--- Log opened Mon Nov 29 00:03:06 2010
00:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
00:05 -!- nls [~n1s@nl118-174-240.student.uu.se] has quit [Quit: Leaving]
01:12 -!- Jiss__ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Read error: Connection reset by peer]
01:12 -!- Jiss__ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
02:25 -!- Jiss__ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Read error: Connection reset by peer]
02:25 -!- Jiss__ [Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
02:32 -!- Jiss__ [Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Read error: Connection reset by peer]
02:32 -!- Jiss__ [Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
02:54 -!- AriX [~Ari@c-76-99-118-183.hsd1.pa.comcast.net] has quit [Remote host closed the connection]
03:20 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 276 seconds]
03:23 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
04:03 -!- Jiss__ [Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Quit: Quit]
06:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
06:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
06:30 -!- yuriks [~yuriks@opentyrian/developer/yuriks] has joined #freemyipod
07:57 < yuriks> is there anything that needs to be done for the ipod 3g atm?
07:57 < yuriks> testing or programming wise
07:57 < yuriks> (I'm not sure how useful I am at reverse engineering, probably not at all)
07:57 < yuriks> nano 3g*
09:15 * teuf finds back his ipod cable
09:15 < teuf> TheSeven: I'll be able to run these tests tonight
09:25 < yuriks> so, how do you load code on n3g's right now?
09:25 < yuriks> I saw some unfinished iBugger stuff in the wiki but I'm not sure that's the most up to date exploit
09:36 < TheSeven> it is
09:37 < TheSeven> there's not much more than that for the nano3g yet
09:37 < yuriks> hmm
09:37 < yuriks> what do I need to try it?
09:38 < yuriks> (I'm setting up my linux vm atm)
09:38 < TheSeven> you don't even really need linux, i'm doing most of the work on windows
09:38 < yuriks> hm, I thought libusb required linux
09:38 < TheSeven> no, there's a windows version of it
09:39 < yuriks> oh
09:39 < yuriks> well, I'm sure linux will come in handy at a point so I'll keep it around anyway
09:39 < TheSeven> there's that driver signing trouble on windows 7 though, so you might need a BCD change to make the kernel accept unsigned drivers
09:39 < yuriks> oh, I'm in test mode already
09:39 < yuriks> so I just need to test sign drivers
09:40 < TheSeven> http://files.freemyipod.org/misc/windows_driver.zip
09:41 < TheSeven> then you'll probably want to check out a working copy of our svn
09:41 < TheSeven> and you'll need python (at least 2.6, i'm not sure if 3.x works), and pyusb 1.0.0alpha
09:42 < TheSeven> http://sourceforge.net/projects/pyusb/files/PyUSB 1.0/1.0.0-alpha-0/pyusb-1.0.0-a0.zip/download
09:42 < yuriks> is that libusb 1.0 or 0.1?
09:42 < TheSeven> a fixed version of 0.1 IIRC
09:43 < TheSeven> alternatively you can try setting up with libusb1.0 or even winusb, but at least winusb didn't work quite right for me yet
09:43 < TheSeven> if someone figures out how we can use winusb directly without any crazy hacks, that would be cool :)
09:43 < yuriks> I'll wait until I get things working
09:44 < TheSeven> winusb would have the advantage that it won't have driver signing problems :)
09:46 < yuriks> how do I install the libusb drivers?
09:46 < yuriks> erm
09:46 < yuriks> nvm
09:47 < yuriks> if I got this right... plug in the ipod and manually override its drivers in the device manager?
09:48 < TheSeven> yes
09:49 < TheSeven> if you already have drivers installed for it (itunes), you might also just use the libusb1.0 filter driver manager instead of the driver i provide
09:49 < yuriks> I don't have itunes installed, will that interfere with anything?
09:49 < yuriks> ah ok
09:49 < TheSeven> it will mean that you probably don't have drivers installed anyway
09:49 < yuriks> I use it as a mass storage device fine
09:49 < yuriks> win7 has drivers for it I guess
09:50 < yuriks> dunno if you need any other usb service though
09:50 < TheSeven> only for the mass storage device
09:50 < TheSeven> the exploit attacks dfu mode, so that won't interfere
09:50 < yuriks> hmm, are they called 'services' in usb? or... no, devices under a composite device, that's right
09:51 < TheSeven> to enter dfu mode, press and hold menu+select for between 10 and 15 seconds with USB connected (it will reset a second time and then stay dark)
09:51 < yuriks> installing driver software...
