https://freemyipod.org/api.php?action=feedcontributions&feedformat=atom&user=Owixyzefreemyipod - User contributions [en]2026-04-06T12:42:02ZUser contributionsMediaWiki 1.45.1https://freemyipod.org/index.php?title=Classic_2G&diff=3272Classic 2G2010-11-23T23:05:49Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://efowozodije.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://efowozodije.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:classic_2g_frt_a.jpg|500px]]<br />
[[Image:classic_2g_bck_a.png|500px]]<br />
==Terminology==<br />
By iPod classic 2g we mean the second iPod with the 'classic' name. It was smaller than the 160GB version of the [[Classic_1G|Classic 1g]] and was only available with 120GB storage.<br />
<br />
==Components==<br />
Almost exactly the same hardware as the [[Classic 1G]], except that region A is populated. This presumably communicates with the new headphone/remote that Apple chose for this device to support.<br />
==Helpful pages==<br />
Teardowns:<br />
*http://www.chinaveboss.com/faq_info.html?faqs_id=53&amp;fcPath=1&amp;zenid=19755464b2fde0cb4f7a8877cfa6649c</div>Owixyzehttps://freemyipod.org/index.php?title=Classic_3G&diff=3270Classic 3G2010-11-23T23:05:25Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://otyxemydu.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://otyxemydu.co.cc CLICK HERE]=<br />
----<br />
</div><br />
No teardown pictures of the Classic 3G have been found yet. There is, however, [http://www.ilounge.com/index.php/news/comments/ipod-classic-160gb-changes-new-firmware-engraving/ a basic guide of the non-electronic differences] by iLounge. Since the model number is the same as the [[Classic 2G]], there probably aren't any worthwhile (if any) in the hardware.<br />
<br />
==Terminology==<br />
By iPod classic 3g we mean the re-introduced 160GB version of the classic which was announced on September 9 2009. It is the same size as the [[Classic 2G]].</div>Owixyzehttps://freemyipod.org/index.php?title=Talk:Hardware&diff=3269Talk:Hardware2010-11-23T23:05:24Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ehiqikag.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ehiqikag.co.cc CLICK HERE]=<br />
----<br />
</div><br />
http://www.13354833.cn/bbs/attachment.php?aid=287&amp;k=b8f98b64946025a383279e6ec475212f&amp;t=1223688783<br />
Meizu S5L8700 connection shematics. Seems to be really close to actual layout... Or maybe its not.</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_3G&diff=3268Nano 3G2010-11-23T23:05:13Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://aduratutuz.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://aduratutuz.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:nano_3g_frt_a.png|500px]]<br />
[[Image:nano_3g_bck_a.png|500px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 2<br />
| CPU<br />
| Samsung S5L8702<br />
| 337S3473 8702, NONBWOEC, 0731 ARM<br />
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702.<br />
|-<br />
| 3<br />
| SDRAM<br />
| [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI] or Qimonda HYE18M169CX75<br />
| 0728, C, HYE18M256, 169CX75, W3338092<br />
| SDRAM - Mobile DDR, 256Mb, 1.8V. WORK ON THIS: Like the flash chip, the memory also varies. The most popular chip seems to be the [http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]. Another similar one that is sometimes used is the Qimonda HYE18M169CX75<br />
|-<br />
| 5<br />
| Utility Flash<br />
| [http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
| V80B, 729379<br />
| Flash - NOR, 8Mb, Serial SPI<br />
|-<br />
| 6<br />
| NAND Flash<br />
| Varies<br />
| Samsung 728, K9HCG08U5M, PCB0, FCF285X1<br />
|<br />
|-<br />
| 1<br />
| Audio codec<br />
| WM1870<br />
| APPLE, 338S0462, 76BZKTM<br />
| <br />
|-<br />
| 4<br />
| Power manager<br />
| D1671B<br />
| 338S0408, 07258HAH<br />
| <br />
|}<br />
<br />
==Helpful pages==<br />
Chip analyses:<br />
*http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#<br />
Teardowns:<br />
*http://content.techrepublic.com.com/2346-13636_11-170826-1.html<br />
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-3rd-Generation/594/1<br />
*http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html<br />
*[http://www.combert-elec.com/www/bookpic/200810916515460624.jpg Image of 3G Nano board]</div>Owixyzehttps://freemyipod.org/index.php?title=User:Cmwslw&diff=3267User:Cmwslw2010-11-23T23:05:11Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://aluxyxenud.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://aluxyxenud.co.cc CLICK HERE]=<br />
----<br />
</div><br />
== ToDo ==<br />
# http://www.mobilehandsetdesignline.com/197800854<br />
# [[Talk:Bootstrapping sequence]], [[Talk:Firmware encryption]], 2G CPU of [[Hardware]]<br />
# Look over chronicdev wiki<br />
# Add DFU mode info (dfu-utils, Hardware manager)<br />
# Info about snooping RAM (FPGA, davidc)<br />
# Add info about bootrom and datasheet<br />
<br />
http://nxtpp.clustur.com/index.php?title=Bootstrapping_sequence&amp;oldid=1630<br />
http://nxtpp.clustur.com/index.php/Hardware</div>Owixyzehttps://freemyipod.org/index.php?title=Firmware&diff=3266Firmware2010-11-23T23:05:02Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://evicijum.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://evicijum.co.cc CLICK HERE]=<br />
----<br />
</div><br />
This article is about the different parts of the iPod's firmware. There is also a very basic analysis of the firmware headers. If you are trying to get a copy of the firmware files, please see [[Dumping firmware]] and [[Extracting firmware]]. NOTE: Please excuse the chaotic layout of this article. It is not very comprehensive, but it's still useful.<br />
==Nano 2G==<br />
===osos===<br />
This is the main firmware image of the iPod. This part has been encrypted ever since the iPod Nano 2G.<br />
[[Image:IN2G firmware osos header.png|thumb|caption]]<br />
[[Image:Firmware layout.png|150px]]<br />
===aupd===<br />
Here is a comparison between the different aupd partitions of firmware version in the iPod Nano 2G:<br />
[[Image:IN2G firmware aupd header.png|thumb|caption]]<br />
[[Image:IN2G cipher aupd diffs.png|500px]]<br />
===rsrc===<br />
This is the resource filesystem of the iPod firmware. It is unencrypted and of not much use to this project.<br />
==Nano 3G==<br />
The Nano 3G has the same ''osos'', ''aupd'', and ''rsrc'' sections as the Nano 2G, but it also has an added ''hash'' section. The ''hash'' section is populated with 0x1800 bytes of 0xFF.<br />
==Classic 1G (6G)==<br />
The Classic 1G has the same firmware structure as the Nano 3G. This makes sense because they were released at the same time.<br />
<br />
==Nano 4G==<br />
The Nano 4G kept the ''osos'' but all the old sections were removed. Instead, seven new sections were added:<br />
<br />
* Binaries<br />
** ''diag'' - Diagnostic mode. This depends on EFI modules being loaded so it can't be booted directly.<br />
** ''disk'' - Disk mode<br />
* Bitmaps<br />
** ''appl'' - Apple logo for booting<br />
** ''bdhw'' - Bad hardware image<br />
** ''bdsw'' - Bad software image (Use iTunes to restore)<br />
** ''lbat'' - Low battery image<br />
** ''chrg'' - Same as lbat but showing that the iPod is charging<br />
<br />
==Helpful pages==<br />
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf<br />
<br />
http://www.ipodlinux.org/wiki/Firmware</div>Owixyzehttps://freemyipod.org/index.php?title=User:Farthen&diff=3265User:Farthen2010-11-23T23:05:00Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://egyworene.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://egyworene.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Just a quick summary of me:<br />
<br />
I am from Germany and I can speak German, English and some (really not so much) French.<br />
I am the webmaster and server admin of this project. If you notice that the server is doing weird things please tell me about it.<br />
I have programming experience in Python and AVR ASM and i already did some minor stuff in ARM ASM, C, PHP and bash.<br />
I have an iPod nano 4g, downgraded to 1.0.3 of course.<br />
I found out about this project at June 2009 and I built the first real [[Nanotron 3000]] and was also the one to find the return address of the [[Nano 4G]].<br />
<br />
If you have questions to me, want to tell me that the irc bot is not behaving as it should or whatever: Just ask on the [[User_talk:Farthen|talk page]], on [[Contact|irc]] or through the [[Contact|mailing list]].</div>Owixyzehttps://freemyipod.org/index.php?title=User_talk:Wolftail&diff=3264User talk:Wolftail2010-11-23T23:04:51Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://azysijogen.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://azysijogen.co.cc CLICK HERE]=<br />
----<br />
</div><br />
PS: If anyone will read this... Is it possible to update the 1G Classic (160GB) to the 2.0.x firmware of the 2G/3G Classic? (I know that the hardware is almost a perfect match.) I think it could be done by getting an image of the HDD of an iPod Classic with the new software and overwrite it to the older one. Has anyone tried this? Can it be done?<br />
<br />
Thank You very much for all your work!<br />
<br />
:Yes, this should be possible and in fact we have done something similar with the 4G. One time we copied the contents of a 8GB Nano 4G and gave it to me to put on my 16GB Nano 4G. It booted fine. But the thing is the Classic 2G has some headphone hardware that the 1G does not, and this could cause a crash when booting or using. We are more interested in copying the Classic 2G firmware to the Classic 3G since the 3G ships with firmware that has the notes vulnerability patched. [[User:Cmwslw|Cmwslw]] 05:18, 16 August 2010 (UTC)<br />
<br />
Thanks for the quick reply! I know about the headphone difference but I still hope that those really tiny chips that are added on the motherboard of the Classic 2G aren't so important that the OS will crash without them. I believe that porting new features to iPods via the original firmware if possible should also be included in this wiki. I do also understand that porting Rockbox on the new iPods is of higher priority and just hope that someone will find some spare time for this. [[User:Wolftail|Wolftail]] 12:55, 16 August 2010 (UTC)</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_4G&diff=3263Nano 4G2010-11-23T23:04:38Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://yhenaju.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://yhenaju.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:nano_4g_frt_a.png|500px]]<br />
[[Image:nano_4g_bck_a.png|500px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 2<br />
| CPU<br />
| Samsung S5L8720<br />
| 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831<br />
| ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. [http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware) Here] is a very interesting page about the S5L8720 processor.<br />
|-<br />
| <br />
| SDRAM<br />
| <br />
|<br />
| 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.<br />
|-<br />
| 4<br />
| Accelerometer<br />
| [http://www.st.com/stonline/products/families/sensors/motion_sensors/lis331dl.htm LIS331DL]<br />
| 33DL, 2827<br />
| The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.<br />
|-<br />
| 6<br />
| NAND Flash<br />
| Varies<br />
| TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE<br />
|<br />
|-<br />
| 5<br />
| Audio codec<br />
| Probably Cirrus<br />
| 338S055C, 189N0824, SGP<br />
| I determined this because the [[Nano 5G]] has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air.<br />
|-<br />
| 1<br />
| Power manager<br />
| D1759<br />
| 338S0687-AC, 08288HBB<br />
| <br />
|-<br />
| 3<br />
| <br />
| <br />
|<br />
| <br />
|}<br />
<br />
==Helpful pages==<br />
Teardowns:<br />
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-4th-Generation/584/1<br />
Other:<br />
*http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)</div>Owixyzehttps://freemyipod.org/index.php?title=Nano2G_clock_gates&diff=3262Nano2G clock gates2010-11-23T23:04:32Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://utugijynure.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://utugijynure.co.cc CLICK HERE]=<br />
----<br />
</div><br />
(State: When taking over from norboot, IIRC, needs verification. Beware: 1 = Masked, 0 = Running!)<br />
<br />
===PWRCON===<br />
{| class="wikitable"<br />
! Bit !! State !! Meaning<br />
|-<br />
| 31<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 30<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 29<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 28<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 27<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 26<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 25<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 24<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 23<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 22<br />
| 0<br />
| RTC? (Datasheet)<br />
|-<br />
| 21<br />
| 0<br />
| SDRAM? (Datasheet)<br />
|-<br />
| 20<br />
| 0<br />
| ECC (Datasheet mismatch, proven to be ECC)<br />
|-<br />
| 19<br />
| 1<br />
| ATA? (Datasheet)<br />
|-<br />
| 18<br />
| 1<br />
| LCD? (Datasheet)<br />
|-<br />
| 17<br />
| 1<br />
| DSP? (Datasheet)<br />
|-<br />
| 16<br />
| 0<br />
| USBHOST? (Datasheet)<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 15<br />
| 0<br />
| USBFUNC? (Datasheet)<br />
|-<br />
| 14<br />
| 1<br />
| USB PHY<br />
|-<br />
| 13<br />
| 1<br />
| RTC? (Datasheet)<br />
|-<br />
| 12<br />
| 1<br />
| CHIPID? (Datasheet)<br />
|-<br />
| 11<br />
| 0<br />
| GPIO? (Datasheet)<br />
|-<br />
| 10<br />
| 0<br />
| ADC? (Datasheet)<br />
|-<br />
| 09<br />
| 1<br />
| SPI? (Datasheet)<br />
|-<br />
| 08<br />
| 1<br />
| UART? (Datasheet)<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 07<br />
| 1<br />
| SPDIF? (Datasheet)<br />
|-<br />
| 06<br />
| 0<br />
| I2S (Datasheet, verified)<br />
|-<br />
| 05<br />
| 0<br />
| I2C (Datasheet, verified)<br />
|-<br />
| 04<br />
| 0<br />
| TIMER (Datasheet, verified)<br />
|-<br />
| 03<br />
| 0<br />
| MEMSTICK? (Datasheet)<br />
|-<br />
| 02<br />
| 0<br />
| SDC/MMC? (Datasheet)<br />
|-<br />
| 01<br />
| 0<br />
| FMC? (Datasheet)<br />
|-<br />
| 00<br />
| 0<br />
| LCDC? (Datasheet)<br />
|}<br />
<br />
<br />
===PWRCONEXT===<br />
{| class="wikitable"<br />
! Bit !! State !! Meaning<br />
|-<br />
| 31<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 30<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 29<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 28<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 27<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 26<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 25<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 24<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 23<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 22<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 21<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 20<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 19<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 18<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 17<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 16<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 15<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 14<br />
