Skip to content

m-gsch/S5Late

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
stub.bin
stub.bin
 
 
stub.c
stub.c
 
 

Repository files navigation

S5Late

Tethered iPod bootrom/DFU exploit.

Currently only supports Nano 7G, to support Nano 6G offsets need to be updated.

Running

  • Put your iPod into DFU mode.
  • Then run:
./S5Late hax

[2024-12-15T23:11:34Z INFO  S5Late] We found an Apple Device in DFU mode.
[2024-12-15T23:11:34Z INFO  S5Late] Succesfully exploited the device!

If the exploit ran succesfully now you can load unencrypted images without signature by running:

./S5Late load <image_path>

[2024-12-15T23:04:19Z INFO  S5Late] We found an Apple Device in DFU mode.
[2024-12-15T23:04:19Z INFO  S5Late] Image (<image_path>) loaded to the device.

Note: The images still need the IMG1 header just change the format from '3' to '4'

Vulnerability

This exploits a vulnerability in DFU_DNLOAD packet parsing code, where no check exists for the total amount of bytes received. This means we can keep sending bytes until we overwrite some pointers at the end of SRAM.

Thanks

  • q3k - for general help
  • CUB3D - for ipod_sun

About

iPod Nano 7G bootrom exploit a bit too late

Resources

Readme

License

GPL-2.0 license
Activity

Stars

72 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages