During Christmas vacation, I had some thoughts about what Apple could 
have done to the firmware, if they were pretty clever. I've had a look 
at some Nano3G firmware images recently, which sadly seem to support 
that theory. They have changed something on the Nano3G, there is some 
unencrypted data at the end of the OSOS and AUPD images. It pretty 
much looks like some kind of footer which is INCLUDED in the file size 
given in the directory-like structure, unlike the header. That footer 
contains something that looks like a digital signature of the firmware 
image or some other kind of certificate. It contains the string 
"SecureBoot", which further supports the guess that it's a signature. 
Even if we manage to hack the encryption, that would mean that we need 
to get our hands on their private key in order to recreate that 
signature, which seems pretty impossible. So even if we extract the 
bootloader (and all the other things that might be in that utility flash 
chip), we cannot modify the firmware, unless we do a hardware-based 
reflash of the bootloader. That would hack ONE iPod, but wouldn't be of 
any use to iPodLinux users, as they won't disassemble their iPods and 
rip off chips just to be able to use iPodLinux. So we would still need a 
software security leak in order to enable users to perform that reflash 
using a software-only hack. But a hardware flash dump would of course be 
of much use in order to work out a software exploit. But would the users 
really want to take the risk of reflashing the boot chip? If something 
goes wrong there, their iPods are toast and warranty is probably void. 
So the only approach left would be to directly boot iPodLinux through a 
software exploit every time, by playing the "Start iPodLinux" song ;)

Now the question is, how different are the Nano2Gs to the Nano3Gs? 
While, on the 3Gs, it looks like a digital signature was used, we could 
hope that on the 2Gs there is only some kind of checksum, which we can 
break by reverse engineering the boot loader. Is the digital signature 
just somewhere else on the 2Gs? Or is there really just a checksum? A 
hardware-based dump is probably the only way to find an answer to that 
question... Is it possible to rip that flash chip off the base board 
without damaging it? How realistic is a JTAG attack? How many touch 
points are there on the base board? How many of them are right beside 
the ARM?

BTW What about setting up a wiki or using a section of the iPL wiki? 
Could be pretty useful.
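The checksum-versus-signature distinction the post draws (a footer anyone can recompute after editing the image, versus one that needs the vendor's private key) as an added Python example; this is not code from the post or from the linux4nano project, the image bytes are constructed, and the tiny RSA key is an educational stand-in since the post does not describe the real footer format.

```python
import hashlib
import zlib

# Constructed stand-in for a firmware body; no real iPod image is used.
IMAGE_BODY = b"fake-OSOS-firmware-body " * 4

# Toy RSA key (assumption, educational only): small hardcoded primes so the
# example runs offline without a crypto library. Real signers use 2048+ bits.
_P, _Q = 1000003, 1000033
N = _P * _Q
E = 65537                                  # public exponent, known to everyone
D = pow(E, -1, (_P - 1) * (_Q - 1))        # private exponent, stays with the vendor


def checksum_footer(body: bytes) -> bytes:
    """Footer of the kind hoped for on the 2G: a plain CRC32 of the body."""
    return zlib.crc32(body).to_bytes(4, "big")


def _digest(body: bytes) -> int:
    # SHA-256 truncated to 32 bits so it is smaller than the toy modulus N.
    return int.from_bytes(hashlib.sha256(body).digest()[:4], "big")


def signature_footer(body: bytes) -> bytes:
    """Footer of the kind suspected on the 3G: the body digest signed with D."""
    return pow(_digest(body), D, N).to_bytes(8, "big")


def verify_checksum(image: bytes) -> bool:
    body, footer = image[:-4], image[-4:]
    return checksum_footer(body) == footer


def verify_signature(image: bytes) -> bool:
    body, footer = image[:-8], image[-8:]
    return pow(int.from_bytes(footer, "big"), E, N) == _digest(body)


def tamper(image: bytes, footer_len: int, patch: bytes):
    """Overwrite the tail of the body; return (patched body, original footer)."""
    body, footer = image[:-footer_len], image[-footer_len:]
    return body[: len(body) - len(patch)] + patch, footer


def demo() -> dict:
    patch = b"PATCHED!"
    summed = IMAGE_BODY + checksum_footer(IMAGE_BODY)
    signed = IMAGE_BODY + signature_footer(IMAGE_BODY)
    # Checksum: the footer is rebuilt from public knowledge, so the edit passes.
    body, _ = tamper(summed, 4, patch)
    checksum_forged = verify_checksum(body + checksum_footer(body))
    # Signature: without D the old footer is all that can be attached, and it fails.
    body, old_footer = tamper(signed, 8, patch)
    signature_stale = verify_signature(body + old_footer)
    return {"original_checksum_ok": verify_checksum(summed),
            "original_signature_ok": verify_signature(signed),
            "tampered_checksum_ok": checksum_forged,
            "tampered_signature_ok": signature_stale}
```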

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org