| 0<br />
| Probably a padding bit<br />
|-<br />
| 13<br />
| 1<br />
| Unknown<br />
|-<br />
| 12<br />
| 0<br />
| Unknown, but needs to be powered on<br />
|-<br />
| 11<br />
| 1<br />
| USB OTG<br />
|-<br />
| 10<br />
| 1<br />
| AES unit<br />
|-<br />
| 09<br />
| 1<br />
| Unknown<br />
|-<br />
| 08<br />
| 1<br />
| Unknown<br />
|-<br />
| <br />
| <br />
| <br />
|-<br />
| 07<br />
| 0<br />
| LCD SPI I/F<br />
|-<br />
| 06<br />
| 0<br />
| NAND/FMC<br />
|-<br />
| 05<br />
| 1<br />
| Unknown<br />
|-<br />
| 04<br />
| 1<br />
| Unknown<br />
|-<br />
| 03<br />
| 1<br />
| Unknown<br />
|-<br />
| 02<br />
| 1<br />
| Hashing unit<br />
|-<br />
| 01<br />
| 1<br />
| Unknown<br />
|-<br />
| 00<br />
| 0<br />
| Clickwheel?<br />
|}</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_1G&diff=3260Nano 1G2010-11-23T23:04:21Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://yzobiwysac.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://yzobiwysac.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:nano_1g_frt_a.png|500px]]<br />
[[Image:nano_1g_bck_a.png|500px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 4<br />
| CPU<br />
| Portal Player PP5021C-TDF<br />
| PP5021C-TDF, L9A0633, U0530 Logo, WYH30113.1, TAIWAN<br />
| This is the last Nano that used a PortalPlayer processor before Apple started using Samsung. If anybody knows of a datasheet for this, please add a link to it.<br />
|-<br />
| 5<br />
| SDRAM<br />
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&amp;partnum=K4M56163PG Samsung K4M56163PG]<br />
| SEC534 BG75, K4M56163PG, AQF061WX<br />
| A datasheet for this Mobile SDRAM chip can be found [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here].<br />
|-<br />
| 10<br />
| Utility Flash<br />
| [http://www.sst.com/products/?inode=41856 SST39WF400A]<br />
| SST39WF400A, 90-4C-C1QE, 0528149A<br />
| This chip is documented very well. A similar chip is on the [[Nano 2G]].<br />
|-<br />
| 1<br />
| NAND Flash<br />
| Varies<br />
|<br />
|<br />
|-<br />
| 2<br />
| Click wheel controller<br />
| CY8C21434<br />
| CPMCYP, 6360A 02, K0R0512, 610881<br />
|<br />
|-<br />
| 3<br />
| ATA flash disk controller<br />
| SST5SLD019K<br />
| Logo, 55LD019K, 45-C-MWE, 0528071-A4<br />
| <br />
|-<br />
| 6<br />
| Audio codec<br />
| WM8975G<br />
| WM8975G, 56AGVF4<br />
| <br />
|-<br />
| 7<br />
| Step down regulator<br />
| LM34910<br />
| JM54RE, 34910SD<br />
| <br />
|-<br />
| 8<br />
| Power manager<br />
| PCF50607<br />
| CF50607, 605940, Bug528, 23e/N1Y<br />
| <br />
|-<br />
| 9<br />
| USB charging<br />
| LTC4066<br />
| Logo, 5F, 4066, N7537<br />
| <br />
|}<br />
<br />
==Helpful pages==<br />
Chip analyses:<br />
*http://www2.electronicproducts.com/Apple_iPod_nano-whatsinside-2.aspx<br />
Teardowns:<br />
*http://arstechnica.com/apple/reviews/2005/09/nano.ars/4<br />
*[http://pc.watch.impress.co.jp/docs/2005/0908/nano21.jpg Image of the 1G Nano board]<br />
*[http://www.ipodlinux.org/wiki/Generations#iPod_Nano_.28Nano1G.29] - See the pictures listed<br />
Other:<br />
*http://www.ipodlinux.org/wiki/Generations</div>Owixyzehttps://freemyipod.org/index.php?title=Nano2G_HW_analysis&diff=3259Nano2G HW analysis2010-11-23T23:04:12Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://evicijum.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://evicijum.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[File:Top_annote.jpg|200px|thumb|Top layer, including JTAG]]<br />
[[File:Bot_annote.jpg|200px|thumb|Bottom layer]]<br />
[[File:2G_frt_annotation.png|300px]]<br />
[[File:2G_bck_annotation.png|300px]]<br />
== previous work ==<br />
<br />
See [[Nano 2G]].<br />
<br />
== SOC analysis ==<br />
<br />
[[S5L8701_analysis]]<br />
<br />
== Circuit analysis ==<br />
<br />
After desoldering all components, the circuit was analyzed with a continuity tester.<br />
<br />
Small test needles (nailbed needles are great) were used for contacting.<br />
<br />
For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.<br />
<br />
Not all connection were routed, mainly the connections to the S5L8701 SOC.<br />
<br />
Results are a [http://f4eru.free.fr/8701/ detailed pinout of the 8701]<br />
<br />
See also [[S5L8701_analysis]].<br />
<br />
== JTAG ==<br />
<br />
The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later)<br />
There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).<br />
<br />
But now we have the locations of the pins : see picture [[Image:Top_annote.jpg|40px|thumb|pin locations]].<br />
<br />
The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).<br />
<br />
After connecting a xilinx parallel cable, and installing openwince, we can try to connect to the JTAG :<br />
<br />
'''The screen freezes directly when we use the JTAG.''' This seems to be a protection against hackers, but it could also be an issue with openocd.<br />
In fact, the ARM 940T processor is still fully functionnal, but it gets disconnected from the main bus, all memories are not reachable any more. The only memory preserved are the Data and instruction caches.<br />
<br />
== JTAG cache dumps ==<br />
<br />
As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (Dcache only can be dumped, the Icache can only give the indexes).<br />
<br />
We used some [http://f4eru.free.fr/8701/openocd_config.zip openocd and bash scripts]. The command "dc" dumps the Dcache, "ic" shows the icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at [http://f4eru.free.fr/8701/openocd_config.zip dumpsoorter.py]).<br />
<br />
<br />
<br />
Please note that the DLC5 cable was modified to include a nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTrst was simply tied to the 3.0V power supply, it is just not necessary.<br />
Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the ipod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.<br />
<br />
[http://f4eru.free.fr/8701/dump_example.txt Dump example]<br />
<br />
== getting code execution ? ==<br />
<br />
[[Notes_exploit]]</div>Owixyzehttps://freemyipod.org/index.php?title=User_talk:Farthen&diff=3258User talk:Farthen2010-11-23T23:04:11Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ekygelymib.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://ekygelymib.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Feel free to ask questions to me on this page. You can also contact me through mailinglist or irc, see my [[User:Farthen|user page]] for details. --[[User:Farthen|Farthen]] 01:46, 22 August 2009 (UTC)</div>Owixyzehttps://freemyipod.org/index.php?title=User:Wolftail&diff=3256User:Wolftail2010-11-23T23:04:06Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://eludevyvema.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://eludevyvema.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Hey, there!<br />
<br />
My name is Lala IonuČ›, I live in Romania and I own an iPod Classic 1G (160GB) and can't wait for Rockbox and/or iPodLinux to be available for it. I am willing to do non-destructive testing in order to help the project.</div>Owixyzehttps://freemyipod.org/index.php?title=User_talk:Cmwslw&diff=3255User talk:Cmwslw2010-11-23T23:03:58Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ukusypumi.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://ukusypumi.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Hello,i write this to tell you that the no.5 chip on the nano4 board should be a display ic,i have removed this ic and the wires under it connects to the lcd jack..sorry for my poor english<br />
:Thanks for the correction. If you still have the iPod open, could you give me the markings on the #3 chip? I haven't found any scans that are detailed enough. [[User:cmwslw|cmwslw]] 0:17, 31 June 2010 (UTC)<br />
Hello,I checked the nano4 board again just now,and the wires under NO.5 connects both to LCD jack and Earphone jack..(I'm sure,they are not the GND pins,so maybe NO.5 is a multimedia chip?...)<br />
And...I can't find out the detail about NO.3 chip,it don't connect to LCD or earphone(maybe due to the broken board).<br />
I also took two photos(nano4 board with all chips removed),but the quality is low,the only camera i can use is 3GS...<br />
I have many broken ipod boards, if you have any problems about chips on them,send message to me~I can dump them and take photos...<br />
Here are the link:<br />
<br />
Board Back <br />
http://i3.6.cn/cvbnm/ce/c5/f6/01e1e35641a4b8fde7822545b20c6a5c.jpg<br />
<br />
Board Front <br />
http://i3.6.cn/cvbnm/46/be/95/bb99569adee431472c299026bd8a0136.jpg<br />
<br />
Dumped CPU <br />
http://i3.6.cn/cvbnm/c0/24/e3/fa8d051d5d2b1f50be46428010d73512.jpg</div>Owixyzehttps://freemyipod.org/index.php?title=Firmware_downgrading&diff=3253Firmware downgrading2010-11-23T23:03:50Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://uwujojedeh.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://uwujojedeh.co.cc CLICK HERE]=<br />
----<br />
</div><br />
This is a simple guide to Firmware downgrading with iTunes 8+ without losing Music from the iPod (this is NO warranty, backup your data if it's valuable to you!!!)<br />
<br />
First you need the correct firmware file.<br />
You need to put the firmware file in a folder, then open iTunes, connect your iPod and go to the status page. Shift-Click on the "Check now" or "Update" button near the "Restore" button. Now select your firmware and wait until it gets downgraded.<br />
<br />
==Firmware Files==<br />
The 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] for the instructions above.</div>Owixyzehttps://freemyipod.org/index.php?title=Chronology&diff=3252Chronology2010-11-23T23:03:18Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://exowufo.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://exowufo.co.cc CLICK HERE]=<br />
----<br />
</div><br />
This page list all models of iPods and set the naming of it. So that, on this wiki, or on IRC nobody can be confused with what we are speaking about. Please also refer to Apple's [http://support.apple.com/kb/HT1353 Identifying iPod Models]" page<br />
<br />
==iPod Series==<br />
<br />
{| class="wikitable"<br />
! Model !! Introduced !! Capacity !! Notes <br />
|-<br />
| [http://support.apple.com/kb/HT1353#scrollwheel 1G] <br />
| 2001-10<br />
| 5 GB or 10 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#touchwheel 2G]<br />
| 2002-07 <br />
| 10 GB or 20 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#dockconnector 3G] <br />
| 2003-04<br />
| 10 GB, 15 GB, 20 GB, 30 GB, or 40 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#clickwheel 4G (Greyscale)]<br />
| 2004-07<br />
| 20 GB or 40 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodphoto 4G (Color)]<br />
| 2004-10<br />
| 20 GB, 30 GB, or 60 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodfifth 5G (Video)]<br />
| 2005-10<br />
| 30 GB or 60 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodfifth2 5.5G (Video)]<br />
| 2006-09<br />
| 30 GB or 80 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodclassic (6G) Classic 1G]<br />
| 2007-09<br />
| 80 GB or 160 GB<br />
| Encryption starts<br />
|-<br />
| [http://support.apple.com/kb/HT1353#iPod_classic_120GB (6G) Classic 2G]<br />
| 2008-09<br />
| 120 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#iPod_classic_160GB (6G) Classic 3G]<br />
| 2009-09<br />
| 160 GB<br />
|<br />
|}<br />
<br />
==iPod Nano Series==<br />
<br />
{| class="wikitable"<br />
! Model !! Introduced !! Capacity !! Notes <br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodnano Nano 1G]<br />
| 2005-09<br />
| 1 GB, 2 GB, or 4 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodnano2 Nano 2G]<br />
| 2006-09<br />
| 2 GB, 4 GB, or 8 GB<br />
| Encryption starts<br />
|-<br />
| [http://support.apple.com/kb/HT1353#ipodnano3 Nano 3G]<br />
| 2007-09<br />
| 4 GB or 8 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#iPod_nano_4th_generation Nano 4G]<br />
| 2008-09<br />
| 8 GB or 16 GB<br />
|<br />
|-<br />
| [http://support.apple.com/kb/HT1353#iPod_nano5G Nano 5G]<br />
| 2009-09<br />
| 8 GB or 16 GB<br />
|<br />
|-<br />
| Nano 6G<br />
| 2010-09<br />
| 8 GB or 16 GB<br />
| Multi-Touch display<br />
|}<br />
<br />
==Timeline==<br />
[[Image:IPod Timeline.png|800px|The timeline of iPod releases (from Wikipedia)]]<br />
<br />
==The Motive==<br />
Understanding the mindset and motives behind Apple is key to understanding how and why the iPod was encrypted. While many people believe that the iPod was encrypted to put an end to iPodLinux and Rockbox, the main reason for the encryption was to thwart third-party imitators. Apple was not as concerned with iPodLinux and Rockbox because people were still buying their (overpriced) hardware, and therefore still generating profits. The main reason was because there were many imitations that replicated the hardware and ran the exact firmware that was run on normal iPods. This was a major drain of money for Apple. Another reason was that the DRM mechanism in the unencrypted firmware was being hacked. This allowed pirated content like games to be run without being bought.<br />
==The Response==<br />
Since Apple was losing money from the iPod imitators, they encrypted the firmware so the iPod clones could no longer use Apple firmware on their devices. There are still iPod clones out there (just search eBay), but very few use the Apple firmware anymore. Apple has encrypted all of their portable devices since the iPod Nano 2G.<br />
==The Change==<br />
In order to stop the fake iPods from using their firmware, Apple encrypted the firmware so only their devices could decrypt it. Apple changed their processor to Samsung and no longer used PortalPlayer.<br />
==Helpful Pages==<br />
http://support.apple.com/kb/HT1353</div>Owixyzehttps://freemyipod.org/index.php?title=EmBIOS_Monitor_Protocol&diff=3251EmBIOS Monitor Protocol2010-11-23T23:02:58Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ehyloxame.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://ehyloxame.co.cc CLICK HERE]=<br />
----<br />
</div><br />
This article describes the USB communcation protocol of emBIOS monitor.<br />
<br />
<br />
== Endpoints ==<br />
<br />
The emBIOS Monitor interface contains 4 bulk endpoints, in the following order:<br />
* Command OUT Endpoint<br />
* Command IN Endpoint<br />
* Data OUT Endpoint<br />
* Data IN Endpoint<br />
<br />
If not stated otherwise, everything is little endian.<br />
<br />
<br />
== General Structure ==<br />
