Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Hardware Hacking Media Media (Apple)

Piezo-Acoustic iPod Hack 397

jugander writes "nilss over at the iPodLinux Project (previously on /.) has performed one of the coolest and most bizzare hacks I've seen in a while. He was able to extract the bootloader from the 4G iPod by sounding out ticks with the iPod's squeaky piezo. With some tweaking and a makeshift recording studio, he was able to dump the 64 kb file at 5 bytes/sec. And yes, this means that 4G iPods can now boot linux!"
This discussion has been archived. No new comments can be posted.

Piezo-Acoustic iPod Hack

Comments Filter:
  • Yup (Score:3, Funny)

    by ryanr ( 30917 ) * <ryan@thievco.com> on Saturday January 29, 2005 @05:47PM (#11516056) Homepage Journal
    I thought the sound output trick was highly clever, bravo. I'm looking forward to having Linux on my mini.
    • Re:Yup (Score:3, Insightful)

      The sound output trick is clever, yes... and also really quite old and (until not so long ago) part of any embedded system programmer's bag of debugging trick, along with flashing LEDs, bit toggling on ports and other niceties. Hell, even the Linux kernel can oops in morse code through the PC speaker or the keyboard LEDs (iirc).
      • by ryanr ( 30917 ) *
        Well, I really meant the whole thing, not just using sound as an output. Taking a set of hardware that he doesn't have the specs for, and being able to get enough running to get that far. The older iPods use a somewhat different processor, so it's not as simple as just running the old stuff.
    • Re:Yup (Score:5, Interesting)

      by Xyrus ( 755017 ) on Saturday January 29, 2005 @08:05PM (#11516906) Journal
      Reminds of how I dumped the gameboy advance rom. You wouldn't access the rom memory directly no matter what you did. However, that didn't stop you from using the video interrupts with a pointer at location zero. :)

      And even more related, you could do the same thing with the sound registers, except that you could get a hardware buffer instead of interpreting the sounds.

      ~X~
  • /.ed already?
  • by bird603568 ( 808629 ) on Saturday January 29, 2005 @05:48PM (#11516069)
    i know its cool to have a penguin on bootup, and play ogg vorbis, but is it worth 400$ and the possiblity of bricking it to get a less that ipod quality mp3 player?
    • by Anonymous Coward
      -1 Where's your geek spirit?
    • by Amgine007 ( 88004 ) on Saturday January 29, 2005 @07:41PM (#11516790)
      is it worth 400$ and the possiblity of bricking it to get a less that ipod quality mp3 player?

      You can't see it now, but the iPod linunx site states clearly that, to their knowledge, no one has bricked an iPod due to installing iPodLinux on it -- even since the long-ago development days.

      In fact, iPodLinux's installer sets it up so you can dual boot into Linux and the Apple firmware, and you can make one the default. I installed this on my 1G and the other day, and it indeed works very, very easily. It is one of the more underrated hacks going on today, IMO.

      Its sweet but does it ahve a point?

      To satisfy your slashdotty interests: imagine you and a friend have iPods, and imagine you connect them with a firewire cable. You both boot into linux, transfer files, and reboot (back in to the Apple firmware). The use is left as an exercise to the hacker.
    • by Lord Kano ( 13027 ) on Sunday January 30, 2005 @01:19AM (#11518264) Homepage Journal
      You are aware that this is Slashdot, right?

      I'm waiting for someone to get an electric toothbrush to run Linux. Then he'll get WiFi working with it and modulate the pulses so that his skull resonates at the right frequencies to hear it for the purposes of streaming Ogg files directly into his brain.

      Why would someone do it? Well, because no one else has and to get linked on Slashdot.

      LK
  • by sakura the mc ( 795726 ) on Saturday January 29, 2005 @05:48PM (#11516070)
    does the motherfucker run *bsd?
  • by glomph ( 2644 ) on Saturday January 29, 2005 @05:49PM (#11516080) Homepage Journal
    that your tongue sticks to it!
  • According to an article, the iPod processor is too weak to run ogg. What is the point of running Linux on the iPod (besides saying that "we did it") if you one is unable to run a Linux application on it? Would not it be better to focus resources somewhere else?
  • piezo? (Score:5, Interesting)

    by puck01 ( 207782 ) * on Saturday January 29, 2005 @05:50PM (#11516094)
    I was curious was a piezo is. I found this explanation:


