--- Log opened Sun Jan 02 00:00:20 2011
00:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
00:00 -!- Keripo [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has joined #freemyipod
00:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
00:00 < [7]> the preliminary datasheet of the s5l8700 is the closest match that we have
00:00 < [7]> and it isn't very accurate for the 8702, most of it was reverse-engineered from apple code
00:02 < asmmonkey> where was that apple code? NOR flash?
00:02 < asmmonkey> firmware?
00:04 < [7]> both
00:06 < asmmonkey> do you have an unencrypted NOR dump?
00:06 < asmmonkey> Does serpilliere?
00:06 < [7]> i have one, yes
00:07 < [7]> and you can obtain your own one using some code i have lying around
00:07 < asmmonkey> I am very interesting in that code, could you give it to me?
00:08 < asmmonkey> *interested
00:08 < asmmonkey> which crypto does it use?
00:09 < [7]> the UID hardware key
00:09 < [7]> with an AES128-CBC algorithm
00:09 < [7]> http://files.freemyipod.org/misc/spireader-8702.7z
00:09 < asmmonkey> thanks
00:10 < asmmonkey> UID = Unique ID?
00:10 < [7]> yes, a unique per-device AES key
00:11 < asmmonkey> how can I get it?
00:12 < [7]> there is no way that we know of
00:12 < [7]> you can only let the hardware AES coprocessor use it to encrypt/decrypt things
00:18 < [7]> so if you want to get a decrypted copy of your second-stage bootloader, do the following:
00:18 < [7]> put the sramloader at 0x6000 into the exploit container
00:18 < [7]> change the entrypoint to 0x22006000
00:19 < [7]> run ipoddfu.py
00:19 < [7]> then run ibugger.py upload 22008000 spireader.bin
00:19 < [7]> ibugger.py execute 22008000 22010000
00:20 < [7]> ibugger.py download 22020000 20000 norboot.8702.decrypted
00:20 < [7]> ibugger.py is in the old tools snapshot (http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z)
00:21 < asmmonkey> Perfect, I really, really appreciate your help.
00:22 < [7]> and i really, really appreciate it if you take over further development for that platform :)
00:22 < [7]> helping you is the easiest way for me to offload work to you :-P
00:23 < asmmonkey> I will, I promise. I am very interested in ARM development and embedded devices hacking. :D
00:24 < asmmonkey> also I have an ipod nano 3g gathering dust :-p
00:25 < asmmonkey> Ok, that's enough for today, I am going to sleep (here it is 1:25 AM), and tomorrow I will start reverse engineering. Thank you!
00:26 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has quit [Quit: Page closed]
00:35 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
00:46 -!- Keripo1 [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has joined #freemyipod
00:48 -!- Keripo [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has quit [Ping timeout: 250 seconds]
01:33 < fmibot> New commit by theseven (r405): emBIOS: Fix wrong variable type in iPod Classic ATA driver
01:33 < fmibot> r405 build result: All green!
02:14 -!- timccc [~timccc@112.166.15.141] has quit [Ping timeout: 246 seconds]
02:19 -!- veeloc [~veeloc@pool-71-163-147-246.washdc.fios.verizon.net] has joined #freemyipod
02:20 < veeloc> Anyone working on 6G's here?
02:21 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
02:21 < [7]> veeloc: 6g nano? or do you mean the classic?
02:21 < veeloc> [7]: nano
02:21 < [7]> i don't think anyone is actively working on them
02:21 < veeloc> [7]: by any chance are you TheSeven?
02:21 < [7]> yep
02:22 < [7]> there's some strange site called "nanohack.me"
02:22 < veeloc> mhm, just read through it
02:22 * [7] realizes they stole extract2g from us :)
02:22 < veeloc> haha, they credited you though!
02:23 < veeloc> the nano's firmware update contains a bootloader (encrypted) and then the firmware file (mostly encrypted) as well as a signature.
02:23 < veeloc> [7]: any ideas on decrypting on device?
02:25 < [7]> not as long as we have no access to the device
02:26 < veeloc> how'd it go on the other nanos?
02:29 < fmibot> New commit by theseven (r406): embios.py: Add recursive file system access functions
02:29 < [7]> through other exploits
02:29 < fmibot> r406 build result: All green!
02:32 < veeloc> [7]: yeah exploits will be hard to find given the fw is encrypted now and there's no exploits available to decrypt.
02:32 < [7]> exactly.
02:32 < veeloc> and no notes on these
02:33 < veeloc> ;P
02:48 < fmibot> New commit by theseven (r407): embios.py: Error handling cosmetics
02:48 < fmibot> r407 build result: All green!
03:01 -!- [7] [~TheSeven@rockbox/developer/TheSeven] has quit [Disconnected by services]
03:01 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
04:03 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 240 seconds]
04:07 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:00 -!- MrShlee [~ParadisoS@219-90-173-153.ip.adam.com.au] has joined #freemyipod
05:49 -!- veeloc [~veeloc@pool-71-163-147-246.washdc.fios.verizon.net] has quit [Quit: veeloc]
06:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
06:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
06:16 -!- Keripo1 [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has quit [Quit: Leaving.]
07:33 -!- MrShlee [~ParadisoS@219-90-173-153.ip.adam.com.au] has quit [Quit: Leaving]
07:39 -!- user890104 [Venci@venci-notebook-lan.ipv6.6bez10.info] has quit [Ping timeout: 272 seconds]
07:40 -!- user890104 [~Venci@6bez10.info] has joined #freemyipod
08:11 -!- [Saint] [S_a_i_n_t@203.184.3.36] has joined #freemyipod
09:38 -!- n1s [~n1s@90-230-78-242-no134.tbcn.telia.com] has joined #freemyipod
09:38 -!- n1s [~n1s@90-230-78-242-no134.tbcn.telia.com] has quit [Changing host]
09:38 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
10:25 -!- Jiss [~Jiss@ip-11.net-82-216-242.rev.numericable.fr] has joined #freemyipod
11:35 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has joined #freemyipod
12:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
12:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
12:07 < asmmonkey> TheSeven, are you there?
13:56 < TheSeven> yep
14:03 -!- [Saint] [S_a_i_n_t@203.184.3.36] has quit [Ping timeout: 255 seconds]
14:11 -!- [Saint] [S_a_i_n_t@203.184.0.102] has joined #freemyipod
14:36 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has quit [Ping timeout: 265 seconds]
14:50 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has joined #freemyipod
14:50 < asmmonkey> sudo python2 tools/ipoddfu.py sramloader.dfu
14:50 < asmmonkey> Connected to S5L8702 Bootrom DFU mode, USB version 1 Upload: .................................................................. done Exception usb.core.USBError: USBError('No such device (it may have been disconnected)',) in > ignore
14:51 < asmmonkey> It seems that it uploads the code right, but after running the command the ipod resets. TheSeven, any clue?
14:53 < TheSeven> did you patch the entry point address correctly?
14:53 < asmmonkey> Yes.
14:53 < TheSeven> if you put the loader at 0x6000, the "RDDA" bytes need to be 00 60 00 22
14:54 < asmmonkey> 0001fff0 00 00 00 00 00 00 00 60 00 22 00 00 00 00 00 00 |.......`."......|
14:54 < TheSeven> looks good.
14:54 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
14:54 < asmmonkey> I have also tried building the DFU with planetbeing's utility, fucc. Same result.
14:56 < benedikt93> is that serpilliere's code?
14:57 < TheSeven> it's code I wrote a year ago, which serpilliere also used
14:58 < benedikt93> wasn't the nor read & decrypt code position dependent to be at 0x22000000 ?
15:00 < TheSeven> ah, you mean the spireader... this is just the ibugger sramloader
15:01 < TheSeven> the spireader file i uploaded isn't position-independent, and it's not serpilliere's one either
15:01 < TheSeven> i wrote my own reader in the meantime which doesn't call into the rom
15:01 < benedikt93> yep, i remember
15:04 < benedikt93> asmmonkey, though, when it says done, the code should actually be executed. So try connecting to it via ibugger.py
15:05 < asmmonkey> I have tried that, no luck.
15:06 < asmmonkey> But I made a working DFU using fucc. So now I have code running :D
15:10 < asmmonkey> Question: I have found code (or data) at 0x20000000. What is it? Bootrom?
15:14 < benedikt93> yep, it is
15:14 < benedikt93> this does init some very basic hw, then load the image from nor, check the signature, decrypt it and run it
15:15 < benedikt93> that's the second stage boot loader, for which they used EFI
15:18 < asmmonkey> EFI?