09:52 < yuriks> hmm, didn't know about this double reset before
09:52 < yuriks> that must've been why another one I was trying to diag (dead battery) died sometimes when I held it for too long =P
09:54 < yuriks> iPod Classic/Nano 3G Bootrom DFU
09:54 < yuriks> so that worked without signing anything I guess
09:54 < TheSeven> yep
09:55 < yuriks> uploaded that binary you sent me before
09:55 < yuriks> it detected another device
09:55 < yuriks> oh, unified ibugger
09:55 < yuriks> nice =)
09:56 < TheSeven> now you have full access to the hardware :)
09:56 < yuriks> what do I use to interface with the debugger?
09:56 < TheSeven> ibugger.py
09:56 < yuriks> is that on the svn?
09:57 < TheSeven> nope :)
09:57 < yuriks> oh, you card :)
09:57 < yuriks> http://www.freemyipod.org//data/theseven/releases
09:57 < yuriks> hmm, so, 404
09:57 < TheSeven> http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z
09:58 < TheSeven> that's where all the old tools are :)
09:58 < yuriks> you should really leave some of these things accessible =P
09:58 < TheSeven> the link above broke when we moved to the new domain
09:59 < yuriks> aww, I can't even turn on the backlight :V
10:00 < yuriks> time to read up a bunch I guess
10:18 < yuriks> O_o, I can't put it into DFU mode anymore
10:18 < yuriks> it just boots to the apple os
10:20 < yuriks> oh, I have to release the buttons after a while =P
10:20 < TheSeven> yes, more than 15 seconds won't work
10:20 < TheSeven> it needs to be in the 10-15 range
10:20 < TheSeven> basically the only things that work in that ibugger are upload/download/execute
10:21 < TheSeven> and you only have 224KB of RAM so far
10:22 < yuriks> I'm trying to figure out how to write code to make it reset for now
10:22 < TheSeven> (only the on-chip ram of the processor, the big SDRAM isn't initialized yet)
10:23 < TheSeven> *((uint32_t volatile*)0x3c800000) = 0x100000; IIRC
10:23 * yuriks needs to get an arm assembler
10:23 * TheSeven uses the yagarto toolchain
10:25 < yuriks> >SAMSUNG CONFIDENTIAL
10:25 < yuriks> 'oops'
10:26 < yuriks> oh, the lcd interface is integrated right into the SoC, that's good, I thought you had to poke around until you found the magic addresses for the display controller
10:27 < TheSeven> which datasheet are you looking at? s5l8700?
10:27 < yuriks> yeah
10:27 < yuriks> how different is it from the apple chip?
10:28 < TheSeven> that's not a hundred percent accurate for those SoCs, but all those apple chips share lots of things
10:28 < TheSeven> usually they use the s5l8700 as a starting point and improve it a bit :)
10:28 < TheSeven> some things are also similar to the s3c6400
10:28 < TheSeven> but we know for example the LCD controller pretty well by now
10:29 < yuriks> I was looking for the memory map, actually
10:29 < TheSeven> what's holding us back from using it is that we neither know how to power it on (no datasheet for the power management unit) nor how to initialize that particular LCD
10:29 < yuriks> hmm
10:30 < TheSeven> the ahb/apb peripheral addresses in the s5l8700 datasheet are sadly off quite a bit
10:30 < yuriks> damned confidential manuals
10:30 < TheSeven> http://code.google.com/p/chronicdev/wiki/N72APDevTree and http://theiphonewiki.com/wiki/index.php?title=S5L8720_%28Hardware sometimes provide better information
10:30 < gevaerts> There's a version somewhere that has the "confidential" edited out :)
10:30 < yuriks> haha
10:31 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 255 seconds]
10:34 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
10:36 * yuriks needs to brush up on his arm...
11:19 < yuriks> gah, doesn't gas have a simple 'raw binary' output format? <_<
11:22 < TheSeven> no, you need to objcopy
11:23 < yuriks> that's dumb
11:23 < yuriks> but I guess that's gcc for you
11:28 < yuriks> TheSeven: yay, I managed to reboot it xD
11:30 < TheSeven> how did you upload your code?
11:30 < yuriks> upload 0x22000000 ..\..\binary.bin
11:31 < yuriks> execute 0x22000000 0x0
11:31 < TheSeven> oh, that was luck :)
11:31 < yuriks> D=
11:31 < TheSeven> you may use the 0x22008000 - 0x22020000 memory range
11:31 < TheSeven> the memory below that is used by ibugger
11:31 < yuriks> oh, figured
11:31 < yuriks> but since I'm rebooting anyway...
