[00:10:09] *** Joins: shadowcoder (shadowcode@2a00:dcc0:eda:3748:247:48:123:beef)
[00:15:01] <shadowcoder> In the iPod Nano firmwares (Firmware.MSE / the file format that extract2g works with), what is the significance of the bytes between the end of one section and the beginning of the next within the payload part of the file?
[00:17:43] <shadowcoder> (Hopefully successfully) I'm writing a program to take the extracted files from extract2g (presumably edited) and output a working firmware that can be flashed onto the device
[00:21:01] <user890104> uhm...
[00:21:36] <user890104> you want to repack them?
[00:27:34] *** Quits: nialv7 (~nialv7@adm-129-49-227-231.wi-fi.stonybrook.edu) (Ping timeout: 250 seconds)
[00:29:23] *** Joins: nialv7 (~nialv7@adm-129-49-227-231.wi-fi.stonybrook.edu)
[00:35:12] <shadowcoder> user890104: I suppose. I probably should have elaborated: I'm looking to hack the 6th gen nano 
[00:35:25] <shadowcoder> , and it's running old freetype..
[00:35:45] *** Quits: nialv7 (~nialv7@adm-129-49-227-231.wi-fi.stonybrook.edu) (Ping timeout: 258 seconds)
[00:36:32] <shadowcoder> so, if I get a bad font to load, I can write an exploit, but without a web browser, there is no way to install fonts? or is there.. resource section is unecrypted and I'm hoping to be able to reflash it without modified resources, you know, to make it looker cooler..
[00:36:45] <shadowcoder> and possibly also overflow the helvetica, that too :P
[00:38:19] <user890104> ah, i see. TheSeven might be able to help you with this :)
[00:38:45] <user890104> we never looked for exploits on n5g+
[00:38:56] <shadowcoder> to be fair, I have no interest in linux4nano type stuff,
[00:39:26] <shadowcoder> my end goal is mostly to get anything but iPod OS on here :P
[00:39:48] <user890104> it's even possible that some of the iphone bootrom exploits also work on the nanos (like the ipt2g exploit on n4g)
[00:40:06] <TheSeven> hm
[00:40:24] <TheSeven> I'd be very puzzled if apple didn't encrypt or at least sign the resources section in the .mse
[00:40:52] <shadowcoder> it's not encrypted (regular FAT16 that can be mounted according to Internet) possible signed
[00:41:15] <TheSeven> what does that firmware look like? is this still an image with these osos, aupd and rsrc files?
[00:41:26] <TheSeven> and the rsrc section being the fat16 thing?
[00:41:39] <TheSeven> I guess the section has an 8730 or whatever header in front of it?
[00:42:09] <shadowcoder> pretty sure it's documented on your own wiki, but that might be on ipodlinux
[00:42:37] <shadowcoder> TheSeven: But in general, it looks like 4G
[00:43:16] <TheSeven> ok, so still an old-style ipod firmware partition, nothing fancy iphone-like
[00:49:31] <shadowcoder> TheSeven: right. hence my asking here :)
[00:57:26] <shadowcoder> TheSeven: So, any ideas on what the data in between the sections would be?
[01:02:24] <user890104> shadowcoder: it's unlikely to work, but have you tried modifying the mse file directly? i mean finding the offset where some plaintext file lies, then modifying some of its data
[01:02:53] <shadowcoder> user890104: I would want to do that, lengths and offsets, etc..
[01:03:05] <user890104> if apple trusts the zip container for calculating the checksum of the whole package, this might work
[01:03:54] <user890104> IIUC you want to extract the pieces from firmware.mse, then reassemble them
[01:04:02] <shadowcoder> user890104: are the checksums documented?
