The loader consists of 4 firmware modules, namely 1D, 1E, and two modules on track 41.
The first module is located at offset 0x200 and is preceded by a header of size 0x40 bytes.
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
000001C0 71 78 37 07 00 00 00 00 00 3C 00 01 04 00 4A 00 qx7......<....J.
000001D0 00 00 03 00 0D 60 02 00 99 00 01 00 06 10 09 20 .....`..™......
000001E0 00 00 00 00 40 00 03 00 00 00 00 00 00 00 00 00 ....@...........
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0C B2 ...............²
00000200 04 00 00 00 06 61 40 FC 00 00 03 00 02 00 00 00 .....a@ü........
00000210 30 82 10 06 00 00 00 00 00 00 00 00 00 00 0F 06 0‚..............
00000220 44 F2 2F 00 FF FF FF FF FF FF FF FF FF FF FF FF Dò/.ÿÿÿÿÿÿÿÿÿÿÿÿ
00000230 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF ....ÿÿÿÿÿÿÿÿÿÿÿÿ
00000240 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000250 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000260 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
00000270 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
........
000301E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000301F0 00 00 00 00 00 00 00 00 00 00 00 00 77 FF 00 00 ............wÿ..
The header begins with a magic number, "71 78 37 07".
Offset 0x1D0 contains the size of the data section, namely 0x30000.
Offset 0x1E4 is the size of the data section plus header, namely 0x30040.
Offset 0x1FE is the checksum word for the header. It is chosen so that the sum of the header's 32 little-endian 16-bit words, checksum word included, is 0x0000 (mod 0x10000); in other words, add up the other 31 words and negate the result. For this header the other words add up to 0x4DF4, which gives 0xB20C, matching the dump.
Offset 0x1CC is the module ID, namely 0x0004, which is reflected in the first word of the data section.
Offset 0x1CE is the data type, 0x4A. I believe this denotes an SA overlay.
Offsets 0x1D8 - 0x1DF are the time/date stamp. The date is 2009/10/06.
The header "template" can be found by searching for the magic number within the firmware module:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
0000F440 71 78 37 07 00 00 00 00 00 3C 00 01 qx7......<..
0000F450 04 00 0A 00 00 00 03 00 0D 60 02 00 99 00 01 00 .........`..™...
0000F460 06 10 09 20 00 00 00 00 00 00 00 00 00 00 00 00 ... ............
0000F470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000F480 00 00 00 00 ....
The template already carries the module ID (0x0004), the data size (0x30000) and the date stamp, but three fields differ from the finished header at 0x1C0 and have to be filled in as explained above: the data type reads 0x000A rather than 0x004A, the size-plus-header dword (offset 0x24 within the header) is zero, and the checksum word is zero.
Preceding each module and its 0x40 byte header is another 0x40 byte header with its own 0x180 byte data section:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 ................
00000010 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 €...............
00000020 00 00 00 00 00 08 07 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 72 F6 ..............rö
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
........
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
This first header has a type of 0x07 (offset 0x0E).
Offset 0x10 is the size of the data section, 0x180.
Offset 0x24 is the size of the entire loader, 0x70800.
Offset 0x3E is the checksum, computed the same way as for the module header (all 32 words of the header sum to 0x0000); here it is 0xF672.
Offsets 0x40 - 0x1BF constitute the data section, which is empty.
Here is the next firmware module:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00030200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 ................
00030210 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 €...............
00030220 00 00 00 00 00 02 02 00 00 00 00 00 00 00 00 00 ................
00030230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77 FC ..............wü
00030240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
........
000303B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000303C0 71 78 37 07 00 00 00 00 00 3C 00 01 05 00 4A 00 qx7......<....J.
000303D0 00 00 02 00 0D 60 02 00 99 00 01 00 06 10 09 20 .....`..™......
000303E0 00 00 00 00 40 00 02 00 00 00 00 00 00 00 00 00 ....@...........
000303F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0D B2 ...............²
00030400 05 00 00 00 0C C1 40 FC 00 00 02 00 02 00 00 00 .....Á@ü........
00030410 CC 6C 13 06 00 00 00 00 00 00 00 00 00 00 12 06 Ìl..............
00030420 08 64 33 00 FF FF FF FF FF FF FF FF FF FF FF FF .d3.ÿÿÿÿÿÿÿÿÿÿÿÿ
00030430 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
........
000503E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000503F0 00 00 00 00 00 00 00 00 00 00 00 00 4B 7B 00 00 ............K{..
The size of the data section is 0x20000, and the module ID is 0x05.
One significant difference is in the main header. Whereas the first main header contained the size of the entire loader (0x70800), this one holds the size of the firmware module plus the size of all the header information preceding it (0x20000 + 0x200 = 0x20200), the 0x200 being the 0x40-byte main header, its 0x180-byte data section and the 0x40-byte module header.
We repeat this process two more times for the remaining modules.
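As an added example (not the post's own tooling), here is a Python script that checks and rebuilds the two header types described above: the 16-bit word-sum checksum, the module header fields (module ID, data type, data size, size plus header), the template corrections, and the outer type-7 header with its 0x180-byte empty section. The header bytes are copied from the dumps in the post; the two-module loader image at the bottom is constructed (zero-filled data) only to show the layout end to end. Two things are assumptions of mine, not statements from the post: that bytes 0x1C..0x1F of the date stamp are BCD day, month and year (which reproduces 2009/10/06; the four bytes before them are left undecoded), and that `walk_loader` may chain modules back-to-back the way the first two appear in the dumps.

```python
"""Parse, verify and rebuild the 0x40-byte headers shown in the dumps.
Field offsets are relative to the header start: 0x1CC in the dump is 0x0C here."""
import struct

MAGIC = b"\x71\x78\x37\x07"
HDR_LEN = 0x40
OUTER_TYPE = 0x07
OUTER_DATA_LEN = 0x180   # the empty data section that follows an outer header

# Copied from the dumps: module headers at 0x1C0 and 0x303C0, the outer
# header at 0x0, and the header template found at 0xF444 inside the module.
MODULE_HDR_0 = bytes.fromhex(
    "71783707 00000000 003C0001 04004A00 00000300 0D600200 99000100 06100920"
    "00000000 40000300 00000000 00000000 00000000 00000000 00000000 00000CB2")
MODULE_HDR_1 = bytes.fromhex(
    "71783707 00000000 003C0001 05004A00 00000200 0D600200 99000100 06100920"
    "00000000 40000200 00000000 00000000 00000000 00000000 00000000 00000DB2")
OUTER_HDR_0 = bytes.fromhex(
    "00000000 00000000 00000000 00000700 80010000 00000000 00000000 00000000"
    "00000000 00080700 00000000 00000000 00000000 00000000 00000000 000072F6")
TEMPLATE = bytes.fromhex(
    "71783707 00000000 003C0001 04000A00 00000300 0D600200 99000100 06100920"
) + bytes(0x20)

def word_sum(buf):
    """Sum of the little-endian 16-bit words of buf, truncated to 16 bits."""
    return sum(struct.unpack("<%dH" % (len(buf) // 2), buf)) & 0xFFFF

def header_ok(hdr):
    """A header is intact when all 32 words, checksum included, sum to 0."""
    return len(hdr) == HDR_LEN and word_sum(hdr) == 0

def checksum_word(hdr):
    return struct.unpack_from("<H", hdr, 0x3E)[0]

def seal(hdr):
    """Fill the checksum word at 0x3E so that the whole header sums to 0."""
    struct.pack_into("<H", hdr, 0x3E, 0)
    struct.pack_into("<H", hdr, 0x3E, (-word_sum(hdr)) & 0xFFFF)
    return bytes(hdr)

def parse_module_header(hdr):
    """Decode a module header, refusing a bad magic, checksum or size pair."""
    if hdr[:4] != MAGIC:
        raise ValueError("bad magic")
    if not header_ok(hdr):
        raise ValueError("header words do not sum to zero")
    module_id, data_type = struct.unpack_from("<HH", hdr, 0x0C)
    data_len = struct.unpack_from("<I", hdr, 0x10)[0]
    total_len = struct.unpack_from("<I", hdr, 0x24)[0]
    if total_len != data_len + HDR_LEN:
        raise ValueError("size at 0x24 is not data size + 0x40")
    # Assumption: bytes 0x1C..0x1F hold BCD day, month and year, which
    # reproduces the 2009/10/06 stamp; bytes 0x18..0x1B are left undecoded.
    day, month = hdr[0x1C], hdr[0x1D]
    year = struct.unpack_from("<H", hdr, 0x1E)[0]
    return {"module_id": module_id, "data_type": data_type,
            "data_len": data_len, "total_len": total_len,
            "date": "%04x-%02x-%02x" % (year, month, day),
            "checksum": checksum_word(hdr)}

def build_module_header(template, module_id, data_type, data_len):
    """Rewrite the per-module fields of the template and re-seal it."""
    hdr = bytearray(template)
    struct.pack_into("<HH", hdr, 0x0C, module_id, data_type)
    struct.pack_into("<I", hdr, 0x10, data_len)
    struct.pack_into("<I", hdr, 0x24, data_len + HDR_LEN)
    return seal(hdr)

def build_outer_header(total_len):
    """Outer header: type 7, a 0x180-byte data section, then the size field."""
    hdr = bytearray(HDR_LEN)
    struct.pack_into("<H", hdr, 0x0E, OUTER_TYPE)
    struct.pack_into("<I", hdr, 0x10, OUTER_DATA_LEN)
    struct.pack_into("<I", hdr, 0x24, total_len)
    return seal(hdr)

def wrap_module(template, module_id, data_type, data, outer_total):
    """Outer header, empty 0x180-byte section, module header, module data."""
    return (build_outer_header(outer_total) + bytes(OUTER_DATA_LEN)
            + build_module_header(template, module_id, data_type, len(data))
            + data)

def walk_loader(image):
    """Yield (offset, outer size field, module info) for modules laid out back-to-back."""
    pos = 0
    while pos < len(image):
        outer = image[pos:pos + HDR_LEN]
        if not header_ok(outer):
            raise ValueError("bad outer header at 0x%X" % pos)
        if struct.unpack_from("<H", outer, 0x0E)[0] != OUTER_TYPE:
            raise ValueError("unexpected outer header type at 0x%X" % pos)
        inner_at = pos + HDR_LEN + struct.unpack_from("<I", outer, 0x10)[0]
        info = parse_module_header(image[inner_at:inner_at + HDR_LEN])
        yield pos, struct.unpack_from("<I", outer, 0x24)[0], info
        pos = inner_at + info["total_len"]

if __name__ == "__main__":
    # Constructed two-module image with zero-filled data, sizes as in the dumps.
    img = wrap_module(TEMPLATE, 4, 0x4A, bytes(0x30000), 0x50400)
    img += wrap_module(TEMPLATE, 5, 0x4A, bytes(0x20000), 0x20200)
    for off, size, info in walk_loader(img):
        print("0x%05X outer size 0x%X %s" % (off, size, info))
```

Rebuilding the 0x1C0 header from the template with module ID 4, type 0x4A and size 0x30000 reproduces the dump byte for byte, including the 0xB20C checksum; the same call with ID 5 and size 0x20000 reproduces the header at 0x303C0 with 0xB20D. Note that the first module's outer header carries the whole loader size, so in the constructed two-module image it is 0x50400 rather than the 0x70800 of the real four-module loader.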