Previous day | Jump to hour: 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | Next day

Seconds: Show Hide | Joins: Show Hide | View raw
Font: Serif Sans-Serif Monospace | Size: Small Medium Large

Click in the nick column to highlight everything a person has said.
The Logo icon identifies that the person is a core developer (has commit access).

#rockbox log for 2013-08-07

00:04:34[7]well, IDA isn't really designed for debugging roms :)
00:13:15wodzHmm, that makes me think about stepping through rk27xx nand bootloader running in hacked skyeye :-)
00:14:27wodzI need to digg up my notes about this
00:17:31 Join tripper [0] (
00:17:45tripperis amayer on much
00:18:00tripperone of his themes is breaking and I wanted to ask him about it
00:23:31***Saving seen data "./dancer.seen"
00:31:36 Quit wodz (Quit: Leaving)
00:32:57 Quit rdn (Remote host closed the connection)
00:42:08[7]pamaury: damn, it always ends up crashing into the data abort handler somehow if I single step the USB IRQ handler
00:43:56pamauryI think I'm slowly trying to understand how all this works
00:44:18[7]pamaury: look like you're quicker than me then...
00:44:44[7]could you make use of remote access to a GDB'ed clip+?
00:45:03pamauryI have found more or less how the descriptors are generated, I think this will help me to figure out many things
00:45:12pamaurycurrently not
00:48:00 Join sciopat [0] (
00:48:37pamauryI suspect everything is done with classes. For example the mass storage would be something like usb_add_interface(new ums_recover_intf_t())
00:48:37pamauryI'll send you the ida back at some point, so you can have a look if you can
00:49:18[7]pamaury: would a RAM dump of the running state be of any use?
00:50:06 Quit sciopath (Ping timeout: 246 seconds)
00:50:18pamaurycurrently no, I haven't found the addresses of useful stuff. It's incredible how much bookeeping this thing done instead of actually *doing* things
00:51:20[7]pamaury: where's IRAM/DRAM on this one?
00:51:24[7](address and size)
00:52:07pamauryiram is at 0x81000000
00:52:53pamaurydram at 0x30000000
00:53:06[7]dram is 4MB? how much is IRAM?
00:54:12pamauryI think on clip+ there 1MB of IRAM
00:54:37pamauryand on the older versions, 320KB
00:55:07pamaury./configure says clip+ has 8MB of dram
00:55:54[7]ok that's gonna take a while to dump
00:56:03[7]I'll try to correlate it with the mass storage drive contents
00:56:24 Quit sciopat (Ping timeout: 246 seconds)
01:00:44[7]0x30000000 through 0x30800000 is all zeroes :/
01:01:11 Join sciopath [0] (
01:01:19pamauryI haven't find any reference to the DRAM currently
01:01:43[7]so that 4MB drive might after all be flash?
01:01:55[7]wait... 4MB is exactly the size of an eMMC boot area, right?
01:02:12[7]writing was noticably slower than reading
01:06:15pamauryI have no idea how this thing boots and which part we flash when we write the rockbox bootloader
01:06:37[7]who has a clue about that? bertrik?
01:07:44bertrik[7]: the rockbox bootloader is written in the main (big) flash
01:08:14[7]so I guess we have a way to get at the boot area contents from a working one's eMMC somehow?
01:08:42bertrikthe firmware uses the first 0x10000 blocks or so
01:09:19pamaurybertrik: of the user area ? or of the boot area ? does it have a boot area ?
01:09:41[7]hm..... no, the contents of the 4MB drive do NOT stick across a reboot...
01:10:31bertrikpamaury: I don't know if there's a user or boot area, I though there was just one flat internal flash memory, of which the first 32 MB or so is reserved for the OF
01:10:53[7]hm, the data on the drive doesn't read back properly AT ALL
01:11:00bertrikI seem to remember that the reserved area is about twice the size of a firmware upgrade image, perhaps an active firmware and a spare
01:11:05 Quit sciopath (Ping timeout: 246 seconds)
01:11:35bertrikin our sd driver for AMS, we always skip the first 32 MB
01:11:41pamaurybertrik: do you know if the dram needs some init of some kind ?
01:12:11bertrikI don't know, but generally I guess so
01:12:43bertrikwe do some magic write IIRC in the rockbox initcode too
01:13:05bertrikwhich is interpreted by the SDRAM controller
01:13:07[7]ok, so that drive is completely fake
01:13:20[7]if I write it and read it back I just get thousands of copies of the last written sector
01:13:37 Join sciopath [0] (
01:13:40 Join sakax [0] (
01:14:24bertrik[7]: oh, I thought it was consistent at least in between reboots
01:14:36bertrikor maybe that was linux caching?
01:14:54pamauryhaha, I *might* be wrong but apparently the ums interface might expose two vendor specific commands
01:14:58pamaury(control type)
01:15:00[7]straight write and read back with dd returns duplicated last sector data
01:15:07[7]without even disconnecting in between
01:15:42[7]interesting... which ones?
01:15:52pamaury0xfe and 0xff
01:16:00pamaurythat's just a wild at this point
01:16:05[7]that looks like standard USB mass storage stuff
01:16:07bertrikaren't those the microsoft extensions to UMS?
01:16:10[7]get max lun and mass storage reset
01:17:01[7]technically those aren't vendor specific ones but standard ones, addressed at the mass storage interface instead of the device
01:17:04pamauryand I didn't remember these were 0xff and 0xfe control transfers, so that's good :)
01:17:23[7]so you've already located the place where these things are hooked?
01:19:11pamaurymore or less, you won't believe me...
01:19:42*[7] tends to believe absolutely everything given what kind of mess this is
01:20:57pamaurycurrently I have only located the hooks for controls, apparently each "config" (could be device or interface) has a list of "handlers", each "handler" specify the command it handles and the function to call
01:21:19saratoga[7]: the 4MB drive is completely fake
01:21:20[7]kinda reminds me of that IRQ hook list
01:21:52saratogatheres another mode where you get a full 32 MB drive that corresponds to the NAND first 32 MB blocks
01:22:30pamaury[7]: I can give you the adresses but these are mostly useless, control transfers aren't useful
01:22:34saratogano one knows what the purpose of the 4MB drive is, but usually it means the device is broken somehow
01:22:37pamaurywe need to locate the bulk ones
01:22:52saratogathe 32MB one will mount if you short out the NAND pins during power up, once you unshort them it is writeable
01:23:35 Quit sciopath (Ping timeout: 276 seconds)
01:23:56[7]saratoga: hm, this is a NAND or eMMC device? I'm puzzled.
01:24:08saratogaits actually a NAND connected to a sandisk made SD controller
01:24:13saratogasoftware wise it looks like SD
01:24:36[7]so you actually mean the first 32MB of that SD card?
01:24:36bertrik"many clips died to bring us this information"
01:24:38saratogawe actually use the same driver for both the internal and external SD cards
01:24:58saratogayeah its the first 32 MB worth of blocks on the internal SD
01:25:08pamauryoh, so the ams chips does the FTL ?
01:25:19saratogai think its a sandisk chip
01:25:23pamaurylol, that's interesting
01:25:42pamaurythis chip is really amazing, everything you would expect is just not true here
01:25:43bertrikthat made things so much easier with AMS
01:26:07 Quit zu_ (Read error: Operation timed out)
01:26:12[7]saratoga: in case you didn't follow the discussion, I've JTAGed a donated dead clip and we're now looking into what that 4MB drive actually is and if it allows non-jtag recovery of some kind
01:26:25saratogamy theory about the 4MB drive is that when Sandisk customized the AS3525, parts of the original ROM were left in place but not necessarily working, hence when the device is bricked you can end up in the original ROM and get that 4MB drive (or the working 32 MB drive)
01:26:48saratoga[7]: just caught up, I saw the JTAG, but thought you were looking at the internal ROM on the device?
01:27:10[7]we're disassembling the internal ROM to figure out what that 4MB thing is
01:27:13pamaurythere is only one ROM on that thing, right ?
