--- Log opened Sat Mar 26 00:40:02 2011
00:40 -!- Dreamxtreme [~Dre@92.18.113.46] has quit [Read error: Connection reset by peer]
00:41 -!- Dreamxtreme [~Dre@92.18.113.46] has joined #freemyipod
00:46 -!- Dreamxtreme [~Dre@92.18.113.46] has quit [Read error: Connection reset by peer]
00:51 -!- Dreamxtreme [~Dre@92.18.113.46] has joined #freemyipod
00:59 -!- Dreamxtreme [~Dre@92.18.113.46] has quit [Read error: Connection reset by peer]
01:03 -!- Dreamxtreme [~Dre@92.18.113.46] has joined #freemyipod
01:06 -!- timccc [~timccc@112.166.15.141] has quit [Ping timeout: 246 seconds]
01:10 -!- Dreamxtreme [~Dre@92.18.113.46] has quit [Ping timeout: 276 seconds]
01:15 -!- Dreamxtreme [~Dre@92.18.113.46] has joined #freemyipod
01:46 -!- [Saint] [~st.lasciv@202-180-120-92.callplus.net.nz] has quit [Ping timeout: 252 seconds]
02:03 -!- geek7 [~geek@2001:c08:3700:ffff::5d59] has joined #freemyipod
02:14 -!- faileas [~geek@cm89.gamma26.maxonline.com.sg] has joined #freemyipod
02:16 -!- geek7 [~geek@2001:c08:3700:ffff::5d59] has quit [Ping timeout: 260 seconds]
02:18 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
02:22 -!- Keripo [~Keripo@165.123.49.243] has joined #freemyipod
02:28 -!- Keripo [~Keripo@165.123.49.243] has quit [Ping timeout: 252 seconds]
02:29 -!- Keripo [~Keripo@dhcp0101.kin.resnet.group.upenn.edu] has joined #freemyipod
03:28 -!- [Saint] [~st.lasciv@202-180-120-92.callplus.net.nz] has joined #freemyipod
03:29 -!- [Saint] [~st.lasciv@202-180-120-92.callplus.net.nz] has quit [Client Quit]
03:36 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Ping timeout: 260 seconds]
03:41 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
04:50 -!- timccc1 [~timccc@112.166.15.141] has joined #freemyipod
04:50 -!- timccc [~timccc@112.166.15.141] has quit [Quit: Leaving.]
04:54 -!- timccc1 [~timccc@112.166.15.141] has quit [Read error: Connection reset by peer]
04:54 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
04:58 -!- timccc [~timccc@112.166.15.141] has quit [Read error: Connection reset by peer]
05:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
05:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
07:09 -!- timccc [~timccc@112.166.15.141] has joined #freemyipod
07:34 -!- kyle6513 [~kyle6513@CPE-121-208-218-78.mjcz2.cha.bigpond.net.au] has joined #freemyipod
09:16 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has quit [*.net *.split]
09:25 -!- Farthen [~Farthen@static.225.178.40.188.clients.your-server.de] has joined #freemyipod
11:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
11:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
12:25 -!- user890104 [~Venci@6bez10.info] has quit []
12:50 -!- dan1495 [4a2f563a@gateway/web/freenode/ip.74.47.86.58] has joined #freemyipod
12:52 < dan1495> I'm just curious, has anyone been having problems getting doom to play? Mine freezes up as soon as it starts loading the graphics engine, then I need to restart.
12:54 < dan1495> oops, sorry, wrong channel...
12:54 -!- dan1495 [4a2f563a@gateway/web/freenode/ip.74.47.86.58] has left #freemyipod
13:35 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
15:06 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 276 seconds]
15:12 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
15:17 -!- Keripo [~Keripo@dhcp0101.kin.resnet.group.upenn.edu] has quit [Quit: Leaving.]
15:26 < fmibot> New commit by farthen (r675): emcore tools: rename user memory to malloc pool, libemcore.getusermemrange() to libemcore.getmallocpoolbounds() and emcore.getinfo("usermemrange") to emcore.getinfo("mallocpoolbounds")
15:27 < fmibot> r675 build result: emcore: All green!
15:28 -!- kyle6513 [~kyle6513@CPE-121-208-218-78.mjcz2.cha.bigpond.net.au] has quit [Quit: Leaving]
15:31 < Farthen> any nano 4g users out there with a working emcore python toolchain?
15:31 < TheSeven> what is a python toolchain?
15:32 < Farthen> libusb, pyusb, python
15:32 < Farthen> IMHO it is some kind of "toolchain" as in "chain of tools"
15:33 < Farthen> i was just wondering if the least significant bit of the security epoch is the same on all devices
17:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
17:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
17:52 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Ping timeout: 252 seconds]
19:46 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
20:09 -!- hiddeboomsma [~hiddeboom@151-254.surfsnel.dsl.internl.net] has joined #freemyipod
20:15 -!- adiblol [~adiblol@a20071105100857.zb.lnet.pl] has joined #freemyipod
20:25 < adiblol> does notes bug work on nano 5g? how can i contribute to break it with GNU/Linux on PC?
20:52 < Farthen> unfortunately it does not work
20:53 < Farthen> if you want to contribute please see http://www.freemyipod.org/wiki/Contributing
20:53 < Farthen> see "Vulnerabilities"
20:56 < adiblol> so there are no known bugs on nano 5g? :(
20:59 < adiblol> what about hacking hardware? eavesdropping communication between MCU and other chips?
i don't mind bricking my nano because i got it against my will ;)
21:05 < Farthen> you could try it but you need at least a logic analyzer and a lot of experience with this stuff
21:05 < Farthen> and i doubt it would lead to success
21:06 < Farthen> do you have any experience with embedded hardware development/reverse engineering?
