kuroneko wrote:
block_stat is very likely the spare area ECC. This is based on info I got from nem and I could confirm that it looks like an ECC for the samples I got. It only covers 8 bytes (12-bit ECC), so I assume it includes everything except sector ECC, block status (block_invalid), spare area ECC and the last two reserved bytes.
As for the different formats, I can't help you with that because I don't have a complete image dump.
HTH
I have confirmed that what I called block_stat is indeed the ECC of the spare area from bytes 4 to 12, with the final MSB nibble always set.
Updated definition:
Code:
#include <stdint.h>

/* One 16-byte spare area entry, one per 512-byte page of user data. */
typedef struct {
        uint8_t user_ecc[3];    /* calculated per 512 byte page of user data */
        uint8_t block_use;      /* 0xff = empty, might just be a sideeffect */
        uint8_t block_fmt;      /* 0xff = IPL, 0x00 = FAT */
        uint8_t block_stat;     /* 0xff = valid block */
        uint8_t block_addr[2];  /* logical block number for FAT, mostly 0xff 0xff for IPL */
        uint8_t unknown[4];     /* 0x38 0x4a 0xc6 0x6d for IPL area */
                                /* 0x00 0x00 0x00 0x00 for others? */
                                /* also 0x01 0x01 0xff 0xff in IPL */
        uint8_t spare_ecc[2];   /* 12-bit ECC calculated from byte 4-12 on spare area */
        uint8_t reserved[2];    /* always 0xff 0xff */
} spare_area_t;
That means everything needed for working on the FAT portion of the flash is now available. The IPL area is still a little mysterious. What is the purpose of the unknown 4 bytes? And what does the block_addr mean in IPL?
Here are the different values used in IPL:
Code:
00010000  a9 56 55 00 ff ff ff ff  38 4a c6 6d 89 fd ff ff  |.VU.....8J.m....|
00040000  a5 a6 99 00 ff ff ff ff  38 4a c6 6d 89 fd ff ff  |........8J.m....|
000c0000  c3 ff fc 00 ff ff ff ff  ff ff ff ff 00 f0 ff ff  |................|
000d4000  56 a6 65 00 ff ff 73 01  01 01 ff ff 86 f1 ff ff  |V.e...s.........|
The first is for the block pointers for IPL and the second is for the real IPL itself. Only the user_ecc field changes. The third and fourth are for the second portion of the "IPL" that starts at 0xc0000. The fourth is interesting because the block_addr field is used for something! The part this refers to is quite short and reproduced here:
Code:
000d4000  20 01 21 01 22 01 23 01  24 01 25 01 26 01 27 01  | .!.".#.$.%.&.'.|
000d4010  28 01 29 01 2a 01 2b 01  2c 01 2d 01 2e 01 2f 01  |(.).*.+.,.-.../.|
000d4020  30 01 31 01 32 01 33 01  34 01 35 01 36 01 37 01  |0.1.2.3.4.5.6.7.|
000d4030  38 01 39 01 3a 01 3b 01  3c 01 3d 01 3e 01 3f 01  |8.9.:.;.<.=.>.?.|
000d4040  10 00 11 00 12 00 13 00  14 00 15 00 16 00 17 00  |................|
000d4050  18 00 19 00 1a 00 1b 00  1c 00 1d 00 1e 00 1f 00  |................|
000d4060  20 00 21 00 22 00 23 00  24 00 25 00 26 00 27 00  | .!.".#.$.%.&.'.|
000d4070  28 00 29 00 2a 00 2b 00  2c 00 2d 00 2e 00 2f 00  |(.).*.+.,.-.../.|
000d4080  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000d4090  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000d40a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000d40b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000d40c0  0f 00 50 00 45 00 46 00  04 00 05 00 06 00 41 00  |..P.E.F.......A.|
000d40d0  42 00 43 00 40 01 44 00  40 00 30 00 31 00 32 00  |B.C.@.D.@.0.1.2.|
000d40e0  33 00 34 00 35 00 36 00  37 00 38 00 39 00 3a 00  |3.4.5.6.7.8.9.:.|
000d40f0  3b 00 3c 00 3d 00 3e 00  3f 00 ff ff ff ff ff ff  |;.<.=.>.?.......|
000d4100  00 01 01 01 02 01 03 01  04 01 05 01 06 01 07 01  |................|
000d4110  08 01 09 01 0a 01 0b 01  0c 01 0d 01 0e 01 0f 01  |................|
000d4120  10 01 11 01 12 01 13 01  14 01 15 01 16 01 17 01  |................|
000d4130  18 01 19 01 1a 01 1b 01  1c 01 1d 01 1e 01 1f 01  |................|
000d4140  f5 ff f5 ff f5 ff f5 ff  f5 ff f5 ff f5 ff f5 ff  |................|
000d4150  f5 ff f5 ff f5 ff f5 ff  f5 ff f5 ff f5 ff f5 ff  |................|
000d4160  f5 ff f5 ff f5 ff f5 ff  f5 ff f5 ff f5 ff f5 ff  |................|
000d4170  f5 ff f5 ff f5 ff f5 ff  f5 ff f5 ff f5 ff f5 ff  |................|
Exciting :)
Anyway, the data in the 0xc0000 section is not static, unlike the IPL. I compared two different 1.5 flashes and the above, for instance, appears in a different location and the data also changes. Possibly this is to do with downgrading from 2.0 but I don't know...
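As an added example (not code from this thread, and not PSP firmware code), here is a small C decoder for the spare-area layout described above. It unpacks a raw 16-byte spare entry into the poster's spare_area_t, classifies a block as IPL or FAT from block_fmt, reads block_addr, and checks the invariants the post reports: block_stat is 0xff for a valid block, the top nibble of the last ECC byte is always set (consistent with a 12-bit ECC), and the trailer is ff ff. The little-endian reading of block_addr is an assumption (the post does not state the byte order), the FAT and "bad" sample entries are constructed, and their ECC bytes are placeholders rather than computed values. The ECC algorithm itself is not given on the page, so the code verifies the nibble property only and does not recompute the ECC.

```c
/* Decoder for the 16-byte spare area layout given in the post above.
 * Added example; field names follow the poster's spare_area_t. Anything
 * not stated in the post (block_addr byte order, the constructed samples)
 * is marked as an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPARE_SIZE 16

typedef struct {
    uint8_t user_ecc[3];    /* ECC over the 512-byte user page */
    uint8_t block_use;      /* 0xff = empty */
    uint8_t block_fmt;      /* 0xff = IPL, 0x00 = FAT */
    uint8_t block_stat;     /* 0xff = valid block */
    uint8_t block_addr[2];  /* logical block number for FAT */
    uint8_t unknown[4];     /* 38 4a c6 6d in IPL, 00 00 00 00 elsewhere */
    uint8_t spare_ecc[2];   /* 12-bit ECC over spare bytes 4..11 */
    uint8_t reserved[2];    /* always ff ff */
} spare_area_t;

enum spare_fmt { FMT_FAT, FMT_IPL, FMT_UNKNOWN };

/* Flags returned by spare_check(); 0 means the entry matches the layout. */
enum {
    SPARE_BAD_STAT     = 1u << 0, /* block_stat != 0xff: block marked invalid */
    SPARE_BAD_FMT      = 1u << 1, /* block_fmt neither 0x00 nor 0xff */
    SPARE_BAD_ECC_HIGH = 1u << 2, /* top nibble of spare_ecc[1] not 0xf */
    SPARE_BAD_RESERVED = 1u << 3  /* trailer is not ff ff */
};

/* Copy field by field so nothing depends on struct packing or alignment. */
void spare_decode(const uint8_t raw[SPARE_SIZE], spare_area_t *s)
{
    memcpy(s->user_ecc,   raw + 0,  3);
    s->block_use  = raw[3];
    s->block_fmt  = raw[4];
    s->block_stat = raw[5];
    memcpy(s->block_addr, raw + 6,  2);
    memcpy(s->unknown,    raw + 8,  4);
    memcpy(s->spare_ecc,  raw + 12, 2);
    memcpy(s->reserved,   raw + 14, 2);
}

enum spare_fmt spare_format(const spare_area_t *s)
{
    if (s->block_fmt == 0xff) return FMT_IPL;
    if (s->block_fmt == 0x00) return FMT_FAT;
    return FMT_UNKNOWN;
}

/* Little-endian read, so "73 01" becomes 0x0173. Byte order is an assumption. */
uint16_t spare_logical_block(const spare_area_t *s)
{
    return (uint16_t)(s->block_addr[0] | (s->block_addr[1] << 8));
}

int spare_block_addr_unset(const spare_area_t *s)
{
    return s->block_addr[0] == 0xff && s->block_addr[1] == 0xff;
}

/* Check the invariants the post reports: valid-block marker, the set top
 * nibble a 12-bit ECC leaves in the last ECC byte, and the ff ff trailer. */
unsigned spare_check(const spare_area_t *s)
{
    unsigned flags = 0;
    if (s->block_stat != 0xff)                            flags |= SPARE_BAD_STAT;
    if (spare_format(s) == FMT_UNKNOWN)                   flags |= SPARE_BAD_FMT;
    if ((s->spare_ecc[1] & 0xf0) != 0xf0)                 flags |= SPARE_BAD_ECC_HIGH;
    if (s->reserved[0] != 0xff || s->reserved[1] != 0xff) flags |= SPARE_BAD_RESERVED;
    return flags;
}

/* Two IPL spare entries copied from the dump above (offsets 0x10000, 0xd4000). */
static const uint8_t SPARE_AT_10000[SPARE_SIZE] = {
    0xa9,0x56,0x55,0x00, 0xff,0xff,0xff,0xff, 0x38,0x4a,0xc6,0x6d, 0x89,0xfd,0xff,0xff };
static const uint8_t SPARE_AT_D4000[SPARE_SIZE] = {
    0x56,0xa6,0x65,0x00, 0xff,0xff,0x73,0x01, 0x01,0x01,0xff,0xff, 0x86,0xf1,0xff,0xff };
/* Constructed FAT-style entry for logical block 0x2a; ECC bytes are placeholders. */
static const uint8_t SPARE_FAT_SAMPLE[SPARE_SIZE] = {
    0x12,0x34,0x56,0x00, 0x00,0xff,0x2a,0x00, 0x00,0x00,0x00,0x00, 0x00,0xf0,0xff,0xff };
/* Constructed entry: block marked invalid, ECC nibble clear, trailer corrupt. */
static const uint8_t SPARE_BAD_SAMPLE[SPARE_SIZE] = {
    0x12,0x34,0x56,0x00, 0x00,0x00,0x2a,0x00, 0x00,0x00,0x00,0x00, 0x00,0x70,0xff,0x00 };

static void dump_entry(const char *name, const uint8_t raw[SPARE_SIZE])
{
    spare_area_t s;
    spare_decode(raw, &s);
    printf("%-14s fmt=%s stat=0x%02x block=", name,
           spare_format(&s) == FMT_IPL ? "IPL" :
           spare_format(&s) == FMT_FAT ? "FAT" : "?", s.block_stat);
    if (spare_block_addr_unset(&s)) printf("----");
    else printf("0x%04x", spare_logical_block(&s));
    printf(" flags=0x%x\n", spare_check(&s));
}

int main(void)
{
    dump_entry("spare@0x10000", SPARE_AT_10000);
    dump_entry("spare@0xd4000", SPARE_AT_D4000);
    dump_entry("fat-sample",    SPARE_FAT_SAMPLE);
    dump_entry("bad-sample",    SPARE_BAD_SAMPLE);
    return 0;
}
```

Running this prints one line per entry; the two real IPL entries come back with flags=0, the 0xd4000 entry reports block 0x0173, and the constructed bad entry shows the three violated invariants. To walk a full dump, feed each page's 16 spare bytes through spare_decode and treat any non-zero spare_check result as a page to look at by hand before trusting its block_addr.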