--- Log opened Sat Nov 26 00:08:54 2011
03:03 -!- Keripo [~Keripo@eng441.wireless-resnet.upenn.edu] has joined #freemyipod
03:29 -!- [7] [~TheSeven@rockbox/developer/TheSeven] has quit [Disconnected by services]
03:29 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:18 -!- Keripo [~Keripo@eng441.wireless-resnet.upenn.edu] has quit [Quit: Leaving.]
05:29 -!- Keripo [~Keripo@eng441.wireless-resnet.upenn.edu] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
08:15 -!- n1s [~n1s@nl118-175-223.student.uu.se] has joined #freemyipod
08:15 -!- n1s [~n1s@nl118-175-223.student.uu.se] has quit [Changing host]
08:15 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
09:16 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Ex-Chat]
10:04 -!- ShapeShifter499 [~ShapeShif@c-98-244-33-205.hsd1.ca.comcast.net] has joined #freemyipod
10:09 -!- Keripo [~Keripo@eng441.wireless-resnet.upenn.edu] has quit [Quit: Leaving.]
10:42 -!- ShapeShifter499 [~ShapeShif@c-98-244-33-205.hsd1.ca.comcast.net] has quit [Quit: Leaving]
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
12:36 -!- ShapeShifter499 [~ShapeShif@c-98-244-33-205.hsd1.ca.comcast.net] has joined #freemyipod
13:16 -!- ShapeShifter499 [~ShapeShif@c-98-244-33-205.hsd1.ca.comcast.net] has quit [Quit: Leaving]
14:34 -!- DarkMalloc [~jlt@2.29.160.246] has joined #freemyipod
14:37 < DarkMalloc> who should I speak with about the Nano 6G?
14:38 < DarkMalloc> I've started researching it lately, and am wondering if there is anyone else in this particular scene that has taken a look at it?
14:39 < DarkMalloc> some of you might recognise me from the iPhone scene, if you're wondering about credentials.
15:52 -!- DarkMalloc_ [~jlt@2.29.160.246] has joined #freemyipod
15:53 -!- DarkMalloc [~jlt@2.29.160.246] has quit [Read error: Connection reset by peer]
15:53 -!- DarkMalloc_ is now known as DarkMalloc
15:54 -!- DarkMalloc_ [~jlt@2.29.160.246] has joined #freemyipod
15:54 -!- DarkMalloc [~jlt@2.29.160.246] has quit [Read error: Connection reset by peer]
15:54 -!- DarkMalloc_ is now known as DarkMalloc
15:56 -!- DarkMalloc_ [~jlt@2.29.160.246] has joined #freemyipod
15:56 -!- DarkMalloc [~jlt@2.29.160.246] has quit [Read error: Connection reset by peer]
15:56 -!- DarkMalloc_ is now known as DarkMalloc
16:14 < user890104> DarkMalloc: if there's anything that's new to us, we'd be happy to hear about it
16:14 < DarkMalloc> I know of a memory corruption vulnerability that is semi-exploitable
16:15 < user890104> if it's some private information about new exploits or so, better use the freemyipod-dev mailing list (freemyipod-dev at lists.freemyipod.org)
16:15 < DarkMalloc> on the iPhone, it replaces 1 byte in a non-sysimportant area of memory
16:15 < DarkMalloc> I don't have a Nano to test it on
16:15 < DarkMalloc> but I'm pretty confident it would have some effect on the Nano
16:16 < DarkMalloc> both are very similar platforms
16:16 < DarkMalloc> the 8723 format is basically the 8900 format
16:17 < user890104> TheSeven is the project leader, so he might be interested to hear about that
16:18 < DarkMalloc> sure, TheSeven feel free to hit me up.
16:18 < DarkMalloc> I won't always be connected here
16:18 < DarkMalloc> but @DarkMalloc on Twitter or darkmalloc@gmail.com
16:18 < DarkMalloc> also, have you tried 24kpwn on it?
16:20 < user890104> i think that someone tried pwnage 2.0 that is used on the previous nano models (8702 which is nano3g/classic)
16:20 < user890104> but it didn't work on those
16:20 < DarkMalloc> nope, pwnage 2.0 was fixed in an earlier ten I believe...
16:21 < user890104> exactly
16:21 < DarkMalloc> however, pwnage 2.0 is rudimentary compared to 24kpwn
16:21 < DarkMalloc> well, fairly.
16:22 < user890104> what does it exploit? dfu?
16:22 < DarkMalloc> 24kpwn?
16:23 < user890104> yes
16:23 < DarkMalloc> yes, the BootROM
16:23 < DarkMalloc> when it loads LLB, it takes its size from the non-sigchecked header
16:24 < DarkMalloc> if you increase the payload size to 0x24000 you cause an overflow
16:25 < DarkMalloc> may also be worth checking out SHAtter on it
16:26 < DarkMalloc> SHAtter works by convincing the BootROM to believe the size of the uploaded image is larger than in reality
16:26 < DarkMalloc> then the BootROM realises this, so tries to wipe it out
16:26 < DarkMalloc> however,
16:26 < DarkMalloc> only the memory sufficient for the actual size was allocated for that image
16:27 < DarkMalloc> so it tried to wipe it all out with 0s (including the size that it was tricked into thinking it was) and wipes out the BootROM
16:27 < DarkMalloc> obviously, you can then wipe the sha1 registers to 0's!
16:27 < DarkMalloc> when it copies, the image is copied over the bootrom!
16:28 < DarkMalloc> poof!
16:28 < DarkMalloc> no bootrom, just your code!
16:29 < DarkMalloc> very clever in practice!
16:31 < DarkMalloc> btw
16:31 < DarkMalloc> have you guys ever got anything running in the US, user890104?
16:31 < DarkMalloc> erh
16:31 < DarkMalloc> OS*
16:33 < user890104> DarkMalloc: you mean our code on top of the original firmware?
16:33 < DarkMalloc> yeah, such as a system process or anything?
16:34 < user890104> no, just exploited an application of it (Notes) to overwrite the program counter (so it executes custom code)
16:34 < user890104> but it doesn't return to the OF anymore
16:41 < DarkMalloc> yeah, heard about that
16:42 < DarkMalloc> return to the OF?
16:44 < user890104> i mean it doesn't execute code of the OF once we get the PC overwritten
16:44 < DarkMalloc> ah right ok
16:45 < DarkMalloc> it runs Pixo, right?
16:46 * user890104 doesn't know
16:47 < DarkMalloc> I believe it does,
16:47 < DarkMalloc> if it runs the same as the other few hundred million iPods
16:48 < user890104> i mean, no one has mentioned that name so far, that's why i haven't heard of it
17:03 -!- DarkMalloc [~jlt@2.29.160.246] has quit [Quit: DarkMalloc]
17:11 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
18:54 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
19:08 -!- Keripo [~Keripo@seas726.wireless-pennnet.upenn.edu] has joined #freemyipod
21:58 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
22:13 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
22:13 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
22:14 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
22:14 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
22:15 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
23:50 -!- Keripo [~Keripo@seas726.wireless-pennnet.upenn.edu] has quit [Quit: Leaving.]
--- Log closed Sun Nov 27 00:02:20 2011