[00:40:42] *** Quits: n1s (~n1s@rockbox/developer/n1s) (Quit: Ex-Chat)
[01:26:55] *** Joins: user890104 (Venci@unaffiliated/user890104)
[01:26:55] *** Server sets mode: +nt 
[06:36:55] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 252 seconds)
[06:38:25] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[06:49:39] *** Joins: steffengy (~quassel@p57B49A5B.dip0.t-ipconnect.de)
[06:52:56] *** Quits: steffengy1 (~quassel@p5088F2AE.dip0.t-ipconnect.de) (Ping timeout: 260 seconds)
[13:57:46] *** Joins: n1s (~n1s@c-26d572d5.010-215-7570701.cust.bredbandsbolaget.se)
[13:57:46] *** Quits: n1s (~n1s@c-26d572d5.010-215-7570701.cust.bredbandsbolaget.se) (Changing host)
[13:57:46] *** Joins: n1s (~n1s@rockbox/developer/n1s)
[15:01:38] *** Quits: n1s (~n1s@rockbox/developer/n1s) (Quit: Ex-Chat)
[15:28:19] *** Joins: bcobco (~bcobco@77.225.204.119)
[15:35:24] *** Quits: bcobco (~bcobco@77.225.204.119) (Remote host closed the connection)
[15:35:48] *** Joins: bcobco (~bcobco@77.225.204.119)
[15:59:16] *** el3ctrik-away is now known as el3ctrik
[16:51:03] *** Quits: bcobco (~bcobco@77.225.204.119) (Remote host closed the connection)
[16:51:25] *** Joins: bcobco (~bcobco@77.225.204.119)
[17:18:18] * TheSeven is confused
[17:19:14] <TheSeven> user890104: once emcore has touched that tarkan CF adapter, it will refuse to work with the OF/diskmode as well until it gets power cycled
[17:34:55] <TheSeven> holy crap. now it started to just work with emcore.
[17:35:10] <[Saint]> Maaaaaaaaaaaaaaaaaaaagiiiiiiiiiiiiiic.
[17:35:14] <[Saint]> <hand waves>
[17:36:32] <TheSeven> this is just crazy.
[17:36:52] <TheSeven> now I tried out the OF boot thing, which previously failed on my classic3g
[17:36:56] <TheSeven> on the classic1g it just works
[17:37:49] <[Saint]> shitty traces and poor manufacturing tolerances?
[17:37:57] <[Saint]> ie. bad contacts?
[17:38:40] <[Saint]> Seems like a logical answer to a seemingly illogical solution.
[17:38:50] <[Saint]> Slight flex or torsion, bam, no worky.
[17:38:59] <TheSeven> not really logical either if it previously reproducibly worked with the OF but not our code
[17:38:59] <[Saint]> Or, perhaps, worky.
[17:39:10] <[Saint]> Ah. Hmmm.
[17:39:26] <[Saint]> I wasn't aware it worked reliably anywhere at all.
[17:40:01] <TheSeven> well according to copper it worked reliably with the OF
[17:40:17] * TheSeven plays around some more with the OF
[17:44:03] *** Quits: bcobco (~bcobco@77.225.204.119) (Remote host closed the connection)
[17:44:29] *** Joins: bcobco (~bcobco@77.225.204.119)
[19:16:53] *** Quits: Basstard` (~sturgeon@host-95-195-153-67.mobileonline.telia.com) (Ping timeout: 248 seconds)
[19:23:35] *** Joins: Basstard` (~sturgeon@host-95-195-153-67.mobileonline.telia.com)
[19:29:27] <user890104> TheSeven: did you manage to boot OF using emcore (and without crashes)?
[19:30:03] <TheSeven> on 1g yes, on 3g no
[19:30:12] <TheSeven> still trying to figure out why
[19:30:47] <TheSeven> from what it looks like the 1g and 3g firmwares are incomatible with each other
[19:31:06] <TheSeven> itunes installes 1.0.2 on a 1g, 2.x.x on a 3g
[19:37:02] <user890104> what about 2g? what do i need to do in order to test it?
