OUR NETWORK: TechLore Explore3DTV MyOpenRouter MediaSmart home TiVoCommunity See all... About UsAdvertiseContact Us

Learn about scoring Forum's Raw Score: 2720980.0
October 4, 2008 12:50 PM

Categories: Rovio

Rating (0 votes)
  • 1
  • 2
  • 3
  • 4
  • 5
Rate This!

Member Avatar


Joined: 10/18/2006

(potential starting places if someone wants to hack this device)

Using the Rovio USB connection, there are two USB devices, that are mutually exclusive (both vendor ID 0x0416)
Product ID 0x7021 - A serial connection (identifies as a virtual COM port).  I don't know if this is used, but it could be a useful debug com port.
Product ID 0x7020 - a 2MB disk, using a non standard file system (ie. RAW). More details below.

I haven't figured the details which device is selected. It may depend on the order it is connected (turn on Rovio, wait for light on, plug in cable - or plug in cable first ???)
The 2MB disk appears to be mostly-direct image of the flash ROM in the Rovio. The first 1MB appears to be valid. The second 1MB appears to be blank (0xFF, or it may not exist)

The way I capture it (raw disk copy using MacOSX) gives a 16byte header.
After the header, the next part (830KB currently) is *exactly* the same as the firmware update .bin (see below)
After that, there are a few additional spaces used, but it is mostly blank (0xFF)

Starting at 0xFD800 are the user settings. These include your WEP settings, account names, passwords etc.

The Rovio setup program must set these values before the WiFi connection will work.
I don't know if the setup program writes to these locations directly, or uses another method for access. I haven't tried writing to the 2MB disk (that's dangerous)

re: Firmware update format
The firmware update .bin is relatively straight forward. It is a direct ARM image. There is no encryption. Some parts of the .bin file (especially the data 'files') are "Gzip" compressed. After the ARM code (easy to disassemble with IdaPro or other tools), there is a directory of data 'files' mid-way in the big .bin file, and the data 'file' data at the end (usually compressed, eg: 'rovio.js.gz')
For data 'files' that map directly to webserver files (see http://www.robocommunity.com/forum/thread/14158/Rovio-WebServer-URLs-JavaScript-and-tech-stuff/) you can download the files using your web browser (the server will handle the GZIP decompression automatically for you)

Exact details to be worked out (if anyone cares ;-), and to see if a custom firmware .bin could be created. It doesn't look like there are major roadblocks.

Known firmware versions: (for your disassembling pleasure ;-)
(original version - 4.00? - not available on web, but I have a capture)

Discussion:    Add a Comment | Comments 1-15 of 15 | Latest Comment

October 4, 2008 8:58 PM updated: October 4, 2008 9:30 PM

You missed the pkzip header, containing a single files called CameraTest.bin at 0x5a48 in the 4.02 firmware image.

USB device select appears to be based entirely on when the Rovio is connected. If you connect before the power button lights up, you get the mass storage device, after the power button lights up, the serial device (used to configure the Rovio by the setup program). Which would be why the setup advises you to turn it on and wait for the light before connecting it.

I haven't spotted anything like a checksum in the image yet (I assume and hope there is one).

RoboGuide - Your guide to hacking all things WowWee

October 5, 2008 10:12 AM

> You missed the pkzip header...
(that's part of the next installment ;-)

The main eCos program that does all the processing is called "CameraTest.bin"
It is compressed (using PKZIP) and stored before the file directory.
When expanded it is over 1MB in size. When stored in RAM, it is the brains of the Camera processor. Easy to disassemble using IdaPro (or other ARM tools).
BTW: Lots more details to write up (maybe next week, if anyone cares). There is much functionality in that module, including most of the Rovio camera and IR location features (but not the robot motion and path system AFAIK).
Most of it is what you would expect from a Web-enabled camera. There are a number of unused/undocumented features.

Best one found so far ;->

October 5, 2008 5:49 PM

Your better at this that I am, so I (at least) await your further discoveries with breathless anticipation.

RoboGuide - Your guide to hacking all things WowWee

October 5, 2008 6:04 PM

RobosapienPet said: ... BTW: Lots more details to write up (maybe next week, if anyone cares)...
I'm interested as well ;)

Watch out, don't step in the anthropomorphization.

October 5, 2008 7:39 PM updated: October 5, 2008 7:44 PM

Don't get your hopes up, it is mostly the webcam stuff ;->
It appears the "NS" (North Star) system is hooked into /dev/ser0, and the robot control into /dev/ser1.
Has anyone taken their Rovio apart yet?

On a totally related note, the CameraTest.bin program is using eCos.
eCos is an open source embedded OS http://ecos.sourceware.org/
It is released under a GPL-like license.
I'm not sure if their boot loader is as well, but that is far less critical.