    Short for piezoelectricity or piezoelectric effect. Piezoelectricity is an electric charge that occurs in some substances when they are squeezed or otherwise subjected to mechanical stress. It is also possible to cause these materials to vibrate when a voltage is applied to them. Quartz is one of the better known piezoelectric materials, and is commonly fabricated into small pieces, called "crystals" that are used for frequency standards. A crystal of specific size and shape will vibrate at a predictable and very stable rate when a voltage is applied. This makes them ideal for use in things like watches or clocks for digital audio equipment. Piezoelectric elements have also been used various types of transducers such as phonograph cartridges, microphones and loudspeakers. Piezo microphones can be quite small and still have relatively high output at a low cost; however, their less than ideal frequency response prohibits use in critical applications. Piezo loudspeakers usually come in the form of tweeters, or very high frequency elements. They generally have very low distortion in the 5 kHz and above range, but haven't widely been used in sound reinforcement due in part to their relatively low output levels. It takes dozens of the average piezo tweeter to equal the output of one medium-sized compression driver



    I'm still confused (and I did RTFA) how the bits of the bootloader were translated to sound. Anyone care to explain?
    • He used particular tones to represet a set of bits, recorded them, and converted the sound back to bits. Rather like a modem.

      Or is that not the part you didnt understand?
      • I obviously did a poor job wording my question. I'm just wondering how he got the bootloader bits to be fed thru the piezo. Not how he converted it to sound, since I now know what a piezo. He must have done something weird to specifically feed the bootloader bits thur the piezo, right?
        • Re:piezo? (Score:4, Informative)

          by ryanr ( 30917 ) * <ryan@thievco.com> on Saturday January 29, 2005 @06:11PM (#11516258) Homepage Journal
          Based on previous experience with Linux on the earlier iPods, he knew how to click the piezo. I don't know off the top of my head if it's the same hardware addresses on the PP5002 and PP5020, but one you have the address, you know how to do it. There is no memory manager on these processors, so it's just a flat memory model with no protection. From there, you just have to write portable arm code that can read addresses 0 through 65535, and write the piezo address appropriately.
      • Re:piezo? (Score:5, Funny)

        by tomhudson ( 43916 ) <barbara@hudson.barbara-hudson@com> on Saturday January 29, 2005 @06:10PM (#11516240) Journal
        So now we can say:
        This is the sound of your ipod "zzz ZZ zz zz ZZZ zz"

        This is the sound of your ipod running as a webserver being slashdotted "zzz ZZZZZZZZ ZZZZZZZWTF!!!!!! _______________"
    • Re:piezo? (Score:5, Informative)

      by steveha ( 103154 ) on Saturday January 29, 2005 @06:18PM (#11516285) Homepage
      I'm still confused (and I did RTFA) how the bits of the bootloader were translated to sound.

      His goal: extract the data from the ROM.

      His problem: he didn't know very much about the hardware. Sending the data through the FireWire port was not an option, since he had no idea how to access that port.

      His opportunity: someone showed him how to make the piezo make sounds.

      So, he picked one sound to represent a 1 bit, and picked a different sound (more of a click) to represent a 0 bit. Then he wrote code to read data from the ROM, and bit by bit, look at each bit and play the appropriate sound. He recorded the sound. It took hours to dump the whole ROM this way.

      Then it was a matter of sampling the recording with a desktop computer, and writing code to detect the two different sounds, turn them into data bits, and save the data bits on disk.

      steveha
      • You know. I was thinking. If he couldn't get access to write to any other device (such as USB, Firewire, or even the disk drive), he probably could have simplified the task by directly wiring the board's piezo output to his sound card's line in, thereby eliminating noise. Alternatively, he could have wired it to some other input device.
        • I big problem with the linux for the 4g ipod was that nearly none of their good devs had them. Maybe he just dindt wanna risking the only one he had.

          That beeing said..what you said is eactly what I would have done.
    • If you want to know a little bit more about piezos... piezoelectric materials are of a certain structure group based on the asymmetry of the unit cell. When compressed or streched, a charge displacement occurs within the single cell and you get pos/neg 'terminals' at opposing ends of the crystal. Have enough of these single unit cells, and you end up with a bulk material that shows a large deformation/charge relationship (relatively large...)... with the small frequency response mentioned by the parent p
  • Google Cache (Score:5, Informative)

    by UID1000000 ( 768677 ) on Saturday January 29, 2005 @05:51PM (#11516096) Homepage Journal
    Google Cache [64.233.167.104]

    The Sound of iPod

    I got an iPod for christmas. The ipodlinux project was one of the main reasons for my choice and so I started exploring the iPod as far as I was able to. I patched the bootloader and got some basic code to run but there was no way to access any hardware other than the two CPUs yet. To get the LCD, Clickwheel and the harddisk working we needed to reverse engineer the bootloader in the flashrom. But to do that we first had to find a way to get that code. Seems quite impossible without any knowlegde about the IO-Hardware but I found a solution...

