RetailOS
The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.
Naming
The only 'official' name seems to be 'RetailOS', found in the Nano 3G WTF. It is also referred to as 'osos', after its file name in the resource partition of the firmware bundle.
Architecture
RetailOS is a small, embedded, single-user, single-binary, real-time operating system. Over time it acquired more and more complex functionality, such as PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.
The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. [1]
Security
As evidenced by the success of the Notes vulnerability, at least up to the Nano 4G there was no security hardening of any kind; in fact all code, including games, appears to run in ARM system mode, a fully privileged mode, so a bug in any task (not just the OS core) yields control of the whole device. This should make exploitation of newer RetailOS bugs comparatively trivial.
Boot chain
RetailOS is loaded from NAND into DRAM by the second-stage bootloader, which itself lives on NOR or NAND depending on the device generation.
While the other stages of the boot chain (e.g. the bootloader, WTF mode on newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity.
eApp Signing
Not yet fully documented. Each game ships with a Manifest.plist.p7p, which appears to be a PKCS#7 signature over the game's main Manifest.plist.
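As an added example, not code from the freemyipod project or from Apple's firmware: the script below shows how a detached PKCS#7 signature over a manifest behaves in practice. Apple's real eApp signing certificate and trust anchor are not documented here, so the script generates a throwaway self-signed certificate and assumes it as the anchor; the Manifest.plist content is constructed, not taken from a real game bundle. It signs the manifest into a Manifest.plist.p7p, verifies it, and shows that changing a single byte of the manifest makes verification fail. The show_signer function is the inspection you would run on a real .p7p to list the embedded certificates.

```shell
#!/bin/sh
# Added example (not from the freemyipod project): detached PKCS#7 signature
# over a manifest. Signer key/cert are generated here and stand in for
# Apple's; the manifest is constructed. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for a game's Manifest.plist (not real bundle content).
make_manifest() {
    cat > "$WORK/Manifest.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.eapp</string>
  <key>CFBundleVersion</key><string>1.0</string>
</dict></plist>
EOF
}

# Throwaway self-signed signing certificate. Assumption: Apple's real chain is
# not documented here, so our own cert is used as the trust anchor.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=throwaway-eapp-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Detached DER PKCS#7 over the manifest bytes: the .p7p carries the signer
# certificate and the signed digest, not the manifest itself.
sign_manifest() {
    openssl smime -sign -binary -in "$WORK/Manifest.plist" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -outform DER -out "$WORK/Manifest.plist.p7p"
}

# Exit 0 only if the .p7p signature covers exactly the bytes of file $1 and
# the signer chains to the trusted certificate.
verify_manifest() {
    openssl smime -verify -binary -inform DER \
        -in "$WORK/Manifest.plist.p7p" -content "$1" \
        -CAfile "$WORK/cert.pem" -purpose any \
        -out /dev/null >/dev/null 2>&1
}

# Inspection step for a real .p7p: list embedded certificates (subject and
# issuer) without verifying anything.
show_signer() {
    openssl pkcs7 -inform DER -in "$WORK/Manifest.plist.p7p" \
        -print_certs -noout
}

# End-to-end check: the genuine manifest verifies, a one-byte change does not.
tamper_check() {
    make_manifest
    make_signer
    sign_manifest
    verify_manifest "$WORK/Manifest.plist" || {
        echo "unexpected: genuine manifest rejected"; return 1; }
    sed 's/<string>1.0</<string>1.1</' "$WORK/Manifest.plist" \
        > "$WORK/Tampered.plist"
    if verify_manifest "$WORK/Tampered.plist"; then
        echo "unexpected: tampered manifest accepted"; return 1
    fi
    echo "genuine manifest accepted, tampered manifest rejected"
}

tamper_check
show_signer
```

On a real bundle, `openssl asn1parse -inform DER -in Manifest.plist.p7p` dumps the full ASN.1 structure of the signature file, which is the starting point for working out which certificate chain and digest algorithm Apple actually used.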
Options
We have found some 'secret' options that can be set by creating specially named files. See Options.
RTXC
Services / Syscalls
This table comes from cross-referencing RetailOS with publicly available RTXC documentation (PDFs) and publicly available RTXC binaries that still carry debug symbols.
Name | Number | Description
---|---|---
void KS_pend(SEMA sema) | 0x03 | Semaphore DONE -> PENDING.
RTXCMSG *KS_receive(MBOX mailbox, TASK task) | 0x05 | Receive from mailbox.
KSRC KS_enqueue[w](QUEUE queue, void *entry) | 0x0c | Push into FIFO (the 'w' variant blocks if full).
void KS_dequeue[w](QUEUE queue, void *dest) | 0x0d | Pop from FIFO (the 'w' variant blocks if empty).
KSRC KS_lock(RESOURCE resource) | 0x0e | Lock a resource.
KSRC KS_lockt(RESOURCE resource, TICKS timeout) | 0x0e | Lock a resource with timeout.
KSRC KS_unlock(RESOURCE resource) | 0x0f | Unlock an owned resource.
CLKBLK *KS_alloc_timer(void) | 0x10 | Allocate next free timer from pool.
CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema) | 0x12 | Start timer.
KSRC KS_stop_timer(CLKBLK *timer) | 0x13 | Stop timer.
void KS_delay(TASK task, TICKS period) | 0x14 | Block specified task for a period of time.
void KS_execute(TASK task) | 0x15 | Start a task from its beginning address.
KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void)) | 0x16 | Define the attributes of an inactive task.
TASK KS_alloc_task(void) | 0x17 | Allocate the next available Task Control Block from the pool of free TCBs.
void KS_terminate(TASK task) | 0x18 | Stop a task by setting it to INACTIVE.
void KS_suspend(TASK task) | 0x19 | Suspend a task until resumed or re-executed.
void KS_defpriority(TASK task, PRIORITY priority) | 0x1b | Define or set priority of task.
void KS_yield(void) | 0x1c | Voluntary release of control to any other task of the same priority.
SEMA KS_waitm(SEMA *semalist) | 0x22 | Wait on multiple semaphores.
time_T KS_inqtime(void) | 0x24 | Get current time-of-day.
??? | 0x25 | Used in RetailOS; not yet identified.
TASK KS_inqres(RESOURCE resource) | 0x26 | Get owner of resource.
KSRC KS_defres(RESOURCE resource, RESATTR condition) | 0x27 | Define priority-inversion handling for a resource.
void *KS_inqtask_arg(TASK task) | 0x28 | Get environment arguments of task.
void KS_deftask_arg(TASK task, void *arg) | 0x29 | Set environment arguments for task.
KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize) | 0x2e | Define queue.
??? | 0x30 | Used in RetailOS; not yet identified.