Difference between revisions of "Nano 4G"

From freemyipod.org
Jump to: navigation, search
m (Reverted edits by Owixyze (talk) to last revision by TheSeven)
Line 47: Line 47:
 
|  
 
|  
 
|}
 
|}
 +
 +
==Executing Code==
 +
As of now the only way to execute code on the nano 4g is through the [[Notes vulnerability]] and with [[Pwnage 2.0]]. As we don't know yet how to initialize the SDRAM on the nano 4g the only useful method is by using the Notes vulnerability. The only working note at the moment is an [[IBugger | iBugger loader]].
 +
 +
'''Attention''': The Notes vulnerability was patched in the v1.0.4 firmware update of the nano 4g. You need to [[Firmware_downgrading | downgrade to v1.0.3]] to still use the Notes vulnerability.
 +
 +
To run iBugger loader download the [http://files.freemyipod.org/targets/iPod%20nano%204g/n4g_ibugger_libusb1.zip nano 4g iBugger package]. To use the scripts in there you need a working [[Toolchain#Python_Scripts | Python Toolchain]]
 +
 +
Simply put the "n4g-ibugger.bootnote" in the "Notes" directory of your iPod and safely remove it. A Mandelbrot set should be displayed on the screen with some text stating it is Unified iBugger loader v0.1.1 running on Nano 4G.
 +
 +
To run [[emBIOS]] (which is most certainly what you want) run these commands:
 +
python ibugger.py upload 08000000 embios-ipodnano4g-rXYZ.bin
 +
python ibugger.py execute 08000000 0a000000
 +
You can then use the emBIOS tools to communicate with emBIOS
  
 
==Helpful pages==
 
==Helpful pages==

Revision as of 18:33, 10 January 2011

Nano 4g frt a.png Nano 4g bck a.png

Components

Label Component Part Markings Notes
2 CPU Samsung S5L8720 339S0049 ARM, K4X56323PI-KGC4, YWE025QH 825, APL0278A00, N1B2HOP 0831 ARM1136JZF-S processor. It is definitely worth knowing that this is the exact same processor used in the iTouch 2G. This could mean that some of the same exploits for that could possibly be used. Here is a very interesting page about the S5L8720 processor.
SDRAM 32MB, probably MDDR. Integrated into the processor, similar to the iPod Touch and iPhone lines.
4 Accelerometer LIS331DL 33DL, 2827 The newer Touch's, iPhone's, and even the iPad have similar accelerometers, and I've discovered a pattern in the chip names.
6 NAND Flash Varies TH58NVG6D1DLA87, U20516, JAPAN, 0826MAE
5 Audio codec Probably Cirrus 338S055C, 189N0824, SGP I determined this because the Nano 5G has a similar chip, which we are sure of the identity. One person lifted this chip and found that the pins connect to the LCD connector. Not much info was given, and it could just be a common ground, but the identity of this chip is still up in the air.
1 Power manager D1759 338S0687-AC, 08288HBB
3

Executing Code

As of now the only way to execute code on the nano 4g is through the Notes vulnerability and with Pwnage 2.0. As we don't know yet how to initialize the SDRAM on the nano 4g the only useful method is by using the Notes vulnerability. The only working note at the moment is an iBugger loader.

Attention: The Notes vulnerability was patched in the v1.0.4 firmware update of the nano 4g. You need to downgrade to v1.0.3 to still use the Notes vulnerability.

To run iBugger loader download the nano 4g iBugger package. To use the scripts in there you need a working Python Toolchain

Simply put the "n4g-ibugger.bootnote" in the "Notes" directory of your iPod and safely remove it. A Mandelbrot set should be displayed on the screen with some text stating it is Unified iBugger loader v0.1.1 running on Nano 4G.

To run emBIOS (which is most certainly what you want) run these commands:

python ibugger.py upload 08000000 embios-ipodnano4g-rXYZ.bin
python ibugger.py execute 08000000 0a000000

You can then use the emBIOS tools to communicate with emBIOS

Helpful pages

Teardowns:

Other: