(potential starting places if someone wants to hack this device)
Using the Rovio USB connection, there are two USB devices, that are mutually exclusive (both vendor ID 0x0416)
Product ID 0x7021 - A serial connection (identifies as a virtual COM port). I don't know if this is used, but it could be a useful debug com port.
Product ID 0x7020 - a 2MB disk, using a non standard file system (ie. RAW). More details below.
I haven't figured the details which device is selected. It may depend on the order it is connected (turn on Rovio, wait for light on, plug in cable - or plug in cable first ???)
The 2MB disk appears to be mostly-direct image of the flash ROM in the Rovio. The first 1MB appears to be valid. The second 1MB appears to be blank (0xFF, or it may not exist)
The way I capture it (raw disk copy using MacOSX) gives a 16byte header.
After the header, the next part (830KB currently) is *exactly* the same as the firmware update .bin (see below)
After that, there are a few additional spaces used, but it is mostly blank (0xFF)
Starting at 0xFD800 are the user settings. These include your WEP settings, account names, passwords etc.
The Rovio setup program must set these values before the WiFi connection will work.
I don't know if the setup program writes to these locations directly, or uses another method for access. I haven't tried writing to the 2MB disk (that's dangerous)
re: Firmware update format
The firmware update .bin is relatively straight forward. It is a direct ARM image. There is no encryption. Some parts of the .bin file (especially the data 'files') are "Gzip" compressed. After the ARM code (easy to disassemble with IdaPro or other tools), there is a directory of data 'files' mid-way in the big .bin file, and the data 'file' data at the end (usually compressed, eg: 'rovio.js.gz')
Exact details to be worked out (if anyone cares ;-), and to see if a custom firmware .bin could be created. It doesn't look like there are major roadblocks.
Known firmware versions: (for your disassembling pleasure ;-)
(original version - 4.00? - not available on web, but I have a capture)