Difference between revisions of "RetailOS"
LemonJesus (talk | contribs) m (Un-dead the Twitter link talking about Pixo.) |
LemonJesus (talk | contribs) m (add a RTXC 3.2 training manual I found on archive.org) |
||
Line 444: | Line 444: | ||
* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] | * [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)] | ||
+ | * [https://archive.org/details/manualzilla-id-5752851 RTXC 3.2 Training Manual] |
Latest revision as of 21:44, 9 May 2024
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.
Contents
Naming
The only 'official' name seems to be 'retailOS', found in the Nano 3G WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.
Architecture
retailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.
The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. [1]
Security
As evidenced by the success of the Notes vulnerability, at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial.
Boot chain
retailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.
While other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity.
eApp Signing
Not yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.
Options
We have found some 'secret' options that can be set by creating specially named files. See Options.
Analysis / Memory Layout
Loading RetailOS correctly into a decompiler/disassembler is tricky, as the contents of the IMG1 image are a binary blob which self-relocates to the correct places in memory.
These are the memory segments within RetailOS that we know of (at least on Nano 5G):
Name | Marker | Location in memory | Description |
---|---|---|---|
sram.text | n/a | SRAM 0x22000000 | SRAM-resident code, most of RTXC lives here. |
sram.bss | n/a | SRAM 0x22030000 | SRAM-resident zero data. |
sram.data | n/a | SRAM 0x22030000 + sram_bss_size | SRAM-resident data. |
dram.textdata | hibe | DRAM 0x08000000 | Combined .text and .data which lives in DRAM. Bulk of code lives here. |
dram.frameworks | miscTBD | DRAM 0x08000000 + dram_textdata_size | 'Framework' system of some kind, interfaces used by eApps. |
dram.bss | n/a | DRAM 0x08000000 + dram_textdata_size + dram_frameworks_size | DRAM-resident zero data. |
And here's how the segments are built up within the RetailOS binary blob:
Address | Name | Size |
---|---|---|
Start | sram.text | sram_text_size |
sram.bss | sram_bss_size | |
sram.data | sram_data_size | |
dram.text | dram_text_size | |
End | dram.frameworks | dram_frameworks_size |
(yes, the firmware blob ships a sram.bss physically in the file)
So the goal to be able to load the binary is to figure out the segment sizes and then load them into a decompiler/disassembler.
Here, we'll show how to figure out the segment sizes for N5G. First, load the RetailOS body (without the header!) at 0x22000000 in a decompiler. We load it there (intead of into DRAM as it is done on the device) as the stub relocates to this address first by performing the SRAM .text/.data copies very early in the process, and the code is position independent for only a short time.
Then, look at the start function (follow the reset vector):
void start(void) { // 0x2200505c offs = relocation_offset(); /* ... peeks/pokes to bus matrix periph at 0x3ff00000 ... */ if (offs != 0) { relocate(offs); } (*0x22000000) = 0xea000007; zero_bss(); }
relocation_offset will return 0 if the stub is already at 0x22000000, so will return 0 for the way we've loaded it. On a real device, this will be 0x22000000 - 0x08000000 == 0x1a000000, as the real device loads RetailOS into DRAM first. Thus, relocate() will be called:
void relocate(int offs) { // 0x22005ec8 int iVar1 = -offs; void *blob_start = iVar1 + 0x22000000; memmove(0x22000000, blob_start, 0xe27c); // copy sram.text memzero(0x22000000 + 0xe27c, 0xbc4); // zero out sram.bss within blob memmove(0x22030000, 0x22000000 + 0xe27c + iVar1, 0x20000); // copy sram.bss + sram.data jump_offset(offs); memmove(0x08000000, 0x22000000 + 0xe27c + 0x20000 + iVar1, 0x6c3768); // copy dram.textdata memmove(0x08000000 + 0x6c3768, iVar1 + 0x22000000 + 0xe27c + 0x20000 + 0x6c3768), 0xc40); // copy dram.frameworks start(); return; }
The above listing shows reconstituted address calculations - in a plain decompilation, all the additions will of course be simplified to a single constant. But you should be able to figure out the following:
- sram_text_size is 0xe27c
- sram_bss_size is 0xbc4
- sram_bss_size + sram_data_size is 0x20000
- dram_textdata_size is 0x6c3768
- dram_frameworks_size is 0xc40
Then, in zero_bss we can find the size of dram.bss:
void zero_bss(void) { // 0x22005fec memzero(0x2200e27c, 0xbc4); // zero out sram.bss // inlined memzero: void *start = 0x08000000 + 0x6c3768 + 0xc40; int size = 0x790a84; // ... }
From which we can figure out that the dram.bss segment size is 0x790a84.
