How the first-generation iPod was reverse engineered to run #Rockbox:

1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!

2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file, it would stick in this cycle.

(continues...)

3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote an ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.

4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.

(..)

5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.

6. Using this method, the USB controller's memory-mapped registers were found, and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.

(...)
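Step 5 describes a one-bit optical channel: memory contents serialised as backlight on/off periods and sampled by a webcam. The example below is added here to show how such a bit-serial channel can be framed and decoded; it is not Rockbox code and nothing in the thread says what framing the Rockbox developers used. It assumes a UART-like frame (start bit, 8 data bits LSB first, even parity, two idle stop periods), a fixed number of webcam frames per bit period, and a 30 fps camera; the samples are constructed in the code rather than captured.

```python
"""Simulated backlight-blink channel: encoder, decoder and throughput estimate.

Added example, not Rockbox's dump code. Frame layout is an assumption:
  [start=1] [8 data bits, LSB first] [even parity] [0] [0]
The two trailing idle periods guarantee a rising edge at every start bit,
which is what the decoder synchronises on.
"""

SAMPLES_PER_BIT = 5   # assumed: webcam frames captured per bit period
BITS_PER_FRAME = 12   # start + 8 data + parity + 2 idle


def byte_to_frame_bits(value):
    """Return the 12 bit periods that carry one byte."""
    data = [(value >> i) & 1 for i in range(8)]
    parity = sum(data) & 1            # even parity: total number of ones is even
    return [1] + data + [parity] + [0, 0]


def encode(payload, samples_per_bit=SAMPLES_PER_BIT):
    """Turn bytes into a list of backlight samples (1 = on, 0 = off)."""
    samples = [0] * (2 * samples_per_bit)          # idle lead-in
    for value in payload:
        for bit in byte_to_frame_bits(value):
            samples.extend([bit] * samples_per_bit)
    samples.extend([0] * (2 * samples_per_bit))    # idle tail
    return samples


def decode(samples, samples_per_bit=SAMPLES_PER_BIT):
    """Recover bytes from samples; also report frames whose parity failed."""
    out = bytearray()
    bad_frames = []
    frame = 0
    i = 1
    while i < len(samples):
        if samples[i - 1] == 0 and samples[i] == 1:     # rising edge = start bit
            centre = i + samples_per_bit // 2           # sample each bit mid-period
            bits = []
            for k in range(1, 10):                      # 8 data bits + parity
                idx = centre + k * samples_per_bit
                if idx >= len(samples):                 # stream truncated mid-frame
                    return bytes(out), bad_frames
                bits.append(samples[idx])
            data, parity = bits[:8], bits[8]
            if (sum(data) & 1) != parity:
                bad_frames.append(frame)
            out.append(sum(bit << j for j, bit in enumerate(data)))
            frame += 1
            i += 10 * samples_per_bit                   # jump to the idle periods
        else:
            i += 1
    return bytes(out), bad_frames


def corrupt(samples, frame, bit, samples_per_bit=SAMPLES_PER_BIT):
    """Invert every sample of one bit period (a constructed webcam glitch)."""
    start = 2 * samples_per_bit + frame * BITS_PER_FRAME * samples_per_bit
    lo, hi = start + bit * samples_per_bit, start + (bit + 1) * samples_per_bit
    return samples[:lo] + [1 - s for s in samples[lo:hi]] + samples[hi:]


def seconds_to_dump(num_bytes, fps=30, samples_per_bit=SAMPLES_PER_BIT):
    """Wall-clock time to move num_bytes through the channel (assumed fps)."""
    bit_periods_per_second = fps / samples_per_bit
    return num_bytes * BITS_PER_FRAME / bit_periods_per_second


if __name__ == "__main__":
    stream = encode(b"Rockbox")
    print(decode(stream))
    print(decode(corrupt(stream, frame=1, bit=3)))
    print("4 MiB at 30 fps takes about %.0f days" % (seconds_to_dump(4 << 20) / 86400))
```

The parity bit only detects an odd number of flipped bits per byte; the decoder reports the frame index so the affected region can be re-dumped, which is the practical failure mode of a camera-sampled channel. The throughput estimate is why a USB path was worth finding: at these assumed rates a few megabytes takes months.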

@bagder I love this! In 2009, we did something very similar attempting to use an iBoot vulnerability in iPhoneOS to read back the binary for that version of iBoot, when we realized we could write to a certain address range to display RGBA values on the screen (32 bits per pixel)
@chronic @bagder were you actually able to recover the precise RGBA values?

@qwertyoruiop @bagder I cannot recall with a reasonable level of confidence how it ultimately ended up getting solved (it was back when iBoot was encrypted and on a new device - maybe iPhone 3GS or iPod Touch 3rd Gen - so no pre-existing AES access).

I _think_ we ended up not being able to get exact data, but comparing the visual output against a device for which we already knew what iBoot looked like, making it easier to brute force what we were after (truly wish I remembered this better).