Difference between revisions of "Modes"

From freemyipod.org
Jump to: navigation, search
 
(36 intermediate revisions by 10 users not shown)
Line 1: Line 1:
Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.
+
iPods have special modes that they can boot into called disk mode, DFU mode, and debug mode.
  
 
==Disk mode==
 
==Disk mode==
Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the [http://www.ipodlinux.org/wiki/Key_Combinations Key Combination] page from iPodLinux Wiki.
+
Disk mode has existed ever since the iPod has existed. Disk mode is stored in different locations (depends on the iPod model). Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode, refer to [http://support.apple.com/kb/ht1363 this Apple support document].
  
 
[[Image:Diskmode.jpg]]  
 
[[Image:Diskmode.jpg]]  
Line 9: Line 9:
  
 
==DFU mode==
 
==DFU mode==
DFU mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.
+
DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors.
  
The nano 2G also has a DFU mode, but that one is probably booted of the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet found out how to communicate with a Nano 2G in DFU mode, not even iTunes can do that.
+
The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board or flashing the NOR with an image with a wrong signature/hash. There's a NOR DFU mode though, that can be entered by holding down BACK+PLAY right after rebooting the device.
  
===Getting DFU mode on 3G/4G===
+
===Getting DFU mode on iPod Classic, Nano 3G and newer ===
 +
There is a video that explain how to do this. [http://youtu.be/Y_bIDtBohnE Watch it here].
 
# Make sure your iPod is turned on and connected to your computer.
 
# Make sure your iPod is turned on and connected to your computer.
# Press the menu button and select (central) button simultaneously.
+
# Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely)
# The iPod's screen will go black, and the Apple logo will shortly appear.
+
# The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC.  
# Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
 
# Release the menu and select buttons.
 
  
You should see this device on you usb listing (lsusb):
+
You can use lsusb to determine if your iPod is in DFU mode. 05ac is the Vendor ID (Apple), and the number after the colon is the Product ID. The Product ID depends on whether the iPod is in DFU mode or not. Here is a table of Product IDs:
<pre>
+
{| class="wikitable"
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc.  (for 3G)
+
! Device !! Normal !! DFU !! WTF
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc.  (for 4G)
+
|-
</pre>
+
| Nano 2G
 +
| 1260
 +
| 1220
 +
| 1240
 +
|-
 +
| Nano 3G
 +
| 1262
 +
| 1223/1224
 +
| 1242
 +
|-
 +
| Nano 4G
 +
| 1263
 +
| 1225
 +
| 1243
 +
|-
 +
| Nano 5G
 +
| 1265
 +
| 1231
 +
| 1246
 +
|-
 +
| Nano 6G
 +
| 1266
 +
| 1232
 +
| 1248
 +
|-
 +
| Classic 1G
 +
| 1261
 +
| 1223
 +
| 1241
 +
|-
 +
| Classic 2G
 +
| 1261
 +
| 1223
 +
| 1245
 +
|-
 +
| Classic 3G
 +
| 1261
 +
| 1223
 +
| 1247
 +
|}
  
The product ID depends on whether the iPod is in DFU mode or not. For example, when a 4G Nano is not in DFU mode, lsusb returns:
+
Sources:
<pre>
 
Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
 
*example for 3G needed*
 
</pre>
 
  
05ac is the vendor ID (apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.
+
http://www.linux-usb.org/usb.ids
  
The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.
+
http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY
  
===Using the dfu-utils===
+
===DFU utility===
While in DFU mode, you should be able to read and write the iPod's firmware. The tool that allows this is called dfu-util. On a Debian-based system, it can be obtained by the following command:
+
TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in [http://svn.freemyipod.org/tools/ipoddfu/ the SVN repository].
<pre>apt-get dfu-util</pre>
 
We have not yet been able to extract the firmware off of the iPod via DFU mode. Using this command, the same 64-byte sequence is repeated until the command is aborted. This should be worked on to figure out how to properly read and write the firmware using dfu-util.
 
<pre>dfu-util -t 64 -U ipod</pre>
 
  
 
==Debug (diagnostics) mode==
 
==Debug (diagnostics) mode==
Line 46: Line 77:
  
 
==Helpful pages==
 
==Helpful pages==
 +
http://www.ipodlinux.org/wiki/Key_Combinations
 +
 
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
 
http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/
  
 
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
 
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
 +
 +
http://www.usb.org/developers/devclass_docs/usbdfu10.pdf

Latest revision as of 20:34, 1 April 2012

iPods have special modes that they can boot into called disk mode, DFU mode, and debug mode.

Disk mode

Disk mode has existed ever since the iPod has existed. Disk mode is stored in different locations (depends on the iPod model). Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode, refer to this Apple support document.

Diskmode.jpg

(iPodLinux project)

DFU mode

DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 2G) is contained in the on-processor bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors.

The Nano 2G also has a DFU mode, but this mode can only be entered by shorting testpoints on the circuit board or flashing the NOR with an image with a wrong signature/hash. There's a NOR DFU mode though, that can be entered by holding down BACK+PLAY right after rebooting the device.

Getting DFU mode on iPod Classic, Nano 3G and newer

There is a video that explain how to do this. Watch it here.

  1. Make sure your iPod is turned on and connected to your computer.
  2. Press and hold the menu and select buttons for between 10 and 15 seconds (The iPod starts to reboot after about 5 seconds, keep holding the buttons until it seems to turn off completely)
  3. The display of your iPod should now stay black, and a new USB device called "USB DFU Device" should connect to your PC.

You can use lsusb to determine if your iPod is in DFU mode. 05ac is the Vendor ID (Apple), and the number after the colon is the Product ID. The Product ID depends on whether the iPod is in DFU mode or not. Here is a table of Product IDs:

Device Normal DFU WTF
Nano 2G 1260 1220 1240
Nano 3G 1262 1223/1224 1242
Nano 4G 1263 1225 1243
Nano 5G 1265 1231 1246
Nano 6G 1266 1232 1248
Classic 1G 1261 1223 1241
Classic 2G 1261 1223 1245
Classic 3G 1261 1223 1247

Sources:

http://www.linux-usb.org/usb.ids

http://www.trejan.com/projects/ipod/phobos.html#DFURECOVERY

DFU utility

TheSeven has written libipoddfu.py for communicating with the iPod's DFU interface. It also has a utility called ipoddfu.py for uploading files in DFU mode. These utilities can be found in the SVN repository.

Debug (diagnostics) mode

This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot.

Helpful pages

http://www.ipodlinux.org/wiki/Key_Combinations

http://daniel.haxx.se/blog/2008/09/03/dfu-mode-on-2nd-gen-nanos/

http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf

http://www.usb.org/developers/devclass_docs/usbdfu10.pdf