Difference between revisions of "Osos/disk swapping bug"

From freemyipod.org
Jump to: navigation, search
m (reword)
m
 
Line 21: Line 21:
  
 
== Notes ==
 
== Notes ==
On at least the iPod nano (6th generation), booting <code>osos</code> this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.
+
On at least the iPod nano (6th generation), booting retailOS this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.

Latest revision as of 06:42, 4 August 2024

Simplified visualization of the boot logic of an iPod nano (6th generation)

The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd generation and later) allowing for untethered boot of the retailOS with a modified resource partition.

Explanation

In the firmware, the retailOS is stored in the osos partition, and disk mode is stored in the disk partition. The retailOS on the iPod nano reads from from the rsrc partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the rsrc partition is signed, but not encrypted. The disk mode does not use the rsrc partition.

When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:

   if volume up pressed:
       boot "disk"
   else:
       if "rsrc" signature check passed:
           boot "osos"
       else:
           error out

If the firmware is modified so that the disk and osos partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the volume up button is held. This is where the bug exists: if the iPod is booted with the volume up button pressed, the iPod, expecting to boot disk mode, will boot into retailOS without performing a signature check on rsrc.

Notes

On at least the iPod nano (6th generation), booting retailOS this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.