Email or username:

Password:

Forgot your password?
All posts daniel://'s posts Post Back to profile
daniel:// stenberg://

How the first gen ipod was reverse engineered to run #Rockbox:

1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!

2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.

(continues...)

7 Dec 2023 at 9:09 | Open on mastodon.social
14 comments
daniel:// stenberg://

3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote a ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.

4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.

(..)

7 Dec 2023 at 9:09 | Open on mastodon.social
daniel:// stenberg://

5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.

6. Using this method, the USB controller memory mapped registers were found and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.

(...)

7 Dec 2023 at 9:10 | Open on mastodon.social
daniel:// stenberg://

7. The initial bootloader to load Rockbox was then just such a crafted HTML file that would load the correct firmware, and since it still worked after reboots it was a pretty neat hack.

8. Eventually the encryption key for the bootloader was found in the SRAM of the running device, and we could encrypt and create custom "real" bootloaders for the devices.

9. Rockbox would then boot and run natively on ipods.

The rest is history.

7 Dec 2023 at 9:10 | Open on mastodon.social
Samuel
Wolf480pl

@bagder I think the html method is cooler, because if you screw up you can just delete the html file if something goes wrong

7 Dec 2023 at 9:41 | Open on mstdn.io
jack

@bagder I loved Rockbox. I had an iPod Mini (found discarded in a house move) and put Rockbox on it in preference to entering the iTunes ecosystem. I configured the clickwheel so a long press Up would toggle "shuffle all". I could navigate to any album/track by doing this, hitting Next until I reached the right album, turning off shuffle and then Next/Back to get to the start of the album or the desired track. All with one hand and keeping my eyes and attention on the road. Not possible with touchscreen UIs!

7 Dec 2023 at 11:42 | Open on strangeobject.space
srslypascal

@bagder This story sounds almost like curl started as a bootloader for Rockbox :D

7 Dec 2023 at 11:57 | Open on chaos.social
Max

@bagder I love the LEGO part! 😄

7 Dec 2023 at 9:37 | Open on det.social
Mattias Wadman
Joan Westenberg

@bagder I find stories like this to be so interesting. And inspiring. Just the level of ingenuity from people who find the ways to hack this stuff together.

7 Dec 2023 at 11:13 | Open on mastodon.social
Andreas K

@Daojoan @bagder Ah, and how much simpler it would be if the manufacturer would not insist on welding the bonnet shut.

Reminds me, that some unis nowadays don't consider iPads computers, as they are so locked down, that you cannot do even their intro to programming courses on them in a sensible way.

7 Dec 2023 at 14:47 | Open on mastodon.social
Alex Markley :mbetv:

@bagder this is really awesome. I had Rockbox on one of the later-gen iPods and used it as my daily driver for YEARS.

7 Dec 2023 at 13:46 | Open on blog.mbe.tv
Ivan
Colin McMillen

@bagder The first gen ipod had a feature to view HTML pages ?? #TIL

7 Dec 2023 at 14:59 | Open on piaille.fr
Go Up