MediaWiki API result

{
    "batchcomplete": "",
    "continue": {
        "gapcontinue": "RetailOS_Options",
        "continue": "gapcontinue||"
    },
    "query": {
        "pages": {
            "416": {
                "pageid": 416,
                "ns": 0,
                "title": "Restore iPod without iTunes",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "Ok, so you have an iPod Classic (80, 120 or 160 GB), or a Nano (3G or 4G should work, can't speak for the newer models). You have done something bad to it, like changing the firmware or deleting something you shouldn't have deleted, and you want to bring it to life? Great, that's the article you're looking for!\n\nFirst, you should try restoring it with iTunes. But it probably won't recognise it, unless you put it in DFU mode. Here's a video on how to achieve this:\n\nhttps://www.youtube.com/watch?v=Y_bIDtBohnE\n\nThen use iTunes' Restore option. It should actually ask you to do it, just accept it and it would be back to life in a minute or two.\n\n''But, .... it doesn't work! What should I do? It's BROKEN!''\n\nCalm down, and keep reading...\n\n=The standard disclaimer=\n'''THE SOFTWARE AND INSTRUCTIONS ARE PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR INSTRUCTIONS, OR THE USE OR OTHER DEALINGS IN THE SOFTWARE OR INSTRUCTIONS.'''\n\nContinue reading only if you agree.\n\n=Prerequisites=\n* An iPod (Classic - also known as iPod 6G/7G) (It works for Nanos, but the files are different!)\n* Computer with Windows (Linux tutorial coming soon, it's mostly the same except that you don't need to care about drivers, but need to build ipodscsi from source)\n* Patience\n\n=Overview of the procedure=\n# You put the iPod into DFU mode\n# You send the first stage of the restore firmware (called \"WTF\") to the iPod using mks5lboot\n# The iPod reconnects with different USB IDs\n# You send the second stage of the restore firmware (called \"FIRMWARE\") to the iPod using mks5lboot\n# The iPod shows a monochrome disk mode screen\n# You repartition the hard disk, upload the new firmware and reboot the iPod - all these three at once using ipodscsi\n# Your iPod is working again. Yay!\n\nYou're ready? Ok, let's do it!\n\n=Steps to restore=\n\n<s>There's also a video of (almost) the whole procedure. The commands are longer, because I have the files in different directories. 
Also, it doesn't show USB driver installation, because I already have them installed.\n\nLink to the video: https://www.youtube.com/watch?v=6-nEXXv8_PY</s>\n\nThe video is outdated, showing the old procedure (using Python/pyusb and ipoddfu.py).\n\n==Putting the iPod into DFU mode==\n# Get a USB to iPod dock cable.\n# Connect it to your computer.\n# Get your iPod.\n# Lock the '''HOLD''' switch, then unlock it after a second.\n# Connect the USB cable to the iPod.\n# During the next two steps, disregard what happens on the iPod's screen, just do what we ask you to.\n# Hold down '''MENU''' + '''SELECT''' (the center button) for 12 seconds (count to 12, just to be sure that your timing is right).\n# Release the buttons.\n# You're in DFU mode.\n\nHere's a video, to make it more clear: https://www.youtube.com/watch?v=Y_bIDtBohnE\n\n==Uploading the first restore stage (WTF)==\n\"What the f*ck\"? No, probably means '''W'''riting '''T'''he '''F'''irmware or '''W'''aiting for '''T'''he '''F'''irmware - we never found out. Who cares, anyway.\n\n1. Press the Start menu button.\n\n2. Type '''cmd''' and press '''Enter'''.\n\n3. In the black window that opens, type '''cd Desktop''' and press '''Enter'''.\n\n4. Download one of these files to your Desktop, depending on the Windows version you have (x86 = 32-bit, x64 = 64-bit): \n[https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot32.exe mks5lboot32.exe] OR [https://files.freemyipod.org/~user890104/bootloader-ipodclassic-v1_0/Windows/mks5lboot64.exe mks5lboot64.exe] (Right-click, then choose Save link as...).\n\n5. And this one too, from Apple's servers: [http://appldnld.apple.com/iPod/SBML/osx/bundles/041-8552.20121203.Bile3/x12230000_Recovery.ipsw x12230000_Recovery.ipsw] (I hope they won't delete it at some point, because we can't legally host it on our server).\n\n6. Go to your desktop, and rename the '''ipsw''' file to '''zip'''.\n\n7. 
