--- Log opened Tue Nov 30 00:02:49 2010
00:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
00:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
00:18 -!- Jiss__ [~Jiss@abo-199-13-69.bdx.modulonet.fr] has quit [Quit: Quit]
00:41 -!- Dreamxtreme [~Dre@92.30.239.250] has quit [Quit: IRC is just multiplayer notepad]
00:49 -!- Dreamxtreme [~Dre@92.30.239.250] has joined #freemyipod
00:55 -!- Dreamxtreme [~Dre@92.30.239.250] has quit [Quit: Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC.]
00:55 -!- Dreamxtreme [~Dre@92.30.239.250] has joined #freemyipod
01:34 -!- yuriks_ [~yuriks@189.58.188.156] has joined #freemyipod
01:37 -!- yuriks [~yuriks@opentyrian/developer/yuriks] has quit [Ping timeout: 265 seconds]
03:18 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 255 seconds]
03:18 -!- opnet [~opnet-@wnklmb01dc1-196-35.dynamic.mts.net] has joined #freemyipod
03:19 < opnet> just wanted to take this moment to apologize to Farthen
03:19 < opnet> and ask some questions about the flashing process
03:21 < opnet> first of all, when you get the working firmware and all that fancy stuff, how do you go about flashing it to the ipod?
03:22 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
03:22 < opnet> hey TheSeven
03:22 < opnet> maybe you can answer a question of mine
04:29 < yuriks_> aissen: maybe, dunno how much I'll be able to, I'm not very experienced in reverse engineering
06:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
06:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
06:37 < Farthen> opnet: we will care about that later, when we have something running that works enough
06:43 < opnet> I was just wondering how you do it, I wanted to start this kind of stuff and was considering trying to put uClinux on one of those 7" netbooks
06:43 < opnet> and figured I would have to flash it somehow but was unsure of the process/techniques involved
06:52 < opnet> going to bed anyways
06:52 < opnet> night guys
07:51 -!- Daeke [~Daeken@pool-96-246-69-152.nycmny.east.verizon.net] has joined #freemyipod
07:53 -!- Daeken [~Daeken@cpe-66-108-56-142.nyc.res.rr.com] has quit [Ping timeout: 272 seconds]
07:54 < yuriks_> what exactly is in the 50kB boot rom in the mask?
07:55 < yuriks_> diagnostics and disk mode?
07:55 < yuriks_> (as well as the os loader of course)
08:06 -!- mode/#freemyipod [+o TheSeven] by ChanServ
08:07 -!- mode/#freemyipod [+b *!*@wnklmb01dc1-196-35.dynamic.mts.net] by TheSeven
08:07 -!- opnet was kicked from #freemyipod by TheSeven [go away, troll]
08:07 -!- mode/#freemyipod [+b *!~opnet-@*] by TheSeven
08:08 -!- mode/#freemyipod [-o TheSeven] by ChanServ
08:10 < TheSeven> yuriks_: no, just some code that reads the bootloader from the nor flash, decrypts it and runs it, and DFU to allow recovery if the NOR bootloader is bad
08:10 < TheSeven> diskmode, diagmode, ... are in the NOR flash
08:10 < TheSeven> (diskmode is >200KB alone)
08:10 < yuriks_> oh
08:11 < yuriks_> where's that flash? spi?
08:12 < TheSeven> yep
08:12 < yuriks_> huh, the bootrom is written in C++
08:13 < TheSeven> yes, partly c++ (but without actually using any c++ features, as far as i can tell), and partly asm
08:13 < TheSeven> seems like they just compiled their C code with a C++ compiler :)
08:14 < yuriks_> hehe. yeah, it has some strings at the end including "Pure virtual fn called"
08:14 < yuriks_> btw, you can load binary files in the IDA demo
08:15 < TheSeven> oh, I thought the IDA demo didn't even support ARM processors?
08:15 < yuriks_> just load some bogus thing first then go to File -> Load File -> Additional Binary File
08:15 < yuriks_> it does
08:15 < yuriks_> it supports ARM and x86
08:16 < yuriks_> haven't been able to get it to load an objcopy elf though
08:16 < TheSeven> ah, right, the demo
08:16 < TheSeven> i thought you meant the freeware version (4.9)
08:16 < yuriks_> ah, no, the demo
08:21 * yuriks_ starts reversing the boot rom
08:21 < yuriks_> though, you guys figured it out already, no?
