iPod firmware reverse engineered
There's more than one way to extract a bootloader, and Nils Schneider has come up with a rather inspired one. He
wanted to study the iPod firmware in order to write new software for the device, but couldn't examine the code without
first somehow extracting it. He ended up using a piezo element to output the firmware as a series of sounds, which he
recorded and analyzed on his PC to convert the squeaks and squawks into a digital representation of the code. He
essentially turned an iPod and a microphone into an acoustic modem, and wrote his own application to decode the signal.
Then, he wrote it all up for posterity and posted it online in contribution to hacker lore.
[Via BoingBoing]
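The acoustic-modem idea described in the post, as an added example that is not Schneider's code (his modulation scheme, tone frequencies and bit rate are not given on the page; the values below are assumptions): a two-tone FSK encoder and a Goertzel-based decoder in pure Python, with a length and CRC32 frame so a corrupted recording is rejected instead of being accepted as firmware.

```python
import math
import random
import struct
import zlib

# Assumed parameters (the write-up's actual values are not on the page).
SAMPLE_RATE = 8000          # samples per second of the "recording"
BAUD = 100                  # bits per second -> 80 samples per bit
F_ZERO = 1000.0             # tone used for a 0 bit (Hz)
F_ONE = 2000.0              # tone used for a 1 bit (Hz)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD
MAGIC = b"\x7e"             # frame start marker


def frame(payload: bytes) -> bytes:
    """Wrap payload as MAGIC | 2-byte length | payload | CRC32 so the receiver can verify it."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return MAGIC + struct.pack(">H", len(payload)) + payload + struct.pack(">I", crc)


def bits_of(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(payload: bytes) -> list:
    """Turn a framed payload into phase-continuous FSK audio samples in [-1, 1]."""
    samples, phase = [], 0.0
    for bit in bits_of(frame(payload)):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def goertzel_power(chunk, freq: float) -> float:
    """Energy of one tone in a chunk (Goertzel algorithm, nearest DFT bin)."""
    n = len(chunk)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in chunk:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate_bits(samples):
    """Decide each bit slot by comparing the energy at the two tone frequencies."""
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        yield 1 if goertzel_power(chunk, F_ONE) > goertzel_power(chunk, F_ZERO) else 0


def bytes_of(bits) -> bytes:
    """Pack a bit stream back into bytes (MSB first)."""
    out, acc, count = bytearray(), 0, 0
    for b in bits:
        acc, count = (acc << 1) | b, count + 1
        if count == 8:
            out.append(acc)
            acc, count = 0, 0
    return bytes(out)


def demodulate(samples) -> bytes:
    """Recover the payload from audio samples; raise ValueError on a bad frame or CRC."""
    raw = bytes_of(demodulate_bits(samples))
    if not raw.startswith(MAGIC) or len(raw) < 7:
        raise ValueError("no frame header")
    (length,) = struct.unpack(">H", raw[1:3])
    if len(raw) < 7 + length:
        raise ValueError("truncated frame")
    payload = raw[3:3 + length]
    (crc,) = struct.unpack(">I", raw[3 + length:7 + length])
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: capture was corrupted")
    return payload


def try_demodulate(samples):
    """Return the payload, or None if the recording did not decode cleanly."""
    try:
        return demodulate(samples)
    except ValueError:
        return None


def add_noise(samples, sigma: float, seed: int = 1) -> list:
    """Constructed microphone noise: additive Gaussian with a fixed seed for repeatability."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


if __name__ == "__main__":
    data = b"constructed firmware bytes \x00\x01\xff"   # stand-in for real firmware
    print(try_demodulate(add_noise(modulate(data), 0.5)) == data)
```

The CRC is the part a practitioner cares about: the decoder only ever outputs a payload whose checksum matches, so a dropout or a burst of room noise shows up as a failed frame that can be re-recorded, rather than as a silently corrupted image.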
I'm sorry what did you say? Whatever it was, it ruled.
Daaaaaaaaaaaaaaaaaaaaaamn. Super l33t.
I wish this story wasn't over a month old:
http://slashdot.org/article.pl?sid=05/01/29/2017244
sweet, now if someone could just get voice recording on the mini I'll be all set...
He is the developer for Linux on the iPod.
He did this a while back.
You can see what he has been doing at:
http://www.ipodlinux.org.
1337est of the 1337
this is old news, why post it now?
Hmm. As an electronics engineer, I would guess that "extracting the firmware" is not what this person has done. I wish there was more information about this because it's a fairly difficult task and not one that Apple would allow to occur easily. The system microcontroller isn't just going to be spitting out firmware code, it's going to be buried in the device software. What can be observed is the effects of the boot loader on powerup, external to the device, but for most microcontrollers (FPGAs as well), there are a whole host of processes taking place internally -- configuring registers, initializing external devices, etc. On a device with firmware such as a micro (assuming the device doesn't have a crypto-engine or software lock, which most do), the 'hacker' would have to boot-strap the device by pulling certain pins low or high on powerup, putting it into diagnostic or boot strap modes. Often to read data out of a chip requires an external clock signal as well, and it doesn't mention anything such as that. Additionally, the data that could be read out is going to be in machine code, and without development tools for the particular microcontroller housing the firmware, it would be phenomenally difficult for your everyday person to interpret, as each device has a different instruction set. Looking into it, I discovered the iPod uses PortalPlayer's PP5002 ARM-7 based microcontroller. The device brief is found here: http://www.portalplayer.com/products/documents/5002_brief_0108_Public.pdf
It's got a JTAG interface. For testing (ATE) and programming, there has to be pads for the JTAG on the board. This would be the easiest way to extract the firmware, but you would need a development kit for the PortalPlayer device, which is easy to get if you're willing to spend the money.
All that aside, even if this guy did get the system micro to spit out its firmware, using a modulated audio signal to read it out is like building a house by hand! There are a whole host of ways to read out data. The easiest being with a software-based protocol analyzer. You could see the data in hex format firsthand, without having to convert it to audio and write another program to convert it back.
Again, I'm guessing that this is not the whole story, and more hype than anything.
All THAT aside, if I were on the development team at Apple, I would have the foresight to think that some super-nerd out there would try to hack the firmware and I would build encryption into the code. Given that it is the core of the system, it would be costly to have competitors getting their hands on it. Not to mention the returns they would get for people claiming that the iPod "just stopped working" after screwing with code in the firmware that they should not have been.
I give the guy thumbs up for trying, but thumbs down for how he did it, and another thumbs down for likely not succeeding.
If anyone is curious, Electronic Design Magazine tore one down a few months ago and discussed it. To see the images, you have to click the figure numbers in the text:
http://www.elecdesign.com/Articles/Index.cfm?AD=1&ArticleID=9500
Apple lawsuit in 3...2...1...
dd if=/dev/sda1 of=firmware.img
maybe that's not the same thing he's talking about, but it's where all the images and icons for the UI are stored.