01:28:01saratogayeah, its built into the AMS chip
01:28:04saratoga128KB IIRC
01:28:22pamauryyes that's it
01:28:36[7]saratoga: so you say you can't reach this 4MB drive state by just overwriting the first 32MB?
01:29:26saratoga[7]: i think you end up with the 4MB state if the internal memory is corrupted badly enough
01:29:43saratogathe 32MB state seems to happen if the NAND itself fails to talk to the controller during boot
01:29:57saratogaso i think a software problem means the 4MB one, and a hardware problem the 32 MB
01:30:03saratogaat least thats what people in the forums report
01:30:04 Join zu [0] (
01:30:08[7]I wonder if I should try booting the OF on this dead one
01:30:10bertriksaratoga: or perhaps if some checksum fails
01:30:13[7]just to see if it works
01:30:30saratogapeople have bricked their players flashing a bad firmware and got the 4MB ROM, then shorted the NAND chip and got the 32MB, then copied over a good firmware and recovered a working player
01:30:39saratogayes a checksum would make sense
01:31:06saratoga"4MB ROM" => "4MB disk" (no idea if its actually a ROM or even anything at all)
01:31:12saratogaanyway, have to step out for a minute
01:31:18saratogawill check back
01:40:19 Quit Raptors (Ping timeout: 248 seconds)
01:42:35 Join Raptors [0] (
01:47:08 Quit Raptors (Ping timeout: 246 seconds)
01:48:18 Join Raptors [0] (
02:02:56 Quit bertrik (Ping timeout: 256 seconds)
02:05:49[7]hm, the instructions on fail
02:06:12[7]one reason for that is that they expect code to be execuring from RAM, however in my case ROM is still mapped to address 0
02:08:30 Quit lebellium (Quit: ChatZilla [Firefox 23.0/20130729175331])
02:09:48pamaury[7]: there is a register to change the memory map iirc
02:09:58[7]yes but that didn't help either
02:09:59funmanwhat are you guys doing?
02:10:07[7]i.e. remapping worked, but it didn't boot regardless
02:10:20[7]funman: trying to figure out what's the matter with that AMS 4MB mode
02:10:42funmani could never make any sense of it
02:10:42[7]I have JTAG'ed a 4MB mode clip+ that someone donated
02:10:55[7]so we can finally have a peek into the inside of it :)
02:11:07funmannice :)
02:11:34funmandid you find SDRAM init code?
02:12:10[7]it looks like the bootrom doesn't use SDRAM, which was kinda to be expected
02:12:16[7]sdram address space reads as all zeros
02:12:28funmanOF is loaded in SRAM
02:14:14pamauryI'm disassembling the bootrom currently
02:15:23[7]funman: how much IRAM does the clip+ have?
02:15:30funman[7]: what is mapped at 0?
02:15:42[7]I get a data abort trying to read from 0x81039000
02:16:17[7]funman: rom is mapped to 0 in that state, but it executes from 0x80000000
02:17:10funman[7]: try 0xc1039000
02:17:12[7]hm, interesting... tried a second time, didn't get a data abort
02:17:40funmanin as3525v2.h : #define IRAM_SIZE 0x100000
02:17:59 Nick SuperBrainAK is now known as DormantBrain (
02:18:15funmanthe bootrom remaps IRAM at 0x0
02:18:53funmanhmm maybe not on clip+,
02:19:19[7]I wouldn't expect the rom to differ within an SoC series
02:19:34[7]maybe it remaps it before executing the firmware, but not before entering this recovery mode
02:20:38[7]pamaury: the pattern that I get when reading from the mass storage drive appeas in IRAM at 0xec6c0
02:20:42pamauryThe bootrom I have set remap bit
02:20:53pamauryit the clip+ one
02:21:08 Quit froggyman (Ping timeout: 245 seconds)
02:21:50funmanclip+ OF starts with iram at 0x0
02:22:10[7]0xc8100008 reads 0x00000002 in the state I captured it in (i.e. sitting in that while(true); loop)
02:22:35funmanit's read only
02:22:52[7]nah, bit 1 is read only, not bit 0
02:22:57funmanDefault : GPIOC(0)
02:23:06funmanah yes
02:23:32***Saving seen data "./dancer.seen"
02:23:36funmancan you upload rb bootloader to IRAM and set bit 0 ?
02:23:52[7]if you have a binary for me, sure
02:24:43[7]rockbox boots with CPSR=0x600000D3 (supervisor mode, IRQ/FIQ disabled) I assume?
02:24:50[7]and caches disabled
02:25:20funmaniirc yes
02:26:19 Join froggyman [0] (~froggyman@unaffiliated/froggyman)
02:27:18[7]funman: so where can I get a bootloader binary that should work?
02:30:18[7]ATA error -2 :)
02:30:32funmannot bad
02:31:00funmanstorage_init returns -2
02:32:02funmanthis means the 'card' (internal storage) timeouts when reading OCR
02:32:24funmanmaybe we could make a bootloader that loads from SD slot
02:32:50funmanfirmware/target/arm/as3525/sd-as3525v2.c +511
02:33:00[7]I've now halted it in the state where it displays the ata error so that we can look at regs
02:33:16funmannot sure if regs would help
02:33:35funmanIMO you should play with SD commands
02:33:54funmanbootloader.bin is created when building clip+ bootloader btw, no special command
02:33:55[7]well access to SD controller regs is playing with SD commands :)
02:34:05funmanbut controller looks ok
02:34:31funmanwe don't get errors when sending commands
02:34:46funmanit's rather that the storage doesn't respond to our commands
02:35:12funmanlet me try something
02:39:58[7]so I guess that needs a microsd card?
02:40:30[7]hm, can you build a binary from that? I don't even have the RB toolchain set up right now
02:40:38funman actually builds
02:41:13funmanjust put any usd card and see if the boot progresses further
02:41:46funmanmy patch might be horribly wrong
02:43:39funmanit might have been enough to force GPIOB_PIN(5) to 0 in send_cmd
02:43:45 Quit wipt (Ping timeout: 260 seconds)
02:43:53[7]file not found => bootloader USB mode :)
02:44:04funmandoes it mount?
02:44:36[7]well it attached to USB at least
02:44:47[7]it probably has a 32MB offset now, so it doesn't find any partitions
02:44:56funmannah there should be no offset
02:45:13funman /* skip SanDisk OF */
02:45:13funman if (drive == INTERNAL_AS3525)
02:45:13funman start += AMS_OF_SIZE;
02:45:27funmanbut i force drive to SD_SLOT_AS3525
02:45:34funmanxxd /dec/sdc|head ?
02:45:53[7]hm it says no media present
02:45:55funmanmight be worth to dd some data and then check with a real card reader
02:47:08 Quit yosafbridge (Ping timeout: 256 seconds)
02:47:20[7]I'm wondering if the USB mode picks the right card
02:47:30funman :
02:48:52 Join yosafbridge [0] (
02:48:58 Quit advcomp2019__ (Ping timeout: 268 seconds)
02:49:04funman :
02:49:40[7]the first one is ata error 2 again
02:50:14[7]the second one again
02:51:14funmanhmm which ams_variant do you have?
02:51:30[7]clip+, whatever that is
02:51:40funmanthere are 2 variants
02:51:48[7]how do I tell?
02:52:05funman GPIOB_DIR &= ~(1<<5);
02:52:05funman amsv2_variant = !!GPIOB_PIN(5);
02:52:39[7]hm... addresses? ;)
02:53:19funman :
02:53:37funman#define GPIOB_DIR (*(volatile unsigned char*)(GPIOB_BASE+0x400))
02:53:43funman#define GPIOB_DATA (*(volatile unsigned char*)(GPIOB_BASE+(0xff<<2)))
02:53:49funman#define GPIOB_BASE 0xC80C0000
02:55:27[7]amsv2_variant is zero then
02:55:35[7]0xc80c0400: 00000045
02:55:35[7]0xc80c03fc: 000000c4
02:55:35[7]0xc80c0080: 00000000
02:55:47funmanlast binary should work better then
02:56:17[7]yes, it mounted :)
02:56:51funmannow the same patch should be applied to main rockbox but revised a bit to disable internal storage
02:57:41pamaurywhat does this patch do ?
