--- Log opened Wed Mar 18 00:00:01 2009
00:00 < soap> courtc: outside your dismissive answer, I think it is a legit question. IF my description of the 2G as a stepping stone is correct, there is only so much information which can be gleaned from it, and IF the attack vector is similar across targets it just seems like an odd one to start on.
00:01 < davidc__> soap - In any case; the attack should be portable to any one that doesn't have the ram in-package
00:02 < davidc__> oh, and 2.5 - reball + resolder both interposer and dram
00:03 < soap> let's assume for a second the interposer board is a given... Do you have (or know anyone who has) experience removing an underfilled bga chip?
00:03 < davidc__> soap: I've talked to a few people that have done that kind of thing, and the answer is "it depends on the underfill"
00:03 < davidc__> Some of the epoxies weaken under hot air. Some don't.
00:03 < soap> can a replacement dram chip simply be sourced, and the original sacrificed in an effort to preserve the underlying pads?
00:04 < davidc__> soap - quite likely; drams are pretty generic
00:04 < soap> what use is a broken one? Pratice on dram removal?
00:04 < davidc__> precisely.
00:04 < cmwslw> I agree with davidc
00:04 < soap> practice
00:04 < soap> do you have the focused hot-air gun?
00:05 < davidc__> yes; I have hot air tools
00:05 < davidc__> and nice soldering gear
00:05 < davidc__> and access to a milling machine
00:05 < cmwslw> the 2G can still help us understand the encryption process
00:05 < davidc__> thinking we can also physically mill the chip off
00:05 < courtc> soap: Sorry, my answer was not meant to be dismissive. I was trying to illustrate the microsteps we must often take to achieve an end goal.
00:05 < soap> why do we assuming the encryption is common between the 2, 3, and 4?
00:05 < cmwslw> do we know if the 2G and 3G both have underfilled RAM chips?
00:05 < soap> wow spelling
00:05 < soap> s/assuming/assume/
00:05 < davidc__> cmwslw: from the photos I've seen, yes
00:06 < cmwslw> It might not be exact, but it will no doubt be similar
00:06 < davidc__> It's done for reliability reasons
00:06 < davidc__> soap - silicon is expensive to change; if they can stick with the same die, all the cheaper.
00:06 < cmwslw> Apple doesn't do major changes
00:06 < soap> you don't think this encryption was an off-the-shelf solution?
00:06 < davidc__> soap: I think the die is custom; with a fairly-off-the-shelf crypto core; or more likely
00:06 < davidc__> done purely in software
00:06 < davidc__> with that big 50k boot rom
00:06 < cmwslw> if there was no problem with the previous encryption system, why would they change it?
00:07 < soap> Where I was going with that was: If they purchased a turn-key solution for the 2nd, and changed hardware again for the 4th - what is the reason to believe they used the same turn-key solution?
00:07 < davidc__> soap: well; do we know if the processor was significantly revved
00:07 < davidc__> it is dram-in-package
00:07 < soap> as to "why would they change it" - because they changed vendors. and the "package deal" changed.
00:07 < cmwslw> that is a good question
00:08 < davidc__> soap: erm, they're still with samsung for the 4th gen, no?
00:08 < cmwslw> the vendor has been samsung ever since the firmware was encrypted
00:08 < soap> and samsung -> apple w/o any middle layer?
00:08 < cmwslw> and they all use S5L87xx processors
00:09 < davidc__> soap - likely. It's a custom processor for apple. Apple easily has the purchasing power to get samsung to do their bidding.
00:09 < soap> I guess that is where I'm going with this - how much of this is apple's design and how much of this is an off-the-shelf solution by either samsung or a middle-man?
00:09 < soap> (and I think you just answered that)
00:09 < davidc__> My suspicion is that it's essentially an off the shelf S5L87xx, with knocked out peripherals that they don't use
00:09 < davidc__> and a custom boot rom
00:09 * courtc agrees
00:10 < cmwslw> well given that the processor has no datasheets whatsoever, it probably is a processor exclusively for apple
00:10 < davidc__> they've got 50k of boot rom, according to the S5L docs, which is tons to do crypto in sw
00:10 < cmwslw> but it is not likely that it is custom designed for apple
00:10 < soap> what changed between 2 and 3 that the 2 can't support video? Or is that solely a support decision?
