[00:41:39] <shadowcoder> [Franklin]: I've been busy with IRL stuff; just got back
[00:41:58] <shadowcoder> If I start talking giberrish, sorry in advance
[00:44:12] <shadowcoder> potato monkeys taste like [Franklin]'s TTF exploit
[01:22:31] <shadowcoder> [Franklin]: Going to make a test to see if bytecode is enabled
[01:22:38] <[Franklin]> ok
[01:22:54] <[Franklin]> if not, it'll complicate things a bit
[01:23:05] <[Franklin]> but there should still be a way in
[01:23:43] <shadowcoder> [Franklin]: Do me a favor and try to find a reference on the bytecode format itself while I finish writing up what I did last night
[01:24:02] <[Franklin]> oh sure
[01:33:58] <[Franklin]> I really can't find any good docs on it
[01:34:10] <[Franklin]> perhaps the best reference would be the freetype code itself
[04:22:30] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[04:32:20] *** Quits: [Franklin] (~franklin@cpe-071-071-039-006.triad.res.rr.com) (Remote host closed the connection)
[06:10:50] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Ping timeout: 264 seconds)
[06:44:15] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 265 seconds)
[06:45:25] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[09:58:47] *** Quits: gevaerts (~fg@rockbox/developer/gevaerts) (Read error: Connection reset by peer)
[09:59:42] *** Joins: gevaerts (~fg@rockbox/developer/gevaerts)
[13:17:01] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[14:59:01] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Read error: Connection reset by peer)
[16:55:31] *** Quits: krnlyng (~liar@83.175.90.24) (Read error: No route to host)
[16:56:12] *** Joins: krnlyng (~liar@83.175.90.24)
[17:04:04] <shadowcoder> welcome, krnlyng
[17:08:56] <shadowcoder> TheSeven: I can't seem to find docs about JTAG on the older nanos
[17:10:58] <krnlyng> ahoi shadowcoder 
[17:13:31] <shadowcoder> krnlyng: what brings you to #freemyipod?
[17:15:33] <krnlyng> shadowcoder: i was involved (not a lot) in hacking around with the nano2g, still have this channel in my autojoin list :) (and don't plan to remove it, might come back one day ;))
[17:15:40] <shadowcoder> :)
[17:15:45] <krnlyng> but that was under the nickname liar ^^
[17:17:34] <krnlyng> shadowcoder: i see you're quite active here these days, what are you working on?
[17:17:56] <shadowcoder> trying to get code execution on the iPod Nano 6G
[17:18:06] <krnlyng> oh nice
[17:18:15] <krnlyng> any luck?
[17:18:16] <shadowcoder> If I succeed, I honestly think it would be the most useful device since the original iPhone IMO
[17:18:48] <shadowcoder> krnlyng: I can modify the resource system arbitrarily, and am looking into a few potential vulnerabilities, but no actual code yet
[17:19:55] <krnlyng> well it's a start :)
[17:21:46] <shadowcoder> A bunch of heap overflows, tho, so even once I can crash it, it might take a bit of time to actually run code
[18:04:09] <shadowcoder> About to flash this thing with my pretty bad font
[18:04:22] <shadowcoder> *pleasedontbrickpleasedontbrickpleasedontbrick*
[18:22:59] * shadowcoder sighs
[18:23:06] <shadowcoder> bytecode seems to be disabled
[19:10:49] *** Joins: [Franklin] (~franklin@unaffiliated/franklin)
[19:21:29] *** Quits: [Franklin] (~franklin@unaffiliated/franklin) (Read error: No route to host)
[19:23:28] *** Joins: [Franklin] (~franklin@unaffiliated/franklin)
[19:26:07] <shadowcoder> [Franklin]
[19:26:08] <shadowcoder> bad news
[19:26:45] <[Franklin]> :(}
[19:27:03] <[Franklin]> what is it?
[19:27:11] <shadowcoder> Bytecode is disabled, it appears
[19:27:50] <[Franklin]> nooo
[19:27:59] <[Franklin]> but there's other exploits
[19:28:03] <shadowcoder> yeah
[19:28:07] <shadowcoder> just need trivial
[19:28:23] <shadowcoder> good news is that there are also opentype fonts in there
[19:28:32] <[Franklin]> hmm?
[19:28:41] <shadowcoder> And we might be able to use opentype exploits in addition to truetype
[19:28:46] <shadowcoder> (freetype does both)
[19:28:58] <[Franklin]> which is good
[19:32:17] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[19:34:54] <shadowcoder> [Franklin]: let's see if we can find non-bytecode based vulns that work with TTF
[19:35:04] <shadowcoder> http://www.cvedetails.com/vulnerability-list/vendor_id-4535/product_id-7835/version_id-96259/Freetype-Freetype-2.3.7.html
[20:42:03] *** Quits: [Franklin] (~franklin@unaffiliated/franklin) (Ping timeout: 255 seconds)
[20:42:39] *** Joins: [Franklin] (~franklin@cpe-071-071-039-006.triad.res.rr.com)
[21:01:10] <shadowcoder> [Saint]: Ping
[21:19:18] <shadowcoder> [Saint]: Could you hook up an iPod Nano 6G to a serial connector, and send me logs of its bootup sequence?
[21:24:41] <TheSeven> shadowcoder: I doubt it will log anything on serial
[21:24:53] <TheSeven> the ipods typically only use serial for accessory communication, not for debugging
[21:24:56] <shadowcoder> TheSeven: I 
[21:24:58] <TheSeven> at least that's how it was on the old ones
[21:25:15] <shadowcoder> TheSeven: I doubt that a 5000 character link will do anything ;)
[21:25:40] <TheSeven> do you have any specific questions about jtag?
