--- Log opened Tue Sep 28 00:00:01 2004
00:51 -!- danalien [~danalien@h211n1fls29o1061.bredband.comhem.se] has quit ["Lost terminal"]
01:04 -!- pbrook [~paul@81-178-235-178.dsl.pipex.com] has quit [Remote closed the connection]
01:17 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has quit [Remote closed the connection]
01:18 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has joined #ipodlinux
01:18 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has quit [Remote closed the connection]
02:17 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has quit [Connection timed out]
02:25 -!- Ghaazi [~Ghaazi_7@pool-68-161-24-215.ny325.east.verizon.net] has joined #ipodlinux
02:25 < Ghaazi> y0
02:34 < Ghaazi> anyone alive?
02:36 -!- Ghaazi [~Ghaazi_7@pool-68-161-24-215.ny325.east.verizon.net] has quit ["EOF"]
03:56 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has joined #ipodlinux
04:23 -!- Snadder [sander@062016179110.customer.alfanett.no] has joined #ipodlinux
04:42 -!- Snadder [sander@062016179110.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)]
05:15 -!- Snadder [sander@062016179110.customer.alfanett.no] has joined #ipodlinux
05:47 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has quit [Read error: 110 (Connection timed out)]
05:49 -!- oxygen77 [~Chris@pauguste-7-82-66-87-78.fbx.proxad.net] has joined #ipodlinux
05:49 -!- oxygen77 [~Chris@pauguste-7-82-66-87-78.fbx.proxad.net] has left #ipodlinux ["Cho"]
06:32 -!- Stereo [~stereo@212.76.255.91] has quit [Read error: 104 (Connection reset by peer)]
06:53 -!- tlg [~tlg@211-197.241.81.adsl.skynet.be] has quit [Read error: 110 (Connection timed out)]
07:25 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has joined #ipodlinux
08:05 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has quit [Read error: 110 (Connection timed out)]
08:51 -!- tlg [~tlg@197-235-183-194.adsl.perceval.be] has joined #ipodlinux
09:45 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has joined #ipodlinux
10:53 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has quit [Read error: 110 (Connection timed out)]
10:59 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has joined #ipodlinux
11:16 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has quit [Remote closed the connection]
11:27 -!- tlg [~tlg@197-235-183-194.adsl.perceval.be] has quit ["leaving"]
12:34 -!- KuRcZ [~jeff_kurc@d57-31-222.home.cgocable.net] has joined #ipodlinux
13:58 -!- mogorman [~mogorman@216.207.244.182] has left #ipodlinux []
14:20 -!- oxygen77 [~Chris@pauguste-7-82-66-87-78.fbx.proxad.net] has joined #ipodlinux
15:16 -!- dpalffy [dpalffy@rainstorm.omikk.bme.hu] has joined #ipodlinux
15:33 -!- pbrook [~paul@81-178-235-178.dsl.pipex.com] has joined #ipodlinux
16:16 -!- mogorman [~mogorman@216.207.244.182] has joined #ipodlinux
16:45 * oxygen77 is away: I'm not here
16:46 -!- leachbj [~leachbj@pD9EAB87B.dip.t-dialin.net] has joined #ipodlinux
16:46 -!- mode/#ipodlinux [+o leachbj ] by ChanServ
16:46 < leachbj> hey all
16:47 < mogorman> morning
16:48 < mogorman> so i was asking yesterday about the state of ipod linux
16:48 < mogorman> and what it was capable of
16:49 < leachbj> pbrook: nice work with the 4g ;)
16:49 < leachbj> mogorman: have you had a look at the forums/website?
16:53 -!- piratePenguin [1000@159-134-210-224.as1.csy.castleblaney.eircom.net] has joined #ipodlinux
16:54 < pbrook> leachbj: Ta:)
16:54 < leachbj> what kind of code have you gotten to run so far?
16:55 < pbrook> Very little. I tried the bootloader, but it locked up
16:55 < piratePenguin> someone gonna port itunes to the ipod :)
16:55 < pbrook> It feels like the address of the LCD has changed.
16:56 < leachbj> pbrook: I haven't done any rev engineering on the new firmware so I'm not sure. I'd be pretty surprised if things were very different
16:56 < leachbj> have you seen the patch_fw program in CVS?
16:56 < leachbj> that will let you replace the firmware with real simple programs for testing
16:57 < leachbj> e.g. a simple test that just turns the backlight on... or take the diag code from a 3g and run it on the 4g...
16:57 < piratePenguin> how do I format the music partition on my ipod ?
16:57 < mogorman> i have looked at forums and website but wasnt sure if you have gotten any further
16:58 < leachbj> piratePenguin: why do you need to format it?