[01:04:46] <user890104> shadowcoder: i mean the checksum of the outer container (*.ipsw)
[01:05:30] <user890104> it should have a checksum for firmware.mse, as it's a plain ZIP file
[01:05:38] <shadowcoder> OH that checksum
[01:05:46] *** Joins: nialv7 (~nialv7@adm-129-49-227-231.wi-fi.stonybrook.edu)
[01:06:04] <shadowcoder> Still, would seem rather anti-apple not to have other checksums (within the file itself perhaps)
[01:06:21] <user890104> yeah, that's just a wild guess
[01:07:41] <user890104> we also didn't expect that they don't check the length of hyperlinks' URLs inside notes, but looks like they missed that part :)
[01:07:58] <shadowcoder> hehe fair
[01:08:31] <TheSeven> what does the data that you're talking about look like? (the thing in between sections)
[01:09:02] <TheSeven> I'd expect to see an 8720-style header right before all secure sections
[01:09:08] <shadowcoder> TheSeven: basically, it has more of the same Secure Boot references,
[01:09:19] <shadowcoder> some binary crap which is either encrypted or some sort of header,
[01:09:34] <shadowcoder> then a lot of all 0/all 255/one of the above with one or two bytes changed
[01:10:09] <TheSeven> some 0x200 or 0x800 byte sized block right before the file's start would typically be the header, starting with "87" or "89"
[01:10:31] <shadowcoder> Hold on, flashing a lightly modified firmware, cross any and all fingers and toes you may have for me :)
[01:10:50] * user890104 downloads a n6g firmware image from http://www.felixbruns.de/iPod/firmware/
[01:11:22] <shadowcoder> user890104: looks like we borked it. well, I just found a really fast painless way to get into disk mode!
[01:12:07] *** Quits: ChanServ (ChanServ@services.) (shutting down)
[01:12:31] <TheSeven> if just modifying a random byte of the contents of RSRC makes it boot into disk mode, I suspect that you won't have success patching that thing
[01:12:49] <shadowcoder> well, good we found that much out now rather than later
[01:14:09] <user890104> TheSeven: the sections begin with "87232.0"
[01:14:23] <TheSeven> oh, a new header version ,)
[01:15:22] *** Joins: ChanServ (ChanServ@services.)
[01:15:24] *** asimov.freenode.net sets mode: +o ChanServ   
[01:15:55] <shadowcoder> Does the URL http://www.apple.com/appleca/root.crl mean anything to you?
[01:16:14] <shadowcoder> It's in the gibberish secure boot section between the firmware..
[01:16:19] <TheSeven> well that's the certificate revocation list URL of the certificate that they signed something with
[01:16:36] <TheSeven> so what you're looking at is an SSL certificate
[01:17:00] <TheSeven> (the use of a CRL URL in such an embedded system is completely pointless, but I guess it's generated by default by their CA)
[01:17:38] <shadowcoder> Hehe... No wifi? No ethernet? Doesn't matter, we'll put in the certificate anyway if we ever decide to do dialup through the headphone jack! ~Apple logic
[01:18:26] <user890104> IIRC some of the ipods' firmware has code for booting from CD
[01:18:56] <shadowcoder> user890104: Exploit found!
[01:18:57] <TheSeven> must have been nano4f
[01:19:04] <TheSeven> nano4g*
[01:19:05] <shadowcoder> Shove a CD in the dock connector and you can boot Linux!
[01:19:12] <user890104> lol
[01:19:13] <TheSeven> that thing has a UEFI BIOS ;)
[01:19:21] <shadowcoder> TheSeven: So does the 6G
[01:19:34] <TheSeven> yeah I guess everything since the 4G has that
[01:19:53] <TheSeven> but the 4G is the only one of those that we have analyzed (we can't even dump the rom of the newer ones)
[01:20:30] <TheSeven> I guess your best bet is to look for some leaked iphone bootrom exploits from that device generation and try to apply those to the nano
[01:20:38] <user890104> if the ipod boots into disk mode, does this mean that it has actually written the firmware successfully?
