Difference between revisions of "RetailOS"

From freemyipod.org
m (Q3k moved page OSOS to RetailOS)
Line 7: Line 7:
 
== Architecture ==
 
== Architecture ==
  
OSOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.
+
RetailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.
  
 
The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>
 
The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://twitter.com/johnwhitley/status/1451952369248264201</ref>
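Review bot: the rewritten Architecture sentence still reads "With time it acquire more and more complex functionality". Since the line is already being changed for the rename, fix the verb to "acquired" in the same edit.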
Line 13: Line 13:
 
== Security ==
 
== Security ==
  
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer OSOS bugs trivial.
+
As evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial.
  
 
=== Boot chain ===
 
=== Boot chain ===
  
OSOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.
+
RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.
  
While other stages of the boot chain (eg. the bootloader, WTF mode, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, OSOS is a single binary blob without any built-in modularity.
+
While other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity.
  
 
=== eApp Signing ===
 
=== eApp Signing ===
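Review bot: in the Boot chain paragraph, the added qualifier "WTF mode in newer devices" is a factual change riding along with a rename that is flagged as minor, and it does not say which generations it covers. Name the device generations where WTF mode is EFI-based, or put the qualifier in a separate, non-minor edit with a source.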
Line 27: Line 27:
 
== Options ==
 
== Options ==
  
We have found some 'secret' options that can be set by creating specially named files. See [[OSOS_Options|Options]].
+
We have found some 'secret' options that can be set by creating specially named files. See [[RetailOS_Options|Options]].
  
 
== External links ==
 
== External links ==
  
 
* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]
 
* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]
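Review bot: the Options link now targets [[RetailOS_Options|Options]], but the edit summary only records moving OSOS to RetailOS. Confirm that OSOS_Options was moved as well, or that a redirect exists at the new title, before changing the link target.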

Revision as of 16:13, 12 February 2023

The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.

Naming

The only 'official' name seems to be 'RetailOS', found in the Nano 3G WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.

Architecture

RetailOS is a small, embedded, single-user, single-binary, real-time operating system. Over time it acquired more and more complex functionality, like PowerVR drivers and the ability to load external applications ('eApps'), which are used for games.

The core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. [1]

Security

As evidenced by the success of the Notes vulnerability, at least up to Nano 4G there was no security hardening of any kind, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer RetailOS bugs trivial.

Boot chain

RetailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.

While other stages of the boot chain (e.g. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, RetailOS is a single binary blob without any built-in modularity.

eApp Signing

Not yet fully documented. Each game seems to ship with a Manifest.plist.p7p, which is a PKCS#7 signature for the main Manifest.plist.

Options

We have found some 'secret' options that can be set by creating specially named files. See Options.

External links

  • https://twitter.com/johnwhitley/status/1451952369248264201