16:58 < piratePenguin> I think it's corrupted... My brother copied 6gb of crap onto it (from Window$) and I cant get it off :(
16:58 < piratePenguin> s/crap/data/
16:59 < leachbj> mogorman: as compared to the "status" on the website we've made some good progress... podzilla has a bunch of games, voice recording has been added, mp3 playback for 128kbps is now flawless.
16:59 < leachbj> piratePenguin: just run the restore util on it and it will restore the ipod to its factory defaults (reformats etc)
16:59 < mogorman> oh really that is great, what about ogg? I am really interested in sox as well, do a lot of phone work, with gsm, ilbc etc
17:00 < leachbj> sox _should_ work but I had some strange problems with wav playback and recording... I'm not sure what the problem was.
17:00 < piratePenguin> leachbj: will linux still be on it? Where do I get the restore util?
17:01 < leachbj> ogg is still no-go. there were some attempts to optimise it but nothing was really effective.
17:01 < leachbj> piratePenguin: no you'll need to re-install linux afterwards. the restore util is from Apple and comes on your iPod CD.
17:01 < piratePenguin> A windows app no doubt
17:02 < leachbj> yup
17:03 < pbrook> piratePenguin: Or you could try mkfs -t vfat. No promises though.
17:04 < leachbj> pbrook: you have a working arm toolchain right?
17:04 < pbrook> Yes.
17:05 < piratePenguin> hmm... Cant I just format the one partition and make the ipod directories in Ephpod thru wine?
17:05 < pbrook> piratePenguin: Probably, yes.
17:06 < leachbj> cool, I'll send you some basic code that u can use to do some experiments (assuming you're interested of course!)
17:06 < piratePenguin> pbrook: how do I format /dev/sda2 ?
17:07 < pbrook> piratePenguin: "man mkfs"
17:07 < piratePenguin> thanks
17:08 < pbrook> leachbj: Yes, I'm interested. It may be a few days before I can spend any real time playing with it though.
17:09 < leachbj> pbrook: no problems.
17:10 < leachbj> I've just sent it, the code just makes a noise on the piezo so if you hear that then you know it runs ;)
17:10 < leachbj> another good test tool is to switch the back light on which is also quite easy
17:10 < pbrook> I'm fairly sure I tried something similar, and it didn't work.
17:11 < leachbj> probably try compiling it for 0x40000000 and setting that as the load address in patch_fw...
17:13 < pbrook> I'm fairly sure C_PROCESSOR_ID is 0x60000000, not 0xc4000000 on the new ipods.
17:14 < leachbj> hmm, that would be pretty strange for an address like that to change....
17:15 < mogorman> so i have an ipod that is formatted for macos, and i have a linux box with hfs + support
17:16 < leachbj> but then the change from 0x2800:0000 to 0x1000:0000 is also strange.
17:16 < leachbj> its possible though that the bootloader is setting up some memory mapping....
17:17 < pbrook> Or they decided to change the mappings, maybe to make space for new hardware.
17:17 < mogorman> or should i format for windows?
17:18 < leachbj> mogorman: I would normally go for fat32 under linux since its a bit more mature but either should work
17:20 < leachbj> pbrook: is it the same key patterns with the 4g to get to forced disk mode?
17:21 < pbrook> No. Reset is the same (select+menu), but forced disk is select+play after reset.
17:21 < leachbj> cool, as long as it works the same way ;)
17:22 < dpalffy> hi!
17:22 < leachbj> hey dpalffy!
17:24 < dpalffy> about 4g: we should agree on a firmware to look at to figure out the serial port address to dump the flash...
17:25 < mogorman> hfs+ is preferred to fat32 for stability in my opinion, but i can flash it either way
17:25 < dpalffy> Firmware-4.3.0.1 ? Do you have that?
17:25 < leachbj> dpalffy: yup thats the one I just loaded ;)
17:26 < leachbj> yeah, if we can get something simple that will just read flash and dump it out the serial port that will make the re effort much simpler
17:32 < dpalffy> i'm still wondering what loadAddr: 0x048D0040 means...
17:36 < pbrook> My firmware has loadAddr=0xffffffff
17:37 < dpalffy> dunno - i don't have a mac, i just got the image from someone at irc...
17:37 < leachbj> thats the diff between the "to flash image" and the image after it gets flashed
17:37 < dpalffy> but cpuid seems to be at 0x60000000, right
17:38 < dpalffy> leachbj: look at 0x22c
17:38 < pbrook> Yes. That much I managed to figure out by reverse-engineering.
17:38 < leachbj> have you dropped the 512 bytes at the start?
17:38 < pbrook> Yes.
17:39 < dpalffy> yes.
17:39 < leachbj> cool
17:39 < leachbj> sorry just on the phone
17:41 < dpalffy> but before that, they seem to mess with the MPU...
17:41 -!- Stereo [~stereo@212.76.255.91] has joined #ipodlinux
17:42 < pbrook> How do I figure out the firmware version? (so's I can tell if I'm looking at the same version as you guys)
17:44 < leachbj> pbrook did you update with the latest update?
17:44 < pbrook> Yes.
17:44 < dpalffy> then you have ours.
17:45 < dpalffy> and the exception table is loaded at 0x10000000 which is later mapped to 0x00000000
17:46 < dpalffy> look at 0x220 - they load [0x2d8] = 0x228 to pc
17:47 < dpalffy> so there's the magic to map ourself to 0x0
17:52 -!- jedix [~jedix@CPE0050bf9eb1bb-CM014090213885.cpe.net.cable.rogers.com] has joined #ipodlinux
17:52 < jedix> hey
17:52 < jedix> bernard here?
17:52 < leachbj> hey
17:53 < jedix> hey, I'm Liam
17:54 < jedix> we spoke through email
17:54 < leachbj> ah great, dpalffy & pbrook are also here & chatting about the 4g firmware
17:54 < dpalffy> hi jedix!
17:54 < jedix> hello
17:55 < jedix> am I the only one with a 4g?
17:55 * pbrook also has one
17:55 < jedix> ok, cool.
17:56 < jedix> so what have they done to the firmware? encrypted it?
17:56 < pbrook> No, just added a block of padding to the front, and changed a magic version number.
17:56 < dpalffy> for the os. but the diags is encrypted.
17:57 < jedix> diags?
17:58 < dpalffy> i couldn't really find the cop sleep routine... might it be at 0x888? then 0x70000000 is the cop control
17:58 < jedix> it's a different processor/usb/firewire chipset on the 4g as well, right?
17:58 < dpalffy> yes, it's quite different.
17:58 < jedix> I have a meeting, I'll bbl.
17:59 < dpalffy> pbrook noticed that we can run programs on the 4g, but it's very hard to RE the main image, so we'd need the diags image
17:59 < dpalffy> we're trying to locate the most basic things to do a serial dump of the flash of a 4g
18:02 -!- piratePenguin [1000@159-134-210-224.as1.csy.castleblaney.eircom.net] has quit [Read error: 60 (Operation timed out)]
18:05 < dpalffy> leachbj, pbrook: what's the 8th exception?
18:06 < pbrook> FIQ
18:06 < pbrook> (Fast Interrupt Request)
18:07 < dpalffy> thx, i know what fiq means... just trying to find the cop wakeup location...
18:28 < dpalffy> are you still here?
18:29 < dpalffy> I can't find the cop sleep routine... the startup is quite different.
18:29 < pbrook> bugger
18:29 < dpalffy> but i think i'll look for parts of the old serial code in the image
18:29 < dpalffy> if i can find sth similar, we can easily find the serial port address.
18:29 < pbrook> Yeah.
18:29 < leachbj> the only problem with that can be sometimes there is old code but its unused
18:30 < dpalffy> and we could simply put the cop in a loop while dumping the flash...
18:30 < leachbj> pbrook if you can get that test code to boot then that tests one of the serial ports...
18:30 < leachbj> the piezo is connected to one serial port the remote to the other
18:31 < pbrook> Oh, I see. The piezo code does nothing (locks up)
18:31 < leachbj> did you mod it to use 6000:0000 for the cpuid?
18:31 < pbrook> Yes
18:31 < leachbj> ;) sorry dumb question... the other thing to try is the backlight... have you seen that code in the kernel?
18:32 < pbrook> I'm fairly sure the coproc sleep code isn't working either.
18:32 < leachbj> if you don't mind the race conditions you can kinda ignore the coproc
18:32 < pbrook> Err, I think there's some code for that in startup.s. I'll give it a try.
18:33 < leachbj> it should be something like c0001000 |= 0x2
18:33 < pbrook> Yep, that's it.
18:34 < leachbj> ok, I'm back up with re tool... so the first bit of code sets two memory mapped regions.
18:35 < pbrook> Nope, the backlight code doesn't work either.
18:39 < dpalffy> i think we can forget about 0xc0000000 and 0xcf000000. both only occur at very few places in the code
18:39 < dpalffy> these addresses will be moved, too
18:47 < leachbj> yeah it looks like interrupt registers start at 60004000 instead of cf000000
18:49 < dpalffy> i'm doing grep -v e[0-9a-f]\{7\} on the dump...
