-
Notifications
You must be signed in to change notification settings - Fork 11
M7MU Firmware Format
Georg Lukas edited this page Oct 13, 2023
·
2 revisions
The DATANX3000.bin file has a 1024 byte header that matches closely the M7MU firmware header for Samsung K Zoom that was luckily dumped by the Samsung Android team. Looks like the strings are off, but the relevant data fields seem to match. Use this project's firmware header decoder or write your own.
What's known so far:
- 1024 byte header includes meta-data, SDRAM and NAND initialization, some pointers to (file?) sections (some ASCII strings have the high bits set)
- bootloader code starts at
0x400in the file, is most probably mapped to0x40000400and is uncompressed - actual application code seems to start at
0x50000and uses some sort of run-length-encoded compression or other weirdness that adds two bytes of unknown data every 16 bytes or somesuch. - Given the SDRAM and NAND init structures, it is well possible that the firmware image is written to flash 1:1 and directly mapped into the M7MU's address space, where it performs initialization from.
- It's unclear whether the bootloader uncompresses the application from flash into RAM or whether the firmware is uncompressed when flashing.
Header dump of DATANXmini.bin version 1.10:
| Field | Value |
|---|---|
| block_size |
0x400 (1024) |
| writer_load_size |
0x4fc00 (326656) |
| write_code_entry |
0x40000400 (1073742848) |
| sdram_param_size |
0x90 (144) |
| nand_param_size |
0xe1 (225) |
| sdram_data | snipped |
| nand_data | snipped |
| code_size |
0xafee12 (11529746) |
| offset_code |
0x50000 (327680) |
| version1 | "01.10" |
| log | "201501162119" |
| version2 | "GLUAOA2" |
| model | "NXMINI" |
| section_info | snipped |
| pdr | "" |
| ddr | 00 b3 3f db 26 02 08 00 d7 31 08 29 01 80 00 7c 8c 07 |
| epcr | 00 00 3c db 00 00 08 30 26 00 f8 38 00 00 00 3c 0c 07 |
Header dump of RS_M7MU.bin from Samsung K-Zoom (this is the firmware file that the Android CPU sends to the M7MU CPU, apparently):
| Field | Value |
|---|---|
| block_size |
0x400 (1024) |
| writer_load_size |
0x3fc00 (261120) |
| write_code_entry |
0x40000400 (1073742848) |
| sdram_param_size |
0x90 (144) |
| nand_param_size |
0xe1 (225) |
| sdram_data | snipped |
| nand_data | snipped |
| code_size |
0x5dee12 (6155794) |
| offset_code |
0x40000 (262144) |
| version1 | "00.01" |
| log | "201405289234" |
| version2 | "D20FSHE" |
| model | "06DAGCM2" |
| section_info | snipped |
| pdr | " " |
| ddr | 00 12 3f db 17 00 08 00 17 10 08 29 00 00 00 3c ac 07 |
| epcr | 10 00 3c db 00 00 08 30 26 00 f8 38 00 00 00 3c 0c 07 |