Use your favourite tool to extract the zip, '''WinZip''', '''WinRAR''' and '''7-zip''' will do it well, even Windows' integrated ZIP extractor will do.\n\n8. Open the extracted folder, and go to '''Firmware''' -> '''dfu'''. There should be a file named '''WTF.x1223.RELEASE.dfu''' there. Copy it to the desktop.\n\n'''Please note that the commands here are for the 32-bit version, which should work on all Windows versions - if you choose to use the 64-bit version, please enter mks5lboot64.exe instead of mks5lboot32.exe in the following commands!'''\n\n9. Back in the black window, type: (or copy/paste)\n mks5lboot32.exe --dfuscan\nand press Enter.\n\nYou should see a message similar to the following, showing that your iPod is detected. If not, please ask for support and do not continue.\n mks5lboot Version -170303\n This is free software; see the source for copying conditions.  There is NO\n warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>\n [INFO] DFU scan:\n [INFO] winapi: found \\\\?\\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\\0001\n [INFO] DFU device state: 2\n10. Enter the following command:\n mks5lboot32.exe --dfusend WTF.x????.RELEASE.dfu\nYou should see the following output:\n mks5lboot Version -170303\n This is free software; see the source for copying conditions.  There is NO\n warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>\n [INFO] winapi: found \\\\?\\USB#VID_05AC&PID_1223#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\\0001\n [INFO] DFU image sent successfully (35955 bytes)\nIf you see something different, stop here. Otherwise, go ahead.\n==Uploading the second restore stage (FIRMWARE)==\n1. Enter the following command:\n mks5lboot32.exe --dfuscan\nYou should see the following output:\n mks5lboot Version -170303\n This is free software; see the source for copying conditions.  
There is NO\n warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>\n [INFO] DFU scan:\n [INFO] winapi: found \\\\?\\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\\0001\n [INFO] DFU device state: 2\n2. On the line that has a \"found\" text, look for the USB Product ID. It is the four symbols after the text '''PID_'''. In this example, it's 1245 which means a Classic 2G (120GB).\n\n3. Download one of the following files, depending on your iPod's model/product ID.\n* For '''Classic 1G''' (USB PID 1241), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4728.20080707.Vlo09/x12410000_Recovery.ipsw x12410000_Recovery.ipsw].\n* For '''Classic 2G''' (USB PID 1245), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4962.20080909.Aaqs3/x12450000_Recovery.ipsw x12450000_Recovery.ipsw].\n* For '''Classic 3G''' (USB PID 1247), download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-7299.20091217.Bghyt/x12470000_Recovery.ipsw x12470000_Recovery.ipsw].\n4. As before, rename it to zip and extract it.\n\n5. Go inside the folder '''Firmware''' -> '''dfu''', and copy the file to your desktop. It should be named '''FIRMWARE.x****.RELEASE.dfu''' where **** is the USB ID of your iPod at the moment.\n\n6. Enter the following command:\n mks5lboot32.exe --dfusend FIRMWARE.x????.RELEASE.dfu\nand press Enter.\nYou should see the following output:\n mks5lboot Version -170303\n This is free software; see the source for copying conditions.  
