Skip to content

Latest commit

 

History

History
69 lines (48 loc) · 1.96 KB

README.md

File metadata and controls

69 lines (48 loc) · 1.96 KB

ipod_sun

Code execution on the iPod nano 6th and 7th generation

How?

This tool builds a modified firmware image that abuses two iPod bugs in order to gain code execution:

1) Disk swapping

By swapping the 'disk' and 'osos' sections in a firmware image, the iPod will boot into the standard RetailOS when holding the buttons for disk mode. But, when booting into disk mode the iPod won't verify the 'rsrc' partition as disk mode usually doesn't use it.

2) CVE-2010-1797 (better known as star)

By using a malformed OTF font, we can trigger a stack overflow in CFF parsing. See src/exploit.rs for details

The result

Custom SCSI command added that can read/write memory and execute arbitrary code.

Dependencies

For python3:

pyfatfs
fonttools

Native:

arm-none-eabi-gcc

Supported devices:

  • iPod Nano 6th Generation
  • iPod Nano 7th Generation (Mid 2015)

WARNING!

Some devices are not able to boot into DFU, this may be caused by a non-functional battery.

Bad payloads, incorrectly packed firmware and many other causes CAN and HAVE caused permanent bricks.

Usage

# Build the patched firmware
cargo r --release -- --device=nano7-refresh

# Flash Firmware-repack.MSE over DFU

Dumping bootroms

# Enable the VROM clock gates
sudo sg_raw -o /dev/null -r 512 -vvv /dev/sdc c6 96 04 00 00 00 00

# Dump the rom
cd tools/scsi_dumper
cargo r --release -- 0x20000000 0x10000 n7g_bootrom.bin

Decrypting firmware

See tools/scsi_decrypter

Attribution

Base.ttf is one of the payloads from star, used as a CFF template

helpers/viafont/original sourced from here

Thanks

q3k for the SCSI handler example and for wInd3x

760ceb3b9c0ba4872cadf3ce35a7a494 for ipodhax which inspired a lot of the firmware un/packing code