HunterDavis.com 4.0!

14Feb/1019

Leapfrog Crammer – 10$ ogg vorbis/mp3 etc with disassembly

Reccomended to me on the comments of a previous thread, I picked up the leapfrog crammer for 10$ at big lots. I've seen these all over the discount stores (along with didj's, which I have one of Claude's cartridges for and will be porting software sometime soon). For 10$ ogg vorbis support and a touch screen (kind of ..) is a heck of a deal. More info after the jump.

crammer guts

The animation on the games is pretty good, better than I was expecting. The "touch screen" is actually just a 4-way rocker. Pretty fun way to control games, but obscures the screen for no good reason. It takes 3x aaa batteries, no word yet on battery life as they're still holding a good charge. You can pop off the battery case with a small screwdriver or coin. After which you can pop off the front blue bezel, which exposes 4 small screws holding in the mobo. You pop this out just like an eee mobo (one pin, careful with the ports). Looks like it's running a samsung-831 firmware, K9G8G08UOB pcbo nand. No transistors between the battery compartment and the mobo, taking straight 4.5v. Plays mp3, wav, and ogg. Another potential rockbox target?

Tagged as: Leave a comment
Comments (19) Trackbacks (0)
  1. Nonya-Biz
    February 16th, 2010 - 19:11

    any chance we can get some pictures of the othere side of the board?

  2. hunter
    February 16th, 2010 - 19:25

    Still haven’t been brave enough to pry the screen off, seems to be glued on? Maybe take the heat gun to it?

  3. zonemad96
    February 18th, 2010 - 06:48

    someone made a blog about this and deleted it or something was that u?
    first you plug the crammer in and wait for it to connect on
    the leapfrog connect program thing
    then you go to
    \Application Data\Leapfrog\LeapFrog Connect\mnt
    go their and keep click on the folders
    untill u get to a spot with a bunch of folders
    once your their thats all the stuff on the crammer … i dont know what to do with it but yea

    they say Finally if you have done everything correcly, you should be able to run the crammer application, run the new update, and have the diagnostic menu be in place of the flashcard app.
    My final goal is to have an open source firmware running on the Crammer, sort of like rockbox or uClinux.

    but its way to complex for me to do shit with

    “What I Have Done WIth the Crammer
    Currently the Leapfrog Crammer, has been partly reverse engineered by me. CrammerVerDict.xml holds many secrets. It is located in “C:\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates”. The update files are located in “C:\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Crammer”, not the “Update” folder. If you read the CrammerVerDict.xml, you can see what the file names correspond to. You should use Wordpad, not Notepad or Internet Explorer. If you open the firmware update file in Winrar, after renaming it with a zip extension, you should be able to extract “Master.DAT” when you have master.dat extracted, you can search for FAT16 in a hex editor like XVI32. A few lines before that you should see “E9″ in the hex editor section. Click on the two digits behind the “E9″, and open the edit menu, and click “delete to cursor”. Then save this as a “img” extension. Finally open WinImage, then go to “File->Open” and navigate to the .img file and open it. You should be able to see the BXC OS filesystem, if you want to go further, extract the DIAGNOSE.EXE to c:\ then rename and inject it to another EXE like flshcard.exe to replace that app with the diagnostic menu. I will have some pictures attached to show what it looks like. Then delete from cursor while you are selecting the E9, not the one before it in XVI32. create an extra FF in the insert hex window. Then inject the the img file after saving it. and save it as master.dat in another directory. compress this in the same zip file after editing meta.xml to change the version number, in the same directory, and finally rename it to lfp. I take no responsibilty if anything goes wrong with your device, and I will not cover any damages, espically if you follow the steps after here. edit the hosts file to set the update server to 172.0.0.1. To find this, you need wireshark. I don’t want anybody with little experience doing this, so I will not give the hostname, and I have ommited some details above, which should be easy to find. Set up a http server, and copy the proper files into the proper directories, you can find these with wireshark. Then start the http server. Make sure to copy the CrammerVerDict.xml to the proper filename, and edit it to change the version number. Finally if you have done everything correcly, you should be able to run the crammer application, run the new update, and have the diagnostic menu be in place of the flashcard app.
    My final goal is to have an open source firmware running on the Crammer, sort of like rockbox or uClinux.”

  4. zonemad96
    February 18th, 2010 - 14:39

    i found a way to put your own wav file in a spanish flash card set its pretty easy

    you go to the leapfrog connect program and make a spanish flash card set and get rid of all the other spanish flash card sets on the crammer then go to

    C:\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\mnt\(some long number)\crammer\flashcards\custom\audio

    then copy the name of the wav file already their usualy spt and a number after it then delete the wav file the put the wav file you want in the folder and rename it the name of the old wav file and thats it instead of haveing the spanish person talking it plays what ever wav file you put in their … not that theirs any point to it but yea

    so if you wanted to put rockbox or uclinux or something on it you could put it in
    C:\Documents and Settings\All Users\Application Data\Leapfrog\LeapFrog Connect\mnt\(some long number)\crammer\
    but im not good at that stuff so yea but you can change around what ever you want in their

  5. Hunter Davis
    February 18th, 2010 - 14:52

    Hey ZoneMad96,

    Very cool info! I had not seen that page, nor did I know about the debug interface. Very neat, I’ll be sure to try that out shortly. Great find!