[01:20:42] <TheSeven> that's basically what cracked the nano4g open
[01:20:48] <shadowcoder> alright
[01:20:53] <TheSeven> user890104: quite likely
[01:20:56] <shadowcoder> IIRC this is the itouch 2G processor
[01:21:02] <TheSeven> nope
[01:21:04] <TheSeven> that's the 8720
[01:21:12] <TheSeven> you have an 8723, which is much newer
[01:21:14] <shadowcoder> user890104: well, yeah, used iTunes :P
[01:21:27] <TheSeven> the 8720 was cracked long ago ;)
[01:21:28] <shadowcoder> (and yet it still can't run full iOS. wow apple)
[01:22:31] <TheSeven> I'd look at all exploits that are newer than pwnage 2.0
[01:23:31] <user890104> also 8730 is older than 8723. they seem to have changed their numbering for some reason
[01:23:56] <user890104> (all SoC model numbers are here: http://www.freemyipod.org/wiki/Hardware)
[01:23:58] <TheSeven> and 8720 is newer than 8920 I think ;)
[01:27:45] <shadowcoder> TheSeven: Would limera1n be relevant?
[01:27:50] <TheSeven> possibly
[01:28:00] <TheSeven> it's from the right timeframe at least
[02:14:45] <shadowcoder> TheSeven: If I build a dock-connector-serial -> normal serial connector, what's the likelihood it would help me find anything remotely interesting?
[02:15:30] <TheSeven> very unlikely
[02:15:47] <TheSeven> it might be helpful to figure out more details once you have custom code running on the device
[02:15:56] <TheSeven> but it won't be of any help before you have an attack vector
[02:16:08] <TheSeven> well, unlike you're looking for a flaw in the dock handling code
[02:19:03] <shadowcoder> Sigh
[05:36:13] *** Quits: nialv7 (~nialv7@adm-129-49-227-231.wi-fi.stonybrook.edu) (Ping timeout: 265 seconds)
[06:06:58] *** Joins: nialv7 (~nialv7@130.245.229.159)
[06:48:56] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 272 seconds)
[06:49:49] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[09:14:58] *** Quits: nialv7 (~nialv7@130.245.229.159) (Ping timeout: 264 seconds)
[15:00:44] <shadowcoder> the directory header DOES have a checksum field, which would explain why the blind editing of the rsrc portion would break things... except for the fact in all of the sections, the checksum is 0? 
[16:20:42] <user890104> hm... strange
[16:21:10] <user890104> is it possible that the whole rsrc partition is signed using an SSL certificate?
[17:39:21] *** Quits: krnlyng (~liar@83.175.90.24) (Ping timeout: 255 seconds)
[17:44:50] *** Joins: krnlyng (~liar@83.175.90.24)
[18:32:10] *** Quits: STeeF (~STeeF@office.hostnetbv.nl) (Remote host closed the connection)
[19:08:58] <TheSeven> at least on older generations (up to 4G I think) the rsrc section didn't need to be there at all. if it was missing, that would just affect some (fairly unimportant) features of the OF
[19:09:31] <TheSeven> all resources required by the core firmware itself were compiled into the main firmware image (OSOS)
[20:28:28] *** Joins: nialv7 (~nialv7@130.245.229.159)
[20:36:29] *** Quits: nialv7 (~nialv7@130.245.229.159) (Ping timeout: 264 seconds)
[21:45:16] *** Joins: nialv7 (~nialv7@adm-129-49-227-93.wi-fi.stonybrook.edu)
[22:31:22] <shadowcoder> user890104: doubtful as it's plaintext, although I'm not very well-versed with cryptography so I wouldn't know. Would explain what all the Secure Boot references mean in context of the sections themselves
[22:31:34] <shadowcoder> TheSeven: What are you suggesting?
[22:58:43] * [Saint] wonders what shadowcoder is doing
[22:59:00] <[Saint]> It surprises me immensely that anyone still (or ever) cared about this device.
[22:59:03] <shadowcoder> [Saint]: Trying to hack (not sure what word I'd like to use here) a nano 6G
[22:59:27] <[Saint]> I have a few of 'em around here.
[22:59:57] <[Saint]> I tried my hand at playing with a few of the various iPhone/iPT exploits of the time, but to no avail.
[23:00:18] <[Saint]> They locked the fucker up fairly well.
