humm sorry about that but I think I missed something. You say there is a jump & nop at 0x5E00: EB 3C 90
but this is x86 assembly mnemonic. The iPod isn't in ARM? Another question: the x86 jump is effectively EB 3C,
and 3C is the relative offset, so when you say:

    unencrypted boot loader should be located around 0x5E00+0x3c90 = 0x9A90 or 39568.

Again I don't... shouldn't it be: 0x5E00 + 0x3C? (thus, if it's x86 again..)

+ serpilliere

On Thu, Sep 27, 2007 at 03:15:28PM +1000, mat h wrote:
> Btw I may be off slightly with that offset.
>
> On 9/27/07, mat h <[EMAIL PROTECTED]> wrote:
> > Since you're new I'll re-send part of my previous mail:
> > Before I continue I think I found the program used to make the disk image
> > and the FAT16 header:
> > FAT16 header: 5E00 after all the 0's
> > jump instruction (3 bytes):
> >   0xEB - something in asm
> >   0x3C - something in asm
> >   0x90 - asm nop
> >
> > bytes per sector - 0x02,0x03 I think
> > I'm not sure if there's any padding, but I think the FAT16 partition starts
> > at 5E00
> >
> > 5E10 - total number of file allocation tables, has to be 2 and it is 2
> >
> > OEM name (8 bytes):
> > MTOOL399 - reference to MTOOLS version 3.99
> >
> > Try keys like: MTOOLS, MTOOLS399 etc, look for ASCII strings in the
> > firmware
> >
> > BTW, the boot loader starts with the following code
> >   0xEB - short jump (EB JMP SHORT rel8)
> >   0x3C - value part 1
> >   0x90 - value part 2
> >
> > I'm no expert at asm but if I'm correct then the unencrypted boot loader
> > should be located around 0x5E00+0x3c90 = 0x9A90 or 39568. Again I don't
> > program in much assembly so could someone more knowledgeable please confirm
> > this.
> >
> > On 9/27/07, Jeremy Prater <[EMAIL PROTECTED]> wrote:
> > > Hey team, I just got on the linux4nano team mailing list because I have
> > > a 2g nano and don't like apple anymore because they decided to encrypt
> > > the osos. Anyways I decided to do some key breaking. Anyways I'm sad
> > > now, I assumed a 32-bit RC4 key which is a big assumption, I used visual
> > > studio and got some rc4 decrypting functions from sourceforge and
> > > started coding a little app. Sure, I'll crack this code? in 57,732 days,
> > > my app predicted, yeah. So much for a core2 duo t5600 doing high speed.
> > > Lol, guess .net framework isn't optimized for speed. 2^32 keys is a lot
> > > of keyspace. Anyways, so the brute force idea is pretty much out I
> > > guess. Unless someone has a mega-cluster of computers. I don't really
> > > know what is going on with the mailing group; the gna.org list kinda
> > > sucks to join in and catch up on. I like the idea of a ram-dump to
> > > get the un-encrypted firmware. Before my brute force attack I used
> > > sg3_tools and the ipod in diagnostic mode, no luck. The ipod vendor/
> > > device in diagnostic mode is 0000/0000 and does not respond to any usb
> > > commands. A usb dump of the ram is kinda silly. To do that we need to
> > > run our own code on the cpu, which means we need to write an encrypted
> > > osos so the bootloader will parse it correctly. Which came first, the
> > > chicken or the egg? The decipher key or the memdumper? Haha. Using
> > > buffer overruns seems safe b/c osos will crash and reboot into the
> > > bootloader, too bad there aren't any. Well this is what I have read/
> > > discovered the last 30 hours or so trying to brick my ipod. Any ideas?
> > >
> > > Jeremy
> > >
> > > _______________________________________________
> > > Linux4nano-dev mailing list
> > > [email protected]
> > > https://mail.gna.org/listinfo/linux4nano-dev
> > > http://www.linux4nano.org
> >
> > --
> > We explore... and you call us criminals.
> > We seek after knowledge... and you call us criminals.
> > We exist without skin color, without nationality, without religious bias...
> > and you call us criminals.
> > You build atomic bombs, you wage wars, you murder, cheat, and lie to us and
> > try to make us believe it's for our own good...
> > ....yet we're the criminals.
> >
> > ____________WAUSHARE ROX ______________
> > Join the dark side we've got cheese
> > Annoying people since 1992
> > If you hate me, I love you too. It ain't my fault I'm better than you
> > Save Water, Drink Beer
> > God Made Women First, Then He Had A Better Idea.
> > If Barbie is soo popular...how come you have to buy her friends?
> > Don't play stupid with me... I'm better at it!
> > You were so cute when you were a baby...What happened?
> > My folks were always asking me to wear underpants. What am I, the pope?
> > I'm calling the police!... Right after I flush some tings.
> > Join the army, see the world, meet interesting people, and kill them.
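To make the jump question concrete, here is an added example (my own code, not from the thread or the linux4nano project) that builds a constructed mtools-style FAT16 boot sector at 0x5E00 and decodes it: `EB 3C 90` is x86 `jmp short` with a signed 8-bit displacement counted from the end of the 2-byte instruction, so the boot code starts at sector offset 0x3E (image offset 0x5E3E), and a FAT boot sector carries these x86 bytes whatever CPU the device has, because the on-disk format requires them. All BPB field values in the sample are assumptions, not values read from any real iPod image.

```python
import struct

BOOT_SECTOR_OFFSET = 0x5E00   # where the thread says the FAT16 boot sector sits in the image
BPB_FMT = "<HBHBHHBHHHII"     # FAT12/16 BIOS Parameter Block, sector offsets 11..35

def build_sample_image():
    """Constructed sample: 0x5E00 bytes of zeros, then an mtools-style FAT16 boot
    sector. Field values are assumptions, not bytes from any real image."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                     # jmp short +0x3C ; nop (x86 bytes)
    bs[3:11] = b"MTOOL399"                        # OEM name quoted in the thread
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
    # media, sectors/FAT, sectors/track, heads, hidden, total32
    struct.pack_into(BPB_FMT, bs, 11, 512, 4, 1, 2, 512, 0, 0xF8, 32, 32, 2, 0, 65536)
    bs[510:512] = b"\x55\xAA"                     # boot sector signature
    return bytes(BOOT_SECTOR_OFFSET) + bytes(bs)

def find_boot_sector(image):
    """Return the first 512-byte-aligned offset that looks like a FAT boot sector."""
    for off in range(0, len(image) - 511, 512):
        if image[off] == 0xEB and image[off + 2] == 0x90 \
                and image[off + 510:off + 512] == b"\x55\xAA":
            return off
    return None

def parse_boot_sector(image, base):
    """Decode the jump and the BPB at image[base:]; returned offsets are absolute."""
    bs = image[base:base + 512]
    if bs[510:512] != b"\x55\xAA" or bs[0] != 0xEB:
        raise ValueError("no FAT boot sector at 0x%X" % base)
    rel8 = bs[1]
    disp = rel8 - 256 if rel8 >= 0x80 else rel8   # rel8 is a signed byte
    # EB rel8 is a 2-byte instruction and the displacement counts from the next
    # instruction, so operand 0x3C lands at sector offset 0x3E (not 0x3C90 further on).
    code_offset = 2 + disp
    (bps, spc, reserved, nfats, root_entries, tot16, media, spf,
     _spt, _heads, _hidden, tot32) = struct.unpack_from(BPB_FMT, bs, 11)
    fat0 = base + reserved * bps                  # nfats itself sits at base+0x10 (the thread's 5E10)
    root_dir = fat0 + nfats * spf * bps
    data = root_dir + root_entries * 32           # 32-byte directory entries
    return {
        "oem_name": bs[3:11].decode("ascii", "replace"),
        "jump_target": base + code_offset,
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "num_fats": nfats, "sectors_per_fat": spf,
        "total_sectors": tot16 or tot32, "media": media,
        "fat0_offset": fat0, "root_dir_offset": root_dir, "data_offset": data,
    }
```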