There is NO\n warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br>\n [INFO] winapi: found \\\\?\\USB#VID_05AC&PID_1245#87020000000001#{B8085869-FEB9-404B-8CB1-1E5C14FA8C54}\\0001\n [INFO] DFU image sent successfully (1157699 bytes)\nAfter 10-20 seconds, you should see an Apple logo on the screen, and after a couple more seconds a white screen with a stop sign and text '''Do not disconnect''' at the bottom. Windows might want to reformat it, say '''No''' if it does. Continue to the next step.\n==Final step: Install Apple's firmware==\n# You're almost there. Go to http://www.felixbruns.de/iPod/firmware/ and download the latest firmware for your iPod model.\n# As you might have guessed, you need to rename the '''ipsw''' to '''zip''', and extract it.\n# In that folder, you'll find a file named '''Firmware-XX-X.X.X''' (X's depending on the model and version). Copy it to the desktop.\n# Download [http://files.freemyiPod.org/misc/ipodscsi.exe ipodscsi.exe] to your desktop.\n# Open '''Windows Explorer''', and look for your iPod. It should be in the Removable drives section. Take a note of its drive letter (e.g. '''F:''').\n# Open the black window, and type:\n ipodscsi.exe F: ipod6g writefirmware -p -r Firmware-*\nYou should see:\n ipodscsi v. 0.1.0 r959 - Copyright 2011 by Michael Sparmann (TheSeven)\n This is free software; see the source for copying conditions.  There is NO\n warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n \n Repartitioning... done\n Initiating firmware transfer... 
done\n Writing firmware................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ................................................................................\n ...... done\n Rebooting device... done\n\nYour iPod will reboot. You'll see a black screen with an Apple logo, and a progress bar at the bottom. Then it will, again, show you another Apple logo for a while, and finally start Apple's firmware.\n\nIt should be safe to format it at this point. Use '''FAT32''' as filesystem. Windows isn't going to allow you to format large devices with '''FAT32''', so you might need to use a third-party tool. 
[http://www.ridgecrop.demon.co.uk/index.htm?guiformat.htm FAT32 Format] is a good choice.\n\nThen use iTunes to manage your music/videos. Or [https://files.freemyipod.org/~user890104/bootloader-ipodclassic.html install Rockbox].\n\nEnjoy your unbricked iPod!\n\n=Related info=\n* [[Modes|USB Modes of iPods]]\n* [[Nano4G_firmware_upgrade_process|Nano 4G (also Nano 3G and Classics') firmware upgrade process]]\n* [http://www.felixbruns.de/iPod/firmware/ iPod Firmware download (from Apple's servers)]\n* [http://phobos.apple.com/version Links to all firmware packages of i-devices, hosted by Apple (warning - very large file)]"
                    }
                ]
            },
            "6426": {
                "pageid": 6426,
                "ns": 0,
                "title": "RetailOS",
                "revisions": [
                    {
                        "contentformat": "text/x-wiki",
                        "contentmodel": "wikitext",
                        "*": "The stock operating system running on non-iOS iPods. It runs everything from device drivers to the clickwheel user interface.\n\n== Naming ==\n\nThe only 'official' name seems to be 'retailOS', found in the [[Nano 3G]] WTF. It is also referred to as 'osos' per the file name in the resource partition of the firmware bundle.\n\n== Architecture ==\n\nretailOS is a small, embedded, single-user, single-binary, real time operating system. With time it acquire more and more complex functionality, like PowerVR drivers and being able to load external applications ('eApps') which are used for games.\n\nThe core of the system is based on RTXC 3.2, with the end-user interface based on intellectual property from a company called Pixo. <ref>https://web.archive.org/web/20230224105131/https://twitter.com/johnwhitley/status/1451952369248264201</ref>\n\n== Security ==\n\nAs evidenced by the success of the [[Notes vulnerability]], at least up to Nano 4G there was no kind of security hardening, and in fact all processes, including games, seem to be running in ARM system mode. This should make exploitation of newer retailOS bugs trivial.\n\n=== Boot chain ===\n\nretailOS is loaded by the second-stage bootloader (stored on NOR/NAND depending on the device generation), from NAND into DRAM.\n\nWhile other stages of the boot chain (eg. the bootloader, WTF mode in newer devices, the diagnostics tool) are based around EFI firmware volumes and an EFI runtime, retailOS is a single binary blob without any built-in modularity.\n\n=== eApp Signing ===\n\nNot yet documented fully. Each game seems to ship with a Manifest.plist.p7p which is a PKCS#7 signature for the main Manifest.plist.\n\n== Options ==\n\nWe have found some 'secret' options that can be set by creating specially named files. 
