Rockbox Development > New Ports

Nano 2G


Der Papst:
I don't have a nano but with a bit of googling I found something interesting (

Mutmatt:
Ok so this is my nano 2nd gen.... I've been up all night searching just about every forum I could find and the ... the sgold_bootrom bootneuter thing seems quite interesting and should be looked into... at least in my mind after a sleepless night it should be haha


I included the save file and a picture

http://www.msprotege.com/members/Mutmatt/nanobackup

HJRodrigo:
Rockbox may get a port yet, a major breakthrough has occurred: tof managed to extract the contents of the SST39WF800A chip and disassembling has started. Just contact THEM if you want to get the dump and help with the reverse engineering.

Bagder:
We're already in touch with them and we cooperate on bringing facts and efforts to this. This thing shares the same/similar CPU with the Meizu M6 effort.

The 1MB flash dump is still mostly encrypted and nobody has yet figured it out.

Der Papst:
This is an email Emmanuel sent me.
Hi,

Der Papst wrote:
> Thanks for sending me the dump :-)

You're welcome! :)

> We had a first look at it and I have to admit I don't know anything
> about ARM asm. However 0x0 seems to jump to 0x8000. There I'm able to
> disassemble 15 more instructions.
>
> ROM:00008000                 STRMI   R7, [R9],#0x3DD
> ROM:00008004                 ANDLS   R6, PC, R3,LSL#8
> ROM:00008008                 BLLE    0xFFFFFFFFFE3BE444
> ROM:0000800C                 STCMI   p5, c0, [R7],#0x3A0!
> ROM:00008010                 LDRVCHT R7, [R9],#-0x68
> ROM:00008014                 LDMLTIB R11!, {R1,R5-R9,R11-PC}
> ROM:00008018                 SBCNE   R10, R4, #0xED00000
> ROM:0000801C                 STMCSIB R3!, {R0,R1,R6,R7,R9,SP,PC}
> ROM:00008020                 STRVCB  R7, [PC],#0xAD1
> ROM:00008024                 STRLTT  R5, [SP],#-0x4D8
> ROM:00008028                 STCPLL  p5, c0, [R10],#0x3C0
> ROM:0000802C                 TST     R3, R12,ROR#6
> ROM:00008030                 RSBLTS  R1, R8, #0xD9000000
> ROM:00008034                 SWIEQ   0x2E0C30
> ROM:00008038                 EOR     R0, R7, R10,LSL R12
>
> Then disassembling stops because the next instructions seem invalid.

Yes. We do have the same.

> Now I do some quoting...
>
> What does this first code do? It jumps to encrypted stuff.

As a matter of fact, we think approximately the same. We are now
hitting the last level of protection, which is probably hidden inside
the processor. Hopefully here, encryption is just performed through a
last XOR applied by the processor (hopefully).

What makes us guess that it was the right representation of the binaries
was the preamble and the end of the binary file, which were both
perfectly meaningful in ARM asm.

Nevertheless, it seems that large areas of the binary have been encrypted
(see: http://www.labri.fr/~fleury/download/ipodnano/bootloader_swap16_swap32.png).

Actually, understanding what is going on in this file is our main
concern now. :)

> It's probably some sort of failsafe or god knows what. Whatever it jumps
> to looks like one of the classic examples of 'invalid code'. Sure, it
> converts to instructions but they don't make sense. How to see that
> it's invalid? Well, lots of conditional code without any code
> actually checking for a condition. And there is more. About 6 or 7
> to-self jumps right after the first one. The disassembler doesn't
> find them because no code references them. That's about it.

Yes, we had the exact same reasoning, which makes us think of an
encryption (or a compression) algorithm.

> So we think (more of a guess) that this code is decrypted by the CPU since
> it has about 50kb embedded boot rom.

By any chance, did you ever break or analyze such a scheme where the
processor itself was involved in decrypting the BIOS or similar data?
These kinds of things are highly related to embedded systems and I have to
admit I am quite inexperienced on this side.

> I hope you find out some more (and of course more encouraging) stuff.

At least, you had the exact same conclusion as we did. This is more or
less strengthening our hypothesis.

Regards
--
Emmanuel

That being said please don't contact them for the dump. It's not of use for you anyway unless you're a god at cryptography. Emmanuel told me he's harassed by people now and I don't want him to get mad at us.

Additional information can be found here: http://ipodlinux.org/Nano2G (iPL Server currently down. We're working on recovering it.)
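The "invalid code" reasoning in the email above (a run of conditional instructions with nothing setting the flags, and branch-to-self words) can be turned into a quick statistical scan over a raw dump to map which regions decode as plausible ARM code and which look encrypted. The script below is an added example and is not code from this thread, from Rockbox or from the iPodLinux effort; it assumes 32-bit little-endian ARM words, and both word samples in it are constructed for illustration rather than taken from the Nano 2G dump.

```python
"""Heuristics for telling ARM machine code from encrypted or otherwise
meaningless data in a raw firmware dump.

Added example, not code from the thread, the Rockbox project or the
iPodLinux effort. Assumes 32-bit little-endian ARM words; the word
samples below are constructed for illustration.
"""
import math
import struct
from typing import Dict, List, Tuple

COND_AL = 0xE   # "always": the condition field (bits 31-28) of most real instructions
COND_NV = 0xF   # unconditional extension space on ARMv5+; rare in ordinary code

# Constructed sample 1: a small hand-written loop, the way real code looks.
CODE_SAMPLE = struct.pack("<8I",
    0xE3A00000,  # MOV   R0, #0
    0xE1A01000,  # MOV   R1, R0
    0xE2800001,  # ADD   R0, R0, #1
    0xE3500005,  # CMP   R0, #5
    0x1AFFFFFC,  # BNE   back to the ADD  (the only conditional instruction)
    0xEAFFFFFE,  # B     .                 (branch-to-self: a deliberate halt)
    0xE12FFF1E,  # BX    LR
    0xE1A0F00E,  # MOV   PC, LR
)

# Constructed sample 2: words whose condition nibbles are spread out the way the
# quoted STRMI / ANDLS / BLLE ... listing's are, i.e. what encrypted or random
# data decodes to. The values themselves are made up.
GARBAGE_SAMPLE = struct.pack("<16I",
    0x48A97DD3, 0x91C63028, 0xDB7EB444, 0x4DC703A0,
    0x7A95F468, 0xB8FB5FBB, 0x10A4A3ED, 0x28A3B2C3,
    0x75CF2AD1, 0xB5AD54D8, 0x5DCA33C0, 0x2ED4D2D1,
    0xB4000361, 0x0F2E0C30, 0xE0170A1C, 0x318AC19F,
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def to_words(data: bytes, endian: str = "<") -> List[int]:
    """Split a byte string into 32-bit words, dropping any trailing partial word."""
    n = len(data) // 4
    return list(struct.unpack(f"{endian}{n}I", data[: n * 4]))


def cond_field(word: int) -> int:
    return (word >> 28) & 0xF


def is_branch_to_self(word: int) -> bool:
    # B/BL encoding: bits 27-25 = 101, bit 24 = link, 24-bit signed word offset.
    # PC reads as address+8, so "B ." has offset -2 = 0xFFFFFE under any condition.
    return (word & 0x0FFFFFFF) == 0x0AFFFFFE


def analyze(data: bytes, endian: str = "<") -> Dict[str, float]:
    words = to_words(data, endian)
    if not words:
        raise ValueError("need at least one 32-bit word")
    conditional = sum(1 for w in words if cond_field(w) not in (COND_AL, COND_NV))
    return {
        "words": len(words),
        "conditional_fraction": conditional / len(words),
        "self_branches": sum(1 for w in words if is_branch_to_self(w)),
        "entropy_bits_per_byte": shannon_entropy(data),
    }


def looks_like_garbage(stats: Dict[str, float], threshold: float = 0.5) -> bool:
    """Real ARM code is mostly cond=AL; in random words about 14 of every 16 decode as conditional."""
    return stats["conditional_fraction"] > threshold


def scan(data: bytes, window_words: int = 8, endian: str = "<") -> List[Tuple[int, Dict[str, float]]]:
    """Return (offset, stats) for every fixed-size window flagged as garbage."""
    flagged = []
    step = window_words * 4
    for off in range(0, len(data) - step + 1, step):
        stats = analyze(data[off: off + step], endian)
        if looks_like_garbage(stats):
            flagged.append((off, stats))
    return flagged


if __name__ == "__main__":
    image = CODE_SAMPLE + GARBAGE_SAMPLE
    for off, st in scan(image):
        print(f"0x{off:04x}: {st['conditional_fraction']:.2f} conditional, "
              f"entropy {st['entropy_bits_per_byte']:.2f} bits/byte")
```

On a real 1MB image you would call scan() with a larger window (256 words or more) so that the entropy figure becomes meaningful alongside the condition-field ratio; on the tiny constructed samples only the ratio is informative. The branch-to-self count is reported separately because a single "B ." is a normal halt in real boot code, while a cluster of them right after the entry point is the pattern the email treats as a sign of non-code.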
