hum.
in fact in other firmwares (.2 for example), there is that BL as well but the code
there seems a bit strange,
going here and there and stopping on data code (cannot disasm..)
in the .1 I don't find the "Tool" string (at pos 5E00 or near..)
so it could be obfuscated code, but I think it may be just not a good solution
:/
+
serpilliere
On Thu, Sep 27, 2007 at 01:33:27AM -0700, mat h wrote:
> GOOD WORK. Please continue when you have more info; I love seeing progress and
> will help out when I can.
>
> On 9/27/07, Fabrice Desclaux < [EMAIL PROTECTED]> wrote:
>
> yep
> On Wed, Sep 26, 2007 at 11:52:38PM -0700, mat h wrote:
> > so the 90 was a nop,
>
> humm if it's not x86 but arm, it's not a nop: if it's arm code, it's a part
> of a mnemonic starting with:
> EB 3C 90 XX (missing one byte XX to have a mnemonic)
>
> HERE is the interesting part:
> in ARM in big endian:
> this means:
> ROM:00005E00 EB 3C 90 4D BL F29F3C
>
> yes man, it's a JUMP (even if it's not x86, you smelled right)
> so at 0xF29F3C:
>
> ROM:00F29F3C 59 DC C9 DD LDMPLIB R12, {R0,R2-R4,R6-R8,R11,LR,PC}^
>
> this means:
> LDMPLIB decomposes in:
> LDM Load from memory
> PL (if positive or null...)
> IB pre increment register
>
> from where:
> R12
> what may I load:
> {R0,R2-R4,R6-R8,R11,LR,PC}^
>
>
> OOO by the way PC is the program COUNTER (yes, in arm you can write directly to
> PC (differs from x86 :))
>
> so it loads all those registers from memory located at R12
> the big question is: what is the start value of R12???
> if we get this, we can go on to the NEXT address to disassemble...
>
>
> another trick to guess this is to disassemble everywhere and watch for
> valid code... humm, time consuming.
>
> This is all valid if it's really an arm processor and the entry point is
> effectively at 5E00 and it's big endian and blahblah!
>
>
> but erf, it smells good :)
> + serpilliere
>
>
>
>
>
> > Anyway my theory is that if the encryption is a stream based cipher that maybe,
> > in order to prevent us cracking it easily between different releases, they might
> > change the decryption code, which would be loaded on boot from the fat16
> > partition. Unless anyone else can think of a use of FAT16 boot code unencrypted?
> >
> > On 9/26/07, Fabrice Desclaux <[EMAIL PROTECTED]> wrote:
> >
> > oki, no problem.
> >
> >
> > in fact if it's really arm on the ipod, the basic thing is arm instruction
> > length is 4 bytes (always) and addresses are then multiples of 4,
> > so it's a bit easier to disasm :)
> >
> > little doc can be found at bear.ces.cwru.edu/eecs_382/ARM7-TDMI-manual-pt2.pdf
> >
> > Note: IDA (from datarescue) supports ARM (most ARMs in fact) (it's sexy,
> > and all...)
> > but erf, if you don't have IDA you can try disassembling using other tools.
> > A funny one to do this could be METASM (cr0.org).
> >
> > I know, it's ruby Van Gogh style code but erf, it disasms arm :)
> > another one could be objdump for arm!
> >
> >
> > +
> > serpilliere
> >
> >
> > On Wed, Sep 26, 2007 at 11:31:48PM -0700, mat h wrote:
> > > Sorry all, I don't know much about asm, I'm not sure whether it's a nop or
> > > the end of an address. As I said, I need someone that knows ASM,
> > > particularly ARM asm
> > >
> > > On 9/26/07, Fabrice Desclaux < [EMAIL PROTECTED]> wrote:
> > >
> > > humm sorry about that but I think I missed something.
> > >
> > > You say there is a jump & nop at 0x5E00:
> > > EB 3C 90
> > >
> > > but this is an x86 assembly mnemonic. Isn't the iPod ARM?
> > >
> > >
> > > another question:
> > > the x86 jump is effectively EB 3C, and 3C is the relative offset, so when you
> > > say:
> > > unencrypted boot loader should be located around 0x5E00+0x3c90 = 0x9A90 or
> > > 39568. Again I dont
> > >
> > > shouldn't it be:
> > > 0x5E00 + 0x3C ?
> > > (thus, if it's x86 again..)
> > >
> > >
> > >
> > >
> > > +
> > > serpilliere
> > >
> > >
> > >
> > >
> > >
> > > On Thu, Sep 27, 2007 at 03:15:28PM +1000, mat h wrote:
> > > > Btw I may be off slightly with that offset.
> > > >
> > > > On 9/27/07, mat h < [EMAIL PROTECTED]> wrote:
> > > >
> > > > Since you're new I'll re-send part of my previous mail:
> > > > Before I continue I think I found the program used to make the disk image
> > > > and the FAT16 header:
> > > > Fat16 header: 5E00 after all the 0's
> > > > jump instruction (3 bytes):
> > > >
> > > > 0xEB - something in asm
> > > > 0x3C - something in asm
> > > > 0x90 - asm nop
> > > >
> > > > bytes per sector - 0x02,0x03 I think
> > > > I'm not sure if there's any padding, but I think the fat16 partition starts
> > > > at 5E00
> > > >
> > > >
> > > >
> > > > 5E10 - total number of file allocation tables, has to be 2 and it is 2
> > > >
> > > >
> > > >
> > > >
> > > > OEM name (8 bytes):
> > > > MTOOL399 - reference to MTOOLS version 3.99
> > > >
> > > >
> > > >
> > > > Try keys like: MTOOLS, MTOOLS399 etc, look for ascii strings in the
> > > > firmware
> > > >
> > > > BTW. the boot loader starts with the following code
> > > > 0xEB - short jump (EB JMP SHORT rel8)
> > > > 0x3C - value part 1
> > > > 0x90 - value part 2
> > > >
> > > > I'm no expert at asm but if I'm correct then the unencrypted boot loader
> > > > should be located around 0x5E00+0x3c90 = 0x9A90 or 39568. Again I don't
> > > > program in much assembly so could someone more knowledgeable please confirm
> > > > this.
> > > >
> > > > On 9/27/07, Jeremy Prater < [EMAIL PROTECTED] >
> wrote:
> > > >
> > > >
> > > > Hey team, I just got on the linux4nano team mailing list because I have
> > > > a 2g nano and don't like apple anymore because they decided to encrypt
> > > > the osos. Anyways I decided to do some key breaking. Anyways I'm sad
> > > > now, I assumed a 32-bit RC4 key which is a big assumption, I used visual
> > > > studio and got some rc4 decrypting functions from sourceforge and
> > > > started coding a little app. Sure, I'll crack this code? In 57,732 days,
> > > > my app predicted, yeah. So much for a core2 duo t5600 doing high speed.
> > > > Lol, guess .net framework isn't optimized for speed. 2^32 keys is a lot
> > > > of keyspace. Anyways, so the brute force idea is pretty much out I
> > > > guess. Unless someone has a mega-cluster of computers. I don't really
> > > > know what is going on with the mailing group, the gna.org list kinda
> > > > sucks to join in and catch up on. I like the idea of a ram-dump to
> > > > get the un-encrypted firmware. Before my brute force attack I used
> > > > sg3_tools and the ipod in diagnostic mode, no luck. The ipod vendor/
> > > > device in diagnostic mode is 0000/0000 and does not respond to any usb
> > > > commands. A usb dump of the ram is kinda silly. To do that we need to
> > > > run our own code on the cpu, which means we need to write an encrypted
> > > > osos so the bootloader will parse it correctly. Which came first, the
> > > > chicken or the egg? The decipher key or the memdumper? Haha. Using
> > > > buffer overruns seems safe b/c osos will crash and reboot into the
> > > > bootloader, too bad there aren't any. Well this is what I have read/
> > > > discovered the last 30 hours or so trying to brick my ipod. Any ideas?
> > > > ? Jeremy
> > > >
> > > >
> > > > _______________________________________________
> > > > Linux4nano-dev mailing list
> > > > [email protected]
> > > > https://mail.gna.org/listinfo/linux4nano-dev
> > > > http://www.linux4nano.org
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > We explore... and you call us criminals.
> > > > We seek after knowledge... and you call us criminals.
> > > > We exist without skin color, without nationality,
> without
> > religious
> > > bias...
> > > > and you call us criminals.
> > > > You build atomic bombs, you wage wars, you murder,
> cheat,
> and
> > lie to
> > > us and
> > > > try to make us believe it's for our own good...
> > > > ....yet we're the criminals.
> > > >
> > > > ____________WAUSHARE ROX ______________
> > > > Join the dark side we've got cheese
> > > > Annoying people since 1992
> > > > If you hate me, I love you too. It ain't my fault I'm
> better
> > than you
> > > > Save Water, Drink Beer
> > > > God Made Women First, Then He Had A Better Idea.
> > > > If Barbie is soo popular...how come you have to buy her
> > friends?
> > > > Don't play stupid with me... I'm better at it!
> > > > You were so cute when you were a baby...What happened?
> > > > My folks were always asking me to wear underpants. What
> am I,
> > the
> > > pope?
> > > > I'm calling the police!... Right after I flush some
> tings.
> > > > Join the army, see the world, meet interesting people,
> and kill
> > them.
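To make the disassembly argument in this thread reproducible (the FAT16 header at 5E00 with OEM name MTOOL399, the bytes `EB 3C 90` read as x86 `JMP SHORT` + `NOP` versus the big-endian ARM `BL F29F3C`, and the `LDMPLIB R12, {R0,R2-R4,R6-R8,R11,LR,PC}^` found at the branch target), here is an added Python example. It is not code from anyone on the list. It builds a constructed boot sector whose first eleven bytes and FAT count follow the thread (every other BPB value is invented for the example), parses the BPB, and decodes the first 32-bit word under both readings, including a register-list renderer for LDM/STM. One detail it makes explicit: an x86 rel8 is counted from the end of the two-byte jump, so the x86 reading lands at 0x5E00 + 2 + 0x3C = 0x5E3E, while the big-endian ARM reading reproduces the thread's 0xF29F3C. Feeding the same decoder the little-endian word yields no branch and no LDM/STM, which is one cheap check on the endianness guess the thread leaves open.

```python
"""Triage helpers for an unknown firmware image: parse the FAT16 BIOS Parameter
Block at the offset the thread calls 5E00, then decode its first 32-bit word as
x86 (JMP SHORT + NOP) and as a big-endian ARM instruction."""
import struct

# Constructed sample boot sector. The first 11 bytes (EB 3C 90 + "MTOOL399")
# and the FAT count of 2 follow the thread; every other BPB value is made up.
BOOT_SECTOR_ADDR = 0x5E00
BPB_FORMAT = "<3s8sHBHBHHBHHHII"          # FAT on-disk fields are little-endian
SAMPLE_BOOT_SECTOR = struct.pack(
    BPB_FORMAT,
    b"\xEB\x3C\x90",   # x86 reading: JMP SHORT +0x3C ; NOP
    b"MTOOL399",       # OEM name (mtools 3.99 wrote the image)
    512, 4, 1,         # bytes/sector (offset 0x0B), sectors/cluster, reserved sectors
    2,                 # number of FATs (offset 0x10, i.e. 0x5E10 in the image)
    512, 0, 0xF8,      # root dir entries, total sectors16 (0 -> use 32-bit), media
    32, 32, 2,         # sectors per FAT, sectors per track, heads
    0, 8192,           # hidden sectors, total sectors32
)
BPB_FIELDS = ("jump", "oem_name", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "num_fats", "root_entries", "total_sectors16",
              "media", "sectors_per_fat", "sectors_per_track", "heads",
              "hidden_sectors", "total_sectors32")

def parse_fat16_bpb(sector: bytes) -> dict:
    """Unpack the BIOS Parameter Block into a dict keyed by field name."""
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0)))
    bpb["oem_name"] = bpb["oem_name"].decode("ascii", "replace").rstrip()
    return bpb

def x86_short_jump_target(code: bytes, addr: int):
    """EB rel8 is JMP SHORT. rel8 is a signed byte counted from the instruction
    *after* the jump, so the target is addr + 2 + rel8; the following 0x90 is a
    separate NOP, not a second offset byte."""
    if code[0] != 0xEB:
        return None
    rel8 = struct.unpack_from("<b", code, 1)[0]
    return addr + 2 + rel8

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]
REG_NAMES = [f"R{i}" for i in range(13)] + ["SP", "LR", "PC"]

def arm_reg_list(mask: int) -> str:
    """Render an LDM/STM register mask the way a disassembler does (R2-R4)."""
    regs = [i for i in range(16) if mask >> i & 1]
    parts, i = [], 0
    while i < len(regs):
        j = i   # extend a run of consecutive numbered registers (R0..R12)
        while j + 1 < len(regs) and regs[j + 1] == regs[j] + 1 and regs[j + 1] <= 12:
            j += 1
        if j - i >= 2:
            parts.append(f"{REG_NAMES[regs[i]]}-{REG_NAMES[regs[j]]}")
            i = j + 1
        else:
            parts.append(REG_NAMES[regs[i]])
            i += 1
    return ",".join(parts)

def decode_arm_word(word: int, addr: int):
    """Decode the two 32-bit ARM instruction classes met in the thread:
    B/BL (bits 27:25 = 101) and LDM/STM (bits 27:25 = 100). Anything else
    returns None, which is itself a useful signal when guessing endianness."""
    cond = COND[word >> 28]
    suffix = "" if cond == "AL" else cond
    cls = (word >> 25) & 0b111
    if cls == 0b101:
        imm24 = word & 0xFFFFFF
        if imm24 & 0x800000:           # sign-extend the 24-bit word offset
            imm24 -= 1 << 24
        mnemonic = ("BL" if word >> 24 & 1 else "B") + suffix
        target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF   # PC reads as addr + 8
        return {"mnemonic": mnemonic, "target": target}
    if cls == 0b100:
        p, u, s, w, l = (word >> b & 1 for b in (24, 23, 22, 21, 20))
        mode = ("I" if u else "D") + ("B" if p else "A")   # IB / IA / DB / DA
        mnemonic = ("LDM" if l else "STM") + suffix + mode
        base = REG_NAMES[(word >> 16) & 0xF] + ("!" if w else "")
        operand = f"{base}, {{{arm_reg_list(word & 0xFFFF)}}}" + ("^" if s else "")
        return {"mnemonic": mnemonic, "operand": operand}
    return None

def triage(sector: bytes, addr: int) -> dict:
    """Both readings of the first word, plus the parsed BPB, for one boot sector."""
    be_word = struct.unpack_from(">I", sector, 0)[0]
    le_word = struct.unpack_from("<I", sector, 0)[0]
    return {"bpb": parse_fat16_bpb(sector),
            "x86_jmp_target": x86_short_jump_target(sector, addr),
            "arm_be": decode_arm_word(be_word, addr),
            "arm_le": decode_arm_word(le_word, addr)}

if __name__ == "__main__":
    r = triage(SAMPLE_BOOT_SECTOR, BOOT_SECTOR_ADDR)
    print(f"OEM {r['bpb']['oem_name']!r}, FATs {r['bpb']['num_fats']}")
    print(f"x86: JMP SHORT -> {r['x86_jmp_target']:#x}")
    print("ARM big-endian   :", r["arm_be"])     # BL to 0xF29F3C, as in the thread
    print("ARM little-endian:", r["arm_le"])     # None: neither a branch nor LDM/STM
    print(decode_arm_word(0x59DCC9DD, 0xF29F3C))  # the word the thread finds at the BL target
```

The decoder covers only the two instruction classes the thread actually meets; extending it to the full ARM encoding table is what a disassembler such as objdump or IDA does, and the point here is to see why one word reads as a call and the next as a register load, and how the endianness assumption changes the answer.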