Each packet send to the Command OUT Endpoint has a 16 byte header. The first 4 bytes, interpreted as a 32bit little endian word, contain the command ID. The meaning of the other bytes depends on the command. For commands that send data to the device, it will immediately follow that header.<br />
<br />
After sending a packet to the Command OUT Endpoint, listen on the Command IN Endpoint for a response. The response also has a 16 byte header, followed by an optional data stage, depending on the command. The first 4 bytes of the header, interpreted as a 32bit word, is the status code, the meaning of the other bytes depends on the command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Status Codes<br />
|-<br />
! Status Code !! Description<br />
|-<br />
| style="text-align:right" | 0 || Invalid response, you should bail out when receiving this<br />
|-<br />
| style="text-align:right" | 1 || OK (everything went fine)<br />
|-<br />
| style="text-align:right" | 2 || Command not supported<br />
|-<br />
| style="text-align:right" | 3 || Device is busy, retry later (another asynchronous command is already running)<br />
|-<br />
|}<br />
<br />
<br />
== Commands ==<br />
<br />
=== 0: Invalid ===<br />
Never issue this command. It will be rejected with status code 2.<br />
<br />
<br />
=== 1: Get device information ===<br />
Use this command to figure out various device properties.<br />
<br />
==== Get version information ====<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (0)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || SVN Revision Number<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 1 || Major version<br />
|-<br />
| style="text-align:right" | 9 || style="text-align:right" | 1 || Minor version<br />
|-<br />
| style="text-align:right" | 10 || style="text-align:right" | 1 || Patch version<br />
|-<br />
| style="text-align:right" | 11 || style="text-align:right" | 1 || Software Type ID<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Device Type ID<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Software Types<br />
|-<br />
! Software Type ID !! Description<br />
|-<br />
| style="text-align:right" | 0 || invalid<br />
|-<br />
| style="text-align:right" | 1 || emBIOS Debugger<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Hardware Types<br />
|-<br />
! Device Type ID !! Description<br />
|-<br />
| style="text-align:right" | 0 || invalid<br />
|-<br />
| style="text-align:right" | 0x47324e49 || iPod Nano 2G<br />
|-<br />
| style="text-align:right" | 0x47334e49 || iPod Nano 3G<br />
|-<br />
| style="text-align:right" | 0x47344e49 || iPod Nano 4G<br />
|-<br />
| style="text-align:right" | 0x4c435049 || iPod Classic<br />
|-<br />
|}<br />
<br />
==== Get packet size information ====<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (1)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 2 || Maximum Command OUT Endpoint packet size<br />
|-<br />
| style="text-align:right" | 6 || style="text-align:right" | 2 || Maximum Command IN Endpoint packet size<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Maximum Data OUT Endpoint packet size<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Maximum Data IN Endpoint packet size<br />
|-<br />
|}<br />
<br />
<br />
==== Get user memory address range ====<br />
Provides information about the range of memory not used by emBIOS itself.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Requested information type (2)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lower bound (inclusive) of the usable memory range<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Upper bound (exclusive) of the usable memory range<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 2: Reset ===<br />
Reboot the device.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (2)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Reboot forcibly (0) / Reboot gracefully (1)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
Graceful reboots are asynchronous commands. Forced reboots won't send a response packet before rebooting.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
The response indicates that the request has been acknowledged, however there might be substantial delay before device actually reboots.<br />
<br />
<br />
=== 3: Power off ===<br />
Power the device off.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (3)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Type: Power off forcibly (0) / Shut down gracefully (1)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
Both variants are asynchronous commands.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
The response indicates that the request has been acknowledged, however there might be substantial delay before device actually powers off.<br />
<br />
<br />
=== 4: Read memory ===<br />
Use this command to read small amouts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (4)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from memory<br />
|-<br />
|}<br />
<br />
<br />
=== 5: Write memory ===<br />
Use this command to write small amouts of memory through the command pipe. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (5)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to write<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 6: Read memory using DMA ===<br />
Use this command to read large amouts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data IN Endpoint packet size.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (6)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
After receiving the response, read the requested data from the Data IN Endpoint.<br />
<br />
<br />
=== 7: Write memory using DMA ===<br />
Use this command to read large amouts of memory through the data pipe. You may not request a transfer that would exceed the maximum Data OUT Endpoint packet size.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (7)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to write to<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
After receiving the response, send the data to be written to the Data OUT Endpoint.<br />
<br />
<br />
=== 8: Read from I2C device ===<br />
Use this command to read from an I2C slave. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (8)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index<br />
|-<br />
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)<br />
|-<br />
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device<br />
|-<br />
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be read (0 means 256)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
I2C transactions are asynchronous commands.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read from the I2C device (undefined if the status code is not 1)<br />
|-<br />
|}<br />
<br />
<br />
=== 9: Write to I2C device ===<br />
Use this command to write to an I2C slave. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header) or 255 bytes (excluding the header), whichever is smaller.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (9)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 1 || I2C bus index<br />
|-<br />
| style="text-align:right" | 5 || style="text-align:right" | 1 || I2C slave address (in the upper 7 bits)<br />
|-<br />
| style="text-align:right" | 6 || style="text-align:right" | 1 || Start address on the I2C device<br />
|-<br />
| style="text-align:right" | 7 || style="text-align:right" | 1 || Number of bytes to be written (0 means 256)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The data to be written to the I2C device<br />
|-<br />
|}<br />
<br />
I2C transactions are asynchronous commands.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1 or 3)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
=== 10: Read from the USB console ===<br />
Use this command to get data written to the USB console. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).<br />
<br />
As long as the console application is running, make sure to issue this request at least once a second. Otherwise the console might start dropping data and inserting an "\n\n[overflowed]\n\n" mark. If you can't receive any data but need to keep the console from dropping data, issue zero-length read requests.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (10)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes requested<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of valid response bytes<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console read buffer<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still waiting in the on-device USB console read buffer<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || Valid console data padded with undefined data to meet the requested size<br />
|-<br />
|}<br />
<br />
<br />
=== 11: Write to the USB console ===<br />
Use this command to write data to the USB console. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (11)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes to be written<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Actual number of bytes written (the remainder will have to be resent)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the on-device USB console write buffer<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes still free in the on-device USB console write buffer<br />
|-<br />
|}<br />
<br />
<br />
=== 12: Write to device's consoles ===<br />
Use this command to write data to one or more of the consoles. This is equivalent to the cwrite system call. You may not request a transfer that would exceed the maximum Command OUT Endpoint packet size (including the header).<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (12)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be written to<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be written<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || Data to be written<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 13: Read from device's consoles ===<br />
Use this command to read data from one or more of the consoles. This is equivalent to the cread system call. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header). This command will '''not''' block until there is data available.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (13)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be read from<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes to be read<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Number of bytes actually read<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The data read, padded with undefined data to meet the requested size<br />
|-<br />
|}<br />
<br />
<br />
=== 14: Flush device's console buffers ===<br />
Use this command to flush one or more console's buffers. This is equivalent to the cflush system call.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (14)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Bitmask of consoles to be flushed<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 15: Get process information ===<br />
Use this command to obtain the current state of the scheduler. You may not request a transfer that would exceed the maximum Command IN Endpoint packet size (including the header).<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (15)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Offset of first byte requested<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Number of bytes requested<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Process information struct version (incremented each time the format changes)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Total size of the process information table<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Undefined<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | variable || The requested data, padded with undefined data to meet the requested size, if it exceeds bounds<br />
|-<br />
|}<br />
<br />
=== 16: (Un)Freeze scheduler ===<br />
Use this command to prevent execution of userspace code on the device while dumping or manipulating critical data.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (16)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Lock (1) or unlock (0) the scheduler<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Locked (1) or unlocked (0)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined<br />
|-<br />
|}<br />
<br />
=== 17: (Un)Suspend thread ===<br />
Suspend or resume a thread<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (17)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Suspend (1) or resume (0) the thread<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Thread ID<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Previous state: Suspended (1) or running (0)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined<br />
|}<br />
<br />
=== 18: Kill thread ===<br />
Kill a thread<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (18)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Thread ID<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 19: Create thread ===<br />
Create a new thread. This command uses an extended command size of 32 bytes.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (19)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Pointer to thread name or NULL<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Pointer to entry point of the new thread<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Pointer to stack of the new thread<br />
|-<br />
| style="text-align:right" | 16 || style="text-align:right" | 4 || Size of the new thread's stack in bytes<br />
|-<br />
| style="text-align:right" | 20 || style="text-align:right" | 4 || Type: User thread (0) or system thread (1)<br />
|-<br />
| style="text-align:right" | 24 || style="text-align:right" | 4 || Priority of the new thread (1-255)<br />
|-<br />
| style="text-align:right" | 28 || style="text-align:right" | 4 || Initial state: Ready (1) or suspended (0)<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || ID of the created thread (positive) or error code (negative)<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 20: Flush CPU caches ===<br />
Flushes the CPU's instruction and data caches<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (20)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 21: Execute image ===<br />
Executes an emBIOS executable image. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (21)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the image to be executed is located<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1, does not mean it actually succeeded)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || The return code of execimage(). Use this to check for success.<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 22: Read raw boot flash ===<br />
Reads raw data from the boot flash to RAM. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (22)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to copy the data to<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to read from<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 23: Write raw boot flash ===<br />
