I got an iPod for christmas. The ipodlinux project was one of the main reasons for my choice and so I started exploring the iPod as far as I was able to. I patched the bootloader and got some basic code to run but there was no way to access any hardware other than the two CPUs yet. To get the LCD, Clickwheel and the harddisk working we needed to reverse engineer the bootloader in the flashrom. But to do that we first had to find a way to get that code. Seems quite impossible without any knowlegde about the IO-Hardware but I found a solution...

The whole idea started last week when leachbj gave me a piece of code that caused the piezo in the iPod to make some *squeek*-sound. I played around with that code, changed some values and somehow was able to produce different sounds. Just for fun I came up with the idea of using this different sounds for transferring data. Some minutes later I dropped the idea because I thought that just won't work and I won't be able to write a decoder for that. Two days later I woke up and somehow just tried encoding a 32bit value into different beeps. It worked so made a loop around it to dump about 4kb of memory.

The problem with that idea was that I could only transfer 8bit/s. Anyway, I tried writing a decoder and it seemed to work. Well, it didn't really work but it decoded about the first 256 bits correctly. The decoder was some Perlscript that loaded the whole audio into RAM and used about 1GB RAM for a 20MB audio file. It worked ok with some tweaking but still the RAM usage was way to high because if I wanted to dump the whole 64kb I would have an 1200MB audio file or something.

Some ideas came to my mind after thinking about the problems I had. The first one was to use compression so the transfer won't take too long. It would have taken about 45hours with the code we had. With compression maybe only 22h. To solve the memory problem I decided to rewrite the decoder in C that only reads about 96bytes chunks of audio data and then decodes that. Davidc_ helped me with that.

This was the first time I thought I this could really work. Again I played with the piezo code and figured out, how the piezo really works. I was able to produce some more unique beeps. Later I made the beep for 0 (the last bleep you can see in the picture) much shorter so it sounded more like a click. I even managed to make the first bleep shorter so I got about 5byte/s.

When we thought we got the encoder in the iPod with zlib and the decoder working, I decided to try recording the whole dump at night. So I put the iPod in the "iPod Recording Studio" and went to sleep. The iPod is just a cardboard box in which Samsung send me my laptop back. It has foam in it so I thought it would be ideal for recording the bleeping of the iPod. (Move your mouse over the picture.)

The next day I woke up quite early. The first thing I did was looking at the recording. I heard the iPod stopped bleeping so I thought everything went fine. In fact nothing worked at all. I recorded 8 hours full of zeros. Furthermore, the iPod's battery became empty though it was plugged into the USB port of my laptop the firmware wasn't loaded so it didn't request power over USB. So what you can see in the picture is the harddrive spinning down, then the iPod goes off for some minutes and then reboots. The harddriver was spinning during the whole recording session because there was no way to turn it off.

After this I was really disappointed and I dropped the project for the rest of the day but in the evening I tried again with a better decoder. It worked quite well but we weren't able to decompress the file. I concluded that was caused by the malloc() hack and zlib would allocate the same memory twice or something like that. Anyway, I haven't had much sleep that weekend so I was tired and just went to bed and thought about dropping the whole project again. I and davidc_ wrote a really good decoder and we changed the bleeps again but it just didn't work.

On the next day i finally succeeded. I read through sox(1) and came up with some really good filters for removing the noise and the like. I tested that on a 30 minutes record and it really worked. Then I waited the next 8 hours for the record to finish. With yet some more tweaking in the decoder I was able to get a really clean file for decoding as you can see in the picture. I decoded it and finally got the 64kb of the flashrom.

I made some audio files in case you'd like to know how it sounds. The second was recorded in the "iPod Recording Studio" and the first one was rather a test. 1 2

Thanks to leachbj and davidc_ for help :)

Nils "nilss" Schneider

Contact

You can find me on freenode or euIRC or you can contact me by email: nils��a�t��wonderwall��de