Skip to main content

How the first gen ipod was reverse engineered to run #Rockbox:

1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!

2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.

(continues...)

#rockbox
This entry was edited (5 months ago)

reshared this

in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote a ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.

4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.

(..)

in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.

6. Using this method, the USB controller memory mapped registers were found and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.

(...)

in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

7. The initial bootloader to load Rockbox was then just such a crafted HTML file that would load the correct firmware, and since it still worked after reboots it was a pretty neat hack.

8. Eventually the encryption key for the bootloader was found in the SRAM of the running device, and we could encrypt and create custom "real" bootloaders for the devices.

9. Rockbox would then boot and run natively on ipods.

The rest is history.

in reply to daniel:// stenberg://

Wolf480pl
Wolf480pl
I think the html method is cooler, because if you screw up you can just delete the html file if something goes wrong
in reply to daniel:// stenberg://

srslypascal
srslypascal
This story sounds almost like curl started as a bootloader for Rockbox :D
in reply to daniel:// stenberg://

MrC
MrC

It's funny how many devices have been jailbroken by HTML/Javascript.

I hadn't heard the whole story for the iPod that's really cool.

in reply to daniel:// stenberg://

David Buchanan
David Buchanan
Was is definitely the first-gen that required this hack? I was under the impression that the first few generations (all those with portalplayer SoCs) had completely unencrypted bootloaders. I think the nano 2nd gen was the first one to put up a fight https://www.rockbox.org/wiki/IPodNano2GPort.html

IPodNano2GPort < Main < Wiki

www.rockbox.org
in reply to daniel:// stenberg://

CyberPunker
CyberPunker

nice story!

Still using a Sansa Clip (+ i think) with Rockbox when i am out for a walk or have to use public transport, love it!

in reply to daniel:// stenberg://

alf
alf
Awesome, thanks for sharing! I still have my sandisk player running RockBox. I used it back in the day as a backup music player when performing electronic music live sets, because it would play 24bit flac! Saved my ass more than once when my pc would crash in the middle of a set! :D
in reply to daniel:// stenberg://

spv
spv
i remember hearing about a hack using the piezo speaker to beep the contents
in reply to daniel:// stenberg://

will strafach
will strafach
I love this! in 2009, we did something very similar attempting to use an iBoot vulnerability in iPhoneOS to read back the binary for that version of iBoot, when we realized we could write to a certain address range to display RGBA values on the screen (32 bits per pixel)
in reply to daniel:// stenberg://

Joan Westenberg
Joan Westenberg
I find stories like this to be so interesting. And inspiring. Just the level of ingenuity from people who find the ways to hack this stuff together.
in reply to daniel:// stenberg://

Alex Markley :mbetv:
Alex Markley :mbetv:
this is really awesome. I had Rockbox on one of the later-gen iPods and used it as my daily driver for YEARS.
in reply to daniel:// stenberg://

Dan Neuman
Dan Neuman
I'm confused about which iPod you mean since I don't recall the first one being able to load HTML. Was that also a hack? I did load RockBox onto mine, but stopped using it when the headphone jack started cutting out. Now I don't know if I even have the FireWire charger for it.
in reply to daniel:// stenberg://

Jessica, the Lavender Mess
Jessica, the Lavender Mess

stories like these amaze me. Thanks for sharing

(Edited for typo)

This entry was edited (5 months ago)
in reply to daniel:// stenberg://

greatquux
greatquux
it was so awesome. gapless mp3 was great for listening to live shows, and i just had to throw them in alpha order in a folder, no worrying about how some custom firmware was going to interpret mp3 tags or sort things. copy files, go to the gym, and run and lift to awesome music on my sansa clip with #Rockbox!
#rockbox
in reply to daniel:// stenberg://

Sesquipedality
Sesquipedality
if I knew this at the time my mind has blanked the sheer horror. This is why I stuck to the high level stuff like UI and documentation.
This entry was edited (4 months ago)
in reply to daniel:// stenberg://

Anthony Lee
Anthony Lee
what? Are you talking about the iPod Touch? There is no web viewer on the iPods nor the first gen….
in reply to daniel:// stenberg://

Tim Ward ⭐🇪🇺🔶 #FBPE
Tim Ward ⭐🇪🇺🔶 #FBPE
... and we spend so much of our lives trying to avoid poison pills ... I fixed one only yesterday ...
in reply to daniel:// stenberg://

Aral Balkan
Aral Balkan

“Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents.”

Bloody hell… wow.

This entry was edited (4 months ago)