https://freemyipod.org/api.php?action=feedcontributions&feedformat=atom&user=TISFMiPfreemyipod - User contributions [en]2026-04-09T07:11:59ZUser contributionsMediaWiki 1.45.1https://freemyipod.org/index.php?title=ByteFau1t&diff=22176ByteFau1t2025-12-01T03:19:17Z<p>TISFMiP: Article about the new vulnerability ByteFau1t</p>
<hr />
<div>== ByteFau1t Vulnerability ==<br />
{{DISPLAYTITLE:ByteFau1t}}<br />
<br />
ByteFau1t is a flaw in the IMG1 partition-type handling logic inside the SecureROM of the<br />
iPod nano (7th generation). The bug causes the integrity verification step for certain<br />
IMG1 images to be skipped, allowing modified data inside the rsrc partition to load<br />
without any signature checks.<br />
<br />
The issue was discovered by Fong and publicly disclosed on 30 June 2025.<br />
<br />
=== Affected Devices ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Device !! Vulnerable? !! Notes<br />
|-<br />
| iPod nano 7G (2012) || Yes || Verified working<br />
|-<br />
| iPod nano 7G (rev A)(2015) || Yes || Same SecureROM code path<br />
|-<br />
| iPod nano 6G || ? || Early tests suggest it does not work<br />
|-<br />
| Other S5L-based devices || Unknown || No confirmed evidence<br />
|}<br />
<br />
=== Summary ===<br />
<br />
The vulnerability is triggered by modifying the *format byte* inside the IMG1 header<br />
stored within the rsrc partition. Inside the IPSW, this byte is found in the MSE file.<br />
There is only one instance of the signature:<br />
<br />
38 37 34 30 32 2E 30 04<br />
<br />
The final byte (04) represents an *unencrypted + signed* IMG1 image.<br />
Changing it to 03 marks the image as *encrypted + signed*.<br />
<br />
When SecureROM processes an IMG1 image marked as encrypted (03) but whose contents are<br />
actually unencrypted, it enters an alternative decryption-handling path. This path has<br />
an unhandled condition for unencrypted data, causing the entire integrity verification<br />
step to be skipped. As a result, SecureROM accepts and loads modified IMG1 data as if<br />
it were valid.<br />
<br />
=== What ByteFau1t Allows ===<br />
<br />
* Modification of rsrc contents without using any previous untethered exploits And it doesn't require pressing any buttons.<br />
<br />
ByteFau1t does **not** provide full SecureROM code execution, but it enables UI<br />
customization, resource patching, and limited modification of system content embedded<br />
in rsrc.<br />
<br />
=== Technical Details ===<br />
<br />
* The MSE file holds multiple IMG1 headers<br />
* The format byte determines the SecureROM decryption/verification path<br />
* The “encrypted + signed” path (03) expects a specific internal decoder state<br />
* Feeding unencrypted data into this path results in an inconsistent state<br />
* In this state, the final cryptographic integrity check is skipped entirely<br />
* SecureROM proceeds as though the image were verified<br />
<br />
This is a logic flaw, not a memory-corruption vulnerability.<br />
<br />
=== Status / Fix ===<br />
<br />
{| class="wikitable"<br />
|-<br />
! Property !! Value<br />
|-<br />
| Fixed in || Not fixed<br />
|-<br />
| Patched devices || None<br />
|-<br />
| Discovered by || Fong<br />
|-<br />
| Disclosed || 30 June 2025<br />
|}<br />
<br />
=== Nano 6G Possibility ===<br />
<br />
Attempts to apply the method to the iPod nano 6G were unsuccessful.<br />
Nano 6 SecureROM uses a probably different circuit.<br />
Current research status: incompatible.</div>TISFMiP