00:10 < cmwslw> after all, the chip has many features that the ipod will never need
00:11 < davidc__> soap - one other thing I want broken ones for is to de-package the main IC
00:11 < cmwslw> the processors are similar
00:11 < davidc__> I have access to SEM gear through a friend
00:11 < cmwslw> the 2G has less storage for video
00:11 < davidc__> although I can't physically read the bootrom that way [no etching gear, not enough SEM time]
00:11 < davidc__> I can get all the codes off the die, and determine how custom the die is
00:11 < cmwslw> and by making only the 3G video capable, apple reaps the profits from people upgrading
00:12 < davidc__> also - just changing the mask rom = 1-3 masks changed
00:12 < soap> If I were to start you off with a small, focused, donation - what is the first thing(s) you want?
00:12 < davidc__> broken nano 2g/whatever.
00:12 < davidc__> soap - you're with rockbox?
00:13 < davidc__> or nano4linux?
00:13 < scorche> rockbox
00:13 < davidc__> er, linux4nano
00:13 < cmwslw> back to when davidc mentioned a custom bootrom, why would the product info page list the bootrom if it was custom for apple
00:13 < scorche> davidc__: so you do have a friend then?... I believe last time we talked about this (not in this channel), you mentioned you weren't sure, and I mentioned that I could do it...
00:13 < scorche> regarding the SEM bit
00:13 < cmwslw> I think the bootrom is standard for all S5L processors
00:13 < davidc__> scorche: I have someone working in a SEM lab this summer
00:13 < davidc__> that has time to do that for me. If he falls through, I'll send it your way.
00:14 < scorche> ok
00:14 < davidc__> cmwslw: It's likely that all procs have a bootrom, but apple has custom code in there
00:14 < cmwslw> ok, I understand what you meant now
00:14 < davidc__> Again, changing the bootrom is 1-3 mask layers, vs changing the whole chip
00:14 < davidc__> which is a heck of a lot more
00:15 < davidc__> also; it's a much lower risk - changing the boot rom you don't need to worry about putting the whole chip through validation again
00:15 < davidc__> remember, a full mask set costs 1million
00:15 < davidc__> so you don't want to do that twice... so there's tons of validation time, lots of other expenses.
00:16 < cmwslw> does everyone know about the articles on electronicproducts.com
00:17 < cmwslw> http://www2.electronicproducts.com/Applie_iPod_Nano_(4GB)_3rd_Generation-whatsinside-16.aspx#
00:18 < scorche> there are many disassembly pictures...
00:18 < cmwslw> but do they look at the die markings
00:18 < cmwslw> disassembly pictures can only determine what apple paints on their chips
00:18 < cmwslw> not what the actual dies are
00:19 < cmwslw> That is how we know all of the hardware components
00:19 < taylor_> woah
00:19 < taylor_> I missed a lot!
00:20 < cmwslw> and I will be putting a section that annotates the hardware of all the nano generations on the wiki
00:20 < davidc__> Logo, 337S3473 8702, NOKZ9PT, 0731 ARM (Die Marking: S5L8702X01) BGA
00:20 < davidc__> sounds like an S5L series
00:20 < cmwslw> exactly
00:21 < taylor_> what have I missed?
00:21 < cmwslw> we know every chip on the ipod except for two on the 4G
00:21 < cmwslw> many of them have datasheets except for the processors
00:21 < scorche> taylor_: read
00:22 < taylor_> that's what I'm doing - reading the LONG scrollback :)
00:22 < davidc__> Ok; well if we can get our hands on a broken 4G
00:22 < cmwslw> I would check this wiki: http://nxtpp.clustur.com/index.php/Linux4nano_Wiki
00:22 < davidc__> and get that package etched
00:22 < davidc__> and die shots
00:22 < cmwslw> during the next couple of days
00:22 < taylor_> davidc__: was perror going to send you his ipod(s)?
00:23 < davidc__> they claim it's an S5L8720
00:23 < davidc__> and the same one as the iTouch 2G
00:23 < cmwslw> we know it's an S5L8270
00:23 < davidc__> Interesting
00:23 < cmwslw> it mentions it in the firmware multiple times
00:23 < cmwslw> many other chips are common to the touch 2G also
00:24 < taylor_> the iphone/itouch are all very common, the ipods could very well be also
00:24 < taylor_> The encryption is different though
00:24 < cmwslw> how do you know?
00:25 < taylor_> TheSeven tried to decrypt the firmware with the 8900decrypt. I'm guessing that's what would tell us.
00:25 < davidc__> head->desk
00:26 < cmwslw> the 8900 is for the iphone
00:26 < taylor_> and itouch?
