GOOD WORK. Please continue when you have more info; I love seeing progress
and will help out when I can.

On 9/27/07, Fabrice Desclaux <[EMAIL PROTECTED]> wrote:
>
> yep
> On Wed, Sep 26, 2007 at 11:52:38PM -0700, mat h wrote:
> > so the 90 was a nop,
>
> Hmm, if it's not x86 but ARM, it's not a nop: if it's ARM code, it's
> part of a mnemonic starting with:
> EB 3C 90 XX (missing one byte XX to have a mnemonic)
>
> HERE is the interesting part:
> in ARM, big-endian:
> this means:
> ROM:00005E00 EB 3C 90 4D                 BL      F29F3C
>
> yes man, it's a JUMP (even if it's not x86, you smelled right)
> so at 0xF29F3C:
>
> ROM:00F29F3C 59 DC C9 DD                 LDMPLIB R12, {R0,R2-R4,R6-R8,R11,LR,PC}^
>
> this means:
> LDMPLIB decomposes into:
> LDM: load from memory
> PL: (if positive or null...)
> IB: pre-increment register
>
> from where:
> R12
> what may i load:
> {R0,R2-R4,R6-R8,R11,LR,PC}^
>
>
> Oh, by the way, PC is the program COUNTER (yes, in ARM you can write directly
> to PC (differs from x86 :))
>
> so it loads all those registers from memory located at R12
> the big question is: what is the start value of R12???
> if we get this, we can go on to the NEXT address to disassemble...
>
>
> another trick to guess this is to disassemble everywhere and watch for
> valid code... hmm, time consuming.
>
> This is all valid if it's really an ARM processor and the entry point is
> effectively at 5E00 and it's big-endian and blah blah!
>
>
> but erf, it smells good :)
> + serpilliere
>
>
>
>
>
> > Anyway my theory is that if the encryption is a stream-based cipher
> > then maybe, in order to prevent us cracking it easily between
> > different releases, they might change the decryption code, which would be
> > loaded on boot from the FAT16 partition. Unless anyone else can think of
> > a use of FAT16 boot code unencrypted?
> >
> > On 9/26/07, Fabrice Desclaux <[EMAIL PROTECTED]> wrote:
> >
> >     OK, no problem.
> >
> >
> >     in fact if it's really ARM on the iPod, the basic thing is ARM
> >     instruction length is 4 bytes (always) and addresses are then multiples
> >     of 4, so it's a bit easier to disasm :)
> >
> >     a little doc can be found at
> >     bear.ces.cwru.edu/eecs_382/ARM7-TDMI-manual-pt2.pdf
> >
> >     Note: IDA (from DataRescue) supports ARM (most ARMs in fact) (it's sexy,
> >     and all...)
> >     but erf, if you don't have IDA you can try disassembling using other
> >     tools. A funny one to do this could be METASM (cr0.org).
> >
> >     I know, it's Ruby Van Gogh style code but erf, it disasms ARM :)
> >     another one could be objdump for ARM!
> >
> >
> >     +
> >     serpilliere
> >
> >
> >     On Wed, Sep 26, 2007 at 11:31:48PM -0700, mat h wrote:
> >     > Sorry all, I don't know much about asm; I'm not sure whether it's a
> >     > nop or the end of an address. As I said, I need someone that knows
> >     > ASM, particularly ARM asm.
> >     >
> >     > On 9/26/07, Fabrice Desclaux <[EMAIL PROTECTED]> wrote:
> >     >
> >     >     Hmm, sorry about that but I think I missed something.
> >     >
> >     >     You say there is a jump & nop at 0x5E00:
> >     >     EB 3C 90
> >     >
> >     >     but this is an x86 assembly mnemonic. The iPod isn't ARM?
> >     >
> >     >
> >     >     another question:
> >     >     the x86 jump is effectively EB 3C; 3C is the relative offset, so
> >     >     when you say:
> >     >     unencrypted boot loader should be located around 0x5E00+0x3c90 =
> >     >     0x9A90 or 39568. Again I dont
> >     >
> >     >     shouldn't it be:
> >     >     0x5E00 + 0x3C ?
> >     >     (thus, if it's x86 again..)
> >     >
> >     >
> >     >
> >     >
> >     >     +
> >     >     serpilliere
> >     >
> >     >
> >     >
> >     >
> >     >
> >     >     On Thu, Sep 27, 2007 at 03:15:28PM +1000, mat h wrote:
> >     >     > Btw I may be off slightly with that offset.
> >     >     >
> >     >     > On 9/27/07, mat h < [EMAIL PROTECTED]> wrote:
> >     >     >
> >     >     >     Since you're new I'll re-send part of my previous mail:
> >     >     >     Before I continue I think I found the program used to make
> >     >     >     the disk image and the FAT16 header:
> >     >     >     FAT16 header: 5E00 after all the 0's
> >     >     >     jump instruction (3 bytes):
> >     >     >
> >     >     >     0xEB - something in asm
> >     >     >     0x3C - something in asm
> >     >     >     0x90 - asm nop
> >     >     >
> >     >     >     bytes per sector - 0x02,0x03 I think
> >     >     >     I'm not sure if there's any padding, but I think the FAT16
> >     >     >     partition starts at 5E00
> >     >     >
> >     >     >     5E10 - total number of file allocation tables, has to be 2
> >     >     >     and it is 2
> >     >     >
> >     >     >     OEM name (8 bytes):
> >     >     >     MTOOL399 - reference to MTOOLS version 3.99
> >     >     >
> >     >     >     Try keys like: MTOOLS, MTOOLS399 etc, look for ASCII strings
> >     >     >     in the firmware
> >     >     >
> >     >     >     BTW, the boot loader starts with the following code
> >     >     >     0xEB - short jump (EB JMP SHORT rel8)
> >     >     >     0x3C - value part 1
> >     >     >     0x90 - value part 2
> >     >     >
> >     >     >     I'm no expert at asm but if I'm correct then the unencrypted
> >     >     >     boot loader should be located around 0x5E00+0x3c90 = 0x9A90
> >     >     >     or 39568. Again I don't program in much assembly so could
> >     >     >     someone more knowledgeable please confirm this.
> >     >     >
> >     >     >     On 9/27/07, Jeremy Prater <[EMAIL PROTECTED]> wrote:
> >     >     >
> >     >     >
> >     >     >         Hey team, I just got on the linux4nano team mailing list
> >     >     >         because I have a 2G nano and don't like Apple anymore
> >     >     >         because they decided to encrypt the osos. Anyways I
> >     >     >         decided to do some key breaking. Anyways I'm sad now, I
> >     >     >         assumed a 32-bit RC4 key which is a big assumption, I
> >     >     >         used Visual Studio and got some RC4 decrypting functions
> >     >     >         from SourceForge and started coding a little app. Sure,
> >     >     >         I'll crack this code? In 57,732 days my app predicted,
> >     >     >         yeah. So much for a Core 2 Duo T5600 doing high speed.
> >     >     >         Lol, guess .NET Framework isn't optimized for speed. 2^32
> >     >     >         keys is a lot of keyspace. Anyways, so the brute force
> >     >     >         idea is pretty much out I guess. Unless someone has a
> >     >     >         mega-cluster of computers. I don't really know what is
> >     >     >         going on with the mailing group; the gna.org list kinda
> >     >     >         sucks to join in and catch up on. I like the idea of a
> >     >     >         RAM dump to get the unencrypted firmware. Before my brute
> >     >     >         force attack I used sg3_tools and the iPod in diagnostic
> >     >     >         mode, no luck. The iPod vendor/device in diagnostic mode
> >     >     >         is 0000/0000 and does not respond to any USB commands. A
> >     >     >         USB dump of the RAM is kinda silly. To do that we need to
> >     >     >         run our own code on the CPU, which means we need to write
> >     >     >         an encrypted osos so the bootloader will parse it
> >     >     >         correctly. Which came first, the chicken or the egg? The
> >     >     >         decipher key or the memdumper? Haha. Using buffer
> >     >     >         overruns seems safe b/c osos will crash and reboot into
> >     >     >         the bootloader, too bad there aren't any. Well this is
> >     >     >         what I have read/discovered the last 30 hours or so
> >     >     >         trying to brick my iPod. Any ideas?
> >     >     >         Jeremy
> >     >     >
> >     >     >
> >     >     >         _______________________________________________
> >     >     >         Linux4nano-dev mailing list
> >     >     >         [email protected]
> >     >     >         https://mail.gna.org/listinfo/linux4nano-dev
> >     >     >         http://www.linux4nano.org
> >     >     >
> >     >     >
> >     >     >
> >     >     >
> >     >     >     --
> >     >     >     We explore... and you call us criminals.
> >     >     >     We seek after knowledge... and you call us criminals.
> >     >     >     We exist without skin color, without nationality, without
> >     >     >     religious bias... and you call us criminals.
> >     >     >     You build atomic bombs, you wage wars, you murder, cheat, and
> >     >     >     lie to us and try to make us believe it's for our own good...
> >     >     >     ....yet we're the criminals.
> >     >     >
> >     >     >     ____________WAUSHARE ROX ______________
> >     >     >     Join the dark side we've got cheese
> >     >     >     Annoying people since 1992
> >     >     >     If you hate me, I love you too. It ain't my fault I'm better
> >     >     >     than you
> >     >     >     Save Water, Drink Beer
> >     >     >     God Made Women First, Then He Had A Better Idea.
> >     >     >     If Barbie is soo popular...how come you have to buy her
> >     >     >     friends?
> >     >     >     Don't play stupid with me... I'm better at it!
> >     >     >     You were so cute when you were a baby...What happened?
> >     >     >     My folks were always asking me to wear underpants. What am I,
> >     >     >     the pope?
> >     >     >     I'm calling the police!... Right after I flush some tings.
> >     >     >     Join the army, see the world, meet interesting people, and
> >     >     >     kill them.
> >     >     >
> >     >     >
> >     >     >
> >     >
> >     >
> >     >
> >     >
> >     >
> >
> >
> >
> >
> >
>
>



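The two ARM decodings quoted in the thread (EB 3C 90 4D at 0x5E00 read as BL F29F3C, and 59 DC C9 DD at 0xF29F3C read as LDMPLIB R12, {R0,R2-R4,R6-R8,R11,LR,PC}^) can be reproduced with a few lines of bit-twiddling, which is a cheaper check than loading the image into a disassembler and guessing the endianness. The following is an added example, not code from the thread or the linux4nano project. It handles only the two encoding classes that appear there (branch B/BL, and block data transfer LDM/STM), assumes 32-bit ARM state (no Thumb), and prints IDA-style text; it also shows what the same four bytes look like when read little-endian.

```python
"""Added example: minimal ARM decoder for the two encodings seen in the thread
(branch B/BL and block transfer LDM/STM).  Assumes 32-bit ARM state; anything
else decodes to None.  Not part of the thread or the linux4nano project."""
import struct

CONDS = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
         "HI", "LS", "GE", "LT", "GT", "LE", "", "NV"]   # index 14 = AL, printed as nothing
REGS = [f"R{i}" for i in range(13)] + ["SP", "LR", "PC"]


def reg_list(mask):
    """Render a 16-bit register bitmask as {R0,R2-R4,...}; runs of 3+ collapse to a range."""
    regs = [i for i in range(16) if mask >> i & 1]
    parts, i = [], 0
    while i < len(regs):
        j = i
        while j + 1 < len(regs) and regs[j + 1] == regs[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"{REGS[regs[i]]}-{REGS[regs[j]]}")
        else:
            parts.extend(REGS[r] for r in regs[i:j + 1])
        i = j + 1
    return "{" + ",".join(parts) + "}"


def branch_target(word, addr):
    """B/BL target: PC (which reads as addr + 8 in ARM state) + sign-extended 24-bit offset << 2."""
    off = word & 0xFFFFFF
    if off & 0x800000:
        off -= 0x1000000
    return (addr + 8 + (off << 2)) & 0xFFFFFFFF


def decode(word, addr):
    """Decode one 32-bit ARM instruction word located at `addr` into IDA-style text."""
    cond = CONDS[word >> 28]
    cls = (word >> 25) & 0b111
    if cls == 0b101:                                        # bits 27..25 = 101: branch
        link = "L" if word >> 24 & 1 else ""
        return f"B{link}{cond} {branch_target(word, addr):X}"
    if cls == 0b100:                                        # bits 27..25 = 100: LDM/STM
        p, u, s, w, l = ((word >> b) & 1 for b in (24, 23, 22, 21, 20))
        mode = {(1, 1): "IB", (1, 0): "DB", (0, 1): "IA", (0, 0): "DA"}[(p, u)]
        rn = REGS[(word >> 16) & 0xF]
        # S bit (^) with PC in the list restores CPSR from SPSR; W bit (!) writes Rn back
        return (f"{'LDM' if l else 'STM'}{cond}{mode} {rn}{'!' if w else ''}, "
                f"{reg_list(word & 0xFFFF)}{'^' if s else ''}")
    return None


def decode_bytes(raw, addr, big_endian=True):
    """Decode consecutive 4-byte words of `raw` starting at `addr` in the chosen byte order."""
    fmt = ">I" if big_endian else "<I"
    return [decode(w, addr + 4 * i) for i, (w,) in enumerate(struct.iter_unpack(fmt, raw))]


if __name__ == "__main__":
    # The bytes and addresses are the ones quoted in the thread.
    print("big-endian   ", decode_bytes(bytes.fromhex("EB3C904D"), 0x5E00),
          decode_bytes(bytes.fromhex("59DCC9DD"), 0xF29F3C))
    print("little-endian", decode_bytes(bytes.fromhex("EB3C904D"), 0x5E00, big_endian=False))
```

Read big-endian the two words decode exactly as quoted; read little-endian neither falls into the branch or block-transfer class, which is the quick sanity test for the "if it's big-endian" caveat in the thread. Whether R12 holds a sensible base at that point is something the decoder cannot tell you; that still needs the reset-time register state.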
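mat h's field list (3-byte jump, OEM name, bytes per sector, number of FATs at offset 0x10) is a partial walk of a FAT boot sector, and the thread goes back and forth on where the EB 3C jump actually lands. This added example (not code from the thread or the linux4nano project) parses the FAT12/16 BIOS Parameter Block at the offsets the FAT specification defines, resolves the x86 short jump, and turns the sector counts into absolute offsets for a volume whose boot sector sits at a given image offset such as the thread's 0x5E00. The sample sector is constructed: only the EB 3C 90 jump and the MTOOL399 OEM name match what the thread reports; every other value is made up.

```python
"""Added example (not from the thread): parse a FAT12/16 boot sector's BIOS Parameter
Block, resolve the x86 jump at byte 0, and map the volume's regions to absolute
offsets in a disk image.  Field offsets follow the FAT specification."""
import struct

BPB_FMT = "<8sHBHBHHBHHHII"        # bytes 0x03 .. 0x23 of the sector
EXT_FMT = "<BBBI11s8s"             # bytes 0x24 .. 0x3D (FAT12/16 extended BPB)


def jump_target(sector):
    """Offset inside the sector that the x86 jump at byte 0 lands on.  rel8/rel16 are
    relative to the end of the jump instruction.  None if byte 0 is not an x86 jump."""
    op = sector[0]
    if op == 0xEB:                                   # JMP SHORT rel8, byte 2 is a NOP pad
        return 2 + struct.unpack_from("<b", sector, 1)[0]
    if op == 0xE9:                                   # JMP NEAR rel16
        return 3 + struct.unpack_from("<h", sector, 1)[0]
    return None


def parse_fat16_bootsector(sector):
    """Return the BPB fields plus the derived layout; `problems` lists failed sanity checks."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    (oem, bps, spc, rsvd, nfats, rootents, totsec16, media,
     fatsz16, spt, heads, hidden, totsec32) = struct.unpack_from(BPB_FMT, sector, 3)
    drv, _, bootsig, volid, label, fstype = struct.unpack_from(EXT_FMT, sector, 0x24)
    total = totsec16 or totsec32                     # 16-bit count of 0 means "use the 32-bit one"
    root_sectors = -(-rootents * 32 // bps) if bps else 0   # 32-byte entries, rounded up
    first_fat = rsvd
    first_root = rsvd + nfats * fatsz16
    first_data = first_root + root_sectors
    clusters = (total - first_data) // spc if spc else 0
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32?"
    problems = []
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"bytes/sector {bps} is not a power of two in 512..4096")
    if nfats not in (1, 2):
        problems.append(f"number of FATs is {nfats}, expected 1 or 2")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature at 0x1FE")
    if jump_target(sector) != 0x3E:
        problems.append("jump at byte 0 does not land on 0x3E (end of the FAT12/16 BPB)")
    return {
        "jump_target": jump_target(sector), "oem": oem.decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": rsvd,
        "num_fats": nfats, "root_entries": rootents, "total_sectors": total,
        "media": media, "fat_size_sectors": fatsz16, "ext_boot_sig": bootsig,
        "volume_id": volid, "label": label.decode("ascii", "replace").rstrip(),
        "fs_type_string": fstype.decode("ascii", "replace").rstrip(),
        "first_fat_sector": first_fat, "first_root_sector": first_root,
        "first_data_sector": first_data, "cluster_count": clusters,
        "fat_type": fat_type, "problems": problems,
    }


def image_offsets(info, base):
    """Absolute byte offsets of the volume regions when the boot sector sits at `base`
    in the disk image (the thread places it at 0x5E00)."""
    bps = info["bytes_per_sector"]
    return {"boot_code": base + info["jump_target"],
            "fat": base + info["first_fat_sector"] * bps,
            "root_dir": base + info["first_root_sector"] * bps,
            "data": base + info["first_data_sector"] * bps}


def build_sample_sector():
    """Constructed sample, mtools-style FAT16 boot sector.  Only the jump bytes and the
    OEM name are what the thread reports; the geometry is made up."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"
    struct.pack_into(BPB_FMT, sec, 3, b"MTOOL399", 512, 4, 1, 2, 512, 0, 0xF8, 64, 32, 2, 0, 65536)
    struct.pack_into(EXT_FMT, sec, 0x24, 0x80, 0, 0x29, 0x12345678, b"NO NAME    ", b"FAT16   ")
    sec[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sec)


if __name__ == "__main__":
    info = parse_fat16_bootsector(build_sample_sector())
    for key, value in info.items():
        print(f"{key:20} {value}")
    print({k: hex(v) for k, v in image_offsets(info, 0x5E00).items()})
```

Because rel8 is measured from the end of the two-byte jump, EB 3C lands at 0x3E, the first byte after the 62-byte FAT12/16 BPB, and the 0x90 is a pad byte that never executes; reading the three bytes as 0x5E00+0x3C90 concatenates the displacement with that pad. The derived sector numbers give the FAT, root directory and data area, which is where any file stored on the volume actually lives, so those are the offsets to carve from the image rather than the boot sector itself.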