02:57:53[7]I just tried, it successfully boots the main binary from the microsd card
02:57:56funmansend commands to uSD controller
02:58:11funman[7]: hmm can you browse?
02:58:21[7]no, it dies with ata error -2 again
02:58:28funmanoh of course
02:58:38funmanlet me build main binary with that same patch
02:58:53pamauryhum, but does the main binary knows how to talk to the uSB already ?
02:58:58[7]anyway, looks like we're dealing with a screwed up FTL here
02:59:08funmanpamaury: sure
02:59:12funmanuSD slots always worked
02:59:20[7]I wonder how that controller chip behaves if the nand isn't accessible, it probably recreates all internal structures as it becomes accessible again?
02:59:30pamauryah ok,
03:00:01pamaurymaybe the controller has some magic commands
03:00:50funman :
03:04:34[7]OK, I can browse files now
03:04:39[7]quite interesting
03:04:48funmanplay some mp3!!!
03:04:49[7]this is mounted as both internal and external storage now :)
03:05:07funmanmy patch might need some work
03:05:12funmandid you take first or 2nd version ?
03:05:19[7]the second one, didn't try the first
03:05:29funmani thought that one would only mount once
03:05:55[7]well the file browser displays .rockbox and <microSD1> containin another .rockbox
03:06:06[7]could possibly be just aliased and not actually mounted twice of course
03:06:38[7]anyway, we know who's the culprit on this particular device. now how do we fix it? :)
03:07:05funman0 clue
03:07:21funmanyou could try to solder some wires directly to the NAND
03:07:52[7]I'm less concerned about this particular device than about finding a general, real solution for this kind of problem
03:08:15[7]which would mean 2 things: a way to boot through that 4MB drive, and a way to tell that SD controller chip to reinitialize the NAND
03:08:43[7]could possibly that this one is just bricked even worse than some others... IIRC it failed to respond to the "unbrick pin" trick
03:08:45funmani'd guess NAND is just broken at that point
03:08:47pamauryI can do the first one, but for the second it's unlikely the bootrom help in any way
03:09:16[7]I should probably double check if I can unbrick this one the other way
03:13:03funmancan you put a breakpoint in JTAG when the bootrom initializes the internal storage?
03:13:33[7]I can, if you tell me where that is :)
03:13:45funmanif you send me your boot rom i will
03:13:54[7]I could also try setting up a memory access breakpoint
03:14:14funmangtg.. good luck with this
03:15:20[7]that's the rom from that particular device
03:15:56[7]funman:"> is the ida database
03:16:12[7]but pamaury has already worked on improving that, so you might be more interested in his one
03:16:33funman"Please use newer version of IDA"
03:16:54[7]that's an ida 5.5 database
03:17:01[7]my ida was complaining that it's too old :)
03:17:06funmani use 5.2
03:17:14*[7] uses 6.1 these days
03:23:25pamaury[7]: this is looking good, I now have a much more solid understanding of that thing
03:41:06 Join Scr0mple [0] (~Simon@
03:41:32[7]now what kind of awards should we give that bootrom?
03:42:58pamaurythere are so many we couldn't count them
03:43:02funman[7]: 0x80012C40 sets MCI_CTRL |= INT_ENABLE and MCI_PWREN = 1<<1
03:43:30 Quit Scromple (Ping timeout: 260 seconds)
03:43:34funman0x12ca4 : writes MCI_CTRL 0x12ca8 : writes MCI_PWREN
03:44:11funmanthe code is not identical to my disassembly of clipv2 OF though
03:45:04*funman gone
03:45:22*[7] as well
03:47:48*pamaury too will go to bed
03:57:58 Quit Marex (Ping timeout: 260 seconds)
03:57:58 Quit uwe_mobile (Ping timeout: 260 seconds)
03:58:14pamaury[7]: funman: I found all the scsi requests of the bootrom. As far as I can tell it has the same one as our stack + verify 10 and format unit (might be useful). And it is possible that it has an additional 3 vendor specific commands at 0xD0, 0xD1 and 0xD2 (still unsure, need more disassembly)
03:58:26 Join uwe_mobile [0] (
03:58:30 Join Marex [0] (~Marex@
04:01:48 Join ungali [0] (~yaaic@
04:05:50saratogavery neat
04:09:02 Quit pamaury (Ping timeout: 240 seconds)
04:09:23 Quit olspookishmagus (Quit: All for nothing)
04:15:51 Quit amiconn (Disconnected by services)
04:15:52 Quit pixelma (Disconnected by services)
04:15:52 Join pixelma_ [0] (pixelma@rockbox/staff/pixelma)
04:15:52 Join amiconn_ [0] (amiconn@rockbox/developer/amiconn)
04:15:54 Nick pixelma_ is now known as pixelma (pixelma@rockbox/staff/pixelma)
04:15:57 Nick amiconn_ is now known as amiconn (amiconn@rockbox/developer/amiconn)
04:23:34***Saving seen data "./dancer.seen"
04:56:21 Join Strife89 [0] (
05:00:19 Nick plop is now known as gurgle (
05:00:29 Nick gurgle is now known as fizz (
05:00:38 Nick fizz is now known as BOOM (
05:00:43 Nick BOOM is now known as x56 (
05:00:43DBUGEnqueued KICK x56
05:03:57 Quit Strife89 (Ping timeout: 276 seconds)
05:16:52 Join Strife89 [0] (
05:37:37 Quit [7] (Disconnected by services)
05:37:46 Join TheSeven [0] (~quassel@rockbox/developer/TheSeven)
06:00:51CtcpIgnored 1 channel CTCP requests in 0 seconds at the last flood
06:00:51*[Saint] applauds the work done here last night
06:01:10[Saint]You awesome bastards.
06:01:22[Saint]The scrollback was a highly interesting read.
06:15:03saratogathe AS3525 datasheet does mention a USB firmware update mode if the main storage can't be read
06:16:13[Saint]so, if I read correctly - assuming the hardware is good, we can now breath some life back into these bricked devices?
06:16:22saratogano idea
06:16:36saratogaperhaps that is the USB people see when the NAND is shorted
06:17:35[Saint]well, from what I read, that magnificent bastard managed to get a Clip booting from the sdcard from the "4MB" state.
06:17:54saratogayeah but with JTAG
06:18:01saratogaso unless you're going to do a lot of difficult soldering
06:18:11saratogaa better solution would be nice
06:19:15*[Saint] often forgets that Johnny Normal will flinch at hand soldering JTAg and almost certainly don't have a wiggler lying around.
06:22:36 Join kevku [0] (~kevku@2001:470:27:773:0:feed:c0f:fee)
06:23:37***Saving seen data "./dancer.seen"
06:37:36 Quit ungali (Quit: Yaaic - Yet another Android IRC client -
07:05:25[Saint]I just tried out,43307.msg220177.html#msg220177
07:05:40 Quit sakax (Quit: Leaving)
07:06:07[Saint]and there is indeed a rather audible click/thump
07:14:27 Quit saratoga (Quit: Page closed)
07:29:15 Join sciopath [0] (
07:30:33copperI can't solder
07:31:00copperI don't understand how I'm supposed to make a teeny tiny soldering job with a big fat iron… thingy
07:31:15coppereh, soldering iron
07:31:32 Join mortalis [0] (~kvirc@
07:31:46copperI flunked the soldering class at school
07:44:36 Join saratoga [0] (123e1c0a@gateway/web/freenode/ip.
07:45:44saratogacopper: use a sharp soldering iron, use flux, heat the parts you want to solder, then touch the solder to the fluxed surface, it'll be sucked up and coat the flux.
07:47:19[Saint]for the really fine stuff, I use a heat torch.