18:51 < dpalffy> f000f000 is still referenced, the cache control is there but might work differently
18:51 < leachbj> hmmm the code is compiled for a base address of 0x1000:0000...
18:51 < dpalffy> 60007000 is also often referenced
18:53 < dpalffy> leachbj: are you sure? i'd say 0x0
18:53 < leachbj> its such a pain to re this image... :(
18:53 < dpalffy> yes...
18:54 < leachbj> even in the startup it uses a 1000: address... just looking at the interrupt handling code and there is another.. I think it just remaps for the interrupts.
18:57 < leachbj> hmmm.. then again maybe not...
18:58 < jedix> isn't the display different from the 3g to the 4g?
18:58 < dpalffy> after the startup it uses 0x0 as the base look at 0x220, it loads 0x228 to pc
18:59 < dpalffy> sotty, I have to go...
18:59 < leachbj> yup... it may be using both, one for code & one for data.
18:59 < dpalffy> sorry, i can't type
18:59 < leachbj> np
18:59 < leachbj> ;)
19:00 < dpalffy> bye
19:00 -!- dpalffy [dpalffy@rainstorm.omikk.bme.hu] has quit ["BitchX: its not your ordinary stick of gum"]
19:02 < jedix> how are you reading the calls? through a hex dump?
19:03 < leachbj> you can use the arm cross compiler tools to dump the asm
19:04 < jedix> oh, cool
19:04 < leachbj> arm-elf-objdump --target=binary --architecture=arm --disassemble-all -z
19:05 < pbrook> I've also written a small utility that reads in a binary image and a list of symbols, and outputs an assembly file with symbols in it.
19:07 < leachbj> there is a great program called IDA pro which can do a lot of work but you can't buy it as an individual
19:08 < jedix> oh. I'm just looking through the apt repository right now
19:30 < leachbj> pbrook: did you say earlier that when you zero'ed the 512 byte section and rebooted the ipod it came up ok right?
19:32 < pbrook> yes
19:34 < leachbj> cool. I'm looking for the lcd controller so we can use that for testing
20:04 < leachbj> pbrook u still there?
20:04 < pbrook> yes
20:05 < leachbj> cool, try setting 0x7000a0010 |= 0x80000000 for the backlight
20:06 < leachbj> for the startup code do a "b ." for the cop then if not cop execute that 0x7...
20:09 < pbrook> No, that doesn't switch the backlight on
20:10 < leachbj> :(
21:26 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has joined #ipodlinux
21:28 -!- oxygen77 [~Chris@pauguste-7-82-66-87-78.fbx.proxad.net] has left #ipodlinux ["Cho"]
21:35 -!- leachbj_ [~leachbj@pD9EAB03D.dip.t-dialin.net] has joined #ipodlinux
21:53 -!- leachbj [~leachbj@pD9EAB87B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
22:01 -!- randomdestructio [~random@Peterborough-ppp111014.sympatico.ca] has joined #ipodlinux
22:01 -!- Random [~random@Peterborough-ppp111014.sympatico.ca] has quit [Read error: 104 (Connection reset by peer)]
22:05 < leachbj_> pbrook: do you have a serial port connector for your ipod? e.g. something you can hook up to your pc? I was looking at sorting out the serial comms but didnt quite get to the bottom of the indirection yet :(
22:06 < pbrook> No.
22:07 < pbrook> I guess I might be able to make something. I assume it uses the little connector on the top next to the 'phone jack?
22:10 < leachbj_> see http://ipodlinux.sourceforge.net/forums/viewtopic.php?t=187&postdays=0&start=15
22:11 < leachbj_> or pins 11,12,13 on the dock connector
22:16 < pbrook> Ah, I see. I guess I can probably cobble something together.
22:17 < leachbj_> probably the best bet is to try and get serial working on the 4g so we can dump the flash. from there we can reverse engineer the bootloader/diag much easier
22:18 < pbrook> Yeah, makes sense.
22:19 < leachbj_> anyhow I'm off to bed... night all.
22:24 -!- leachbj_ [~leachbj@pD9EAB03D.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
23:04 -!- jedix_ [~jedix@CPE0050bf9eb1bb-CM014090213885.cpe.net.cable.rogers.com] has joined #ipodlinux
23:06 < jedix_> !commands
23:06 < jedix_> !G4
23:15 < jedix_> hey
23:44 -!- BlindSpy [~blindspy@tark-b-139.resnet.purdue.edu] has joined #ipodlinux
--- Log closed Wed Sep 29 00:00:01 2004