MP3 Player Recovery and Hacking
The MP3 player itself is a remarkably simple device. After removing the two visible screws at the USB plug end, the case simply popped open, as shown below.
The board inside was quite simple to remove from the case, and revealed the board model and revision, MD218IFD-PCB-V2.0, 2006.06.20.
Hunting through pages turned up by Google from the board model number turned up a player manufactured by Yuraku (SYMP3-MD218iFD), again with no downloadable firmware. They also never responded to support queries. Further results also turned up the same player under another brandname, Egoman, however the result was the same, with no downloadable firmware and no response to support queries.
The next step was to look at what else was on the board.
There were only two significant ICs on the board, one being the block of flash memory, and the other being the CPU. The CPU is a M5661R B1 made by ALi.
Unfortunately there did not seem to be any datasheets out there for this, however these devices apparently contain a 24-bit 80MHz audio DSP and support NAND flash and various other flash devices, such as MMC and SD cards. They also have DRM support and have an integrated 8-bit 120MHz MCU. (If any of this information is incorrect, please let me know and I will gladly correct it. Actually, if anyone has the datasheet for any of the M5661 devices, I would love a link to it!) (source: http://www.rockbox.org/twiki/bin/view/Main/CobyInfo)
Hunting around on Google for information on M5661 based MP3 players brought me to the S1MP3 firmware project S1MP3.org (Also mentioned on HackADay.com with a hack for increasing the flash memory on board). While this information wasn't relevant to this player, it did provide some useful directions through posts on the forums and the wiki, such as one method for setting the player into loader mode, as discussed in the next section.
One of the most useful sites was a polish electronics forum, elektroda.pl. If anyone knows Polish and could accurately translate the entries related to this device, I would greatly appreciate a translation.
In the next section, the real fun starts!