760ceb3b9c0ba4872cadf3ce35a7a494 / ipodhax

my work on iPod nano 6g and 7g pwning

ipodhax

my work on iPod nano 6g and 7g pwning. right now we have no code-exec on these devices.

MSE

MSE is a container format for multiple IMG1s. it is present in IPSW files with the name Firmware.MSE.

each IMG1 is assigned a name. the nano 6g has disk, diag, appl, lbat, bdsw, bdhw, chrg, rsrc, and osos, with the 7g adding fv00 and gpfw.

see https://freemyipod.org/wiki/Firmware for (incomplete) technical details!

unpack

unpacks an MSE file into a directory as a series of IMG1 files.

from pathlib import Path
from ipodhax.mse import unpack_mse

input_path = Path("Firmware.MSE")
output_dir = Path("firmware")
output_dir.mkdir()

with open(input_path, "rb") as mse_stream:
  unpack_mse(mse_stream, output_dir)

pack

packs a directory containing IMG1 files into an MSE file.

from pathlib import Path
from ipodhax.mse import pack_mse

input_dir = Path("firmware")
output_path = Path("Firmware.MSE")

with open(output_path, "wb") as mse_stream:
  pack_mse(mse_stream, input_dir)

IMG1

IMG1 is an image format used by non-iOS iPods based on the S5L CPU (there are a lot of them) and some early iOS devices.

newer IMG2 and IMG3 formats were used in newer iOS devices, and the IMG4 format lives on in iOS and Apple Watch devices to this day. however non-iOS iPods (classic, nano, and shuffle) continued to use the IMG1 format, and starting with the 4th generation nano a newer 2.0 version of IMG1 is used, which this code implements.

see https://freemyipod.org/wiki/IMG1 for technical details!

unpack

unpacks an IMG1 file into a directory containing head.json, body.bin, cert.bin and sign.bin.

from pathlib import Path
from ipodhax.img1 import unpack_img1

input_path = Path("firmware") / "rsrc.img1"
output_dir = Path("rsrc")
output_dir.mkdir()

with open(input_path, "rb") as img1_stream:
  unpack_img1(img1_stream, output_dir)

pack

packs an unpacked IMG1 directory into an IMG1 file.

from pathlib import Path
from ipodhax.img1 import pack_img1

input_path = Path("rsrc")
output_path = Path("rsrc.img1")
device = 6  # 6th or 7th generation

with open(output_path, "wb") as img1_stream:
  pack_img1(img1_stream, input_path, device=device)  # read from the unpacked directory, not the output file
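
to check a pack/unpack round trip, or to see which parts an edit touched, two unpacked IMG1 directories can be compared part by part. this is an added example, not code from ipodhax; it assumes head.json is plain JSON, and the sample directories and header keys are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File names are the ones the README lists for an unpacked IMG1 directory.
BINARY_PARTS = ("body.bin", "cert.bin", "sign.bin")
HEADER_PART = "head.json"


def part_digests(unpacked_dir):
    """Return a SHA-256 hex digest for each part of an unpacked IMG1 directory."""
    unpacked_dir = Path(unpacked_dir)
    missing = [n for n in (HEADER_PART, *BINARY_PARTS) if not (unpacked_dir / n).is_file()]
    if missing:
        raise FileNotFoundError(f"{unpacked_dir}: missing {', '.join(missing)}")
    digests = {n: hashlib.sha256((unpacked_dir / n).read_bytes()).hexdigest() for n in BINARY_PARTS}
    # Assumption: head.json is plain JSON. Hash a canonical form so that key
    # order and whitespace differences are not reported as changes.
    header = json.loads((unpacked_dir / HEADER_PART).read_text(encoding="utf-8"))
    canonical = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    digests[HEADER_PART] = hashlib.sha256(canonical).hexdigest()
    return digests


def changed_parts(before, after):
    """Names of the parts whose content differs between two unpacked directories."""
    a, b = part_digests(before), part_digests(after)
    return sorted(name for name in a if a[name] != b[name])


def write_sample(directory, header, body):
    """Constructed stand-in for an unpacked IMG1 directory (placeholder bytes, not firmware)."""
    directory.mkdir(parents=True)
    (directory / HEADER_PART).write_text(json.dumps(header), encoding="utf-8")
    (directory / "body.bin").write_bytes(body)
    (directory / "cert.bin").write_bytes(b"constructed-cert")
    (directory / "sign.bin").write_bytes(b"constructed-sign")
    return directory


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical header keys; the real head.json schema is not shown in this README.
        original = write_sample(root / "rsrc", {"a": 1, "b": 2}, b"original body")
        reordered = write_sample(root / "rsrc_rt", {"b": 2, "a": 1}, b"original body")
        edited = write_sample(root / "rsrc_mod", {"a": 1, "b": 2}, b"edited body")
        return changed_parts(original, reordered), changed_parts(original, edited)
```
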

License:MIT License