Well, I know several nano3G users, that's the reason I discovered how the games are stored on these. To modify something, you'll need to install a modified firmware image. But does anybody know what we could do to the TTFs in order to find an exploit? This kinda looks like brute force hacking to me. A much quicker approach would probably be to find the JTAG pins, download an unencrypted firmware image and have a look for bugs in there. If we find them that way, it'll be much easier to write an exploit. (Supposing that the hardware dump doesn't enable us to directly install a modified firmware, which is just a wild guess by now.)
[EMAIL PROTECTED] wrote:
> I have a cousin with a 3rd gen nano. I will ask her for a download of
> Vortex, iQuiz etc. So if anyone can put in the modified TTF as a
> bootloader for iPodLinux into the games for the nano, I will be able
> to do that.
>
>
> -----Original Message-----
> From: MsTiFtS <[EMAIL PROTECTED]>
> To: Hardware and developpement mailing list. <[email protected]>
> Sent: Fri, 4 Jan 2008 12:39 pm
> Subject: Re: [Linux4nano-dev] I had some (rather sad) thoughts...
>
> On 2G, there are no games.
> On 3G, the games are digitally signed, so we can't modify them.
>
> But there are some TTFs in RSRC.fw on 3G, which we can probably modify.
>
> mat h wrote:
> > I was thinking just putting them in the photos or games, after all the
> > games are just zip files extracted when installed. Although I don't
> > have a game to test it on.
> >
> > On Jan 4, 2008 8:36 PM, MsTiFtS <[EMAIL PROTECTED]> wrote:
> >
> >> Uh... Is there a possibility to load TTF/PNG files on a nano2G? On 3G
> >> this may indeed work, there are a lot of them in the games and in RSRC.
> >>
> >> [EMAIL PROTECTED] wrote:
> >>
> >>
> >>> I like the idea of playing the "Start iPodLinux" song, but try a TTF or PNG
> >>> exploit.
> >>>
> >>> -----Original Message-----
> >>> From: MsTiFtS <[EMAIL PROTECTED]>
> >>> To: Hardware and developpement mailing list. <[email protected]>
> >>> Sent: Sun, 30 Dec 2007 12:12 pm
> >>> Subject: [Linux4nano-dev] I had some (rather sad) thoughts...
> >>>
> >>> During Christmas vacation, I had some thoughts about what Apple could
> >>> have done to the firmware, if they were pretty clever. I've had a look
> >>> at some Nano3G firmware images recently, which sadly seem to support
> >>> that theory. They have changed something on the Nano3G, there is some
> >>> unencrypted data at the end of the OSOS and AUPD images. It pretty
> >>> much looks like some kind of footer which is INCLUDED in the file size
> >>> given in the directory-like structure, unlike the header. That footer
> >>> contains something that looks like a digital signature of the firmware
> >>> image or some other kind of certificate. It contains the string
> >>> "SecureBoot", which further supports the guess that it's a signature.
> >>> Even if we manage to hack the encryption, that would mean that we need
> >>> to get our hands on their private key in order to recreate that
> >>> signature, which seems pretty impossible. So even if we extract the
> >>> bootloader (and all the other things that might be in that utility flash
> >>> chip), we cannot modify the firmware, unless we do a hardware-based
> >>> reflash of the bootloader. That would hack ONE iPod, but wouldn't be of
> >>> any use to iPodLinux users, as they won't disassemble their iPods and
> >>> rip off chips just to be able to use iPodLinux. So we would still need a
> >>> software security leak in order to enable users to perform that reflash
> >>> using a software-only hack. But a hardware flash dump would of course be
> >>> of much use in order to work out a software exploit. But would the users
> >>> really want to take the risk of reflashing the boot chip? If something
> >>> goes wrong there, their iPods are toast and warranty is probably void.
> >>> So the only approach left would be to directly boot iPodLinux through a
> >>> software exploit every time, by playing the "Start iPodLinux" song ;)
> >>> Now the question is, how different are the Nano2Gs to the Nano3Gs?
> >>> While, on the 3Gs, it looks like a digital signature was used, we could
> >>> hope that on the 2Gs there is only some kind of checksum, which we can
> >>> break by reverse engineering the boot loader. Is the digital signature
> >>> just somewhere else on the 2Gs? Or is there really just a checksum? A
> >>> hardware-based dump is probably the only way to find an answer to that
> >>> question... Is it possible to rip that flash chip off the base board
> >>> without damaging it? How realistic is a JTAG attack? How many touch
> >>> points are there on the base board? How many of them are right beside
> >>> the ARM?
> >>> BTW What about setting up a wiki or using a section of the iPL wiki?
> >>> Could be pretty useful.
> >>>
> >>> _______________________________________________
> >>> Linux4nano-dev mailing list
> >>> [email protected]
> >>> https://mail.gna.org/listinfo/linux4nano-dev
> >>> http://www.linux4nano.org
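The quoted message describes a trailer that is counted in the directory size and carries a "SecureBoot" signature the bootloader checks. That is the usual secure-boot pattern, and the Python below models it as an added example written for this page; it is not code from the thread or from any iPod firmware. The header/footer layout, the `OSOS` tag, the reuse of the "SecureBoot" string as a footer magic, the sample payload and the 512-bit textbook-RSA keys are all constructed for illustration. It shows why the message's conclusion holds: a flipped body byte or a footer signed with a different private key is rejected, while a checksum-only footer (the 2G hope raised in the thread) can be rebuilt by anyone who can rebuild the image, so it offers no protection against modification.

```python
"""Toy model of a signed firmware footer (constructed layout, not the real iPod format).
  header = 4-byte tag + uint32 LE size   (header NOT counted in size)
  body   = firmware payload
  footer = magic + trailer               (footer IS counted in size)
"""
import hashlib
import random
import struct
import zlib

HEADER_FMT = "<4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)
SIG_MAGIC, SIG_LEN = b"SecureBoot", 64   # 512-bit modulus -> 64-byte signature
SUM_MAGIC, SUM_LEN = b"Checksum__", 4    # checksum-only footer, for contrast
_rng = random.Random(2008)               # fixed seed: reproducible toy keys

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin after a small-prime sieve (toy key generation only)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_keypair(bits=512):
    """Textbook RSA keypair: returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, priv):
    """Unpadded RSA over SHA-256 (toy; real firmware uses PSS/PKCS#1 or ECDSA)."""
    n, d = priv
    return pow(_digest_int(data), d, n).to_bytes(SIG_LEN, "big")

def signature_ok(data, sig, pub):
    n, e = pub
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, e, n) == _digest_int(data)

def build_image(body, footer, tag=b"OSOS"):
    # The directory size covers body + footer but not the header.
    return struct.pack(HEADER_FMT, tag, len(body) + len(footer)) + body + footer

def split_image(image, magic, trailer_len):
    """Return (body, trailer) using the directory size, or None if the layout is off."""
    if len(image) < HEADER_LEN:
        return None
    _tag, size = struct.unpack_from(HEADER_FMT, image)
    end = HEADER_LEN + size
    if end != len(image) or size < len(magic) + trailer_len:
        return None
    footer = image[end - len(magic) - trailer_len:end]
    if not footer.startswith(magic):
        return None
    return image[HEADER_LEN:end - len(footer)], footer[len(magic):]

def verify_signed(image, pub):
    parts = split_image(image, SIG_MAGIC, SIG_LEN)
    return parts is not None and signature_ok(parts[0], parts[1], pub)

def verify_checksum(image):
    parts = split_image(image, SUM_MAGIC, SUM_LEN)
    return parts is not None and struct.unpack("<I", parts[1])[0] == zlib.crc32(parts[0])

def demo():
    """Run the bootloader-side checks against constructed images."""
    pub, priv = make_keypair()
    body = b"constructed OSOS payload standing in for the real firmware"
    good = build_image(body, SIG_MAGIC + sign(body, priv))
    tampered = bytearray(good)
    tampered[HEADER_LEN] ^= 0xFF            # flip the first body byte
    _, other_priv = make_keypair()          # someone else's key, not the vendor's
    resigned = build_image(body + b"!", SIG_MAGIC + sign(body + b"!", other_priv))
    # A checksum footer needs no secret, so a rebuilt modified image still passes.
    summed = build_image(body + b"!", SUM_MAGIC + struct.pack("<I", zlib.crc32(body + b"!")))
    return {
        "signed_original": verify_signed(good, pub),
        "signed_tampered": verify_signed(bytes(tampered), pub),
        "signed_wrong_key": verify_signed(resigned, pub),
        "checksum_modified": verify_checksum(summed),
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the four verdicts; only `signed_original` and `checksum_modified` come back `True`. A production bootloader would additionally cover the header in the signed region and use a padded scheme with a key stored in ROM or fused into the SoC; the unpadded RSA here keeps the example within the standard library.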