"....In the simplest terms, when you distribute anything containing eCos code, you must make the source code to eCos available under the terms of the GPL."
"...However you would not need to make available any other code, such as the code of a wholly separate application linked with eCos."

So WowWee owes us the source code for at least part of the software.

I will create a separate post for this.

October 5, 2008 9:59 PM updated: October 5, 2008 10:00 PM

Minor additional: (also see the URL thread for stupid CGI tricks)

According to this article the Rovio has 8MB of RAM and 2MB of flash ROM.
They also confirm that it is running under 'eCos' (which is difficult to hide)
As mentioned earlier, currently less than 1MB of flash ROM is used.

DISCLAIMER: some guesswork follows
I'm guessing the CPU is a WinBond W99802. It is mentioned in the eCos program.
(has block diagram on page 3, haven't found specs for it)

There are at least two serial ports (UARTs)
/dev/ser0 is used as the "NS" com port which I assume is the North Star system.
/dev/ser1 appears to handle the "mcu" commands for motor control. Similar to the RSMedia.
Once someone takes it apart it will be interesting to see exact chips.

December 13, 2008 8:51 AM updated: December 13, 2008 9:07 AM

RobosapienPet said: Don't get your hopes up, it is mostly the webcam stuff...

That sounds exciting enough, maybe changing some settings can improve the low-light performance? I'll cross my fingers for what you smart guys can figure out (I'm just a user, most of this stuff is way over my head).

EDIT: I just realized I am commenting on a 2-month old statement!

December 14, 2008 5:39 AM

quick question. Do you think we can restore a firmware from this usb rawfs connection ?

I exeplain, my rovio is dead since a firmware update and don't boot anymore.
Do you have any idea how i could restore a new rawfs partition ?

perhaps with somehting like dd on linux ?

Would it be possible someone provide a backup image of his system ?


December 19, 2008 2:52 PM

My advise, don't do firmware update at any device just for fun only if there is problem and "know" fix about that.

by the way the USB cable that they provide some times does not work, only with sort USB cable (like NOKIA) USB cable for mobile phones, that happens because the power through the cable from computer to device has "noice" or is not made of good matterials.

WowWee Thank you :)

January 28, 2009 12:32 PM

sounds like you have a handle on this rovio... i have three of them one is dead right out of the box. not power light at all and usb when hooked up is unreconized, the blue lites come one and the rovio is show to be an external hard drive of 2 mb. i think this would be a great robo cadaver for this experiment. if the data is raw then i should not format the memory. if i can get a full complete picture of the software i maybe able to cut and past???? perhaps. any ideas i would like to get this rovio up and runnning asap. it maybe worth a try. send me an email. we can do some robo frankinstine type sergery. heheh.Laughing

February 15, 2009 12:12 PM

has anyone found out how to remove the writeprotection of Rovio^s usb flash memory to write directly? I 've tried everything without success. would greatly appreciate your help.

February 18, 2010 1:01 AM

Rob said:
RobosapienPet said: Don't get your hopes up, it is mostly the webcam stuff...
That sounds exciting enough, maybe changing some settings can improve the low-light performance? I'll cross my fingers for what you smart guys can figure out (I'm just a user, most of this stuff is way over my head). EDIT: I just realized I am commenting on a 2-month old statement!

I second this opinion. As I know from another thread, the camera chip is OV7670. I don't believe that the video brightness is so poor with this chip as it is common used in PC camera and said to be high perf for low-light.

I have dug out the OV7670 datasheet with complete settings guidelines.

Can any more latest investigation findings of the camera control be advertised so that we may find a way to figur out the bug for Woewee? (If it is really due to software bug.... )

RovioBrighter - brighter your Rovio!

March 7, 2010 10:53 AM

Got the exact same issue.. even the updater does not recognise the Rovio. IT just died and I have spent 15 minutes on pushing the powerbuton.


May 14, 2010 10:59 PM

I just got a Rovio from the last Woot BOC....and it has the "no boot" problem too. The blue LEDs light up, but that's it. It's not recognized as a USB device on my XP PC at all. Can anyone help? Thanks in advance.

June 17, 2010 11:37 AM

Hello sorry for my bad English, I ask them what type of memory the program is recorded Rovio, eprom, the microprocessor, excuse my ignorance but I need to know the location of the program that recorded the robot

I would appreciate your help thanks

Discussion:    Add a Comment | Back to Top | Comments 1-15 of 15 | Latest Comment

Add Your Reply

(will not be displayed)

Email me when comments are added to this thread


Please log in or register to participate in this community!

Log In


Not a member? Sign up!

Did you forget your password?

You can also log in using OpenID.

close this window
close this window