[19:48:23] <TheSeven> user890104: test what exactly? usb?
[19:48:31] <TheSeven> just my patches on gerrit...
[19:48:42] <TheSeven> the first one (reverting that really old commit) should be optional
[19:48:45] <user890104> test OF on classic 2g
[19:48:55] <TheSeven> ah, I was implying nano when hearing 2g :P
[19:49:00] <user890104> :)
[19:49:09] <TheSeven> I suspect that the 2g is basically a 1g with a different drive
[19:49:31] <user890104> do you have an installer that has an OF option
[19:49:31] <TheSeven> grab an appleos binary (decrypted osos) matching your device
[19:49:45] <user890104> or i need to "runfirmware" it?
[19:50:08] <TheSeven> runfirmware should work on the emcore version in that huge archive that I sent you
[19:50:50] <user890104> so i don't need a patched emcore version?
[19:50:58] <TheSeven> the patch is in that tree
[19:52:44] *** Quits: el3ctrik (~el3ctrik@2a00:1c10:5:202:216:3eff:fe98:c8f1) (Ping timeout: 240 seconds)
[19:56:08] <TheSeven> crap
[19:56:37] <TheSeven> hm, do we know which generation we're running on? seems like the different bootloader versions handle some sysinfo fields differently
[19:56:54] <TheSeven> we found that field in the flash sysinfo, right?
[19:57:35] <TheSeven> seems like 1g sets vrsn=0x1308004, 3g sets vrsn=0x1708004
[19:59:39] <user890104> which field is that?
[19:59:51] <user890104> i have a 2g sysinfo somewhere
[20:00:20] <TheSeven> hm, do you have a SystemConfig.efi from a 2g somewhere?
[20:02:14] <user890104> what's that? isn't efi used only in n3g+?
[20:02:30] <TheSeven> classic == n3g for that matter, both are s5l8702
[20:02:45] <TheSeven> on n3g the also implemented diagmode that way, on classic that's still monolithic
[20:03:59] <user890104> which image contains this module?
[20:04:15] <TheSeven> norboot
[20:05:35] <TheSeven> 3g HwVr seems to be 0x130200
[20:07:13] <TheSeven> 1g HwVr seems to be 0x130000
[20:07:35] <TheSeven> so 2g is probably 0x130100
[20:07:43] <user890104> 0x130100 (as you might have expected) :)
[20:07:54] <TheSeven> hm...
[20:08:07] <TheSeven> do you have a sram snapshot after norboot was running somewhere?
[20:08:47] <user890104> no, but i can make one
[20:09:03] <TheSeven> I need that vrsn value from the runtime syscfg of a 2g
[20:09:31] <TheSeven> I'm wondering if this might be related to the software version rather than hardware generation
[20:09:45] <TheSeven> however is there even any overlap between software versions of the various generations?
[20:13:08] <user890104> can we make norboot run that memory upload/download stub?
[20:15:11] <TheSeven> hm, if we manage to chainload it without confusing it too badly...
[20:15:46] <TheSeven> and if you know an address where you can set a breakpoint after it has set up the syscfg
[20:16:04] <TheSeven> that part is a bit tricky due to all those modules being loaded and decompressed at runtime, so you can't easily inject the breakpoint
[20:29:47] <TheSeven> hm, fixing the vrsn field didn't help, still data aborting...
[20:29:48] <TheSeven> Hit abort (05) at 08034838 (accessing 00ffc3ea)!