07:49:32copperalso, unless you have a big house in the 'burbs or whatever, I suspect most people living in appartments don't have a soldering iron with a workspace for doing that sort of thing
07:50:52saratogawell i have an entire laboratory for this kind of thing but it only takes a square foot or two of table space to solder
07:51:23copperAre you an electrical engineer?
07:51:47[Saint]I often solder at my desk, I just shift the laptop off.
07:52:08[Saint]it requires only as much space as whatever you're working on, really.
07:58:48 Quit saratoga (Ping timeout: 250 seconds)
08:07:43 Join WeDOS [0] (
08:08:38WeDOSanyone alive?
08:09:04WeDOSi was wondering can i put my iPod Classic 160GB into diagnostics mode somehow? i'm using freemyipod to boot Rockbox.
08:09:16WeDOSi have bad blocks on the harddisk :/
08:09:42WeDOSi was wondering about something like that... after freemyipod i can't use "normal" firmware.
08:09:59WeDOSbut can i use Linux or Windows to format the drive and do read/write test to map the bad blocks?
08:10:07[Saint]No, you can not.
08:10:15[Saint]re: diagmode.
08:10:31[Saint]You can certainly use a host OS to do so, though.
08:11:14WeDOSLinux has atleast command called bad blocks
08:11:27WeDOSis it possible (easy?) to exchange iPod Classic HD?
08:11:38WeDOSi just love the hardware with Rockbox
08:11:42[Saint]Possible? Yes. Easy? No.
08:12:12[Saint]It is rather non-trivial to disassemble the Classics.
08:12:13WeDOSi wonder what Apple seller would say if i would return it to repairs?
08:12:36WeDOSwhat do you mean?
08:12:38[Saint]This is the 6G "fat" one, yes?
08:13:16[Saint]Yeah, those are known to crap their discs out I believe.
08:13:19WeDOSi was also wondering that if i'll buy a new MP3 player are there any recommendations for durable MP3 player i can use Rockbox with?
08:13:30WeDOS[Saint]: i've also understood so...
08:13:43[Saint]Regarding what I mean, it isn't particularly easy to disassemble the Classic series.
08:14:02WeDOSi wonder what new drives cost and what kinda drives they are?
08:14:09[Saint]The older (non-Nano/Touch) iPods are very easy to service.
08:14:12WeDOSmaybe i just better buy a new player
08:14:15[Saint]The Classics, not so much.
08:14:20[Saint]But its still possible.
08:14:28WeDOS[Saint]: everything is possible :)
08:14:36[Saint]ifixit has very nice teardown instructions.
08:14:47WeDOSany recommendations for a new MP3 player?
08:15:06[Saint]Depends on your requirements.
08:15:12WeDOSlargeish HD
08:15:17[Saint]I happen to think the player you have is one of the best on offer.
08:15:24WeDOS32GB would probably be enough
08:15:27[Saint]I also have several.
08:15:32[Saint]They're great.
08:16:11[Saint]If 32GB is enough, you might want to look at the Clip+/Clip Zip or possible Fuse+
08:16:46[Saint]But, personally, I'd rather keep the Classic. :)
08:16:57[Saint]Put an mSATA SSD in there. :)
08:18:38[Saint]I have one with a 64GB SSD, and the (rather large at 850mAh) battery in the "fat" Classic lasts forever.
08:19:04[Saint]I'd like to put a larger disc in, but, cost.
08:19:43[Saint](even though I could get at least double the capacity now for what I payed for it then...)
08:21:30WeDOShow much is 64GB SSD disc about?
08:21:44WeDOSlargeish HD
08:22:04WeDOSdunno if Clip+/Clip Zip or Fuse are available in Finland
08:23:13copper[Saint]: why did you assume he has the "fat" iPod?
08:23:14[Saint]I payed around $300NZD at the time, a long while ago, they're less than half that now.
08:23:28copperthe fat one is the older one
08:23:30[Saint]copper: 160Gb and disc trouble. :)
08:23:39***Saving seen data "./dancer.seen"
08:23:42copperI have 160GB and it's the thin one
08:24:09[Saint]160GB+disc issues==fat Classic is a pretty good guess.
08:28:51WeDOSbut how do i reformat the player with badblock mapping enabled?
08:28:57WeDOSmkfs.vfat on linux?
08:29:00copperWeDOS: I'm very happy with my Fuze+ and a fast 64GB microsdxc card
08:29:09WeDOSthere's also program called badblocks
08:29:51copperWeDOS: mkfs.vat -l: "Read the bad blocks list from filename"
08:30:14 Join Zagor [242] (~bjst@rockbox/developer/Zagor)
08:30:28copperand I guess "badblocks -o filename"
08:36:35[Saint]latter before the former.
08:39:34 Quit WeDOS (Ping timeout: 245 seconds)
08:39:52 Join WeDOS [0] (
08:48:11WeDOS[Saint]: so i should just run Rockbox and map the badblocks?
08:48:20WeDOSand mount it normally or in some DFU mode or sumthing?
08:48:56[Saint]DFU mode won't help here, no.
08:49:49WeDOSso just normal Rockbox mode
08:49:59WeDOSiPod is seen in Linux as mass storage
08:50:11WeDOSi'll check if mkfs.vfat has badblock scan ability
08:50:27WeDOSnot that familiar with little weirder commandline options
08:52:44WeDOShas some info
08:53:04[Saint]badblocks -b block_size -o output_file /path/to/device && mkfs.vfat -l output_file_from_badblocks /path/to/device
08:53:09[Saint]should suffice.
08:54:15[Saint]though I believe you can do "mkfs.vfat -c" to do essentially the same thing.
08:54:15WeDOSFor comfortably passing badblocks error output to the filesystem it has to be written to a file.
08:54:18WeDOS# badblocks -wsv -o /root/<badblocks.txt> /dev/<device>
08:56:19[Saint]you do NOT want -w
08:56:30[Saint]...unless you don;t care about the data on the device.
08:56:52 Join DexterLB [0] (~dex@
08:56:55[Saint]I'm assuming you don't, but, in case you need to backup - do that first.
08:57:26WeDOSi've done it already
08:58:15[Saint]that's cool. -w isn't safe if you want to keep data, just checking. :)
08:58:32[Saint]-n is used in that instance.
08:59:19WeDOShow about i should target it directly to /dev/sdb
09:01:54WeDOSofcourse :)
09:01:58WeDOSit's running now
09:02:03WeDOSi guess it'll take a LONG time
09:03:08[Saint]it will, yes.
09:04:20 Join LinusN [0] (
09:05:19WeDOS1% done
09:05:24WeDOS3min 49sec gone
09:05:47WeDOSso under 400minutes
09:05:52WeDOShopefully :)
09:06:17[Saint]it doesn't quite work that way. Some blocks will require multiple passes.
09:16:30WeDOSalready 4,46% and 14min
09:16:43WeDOSi really like this player though
09:16:53 Quit DexterLB (Quit: So long and thanks for all the fish)
09:16:54WeDOSso i should probably get someone to replace the drive with SSD
09:18:24WeDOSwhy there isn't bad block mapping built in for Rockbox?
09:18:29WeDOSlike format with -c
09:19:06 Join Guest97565 [0] (
09:20:43[Saint]because a host is much better suited for this.
09:22:03[Saint]There's nothing against anyone making a disc scan plugin, but there's no desire to have this functionality in-core.
09:24:01 Nick DormantBrain is now known as SuperBrainAK (
09:24:08 Join rdn [0] (
09:27:17 Join petur [0] (~petur@rockbox/developer/petur)
09:33:01 Nick SuperBrainAK is now known as DormantBrain (
09:35:18WeDOSmkfs.vfat -l badblocks.txt /dev/sdb
09:35:25WeDOSshould do the filesystem after the check
09:52:06 Quit froggyman (Ping timeout: 264 seconds)
09:53:26 Join froggyman [0] (
09:53:31 Quit froggyman (Changing host)
09:53:31 Join froggyman [0] (~froggyman@unaffiliated/froggyman)
09:55:14 Join wodz [0] (
09:58:26wodzpamaury: (log) in hwstub whats the usage of usb_drv_configure_endpoint()? I thought the stub uses ctrl transfers only but it tries to setup bulk and interrupt endpoints
10:02:26 Join einhirn [0] (
10:11:15 Quit AlexP (Ping timeout: 264 seconds)
10:21:05wodzpamaury: (log) I cannot make rk27xx enumerate with hwstub. I get device descriptor read/64, error -110 in dmesg. Any hints?
