--- Log opened Sat Oct 02 00:06:04 2010
00:06 -!- fmibot [~fmibot@static.225.178.40.188.clients.your-server.de] has joined #freemyipod
02:22 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 276 seconds]
02:26 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
05:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
07:47 -!- Guest75106 [~tim@112.166.15.141] has quit [Quit: Leaving.]
07:47 -!- timc [~tim@112.166.15.141] has joined #freemyipod
07:47 -!- timc is now known as Guest55869
07:55 -!- Guest55869 [~tim@112.166.15.141] has quit [Quit: Leaving.]
08:09 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
10:56 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
10:59 -!- funman [~fun@rockbox/developer/funman] has joined #freemyipod
11:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
11:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
11:30 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
11:44 -!- benedikt93 is now known as benedikt93|AFK
11:47 -!- funman [~fun@rockbox/developer/funman] has quit [Quit: free(random());]
11:56 -!- benedikt93|AFK is now known as benedikt93
13:44 < benedikt93> hi
13:45 < benedikt93> TheSeven, has there actually been any progress on Nano 3G in the last time I do not know of (I read the logs)?
13:51 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has joined #freemyipod
14:32 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
14:53 < user890104> can someone please apply this: http://pastie.org/1195348
14:53 < user890104> i think it's correct according to the help inside the code
14:55 < Farthen> user890104: no, unfortunately it does not work this way
14:56 < Farthen> applications have a header with their base address written in it. they are not relocatable
14:57 < Farthen> also this needs to be generic and portable to other platforms where the ram might not be at 0x8000000
14:57 < user890104> so it's not that easy as i thought
14:57 < Farthen> for firmwares it is the same thing
14:57 < user890104> i saw that the help says that it's uploading in the beginning of the user memory
14:58 < user890104> but the function requires an address
14:58 < Farthen> well, that is simply outdated and wrong
14:58 < Farthen> i once did that but TheSeven pointed out that it was not the way to go
14:58 < user890104> ok, didn't know that
14:59 < Farthen> i will have some free time in one week, then i will try to fix all kind of things in (lib)embios.py
14:59 < user890104> maybe some variables with addresses which are selected depending on the device connected?
15:00 < user890104> so they are not hard-coded and easy to change
15:07 < TheSeven> user890104: for applications, the address the application should be loaded at is contained in the application header
15:07 < TheSeven> so embios.py can just grab it from there
15:07 < TheSeven> for firmwares, you'll need to specify it, as they're headerless
15:08 < TheSeven> most of them will run from 0x08000000 or even relocate themselves, but not all of them
15:12 < user890104> can we set a default address for firmwares - 0x08000000, and make the address optional parameter so if you don't specify one it will upload in the default
15:12 < user890104> about apps, i don't know so much, thanks both for explaining
15:29 < benedikt93> TheSeven, do you have an idea what might be at address 0x38100000 ?
15:30 < TheSeven> on which platform?
15:30 < benedikt93> Nano 3G, it's in NOR code
15:31 < benedikt93> there are weird things written there
15:31 < TheSeven> in which efi module is it?
15:32 < benedikt93> how do I recognize? there are strings for seccore and preefi in my file, the rest is still encrypted
15:32 < TheSeven> ah, so you didn't run it through xfv3 yet?
15:32 < TheSeven> ok, so it must be peicore or seccore
15:32 < TheSeven> so it's something very low-level
15:33 < TheSeven> which address is it at?
15:33 < benedikt93> did serpilliere manage to decrypt the rest?
15:33 < benedikt93> one moment..
15:33 < TheSeven> it's not encrypted, just compressed
15:33 < benedikt93> 2200E664
15:34 < benedikt93> is this an ida plugin? where can one get it?
15:35 < TheSeven> no, it isn't
15:35 < TheSeven> and it's lying around in my tools tree
15:36 < TheSeven> http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z
15:37 < TheSeven> there is no valid code at the 2200e664 in my dump
15:37 < TheSeven> where did you load full_dec.bin?
