Finally, some significant progress to report!
The linux4nano-dev people have managed to exploit a buffer overflow in the Apple firmware's handling of notes files, meaning we now have a way to run code on the Nano2G.
Notes files are limited to 4KB, and the exploit allows us to put about 3.5KB of code into a notes file and then run it. Code to do this is in utils/ipod/bin2note/ in Rockbox SVN.
TheSeven has been working on a debugging tool he's called "iBugger". The first part of this is a loader for it, called iBuggerLoader. This consists of a notes file (loader.htm) containing code that communicates with a host PC over USB.
This loader allows a developer (amongst other things) to upload files to the Nano2G's RAM and execute them.
The current version of this (including a PC-side program written in Python) can be found here: http://linuxstb.cream.org/nano2g/iBuggerLoader-0.1d.tar.gz
TheSeven (I think - it may have been someone else in #linux4nano-dev) has also managed to decrypt and dump the contents of the NOR flash - giving us the diagnostics mode code to reverse-engineer in order to start writing drivers.
I've added a Nano 2G target to the Rockbox build system, and committed the start of an LCD driver. It appears the Nano 2Gs can have one of two LCD types, and the code in SVN has successfully displayed the Rockbox logo on one type of LCD: http://img232.imageshack.us/img232/6335/img9088.jpg
My Nano 2G contains the other type of LCD, and I have almost got this working (but the code isn't in SVN yet). TheSeven has worked out how to detect the LCD type at run-time, so we should hopefully soon have a functional LCD driver for both Nano LCD types in SVN.
Hopefully this notes exploit won't be the final way to install Rockbox (or other third-party code) on the Nano2G, as it involves starting the Apple firmware first, and also makes the Apple firmware unusable. But it's a good start.
Finally, an important note for anyone wishing to run Rockbox in the future - DO NOT UPDATE YOUR APPLE FIRMWARE BEYOND 1.1.3. Even though Apple haven't released firmware updates for the Nano 2G for a while, there is always the possibility that they will in the future, and that they decide they want to close this exploit.
If you want to run the Rockbox bootloader code on your Nano, then you will need to download the Rockbox SVN, select "Nano 2G" from tools/configure, and then "B" for bootloader builds. Running "make" will then give you a bootloader.bin file.
You now need to copy the loader.htm file from iBuggerLoader-0.1d.tar.gz to the Notes folder on your iPod, and then reboot. Your iPod should now freeze on the main menu.
Now you need to run the following commands (control.py is in iBuggerLoader - it requires the python-usb package):
control.py upload 0x22000000 bootloader.bin
control.py execute 0x22000000
With current SVN, you may or may not see a logo on the screen, depending on the LCD type in your Nano.