--- Log opened Tue Nov 16 00:01:52 2010
00:01 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
00:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
03:54 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 264 seconds]
03:59 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:40 -!- [Saint] [S_a_i_n_t@203.184.0.163] has quit [Quit: I'm only going to Heaven if it tastes like caramel...]
05:46 -!- S_a_i_n_t [S_a_i_n_t@203.184.4.111] has joined #freemyipod
05:54 -!- johngreek [~johngreek@ppp-94-66-253-97.home.otenet.gr] has joined #freemyipod
06:02 -!- johngreek [~johngreek@ppp-94-66-253-97.home.otenet.gr] has quit [Quit: johngreek]
06:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
06:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
06:30 -!- n1s [~n1s@nl118-174-240.student.uu.se] has joined #freemyipod
06:30 -!- n1s [~n1s@nl118-174-240.student.uu.se] has quit [Changing host]
06:30 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
06:52 -!- MrShlee [~Default@182-239-155-187.ip.adam.com.au] has joined #freemyipod
06:58 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
08:19 -!- Jiss [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
08:20 -!- MrShlee [~Default@182-239-155-187.ip.adam.com.au] has quit [Ping timeout: 276 seconds]
08:32 -!- perror [~fleury@aldebaran.labri.fr] has joined #freemyipod
08:36 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has quit [Ping timeout: 272 seconds]
09:18 -!- timccc [~timccc@112.166.15.141] has quit [Ping timeout: 240 seconds]
09:32 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
09:55 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 265 seconds]
10:44 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
11:59 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has joined #freemyipod
12:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
12:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
12:06 -!- S_a_i_n_t [S_a_i_n_t@203.184.4.111] has quit [Ping timeout: 255 seconds]
12:10 -!- S_a_i_n_t [S_a_i_n_t@203.184.0.7] has joined #freemyipod
12:38 -!- Jiss [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Quit: Quit]
13:12 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
13:15 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
13:48 < TheSeven> benedikt93: now that i have an ipod classic, i'll try to dump the nor flash, decrypt it, and probably port embios :)
13:48 < benedikt93> do you have the full set of nor code from the N3G?
13:49 < TheSeven> nope
13:49 < benedikt93> as the bootroms are the same, the code should actually work
13:49 < TheSeven> yes, of course
13:49 < TheSeven> do you have a standalone tool, or is it still using parts of the rom?
13:50 * benedikt93 puts together that stuff
13:50 < benedikt93> it calls into bootrom
13:50 < TheSeven> ok, then that's basically what serpilliere gave me?
13:51 < benedikt93> almost
13:52 < benedikt93> there's some check of a gpio in bootrom which distinguishes between the SPIs used
13:52 < benedikt93> serpilliere had left that out IIRC
13:58 < benedikt93> I think I didn't change the decrypting code, though
14:00 * TheSeven would like to get rid of that and rewrite the SPI code
14:00 < TheSeven> that can't be too hard
14:01 < TheSeven> seems to be a total of like 8 subroutines, of which at least 3 are rather trivial (waiting for a bit to get set etc.)
14:01 < benedikt93> the SPI code is relatively easy, from what I can tell, but I did only look briefly at this
14:03 * benedikt93 is going to figure out what's wrong with his sdram init code now
14:08 < benedikt93> TheSeven, can ibugger call thumb code or only arm?
14:10 -!- opnet [~opnet@wnklmb01dc1-214-9.dynamic.mts.net] has joined #freemyipod
14:14 < opnet> are you guys looking at the nano 6g yet?
14:14 < opnet> I have one and would love to help out
14:14 < opnet> I can't talk right now but I'll bbl
14:15 < benedikt93> no one works on it as of now, and no way has been found yet to execute unsigned code on it
14:15 < benedikt93> though some of the iphone exploits *could* work
14:16 < benedikt93> also, the main devs here do afaik not own a nano6g (and some even dislike the "ipad shuffle" ...)
14:19 < benedikt93> TheSeven, nvm it can't as I had to experience..
14:23 -!- MrShlee [~Default@182-239-155-187.ip.adam.com.au] has joined #freemyipod
14:27 < TheSeven> it can probably only call ARM directly, but you can of course write a little wrapper that jumps into the thumb code
14:27 < TheSeven> what would you need thumb for anyway?
14:30 < benedikt93> for nothing, but the makefile forced thumb code which was one reason why it didn't return
14:31 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
14:47 < timccc> it'll be good to see work on the ipod classic :D
14:57 < MrShlee> I will donate $100US once classic is supported.
15:00 < MrShlee> I'm sure others would join me.
