
Rockbox Technical Forums


Author Topic: Nano 2G  (Read 124661 times)

Offline dstan

  • Member
  • *
  • Posts: 1
Re: Nano 2G
« Reply #15 on: October 20, 2006, 11:27:03 PM »
If it would help, Apple just released a new firmware and the people at ipw got ipodwizard to detect the new nanos.
Logged

Offline axlgreasetires

  • Member
  • *
  • Posts: 76
  • meow
Re: Nano 2G
« Reply #16 on: October 23, 2006, 08:09:51 PM »
I'm somewhat glad Rockbox doesn't work on the 2nd gens yet.  I'm thinking of getting one.  The reason for that is I messed around with experimental 5g programming and stuff.  So now I won't be able to mess up the nano because Ipodlinux also doesn't work for it yet.  I'm going to take my 5g to the Apple store to see if I can get it replaced.  Is there any busy work I could do that could somehow help devel?  I will not do hi-res scans or any dissecting of the nano.
Logged
meow

Offline L

  • Member
  • *
  • Posts: 145
Re: Nano 2G
« Reply #17 on: October 24, 2006, 07:32:52 PM »
If you take your 5g to be replaced, chances are, it will be replaced with a new 5.5g and that doesn't work with RockBox either. Well, officially at least.
Logged

Offline homielowe

  • Member
  • *
  • Posts: 34
  • Deux et machina my ass
Re: Nano 2G
« Reply #18 on: October 25, 2006, 12:14:59 AM »
Nope, I replaced my 5G after the 5.5G came out and I just got another black 5G.
Logged

Offline mila61

  • Member
  • *
  • Posts: 3
Re: Nano 2G
« Reply #19 on: October 26, 2006, 02:51:31 PM »
Quote from: saratoga on October 23, 2006, 12:55:39 AM
Quote from: mila61 on October 23, 2006, 12:18:57 AM
Quote from: Llorean on October 22, 2006, 11:05:12 AM
The 2G iPod Nano has very different hardware. It may be quite some time before a compatible version is available.

How can we help on getting Rockbox on the 2G Nano? Is there something we can do, besides ripping the iPod apart? ;) For example: I have VERY limited knowledge of C - and if I say "VERY limited", I mean it  :D

We need someone with cryptography experience (or a very good understanding of ARM assembly) to crack the encryption used in the Apple firmware.  Then interested developers could start reverse engineering work by looking at Apple's firmware.  Until someone does this, it's unlikely that any progress will be made.

There's no need for anyone to open up their ipod, that wouldn't tell you much of anything useful at this point.

Ok, I am willing to help. I know symmetric and asymmetric encryption. How am I gonna start?
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Nano 2G
« Reply #20 on: October 26, 2006, 11:34:01 PM »
I haven't looked at the firmware, but in general I would assume the following:

The Apple firmware (or the Apple bootloader) has a small segment of code that is loaded initially that decrypts the firmware.  The decrypted firmware is then loaded into memory and executed, but never stored on disk or rom.  

So what I would do is disassemble the Apple firmware.  There's probably only a small amount of code, and a lot of "data" (actually encrypted code).  If there's no code, then maybe it's in the bootloader.  Eventually the program will jump into a location that contains data (or nothing at all).  This is where it begins executing the decrypted code.

If Apple is really lazy, they may just store the decryption key in the ROM somewhere, load it, and then iterate over the data section generating the code.  In this case, just reading the assembly, looking for a value that's loaded and then applied to the encrypted data, and then writing down that value will be enough.  If they're evil, well, entire books have been written about making it hard/impossible to decrypt.  In this case, your knowledge of encryption will probably be essential.

This page explains the process as it happens on the Sandisk Sansa players:
http://daniel.haxx.se/sansa/mi4code.html

The Apple firmware may or may not work like that.  Unless I've missed something, no one has posted any real info about how this process works, so I'm just speculating about how it could work.  I may be totally wrong.
Logged

Offline slowcoder

  • Member
  • *
  • Posts: 2
Re: Nano 2G
« Reply #21 on: October 28, 2006, 04:43:52 PM »
Here's what we've discovered over at the iPL camp.

Much of this is speculation, but it's based on actual investigations of the Nano 2G.

The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e., the one not on disk).

The image appears to use a 512 bit hash. (Potentially SHA-1)

Since we know _nothing_ about the hardware in the Nano 2G (when it comes to IO ports, etc), we can't really try to inject code into it, as we wouldn't know if it succeeded or not.

The option we're looking at now is to make a hardware attack, and see if we can get some readable code out of it that way.

/James
Logged
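The two cases discussed in the posts above (a small plaintext loader followed by encrypted "data", versus an image that is encrypted end to end) can be told apart with a sliding-window entropy scan. This is an added example, not code from any thread participant or from Rockbox/iPL; both images are constructed stand-ins, and the window size and threshold are assumed values.

```python
import hashlib
import math
from collections import Counter

WINDOW = 1024     # bytes per window (assumed; tune per image)
THRESHOLD = 7.2   # bits/byte at or above which a window looks encrypted/compressed (assumed)

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte block in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_regions(image: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Return [(start, end, label)], merging adjacent windows with the same label."""
    regions = []
    for off in range(0, len(image), window):
        block = image[off:off + window]
        label = "high-entropy" if shannon_entropy(block) >= threshold else "structured"
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], off + len(block), label)
        else:
            regions.append((off, off + len(block), label))
    return regions

def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 over a counter."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

# Constructed sample images (not real firmware).
# Case 1: 4 KiB of repeating ARM-like words, then a 32 KiB "encrypted" payload.
loader = bytes.fromhex("e59f0010e3a01000e4801004e2522001") * 256
IMAGE_WITH_LOADER = loader + keystream(b"payload", 32 * 1024)
# Case 2: the whole image is "encrypted"; no loader is visible on disk.
IMAGE_FULLY_ENCRYPTED = keystream(b"osos", 36 * 1024)

if __name__ == "__main__":
    for name, img in [("with loader", IMAGE_WITH_LOADER),
                      ("fully encrypted", IMAGE_FULLY_ENCRYPTED)]:
        print(name)
        for start, end, label in classify_regions(img):
            print(f"  0x{start:06x}-0x{end:06x}  {label}")
```

A single high-entropy region covering the whole file is consistent with decryption happening outside the image; compressed data also scores high, so entropy alone cannot separate compression from encryption.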

Offline Bagder

  • Member
  • *
  • Posts: 1452
    • Daniel's site
Re: Nano 2G
« Reply #22 on: October 28, 2006, 05:02:14 PM »
Yes, figuring out this hardware is definitely gonna require that the encryption is cracked so that disassembly can start.

If Apple did their job properly, getting the digital signature/hash done right in a generated firmware can become really tricky.

On the mi4 front, we've been lucky since the PP guys apparently left a big wide backdoor open (signature-wise) for people like us.
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Nano 2G
« Reply #23 on: October 28, 2006, 09:43:22 PM »
Quote from: slowcoder on October 28, 2006, 04:43:52 PM
Here's what we've discovered over at the iPL camp.

Much of this is speculation, but it's based on actual investigations of the Nano 2G.

The entire OSOS image (the "Apple OS") is encrypted. There's no magic piece of code that decrypts the rest of the image.
The image probably gets decrypted by the FlashROM bootloader (i.e., the one not on disk).


Has anyone succeeded in dumping the bootloader ROM?
Logged

Offline slowcoder

  • Member
  • *
  • Posts: 2
Re: Nano 2G
« Reply #24 on: October 29, 2006, 03:16:29 AM »
Quote from: saratoga on October 28, 2006, 09:43:22 PM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys have experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

/James
Logged

Offline saratoga

  • Developer
  • Member
  • *
  • Posts: 8974
Re: Nano 2G
« Reply #25 on: October 31, 2006, 10:48:57 PM »
Quote from: slowcoder on October 29, 2006, 03:16:29 AM
Quote from: saratoga on October 28, 2006, 09:43:22 PM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys have experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

Looking at the specs, it's got 16 address and 16 data pins, plus power, RE, etc crammed into a half cm^2.  I think that's going to take someone with access to a dead nano and a BGA capable programmer (or a DIP flash programmer and a really impressive adapter).
Logged

Offline exca

  • Member
  • *
  • Posts: 1
Re: Nano 2G
« Reply #26 on: December 27, 2006, 02:29:21 PM »
What if I had a prime...

I know this guy who works with Apple and has a rather high function there.
If you could ask him 1 thing (apart from the decryption code) what would it be that could help you with the port? :)
I'll ask him.

I want Rockbox on my nano as much as you guys do, and I'll help to get through this p.o.s. encrypted code...

I've had a look by myself. I'm not an expert in it, but I've modded files with a hex editor. Same with this?
« Last Edit: December 27, 2006, 03:28:34 PM by exca »
Logged

Offline scocarl

  • Member
  • *
  • Posts: 1
Re: Nano 2G
« Reply #27 on: December 31, 2006, 10:20:41 AM »
Quote from: slowcoder on October 29, 2006, 03:16:29 AM
Quote from: saratoga on October 28, 2006, 09:43:22 PM
Has anyone succeeded in dumping the bootloader ROM?

Not yet..  If any one of you guys have experience in reading Flash-ROMs and the equipment to snoop off a very high density BGA chip, let us know.

/James

Is it possible to do it like this guy over at iPL did a dump?
http://ipodlinux.org/stories/piezo/index.html
Logged

Offline GodEater

  • Member
  • *
  • Posts: 2829
Re: Nano 2G
« Reply #28 on: December 31, 2006, 02:03:07 PM »
Not really.

That hack required being able to run code on the target in a limited fashion already - we don't have that capability at all.
Logged

Read The Manual Please

Offline smp500

  • Member
  • *
  • Posts: 4
Re: Nano 2G
« Reply #29 on: December 31, 2006, 03:33:40 PM »
I noticed on my nano 2g, like my 5.5g ipod, that the logical sectors are 2048 and the physical are still 512, if that matters.
Logged