08:24 < TheSeven> partially
08:24 < TheSeven> i didn't dig into the signature verification stuff deeply yet
08:26 < yuriks_> well, the important part for now is having the rest of the firmware to find out how to access the hardware
08:27 < yuriks_> you have any tool written to read the flash or will I have to do that myself?
08:49 < TheSeven> i have such a tool, but i don't have much time right now
08:54 < yuriks_> hm, ok
08:58 < TheSeven> yuriks_: http://files.freemyipod.org/misc/spireader-8702.7z
08:59 < TheSeven> ibugger upload 22008000 spireader.bin && ibugger execute 22008000 22020000
08:59 < TheSeven> when it reconnects, the decrypted nor flash bootloader will be at 0x22020000
08:59 < TheSeven> (128KB)
09:00 < TheSeven> so ibugger download 22020000 20000 norboot.8702
09:02 < yuriks_> thanks
09:04 -!- n1s [~n1s@nl118-174-240.student.uu.se] has joined #freemyipod
09:04 -!- n1s [~n1s@nl118-174-240.student.uu.se] has quit [Changing host]
09:04 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
09:26 < user890104> TheSeven: i've included a rockbox install in fsfiles, and they got imported in the installer, but they didn't extract to the ipod
09:26 < user890104> i'm using the .bin installer and Update option from iloader's menu
09:47 < TheSeven> user890104: it will only install the files if there was no iloader folder when the installation started
09:47 < TheSeven> it doesn't differentiate between iloader and rockbox files
09:48 < TheSeven> you could change that, but then it would overwrite the files during every update even if they were already there, most end users probably won't want this
10:04 -!- perror [~fleury@aldebaran.labri.fr] has joined #freemyipod
10:22 < user890104> booted installer with umsboot and iloader/.rockbox folders deleted before that, and no appleos.bin was created
10:22 < user890104> i didn't remove the firmware partition, and didn't uninstall iloader from norflash, is that the reason?
10:23 < TheSeven> yep
10:23 < TheSeven> appleos.bin will only be created during the initial installation
10:23 < TheSeven> there are two things that the installer looks for during the installation:
10:24 < TheSeven> - apple or iloader nor format (triggers some decisions on what to do with the apple firmware and disk/diagmode)
10:24 < TheSeven> - was there a bootnote in the notes folder (makes it use osos instead of osbk, and delete the bootnote)
10:26 < user890104> is it possible to look for the firmware partition with apple's firmware in it, in case there isn't an iloader folder, and to create appleos.bin from the partition
10:26 < user890104> and if that fails, to check for aupd image and extract appleos from it (if it's possible)
10:26 < TheSeven> one should probably just look for a valid firmware partition, and check if osbk is present
10:27 < TheSeven> if there's osbk, use that, else use osos, if that also isn't present or there's no firmware partition at all, do nothing
10:27 < TheSeven> and maybe do nothing if there's already an appleos.bin
10:27 < user890104> exactly
10:27 < TheSeven> but that would need some rework of the installer's control flow
10:28 * TheSeven needs to go to work now
10:28 < user890104> it would be useful if someone just formats his ipod, and then wants to use umsboot
10:29 -!- user890104 [Venci@Venci-Notebook-LAN.ipv6.6bez10.info] has quit []
10:32 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 272 seconds]
10:49 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
12:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
12:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
12:36 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
13:14 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
13:20 -!- MrShlee [~Default@219-90-187-210.ip.adam.com.au] has joined #freemyipod
13:28 -!- benedikt93 is now known as benedikt93|AFK
13:39 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
14:06 < yuriks_> TheSeven: is that image I downloaded with spireader crypted still? I can't find any code or strings in it
14:06 < yuriks_> (though you use the hw crypt module in the reader so I was assuming not)
14:07 < TheSeven> it should decrypt it
14:07 < TheSeven> the image should start with "87021.0" and then a lot of null bytes
14:08 < yuriks_> it starts with that
14:08 < yuriks_> but I've run strings on it and poked around with ida and didn't find any valid looking code
14:08 < yuriks_> it has a bunch of nulls, then some FF
14:08 < TheSeven> there should be at least two strings
14:08 < yuriks_> oh, yeah, there are two paths
14:09 < TheSeven> exactly
14:09 < TheSeven> the source file names of seccore and peicore
14:09 < yuriks_> yup
14:09 < yuriks_> but, what's on the rest of the flash then?
