Rockbox Development > New Ports
Nano 2G
saratoga:
I haven't looked at the firmware, but in general I would assume the following:
The Apple firmware (or the Apple bootloader) has a small segment of code that is loaded initially that decrypts the firmware. The decrypted firmware is then loaded into memory and executed, but never stored on disk or rom.
So what I would do is disassemble the Apple firmware. There's probably only a small amount of code, and a lot of "data" (actually encrypted code). If there's no code, then maybe it's in the bootloader. Eventually the program will jump into a location that contains data (or nothing at all). This is where it begins executing the decrypted code.
If Apple is really lazy, they may just store the decryption key in the ROM somewhere, load it, and then iterate over the data section generating the code. In this case, just reading the assembly, looking for a value that's loaded and then applied to the encrypted data, and then writing down that value will be enough. If they're evil, well, entire books have been written about making it hard/impossible to decrypt. In this case, your knowledge of encryption will probably be essential.
This page explains the process as it happens on the Sandisk Sansa players:
http://daniel.haxx.se/sansa/mi4code.html
The Apple firmware may or may not work like that. Unless I've missed something, no one has posted any real info about how this process works, so I'm just speculating about how it could work. I may be totally wrong.
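As an added illustration of the triage step described in the post above (a small plaintext stub followed by a large region that is really encrypted code), the following script is not from the thread or from the Rockbox or iPodLinux projects. It computes a sliding-window Shannon entropy profile over a blob and collapses it into plaintext-looking and high-entropy runs, which is the usual first check for deciding whether a region of an image is code, data, or ciphertext. The image it analyses is constructed in the script itself (an instruction-like stub plus pseudo-random bytes); no real Apple image, key or offset is involved, and the window size and threshold are assumptions chosen for this sample.

```python
"""Sliding-window Shannon entropy over a firmware-like blob (added example)."""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given chunk (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(blob: bytes, window: int = 512) -> list[float]:
    """Entropy of each consecutive window; the last (partial) window is included."""
    return [shannon_entropy(blob[i:i + window]) for i in range(0, len(blob), window)]


def find_regions(blob: bytes, window: int = 512,
                 threshold: float = 6.0) -> list[tuple[int, int, str]]:
    """Collapse the profile into (start, end, label) runs.

    'high' marks windows at or above the threshold, which is where encrypted or
    compressed bytes land (close to 8 bits/byte); plaintext machine code is far
    more structured and normally sits well below it.  The threshold is an
    assumption for this sample, not a universal constant.
    """
    regions: list[tuple[int, int, str]] = []
    for idx, h in enumerate(entropy_profile(blob, window)):
        label = "high" if h >= threshold else "plain"
        start = idx * window
        end = min(start + window, len(blob))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions


def build_sample_image(seed: int = 1) -> bytes:
    """Constructed stand-in for a firmware image.

    1 KiB of crude ARM-like 32-bit words (repeated condition/opcode bytes and
    small immediates) followed by 4 KiB of seeded pseudo-random bytes standing
    in for the encrypted payload.  Nothing here is taken from a real device.
    """
    rng = random.Random(seed)
    opcode_bytes = [0xE5, 0xE3, 0xE1, 0xEA, 0xE2]
    stub = bytearray()
    for _ in range(256):
        stub += bytes([
            rng.randrange(0, 16),                      # small immediate
            rng.randrange(0, 4),                       # low register field
            rng.choice([0x9F, 0xA0, 0x80, 0x40]),      # common operand bytes
            rng.choice(opcode_bytes),                  # "always" condition + opcode
        ])
    payload = bytes(rng.randrange(256) for _ in range(4096))
    return bytes(stub) + payload


if __name__ == "__main__":
    image = build_sample_image()
    for start, end, label in find_regions(image):
        print(f"{start:#08x}-{end:#08x} {label}")
```

On the constructed sample this reports one plaintext run covering the first kilobyte and one high-entropy run for the rest. On a real image the boundary between the two runs is exactly the spot worth reading in a disassembler, and a high-entropy region that starts at an aligned offset with a short, low-entropy header in front of it is consistent with the "small loader plus encrypted body" layout the post speculates about.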
slowcoder:
Here's what we've discovered over at the iPL camp.
Much of this is speculation, but it's based on actual investigations of the Nano 2G.
The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e., the one not on disk)
The image appears to use a 512-bit hash. (Potentially SHA-1)
Since we know _nothing_ about the hardware in the Nano 2G (when it comes to IO ports, etc), we can't really try to inject code into it, as we wouldn't know if it succeeded or not.
The option we're looking at now is to make a hardware attack, and see if we can get some readable code out of it that way.
/James
Bagder:
Yes, figuring out this hardware is definitely gonna require that the encryption is cracked so that disassembly can start.
If Apple did their job properly, getting the digital signature/hash done right in a generated firmware can become really tricky.
On the mi4 front, we've been lucky since the PP guys apparently left a big wide backdoor open (signature-wise) for people like us.
saratoga:
--- Quote from: slowcoder on October 28, 2006, 04:43:52 PM ---
Here's what we've discovered over at the iPL camp.
Much of this is speculation, but it's based on actual investigations of the Nano 2G.
The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e, the one not on disk)
--- End quote ---
Has anyone succeeded in dumping the bootloader ROM?
slowcoder:
--- Quote from: saratoga on October 28, 2006, 09:43:22 PM ---
Has anyone succeeded in dumping the bootloader ROM?
--- End quote ---
Not yet. If any one of you guys has experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.
/James