Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The iPod 1G Touch was the first version in an amazing line of devices from Apple. So, the author wanted to emulate the device for future generations to enjoy. This was done via a branch of QEMU; in particular, they emulated all of the hardware required for booting and basic functionality.

The first iPod touch was an ArmV6 little endian instruction set. The author attempted to run the BootRom code on the device, but it jumped to code at an address they did not know; the same thing happened to the low level bootloader (LLB). So, they moved onto emulating from iBoot instead.

To understand how iBoot works, they read through the source code of an open source implementation of it then referred back to the raw binary code. From doing this, they were able to figure out how every boots up, hardware components needed and everything else. Eventually, they were able to redirect print statements to the QEMU console.

First, iBoot initializes hardware components, read images from NOR memory, a few other things and finally read kernel images from NAND flash. The NOR image read files, like the Apple logo, and several device properties. The NAND image contains the XNU kernel. Loading the image is not very simple because of NAND drivers containing ohter algorithms, such as ECC, bad block management and other things. The author had to write drivers for reading both the NOR and NAND flash properly.

To get the XNU kernel going, the author had to decrypt the image. iBoot jumps to code that the author did not have at the time to decrypt with a 8900 encryption scheme. They were able to decrypt it in QEMU logic instead. There were other hardware components like the Power Management Unit (PMU) and other things.

The XNU kernel is open source but Apple has their own fork of it. To understand how the system boots up, they were able to look at the open source code for the most part. From MMIO to loading the device tree to 30 different drivers that needed to be loaded correctly. The hardest one was the Flash Memory Controller (FMC), which had no documentation or source code available.

Finally, after this launchd starts up. This is PID 1 or the first process that starts everything else on the device. While launching Springboard (the main UI on the iPod), the device crashes because of a graphics processor trying to be used. While reverse engineering the application, the author learned that the environment variable LK_ENABLE_MBX2D disables the graphics processor. Finally, the home screen appears!

The final step was getting touch screen working. The iPhone simulator simulates touch by converting a click into an (x,y) coordinate pair. The kernel communicates with the Multitouch device SPI. By reverse engineering this protocol and looking at the bus traffic, the author figured out how to inject QEMU window touches into frames for the Multitouch device. This included velocity, (x,y) coordinates, home button and more.

After a few more small changes, such as adding some files that were missing from the stock NAND flash, they were able to get the iPod working in the emulator! There is still much work to be done, including emulating the second generation but this is amazing work. Love the article and the processes that went into getting this working with QEMU.