Planetbeing has adapted the Pwnage 2.0 exploit to work on the iPod Nano and Classic line. This exploit is at the bootrom level, so it cannot be patched by Apple. Apple built in the functionality to upload a WTF recovery stage to the iPod when it is in DFU mode. There is a bug in the certificate parsing code that permits an unauthorized jump to an arbitrary location. It is also convenient that a payload can be embedded in the main body of the WTF. It is know that the entire WTF is copied to 0x22000000. If you put your exploit payload at 0x800 in the WTF, you should jump to 0x22000800.
To be continued...