Osos/disk swapping bug - Revision history

760ceb3b9c0ba4872cadf3ce35a7a494 at 04:42, 4 August 2024

2024-08-04T04:42:23Z

← Older revision		Revision as of 04:42, 4 August 2024
Line 21:		Line 21:

	== Notes ==		== Notes ==
	On at least the iPod nano (6th generation), booting ~~<code>osos</code>~~ this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.		On at least the iPod nano (6th generation), booting retailOS this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.

760ceb3b9c0ba4872cadf3ce35a7a494: reword

2024-08-04T04:41:50Z

reword

← Older revision		Revision as of 04:41, 4 August 2024
Line 18:		Line 18:
	error out		error out

	If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the ~~power~~ up button is held. This is where the bug exists: ~~because~~ the iPod ~~expects~~ to boot disk mode, ~~which does not usually utilize the <code>rsrc</code> partition, it doesn't perform~~ a signature check on <code>rsrc</code> ~~before booting~~.		If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the volume up button is held. This is where the bug exists: if the iPod is booted with the volume up button pressed, the iPod, expecting to boot disk mode, will boot into retailOS without performing a signature check on <code>rsrc</code>.

	== Notes ==		== Notes ==
	On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.		On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.

760ceb3b9c0ba4872cadf3ce35a7a494: osos/disk swapping bug explanation

2024-08-04T04:24:49Z

osos/disk swapping bug explanation

New page

{{DISPLAYTITLE:osos/disk swapping bug}}
[[File:Disk swap visualization.png|thumb|right|Simplified visualization of the boot logic of an iPod nano (6th generation)]]

The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd generation and later) allowing for untethered boot of the [[retailOS]] with a modified resource partition.

== Explanation ==
In the firmware, the retailOS is stored in the <code>osos</code> partition, and disk mode is stored in the <code>disk</code> partition.
The retailOS on the iPod nano reads from from the <code>rsrc</code> partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the <code>rsrc</code> partition is signed, but not encrypted. The disk mode does not use the <code>rsrc</code> partition.

When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:

if volume up pressed:
boot "disk"
else:
if "rsrc" signature check passed:
boot "osos"
else:
error out

If the firmware is modified so that the <code>disk</code> and <code>osos</code> partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the power up button is held. This is where the bug exists: because the iPod expects to boot disk mode, which does not usually utilize the <code>rsrc</code> partition, it doesn't perform a signature check on <code>rsrc</code> before booting.

== Notes ==
On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.