See [[RetailOS_Options|Options]].\n\n== Analysis / Memory Layout ==\n\nLoading RetailOS correctly into a decompiler/disassembler is tricky, as the contents of the IMG1 image are a binary blob which self-relocates to the correct places in memory.\n\nThese are the memory segments within RetailOS that we know of (at least on Nano 5G):\n\n{| class=\"wikitable\"\n|-\n! Name !! Marker !! Location in memory !! Description\n|-\n| sram.text || n/a || SRAM 0x22000000 || SRAM-resident code, most of RTXC lives here.\n|-\n| sram.bss || n/a || SRAM 0x22030000 || SRAM-resident zero data.\n|-\n| sram.data || n/a || SRAM 0x22030000 + sram_bss_size || SRAM-resident data.\n|-\n| dram.textdata || hibe || DRAM 0x08000000 || Combined .text and .data which lives in DRAM. Bulk of code lives here.\n|-\n| dram.frameworks || miscTBD || DRAM 0x08000000 + dram_textdata_size || 'Framework' system of some kind, interfaces used by eApps.\n|-\n| dram.bss || n/a || DRAM 0x08000000 + dram_textdata_size + dram_frameworks_size || DRAM-resident zero data.\n|}\n\nAnd here's how the segments are built up within the RetailOS binary blob:\n\n{| class=\"wikitable\"\n|-\n! Address !! Name !! Size\n|-\n| Start || sram.text || sram_text_size\n|-\n| || sram.bss || sram_bss_size\n|-\n| || sram.data || sram_data_size\n|-\n| || dram.text || dram_text_size\n|-\n| End || dram.frameworks || dram_frameworks_size\n|}\n\n(yes, the firmware blob ships a sram.bss physically in the file)\n\nSo the goal to be able to load the binary is to figure out the segment sizes and then load them into a decompiler/disassembler. \n\nHere, we'll show how to figure out the segment sizes for N5G. First, load the RetailOS body (without the header!) at 0x22000000 in a decompiler. 
We load it there (instead of into DRAM as it is done on the device) as the stub relocates to this address first by performing the SRAM .text/.data copies very early in the process, and the code is position independent for only a short time.\n\nThen, look at the start function (follow the reset vector):\n\n<pre>\nvoid start(void) { // 0x2200505c\n    int offs = relocation_offset();\n    /* ... peeks/pokes to bus matrix periph at 0x3ff00000 ... */\n    if (offs != 0) {\n        relocate(offs);\n    }\n    (*0x22000000) = 0xea000007;\n    zero_bss();\n}\n</pre>\n\nrelocation_offset will return 0 if the stub is already at 0x22000000, so will return 0 for the way we've loaded it. On a real device, this will be 0x22000000 - 0x08000000 == 0x1a000000, as the real device loads RetailOS into DRAM first. Thus, relocate() will be called:\n\n<pre>\nvoid relocate(int offs) { // 0x22005ec8\n  int iVar1 = -offs;\n  void *blob_start = iVar1 + 0x22000000;\n  memmove(0x22000000, blob_start, 0xe27c); // copy sram.text\n  memzero(0x22000000 + 0xe27c, 0xbc4); // zero out sram.bss within blob\n  memmove(0x22030000, 0x22000000 + 0xe27c + iVar1, 0x20000); // copy sram.bss + sram.data\n  jump_offset(offs);\n  memmove(0x08000000, 0x22000000 + 0xe27c + 0x20000 + iVar1, 0x6c3768); // copy dram.textdata\n  memmove(0x08000000 + 0x6c3768, iVar1 + 0x22000000 + 0xe27c + 0x20000 + 0x6c3768, 0xc40); // copy dram.frameworks\n  start();\n  return;\n}\n</pre>\n\nThe above listing shows reconstituted address calculations - in a plain decompilation, all the additions will of course be simplified to a single constant. 
But you should be able to figure out the following:\n\n# sram_text_size is 0xe27c\n# sram_bss_size is 0xbc4\n# sram_bss_size + sram_data_size is 0x20000\n# dram_textdata_size is 0x6c3768\n# dram_frameworks_size is 0xc40\n\nThen, in zero_bss we can find the size of dram.bss:\n\n<pre>\nvoid zero_bss(void) { // 0x22005fec\n    memzero(0x2200e27c, 0xbc4); // zero out sram.bss\n    // inlined memzero:\n    void *start = 0x08000000 + 0x6c3768 + 0xc40;\n    int size = 0x790a84;\n    // ...\n}\n</pre>\n\nFrom which we can figure out that the dram.bss segment size is 0x790a84.\n\nThus we can load the file like so (combining sram.bss and sram.data) into a 'clean' decompiler/disassembler session:\n\n{| class=\"wikitable\"\n|-\n! Name !! Memory Address !! File Offset\n|-\n| sram.text || 0x22000000 || 0x00000000\n|-\n| sram.bssdata || 0x22030000 || 0x0000e27c\n|-\n| dram.textdata || 0x08000000 || 0x0002e27c (0xe27c + 0x20000)\n|-\n| dram.frameworks || 0x086c3768 || 0x006f19e4 (0xe27c + 0x20000 + 0x6c3768)\n|-\n| dram.bss || 0x086c43a8 || n/a (0x790a84 zeroes)\n|}\n\nWriting an automated converter into ELF from arbitrary RetailOS blobs is an exercise left to the reader.\n\n== RTXC == \n\n=== Documentation ===\n\nThis seems to be the best public document available about RTXC 3.2: [https://web.archive.org/web/20230218212424/https://datasheet.datasheetarchive.com/originals/library/Datasheets-AS2/DSAAXSA0003458.pdf DSAAXSA0003458.pdf]. It contains example code for most services, but unfortunately is still missing any structure definitions.\n\nThere's also some training slides available: [https://ia801800.us.archive.org/26/items/manualzilla-id-5752851/5752851.pdf 5752851.pdf]. These introduce the general architecture and concept of RTXC 3.2. \n\n=== Services / Syscalls ===\n\nWhile RTXC documentation speaks mostly of 'kernel services' (which are defined as C function signatures/symbols), we like to talk about 'syscalls' and 'syscall numbers' when reverse engineering retailOS. 
All service functions go through a central dispatch function and that's the easiest point to start reverse engineering the kernel service interface.\n\nThe dispatcher receives a saved caller state which contains a pointer to a serialized syscall request in its saved R0. The syscall request is a trivial structure containing a syscall number and arguments. The dispatcher is executed with interrupts enabled (and thus is non-preemptable) and performs actual work on kernel structures. There is no privilege-granting 'gate' mechanism, all caller code is just as privileged as the kernel code.\n\nService functions in turn prepare the syscall request structure (including syscall number), and then call an intermediary state saving function which then calls the dispatcher after disabling interrupts. Some syscall numbers are used by multiple service functions, with some extra arguments in the request being used to decide on the behaviour of the service call (eg. blocking/nonblocking).\n\nThe following table comes from cross-referencing retailOS, publicly available RTXC PDFs and publicly available RTXC binaries with debug symbols.\n\n{| class=\"wikitable\"\n|-\n! Name !! Number !! 