21:09 * Farthen is wondering if you could inject code into the ram by compromising the lcd dma interface
21:11 < adiblol> no, only with electronics, mostly analog
21:13 < Farthen> the problem is that most of the stuff is in one BGA SoC and the traces are *very* small
21:14 < adiblol> and nano 5g really *never* hangs?
21:14 < Farthen> you can try to find a vuln
21:14 < Farthen> we did not yet experiment with it
21:14 < Farthen> i think none of us even has one of these devices
21:15 < Farthen> so it could very well be that you find a bug that crashes/freezes the whole thing
21:16 -!- user890104 [~Venci@6bez10.info] has joined #freemyipod
21:16 < Farthen> and if you are very lucky you could even find a way to execute code on it
21:16 < Farthen> but we didn't find anything yet
21:16 < adiblol> well, AFAIR it is impossible to upload anything to nano music database using free software
21:17 < Farthen> does it not show up as a mass storage device?
21:17 < adiblol> but there is usb mass storage...
21:17 < user890104> Farthen: i saw in the logs you were looking for someone with nano4g, is there anything to test?
21:17 < Farthen> user890104: just a small thing
21:18 < adiblol> yes it does show, but there are no music files in it
21:18 < adiblol> only recordings afair
21:18 < Farthen> user890104: can you run "emcore downloadint 0x3c80000C" and give me the result?
21:18 < adiblol> uploading music requires itunes, real or unofficial
21:19 < Farthen> you could still find a way to mess with the usb interface
21:19 < Farthen> like they did with the ps3, it could very well be possible that there is some kind of buffer overflow there
21:20 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Ping timeout: 240 seconds]
21:20 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
21:24 < TheSeven> [22:09] * Farthen is wondering if you could inject code into the ram by compromising the lcd dma interface << that's internal to the chip :/
21:24 < TheSeven> if anything, compromise the mDDR interface
21:26 < user890104> Farthen: Connected to emCORE Debugger v0.2.0 r675 running on iPod nano 4g
21:26 < user890104> Read '0x1' from address 0x3C80000C
21:26 < Farthen> ups, wrong address
21:27 < Farthen> try 0x3D100008
21:28 < user890104> Read '0x8720000F' from address 0x3D100008
21:28 < user890104> 8720 - the cpu model?
21:28 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Read error: No route to host]
21:28 < Farthen> yep
21:29 < adiblol> what about brute-force cracking the key? through distributed computing? using GPU? devices like EFF DES Cracker?
21:29 < Farthen> and F is the security epoch => the same as mine
21:29 < Farthen> thanks
21:29 < Farthen> adiblol: would take too long i think
21:32 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
21:37 < adiblol> where is the key that it can't be downloaded from ipod?
21:38 < Farthen> it is somewhere in the crypto engine
21:38 < Farthen> you can't even read it out
21:38 < Farthen> not even if you have execution
21:38 < Farthen> but if you have execution you can use the crypto engine to encrypt anything you want
21:39 < adiblol> is it in MCU, written in production process?
21:41 < Farthen> it should be somewhere in the SoC and it is probably written in the production process, yes
21:42 < Farthen> but we don't really know the physical location of the crypto engine. we just know how to use it to encrypt and decrypt data
21:45 < adiblol> so crypto engine, CPU and RAM are in the same chip, difficult to be eavesdropped...
21:45 < Farthen> yep
21:45 < adiblol> ...but not impossible http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10625082
21:45 < Farthen> you can try it...
21:47 < adiblol> no, someone with experience and special devices could try it.
21:48 < Farthen> and as we don't have anyone who can do this...
21:58 < user890104> does the notes exploit work on nano 3g? or does it just crash it?
22:02 < benedikt93> it does for some unknown reason not work
22:02 < benedikt93> so there's only pwnage 2
22:06 < Farthen> we did not find any return address for the nano 3g
22:08 < Farthen> we found the address for the nano 4g with my nanotron 3000 ;)
22:13 < user890104> so is it possible (in theory) to find the address in a similar way?
22:13 < user890104> i have a nano 3g which i don't use at all (i actually bought it to test any non-apple stuff on it)
22:14 < Farthen> yes it is. but you don't really need it
22:15 < Farthen> if anyone would find out the init sequence for the sdram an emcore port would not be far away
22:16 < adiblol> is the firmware header encrypted too?
22:20 < Farthen> what would you need it for?
22:29 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: The quality of my life is going straight up now that i have a shotgun.]
22:30 < adiblol> somewhere it reads that initial jump address is in the header...
22:32 < adiblol> what if new exploits against ipods are being discovered, you don't want to disclose it to prevent apple from patching it, so how will they work?
22:38 < Farthen> sorry, i don't understand your question
22:40 < adiblol> http://www.freemyipod.org/wiki/Contributing --> "DO NOT, exclaim the bug to the world on a public IRC channel or mailing list"
22:41 < adiblol> so if someone discovers the bug, how would we hide it from apple in unofficial firmware installer?
22:54 < Farthen> as the bug most of the time is only needed to gain execution for the first time, this is not a problem
22:54 < Farthen> once we have execution on any ipod we can use the crypto engine to encrypt the firmware for any ipod and upload them
22:55 < Farthen> at least this was the case for any ipod up to nano 4g. we don't know a lot about the nano 6g and if you can still encrypt data with the crypto engine this easily
23:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
23:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
--- Log closed Sun Mar 27 00:06:27 2011