osos/disk swapping bug
The osos/disk swapping bug is a bug in the boot process of the iPod nano (3rd generation and later) allowing for untethered boot of the retailOS with a modified resource partition.
Explanation
In the firmware, the retailOS is stored in the osos partition, and disk mode is stored in the disk partition.
The retailOS on the iPod nano reads from the rsrc partition, a FAT16 filesystem containing UI images, translation strings, fonts, and more. Unlike all other partitions ever included in official firmware, the rsrc partition is signed, but not encrypted. The disk mode does not use the rsrc partition.
When the device is powered on, it decides whether to boot into disk mode or retailOS based on whether a button is pressed (on the iPod nano (6th generation), this is the Volume Up button). The basic logic is this:
    if volume up pressed:
        boot "disk"
    else:
        if "rsrc" signature check passed:
            boot "osos"
        else:
            error out
If the firmware is modified so that the disk and osos partitions are swapped - that is, the names of the two partitions are switched - the behavior reverses, meaning the iPod will boot into disk mode by default and retailOS if the volume up button is held. This is where the bug exists: if the iPod is booted with the volume up button pressed, the iPod, expecting to boot disk mode, will boot into retailOS without performing a signature check on rsrc.
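The defect above is a general one: the signature check is bound to a partition name rather than to the image that actually gets executed. The following Python model is an added illustration, not firmware code and not from the page; the partition table, the type tags inside the images, and the HMAC "signing" key are all constructed here so that the model runs offline. It implements the boot selection exactly as the pseudocode above describes it, next to a corrected selector that verifies whatever image it is about to run and only then decides whether rsrc must also be checked.

```python
import hashlib
import hmac

# Constructed model key. A real device would verify against a vendor
# public key; HMAC is used here only so the example is self-contained.
MODEL_KEY = b"model-only-signing-key"


def sign(data: bytes) -> bytes:
    return hmac.new(MODEL_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


# Constructed images. Each OS image carries a type tag in its content so the
# hardened loader can identify it without trusting the partition name.
RETAIL_IMAGE = b"TYPE=retail;" + b"retailOS code"
DISK_IMAGE = b"TYPE=disk;" + b"disk mode code"
STOCK_RSRC = b"stock rsrc FAT16"
MODIFIED_RSRC = b"patched rsrc FAT16"


def build_firmware(swapped: bool, rsrc_modified: bool) -> dict:
    """Partition table keyed by partition name (the model's own layout).

    swapped=True exchanges the 'osos' and 'disk' labels as the page describes.
    A modified rsrc keeps the stock signature, so its check fails, as on a
    real device. The model only represents the rsrc check the page discusses.
    """
    osos = {"image": RETAIL_IMAGE, "sig": sign(RETAIL_IMAGE)}
    disk = {"image": DISK_IMAGE, "sig": sign(DISK_IMAGE)}
    rsrc_img = MODIFIED_RSRC if rsrc_modified else STOCK_RSRC
    return {
        "osos": disk if swapped else osos,
        "disk": osos if swapped else disk,
        "rsrc": {"image": rsrc_img, "sig": sign(STOCK_RSRC)},
    }


def image_type(image: bytes) -> str:
    """Read the type tag from the image content ('retail' or 'disk')."""
    head, _, _ = image.partition(b";")
    return head.split(b"=", 1)[1].decode()


def boot_vulnerable(fw: dict, volume_up: bool) -> str:
    """Boot selection as the page's pseudocode describes it.

    The rsrc check is tied to the partition *name* 'osos', so it is skipped
    whenever the 'disk' partition is chosen, whatever that partition holds.
    """
    if volume_up:
        return image_type(fw["disk"]["image"])  # no rsrc check on this path
    if verify(fw["rsrc"]["image"], fw["rsrc"]["sig"]):
        return image_type(fw["osos"]["image"])
    return "error"


def boot_hardened(fw: dict, volume_up: bool) -> str:
    """Corrected model: verify the image actually chosen, derive what it is
    from its verified content, and only then decide whether rsrc must also
    be verified. Renaming partitions can no longer route around the check.
    """
    chosen = fw["disk"] if volume_up else fw["osos"]
    if not verify(chosen["image"], chosen["sig"]):
        return "error"
    kind = image_type(chosen["image"])
    if kind == "retail" and not verify(fw["rsrc"]["image"], fw["rsrc"]["sig"]):
        return "error"
    return kind


if __name__ == "__main__":
    swapped_modified = build_firmware(swapped=True, rsrc_modified=True)
    print("vulnerable, swapped, modified rsrc, volume up:",
          boot_vulnerable(swapped_modified, volume_up=True))
    print("hardened,   swapped, modified rsrc, volume up:",
          boot_hardened(swapped_modified, volume_up=True))
```

With the stock layout both selectors behave identically; the difference appears only when the labels are swapped and rsrc has been altered, where the vulnerable selector returns "retail" and the hardened one returns "error". The design lesson is that an integrity check must be attached to the object whose integrity matters, and the decision about which checks apply must come from verified content rather than from a mutable label.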
Notes
On at least the iPod nano (6th generation), booting osos this way seems to make the filesystem read only to the device: no actions taken on the device persist after a reboot.