Description\n|-\n| <code>void KS_pend(SEMA sema)</code> || 0x03 || Semaphore DONE -> PENDING.\n|-\n| <code>RTXCMSG *KS_receive(MBOX mailbox, TASK task)</code> || 0x05 || Receive from mailbox.\n|-\n| <code>KSRC KS_enqueue[w](QUEUE queue, void *entry)</code> || 0x0c || Push into FIFO (and block if full with 'w' variant).\n|-\n| <code>void KS_dequeue[w](QUEUE queue, void *dest)</code> || 0x0d || Pop from FIFO (and block if empty with 'w' variant).\n|-\n| <code>KSRC KS_lock(RESOURCE resource)</code> || 0x0e || Lock a resource.\n|-\n| <code>KSRC KS_lockt(RESOURCE resource, TICKS timeout)</code> || 0x0e || Lock a resource with timeout.\n|-\n| <code>KSRC KS_unlock(RESOURCE resource)</code> || 0x0f || Unlock an owned resource.\n|-\n| <code>CLKBLK *KS_alloc_timer(void)</code> || 0x10 || Allocate next free timer from pool.\n|-\n| <code>CLKBLK *KS_start_timer(CLKBLK *timer, TICKS initial_period, TICKS cycle_time, SEMA sema)</code> || 0x12 || Start timer.\n|-\n| <code>KSRC KS_stop_timer(CLKBLK *timer)</code> || 0x13 || Stop timer.\n|-\n| <code>void KS_delay(TASK task, TICKS period)</code> || 0x14 || Block specified task for a period of time.\n|-\n| <code>void KS_execute(TASK task)</code> || 0x15 || Start a task from its beginning address.\n|-\n| <code>KSRC KS_deftask(TASK task, PRIORITY priority, char *stack, size_t stacksize, void (*entry)(void))</code> || 0x16 || Define the attributes of an inactive task.\n|-\n| <code>TASK KS_alloc_task(void)</code> || 0x17 || Allocate the next available Task Control Block from the pool of free TCBs. 
\n|-\n| <code>void KS_terminate(TASK task)</code> || 0x18 || Stop a task by setting it to INACTIVE.\n|-\n| <code>void KS_suspend(TASK task)</code> || 0x19 || Suspend a task until resumed or re-executed.\n|-\n| <code>void KS_defpriority(TASK task, PRIORITY priority)</code> || 0x1b || Define or set priority of task.\n|-\n| <code>void KS_yield(void)</code> || 0x1c || Voluntary release of control to any other task of the same priority.\n|-\n| <code>SEMA KS_waitm(SEMA *semalist)</code> || 0x22 || Wait on multiple semaphores.\n|-\n| <code>time_t KS_inqtime(void)</code> || 0x24 || Get current time-of-day.\n|-\n| <code>void KS_deftime(time_t time)</code> || 0x25 || Set current time-of-day.\n|-\n| <code>TASK KS_inqres(RESOURCE resource)</code> || 0x26 || Get owner of resource.\n|-\n| <code>KSRC KS_defres(RESOURCE resource, RESATTR condition)</code> || 0x27 || Define priority inversion on resource.\n|-\n| <code>void *KS_inqtask_arg(TASK task)</code> || 0x28 || Get environment arguments of task.\n|-\n| <code>void KS_deftask_arg(TASK task, void *arg)</code> || 0x29 || Set environment arguments for task.\n|-\n| <code>KSRC KS_defqueue(QUEUE queue, size_t width, int depth, void *body, int currsize)</code> || 0x2e || Define queue.\n|-\n| <code>int KS_user(int (*func) (void *), void *arg)</code> || 0x30 || Execute function as if it were kernel service.\n|}\n\nThe RTXC memory allocation facilities (<code>KS_alloc/free/create_part/alloc_part/defpart/free_part</code>) are ''not'' used by retailOS and not built into the service dispatcher, at least on [[Nano 5G]].\n\n=== Semaphores ===\n\nThe following semaphores are defined in the [[Nano 3G]] retailOS:\n\n{| class=\"wikitable\"\n|-\n! Number !! Name !! 