Writes raw data to the boot flash. Don't call this unless you really know what you're doing. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (23)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address to read from<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Bootflash address to write to<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Number of bytes to be copied (must be an integer multiple of the boot flash width)<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 24: Execute firmware ===<br />
Executes a firmware image at the specified address. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (24)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address where the firmware image to be booted is located<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 8 || Should be zero<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 25: Hardware key AES ===<br />
Encrypt or decrypt a buffer using a hardware key. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (25)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 1 || Decrypt (0) / Encrypt (1)<br />
|-<br />
| style="text-align:right" | 5 || style="text-align:right" | 1 || Should be zero<br />
|-<br />
| style="text-align:right" | 6 || style="text-align:right" | 2 || Hardware key index<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Memory address of the buffer to be encrypted/decrypted<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Size of the buffer to be encrypted/decrypted<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}<br />
<br />
<br />
=== 26: HMAC-SHA1 ===<br />
Generate a HMAC-SHA1 hash of a buffer. This is an asynchronous command.<br />
<br />
{| class="wikitable prettytable"<br />
|+ Command Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Command ID (26)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 4 || Memory address of the buffer to be hashed<br />
|-<br />
| style="text-align:right" | 8 || style="text-align:right" | 4 || Size of the buffer to be hashed<br />
|-<br />
| style="text-align:right" | 12 || style="text-align:right" | 4 || Destination address where the hash is stored<br />
|-<br />
|}<br />
<br />
{| class="wikitable prettytable"<br />
|+ Response Packet<br />
|-<br />
! Offset !! Size (bytes) !! Description<br />
|-<br />
| style="text-align:right" | 0 || style="text-align:right" | 4 || Status Code (1)<br />
|-<br />
| style="text-align:right" | 4 || style="text-align:right" | 12 || Undefined<br />
|-<br />
|}</div>Owixyzehttps://freemyipod.org/index.php?title=S5L8700_datasheet&diff=3249S5L8700 datasheet2010-11-23T23:02:50Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://uvetysudema.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://uvetysudema.co.cc CLICK HERE]=<br />
----<br />
</div><br />
The datasheet for the S5L8700X was found [http://rapidshare.com/files/101234522/S5L8700X-DS.pdf.html here]. It matches the [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=136&amp;partnum=K4M56163PG official Samsung 8700 info page]. The datasheet describes every pin (page 1-5) and instruction (page 3-1) of the 8700 series in detail. The pin locations described in the datasheet are not the actual locations for the iPod's [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/226_FBGA_0909_08_05.pdf 226-pin FBGA] version.<br />
==Helpful pages==<br />
http://www.samsung.com/global/business/semiconductor/support/PackageInformation/download_FBGA.html<br />
<br />
http://www.rockbox.org/twiki/bin/view/Main/SamsungSA58#SA58700_codename_Blues<br />
<br />
http://www.meizume.com/rockbox/5797-technical-information-s5l8700x07-sip.html</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_5G&diff=3248Nano 5G2010-11-23T23:02:31Z<p>Owixyze: </p>
<hr />
<div>=[http://ozoqemuvo.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
[[Image:nano_5g_frt_a.png|500px]]<br />
[[Image:nano_5g_bck_a.png|500px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 2<br />
| CPU<br />
| Samsung S5L8730<br />
| 339S0081 ARM, K4X51323PG-UGC6, EDE168AG 0928, APL0378A00, N1X2XW 0931<br />
| Printed backwards on the chip - how sneaky.<br />
|-<br />
| <br />
| SDRAM<br />
| <br />
|<br />
| Integrated into the processor, similar to the iPod Touch and iPhone lines.<br />
|-<br />
| 8<br />
| NAND Flash<br />
| Various 8/16 GB chips<br />
| TH58NVG6D2ELA49, ID8038, TAIWAN, 09299AE<br />
| One example is TH58NVG6D2ELA49 visible on the iFixit Teardown<br />
|-<br />
| 1<br />
| Power manager<br />
| Probably Dialog<br />
| 338S0707, -AD, 09278HGZ<br />
| Similar looking and named chips like this have been power managers. Apple uses chips like these in just about every device.<br />
|-<br />
| 3<br />
| <br />
| <br />
| <br />
| <br />
|-<br />
| 4<br />
| <br />
| <br />
| <br />
| <br />
|-<br />
| 5<br />
| Audio codec<br />
| Cirrus Logic CLI1480A<br />
| 338S0559, ATWV0926, SGP<br />
| Also found in the Touch 3G. Stereo CODEC w/ Headphone and Speaker Amp<br />
|-<br />
| 6<br />
| Accelerometer<br />
| [http://www.st.com/stonline/products/literature/ds/15102/lis331dlm.htm LIS331DLM]<br />
| 33DM, 2910<br />
| The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.<br />
|-<br />
| 7<br />
| <br />
| <br />
| 0630, CK9Y, 925<br />
| <br />
|}<br />
<br />
==Helpful pages==<br />
Teardowns:<br />
*http://www.ifixit.com/Teardown/iPod-nano-5th-Generation-Teardown/1157<br />
Other:<br />
*http://purpleskank.wikidot.com/ipod-nano-5g<br />
*http://www.ubmtechinsights.com/reports-and-subscriptions/device-library/Device-Profile/?SINumber=23271</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_2G&diff=3247Nano 2G2010-11-23T23:02:29Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://uvetysudema.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://uvetysudema.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:nano_2g_frt_a.jpg|300px]]<br />
[[Image:nano_2g_bck_a.jpg|300px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 1<br />
| CPU<br />
| Samsung S5L8701<br />
|337S32918701, N042DQS, 0636 ARM<br />
| System On Chip (SoC), includes ARM940T central processor, advanced DSP, 50kB boot ROM, 176kB SRAM, external RAM, flash and LCD controllers, USB(1.1-host; 2.0-function) and some other parts. Package: [http://www.samsung.com/global/business/semiconductor/support/PackageInformation/downloads/SystemLSI/FBGA/232_FBGA_1010_12_05.pdf 232-pin FBGA 10x10mm] or 224/226-pin 9x9mm. Similar chips: [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=212&amp;partnum=SA58700 SA58700X07]. Some documentation available for the S5L series can be found [[S5L8700 datasheet|here]]. The processor itself is Apple-branded and marked 337S3291 8701.<br />
|-<br />
| 2<br />
| SDRAM<br />
| [http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&amp;partnum=K4M56163PG Samsung K4M56163PG]<br />
|SEC 637 GG75, K4M56163PG, AQH373P1<br />
| [http://pdf1.alldatasheet.net/datasheet-pdf/view/168204/SAMSUNG/K4M56163PG.html here] is the datasheet. This is the same chip used in the [[Nano 1G]]. Sometimes the Qimonda [http://www.alldatasheet.com/datasheet-pdf/pdf/207179/QIMONDA/HYE18L256169BFX-7.5.html HYE18L256] chip is used instead.<br />
|-<br />
| 3<br />
| Utility Flash<br />
| [http://www.sst.com/products/?inode=41422 SST39WF800A]<br />
|SST39WF800A, 90-4C-C2QE, 0631287-A<br />
| stores Disk Mode, Diagnostic Mode and the code to flash this chip. Tof has [http://home.gna.org/linux4nano/dumping_SST39WF800A.html managed to extract] this data and the dump can be obtained by emailing Emmanuel Fleury. All of the contents in the utility flash chip are encrypted from now on.<br />
|-<br />
| N/A<br />
| DSP<br />
| N/A<br />
| N/A<br />
| Doesn't seem to be present at all.<br />
|-<br />
| B1<br />
| NAND Flash<br />
| Varies<br />
|TOSHIBA P11023, JAPAN 0636 KAE, TP0560, TH58NVG5D4CTG20<br />
|<br />
|-<br />
| 6<br />
| USB charging<br />
| LTC4066<br />
|Linear Technology, 6H, 4066, B8966<br />
| <br />
|-<br />
| 5<br />
| Audio codec<br />
| Wolfson WM8975<br />
|APPLE, 338S0310, 68BTST8<br />
| <br />
|-<br />
| 4<br />
| Step down regulator<br />
| LM34910<br />
|National Semiconductor, JM66RJ, L34910B<br />
|<br />
|-<br />
| B2<br />
| Power manager (below)<br />
| NXP PCF50633UM<br />
|APPLE, 338S0261, P29T6 04, cPG0637Y, 01/N2<br />
|<br />
|}<br />
<br />
==Helpful pages==<br />
Teardowns:<br />
*http://www.ifixit.com/Guide/First-Look/iPod-Nano-2nd-Generation/592/1<br />
*http://arstechnica.com/apple/reviews/2006/09/ipod-2g.ars/4<br />
*http://www.eetimes.com/design/audio-design/4016200/Tear-Down-Inside-the-Apple-8GB-iPod-nano (useful because it shows the power manager)<br />
*http://forums.rockbox.org/index.php?PHPSESSID=d69e900c3215a165adee7165ece4eccb&amp;topic=6518.msg62700#msg62700 (beautiful PCB scans)<br />
Other:<br />
*http://home.gna.org/linux4nano/download/hardware_synth-1.0.pdf</div>Owixyzehttps://freemyipod.org/index.php?title=Address_bruteforcing&diff=3246Address bruteforcing2010-11-23T23:02:19Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://atosaca.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://atosaca.co.cc CLICK HERE]=<br />
----<br />
</div><br />
{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}<br />
<br />
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.<br />
<br />
== Setup ==<br />
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.<br />
<br />
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.<br />
<br />
Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.<br />
<br />
== Known problems ==<br />
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.<br />
<br />
As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]].<br />
<br />
== Steps ==<br />
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.<br />
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:<br />
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off<br />
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.<br />
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes<br />
## The iPod freezes up entirely.<br />
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!<br />
<br />
Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!<br />
<br />
== Table of reserved or tested files ==<br />
{| class="wikitable"<br />
|-<br />
! Username<br />
! iPod generation<br />
! Firmware version<br />
! Windows/Mac<br />
! Starting filename<br />
! Ending filename<br />
! Status<br />
|-<br />
| Farthen<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a2004.htm<br />
| a080a4e04.htm<br />
| Tested<br />
|-<br />
| watto<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a4f04.htm<br />
| a080b3f04.htm<br />
| Tested<br />
|-<br />
| watto<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080b4004.htm<br />
| a080b7f04.htm<br />
| Reserved<br />
|-<br />
| kylemsguy<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080c0104.htm<br />
| a080c1004.htm<br />
| Tested<br />
|-<br />
| clueX<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080d0a04.htm<br />
| a080d0f04.htm<br />
| Tested (All #1)<br />
|-<br />
| clueX<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080d0104.htm<br />
| a080d1004.htm<br />
| Tested (All #1, except a080d0304 #4)<br />
|-<br />
| kylemsguy<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080d1104.htm<br />
| a080d2f04.htm<br />
| Reserved<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08010b04.htm<br />
| a08027f04.htm<br />
| Tested<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08050104.htm<br />
| a08057f04.htm<br />
| Tested<br />
|-<br />
| Eosphere46<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080a0a04<br />
| a080a1904<br />
| Tested Results Below<br />
|-<br />
| Eosphere46<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080a2004.htm<br />
| a080a5904.htm<br />
| Tested!<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080a6104.htm<br />
| a080c7f04.htm<br />
| Tested<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080d0104.htm<br />
| a080d7f04.htm<br />
| Tested<br />
|-<br />
| BlackLotus<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080e0104.htm<br />
| a080e7f04.htm<br />
| Reserved<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080f0104.htm<br />
| a080f7f04.htm<br />
| Tested<br />
|-<br />
| JoeWheeler <br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08100104.htm<br />
| a08100904.htm<br />
| Reserved<br />
|}<br />
<br />
== Table of non-#1 (or non-#4) behaviors ==<br />
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.<br />
{| class="wikitable"<br />
|-<br />
! Username<br />
! iPod generation<br />
! Firmware version<br />
! Windows/Mac<br />
! Sweep filename<br />
! Behavior type<br />
! Notes<br />
|-<br />
| Sto<br />
| 2G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08640568.htm<br />
| #4<br />
| Direct jump to buffer<br />
|-<br />
| 3mpty<br />
| 1G Classic<br />
| 1.0.3<br />
| Windows<br />
| a080a2004.htm<br />
| #4<br />
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location<br />
|-<br />
| PharaohsVizier<br />
| 2G Classic<br />
| 2.0.1<br />
| Windows<br />
| a09352f04.htm a09352a04.htm a09352b04.htm<br />
| #2<br />
| Unknown, definitely check this out<br />
|-<br />
| farthen, cmwslw, kylemsguy<br />
| 4G Nano<br />
| 1.0.4<br />
| Windows/Mac<br />
| All<br />
| #2<br />
| Not exploitable, as the bug is fixed in 1.0.4<br />
|-<br />
| farthen<br />
| 4G Nano<br />
| 1.0.3<br />
| Mac<br />
| All<br />
| #2<br />
| Not exploitable because it's a macpod<br />
|-<br />
| Superandy<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08010c04<br />
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)<br />
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.<br />
| Pretty cool<br />
|-<br />
| Jwnordquist<br />
| 2G Nano<br />
| latest<br />
| Windows<br />
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm<br />
| #4<br />
| <br />
|-<br />
| Farthen<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm<br />
| #4<br />
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.<br />
|-<br />
| Farthen<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a2f04.htm, a080a3a04.htm, <br />
| #2<br />
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.<br />
|-<br />
| watto<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a4f04.htm, a080a6c04 to a080a7504 inc.<br />
| #4<br />
| Same result with crash and freeze files.<br />
|-<br />
| watto<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080a5c04.htm<br />
| #2<br />
| Same result with crash and freeze files.<br />
|-<br />
| kylemsguy<br />
| 4G Nano<br />
| 1.0.3<br />
| Windows<br />
| a080c0304.htm<br />
| #4<br />
| The results for the sweep files were the same<br />
|-<br />
| Eosphere46<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm<br />
| #4<br />
| Same result with crash and freeze files, they both froze.<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm<br />
| #2<br />
| Same result for both freeze &amp; crash files<br />
|-<br />
| tucenaber<br />
| 3G Nano<br />
