Booting a jailbroken iPod 2G using a microcontroller
Note: See the update at the bottom of this post, which may remove the need for an external power supply.
In a previous post I described how to create a serial cable to be able to communicate with your iPod. Now this is great, but getting a microcontroller to do the same allows you to create accessories for your iPod which add extra features. For example you could turn your iPod into a TV remote, add GPS, or create a dongle which is able to perform the arm7_go exploit required for the (only publicly available) iPod 2G jailbreak, redsn0w. Throughout this post I will be referring to the previous tutorial, so make sure you have read it, even if you don't need a serial cable (having one is recommended, though).
It is by no means a complete howto on creating a portable dongle solution, but it will provide a sample implementation which is able to boot a redsn0w prepared iPod without the use of a PC. With a little (electronics engineering) creativity an avid tinkerer might be able to turn it into something one can actually carry around.
You will need to prepare your iPod by installing redsn0w, as well as preparing the arm7_go exploit commands in an iBoot environment variable for easy execution. Preparing your iPod is outside the scope of this tutorial, but hints on doing so can be found at the Dev Team wiki.
Components
The microcontroller used in this example is Atmel's ATtiny2313, as it's cheap, easily obtainable, and has a hardware USART which makes setting up a serial connection a breeze. Last but not least, there's a port of GCC for AVR, so you're able to compile C code for AVR microcontrollers on all major platforms. If you're already familiar with e.g. PICs, you can of course use one of those, but the microcontroller pinout and example code will be quite useless.
Just like in the previous tutorial, you will need an iPod dock connector (or PodBreakout for easier soldering) and a 3.3V power source. Ideally a dongle would be powered by the iPod itself, but some testing shows that the VCC pins are only powered when the Apple OS boots - the exploit needs to be performed before that, so the VCC pin cannot be used. As an alternative you can use a wall adapter and a few batteries together with an LM1117-3.3 until someone comes up with a better solution. Refer to the previous post for more information on where to get the dock connector and how to build the LM1117-3.3 power supply.
You will need at least the following parts:
- An ATtiny2313
- An AVR programmer
- iPod dock connector
- 470kΩ resistor
- 3.6864MHz crystal
- 2x 22pF capacitor
- A soldering iron, tin, a piece of prototyping board, some wire and preferably a breadboard for easy testing.
Optional (and recommended):
- A serial cable which supports 3.3V TTL to be able to individually verify whether both your iPod and AVR's serial interface work. You can use an FTDI USB serial TTL module (available at the FTDI shop, Sparkfun or eBay) or follow the previous tutorial to build a MAX3232 based converter (serial port required).
If you do not have an AVR programmer yet, you can either buy a preassembled one (USB, serial or parallel) or simply build one yourself. A DB25 connector, four resistors and some wire is all you need for a (working) AVR parallel programmer. A nice schematic can be found here. You can either program the AVR out of circuit, or add a header/socket suitable for your programmer and program the AVR in-system (ISP). Commonly a 6 or 10 pin connector is used for the ISP, as shown below. Page 2 of the ATtiny2313 datasheet describes the corresponding pins on the microcontroller itself.
The 470kΩ resistor is required to enable serial communication on the iPod side. Once again, you can find a more detailed pinout of the dock connector (as it's used in this guide) in the previous post.
As the serial protocol requires very specific timings, the internal oscillator of the AVR might be too far off (it can have up to a 10% error according to the datasheet). Using an external crystal solves this problem, especially when a specific frequency is used which is in sync with all common baud rates. While you may have some success running the USART at 2400 baud using the internal oscillator, iBoot uses 115200 baud, at which it certainly won't work correctly. You can find a neat overview of error percentages at specific frequencies/baud rates here. We will be using a 3.6864MHz crystal, but you could replace it with any other value that has a 0% error rate at 115200 baud (Atmel recommends a 2.0% max error). Be sure to stay well below 13MHz, as this is the maximum frequency the ATtiny will operate at using a 3.3V input voltage.
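The divisor arithmetic behind that crystal choice, as an added example that is not part of the original post or its download. It uses the AVR USART normal-mode relation baud = F_CPU / (16 × (UBRR + 1)) and the 2.0% limit quoted above; the 0.01% crystal tolerance is an assumed value.

```c
#include <stdio.h>
/* AVR USART, asynchronous normal mode (U2X = 0):
 *   baud = F_CPU / (16 * (UBRR + 1))                        */
typedef struct {
    unsigned ubrr;    /* value for the UBRR register          */
    double actual;    /* baud rate the divisor really gives   */
    double err_pct;   /* deviation from the requested rate, % */
} baud_cfg;

baud_cfg baud_for(unsigned long f_cpu, unsigned long baud)
{
    baud_cfg c;
    /* nearest integer divisor, never below 1 (UBRR = 0) */
    unsigned long div = (f_cpu + 8UL * baud) / (16UL * baud);
    if (div == 0) div = 1;
    c.ubrr = (unsigned)(div - 1);
    c.actual = (double)f_cpu / (16.0 * (double)div);
    c.err_pct = (c.actual / (double)baud - 1.0) * 100.0;
    return c;
}

/* Worst-case error once the clock source itself is off by +/- tol_pct. */
double worst_case_err(unsigned long f_cpu, unsigned long baud, double tol_pct)
{
    double ratio = 1.0 + baud_for(f_cpu, baud).err_pct / 100.0;
    double hi = ratio * (1.0 + tol_pct / 100.0) - 1.0;
    double lo = 1.0 - ratio * (1.0 - tol_pct / 100.0);
    if (hi < 0) hi = -hi;
    if (lo < 0) lo = -lo;
    return 100.0 * (hi > lo ? hi : lo);
}

int main(void)
{
    /* Clock sources from the post; the 0.01% crystal tolerance is assumed. */
    struct { const char *name; unsigned long f, baud; double tol; } t[] = {
        { "3.6864MHz crystal",   3686400UL, 115200UL, 0.01 },
        { "8MHz internal RC",    8000000UL, 115200UL, 10.0 },
        { "1MHz internal RC/8",  1000000UL, 115200UL, 10.0 },
        { "1MHz internal RC/8",  1000000UL,   2400UL, 10.0 },
    };
    for (unsigned i = 0; i < sizeof t / sizeof t[0]; i++) {
        baud_cfg c = baud_for(t[i].f, t[i].baud);
        double w = worst_case_err(t[i].f, t[i].baud, t[i].tol);
        printf("%-20s %6lu baud: UBRR=%u, divisor error %+.1f%%, worst case %.1f%% -> %s\n",
               t[i].name, t[i].baud, c.ubrr, c.err_pct, w, w <= 2.0 ? "ok" : "out of spec");
    }
    return 0;
}
```

The 1MHz row at 2400 baud has a small divisor error, so whether it works depends entirely on how far the individual chip's RC oscillator drifts.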
Building
Putting everything together is fairly straightforward. Although the ATtiny RX to iPod TX line isn't required to make a working dongle, you'll need it if you'd like to do anything with data coming from the iPod. If you're using an in-system programmer which supplies power to the μC, make sure you disconnect the rest of the circuit (the iPod dock connector) to avoid frying your iPod - most ISPs supply 5V. The 3.3V power supply (used for normal operation) should work fine for programming as well.
Software
The example program allows the ATtiny to boot your iPod using the redsn0w exploit. To allow for easier verification of a correctly working microcontroller (e.g. by connecting it to your computer using a serial cable) 'run rs\n' is sent every second in an infinite loop.
You can program the AVR using avrdude on any platform. The code may be compiled using avr-gcc. If you're using Windows, you should install WinAVR, which includes a nice editor (Programmer's Notepad) as well as a compiler and avrdude. Linux users probably have a package for avr-gcc and avrdude in their distro's repositories.
A download link is provided at the end of this tutorial. Included is the code, a Makefile and the program in (compiled) Intel .hex format (for a 3.6864MHz crystal). You can either open the included project in Programmer's Notepad (on Windows) and program using Tools > [WinAVR] Program, or on any other platform simply cd to the directory and issue a 'make program'. Be sure to edit the Makefile first, especially paying attention to the AVRDUDE_PROGRAMMER and AVRDUDE_PORT variables. The settings can be left unchanged if you built the parallel programmer to which I've provided a link before. If you're using a different crystal you should change the F_CPU variable and recompile before programming.
Fuses
Atmel allows you to reconfigure several AVR device settings by setting so-called fuses (they're not actual fuses, but simply bits stored in flash). The factory default fuse settings tell the ATtiny2313 to use the internal RC oscillator as a clock source (controlled using the CKDIV3..1 bits), divided by 8 (by enabling the CKDIV8 bit). The internal oscillator runs at 8MHz, which results in a 1MHz clock when divided by 8. We will have to change the fuse bits so the external 3.6864MHz crystal is used instead. Avrdude can modify the fuses for you, by running the following command:
avrdude -c pony-stk200 -p attiny2313 -P lpt1 -U lfuse:w:0xEC:m -U hfuse:w:0xDF:m
This writes the correct lfuse and hfuse bytes for use with our crystal (and disables CKDIV8). If you're using a different programmer, adapt the -P and -c options accordingly.
To obtain a nice list of all supported programmer types, run:
avrdude -c ?
For a full overview of all fuse settings, take a look at the ATtiny2313 datasheet.
Testing
Having built the circuit and programmed the software and fuses, you should be all set up. Power on your iPod and enter recovery mode. Then insert the dock connector, and the iPod should boot the jailbroken Apple OS. Mission complete.
You can download the example code and Makefile from: http://pargon.nl/iphone/files/ipt2g_rs_dongle.zip
Update: It was previously suggested to me that pin 27 is +3.3V, but I did not find anything on my iPod (which is a 1G). MuscleNerd was kind enough to check both his 1G and 2G, and was able to confirm that USB D+ (pin 27) is powered only on the 2G (thanks!).
You may be able to power your microcontroller from it - thus removing the need for the LM1117-3.3 and external power source, although I'm not sure whether Apple intended it to be used in that way.



October 4th, 2009 at 22:51
It's quite nostalgic to read this =P