    The whole idea started last week when leachbj gave me a piece of code that caused the piezo in the iPod to make some *squeek*-sound. I played around with that code, changed some values and somehow was able to produce different sounds. Just for fun I came up with the idea of using this different sounds for transferring data. Some minutes later I dropped the idea because I thought that just won't work and I won't be able to write a decoder for that. Two days later I woke up and somehow just tried encoding a 32bit value into different beeps. It worked so made a loop around it to dump about 4kb of memory.

    The problem with that idea was that I could only transfer 8bit/s. Anyway, I tried writing a decoder and it seemed to work. Well, it didn't really work but it decoded about the first 256 bits correctly. The decoder was some Perlscript that loaded the whole audio into RAM and used about 1GB RAM for a 20MB audio file. It worked ok with some tweaking but still the RAM usage was way to high because if I wanted to dump the whole 64kb I would have an 1200MB audio file or something.

    Some ideas came to my mind after thinking about the problems I had. The first one was to use compression so the transfer won't take too long. It would have taken about 45hours with the code we had. With compression maybe only 22h. To solve the memory problem I decided to rewrite the decoder in C that only reads about 96bytes chunks of audio data and then decodes that. Davidc_ helped me with that.

    This was the first time I thought I this could really work. Again I played with the piezo code and figured out, how the piezo really works. I was able to produce some more unique beeps. Later I made the beep for 0 (the last bleep you can see in the picture) much shorter so it sounded more like a click. I even managed to make the first bleep shorter so I got about 5byte/s.

    When we thought we got the encoder in the iPod with zlib and the decoder working, I decided to try recording the whole dump at night. So I put the iPod in the "iPod Recording Studio" and went to sleep. The iPod is just a cardboard box in which Samsung send me my laptop back. It has foam in it so I thought it would be ideal for recording the bleeping of the iPod. (Move your mouse over the picture.)

    The next day I woke up quite early. The first thing I did was looking at the recording. I heard the iPod stopped bleeping so I thought everything went fine. In fact nothing worked at all. I recorded 8 hours full of zeros. Furthermore, the iPod's battery became empty though it was plugged into the USB port of my laptop the firmware wasn't loaded so it didn't request power over USB. So what you can see in the picture is the harddrive spinning down, then the iPod goes off for some minutes and then reboots. The harddriver was spinning during the whole recording session because there was no way to turn it off.

    After this I was really disappointed and I dropped the project for the rest of the day but in the evening I tried again with a better decoder. It worked quite well but we weren't able to decompress the file. I concluded that was caused by the malloc() hack and zlib would allocate the same memory twice or something like that. Anyway, I haven't had much sleep that weekend so I was tired and just went to bed and thought about dropping the whole
  • Clever hack (Score:3, Interesting)

    by cyberfunk2 ( 656339 ) on Saturday January 29, 2005 @05:51PM (#11516100)
    This is a truely clever hack, I'm glad I donated money to these guys for a new 4G ipod.. now my ipod can run linux !

    Sweetness !
    • This is a truely clever hack, I'm glad I donated money to these guys for a new 4G ipod.. now my ipod can run linux !

      Hey, if you donate an ipod to me, I'll even make it play music :-)
  • by thinkliberty ( 593776 ) on Saturday January 29, 2005 @05:52PM (#11516105)
    Does this mean the ipod will support ogg-vorbis now? And they said it would never happen.
    • You do know that iPod Linux has been out now for several years, don't you? The problem is that there is no Ogg decoder efficient enough to run on the iPod's underpowered CPU (under Linux).
      • Re:Does this mean? (Score:3, Interesting)

        by ryanr ( 30917 ) *
        The newer iPods (the ones in this article) have at least twice as much CPU power. So, the Ogg question may be worth revisiting.
    • Re:Does this mean? (Score:3, Informative)

      by Anonymous Coward
      It could happen. Newer iPods have two processors, and probably have enough horsepower to decode Vorbis. The biggest problem is that Vorbis is a more complicated codec than MP3, so a decompressor will not only be bigger but also need more resources (RAM, CPU time, etc.).

      Vorbis gives you better quality for the same number of bits, or a smaller file for similar quality. Partly this is because it's just newer technology and does some stuff better, but it's also because it's a little more complicated. While
  • Wow, just wow... (Score:5, Insightful)

    by still_sick ( 585332 ) * on Saturday January 29, 2005 @05:54PM (#11516127)
    The sheer creativity and resourcefulness of some Hackers is just mind-boggling.