14:09 < TheSeven> there will be an MZ ... PE signature a bit before
14:10 < TheSeven> the bytes between the offset of the MZ + 0x220 to the beginning of that file name string should be code/data/bss
14:10 < benedikt93|AFK> actually at the very beginning of that dump should be a jump to a jump to seccore
14:10 -!- benedikt93|AFK is now known as benedikt93
14:11 < yuriks_> the boot rom had that
14:11 < TheSeven> at the beginning of the payload, which is 0x800 in the file
14:11 < yuriks_> oh, it doesn't read the entire file into memory
14:11 < TheSeven> if you want to poke at it in ida, strip off the first 0x800 bytes and load it to 0x22000000
14:12 < TheSeven> there are basically those two efi modules (seccore and peicore), which are responsible for loading all the other (compressed) modules
14:12 < yuriks_> they use efi on a music player? =P
14:13 < yuriks_> ok, I guess
14:13 < TheSeven> it's apple
14:13 < TheSeven> bloatware all over the place
14:13 < TheSeven> that's why it takes longer for the apple bootloader to even show its boot logo than for rockbox to boot completely :)
14:14 < yuriks_> you have any idea if the minis were like that too? (just curious)
14:14 < TheSeven> no
14:14 < benedikt93> efi started with nano 3g and the classics
14:14 < TheSeven> that fun was introduced with the nano3g and the classic1g
14:14 < yuriks_> ah
14:16 < yuriks_> so those two modules load more modules off the flash too?
14:17 < benedikt93> they decompress the other modules in the dump
14:17 < benedikt93> seccore does not much more than setting up the stacks
14:17 < yuriks_> hmm, right
14:18 < yuriks_> TheSeven said disk mode was about 200kb yesterday, I was thinking 128kb was a bit small
14:18 < yuriks_> but that's compression for you =P
14:18 < benedikt93> peicore sets up the plls, i2c, the pmu, memory controller, sdram
14:18 < benedikt93> and then allocates lots of stuff in sdram and loads dxecore there and executes it which then continues the boot process
14:19 < benedikt93> nope, diskmode is a separate file in nor that will be loaded only if needed
14:19 < yuriks_> I want to find out how to initialize the lcd or the piezo so I can get some feedback and then figure out the ram
14:19 < benedikt93> also diagmode is a separate file as are the logos
14:20 < benedikt93> check our svn, TheSeven already figured out LCD AFAIK
14:20 < yuriks_> hmm, are they in the nor flash then? (diskmode being in the disk doesn't make much sense...)
14:20 < benedikt93> also sdram init is possible
14:20 < yuriks_> oh?
14:21 < benedikt93> you can uncompress the efi pe's with xfv-3 in TheSeven's tools package
14:21 < benedikt93> there are three or so which handle LCD
14:21 < benedikt93> though I think TheSeven used diagmode to figure out how this works
14:21 < benedikt93> *the diagmode code
14:23 < yuriks_> yeah, there's lcd code
14:23 < yuriks_> I should really stop trusting the wiki =P
14:23 < benedikt93> it's almost never updated
14:23 < benedikt93> the most reliable source are the IRC logs
14:23 < yuriks_> I read most from this month, not all though
14:30 < yuriks_> what's umsboot?
14:31 < TheSeven> the status page on the wiki is up to date
14:31 < TheSeven> the nano2g has both a different gpio configuration and a different power manager chip than the classics
14:31 < TheSeven> also it might have different lcds that need different init commands
14:32 < yuriks_> so that code in target/lcd.c doesn't really work?
