Dumping the nano bootloader – A quick summary
The Notes' bug
On 14 February 2009, Taylor (n00b81) first found a bug in the 'Notes' application (see here). This bug was indeed a buffer overflow, presumably because the filesystem of the iPod Nano cannot handle files with very long names and crashes if one is encountered. It can be reproduced as follows:
- On your computer, create an HTML file containing only the following code:
<a href="A<267 times>">Crash!</a>
- Plug in your iPod Nano and copy this file into your iPod's 'Notes' application.
Once this is done, your iPod should reboot endlessly...
To get out of this, first put your iPod into 'Disk mode' (hold 'Play/Pause' and 'Select' together for a while). Then plug your iPod into your computer and remove the HTML file. Finally, reboot your iPod (hold 'Menu' and 'Select' together for a while).
This bug seems to have been confirmed on iPod Nano 2G/3G/4G.
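Because recovery means finding and deleting the offending note by hand in Disk mode, it helps to spot such a file before it is copied onto the device. The scanner below is an added example, not code from the original article: it parses every note's HTML, collects the href values of its links, and flags any that reach the 267-character length the article reports as the crash trigger (the exact limit on the device is unknown, so the threshold is an assumption taken from that figure).

```python
"""Scan iPod 'Notes' HTML files for over-long link targets.

Added example, not from the original article. It assumes the crash
trigger is simply an href value that is too long, as the article
describes, and takes the article's 267-character figure as the limit.
"""
from html.parser import HTMLParser
from pathlib import Path

# Length at which the article reports the Notes application crashing.
# The real limit on the device is unknown; this is the reported value.
MAX_HREF_LEN = 267


class LinkCollector(HTMLParser):
    """Collect every href value found in <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "a":
            return
        for name, value in attrs:
            if name.lower() == "href" and value is not None:
                self.hrefs.append(value)


def find_long_hrefs(html, limit=MAX_HREF_LEN):
    """Return the hrefs in `html` whose length reaches `limit`."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [h for h in parser.hrefs if len(h) >= limit]


def scan_notes_dir(notes_dir, limit=MAX_HREF_LEN):
    """Map each .htm/.html file under notes_dir to its risky hrefs."""
    report = {}
    for path in Path(notes_dir).rglob("*"):
        if path.suffix.lower() not in (".htm", ".html"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        long_links = find_long_hrefs(text, limit)
        if long_links:
            report[str(path)] = long_links
    return report


if __name__ == "__main__":
    # Constructed samples: the crash note from the article and a harmless one.
    crash_note = '<a href="%s">Crash!</a>' % ("A" * 267)
    safe_note = '<a href="chapter2.html">Next chapter</a>'
    print([len(h) for h in find_long_hrefs(crash_note)])  # [267]
    print(find_long_hrefs(safe_note))                     # []
```

Run `scan_notes_dir("/Volumes/IPOD/Notes")` (path is an assumption; use your iPod's mount point) to get a dict of offending files and their long links.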
Reaching the debug mode of the Samsung S5L8701
Once the bug had been found, exploiting it was extremely hazardous without any knowledge of what happens in memory. Efforts were therefore focused on finding a way to enable the debug mode of the iPod Nano's CPU (an ARM-based Samsung S5L8701). Here is a quick summary of the events in chronological order:
- 13 May 2009: tof starts the analysis of the S5L8701;
- 31 May 2009: Dan Andrew gives away a silver iPod Nano for tof's analysis;
- 14 Jun 2009: tof (with the help of Cory Walker) finds the JTAG;
- 20 Jun 2009: tof activates the ARM core debug mode, but a few problems remain;
- 25 Jun 2009: tof and Taylor try to exploit the vulnerability in debug mode, but the dumps are difficult to read;
- 25 Jun 2009: a first prototype of the parser is coded by Bahattin Tozyilmaz with the help of Cory and Taylor on IRC;
- 25 Jun 2009: a second dump sorter is coded by Cory Walker (dumpsorter.py);
- 01 Jul 2009: tof manages to get a dump out of the iPod Nano;