    If Apple / NASA / (et all) had any sense at all, they'd be beating down this guy's door to hire him into a think-tank.
    • by Anonymous Coward on Saturday January 29, 2005 @07:46PM (#11516824)
      The sheer creativity and resourcefulness of some Hackers is just mind-boggling.

      Clever, sure. But remember this is how 300 baud modems work, too. This is also how fluke multimeters are tested in the factory. They have no IO, so they chirp data back to a tester.

      What is clever to one person is old hat to many others.
  • by TheMysteriousFuture ( 707972 ) * <TheMysteriousFuture@gmail. c o m> on Saturday January 29, 2005 @05:54PM (#11516129) Journal
    THIS is why I read slashdot. News for Nerds Stuff that matters.

    All in favor?

    Mod me down.
  • by Second_Derivative ( 257815 ) on Saturday January 29, 2005 @06:06PM (#11516218)
    but I remember seeing a Google application form somewhere with "What's the coolest hack you've ever done?" on it. Can you imagine putting "Dumping an 64k firmware chip through a piezo sounder" on that?

    Who cares if it's not that useful, it's lateral thinking for you...
  • by MajorDick ( 735308 ) on Saturday January 29, 2005 @06:09PM (#11516234)
    This is slick, everything old is new again ? Reminds me of loading Adventure on my Apple II

    Data transmission via acoustics is certainly nothing new, but getting something OUT thats not meant to be exposed on a MODERN device this way is just too cool.

    Right now there are MANY P'o'd execs at Apple, and a bunch of engineers going crap (but quietly thinking man is this cool)

    I wonder how many other things this can be applied to , for reverse engineering of bootloaders, roms, etc.

    I would have fried a dozen gamecubes 2 years ago trying this method had I been given the idea then, (Yeah I know all the goofy bootloader stuff NOW in the last 6 months ) for GC is out,

    KUDOS, now I might actually buy one.
    • by Stiletto ( 12066 ) on Saturday January 29, 2005 @06:27PM (#11516337)
      Right now there are MANY P'o'd execs at Apple, and a bunch of engineers going crap (but quietly thinking man is this cool)

      I don't know of any software or hardware engineer who would give a damn if one of their users coaxed something out of their product that they were told to try to hide. Most engineers understand the futility of trying to prevent users from accessing their code or data. I've never heard an engineer introduce the idea of encrypting their own data or code--the idea always comes from the bean counters or management.
      • True , but usually its the engineer in the end that gets the shitstorm from above when it DOES get hacked. REGARDLESS of if its their fault or NOT

        Why ? the beancounters and deadweight,,,, uhh managment for the most part have no clue what really make things tick. Now Jobs or the like are probably thee ones who would get it , and may be kind enough to run interference for the engineers...yeah right...

        IN the end the bean counters will blame the engineers out loud, but not do anything about it because down de
        • "Why ? the beancounters and deadweight,,,, uhh managment for the most part have no clue what really make things tick. Now Jobs or the like are probably thee ones who would get it , and may be kind enough to run interference for the engineers...yeah right..."

          I've a feeling Jobs has been running interference for The Rest of Us for quite a long time now. He's playing the record industry, stockholders, and the movie industry in a carefully planned game that will break the way we used to do a lot of things. He'
    • The other way is to make the CPU and related circuitry "talk" via an AM radio sitting by the case. Of course back when the CPU was 2-4MHz this was easy as this was within only a few harmonics of the band - but at the near and beyond GHZ this might be a bit problematic.

      And then there was playing the 1812 on the chain printer... but that's a different story ;)

    • by teknomage1 ( 854522 ) on Saturday January 29, 2005 @07:20PM (#11516664) Homepage
      I intend to use this technique to revere engineer the clock on my VCR. That 12:00 just keeps blinking at me, defiantly.
  • by Tjoppen ( 831002 ) on Saturday January 29, 2005 @06:10PM (#11516246)
    I have fiddled a little bit with similar stuff.. Transmitting data via sound.
    Basically I made a program that analyzes(FFT-ish) whatever comes in through the mic.
    The sent data was beeps at 375Hz(zero) and 1500Hz(one). I was able to recieve data from a range of ~5m at around 50bps. In real-time no less.

    As an added bonus it annoyed the hell out of my roommates(beepbeepboopboopbeep..)
    • You might want to read up on FFSK. You get a much higher data rate for the same bandwidth. We did FFSK modems in software on crappy processors years ago. Sampling at 8 times data rate works quite well.

      Or you could really go for it, and use a well known modem algorighm. People can do 56k modems in software - but you need to have an A to D resolution of more than one bit!

      If using piezo, you might want to concentrate around 3khz or so for best response.