[20:29:48] <TheSeven> r00: 08b30820, r04: 00ffc3ea, r08: 0000000f, r12: ea00ffc3
[20:29:48] <TheSeven> r01: 200000d3, r05: 00000001, r09: 39a00094, r13: 08b30820
[20:29:49] <TheSeven> r02: 000000c0, r06: 089aed2c, r10: 00008000, r14: 08034838
[20:29:51] <TheSeven> r03: 02000000, r07: 0812cc38, r11: 00000020, r15: 0803483c
[20:29:53] <TheSeven> spsr: 200000d3, cpsr: 200000d7, fsr: 00000005, far: 00ffc3ea
[20:29:55] <TheSeven> Enabled IRQs: 0 1 2 3 8 16 17 18 21 23 24 29 33 (IRQs globally disabled!)
[20:54:40] <TheSeven> let me backtrace that:
[20:55:16] <TheSeven> 08034838 crashes because R4 is nonsense, which was passed to 08034824 as r0
[20:55:21] <TheSeven> er, r1
[20:56:04] <TheSeven> that gets called from 08034cdc, the bad pointer is passed to 08034ccc as r0
[20:56:43] <TheSeven> that in turn gets jumped to from 080a50b8, with r0 being dereferenced
[20:56:59] <TheSeven> (that's 080a50b4)
[20:57:18] <TheSeven> that in turn gets jumped to from a veneer at 22003598
[20:57:45] <TheSeven> which gets called from 22002f40
[20:58:28] <TheSeven> which is only called if r8 (which ends up in r0) is nonzero
[20:58:38] <TheSeven> so whatever we're dereferencing there is nonsense, but not null
[21:00:45] * TheSeven jumps back to that location to capture the pointer
[21:01:06] <TheSeven> seems like it's 09829b08, which is likely a heap allocation :/
[21:02:08] <TheSeven> hm, or not...
[21:02:18] <TheSeven> it's likely not the first loop iteration that's crashing here
[21:02:30] * TheSeven wonders what kind of data that function is processing
[21:13:45] <TheSeven> user890104: can you try a coldboot attack on your 2g?
[21:14:31] <TheSeven> i.e. flash OF and then boot into DFU, upload the dumper, and capture the SRAM contents
[21:14:51] <TheSeven> then search for "vrsm" or that in reverse, and tell me the 4 bytes after that
[21:14:57] <TheSeven> er, "vrsn" of course
[21:15:33] <user890104> what's the address and size of the sram area?
[21:18:33] <TheSeven> 0x22000000 0x00040000
[21:21:10] <TheSeven> hm, this seems to be some resource lookup code that's crashing here
[21:51:59] <user890104> "the dumper" == usbstub, right?
[21:53:01] <user890104> do you happen to have a build?
[21:55:48] <TheSeven> should be in that huge 7z
[22:02:48] <user890104> in /tmp?
[22:03:09] <TheSeven> yes
[22:03:44] <user890104> classic1g_dbgldr.bin
[22:04:07] <TheSeven> yes
[22:14:23] <user890104> TheSeven: is only restoing the bootflash enough?
[22:14:30] <TheSeven> should be
[22:14:41] <TheSeven> possibly even chainloading norboot through emcore
[22:14:57] <user890104> ok, let's see...
[22:15:09] <user890104> i need to wrap your binary in pwnage, right?
[22:16:18] <TheSeven> hm yes, should work
[22:16:25] <TheSeven> I don't think it will need a boot stub
[22:16:52] <user890104> ok
[22:17:09] <user890104> i just made a build using: make TYPE=release usbstub/ipodclassic
[22:24:50] <user890104> TheSeven: looks like it locked up
[22:25:13] <TheSeven> what exactly?
[22:26:10] <user890104> i used embed.exe and the 128kB container to wrap my build of usbstub
[22:26:22] <user890104> then loaded it using ipoddfu.py
[22:26:32] <TheSeven> and no usb reaction?
[22:26:37] <user890104> and the dfu device didn't disappear
[22:26:54] <TheSeven> and nothing appears after a reconnect?
