You're looking at the unencrypted rsrc.fw file inside the firmware. There are 3 parts: osos, aupd and rsrc. I looked at the offset you said, 5E00, which matches up in my dump.img from my 2G nano. After I did extract2g on the firmware I matched the same hex up at 0E00 in the rsrc.fw file. So yeah, it's the unencrypted file. It doesn't contain the bootloader; that is in the 8 MB flash that we can't dump from inside the iPod. I've been at this for a few days now, and I'm pretty experienced at disassembly/hex editing so I caught on pretty quick. I think the best way is to take the 1.1.1 fw and the 1.1.2 fw (since they have the most number of the same bytes in the beginning) and see what differences we have between them, right? Because if it's a stream cipher, which it seems like it is: take the osos file and do a byte compare until you get to a byte that doesn't compare, then from that byte generate a set of keys that could make that byte work, then do it for the next and the next and the next; eventually all the wrong keys would be rejected, and we'll have the one that is the correct key to unlock this turd. The only problem is this is assuming the encryption is RC4 or some pattern we know. I need to do research on the RC4 encryption scheme and see if you can reverse-generate a key. Hmm, you know, it just occurred to me that it won't work because we don't have the unencrypted result to compare against.

Btw I have 1.1.1 and 1.1.3; does anyone have a copy of 1.1.2 I can grab so I can do some testing? Thanks.

-- Jeremy

From: mat h [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2007 10:11 PM
To: Hardware and developpement mailing list.
Subject: Re: [Linux4nano-dev] RC4 key.

Since you're new I'll re-send part of my previous mail:

Before I continue, I think I found the program used to make the disk image and the FAT16 header:

FAT16 header: 5E00, after all the 0's
jump instruction (3 bytes):
0xEB - something in asm
0x3C - something in asm
0x90 - asm nop
bytes per sector - 0x02, 0x03 I think; I'm not sure if there's any padding, but I think the FAT16 partition starts at 5E00
5E10 - total number of file allocation tables, has to be 2 and it is 2
OEM name (8 bytes): MTOOL399 - reference to MTOOLS <http://mtools.linux.lu/> version 3.99

Try keys like: MTOOLS, MTOOLS399 etc. Look for ASCII strings in the firmware BTW.

The boot loader starts with the following code:
0xEB - short jump (EB JMP SHORT rel8)
0x3C - value part 1
0x90 - value part 2

I'm no expert at asm, but if I'm correct then the unencrypted boot loader should be located around 0x5E00+0x3C90 = 0x9A90 or 39568. Again, I don't program in much assembly, so could someone more knowledgeable please confirm this.

On 9/27/07, Jeremy Prater <[EMAIL PROTECTED]> wrote:

Hey team,

I just got on the linux4nano team mailing list because I have a 2G nano and don't like Apple anymore because they decided to encrypt the osos. Anyways, I decided to do some key breaking. Anyways, I'm sad now. I assumed a 32-bit RC4 key, which is a big assumption. I used Visual Studio and got some RC4 decrypting functions from SourceForge and started coding a little app. Sure, I'll crack this code... in 57,732 days, my app predicted. Yeah. So much for a Core 2 Duo T5600 doing high speed. Lol, guess the .NET Framework isn't optimized for speed. 2^32 keys is a lot of keyspace. Anyways, so the brute force idea is pretty much out I guess. Unless someone has a mega-cluster of computers.

I don't really know what is going on with the mailing group; the gna.org <http://gna.org/> list kinda sucks to join in and catch up on. I like the idea of a RAM dump to get the unencrypted firmware. Before my brute force attack I used sg3_tools and the iPod in diagnostic mode, no luck. The iPod vendor/device in diagnostic mode is 0000/0000 and does not respond to any USB commands. A USB dump of the RAM is kinda silly. To do that we need to run our own code on the CPU, which means we need to write an encrypted osos so the bootloader will parse it correctly. Which came first, the chicken or the egg? The decipher key or the memdumper? Haha. Using buffer overruns seems safe b/c osos will crash and reboot into the bootloader; too bad there aren't any. Well, this is what I have read/discovered the last 30 hours or so trying to brick my iPod. Any ideas?

– Jeremy

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org <http://www.linux4nano.org/>
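An added example (not code from the thread or the linux4nano project) that walks the FAT16 boot-sector fields mat h lists: it parses a constructed 512-byte sector placed at 0x5E00, decodes the EB 3C 90 jump the way the x86 does (EB rel8 is relative to the following instruction, so it lands 0x3E bytes into the sector, and the 0x90 is a NOP pad), reads the OEM name and FAT count, and computes where the FAT, root directory and data regions start. The sector contents, including the MTOOL399 OEM string, are constructed sample data, not bytes from an iPod dump.

```python
import struct

BPB_FMT = "<3s8sHBHBHHBHHHII"  # FAT12/16 boot sector through TotSec32 (36 bytes)

def build_sample_sector(oem: bytes = b"MTOOL399") -> bytes:
    """Constructed 512-byte FAT16 boot sector (sample data, not from an iPod dump)."""
    bpb = struct.pack(BPB_FMT, b"\xEB\x3C\x90", oem, 512, 2, 1, 2, 512, 32768,
                      0xF8, 64, 32, 2, 0, 0)
    return bpb + b"\0" * (510 - len(bpb)) + b"\x55\xAA"

def parse_fat16_boot_sector(image: bytes, offset: int) -> dict:
    """Decode the BPB at image[offset:] and return byte offsets of the regions."""
    sec = image[offset:offset + 512]
    if len(sec) < 512 or sec[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature at 0x%X" % (offset + 510))
    (jmp, oem, bps, spc, rsvd, nfats, root_ents, tot16,
     media, fatsz, _spt, _heads, _hidden, tot32) = struct.unpack(BPB_FMT, sec[:36])
    # EB rel8: the target is relative to the next instruction (2 bytes in); 0x90 is NOP padding.
    if jmp[0] == 0xEB:
        code_off = 2 + struct.unpack("<b", jmp[1:2])[0]
    elif jmp[0] == 0xE9:
        code_off = 3 + struct.unpack("<h", jmp[1:3])[0]
    else:
        raise ValueError("first byte 0x%02X is not a jump opcode" % jmp[0])
    if bps not in (512, 1024, 2048, 4096) or nfats not in (1, 2):
        raise ValueError("implausible BPB: bps=%d nfats=%d" % (bps, nfats))
    total = tot16 or tot32
    root_secs = (root_ents * 32 + bps - 1) // bps          # root directory size in sectors
    root_start = rsvd + nfats * fatsz                       # first root-directory sector
    data_start = root_start + root_secs                     # first data sector
    clusters = (total - data_start) // spc
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32?"
    return {
        "oem_name": oem.decode("ascii", "replace").rstrip(),
        "boot_code_offset": offset + code_off,
        "bytes_per_sector": bps, "num_fats": nfats, "media": media,
        "fat_type": fat_type, "cluster_count": clusters,
        "fat_start": offset + rsvd * bps,
        "root_dir_start": offset + root_start * bps,
        "data_start": offset + data_start * bps,
    }

if __name__ == "__main__":
    # Boot sector placed at 0x5E00, mirroring the offset discussed in the thread.
    image = b"\0" * 0x5E00 + build_sample_sector()
    for k, v in parse_fat16_boot_sector(image, 0x5E00).items():
        print("%-18s %s" % (k, hex(v) if isinstance(v, int) else v))
```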