Description\n|-\n| 0x01 || <code>S_FW_PWR_CHANGE</code> || \n|-\n| 0x02 || <code>S_BAT_PWR_CHANGE</code> || \n|-\n| 0x03 || <code>S_USB_PWR_CHANGE</code> || \n|-\n| 0x04 || <code>S_CNA_CHANGE</code> || \n|-\n| 0x05 || <code>S_WHEEL_CHANGE</code> || \n|-\n| 0x06 || <code>S_DISKMGRQ</code> || \n|-\n| 0x07 || <code>S_TOPPLUG_SWITCH</code> || \n|-\n| 0x08 || <code>S_RTCTIMERMGR</code> || \n|-\n| 0x09 || <code>S_ALARM_01</code> || \n|-\n| 0x0a || <code>S_ALARM_02</code> || \n|-\n| 0x0b || <code>S_ALARM_03</code> || \n|-\n| 0x0c || <code>S_WATCHDOG</code> || \n|-\n| 0x0d || <code>S_CPUMGRQ</code> || \n|-\n| 0x0e || <code>S_PCFPOWERMGR</code> || \n|-\n| 0x0f || <code>S_POWER_STATE_AC</code> || \n|-\n| 0x10 || <code>S_CGR_STATE_TMR</code> || \n|-\n| 0x11 || <code>S_DEEPSLEEP</code> || \n|-\n| 0x12 || <code>S_ALARM_DONE</code> || \n|-\n| 0x13 || <code>S_PIEZOMGR</code> || \n|-\n| 0x14 || <code>S_PIEZOMGRSNDR</code> || \n|-\n| 0x15 || <code>S_PIEZODONE</code> || \n|-\n| 0x16 || <code>S_ACCPOWER</code> || \n|-\n| 0x17 || <code>S_ACC_REINIT</code> || \n|-\n| 0x18 || <code>S_TOPPLUGSENSER</code> || \n|-\n| 0x19 || <code>S_TOPPLUGCHANGE</code> || \n|-\n| 0x1a || <code>S_BTMCONNECT</code> || \n|-\n| 0x1b || <code>S_BTMPLUGCHANGE</code> || \n|-\n| 0x1c || <code>S_BTMREVERIFY</code> || \n|-\n| 0x1d || <code>S_BTMREVERTIMED</code> || \n|-\n| 0x1e || <code>S_BTMVERCOMP</code> || \n|-\n| 0x1f || <code>S_TOPACCPKTRCVD</code> || \n|-\n| 0x20 || <code>S_BTMACCPKTRCVD</code> || \n|-\n| 0x21 || <code>S_SERIALIDRCVD</code> || \n|-\n| 0x22 || <code>S_UARTATXEMPTY</code> || \n|-\n| 0x23 || <code>S_UARTBTXEMPTY</code> || \n|-\n| 0x24 || <code>S_HDDSCANCOMP</code> || \n|-\n| 0x25 || <code>S_BL_ON</code> || \n|-\n| 0x26 || <code>S_BL_OFF</code> || \n|-\n| 0x27 || <code>S_BL_RAMPDOWN</code> || \n|-\n| 0x28 || <code>S_BL_RAMPUP</code> || \n|-\n| 0x29 || <code>S_BL_TIMESUP</code> || \n|-\n| 0x2a || <code>S_BATT_TIMESUP</code> || \n|-\n| 0x2b || <code>S_BATT_AC_PWR</code> || \n|-\n| 0x2c || 
