So I did find something after all.....
This apparently sounds like good news regarding the iPod Nano 2G. Apparently an old fox has found a way to decrypt the firmware.... but read it for yourselves:
[Linux4nano-dev] Fwd: Firmware protection, a way to decrypt!
JD
Mon, 19 Mar 2007 03:47:14 -0800
---------- Forwarded message ----------
From: Franco Zavatti <[EMAIL PROTECTED]>
Date: 19-Mar-2007 04:17
Subject: Firmware protection, a way to decrypt!
To: JD <[EMAIL PROTECTED]>
I am sending this message to you because I have a problem with my mail service (Doramail). Could you please forward this to the mailing list?
OK, let's do it "telegraph" style:
1-I don't own a Nano! I own a 5G, and all my work is based on the 5G.
2-I'm a crypto expert and I like to test real-world systems; the Nano could be interesting for me.
3-I just realized 3 days ago that the Nano firmware was protected, so I decided to help!
4-I think I can help, because I have reversed the protection of the previous firmware version.
5-The previous firmware version works with a 32-bit key and an RC4 cipher. The key is in the security block which prepends every file. I already sent the details on the iPodLinux forum.
6-I have a dump of the firmware from the firmware partition of the Nano 2G. It won't be enough for me to decrypt. We need the actual decrypted version from the flash ROM!
7-I need the help of someone who owns a Nano to extract the flash ROM, with a technique I'm about to explain.
But first...
The Security block:
The security block is the random-looking data that prepends every file on firmware version 3.
There are 2 versions of it. I know all the details of version 1. Version 2 is the Nano 2G version, which is different.
The security block V1 is 512 bytes long. The security block V2 is 2048 bytes long (but with only the first 512 holding actual data).
The security block tells the bootloader whether the following file is encrypted or not, and if it is, it will give you the key!
In the case of V1, the cipher is standard RC4, and the key is only 32 bits long. Short enough for a brute-force attack.
I don't know much about the V2 version. That's why we need to work together to get this thing done.
How did I reverse the Security block V1: with an emulator!
I wrote an emulator based on the MESS system (itself based on MAME), so I traced the code, and it took me less than a day to get the decryption working. But to do that, I need the firmware from the flash ROM.
How can we get the firmware from the flash?
If we can run native code on the iPod, we will be able to dump the flash ROM.
I have already written a memDumper for the 5G, but in that case, I wrote the data to the HDD. I don't know flash-based players.
To write the memDumper we need to know:
Processor type (ARM)
ROM address (probably 0x00000000)
A way to write to the main storage flash (????)
How can we run native code on the iPod Nano?
We need to modify a boot file (AUPD or OSOS) and it will be executed by the bootloader.
We cannot write code that overrides AUPD or OSOS because the files are encrypted!
False: I have noticed the file RSCS is not protected, and its Security block V2 (2048 bytes) is all filled with F!
So we replace the security block of OSOS with an all-"F" one, telling the bootloader the file is not protected.
Then we overwrite OSOS with the memDumper code. We recalculate the checksum in the directory and voilà!
I assume a lot of things, and I know this is new hardware, but how different is it?
Who can write ARM code and knows enough about the existing iPod hardware to write the memDumper and store the dump to the flash storage?
So, what do you think? Comments?
found at: http://www.mail-archive.com/linux4nano-dev@gna.org/msg00107.html