Lego iPod hacking robot


The Linux4nano project has been working to port the Linux kernel to the iPod Nano, and to newer iPods in general. Although the iPodLinux project had success with some older iPods, newer models protect firmware updates with encryption, so the old route of simply replacing the firmware is closed. One way they plan to run code on the device is through a vulnerability in the Notes application: a crafted note causes the processor to jump to a specific address and execute arbitrary code. To take advantage of this, they first need to find out where their injected code ends up in memory, since the jump target has to land on it. Currently, they are testing every candidate memory location by painstakingly loading a bogus note and recording its effect. Each note takes about a minute to test, and they have tens of thousands of addresses to check across several devices.

Although they’ve cracked the 2G Nano, they still have a lot of work ahead of them. To make it easier, they’re automating the process with button-pressing robots built from Lego Mindstorms. Dubbed Nanotron 3000, this line of robots can press the three buttons needed to test a note on the iPod. Ideally, these robots should be able to step through over 23,000 addresses a day, far more than is practical by hand at a minute per address. With luck, they’ll crack it soon.
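A simulation of the address sweep the two paragraphs above describe, added here as an example and not code from linux4nano or iPodLinux. The iPod's note format, the jump mechanism, the memory size and the filler byte are all stand-ins I chose (assumptions), and the "device" is a toy that copies the note to an address the tester does not know and then jumps where the note says. What it shows is the search itself: the one-address-at-a-time approach needs one test per candidate, while putting a run of harmless filler in front of the payload widens the window of jump targets that work, so the sweep can step by the filler length without missing it. That sled trick is a standard way to cut down a blind address search; it goes beyond what the post states, and whether the real note format allows such filler is an assumption.

```python
"""Toy simulation of a blind 'where did my injected code land?' sweep.
Added example; not linux4nano code. Every constant below is an assumption."""

MEM_SIZE = 0x10000      # toy device memory size (assumption)
FILLER = 0x90           # byte the toy CPU steps over harmlessly (assumption)
PAYLOAD = b"\xEE"       # stands in for the injected code; reaching it = visible effect
OTHER = 0xFF            # what the rest of toy memory holds; jumping onto it "crashes"


class ToyDevice:
    """Stand-in for the iPod: copies the note body to an address the tester
    does not know, then jumps to the address the note names."""

    def __init__(self, hidden_base: int):
        self.hidden_base = hidden_base

    def load_note(self, body: bytes, jump_to: int) -> str:
        mem = bytearray(b"\xFF" * MEM_SIZE)
        mem[self.hidden_base:self.hidden_base + len(body)] = body
        pc = jump_to
        while pc < MEM_SIZE:
            if mem[pc] == PAYLOAD[0]:
                return "hit"            # payload ran: the effect the testers record
            if mem[pc] != FILLER:
                return "crash"          # landed somewhere else: device misbehaves
            pc += 1                     # slid over a filler byte, keep going
        return "crash"


def make_note(filler_len: int) -> bytes:
    """Note body: filler_len harmless bytes, then the payload. Any jump into the
    filler slides forward into the payload, so the usable window grows with it."""
    return bytes([FILLER]) * filler_len + PAYLOAD


def sweep(device: ToyDevice, filler_len: int, start: int = 0, end: int = MEM_SIZE):
    """Test candidate jump targets from start up to end, recording each outcome
    the way the testers do by hand. With filler_len bytes of filler, every
    target in [base, base + filler_len] works, so stepping by filler_len + 1
    cannot skip the window. filler_len = 0 is the one-address-per-test sweep."""
    body = make_note(filler_len)
    step = filler_len + 1
    log = []                            # (candidate, result): the testers' notebook
    for candidate in range(start, end, step):
        result = device.load_note(body, candidate)
        log.append((candidate, result))
        if result == "hit":
            return candidate, log
    return None, log                    # window not in this range: widen the search


def days_needed(num_tests: int, tests_per_day: float) -> float:
    """Wall-clock estimate: a human at one test a minute manages 1440 a day;
    the post's robot target is 23,000 a day."""
    return num_tests / tests_per_day


if __name__ == "__main__":
    device = ToyDevice(hidden_base=0x1234)          # the unknown the sweep must find
    for filler_len in (0, 255):
        hit, log = sweep(device, filler_len)
        print(f"filler {filler_len:3d}: hit at {hit:#06x} after {len(log)} tests, "
              f"{days_needed(len(log), 1440):.2f} days by hand, "
              f"{days_needed(len(log), 23000):.2f} days by robot")
```

Without filler the sweep has to visit 0x1234 + 1 addresses one at a time; with 255 bytes of filler it reaches the same payload in 20 tests, because the step is now 256. The hit address it reports is not the base but the first candidate inside the window, which is all an exploit needs to know.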

Related: iPhone Linux

[via NYC Resistor]

Comments

  1. frg says:

    “nanotron 3000” i like the sound of that XD

  2. bort says:

    brute force ftw

  3. sly says:

    mystery nano theater 3000

  4. Hiroe says:

    you’d figure they’d just take a microcontroller and wire it directly to the inputs, although it would probably destroy the iPod…

  5. tjhooker says:

    More vendors are figuring out that starting packed signature chains from unmodifiable resources is the way to go for integrity on embedded devices. Now if they can just start using page locking.

    On an unmodified signature chain with page locking, bus tapping and code modification are useless if the features are implemented right. Add LPAR and it’s actually impossible without die modification, which nobody can do. They use LPAR on the PS3 for almost everything, and the vital code is in a local store controlled by the host LPAR.

  6. @frg I 2nd that notion

  7. threepointone says:

    I totally agree with Hiroe; I don’t have any clue why they don’t just wire up the darn switches directly to a uC. It definitely won’t fry it if you know what you’re doing, and if you’re really concerned just use a relay. I’ve got several MP3 players hooked up like this for cheap media playback in quite a number of my projects.

  8. dext0rb says:

    Cool about the robot, but I found the part about the Notes app jumping and running arbitrary code more interesting.

  9. Cool hack! We also provide some tips for Lego robots on our site. It’s written in Catalan, but you’re welcome anyway!

  10. mykeyFinn says:

    It’s the PSP all over again. I bought the damn thing, and now you’re trying to tell me what I can do with the 250 dollars I spent. Screw that, I bought it, I’ll do what I like, and if you “protect” it I am well within my rights to break said protection. Why do companies always try to limit what can be done with their tech? I understand when it’s software, but the hardware is already bought. As long as companies lock their physical products, we’ll keep hacking them.

  11. Jeff says:

    beyond awesome

  12. Tyramis says:

    We should definitely help out the linux4nano team some more. I heard a guy say that if they got a 3rd gen donation they could have those hacked as well. Anyone have a 3G…?

  13. signal7 says:

    @mykeyfinn: This issue has to do with licensing. I can’t really say for certain why Apple would do this, but in the case of the PSP, the development costs of the PSP are subsidized by the sale of games and accessories. If you run whatever code *you* want to run on the device, it breaks the subsidy chain. In other words, it all comes down to money, and Sony wants to ensure that they make money on the device. This is especially true when these devices are being sold at a price point that’s below the build cost. The PS3 is a perfect example of a device that (used to) cost more to manufacture than the price consumers paid for it.

    But anyway… I’ll agree with others that commented saying that building the bot is way over-complicating things. Take it apart and wire directly to the button contacts. It would probably be faster, and you wouldn’t wear out the buttons running tests over and over.

  14. Hillshum says:

    More people are likely to have mindstorms sets and want to hack their iPod than want to take the thing apart.
