Hi all,

I've been trying out several things these past few days.

First of all, we have a pretty clear idea of the hardware inside [1,2]. But we also know several things just by analyzing differences among the several firmwares we got [3].

For example, we have identified several fields inside the firmware; the first ones are definitely the "directory entry" located at 0x4800 in the firmware (see [2] p.11 for more details). Note that the checksum in it is probably a CRC32 checksum (it looks like one at least, I didn't check it) but has NO IMPACT on boot (see [4] p.6 for more details). I changed it to "FF FF FF FF" and the nano had a clean boot.

Then, further inside we got aupd.fw, osos.fw and rsrc.fw.

rsrc.fw is definitely uninteresting. It's the file system and it's not ciphered at all.

Then aupd.fw and osos.fw have about the same structure:

http://www.labri.fr/perso/fleury/hacks/ipodnano/firmware_layout.png

aupd.fw is probably the /bin, /usr/bin where all the software lies. Surprisingly, you can modify it at will, the iPod will boot anyway.

osos.fw is more likely the kernel on which all the system relies. This one cannot be touched in any manner without having an error message at boot claiming that the firmware you just used is bad.

Modifying the firmware is quite easy in fact (but it can probably be made quicker, though I didn't find how).

1) Plug your iPod into your computer and dump your firmware:
     dd if=/dev/sda1 of=iPod_firmware.ipsw
2) Save it in a safe place and create a working copy, e.g. iPod_firmware_wc.ipsw
3) Modify the working copy with your favorite hex editor.
4) Reinject the working copy into the iPod:
     dd if=iPod_firmware_wc.ipsw of=/dev/sda1
5) Unplug your iPod. It will realize by itself that you changed something and will reboot.
6) When boot is finished or has failed, just restore the firmware, or keep on modifying the working copy and go back to 4).

The headers of aupd.fw and osos.fw are laid out in the following way:

http://www.labri.fr/perso/fleury/hacks/ipodnano/IN2G_firmware_aupd_header.png
http://www.labri.fr/perso/fleury/hacks/ipodnano/IN2G_firmware_osos_header.png

As I said, modifications on aupd.fw won't prevent boot, but modifications on osos.fw will. Another astonishing fact is that modifying the zeroed area in osos.fw won't affect boot in any way. So it makes me think that the two changing pink fields in the headers are checksums for:

 a- the header of osos/aupd
 b- the payload of osos/aupd

They are 160 bits long, so I immediately thought of sha/sha1/rmd160 and... why not, md5 with padding... or something else.

So, I did try to put together little/big-endianness, checksum algorithms, different parts of the header file (full, header only, payload only, partial header starting after 0x20). Here are my results:

==========================================================================
Original files
--------------
- osos.fw
- header.osos.fw:
    dd bs=4 count=128 if=osos.fw of=header-osos.fw
- partial-header.osos.fw:
    dd bs=4 skip=12 count=116 if=osos.fw of=partial-header-osos.fw
- payload.osos.fw:
    dd bs=4 skip=512 if=osos.fw of=payload-osos.fw

Reordered in little-endian (4,8,16,32)
--------------------------------------
http://freshmeat.net/projects/convertingbinary/
- little-x.osos.fw:
    for i in 4 8 16 32; do byte-swap -w ${i} < osos.fw > little-${i}.osos.fw; done
- little-x.header-osos.fw:
    for i in 4 8 16 32; do byte-swap -w ${i} < header-osos.fw > little-${i}.header-osos.fw; done
- little-x.partial-header-osos.fw:
    for i in 4 8 16 32; do byte-swap -w ${i} < partial-header-osos.fw > little-${i}.partial-header-osos.fw; done
- little-x.payload-osos.fw:
    for i in 4 8 16 32; do byte-swap -w ${i} < payload-osos.fw > little-${i}.payload-osos.fw; done

Checksums
---------
shasum:  for file in *osos*; do openssl dgst -sha ${file}; done
sha1sum: for file in *osos*; do openssl dgst -sha1 ${file}; done
md2sum:  for file in *osos*; do openssl dgst -md2 ${file}; done
md5sum:  for file in *osos*; do openssl dgst -md5 ${file}; done
rmd160:  for file in *osos*; do openssl dgst -rmd160 ${file}; done

MD2
---
MD2(header-osos.fw)= 6719ed3c0fd2c50f29d5f81e439ab015
MD2(little-16.header-osos.fw)= ecf8a985835b5bb2d22422886281745a
MD2(little-16.osos.fw)= 5eba8714e33a84802db4135c5dad0240
MD2(little-16.partial-header-osos.fw)= c87edf98f96cdef37bb1e59f63c8dc35
MD2(little-16.payload-osos.fw)= 870a87fe4119a0cc46a150e413cef2f6
MD2(little-32.header-osos.fw)= bbf7e651f6ed66a813986844fd4c97a9
MD2(little-32.osos.fw)= de3db2cbc920e2f757b7fa54e8722026
MD2(little-32.partial-header-osos.fw)= 8350e5a3e24c153df2275c9f80692773
MD2(little-32.payload-osos.fw)= eac67e9b2ed20bacb15d2c7835a8a6f3
MD2(little-4.header-osos.fw)= 90f50ec19659b632192aa99560495f50
MD2(little-4.osos.fw)= 8fd00ec104cffb3b15dc3ca41f947094
MD2(little-4.partial-header-osos.fw)= c67468564d5dfafda80c412039a2725d
MD2(little-4.payload-osos.fw)= 3c7613ca6f93b2a5f058737caabe15eb
MD2(little-8.header-osos.fw)= 40074862766f9177492cdf4d88d1f029
MD2(little-8.osos.fw)= cd7f776d89933ea32a84b8ba7827b902
MD2(little-8.partial-header-osos.fw)= 6cdb208a79652f18ca4e86693f125faf
MD2(little-8.payload-osos.fw)= d7ca167485f5fa472c2e8023dcee607a
MD2(osos.fw)= f060c8937a97e71de716de6c48132802
MD2(partial-header-osos.fw)= 1ab5d637aa3b637041c7abbc78ff2e15
MD2(payload-osos.fw)= 1108a8d259579f812aa498e5ee165df9

MD5
---
MD5(header-osos.fw)= 80c4868a1e1a77313fa9b10dd4b0d922
MD5(little-16.header-osos.fw)= fb4ba319ae79bd076ea4dc73806b5b79
MD5(little-16.osos.fw)= 476b49cfbe06c7dbe0ec829a07b47990
MD5(little-16.partial-header-osos.fw)= 0def7a2ceb828452288c35ed58f3c56c
MD5(little-16.payload-osos.fw)= b027ed44e0e94a43bdf5a8201074eabc
MD5(little-32.header-osos.fw)= 37a805c907297e47baa0a1d287051ae7
MD5(little-32.osos.fw)= cbcf992a5fe8ff6d3cdf4c84808e0ef9
MD5(little-32.partial-header-osos.fw)= d41d8cd98f00b204e9800998ecf8427e
MD5(little-32.payload-osos.fw)= 739c45e98b2b1d4b4cc0086df79b5ed0
MD5(little-4.header-osos.fw)= abc08a368715359f6deb8f84b2f676de
MD5(little-4.osos.fw)= 9c9784d0993b884b9776456e07f19356
MD5(little-4.partial-header-osos.fw)= a963fd285b1ea31b4f112851f8fe4f4a
MD5(little-4.payload-osos.fw)= fef6adf2fb0d2085de389726c1f6548d
MD5(little-8.header-osos.fw)= 528fd320a4bcd190bf60f74e668327bc
MD5(little-8.osos.fw)= 6bf8359d8dfb73eb97c18e1c148bf706
MD5(little-8.partial-header-osos.fw)= 105d2b5852c2ca722d9fc95e11864ddb
MD5(little-8.payload-osos.fw)= b9326d22f1b8609388548ea77eed24e0
MD5(osos.fw)= 254a22c5d450356605b5b2eefdbe4972
MD5(partial-header-osos.fw)= 9ad1eff99c3e4ccdf2c3491b014ed00e
MD5(payload-osos.fw)= 0454408333ae862e7b8c1673d75f616a

RMD-160
-------
RIPEMD160(header-osos.fw)= 78c3e9e41894fb618c6c84391c3b1b4775c9b322
RIPEMD160(little-16.header-osos.fw)= 53482f32c20b3a894b17ddcee130acf296fadfbf
RIPEMD160(little-16.osos.fw)= 84dad8908a1c642a5032f30f047ad3d38a8d1ae0
RIPEMD160(little-16.partial-header-osos.fw)= 069cb53adfec8f3e45829d29cf525b661291fe72
RIPEMD160(little-16.payload-osos.fw)= af421dbb46f13b373205aacab1ab4a0d2a680e54
RIPEMD160(little-32.header-osos.fw)= 6afb434b1dcb21ec0638001678b3f28d1143166c
RIPEMD160(little-32.osos.fw)= 8a0082236487b59c344eb3a3cdee3fa956d4c47c
RIPEMD160(little-32.partial-header-osos.fw)= 9c1185a5c5e9fc54612808977ee8f548b2258d31
RIPEMD160(little-32.payload-osos.fw)= a9f1ee323dc4a8071d1ac2caa9bf94277009a186
RIPEMD160(little-4.header-osos.fw)= 6f1a95602d8697288266816b84ffc6a0aed48628
RIPEMD160(little-4.osos.fw)= 8a2f7227cf0897ca7fd5d8e4e12c46ea623aab71
RIPEMD160(little-4.partial-header-osos.fw)= 0574e9c98db48fc5e9d8c4dcf73a9433d604def8
RIPEMD160(little-4.payload-osos.fw)= 578fcf8a1f528dc8962557e41db7e3602c780d37
RIPEMD160(little-8.header-osos.fw)= 4e23ea409916fa7a7d04b531fa3d3ed2cbc4a8a4
RIPEMD160(little-8.osos.fw)= 42052ce0a3ae27d02e021becb433be3ee128ceef
RIPEMD160(little-8.partial-header-osos.fw)= 123ed31fdfe3c0a3dab079522806aeabb2bcb5da
RIPEMD160(little-8.payload-osos.fw)= 93731c5c5cdad2a77446cfa4fc531f0e642e79f8
RIPEMD160(osos.fw)= 0b970999ec0a9ba72706aa92c8f45153f1f9c9cc
RIPEMD160(partial-header-osos.fw)= 79a152710762cf660ce20e8138820771b56f6f17
RIPEMD160(payload-osos.fw)= 35046d89bc93b352cf6759bb11234bde8d59ad50

SHA
---
SHA(header-osos.fw)= 73d2e07a2ba8bf7a36329f7039c8fc101b8c4bff
SHA(little-16.header-osos.fw)= 912c38af5b1879e913f549ddd176d01915a5b459
SHA(little-16.osos.fw)= db691d7772881edca861133cbf672617081621a4
SHA(little-16.partial-header-osos.fw)= 3410b2b2fa088e3fbd4a65234753fe2809fb941a
SHA(little-16.payload-osos.fw)= ed8b4ec1d973897de4becd783989b81617a7016d
SHA(little-32.header-osos.fw)= be541abbf26bfa821fe085ae0680a458921821ae
SHA(little-32.osos.fw)= 62b6e1b02701cc915f9a89eed828902bf49c135b
SHA(little-32.partial-header-osos.fw)= f96cea198ad1dd5617ac084a3d92c6107708c0ef
SHA(little-32.payload-osos.fw)= e4b91b05b1efbb24c0d7716c0dfae4188cf37118
SHA(little-4.header-osos.fw)= 35c7b33dcaf784055e9f53aace8094e7435e046f
SHA(little-4.osos.fw)= d1faccfb6a4d6c49f97df64a7780cdffd7aeabaf
SHA(little-4.partial-header-osos.fw)= ac87d464291762fc2d9106fb623ebeb273e300dc
SHA(little-4.payload-osos.fw)= 77cd25653422e502a451acc21664420c0db2a0be
SHA(little-8.header-osos.fw)= 8ce4c038e649d89753656450cd1f6a9d81400964
SHA(little-8.osos.fw)= 73552186db1e9bfb04322ca1c74949fae3a74e02
SHA(little-8.partial-header-osos.fw)= df89abd8c6c6d48d33fc1ad001300180cfbf0ebd
SHA(little-8.payload-osos.fw)= cd7ebef6a3bd67e012eb35d7c0293bc967b333ca
SHA(osos.fw)= b0b58941d90f9b46d03157bc54bd36bf9f04e218
SHA(partial-header-osos.fw)= 43d51089b5fe28536ee89a2d0680890b1d9cf4e6
SHA(payload-osos.fw)= 4423c33a168553c73af9a793741f45b52a744fb5

SHA1
----
10fd 1143 59dc fa13 f568 e9e6 01cf 4561 5ce9 ce5c  osos.fw
0c11 b5d2 b11c acd7 61fe 5b41 5b89 aa0c 22cc 8695  header-osos.fw
b5c4 e016 810f c3c7 5316 ad3b 69a3 29c6 3f84 bf47  partial-header-osos.fw
76a8 575c 811b eba4 85a7 e266 0fb7 1c65 2203 fe40  payload-osos.fw
4fec 2390 4a5e 7aab 49b1 a4df 195d 1f48 d2a0 944c  little-4.osos.fw
a7de 1a89 4e80 8afd 72a6 fa0b e4d0 5a0a 7548 bafd  little-4.header-osos.fw
6447 3d39 061c f7a6 05c3 ddaa 3be2 aa56 fa56 7201  little-4.partial-header-osos.fw
0cf8 918a 3bca 5b72 c164 ad9f b011 76f8 b9bf fe8d  little-4.payload-osos.fw
9626 ae9c 7e0e f69c 2355 fa05 760e 6a51 b91f 60ba  little-8.osos.fw
acc5 6b20 9b16 b8a0 cdaa 50b2 137d 3138 2fa3 476b  little-8.header-osos.fw
2a3e 1630 277b 4fdf a20e 5704 696e 2b10 3d27 1527  little-8.partial-header-osos.fw
15a6 069c d6f3 a7ac 82ae 51fc 9aee 6c68 51cc f9da  little-8.payload-osos.fw
a435 d82f ddbc bf02 bb39 a24f 6796 5126 9c16 f7fb  little-16.osos.fw
5834 4936 bd2b 6197 2cf7 7f01 9813 7adb 8682 c4c9  little-16.header-osos.fw
cd31 4863 a0fb 1884 c11c 67b4 216f 81ea f730 e071  little-16.partial-header-osos.fw
5faf 5405 5c13 5d3a 0178 875c c899 a4c4 67c5 4217  little-16.payload-osos.fw
bc60 725d 27ee 5619 b155 1676 a438 4c40 347c c472  little-32.osos.fw
b14a 2818 6f56 71dd def4 1896 852b e0a4 5ee0 a2a9  little-32.header-osos.fw
da39 a3ee 5e6b 4b0d 3255 bfef 9560 1890 afd8 0709  little-32.partial-header-osos.fw
fc10 8c2d 9fd7 a363 26b6 abf4 d258 0233 23b6 5ab1  little-32.payload-osos.fw
==========================================================================

Unfortunately, none of them was matching. :-/

I don't know if I did something wrong or if I missed something. But my hypothesis that the pink fields are checksums seems to be quite valid. Oh well...

Last, but not least, we noticed that the differences between the different ciphered payloads unveil the fact that the very same key is reused each time. See:

http://www.labri.fr/perso/fleury/hacks/ipodnano/IN2G_cipher_aupd_diffs.png

In the case of a stream cipher, this kind of weakness can lead to an attack called 'reused key attack' [5]. XORing the different ciphertexts can give us some information... and if not, we would know that it's not a stream cipher but a block cipher. :)

I didn't have the time to investigate this deeper, but if somebody has time we would be pleased to include his work in [6], and it would be a giant step forward if we could know if the cipher is a stream cipher or not.

Well, well, well, I'll be quite busy next week (exams, you know!!!). So, if somebody can get a bit further, be my guest! ;)

PS: Franco Zavatti will be working next week on JTAGging the iPod nano 2G; if anyone of you has some experience in this field and can give us some time, please contact him at <badblox at doramail dot com>.

References:
-----------
[1] What we found inside Apple's iPod (Chipworks: Inside Technology)
    http://www.ice-corp.com/uploadedFiles/CW_iPOD_%20Nov%202006.pdf
    (special thanks to Franco Zavatti)
[2] Concerning iPod Nano hardware:
    http://www.linux4nano.org/drupal/files/hardware_synth.pdf
[3] Known firmwares archive:
    http://www.labri.fr/perso/fleury/hacks/ipodnano/ipod-nano-firmwares.tar.bz2
[4] iPod Nano as a blackbox:
    http://www.linux4nano.org/drupal/files/synth_blackbox.pdf
[5] Stream cipher attack:
    http://en.wikipedia.org/wiki/Stream_cipher_attack
[6] Concerning iPod Nano 2G and Cryptography:
    http://www.linux4nano.org/drupal/files/crypto_synth_0.pdf

That's all folks !!!

-- 
Emmanuel Fleury                    | Room: 261
Associate Professor,               | Phone: +33 (0)5 40 00 69 34
LaBRI, Domaine Universitaire       | Fax: +33 (0)5 40 00 66 69
351, Cours de la Libération        | Email: [EMAIL PROTECTED]
33405 Talence Cedex, France        | URL: http://www.labri.fr/~fleury

_______________________________________________
Linux4nano-dev mailing list
[EMAIL PROTECTED]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
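The digest search behind the results table above, automated as an added example (editor's code, not part of the post or of the linux4nano project). Two things in the table are worth building in. First, the five little-32.partial-header-osos.fw values (8350e5a3..., d41d8cd9..., 9c1185a5..., f96cea19..., da39a3ee...) are the MD2, MD5, RIPEMD-160, SHA-0 and SHA-1 digests of the empty input: 464 bytes is not a multiple of 32, byte-swap produced an empty file, and that whole column tested nothing, so the byte_swap below refuses such lengths instead of silently truncating. Second, a digest field cannot cover its own value, so the header is also hashed with the two 20-byte fields zeroed, a region the table does not include. The region boundaries come from the dd commands in the post (header [0,512), partial header [48,512), payload from 2048); the field offsets are a parameter because the real ones are only in the header pictures, and the 0x30/0x44 used by the self-test image are made up. `openssl dgst -sha` is SHA-0, which hashlib does not provide, so it is the one algorithm from the table that is left out.

```python
import hashlib

# Region boundaries implied by the dd commands in the post (bs=4 words):
# header = [0, 512), partial header = [48, 512), payload = [2048, end).
HEADER_END, PARTIAL_START, PAYLOAD_START = 512, 48, 2048

# `openssl dgst -sha` is SHA-0, which hashlib does not ship, so it is absent.
# Algorithms the local OpenSSL lacks (ripemd160 on some OpenSSL 3 builds)
# are skipped rather than fatal.
CANDIDATE_ALGOS = ("sha1", "ripemd160", "md5", "sha256")


def available_algos(names=CANDIDATE_ALGOS):
    out = []
    for name in names:
        try:
            hashlib.new(name)
            out.append(name)
        except ValueError:
            pass
    return out


def byte_swap(data, width):
    """Reverse every `width`-byte word, i.e. what `byte-swap -w` does.
    A length that is not a multiple of the width is refused: the 464-byte
    partial header is not a multiple of 32, and the little-32 partial-header
    digests in the post are all digests of "", so that column hashed nothing."""
    if width == 1:
        return bytes(data)
    if len(data) % width:
        raise ValueError(f"{len(data)} bytes is not a multiple of {width}")
    return b"".join(data[i:i + width][::-1] for i in range(0, len(data), width))


def empty_input_digests(algos):
    """hexdigest-of-"" -> algorithm, to spot runs that hashed nothing."""
    return {hashlib.new(a, b"").hexdigest(): a for a in algos}


def regions(fw, field_offsets, field_len):
    """Candidate inputs. 'header-masked' zeroes the digest fields inside the
    header, since a field cannot cover its own value."""
    header = bytes(fw[:HEADER_END])
    masked = bytearray(header)
    for off in field_offsets:
        masked[off:off + field_len] = bytes(field_len)
    return {"full": bytes(fw), "header": header, "header-masked": bytes(masked),
            "partial-header": bytes(fw[PARTIAL_START:HEADER_END]),
            "payload": bytes(fw[PAYLOAD_START:])}


def search(fw, field_offsets, field_len=20, widths=(1, 2, 4, 8, 16, 32)):
    """Try every (region, swap width, algorithm) against each field.
    Returns ({field_offset: (region, width, algo)}, [(region, width) skipped]).
    A digest shorter than the field is compared zero-padded (the post's
    "md5 with padding" guess); a longer one is truncated to the field."""
    targets = {off: bytes(fw[off:off + field_len]) for off in field_offsets}
    algos = available_algos()
    hits, skipped = {}, []
    for rname, rdata in regions(fw, field_offsets, field_len).items():
        for width in widths:
            try:
                swapped = byte_swap(rdata, width)
            except ValueError:
                skipped.append((rname, width))
                continue
            for algo in algos:
                digest = hashlib.new(algo, swapped).digest()
                digest = digest[:field_len].ljust(field_len, b"\0")
                for off, want in targets.items():
                    if digest == want:
                        hits.setdefault(off, (rname, width, algo))
    return hits, skipped


def build_test_image(payload, field_a=0x30, field_b=0x44, width=4, algo="sha1"):
    """Constructed image for exercising the search (not a real iPod image):
    0x800-byte header, field A = digest of the byte-swapped payload,
    field B = digest of the header with both 20-byte fields zeroed."""
    header = bytearray(PAYLOAD_START)
    header[:8] = b"testimg\0"
    dig_a = hashlib.new(algo, byte_swap(payload, width)).digest()
    header[field_a:field_a + len(dig_a)] = dig_a
    masked = bytearray(header[:HEADER_END])
    for off in (field_a, field_b):
        masked[off:off + 20] = bytes(20)
    dig_b = hashlib.new(algo, bytes(masked)).digest()
    header[field_b:field_b + len(dig_b)] = dig_b
    return bytes(header) + bytes(payload)


if __name__ == "__main__":
    image = build_test_image(bytes(range(100)))
    found, skipped = search(image, (0x30, 0x44))
    for off, how in sorted(found.items()):
        print(f"field @0x{off:x}: {how}")
    print("skipped (length not a multiple of width):", skipped)
```

To run it against a real osos.fw, read the file and call `search(data, (offset_a, offset_b))` with the two offsets taken from the header picture; a `skipped` entry means that combination was never tested, which is exactly what the empty-string digests in the table above were signalling.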
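The reused-keystream check proposed in the last paragraph, as an added example (editor's code, not the post's or the project's). It goes a little beyond the post: besides XORing two ciphertexts it reports the zero runs, checks whether their boundaries fall on block boundaries, and crib-drags a known fragment across the XOR. Everything here is constructed: the "cipher" is a toy SHA-256 counter-mode keystream standing in for whatever the iPod uses (the attack needs only c = p XOR keystream), the two plaintexts are stand-ins for two releases of one payload, and the key is a made-up constant. Under a reused keystream the keystream cancels, so c1 XOR c2 equals p1 XOR p2: zero bytes mark where the two releases are identical, and wherever one release is known the other falls out. A block cipher would look different, which is the discriminator the post asks for: in ECB only whole identical blocks cancel, so zero runs start and end on block boundaries, and in CBC every block after the first difference changes.

```python
import hashlib
import itertools


def toy_keystream(key, length):
    """Toy counter-mode keystream, SHA-256(key || counter). Stands in for the
    unknown iPod cipher; nothing below depends on which stream cipher it is."""
    out = bytearray()
    for ctr in itertools.count():
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key, plaintext):
    """Encryption and decryption are the same operation for a stream cipher."""
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


def zero_runs(diff, min_len=16):
    """(offset, length) of 0x00 runs in c1 ^ c2. With a reused keystream the
    keystream cancels, so these are exactly the ranges where the plaintexts
    agree; with independent keystreams such runs do not occur."""
    runs, i = [], 0
    while i < len(diff):
        if diff[i]:
            i += 1
            continue
        j = i
        while j < len(diff) and diff[j] == 0:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def summarize(c1, c2, block=16):
    """Stream-vs-block discriminator: ECB leaves identical blocks identical,
    so its zero runs are block-aligned, and CBC changes everything after the
    first difference; a reused stream keystream gives runs that start and end
    at the arbitrary byte offsets where the plaintexts diverge."""
    diff = xor_bytes(c1, c2)
    runs = zero_runs(diff)
    aligned = all(off % block == 0 and n % block == 0 for off, n in runs)
    return {"zero_bytes": diff.count(0), "runs": runs, "block_aligned": aligned}


def crib_drag(diff, crib):
    """Slide a known plaintext fragment along c1 ^ c2. Where the crib really
    sits in one file the XOR yields the other file's bytes at that offset.
    Results equal to the crib (files identical there) and non-printable
    results are dropped; what remains still needs a human eye."""
    hits = []
    for off in range(len(diff) - len(crib) + 1):
        cand = xor_bytes(diff[off:off + len(crib)], crib)
        if cand != crib and all(32 <= b < 127 for b in cand):
            hits.append((off, cand))
    return hits


# Constructed stand-ins for two releases of the same payload: mostly the same
# bytes, with a version string and one routine changed. Made-up key.
COMMON = bytes((i * 37 + 11) & 0xFF for i in range(200))
P1 = b"osos build v1.0.1 " + COMMON[:90] + b"patched-fn-A" + COMMON[90:]
P2 = b"osos build v1.0.2 " + COMMON[:90] + b"patched-fn-B" + COMMON[90:]
KEY = b"constructed-demo-key"


def demo():
    c1, c2 = stream_encrypt(KEY, P1), stream_encrypt(KEY, P2)
    diff = xor_bytes(c1, c2)
    assert diff == xor_bytes(P1, P2)   # the keystream has cancelled out
    report = summarize(c1, c2)
    # the crib is known from one release; the other release's bytes fall out
    other_version = dict(crib_drag(diff, b"v1.0.1")).get(11)
    return report, other_version


if __name__ == "__main__":
    report, other_version = demo()
    print(report)
    print("other release at offset 11:", other_version)
```

On real dumps the inputs would be the ciphered payloads of two firmware versions taken at the same offset; long zero runs whose edges are not block-aligned are the stream-cipher signature, and a version string or copyright notice known from one release is the natural first crib.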
