--- Log opened Sun Nov 27 00:02:20 2011
00:02 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
00:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
00:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
00:45 -!- DarkMalloc [~jlt@2.24.96.39] has joined #freemyipod
00:45 < DarkMalloc> user890104: no one has mentioned Pixo? :O
00:45 < DarkMalloc> http://en.wikipedia.org/wiki/Pixo
00:46 < user890104> DarkMalloc: yeah, i read about that when you mentioned it today
00:46 < DarkMalloc> I believe it runs Pixo
00:46 < DarkMalloc> however,
00:46 < DarkMalloc> the similarities between the iPhone 1G and the Nano 6G combined with the SoC are making me wonder.
00:48 < DarkMalloc> I'd really like to see some notes that anyone has on the Nano 6G
00:48 < user890104> about the exploits: 24kpwn won't help running custom code, because we need to inject it somehow in the first place
00:48 < DarkMalloc> what do you mean inject?
00:48 < DarkMalloc> 24kpwn allows you to bootstrap your own code
00:48 < user890104> upload the payload to device's memory
00:48 < DarkMalloc> oh that's the easy opart
00:48 < user890104> from the boot flash, right?
00:48 < DarkMalloc> part*
00:49 < DarkMalloc> the nano will have a load address
00:49 < DarkMalloc> I don't know what that is,
00:49 < DarkMalloc> but it's where images are stored before loading
00:49 < DarkMalloc> after being sent via usb
00:49 < DarkMalloc> (which is easy)
00:49 < user890104> do we need a bootrom dump of the SoC?
00:50 < DarkMalloc> that's my dream
00:50 < DarkMalloc> and eventual goal
00:50 < DarkMalloc> once I have a BootROM dump, I can actually do some reversing
00:50 < DarkMalloc> until then, it's all guesswork!
00:50 < DarkMalloc> my device comm wrapper -> http://pastie.org/2926304
00:53 < user890104> so do you have some code/PoC at the moment, or are you still seeking more information?
00:53 < user890104> finding a way to inject code in the OF would be a nice starting point i think
00:53 < DarkMalloc> OF?
00:54 < user890104> since everything is initialized (sdram, lcd, etc)
00:56 < TheSeven> DarkMalloc: Pixo OS? What's that? Another name for RTXC Quadros?
00:56 < DarkMalloc> TheSeven: I believed the 6G ran Pixo?
00:56 < TheSeven> (that's what they're using on the nano2g-4g and classic)
00:56 < DarkMalloc> TheSeven: http://en.wikipedia.org/wiki/Pixo
00:57 < TheSeven> yeah, just read that, which suggests that it was used in the 1G
00:57 < DarkMalloc> interesting
00:57 < DarkMalloc> I appreciate that
00:57 < TheSeven> so either they dropped that on the 6G/nano2g, or what we're seeing is actually the same OS with a different name
00:57 < TheSeven> there's lots of hints that it's RTXC, which is nowadays called Quadros
00:58 < DarkMalloc> I'm more interested in the lower level parts, so that doesn't really matter much to me.
00:58 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
00:58 < DarkMalloc> TheSeven: you don't happen to have any documentation on the 6g?
00:58 < TheSeven> what does matter about RTXC is that it's one big monolithic blob with all application code compiled in, and everything running in supervisor mode
00:59 < DarkMalloc> hm
00:59 < DarkMalloc> so it's all a single binary?
00:59 < TheSeven> so in the past any app-layer exploit allowed to take over the whole device
00:59 < TheSeven> yes
00:59 < TheSeven> like 6-10MB in size, depending on the generation
00:59 < DarkMalloc> that's kind of good news
00:59 < DarkMalloc> like I said, you don't happen to have any documentation pertaining to the 6g specifically?
01:00 < TheSeven> btw, OF is an acronym for "original firmware" that's widely used in the Rockbox scene
01:01 < TheSeven> no, we don't really know anything about the >4g nano
01:01 < DarkMalloc> ah ok
01:01 < DarkMalloc> thanks
01:01 < DarkMalloc> and hm ok
01:01 < DarkMalloc> TheSeven: do you have a 6G Nano?
01:01 < TheSeven> 5g is supposed to be similar, I think it's an 8730 or something (have to check), but the 6g seems to be a bit different
01:01 < DarkMalloc> I'm sure the 6G is more similar to the iPhone arch
01:01 < TheSeven> no, i have a 2g, 4g and two classics, one of which has a weirdly behaving HDD
01:01 < DarkMalloc> fuck
01:02 < DarkMalloc> know of anyone trustworthy that could test something?
01:02 < TheSeven> but IIRC teuf has one of nearly every generation... possibly also a 6g
01:02 < TheSeven> have you seen that nano6g hacking project that's out there?
01:03 < DarkMalloc> what project? O_o
01:03 < user890104> nanohack.me?
01:03 < TheSeven> yes
01:03 < DarkMalloc> uhrm
01:03 < DarkMalloc> <<
01:03 < TheSeven> seems to be down right now
01:03 < DarkMalloc> it was me a while ago
01:03 < DarkMalloc> well,
01:03 < DarkMalloc> James Whelton
01:03 < DarkMalloc> but he knew nothing of it really
01:04 < DarkMalloc> I wrote an info parser, mounted rsrc and documented a bit
01:04 < DarkMalloc> this was back last year now I think
01:04 < DarkMalloc> well, early this year
01:04 * TheSeven knew he remembered that nickname from somewhere :)
01:04 < DarkMalloc> who, mine?