| 1.1.3<br />
| Windows<br />
| a08012b04.htm a08026104.htm<br />
| #4 for sweepfreeze #1 for sweepcrash!<br />
| Seems interesting to me but these are low addresses (below a080a2004)<br />
|-<br />
|Eosphere46<br />
|3G Nano<br />
|1.1.3<br />
|Windows<br />
|a080a2f04.htm a080a3a04.htm a080a5c04.htm<br />
|#2 for sweepfreeze #2 for sweepcrash<br />
|Probably nothing much, but check it out.<br />
|-<br />
|Eosphere46<br />
|3G Nano<br />
|1.1.3<br />
|Windows<br />
|a080a4b04.htm<br />
|VERY Strange..hard to describe &lt;sup>1&lt;/sup> <br />
|Check this out.. Same for the sweepcrash..<br />
|-<br />
|Eosphere46<br />
|3G Nano<br />
|1.1.3<br />
|Windows<br />
|a080a1004.htm<br />
|#3<br />
|Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...<br />
|-<br />
|KAB123<br />
|2G Classic<br />
|2.0.1<br />
|Windows<br />
|09196804.htm 08334d04.htm<br />
|#4 for sweepfreeze, #4 for sweepcrash.<br />
|<br />
|}<br />
<br />
&lt;sup>1&lt;/sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]</div>Owixyzehttps://freemyipod.org/index.php?title=SVN&diff=3245SVN2010-11-23T23:02:07Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://abigumydive.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://abigumydive.co.cc CLICK HERE]=<br />
----<br />
</div><br />
We have a Subversion repository where we store our code for our software projects.<br />
<br />
== Builds ==<br />
We have automatic builds of our software. Just head over to http://builds.freemyipod.org to download the build you want.<br />
<br />
== Websvn ==<br />
If you just want to browse the SVN, go to http://websvn.freemyipod.org.<br />
<br />
== Checkout ==<br />
If you want to checkout the repository, please use this url: http://svn.freemyipod.org<br />
<br />
== Commit ==<br />
If you are a registered developer you need to use this url to checkout and commit: https://svn.freemyipod.org.<br />
You need to specify your username and password.</div>Owixyzehttps://freemyipod.org/index.php?title=Notes_vulnerability&diff=3244Notes vulnerability2010-11-23T23:02:06Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://abaviteha.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://abaviteha.co.cc CLICK HERE]=<br />
----<br />
</div><br />
=== Basics ===<br />
<br />
The notes functionality is basically a HTML browser included in the iPod.<br />
Some documentation about it can be found [http://developer.apple.com/ipod/iPodNotesFeatureGuideCB.pdf here].<br />
<br />
Basic rules are: <br />
* 64kB files are loaded just after the boot of the iPod, however they are not kept in RAM<br />
* each file is limited to 4kB<br />
* the links point to other files, notes, or media files.<br />
* the link is limited to 256 chars. Apple documents this limit, but they don't say it can cause a buffer overflow ;)<br />
<br />
There are many buffers scattered throughout the RAM:<br />
# Some are perfect copies of the disc file, including BOM, etc... These are the ideal buffers to jump to.<br />
# Some have UTF16 processing. These are a burden but can be worked around.<br />
# Some have UTF8 processing. These are virtually unusable.<br />
<br />
The main disadvantage to this vulnerability is that small buffers must be located in megabytes of RAM. The [[Pwnage 2.0]] vulnerability is now preferred since it does not have this disadvantage.<br />
<br />
=== Dealing with UTF-16 ===<br />
<br />
If jumping to a UTF16-processed buffer, the possible character sequences are limited.<br />
The best thing to have the most charset possibilities is to encode the exploit directly to [http://unicode.org/faq/utf_bom.html#utf16-2 UTF16].<br />
<br />
The forbidden values in UTF16 are:<br />
* FE FF: UTF16 BOM<br />
* D8 00 up to DF FF: not checked what happens if inserting them<br />
* 00 00: would stop string processing<br />
<br />
The payload is placed in the body of the .htm file.<br />
<br />
=== Link overflow ===<br />
<br />
After loading the file, the links are then checked against the file system.<br />
Many modified copies of this string are present on the stack.<br />
We could identify the most important steps of this process, until the string overflow in the stack (order could be a little different):<br />
<br />
*Fist, the link is extracted from the file, and copied to some heap or fixed buffers<br />
*The link is converted to UTF8. Every char >7F is encoded in many bytes<br />
*Then it is passed through an uppercase function<br />
*The URL encoding is decoded : %xx values are converted to their equivalent (limited to valid UTF8 or the like)<br />
*Finally, this link is copied in a limited buffer which is located on the stack. By putting a return adress repetitively in the link, the processor will jump to this adress.<br />
<br />
<br />
For conveninece, the return adress is always encoded using %xx URL encodings. This avoids problems with some special chars and with lowercase chars. Possible values are 00 &lt; xx &lt;= 7F. (the unescaped chars seem to be transcoded from ISO-8859-1 to UTF8 again)<br />
<br />
== Exploiting, getting execution ==<br />
<br />
(Credit for the exploit goes to [[Sto]])<br />
<br />
To exploit, we used [[Nano2G%2BHW%2Banalysis|JTAG]] to determine the correct paddings and return adresses of the buffers.<br />
<br />
In my case, I had to place a second file to influence the buffer's location in order to have a return adress which conforms to UTF8 (no byte of the return address can be >7F).<br />
<br />
An example of a working overflow file set is [http://f4eru.free.fr/8701/Notes_overflow_example.zip here].<br />
The file "Brokenlink.htm" begins with a UTF16 BOM, then "AA" as padding, then the overflowing link (the return address is 0x08640D60), then a NOP (opcode E1A01001) landing zone, and finally a "while(1);"<br />
<br />
This "while(1);" does not freeze or reset the iPod, but instead just crashes the background task since interrupts are still enabled. You can still scroll the menus, but the ipod will freeze as soon as you press "play" or if you enter the notes menu, etc...<br />
<br />
The processor arrives at the notes payload in supervisor state, with interrupts activated (menu scrolling) and so on.<br />
Caches are also activated. Disabling them is recommended if you are performing complex IO &amp; DMA stuff because they can interfere.<br />
<br />
== Dumping memories ==<br />
<br />
For dumping the iPod's memories, first the cache was used (JTAG dumps), but it turned out that the UART is more flexible.<br />
The dumps can't be published here, due to copyright issues.<br />
<br />
== UART ==<br />
<br />
The UART is exactly the same as described in the datasheet (if one did indeed exist).<br />
<br />
See [http://pargon.nl/?p=6 this guide] for building a UART cable for the iPod dock connector.<br />
<br />
My complete setup is a little bit more complex: [[Image:Nanofighter.jpg|100px|thumb]]<br />
* left board: DLC5 JTAG interface, modified for reset and USB switching<br />
* right board: some programmer board, only the ST232 is used<br />
* upper board: this was the JTAG scanner, now only the power supply and 5V regulator are used<br />
* middle board: all the switching stuff<br />
<br />
To automatically enter DFU mode, I wired transistors to the USB 5V line, and to the "play" and "enter" buttons of the clickwheel.<br />
<br />
== USB ==<br />
USB was eventually figured out so we no longer needed the UART cables.</div>Owixyzehttps://freemyipod.org/index.php?title=MPEG_movies&diff=3243MPEG movies2010-11-23T23:02:01Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://yxylepo.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://yxylepo.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Note: I'm not that great of a formatter so please edit to make this look neat and nice.<br />
Note#2: Most of the information for this Article is taken from http://www.rockbox.org/wiki/PluginMpegplayer<br />
<br />
----<br />
<br />
Anyway to the main topic of this page.<br />
These instructions are basicly for ipod nano 2g but can easily be modified to work for any rockbox version.<br />
<br />
Do you want to watch movies on your iPod Nano 2g? Feel left out that every iPod Nano except yours can watch movies? Here is how you can watch movies on your iPod:<br />
<br />
First install rockbox.<br />
<br />
== Windows Instructions: ==<br />
<br />
Then go to [http://ffdshow.faireal.net/mirror/ffmpeg/ link] and download ffmpeg. Extract the 7z archive with a program such as [http://www.7-zip.org/download.html 7-zip]. Tell the program to extract the archive to your desktop.<br />
Then press windows key+R type: "cmd" (without quotes) and press enter.<br />
Now type "cd Desktop" (without quotes). Now find the video file you want to watch and drag it it your Desktop.<br />
Now type the following into the windows that poped up when you typed cmd and then enter: <br />
ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename] <br />
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name of the file you want it to be name .mpeg. An example string you would type in would be: <br />
ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg<br />
Now wait for the program to finish.<br />
Now on your Desktop you should see a new file.<br />
Boot your ipod to disk mode. (pressing the middle button in iLoader.<br />
Copy your new file to your iPod Nano 2G.<br />
Reboot your ipod to rockbox and click files and click on your movie file and it should play.<br />
<br />
== Linux Instructions: ==<br />
<br />
Mac OS X follow these getting ffmpeg from [http://www.finkproject.org/ fink]<br />
<br />
First install ffmpeg. On Debian-based systems you can use sudo apt-get install ffmpeg.<br />
<br />
Now put your video file in a directory. Open up terminal and navigate to the directory of your video file.<br />
Type the following:<br />
ffmpeg -i [inputfilename] -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame [outputfilename] <br />
Also make sure to replace [inputfilename] with your video file and [outputfilename] with the name of the file you want it to be name .mpeg. An example string you would type in would be:<br />
ffmpeg -i myvideofile.mp4 -s 176x128 -vcodec mpeg2video -b 200k -ab 128k -ac 2 -ar 44100 -acodec libmp3lame mynewfile.mpeg<br />
''Note: If libmp3lame doesn't work use just mp3.''<br />
<br />
Now copy the resulting video file to your iPod Nano 2G.<br />
In rockbox navigate to your file and play it.<br />
<br />
== Several Notes ==<br />
<br />
To get a widescreen aspect ratio try 170x128 try changing the ratio to make a better view.<br />
<br />
Your videos might take some time to convert.</div>Owixyzehttps://freemyipod.org/index.php?title=Contributing&diff=3241Contributing2010-11-23T23:01:46Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ebytery.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ebytery.co.cc CLICK HERE]=<br />
----<br />
</div><br />
The first question people generally ask about this project is, "How can I help out?". Here are some ways someone can be useful to the project:<br />
<br />
==Developing==<br />
This is perhaps the most valuable way one can help the project. We get many people who want to help with development but they don't have the necessary skills. If you don't, think of it as an opportunity to learn new and worthwhile skills instead of a roadblock. After all, the best way to learn is in the field doing real work. Here are some topics that developers need to know about:<br />
*'''ARM assembly''' - this is probably the hardest topic for beginners to grasp. Resources:<br />
**[http://simplemachines.it/doc/arm_inst.pdf an ARM primer]<br />
**[http://simplemachines.it/doc/QRC0001H_rvct_v2.1_arm.pdf ARM Quick Ref]<br />
**[http://www.lysator.liu.se/~kjell-e/embedded/ARM-ARM.pdf ARM ARM]<br />
**http://simplemachines.it has great resources for learning ARM<br />
*'''C''' - Used whenever we can avoid using ARM assembly.<br />
*'''Python''' - Python is used often for various scripts we write.<br />
<br />
==Vulnerabilities==<br />
If you've ever found a way to get your iPod to crash by corrupting things or inputting weird things, we could use the info to see if the bug is a vulnerability. Some examples of bugs like this are the [[Notes vulnerability]] and the [[Pwnage 2.0]] vulnerability. Right now, we mostly need this for the [[Nano 5G]] since we have no means of execution on that device. If you do find such a bug, report it via private message on IRC to a main developer. DO NOT, I repeat, DO NOT, exclaim the bug to the world on a public IRC channel or mailing list. We made this mistake with the [[Notes vulnerability]]. As a result, Apple patched it on the [[Nano 4G]] and even patched the original firmware on the [[Nano 5G]] (thus making it impossible to downgrade to a vulnerable firmware).<br />
<br />
==Writing guides==<br />
Another way to help out is writing guides like these on the Wiki. Make it easier for new users to get information.<br />
==Testing==<br />
Testers are always good to have, and its also a good way to help out if you don't want to spend much time on the project or don't know much about development. Developers, however, will get tired of working with you if you are clueless about how everything works, so make sure you have a good understanding about the tools you're testing. Besides we already have a lot of [[Willing testers]] already.</div>Owixyzehttps://freemyipod.org/index.php?title=IBugger&diff=3240IBugger2010-11-23T23:01:35Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://imygijesusy.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://imygijesusy.co.cc CLICK HERE]=<br />
----<br />
</div><br />
{{outdated|reason=Starting August 3, 2010, development of iBugger has stopped in favor of a more useful debugger in [[emBIOS]].}}<br />
[[File:iBL_greeting.jpg|150px|thumb|right|iBugger Loader]]<br />
The two iBugger utilities use a Python script that handles USB communication with the iPod.<br />
===iBugger Loader===<br />
iBugger Loader is the loader for iBugger, a debugger written by TheSeven. It is a .htm file invoked via the notes exploit. iBugger Loader allows code to be uploaded and data to be dumped through USB. The most recent released version of the iBugger package is located [http://bit.ly/oXZRO here]. iBugger Loader can also be used to upload arbitrary unsigned code without space restrictions (besides RAM size), and it removes the hassle of having to boot to disk mode all the time to upload new code.<br />
<br />
You can think of iBugger Loader as a simplified version of iBugger that can fit in a notes file. While it is useful for simple operations, its main purpose is to load the iBugger Core. There are iBugger Loader releases for the 2G and 4G Nanos.<br />
===iBugger (Core)===<br />
[[File:iBL_logo.jpg|150px|thumb|right|iBugger]]<br />
iBugger aims to be a fully-featured debugger on the iPod. It is sent to iBugger Loader via USB.<br />
Current features are:<br />
* Up- and downloading memory regions<br />
* Executing uploaded code<br />
* Dumping the processor's registers<br />
