Lego IPod Hacking Robot


The Linux4nano project has been working to port the Linux kernel onto the iPod Nano along with other iPods in general. Although the iPodLinux project has had luck with some older iPods, newer models protect firmware updates with encryption. One of the ways they plan on running code on the device is through a vulnerability in the notes program; it causes the processor to jump to a specific instruction and execute arbitrary code. To take advantage of this, they first need to figure out where their injected code ends up in the memory. Currently, they are testing every memory location by painstakingly loading in a bogus note and recording its effect. Each note takes about a minute to test and they have tens of thousands of addresses to check over several devices.

Although they’ve cracked the 2G Nano, they still have a lot of work ahead of them. To make it easier, they’re working on automating it with button-pressing Lego Mindstorms-based robots. Dubbed Nanotron 3000, this line of robots can press the 3 buttons needed to test the iPod. Ideally, these robots should be able to go through over 23,000 addresses a day, which is much more efficient than doing it by hand. With luck, they’ll crack it soon.

Related: iPhone Linux

[via NYC Resistor]

14 thoughts on “Lego IPod Hacking Robot

  1. More vendors are figuring out starting packed signature chains from unmodifiable resources is the way to go on embedded devices for integrity. Now if they can just start using page locking.

    On an unmodified signature chain with page locking bus tapping and code modification are useless if the feature are implemented right. You add LPAR it’s actually impossible without die modification which nobody can do. They use LPAR on the ps3 for almost every and the vital code is in a local store controller the host lpar..

  2. totally agree with hiroe, don’t have any clue why they don’t just wire up the darn switches directly to a uC. Definitely won’t fry it if you know what you’re doing, and if you’re really concerned just use a relay. I’ve got several MP3 players hooked up like this for cheap media playback for quite a number of my projects.

  3. Its the psp all over again, I bought the dam thing, now your trying to tell me what I can do with 250 dollars I spent. Screw that I bought it Ill do what I like, and if you “protect” it I am well within my rights to break said protection. Why do companies always try to limit what can be done with their tech. I understand when it’s software, but the hardware is already bought. As long as companies lock their physical product then Well keep hacking it.

  4. We should definitely help out the linux4nano team some more I heard a guy say if they got a 3rd gen donation they could have those hacked as well. anyone hav a 3g….??????

  5. @mykeyfinn: This issue has to do with licensing. I can’t really say for certain why apple would do this, but in the case of the PSP, the development costs of the PSP are subsidized by the sale of games and accessories. If you run whatever code *you* want to run on the device, it breaks the subsidy chain. In other words, it all comes down to money and Sony wants to ensure that they make money on the device. This is especially true when these devices are being sold at a price point that’s below the build cost. The PS3 is a perfect example of a device that (used to) cost more to manufacture than the price consumers paid for it.

    But anyway… I’ll agree with others that commented saying that building the bot is way over complicating things. Take it apart and wire directly to the button contacts. It would probably be faster and you wouldn’t wear out the buttons iteratively running tests.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.