[22:27:06] <TheSeven> ("broken device" after 10 seconds or so)
[22:27:25] <user890104> exactly
[22:27:33] <TheSeven> hm
[22:27:39] <TheSeven> try wrapping it into a bootstub then
[22:27:44] <user890104> ok
[22:36:25] <user890104> that's better :)
[22:38:48] <TheSeven> interesting...
[22:38:58] <TheSeven> not quite sure what it's relying on, probably page tables
[22:40:11] <TheSeven> the boot stub will trash quite some hw state, but I hope it leaves the ram in question intact
[22:45:08] <user890104> usb.core.USBError: [Errno None] b'libusb0-dll:err [control_msg] sending control message failed, win error: A device attached to the system is not functioning.\r\n\n'
[22:48:48] <user890104> TheSeven: http://paste.pm/raw/i3a
[22:49:38] <TheSeven> hm
[22:49:43] <TheSeven> probably bulk endpoints broken
[22:49:52] <TheSeven> try commenting the relevant parts of libemcore as a workaround
[22:53:15] <user890104> it's a ctrl_transfer
[22:53:38] <user890104> it probably fails at getting a descriptor
[22:55:01] <user890104> i've commented out self.bulk[in,out] = ep, but it still fails
[22:56:10] <TheSeven> if it would fail at getting a descriptor, it wouldn't get anywhere near that far
[22:56:22] <TheSeven> it failed after attempting the first bulk transaction
[22:56:27] <user890104> again at ctrl_transfer (triggered by getversioninfo)
[22:56:32] <TheSeven> so I guess it will work if you limit it to control only
[22:56:50] <user890104> http://paste.pm/raw/i3b
[22:57:06] <TheSeven> that was with the ipod already hung, right?
[22:58:00] <user890104> ah :)
[22:58:54] <user890104> sending it to you on skype
[23:05:44] <TheSeven> damn
[23:05:52] <TheSeven> no traces of sysinfo in there
[23:11:09] <user890104> i can try again
[23:11:32] <TheSeven> I need the string "nsrv" to be in there
[23:19:26] <user890104> can we patch norboot to jump to our usb stub after running the code you're interested in?
[23:22:35] <TheSeven> not easily
[23:23:06] <TheSeven> to do that we'd have to unpack and repack it, which is more effort than extracting the code in question in the first place
[23:23:25] <user890104> ah
[23:23:30] <TheSeven> any idea what "Mikey" might stand for? ("MikeyTask")
[23:23:55] <user890104> name of a developer :P
[23:24:08] <TheSeven> I've seen that turn up in multiple spots in apple firmwares, but never figured out what it means
[23:26:42] <TheSeven> full list of tasks that I've found: http://paste.pm/i3c.m (and MikeyTask is the one that data aborts)
[23:28:24] <user890104> task_USBAudioTask sounds interesting
[23:36:01] <TheSeven> could "Mikey" be the headphone remote?
[23:36:05] <TheSeven> that name would actually make sense...
[23:36:11] <TheSeven> and it would differentiate it from the 1g
[23:37:01] <user890104> http://bluemic.com/mikey_digital/
[23:37:05] <user890104> looks like you're right
[23:38:08] <TheSeven> not sure if that's related...
[23:38:10] <user890104> actually, http://bluemic.com/mikey_for_ipod/
[23:38:48] <user890104> MikeyTask == RecordingTask?
[23:39:41] <TheSeven> possibly
[23:41:03] <user890104> It works with the first three generations of the iPod touch, the second-through-fifth generations of the iPod nano, all iPod classics, the fifth generation iPod, and the iPhone 3GS and earlier.
[23:44:44] <TheSeven> hm, so it's *not* 3g specific
[23:51:22] * TheSeven spots some code that deals with postscript fonts
[23:57:01] <user890104> TheSeven: what are you disassembling at the moment?
[23:57:08] <TheSeven> 3g of
[23:57:22] <TheSeven> specifically the area that data aborts