15:05 < TheSeven> benedikt93: that's because space was quite tight for the ftl stub, just remove it
15:06 < benedikt93> It seems to work now, but when I try to write to the sdram and read from it again, the result doesn't equal what I've written there :/
15:08 < TheSeven> IIRC you were calling three norboot functions?
15:08 < TheSeven> have you tried doing one part yourself and letting norboot do the rest?
15:11 < benedikt93> now I have everything rewritten
15:12 < benedikt93> I just disassembled what I compiled and am checking it against peicore
15:16 -!- S_a_i_n_t [S_a_i_n_t@203.184.0.7] has quit [Ping timeout: 255 seconds]
15:30 < benedikt93> memory controller init fail .. actually my fail ..
15:30 < benedikt93> should I commit the i2c/pmu/timer stuff?
15:34 < TheSeven> benedikt93: does that mean that you found the bug?
15:35 < TheSeven> and where do you want to commit what to?
15:35 < benedikt93> yep, a missing "~" and a "!"
15:35 < benedikt93> a new "ipodnano3g" folder in embios/target probably
15:36 < benedikt93> what does embiosloader actually do?
15:36 < benedikt93> does it only set up some basic hw or is it kind of ibugger-like?
15:38 -!- S_a_i_n_t [S_a_i_n_t@203.184.0.76] has joined #freemyipod
15:43 < TheSeven> both
15:44 < TheSeven> it's initializing everything up to the SDRAM, PMU and LCD, and provides a recovery mode option (that's ibugger-like) on nano2g
15:44 < TheSeven> on the 3g and later we won't need that recovery mode because we have DFU
15:46 < TheSeven> IIUC interrupt.c, i2c.c, timer.c and probably lcd.S should be very similar to the nano4g
15:49 < TheSeven> oh, and clockgate.c
15:53 * TheSeven decides to go home now
16:05 -!- MrShlee [~Default@182-239-155-187.ip.adam.com.au] has quit [Quit: Leaving]
16:15 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 255 seconds]
17:29 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
18:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
18:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
18:03 -!- Jiss [Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
18:48 < TheSeven> benedikt93: OK, i think i've understood how the bootrom's SPI flash reading code works
19:15 < opnet> what do you guys use for tools to find this stuff out?
19:23 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has quit []
19:27 < opnet> alright, I'm going to try my hand at this
19:27 < opnet> I'm not really sure what I'm doing so I'm just going to use dd to pull all the data off of the ipod
19:28 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
19:31 < TheSeven> opnet: that won't help anyone, as apple isn't exposing the firmware partition any more since the nano3g
19:31 < TheSeven> i'm currently digging through a dumped bootrom image using ida pro
19:33 < opnet> hmm, alright. going to download and try that out
19:34 < opnet> should I get 4.9 or 5.7?
19:38 -!- perror [~fleury@aldebaran.labri.fr] has quit [Quit: Bye all !]
19:46 < TheSeven> first of all you'll need a bootrom dump, and to acquire that, you probably need an exploit
19:46 < TheSeven> chicken'n'egg problem
19:53 < opnet> hrm, alright
19:54 < opnet> how did you find your exploit?
19:54 < opnet> and how would you utilize it?
19:55 < benedikt93> TheSeven, do you have an idea why peicore would wait each time it changes an i2c reg for some other i2c reg to become zero again? and what kind of register that could be?
19:56 < TheSeven> i2c reg in terms of i2c core apb register or i2c device register?
19:56 < TheSeven> which spi port is the boot flash connected to?
19:56 < TheSeven> (it's determined at runtime by some gpio)
19:57 < benedikt93> check serpilliere's code, he did replace the check by a value
19:58 < benedikt93> but I'd leave the check in as there could be differences between hw revisions or N3G and the classics
19:58 < benedikt93> i2c regs in the core (what does apb mean?)
20:08 < TheSeven> advanced peripheral bus
20:08 < TheSeven> which reg and bit is being checked?