Thus we can load the file like so (combining sram.bss and sram.data) into a 'clean' decompiler/disassembler session:
Name | Memory Address | File Offset |
---|---|---|
sram.text | 0x22000000 | 0x00000000 |
sram.bssdata | 0x22030000 | 0x0000e27c |
dram.textdata | 0x08000000 | 0x0002e27c (0xe27c + 0x20000) |
dram.frameworks | 0x086c3768 | 0x006f19e4 (0xe27c + 0x20000 + 0x6c3768) |
dram.bss | 0x086c43a | n/a (0x790a84 zeroes) |
Writing an automated converter into ELF from arbitrary RetailOS blobs is an exercise left to the reader.
RTXC
Documentation
This seems to be the best public document available about RTXC 3.2: DSAAXSA0003458.pdf. It contains example code for most services, but unfortunately is still missing any structure definitions.
There's also some training slides available: 5752851.pdf. These introduce the general architecture and concept of RTXC 3.2.
Services / Syscalls
While RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS. All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface.
The dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism, all caller code is just as privileged as the kernel code.
Service functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (eg. blocking/nonblocking).
The following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly availble RTXC binaries with debug symbols.
Name | Number | Description |
---|---|---|
void KS_pend(SEMA sema) |
0x03 | Semaphore DONE -> PENDING. |
RTXCMSG *KS_receive(MBOX mailbox, TASK task) |
0x05 | Receive from mailbox. |
KSRC KS_enqueue[w](QUEUE queue, void *entry) |
0x0c | Push into FIFO (and block if full with 'w' variant). |
void KS_dequeue[w](QUEUE queue, void *dest) |
0x0d | Pop from FIFO (and block if empty with 'w' variant). |
KSRC KS_lock(RESOURCE resource) |
0x0e | Lock a resource. |
KSRC KS_lockt(RESOURCE resource, TICKS timoeut) |
0x0e | Lock a resource with timeout. |
KSRC KS_unlock(RESOURCE resource) |
0x0f | Unlock an owned resource. |
CLKBLK *KS_alloc_timer(void) |
0x10 | Allocate next free timer from pool. |
CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema) |
0x12 | Start timer. |
KSRC KS_stop_timer(CLKBLK *timer) |
0x13 | Stop timer. |
void KS_delay(TASK task, TICKS period) |
0x14 | Block specified task for a period of time. |
void KS_execute(TASK task) |
0x15 | Start a task from its beginning address. |
KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void)) |
0x16 | Define the attributes of an inactive task. |
TASK KS_alloc_task(void) |
0x17 | Allocate the next available Task Control Block from the pool of free TCBs. |
void KS_terminate(TASK task) |
0x18 | Stop a task by setting it to INACTIVE. |
void KS_suspend(TASK task) |
0x19 | Suspend a task until resumed or re-executed. |
void KS_defpriority(TASK task, PRIORITY priority) |
0x1b | Define or set priority of task. |
void KS_yield(void) |
0x1c | Voluntary release of control to any other task of the same priority. |
SEMA KS_waitm(SEMA *semalist) |
0x22 | Wait on multiple semaphores. |
time_t KS_inqtime(void) |
0x24 | Get current time-of-day. |
void KS_deftime(time_t time) |
0x25 | Set current time-of-day. |
TASK KS_inqres(RESOURCE resource) |
0x26 | Get owner of resource. |
KSRC KS_defres(RESOURCE resource, RESATTR condition) |
0x27 | Define priority inversion on resource. |
void *KS_inqtask_arg(TASK task) |
0x28 | Get environment arguments of task. |
void KS_deftask_arg(TASK task, void *arg) |
0x29 | Set environment arguments for task. |
KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize) |
0x2e | Define queue. |
int KS_user(int (*func) (void *), void *arg) |
0x30 | Execute function as if it were kernel service. |
The RTXC memory allocation facilities (KS_alloc/free/create_part/alloc_part/defpart/free_part
) are not used by retailOS and not built into the service dispatcher, at least on Nano 5G.
