More iPod Nano 7G discoveries! gsch discovered that...

More iPod Nano 7G discoveries!

gsch discovered that if you boot diags from WTF (instead of from bootloader), you actually get a serial console... with full memory read/write.

Turns out this works because WTF ships with an EFI UART/Serial driver, but the bootloader doesn't. So if you run diags from WTF, you get that very nice serial console. And since both WTF and the bootloader are signed, you can just send them over DFU.

Who need exploits when you have built-in functionality? :)

Terminal:

:-) md 20000000 20
20000000: 00 F0 21 E1 00 F0 21 E1 00 F0 21 E1 00 F0 21 E1 |..!...!...!...!.|
20000010: 00 F0 21 E1 00 F0 21 E1 00 F0 21 E1 00 F0 21 E1 |..!...!...!...!.|
:-) memrw w 3c500048 0
Old value of address 0x3C500048 = 0x001BA585
New value of address 0x3C500048 = 0x00000000
:-) md 20000000 20
20000000: 28 00 00 EA 84 F0 9F E5 84 F0 9F E5 84 F0 9F E5 |(...............|
20000010: 84 F0 9F E5 00 F0 20 E3 80 F0 9F E5 80 F0 9F E5 |...... .........|
:-)

Like 6 January at 2:07 | Open on social.hackerspace.pl

6 comments

q3k :blobcatcoffee:

Which means if we want, we can actually make a 'super'-diags by combining EFI drivers from different payloads. We then end-up with a nicely debug enabled boot chain, with full serial logs and an EFI console which can even read FAT32 on NAND.

This requires signature bypass, as the EFI firmware volumes are signed as a whole, but we thankfully have that for a few days now! In fact, you just can now `wInd3x cfw superdiags` to get this.

Next step: custom drivers/modules... in Rust? :)

Terminal:

AppleMobile UEFI Oct 26 2012
(c) 2000-2010 Apple Inc.

Poe local build 1.0 (00A0001). Built by @ on Oct 26 2012 at 01:26:29 from changelist 9999.
Device Info: iPod N31 cpu S5L8740 (rev B1, production)

Terminal:

:-) blockdev
Firmware Volume Devices:
fv0: 0x0BFCF000 - 0x0BFF37FF : 0x00024800
fv1: 0x0BE7D000 - 0x0BEB9CFF : 0x0003CD00
fv2: 0x0BFC3000 - 0x0BFC43FF : 0x00001400
fv3: 0x0BC41010 - 0x0BC5170F : 0x00010700
fv4: 0x0B9FE010 - 0x0BBFE00F : 0x00200000
File System Devices:
fs0: Image1Fs: ReadOnly
fs1: :
Block IO Devices:
blk0: Size = 0x3B9ACA000
blk1: Partition Size = 0x3ADA8A000
blk2: Partition Size = 0xC000000
blk3: Partition Size = 0x4000
blk4: Partition Size = 0x3ADA4A000
:-) dir fs1:
<DIR> iPod_Control
0 .metadata_never_index
671,286 .VolumeIcon.icns
:-)

6 January at 2:12 | Open on social.hackerspace.pl

q3k :blobcatcoffee:

extremely normal binary

6 January at 2:23 | Open on social.hackerspace.pl

Andy

@q3k LMAO! DXE!

Are you doing naughty things again and try to run stuff on an iPod that somehow runs UEFI because Apple engineers thought "why the fuck not?" back in the day?

(edit: Oh lol, you actually do. I didn't see the thread at first. Top Mastodon user experience 👌)

6 January at 3:21 | Open on infosec.exchange

the vessel of morganna

@G33KatWork @q3k UEFI on the iPod lineup always had me a little stunned. certainly a choice

6 January at 3:51 | Open on social.treehouse.systems

Leah :spinny_cat_trans: :verifiedcat:

@q3k i actually have a 7g i'm excited for more discoveries with hacking it :3 also thank you @ellie for boosting this

6 January at 3:26 | Open on donotsta.re

Specjalna Shift extra flesz

@q3k Holy shit, @linus you could get Kiesel running in bootloader on an iPod Nano 7G

6 January at 6:12 | Open on chaos.social