---------- Forwarded message ----------
From: Franco Zavatti <[EMAIL PROTECTED]>
Date: 19-Mar-2007 04:17
Subject: Firmware protection, a way to decrypt!
To: JD <[EMAIL PROTECTED]>
I send this message to you because I have a problem with my mail service (Doramail), could you please forward this to the mailing list?

Ok let's do it "Telegraph" style:

1- I don't own a Nano! I own a 5G, and all my work is based on the 5G.
2- I'm a crypto expert and I like to test real world systems, the Nano could be interesting for me.
3- I just realized 3 days ago that the Nano firmware was protected, so I decided to help!
4- I think I can help, because I have reversed the protection of the previous firmware version.
5- The previous firmware version works with a 32 bit key and an RC4 cipher. The key is in the security block which prepends every file. I already sent the details on the iPodLinux forum.
6- I have a dump of the firmware from the firmware partition of the Nano 2G. It won't be enough for me to decrypt. We need the actual decrypted version from the flashrom!
7- I need the help of someone who owns a Nano to extract the flashrom, with a technique I'm about to explain. But first...

The Security block:

The security block is the random looking data that prepends every file on firmware version 3. There are 2 versions of it. I know all the details of version 1. Version 2 is the Nano 2G version, which is different. The security block V1 is 512 bytes long. The security block V2 is 2048 bytes long (but with only the first 512 holding actual data). The security block tells the bootloader if the following file is encrypted or not, and if it is, it gives you the key! In the case of V1, the cipher is standard RC4, and the key is only 32 bits long. Short enough for a brute force attack. I don't know much about the V2 version. That's why we need to work together to get this thing done.

How did I reverse the Security block V1: with an emulator! I wrote an emulator based on the MESS system (itself based on MAME). So I traced the code and it took me less than a day to get the decryption working, but to do that, I need the firmware from the flashrom.
How can we get the firmware from the flash?

If we can run native code on the iPod, we will be able to dump the flashrom. I have already written a memDumper for the 5G, but in that case, I wrote the data to the HDD. I don't know flash based players. To write the memdumper we need to know:
- Processor type (ARM)
- ROM address (probably 0x00000000)
- A way to write to the main storage flash (????)

How can we run native code on the iPod Nano?

We need to modify a boot file (AUPD or OSOS) and it will be executed by the bootloader. We cannot write code that overrides AUPD or OSOS because the files are encrypted! False, I have noticed the file RSCS is not protected, and the Security block V2 (2048 bytes) is all filled with F! So we replace the security block of OSOS by an all "F" one, telling the bootloader the file is not protected. Then we overwrite OSOS with the memDumper code. We recalculate the checksum in the directory and voila!

I assume a lot of things, and I know this is new hardware, but how different is it? Who can write ARM code and knows enough of the already existing iPod hardware to write the memDumper and store the dump to the flash storage?

So, what do you think? Comments?
----- Original Message -----
From: JD <[EMAIL PROTECTED]>
To: "Franco Zavatti" <[EMAIL PROTECTED]>
Subject: Re: Your www.linux4nano.org account
Date: Sun, 18 Mar 2007 11:17:41 +0100

Hi, thanks and welcome aboard ;)

We have extracted 3 different firmware versions from various iPods; we simply mount the iPod in disk mode just like a standard USB stick drive. A non-formatted area on the disk is the firmware.

About the JTAG, it is probably present on the iPod but without schematics of it we're unable to find it (no pins with JTAG written on, or even 4 pins lost together in the middle of the board ;)

You can access the dump files by following the different articles on the website.

Thanks,
JD.

On 17/03/07, Franco Zavatti <[EMAIL PROTECTED]> wrote:
>
> Did someone ever extract the Nano 2G firmware from the
> flashrom? With a JTAG or something?
>
> If you have access to a dump file, I would like to take a look at it.
>
> > ----- Original Message -----
> > From: JD <[EMAIL PROTECTED]>
> > To: undisclosed-recipients, :
> > Subject: Your www.linux4nano.org account
> > Date: Sat, 17 Mar 2007 10:31:56 +0100
> >
> > Hi,
> > I'm the www.linux4nano.org administrator,
> > to be sure that you're not a bot or something nasty
> > please reply to this mail. ;)
> >
> > Thanks,
> > JD.
>
> --
> _______________________________________________
> Get your free email from http://mail.doramail.com
>
> Powered by Outblaze
--
_______________________________________________
Get your free email from http://mail.doramail.com

Powered by Outblaze

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
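Added example, not from the linux4nano thread or its participants: a small Python model of the "security block V1" scheme Franco describes above (a block prepended to each file that flags whether the file is encrypted and, if so, carries a 32-bit RC4 key). It shows the unwrap step a bootloader would perform, and why a 32-bit key is a design weakness: the candidate space is only 2**32, so a known plaintext prefix lets an exhaustive search recover the key. Everything about the block layout here (flag byte at offset 0, key at offset 4, 0xFF padding) and the sample image is constructed for illustration; the thread states only the block length (512 bytes), the cipher (RC4) and the key size (32 bits), not the field offsets.

```python
# Added example (not code from the thread). Models the described V1 security
# block: 512 bytes prepended to a file, telling the loader whether the file is
# RC4-encrypted and giving the 32-bit key. Field offsets are a CONSTRUCTED
# assumption; only the length, cipher and key size come from the thread.
import struct
from typing import Iterable, Optional, Tuple

BLOCK_LEN = 512   # V1 security block length, as stated in the thread
KEY_BITS = 32     # V1 key length, as stated in the thread


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_block(encrypted: bool, key: int) -> bytes:
    """Constructed layout: <flag:u8><pad:3><key:u32 LE>, padded to 512 with 0xFF."""
    return struct.pack("<BxxxI", 1 if encrypted else 0, key).ljust(BLOCK_LEN, b"\xff")


def parse_block(block: bytes) -> Tuple[bool, int]:
    """Return (encrypted?, key) from a block produced by build_block."""
    if len(block) != BLOCK_LEN:
        raise ValueError("security block must be %d bytes" % BLOCK_LEN)
    flag, key = struct.unpack_from("<BxxxI", block, 0)
    return flag == 1, key


def wrap(payload: bytes, key: Optional[int]) -> bytes:
    """Build block + payload; RC4-encrypt the payload when a key is given."""
    if key is None:
        return build_block(False, 0) + payload
    return build_block(True, key) + rc4(struct.pack("<I", key), payload)


def unwrap(image: bytes) -> bytes:
    """What the thread says the bootloader does: read the block, decrypt if flagged."""
    encrypted, key = parse_block(image[:BLOCK_LEN])
    payload = image[BLOCK_LEN:]
    return rc4(struct.pack("<I", key), payload) if encrypted else payload


def keyspace_size(bits: int = KEY_BITS) -> int:
    """Worst-case number of candidates an exhaustive search must try."""
    return 1 << bits


def find_key_by_known_plaintext(ciphertext: bytes, known_prefix: bytes,
                                candidates: Iterable[int]) -> Optional[int]:
    """Exhaustive search over `candidates`, stopping when the decrypted prefix
    matches a known plaintext (a fixed image header, for instance). For the
    full 32-bit key the candidate set is keyspace_size() = 2**32, which is why
    the thread calls such a key 'short enough for a brute force attack'."""
    n = len(known_prefix)
    for k in candidates:
        if rc4(struct.pack("<I", k), ciphertext[:n]) == known_prefix:
            return k
    return None


def demo() -> Optional[int]:
    """Round-trip a constructed image, then recover its key from a small
    candidate window (the full 2**32 search is the same loop, just longer)."""
    plaintext = b"CONSTRUCTED IMAGE HEADER -- sample payload, not real firmware"
    key = 0x00ABCDEF                                   # constructed sample key
    image = wrap(plaintext, key)
    assert unwrap(image) == plaintext
    return find_key_by_known_plaintext(image[BLOCK_LEN:], plaintext[:16],
                                       range(key - 64, key + 64))


if __name__ == "__main__":
    print("keyspace: %d candidates" % keyspace_size())
    print("recovered key: 0x%08X" % demo())
```

The known-plaintext check is the defender-relevant point: any firmware image with a predictable header makes a 32-bit key recoverable by enumeration alone, so the protection rests entirely on the attacker not knowing where the block's key lives, which is obscurity rather than key strength.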
