--- Log opened Fri Nov 18 00:02:15 2011
00:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
00:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
01:54 -!- Keripo [~Keripo@eng334.wireless-resnet.upenn.edu] has quit [Quit: Leaving.]
02:25 -!- Keripo [~Keripo@eng334.wireless-resnet.upenn.edu] has joined #freemyipod
02:59 -!- Keripo [~Keripo@eng334.wireless-resnet.upenn.edu] has quit [Quit: Leaving.]
03:36 -!- Keripo [~Keripo@eng334.wireless-resnet.upenn.edu] has joined #freemyipod
03:50 -!- [7] [~TheSeven@rockbox/developer/TheSeven] has quit [Disconnected by services]
03:51 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:04 -!- IG-88 [~J@c-98-228-201-152.hsd1.in.comcast.net] has joined #freemyipod
05:24 -!- Elfish [amba@fuplz.co.cc] has quit [Read error: Operation timed out]
05:24 -!- Elfish [amba@2a01:4f8:100:90a1:abc:abc:abc:abc] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
06:21 * IG-88 is away: Gone away for now
06:35 * IG-88 is back.
07:12 -!- IG-88 [~J@c-98-228-201-152.hsd1.in.comcast.net] has left #freemyipod
08:13 -!- GaveUp [gaveup@your.friendly.neighborhood.hellmouth.info] has quit [Quit: I owe you pain.]
08:14 -!- GaveUp [gaveup@your.friendly.neighborhood.hellmouth.info] has joined #freemyipod
09:04 -!- Keripo [~Keripo@eng334.wireless-resnet.upenn.edu] has quit [Quit: Leaving.]
10:11 -!- scorche [~scorche@rockbox/administrator/scorche] has quit [Ping timeout: 260 seconds]
10:12 -!- scorche [~scorche@rockbox/administrator/scorche] has joined #freemyipod
11:08 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
12:49 < fmibot> New commit by user890104 (r785): emCOREFS: remove all those unneeded const qualifiers for arguments passed as values, also make the whole thing compile on both ubuntu (gcc 4.5.2) and osx (gcc 4.2.1).
12:50 < fmibot> r785 build result: emcore: All green!
12:50 < fmibot> r785 build result: umsboot: All green!
12:58 < fmibot> New commit by user890104 (r786): emCOREFS: fix a couple more memleaks (thanks to cppcheck), also an x64 int formatting issue.
12:58 < fmibot> r786 build result: emcore: All green!
12:58 < fmibot> r786 build result: umsboot: All green!
13:45 < fmibot> New commit by theseven (r787): (lib)emcore.py: Add ipodclassic_readbbt command, make ipodclassic_writebbt work with Python 3
13:45 < fmibot> r787 build result: emcore: All green!
13:45 < fmibot> r787 build result: umsboot: All green!
15:10 -!- n1s [~n1s@nl118-175-223.student.uu.se] has joined #freemyipod
15:10 -!- n1s [~n1s@nl118-175-223.student.uu.se] has quit [Changing host]
15:10 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
15:32 < fmibot> New commit by theseven (r788): (lib)ipodcrypt.py: Make this work in Python 3
15:32 < fmibot> r788 build result: emcore: All green!
15:32 < fmibot> r788 build result: umsboot: All green!
15:43 < fmibot> New commit by theseven (r789): (lib)ipoddfu.py: Make this work in Python 3
15:43 < fmibot> r789 build result: emcore: All green!
15:43 < fmibot> r789 build result: umsboot: All green!
15:53 < user890104> TheSeven: can you please test my fuse app?
16:41 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
17:03 -!- Keripo [~Keripo@SEAS297.wlan.seas.upenn.edu] has joined #freemyipod
17:35 < fmibot> New commit by user890104 (r790): emCOREFS: fix variable reusing fail, and finally make printing of ssize_t portable
17:35 < fmibot> r790 build result: emcore: All green!
17:35 < fmibot> r790 build result: umsboot: All green!
17:57 -!- Keripo [~Keripo@SEAS297.wlan.seas.upenn.edu] has quit [Quit: Leaving.]
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
18:04 < fmibot> New commit by theseven (r791): emcore.py: Add ipodclassic_disablebbt and ipodclassic_reloadbbt commands
18:04 < fmibot> r791 build result: emcore: All green!
18:04 < fmibot> r791 build result: umsboot: All green!
18:17 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.UPENN.EDU] has joined #freemyipod
18:28 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
18:52 < TheSeven> aha...
