How The First iPod Was Blown Wide Open

If someone makes a device, someone else will want to break it open and run their own software on it. When the original manufacturer is Apple, this is never made easy, and as [Daniel Stenberg] reminds us, in the case of one of the earlier iPod models it required an unusual approach.

In short, an HTML file was found that triggered a reboot, which meant a buffer overrun had been found in the firmware. After much experimenting, the memory location was found that would flash the backlight, and from there a piece of ARM code could be injected that dumped the firmware very slowly, one bit at a time, by flashing the light. Enough code could be extracted this way to find the address of the USB serial port, allowing new code to be written that dumped the firmware over USB. We remember the earliest models using FireWire instead of USB, so perhaps we can narrow this down to the 3rd or 4th generation. From there, enough could be deduced to run the Rockbox music player firmware. We remember seeing friends do this back in the day, something which was for a while the height of open-source coolness.

Fast forward twenty years or so, and we’re still covering people chipping away at Apple’s defenses. We don’t know whether a first-generation iPod could run Doom, but we know Rockbox was capable of it on other players.

Source: Manila Flash Report