00:26 < soap> I'm about to leave town for ~5 days. I just dropped some offers on eight nanos in a variety of conditions. I'll see who bites. scorche and I keep in touch.
00:27 < soap> (don't expect 8) ;)
00:27 < taylor_> ok
00:28 < cmwslw> http://theiphonewiki.com/wiki/index.php?title=S5L8720_(Hardware)
00:30 < davidc__> I have fairly good connections with the iphone dev team
00:30 < davidc__> I was on the team for a while, but drifted away due to lack of HW and time
00:31 < cmwslw> david, are you a student at a university or something else
00:31 < scorche> davidc__: we have been in touch with planetbeing, too
00:31 < courtc> davidc__: I'm sure you don't want your iPhone anymore then? I need a new xknx platform... ;D
00:31 < cmwslw> how do you have access to SECs
00:32 < scorche> cmwslw: it isn't tough...
00:32 < davidc__> never had one in the first place :P
00:32 * scorche spent a few summers playing with them
00:32 < davidc__> cmwslw: freelance engineer
00:32 < cmwslw> interesting
00:33 < cmwslw> well not everyone can just use that sort of microscope if they want
00:34 -!- g4p [n=jp@p4FCE398B.dip.t-dialin.net] has quit ["Ex-Chat"]
00:52 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has quit ["Ex-Chat"]
00:55 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has joined #ipodlinux
01:03 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has quit ["Ex-Chat"]
01:03 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has joined #ipodlinux
01:04 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
01:04 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has joined #ipodlinux
01:06 -!- fxb__ is now known as fxb
01:09 < taylor_> what's up?
01:28 -!- fxb is now known as fxb__
01:33 < taylor_> will someone be willing to donate an ipod to iPL then?
01:38 < cmwslw> Quoted from soap: "I'm about to leave town for ~5 days. I just dropped some offers on eight nanos in a variety of conditions. I'll see who bites. scorche and I keep in touch."
01:38 < cmwslw> I don't know if this means he is donating or he wants donations
01:39 < cmwslw> Soap is still on: can you clarify if you are donating or requesting Nanos?
01:40 < cmwslw> If anyone gets an iPod it should be davidc, because he seems to have a viable plan and access to resources that most people don't have
01:41 < cmwslw> like fast FPGAs and scanning electron microscopes
01:51 < taylor_> soap: what do you mean?
01:52 < taylor_> where did you put those offers?
01:53 < scorche> he is busy packing... go away...
01:55 < taylor_> scorche: how do you know what he's doing?
01:55 < taylor_> :)
01:55 < scorche> because... uh... he said so?
01:55 < scorche> now shoo
01:56 < taylor_> don't word it like that
02:16 < cmwslw> About the previous discussion with davidc, I just thought of something
02:16 < cmwslw> how would retrieving the unencrypted firmware from the RAM help us at all
02:17 < cmwslw> It would not tell us anything about where the key is and how the firmware is decrypted
02:17 < cmwslw> Unless comparing the encrypted and unencrypted data can yield a key, I see no purpose in this
02:17 < taylor_> thats ture
02:17 < taylor_> *true
02:17 < taylor_> I think
02:17 < taylor_> but if we put in a FPGA
02:18 < taylor_> we can view boot up mem?
02:18 < cmwslw> hmm...
02:19 < cmwslw> that might work
02:20 < cmwslw> and that would solve the problem of not knowing where in the bootrom the processor starts executing
02:20 < cmwslw> but do we even know if the bootrom is copied over to the RAM?
02:21 < taylor_> davidc would be able to map out the specifics of what a FPGA will be able to do
02:21 < cmwslw> why would it need to, if the code is right there
02:21 < cmwslw> ok, well I'm off to bed
02:21 < taylor_> ok see you tomorrow
02:21 < taylor_> ?
02:22 < cmwslw> ok
02:22 < cmwslw> bye
02:22 < taylor_> goodnight
02:23 < taylor_> see ya!
02:23 -!- cmwslw [n=cmwslw@c-68-59-238-111.hsd1.tn.comcast.net] has quit ["Ex-Chat"]
02:29 -!- davidc__ [n=davidc__@S01060002b360aacd.vc.shawcable.net] has quit []
02:29 -!- taylor_ [n=taylor@c-24-91-82-205.hsd1.ma.comcast.net] has quit ["Leaving"]
02:29 -!- site_name [n=email@hlfxns01bbf-142177228061.pppoe-dynamic.ns.aliant.net] has joined #ipodlinux
02:31 < courtc> bahahaha.