[23:00:23] *** Quits: nialv7 (~nialv7@adm-129-49-227-93.wi-fi.stonybrook.edu) (Ping timeout: 240 seconds)
[23:00:31] <[Saint]> Everything past the Nano4G is basically impenetrable.
[23:01:19] <[Saint]> Though, I'd put money on them leaving /something/ fucking stupid wide open.
[23:01:29] <[Saint]> I mean...hello...Notes?
[23:01:34] <[Saint]> That was laughable.
[23:02:39] <[Saint]> shadowcoder: whereabouts are you, like, geographically?
[23:03:06] <[Saint]> If you'd like, I could send you a couple to play with.
[23:03:13] <shadowcoder> :P I'm good, thanks :P
[23:03:17] <[Saint]> I'm assuming you don't want to destroy the one you have.
[23:03:37] <[Saint]> But I have a couple that are functional and disassembled.
[23:03:46] <[Saint]> Thought it may be of interest to you.
[23:04:26] <[Saint]> I don't use 'em. ANd if you have a use case for them, with a clear end goal, you're welcome to them.
[23:04:28] <shadowcoder> Like, it is, but I'm also a minor (living with parents, for obvious reasons), so... ^_^
[23:04:47] * user890104 was gifted a disassembled n4g with dead battery and no glass
[23:05:16] <[Saint]> shadowcoder: just so we're clear - I'm not suggesting you should pay for them
[23:05:34] <[Saint]> If shipping isn't too much, like, if you don't live in Antarctica, you're welcome to them.
[23:05:49] <shadowcoder> [Saint]: I meant, like, can't realistically give away address
[23:06:01] <[Saint]> Aha.
[23:06:28] <shadowcoder> And there is no (non-insane) way of transporting goods without either using an address or meeting face-to-face
[23:06:58] <user890104> you should be able to get it delivered to the nearest post office, and pick it up yourself
[23:07:22] <[Saint]> I appreciate the concern, though. Wise man.
[23:07:30] <[Saint]> You don't know me from a bar of soap.
[23:08:13] <shadowcoder> ...wat
[23:10:07] <shadowcoder> [Saint]: Now, if we could engineer a way for me to control all aspects of the device remotely without going "[Saint] Try applying a voltage to pin 987545".. that would be cool ^_^
[23:10:21] *** Joins: nialv7 (~nialv7@adm-129-49-227-93.wi-fi.stonybrook.edu)
[23:10:37] <[Saint]> we kinda have that for N2G and Classic.
[23:11:06] <[Saint]> user890104 and TheSeven once set up a remote emCORE console. Quite cool.
[23:11:56] <user890104> that's a very ugly hack... :)
[23:12:09] <user890104> i'm not proud of it
[23:12:59] <shadowcoder> afk
[23:18:53] <shadowcoder> [Saint]: Right, I forgot to introduce myself. I'm shadowcoder, an absolutely insane software engineer who has developed an interest in hacking. I'm a hardcore minimalist on accomplishing tasks, but if there is a cooler (note: not better) way to do something, I'll take it. (https://github.com/bobbybee/theoretical-vs-experimental-sim). My handle of shadowcoder was born out of my associations with a reverse engineering project 
[23:18:54] <shadowcoder> which I only somewhat trusted at the time; this username just sticks around now for legacy reasons. In the context, my solution to this would be something more like getting a BeagleBone Black, connecting every possible pin on the nano to the BeagleBone's GPIO, connecting it to the Internet, and then giving me SSH access :P Maybe also hook up a webcam while you're at it ^_^. See what I mean?
[23:19:29] <shadowcoder> s/the context/this context/
[23:21:11] <[Saint]> Well, if at some point in the near future you find a way that enables you and your family to stay anonymous, and for me to also ship a couple of devices to you, let me know.
[23:21:38] <[Saint]> They're doing nothing useful here.
[23:21:57] <user890104> ... and i thought that making my nano4g a USB HID game controller using the integrated accelerometer is crazy enough
[23:22:05] <[Saint]> If you even thought you /might/, *one day* do something with them, you've more use for them than I.
[23:22:48] <[Saint]> The only reason I still have them is because I seem to be incapable of throwing any electronic devices away.
