Lego iPod hacking robot

posted Aug 30th 2009 3:53pm by Zach Banks
filed under: ipod hacks, linux hacks, robots hacks

800px-Nanotron-3000-farthen-1

The Linux4nano project has been working to port the Linux kernel onto the iPod Nano along with other iPods in general. Although the iPodLinux project has had luck with some older iPods, newer models protect firmware updates with encryption. One of the ways they plan on running code on the device is through a vulnerability in the notes program; it causes the processor to jump to a specific instruction and execute arbitrary code. To take advantage of this, they first need to figure out where their injected code ends up in the memory. Currently, they are testing every memory location by painstakingly loading in a bogus note and recording its effect. Each note takes about a minute to test and they have tens of thousands of addresses to check over several devices.

Although they’ve cracked the 2G Nano, they still have a lot of work ahead of them. To make it easier, they’re working on automating it with button-pressing Lego Mindstorms-based robots. Dubbed Nanotron 3000, this line of robots can press the 3 buttons needed to test the iPod. Ideally, these robots should be able to go through over 23,000 addresses a day, which is much more efficient than doing it by hand. With luck, they’ll crack it soon.

Related: iPhone Linux

[via NYC Resistor]

Comments [14]

tagged: apple, brute force, ipod, iPodLinux, lego, lego mindstorms, Lego NXT, linux, linux4nano, nanotron 3000, robot

Reader Comments

“nanotron 3000″ i like the sound of that XD

Posted at 4:20 pm on Aug 30th, 2009 by frg

brute force ftw

Posted at 4:55 pm on Aug 30th, 2009 by bort

mystery nano theater 3000

Posted at 4:57 pm on Aug 30th, 2009 by sly

you’d figure theyd just take a micro controller and wire it directly to the inputs, although it would probably destroy the ipod…

Posted at 5:10 pm on Aug 30th, 2009 by Hiroe

More vendors are figuring out starting packed signature chains from unmodifiable resources is the way to go on embedded devices for integrity. Now if they can just start using page locking.

On an unmodified signature chain with page locking bus tapping and code modification are useless if the feature are implemented right. You add LPAR it’s actually impossible without die modification which nobody can do. They use LPAR on the ps3 for almost every and the vital code is in a local store controller the host lpar..

Posted at 5:52 pm on Aug 30th, 2009 by tjhooker

@frg I 2nd that notion

Posted at 9:26 pm on Aug 30th, 2009 by ProGamingLife.com

totally agree with hiroe, don’t have any clue why they don’t just wire up the darn switches directly to a uC. Definitely won’t fry it if you know what you’re doing, and if you’re really concerned just use a relay. I’ve got several MP3 players hooked up like this for cheap media playback for quite a number of my projects.

Posted at 10:04 pm on Aug 30th, 2009 by threepointone

cool about the robot but i found the part about the notes app jumping and running arbitrary code more interesting.

Posted at 11:08 pm on Aug 30th, 2009 by dext0rb

Cool hack! We also provide some tips for Lego robots in our site. It’w written in catalan but you’re welcome anyway!

Posted at 11:48 pm on Aug 30th, 2009 by AutoRecerca't

Its the psp all over again, I bought the dam thing, now your trying to tell me what I can do with 250 dollars I spent. Screw that I bought it Ill do what I like, and if you “protect” it I am well within my rights to break said protection. Why do companies always try to limit what can be done with their tech. I understand when it’s software, but the hardware is already bought. As long as companies lock their physical product then Well keep hacking it.

Posted at 12:48 am on Aug 31st, 2009 by mykeyFinn

beyond awesome

Posted at 1:59 am on Aug 31st, 2009 by Jeff

We should definitely help out the linux4nano team some more I heard a guy say if they got a 3rd gen donation they could have those hacked as well. anyone hav a 3g….??????

Posted at 6:40 am on Aug 31st, 2009 by Tyramis

@mykeyfinn: This issue has to do with licensing. I can’t really say for certain why apple would do this, but in the case of the PSP, the development costs of the PSP are subsidized by the sale of games and accessories. If you run whatever code *you* want to run on the device, it breaks the subsidy chain. In other words, it all comes down to money and Sony wants to ensure that they make money on the device. This is especially true when these devices are being sold at a price point that’s below the build cost. The PS3 is a perfect example of a device that (used to) cost more to manufacture than the price consumers paid for it.

But anyway… I’ll agree with others that commented saying that building the bot is way over complicating things. Take it apart and wire directly to the button contacts. It would probably be faster and you wouldn’t wear out the buttons iteratively running tests.

Posted at 1:59 pm on Sep 3rd, 2009 by signal7

More people are likely to have mindstorms sets and want to hack their iPod than want to take the thing apart.

Posted at 12:03 pm on Sep 7th, 2009 by Hillshum

Lego iPod hacking robot

Recent Posts

Reader Comments

Leave a Reply

Hacks

Resources

RSS newsfeeds

Most commented on (30 days)

Recent comments