ok, it seems to match this: our mod# here is:

ROM:00004068 23 DCB 0x23 ; #
ROM:00004069 64 DCB 0x64 ; d
ROM:0000406A 6F DCB 0x6F ; o
ROM:0000406B 4D DCB 0x4D ; M
ROM:0000406C 4D DCB 0x4D ; M
ROM:0000406D 41 DCB 0x41 ; A
ROM:0000406E 34 DCB 0x34 ; 4
ROM:0000406F 37 DCB 0x37 ; 7
ROM:00004070 37 DCB 0x37 ; 7

so MA477. Our fwid:

ROM:00004030 00 00 00 01 DCD 0x1000000
ROM:00004034 DA FA F5 19 DCD 0x19F5FADA
ROM:00004038 00 27 0A 00 DCD 0xA2700
ROM:0000403C 00 00 00 00 DCD 0

and so on... as the iPod number... Erf, so there is the iPod number of our seller in the mail... sorry about that.

For each of the 4 sections, I XOR the whole section data with 0xDD400490 and it appears that, for each section's data:

____
we have clear data (len etc, ...) and a 0x14 blob,
then plenty of 0,
another 0x14 blob,
____
and random data.

The data between ___ is 0x200 long, and note that on disk (in the dump in fact):

SECTION 1 offset + 0x200 + SECTION len == SECTION 2 offset :)

So the section header points to a section, but the data seems to start after 0x200 bytes.
Maybe one of the blobs could be the SHA1 of the clear data (the SHA1 doesn't match directly here); the other blob may be a KEY.

NOTE: for the sections logoflsh and logo the 2 blobs are the same... and the data are exactly the same, which could confirm the theory of one blob being the key:

-----section 0 -----
offset 0xcac80 len 0x34f80
blob 1
0000: 13 24 80 F3 03 AD 69 71 EF 7A 33 F2 A1 27 1A 36
0010: 0F C3 AD 21
blob 2
0000: BB AC 6A 5F 8E 2D 29 0F A8 8E A0 56 E6 F1 05 FF
0010: DE 8A 47 DC

-----section 1 -----
offset 0xb5c40 len 0x14e40
blob 1
0000: 0E 94 E9 28 AB 71 C3 F4 D6 51 EB FA 73 01 40 E7
0010: 56 59 70 BC
blob 2
0000: 03 56 D2 77 C3 98 D4 1A 0F 62 AE A9 D1 AF AF 9E
0010: 23 94 6B 44

-----section 2 -----
offset 0xb3440 len 0x2600
blob 1
0000: F6 71 A2 E8 2D C3 3D A8 E8 9C B5 CE E1 E7 35 C8
0010: 8A 6F B6 FD
blob 2
0000: F5 53 52 C4 9F 21 EF A3 B0 6D 7E EF 1E 75 C2 EB
0010: CB 5F 49 E4

-----section 3 -----
offset 0x55b80 len 0x2600
blob 1
0000: F6 71 A2 E8 2D C3 3D A8 E8 9C B5 CE E1 E7 35 C8
0010: 8A 6F B6 FD
blob 2
0000: F5 53 52 C4 9F 21 EF A3 B0 6D 7E EF 1E 75 C2 EB
0010: CB 5F 49 E4

+
serpilliere

Raoul Guggenheim wrote:
> Well, I have an iPod Nano 3G, but I assume they have plenty of stuff in
> common. So this is my about screen.
>
> About Information
>
> SrNm:My 11 digit Serial number
> Mod#:MA978
> Regn:1 0 2 0 32 0 1
> FwId:01000000
> 1aa16a73
> 000a2700
> 00000000
> HwVr:00140010
> vrsn:1.32.f.2
>
> MENU to continue
>
> If you need a screen I'll search for a camera :D
>
>
>> Thx for the information
>> (in fact I couldn't see this, I don't have any iPod :)
>>
>> But if someone has an iPod, does the string mNrSYM7240KUVQ5 "seem like"
>> the firmware id, or is 0x19F5FADA 0xA2700 more favorable as the firmware
>> id possibly displayed in diagnostic mode?
>>
>> (I didn't find any correct picture on google..)
>>
>>
>> By the way, I definitively missed something: in all sections, if
>> you look further ahead:
>> ROM:000CAC80 00 00 00 00 DCD 0
>> ROM:000CAC84 02 00 00 00 DCD 2
>> ROM:000CAC88 02 00 00 00 DCD 2
>> ROM:000CAC8C 40 00 00 00 DCD 0x40
>> ROM:000CAC90 00 00 00 00 DCD 0
>> ROM:000CAC94 80 4F 03 00 DCD 0x34F80
>> ROM:000CAC98 90 04 40 DD DCD 0xDD400490
>> ROM:000CAC9C 83 20 C0 2E DCD 0x2EC02083
>> ROM:000CACA0 93 A9 29 AC DCD 0xAC29A993
>> ROM:000CACA4 7F 7E 73 2F DCD 0x2F737E7F
>> ROM:000CACA8 31 23 5A EB DCD 0xEB5A2331
>> ROM:000CACAC 9F C7 ED FC DCD 0xFCEDC79F
>> ROM:000CACB0 90 04 40 DD DCD 0xDD400490
>> ROM:000CACB4 90 04 40 DD DCD 0xDD400490
>> ROM:000CACB8 90 04 40 DD DCD 0xDD400490
>> ROM:000CACBC 90 04 40 DD DCD 0xDD400490
>> ROM:000CACC0 90 04 40 DD DCD 0xDD400490
>> ROM:000CACC4 90 04 40 DD DCD 0xDD400490
>> ROM:000CACC8 90 04 40 DD DCD 0xDD400490
>> ROM:000CACCC 90 04 40 DD DCD 0xDD400490
>> ROM:000CACD0 90 04 40 DD DCD 0xDD400490
>> ROM:000CACD4 90 04 40 DD DCD 0xDD400490
>> ROM:000CACD8 90 04 40 DD DCD 0xDD400490
>> ROM:000CACDC 90 04 40 DD DCD 0xDD400490
>> ROM:000CACE0 90 04 40 DD DCD 0xDD400490
>> ROM:000CACE4 90 04 40 DD DCD 0xDD400490
>> ROM:000CACE8 90 04 40 DD DCD 0xDD400490
>> ROM:000CACEC 90 04 40 DD DCD 0xDD400490
>> ROM:000CACF0 90 04 40 DD DCD 0xDD400490
>> ROM:000CACF4 90 04 40 DD DCD 0xDD400490
>> ROM:000CACF8 90 04 40 DD DCD 0xDD400490
>> ROM:000CACFC 90 04 40 DD DCD 0xDD400490
>> ROM:000CAD00 90 04 40 DD DCD 0xDD400490
>> ROM:000CAD04 90 04 40 DD DCD 0xDD400490
>> ROM:000CAD08 90 04 40 DD DCD 0xDD400490
>> ROM:000CAD0C 90 04 40 DD DCD 0xDD400490
>> ROM:000CAD10 90 04 40 DD
>>
>>
>> humm, seems like plenty of 0xDD400490 (XOR key? :) and thus, for all 4
>> "sections"
>>
>>
>> +
>> serpilliere
>>
>>
>> Raoul Guggenheim wrote:
>>
>>> That FwId and Regn reminded me of the iPod diagnostics mode. In the about
>>> screen you'll find exactly those strings there. I see progress has been
>>> made :-D
>>>
>>>
>>>> look at offset 0xFFE00
>>>> It seems we have an array of size 4 with the following structure, sort of
>>>> section headers:
>>>>
>>>> *name (reversed string)
>>>> *0
>>>> *offset in dump
>>>> *len in dump
>>>> *0x8000000
>>>> *0
>>>> *0
>>>> *0x10005
>>>> *address in memory?
>>>>
>>>>
>>>> Moreover on disk we have (raw offset + len):
>>>> diagflsh raw offset + diagflsh len
>>>> 0xB5C40 + 0x14E40 = CAA80
>>>>
>>>> and CAA80 is near the flshdisk raw offset (0xCAC80), which seems to confirm
>>>> a sort of section header descriptors
>>>>
>>>> addresses in memory may be interesting:
>>>> 0x810C848
>>>> 0x80F7808
>>>> 0x80F5008
>>>>
>>>> because they seem to reflect the len on disk:
>>>> 0x810C848-0x80F7808 = 0x15040 and diagflsh may be 0x14E40 bytes on disk
>>>> 0x80F7808-0x80F5008 = 0x2800 and logoflsh may be 0x2600 on disk
>>>>
>>>> and for example in the PE header, there is a file alignment and a memory
>>>> alignment which may differ from one another. (this is just to compare)
>>>>
>>>>
>>>> ROM:000FFE00 68 73 6C 66 DCD 0x666C7368 ; flshdisk
>>>> ROM:000FFE04 6B 73 69 64 DCD 0x6469736B
>>>> ROM:000FFE08 00 00 00 00 DCD 0
>>>> ROM:000FFE0C 80 AC 0C 00 DCD 0xCAC80
>>>> ROM:000FFE10 80 4F 03 00 DCD 0x34F80
>>>> ROM:000FFE14 00 00 00 08 DCD 0x8000000
>>>> ROM:000FFE18 00 00 00 00 DCD 0
>>>> ROM:000FFE1C 00 00 00 00 DCD 0
>>>> ROM:000FFE20 05 00 01 00 DCD 0x10005
>>>> ROM:000FFE24 48 C8 10 08 DCD 0x810C848
>>>>
>>>> ROM:000FFE28 68 73 6C 66 DCD 0x666C7368 ; diagflsh
>>>> ROM:000FFE2C 67 61 69 64 DCD 0x64696167
>>>> ROM:000FFE30 00 00 00 00 DCD 0
>>>> ROM:000FFE34 40 5C 0B 00 DCD 0xB5C40
>>>> ROM:000FFE38 40 4E 01 00 DCD 0x14E40
>>>> ROM:000FFE3C 00 00 00 08 DCD 0x8000000
>>>> ROM:000FFE40 00 00 00 00 DCD 0
>>>> ROM:000FFE44 00 00 00 00 DCD 0
>>>> ROM:000FFE48 05 00 01 00 DCD 0x10005
>>>> ROM:000FFE4C 08 78 0F 08 DCD 0x80F7808
>>>>
>>>> ROM:000FFE50 68 73 6C 66 DCD 0x666C7368 ; logoflsh
>>>> ROM:000FFE54 6F 67 6F 6C DCD 0x6C6F676F
>>>> ROM:000FFE58 00 00 00 00 DCD 0
>>>> ROM:000FFE5C 40 34 0B 00 DCD 0xB3440
>>>> ROM:000FFE60 00 26 00 00 DCD 0x2600
>>>> ROM:000FFE64 00 00 00 08 DCD 0x8000000
>>>> ROM:000FFE68 00 00 00 00 DCD 0
>>>> ROM:000FFE6C 00 00 00 00 DCD 0
>>>> ROM:000FFE70 05 00 01 00 DCD 0x10005
>>>> ROM:000FFE74 08 50 0F 08 DCD 0x80F5008
>>>>
>>>> ROM:000FFE78 00 00 00 00 DCD 0 ; logo
>>>> ROM:000FFE7C 6F 67 6F 6C DCD 0x6C6F676F
>>>> ROM:000FFE80 00 00 00 00 DCD 0
>>>> ROM:000FFE84 80 5B 05 00 DCD 0x55B80
>>>> ROM:000FFE88 00 26 00 00 DCD 0x2600
>>>> ROM:000FFE8C 00 00 00 08 DCD 0x8000000
>>>> ROM:000FFE90 00 00 00 00 DCD 0
>>>> ROM:000FFE94 00 00 00 00 DCD 0
>>>> ROM:000FFE98 05 00 01 00 DCD 0x10005
>>>> ROM:000FFE9C FF FF FF FF DCD 0xFFFFFFFF
>>>>
>>>>
>>>> Next, when we look at each raw offset:
>>>>
>>>> 0xCAC80 (flshdisk)
>>>> ROM:000CAC80 00 00 00 00 DCD 0
>>>> ROM:000CAC84 02 00 00 00 DCD 2
>>>> ROM:000CAC88 02 00 00 00 DCD 2
>>>> ROM:000CAC8C 40 00 00 00 DCD 0x40
>>>> ROM:000CAC90 00 00 00 00 DCD 0
>>>> ROM:000CAC94 80 4F 03 00 DCD 0x34F80
>>>> ROM:000CAC98 90 04 40 DD DCD 0xDD400490
>>>> ROM:000CAC9C 83 20 C0 2E DCD 0x2EC02083
>>>>
>>>> at 0xB5C40 (diagflsh)
>>>> ROM:000B5C40 00 00 00 00 DCD 0
>>>> ROM:000B5C44 02 00 00 00 DCD 2
>>>> ROM:000B5C48 02 00 00 00 DCD 2
>>>> ROM:000B5C4C 40 00 00 00 DCD 0x40
>>>> ROM:000B5C50 00 00 00 00 DCD 0
>>>> ROM:000B5C54 40 4E 01 00 DCD 0x14E40
>>>> ROM:000B5C58 90 04 40 DD DCD 0xDD400490
>>>> ROM:000B5C5C 9E 90 A9 F5 DCD 0xF5A9909E
>>>>
>>>> 000B3440 (logoflsh)
>>>> ROM:000B3440 00 00 00 00 DCD 0
>>>> ROM:000B3444 02 00 00 00 DCD 2
>>>> ROM:000B3448 02 00 00 00 DCD 2
>>>> ROM:000B344C 40 00 00 00 DCD 0x40
>>>> ROM:000B3450 00 00 00 00 DCD 0
>>>> ROM:000B3454 00 26 00 00 DCD 0x2600
>>>> ROM:000B3458 90 04 40 DD DCD 0xDD400490
>>>> ROM:000B345C 66 75 E2 35 DCD 0x35E27566
>>>>
>>>> at 00055B80 (logo)
>>>> ROM:00055B80 00 00 00 00 DCD 0
>>>> ROM:00055B84 02 00 00 00 DCD 2
>>>> ROM:00055B88 02 00 00 00 DCD 2
>>>> ROM:00055B8C 40 00 00 00 DCD 0x40
>>>> ROM:00055B90 00 00 00 00 DCD 0
>>>> ROM:00055B94 00 26 00 00 DCD 0x2600
>>>> ROM:00055B98 90 04 40 DD DCD 0xDD400490
>>>> ROM:00055B9C 66 75 E2 35 DCD 0x35E27566
>>>>
>>>>
>>>> we can see the LEN is repeated;
>>>> the sections logo & logoflsh (0x2600 both) are the same.
>>>> So if it is a stream cipher with the same key, the XOR of both should
>>>> result in the XOR of the unciphered versions. (erf :)
>>>>
>>>>
>>>> Another interesting offset: 0x4000
>>>> at 00004000 4 bytes stand for SCfg (config?)
>>>> at 00004018 strange string mNrSYM7240KUVQ5
>>>> at 0000402C 4 bytes stand for Fwid (firmware id?)
>>>> at 00004040 4 bytes for Hwid (hardware id?)
>>>> at 0000407C 4 bytes: Regn (region??)
>>>> at 00004090 ?? DrmV (DRM version, kikoolol.)
>>>>
>>>>
>>>> ROM:00004000 67 DCB 0x67 ; g
>>>> ROM:00004001 66 DCB 0x66 ; f
>>>> ROM:00004002 43 DCB 0x43 ; C
>>>> ROM:00004003 53 DCB 0x53 ; S
>>>> ROM:00004004 A4 00 00 00 DCD 0xA4
>>>> ROM:00004008 00 20 00 00 DCD 0x2000
>>>> ROM:0000400C 01 00 01 00 DCD 0x10001
>>>> ROM:00004010 00 00 00 00 DCD 0
>>>> ROM:00004014 07 00 00 00 DCD 7
>>>> ROM:00004018 6D DCB 0x6D ; m
>>>> ROM:00004019 4E DCB 0x4E ; N
>>>> ROM:0000401A 72 DCB 0x72 ; r
>>>> ROM:0000401B 53 DCB 0x53 ; S
>>>> ROM:0000401C 59 DCB 0x59 ; Y
>>>> ROM:0000401D 4D DCB 0x4D ; M
>>>> ROM:0000401E 37 DCB 0x37 ; 7
>>>> ROM:0000401F 32 DCB 0x32 ; 2
>>>> ROM:00004020 34 DCB 0x34 ; 4
>>>> ROM:00004021 30 DCB 0x30 ; 0
>>>> ROM:00004022 4B DCB 0x4B ; K
>>>> ROM:00004023 55 DCB 0x55 ; U
>>>> ROM:00004024 56 DCB 0x56 ; V
>>>> ROM:00004025 51 DCB 0x51 ; Q
>>>> ROM:00004026 35 DCB 0x35 ; 5
>>>> ROM:00004027 00 DCB 0
>>>> ROM:00004028 00 00 00 00 DCD 0
>>>> ROM:0000402C 64 DCB 0x64 ; d
>>>> ROM:0000402D 49 DCB 0x49 ; I
>>>> ROM:0000402E 77 DCB 0x77 ; w
>>>> ROM:0000402F 46 DCB 0x46 ; F
>>>> ROM:00004030 00 00 00 01 DCD 0x1000000
>>>> ROM:00004034 DA FA F5 19 DCD 0x19F5FADA
>>>> ROM:00004038 00 27 0A 00 DCD 0xA2700
>>>> ROM:0000403C 00 00 00 00 DCD 0
>>>> ROM:00004040 64 DCB 0x64 ; d
>>>> ROM:00004041 49 DCB 0x49 ; I
>>>> ROM:00004042 77 DCB 0x77 ; w
>>>> ROM:00004043 48 DCB 0x48 ; H
>>>> ROM:00004044 FF FF FF FF DCD 0xFFFFFFFF
>>>> ROM:00004048 FF FF FF FF DCD 0xFFFFFFFF
>>>> ROM:0000404C FF FF FF FF DCD 0xFFFFFFFF
>>>> ROM:00004050 FF FF FF FF DCD 0xFFFFFFFF
>>>> ROM:00004054 72 DCB 0x72 ; r
>>>> ROM:00004055 56 DCB 0x56 ; V
>>>> ROM:00004056 77 DCB 0x77 ; w
>>>> ROM:00004057 48 DCB 0x48 ; H
>>>> ROM:00004058 00 00 00 00 DCD 0
>>>> ROM:0000405C 09 00 10 00 DCD 0x100009
>>>> ROM:00004060 00 00 00 00 DCD 0
>>>> ROM:00004064 00 00 00 00 DCD 0
>>>> ROM:00004068 23 DCB 0x23 ; #
>>>> ROM:00004069 64 DCB 0x64 ; d
>>>> ROM:0000406A 6F DCB 0x6F ; o
>>>> ROM:0000406B 4D DCB 0x4D ; M
>>>> ROM:0000406C 4D DCB 0x4D ; M
>>>> ROM:0000406D 41 DCB 0x41 ; A
>>>> ROM:0000406E 34 DCB 0x34 ; 4
>>>> ROM:0000406F 37 DCB 0x37 ; 7
>>>> ROM:00004070 37 DCB 0x37 ; 7
>>>> ROM:00004071 00 DCB 0
>>>> ROM:00004072 00 DCB 0
>>>> ROM:00004073 00 DCB 0
>>>> ROM:00004074 00 00 00 00 DCD 0
>>>> ROM:00004078 00 00 00 00 DCD 0
>>>> ROM:0000407C 6E DCB 0x6E ; n
>>>> ROM:0000407D 67 DCB 0x67 ; g
>>>> ROM:0000407E 65 DCB 0x65 ; e
>>>> ROM:0000407F 52 DCB 0x52 ; R
>>>> ROM:00004080 01 00 02 00 DCD 0x20001
>>>> ROM:00004084 02 00 02 00 DCD 0x20002
>>>> ROM:00004088 00 00 00 00 DCD 0
>>>> ROM:0000408C 00 00 00 00 DCD 0
>>>> ROM:00004090 56 DCB 0x56 ; V
>>>> ROM:00004091 6D DCB 0x6D ; m
>>>> ROM:00004092 72 DCB 0x72 ; r
>>>> ROM:00004093 44 DCB 0x44 ; D
>>>> ROM:00004094 00 00 00 00 DCD 0
>>>> ROM:00004098 06 00 00 00 DCD 6
>>>> ROM:0000409C 00 00 00 00 DCD 0
>>>> ROM:000040A0 00 00 00 00 DCD 0
>>>>
>>>>
>>>> +
>>>> serpilliere
>>>>
>>>>
>>>> _______________________________________________
>>>> Linux4nano-dev mailing list
>>>> [email protected]
>>>> https://mail.gna.org/listinfo/linux4nano-dev
>>>> http://www.linux4nano.org
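What follows is an added example, not code from this thread or from the linux4nano project: a small Python parser for the two structures serpilliere describes, the 4-entry section table at 0xFFE00 and the 0x200-byte header that sits between each section's offset and its data, run on a constructed dump. The table entries are the ones listed in the thread, and the five words that follow the first 0xDD400490 in the flshdisk header (0x2EC02083 through 0xFCEDC79F) are copied from the listing; XORing them with 0xDD400490 yields exactly the blob 1 bytes posted for section 0 (13 24 80 F3 ...), which the example checks. Everything else is constructed and marked as such: the 1 MiB dump size, the other sections' blobs, the position of the second blob (+0x100, since the thread gives no offset for it) and the payload bytes. The XOR is applied from +0x18, where the 0xDD400490 words start in the listings while the first six words read as-is; that is my reading, not something the thread states. The layout check recomputes the offset + 0x200 + len relation (flshdisk's data then ends at 0xFFE00, right where the table begins), and the load-address check shows that the spacing between the three memory addresses, 0x2800 and 0x15040, is len + 0x200 of the lower section, i.e. the same 0x200 header seen on disk.

```python
"""Added example: parse the section table at 0xFFE00 and the 0x200-byte
per-section header described in the thread, on a constructed dump."""
import struct

XOR_KEY = 0xDD400490        # pad word seen in every section header
TABLE_OFF = 0xFFE00         # section table offset given in the thread
ENTRY_FMT = "<8s8I"         # name (two byte-reversed words) + eight words
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 0x28
HDR_SIZE = 0x200            # bytes between a section's offset and its data
CLEAR_LEN = 0x18            # six words readable as-is: 0, 2, 2, 0x40, 0, len
NO_ADDR = 0xFFFFFFFF

# Section table values copied from the listing in the thread.
TABLE = [
    ("flshdisk", 0xCAC80, 0x34F80, 0x810C848),
    ("diagflsh", 0xB5C40, 0x14E40, 0x80F7808),
    ("logoflsh", 0xB3440, 0x2600, 0x80F5008),
    ("logo", 0x55B80, 0x2600, NO_ADDR),
]
# The five words after the first 0xDD400490 at ROM:000CAC9C (flshdisk).
FLSHDISK_BLOB1_ENC = (0x2EC02083, 0xAC29A993, 0x2F737E7F, 0xEB5A2331, 0xFCEDC79F)


def _rev_name(name):
    """'flshdisk' -> b'hslfksid': each 4-byte word is stored byte-reversed."""
    raw = name.encode("ascii").rjust(8, b"\0")     # 'logo' -> word 0 is zero
    return raw[:4][::-1] + raw[4:][::-1]


def build_sample_dump(size=0x100000):
    """Constructed dump (size is an assumption). Table and header layout
    follow the thread; section 0's blob 1 is the listed one, the other
    blobs, blob 2's position (+0x100) and the payload bytes are filler."""
    dump = bytearray(size)
    for i, (name, off, ln, addr) in enumerate(TABLE):
        ent = struct.pack(ENTRY_FMT, _rev_name(name), 0, off, ln,
                          0x8000000, 0, 0, 0x10005, addr)
        dump[TABLE_OFF + i * ENTRY_SIZE:TABLE_OFF + (i + 1) * ENTRY_SIZE] = ent
        plain = [0] * ((HDR_SIZE - CLEAR_LEN) // 4)   # decoded header words
        if i == 0:
            plain[1:6] = [w ^ XOR_KEY for w in FLSHDISK_BLOB1_ENC]
        else:
            plain[1:6] = [0x01010101 * (i + 1) + k for k in range(5)]   # filler
        plain[58:63] = [0x0F0F0F0F * (i + 1) + k for k in range(5)]     # filler blob 2
        hdr = struct.pack("<6I", 0, 2, 2, 0x40, 0, ln)
        hdr += b"".join(struct.pack("<I", w ^ XOR_KEY) for w in plain)  # zero -> XOR_KEY
        dump[off:off + HDR_SIZE] = hdr
        dump[off + HDR_SIZE:off + HDR_SIZE + ln] = bytes([0xA5]) * ln   # filler payload
    return dump


def parse_table(dump, table_off=TABLE_OFF, count=4):
    """Read the section table: name, offset in dump, len, load address."""
    entries = []
    for i in range(count):
        start = table_off + i * ENTRY_SIZE
        name, _z, off, ln, _f, _z1, _z2, _v, addr = struct.unpack(
            ENTRY_FMT, bytes(dump[start:start + ENTRY_SIZE]))
        name = (name[:4][::-1] + name[4:][::-1]).strip(b"\0").decode("ascii")
        entries.append({"name": name, "offset": off, "len": ln, "load": addr})
    return entries


def _nonzero_runs(words, base):
    """Runs of consecutive non-zero 32-bit words as (header offset, bytes)."""
    runs, start = [], None
    for i, w in enumerate(words + (0,)):           # sentinel closes a last run
        if w and start is None:
            start = i
        elif not w and start is not None:
            runs.append((base + 4 * start,
                         b"".join(struct.pack("<I", x) for x in words[start:i])))
            start = None
    return runs


def parse_section_header(dump, off):
    """Split the 0x200 header into the clear words and the XOR-decoded blobs.
    Applying the XOR only from +0x18 is my reading of the listings."""
    hdr = bytes(dump[off:off + HDR_SIZE])
    clear = struct.unpack("<6I", hdr[:CLEAR_LEN])
    enc = struct.unpack("<%dI" % ((HDR_SIZE - CLEAR_LEN) // 4), hdr[CLEAR_LEN:])
    plain = tuple(w ^ XOR_KEY for w in enc)
    return {"fields": clear, "len": clear[5], "blobs": _nonzero_runs(plain, CLEAR_LEN)}


def section_end(e):
    return e["offset"] + HDR_SIZE + e["len"]


def check_layout(entries):
    """Does offset + 0x200 + len of one section land on the next section?"""
    by_off = sorted(entries, key=lambda e: e["offset"])
    return [(a["name"], b["name"], section_end(a) == b["offset"])
            for a, b in zip(by_off, by_off[1:])]


def check_load_spacing(entries):
    """Load-address spacing compared with len + 0x200 of the lower section."""
    by_addr = sorted((e for e in entries if e["load"] != NO_ADDR), key=lambda e: e["load"])
    return [(a["name"], b["name"], b["load"] - a["load"],
             b["load"] - a["load"] == a["len"] + HDR_SIZE)
            for a, b in zip(by_addr, by_addr[1:])]


if __name__ == "__main__":
    d = build_sample_dump()
    ents = parse_table(d)
    for e in ents:
        h = parse_section_header(d, e["offset"])
        print(e["name"], hex(e["offset"]), hex(h["len"]), [(hex(o), b.hex()) for o, b in h["blobs"]])
    print(check_layout(ents), hex(section_end(ents[0])), check_load_spacing(ents))
```

The blob scan works on whole 32-bit words rather than bytes so that a legitimate 0x00 byte inside a 0x14-byte blob does not split it; only an all-zero word ends a run. On a real dump, replace build_sample_dump() with the file contents and keep the table offset and key as parameters, since both came from this one firmware image.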