14:32 < TheSeven> the "ipodnano3g" code base in the svn is basically ipod classic code that might be shared with the nano3g later, but it won't work out of the box
14:32 < yuriks_> target/ipodnano3g*
14:32 < yuriks_> hm
14:33 < TheSeven> the problem is that we don't have a datasheet for that dialog PMU
14:33 < benedikt93> TheSeven, how can the diagmode actually be decrypted?
14:33 < benedikt93> the same way as efi?
14:33 < TheSeven> similar... different header size etc.
14:34 < TheSeven> yuriks_: the first thing that needs to be done now is disassembling peicore and figuring out all the initialisation code, then disassembling the LCD efi module and figuring out the LCD init, and then finally writing an embios loader for the nano3g
14:36 < benedikt93> TheSeven, I'm mostly finished with peicore
14:37 < TheSeven> the whole peicore or just those five functions?
14:37 < TheSeven> on the classic it was sufficient to look at those five functions and a bunch of efi modules for the LCD/DMA init (which will hopefully be the same as on the classic)
14:39 < TheSeven> hm, the lcd module is binary identical, that's good news :)
14:40 < benedikt93> except that, it does not initialize much more (MMU) but sets up all the data structures in sdram, which I think I mostly understood by now
14:41 < TheSeven> hm, and there must be a lot of tiano decompression code in peicore :)
14:42 < benedikt93> that's the thing I didn't yet look at. Is there some documentation of the (de-)compression somewhere?
14:46 -!- benedikt93_ [~benedikt9@pD9E24FF8.dip.t-dialin.net] has joined #freemyipod
14:47 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Ping timeout: 240 seconds]
14:48 -!- benedikt93_ is now known as benedikt93
14:48 -!- benedikt93 [~benedikt9@pD9E24FF8.dip.t-dialin.net] has quit [Changing host]
14:48 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
15:03 < yuriks_> huh, I just realized that EFI uses PE
15:03 < yuriks_> that's... odd
15:03 < yuriks_> I'd expect them to use elf or something
15:11 < Farthen> yuriks_: yeah, that is weird
15:11 < yuriks_> TheSeven: shouldn't there be two PE signatures in the file since there are two modules?
15:12 < TheSeven> yes, there are
15:12 < TheSeven> one in front of peicore and one in front of seccore
15:12 < yuriks_> huh... IDA is only finding one...
15:15 < benedikt93> seccore has a slightly different header IIRC
15:16 < yuriks_> D=
15:20 -!- mode/#freemyipod [+o TheSeven] by ChanServ
15:20 -!- mode/#freemyipod [+b opnet!*@*] by TheSeven
15:20 -!- mode/#freemyipod [-o TheSeven] by ChanServ
15:53 -!- Daeke [~Daeken@pool-96-246-69-152.nycmny.east.verizon.net] has quit [Ping timeout: 240 seconds]
16:02 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 255 seconds]
16:12 < yuriks_> heh, one of the PE headers has the architecture set as i386 =P
16:14 < yuriks_> benedikt93: are those headers correct at all? they don't seem to make any sense
16:15 < benedikt93> I don't know, I actually have no clue about pe's
16:15 < yuriks_> I'm following the values
16:16 < yuriks_> one of them seems to skip a lot of the header and has a lot of garbage
16:16 < yuriks_> and another has nonsensical values (though the header size and magics match)
16:16 < benedikt93> but one thing you experience when going through the dumps is that apple did a lot of weird stuff, so maybe they changed the format
16:18 * yuriks_ tries to keep reversing the boot rom instead
16:19 < yuriks_> boot rom doesn't reference PE or MZ at all, so my guess is it pays no attention to the headers
16:20 < yuriks_> (and it must know the magic strings if it parsed them, since one of them has the wrong size, the only way it could read it is by scanning for the second magic)
16:22 < benedikt93> bootrom doesn't read the pe header at all
16:22 < benedikt93> it reads the header of the encrypted file in nor
16:23 < benedikt93> loads and decrypts it
16:23 < benedikt93> and jumps to the entrypoint which is at the very beginning of the file
16:24 < yuriks_> the first 4 bytes?
