried and stripped my fingers for hours. Forget it. It stays on.

More HD pics. Also visible is the Xilinx (FPGA?) chip.

Again, HD. It's a Cornice 1.5GB "Storage Element" links on HD bellow. Model number 150GMSHE3CJ. The HD's dimensions are 35x40mm

Wi-Fi card. This PCB connects to the one on the right with that little white connector.
The right-most PCB is the one that houses the LCD and buttons.

HD removed. What do we have here? It's the Intel PXA255 cpu and some chip with a
Microsoft Windows CE sticker on it...hmm, BIOS??

Another chip pic.

PXA255 chip closeup.

HD Closeup.

HD removed again.

More HD removed pics. It was actually kinda easy.

Websites about the HDD:
http://www.mobilemag.com/content/100/102/C1561/
http://www.extremetech.com/article2/0,3973,1390898,00.asp <-- this one lists some other players that use this HDD.
http://www.corniceco.com/products/ <-- W00T!! 2GB/3GB Models!
This is an interesting one, supposedly I can buy a 3GB "sample" Storage Element (hard drive) from them for $100..

Removing the HD and booting the Aireo did nothing but pause on the Aireo logo. After I pressed Play the Aireo printed "No content on Aireo". Most of the functionality remained (minus stuff that requires content). So basically it can boot without the HD (boots from flash, duh!) and might not have a problem if I replace the HD with a 3GB unit :)

Upgrade Options?

A DevKit:

Mmmm....Storage Element Devkit...Here's the info about it, stolen from the Cornice website:

2GB Cornice Demo / Development Kit
Includes:

Storage Element & Transition IC mounted on USB2.0 card. When plugged into PC USB port the SE comes up as an additional drive.

Card also supports CF - TRUE IDE MODE ONLY - See CF Specification for details.

6" USB 2.0 Cable

Mechanical sample of SE

NOTE: Documentation must be ordered separately. See 001101-71.

Price: $199.00 US

Ideas (to-do):

* Update Aireo with unpacked Aireo.bin... then edit single byte (text?) in PlayerAppMain.exe and stuff back into Aireo.bin...compare differences, should be MINIMAL.
stuff PlayerAppMain.exe back into Aireo.bin. First with original PlayerAppMain.exe, then with one with single-edited pixel on splash, then etc.
       Check out HKLM\Software\SoniqCast\SoniqSync Server\Version??
*   SNIFF UPDATING OF FIRMWARE WITH USBMONITOR!!! <-- command to dump FLASH!???

*    Check the port on bottom of Aireo for +5V?? SERIAL COM PORT??
*** splitrom Aireo.bin -t B000FF -wo New.bin == extracted BIN (30mb) figure out how to stuff back in!
Inject using scripts? region_0 length=xxx, then region_1 length_xx <-- can splitrom do that?
*Write a little prog to tell me version of BIN i am currently looking at, make it drag and drop in C++ (use Bloodshed with GUI?). Or just drag BIN onto program (it takes it as argv) and print out version number (using offsets H = 3.2.2, 8 = 3.2.1, 3.2.0?). then system("PAUSE");
* DUMP STRINGS FROM SoniqSync_Rolf_3!!

*    Review "NDIS Drivers" and "ethernet over USB" and ethernet bootloader EBOOT (http://www.jungo.com/components_rndis.html)

*** SEND SPLIT'ed BIN TO CE EMULATOR?? create CE EMULATOR rom?

*    Debug SoniqSync to find "if aireo_firmware.version < 3.2.2; update;" <-- UPDATE TO 3.2.2 first...NOT AIREO!

*    Update to 3.2.2 Software, figure out how Firmware gets upgraded. Where is firmware stored after upgrade? Can it be RE-Updated?
*    Clone Aireo's HD image for backup purposes? (Get rid of all music first!!)
*    WHERE IS THAT STINKING SERIAL COMM DEBUG PORT. <- STILL HAVEN'T FOUND IT.

Page by mozy/roto
Created: 12/14/04 - 11am