[23:22:58] <user890104> [Saint]: i also accept junk hardware, as long as it boots
[23:22:59] <[Saint]> Much to the dismay of Ms. [Saint].
[23:23:25] <shadowcoder> Hehe.
[23:23:42] <[Saint]> One of them would need to be re-assembled, one of them is disassembled, but still attached and booting, but has no screen.
[23:23:53] <user890104> but this n4g i have in front of me, has a dead battery and disfunctional dock connector
[23:24:06] <user890104> so i guess there's not much i can do with it
[23:24:06] <[Saint]> Its all taken to bits but all the ribbons are still attached and its still functional.
[23:24:22] <shadowcoder> [Saint]: I remember reading that the screen is connected via a ribbon cable. Wouldn't that mean a disassemble 6G would still be usable?
[23:24:37] <shadowcoder> (i.e.: you could still prod at pins and break stuff while the circuit is alive?)
[23:24:51] <[Saint]> Yes.
[23:25:03] <[Saint]> It doesn't seem to care that the screen is missing whatsoever.
[23:25:34] <[Saint]> I was going to replace the screen, but they're _foolishly_ expensive.
[23:25:38] <shadowcoder> Hehehehe. Once I get a bit better with a soldering iron.. this might be interesting ^_^
[23:26:21] <[Saint]> The LCD is somewhere in the order of ~$180USD IIRC
[23:26:28] <[Saint]> Ridiculous.
[23:27:11] <shadowcoder> ...I can buy a lightly used device for half that on Amazon...
[23:29:53] <shadowcoder> have to do history hw (>.<), apologies if I have a long ping time
[23:36:51] <user890104> http://i.imgur.com/q5UeEsn.jpg
[23:39:41] <user890104> [Saint]: do you want to play a game? you find all your nano4gs, then i give you a dfu image. then you upload it to each of them, and if it resets, you win a point. we play until i figure out if the lcd init code for all types is working :)
[23:41:18] <[Saint]> http://i.imgur.com/EdmIrit.png
[23:42:17] <user890104> it should be painless for both you and your devices
[23:42:37] <shadowcoder> [Saint]: http://www.ebay.com/itm/New-LCD-Display-Screen-Replacement-For-iPod-Nano-6th-6-Gen-LCD-Screen-Tools-/330765232842
[23:42:40] <user890104> we have lcd types 0xb3 and 0xc4 confirmed to work
[23:42:42] <shadowcoder> Can't tell if this is legitimate or not tho
[23:43:07] <user890104> we need to verify that 0xd5 and 0xe6 are also correct
[23:45:06] <shadowcoder> user890104: Those are just random numbers to me; explain?
[23:45:47] <shadowcoder> Wait, the 1's place is always the 16's place minus 8.. hmm
[23:46:38] <user890104> http://websvn.freemyipod.org/filedetails.php?repname=freemyipod&path=%2Fapps%2Finstaller-ipodnano4g%2Fbootstub%2Fbootstub.S
[23:46:45] <user890104> then look for lcd_sequences
[23:47:02] <shadowcoder> you're Farthen?
[23:47:14] <user890104> no
[23:47:54] <user890104> there are 4 types of screens in n4g, and we have confirmed that our code works for two of them
[23:50:30] <shadowcoder> rather off-topic: what's a good resource for learning ARM assembly? I can read and write x86 and 6502 ASM, so I know the theory, but if I'm serious about this kind of work, I need to add ARM ASM to my list of languages 
[23:52:02] <user890104> well, the ARM ARM (architecture reference manual) is a good resource AFAIK
[23:52:38] <user890104> apart from that, i have 3-4 pages of ARM cheat sheet next to me when i read/write ARM assembly code
[23:52:59] <user890104> this one: http://users.ece.utexas.edu/~valvano/Volume1/QuickReferenceCard.pdf
[23:54:29] <shadowcoder> Reverse?
[23:55:01] <shadowcoder> like, I get what it does, but still... WAT
[23:56:52] <user890104> well, if you need to convert between little endian and big endian, it should come in handy