15:19 < benedikt93> Extensible Firmware Interface, some BIOS replacement
15:19 < benedikt93> of course totally overengineered for a portable media player
15:25 < asmmonkey> Ufff, it is going to be hard! :-P
15:29 < benedikt93> this is why I myself am only advancing slowly (besides my lack of time, knowledge and experience ofc), as I'd actually like to fully understand what the EFI does
15:29 < benedikt93> and it's really hell to RE
15:33 < benedikt93> you can uncompress the EFI firmware volume with xfv-3, it's contained in TheSeven's code snapshot: http://theseven.freemyipod.org/download/snapshot-201003100612-public.7z
15:36 < asmmonkey> thanks
16:00 -!- Keripo [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has joined #freemyipod
16:03 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has quit [Ping timeout: 265 seconds]
16:33 -!- liar [~liar@188-22-211-66.adsl.highway.telekom.at] has joined #freemyipod
16:39 -!- liar [~liar@188-22-211-66.adsl.highway.telekom.at] has quit [Read error: Operation timed out]
18:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
18:00 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
18:24 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has joined #freemyipod
20:37 -!- asmmonkey [503acd20@gateway/web/freenode/ip.80.58.205.32] has quit [Quit: Page closed]
22:03 -!- Keripo1 [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has joined #freemyipod
22:04 -!- Keripo [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has quit [Ping timeout: 264 seconds]
22:24 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit []
22:24 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
22:33 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
22:44 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [*.net *.split]
22:44 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has quit [*.net *.split]
22:44 -!- linuxstb [~linuxstb@rockbox/developer/linuxstb] has quit [*.net *.split]
22:44 -!- n1s [~n1s@rockbox/developer/n1s] has quit [*.net *.split]
22:44 -!- soap [~soap@rockbox/staff/soap] has quit [*.net *.split]
22:45 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
22:45 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has joined #freemyipod
22:45 -!- linuxstb [~linuxstb@rockbox/developer/linuxstb] has joined #freemyipod
22:46 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
22:46 -!- soap [~soap@rockbox/staff/soap] has joined #freemyipod
22:54 -!- timccc [~timccc@112.166.15.141] has quit [*.net *.split]
22:54 -!- Kuitsi [~Kuitsi@a88-113-118-171.elisa-laajakaista.fi] has quit [*.net *.split]
22:54 -!- Utchy [~Utchy@rps6752.ovh.net] has quit [*.net *.split]
22:54 -!- n1s [~n1s@rockbox/developer/n1s] has quit [*.net *.split]
22:54 -!- soap [~soap@rockbox/staff/soap] has quit [*.net *.split]
22:58 -!- Kuitsi [~Kuitsi@a88-113-118-171.elisa-laajakaista.fi] has joined #freemyipod
23:03 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
23:03 -!- soap [~soap@rockbox/staff/soap] has joined #freemyipod
23:10 -!- Utchy [~Utchy@rps6752.ovh.net] has joined #freemyipod
23:11 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
23:15 -!- asmmonkey [~asmmonkey@182.Red-88-21-175.staticIP.rima-tde.net] has joined #freemyipod
23:17 -!- asmmonkey [~asmmonkey@182.Red-88-21-175.staticIP.rima-tde.net] has quit [Client Quit]
23:18 -!- Keripo1 [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has quit [Quit: Leaving.]
23:18 -!- asmmonkey [~asmmonkey@182.Red-88-21-175.staticIP.rima-tde.net] has joined #freemyipod
23:19 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Lämnar]
23:27 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [*.net *.split]
23:27 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has quit [*.net *.split]
23:27 -!- linuxstb [~linuxstb@rockbox/developer/linuxstb] has quit [*.net *.split]
23:27 -!- teuf [~teuf@scytale.myrix.net] has quit [*.net *.split]
23:29 -!- teuf [~teuf@scytale.myrix.net] has joined #freemyipod
23:29 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
23:29 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has joined #freemyipod
23:29 -!- linuxstb [~linuxstb@rockbox/developer/linuxstb] has joined #freemyipod
23:51 -!- Keripo [~Keripo@CPE0022b0d4bdb7-CM001a6680d4fe.cpe.net.cable.rogers.com] has joined #freemyipod
--- Log closed Mon Jan 03 00:00:21 2011