Code execution on the iPod nano 6th and 7th generation

This tool builds a modified firmware image that abuses two iPod bugs in order to gain code execution:

By swapping the 'disk' and 'osos' sections in a firmware image, the iPod will boot into the standard RetailOS when holding the buttons for disk mode. But, when booting into disk mode the iPod won't verify the 'rsrc' partition as disk mode usually doesn't use it.

By using a malformed OTF font, we can trigger a stack overflow in CFF parsing. See src/exploit.rs for details

Custom SCSI command added that can read/write memory and execute arbitrary code.

For python3:

pyfatfs
fonttools

Native:

arm-none-eabi-gcc

• iPod Nano 6th Generation
• iPod Nano 7th Generation (Mid 2015)

Some devices are not able to boot into DFU, this may be caused by a non-functional battery.

Bad payloads, incorrectly packed firmware and many other causes CAN and HAVE caused permanent bricks.

# Build the patched firmware
cargo r --release -- --device=nano7-refresh

# Flash Firmware-repack.MSE over DFU

# Enable the VROM clock gates
sudo sg_raw -o /dev/null -r 512 -vvv /dev/sdc c6 96 04 00 00 00 00

# Dump the rom
cd tools/scsi_dumper
cargo r --release -- 0x20000000 0x10000 n7g_bootrom.bin

See tools/scsi_decrypter

Base.ttf is one of the payloads from star, used as a CFF template

helpers/viafont/original sourced from here

q3k for the SCSI handler example and for wInd3x

760ceb3b9c0ba4872cadf3ce35a7a494 for ipodhax which inspired a lot of the firmware un/packing code