Thank You for your continued support and contributions!
Quote from: slowcoder on October 29, 2006, 03:16:29 AMQuote from: saratoga on October 28, 2006, 08:43:22 PMHas anyone suceeded in dumping the bootloader ROM? Not yet.. If any one of you guys have experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know. Looking at the specs, its got 16 address and 16 data pins, plus power, RE, etc crammed into a half cm^2. I think thats going to take someone with access to a dead nano and a BGA capable programmer (or a DIP flash programmer and a really impressive adapter),
Quote from: saratoga on October 28, 2006, 08:43:22 PMHas anyone suceeded in dumping the bootloader ROM? Not yet.. If any one of you guys have experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.
Has anyone suceeded in dumping the bootloader ROM?
--------top-------------1: 337S32918701 N042DQS 0636 ARM2: SEC 637 GG75 K4M56163PG AQH373P13: SST39WF800A 90-4C-C2QE 0631287-A4: National Semiconductor JM66RJ L34910B5: APPLE 338S0310 68BTST86: Linear Technology 6H 4066 B89667: 1.8432 6388: KAET89: VE10: 24.000 63911: TXU12: KAET813: VE14: VE15: BG16: TVP17: TXU--------bottom----------B1: TOSHIBA P11023 JAPAN 0636 KAE TP0560 TH58NVG5D4CTG20B2: APPLE 338S0261 P29T6 04 cPG0637Y 01/N2-----back of display LS015A7UC01 B 6XG002309
From: Franco Zavatti Date: 19-Mar-2007 04:17Subject: Firmware protection, a way to decrypt!To: JD Ok let's do it "Telegraph" style1-I don't own a Nano! I own a 5G, and all my work is based on the 5G2-I'm a crypto expert and I like to test real world systems, the Nanocould be interesting for me.3-I just realized 3 days ago, the Nano firmware was protected, So Idecided to help!4-I think I can help, because I have reversed the protection ofprevious Firmware version.5-Previous Firmware version work with a 32 bits key and a RC4 cihper.The key is in the security block which prepend every file. I already send the details on the iPodLinux forum.6-I have a dump of the firmware from the firmware partition of theNano 2G. It won't be enough for me to decrypt.We need the actual decripted version from the flashrom!7-I need the help of someone who own a Nano to extract the flashrom,with a technique I'm about to explain.But first...The Security block:The security block, is the random looking data that prepend every fileon firmware version 3.There is 2 version of it. I know all the details of the version 1. Theversion 2 is the Nano 2G version, which is different.The security block V1 is 512 bytes long. The Security block V2 is 2048byte long (but with the first 512 with actual data)The security block tells the bootloader if the following file isencrypted or not, and if it is, it will gives you the key!In the case of V1, the cipher is standard RC4, and the key is only 32bits long. Short enough for a brute force attack.I don't know much about the V2 version. That's why we need to worktogether to get this thing done.How did I reversed the Security block V1: with an emulator!I wrote an emulator based on the MESS system (based itself on MAME)So I have trace the code and it took me less than a day to get thedecryption working but to do that, I need the firmware from theflashrom.How can we get the firmware from the flash?If we can run native code in the iPod, we will be able to dump the flashrom.I have already wrote a memDumper for the 5G, but in that case, I wrotethe data to the HDD. I don't know flash based player.To write the memdumper we need to know:Processor type (ARM)Rom address (probably 0x00000000)A way to write to the main storage flash (?)How can we run native code in the iPod Nano?We need to modify a boot file (AUPD or OSOS) and it will be executedby the bootloader.We cannot write code that override AUPD or OSOS because the files are encrypted!False, I have notice the file RSCS is not protected, and the Securityblock V2 (2048 bytes) is all filled with F!So we replace the security block of OSOS by an all "F" one, tellingthe bootloader the file is not protected.Then we overwrite OSOS with the memDumper code. We recalculate thechecksum in the directory and Voila!I assume a lot of things, and I know this is a new hardware, but howdifferent it is?Who can write ARM code and know enough already existing iPod hardwareto write the memDumper and store the dump to the flash storage?So, what do you think? Comments?
Page created in 0.207 seconds with 71 queries.