Where Are We Now?
- The Rockbox bootloader boots on a 2G (but stops there for
now, because we are still missing drivers);
- We are able to execute arbitrary code in a stable
fashion on the nano (at least on firmware 1.1.3; we have
not tried the others yet, but they should also work with a
little patching);
- The iPod has a hardware crypto engine with a hardware
key that cannot be read out. The key is used directly to
decrypt the NOR flash, in contrast to the iPhone;
- We haven't managed to dump the decrypted NOR flash yet
because of some issues with that crypto hardware, which
we'll need to investigate further;
- Right now we have a debugger that connects to a PC via a
UART/serial port (we are still struggling to get it
working over USB as well);
- Getting iPodLinux or Rockbox to run on the iPod in a
usable fashion will still take at least months (the
biggest problem there is that we'll need to write lots of
drivers for all the hardware);
- The above statements are for 2G nanos. We haven't yet
seriously tried to get an exploit for the newer nanos
working, but we know of at least two vulnerabilities
that should be exploitable on them. We'll look into this
soon.
Current Goal(s)
- Writing a debugger that will connect the iPod to a PC
either via UART/serial port (done) or USB (ongoing);
- Cryptanalysis of the keys or the cipher scheme.
Possible Ideas to Investigate Further
- Identify the cipher algorithm (2008-01-07);
- List potential exploitable bugs;
- Understand iTunesDB internals [1];
- Write an exploit to execute arbitrary code;
- Look for a hardware way to dump memory at runtime;
- Rewrite and update documents.
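Since arbitrary code runs on the device but the crypto engine's key cannot be read out, one way to start on "identify the cipher algorithm" is to treat the engine as a black box and characterise it by single-byte perturbations: the block width falls out of how many output bytes move when one input byte is changed, and the chaining mode falls out of which other blocks move. The script below is an added example and is not code from this project; the nano's engine is not available here, so it probes a constructed toy engine (a keyed Feistel permutation over 16-byte blocks, deliberately not AES or any real cipher) wired up in ECB, CBC-decrypt and forward-chained variants. To use it on real hardware you would replace the toy `Oracle` with a function that feeds a buffer through the engine from the debugger and returns its output; that interface is assumed, not documented on this page.

```python
"""Black-box probe of a decryption engine: block size and chaining mode from
single-byte perturbations. The engine below is a toy stand-in, constructed
for this example; it is not the iPod's cipher."""
import hashlib
from typing import Callable, Dict, Set

Oracle = Callable[[bytes], bytes]  # maps an input image to the engine's output

# --- Toy engine (hypothetical stand-in for the hardware) ---------------------
BLOCK = 16                       # hidden from the probe, which must rediscover it
_HIDDEN_KEY = hashlib.sha256(b"hypothetical hidden key").digest()

def _toy_block_decrypt(block: bytes) -> bytes:
    """Keyed 16-byte bijection: 4-round Feistel network, SHA-256 as round function.
    Any change to one input byte diffuses to every output byte after 4 rounds."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(_HIDDEN_KEY + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def ecb_engine(data: bytes) -> bytes:
    """Each block handled independently (ECB)."""
    return b"".join(_toy_block_decrypt(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_decrypt_engine(data: bytes) -> bytes:
    """CBC decryption with a zero IV: P_i = D(C_i) XOR C_{i-1}."""
    out, prev = [], bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_toy_block_decrypt(c), prev)))
        prev = c
    return b"".join(out)

def cbc_encrypt_engine(data: bytes) -> bytes:
    """Forward chaining (CBC encryption direction): C_i = E(P_i XOR C_{i-1})."""
    out, prev = [], bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        prev = _toy_block_decrypt(bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

# --- The probe: everything below treats the engine as opaque -----------------
def _changed_positions(oracle: Oracle, base: bytes, pos: int, trials: int) -> Set[int]:
    """Union of output positions that change when input byte `pos` is XORed with
    several masks. The union matters: in one trial an output byte can stay the
    same by chance (about 1/256 per byte), so a single diff undercounts the block."""
    base_out = oracle(base)
    changed: Set[int] = set()
    for mask in range(1, trials + 1):
        mutated = bytearray(base)
        mutated[pos] ^= mask
        out = oracle(bytes(mutated))
        changed.update(i for i, (x, y) in enumerate(zip(base_out, out)) if x != y)
    return changed

def probe_engine(oracle: Oracle, total: int = 64, trials: int = 8) -> Dict[str, object]:
    """Return the engine's block size and a guess at its chaining mode."""
    base = bytes(range(total))  # constructed baseline input
    # 1. Block size: perturbing the LAST byte touches only the last block in ECB,
    #    CBC-decrypt and forward-chained modes alike, so the count of moved bytes
    #    is the block width.
    block = len(_changed_positions(oracle, base, total - 1, trials))
    if block == 0 or total % block != 0:
        return {"block_size": block, "mode": "unknown"}
    # 2. Chaining: perturb a byte inside the second block and see what else moves.
    pos = block + 1
    changed = _changed_positions(oracle, base, pos, trials)
    own = set(range(block, 2 * block))
    extra = changed - own
    if changed & own != own:
        mode = "unknown"                    # own block not fully diffused: not a block cipher
    elif not extra:
        mode = "ECB"                        # nothing outside the perturbed block moved
    elif extra == {pos + block}:
        mode = "CBC (decrypt direction)"    # CBC malleability: same byte of the next block flips
    elif extra == set(range(2 * block, total)):
        mode = "forward chaining (e.g. CBC encrypt direction)"
    else:
        mode = "unknown"
    return {"block_size": block, "mode": mode}

if __name__ == "__main__":
    for name, engine in (("ecb", ecb_engine), ("cbc-dec", cbc_decrypt_engine),
                         ("cbc-enc", cbc_encrypt_engine)):
        print(name, probe_engine(engine))
```

The block width alone narrows the candidate algorithms considerably (a 16-byte block rules out DES-family ciphers, for instance), and the chaining result tells you whether a dump of the decrypted NOR can be obtained block by block or whether preceding blocks have to be replayed as well. A real engine may also pad, reject non-multiple lengths or require an IV register; the probe reports "unknown" rather than guessing when the own block does not fully diffuse.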