  • by jean-guy69 ( 445459 ) on Saturday January 29, 2005 @06:12PM (#11516262)
    isn't this what we usually call a modem ?

  • blindPod? (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Saturday January 29, 2005 @06:15PM (#11516277) Homepage Journal
    I read the Googlecached story, karmawhored into this thread. It seems he kept the Apple bootloader, but rewrote the iPod "OS" with Linux. Then wrote a program to cat the stored bootloader to the piezo speaker, recorded that, then decoded the audio back to its bits - revealing the bootloader bit image.

    Clever, but necessary? Does iPod Linux not give HW access for sending data over the iPod Firewire? If he can strobe the speaker, can't he strobe the headphone jack, for better fidelity and bandwidth? I understand the esthetics of this goofy, clever hack - worth doing even if just for the sake of weirdness. But was it necessary?
    • Re:blindPod? (Score:3, Informative)

      by ryanr ( 30917 ) *
      Yes. At the time, the only bit of hardware he knew how to control was the piezo. In the PP5020 models, most of the hardware is at a different address, so the knowledge from previosu models was of limited use. The existing iPodLinux would essentially die right away on the 4Gs and above.

      Now that he has dumped the firmware, he knows where most of the other hardware is mapped.
  • by deutschemonte ( 764566 ) <lane,montgomery&gmail,com> on Saturday January 29, 2005 @06:20PM (#11516301) Homepage
    Sure but can it run linux?

    Wait, umm....

    Oh!

    Imagine a Beowulf Cluster of these things!
  • ... that is one of the most impressive pieces of lateral thinking that I have ever seen. I am thoroughly impressed.
  • Combining this story with the previous one:
    http://science.slashdot.org/article.pl?sid=05/01/2 9/1815242&tid=217&tid=14 [slashdot.org]
    and I for one welcome our new iPod overlords.
  • by Drunken_Jackass ( 325938 ) on Saturday January 29, 2005 @06:33PM (#11516371) Homepage
    I read the Google cache, and Google should hire him. If he doesn't already work there. This type of thinking is what Google is all about. I think. I'm not smart enough to be sure.
  • Leave it to some meth-head to figure this crap out. :-P
  • I'm sure plenty of users here have used WinAmp over the years. You've probably also used any number of different "plugins" for it. Some of my favorites are the ones that do "AGC" (Automatic Gain Control) on the playback audio. The better ones have settings for attack/release, min/max gain, etc. This process works to keep the playback volume relatively constant: Quiet passages are brought up, loud ones reduced.

    It would be cool if the iPod/Linux software could incorporate such functionality, along with some
  • Instead of sitting by idly for 213 minutes while the data transferred, he could have taken some of that time to implement compression, thus increasing throughput and decreasing the overall transfer time. :)

    http://slashdot.org/comments.pl?sid=137702&cid=11 5 15142 [slashdot.org]

    On a serious note, that was an admirable (and true) hack. Although there were several potential routes to extract the bootloader (FireWire, iPod's normal file transfer mechanism, analog data out the headphone jack), he took the path of lea
  • by TJ_Phazerhacki ( 520002 ) on Saturday January 29, 2005 @08:29PM (#11517011) Journal
    This is reminiscent of certain payphones and CC Whistles.... Kudos for thinking outside the box - I am honestly more impressed with this than just about any hack I'v seen in recent months. And as for functionality - Who cares? Doing it for the sake of doing it - thats where things like Linux and the whole open source movement are founded.
  • Bizarre! HURMMPH! (Score:3, Interesting)

    by smchris ( 464899 ) on Saturday January 29, 2005 @08:51PM (#11517124)
    I'll have that young whippersnapper know that those of us who loaded up our home computers from cassette tape recorders could tell by the volume whether we would get a good load and even learn to tell when the load was about done for specific programs.
  • by wtarreau ( 324106 ) on Sunday January 30, 2005 @02:20AM (#11518502) Homepage
    On an old computer 15 years ago (it was not really a PC yet), I had no sound output and wanted to experiment with sound processing. so I used the 5" floppy drive's LED which I could blink up to about 100 kHz, in front of which I put a photodiode connected to my amplifier's input. I had to turn of the lights to remove the 50 Hz background noise, but then I could hear the sounds really well. I even played using a PWM code to be able to output analogue levels.

    It was funny to do all this when computers were not as equipped as they are today. Now we're just users and nothing more.
  • by ArbitraryConstant ( 763964 ) on Sunday January 30, 2005 @02:22AM (#11518518) Homepage
    I assume someone's going to try this with the iPod shuffles.

    I guess they'll have to use the LED lights to blink the signal out. Hell, they'll probably have to use the LEDs to blink the interface out too.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...