How the first gen ipod was reverse engineered to run #Rockbox:
1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!
2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file, it would stick in this cycle.
(continues...)
daniel:// stenberg://
3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote an ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.
4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.
(..)
daniel:// stenberg://
5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.
6. Using this method, the USB controller memory mapped registers were found and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.
(...)
daniel:// stenberg://
7. The initial bootloader to load Rockbox was then just such a crafted HTML file that would load the correct firmware, and since it still worked after reboots it was a pretty neat hack.
8. Eventually the encryption key for the bootloader was found in the SRAM of the running device, and we could encrypt and create custom "real" bootloaders for the devices.
9. Rockbox would then boot and run natively on ipods.
The rest is history.
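The backlight-blink memory dump of step 5, as an added example that is not from the thread or from the Rockbox project: a simulated device-side encoder and the webcam-side decoder that turns per-frame brightness samples back into bytes. The pulse-width encoding, the pulse lengths in frames and the two-pulse calibration preamble are all assumptions; the thread does not say how the real stream was encoded.

```python
from itertools import groupby

# Pulse lengths in webcam frames. Assumed values, not from the thread.
SHORT, LONG, GAP = 2, 5, 2
PREAMBLE = (SHORT, LONG)  # one 0-pulse then one 1-pulse, lets the decoder self-calibrate

def _pulses_to_frames(pulses):
    """Turn ON-pulse lengths into one brightness sample per frame (1.0 lit, 0.0 dark)."""
    frames = []
    for on in pulses:
        frames += [1.0] * on + [0.0] * GAP
    return frames

def encode_bytes(data: bytes) -> list:
    """Device side: calibration preamble, then every byte MSB-first, one pulse per bit."""
    pulses = list(PREAMBLE)
    for byte in data:
        pulses += [LONG if (byte >> i) & 1 else SHORT for i in range(7, -1, -1)]
    return _pulses_to_frames(pulses)

def decode_frames(samples, threshold=0.5) -> bytes:
    """Webcam side: threshold each frame, measure lit-run lengths, rebuild the bytes."""
    lit = [s > threshold for s in samples]
    on_runs = [len(list(g)) for k, g in groupby(lit) if k]
    if len(on_runs) < 2:
        raise ValueError("no preamble found")
    cut = (on_runs[0] + on_runs[1]) / 2  # midpoint between a 0-pulse and a 1-pulse
    bits = [1 if n > cut else 0 for n in on_runs[2:]]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):  # drop a trailing partial byte
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

def add_jitter(frames, extra=1):
    """Constructed webcam timing jitter: every second lit run is stretched by `extra` frames."""
    out, seen = [], 0
    for k, g in groupby(frames, key=lambda s: s > 0.5):
        run = list(g)
        if k:
            seen += 1
            if seen % 2 == 0:
                run += [run[0]] * extra
        out += run
    return out

if __name__ == "__main__":
    dump = b"Rockbox"
    frames = encode_bytes(dump)
    print(len(frames), "frames for", len(dump), "bytes; decoded:", decode_frames(add_jitter(frames)))
```

The frame count printed for a handful of bytes, divided by a webcam's frame rate, shows why a few megabytes took so long over this channel.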
MrC
It's funny how many devices have been jailbroken by HTML/Javascript.
I hadn't heard the whole story for the iPod that's really cool.
David Buchanan
IPodNano2GPort < Main < Wiki
www.rockbox.org
CyberPunker
nice story!
Still using a Sansa Clip (+ I think) with Rockbox when I am out for a walk or have to use public transport, love it!
Mattias Wadman
The Sound of iPod
web.archive.org
Aral Balkan
“Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents.”
Bloody hell… wow.