20:10 < benedikt93> the complete reg at IICCON + 0x10 for being zero
20:17 < TheSeven> that's some multi-master arbitration thing that's probably completely unnecessary here
20:18 < TheSeven> see S3C6400X_UserManual_rev1-0_2008-02_661558um.pdf, page 1011
20:22 < benedikt93> I just checked, it works without
20:23 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
20:30 < benedikt93> though i suspect that it's what that datasheet says, at least I wouldn't know what it checks for then
20:37 < Farthen> opnet: our notes exploit was found by just trial and error while looking for some buffer overflows in various parts in the apple firmware
20:39 < benedikt93> basically, to find exploits, you provide a device at its data inputs with malformed data
20:40 < benedikt93> when this causes the device to behave differently than usual (eg crash or freeze), that would be a possible bug in the firmware that could be used
20:41 < Farthen> but this alone does not help much. you need to understand exactly what the device is doing with your input to utilize it to your benefit
20:42 < Farthen> or have really lots of luck
20:43 < benedikt93> though there's also the chance that eg limera1n would work on the nano 6g
20:46 < Farthen> yeah, someone needs to try it sometime
20:47 < benedikt93> though I haven't yet seen some complete description of it
20:47 < Farthen> as the nano 6g is probably not using iOS (would be a waste of resources anyway to run a full unix on it) we can't use any high level exploits for the touch/iphone/ipad
20:48 < Farthen> i'm wondering if the kernel is still the same as on the older ipods
20:48 < benedikt93> but wasn't limera1n in both bootrom and iBoot?
20:51 < Farthen> yeah, limera1n is using two exploits. one in userland to run the code and one to be able to load every boot
20:52 < Farthen> but the exploit is not described in any way (at least not on the exploit page on the iphone wiki)
20:54 < Farthen> the problem here is that those jailbreak teams are working pretty much undercover and try to release as little information as possible to force apple to reverse engineer their exploits themselves, giving them at least some days :)
20:56 < benedikt93> what the **** ????
20:57 < Farthen> at least i don't really see any exploit information for the latest exploits
20:57 < benedikt93> is it possible that the pmu doesn't even need to be set up for the sdram to be powered up??
20:57 < Farthen> well, depends on how the pmu is left behind when your exploit is run
20:58 * benedikt93 provided it all the time with garbage data and it still worked
20:58 < benedikt93> it's run through dfu
20:58 < TheSeven> i'd expect it to be powered down then
20:58 < TheSeven> but we don't know anything for sure on this platform :)
20:59 < Farthen> try some different garbage data. maybe you were just lucky finding the right garbage? xD
20:59 < benedikt93> that would be pretty weird
21:00 < benedikt93> I always sent (device << 1) as device internal address
21:00 < benedikt93> due to a copy&paste error
21:00 < TheSeven> hm
21:00 * TheSeven wonders what he's doing wrong with SPI
21:00 < TheSeven> the bootrom code appears to work, but mine doesn't
21:00 < benedikt93> TheSeven, probably it isn't shut down properly when resetting the ipod
21:00 < TheSeven> depends on the way it is reset
21:01 < TheSeven> menu+select usually also resets the PMU, or at least parts of it
21:01 -!- user890104 [Venci@Venci-Notebook-WLAN.ipv6.6bez10.info] has joined #freemyipod
21:01 < benedikt93> I've no clue how the reset is implemented, so everything is possible
21:04 < Farthen> IIRC the reset was a watchdog reset resetting at least the arm core and i think the most part of the SoC if not all
21:07 < benedikt93> TheSeven, what is this "yield()" function called for?
21:07 < TheSeven> this is basically a sleep(0);
21:07 < TheSeven> it passes control to a different thread in case one is waiting, but doesn't block the current thread
21:08 < TheSeven> i.e. "allow other things to use the cpu while we're only waiting anyway"
21:08 < benedikt93> ok
21:09 < benedikt93> the i2c code was even more screwed up than I thought :/
21:16 < TheSeven> why are you rewriting this at all?
21:17 * TheSeven doesn't manage to rewrite sub_20008F90
21:19 < TheSeven> IMO this boils down to http://pastie.org/1303756
21:19 < benedikt93> I rewrote in c what I found in peicore and when putting this into the embios-compliant versions I compared with what there is for N4G
21:19 < TheSeven> in theory you should be able to just rip out rockbox's driver for the nano2g and use that for the init code
21:20 < TheSeven> rockbox is currently using a busy waiting variant, because the IRQ-driven one was acting up
21:33 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
21:44 * TheSeven just figured out that apple's SPI code is probably only working because of a lot of luck regarding timing :)
21:46 < opnet> Farthen: I know how exploits work as far as software goes, just not when it comes to hw
21:50 < TheSeven> opnet: we first need a good software exploit before we can do anything about the hardware
21:57 < opnet> alright
21:58 < opnet> I'll start googling
21:58 < opnet> you need the firmware to find the exploit, but how would you do that?