18:52 < TheSeven> so the MBR that the user gets presented in disk mode is actually sector 16447 on the hdd
18:53 < TheSeven> the firmware partition starts at 63 and is 16384 sectors in size on my classic1g 80gb
18:53 < TheSeven> however that size was different on my classic3g...
18:55 < user890104> how many bytes per sector are there?
18:55 * user890104 announces the official availability of emCOREFS for Mac OS X
19:05 < TheSeven> apple seems to default to 4096
19:06 < TheSeven> and it looks like there are in fact 2 cascaded partition tables
19:07 < TheSeven> the outer one contains the firmware partition (starting at 63) and the user-visible area (starting at end_of_firmwarepartition+1), the inner one in the user-visible area contains just the user data partition, starting at 63 into the user-visible area
19:07 < TheSeven> so the first sector of the second partition on the hdd (actually the first partition table entry, the second one is the fw partition) actually contains the MBR that disk mode exposes as the first sector
19:15 < user890104> so if some offset is added to the sector accessing functions, emcore/rockbox should work with apple's layout?
19:15 < user890104> or it's more complicated
19:16 < TheSeven> i can influence what disk mode thinks is the first sector by changing the first physical sector
19:20 < TheSeven> now let's try exploiting that bootloader...
19:28 < user890104> so copying the fake mbr over the real one should work?
19:49 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.UPENN.EDU] has quit [Quit: Leaving.]
20:45 < TheSeven> heh
20:46 < TheSeven> apparently the inner volume can be superfloppy-formatted, and on my classic3g it was
20:46 < TheSeven> however when I corrupted the outer MBR, it was reinitialized by the bootloader, and an inner MBR containing a data partition was written as well
20:46 < TheSeven> and my classic1g refuses to boot my classic3g factory image
21:02 < TheSeven> the ipod-generated outer mbr has a 49152 sectors firmware partition
21:02 < TheSeven> er, the itunes-generated one
21:03 < TheSeven> the ipod-generated (when an invalid one is found on boot) is 16384 sectors
22:05 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
22:12 < TheSeven> grr. can only manage to get it to freeze but not crash
22:15 < TheSeven> and can't get any sign of my payload in a coldboot dump, probably because it was overwritten
22:34 < fmibot> New commit by theseven (r792): emcore.py: Fix a couple bugs
22:34 < fmibot> r792 build result: emcore: All green!
22:34 < fmibot> r792 build result: umsboot: All green!
22:36 < fmibot> New commit by theseven (r793): (lib)ipodcrypto.py: Add s5l8702-genpwnage800 command
22:36 < fmibot> r793 build result: emcore: All green!
22:36 < fmibot> r793 build result: umsboot: All green!
22:40 * benedikt93 wonders what pwnage800 is
22:41 < TheSeven> yet another slightly modified pwnage2.0 exploit
22:42 < TheSeven> different payload offset within the image and different entrypoint address, hopefully suitable for being executed from the firmware partition
22:44 < TheSeven> yeah!
22:44 < TheSeven> got an sramloader going from the fw partition!
22:44 < TheSeven> pretty much straightforward exploit
22:45 * TheSeven suspects that this will need a bit of additional hw setup code to be able to run emcore
22:45 * benedikt93 should definitely poke at the N3G NAND again
22:49 < TheSeven> someone should finally fully reverse engineer that itunes update protocol
23:01 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
23:06 < user890104> TheSeven: i think i can help with that, but i need to find out how to send scsi commands with libusb
23:06 < user890104> or find some scsi-libusb library
23:06 < user890104> or write one
23:07 < teuf> you can send scsi commands to usb devices using libsg
23:07 < teuf> (on linux)
23:07 < teuf> libgpod is doing this
23:07 * TheSeven thinks there's some ioctl to do it through linux's usb-scsi layer
23:08 < user890104> teuf: thanks for the information, i need to learn using libsg then
23:08 < teuf> user890104: https://gitorious.org/libgpod/libgpod/blobs/master/tools/ipod-scsi.c
23:09 -!- Utchybann [~Utchy@rps6752.ovh.net] has quit [Ping timeout: 240 seconds]
23:09 < teuf> but for newer ipods we are using https://gitorious.org/libgpod/libgpod/blobs/master/tools/ipod-usb.c
23:09 < teuf> which is no longer scsi as far as I know, just some magic usb thing
23:09 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Ex-Chat]
23:10 -!- Utchybann [~Utchy@rps6752.ovh.net] has joined #freemyipod
23:24 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
23:27 * user890104 agrees that it's some magic usb thing
23:29 * Farthen catches up with all the stuff that happened
--- Log closed Sat Nov 19 00:02:09 2011