11:32 < TheSeven> oh wait, that's an 8702, so you can use 0x22008000-0x2203ffff
11:32 < TheSeven> and IIRC there's also some small chunk at the beginning of ram, 0x22000000-0x22001fff or something, that's probably why it worked
11:33 < yuriks> hmm
11:33 < TheSeven> if you only use 0x22008000 upward, you're on the safe side :)
11:34 < yuriks> so this memory map is completely bonkers xD
11:34 < TheSeven> yep
11:34 < TheSeven> as long as we don't have SDRAM, things are a bit funny
11:34 < yuriks> the s5l8700 datasheet says internal sram starts on 0x22000000 so I thought I would try there
11:35 < yuriks> I wasn't really expecting it to work
11:35 < TheSeven> usually we use 0x08000000 to 0x09efffff for userspace things and 0x22000000-0x22003fff and 0x09f00000-0x09ffffff for the kernel
11:35 < TheSeven> those parts of the datasheet are actually correct
11:37 < yuriks> so sdram is from 0x0800 0000 to 0x1fff ffff, assuming all memory modules
11:37 < TheSeven> there's only 32MB present on the nano3g, wrapping a single time
11:38 < yuriks> and internal sram is from 0x2200 0000 to 0x2203 FFFF
11:38 < TheSeven> 0x08000000-0x09ffffff and 0x0a000000-0x0bffffff end up accessing the same 32MB of SDRAM
11:38 < yuriks> mhmm
11:38 < TheSeven> the addresses above 0x0c000000 read zeroes IIRC
11:39 < yuriks> 0x09f00000-0x09ffffff
11:39 < yuriks> hmm, is that ram too?
11:39 < TheSeven> yes, that's the last megabyte of SDRAM
11:39 < yuriks> according to the mmap it's right in sdram
11:39 < yuriks> oh yeah yeah, nvm
11:40 < yuriks> I was associating kernel == sram, for some reason =P
11:40 < yuriks> no external sram, I take?
11:40 < TheSeven> yep
11:40 < yuriks> well, this is a better start than I was hoping for
11:40 < TheSeven> the boot flash is connected through SPI
11:41 < yuriks> now for the fun part, poking random bus addresses in search of devices
11:41 < yuriks> I feel like documenting this on the wiki
11:41 < TheSeven> reading disassemblies of the code accessing them is usually the easier way :)
11:41 < yuriks> oh, I guess
11:41 < TheSeven> feel free to do so, i'm usually too lazy :)
11:41 < yuriks> my IDA-fu is weak
11:42 < yuriks> but you have a point
11:42 < yuriks> in an ideal world we would just have nice datasheets but where's the fun in that
11:42 < TheSeven> yep
11:46 < yuriks> I should probably sleep a bit <_< I haven't slept in 26 hours
11:50 * TheSeven wonders why one starts dealing with such stuff when one hasn't slept for 21 hours :)
11:51 < yuriks> :) indeed
11:52 < yuriks> ack, the wiki editor removes all newlines from the textbox every time I paste something
11:52 < TheSeven> the wiki wysiwyg editor is full of bugs
11:52 < TheSeven> copy&paste is a bad idea if you try to use it :)
11:55 -!- aissen__ is now known as aissen
11:55 -!- aissen [~aissen@10.174.62.62.9lyon1-0-ro-bas-1.9tel.net] has quit [Changing host]
11:55 -!- aissen [~aissen@unaffiliated/aissen] has joined #freemyipod
12:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
12:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
12:03 < yuriks> http://www.freemyipod.org/wiki/Nano_3G/Memory_Map
12:03 < yuriks> I'll add as I learn, I guess <_<
12:11 < TheSeven> you can add the bootrom, 0xc800 bytes at 0x20000000
12:12 < TheSeven> and usually there's a mirror of the SRAM mapped to 0x00000000
12:12 < TheSeven> and most of this (everything besides the SRAM and SDRAM sizes) is applicable to all devices we're working on
12:12 < yuriks> oh, I wasn't sure if the layout was the same
12:13 < TheSeven> s5l8701 has 176KB SRAM, s5l8702 has 256KB, s5l8720 has 192KB
12:13 < yuriks> devices change though, don
12:13 < yuriks> don't they?* so if I add that later...
12:13 < TheSeven> and everything besides the ipod classic has 32MB of SDRAM being wrapped one time, the ipod classic has 64MB
12:20 < yuriks> boot rom is encrypted, right?
