IPod Nano 6g Closer To Being Cracked

[Steven Troughton-Smith] figured out how to push signed firmware through to the iPod Nano 6g. This is accomplished by modifying iRecovery to recognize the device on the USB after forcing a recovery mode reboot. So no, this doesn’t mean that it has been cracked since it checks the firmware you push and reboots if it’s not approved. But if you can figure out how to craft a custom image that passes the check you can call yourself a jailbreak author.

[youtube=http://www.youtube.com/watch?v=u_c8VM7lVo4&w=470]

[Thanks RavK via NanoHack]

32 thoughts on “IPod Nano 6g Closer To Being Cracked

  1. Maybe I am not the average consumer, but I can assure you that I won’t buy this thing unless it gets cracked and someone finds a way to put new software on it. So at least for me it would be a benefit for Apple if this thing got cracked.

  2. They use a boot rom to set the ARM partition bit and load the isolated loader just like all other Apple products. The iphone devs do things through shellcode exploits, even the SHA1 based exploit they haven’t released yet..

    -ARM stuff has the loaders on the other side of a domain bit mapped by a rom you can rewrite if you can write&reflow if you can do BGA stencils

    -X360 has a boot rom that loads an embedded NT kernel that has code for per session encyption, execute disable, and signing

    -PS3 has a boot rom that loads from a NAND descriptor into isolated SPUs loaders that use DMA PKI with the ROM for crypto and signing(but they left disc auth, lv1/HV and a lot of other stuff in RAM(you still can’t encrypt and sign, even geohot couldn’t..he hashed an update package with pre-encrypted binaries)

    They all take memory corruption o_o

    ..Wait till these vendors learn to actually properly use hardware isolation and execute disable, that will actually be worth spamming twitter about if someone defeats it, this stuff people do every day on other platform..

  3. So all that is left is to obtain Apple’s private encryption key and digitally sign the package? That’s all?

    Sounds like an impossible task. You would be much better off finding some sort of permissions escalation exploit which would be able to bypass signature checks all together.

    This is a well known feature in ALL IOS based products.

  4. @Shield Typing in two numbers which are easily found into an existing utility without any other changes is hard to do and newsworthy? I’ll inform the newspapers. You can handle the TV shows.

  5. @GotNoTime: Don’t expect people who didn’t know RCE existed before Geohot and iphone to understand technical aspects of security architecture..

    What’s funny is out of all the ARM devices in the world Apple products aren’t even close to being the most secure. Especially compared to ARM industrial robotic FPGA IP markets that use the same arch, just better developers..

  6. u can kinda read the words if you put it in 720p. maybe on a bigger monitor. on a more related topic: someone needs to perfect the arc reactor so that we can have wireless earbuds, and never have to change the batteries in that fancy wristwatch u got thurr

  7. I’d never want to “crack” it. What a waist of time. It’s a freaking iPod. It does what it does – play music.

    Ya know – you don’t have to “hack” everything.

  8. @Bill D. Williams- Killjoy. It does what it does – play music. Then why did they lock it down?
    Why hack everything? Well, just the fact that you could hack into something is reason enough to be happy about your skills, irrespective of whether the hacked device has any use or not.

  9. “I’d never want to “crack” it. What a waist of time. It’s a freaking iPod. It does what it does – play music.

    Ya know – you don’t have to “hack” everything.”

    Argument from someone with an extreme lack of imagination.

    You could, for example, hack it to not require iTunes, so you could use it like a storage drive, moving the mp3s and other files in and out from the desktop.

  10. @snake:It does crypto from the other side of the partition bit just like the others..It takes shellcode exploits, which I doubt the person in this article will come to realize and learn before giving up…it’s got two ARM chips and a media SOC, there is really nothing to jailbreak except to do CFW..

  11. “You could, for example, hack it to not require iTunes, so you could use it like a storage drive, moving the mp3s and other files in and out from the desktop.”

    Or you could just buy an MP3 player that already supports this and stop supporting a company that are so anti-hacker.

  12. @Shield

    Shut up? U mad bro?

    And yes, I have previously done a lot of work for the iPhone and iPod touch. I am perfectly capable of typing in two numbers into an open source tool if I felt the need to but I guess you’re not capable. There are various guides online about how to do copy & paste if you wish to find out more.

    1. Add PID/VID to existing tool

    2. ???

    3. Profit and/or Custom Firmware!

    I’ll let you work out #2 at which point it will actually be newsworthy unlike this.

  13. “You could, for example, hack it to not require iTunes, so you could use it like a storage drive, moving the mp3s and other files in and out from the desktop.”

    Does SharePod not work on these anymore? I got a free ipod a few years ago. I hate itunes so I went searching for something else. Found SharePod and never looked back. Then came internet radio on my smartphone and make portable mp3 players obsolete…

  14. Hey – all I’m saying is that none of you rocket scientists are going to “hack it” and make it better than what it already is.

    At this point an iPod nano is like a shovel. It does one thing, and it does it well. Sure, you could use a shovel as a canoe paddle, but it wouldn’t be very good at it, now would it?

    All that’s going to happen is that someone will find a way to play doom on it, and then we’ll all sit here and talk about the next iPod nano and when will it be cracked. It’s kinda pointless.

    Go build something and stop commenting on HAD. ;)

  15. @ charlie yeppers
    @ jb lol
    @ filespace we will never know
    @ bill I find it quite fun to hack something to play doom just for the sake of accomplishing something. Ya I’ve never played doom but it doesn’t mean I don’t load t and execute it on some unintended platform.

  16. Damn right hack it.

    Bend it over and have your way with it, because you bought it and you can do what you want with the stuff you bought, as long as you understand the consequences.

    If you don’t want to, then don’t…genius.

  17. If the 6G nano is ever hacked, i implore someone to PUT A F*#$#NG ALARM CLOCK ON IT. Supposedly it was a design decision not too, because it doesn’t have an external speaker but WHY DIDN”T THEY JUST LEAVE IT IN, now docks/speakers without built in alarms won’t have alarms at all.

  18. any of you have any idea about how u can change the function of every ke..

    for example making the volume down button do the function of sleep/wake button

    you see my sleep/wake button is stuck!!…so i was wondering if i can make the volume down button do that job!!

  19. What’s with all you Negative Nancies?

    For one, I want to hack it just for the fun of hacking it!

    And two, maybe I just want to see pointless little video loops flashing on that tiny screen.

Leave a Reply to Mike SzczysCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.