daniel:// stenberg://Dec 7, 2023

How the first gen ipod was reverse engineered to run #Rockbox:

1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!

2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.

(continues...)

Show threaddaniel:// stenberg://Dec 7, 2023

3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote a ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.

4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.

(..)

Show threaddaniel:// stenberg://Dec 7, 2023

5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.

6. Using this method, the USB controller memory mapped registers were found and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.

(...)

Show threaddaniel:// stenberg://

7. The initial bootloader to load Rockbox was then just such a crafted HTML file that would load the correct firmware, and since it still worked after reboots it was a pretty neat hack.

8. Eventually the encryption key for the bootloader was found in the SRAM of the running device, and we could encrypt and create custom "real" bootloaders for the devices.

9. Rockbox would then boot and run natively on ipods.

The rest is history.

Dec 7, 2023 at 9:10amWeb
Show threadSamuelDec 7, 2023
@bagder Awesome story!
Show threadWolf480plDec 7, 2023
@bagder I think the html method is cooler, because if you screw up you can just delete the html file if something goes wrong
Show threadsrslypascalDec 7, 2023
@bagder This story sounds almost like curl started as a bootloader for Rockbox :D
Show threadŋozze Dec 7, 2023
@bagder I love hackers!
Show threaddaveDec 7, 2023
@bagder best hacking story I've heard in awhile! I never had an ipod, but I used rockbox on my cheap sandisk sansa for many years. so much better than the stock firmware. thanks, rockbox.
Show threadDavid BuchananDec 7, 2023
@bagder Was is definitely the first-gen that required this hack? I was under the impression that the first few generations (all those with portalplayer SoCs) had completely unencrypted bootloaders. I think the nano 2nd gen was the first one to put up a fight https://www.rockbox.org/wiki/IPodNano2GPort.html
IPodNano2GPort < Main < Wiki

IPodNano2GPort

Show thread760ceb3b9c0ba4872cadf3ce35a7a4Dec 7, 2023
@retr0id @bagder the lego stuff and the html reminds me think theyre talking about the notes hack
Show threadAaron Sawdey, Ph.D.Dec 8, 2023
@retr0id @bagder Also the first gen iPods had FireWire not USB
Show threaddaniel:// stenberg://Dec 8, 2023
@acsawdey @retr0id it was a long time ago, but I think I was thinking of the nano models
Show threadMrCDec 8, 2023

@bagder
It's funny how many devices have been jailbroken by HTML/Javascript.

I hadn't heard the whole story for the iPod that's really cool.

Show threadCyberPunkerDec 8, 2023

@bagder nice story!

Still using a Sansa Clip (+ i think) with Rockbox when i am out for a walk or have to use public transport, love it!

Show threadalfDec 8, 2023
@bagder
Awesome, thanks for sharing! I still have my sandisk player running RockBox. I used it back in the day as a backup music player when performing electronic music live sets, because it would play 24bit flac! Saved my ass more than once when my pc would crash in the middle of a set! :D
Show threadcoldclimateDec 8, 2023
@bagder wild
Show threadspvDec 10, 2023
@bagder i remember hearing about a hack using the piezo speaker to beep the contents