10:23:43***Saving seen data "./dancer.seen"
10:33:47 Join lebellium [0] (
10:49:41 Quit wodz (Quit: Leaving)
10:50:04 Join bertrik [0] (~quassel@rockbox/developer/bertrik)
10:55:49 Quit WeDOS (Ping timeout: 240 seconds)
10:56:26 Join WeDOS [0] (
11:13:59*bertrik is reading the backlog regarding last nights experiments with the AMS 4MB "bricked" mode
11:14:22[Saint]very interesting indeed.
11:21:15 Quit [Saint] (Remote host closed the connection)
11:22:21 Join [Saint] [0] (~saint@rockbox/user/saint)
11:36:52TheSevencopper: I used a $10 12V 7W mini soldering iron for this
11:38:12TheSevenhm, ipod classic diagmode is another thing we should take care of
11:38:44TheSevenand a read/write test won't behave well on broken ipod drives
11:39:07TheSeventhere's a reason I've wrote hddscan2, and it's mainly buggy firmware
11:39:43 Quit WeDOS (Ping timeout: 246 seconds)
11:42:00TheSevenand i think rockbox locks up on the classic when it hits a bad block?
11:42:03mortaliswodz: pamaury: HID doesn't have any an influence for me. Sometimes transfer fails right after connect, and I'm not able to run tests. Few times transfer of 1G was successful, but usually it's not.
12:03:49 Quit thegeek_ (Ping timeout: 264 seconds)
12:11:19 Join wodz [0] (
12:21:37 Join Dexter_LB [0] (~dex@
12:22:02 Quit Dexter_LB (Client Quit)
12:22:13 Join DexterLB [0] (~dex@
12:23:46***Saving seen data "./dancer.seen"
12:34:32 Join pamaury [0] (~quassel@rockbox/developer/pamaury)
12:36:50 Quit [Saint] (Remote host closed the connection)
12:37:57 Join [Saint] [0] (~saint@rockbox/user/saint)
12:38:29 Join ender` [0] (
12:38:53pamaurywodz: usb_drv_configure_endpoints is probably a leftover from rockbox
12:39:25pamauryTheSeven: I found all the callbacks for scsi transfers in the bootrom
12:39:39pamaurymaybe the format_unit could help
12:39:55TheSevendid you find the REAL callbacks or just these wrappers of wrappers of wrappers?
12:41:02TheSeventhere's this weird function at 80C8 which seems to somehow defer a SCSI command, but I haven't figured out where this actually ends up yet
12:41:32pamauryDon't know yet, we'll see
12:42:50pamaurydid you last my last comment after you left ?
12:43:01TheSevenI have a feeling that 9734 might be the one who picks up these deferred commands, but it does so many indirect calls that I couldn't really figure out
12:43:40TheSevenyes, I saw that
12:43:52TheSevenI'm wondering why these handlers are being registered in a different place though
12:44:43pamauryoh, the callback stack of the read_10 handler only has 4 functions I don't know about ^^ could be worse
12:44:53funmanTheSeven: btw could you write data on the usb interface of this 4MB mode, and try to find where it landed in RAM?
12:44:57pamauryI have no idea what are the parameters though
12:44:57funmanor IRAM
12:45:10TheSevenhm, they're registered not too far apart actually...
12:46:56pamauryTheSeven: you can have a look, at 0x8000B290 that's the READ(10) handler
12:48:37wodzpamaury: what about descriptor read/64, error -110, where to start looking?
12:49:13TheSevenwodz: I'm spotting some data that I wrote at 0x810ec8be
12:49:34pamaurywodz: broken control transfer, could be anything. I should really have a go with the usb analyser
12:49:34TheSevener, 0x810ec8c0
12:49:44wodzTheSeven: this is not message for me most probably
12:50:14TheSeven0x810ec6c0-0x810ecbbf actually
12:50:24TheSevener, funman: ^
12:51:25TheSevenwodz: your message typically means "device didn't respond at all to the very first request, kept sending NAK for several seconds"
12:51:48TheSevenso it might actually mean that your USB stack didn't receive the request in the first place
12:52:28wodzok, gonna setup backligh so I will have minimal feedback
12:52:48TheSevenpamaury: that function is just such a "defer this scsi command" thing
12:53:17TheSevenpamaury: all of those call 80c8 somewhere with the command number, which writes it at offset 0x10 in some structure
12:54:16TheSeventhey also load another handler address and store it at offset 0 in that structure/object
12:54:48TheSeventhere's a handler for each command, but they're 100% identical, duplicated code
12:55:11TheSeventhey all call 9734 and then possibly free up some object
12:55:28TheSevenand I haven't managed to track down what 9734 does yet
12:56:09*TheSeven wonders how pamaury keeps analyzing this weird code so quickly
12:57:34 Join bluebrother [0] (~dom@rockbox/developer/bluebrother)
12:59:00pamauryI think I need to analyse more of the usb core driver, currently I haven't figured out where the transfer functions are
12:59:17pamauryI *only* have the generic usb part
12:59:42 Quit fs-bluebot (Ping timeout: 245 seconds)
12:59:48TheSeventhe functions which check the CBW signature and write the CSW signature are easy to locate
13:00:43 Quit bluebrother^ (Ping timeout: 260 seconds)
13:00:59 Join fs-bluebot [0] (
13:02:09TheSevenpamaury: I'm fairly certain that the call at F752 ends up sending a bulk packet. but I have no idea how you manage to track those calls :)
13:02:42pamauryTheSeven: out of curiosity could you try to reformat your unit using the sg_* tools (ie send FORMAT_UNIT) ?
13:02:54pamaurysg_format <dev> I think
13:03:39TheSevennot yet
13:03:43TheSevenlet me try
13:05:54TheSevenhm, sg_format sends an inquiry first that the device doesn't understand
13:06:22TheSeven"mode_page 1 not supported?"
13:06:30pamaurydamn, can you send a raw SCSI command ?
13:08:12bertrikso, the 4MB mode allows access to IRAM, right? To be useful as a debug mode, you also need something like "run from address X", could it be that the unidentified 0xD0/D1/D2 commands do that?
13:08:40pamaurysg_raw <dev> 0x4 x 0 0 y
13:08:47TheSevensudo sg_raw /dev/sdc 04 00 00 00 00 00 gets me a "SCSI status: Good" immediately
13:09:23TheSevenbertrik: so far we haven't identified a way to access a significant portion of IRAM through it. what we spotted looks more like a transfer buffer
13:09:44pamaurygood, at least one command which format !
13:10:01pamaurynow can you retry to read the internal storage with rockbox ?
13:12:04TheSevenstill ata error -2
13:14:05 Join maruk [0] (
13:14:15pamaurybelieve or not but I'm beginning to like this bootrom; I mean it's crazy to program it this way, for a rom, but it's elegant and consistent, you can see the pattern of the programmer
13:19:10TheSevenwell, IF you can spot one...
13:19:46TheSevenhow do you figure out which of those dozens of object pointers being passed around refer to the same thing?
13:21:42pamaurymethod ^^ I create tons of structures and type each one I spot a new and I slowly give meaning to them. The trick is to identify the constructors
13:24:37TheSevenbut how can you track WHICH one of those structs will be passed into a function as the "this" (r0) argument?
13:25:40pamauryfor a random function you can, you need to track everything from the constructors, that's the only way
13:25:44pamaury*you can't
13:26:35TheSevenso you have to follow the full control flow between the constructor and the function that the object is passed into. which can get even more funny if that object is stored into another object in between.