15:38 < benedikt93> I loaded my dump (from my ipod on the latest fw), decrypted with serpilliere's tool, at 22000000
15:38 < benedikt93> probably the fw version
15:39 < TheSeven> oh, it was just THUMB
15:39 * TheSeven didn't think of that
15:41 < TheSeven> a wild guess would be that it's the memory controller, which used to be on 0x38200000 on the 2g
15:43 < benedikt93> about xfv3, can this be applied on an ida db?
15:47 < TheSeven> no
15:47 < TheSeven> you need to cut off the first 256 bytes of full_dec.bin and feed the rest to xfv-3
15:48 < benedikt93> damn, so I would lose all my comments
15:48 < TheSeven> you'll probably need to do it on linux or maybe windows xp, win7 doesn't seem to work for an unknown reason
15:49 < TheSeven> this will give you the individual files on the efi volume
15:49 < TheSeven> you'll probably want to import those at some arbitrary addresses into your ida db and figure out the entry points etc. (i have a script for that)
15:50 < TheSeven> this won't change anything with seccore/peicore so your comments can be kept :)
15:50 < TheSeven> you just need the other modules (dxecore and everything loaded by it)
15:52 < benedikt93> is peicore that preefi thing? and do seccore/peicore uncompress the next module and load it?
15:53 < TheSeven> seccore sets up the most basic things to allow peicore to execute (cp15 regs and stacks), it's the part at 0x2201fXXX
15:54 < TheSeven> it then jumps into peicore (pei = pre-efi initialization)
15:54 < TheSeven> that one sets up things like the memory controller, mounts the efi firmware volume somehow, decompresses peicore and runs it
15:54 < TheSeven> it might also set up the internal memory manager
15:54 < TheSeven> decompresses dxecore*
15:55 < TheSeven> dxecore will then load and run the other modules, it's basically the EFI kernel
15:55 < TheSeven> think of peicore as a bootloader and dxecore as a kernel
15:56 -!- timc [~tim@112.166.15.141] has joined #freemyipod
15:56 -!- timc is now known as Guest16524
16:38 < benedikt93> when xfv-3 ends up saying "Not a EFI firmware volume (sig missing)", does this actually mean it finished the file?
17:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
17:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
17:09 < benedikt93> TheSeven, or anyone else who knows enough about ida: how can i import additional code into my ida database? thx
17:10 < TheSeven> if it says "not a firmware volume" after extracting a lot of things, it's just complaining about some trailing garbage
17:10 < TheSeven> file => load file => additional binary file
17:11 < TheSeven> http://pastie.org/1195529
17:12 < TheSeven> this is the IDC script I used to load and analyze the modules
17:12 < TheSeven> you'll probably have to change the contents of the main() function massively
17:12 < TheSeven> the rest shouldn't need to be changed
17:12 < TheSeven> benedikt93: ^
19:54 < thomas_sch> benedikt93: what's the status on nano 3g right now?^^
19:55 < benedikt93> thomas_sch, from my side nothing new, but probably serpilliere or funman might have achieved sthg (-> TheSeven will know)
19:56 < TheSeven> no, sadly I don't know of anything
19:59 < benedikt93> I myself might do something again the next weeks, autumn holidays are approaching :P
20:12 < thomas_sch> a rss feed or anything where you post your progress or anything?^^ or you could start a blog and tell the world (and me) what you guys exactly do^^ I mean do you write asm code and try to run it or search new exploits or try to enhance your code execution capabilities/rights?
20:27 < benedikt93> reverse engineer the iPods => try to read out the code on the iPods (therefore, we need code execution through exploits) and then examine it in order to find out how the iPods work internally as there is no documentation for them
20:35 -!- MrShlee [~Default@219-90-214-141.ip.adam.com.au] has joined #freemyipod
21:12 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
22:24 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
22:28 -!- MrShlee [~Default@219-90-214-141.ip.adam.com.au] has quit [Quit: Leaving]
22:32 -!- user890104_ [Venci@Venci-Notebook-WLAN.ipv6.6bez10.info] has joined #freemyipod
22:33 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has quit [Ping timeout: 272 seconds]
22:46 -!- user890104_ is now known as user890104
23:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
23:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
--- Log closed Sun Oct 03 01:03:13 2010