Finding a bug is tedious but not overly
difficult (just do a lot of poking around). Finding an exploitable bug
is harder (just hope it's a buffer overflow). Finding an exploitable bug
that can execute a payload is even harder (i.e. the buffer overflow must
allow enough payload code to actually do something useful). Finding an
exploitable bug that can execute a payload with privileges would mean a
"cracked"/"unlocked"/"hacked" device. For game consoles, it's much easier
since 1) the systems are so overly complicated with so many features
that there's many areas to poke, 2) the systems already have this
"executable" environment ready so hackers can write their own custom
"game" payload that can lead to loading homebrew, and 3) the user base
is so much larger and the benefits very real. For something like the
iPod, features are limited, functions are simple, and the user base is
small - people generally expect their iPods to play music and nothing
else, so there's generally little interest in hacking without much of an
end result; people who do get involved usually do it as a hobby or a
learning experience (the case for myself).
iPod exploits such as
the notes header crash is probably a buffer overflow, but not really a
big one, not easily exploited, and very unlikely to be able to lead
anywhere outside of the notes functionality (the minimalistic html
engine they use was probably written in-house as well so it probably
doesn't allow for much playing around with). The libtiff exploit isn't
too unexpected considering the open-source nature of libtiff and its
general instability/oddity as an image format with many known/previous
bugs. It led to exploiting the PSP and the iPhone (silly enough the
exploits were almost identical) but as far as I know, the libtiff bug
found on the iPod is nothing more than a mishandling bug/error/lazy
coding for dealing with tiff images with a 0 dimension. Exploitable?
Maybe. Unfortunately as far as I can tell, the discoverers of the bug
haven't a clue about hacking. The most probable source of actual
exploitation would of course be the iPod games. Find a bug in their
encryption-checking or a bug allowing circumventing of the encryption
checking and you'll be able to run your own custom "game"/homebrew
launcher. There's been much documentation on it and analyzing of formats
but as far as I know, not many discoveries. You can make a custom game
that crashes the iPod by creating a malformed game, but finding out what
crashes and where would require analyzing a dump of the iPod's memory
at the time of the crash, which would require some expensive hardware
equipment. It's been done before (by Badblox I think was his name and
some people on the iPodWizard forums I think) but I don't think it's been
repeated much and I guess finding the right people with access to the
right equipment and convincing them to spend time/money for a small
project for a small crowd isn't too easy.
Remember that even the
original iPodLinux on the 1st/2nd gens was mostly done by a few
individuals, particularly driven by David Carne (davidc) and Bernard
Leach (leachbj), just "because they can". Later support was thanks to
Nils Schneider (nilss) and his famous "piezo hack". Again, driven by
interest/hobby, access to some fancy equipment, and lots of free time.
Thereafter it was mostly a bunch of random people interested in this and
that and contributing here and there - latest "breakthrough" I guess
would be Vincent Huisman (datagh0st)'s work in adding 5.5G support to
the kernel. There are still small groups such as the nano 2G working on
documenting and hopefully reverse engineering the nano 2G's firmware
(they have the equipment and they have the support of a few univ profs I
believe), but other than that, there's not much active work. Nothing
compared to the interest and involvement level of homebrew communities
for things like gaming consoles. Just look at the Zune "hacking"
community. As far as I know (note that I don't bother keeping up), all
the "hacks" discovered so far are nothing more than "tricks". On the
other hand, look at the upcoming Pandora hand-held gaming console. With an
already-established strong development community from the GP2X,
exceedingly powerful hardware (touch screen + d-pads + analog sticks +
full QWERTY keyboard + wifi + 900MHz + 600 MHz processor + more), and
full open-source nature, it won't be surprising to see PSP/etc. devs
flock to the scene (I personally can't wait until they sort out the
manufacturing issues and open up ordering again). A device with good
hardware and potential will naturally attract developers compared to a
small, limited device such as the iPod.
Long post short, yes,
finding a buffer-overflow in the firmware would be ideal but there's
just not enough people interested. Can the new iPods be hacked? Most
likely yes. Will they get hacked? Eventually by some random bored
individual or by a small interest group. Will it happen any time soon?
Maybe, maybe not, but likely no. I'm just a software programmer and
semi-hobbyist, not a hacker, so I can only speculate.
~Keripo
Need iPodLinux? See Project ZeroSlackr -> http://sourceforge.net/projects/zeroslackr/