13:27:09 Quit Strife89 (Ping timeout: 246 seconds)
13:27:22pamauryyes exactly, and this using constructors are called in other constructors, you end up with the big hierarchy of objects lying in each other
13:27:50*TheSeven guesses that pamaury has actually written C++ code before :)
13:27:53pamauryit gets more difficult when you have inheritance
13:29:58 Quit bzed (Remote host closed the connection)
13:30:12pamauryYou know i've disassembled all the weird models of microsoft like COM which make C++ look like it's super easy at times ^^
13:30:22 Join bzed [0] (
13:36:51funmanTheSeven: 5 * 256bytes buffer?
13:39:07pamauryah, nightmarish code: intf_desc->config_desc->dev_desc->obj->string_manager->do()
13:40:42funmanpolymorph boot rom? :)
13:40:52funmancode doesn't need to be encrypted to be undecipherable!
14:05:49 Join thegeek [0] (
14:23:50***Saving seen data "./dancer.seen"
14:35:10 Join amayer [0] (
15:40:52 Quit Zarggg (Quit: Zarggg)
15:53:41TheSevenpamaury: I've tried to track down where it parses the scsi requests
15:54:07TheSeventhere is this function which is registered as a handler to the various commands which stores the command number somewhere
15:54:28TheSeventhat number is read back only in two code locations
15:54:49TheSevenboth just use it to determine the size of the command, and don't use the command value themselves
15:54:58TheSevenso I must be missing something somewhere
15:57:04 Quit shamus (Read error: Connection reset by peer)
15:57:26 Join shamus [0] (
15:58:05 Quit Guest97565 (Ping timeout: 264 seconds)
15:59:45funmanare there no calls/access to IRAM?
16:02:22 Join Guest97565 [0] (
16:04:46 Join Rower [0] (
16:06:36pamauryTheSeven: can't help you, currently I'm lost in the high level objects of the usb driver
16:10:29amayertripper: ping
16:23:53***Saving seen data "./dancer.seen"
16:37:54 Quit [Saint] (Read error: Connection reset by peer)
16:39:01 Join [Saint] [0] (~saint@rockbox/user/saint)
16:49:21TheSevenpamaury: that function which registers all of those scsi handlers, could it be that this one is being run for every single request, timer IRQ or something else?
16:49:41TheSevenmy debugger says they're re-registered dozens of times per second
16:50:46pamauryI cannot currently, the suggest this is cached
16:50:57pamaury*cannot tell *the code
16:56:36TheSevenpamaury: can you send me your current IDB?
16:58:17pamauryI fear it won't be terribly using at this point
16:58:58TheSevenwe really need an open source IDA + collabREate :)
16:59:12pamauryyes, definitely
16:59:38pamaurybut writing ida from scrath...well that's a massive task
17:04:06TheSevenI wonder what happened to the EDA project
17:04:54 Quit einhirn (Quit: Miranda IM! Smaller, Faster, Easier.
17:05:43wodzwhat I would really like to see is a mix of ida and emulator
17:06:13wodzits f*** frustrating to track all regs changes by hand
17:06:33TheSevenwell IDA + JTAG kinda solves this :)
17:07:08wodzrk270x doesn't have JTAG port (or at least that is what doc says)
17:09:19TheSevenhm, last commit on EDA was 4 years ago
17:11:21pamaurythe way I see it, you would have to start something, fail to learn what is necessary and restart, probably in loop
17:11:51pamaurybuilding a generic disassembler core is not trivial, depending on where you want to put the logic
17:17:59 Part LinusN
17:42:03 Quit petur (Quit: Nettalk6 -
17:57:48 Quit Scr0mple (Read error: Connection reset by peer)
17:57:55 Join Scromple_ [0] (~Simon@
18:04:27 Quit Zagor (Quit: Clint excited)
18:16:21 Quit nosa-j (Ping timeout: 256 seconds)
18:19:48 Join nosa-j [0] (~m00k@
18:23:55 Join y4n [0] (~y4n@unaffiliated/y4ndexx)
18:23:57***Saving seen data "./dancer.seen"
18:29:06 Part maruk
18:33:13 Quit gevaerts (Ping timeout: 264 seconds)
18:35:01 Quit nosa-j (Ping timeout: 240 seconds)
18:36:19 Join nosa-j [0] (~m00k@
18:41:29 Quit Rower (Quit: Hmmm...)
18:42:06 Join gevaerts [0] (~fg@rockbox/developer/gevaerts)
18:43:17 Join Rower [0] (
18:45:20TheSevenafter soldering a jumper to these unbricking pins the jtag interface refuses to work :/
18:45:28TheSevenI should really have glued that down
18:46:19TheSevencan't spot anything by visual inspection...
18:52:08 Quit mortalis (Quit: KVIrc 4.3.1 Aria
18:54:03pamauryTheSeven: I'm getting closer, I have all classes except one from the way down to endpoint descriptor to the irq handler
18:55:18pamaurytime for a break
18:57:20 Join AlexP [0] (~alex@rockbox/staff/AlexP)
18:59:04pamauryTheSeven: can you recall me which stm32 usb core matches this one and has the doc in the datasheet
18:59:16TheSevenall of the biger ones
18:59:23TheSevenstm32f2/stm32f4 series
18:59:38TheSevenI think even some f1 ones
18:59:43TheSevenbut only some :)
19:01:49pamauryoh they have two of them
19:08:02*TheSeven fixed the jtag
19:10:05TheSevenFYI: shorting the nand pins results in ata error -2 as well
19:10:25TheSeven...and still a 4MB drive
19:10:45TheSevenso either these pins aren't connected properly, or we have a different problem here
19:10:46bertrikTheSeven: you load the bootloader over jtag?
19:10:54 Join n1s [0] (
19:10:54 Quit n1s (Changing host)
19:10:54 Join n1s [0] (~n1s@rockbox/developer/n1s)
19:14:20TheSeventhe pins that I short (as indicated on the SansaAMSUnbrick page) read 2.7V if non-shorted, and have a short current of about 50µA
19:14:46TheSevenhm wait, this will probably need a full power cycle and not just a jtag reset
19:15:56TheSevenhm nope, behaves the same way
19:16:00TheSevenno response to that jumper at all
19:16:07 Quit wodz (Quit: Leaving)
19:16:15 Join saratoga [0] (123e1c0a@gateway/web/freenode/ip.
19:16:55saratogayou're trying to branch into that 32 MB disk code?
19:18:51TheSevenwell I'm trying to figure out what's up with the sd controller in the first place
19:19:46pamauryTheSeven: I'm confused by your register map in your repo, it seems that there is a shift in the device registers
19:19:59pamaurydinep1msk is after deachmsk
19:20:06pamaurybut in the doc there is a gap :-/
19:23:15saratogaFWIW, the datasheet has a flow chart for entering USB prom mode, it depends on a GPIO, so if sandisk didn't change i guess the check for the gpio pin state might still be there
19:23:36TheSevenpamaury: my code seems to match the stm32 doc
19:24:14TheSevendeachmsk is 0x83c, dinep1msk is 0x840
19:24:49TheSeven(in the document they're called OTG_HS_DEACHINTMSK and OTG_HS_DIEPEACHMSK1)
19:25:06pamauryTheSeven: in the STM32F205xx datasheet, OTG_HS_DIEPEACHMSK1 0x844
19:25:31TheSeventhat regs.h file is in fact a parsed and recreated version of a header from the stm32 demo code, so I guess it's right
19:25:47 Quit saratoga (Quit: Page closed)
19:26:00TheSevenso I guess one of the datasheets is off
19:27:02TheSevenand the OTG_FS core doesn't list those regs at all
19:27:33pamauryhum, same error in STM32F4 datasheet, probably the same synopsys doc though
19:30:45TheSevenhm... does someone know what that "nand unbrick" jumper is actually connected to?
19:30:58TheSevenit shows a constant voltage for me
19:33:01TheSevennothing but the initial ramp up during powerup, nothing during rockbox boot, ...
19:33:11TheSeventoasted sd controller?