12:21 < TheSeven> nope
12:21 < yuriks> oh, duh
12:21 < yuriks> how would it be executed then =P
12:22 < TheSeven> everything else is encrypted, but the bootrom can't be for obvious reason :)
12:22 < TheSeven> reasons*
12:23 < yuriks> so, on the datasheet there are 4 remapping modes, and they change what's mapped onto 0x0000 0000 to 0x07FF FFFF
12:23 < yuriks> which one is the 3g set as?
12:23 < yuriks> or does it start as boot rom and then change it to sram?
12:27 < TheSeven> i don't think this part of the datasheet is applicable
12:27 < TheSeven> as far as i understand, the bootrom is mapped during boot and afterwards the sram
12:27 < TheSeven> but they are handling that through the MMU
12:28 < yuriks> starting the processor with the rom mapped on an address and then replacing that with something else and not letting you change it back is a quite common way of protecting the rom
12:28 < TheSeven> they let you change it back
12:28 < yuriks> but since the rom is mapped up there it isn't the case here
12:29 < yuriks> well, I'll leave it blank
12:29 < yuriks> what's the OTG?
12:31 < TheSeven> usb on-the-go
12:32 < yuriks> isn't that the usb host for gadgets thing?
12:32 < TheSeven> it's basically bidirectional usb
12:32 < yuriks> hmm
12:32 < TheSeven> you can connect multiple otg-capable gadgets with each other and they'll negotiate on who's the host
12:40 < yuriks> http://code.google.com/p/chronicdev/wiki/N72APDevTree
12:40 < yuriks> where did this info come from?
12:49 < yuriks> TheSeven: I ran iBugger core and the usb went nuts
12:49 < yuriks> is that normal?
12:50 < TheSeven> this info comes from the ipod touch 2g, which uses an s5l8720 soc
12:50 < TheSeven> and ibugger core won't work yet
12:50 < yuriks> oh
12:50 < yuriks> but I mean, how was it gathered?
12:57 < yuriks> you think that messing around with the gpio could damage the hardware? <_<
12:58 < TheSeven> i wouldn't switch input bits to output at least
12:58 < TheSeven> and the devtree info was gathered from some structure that the darwin kernel on the ipod touch uses
12:58 < yuriks> oh
12:58 < yuriks> well, I figure all pins will come preset to a 'neutered' state
13:05 -!- Jiss [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
13:06 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has quit [Ping timeout: 272 seconds]
13:08 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
13:16 < yuriks> well, I'm calling it a day
13:16 < yuriks> gonna get some sleep
13:16 < yuriks> thanks for the attention so far =)
13:21 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has joined #freemyipod
13:55 -!- timccc [~timccc@112.166.15.141] has quit [Ping timeout: 265 seconds]
14:14 -!- MrShlee [~Default@219.90.187.210] has joined #freemyipod
14:15 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
15:07 < aissen> hello :-)
15:07 < aissen> yuriks: you're working on supporting nano 3G ?
15:14 -!- perror [~fleury@aldebaran.labri.fr] has joined #freemyipod
15:25 * benedikt93 is slowly understanding how that efi calling/allocation crap works
15:40 -!- Jiss_ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
15:40 -!- Jiss_ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Read error: Connection reset by peer]
15:41 -!- Jiss_ [Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
15:42 -!- Jiss [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Ping timeout: 240 seconds]
15:48 -!- Jiss__ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
15:52 -!- Jiss_ [Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Ping timeout: 276 seconds]
15:54 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
16:09 -!- MrShlee [~Default@219.90.187.210] has quit [Quit: Leaving]
18:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
18:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
18:33 -!- perror [~fleury@aldebaran.labri.fr] has quit [Quit: Bye all !]
19:09 -!- Dreamxtreme [~Dre@92.30.25.205] has quit [Ping timeout: 260 seconds]
19:23 -!- Dreamxtreme [~Dre@92.30.239.250] has joined #freemyipod
19:33 < teuf> TheSeven: 00000000 0c 00 00 00 |....|
19:33 < teuf> when I get data.bin as you asked me to do yesterday
19:34 < TheSeven> oops
19:34 < TheSeven> the file you send should be 0x01 0x11 0x00 0x11
19:34 < TheSeven> (reversed)
19:36 < teuf> ok
19:41 < teuf> TheSeven: I got all 0
19:42 < TheSeven> hm
19:42 < teuf> I tried it twice
19:42 < TheSeven> so that's also an ata drive, not ce-ata
19:50 < teuf> ok
21:50 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Quit: Leaving]
21:54 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
22:24 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
--- Log closed Tue Nov 30 00:02:48 2010