Rockbox Technical Forums

Rockbox Development => New Ports => Topic started by: mctubster on September 14, 2006, 11:44:55 PM

Title: Nano 2G
Post by: mctubster on September 14, 2006, 11:44:55 PM
Looks like the new Nano 2G is not based on the PortalPlayer chips

http://www.eet.com/news/latest/showArticle.jhtml?articleID=193000601

from the article ...

According to the report, the design contrasts with the first-generation Nano, where there were no Apple-marked chips. Wedbush Morgan Securities (Los Angeles) believes one of the Apple-marked chips is Samsung Electronics Co. Ltd.'s S5L8701B05 ARM processor (part #337S3291-8701), occupying the socket formerly supplied by PortalPlayer.

The second mysterious chip is the audio driver and codec (part #338S0310), a socket formerly owned by Wolfson Microelectronics plc. NXP, formerly Philips Semiconductors, provided the power-management chip in the older-generation Nano.

Title: Re: Nano 2G
Post by: scorche on September 15, 2006, 12:06:49 AM
Llorean shared this on IRC, and it seems relevant to put here.  Sadly, they are more stylish photos than high-res scans, but they do the job (somewhat)

iPod nano 2G Disassembly pics (http://gallery.ilounge.com/ipod/thumbnails.php?album=61&page=1)

This (we believe) is the processor:
http://gallery.ilounge.com/ipod/displayimage.php?album=61&pos=29

Sadly, it might be a while before Rockbox will work under these new nanos.

EDIT: I have been searching on Samsung's site for more information (or what little bits I can scrounge up).  The chip is not listed under either their ARM7 or ARM9 product list.  From this page (http://www.samsung.com/Products/Semiconductor/Support/Label_CodeInfo/SystemLSIProductCodeConcept.htm), we know this about the chip so far:
Large Classification: MOS
Small Classification: L
Feature/Serial Number: 8701
Version: B
Mask Option: 05

EDIT #2: Found dissection instructions.  These will be useful if someone (anyone) who reads this has their hands on one (and the bravery to take it apart) and can get us some hi-res scans :-)
Link here (http://www.ifixit.com/Guide/iPod/iPod-Nano-Remastered/Complete-Disassembly-Page-1-Complete-Disassembly)
Title: Re: Nano 2G
Post by: Potter on September 15, 2006, 04:07:51 AM
Just picked one of these up. How long does anyone it may concern suspect it will be before there's a Rockbox release for it? I don't dare try the current builds, since the "Compatible iPods" list on this site only lists the Nano 1st Edition.
Title: Re: Nano 2G
Post by: scorche on September 15, 2006, 04:35:03 AM
Your post was in the wrong place.  I have merged it with the correct place for this.  Also, please search the forums/read the posting guidelines before posting.  :)

That being said, it appears that the 2nd gen Nano uses a Samsung processor, so Rockbox will require some tweaking to get things working.  It is not worth trying a current Rockbox build on it.

If you wish to push along the port effort, we still need some high-resolution scans of the internals (disassembly instructions are in my previous post).  All that is required is a decent scanner, a shared curiosity of what is inside with us, and the mettle to take apart your new toy (this will not break it provided you are careful).  If you are not willing to do this, and if you have a decent knowledge of C, you may have to wait a while, but you can most likely still help.  If not, you can sit on the sidelines and wait.  ;)
Title: Re: Nano 2G
Post by: linuxstb on September 15, 2006, 05:49:20 AM
That being said, it appears that the 2nd gen Nano uses a Samsung processor, so Rockbox will require some tweaking to get things working.  It is not worth trying a current Rockbox build on it.

It's going to be a little more than "some tweaking" - it's basically a completely new port.

Interestingly, the eetimes article has changed since I read it yesterday.  In the first version of the article, they quoted Wedbush Morgan Securities as speculating that the processor was an "SA5B450X03" - which I assumed should have been the SA58450X03, the same processor that is used in most of the current iriver players.  They've now edited the article to claim it's an S5L8701B05.

Not that it really makes much difference - both seem to lack any publicly available datasheets, but at least the SA58450X03 has a little bit of information available on Samsung's website:

http://www.samsung.com/products/semiconductor/SystemLSI/DigitalMedia/OpticalASSP/OpticalPlayer/MP3/SA58450/SA58450.htm

So the usual rules for new ports are going to apply:

1) Physically disassemble a player and identify as many chips as possible

2) Disassemble the original firmware in order to find information about the hardware and how to control it.

3) Work out the boot process on the player, crack any encryption that may be in use, and find a safe way to run your own code without risk of bricking.

4) Port Rockbox...
Title: Re: Nano 2G
Post by: Llorean on September 15, 2006, 06:11:58 AM
The Apple chip actually has the number "8701" on it, which according to Samsung's site for decoding the "S5L8701B05" style numbers is the "Serial Number or Function" or something like that (my memory is slightly fuzzy, it was quite a few hours ago I looked there) so my bet is that it is actually the S5L8701B05 chip.
Title: Re: Nano 2G
Post by: saratoga on September 15, 2006, 03:20:31 PM
On the upside, the 940 is basically a classic 5-stage RISC processor, so performance should be a lot better running the same code as the PP chips.  It should also clock higher.  Additionally, it seems we now have a hardware MAC instruction too, which should be nice for codecs (at least according to the Samsung link above).
Title: Re: Nano 2G
Post by: linuxstb on September 17, 2006, 07:42:25 PM
I couldn't resist the shiny aluminium case and picked up a 2nd gen Nano today.

On the outside, it appears the same as any other ipod - the usual key combinations all work (MENU+SELECT for reboot, SELECT+PLAY for disk mode, SELECT+LEFT for diagnostics mode), and the disk is organised the same as the previous ipods - a relatively small (100MB) firmware partition, and a FAT32 partition taking up the rest of the disk with the usual iPod_Control folder.

As an aside, the diagnostics mode features a "line-in recording" test - so it seems Apple have included recording functionality in the new Nano.  Although it's not accessible via Apple's firmware...

The firmware partition is very similar to the v1.2 Nano firmware partition - it contains an "osos" image with the main firmware, an "rsrc" image containing the Nike-related files, and an "aupd" update image (this is the image that gets flashed).

For those that don't know the Apple firmware partition layout, details of the previous firmware partitions are in the IPL wiki: http://ipodlinux.org/Firmware

But there are some differences.  Firstly, the images are now prefixed with string "DNAN" instead of "!ATA", and secondly both the main firmware and the aupd image appear to be encrypted.

In the PortalPlayer based ipods, the main firmware was unencrypted (but protected by a simple checksum), and only the aupd image was encrypted.

So the first step towards a port would be to understand this encryption - so we can both unencrypt the Apple firmware image for disassembly and also encrypt our own code in order to run it on the ipod.
Title: Re: Nano 2G
Post by: Bagder on September 18, 2006, 03:10:34 AM
But there are some differences.  Firstly, the images are now prefixed with string "DNAN" instead of "!ATA", and secondly both the main firmware and the aupd image appear to be encrypted.

A guess is that "NAND" instead of "ATA!" could imply that they don't access the flash using ATA.
Title: Re: Nano 2G
Post by: iconoclast on September 18, 2006, 04:02:54 PM
I ordered one of these when they were first announced.  From the announcement, it seemed the changes were mostly the case, the battery, and software,  so I'd hoped the internals would be similar enough to the first gen nano that rockbox would easily run.  Now of course we know that's not the case.  Anyway, mine arrived in the mail today, and if there's anything I can do to help out in the porting, please let me know.  I don't have any current experience at the sort of low-level coding the firmware folks are doing, but if you still need scans of the internals for example, or something similar, just tell me what you need.
Title: Re: Nano 2G
Post by: Bagder on September 18, 2006, 04:51:47 PM
We do need scans, but we probably even more need to start working on figuring out the encryption.
Title: Re: Nano 2G
Post by: linuxstb on September 18, 2006, 06:27:11 PM
Another (better) set of photos of the Nano's internals is here:

http://pc.watch.impress.co.jp/docs/2006/0915/apple.htm
Title: Re: Nano 2G
Post by: iconoclast on September 18, 2006, 11:53:57 PM
Another tiny change...  It seems they aren't using the SysInfo file anymore.  On the Nano 2G, the file iPod_Control/Device/SysInfo exists, but is zero bytes long.
Title: Re: Nano 2G
Post by: dmd on September 19, 2006, 10:34:53 AM
I don't know if it's much worth, but here's some close-ups of the chips:
http://arstechnica.com/reviews/hardware/ipod-2g.ars/4

btw doesn't seem to be very durable player, one drop and the screen died  :o
Title: Re: Nano 2G
Post by: ssx on October 07, 2006, 06:31:19 PM
So the first step towards a port would be to understand this encryption - so we can both unencrypt the Apple firmware image for disassembly and also encrypt our own code in order to run it on the ipod.
is it bootloader who decrypts the code?
someone was able to get it from the new nano?
Title: Re: Nano 2G
Post by: dstan on October 20, 2006, 11:27:03 PM
if it would help apple just released a new firmware and the people at ipw got ipodwizard to detect the new nanos
Title: Re: Nano 2G
Post by: axlgreasetires on October 23, 2006, 08:09:51 PM
I'm somewhat glad Rockbox doesn't work on the 2nd gens yet.  I'm thinking of getting one.  The reason for that is I messed around with experimental 5g programming and stuff.  So now I won't be able to mess up the nano because iPodLinux also doesn't work for it yet.  I'm going to take my 5g to the Apple store to see if I can get it replaced.  Is there any busy work I could do that could somehow help devel?  I will not do hi-res scans or any dissecting of the nano.
Title: Re: Nano 2G
Post by: L on October 24, 2006, 07:32:52 PM
If you take your 5g to be replaced, chances are it will be replaced with a new 5.5g, and that doesn't work with Rockbox either. Well, officially at least.
Title: Re: Nano 2G
Post by: homielowe on October 25, 2006, 12:14:59 AM
Nope, I replaced my 5G after the 5.5G came out and I just got another black 5G.
Title: Re: Nano 2G
Post by: mila61 on October 26, 2006, 02:51:31 PM
The 2G iPod Nano has very different hardware. It may be quite some time before a compatible version is available.

How can we help on getting Rockbox on the 2G Nano? Is there something we can do - besides ripping the iPod apart? ;) P.ex.: I have VERY limited knowledge of C - and if I say "VERY limited", I mean it  :D

We need someone with cryptography experience (or a very good understanding of ARM assembly) to crack the encryption used in the Apple firmware.  Then interested developers could start reverse engineering work by looking at Apple's firmware.  Until someone does this, it's unlikely that any progress will be made.

There's no need for anyone to open up their ipod, that wouldn't tell you much of anything useful at this point.

Ok, I am willing to help. I know symmetric and asymmetric encryption. How am I gonna start?
Title: Re: Nano 2G
Post by: saratoga on October 26, 2006, 11:34:01 PM
I haven't looked at the firmware, but in general I would assume the following:

The Apple firmware (or the Apple bootloader) has a small segment of code that is loaded initially that decrypts the firmware.  The decrypted firmware is then loaded into memory and executed, but never stored on disk or rom.  

So what I would do is disassemble the Apple firmware.  There's probably only a small amount of code, and a lot of "data" (actually encrypted code).  If there's no code, then maybe it's in the bootloader.  Eventually the program will jump into a location that contains data (or nothing at all).  This is where it begins executing the decrypted code.

If Apple is really lazy, they may just store the decryption key in the ROM somewhere, load it, and then iterate over the data section generating the code.  In this case, just reading the assembly, looking for a value that's loaded and then applied to the encrypted data, and then writing down that value will be enough.  If they're evil, well, entire books have been written about making it hard/impossible to decrypt.  In this case, your knowledge of encryption will probably be essential.

This page explains the process as it happens on the Sandisk Sansa players:
http://daniel.haxx.se/sansa/mi4code.html

The Apple firmware may or may not work like that.  Unless I've missed something, no one has posted any real info about how this process works, so I'm just speculating about how it could work.  I may be totally wrong.
Title: Re: Nano 2G
Post by: slowcoder on October 28, 2006, 04:43:52 PM
Here's what we've discovered over at the iPL camp.

Much of this is speculation, but it's based on actual investigations of the Nano 2G.

The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e, the one not on disk)

The image appears to use a 512 bit hash. (Potentially SHA-1)

Since we know _nothing_ about the hardware in the Nano 2G (when it comes to IO ports, etc), we can't really try to inject code into it, as we wouldn't know if it succeeded or not.

The option we're looking at now is to make a hardware attack, and see if we can get some readable code out of it that way.

/James
Title: Re: Nano 2G
Post by: Bagder on October 28, 2006, 05:02:14 PM
Yes, figuring out this hardware is definitely gonna require that the encryption is cracked so that disassembly can start.

If Apple did their job properly, getting the digital signature/hash done right in a generated firmware can become really tricky.

On the mi4 front, we've been lucky since the PP guys apparently left a big wide backdoor open (signature-wise) for people like us.
Title: Re: Nano 2G
Post by: saratoga on October 28, 2006, 09:43:22 PM
Here's what we've discovered over at the iPL camp.

Much of this is speculation, but it's based on actual investigations of the Nano 2G.

The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e, the one not on disk)


Has anyone succeeded in dumping the bootloader ROM?
Title: Re: Nano 2G
Post by: slowcoder on October 29, 2006, 03:16:29 AM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys has experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

/James
Title: Re: Nano 2G
Post by: saratoga on October 31, 2006, 10:48:57 PM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys has experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

Looking at the specs, it's got 16 address and 16 data pins, plus power, RE, etc crammed into a half cm^2.  I think that's going to take someone with access to a dead nano and a BGA capable programmer (or a DIP flash programmer and a really impressive adapter).
Title: Re: Nano 2G
Post by: exca on December 27, 2006, 02:29:21 PM
What if I had a prime...

I know this guy who works with Apple and has a rather high function there.
If you could ask him one thing (apart from the decryption code), what would it be that could help you with the port? :)
I'll ask him.

I want Rockbox on my nano as much as you guys do; I'll help to get through this p.o.s. encrypted code...

I've had a look by myself. I'm not an expert in it, but I've modded files with a hex editor. Same with this?
Title: Re: Nano 2G
Post by: scocarl on December 31, 2006, 10:20:41 AM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys has experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

/James

Is it possible to do it like this guy over at iPL did a dump?
http://ipodlinux.org/stories/piezo/index.html
Title: Re: Nano 2G
Post by: GodEater on December 31, 2006, 02:03:07 PM
Not really.

That hack required being able to run code on the target in a limited fashion already - we don't have that capability at all.
Title: Re: Nano 2G
Post by: smp500 on December 31, 2006, 03:33:40 PM
I noticed on my nano 2g, like my 5.5g ipod, that the logical sectors are 2048 and the physical are still 512, if that matters.
Title: Re: Nano 2G
Post by: tnt23 on January 02, 2007, 11:12:57 AM
Sorry if it may sound silly, but do all those games for iPod out there run on the Nano 2G?
If yes, then probably it is possible to develop a piece of code that'd dump the unencrypted firmware (assuming it is stored somewhere in RAM), and download it just as any other game?
Title: Re: Nano 2G
Post by: rlowens on January 02, 2007, 05:10:58 PM
The Nanos (1G and 2G) don't support the iTunes downloadable games.
Title: Re: Nano 2G
Post by: Tim H. on January 04, 2007, 05:15:48 AM
I'm stupid, I have read the posts of this forum too quickly and read over the small link in scorche's post.

I removed the top and the bottom of my ipod. Then I pulled out the headphone jack, but I had not seen that there is a connector between the flexible printed circuit and the main PCB. Next I removed the screws and pushed the main PCB out. With this action I have destroyed the flexible PCB. Now my iPod is only a huge Flash USB-Disk  :-[ :-[ :'(

For everybody who wants to open his iPod nano 2nd gen:
Read this disassembly procedure, otherwise you will destroy your iPod (http://www.ifixit.com/Guide/iPod/iPod-Nano-Remastered/Complete-Disassembly-Page-1-Complete-Disassembly)
It is important to disconnect the flexible PCB from the main PCB before pushing out the main PCB!!

You will get high resolution scans/photos of the ipod in the near future.

Tim

P.S. I'm sorry for the huge font-size but I don't want anybody to kill another ipod.

Title: Re: Nano 2G
Post by: GodEater on January 04, 2007, 05:44:34 AM
Well done - that enormous fonted link doesn't work.
Title: Re: Nano 2G
Post by: bascule on January 04, 2007, 07:54:55 AM
But this will...

http://www.ifixit.com/Guide/iPod/iPod-Nano-Remastered/Complete-Disassembly-Page-1-Complete-Disassembly
Title: Re: Nano 2G
Post by: tnt23 on January 05, 2007, 10:23:31 AM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys has experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

Looking at the specs, it's got 16 address and 16 data pins, plus power, RE, etc crammed into a half cm^2.  I think that's going to take someone with access to a dead nano and a BGA capable programmer (or a DIP flash programmer and a really impressive adapter).

Could it be that the boot flash and storage flash share the same data and address lines? It then could be much easier to tap these at storage flash pins which luckily isn't BGA.
Title: Re: Nano 2G
Post by: Tim H. on January 06, 2007, 06:52:14 PM
I'm not sure whether anybody still needs them but here are the high resolution scans:

top view (http://www.timhansen.de/ipod/ipod_nano_2gen_top.jpg)
bottom view (http://www.timhansen.de/ipod/ipod_nano_2gen_bottom.jpg)
list of chips (http://www.timhansen.de/ipod/list_of_chips.txt)

Here is the list of chips I could read:
Code:
--------top-------------

1: 337S32918701
N042DQS
0636 ARM

2: SEC 637 GG75
K4M56163PG
AQH373P1

3: SST39WF800A
90-4C-C2QE
0631287-A

4: National Semiconductor
JM66RJ
L34910B

5: APPLE
338S0310
68BTST8

6: Linear Technology  
6H
4066
B8966

7: 1.8432
638

8: KAET8

9: VE

10: 24.000
639

11: TXU

12: KAET8

13: VE

14: VE

15: BG

16: TVP

17: TXU

--------bottom----------
B1: TOSHIBA P11023
JAPAN 0636 KAE
TP0560
TH58NVG5D4CTG20

B2: APPLE
338S0261
P29T6  04
cPG0637Y
01/N2

-----back of display

LS015A7UC01 B
6XG002309

Tim

P.S. There seems to be a bug in the forum-software. If I leave away the "http://" in the link the preview is ok. But in the final post the link goes to "http://forums.rockbox.org/www....."
Title: Re: Nano 2G
Post by: scox on January 09, 2007, 03:26:13 PM
Some friends and I have started working on porting Linux to the iPod Nano 2nd Generation.
For more information you can see our website http://www.linux4nano.org
Title: Re: Nano 2G
Post by: Llorean on January 23, 2007, 03:39:41 PM
Just to reiterate: THIS IS A DEVELOPMENT THREAD.

Posts here must be directly related to the attempt to get Rockbox working on the 2G Nano.
Title: Re: Nano 2G
Post by: keenanpepper on March 15, 2007, 12:03:21 AM
Hi, I just won one of these at a TopCoder programming contest, but it's no use to me because my music library is mostly Ogg Vorbis. I'm thinking of selling it, but I could also donate it if there are developers willing to hack it but lacking hardware. Email me if you think you can convince me to donate it.
Title: Re: Nano 2G
Post by: Der Papst on April 04, 2007, 07:58:43 AM
I don't have a nano, but with a bit of googling I found something interesting (https://mail.gna.org/public/linux4nano-dev/2007-03/msg00023.html):

Edit: BadBlox is the guy who found out how to decrypt the aupd image in the Apple Firmware (Flash_Decryption (http://www.ipodlinux.org/Flash_Decryption)) and he has successfully decrypted 2 iPod games (Tetris and Vortex) with the help of a memdumper (self-)implemented in the Apple Firmware.

Quote from: BadBlox
From: Franco Zavatti
Date: 19-Mar-2007 04:17
Subject: Firmware protection, a way to decrypt!
To: JD

Ok let's do it "Telegraph" style

1-I don't own a Nano! I own a 5G, and all my work is based on the 5G
2-I'm a crypto expert and I like to test real world systems, the Nano
could be interesting for me.
3-I just realized 3 days ago the Nano firmware was protected, so I
decided to help!
4-I think I can help, because I have reversed the protection of the
previous firmware version.
5-The previous firmware version works with a 32-bit key and an RC4 cipher.
The key is in the security block
 which prepends every file. I already sent the details on the iPodLinux forum.
6-I have a dump of the firmware from the firmware partition of the
Nano 2G. It won't be enough for me to decrypt.
We need the actual decrypted version from the flashrom!
7-I need the help of someone who owns a Nano to extract the flashrom,
with a technique I'm about to explain.


But first...

The Security block:

The security block is the random-looking data that prepends every file
on firmware version 3.
There are 2 versions of it. I know all the details of version 1. Version
2 is the Nano 2G version, which is different.

The security block V1 is 512 bytes long. The security block V2 is 2048
bytes long (but with only the first 512 containing actual data).

The security block tells the bootloader if the following file is
encrypted or not, and if it is, it will give you the key!

In the case of V1, the cipher is standard RC4, and the key is only 32
bits long. Short enough for a brute force attack.

I don't know much about the V2 version. That's why we need to work
together to get this thing done.

How did I reverse the security block V1: with an emulator!

I wrote an emulator based on the MESS system (based itself on MAME).

So I traced the code and it took me less than a day to get the
decryption working, but to do that I need the firmware from the
flashrom.

How can we get the firmware from the flash?

If we can run native code on the iPod, we will be able to dump the flashrom.
I have already written a memDumper for the 5G, but in that case I wrote
the data to the HDD. I don't know flash based players.

To write the memdumper we need to know:

Processor type (ARM)
Rom address (probably 0x00000000)
A way to write to the main storage flash (????)


How can we run native code in the iPod Nano?

We need to modify a boot file (AUPD or OSOS) and it will be executed
by the bootloader.

We cannot write code that overrides AUPD or OSOS because the files are
encrypted!

False, I have noticed the file RSCS is not protected, and the security
block V2 (2048 bytes) is all filled with F!

So we replace the security block of OSOS by an all "F" one, telling
the bootloader the file is not protected.

Then we overwrite OSOS with the memDumper code. We recalculate the
checksum in the directory and voila!

I assume a lot of things, and I know this is new hardware, but how
different is it?

Who can write ARM code and knows enough of the already existing iPod hardware
to write the memDumper and store the dump to the flash storage?

So, what do you think? Comments?
Title: Re: Nano 2G
Post by: Mutmatt on May 05, 2008, 07:47:01 AM
Ok so this is my nano 2nd gen.... I've been up all night searching just about every forum I could find and the ... the sgold_bootrom bootneuter thing seems quite interesting and should be looked into... at least in my mind after a sleepless night it should be haha


i included the save file and a picture
(http://www.msprotege.com/members/Mutmatt/untitled.JPG)
http://www.msprotege.com/members/Mutmatt/nanobackup
Title: Re: Nano 2G
Post by: HJRodrigo on May 15, 2008, 05:57:10 PM
Rockbox may get a port yet: a major breakthrough has occurred. tof managed to extract the contents of the SST39WF800A chip and disassembly has started. Just contact THEM (https://mail.gna.org/public/linux4nano-dev/2008-05/threads.html) if you want to get the dump and help with the reverse engineering.
Title: Re: Nano 2G
Post by: Bagder on May 16, 2008, 03:06:51 AM
We're already in touch with them and we cooperate on bringing facts and efforts to this. This thing shares the same/similar CPU with the Meizu M6 effort.

The 1MB flash dump is still mostly encrypted and nobody has yet figured it out.
Title: Re: Nano 2G
Post by: Der Papst on May 16, 2008, 08:14:28 AM
This is an email Emmanuel sent me.
Hi,

Der Papst wrote:
> Thanks for sending me the dump :-)

You're welcome! :)

> We had a first look at it and i have to admit i don't know anything
> about arm asm. However 0x0 seems to jump to 0x8000. There i'm able to
> disassemble 15 more instructions.
>
> ROM:00008000                 STRMI   R7, [R9],#0x3DD
> ROM:00008004                 ANDLS   R6, PC, R3,LSL#8
> ROM:00008008                 BLLE    0xFFFFFFFFFE3BE444
> ROM:0000800C                 STCMI   p5, c0, [R7],#0x3A0!
> ROM:00008010                 LDRVCHT R7, [R9],#-0x68
> ROM:00008014                 LDMLTIB R11!, {R1,R5-R9,R11-PC}
> ROM:00008018                 SBCNE   R10, R4, #0xED00000
> ROM:0000801C                 STMCSIB R3!, {R0,R1,R6,R7,R9,SP,PC}
> ROM:00008020                 STRVCB  R7, [PC],#0xAD1
> ROM:00008024                 STRLTT  R5, [SP],#-0x4D8
> ROM:00008028                 STCPLL  p5, c0, [R10],#0x3C0
> ROM:0000802C                 TST     R3, R12,ROR#6
> ROM:00008030                 RSBLTS  R1, R8, #0xD9000000
> ROM:00008034                 SWIEQ   0x2E0C30
> ROM:00008038                 EOR     R0, R7, R10,LSL R12
>
> Then disassembling stops because the next instructions seem invalid.

Yes. We do have the same.

> Now i do some quoting...
>
> What does this first code do? It jumps to encrypted stuff.

As a matter of fact, we think approximately the same. We are now
hitting the last level of protection, which is probably hidden inside
the processor. Hopefully here, encryption is just performed through a
last XOR applied by the processor (hopefully).

What made us guess that it was the right representation of the binaries
was the preamble and the end of the binary file, which were both
perfectly meaningful in ARM asm.

Nevertheless, it seems that large areas of the binary have been encrypted
(see: http://www.labri.fr/~fleury/download/ipodnano/bootloader_swap16_swap32.png).

Actually, understanding what is going on in this file is our main
concern now. :)

> It's probably some sort of failsafe or god knows what. Whatever it jumps
> to looks like one of the classic examples of 'invalid code'. Sure, it
> converts to instructions but they don't make sense. How to see that
> it's invalid? Well, lots of conditional code without any code
> actually checking for a condition. And there is more. About 6 or 7
> to-self jumps right after the first one. The disassembler doesn't
> find them because no code references them. That's about it.

Yes, we had the exact same reasoning. Which makes us think of an
encryption (or a compression) algorithm.

> So we think (more guess) that this code is decrypted by the CPU since
> it has about 50kb embedded boot rom.

By any chance, did you ever break or analyze such a scheme where the
processor itself was involved in decrypting the BIOS or similar data?
This kind of thing is highly related to embedded systems and I have to
admit I am quite inexperienced on this side.

> I hope you find out some more (and of course more encouraging) stuff.

At least, you had the exact same conclusion as we did. This is more or
less strengthening our hypothesis.

Regards
--
Emmanuel


That being said, please don't contact them for the dump. It's of no use for you anyway unless you're a god at cryptography. Emmanuel told me he's harassed by people now and I don't want him to get mad at us.

Additional information can be found here: http://ipodlinux.org/Nano2G (iPL Server currently down. We're working on recovering it.)
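A small analysis helper, added here as an example and not code from the thread or from any of the projects it mentions: it applies BadBlox's description of the security block (an all-0xFF V2 block meaning "not protected") and the "does this region look like code or like ciphertext" reasoning from Emmanuel's email to a constructed image. The window size, entropy thresholds, and the layout of the sample image are assumptions; a real dump would be read from a file instead.

```python
import math
import random
import struct
from collections import Counter

# Security block lengths as described in BadBlox's message.
SECBLOCK_V1_LEN = 512
SECBLOCK_V2_LEN = 2048


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_window(data: bytes, high: float = 7.0, low: float = 5.0) -> str:
    """Label one window: 'all-ff', 'high-entropy' (ciphertext-like), 'low-entropy' (code/data-like) or 'mixed'.
    The thresholds are assumptions chosen for 512-byte windows."""
    if data and all(b == 0xFF for b in data):
        return "all-ff"
    e = shannon_entropy(data)
    if e >= high:
        return "high-entropy"
    if e <= low:
        return "low-entropy"
    return "mixed"


def is_unprotected_secblock(image: bytes, length: int = SECBLOCK_V2_LEN) -> bool:
    """True when the leading security block is entirely 0xFF, the 'not protected' marker
    BadBlox reports for the RSCS image."""
    return len(image) >= length and all(b == 0xFF for b in image[:length])


def scan_regions(image: bytes, window: int = 512) -> list:
    """Walk the image in fixed windows and coalesce neighbours with the same label
    into (offset, length, label) regions, so encrypted areas stand out."""
    regions = []
    for off in range(0, len(image), window):
        chunk = image[off:off + window]
        label = classify_window(chunk)
        if regions and regions[-1][2] == label:
            start, length, _ = regions[-1]
            regions[-1] = (start, length + len(chunk), label)
        else:
            regions.append((off, len(chunk), label))
    return regions


def build_sample_image() -> bytes:
    """Constructed sample, not a real dump: an all-0xFF V2 security block, then 4 KiB of
    repetitive ARM-style words (MOV r0, #imm with a small immediate), then 4 KiB of
    pseudo-random bytes standing in for an encrypted region."""
    rng = random.Random(8701)  # fixed seed so the sample is reproducible
    secblock = b"\xff" * SECBLOCK_V2_LEN
    code = b"".join(struct.pack("<I", 0xE3A00000 | (i % 16)) for i in range(1024))
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    return secblock + code + encrypted


if __name__ == "__main__":
    img = build_sample_image()
    print("security block unprotected:", is_unprotected_secblock(img))
    for off, length, label in scan_regions(img):
        print(f"0x{off:06x}  {length:6d} bytes  {label}")
```

On the sample this reports one all-ff region, one low-entropy region and one high-entropy region; on a real dump the high-entropy regions are the ones worth comparing against the swap16/swap32 plot Emmanuel mentions.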
Title: Re: Nano 2G
Post by: markun on September 03, 2008, 07:23:34 AM
We now have a tool which lets us run code directly from RAM through the DFU mode of the Meizu players (which have the same Samsung CPU as the Nano 2g and Shuffle 2g).

I've seen some posts online about Nanos and Shuffles being stuck in DFU mode. Does anyone know how to trigger this mode? The Meizus have a special key combo, but perhaps it only works with a broken firmware on the Apples.

If we can get our code running we could try to dump the internal firmware by flashing the backlight for example :)
Title: Re: Nano 2G
Post by: tucoz on September 03, 2008, 09:06:57 AM
Maybe the tools found on this page will help. They say they can be used to communicate with ipods, which looks promising.
http://www.jungo.com/st/usb_ipod_driver.html
http://www.jungo.com/st/usb_dfu_driver_firmware_upgrade.html

Title: Re: Nano 2G
Post by: saratoga on September 03, 2008, 10:10:08 AM
We now have a tool which lets us run code directly from RAM through the DFU mode of the Meizu players (which have the same Samsung CPU as the Nano 2g and Shuffle 2g).

I've seen some posts online about Nanos and Shuffles being stuck in DFU mode. Does anyone know how to trigger this mode? The Meizus have a special key combo, but perhaps it only works with a broken firmware on the Apples.

If we can get our code running we could try to dump the internal firmware by flashing the backlight for example :)

Shorting out some of the data pins or the chip enable pin on the NAND would be a good bet.
Title: Re: Nano 2G
Post by: LambdaCalculus on September 03, 2008, 07:43:33 PM
I've taken the liberty of whipping up a very preliminary wiki page for the 2nd gen nano:

http://www.rockbox.org/twiki/bin/view/Main/IpodNano2GPort

Any good, useful information anyone has can go up there now.

(EDIT) I found DFU Mode on the 2nd gen nano. Basically I reset the iPod while it was attached to the PC, then hit BACK+PLAY. This brought up an image of the dock connector with the Apple support URL printed underneath.

Do be warned, however, that you have to destroy the firmware partition first!

lsusb -v in Linux shows this:

Code:
Bus 003 Device 025: ID 05ac:1240 Apple Computer, Inc.
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x05ac Apple Computer, Inc.
  idProduct          0x1240
  bcdDevice            0.01
  iManufacturer           1 Apple Computer, Inc.
  iProduct                2 iPod Recovery
  iSerial                 3 87010000000001
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           27
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
      iInterface              0
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)

Looks like we're starting to get somewhere now. ;)
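As an added example (not code from the thread or from Rockbox), here is a small Python helper that parses `lsusb -v` output and flags devices exposing a DFU-class interface, the way the dump above identifies the Nano in recovery mode; the sample text is the relevant lines of that dump, and the class/subclass/protocol codes are the USB-IF DFU class definitions.

```python
import re

# Constructed sample: the relevant lines of the `lsusb -v` dump quoted above.
SAMPLE_LSUSB = """\
Bus 003 Device 025: ID 05ac:1240 Apple Computer, Inc.
Device Descriptor:
  idVendor           0x05ac Apple Computer, Inc.
  idProduct          0x1240
  iProduct                2 iPod Recovery
  Configuration Descriptor:
    Interface Descriptor:
      bInterfaceClass       254 Application Specific Interface
      bInterfaceSubClass      1 Device Firmware Update
      bInterfaceProtocol      2
"""

# USB-IF DFU class: bInterfaceClass 0xFE (254), bInterfaceSubClass 0x01.
# bInterfaceProtocol 1 = run-time (normal firmware advertising DFU capability),
# bInterfaceProtocol 2 = the device is actually sitting in DFU mode.
DFU_CLASS, DFU_SUBCLASS = 254, 1
DFU_PROTOCOLS = {1: "run-time", 2: "DFU mode"}

def parse_devices(text):
    """Split lsusb -v text into devices with ids, product string and interface triples."""
    devices = []
    for block in re.split(r"(?m)^(?=Bus \d+ Device \d+:)", text):
        head = re.match(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})", block)
        if not head:
            continue
        dev = {"bus": int(head.group(1)), "addr": int(head.group(2)),
               "vid": int(head.group(3), 16), "pid": int(head.group(4), 16),
               "product": None, "interfaces": []}
        m = re.search(r"iProduct\s+\d+\s+(.*)", block)
        if m:
            dev["product"] = m.group(1).strip()
        # Interface descriptors repeat; pair each class with the subclass and protocol lines that follow it.
        for cls, sub, proto in re.findall(
                r"bInterfaceClass\s+(\d+).*?\n\s*bInterfaceSubClass\s+(\d+).*?\n\s*bInterfaceProtocol\s+(\d+)",
                block):
            dev["interfaces"].append((int(cls), int(sub), int(proto)))
        devices.append(dev)
    return devices

def find_dfu_devices(text):
    """Return the devices that expose at least one DFU-class interface."""
    return [d for d in parse_devices(text)
            if any(c == DFU_CLASS and s == DFU_SUBCLASS for c, s, _ in d["interfaces"])]

def dfu_state(device):
    """Name the DFU protocol state of a device returned by find_dfu_devices()."""
    protos = [p for c, s, p in device["interfaces"] if c == DFU_CLASS and s == DFU_SUBCLASS]
    return DFU_PROTOCOLS.get(protos[0], "unknown") if protos else "none"
```

Feed it the full output of `lsusb -v` and it will list every DFU-capable device, distinguishing one merely advertising run-time DFU from one that is actually in DFU mode, as the Nano above is.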
Title: Re: Nano 2G
Post by: Donny on December 09, 2008, 08:31:29 PM
I have a 2nd gen iPod Nano 8GB, and I was wondering if there is any way that I can do tests like these.
Title: Re: Nano 2G
Post by: GodEater on December 10, 2008, 02:31:08 AM
Sure, there's no-one stopping you.
Title: Re: Nano 2G
Post by: Donny on December 16, 2008, 03:48:45 PM
I meant to ask if somebody could help me figure out how; I have no idea how to even attempt this.
Title: Re: Nano 2G
Post by: NicolasP on December 16, 2008, 07:34:52 PM
I'm afraid this is a situation where no one can hold your hand and guide you through the process. If you want to help, you'll have to educate yourself to be able to achieve it. You can learn an awful lot, but getting up to speed requires great motivation, patience and plenty of time. This is especially true in the case of the Nano 2G, because of the encryption.
Basically, if it were simple enough that someone could tell you what to do to get things going, they would already have done it.
Title: Re: Nano 2G
Post by: sinless on December 29, 2008, 02:56:44 AM
I have two Nano 2Gs, a 4GB red and a 2GB silver. Last week the 4GB one was broken... Then I removed its flash to the 2GB one, and it works well now..... Also, I dumped all the chips from the broken one (using hot air). Can it help port Rockbox onto the Nano 2G?
Title: Re: Nano 2G
Post by: saratoga on December 29, 2008, 02:57:46 AM
What chips did you dump?  And how did you do it?
Title: Re: Nano 2G
Post by: sinless on December 29, 2008, 03:01:01 AM
CPU, RAM... all the chips. But I don't know how to do next.. (see this http://home.gna.org/linux4nano/dumping_SST39WF800A.html)
I dumped them successfully, but can't do any more.
Title: Re: Nano 2G
Post by: saratoga on December 29, 2008, 03:05:23 AM
You mean you removed them from the PCB?
Title: Re: Nano 2G
Post by: sinless on December 31, 2008, 03:24:19 AM
Yes, I removed all the chips from the PCB.
Title: Re: Nano 2G
Post by: boxerorange on January 14, 2009, 03:33:13 PM
Hi. I recently took apart a 2nd Gen Nano and have high resolution photos of it.

I am hoping to help contribute to the scene.
Title: Re: Nano 2G
Post by: LambdaCalculus on January 14, 2009, 03:50:26 PM
Those photos should go to the wiki, then.
Title: Re: Nano 2G
Post by: sinless on January 15, 2009, 10:01:34 AM
Hi,
I removed all chips from a broken Nano 2G, and took photos.. how can I send them to the Rockbox wiki?
Title: Re: Nano 2G
Post by: Febs on January 15, 2009, 10:30:25 AM
http://www.rockbox.org/twiki/bin/view/TWiki/TWikiRegistration
Title: Re: Nano 2G
Post by: sinless on January 18, 2009, 09:42:16 PM
I have got a TWiki ID, but when I edit the Nano 2G page, it changed to a blank page...
Title: Re: Nano 2G
Post by: Chronon on January 19, 2009, 01:24:59 AM
Did you also receive write permission as described on that page?
Title: Re: Nano 2G
Post by: sinless on February 02, 2009, 10:30:00 PM
Hmm.. how can I receive write permission as described on that page?
Title: Re: Nano 2G
Post by: saratoga on February 02, 2009, 10:32:01 PM
Hmm.. how can I receive write permission as described on that page?

Which of the two steps is confusing you?
Title: Re: Nano 2G
Post by: Spoonman on March 16, 2009, 02:59:40 PM
I guess it was:

2. Important: Join the #rockbox IRC channel, introduce yourself and ask for Wiki write permissions. You will not be able to edit any Wiki pages until you do this.

I know it is a pain in the a... to repeat always the same answers in forums, but it can't be that hard to judge from importance if it pays to give a proper answer. Sometimes I do not understand people in this and also some other mainly open source related boards. I mean this guy has maybe useful hardware pics that we do not have and just wants a possibility to give them to us, and instead of giving him the right hint, no matter if it is described clearly somewhere else, the only thing he gets is a somehow offensive question in reply. So we still have no pics on the wiki....

Sorry, got a little off-topic ;-)
Title: Re: Nano 2G
Post by: Febs on March 16, 2009, 08:28:06 PM
so we still have no pics on the wiki....

Then don't you think it would have been more productive for you to actually give him the answer than to complain about the other responses?
Title: Re: Nano 2G
Post by: Spoonman on March 17, 2009, 08:38:29 AM
Actually I am not a dev or moderator, so I am not the one to help him there; I have even never been on IRC, so I don't know how to help him...
Title: Re: Nano 2G
Post by: Chronon on March 17, 2009, 02:26:29 PM
Anyone with write privilege on the wiki can grant write privilege to others (moderator, dev, etc. status on the forums doesn't have any relevance).  The point is that you have to tell someone who has write privilege your WikiName so they can add you.  IRC is simply the fastest way to do this.
Title: Re: Nano 2G
Post by: Ste- on June 15, 2009, 04:02:09 PM
Not sure how relevant this is but JTAG has been found.
Read on the list below.
https://mail.gna.org/public/linux4nano-dev/2009-06/index.html
Title: Re: Nano 2G
Post by: LambdaCalculus on June 19, 2009, 01:37:14 PM
Excellent, now to follow along with what they find. :)
Title: Re: Nano 2G
Post by: Paullo on July 01, 2009, 01:15:57 PM
They dumped the bootrom.
https://mail.gna.org/public/linux4nano-dev/2009-07/msg00003.html
Title: Re: Nano 2G
Post by: GodEater on July 02, 2009, 11:42:38 AM
A number of Rockbox developers have now got their hands on this dump, and it's been disassembled. They're now going through the rather laborious process of reverse engineering to understand what it does, and whether this helps with decrypting the firmware.
Title: Re: Nano 2G
Post by: linuxstb on July 16, 2009, 10:00:08 AM
Finally, some significant progress to report!

The linux4nano-dev people have managed to exploit a buffer overflow in the Apple firmware's handling of notes files, meaning we now have a way to run code on the Nano2G.

Notes files are limited to 4KB, and the exploit allows us to put about 3.5KB of code into a notes file and then run it.  Code to do this is in utils/ipod/bin2note/ in Rockbox SVN.

TheSeven has been working on a debugging tool he's called "iBugger".  The first part of this is a loader for it, called iBuggerLoader.  This consists of a notes file (loader.htm) containing code that communicates with a host PC over USB.

This loader allows a developer (amongst other things) to upload files to the Nano2G's RAM and execute them.

The current version of this (including a PC-side program written in python) can be found here:

http://linuxstb.cream.org/nano2g/iBuggerLoader-0.1d.tar.gz

TheSeven (I think - it may have been someone else in #linux4nano-dev) has also managed to decrypt and dump the contents of the NOR flash - giving us the diagnostics mode code to reverse-engineer in order to start writing drivers.

I've added a Nano 2G target to the Rockbox build system, and committed the start of an LCD driver.  It appears the Nano 2Gs can have one of two LCD types, and the code in SVN has successfully displayed the Rockbox logo on one type of LCD:

http://img232.imageshack.us/img232/6335/img9088.jpg

My Nano 2G contains the other type of LCD, and I have almost got this working (but the code isn't in SVN yet).  TheSeven has worked out how to detect the lcd type at run-time, so we should hopefully soon have a functional LCD driver for both Nano LCD types in SVN.

Hopefully this notes exploit won't be the final way to install Rockbox (or other third-party code) on the Nano2G, as it involves starting the Apple firmware first, and also makes the Apple firmware unusable.  But it's a good start.

Finally, an important note for anyone wishing to run Rockbox in the future - DO NOT UPDATE YOUR APPLE FIRMWARE BEYOND 1.1.3.  Even though Apple haven't released firmware updates for the Nano 2G for a while, there is always the possibility that they will in the future, and that they decide they want to close this exploit.

If you want to run the Rockbox bootloader code on your Nano, then you will need to download the Rockbox SVN, select "Nano 2G" from tools/configure, and then "B" for bootloader builds.  Running "make" will then give you a bootloader.bin file.

You now need to copy the loader.htm file from iBuggerLoader-0.1d.tar.gz to the Notes folder on your ipod, and then reboot.  Your ipod should now freeze on the main menu.

Now you need to run the following commands (control.py is in iBuggerLoader - it requires the python-usb package):

Code:
control.py upload 0x22000000 bootloader.bin
control.py execute 0x22000000

With current SVN, you may or may not see a logo on the screen, depending on the lcd type in your nano.
Title: Re: Nano 2G
Post by: angelwolf71885 on August 28, 2009, 11:57:31 PM
Has anyone tested the method in the post above mine on a Nano 3G?
Title: Re: Nano 2G
Post by: GodEater on September 01, 2009, 03:56:43 AM
Yes - it doesn't work yet.
Title: Re: Nano 2G
Post by: BdN3504 on September 01, 2009, 02:28:11 PM
HAHAHA!
They are using Lego Mindstorms robots to press the buttons in order to reboot the devices repeatedly... :D :D :D
http://hackaday.com/2009/08/30/lego-ipod-hacking-robot/
Title: Re: Nano 2G
Post by: Lhn on September 09, 2009, 03:25:37 AM
Okay, as far as I'm seeing, huge progress again. linux4nano has a working dual-booting bootloader for the 2G.
Title: Re: Nano 2G
Post by: linuxstb on October 13, 2009, 07:32:16 AM
As the Nano2G port has moved up the front page to "Unstable" (i.e. it works, but not as well as other devices), and the latest ipodpatcher release now supports it, I'm locking this thread.

As always, for details on the Nano2G port, see http://www.rockbox.org/wiki/IPodNano2GPort
Title: Re: Nano 2G
Post by: mcco2242 on December 17, 2009, 03:55:12 PM
I don't know if this info is useful whatsoever about anything, but I found these things on my iPod Nano 2G by pressing left arrow + enter while booting:

FLASH checksum: 0x7746
Nand_spec
Nand LBA = 1982464

There was much more information there; I hope that it can be useful :P
(Sorry for my poor English)