Semaphores
The following semaphores are defined in the Nano 3G retailOS:
Number | Name | Description |
---|---|---|
0x01 | S_FW_PWR_CHANGE |
|
0x02 | S_BAT_PWR_CHANGE |
|
0x03 | S_USB_PWR_CHANGE |
|
0x04 | S_CNA_CHANGE |
|
0x05 | S_WHEEL_CHANGE |
|
0x06 | S_DISKMGRQ |
|
0x07 | S_TOPPLUG_SWITCH |
|
0x08 | S_RTCTIMERMGR |
|
0x09 | S_ALARM_01 |
|
0x0a | S_ALARM_02 |
|
0x0b | S_ALARM_03 |
|
0x0c | S_WATCHDOG |
|
0x0d | S_CPUMGRQ |
|
0x0e | S_PCFPOWERMGR |
|
0x0f | S_POWER_STATE_AC |
|
0x10 | S_CGR_STATE_TMR |
|
0x11 | S_DEEPSLEEP |
|
0x12 | S_ALARM_DONE |
|
0x13 | S_PIEZOMGR |
|
0x14 | S_PIEZOMGRSNDR |
|
0x15 | S_PIEZODONE |
|
0x16 | S_ACCPOWER |
|
0x17 | S_ACC_REINIT |
|
0x18 | S_TOPPLUGSENSER |
|
0x19 | S_TOPPLUGCHANGE |
|
0x1a | S_BTMCONNECT |
|
0x1b | S_BTMPLUGCHANGE |
|
0x1c | S_BTMREVERIFY |
|
0x1d | S_BTMREVERTIMED |
|
0x1e | S_BTMVERCOMP |
|
0x1f | S_TOPACCPKTRCVD |
|
0x20 | S_BTMACCPKTRCVD |
|
0x21 | S_SERIALIDRCVD |
|
0x22 | S_UARTATXEMPTY |
|
0x23 | S_UARTBTXEMPTY |
|
0x24 | S_HDDSCANCOMP |
|
0x25 | S_BL_ON |
|
0x26 | S_BL_OFF |
|
0x27 | S_BL_RAMPDOWN |
|
0x28 | S_BL_RAMPUP |
|
0x29 | S_BL_TIMESUP |
|
0x2a | S_BATT_TIMESUP |
|
0x2b | S_BATT_AC_PWR |
|
0x2c | S_BATT_TMR_RST |
|
0x2d | S_GRAPHMGR |
|
0x2e | S_VBL |
|
0x2f | S_DTVRECOVERY |
|
0x30 | S_CM_HEADPHONE |
|
0x31 | S_CM_EXTPOWER |
|
0x32 | S_CM_ACCATTACHED |
|
0x33 | S_CM_DAC_SETUP |
|
0x34 | S_ATAWRKLPRDY |
|
0x35 | S_RTXCBUG |
|
0x36 | S_BLOCKDEVICE |
|
0x37 | S_BLOCKDEVICEQ |
|
0x38 | S_DISPLAY |
|
0x39 | S_ARB_READY |
|
0x3a | S_I2C_DONE |
|
0x3b | S_VSYNC |
There are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet).
Queues
The following queues are defined in the Nano 3G retailOS:
Number | Name | Description |
---|---|---|
0x01 | PIXORESQ | |
0x02 | PIXOSEMAQ | |
0x03 | POSIXRESQ | |
0x04 | POSIXSEMAQ |
Mailboxes
The following mailboxes are defined in the Nano 3G retailOS:
Number | Name | Description |
---|---|---|
0x01 | M_DISKMGR | |
0x02 | M_PIEZOMGR | |
0x03 | M_GRAPHMGR | |
0x04 | M_BLOCKDEVICE | |
0x05 | M_DISPLAY |
Resources
The following lockable resources are defined in the Nano 3G retailOS:
Number | Name | Description |
---|---|---|
0x01 | GPIO_REG_WRITE | |
0x02 | GPIO_INT_INIT | |
0x03 | RTC_TIME_ADJUST | |
0x04 | RTC_ALARM_ADJUST | |
0x05 | I2C_MASTER | |
0x06 | USB_GRANT | |
0x07 | USB_RESP_INIT | |
0x08 | USB_RESPONDER | |
0x09 | DISKPWRMGRSEND | |
0x0a | PIEZOMGRSEND | |
0x0b | SERIALVERIFIER | |
0x0c | RESISTORVERIFIER | |
0x0d | FW_IRAM | |
0x0e | ACCPOWER | |
0x0f | UARTA | |
0x10 | UARGB | |
0x11 | PMU_LOCK | |
0x12 | ADC_LOCK | |
0x13 | DTV_ENC_INIT | |
0x14 | BACKLIGHT |