19:34:15TheSeventhe sd controller is inside the soc, right?
19:38:13 Nick DormantBrain is now known as SuperBrainAK (
19:38:45bertrikTheSeven: the as3525 datasheet does also mention some kind of boot selection pins
19:39:25pamauryTheSeven: actually you are right, the descriptors might be created on every irq
19:39:42bertrikamong them is pin B4 I think, I'll look it up
19:42:36TheSevenhm, the read enable pin of the flash toggles during boot
19:42:51bertrikfrom the datasheet "The update button is located between xpa[4] and xpa[0]." where xpa is the same as GPIO port A
19:43:23bertrikbut that is from the as3525 datasheet or "AMSv1", while the clip+ is an "AMSv2"
19:45:55TheSevenbertrik: so you think that this jumper actually tells the soc to boot something else?
19:46:04TheSevenI thought it just shorted some nand pins?
19:46:27bertrikI'm not sure
19:46:55bertriksomeone documented on our wiki that GPIO B4 is the "unbrick pad"
19:46:59bertrikfor the clip+
19:49:21bertrikMichaelChicoine did it in revision 73 of
19:51:37 Join nkf [0] (
19:52:15 Quit Galois (Disconnected by services)
19:52:16 Nick nkf is now known as Galois (
19:52:52 Join wodz [0] (
19:55:38TheSevenhm... no way of soldering directly to the flash chip, that won't work
19:58:01wodzTheSeven: TSSOP54 package? With 0.5mm pitch it is possible to solder very fine kynar wire. I did it once.
19:58:28TheSevennot with my tools
19:58:36TheSevenI didn't get solder to stick to the flash pins *at all*
19:58:50wodzuse more aggressive flux then
19:59:12TheSeventhen it'll short out all over the place
19:59:34TheSevenno way to get that done with my tools, I'd rather leave that thing undamaged
19:59:58wodzsafer for sure
20:04:25wodzTheSeven: Are you running IDA in wine, in vm or natively on windows?
20:05:14TheSevenoh noes, a JTAG pin broke loose again :/
20:06:32TheSevengpioa = 0x20, gpiob = 0xc4
20:09:52TheSevenwtf, ever had the screen show upside down on a clip+?
20:10:19pamaurylol ^^
20:10:31pamaurythere might be a setting for that
20:10:44TheSevenguess I just broke the ribbon cable :/
20:11:00 Quit GodEater (Quit: Coyote finally caught me)
20:11:55 Join GodEater [0] (
20:12:44TheSevenindeed, that recovery pin toggles GPIO B4
20:13:48pamauryhaha, reverse enginerring can be cool some times:
20:13:49pamauryint __cdecl usb_truc__ctor(usb_truc_t *this, usb_thing_t *thing, void **otg_base_ptr, usb_obj_t *obj)
20:14:37 Quit GodEater (Changing host)
20:14:37 Join GodEater [0] (~whoknows@rockbox/staff/GodEater)
20:14:46 Quit nosa-j (Read error: No route to host)
20:16:32bertrikTheSeven: great to have that confirmed
20:17:06pamaurycan someone explain what is about this pin ?
20:17:12*pamaury has not followed the whole discussion
20:17:47*pamaury is running out of names: truc, thing, obj. What's next ? machin !
20:17:53TheSevenpamaury: that's what the "unbrick" pin on the PCB seems to be connected to
20:18:25 Join saratoga [0] (123e1c0a@gateway/web/freenode/ip.
20:19:01TheSevenare there *any* success reports of that pin fixing a 4mb drive clip+?
20:19:02saratogadoes the ROM obfuscate its GPIO reads?
20:19:02pamauryso it just switches the boot mode ?
20:19:23pamauryno, there are a few reads in the ROM for the GPIO
20:19:31saratogaTheSeven: AFAIK people have never fixed a clip in the 4MB mode without getting it into 32MB mode, but the latter has been done
20:19:34TheSevenfor that particular pin?
20:19:43pamauryGPIO B4 ? let me see
20:19:46TheSevensaratoga: and that was done by means of this pin?
20:20:07saratogalet me check
20:20:18pamauryapparently not, it reads GPIO B5
20:21:07pamauryand GPIO C[2:1] if I read correctly
20:21:14TheSevenB5 is 0 for me
20:21:30TheSevenC2 and C1 are zero as well
20:23:12tripperamayer: I got the theme to work
20:23:22tripperturns out I had to upgrade to the latest testing build
20:24:00***Saving seen data "./dancer.seen"
20:24:01amayertripper: oh you had a problem with the progress bar?
20:24:33amayerI updated how they worked because before they were implemented weird.
20:25:15saratogathis log is long, but someone starts out with a 4MB disk and eventually gets a 32 MB one if I understand correctly:
20:27:50tripperamayer: no, the WPS would load fine but the SBS wouldn't load at all
20:28:00tripperthen I upgraded to the latest rockbox image and everything was fine
20:28:02saratogafrom what people have said in the channel over the years, usually a dead firmware gives you a 4MB partition, shorting that pin gives you a 32 MB or, depending on the player, a 1GB on that is the entire first SD bank
20:28:19saratogathat 1GB may be AMSv1 though, not sure
20:29:51 Quit GodEater (Quit: Coyote finally caught me)
20:30:00 Join GodEater [0] (
20:30:02saratogahmm no the logs here indicate that someone got a 1GB disk on a clipv2 which is amsv2:
20:30:11amayertripper: which theme are you talking about?
20:30:36 Join GodEater_ [0] (~GodEater@rockbox/staff/GodEater)
20:31:36 Quit GodEater (Disconnected by services)
20:31:43 Join GodEater [0] (
20:32:03TheSeventhat log suggests that bertrik has already unbricked a clip+? was that ever in a 4MB state?
20:32:25tripperamayer: the hazard twins
20:32:30saratogai think funman unbricked one as well
20:32:48tripperoh and also I've been working on a modification of hazard light with antialiased fonts and more track information like bitrate and samplerate
20:32:54tripperit looks pretty great
20:33:37 Quit GodEater (Disconnected by services)
20:33:44 Join GodEater [0] (
20:33:58saratogafunman said: "If the reported drive is 4MB then you should attempt the unbrick procedure again until you see the correct size, it's very difficult to have the correct drive come at the first attempt, for me it always required between 3 and 10 attempts until it worked."
20:34:13 Quit GodEater_ (Client Quit)
20:34:34 Join GodEater_ [0] (~GodEater@rockbox/staff/GodEater)
20:34:36 Quit GodEater_ (Client Quit)
20:38:12 Quit GodEater (Changing host)
20:38:12 Join GodEater [0] (~whoknows@rockbox/staff/GodEater)
20:42:30 Join Zarggg [0] (
20:42:33TheSevenfrom that IRC log we learn three things:
20:42:33TheSeven- the clipv2 identifies as "m200plus" as well
20:42:33TheSeven- it might come up as a gigabyte drive, which works as well
20:42:33DBUGEnqueued KICK TheSeven
20:42:33TheSeven- shorting nand pins might actually put it into 4MB mode
20:44:43copperThat definitely qualifies as "hacking".
20:46:18 Join petur [0] (~petur@rockbox/developer/petur)
20:46:23 Quit GodEater (Quit: Coyote finally caught me)
20:46:33 Join GodEater [0] (
20:47:49TheSevenwhat's the matter with that amsv2_variant thing btw?
20:48:42amayertripper: thats awesome! let me know when they are finished. I would love to see them
20:49:16pamauryTheSeven: ever heard of a register 0xa0003c0a in this synopsys otg ?
20:49:35TheSevenso base + 3c0a?
20:50:41tripperSo is there development work being done on the rockbox utility and bootloader to support the Classic?
