The iPod 4G was very similar to its predecessors. The software was stored on the internal drive, kind of like the MBR of a PC. In addition, the iPod had a mode where it would act as a regular USB storage device (or firewire). That firmware was stored in a flash. Even with a blank drive the USB storage mode was always accessible. This made this whole hack somewhat safe.
With custom code put at the correct offset with some magic numbers in the right places the iPod would start executing code from the first sectors of its drive. This was just a dd if=mycode.bin of=/dev/sdb, so no exploit or anything special was needed. A few people on the #ipodlinux channel helped me with C and creating position-independent binaries without any external libraries. I had some experience writing a toy OS in assembler on x86 which came in handy.
The piezo was controlled by writing to some memory addresses. Someone else already figured that out. I toyed around with various values until I had two distinct noises, one for 0 and the other for 1. Then I write code for loop over a memory region one bit at a time while the piezo played either of those noises. I had audacity (an audio recorder) open on my computer and just started recording using a cheap dynamic microphone. The decoding software was embarrassingly stupid but I had no clue about signal analysis in 2005. It would have been possible to use a modulation method to speed up the process quite a lot. I opted for a compression algorithm instead.
I think I tried different memory regions until I found one that started with data that looked like ARM opcodes. When I found that region the final dump took a few hours over night.
After sending the extracted binary over to the other devs we had a kernel running not much later.
This project taught me a lot: ARM assembler, C, SDL (for visualization), sox (audio processing tools) and patching/porting the linux kernel for new hardware. It also got me job offers from a few big companies but I did not take any of them as I had different plans already. I kept on hacking and contributing to various open-source projects over the years, spent way too much time on hyper-optimizing crypto mining algorithms, and eventually got back to hacking more meaningful code again. Basically, my career after this hack has been almost exclusively open-source projects.
Till today, I use the "unhackable" iPod Nano 7g. I collected a ton of information what would be needed to hack it, but unfortunately, I did not have the time.
In case you are interested in getting functional / non-functional devices to experiment, reach out on https://pilabor.com (I'm from Germany).
My plan was to desolder the 16GB flash chip (it's LGA60) and try to reprogram it with a device like this:
https://de.aliexpress.com/i/32951067630.html
Maybe soldering it back on the iPod with this in between to debug / reprogram faster:
https://de.aliexpress.com/item/32844952323.html
Old iPhones (I think the 5s has the same LGA60 Nand) can be reprogrammed with a JC Pro 1000S Programmer, but they don't have a setting for iPods AFAIK. So maybe with a lot of effort it would be possible to use it to reprogram a Nand Chip having an Apple Serial No.
There also was a project called Nand-AID (https://www.timeextension.com/news/2023/04/modder-is-resurre...) providing a microSD-Card replacement for dead nands on the Wii U consoles. Sounded interesting to try on the iPod Nano 7G :-)
lemonjesus (https://github.com/lemonjesus/iPodBluetooth) created a bootloader Hack for the iPod Nano 3g enabling him to use a bluetooth device. He also made a youtube video about it.
But I never got into it too far. I just found out that milling out the backplate of an iPod Nano 7g can fit an iPod Mini 600mah battery and make it "replaceable" without opening the device again - so as long as the Nand does not die, I'll keep using my iPods :-)
The next device I'm planning to buy is the HiBy M300. It's way bigger but runs Android 13 and is a real DAP.
CUB3D recently got code execution on n6g/n7g via a freetype 1day (comex's star vuln/exploit, after using another bug which allowed disabling resource partition checks).
Perhaps it it was a shellcode exploit, he maybe only had a few hundred bytes of his own code to play with, and maybe no knowledge of memory addresses needed to access 'easier' peripherals like serial UART's.
It got rather warm, and just seemed crazy silly at the time. For context, smart phones weren't quite a thing yet and capacitative touch screens were an emerging technology.
Phone + Bluetooth is more convenient but something about the experience of the iPod, perhaps the lack of distraction makes it more visceral.
IIRC, a research group succeeded to extract the private key by power starving a server and analysis its power draw at the same time. OpenSSL had to implement some randomization to thwart it.
Looks like it's still something: https://medium.com/@shipeiqu1998/power-analysis-attack-how-t...
What do they say? Possession is nine tenths of the law.
If I have it in one hand and some time on the other, eventually I'll find out how it works. A security posture based on any other assumption is naive. Which is why appliance computing and DRM using "trusted consumer modules" is a fools errand.
EDIT: I missed the fact that there was already a "Linux on iPod" distro to build upon.
http://www.ipodlinux.org/stories/piezo
I got an iPod for christmas. The ipodlinux project was one of the main reasons for my choice and so I started exploring the iPod as far as I was able to. I patched the bootloader and got some basic code to run but there was no way to access any hardware other than the two CPUs yet. To get the LCD, Clickwheel and the harddisk working we needed to reverse engineer the bootloader in the flashrom. But to do that we first had to find a way to get that code. Seems quite impossible without any knowlegde about the IO-Hardware but I found a solution...I wound up deleting that one but I have another one I want to put through some kind of transcriber, curious what if any data is being transmitted.
Also: push-to-Siri is maybe the least convenient, but also least annoying and most consistent trigger. Apple Watch comes with "raise-to-Siri" on by default; picture chatting with someone while chilling on the couch, moving your wrist the wrong way, and Siri randomly interjecting based on something you said, taken completely out-of-context. I tend to disable features like these as soon as they come out.
This is exactly what I’m curious about with these calls, especially after reading the article and the curious transcription of the voicemail — might they be intended to trigger the watch or iPad or another iPhone or something when played aloud? Probably not but I’m curious.
Hackers just can’t catch a break. Linux is not illegal, free the bootloaders!
Was this a hardware mod? Is there information online about this process?