<code>S_BATT_TMR_RST</code> || \n|-\n| 0x2d || <code>S_GRAPHMGR</code> || \n|-\n| 0x2e || <code>S_VBL</code> || \n|-\n| 0x2f || <code>S_DTVRECOVERY</code> || \n|-\n| 0x30 || <code>S_CM_HEADPHONE</code> || \n|-\n| 0x31 || <code>S_CM_EXTPOWER</code> || \n|-\n| 0x32 || <code>S_CM_ACCATTACHED</code> || \n|-\n| 0x33 || <code>S_CM_DAC_SETUP</code> || \n|-\n| 0x34 || <code>S_ATAWRKLPRDY</code> || \n|-\n| 0x35 || <code>S_RTXCBUG</code> || \n|-\n| 0x36 || <code>S_BLOCKDEVICE</code> || \n|-\n| 0x37 || <code>S_BLOCKDEVICEQ</code> || \n|-\n| 0x38 || <code>S_DISPLAY</code> || \n|-\n| 0x39 || <code>S_ARB_READY</code> || \n|-\n| 0x3a || <code>S_I2C_DONE</code> || \n|-\n| 0x3b || <code>S_VSYNC</code> || \n|}\n\nThere are three more semaphores (0x3c, 0x3d, 0x3e) that have no name defined and are likely unused. Anything 0x3f and up is a 'Dynamic' semaphore defined at runtime (which we haven't reversed yet).\n\n=== Queues ===\n\nThe following queues are defined in the [[Nano 3G]] retailOS:\n\n{| class=\"wikitable\"\n|-\n! Number !! Name !! Description\n|-\n| 0x01 || PIXORESQ ||\n|-\n| 0x02 || PIXOSEMAQ ||\n|-\n| 0x03 || POSIXRESQ ||\n|-\n| 0x04 || POSIXSEMAQ ||\n|}\n\n=== Mailboxes ===\n\nThe following mailboxes are defined in the [[Nano 3G]] retailOS:\n\n{| class=\"wikitable\"\n|-\n! Number !! Name !! Description\n|-\n| 0x01 || M_DISKMGR ||\n|-\n| 0x02 || M_PIEZOMGR ||\n|-\n| 0x03 || M_GRAPHMGR ||\n|-\n| 0x04 || M_BLOCKDEVICE ||\n|-\n| 0x05 || M_DISPLAY ||\n|}\n\n=== Resources ===\n\nThe following lockable resources are defined in the [[Nano 3G]] retailOS:\n\n{| class=\"wikitable\"\n|-\n! Number !! Name !! 
Description\n|-\n| 0x01 || GPIO_REG_WRITE ||\n|-\n| 0x02 || GPIO_INT_INIT ||\n|-\n| 0x03 || RTC_TIME_ADJUST ||\n|-\n| 0x04 || RTC_ALARM_ADJUST ||\n|-\n| 0x05 || I2C_MASTER ||\n|-\n| 0x06 || USB_GRANT ||\n|-\n| 0x07 || USB_RESP_INIT ||\n|-\n| 0x08 || USB_RESPONDER ||\n|-\n| 0x09 || DISKPWRMGRSEND ||\n|-\n| 0x0a || PIEZOMGRSEND ||\n|- \n| 0x0b || SERIALVERIFIER ||\n|-\n| 0x0c || RESISTORVERIFIER ||\n|-\n| 0x0d || FW_IRAM ||\n|-\n| 0x0e || ACCPOWER ||\n|-\n| 0x0f || UARTA ||\n|-\n| 0x10 || UARGB ||\n|-\n| 0x11 || PMU_LOCK ||\n|-\n| 0x12 || ADC_LOCK ||\n|-\n| 0x13 || DTV_ENC_INIT ||\n|-\n| 0x14 || BACKLIGHT ||\n|}\n\n== External links ==\n\n* [https://web.archive.org/web/19990220054659/http://www.rtxc.com/Products/RTXC/Services.htm RTXC Kernel Services (1999)]\n* [https://archive.org/details/manualzilla-id-5752851 RTXC 3.2 Training Manual]"
                    }
                ]
            }
        }
    }
}