20:51:00 Quit Zarggg (Read error: Connection reset by peer)
20:51:11tripperemCORE bootloading works absolutely fine but the rockbox port itself is so advanced that it would be a shame to discourage people by listing it as "unusable"
20:53:02TheSevenpamaury: that's somewhere in TX FIFO 2 access area
20:53:39 Quit GodEater (Changing host)
20:53:39 Join GodEater [0] (~whoknows@rockbox/staff/GodEater)
20:54:06TheSeventripper: show me a way to install through something other than DFU, and I'll take a look
20:54:11pamauryTheSeven: no base address is 0xc6000000 :-/
20:54:41TheSevenhow is 0xa0003c0a related to synopsysotg then?
20:56:26pamauryit builds one structure per usb register used and there is this one among them
20:57:57tripperTheSeven: would it be bad if the rockbox utility asked the user to enter DFU mode?
20:58:07tripperit could give target-specific instructions
20:59:10TheSeventhe whole driver mess behind dfu on windows is the problem
21:00:38 Quit GodEater (Quit: Coyote finally caught me)
21:00:47 Join GodEater [0] (
21:07:18pamauryTheSeven: I have located where the bootrom inits its "registers". It builds one small structure per register with its address and there is this one in the middle , very strange
21:18:08 Quit ender` (Ping timeout: 264 seconds)
21:23:21 Join ender` [0] (
21:30:49pamauryTheSeven: what is at otg_base + 0x928 ?
21:31:31pamauryah no forget about that
21:32:35 Quit saratoga (Ping timeout: 250 seconds)
21:33:20TheSeventhat's some endpoint reg
21:50:48pamauryTheSeven: what is the content of GHWCFG1 ?
21:51:22TheSevenon the clip+?
21:52:03pamauryno the meaning sorry
21:53:26TheSevenit contains some information about the synthesis parameters, such as available fifo size, available endpoints, ...
21:53:57pamauryah no wait, arg I'm messing with offsets, there are too many of them
21:56:14 Quit Rower (Quit: Hmmm...)
21:58:11pamaurynumdevmodinend, what's that ? number of in endpoints ?
21:59:43tripperamayer: the most ridiculous part is I'm developing them using entirely the rockbox text editor
22:00:21CtcpIgnored 1 channel CTCP requests in 0 seconds at the last flood
22:00:21*pamaury spots someone using the rockbox text editor and is shocked
22:07:34 Quit __jae__ (Quit: leaving)
22:13:12TheSevenpamaury: yes, that's a bitmap of present endpoints IIRC
22:13:47 Join Strife89 [0] (
22:15:30amayertripper: that is rediculous!
22:16:41 Join __jae__ [0] (
22:16:48 Quit wodz (Read error: Connection reset by peer)
22:17:43pamauryTheSeven: funman: bertrik: what is at 0x10000000 on amsv2 ?
22:18:07TheSevenno idea
22:18:44pamaurydatasheet says "External Memory IF"
22:18:52pamaury(Ext Flash or Ext ROM)
22:22:30 Join wodz [0] (
22:24:03***Saving seen data "./dancer.seen"
22:24:11TheSevenpamaury: FYI, these SCSI handler functions are called from C8F6
22:24:26tripperimagine bundling a c compiler with rockbox
22:27:12wodztripper: what for?
22:28:31tripperfor laughs
22:28:54tripperthe lua interpreter is already there though for writing short little programs in the rockbox text editor if you're up to such torture
22:31:46wodztripper: there is also my unfinished port of ficl forth kernel on gerrit
22:32:51 Quit y4n (Quit: We're fucking 3LN!)
22:33:46 Quit kevku (Ping timeout: 260 seconds)
22:41:27TheSevenCDE0 is probably the function that takes care of actually *processing* scsi commands
22:58:13 Quit amayer (Quit: Leaving)
23:03:18 Quit freqmod (Read error: Operation timed out)
23:05:32 Quit n1s (Quit: Ex-Chat)
23:06:00 Join freqmod [0] (
23:07:05 Quit Guest97565 (Ping timeout: 264 seconds)
23:17:26 Join nosa-j [0] (~m00k@
23:22:09pamaurythe reversing of the bootrom is now getting hardcore
23:27:50 Join Topy44 [0] (~Topy44@
23:30:53TheSevenpamaury: I'm tempted to bet that we could have squeezed the same functionality into an 8KB ROM :)
23:31:32pamauryI think so too
23:31:54pamauryinterestingly, your "scsi processing" function at CDE0 uses the same "buffer builder" as the descriptor functions
23:32:02pamauryI don't have its complete layout though
23:32:15pamauryI think this bootrom also has a notion of thread
23:32:45TheSevenlooks like that function doesn't really process it but instead just copies it into yet another buffer
23:33:02TheSevenyes, it must be multitasked
23:33:38TheSeventhis stuff isn't running in IRQ mode, and you know there is this idle loop
23:33:40pamauryI must say I'm kind of lost in the high level structures, there are list and vectors but I don't know of *what*
23:34:15pamauryand I still haven't found the actual usb driver !
23:34:20TheSeventhe "main loop" of the thread that calls the scsi processing stuff seems to be sub_800108f4
23:34:57 Quit Topy44 (Quit: ZNC -
23:35:26pamaurycould be
23:35:30pamauryor could not be ^^
23:35:51TheSevenwell that's a noreturn function that this whole scsi mess returns to
23:36:14TheSevenI've also found some stuff that looks like mutexes
23:36:15pamauryactually this function is in the virtual table of some high level object
23:36:18pamaurymake sense
23:36:29pamaurydo you have the addresses of these "mutexes" ?
23:36:42TheSevenso it might actually be that the scsi commands are enqueued somewhere and then processed by another thread
23:38:00pamauryI'm trying to understand how the threading works, it uses objects *of course*
23:38:17pamauryI may have found the thread ctor
23:38:21TheSevensome mutex-ish stuff is at 4db8
23:38:24TheSeven(and its xrefs)
23:39:20pamauryarf, this is a bit too arm-technical for me, do you know what it does exactly ?
23:40:08TheSeventhe ORR 0x80 one at the top locks out IRQs and the BICEQ 0x80 one at the bottom reenables them
23:41:30TheSevenand 0b98 switches to supervisor mode (and a different stack) and back to system mode, that looks like some kind of syscall interface wrapper
23:41:42funmansaratoga: iirc unbrick works exactly the same for amsv1 and amsv
23:41:43funmansaratoga: iirc unbrick works exactly the same for amsv1 and amsv2
23:41:46pamauryI hope we won't duplicate too much work
23:42:06TheSeven4408 is executed in supervisor mode
23:42:18pamauryI have noticed that the "thread" seem to be in system mode
23:42:24TheSevenyes, that makes sense
23:42:35TheSeven"system" mode is essentially privileged usermode
23:42:36pamaurythis is insane in a bootrom :-X
23:43:14 Join Topy44 [0] (~Topy44@
23:43:19TheSevenI guess they took some RTOS kernel which they had the USB and mass storage drivers for anyway and plugged it all together
23:44:34funmanTheSeven: ams variant is not very interesting, it's just that they handle a few things (like uSD controller selection) differently between the 2 variants
23:44:36pamauryyeah, the architecture is nice actually, just not for a bootrom
23:46:26funmanTheSeven: pamaury: : my clipv2 (OF) disassembly
23:46:39funmanthere might be some identical functions already reversed in it
23:46:39pamauryfunman: is that OF or bootrom ?
23:46:53funmanpamaury: as is said, OF
23:47:33funmani spent 30 mins on clip+ bootrom yesterday and SD code didn't look identical
23:47:52funmani was disappointed because for AMSv1, bootrom and OF were mostly identical
23:48:22funmanwell, feel free to use it or not :)
23:48:50funmanplease disregard the curse words in comments ^_^
23:49:05funman"@ fuck" means the function and its subfunctions are not "interesting" iirc
23:50:30pamaurydamn, that the point where I realise the threading functions are connected to the "wtf" functions I was stuck on
23:55:46TheSeven95% sure the same RTOS base!
23:56:46pamaurydid you reverse anything about thread/mutex/queue/usb ?
23:57:42TheSevenif that was directed to me, I didn't find much interesting stuff yet
23:57:54TheSevenbut that OF IDB looks somewhat promising

Previous day | Next day