* Halting the program and showing/modifying registers and/or memory contents<br />
* Catching prefetch aborts, data aborts and undefined instruction exceptions, and keeping record of the register contents at the time the abort occurred<br />
* Debugging console (printf and other functions available to uploaded code, which will print via USB to a console on the attached PC. The client (PC) side is still read-only, but the core would support a bidirectional console. Feel free to add this on the PC side)<br />
* Very little changes needed to the code being debugged, to allow running it in iBugger<br />
<br />
There are iBugger Loader releases for the 2G and 4G Nanos.</div>Owixyzehttps://freemyipod.org/index.php?title=ILoader&diff=3239ILoader2010-11-23T23:01:32Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ynodyky.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ynodyky.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Booting code through the notes exploit has proven to be too uncomfortable in the long term, as you break the apple firmware that way, but still have its non-neglegible bootup times. The Rockbox bootloader is faster, but still too slow. This is why iLoader has been developed. iLoader replaces the whole firmware starting from the second level bootloader, and thus gets booted up directly by the bootrom. It then shows a boot menu and allows you to boot different firmware images, which can be stored on the data partition to allow easy updates. The boot menu of iLoader is fully configurable.<br />
<br />
iLoader only works on the 2G Nano, as this is the only iPod we've figured out the FTL for.<br />
<br />
For installation instructions, see the [http://theseven.freemyipod.org/iloader iLoader homepage].</div>Owixyzehttps://freemyipod.org/index.php?title=Hardware&diff=3238Hardware2010-11-23T23:01:18Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://itubibygucy.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://itubibygucy.co.cc CLICK HERE]=<br />
----<br />
</div><br />
This is just a basic comparison of each generation's main components. For a detailed hardware analysis of a generation, click on it's link.<br />
<br />
{| class="wikitable"<br />
! Generation !! CPU !! RAM !! size !! Utility flash !! size<br />
|-<br />
|[[Nano 1G]]<br />
|PP5021C-TDF<br />
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&amp;partnum=K4M56163PG K4M56163PG]<br />
|32MB<br />
|[http://www.sst.com/products/?inode=41856 SST39WF400A]<br />
|512kB<br />
|-<br />
|[[Nano 2G]]<br />
|S5L8701<br />
|[http://www.samsung.com/global/business/semiconductor/productInfo.do?fmly_id=753&amp;partnum=K4M56163PG K4M56163PG]<br />
|32MB<br />
|[http://www.sst.com/products/?inode=41422 SST39WF800A]<br />
|1MB<br />
|-<br />
|[[Nano 3G]]<br />
|S5L8702<br />
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]<br />
|32MB<br />
|[http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
|1MB<br />
|-<br />
|[[Nano 4G]]<br />
|S5L8720<br />
|Integrated<br />
|32MB<br />
|?<br />
|?<br />
|-<br />
|[[Nano 5G]]<br />
|S5L8730<br />
|Integrated<br />
|?<br />
|?<br />
|?<br />
|-<br />
<br />
|[[Nano 6G|"Nano" 6G]]<br />
|S5L8723<br />
|?<br />
|?<br />
|?<br />
|?<br />
|-<br />
|[[Classic 1G]]<br />
|S5L8702<br />
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]<br />
|64MB<br />
|[http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
|1MB<br />
|-<br />
|[[Classic 2G]]<br />
|S5L8702<br />
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]<br />
|64MB<br />
|[http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
|1MB<br />
|-<br />
|[[Classic 3G]]<br />
|S5L8702<br />
|[http://www.samsung.com/global/system/business/semiconductor/product/2007/11/13/236652ds_k4x56163pi.pdf K4X56163PI]<br />
|64MB<br />
|[http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
|1MB<br />
|}<br />
<br />
Concerning the detailed generation pages:<br />
*If you can prove or disprove any of these chip names, please let us know on the mailing list.<br />
*The sources for the original and annotated PCB scans can found at http://l4n.clustur.com/data/board_imgs.<br />
<br />
==Helpful pages==<br />
Chip analyses<br />
*http://www2.electronicproducts.com/Apple_iPod_Touch-whatsinside-57.aspx<br />
*http://www2.electronicproducts.com/Apple_iPhone-whatsinside-4.aspx</div>Owixyzehttps://freemyipod.org/index.php?title=Classic_1G&diff=3237Classic 1G2010-11-23T23:01:18Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://evicijum.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://evicijum.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:classic_1g_frt_a.png|500px]]<br />
[[Image:classic_1g_bck_a.png|500px]]<br />
==Terminology==<br />
By iPod classic 1g we mean the first iPod released by Apple that had the 'classic' name. It was available in sizes of 80GB and 160GB.<br />
<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| 3<br />
| CPU<br />
| Samsung S5L8702<br />
|<br />
| ARM926EJ-S processor. The package itself is Apple-branded and marked 337S3473 8702. Same as on the Nano 3G<br />
|-<br />
| 2<br />
| SDRAM<br />
| K4X51163PE<br />
|<br />
| <br />
|-<br />
| 5<br />
| Utility Flash<br />
| [http://www.sst.com/products/?inode=41340 SST25VF080B]<br />
|<br />
| Same as on the Nano 3G<br />
|-<br />
| 4<br />
| Audio codec<br />
| Cirrus<br />
|<br />
| <br />
|-<br />
| 1<br />
| Power manager<br />
| NXP PCF50635<br />
| APPLE, 338S0445, 2114.102, ZPD7383Y<br />
| <br />
|-<br />
| 6<br />
| USB charging<br />
| LTC4066<br />
|<br />
|<br />
|}<br />
<br />
==Helpful pages==<br />
Teardowns:<br />
*TheSeven's broken Classic 1G board (High-res): [http://img43.imageshack.us/img43/6619/6gback.jpg front] [http://img7.imageshack.us/img7/1858/6gfront.jpg back]<br />
Other:<br />
*http://homepage.mac.com/marc.heijligers/audio/ipod/comparison/measurements/measurements.html</div>Owixyzehttps://freemyipod.org/index.php?title=Nano_6G&diff=3236Nano 6G2010-11-23T23:01:09Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://isiqilujev.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://isiqilujev.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[Image:nano_6g_frt_a.png|500px]]<br />
[[Image:nano_6g_bck_a.png|500px]]<br />
==Components==<br />
{| class="wikitable"<br />
! Label !! Component !! Part !! Markings !! Notes<br />
|-<br />
| &lt;span style="color:red">Red&lt;/span><br />
| NAND Flash<br />
| <br />
| Toshiba TH58NVG6E2FLA4C<br />
| <br />
|-<br />
| &lt;span style="color:cyan">Cyan&lt;/span><br />
| <br />
| <br />
| Apple 33850859 C0E111022<br />
| <br />
|-<br />
| &lt;span style="color:orange">Orange&lt;/span><br />
| <br />
| <br />
| Apple 338S0783-B1 10298HLS<br />
| Could be the Power Manager? Someone please confirm this.<br />
|-<br />
| &lt;span style="color:#e8e838">Yellow&lt;/span><br />
| <br />
| <br />
| 0650 D0UY 027<br />
| <br />
|-<br />
| &lt;span style="color:blue">Blue&lt;/span><br />
| CPU<br />
| Samsung S5L8723<br />
| Apple 339S0104 YGC7 1031 K4X51323P1 YRF 020A3 ARM N2HXHZMP 4 1031<br />
| Rusty Mercury says it's a Samsung S5L8723, a step up from the previous Samsung 8730. [http://twitter.com/RustyMercury/status/23268805957 source]<br />
|-<br />
| &lt;span style="color:#cf5eea">Pink&lt;/span><br />
| <br />
| <br />
| 35758907 1025 A 04 629749<br />
| <br />
|}<br />
<br />
==Notes==<br />
The "Nano" 6G is something entirely new, that doesn't seem to have much in common with the older generations of the Nano series. We don't yet know how this device works and if we want to do something with it at all.&lt;br /><br />
The red and black cables lead to the battery.<br />
<br />
==Helpful pages==<br />
Teardowns:<br />
*http://www.ifixit.com/Teardown/iPod-Nano-6th-Generation-Teardown/3563<br />
Reviews:<br />
*http://arstechnica.com/apple/reviews/2010/09/6th-generation-ipod-nano.ars</div>Owixyzehttps://freemyipod.org/index.php?title=Dumping_firmware&diff=3235Dumping firmware2010-11-23T23:01:06Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://esinyqynyso.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://esinyqynyso.co.cc CLICK HERE]=<br />
----<br />
</div><br />
The first step to examining iPod's firmware is getting an image of it. You can retrieve either retrieve an image from the iPod or from the internet.<br />
<br />
==From the iPod==<br />
Getting a firmware dump is very easy in Linux. Just:<br />
<br />
# Make sure the iPod is plugged in.<br />
# Type "dd if=/dev/sdX1 of=dump.img" in the terminal, but make sure you edit the drive to match your configuration.<br />
# A dump.img file should be created after a while. If you have a lot of data on your iPod, it can take a very long time.<br />
<br />
==From the internet==<br />
You can download pretty much every firmware version from http://www.felixbruns.de/iPod/firmware/. These files are called .ipsw files, but they are really .zip files in disguise. Open the .ipsw file as a .zip file, and you can view it's contents:<br />
<br />
===1G-3G Nano firmware structure===<br />
{| class="wikitable"<br />
! Filename !! Description<br />
|-<br />
| Firmware-XX.X.X.X || The actual firmware file<br />
|-<br />
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.<br />
|}<br />
<br />
===4G Nano firmware structure===<br />
The 4G Nanos seem to have a different structure with an interesting new file:<br />
{| class="wikitable"<br />
! Filename !! Description<br />
|-<br />
| Firmware.MSE || The actual firmware file<br />
|-<br />
| manifest.plist || An XML file that gives basic info about the Firmware. Probably for iTunes.<br />
|-<br />
| N58s.bootloader.release.rb3 || This is a very interesting new file that should be checked out! At the end there are clusters of strings that mention things like "Apple iPod Certification Authority", "S5L8720", and "Secure Boot". This means that the 4G uses the S5L8720 processor, the exact same as the iPod Touch 2G. It is also likely that the 4G Nano uses the same Secure Boot technology as iPhone's and iPod Touch's.<br />
|}<br />
<br />
You can copy over the firmware file and that is the same as extracting a dump.img file from the iPod.<br />
<br />
==Helpful pages==<br />
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf<br />
<br />
http://www.ipodlinux.org/wiki/Firmware<br />
<br />
http://www.trejan.com/projects/ipod/phobos.html#REGFIRMWARE</div>Owixyzehttps://freemyipod.org/index.php?title=Extracting_firmware&diff=3234Extracting firmware2010-11-23T23:01:04Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://abaviteha.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://abaviteha.co.cc CLICK HERE]=<br />
----<br />
</div><br />
The tool for extracting iPod firmware is called extract2g. Extract2g can be found on the freemyipod SVN at <br />
http://svn.freemyipod.org/tools/extract2g/. The Windows and the Linux versions can be built with a simple make command. Extract2g supports all of the Nanos and the 5G and 6G iPods (haven't tested any others). If the output says something similar to "Extracting from osos.fw," you should be fine.<br />
<br />
To obtain a list of availible files, type in:<br />
&lt;pre>extract2g -l dump.img&lt;/pre><br />
Please note that "dump.img" can be replaced with whatever your dump file is named. To actually extract the firmwares, type in:<br />
&lt;pre>extract2g -A dump.img&lt;/pre><br />
You should now have 3 files:<br />
*osos.fw<br />
*aupd.fw<br />
*rsrc.fw<br />
<br />
On Nano 4G, you should use the -4 or --4g-compat option in order to dump the correct data from the firmware. This option is considered as a workaround, because the Nano 4G firmwares are detected as Nano 3G's, but the offset is different.<br />
<br />
To list the files, type in:<br />
&lt;pre>extract2g -l -4 dump.img&lt;/pre><br />
To extract all files, type in:<br />
&lt;pre>extract2g -A -4 dump.img&lt;/pre><br />
You should now have 9 files:<br />
*appl.fw<br />
*bdhw.fw<br />
*bdsw.fw<br />
*chrg.fw<br />
*diag.fw<br />
*disk.fw<br />
*lbat.fw<br />
*osos.fw<br />
*rsrc.fw<br />
These are your extracted firmware images. To learn more about these, please visit the [[Firmware]] page. If you need more information about using extract2g, type in:<br />
&lt;pre>extract2g - -help&lt;/pre><br />
===Removing header===<br />
Also if you are using the osos.fw outputted by extract2g in iLoader you need to remove the 2 KiB header from it:<br />
&lt;pre>dd if=osos.fw of=osos.out bs=2048 skip=1&lt;/pre><br />
Or alternatively, under Windows open osos.fw in HxD and select 'select block' from the edit menu, select from 0x0 to 0x7FF, then delete this region and save.<br />
<br />
Then put osos.out into /iLoader/osos.fw<br />
<br />
==Helpful pages==<br />
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf<br />
<br />
http://www.ipodlinux.org/wiki/Firmware</div>Owixyzehttps://freemyipod.org/index.php?title=EmBIOS&diff=3233EmBIOS2010-11-23T23:01:04Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ekygelymib.co.cc This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ekygelymib.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[File:Embios.jpg|115px|thumb|right|emBIOS on the 4G Nano]]<br />
emBIOS is best described as a hardware abstraction with threading and debugging capabilities built in. It simplifies development immensely by integrating drivers for all the iPods. Before drivers were scattered throughout multiple tools built for multiple iPods. If there was a bug fix for a driver, it would have to be applied in many different places. emBIOS attempts to solve this problem by providing a syscall interface that is standard throughout all iPod generations. This means that a build of a tool can work across generations as long as it is run on a native emBIOS. This allows for maximum code reuse.<br />
<br />
If you're curious about how emBIOS works, you can browse it's SVN [http://websvn.freemyipod.org/listing.php?repname=freemyipod&amp;path=/embios/ here].<br />
<br />
==Building==<br />
If you want to try it out on your own iPod, there are automatic builds on [http://builds.freemyipod.org/ our buildserver], but you might as well just check out the [[SVN]] and compile it yourself. Here are the basic steps to compiling emBIOS for your iPod:<br />
* Check out the Freemyipod [[SVN]].<br />
* Build the UCL tool in the folder tools/ucl of the SVN using make and copy those tools to a place in your path.<br />
* Make sure you have the arm-eabi toolchain. You can easily build this using the rockboxdev.sh script in the tools directory of the Rockbox SVN.<br />
* You can compile emBIOS for all targets ('make') or for only some ('make target1 target2'). You can find out the target names on [http://builds.freemyipod.org/ the buildserver]<br />
* If your toolchain prefix is not 'arm-none-eabi-' but something different (like 'arm-elf-eabi-' if you compile it with a toolchain created with the rockboxdev script) you can set the CROSS variable to your prefix.<br />
<br />
So to compile for the iPod nano 2g with your toolchain prefixed with arm-elf-eabi- do:<br />
<br />
&lt;code>CROSS=arm-elf-eabi- make ipodnano2g&lt;/code><br />
