Nano2G HW analysis

From freemyipod.org
Revision as of 01:04, 24 November 2010 by Owixyze (talk | contribs)
Jump to: navigation, search


This Page Is Currently Under Construction And Will Be Available Shortly, Please Visit Reserve Copy Page


CLICK HERE


Top layer, including JTAG
Bottom layer

Nano 2g frt a.png Nano 2g bck a.png

previous work

See Nano 2G.

SOC analysis

S5L8701_analysis

Circuit analysis

After desoldering all components, the circuit was analyzed with a continuity tester.

Small test needles (nailbed needles are great) were used for contacting.

For easing the search, a more coarse search was first performed by a novel method : soldering a coil wire to one end, and moving a iron wool pad over the rest of the PCB until the tester beeps. After finding a spot, the needle allows to find the exact pad.

Not all connection were routed, mainly the connections to the S5L8701 SOC.

Results are a detailed pinout of the 8701

See also S5L8701_analysis.

JTAG

The jtag was found after searching with a jtag bruteforce scanner i wrote.(to be published later) There were a lot of problems, including the scanner not working properly, and a nTRST pin. (still cannot understand why).

But now we have the locations of the pins : see picture

pin locations

.

The pins are basically available on the DOCK connector after putting in place some jumpers (2 for nTRST, 1 for other pins).

After connecting a xilinx parallel cable, and installing openwince, we can try to connect to the JTAG :

The screen freezes directly when we use the JTAG. This seems to be a protection against hackers, but it could also be an issue with openocd. In fact, the ARM 940T processor is still fully functionnal, but it gets disconnected from the main bus, all memories are not reachable any more. The only memory preserved are the Data and instruction caches.

JTAG cache dumps

As the caches are mainly alive, we focused first on dumping whatever the cache contained. As the caches are mostly not activated through the boot cycle, we made a lot of cache dumps (Dcache only can be dumped, the Icache can only give the indexes).

We used some openocd and bash scripts. The command "dc" dumps the Dcache, "ic" shows the icache indexes. Be careful, these values can be corrupt due to the mem bus disconnection. We used statistics on many dumps to have helpful dumps (look at dumpsoorter.py).


Please note that the DLC5 cable was modified to include a nSRST pin, and openocd was recompiled for this. It is a desirable feature to have a reset. nTrst was simply tied to the 3.0V power supply, it is just not necessary. Also, one important thing is to cut the power supply during reset, with a MOSFET, for example. If this is not done, the ipod can often go to a "broken battery" state, where the processor thinks the successive resets are due to a defective battery.

Dump example

getting code execution ?

Notes_exploit