  6. Calvin Balke
    March 5th, 2010 - 17:33

    I didn’t know that anybody wanted to do the same thing as me. I created the blog. I am currently 13 years old. there are actually 3 different partitions in the crammer firmware. The leapfrog connect startup files partition, the firmware partition, and the mnt partition that zonemad was talking about. If you go into computer management, scroll down to disk management, click on that, then you should be able to see the leapfrog crammer disk partition, right click on it, and click change the mount points. Then you can mount it as a drive instead of that long directory. So far, I have seen no way to access the internal partition without rewriting the firmware. If you want, I could send you a diagnostic enabled firmware image. You would still have to copy it to the right location, and start a web server. Another strange thing, is the executable type. It is a portable executable, sort of like windows ce arm, but the crammer seems to be running dos, probably modified rom-dos. If you want to contact me, my email is cbalke@charter.net

  7. hunter
    March 5th, 2010 - 17:42

    Hey Calvin,

    The great thing about the internet is that there’s always somebody interested :) That’s great info, thanks for posting it up for us! I’m had no idea it was running a type of dos, that’ll make generating executables interesting. Thanks!

  8. speedsthatbeat
    April 18th, 2010 - 18:04

    All,
    it seems that the crammer runs PocketPC 2003 arm4 with some specific library developed for the crammer board. Did any one tried the crammer executables on a pocketPC 2003 arm4?

  9. Hunter
    April 18th, 2010 - 18:47

    Hey speedsthatbeat,

    That’s quite an interesting suggestion! Does anyone have a ppc2003 device to test with? Perhaps there’s an emulator that would suffice? A mystery! Great find!

  10. speedsthatbeat
    April 19th, 2010 - 10:45

    Hunter,

    I tried without success with emulator for WM 5 that you can find here http://www.microsoft.com/downloads/details.aspx?FamilyID=A120E012-CA31-4BE9-A3BF-B9BF4F64CE72&displaylang=en but I probably i have not set it up correctly because other applications that should have worked did not.
    If you look inside the crammer binaries you find a lot of references to PocketPC 2003 so I guess the crammer is running some form of Wince 3 Arm and the hw specifics are handled by the sdklib.dll that you find in the firmware in the directory system following the instructions above.
    In addition someone figured out what are the .dat files/ (i.e. music.dat quiz.dat)?

  11. hunter
    April 20th, 2010 - 06:56

    Hey speedsthatbeat,,

    Now we’re getting somewhere. I recall I had an old jornada that ran winCE 3.0 arm as well. Actually that’s the jornada that played nintendo vs iteself for a year straight. I’ll see if I can dig out my old visual studio 6 install and try and compile something :) Let me know if you figure out how to decode those .dat files, I have not looked at they yet. Fun stuff!

  12. speedsthatbeat
    April 25th, 2010 - 07:14

    All,
    here is more info about the crammer hw and the os.

    HW
    The Crammer is based on a Nuvoton W55pA71 that is an ARM7-TDMI running @ 81MHz. You can find more detailed specs just googling for W55pA71.

    It is possible to put the crammer in diagnostic mode pressing the reset and the enter button (top right) together and powering up the unit.

    OS: the os seems to be a flavor of wince. The appications are wince 32 console (all the binaries are potrable executable) while the key libraries sdklib.dll and krnllib.dll are for a wince32 4.2 (pocketpc2003)(gui) arm subsystem.

    Applications: when executed in a pocketpc 2003 environment the application starts but does not show any output. The dll menioned have been moved to the windows directory to be found by the application.
    I had to reboot the wince device afterwards os caution is advised.

  13. hunter
    April 25th, 2010 - 11:55

    Hey speedsthatbeat,

    Excellent info! Now we’ve got all sorts of fun stuff to try! Thanks for the post!

  14. Calvin Balke
    June 17th, 2010 - 18:50

    The sdklib.dll and krnllib.dll have processor svc calls, so it won’t be compatible in another kernel. I know this, because I opened the dll up in IDA disassembler, and I read the instruction set for the arm architecture.

  15. Calvin Balke
    June 17th, 2010 - 19:00

    Nuvoton might be able to give me the source code, but I can’t distribute it. I can’t distribute the datasheet either as far as I know. I want to avoid any legal trouble.

  16. Hunter Davis
    June 18th, 2010 - 08:51

    Quite interesting, but we understand all about legal trouble. GL

  17. speedsthatbeat
    June 29th, 2010 - 14:52

    Calvin,
    is there anything at higher level that you can share? The crammer seems a nice platform to play with…

  18. Calvin Balke
    July 5th, 2010 - 12:57

    You could also ask them for the source code and the datasheet. I have not received the source code yet. I Think that Erik, the person who I was emailing, thought that I wanted Besta’s source code. I just sent another email. It supports ECOS, the open source embedded os. They already have a bootloader. Since the only part of the board that I can access is the flash IC, I am planning on making it so anybody could short two pins to put it in a special recovery mode.

  19. speedsthatbeat
    July 5th, 2010 - 14:21

    Calvin,
    great. Can you send me in an email the contact person?

    thanks


Leave a comment


No trackbacks yet.

« Site Upgrades! 75$, 20 watt blue ray player (with video and kill-a-watt goodness) »

Search

Pages

Archives

Calendar

July 2010
M T W T F S S
« May    
 1234
567891011
12131415161718
19202122232425
262728293031  

Recent Posts

Recent Comments

Meta

Personal Pages

Web Comics