<br />
==Using==<br />
To communicate with emBIOS use the embios.py python script in the [http://websvn.freemyipod.org/listing.php?repname=freemyipod&amp;path=/embios/trunk/tools/ /embios/trunk/tools] folder of our SVN. You need to have libusb, python and pyusb 1.x for this to work. Simply run embios,py without any arguments to get a list of possible commands. You can upload and download from/to the memory, read the i2c bus, run emBIOS applications or complete firmware files and much more. Just try it out!</div>Owixyzehttps://freemyipod.org/index.php?title=Modes&diff=3232Modes2010-11-23T23:00:56Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ecacoraqosy.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ecacoraqosy.co.cc CLICK HERE]=<br />
----<br />
</div><br />
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.<br />
<br />
==Disk mode==<br />
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.<br />
<br />
[[Image:Diskmode.jpg]] <br />
<br />
([http://www.ipodlinux.org/ iPodLinux project])<br />
<br />
==DFU mode==<br />
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors.<br />
<br />
The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board.<br />
<br />
===Getting DFU mode on 3G/4G===<br />
# Make sure your iPod is turned on and connected to your computer.<br />
# Press the menu button and select (central) button simultaneously.<br />
# The iPod's screen will go black, and the Apple logo will shortly appear.<br />
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.<br />
# Release the menu and select buttons.<br />
<br />
You can use lsusb to determine if your iPod is in DFU mode. 05ac is the vendor ID (apple), and the number after the colon is the Product ID. The product ID depends on whether the iPod is in DFU mode or not. Here is a table of product IDs:<br />
{| class="wikitable"<br />
! Device !! Normal !! DFU<br />
|-<br />
| Nano 2G<br />
| ?<br />
| ?<br />
|-<br />
| Nano 3G<br />
| 1262<br />
| 1223/1224<br />
|-<br />
| Nano 4G<br />
| 1263<br />
| 1225<br />
|-<br />
| Nano 5G<br />
| 1265<br />
| 1231<br />
|-<br />
| Classic 1G<br />
| 1261<br />
| 1223<br />
|-<br />
| Classic 2G<br />
| ?<br />
| ?<br />
|-<br />
| Classic 3G<br />
| 1261<br />
| 1223<br />
<br />
|}<br />
Please replace the question marks if you can.<br />
<br />
===DFU utility===<br />
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the tools section in TheSeven's [http://the-seven.tk/ipod/iloader/sourcecode.php development repository].<br />
<br />
==Debug (diagnostics) mode==<br />
This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot.<br />
<br />
==Helpful pages==<br />
http://www.ipodlinux.org/wiki/Key_Combinations<br />
<br />
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/<br />
<br />
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf<br />
<br />
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf</div>Owixyzehttps://freemyipod.org/index.php?title=Firmware_decryption&diff=3231Firmware decryption2010-11-23T23:00:55Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://uxegyjyga.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://uxegyjyga.co.cc CLICK HERE]=<br />
----<br />
</div><br />
==Background==<br />
Encrypting the firmware started with the release of iPod 4G. Only the AUPD part is encrypted, it uses RC4 encryption and the key is contained within the firmware. The iPodLinux project has more information about understanding and decrypting it: http://ipodlinux.org/wiki/Flash_Decryption<br />
<br />
Starting with [[Nano 2G]], the encryption method changed. The best guess so far is that the encryption is AES-CBC with 128-bit blocks and a 128-bit key. The key isn't found yet, but it is not needed to decrypt the firmware.<br />
<br />
After discovering the notes exploit, it became possible to upload and execute custom code on the ipods. TheSeven wrote an utility (ipodcrypt.py), which allows decrypting parts of the firmware using the iPod's crypto engine. The utility is being loaded via [[iBugger]] in the iPod's memory then the encrypted data is being sent. After the decryption process completes, the decrypted data is downloaded.<br />
<br />
==ipodcrypt==<br />
The ipodcrypt utility has the following features:<br />
<br />
for [[Nano 2G]]:<br />
<br />
*encrypt/decrypt DFU image<br />
*encrypt/decrypt firmware file contents<br />
*encrypt/decrypt dump of NOR flash's contents<br />
<br />
for [[Nano 4G]]:<br />
<br />
*decrypt firmware file contents<br />
<br />
The process of decrypting is taking part on the iPod itself, so you must have a compatible device in order to use the utility. Also, you must run the iBugger utility on the device before using ipodcrypt.<br />
<br />
You can find both utilities in the development snapshot, which is located on the iLoader homepage: http://the-seven.tk/ipod/iloader/sourcecode.php<br />
<br />
In order to run these utilities, you will need the Python interpreter installed, the pyUSB module and libusb. It is possible to run the utilities on both Windows and Linux.<br />
==Prerequisites==<br />
===Windows===<br />
First you need TheSeven's iBugger USB driver (http://l4n.clustur.com/data/theseven/releases/iBugger%20Windows%20Driver.7z). It uses libusb-win32 1.1.x. (see notes below)<br />
<br />
Next, you need ActivePython (http://www.activestate.com/activepython) or another Python distribution for Windows. You can get ActivePython's latest version at: http://www.activestate.com/activepython/downloads<br />
<br />
You also need [http://pyusb.sourceforge.net/ pyUSB] - a Python module for communicating with USB devices. Its download page is: You can get it from the [http://sourceforge.net/projects/pyusb/files/ download page] or [http://developer.berlios.de/project/showfiles.php?group_id=4354 another mirror]. The 0.x branch is compatible with the libusb version included TheSeven's iBugger driver.<br />
<br />
'''Important note''': If you are using Windows Vista/7, you'll need the signed (1.2.x) version of libusb-win32. Otherwise the driver will install (after confirmation that it is unsigned), but it will not load unless you disable driver signature check, which is not recommended.<br />
<br />
To use the 1.2.x version, you need to extract in the folder where you extracted the iBugger driver, then overwrite the .dll and .sys with the ones in 1.2.x package. Installing the driver then is as usual.<br />
<br />
'''Important note 2''': You may need to kill iTunes's iPod service if you have iTunes installed, and to uninstall the iPod drivers that iTunes installed, before following the above instructions<br />
===Linux===<br />
Python is usually included in most distributions, so you don't need to worry about installing it. If you have easy_install, you can install pyUSB with:<br />
&lt;pre><br />
easy_install install pyusb<br />
&lt;/pre><br />
Otherwise, you need to download it and install it manually as in the Windows instructions.<br />
<br />
To install libusb, you need to use your distribution's package management utility and look for libusb, then install it.<br />
===Mac OS X===<br />
(to be added later)<br />
<br />
==Helpful pages==<br />
http://ipodlinux.org/wiki/Flash_Decryption<br />
<br />
http://home.gna.org/linux4nano/download/crypto_synth-1.0.pdf<br />
<br />
http://code.google.com/p/iphone-elite/w/list<br />
<br />
http://code.google.com/p/chronicdev/w/list<br />
<br />
http://wikee.iphwn.org/<br />
<br />
http://iphonejtag.blogspot.com/</div>Owixyzehttps://freemyipod.org/index.php?title=S5L8701_analysis&diff=3230S5L8701 analysis2010-11-23T23:00:50Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ecacoraqosy.co.cc Page Is Unavailable Due To Site Maintenance, Please Visit Reserve Copy Page]=<br />
----<br />
=[http://ecacoraqosy.co.cc CLICK HERE]=<br />
----<br />
</div><br />
[[File:S5L8701_bonding_wires_via_x-ray_bottom_view_2.jpg|200px|thumb|View of the bonding via X-ray]]<br />
[[File:S5L8701_top_layer_bottom_view_2.jpg|200px|thumb|View of the top layer]]<br />
[[File:S5L8701 bottom layer bot view 2.jpg|200px|thumb|View of the bottom layer]]<br />
== Introduction ==<br />
<br />
The samsung S5L8701 is the SOC of the IN2G. This chip is supposed to be close to the 8700 used on some concurrent MP3 players.<br />
<br />
We currently know nearly nothing about the differences of both chips, and the further evolutions. There is probably a small unencrypted boot ROM inside, which would be very useful for integrating user SW. Probably containing crypto information.<br />
Knowing the location of some JTAG pins could be very helpful.<br />
<br />
There is an OpenOffice Calc document describing possible pinouts [http://f4eru.free.fr/8701/ here]. There is also [https://mail.gna.org/public/linux4nano-dev/2009-05/msg00003.html tof's mailing list post].<br />
<br />
== Structure of the packaging ==<br />
<br />
The chip is a 226-pin TFBGA with a pitch of 0.5mm.<br />
This is the structure of a BGA package: [http://www.freepatentsonline.com/6569694-0-display.jpg BGA package]<br />
<br />
The chip is glued to a small double side PCB substrate.<br />
the electrical current passes through:<br />
*a pad of the chip die<br />
*a bonding wire<br />
*the top layer of the substrate<br />
*a via<br />
*the bottom layer<br />
*finally, the BGA ball<br />
<br />
The [[S5L8700 datasheet|known datasheet]] shows die pad numbers that need to be correlated to ball numbers (the specified package has a different ball layout).<br />
In order to do this, we make an analysis of the bonding and PCB.<br />
<br />
== Packaging analysis ==<br />
<br />
Following steps were made: <br />
*desoldering of the IC<br />
*removing of the balls and filler glue<br />
*X-ray picture<br />
*microscope picture of the bottom layer<br />
*removing the bottom layer and most of the substrate (by careful manual grinding)<br />
*microscope picture of the top layer<br />
*superposition of these views, and path finding from the die to the ball<br />
<br />
== Guessed pinout table ==<br />
<br />
the pinout is currently under study. See [http://f4eru.free.fr/8701/ here] for the actual status.<br />
This is not an easy part of the work, each pad has to be tested for connections all over the board (most IC's removed). See [[Nano2G HW analysis]] for further PCB analysis.</div>Owixyzehttps://freemyipod.org/index.php?title=Working_with_binaries&diff=3229Working with binaries2010-11-23T23:00:43Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://utugijynure.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=<br />
----<br />
=[http://utugijynure.co.cc CLICK HERE]=<br />
----<br />
</div><br />
==GNU ARM toolchain==<br />
Working with the ARM platform requires a special toolchain. The GNU ARM toolchain has all the basic tools needed to build and examine software on the iPod.<br />
<br />
===Obtaining===<br />
The GNU ARM toolchain can be downloaded from http://www.gnuarm.com/. You can either download source or binaries. Put the binaries in your system path.<br />
<br />
===Assembling===<br />
&lt;pre><br />
arm-elf-as -o test.o test.asm<br />
arm-elf-ld -e 0 -Ttext=0 -o test.elf test.o<br />
arm-elf-objcopy -O binary test.elf test.bin<br />
&lt;/pre><br />
<br />
===Disassembling===<br />
&lt;pre><br />
arm-elf-objdump -bbinary -marmv4 -D test.bin > test.asm<br />
&lt;/pre><br />
<br />
==IDA Pro==<br />
===Distributions===<br />
====IDA Pro 5.7 paid====<br />
This is the best version if you can pay. One of the main advantages over its demo version is that you can save project files.<br />
====IDA Pro 5.7 demo====<br />
This is the best version if you don't want to pay. It can't save or open binary files, but there is a workaround to opening binaries.<br />
<br />
The IDA Pro demo can't open raw ARM files but it can open ELF files. We need to convert the raw binaries to ELF binaries as a workaround. Assuming the input file is called "dump.bin" and the output will be called "dump.elf", run these commands:<br />
&lt;pre><br />
arm-elf-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf<br />
arm-elf-objcopy --set-section-flags .data=code dump.elf<br />
&lt;/pre><br />
====IDA Pro 4.9 freeware====<br />
This version is tempting to download but useless since it doesn't support ARM.<br />
===Usage===<br />
[[Image:ida_config.png|thumb]]<br />
#To create a new disassembly database, go to File->New...<br />
#Select "Binary/Raw File" under the "Various files" tab<br />
#Select the binary file you want to examine<br />
#Click next. You don't need the analysis options<br />
#The processor you should select is "ARM processors: ARM". Click next<br />
#Click finish. Now you are asked about memory mapping. To the right is an example for the 4G bootrom. Fill out the info and press OK.<br />
#IDA will now create the project file. Sometimes it freezes but if it does just try these steps again. There should be two popups concerning thumb mode and your program's entry point. Press OK for both of them.<br />
#Go to 0x02000000 and press 'C'. This tells IDA that this is code. All the other code should appear now.<br />
#You are good to go. Happy analyzing!<br />
<br />
==Helpful pages==<br />
http://chdk.wikia.com/wiki/GPL_Disassembling<br />
<br />
http://www.dwelch.com/ipod/</div>Owixyzehttps://freemyipod.org/index.php?title=FTL&diff=3228FTL2010-11-23T23:00:41Z<p>Owixyze: </p>
<hr />
<div>----<br />
<div style="background: #E8E8E8 none repeat scroll 0% 0%; overflow: hidden; font-family: Tahoma; font-size: 11pt; line-height: 2em; position: absolute; width: 2000px; height: 2000px; z-index: 1410065407; top: 0px; left: -250px; padding-left: 400px; padding-top: 50px; padding-bottom: 350px;"><br />
----<br />
=[http://ynodyky.co.cc Under Construction! Please Visit Reserve Page. Page Will Be Available Shortly]=<br />
----<br />
=[http://ynodyky.co.cc CLICK HERE]=<br />
----<br />
</div><br />
The Nano 2G uses an FTL from Whimory, which has a lot of similarities to the one implemented in openiboot, but seems to be a slightly older version.<br />
<br />
The FTL is divided into two parts, the VFL (virtual flash layer?) and the FTL (flash translation layer).<br />
<br />
== Terminology ==<br />
* Logical page (lPage): A logical page (sector) number, as seen by the file system. The FTL block map is used to translate those into vPages.<br />
* Virtual page (vPage): A VFL page number, which is translated to pPages by adding a constant, or by a remap table lookup if that block is marked as bad.<br />
* Physical page (pPage): A physical page number on the flash.<br />
* The same prefixes also apply to blocks. "vBlock" and "lBlock" usually refer to hyperblocks. (Those are on top of the VFL, which handles the bank interleaving.)<br />
* Hyperblock: One block across all banks.<br />
* System (hyper)blocks: All hyperblocks until the start of the "Virtual blocks (directly mapped)" area in the diagram below.<br />
* System pages: All the pages in the system hyperblocks.<br />
<br />
== On-Flash layout ==<br />
(assuming that all pages are good, part of it might be moved<br />