02:32 < courtc> nice linux4nano guys. I see you guys really know what you are doing.
02:33 < scorche|sh> ....
02:33 < scorche|sh> heh
02:34 < courtc> scorche: I can see you are a needed voice in here.
02:34 < courtc> "now shoo"
02:34 < scorche|sh> yes
02:34 < scorche|sh> me = snarky
02:34 < scorche|sh> ask Bleullama
02:36 -!- R31D [n=email@hlfxns01bbf-142177228071.pppoe-dynamic.ns.aliant.net] has quit [Read error: 145 (Connection timed out)]
02:55 -!- rvvs89 [n=ivo@pdpc/supporter/base/rvvs89] has quit [Read error: 60 (Operation timed out)]
03:02 -!- bmxr [n=bmxr@S01060018f3b11a22.vf.shawcable.net] has joined #ipodlinux
03:03 -!- _hc [n=hanschri@i-195-137-32-144.freedom2surf.net] has quit []
03:15 -!- _hc [n=hanschri@i-195-137-32-144.freedom2surf.net] has joined #ipodlinux
03:22 < site_name> I have 3rd gen, can I run ZeroSlackr on it?
03:22 < site_name> babo
03:22 < site_name> nano*
03:23 < bmxr> no
03:24 < bmxr> Title says: No progress for 2nd Gen nanos yet, so 3G obviously is a no
03:40 -!- _hc [n=hanschri@i-195-137-32-144.freedom2surf.net] has quit [Read error: 113 (No route to host)]
04:50 -!- xSlack_ [n=brett@173-17-70-78.client.mchsi.com] has quit [Client Quit]
05:18 -!- bmxr [n=bmxr@S01060018f3b11a22.vf.shawcable.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009030423]"]
05:37 -!- rvvs89 [n=ivo@pdpc/supporter/base/rvvs89] has joined #ipodlinux
07:05 -!- Guest618 [n=Guest618@ppp-70-255-107-205.dsl.hstntx.swbell.net] has joined #ipodlinux
07:06 < Guest618> need assistance compiling installer2, linux mint, iPod 5G, getting make errors from installer.cc regarding complexwizard.h
07:26 -!- Keripo4 [n=Keripo@eng422.wireless-resnet.upenn.edu] has quit ["Leaving."]
07:30 < Guest618> will trade my sister
08:13 -!- g4p [n=jp@p4FCE39F4.dip.t-dialin.net] has joined #ipodlinux
08:18 < Guest618> would have helped if I found the ipodlinux page before I found the disk mode page, so I didn't hard reset my ipod and lose all my music
08:19 < Guest618> so far that I've researched, you -can- install IPL/rockbox on 5G but it's unsupported, problem is how to install it though?
08:21 < rvvs89> Guest618: Several ways, easiest is to use http://sourceforge.net/projects/zeroslackr/
08:22 < Guest618> nice
08:22 < Guest618> will try that
08:54 < Guest618> can't detect it
08:54 < Guest618> even in disk mode
08:58 < rvvs89> Confirm your iPod generation at http://ipodlinux.org/wiki/Generations
09:03 < Guest618> oh well that explains a lot of things
09:03 < Guest618> 6G
09:42 -!- Guest618 [n=Guest618@ppp-70-255-107-205.dsl.hstntx.swbell.net] has quit ["iPodLinux rocks!"]
10:56 -!- g4p [n=jp@p4FCE39F4.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
10:57 -!- g4p [n=jp@p4FCE39F4.dip.t-dialin.net] has joined #ipodlinux
11:12 -!- fxb__ is now known as fxb
13:27 -!- g4p [n=jp@p4FCE39F4.dip.t-dialin.net] has quit ["Ex-Chat"]
14:04 -!- taylor_ [n=taylor@c-24-91-82-205.hsd1.ma.comcast.net] has joined #ipodlinux
14:27 -!- rulli [n=raoul@84-73-67-214.dclient.hispeed.ch] has joined #ipodlinux
14:59 -!- taylor_ [n=taylor@c-24-91-82-205.hsd1.ma.comcast.net] has quit ["Leaving"]
15:03 -!- bmxr [n=bmxr@S01060018f3b11a22.vf.shawcable.net] has joined #ipodlinux
--- Log closed Wed Mar 18 15:20:10 2009