Posted on December 27, 2010 by Revenge
So I won a pink 8GB iPod Nano at some awards I was at recently and hacked it on the flight home. I’ve successfully done a basic springboard hack, figured out how to bypass the cache comparison and uncovered some interesting stuff as to what’s to come on the iPod Nano.
The springboard hack is just the removal of an app and creation of a blank space. Not that amazing, but what’s important is the bypass of the Nano’s cache comparison, which compares any modded SB file and reverts it if it doesn’t like it. This opens up the possibility of hacking and modding, while not adding bootloaders or any of that fun stuff.
Next is the discovery in some of the device’s plists of references to support for Movies, TV Shows, Apps, Games, vCards, Calendar events and so on, with a few other cool things like a passcode lock. With the bypass I figured out, I hope to enable these pretty soon. It seems like the OS is a rehashed version of the previous Nano’s OS.
If we can get a bootloader or something on it, I think it’d be an awesome device and may be easier as it has disk mode available. Seemingly there is a difference between the PC and Mac formats of the device. You can follow or get involved in the new touch Nano hacking process at http://nanohack.me or follow me on twitter (@jwhelton) to track how I’m doing.
At the moment I’m still figuring out one or two things, but I’m gonna release a tutorial in the next day or two, which I’ll announce on Twitter.
Posted on December 28, 2010 by Revenge
Just a quick post before I go to bed: the iPod Nano hasn’t been “jailbroken” as some sites claim, I do not have root access over the device. I did not “install” an app. I figured out how to remove them and insert a blank space into the springboard.
What I have also done is figured out a way for the iPod to boot with modified files (eg the SpringBoard plist), bypassing the procedure it takes to stop this. I hope this will allow us to figure out a way to jailbreak it. I am primarily focusing on exposing some of the (for now) hidden features of the device.
The hack is simple. It may lead to greater things. I just don’t want people getting their hopes up that it’s jailbroken just yet, or what I have done to be blown out of proportion.
I’ll write up more tomorrow. Any questions, contact me on twitter: @jwhelton
Posted on December 29, 2010 by Revenge
Before I start posting exploits, tutorials and whatnot here, I just wanna get a few things down.
Jailbreaking real possibility: The hack and things I’ve been playing around with and have done use the already available ‘disk use’ of the device. The hack is simple, like Forrest Gump simple; the importance is that the Nano hack got attention and thankfully attracted some kickass hackers and developers who wish to work on it with me, and I’m gonna be doing all I can to facilitate this. iPod Nano hacking is nothing new (http://ipodlinuxinstl.sourceforge.net/). If I am correct and it is a rehashed version, then there’ll be a few bugs and pre-existing code can be used to hack it. Dudes, gimme time :)
Introducing the SyncTug: (blame DarkMalloc for the name). The SyncTug is the process of hard-rebooting the iPod Nano (by holding down the minus volume button and lock button at the same time) and, as soon as it begins to reboot (screen flashes black for a moment), unplugging the iPod cable from it. See, normally when a user edits a file and disconnects the Nano, the Nano compares the modded file to its current cache and reverts the modded file to its original state, thus removing any mod. By SyncTugging it, the Nano is forced to boot using this modded file, bypassing this cache comparison. It’s simple, but it works! Using this, one could edit the Icon State plist to reveal hidden icons!
The Fear: My own fear is that people have over-hyped a simple hack I did to remove icons; however this ‘hype’, as mentioned, allowed better devs and hackers to contact me. I plan on learning a lot on this hacking trip and do some serious stuff; this silly hack is a starting point.
All this is very small progress, but hell, it’s better than where 6G Nano hacking was 2 days ago. The current goals are small measurable steps like custom clock faces and backgrounds; longer term is fully jailbreaking it and maybe even Linux on it. Be patient :)
Also a useful site is http://www.freemyipod.org/wiki/Main_Page, who’ve hacked the older iPod Nanos and are now also looking at the 6G.
Posted on December 29, 2010 by Revenge
This tutorial enables you to remove apps from the 6G iPod Nano Springboard and insert blank spaces into the springboard. The iPod Nano in this is running the current 1.0 firmware and is Windows formatted; I have not yet tested this with a Mac formatted one. It’s fairly basic and simple, but it shows that booting with a user modded file is possible, is a nice proof of concept and is the first small ‘hack’ as such for the new iPod Nano. Before doing this, read the iPod Nano hacking primer I wrote here: http://nanohack.me/?p=33
- Make sure “Enable disk use” is ticked in iTunes when the Nano is plugged in.
- Go to My Computer and then into the Nano. Enable hidden folders and go into the iPod_Control, then into Device.
- Make a backup of IconState.plist (save it to your desktop or something) and then proceed to open the original with Notepad or any text editor. Here is what you’ll see:
- For this tutorial I removed the SBPhotos part of the corresponding string and deleted the SBAlbums and SBGenres. (Note: you aren’t actually deleting the apps, simply removing their visibility from the system).
- Save this file.
- SyncTug it: hold down the minus volume button and lock button at the same time and as soon as it begins to reboot (screen flashes black for a moment), unplug the iPod cable from it.
- Watch it boot and show that the Photos and Genres apps are missing and there is a space before the Settings app.
It’s that simple, and the same ‘SyncTug’ technique can be used on the iPodSettings.xml file to change stuff like wallpaper and whatnot (so far just playing, I’ve altered a few settings with it, have not looked greatly into it). Play around with it and post your findings. In case you muck something up, just connect it to your computer, replace the IconState.plist with the backup we made earlier and SyncTug. Failing that, simply restore in iTunes. Something to note also is that if you attempt to press down on an icon and move it, the iPod nano will do a quick reset as it can’t understand why the hell there’s a blank space. The iPod will also sync fine in iTunes and retain this hack.
Posted on December 29, 2010 by Revenge
Was on iChat with my buddy Steven Troughton-Smith and he made some interesting progress. This is taken from his blog:
After musing with James Whelton about his iPod nano homescreen hack (http://nanohack.me/), I set out to see if there was anything interesting you could do to the iPod.
Discovered what may be DFU mode: hold down the restart buttons until you get a black screen (it reboots twice) and iTunes sees the device and alerts you.
Afterwards, modified iRecovery to work with the iPod nano (had to add its DFU/Recovery USB ID) and allow it to send files, and tested with some files I had extracted from the iPod nano 6G firmware (using the extract2g tool somewhere from http://www.freemyipod.org/ ).
disk.fw and osos.fw work (one boots disk mode, the other boots to a homescreen). The other files make the nano boot to a white screen, but go no further.
So, basically, it seems we can send encrypted firmware files to the iPod, and have them execute, similar to what is used to jailbreak the iPhone. If the nano rejects the file (i.e. unsigned, invalid), it reboots.
While this by itself isn’t that cool, hopefully the info will inspire someone else to finally hack this thing and give us custom ‘apps’.
Make sure to click ’720p’ to see what’s going on.
I’ll be talking to Steven tonight, so we’ll see what we can do with this new discovery. Visit the original post: http://blog.steventroughtonsmith.com/2010/12/ipod-nano-6g-irecovery.html
Posted on December 29, 2010 by Revenge
For any of you wanting to poke around with the 6G 1.0 firmware, here’s a link to it:
http://appldnld.apple.com/iPod/SBML/osx/bundles/061-9054.20100907.VKPt5/iPod_1.0_36A00403.ipsw
Posted on December 29, 2010 by Revenge
If you wanna poke around the 6th generation Nano firmware, here’s how to dump the firmware:
- Download the current 1.0 Nano firmware from: http://appldnld.apple.com/iPod/SBML/osx/bundles/061-9054.20100907.VKPt5/iPod_1.0_36A00403.ipsw
- Rename iPod_1.0_36A00403.ipsw to iPod_1.0_36A00403.zip and unzip it.
- Download Extract2g from here, cd to the same folder as the files and build it (using the make command in Terminal: make -f Makefile).
- In the unzipped iPod_1.0_36A00403 folder you’ll find a file called Firmware.MSE; drag that into the same folder as your built Extract2g file.
- Now in Terminal, while in the same folder, go:
./extract2g -A -4 Firmware.MSE
- That will dump the fw files as shown in the screenshot above.
(Credit to FreeMyiPod.org - http://www.freemyipod.org/wiki/Extracting_firmware)
Posted on December 29, 2010 by Revenge
DarkMalloc has successfully started to reverse engineer the header of the firmware; check it out here: https://github.com/DarkMalloc/Nanotomy/blob/master/Apple8723Container.h
Posted on December 30, 2010 by Revenge
Hey guys, to fill you in, Steven Troughton-Smith and DarkMalloc have successfully mounted the Nano’s resources. Here’s a screenshot:
This is great progress in hacking the Nano and discovering how it works and its structure. Also unearthed are strings from the device; you can take a gander at the text file here: http://nanohack.me/files/SilverDB.txt. Strings that interest me are:
A microphone is required for recording.
Please connect a microphone to continue recording.
The microphone has been disconnected.
Please reconnect the microphone to continue recording or stop and save.
Delete Memos
Delete Memo
This rental has expired.
You can resume to finish your movie.
World Clock
Alarms
Stopwatch
Timer
Time On Wake
Enter Passcode
Re-enter Passcode
Wrong Passcode
Try Again
Enter Old Passcode
Enter New Passcode
Enter a different passcode
slide to unlock
TV Programmes
Films
Camera Videos
%d Video Playlists
1 Video Playlist
%d Movies
1 Movie
%d TV Shows
1 TV Show
Episode %d of %d
Chapter %d of %d
Chapter %d
Lyrics detected, but unable to retrieve
Running
Soccer
Stepper
Walking
Calibrate Workout
Run Calibration
Walk Calibration
Reset Walk
Reset Run
If you’ve already calibrated your stride, this will undo that calibration
Sensor Found
Searching…
Heart Rate Monitor
Please wear Heart Rate Monitor
Linking Monitor
iPod has not found a Heart Rate Monitor
iPod has found the new Heart Rate Monitor
iPod is already linked with a Heart Rate Monitor
iPod will no longer be linked to Heart Rate Monitor
Unlinking Monitor
Heart Rate Monitor has been unlinked
iPod has detected multiple Heart Rate Monitors
This movie cannot be played.
Please reconnect to iTunes to watch this movie.
Reconnect to iTunes
Delete this unwatched movie?
%s expires in 1 day.
%s expires in %d days.
%d Days Remaining
1 Day Remaining
%d Hours Remaining
1 Hour Remaining
%d Minutes Remaining
1 Minute Remaining
Rental Has Expired
Expires in %d Days
Expires in 1 Day
Expires in %d Hours
Expires in 1 Hour
Expires in %d Minutes
Expires in 1 Minute
Camera Roll
Events
Faces
Places
%d Events
1 Event
%d Faces
1 Face
%d Places
1 Place
Slide
Push
Fade Through Black
Zoom
Cube
Flip
Ken Burns
Origami
Enable TVOut?
Please connect TVOUT cable
Radio
Delete
Scan Logging
%u Station Found
%u Stations Found
Local Stations
Favorites
Tagged Songs
Recent Songs
Radio Band
Write Scan Log (TEST)
Edit
Done
Clear
Refresh
Favorites
No Favorites
Press the Favorites icon in the tuner to save the tuned station.
Tagged Songs
No Tagged Songs
Press songs marked with the Tag symbol. Sync with iTunes to preview and purchase available Tagged songs.
Recent Songs
No Recent Songs
Listen to the Radio to view a list of recently played songs you can Tag and sync to iTunes.
Radio
Passcode OK !
Power up key OK !
Cell Background
This
is a
pretty
little
table
Unlock Screen
Power Down Screen
slide to power off
Cancel
Insert Cell
Append Cell
Delete Cell
Rearrange Cells
Games
Debug Apps
Video Camera
Piezo Test
Voice Memos
Label
Recording
There are references to a Slide to Unlock function, apps, games, a camera, movies and more! A massive find! Follow this site and myself (@jwhelton), @DarkMalloc and @stroughtonsmith on Twitter for more breaking news.
Posted on December 30, 2010 by Revenge
DarkMalloc has been coding some iPod Nano 6G hacking tools. He’s just finished Secformation, a command line tool that provides information on various .fw files. Grab it from GitHub!
mattlawer says:
December 30, 2010 at 9:30 pm
I have :
Magic: 8723
Version: 2.0
Format: 0x3
Unknown 1: 0x0
Size of Data: 0x8580d4
Footer Signature Offset: 0x858d43
Footer Certificate Offset: 0x858160
Footer Certificate Length: 0xbe3
Salt:
Unknown 2: 0x0
Epoch: 0x0
Header Signature: 24986b5c6c8aacea6ac3aeb6d02334dd2fe7a8a5
Padding:
Posted on December 30, 2010 by Revenge
Discovered by Steven Troughton-Smith and DarkMalloc, here is how to mount the 6th gen iPod Nano’s resource partition. The prerequisite is that you have extracted the 9 partition files using Extract2G, following this guide here: http://nanohack.me/?p=51
- Open Terminal and cd into the folder containing the extracted firmware files
- Run this command:
dd if=rsrc.fw of=rsrc.img iseek=2 count=284672
- The file rsrc.img will be created. Click it in Finder to mount it.
- Have fun exploring.
This partition contains SilverImagesDB.LE.bin (‘Silver’ = codeword?), the file which contains all the images for the Nano OS. If we can mod it and get it back onto the Nano, theming, custom clock faces, custom backgrounds and so on should be possible.
Here is Steven’s blogpost about it: http://blog.steventroughtonsmith.com/2010/12/mount-ipod-nano-6g-resource-partition.html
Zom-B says:
December 31, 2010 at 3:53 pm
For Windows users, you can use OSFMount (free software) to mount the img file.
I’ve programmed a BIN file unpacker and I’m currently programming an image viewer as they seem to be in a proprietary format.
File formats for BIN and the images:
http://pastebin.com/3y4CqSTU
When you run extract2g (-4 -A) against the iPod firmware.MSE file, you end up with nine partitions. Eight of those are encrypted, so not much use right now (asides disk.fw and osos.fw, which you can force-boot using iRecovery). The ninth partition is the resource partition, which is not encrypted, so you're able to extract the contents (a FAT16 disk image, no less).
Use the following command to strip the header and extract the file:
dd if=rsrc.fw of=rsrc.img iseek=2 count=284672
(If you're not working from the 1.0/36A00403 firmware bundle, you can strip the first 1024 bytes from the rsrc.fw file, and run fdisk on it to find the sector count - 'fdisk -e rsrc.fw'. For the 1.0 bundle, the sector count is 284672).
Double-click the resulting .img file on Mac OS X to have it mount so you can browse it. There's not a lot of interesting stuff there (fonts, etc), but there are two files of interest: SilverDB and SilverImagesDB. SilverImagesDB contains all the image resources for the OS; wallpapers, icons, buttons, etc, including some curious leftover pieces like camera shutter images.
'Silver' I presume is the name or codename of the UI framework on the iPod's Pixo OS (similar to how 'Purple' was used to describe iPhone apps).
Maybe once we find a way to flash a modified rsrc partition back to the iPod (remember, it's not encrypted) then you should, in theory, be able to modify wallpapers and other images/resources.
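As an added example (not code from nanohack.me, Steven’s blog or the Nanotomy project), here is the dd step from the mount how-to and Steven’s fdisk note done in Python: it strips the 1024-byte header (dd’s iseek=2 at the default 512-byte block size) and then reads the sector count out of the MBR partition table instead of hard-coding 284672, so the signature/certificate footer after the image is left out. It assumes the stripped image starts with a classic MBR, which is what the fdisk step implies but which I have not checked against a real rsrc.fw; the sample input is constructed.

```python
import struct

SECTOR = 512
HEADER_SECTORS = 2  # dd iseek=2 at the default 512-byte block size skips 1024 bytes

def strip_fw_header(fw: bytes) -> bytes:
    """Drop the container header that precedes the raw disk image in rsrc.fw."""
    return fw[HEADER_SECTORS * SECTOR:]

def mbr_partitions(image: bytes):
    """Read the four 16-byte MBR entries at offset 0x1BE (assumes a classic MBR).
    Returns (type, start_lba, sector_count) for each non-empty entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR image")
    parts = []
    for i in range(4):
        entry = image[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            parts.append((entry[4], start_lba, count))
    return parts

def image_sector_count(image: bytes) -> int:
    """The count= value for dd: the end of the last partition, MBR included."""
    parts = mbr_partitions(image)
    if not parts:
        raise ValueError("MBR has no partition entries")
    return max(start + count for _, start, count in parts)

def extract_rsrc_image(fw: bytes) -> bytes:
    """Same effect as: dd if=rsrc.fw of=rsrc.img iseek=2 count=N, with N from the MBR,
    so whatever follows the disk image (footer signature/certificate) is dropped."""
    image = strip_fw_header(fw)
    return image[: image_sector_count(image) * SECTOR]

def build_sample_fw(start_lba: int = 1, count: int = 63, footer_len: int = 100) -> bytes:
    """Constructed stand-in for rsrc.fw (not real firmware): 1024-byte header,
    an MBR with one FAT16 (type 0x06) entry, the partition body, then a fake footer."""
    header = b"HDR".ljust(HEADER_SECTORS * SECTOR, b"\x00")
    entry = bytes([0x80, 0, 0, 0, 0x06, 0, 0, 0]) + struct.pack("<II", start_lba, count)
    mbr = b"\x00" * 0x1BE + entry + b"\x00" * 48 + b"\x55\xaa"
    body = b"\xcc" * ((start_lba + count - 1) * SECTOR)
    return header + mbr + body + b"\xff" * footer_len

if __name__ == "__main__":
    img = extract_rsrc_image(build_sample_fw())
    print(len(img) // SECTOR, "sectors ->", len(img), "bytes")
```

To use it on a real dump, replace build_sample_fw() with the bytes of rsrc.fw and write the returned bytes to rsrc.img.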
Hi, any updates?