*Since you're new, I'll re-send part of my previous mail:*
Before I continue, I think I found the program used to make the disk image
and the FAT16 header:
FAT16 header: 5E00 after all the 0's
jump instruction (3 bytes):

0xEB - something in asm
0x3C - something in asm
0x90 - asm nop

bytes per sector - 0x02, 0x03 I think
I'm not sure if there's any padding, but I think the FAT16 partition starts at
5E00

5E10 - total number of file allocation tables, has to be 2 and it is 2

OEM name (8 bytes):
MTOOL399 - reference to MTOOLS <http://mtools.linux.lu/> version 3.99



Try keys like MTOOLS, MTOOLS399, etc.; look for ASCII strings in the firmware.

BTW, the boot loader starts with the following code:
0xEB - short jump *(EB JMP SHORT rel8)*
0x3C - value part 1
0x90 - value part 2

I'm no expert at asm, but if I'm correct then the unencrypted boot loader
should be located around 0x5E00+0x3c90 = 0x9A90 or 39568. Again, I don't
program much in assembly, so could someone more knowledgeable please confirm
this.

On 9/27/07, Jeremy Prater <[EMAIL PROTECTED]> wrote:
>
>  Hey team, I just got on the linux4nano team mailing list because I have a
> 2g nano and don't like apple anymore because they decided to encrypt the
> osos. Anyways I decided to do some key breaking. Anyways I'm sad now, I
> assumed a 32-bit RC4 key which is a big assumption, I used visual studio and
> got some rc4 decrypting functions from sourceforge and started coding a
> little app. Sure, I'll crack this code… in 57,732 days my app predicted yeah.
> So much for a core2 duo t5600 doing high speed. Lol, guess .net framework
> isn't optimized for speed. 2^32 keys is a lot of keyspace. Anyways, so the
> brute force idea is pretty much out I guess. Unless someone has a
> mega-cluster of computers. I don't really know what is going on with the
> mailing group, the gna.org list kinda sucks to join in and catch up on. I
> like the idea of a ram-dump to get the un-encrypted firmware. Before my
> brute force attack I used sg3_tools and the ipod in diagnostic mode, no
> luck. The ipod vendor/device in diagnostic mode is 0000/0000 and does not
> respond to any usb commands. A usb dump of the ram is kinda silly. To do
> that we need to run our own code on the cpu, which means we need to write an
> encrypted osos so the bootloader will parse it correctly. Which came first,
> the chicken or the egg? The decipher key or the memdumper? Haha. Using
> buffer overruns seems safe b/c osos will crash and reboot into the
> bootloader, too bad there aren't any. Well this is what I have
> read/discovered the last 30 hours or so trying to brick my ipod. Any ideas?
> – Jeremy
>
> _______________________________________________
> Linux4nano-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/linux4nano-dev
> http://www.linux4nano.org
>



-- 
We explore... and you call us criminals.
We seek after knowledge... and you call us criminals.
We exist without skin color, without nationality, without religious bias...
and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us and
try to make us believe it's for our own good...
....yet we're the criminals.

____________WAUSHARE ROX ______________
Join the dark side we've got cheese
Annoying people since 1992
If you hate me, I love you too. It ain't my fault I'm better than you
Save Water, Drink Beer
God Made Women First, Then He Had A Better Idea.
If Barbie is soo popular...how come you have to buy her friends?
Don't play stupid with me... I'm better at it!
You were so cute when you were a baby...What happened?
My folks were always asking me to wear underpants. What am I, the pope?
I'm calling the police!... Right after I flush some tings.
Join the army, see the world, meet interesting people, and kill them.
_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
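As an added example (not code from the mail or the linux4nano project), a small Python parser for the FAT16 boot-sector fields discussed above, run on a constructed image that carries the same EB 3C 90 / MTOOL399 header at offset 0x5E00. It also decodes the EB rel8 short jump the way the CPU does (the signed displacement is relative to the byte after the two-byte instruction) and locates the first FAT and the root directory from the BPB values.

```python
import struct

FAT_START = 0x5E00  # offset where the mail says the FAT16 boot sector begins

def build_sample_image():
    """Constructed sample: zero padding up to FAT_START, then a minimal FAT16
    boot sector matching the bytes quoted in the mail (EB 3C 90, 'MTOOL399')."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"             # short jump + nop
    bs[3:11] = b"MTOOL399"                # OEM name
    struct.pack_into("<H", bs, 11, 512)   # bytes per sector
    bs[13] = 4                            # sectors per cluster
    struct.pack_into("<H", bs, 14, 1)     # reserved sectors (boot sector only)
    bs[16] = 2                            # number of FATs
    struct.pack_into("<H", bs, 17, 512)   # root directory entries
    struct.pack_into("<H", bs, 22, 64)    # sectors per FAT
    struct.pack_into("<I", bs, 32, 65536) # total sectors (32-bit field; 16-bit one left 0)
    bs[510:512] = b"\x55\xAA"             # boot signature
    return bytes(FAT_START) + bytes(bs)

def parse_fat16_bpb(image, base):
    """Decode the BIOS Parameter Block of the boot sector found at image[base:]."""
    bs = image[base:base + 512]
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature at offset %#x" % base)
    jmp = bs[0:3]
    f = {
        "jump_bytes": jmp.hex(),
        "oem_name": bs[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": struct.unpack_from("<H", bs, 11)[0],
        "sectors_per_cluster": bs[13],
        "reserved_sectors": struct.unpack_from("<H", bs, 14)[0],
        "num_fats": bs[16],
        "root_entries": struct.unpack_from("<H", bs, 17)[0],
        "sectors_per_fat": struct.unpack_from("<H", bs, 22)[0],
    }
    total16 = struct.unpack_from("<H", bs, 19)[0]
    f["total_sectors"] = total16 or struct.unpack_from("<I", bs, 32)[0]
    # EB rel8: signed displacement relative to the byte after the 2-byte
    # instruction, so boot code starts at base + 2 + rel8 (the 0x90 is NOP padding).
    if jmp[0] == 0xEB:
        f["boot_code_offset"] = base + 2 + struct.unpack("<b", jmp[1:2])[0]
    elif jmp[0] == 0xE9:  # E9 rel16 is the other form allowed in a boot sector
        f["boot_code_offset"] = base + 3 + struct.unpack_from("<h", jmp, 1)[0]
    else:
        raise ValueError("unexpected first opcode %#x" % jmp[0])
    bps = f["bytes_per_sector"]
    f["fat0_offset"] = base + f["reserved_sectors"] * bps
    f["root_dir_offset"] = f["fat0_offset"] + f["num_fats"] * f["sectors_per_fat"] * bps
    return f
```

On a real dump, pass the image bytes and the offset of the first 0x55AA-terminated sector instead of the constructed sample.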