22:02 < opnet> http://theiphonewiki.com/wiki/index.php?title=Talk:Firmware
22:03 < opnet> "I wouldn't add the recovery IPSWs on this page... maybe they could have its own page, though. The "1.0" firmware that you linked to is definitely not for the iPod touch 1G; it's not set up like an IPSW that contains/uses iOS (there are only three files inside of it, one of which references "N20", not "N45"), and the URL has a reference to the date September 7, 2010. I believe the URL is for the iPod nano 6G's firmware. --Dialexio 15:3
22:03 < opnet> 3, 29 October 2010 (UTC)"
22:03 < opnet> mainly pointing out the nano 6g comment
22:03 < opnet> definitely could've shortened that :p
22:13 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 240 seconds]
22:15 < TheSeven> opnet: you can't do much with the firmware, it's encrypted.
22:15 < TheSeven> chick'n'egg.
22:15 < TheSeven> but if you want to have a look nevertheless, check out this site: http://www.trejan.com/projects/ipod/phobos.html
22:17 < opnet> alright
22:18 < opnet> N20.bootloader.release.rb3
22:18 < opnet> what would that be?
22:18 < TheSeven> the second stage bootloader (sometimes referred to as norboot or llb)
22:19 < opnet> ok, cool
22:19 < TheSeven> this might be one of the very few unencrypted parts, did you have a look?
22:19 < opnet> at the file or the site?
22:19 < TheSeven> at the file
22:19 < TheSeven> you could also grab a WTF or disk mode dfu image, those were unencrypted for some ipod touches at least
22:20 < opnet> how would you so that?
22:20 < TheSeven> s/so/see/?
22:20 < opnet> the file just looks like a binary file, I probably don't know how to open it
22:21 < opnet> do*
22:21 < TheSeven> with a hex editor or disassembler
22:21 < opnet> ah alright
22:21 < TheSeven> is it completely garbage or are there patterns?
22:21 < TheSeven> there's probably a 2KB header
22:21 < opnet> haven't opened it with a hex editor, but I haven't really looked at it
22:22 < opnet> just quickly glanced
22:22 < TheSeven> you could check the entropy of the part after the header
22:22 < TheSeven> if all possible byte values appear roughly the same number of times, it's probably encrypted
22:23 < TheSeven> if there are spikes, and lots of 0xE? values at (x mod 4) == 3 offsets, it's ARM executable code
22:23 < TheSeven> thumb can't be detected that easily
22:24 < TheSeven> however you can still distinguish it from encrypted data based on the entropy
22:24 < TheSeven> also, the very first four bytes would be interesting to know
22:24 * TheSeven guesses "8740" :)
22:24 < TheSeven> (the nano5g was an S5L8730)
22:25 < opnet> I'm not really sure what I'm doing here so I'll just paste the first line from vi
22:25 < opnet> 0000000: 3837 3233 322e 3003 0000 0000 003b 0200 87232.0......;..
22:28 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
22:39 < TheSeven> oh, interesting numbering
22:39 < TheSeven> so the nano6g is an S5L8723 apparently
22:39 < opnet> what does that mean?
22:40 < TheSeven> not much at all
22:40 < opnet> oh ..
22:40 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 255 seconds]
22:40 < TheSeven> if we also find that e.g. on the iphone5, it would point to the fact that they are using the same processor, which might mean they have the same bugs :)
22:41 < opnet> hrm, alright
22:41 < opnet> can't you find out what processor it's using by looking at the insides?
22:41 < Farthen> what's the iphone 4 arm core?
22:41 < TheSeven> IIRC an S5L89xx
22:42 < TheSeven> and it contains some cortex a-series CPU
22:42 < Farthen> i think it's a cortex a8 but i might be wrong
22:43 < Farthen> but it isn't important anyway
22:44 < opnet> if it's not encrypted what can I do with it?
22:44 < Farthen> you can disassemble it
22:44 < opnet> oooh
22:44 < Farthen> but you need to know arm assembly pretty well to understand the disassembly
22:44 < Farthen> this is where i fail btw xD
22:46 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
22:47 < opnet> heh
22:47 < opnet> alright, time to go to work
22:47 < opnet> bbl
22:47 * Farthen goes to sleep rather than to work
22:48 < opnet> opnet@bitdumpster:~/extract2g$ objdump -x N20.bootloader.release.rb3
22:48 < opnet> objdump: N20.bootloader.release.rb3: File format not recognized
22:49 < opnet> insert yerdoinitwrong here
22:49 < Farthen> objdump won't really get you very far i think
22:50 < Farthen> you might be able to extract the code but anything apart from that will be very hard
23:40 * TheSeven just dumped his classic's NOR flash without relying on the bootrom :)
--- Log closed Wed Nov 17 00:02:28 2010