[00:13:00] *** Quits: [Franklin] (~franklin@unaffiliated/franklin) (Ping timeout: 256 seconds)
[00:19:42] *** Joins: [Franklin] (~franklin@cpe-071-071-039-006.triad.res.rr.com)
[01:22:23] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Ping timeout: 240 seconds)
[02:06:24] *** Joins: shadowcoder (shadowcode@2a00:dcc0:eda:3748:247:48:123:beef)
[05:13:25] *** Quits: [Franklin] (~franklin@cpe-071-071-039-006.triad.res.rr.com) (Ping timeout: 272 seconds)
[05:16:23] <shadowcoder> I think I might have found something ^_^
[05:47:08] <shadowcoder> Okey
[05:47:13] <shadowcoder> I screwed something up pretty bad
[05:47:18] <shadowcoder> so I think I'm doing pretty well
[06:41:27] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 272 seconds)
[06:42:00] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[10:20:51] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[10:47:04] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Ping timeout: 255 seconds)
[15:57:25] *** Quits: Elfish (amba@2001:1608:12:1:13:3:3:7) (Ping timeout: 258 seconds)
[16:01:09] <user890104> shadowcoder: what did you find?
[16:02:25] *** Joins: Elfish (amba@2001:1608:12:1:13:3:3:7)
[18:34:06] *** Joins: franklin (~quassel@cpe-071-071-039-006.triad.res.rr.com)
[18:34:18] *** franklin is now known as [Franklin]
[18:34:24] *** Quits: [Franklin] (~quassel@cpe-071-071-039-006.triad.res.rr.com) (Changing host)
[18:34:24] *** Joins: [Franklin] (~quassel@unaffiliated/franklin)
[18:49:28] *** Quits: [Franklin] (~quassel@unaffiliated/franklin) (Ping timeout: 255 seconds)
[18:53:05] *** Joins: franklin (~quassel@cpe-071-071-039-006.triad.res.rr.com)
[19:08:54] *** franklin is now known as [Franklin]
[19:09:01] *** Quits: [Franklin] (~quassel@cpe-071-071-039-006.triad.res.rr.com) (Changing host)
[19:09:01] *** Joins: [Franklin] (~quassel@unaffiliated/franklin)
[19:40:43] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[19:55:56] *** Quits: [Franklin] (~quassel@unaffiliated/franklin) (Remote host closed the connection)
[21:59:54] <benedikt93>  Hi :)
[21:59:55] <benedikt93> Need to satisfy the curiosity.. what is this new vulnerability about?
[22:13:45] <shadowcoder> benedikt93: which? ^_^
[22:19:59] <TheSeven> looks like we have two vulns already
[22:20:11] <TheSeven> but nothing that allows code execution yet
[22:20:22] <TheSeven> just things that increase the attack surface dramatically ;)
[22:21:19] <benedikt93> Both by means of freetype? I only read some short log snippet, so I probably missed most of the discussion
[22:22:00] <TheSeven> no, we haven't managed to break freetype yet, looks like it was compiled with a reduced feature set that reduces the attack surface quite a bit
[22:22:24] <TheSeven> but shadowcoder found a way to circumvent the RSRC partition sigcheck, so we can mess with e.g. fonts and other resource types
[22:23:08] <shadowcoder> indeed
[22:23:23] <TheSeven> and there's another semi-useful vuln that basically allows to write memory contents to the LCD as pixel color values, not sure how bad the address constraints on that one are
[22:24:02] <TheSeven> that one might possibly become useful for debugging other exploits
[22:24:27] <shadowcoder> or maybe disassembling bits of the OS to look for vulsn
[22:24:29] <shadowcoder> *vulns
[22:27:52] <benedikt93> nice work then, shadowcoder ;) is this only you working on the n6g (? or which ipods does this apply to, the log snippet was really short...)
[22:28:12] <shadowcoder> I'm the only one actively working onit,
[22:28:18] <shadowcoder> [Franklin] has been helping out,
[22:28:23] <shadowcoder> but it's much more passive
[22:28:37] <shadowcoder> (moral support + "try putting 0xFF in this field" kind of thing)
[22:29:14] <TheSeven> I suspect that the RSRC circumvention thing might apply to nano5g as well
[22:29:25] <shadowcoder> Likely
[22:29:25] <benedikt93> :D searching for vulns is really a thing I would not even know where to start..
[22:29:40] <TheSeven> basically everything that doesn't have a monolithic firmware anymore
[22:29:51] <TheSeven> not quite sure if they split out the resources in that fashion in the 5g already
[22:30:00] <shadowcoder> and a close friend at school (not sure what to call him) has a 7G which he would definitely be willing to donate in the name of science :p
[22:30:03] <TheSeven> but one can probably easily tell that from a quick look at the firmware.mse file for that model
[22:30:39] <benedikt93> Hmm, the n3g is really the only ipod where I've any clue at all about firmware layout
[22:30:47] <shadowcoder> haha
[22:30:59] <TheSeven> nano3g layout mostly applies to nano2g-4g and classic
[22:31:20] <TheSeven> with the difference that the 4g doesn't have a NOR flash anymore, but seems to have the same data on a separate NAND partition
[22:31:21] <shadowcoder>  <benedikt93> :D searching for vulns is really a thing I would not even know where to start..
[22:31:21] <shadowcoder> I think I have a gift for it :P But really, just put random stuff in random places, get something *almost* bricked, and then think of a way to unbrick it
[22:31:44] <TheSeven> starting with 5g or 6g they killed that partition altogether and integrated things like disk mode into the main firmware partition
[22:31:56] <TheSeven> which allows for that RSRC exploit
[22:32:35] <benedikt93> So there's now a nand driver in rom that's buggy?
[22:32:47] <TheSeven> no
[22:32:52] <shadowcoder> it's not a bug or a vuln per say,
[22:32:57] <shadowcoder> It's more.. manipulation
[22:33:01] <TheSeven> it's more of a logic flaw ;)
[22:33:04] <shadowcoder> It's not something they could really patch
[22:33:24] <TheSeven> hm, well, they could start factoring the image name into the signature, that would easily fix it
[22:33:47] <TheSeven> or sigcheck rsrc from within osos
[22:33:48] <benedikt93> Well they could signature check the whole of rsrc, if I correctly understand what you did..
[22:33:59] <TheSeven> doing that before loading OSOS is kinda silly anyway
[22:34:07] <shadowcoder> benedikt93: they do
[22:34:24] <shadowcoder> if the signature is wrong, it boots into disk mode to "protect itself" or something
[22:35:04] <benedikt93> but?
[22:35:19] <TheSeven> well, we can feed it a correctly signed OSOS image as the disk mode image ;)
[22:35:37] <TheSeven> and osos itself doesn't do any sigchecks on rsrc, it relies on an earlier stage to do that
[22:42:41] <benedikt93> ah, I guess I finally got how this works :D
[22:49:36] <shadowcoder> benedikt93: have we fulfilled your curiousity?
[22:52:12] <benedikt93> Well, I think so :D I very much doubt that I'll soon get heaps of spare time to continue reverse engineering ipods
[23:09:37] *** Joins: [Franklin] (~franklin@unaffiliated/franklin)
[23:14:53] *** [Franklin] is now known as [User890104]
[23:14:55] *** [User890104] is now known as [Franklin]
[23:21:01] <shadowcoder> wat
[23:21:30] <[Franklin]> nothing
[23:21:31] <[Franklin]> :)
[23:30:52] *** [Franklin] is now known as [Unix]
[23:30:59] *** [Unix] is now known as [Franklin]