01:05 < TheSeven> yeah
01:05 < DarkMalloc> you probably know me from the iPhone scene too
01:05 < DarkMalloc> there's some overlap
01:05 < DarkMalloc> I wrote OpenPwn, which was an open-source exploitation platform
01:05 < DarkMalloc> allowed people to easily exec their own code in iboot :)
01:05 < TheSeven> yeah, too many people to keep track of in the iphone scene :)
01:06 < DarkMalloc> such as an AES decryptor: http://pastebin.com/T8xpC3j7
01:06 < DarkMalloc> :)
01:08 < DarkMalloc> teuf: don't happen to be around?
01:10 < DarkMalloc> TheSeven: do you have a bootrom dump of any nano revision?
01:10 < TheSeven> up to the 4G yes
01:11 < TheSeven> which - interestingly enough - has an 8720 soc, but doesn't have anything in common with the ipt2g bootrom
01:11 < DarkMalloc> hm
01:11 < DarkMalloc> TheSeven: would you be able to share it with me please?
01:11 < DarkMalloc> the 4G
01:12 < TheSeven> planetbeing recognized that rom from some older iphone, and successfully attacked it with pwnage2.0, which we also used on the 8702 soc subsequently
01:12 < DarkMalloc> hm
01:13 < DarkMalloc> TheSeven: able to share?
01:13 < DarkMalloc> ignore that
01:18 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
02:25 -!- DarkMalloc [~jlt@2.24.96.39] has quit [Quit: DarkMalloc]
02:38 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
03:28 -!- TheSeven [~TheSeven@rockbox/developer/TheSeven] has quit [Disconnected by services]
03:28 -!- [7] [~TheSeven@rockbox/developer/TheSeven] has joined #freemyipod
05:41 -!- Keripo [~Keripo@eng187.wireless-resnet.upenn.edu] has joined #freemyipod
05:50 -!- Keripo [~Keripo@eng187.wireless-resnet.upenn.edu] has quit [Read error: Connection reset by peer]
05:54 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.UPENN.EDU] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
06:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
06:24 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.UPENN.EDU] has quit [Read error: Connection reset by peer]
06:29 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.upenn.edu] has joined #freemyipod
10:03 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
12:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
12:46 -!- Keripo [~Keripo@dhcp0751.kin.resnet.group.upenn.edu] has quit [Quit: Leaving.]
14:00 -!- n1s [~n1s@rockbox/developer/n1s] has joined #freemyipod
14:31 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has joined #freemyipod
15:23 -!- Farthen [~Farthen@2a01:4f8:101:2a4:0:bc28:b2e1:9] has quit [Read error: Operation timed out]
15:27 -!- Farthen [~Farthen@2a01:4f8:101:2a4:0:bc28:b2e1:9] has joined #freemyipod
16:00 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Read error: Connection timed out]
16:14 -!- user890104 [~Venci@212.50.15.241] has quit [Quit: .]
16:17 -!- user890104 [~Venci@2001:470:1f0b:71a::] has joined #freemyipod
16:37 -!- user890104 [~Venci@2001:470:1f0b:71a::] has quit [Quit: .]
16:37 -!- user890104 [~Venci@Addicted.to.Minecraft.ipv6.6bez10.info] has joined #freemyipod
18:01 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has joined #freemyipod
18:02 -!- clustur [~logger@c-98-249-104-118.hsd1.tn.comcast.net] has quit [Remote host closed the connection]
18:30 -!- r100 [565596a2@gateway/web/freenode/ip.86.85.150.162] has joined #freemyipod
20:06 -!- benedikt93 [~benedikt9@unaffiliated/benedikt93] has quit [Quit: Bye ;)]
21:05 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Read error: Connection timed out]
22:36 -!- n1s [~n1s@rockbox/developer/n1s] has quit [Quit: Ex-Chat]
22:41 -!- GaveUp [gaveup@your.friendly.neighborhood.hellmouth.info] has quit [*.net *.split]
22:41 -!- Utchybann [~Utchy@rps6752.ovh.net] has quit [*.net *.split]
22:41 -!- Poodlemastah [~Poodlemas@h-241-205.a218.priv.bahnhof.se] has quit [*.net *.split]
22:41 -!- Poodlemastah [~Poodlemas@h-241-205.a218.priv.bahnhof.se] has joined #freemyipod
22:41 -!- Utchybann [~Utchy@rps6752.ovh.net] has joined #freemyipod
22:41 -!- GaveUp [gaveup@your.friendly.neighborhood.hellmouth.info] has joined #freemyipod
22:42 -!- r100 [565596a2@gateway/web/freenode/ip.86.85.150.162] has quit [Quit: Page closed]
23:06 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
23:27 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has quit [Remote host closed the connection]
23:55 -!- liar [~liar@clnet-p09-185.ikbnet.co.at] has joined #freemyipod
--- Log closed Mon Nov 28 00:02:26 2011