Turtlehead

Aparently mDNSResponder 58.8 is no longer available from the apple site preventing wmamp from building.
Fortunately I found a copy I had archived

mDNSResponder-58.8.tar.gz

Linksys have finally released the GPL code for the wma11b. At first glance they’ve done a nice job packaging it up. They’ve even provided the object files to the closed source portions of the code so we should be able to build a near duplicate of the existing flash. Which is nice of them..

http://www.linksys.com/support/opensourcecode/wma11b/1106/wma11B_GPL.zip

Many thanks to Rich for letting me know about this release. I’d given up checking the Linksys GPL page.

I always thought it was unsociable to have the TV on whist listening to music so here’s the latest hack.
It’s very early at the moment and only prints a little info out and no control is yet possible. That will change when I get to it.

Thanks to Al for the idea..

The LCD is from PJRC.

Andy Wild just mailed to say he has written a bootloader for the wma so it can be booted from any other OS.
Check it out here…
This could be wma11b independence day… ;-p

Here’s a quick update to let you know how things are progressing. The hardware problems with the rack have been sorted and nightly builds should be running again.
I’ve also rebuilt the compiler again to target the xscale processor directly so we sould be able to get better executables from it, and I also patched it to correct some bugs in the last compilers floating point for arm processors. The new compiler will target the nwfpe floating point emulation in the kernel directly now. Although it appears that the floating point compiled into the kernel on the wma has debugging enable which is why you get all these exception messages in the kernel log. Never mind, eh?… I’ll upload it shortly once I’ve tested it a little more.
I’ve also branched the source tree and I’m working on moving the existing code base to use Evas for all it’s graphics. If it works well and doesn’t take too much memory the results should be very nice indeed, and we’ll get some nice alpha blending too.. ;-p
After Evas is working I plan in integrating the EWL widget library so we can replace my crappy listboxes and dialogue boxes.
Then I plan on replacing the flashed kernel with a newer one and a decent boot loader once that’s all done.
Until next time…

You may have noticed recently that the nightly builds haven’t updated over the last few days. Unfortunately I’ve lost the network card in main build machine due to a power failiure / spike and it’s not coming back online. Because it’s a rackmount it’s not a simple case of replacing the NIC. I hope to get it back online in the next few days if I can get a replacement.

Download a tool to extract and split the wma rom..
A map of the ROM so far appears to be this..

00000 Bootloader

0E000 non-volatile parameters, ssid, wep key, etc…

10000 Kernel uncompressor

12990 Kernel (gzip image)

9C000 filesystem (gzip image)

Download  readwma11brom.tar.gz…
Upload readflash to your wma11b and run from /tmp it will create a dump of the devices 2meg ROM. Transfer the wma11b.rom file to your pc / linux box and run splitrom (after you’ve compiled it) and it will chuck out all the bits of the rom I’ve discovered so far.
I’m not brave enough to reflash it yet.
Now in theory we should be able to hack the gzip area after 9C000 to contain a new filesystem so we can ditch the squishguave image totally and all the pc based software.
You can mount the filesystem image after uncompressing it with this command…

$ mount ./ramdisc -o loop /mnt/wma/

Let me know if you discover anymore…
Oh, and if you really really want to play about writing to the flash, email me and I’ll let you know the ioctl commands to erase and unlock the write protect on it. Just let me know you wont blame me if you can never use it again… ;-p

Well, as has now been well publicised, I was beaten to the punch with the airport express public key.There appears to actually be a total of 255 keys in iTunes, but as far as I know only one is used to communicate with the airport express.

Anyway. If you’d like to rip all the keys I’ve uploaded some of the code I used to rip them from itunes.exe and dump them as asn1 objects as they’re stored internally.

Download here.

You’ll probably have to tweak the code a little to point to your location of itunes.exe.. And you may want to download dumpasn1 to display the keys.

Read the rest of this entry »

Well not really. But, If you’ve wondered why you don’t see much in itunes if you try hacking it that relates to remote audio, it’s because they’ve encrypted little chunks of the code here and there.It’s really easy to hack once you notice this and find the decryption code and it makes it a lot easier to place your breakpoints.
Here’s an example to decrypt the Apple-Challenge and Apple-Response header lines. Note: This only decodes that text, not the actual content of the challenge and the header.
Has anyone else even looked at the airport express and air tunes yet? The only stuff I can find on the net is very slim and what there is (cocoadev.org for example) is pretty incorrect in places.

Just a quick note to say I got an Airport Express today. Finally. Took a little mucking about to get it on the network but no problems once I sorted it out..

Well I’ve not done much with it yet apart from the obvious but here’s a little network dump just to give you an idea. It looks like it’s got some heavy encryption going on so this one may be a sucker to crack. Although I’m going to give it a little go…

Also some scanning software reported ports 53 (DNS) 161 (SNMP) 5000 (The dreaded uPnp) and 10000 (Network data management protocol) are all open. It also reports it’s running NetApp OnTap 5.3.5r2 as the Os.. Interesting eh?

Read the rest of this entry »