16:24 < yuriks_> "8702"
16:25 < benedikt93> at +0xC is the size
16:25 < benedikt93> for me 0x1F800
16:26 < yuriks_> you're talking about the encrypted or the decrypted rom?
16:26 < benedikt93> encrypted
16:26 < yuriks_> oh
16:26 < yuriks_> mine's decrypted already
16:27 < yuriks_> what a weird scheme
16:27 < yuriks_> why not simply encrypt the entry point too? O_o
16:27 < benedikt93> it is encrypted
16:28 * yuriks_ is a bit confused about this...
16:29 < yuriks_> lemme see if I got this
16:29 < yuriks_> the bootrom reads the 128kB file from nor
16:30 < yuriks_> decrypts it, reads the offset from a fixed position in the file, and jumps there?
16:30 < benedikt93> it loads the header of the ~128KB file
16:31 < yuriks_> oh, THAT has a header too
16:31 < benedikt93> and within this one, at +0xC is the size of the actual file
16:32 < yuriks_> hmm, ok
16:32 < yuriks_> I need to download this header too then
16:33 < yuriks_> no, wait, it's already dled
16:34 < yuriks_> OH, ok, I got it now
16:35 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
16:36 < yuriks_> I drove him away with my inane questions =P
16:36 < Dreamxtreme> lol
16:40 * yuriks_ is still wondering what's the significance of the "8702" header
16:51 < yuriks_> well, derp, that's the cpu model
17:04 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
17:08 -!- MrShlee [~Default@219-90-187-210.ip.adam.com.au] has quit [Quit: Leaving]
18:02 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has quit [Remote host closed the connection]
18:03 -!- clustur [~logger@c-76-127-58-39.hsd1.ga.comcast.net] has joined #freemyipod
18:05 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
19:05 -!- user890104 [Venci@venci-notebook-lan.ipv6.6bez10.info] has joined #freemyipod
19:23 -!- AlexP [~alex@rockbox/staff/AlexP] has quit [Read error: Operation timed out]
19:26 -!- AlexP [~alex@rockbox/staff/AlexP] has joined #freemyipod
19:38 -!- Dreamxtreme is now known as nicktella
19:38 -!- nicktella is now known as Dreamxtreme
20:16 -!- perror [~fleury@aldebaran.labri.fr] has quit [Quit: Bye all !]
20:51 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
21:04 -!- Stephen__ [~S@86.42.179.232] has joined #freemyipod
21:04 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 255 seconds]
21:06 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
21:15 < Stephen__> TheSeven, need any testing on a classic 1g 160gb ?
21:15 < TheSeven> at a later point, yes
21:15 < TheSeven> IIUC this is the one with the weird CE-ATA disk
21:16 < Stephen__> just shout if needs be, i read the logs a lot so i'll know if you just ask
21:17 < Stephen__> Yeah I reckon you're right judging by http://www.rockbox.org/wiki/HardDriveReplacement#Toshiba_AN1
21:18 < user890104> so, the classics are using a hard drive to store the data (and probably the firmware?) and the 3g nano is using a nand flash chip, right? but the CPUs are the same
21:18 < TheSeven> yep
21:18 < Stephen__> how are you getting on with ATA ?
21:19 < TheSeven> the drive is doing nonsense
21:20 < TheSeven> i manage to read sector 0 from time to time, but not if i send it the command that would actually be correct :)
21:21 < Stephen__> ah nuts.
21:21 < Stephen__> pesky apple!
21:21 -!- Jiss [~Jiss@abo-199-13-69.bdx.modulonet.fr] has joined #freemyipod
21:44 -!- n1s [~n1s@nl118-174-240.student.uu.se] has joined #freemyipod
21:44 -!- n1s [~n1s@nl118-174-240.student.uu.se] has quit [Changing host]
21:44 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
22:56 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 255 seconds]
23:02 -!- Stephen__ [~S@86.42.179.232] has quit [Quit: Leaving]
23:42 -!- user890104 [Venci@venci-notebook-lan.ipv6.6bez10.info] has quit [Ping timeout: 272 seconds]
--- Log closed Wed Dec 01 00:01:23 2010