[21:26:03] <shadowcoder> Just, in general
[21:26:04] <TheSeven> on the nano2g there was a jtag port on some unused dock connector pins (used for e.g. video out on other devices)
[21:26:18] <TheSeven> but you needed to close some solder bridges on the PCB to actually connect it
[21:26:37] <shadowcoder> hmm
[21:26:58] <TheSeven> and even then accessing the JTAG interface seemed to kill the system bus, presumably to prevent an attack from that side
[21:27:15] <shadowcoder> Just sort of running out of ideas on how to get code on here
[21:27:18] <TheSeven> there is probably some secret access sequence that needs to be performed in order to re-enable it
[21:27:43] <TheSeven> we never figured that out, access to the CPU core was sufficient to get the notes exploit going, which in turn allowed us to break the crypto, taking over the whole device
[21:30:09] <shadowcoder> I'm mostly trying to think of a way to get a memory dump
[21:31:00] <[Franklin]> wasn't the Wii's NAND dumped by soldering a similar USB chip onto the boarD?
[21:32:02] <TheSeven> dumping the nand is fairly easy: desolder it from the board, solder it to something that reads it
[21:32:11] <TheSeven> but that won't help us much
[21:34:15] <shadowcoder> We control the NAND
[21:34:22] <shadowcoder> No code on there IIRC
[21:34:44] <TheSeven> well the firmware is on the nand - it's just encrypted
[21:36:00] <shadowcoder> s/plaintext code/code/
[21:36:14] <shadowcoder> did I do that syntax backwards? oh well
[21:40:45] <[Franklin]> I was thinking of doing something similar with the ram
[21:40:45] <[Franklin]> except... it's a SoC
[21:41:32] <TheSeven> is the ram in the same chip?
[21:41:39] <TheSeven> or is it some PoP thing?
[21:41:58] <TheSeven> on the old ones, the RAM was external
[21:42:12] <[Franklin]> I'd think so
[21:42:14] <TheSeven> but intercepting that requires some serious equipment and effort
[21:42:41] <[Franklin]> yep, it's PoP
[21:43:06] <TheSeven> that might make such an attack possible in theory - feasibility is another question
[21:43:53] * [Franklin] wonders if programming the SoC by poking it with a little magnetized needle would be possible XD
[21:47:29] <[Franklin]> wait... does rockbox run on the n4g?
[21:47:42] <[Franklin]> the freemyipod.org homepage shows emcore running on it
[21:47:53] <benedikt93> nope, n2g is the last ipod to support rockbox
[21:48:16] <benedikt93> all later nanos lack substantial amounts of re work
[21:48:23] <TheSeven> [Franklin]: we never got around to writing a nand driver for the nano4g
[21:48:29] <[Franklin]> aha
[21:48:43] <[Franklin]> so the rockbox menu option doesn't do anything
[21:51:12] <TheSeven> yes, that was just a stripped down boot menu as a demo
[21:51:19] <TheSeven> it doesn't even have a clickwheel driver ;)
[21:52:22] <[Franklin]> lol
[21:52:43] <[Franklin]> perhaps that's how far the n6g will get :)
[21:59:07] <shadowcoder> eh
[21:59:22] <shadowcoder> right now it's in DFU mode and I'm trying to make it do something interesting
[21:59:27] <shadowcoder> not much success 
[22:00:00] <[Franklin]> what are you trying?
[22:01:16] <shadowcoder> Anything
[22:02:07] <[Franklin]> like?
[22:02:17] <shadowcoder> fuzzers, etc.
[22:02:27] <shadowcoder> can't even seem to get USB communication working (thanks iTunes!)
[22:02:42] <[Franklin]> lol
[22:06:36] <shadowcoder> whenever I forcequit the daemon, it comes right back >.<
[22:06:45] <[Franklin]> lol crapple
[22:24:16] <[Franklin]> while true; do ; kill -SIGTERM <PID> ; done
[22:24:31] <[Franklin]> that ought to solve all your iProblems
[22:29:48] <shadowcoder> haha
[22:30:33] <[Franklin]> or, even better, rm -rf `find / | grep "[Aa]pple"` :)
[22:30:46] <user890104> lol
[22:31:17] <user890104> yes, the n4g on the homepage is running a modified version of emcore, that fakes a clickwheel driver
[22:31:37] <user890104> because i was too lazy to patch it in ui.emcorelib
[22:42:34] <shadowcoder> TheSeven: What are the chances that there is a buffer overflow in the Firmware.MSE file itself?
[22:45:57] <TheSeven> you mean in the code that processes the filesystem structure itself? rather unlikely
[22:46:10] <TheSeven> especially as we can't modify many aspects of it due to signing
[22:49:25] <shadowcoder> OK, clearly I'm no good at this whole finding-vulns thing :P
[22:52:27] <TheSeven> probably better than anyone else here though ;)
[22:52:43] <shadowcoder> not better than you I imagine
[22:54:15] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Quit: Bye ;))
[23:07:29] <shadowcoder> not certain, but I think I might have found something..
[23:08:41] <[Franklin]> :O
[23:43:52] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[23:45:34] <[Franklin]> what is it?
[23:47:50] <shadowcoder> nvm
[23:48:59] <[Franklin]> :(