lazy notes about the musicstore hdd format

the firmware is stored on the hard drive (weird huh). ".text" starts at 0x0 and continues until 0x75090 (exclusive). the next 0x2588 bytes (from 0x75090 to 0x77618, exclusive) are the ".data" section of the firmware image.

both .text and .data sections are loaded one after another at address 0. there's a .bss section which is at addresses 0x77618 to 0x81dbc (exclusive). the firmware is classic ARM (we all know the chip is probably yet another ARM926EJ-S deal), big endian.

the initialisation of .data and .bss are in a function at 0x00033614 - beware of the fact that .data is copied from where it was loaded straight back to where it's already loaded. i think that's just a silly linker script heckup.

it's a bit of a c++ nightmare with vtables everywhere. good luck.

seems like it runs something resembling an rtos. there are what look like tasks being started in a function at 0x00005980.

be really careful with the tail calls - there are a lot which are just b to a tail call'd function and ghidra is Not good at picking up on them.

there's some registers in a region starting at 0x01ff0000. ones near 0x01ffb004/0x01ffb005 seem to be gpio used to drive the LCD (yeah, just a mega standard hitachi deal). there's some kind of ata controller at 0x03fd0000, where the command block registers are mapped 0x03fd0040 + DA2..DA0 * 4. they maintain the same read/write semantics as the ata spec says they should.

the filesystem is FAT like. there's a table of file-ish things (i called them "entries", naming is hard) beginning at 0x400000. each is 128 bytes long and begins with a 4-byte BE tag value. there's 4096 entries, and a tag of 0x20 is given to unused entries.

there's a cluster chain esque system which begins at 0x480000. there are 4096 4-byte BE values which are the next sector in the chain (i.e. there's a big array of dwords at 0x480000 which you index into with your current sector value and you get back the next sector value). if the next sector is 0, the thing you're reading is finished. if it's 0xffffffff, the sector is unallocated.

each sector from the file system's perspective is 0x20000 long - 256x 512-byte sectors.

the sectors in the cluster chain are all relative to the start of the disk - they don't have any offsets to ignore the code. this is also probably why the first cluster chain exists - it's just one which covers all the data from 0x0 to 0x400000. if you look at the cluster chains themselves there are a few odd ones which don't have mp3 data in them. no clue what they do.

you can use the fs.py file to poke at some of this. run it with the .img file as the first command line argument and uncomment the functions at the bottom of the file to do different things (dump entries, dump cluster chains, dump mp3s). you'll need the construct library but that's it.

no idea. they have the right structure, i think - that is, they start with the right header with sync word and sensible looking data (44.1khz, etc), but software freaks out reading them. the size of the files seem to make sense for their lengths, considering the bitrate + sample rate.