Difference between revisions of "Modes"

From freemyipod.org
Jump to: navigation, search
(Added DFU lsusb -v of nano 4g)
(Sorry for this one, used a corrupt lsusb. will redo it tomorrow.)
Line 90: Line 90:
   (Bus Powered)
   (Bus Powered)
Verbose Output from a Nano 4g in DFU mode:
Bus XXX Device YYY Apple Computer, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType        1
  bcdUSB              1.00
  bDeviceClass            9 Hub
  bDeviceSubClass        0 Unused
  bDeviceProtocol        0 Full speed (or root) hub
  bMaxPacketSize0        8
  idVendor          0x05ac Apple Computer, Inc.
  idProduct          0x8005
  bcdDevice            1.10
  iManufacturer          2
  iProduct                1
  iSerial                0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                10
    bDescriptorType        2
    wTotalLength          27
    bNumInterfaces          1
    bConfigurationValue    1
    iConfiguration          0
    bmAttributes        0x60
      (Missing must-be-set bit!)
      Self Powered
      Remote Wakeup
    MaxPower                0mA
    Interface Descriptor:
      bLength                9
      bDescriptorType        4
      bInterfaceNumber        0
      bAlternateSetting      0
      bNumEndpoints          1
      bInterfaceClass        9 Hub
      bInterfaceSubClass      0 Unused
      bInterfaceProtocol      0 Full speed (or root) hub
      iInterface              0
      Endpoint Descriptor:
        bLength                8
        bDescriptorType        5
        bEndpointAddress    0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type              None
          Usage Type              Data
        wMaxPacketSize    0x0008  1x 8 bytes
        bInterval              32
can't get hub descriptor: Undefined error: 0
Device Status:    0x0001
  Self Powered
===Crafting a DFU util for the Nanos===
===Crafting a DFU util for the Nanos===

Revision as of 04:08, 22 August 2009

Nanos have special modes that they can boot into called disk mode, DFU mode, and debug mode.

Disk mode

Disk mode has existed ever since the iPod has existed. Disk mode is stored in the 1MB NOR auxillary flash (along with the bootloader), so this is pretty much always there, no matter what sort of tampering you have done. Disk mode basically makes the iPod behave as a massive storage device, allowing the computer to directly read and write the data flash chip. For more information on how to enter Disk mode (or Reboot), refer to the Key Combination page from iPodLinux Wiki.


(iPodLinux project)

DFU mode

DFU (Device Firmware Upgrade) mode is a relatively new standard for upgrading firmware that is used in many devices like the OpenMoko and the newer iPods. DFU mode (since nano 3G) is probably contained in the on-processor's bootrom. Newer iPods have both DFU mode and disk mode, while iPod Touch and iPhones have exclusively DFU mode. It is worth noting that DFU mode was implemented at the exact time that Apple switched from PortalPlayer to Samsung processors, and also exactly when the firmware was encrypted. There could be a relationship.

The nano 2G also has a DFU mode, but that one is probably booted of the NOR flash instead of mask ROM, and doesn't seem to have anything in common with the newer DFU modes. It is not yet found out how to communicate with a Nano 2G in DFU mode, not even iTunes can do that.

Getting DFU mode on 3G/4G

  1. Make sure your iPod is turned on and connected to your computer.
    N4G DFU.png
  2. Press the menu button and select (central) button simultaneously.
  3. The iPod's screen will go black, and the Apple logo will shortly appear.
  4. Keep on pressing till the Apple logo turns into a black screen. This is about 10 seconds.
  5. Release the menu and select buttons.

You should see this device on you usb listing (lsusb):

Bus XXX Device YYY: ID 05ac:1223 Apple, Inc.  (for 3G)
Bus XXX Device YYY: ID 05ac:1224 Apple, Inc.  (also possible for 3G)
Bus XXX Device YYY: ID 05ac:1225 Apple, Inc.  (for 4G)

The product ID depends on whether the iPod is in DFU mode or not.

Nano 4G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1263 Apple, Inc.
Nano 3G *not* in DFU mode : Bus XXX Device YYY: ID 05ac:1262 Apple, Inc. 

05ac is the vendor ID (apple), and the number after the colon is the Product ID. It might be worth finding out whether different firmwares return different product IDs in DFU or normal mode.

To the right is an image of the 4G's DFU specifications. The DFU seems to be version 1.1 based on USB's spec documents (see below links). We need more devices! Email on mailing list if you can help!

The 4G Nano's .ipsw file has a file named N58s.bootloader.release.rb3, and it is possible that this file is used for DFU mode.

More verbose output from lsusb run on a Nano 3G in DFU mode :

Bus XXX Device YYY: ID 05ac:1223 Apple, Inc. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x05ac Apple, Inc.
  idProduct          0x1223 
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 USB DFU Device
  iSerial                 3 87020000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2 
      iInterface              0 
      ** UNRECOGNIZED:  09 21 03 0a 00 00 08 00 01
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)

Crafting a DFU util for the Nanos

While in DFU mode, you should be able to read and write the iPod's firmware. The most promising DFU utility out there is the modified dfu-util by planetbeing in the xpwn repositiory. This is a modified version of OpenMoko's original. It can be used with the iPod Touch and the iPhone. Those and the iPod Nanos most likely use similar protocols, so it might work right away or with little modification. This is probably most compatible with the 4G Nano. As stated by this mailing list post, there is also another DFU utility for the Meizu player in the Rockbox SVN repo. The Meizu uses a 8700 series processor, just like the older Nanos do. We could use a USB sniffer on a Windows machine and examine the protocol. Using our knowledge of the iPod Nano's DFU protocol, we could make any necessary changes to the Meizu DFU util and be able to use it with the Nanos.

Cmwslw has already set up a Windows virtual box and gotten a sniffer up an running, but he has not yet tried running iTunes with an iPod in DFU mode.

Debug (diagnostics) mode

This mode will give quite a lot of info about your iPod. Except for the very first iPods, it can be accessed by holding center and rewind when the apple logo appears during reboot.

Helpful pages