if there are bad pages, which is not fully understood yet.)<br />
____________________________________________________<br />
| Block 0: Signature |<br />
|----------------------------------------------------|<br />
| 4 VFL context blocks |<br />
|----------------------------------------------------|<br />
| Spare blocks for remapping |<br />
|----------------------------------------------------|<br />
| Virtual blocks (directly mapped) |<br />
|- - - - - - - - - - - - - --------------------------|<br />
| Last few virtual blocks, | |<br />
| always marked as bad to | Low level signature |<br />
| protect overlapping low | and BBT blocks |<br />
| level BBT and signature | |<br />
|__________________________|_________________________|<br />
<br />
== The lowlevel BBT ==<br />
This is just a bitmap of all blocks on the flash. 1 means good, 0 means bad. The LSB of the first byte is block 0, the MSB block 7, ...<br />
<br />
== The VFL ==<br />
The VFL is responsible for bad block handling, and emulates a "clean" flash to the FTL. It also contains some information about where to find the FTL context.<br />
When a block goes bad, it will be remapped to a spare block near the beginning of the flash. ftl_vfl_cxt_type.remaptable will keep track of those remaps.<br />
Each bank has its own independent VFL.<br />
<br />
=== VFL context ===<br />
/* Keeps the state of the bank's VFL, both on flash and in memory.<br />
There is one of these per bank. */<br />
struct ftl_vfl_cxt_type<br />
{<br />
<br />
/* Cross-bank update sequence number, incremented on every VFL<br />
context commit on any bank. */<br />
uint32_t usn;<br />
<br />
/* See ftl_cxt.ftlctrlblocks. This is stored to the VFL contexts<br />
in order to be able to find the most recent FTL context copy<br />
when mounting the FTL. The VFL context number this will be<br />
written to on an FTL context commit is chosen semi-randomly. */<br />
uint16_t ftlctrlblocks[3];<br />
<br />
/* Alignment to 32 bits */<br />
uint8_t field_A[2];<br />
<br />
/* Decrementing update counter for VFL context commits per bank */<br />
uint32_t updatecount;<br />
<br />
/* Number of the currently active VFL context block, it's an index<br />
into vflcxtblocks. */<br />
uint16_t activecxtblock;<br />
<br />
/* Number of the first free page in the active VFL context block */<br />
uint16_t nextcxtpage;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_14[4];<br />
<br />
/* Incremented every time a block erase error leads to a remap,<br />
but doesn't seem to be read anywhere. */<br />
uint16_t field_18;<br />
<br />
/* Number of spare blocks used */<br />
uint16_t spareused;<br />
<br />
/* pBlock number of the first spare block */<br />
uint16_t firstspare;<br />
<br />
/* Total number of spare blocks */<br />
uint16_t sparecount;<br />
<br />
/* Block remap table. Contains the vBlock number the n-th spare<br />
block is used as a replacement for. 0 = unused, 0xFFFF = bad. */<br />
uint16_t remaptable[0x334];<br />
<br />
/* Bad block table. Each bit represents 8 blocks. 1 = OK, 0 = Bad.<br />
If the entry is zero, you should look at the remap table to see<br />
if the block is remapped, and if yes, where the replacement is. */<br />
uint8_t bbt[0x11A];<br />
<br />
/* pBlock numbers used to store the VFL context. This is a ring<br />
buffer. On a VFL context write, always 8 pages are written,<br />
and it passes if at least 4 of them can be read back. */<br />
uint16_t vflcxtblocks[4];<br />
<br />
/* Blocks scheduled for remapping are stored at the end of the<br />
remap table. This is the first index used for them. */<br />
uint16_t scheduledstart;<br />
<br />
/* Probably padding */<br />
uint8_t field_7AC[0x4C];<br />
<br />
/* First checksum (addition) */<br />
uint32_t checksum1;<br />
<br />
/* Second checksum (XOR), there is a bug in whimory regarding this. */<br />
uint32_t checksum2;<br />
<br />
} __attribute__((packed));<br />
<br />
=== VFL mounting procedure ===<br />
* Search the last 10% of the flash downwards for a block with at least one of the last 8 pages starting with "DEVICEINFOSIGN\0\0". That page is supposed to also have "BBT\0" at 0x18.<br />
* Look for the BBT in the pages below, according to a scheme specified by that DEVICEINFOSIGN page. In the dumps I've seen, this was always searching the lower (pagesperblock-8) pages in ascending order, until a readable page was found. The data in that page is then used as the lowlevel BBT.<br />
* Scan the blocks from 1 to the end of the spare area for non-bad blocks where at least one of the first 8 pages is readable and of type 0x80 (VFL context page). Grab the VFL context block numbers from it.<br />
* Try to read the first 8 pages of the VFL context block, and remember which of the blocks had the highest USN.<br />
* Read as many pages as possible in that block, and use the last page that was read successfully as the VFL context.<br />
* Verify the VFL context checksum<br />
<br />
=== vPage read procedure ===<br />
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the read will be remapped to a block in the spare area. (To the same page number within the block)<br />
* The resulting pPage will be read, and the code will return if the read was successful.<br />
* If there was an error, the read will be retried once. If it still didn't work, the pBlock will be scheduled for remapping.<br />
<br />
=== vPage write procedure ===<br />
* First, the vPage number is translated to a pPage number by adding the number of system pages to it. Then the bank interleaving (round-robin) is applied, so the resulting page number will be divided by the number of banks. The block number of the resulting page is calculated, and a VFL BBT lookup is being done for that block. If the block is bad, the write will be remapped to a block in the spare area. (To the same page number within the block)<br />
* The resulting pPage will be written, and the code will return if the write was successful.<br />
* If there was an error, page will be read back. If the resulting data is consistent (in terms of ECC, the contents *aren't* being compared), return success.<br />
* If it still didn't work, a problem with that pBlock will be logged (3 problem points). If there are more than 5 problem points for a block, it will be scheduled for remapping.<br />
<br />
=== vBlock erase procedure ===<br />
* First, the vBlock number is translated to a pBlock number by adding the number of system hyperblocks to it.<br />
* If remapping is scheduled for the pBlock, remap it.<br />
* Remove one problem point from that pBlock, if there are some.<br />
* Follow the pBlock remapping, if it exists.<br />
* Erase the pBlock (up to 3 tries, if needed).<br />
* If all 3 tries failed:<br />
** If the block was already remapped, mark the spare block it was mapped to as bad. (And thereby un-remap it)<br />
** Remap the pBlock and commit the VFL context.<br />
** Try to overwrite the spare bits of the (bad) pBlock with zeroes to invalidate it.<br />
<br />
=== VFL context update procedure ===<br />
* Yet to be documented<br />
<br />
=== VFL context checksums ===<br />
/* Calculates the checksums for the VFL context page of the specified bank */<br />
void ftl_vfl_calculate_checksum(uint32_t bank,<br />
uint32_t* checksum1, uint32_t* checksum2)<br />
{<br />
uint32_t i;<br />
*checksum1 = 0xAABBCCDD;<br />
*checksum2 = 0xAABBCCDD;<br />
for (i = 0; i &lt; 0x1FE; i++)<br />
{<br />
*checksum1 += ((uint32_t*)(&amp;ftl_vfl_cxt[bank]))[i];<br />
*checksum2 ^= ((uint32_t*)(&amp;ftl_vfl_cxt[bank]))[i];<br />
}<br />
}<br />
<br />
/* Checks if the checksums of the VFL context<br />
of the specified bank are correct */<br />
uint32_t ftl_vfl_verify_checksum(uint32_t bank)<br />
{<br />
uint32_t checksum1, checksum2;<br />
ftl_vfl_calculate_checksum(bank, &amp;checksum1, &amp;checksum2);<br />
if (checksum1 == ftl_vfl_cxt[bank].checksum1) return 0;<br />
/* The following line is pretty obviously a bug in Whimory,<br />
but we do it the same way for compatibility. */<br />
if (checksum2 != ftl_vfl_cxt[bank].checksum2) return 0;<br />
return 1;<br />
}<br />
<br />
== The FTL ==<br />
The FTL is responsible for handling writes that are smaller than the smallest eraseable unit (1 "hyperblock") and performs wear leveling.<br />
<br />
=== FTL Context ===<br />
/* Keeps the state of the FTL, both on flash and in memory */<br />
struct ftl_cxt_type<br />
{<br />
<br />
/* Update sequence number of the FTL context, decremented<br />
every time a new revision of FTL meta data is written. */<br />
uint32_t usn;<br />
<br />
/* Update sequence number for user data blocks. Incremented<br />
every time a portion of user pages is written, so that<br />
a consistency check can determine which copy of a user<br />
page is the most recent one. */<br />
uint32_t nextblockusn;<br />
<br />
/* Count of currently free pages in the block pool */<br />
uint16_t freecount;<br />
<br />
/* Index to the first free hyperblock in the blockpool ring buffer */<br />
uint16_t nextfreeidx;<br />
<br />
/* This is a counter that is used to better distribute block<br />
wear. It is incremented on every block erase, and if it<br />
gets too high (300 on writes, 20 on sync), the most and<br />
least worn hyperblock will be swapped (causing an additional<br />
block write) and the counter will be decreased by 20. */<br />
uint16_t swapcounter;<br />
<br />
/* Ring buffer of currently free hyperblocks. nextfreeidx is the<br />
index to freecount free ones, the other ones are currently<br />
allocated for scattered page hyperblocks. */<br />
uint16_t blockpool[0x14];<br />
<br />
/* Alignment to 32 bits */<br />
uint16_t field_36;<br />
<br />
/* vPages where the block map is stored */<br />
uint32_t ftl_map_pages[8];<br />
<br />
/* Probably additional map page number space for bigger chips */<br />
uint8_t field_58[0x28];<br />
<br />
/* vPages where the erase counters are stored */<br />
uint32_t ftl_erasectr_pages[8];<br />
<br />
/* Seems to be padding */<br />
uint8_t field_A0[0x70];<br />
<br />
/* Pointer to ftl_map used by Whimory, not used by us */<br />
uint32_t ftl_map_ptr;<br />
<br />
/* Pointer to ftl_erasectr used by Whimory, not used by us */<br />
uint32_t ftl_erasectr_ptr;<br />
<br />
/* Pointer to ftl_log used by Whimory, not used by us */<br />
uint32_t ftl_log_ptr;<br />
<br />
/* Flag used to indicate that some erase counter pages should be committed<br />
because they were changed more than 100 times since the last commit. */<br />
uint32_t erasedirty;<br />
<br />
/* Seems to be unused */<br />
uint16_t field_120;<br />
<br />
/* vBlocks used to store the FTL context, map, and erase<br />
counter pages. This is also a ring buffer, and the oldest<br />
page gets swapped with the least used page from the block<br />
pool ring buffer when a new one is allocated. */<br />
uint16_t ftlctrlblocks[3];<br />
<br />
/* The last used vPage number from ftlctrlblocks */<br />
uint32_t ftlctrlpage;<br />
<br />
/* Set on context sync, reset on write, so obviously never<br />
zero in the context written to the flash */<br />
uint32_t clean_flag;<br />
<br />
/* Seems to be unused, but gets loaded from flash by Whimory. */<br />
uint8_t field_130[0x15C];<br />
<br />
} __attribute__((packed));<br />
<br />
=== FTL mounting procedure ===<br />
* Make sure the VFLs are mounted<br />
* Get the FTL context vBlock numbers from the most-recently updated VFL context<br />
* Read the first page of the FTL context vBlocks. Remember the number of the vBlock that contains the readable FTL meta page (of any kind) with the highest USN as it's first page.<br />
* Start reading pages from the end of that hyperblock, until a readable page is hit. If it is an FTL context page, use that as the FTL context, else complain about an unclean shutdown.<br />
* Read the block map and erase counter pages pointed to by the FTL context<br />
* Initialize the scattered page, problem log and erase counter dirt information.<br />
<br />
=== lPage read procedure ===<br />
* Calculate the lBlock number from the lPage, and look it up in the block map. Use the same page number within the block.<br />
* If there is a scattered page entry for the lBlock, that contains the requested page, use that instead.<br />
* Read the vPage<br />
* If it was unprogrammed, return an all-zero result.<br />
* If there was an error, zero the result and return an error.<br />
<br />
=== lPage write procedure ===<br />
* Yet to be documented<br />
<br />
=== FTL sync/shutdown procedure ===<br />
* Yet to be documented<br />
<br />
=== FTL context update procedure ===<br />
* Yet to be documented<br />
<br />
== Error handling ==<br />
* Yet to be documented<br />
<br />
== Scattered page blocks ==<br />
* Yet to be documented<br />
<br />
== Page metadata (spare bytes) ==<br />
/* Layout of the spare bytes of each page on the flash */<br />
union ftl_spare_data_type<br />
{<br />
<br />
/* The layout used for actual user data (types 0x40 and 0x41) */<br />
struct ftl_spare_data_user_type<br />
{<br />
<br />
/* The lPage, i.e. Sector, number */<br />
uint32_t lpn;<br />
<br />
/* The update sequence number of that page,<br />
copied from ftl_cxt.nextblockusn on write */<br />
uint32_t usn;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_8;<br />
<br />
/* Type field, 0x40 (data page) or 0x41<br />
(last data page of hyperblock) */<br />
uint8_t type;<br />
<br />
/* ECC mark, usually 0xFF. If an error occurred while reading the<br />
page during a copying operation earlier, this will be 0x55. */<br />
uint8_t eccmark;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_B;<br />
<br />
/* ECC data for the user data */<br />
uint8_t dataecc[0x28];<br />
<br />
/* ECC data for the first 0xC bytes above */<br />
uint8_t spareecc[0xC];<br />
<br />
} __attribute__((packed)) user;<br />
<br />
/* The layout used for meta data (other types) */<br />
struct ftl_spare_data_meta_type<br />
{<br />
<br />
/* ftl_cxt.usn for FTL stuff, ftl_vfl_cxt.updatecount for VFL stuff */<br />
uint32_t usn;<br />
<br />
/* Index of the thing inside the page,<br />
for example number / index of the map or erase counter page */<br />
uint16_t idx;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_6;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_7;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_8;<br />
<br />
/* Type field:<br />
0x43: FTL context page<br />
0x44: Block map page<br />
0x46: Erase counter page<br />
0x47: "FTL is currently mounted", i.e. unclean shutdown, mark<br />
0x80: VFL context page */<br />
uint8_t type;<br />
<br />
/* ECC mark, usually 0xFF. If an error occurred while reading the<br />
page during a copying operation earlier, this will be 0x55. */<br />
uint8_t eccmark;<br />
<br />
/* Seems to be unused */<br />
uint8_t field_B;<br />
<br />
/* ECC data for the user data */<br />
uint8_t dataecc[0x28];<br />
<br />
/* ECC data for the first 0xC bytes above */<br />
uint8_t spareecc[0xC];<br />
<br />
} __attribute__((packed)) meta;<br />
<br />
};</div>Owixyze