Rogue developers

Update: The issue has been resolved. See news at the bottom of the post.

In August 2004, I reverse engineered Apple’s AirTunes protocol and released JustePort, the first non-Apple application to enable streaming to the AirPort Express. Because of my work, Rogue Amoeba was able to develop their $25 Airfoil application - a little more user friendly tool for streaming to the AirPort Express. I didn’t have any problems with this - I released JustePort as open source so that others could build similar applications by learning from my source code. What I did not particularly like though was the product page for Airfoil, claiming “It’s not just for iTunes anymore”. This misleading statement, suggesting that Airfoil was the first tool of its kind and that Rogue Amoeba did the hard work to enable non-Apple streaming to the AirPort Express, has since been removed from the Airfoil product page.

I was reading Rogue Amoeba’s blog the other day and noticed that they’ve released a Linux version of their Airfoil Speakers application. Airfoil Speakers is a companion application to Airfoil that implements the receiver part of the AirTunes protocol. By running Airfoil Speakers on a computer (e.g. your home theater PC) you can stream audio to it using Airfoil from another computer. The release of the Linux version of Airfoil Speakers piqued my interest so I downloaded it and had a look. It uses .NET and requires Mono. I downloaded the Windows version as well and it shares the core with the Linux version.

I ran AirfoilSpeakers.exe (MD5: 82b7ef8c05958ccb6e24289c8b21a27c) from the Windows version through monodis to see if I could find anything interesting. I came across this:

.namespace AirfoilServer.AirTunes
{
.class private auto ansi beforefieldinit Utility
extends [mscorlib]System.Object
{

// method line 853
.method public static hidebysig
default void LeReverse (unsigned int8[] arr, int32 index, int32 length) cil managed
{
// Method begins at RVA 0x104b6
// Code size 16 (0x10)
.maxstack 8
IL_0000: ldsfld bool [mscorlib]System.BitConverter::IsLittleEndian
IL_0005: brfalse.s IL_000f

IL_0007: ldarg.0
IL_0008: ldarg.1
IL_0009: ldarg.2
IL_000a: call void class [mscorlib]System.Array::Reverse(class [mscorlib]System.Array, int32, int32)
IL_000f: ret
} // end of method Utility::LeReverse

// method line 854
.method public static hidebysig
default void LeReverse (unsigned int8[] arr) cil managed
{
// Method begins at RVA 0x104c7
// Code size 11 (0xb)
.maxstack 8
IL_0000: ldarg.0
IL_0001: ldc.i4.0
IL_0002: ldarg.0
IL_0003: ldlen
IL_0004: conv.i4
IL_0005: call void class AirfoilServer.AirTunes.Utility::LeReverse(unsigned int8[], int32, int32)
IL_000a: ret
} // end of method Utility::LeReverse

// method line 855
.method public static hidebysig
default void RijndaelDecrypt (unsigned int8[] Buf, int32 Offset, int32 Count, unsigned int8[] Key, unsigned int8[] IV) cil managed
{
// Method begins at RVA 0x104d4
// Code size 80 (0x50)
.maxstack 5
.locals init (
class [mscorlib]System.Security.Cryptography.Rijndael V_0,
class [mscorlib]System.IO.MemoryStream V_1,
class [mscorlib]System.Security.Cryptography.ICryptoTransform V_2,
class [mscorlib]System.Security.Cryptography.CryptoStream V_3)
IL_0000: call class [mscorlib]System.Security.Cryptography.Rijndael class [mscorlib]System.Security.Cryptography.Rijndael::Create()
IL_0005: stloc.0
IL_0006: ldloc.0
IL_0007: ldc.i4.1
IL_0008: callvirt instance void class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::set_Mode(valuetype [mscorlib]System.Security.Cryptography.CipherMode)
IL_000d: ldloc.0
IL_000e: ldc.i4.1
IL_000f: callvirt instance void class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::set_Padding(valuetype [mscorlib]System.Security.Cryptography.PaddingMode)
IL_0014: newobj instance void class [mscorlib]System.IO.MemoryStream::.ctor()
IL_0019: stloc.1
IL_001a: ldloc.0
IL_001b: ldarg.3
IL_001c: ldarg.s 4
IL_001e: callvirt instance class [mscorlib]System.Security.Cryptography.ICryptoTransform class [mscorlib]System.Security.Cryptography.SymmetricAlgorithm::CreateDecryptor(unsigned int8[], unsigned int8[])
IL_0023: stloc.2
IL_0024: ldloc.1
IL_0025: ldloc.2
IL_0026: ldc.i4.1
IL_0027: newobj instance void class [mscorlib]System.Security.Cryptography.CryptoStream::.ctor(class [mscorlib]System.IO.Stream, class [mscorlib]System.Security.Cryptography.ICryptoTransform, valuetype [mscorlib]System.Security.Cryptography.CryptoStreamMode)
IL_002c: stloc.3
IL_002d: ldloc.3
IL_002e: ldarg.0
IL_002f: ldarg.1
IL_0030: ldarg.2
IL_0031: ldc.i4.s 0x10
IL_0033: div
IL_0034: ldc.i4.s 0x10
IL_0036: mul
IL_0037: callvirt instance void class [mscorlib]System.IO.Stream::Write(unsigned int8[], int32, int32)
IL_003c: ldloc.3
IL_003d: callvirt instance void class [mscorlib]System.IO.Stream::Close()
IL_0042: ldloc.1
IL_0043: callvirt instance unsigned int8[] class [mscorlib]System.IO.MemoryStream::ToArray()
IL_0048: ldarg.0
IL_0049: ldc.i4.0
IL_004a: callvirt instance void class [mscorlib]System.Array::CopyTo(class [mscorlib]System.Array, int32)
IL_004f: ret
} // end of method Utility::RijndaelDecrypt

// method line 856
.method public hidebysig specialname rtspecialname
instance default void .ctor () cil managed
{
// Method begins at RVA 0x10530
// Code size 7 (0x7)
.maxstack 8
IL_0000: ldarg.0
IL_0001: call instance void object::.ctor()
IL_0006: ret
} // end of method Utility::.ctor

} // end of class AirfoilServer.AirTunes.Utility
}

That Utility class looks very familiar. Where have I seen those exact functions before? Oh, that’s right, it’s the Utility class licensed under the GPL from my DeDRMS and SharpMusique source code packages.
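To make the disassembly above concrete, here is an added example (my own code, not the page’s, not Rogue Amoeba’s and not the DeDRMS/SharpMusique source) that reimplements in Go what the two Utility methods do according to the IL: LeReverse only reverses the bytes when the host is little-endian, and RijndaelDecrypt is CBC (CipherMode value 1) with no padding (PaddingMode value 1), rounds Count down to a multiple of 16 via the div/mul by 0x10, and copies the plaintext back to index 0 of Buf via Array.CopyTo(Buf, 0), not to Offset. Rijndael with its default 128-bit block is AES, so crypto/aes is exact. The key, IV and plaintext are constructed test data; CBCEncrypt is only there to build a round-trip check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"unsafe"
)

// IsLittleEndian plays the role of System.BitConverter.IsLittleEndian.
func IsLittleEndian() bool {
	x := uint16(1)
	return *(*byte)(unsafe.Pointer(&x)) == 1
}

// LeReverse mirrors Utility.LeReverse(byte[], int, int): arr[index:index+length]
// is reversed only on a little-endian host, so the routine converts between
// host byte order and big-endian and is a no-op on big-endian machines.
func LeReverse(arr []byte, index, length int) {
	if !IsLittleEndian() {
		return
	}
	for i, j := index, index+length-1; i < j; i, j = i+1, j-1 {
		arr[i], arr[j] = arr[j], arr[i]
	}
}

// RijndaelDecrypt mirrors Utility.RijndaelDecrypt as the IL shows it:
// AES-CBC, no padding, count rounded down to a whole number of 16-byte
// blocks, and the plaintext written back to buf[0:] (Array.CopyTo(buf, 0)),
// not to buf[offset:]. Bytes past the last whole block are left untouched.
func RijndaelDecrypt(buf []byte, offset, count int, key, iv []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	n := count / 16 * 16
	if offset < 0 || offset+n > len(buf) {
		return fmt.Errorf("offset %d + %d bytes exceeds buffer of %d", offset, n, len(buf))
	}
	out := make([]byte, n)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, buf[offset:offset+n])
	copy(buf, out)
	return nil
}

// CBCEncrypt is the matching unpadded encryptor, used only to build test data.
func CBCEncrypt(plain, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plain)%16 != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a block multiple", len(plain))
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed 128-bit test key
	iv := bytes.Repeat([]byte{0x22}, 16)  // constructed test IV
	plain := []byte("0123456789abcdef0123456789ABCDEF")
	ct, _ := CBCEncrypt(plain, key, iv)
	// 4 leading junk bytes, 32 bytes of ciphertext, 5 trailing bytes.
	buf := append(append([]byte{0xaa, 0xbb, 0xcc, 0xdd}, ct...), 1, 2, 3, 4, 5)
	_ = RijndaelDecrypt(buf, 4, len(buf)-4, key, iv)
	fmt.Printf("plaintext lands at buf[0:32], not buf[4:36]: %q\n", buf[:32])
}
```

Note the two quirks a careful reader of the IL spots: a Count that is not a multiple of 16 silently drops the tail, and the decrypted data always lands at the start of Buf, so callers that pass a non-zero Offset get their leading bytes overwritten.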

I can’t say I’m surprised. GPL’ed code is often used in violation of the license. MacTheRipper, a popular DVD ripper for Mac OS X, has been violating the GPL for years by using libdvdcss and refusing to release the source code.

I’m not going to be too hard on Rogue Amoeba though. Like many Mac users, they are against closed platforms. See their blog post about the iPhone SDK as well as the future of code signing in Mac OS X.

Update: Quentin from Rogue Amoeba got in touch via email. The code ended up in Airfoil Speakers due to an honest misunderstanding. Quentin writes:

We use a lot of open source software in our products, could not make them as good as we do without it in fact. And as such, we do our best to make sure the licenses are followed. All our commercial software is GPL-free, some use LGPL’ed libraries, and some BSD/MIT code in places. We try to make sure all the code we use is correctly attributed, and give back when we can (http://rogueamoeba.com/sources/, www.rogueamoeba.com/utm/2008/01/12/perian-is-awesome/).

So we’ve put together Utility.cs-less versions of Airfoil Speakers to fix our GPL compliance. The Linux version we are pushing out immediately (it’s still in beta technically) here: http://bigblueamoeba.com/tmp/airfoilspeakerslinux/. The Windows version will be officially pushed out this week after testing, but is available right now here: http://bigblueamoeba.com/tmp/airfoilspeakerswindows/

Thanks Quentin!



Watching MythTV recordings on AppleTV with Boxee

A couple weeks ago I decided to get an AppleTV to use as a mythtv frontend, as my current frontend freezes up while playing back recordings. While the Mac OS X version of mythfrontend runs fine on the AppleTV, the playback performance is a bit jerky and the Apple remote does not work. I rent movies and watch podcasts through iTunes, so I didn't want to give up the ability to play back iTunes purchases by wiping the AppleTV and installing Linux (which would resolve both of the mythfrontend issues).

Instead, here's a much better answer: Boxee. Boxee is a media player based on XBMC, and it runs on Mac OS X, AppleTV, and Linux. Here are two ways you can access your mythtv recordings through Boxee: UPnP and SMB. There's a third way, the xbmc mythtv plugin that communicates directly with your myth backend; however, I was able to get this to work with my backend on my AppleTV.

Browsing your recordings over UPnP is easy: simply select "Network Sources" from the Boxee video menu, wait a couple seconds for UPnP to discover the backend, then go back out of the network browser and back in (there's no option to refresh the list here). You should now see "Recordings" as an available source, which will give you access to all your mythtv recordings. I found this to be very unreliable on my MythTV 0.21 backend: streaming over UPnP would cause the mythbackend process to hang after several recordings. But I was determined to get this working!

Enter mythrename.pl and samba! mythrename is a perl script that is included with mythbackend (it's available in /usr/share/doc/mythtv-backend/contrib/ on Ubuntu) that will either rename or symlink your mythtv recording files, which are normally just a bunch of numbers, to some format you specify. I've set up a cron job to run the following command every 30 minutes:

/usr/share/doc/mythtv-backend/contrib/mythrename.pl --link --format %T/%m%-%d%-%Y\ %S

The command above symlinks my recordings inside the mythtv recordings folder to show_names/(show name)/(month)-(day)-(year) (episode title). For example, last night's episode of Life is available at /share/MythTV/show_names/Life/10-17-2008 Crushed.mpg. I simply share this folder over samba and add it as a source in Boxee (set as private to avoid indexing, which will fail because MythTV does not keep track of the season / episode numbers required by Boxee's TV show detector).

I can now watch all my MythTV recordings on the AppleTV, controlled with the Apple remote, and without any hiccups during playback, while still having access to all my iTunes content through the AppleTV menus.

Installation, the PMU

While I was waiting for CPICH to finish the first bits of the NAND FTL reverse engineering work, I've been trying to fill in all of the gaps we had in other places, such as the PMU. As promised, there is also now an easy way to install openiboot onto the iPhone. This is great because it will eventually lead to an even faster and easier QuickPwn in the future.

One of the annoying parts about iBoot in recovery mode is that the thing refuses to charge the iPhone while sitting in recovery mode. The battery just eventually completely drains. With the new PMU code, openiboot now recharges the battery, so developers using it (read: me) can just have it sit on the console screen indefinitely. You can also do neat things like check the current battery voltage and check the power supply type the phone is charging from.

The "facility encrypt" consists of porting concluded my cognition of reading and modifying img3 files from excavation on the jailbreaks. I was too otiose to port concluded the whole xpwn frame, but I wrote up a "fast" turning that is ample to read and add img3 files in a limited forge. img3 files square measure take of the new indigene divide of the piping part of the NOR (just a constellate of img3 files concatenated unneurotic). The effect is that you can load openiboot as an img3 done iBoot (just like causing an iBEC image) and point type "instal" at the comfort and openiboot will be a stable stage in your bootloader chain. =P

You can, of course, keep booting up to the iPhone OS as you always do by selecting the option in the boot menu. Installing openiboot isn't very useful except for hackers wanting to hack openiboot.

I also figured out how to parse and add the NVRAM banks (storing environment variables like "auto-boot", etc.), which was actually needlessly complicated (in my opinion). They have two banks consisting of a bunch of partitions with these headers that Apple uses a needless one-byte checksum on. The whole bank is also checksummed with adler32. When NVRAM is modified, the oldest bank is overwritten with the data and becomes the newest bank (which is tracked by an epoch number on each bank). This is so if one bank becomes corrupted, the other can be used as a backup. However, NVRAM hardly contains anything high value so the value of all this trouble is questionable. Being able to write to NVRAM, though, makes it possible to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recovery mode.
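The two-bank scheme described above (write to the older bank, bump an epoch, verify an adler32 over the bank, fall back to the other bank when one is corrupt) is a general A/B pattern, so here is an added example of it in Go. This is my own illustration, not openiboot code, and the bank layout it uses (a 16-byte header of magic, epoch, payload length and adler32, followed by "key=value" lines) is a hypothetical one chosen for the example; it is not Apple's NVRAM format and omits the per-partition one-byte checksums the post mentions. The image is constructed in memory.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/adler32"
	"sort"
)

// Hypothetical layout for this example only, not Apple's on-flash format.
const (
	BankSize  = 256        // bytes per bank; the image holds two banks
	HeaderLen = 16         // magic, epoch, payload length, adler32
	Magic     = 0x4D56524E // "NVRM" as a little-endian uint32
)

type bank struct {
	epoch   uint32
	payload []byte
	valid   bool
}

// parseBank validates magic, bounds and the adler32 of the payload; anything
// that fails is treated as a corrupt bank rather than an error, so that the
// reader can fall back to the other bank.
func parseBank(raw []byte) bank {
	if len(raw) < HeaderLen {
		return bank{}
	}
	magic := binary.LittleEndian.Uint32(raw[0:4])
	epoch := binary.LittleEndian.Uint32(raw[4:8])
	length := binary.LittleEndian.Uint32(raw[8:12])
	sum := binary.LittleEndian.Uint32(raw[12:16])
	if magic != Magic || int(length) > len(raw)-HeaderLen {
		return bank{}
	}
	payload := raw[HeaderLen : HeaderLen+int(length)]
	if adler32.Checksum(payload) != sum {
		return bank{}
	}
	return bank{epoch: epoch, payload: payload, valid: true}
}

func encodeBank(epoch uint32, payload []byte) ([]byte, error) {
	if len(payload) > BankSize-HeaderLen {
		return nil, errors.New("payload does not fit in bank")
	}
	raw := make([]byte, BankSize)
	binary.LittleEndian.PutUint32(raw[0:4], Magic)
	binary.LittleEndian.PutUint32(raw[4:8], epoch)
	binary.LittleEndian.PutUint32(raw[8:12], uint32(len(payload)))
	binary.LittleEndian.PutUint32(raw[12:16], adler32.Checksum(payload))
	copy(raw[HeaderLen:], payload)
	return raw, nil
}

// ReadVars returns the variables of the valid bank with the highest epoch
// and that bank's index (0 or 1). A corrupt newest bank is skipped.
func ReadVars(image []byte) (map[string]string, int, error) {
	if len(image) != 2*BankSize {
		return nil, -1, fmt.Errorf("image must be %d bytes", 2*BankSize)
	}
	best, bestBank := -1, bank{}
	for i := 0; i < 2; i++ {
		b := parseBank(image[i*BankSize : (i+1)*BankSize])
		if b.valid && (best < 0 || b.epoch > bestBank.epoch) {
			best, bestBank = i, b
		}
	}
	if best < 0 {
		return nil, -1, errors.New("no valid NVRAM bank")
	}
	vars := map[string]string{}
	for _, line := range bytes.Split(bestBank.payload, []byte{'\n'}) {
		if k, v, ok := bytes.Cut(line, []byte{'='}); ok {
			vars[string(k)] = string(v)
		}
	}
	return vars, best, nil
}

// WriteVar sets key=value and commits the whole variable set to the bank that
// is not the current newest one, with epoch+1, so the previous state survives
// until the next write. With no valid bank at all it starts in bank 0.
func WriteVar(image []byte, key, value string) error {
	vars, cur, err := ReadVars(image)
	epoch := uint32(1)
	if err != nil {
		vars, cur = map[string]string{}, 1
	} else {
		epoch = parseBank(image[cur*BankSize:(cur+1)*BankSize]).epoch + 1
	}
	vars[key] = value
	keys := make([]string, 0, len(vars))
	for k := range vars {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		fmt.Fprintf(&buf, "%s=%s\n", k, vars[k])
	}
	raw, err := encodeBank(epoch, buf.Bytes())
	if err != nil {
		return err
	}
	copy(image[(1-cur)*BankSize:], raw)
	return nil
}

func main() {
	img := make([]byte, 2*BankSize) // constructed blank image
	_ = WriteVar(img, "auto-boot", "true")
	_ = WriteVar(img, "auto-boot", "false")
	img[BankSize+HeaderLen] ^= 0xff // corrupt the newest bank's payload
	vars, idx, err := ReadVars(img)
	fmt.Println(vars, idx, err) // falls back to bank 0: auto-boot=true
}
```

The corruption step in main is the point of the design: flipping one payload byte in the newest bank makes its adler32 fail, and the reader silently drops back to the previous epoch instead of returning garbage or bricking the boot path.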

Someone asked me how "safe" it was to do the installation, etc. Well, I've been doing it every time I make a change these days, so it's fairly safe. The worst that can happen in the usual case is that you may be forced into a DFU mode restore. Everything will be fixed with a restore. Early on, I did have bugs that really screwed things up so that a DFU mode restore was no longer possible, but even that was recoverable. I'll just go over how briefly:

The important thing is to have a backup of the NOR. As I described in a previous post, it's possible to really screw things up if you kill the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at all since iBoot cannot properly populate the device tree for the kernel. Since restore ramdisks rely on XNU booting, this is Bad News Bears. In addition, the SysCfg section is device specific, so if you do not have a backup, it will be difficult to ever completely recover from erasing it.

Therefore, before you proceed, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and later restore your backup if things go wrong).

Load openiboot via loadibec and select the console. Connect with the oibc client. Type in: nor_read 0x09000000 0x0 0x100000

This will read all of NOR into memory. Then type: ~nordump.bin:0x100000

This will transfer the dump over USB onto your computer and save it as nordump.bin.

Supposing you filled the whole NOR with garbage somehow and are unable to boot. You have to get into openiboot to restore the NOR. The problem is that openiboot is only designed to operate in a post-LLB or post-Recovery Mode context, so it cannot be directly booted from DFU mode. Basically, you've got to load a pwned WTF, then a pwned iBSS, and then a pwned iBEC (all of which are available from a custom IPSW). After that, you can use loadibec to load openiboot. Then, you can restore the NOR thus:

!nordump.bin
nor_write 0x09000000 0x0 0x100000

After that, you can boot and everything should be normal.

Also, I received a couple responses from people volunteering to do the artwork. I'm not sure what the best thing would be, since I don't want anyone putting in effort for nothing, but we do want the best possible results. So, I'll be getting back to you guys about that.