How the first gen ipod was reverse engineered to run #Rockbox:
1. Someone figured out that when loading a particular HTML page (for viewing on the device), the device would reboot. It crashed. A buffer overflow in the HTML viewer!
2. The device remembered what it did before the crash, so it would reload the HTML page again after boot. Unless you connected to it over USB and removed the HTML file it would stick in this cycle.
(continues...)
3. The buffer in the HTML file had to be written without using a zero byte, and someone wrote a ARM assembler loop that would just write data to memory. We had a rough idea what SoC was in there, so we knew a little of what to try.
4. Eventually, one day, that operation made the LCD backlight blink! The LCD controller was found in memory.
(..)
5. Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents. Slooooow.
6. Using this method, the USB controller memory mapped registers were found and it was similar to another device Rockbox did USB on. The memory-dump code was rewritten to instead dump the entire memory over USB.
(...)
7. The initial bootloader to load Rockbox was then just such a crafted HTML file that would load the correct firmware, and since it still worked after reboots it was a pretty neat hack.
8. Eventually the encryption key for the bootloader was found in the SRAM of the running device, and we could encrypt and create custom "real" bootloaders for the devices.
9. Rockbox would then boot and run natively on ipods.
The rest is history.
@bagder Awesome story!
@bagder I think the html method is cooler, because if you screw up you can just delete the html file if something goes wrong
@bagder This story sounds almost like curl started as a bootloader for Rockbox :D
ŋozze @bagder I love hackers!
@bagder best hacking story I've heard in awhile! I never had an ipod, but I used rockbox on my cheap sandisk sansa for many years. so much better than the stock firmware. thanks, rockbox.
@bagder
It's funny how many devices have been jailbroken by HTML/Javascript.
I hadn't heard the whole story for the iPod that's really cool.
@bagder nice story!
Still using a Sansa Clip (+ i think) with Rockbox when i am out for a walk or have to use public transport, love it!
@bagder
Awesome, thanks for sharing! I still have my sandisk player running RockBox. I used it back in the day as a backup music player when performing electronic music live sets, because it would play 24bit flac! Saved my ass more than once when my pc would crash in the middle of a set! :D
@bagder i remember hearing about a hack using the piezo speaker to beep the contents
@bagder oh AMAZING. that is such a delightful strategy
@bagder I love this! in 2009, we did something very similar attempting to use an iBoot vulnerability in iPhoneOS to read back the binary for that version of iBoot, when we realized we could write to a certain address range to display RGBA values on the screen (32 bits per pixel)
@qwertyoruiop @bagder I cannot recall with a reasonable level of confidence how it ultimately ended up getting solved (it was back when iBoot was encrypted and on a new device - maybe iPhone 3GS or iPod Touch 3rd Gen - so no pre-existing AES access).
I _think_ we ended up not being able to get exact data, but comparing the visual output against a device for which we already knew what iBoot looked like, making it easier to brute force what we were after (truly wish I remembered this better).
@bagder omg that’s awesome
@bagder I love the LEGO part! 
@wader thanks sooo much… I remember reading that page back in the days and I could not find it again for the sake of me.
@Ced first thought maybe it was badger who wrote it back in days but was separate hack! :)
@bagder I find stories like this to be so interesting. And inspiring. Just the level of ingenuity from people who find the ways to hack this stuff together.
@yacc143 @Daojoan @bagder First of all, I think all devices should be fully unlocked/decrypted/documented by their EOL dates, by law.
However, lots of customers blissfully install 3rd-party software but go to the manufacturer for support. Then when rightfully denied, they’ll generate bad PR anyway. For devices that sells in the millions, even a small % is an expensive nuisance.
Plus, devices like iPods have a contractual duty to content owners to enforce DRM.
Full disclosure: ex-Apple.
@yacc143 @Daojoan @bagder You’re preaching to the choir, and I think more legal reforms should address DRM and copyright in general. I was just trying to explain the rationale from the manufacturer’s side.
Consumers at large *are* getting what they want, though. Someday they might become irritated by DRM’ed media or EOL’ed devices, but they’re really not that bothered.
It’s also why the gratis part of free software has always been more appealing to the general public than the libre part.
@mariani1
DRM literally is making the preservation of our heritage problematic.
Furthermore, if the corporate copyright holders believe so very strongly in their system of IP being genially accepted by the population, catching the some illegal users can be done via digital watermarks, can't it?
As it is, Amazon breaking the dedrm toolchain literally made me stop buying ebooks from Amazon.
@Daojoan @bagder
@mariani1 @Daojoan @bagder
I find it more fascinating, that the fact that e.g. Apple has an absolute control what runs on its hardware (not only iOS, but also macOS, yes one can disable the signature checks on macOS, but it's literally something that is discouraged, due to being important part of macOS security), does not cause bad PR, despite that it can cause breakage as it creates central points of failure.
@bagder this is really awesome. I had Rockbox on one of the later-gen iPods and used it as my daily driver for YEARS.
@bagder the first gen ipod had an HTML viewer?
@bagder [citation needed]
@bagder it was so awesome. gapless mp3 was great for listening to live shows, and i just had to throw them in alpha order in a folder, no worrying about how some custom firmware was going to interpret mp3 tags or sort things. copy files, go to the gym, and run and lift to awesome music on my sansa clip with #Rockbox!
@bagder I read "roblox" and was expecting a different writeup
@bagder what? Are you talking about the iPod Touch? There is no web viewer on the iPods nor the first gen….
@anthonylee
The Notes function understands (understood?) some html tags. You could link to songs. No <blink> iirc
@bagder
#FBPE @bagder ... and we spend so much of our lives trying to avoid poison pills ... I fixed one only yesterday ...
@bagder “Now the exploit was rewritten to read memory, and *blink* out the contents using the LCD backlight. A LEGO construction was built and a webcam would register the binary stream of a few megabytes of memory contents.”
Bloody hell… wow.
