ipod – Hackaday
https://hackaday.com
Fresh hacks every day

iPod Clickwheel Games Preservation Project
https://hackaday.com/2024/11/04/ipod-clickwheel-games-preservation-project/
Tue, 05 Nov 2024 06:00:21 +0000

An image of a dark mode Linux desktop environment. A white iTunes window stands out in a virtualized Windows 10 environment. Two iPod games, "Phase" and "Texas Hold 'Em" are visible in the "iPod Games" section of the library.

The iPod once reigned supreme in the realm of portable music. Hackers are now working on preserving one of its less lauded functions — gaming. [via Ars Technica]

The run of 54 titles from 2006-2009 may not have made the iPod a handheld gaming success, but many still have fond memories of playing games on the devices. Unfortunately, Apple’s FairPlay DRM has made it nearly impossible to get those games back unless you happened to back up your library, since those games can’t be downloaded again and are tied to both the account and iTunes installation that originally purchased the game.

Fortunately, intrepid hackers found syncing their iPods (or iTunes libraries) with working copies of the games could reauthorize the games via Apple’s servers to a secondary iTunes installation. Any supported iPod could then be linked to this installation and get the games as well. Through the wonders of virtualization, the iPod Clickwheel Games Preservation Project by [Olsro] allows you to install many of these games on your own iPod with an iTunes install inside a Windows 10 VM, which saves the expense of shipping iPods all over the place.

Looking for some more ways to get into iPod hacking? How about some upgrades or a look back at how the first iPod hacks started?

Raspinamp: It Really Replicates Questionable Activities Involving Llamas
https://hackaday.com/2024/03/07/raspinamp-it-really-replicates-questionable-activities-involving-llamas/
Fri, 08 Mar 2024 03:00:00 +0000

In the late 90s as MP3s and various file sharing platforms became more common, most of us were looking for better players than the default media players that came with our operating systems, if they were included at all. To avoid tragedies like Windows Media Center, plenty of us switched to Winamp instead, a much more customizable piece of software that helped pave the way for the digital music revolution of that era. Although there are new, official versions of Winamp currently available, nothing really tops the nostalgia of the original few releases of the software which this project faithfully replicates in handheld form.

The handheld music player uses a standard Raspberry Pi (in this case, a 3B) and a 3.5″ TFT touchscreen display, all enclosed in a clear plastic case. With all of the Pi configuration out of the way, including getting the touchscreen working properly, the software can be set up. It uses QMMP as a media player with a Winamp skin since QMMP works well on Linux systems with limited resources. After getting it installed there’s still some configuration to do to get the Pi to start it at boot and also to fit the player perfectly into the confines of the screen without any of the desktop showing around the edges.

Although it doesn’t use the original Winamp software directly, as that would involve a number of compatibility layers and/or legacy hardware at this point, we still think it’s a faithful recreation of how the original looked and felt on our Windows 98 machines. With a battery and a sizable SD card, this could have been the portable MP3 player many of us never knew we wanted until the iPod came out in the early 00s, and would certainly still work today for those of us not chained to a streaming service. A Raspberry Pi is not the only platform that can replicate the Winamp experience, though. This player does a similar job with the PyPortal instead.

Melodio Self Mate
https://hackaday.com/2024/02/12/melodio-self-mate/
Tue, 13 Feb 2024 00:00:10 +0000

A render of the Melodio Self Mate music player with its front plate removed. It's a grey device with a small screen and navigation wheel, similar to a chunky iPod. It has an IR blaster LED in the top and various exposed screw holes letting everyone know that this is a device you can open.

While the proliferation of the smartphone has caused the personal music player (PMP) market to mostly evaporate, there are still those who prefer a standalone device for their music. The Melodio Self-Mate is one such spiritual successor to the iPod.

Music-only devices really benefit from the wheel interface pioneered by Apple, so we still see it in many of the new Open Source PMPs including this one and the Tangara. The Melodio uses the ubiquitous ESP32 for its brains coupled with a TI PCM5102A DAC and TI TPA6130A2 headphone amp for audio. A slider on the side of the device allows you to switch it between mass storage mode and programming mode for the ESP32.

Since this device packs a little more horsepower and connectivity than the original iPods, things like listening to Spotify are doable once assembled, instead of having to completely rebuild the device. Speaking of building, there are only renders on the GitHub, so we’re not sure if this project has made the jump IRL yet. With more people concerned about the distractions of smartphones, maybe this renaissance of open PMPs will lead to a new golden age of music on the go?

Miss the halcyon days of the iPod? They’re easier to hack now than ever, and if you really want to go old school, how about a podcast on a floppy?

How The First iPod Was Blown Wide Open
https://hackaday.com/2023/12/09/how-the-first-ipod-was-blown-wide-open/
Sat, 09 Dec 2023 21:00:59 +0000

If someone makes a device, someone else will want to break it open and run their own software on it. When the original manufacturer is Apple this is never made easy, and as [Daniel Stenberg] reminds us in the case of one of the earlier iPod models it required an unusual approach.

In short, an HTML file was found which triggered a reboot, meaning a buffer overrun had been found in the firmware. After much experimenting, the memory location was found which would flash the backlight, and from there a piece of ARM code could be injected which would dump the firmware very slowly bitwise by flashing the light. Enough code could be extracted to find the address of the USB serial port, allowing new code to be made which dumped the firmware via USB. We remember the earliest models using FireWire instead of USB, so perhaps we can zero in on the 3rd or 4th generation. From there enough could be deduced to run the Rockbox music player firmware. We remember seeing friends doing this back in the day, something which was for a while the height of open-source coolness.

Fast forward twenty years or so, and we’re still covering people chipping away at Apple’s defenses. We don’t know whether a first-generation iPod could run Doom, but we know Rockbox was capable of it on other players.

Building a Charging Holder for the Apple Pencil
https://hackaday.com/2023/09/21/building-a-charging-holder-for-the-apple-pencil/
Thu, 21 Sep 2023 08:00:35 +0000

The Apple Pencil is a neat tool for digital creativity, but the user experience is a bit blah when it comes to charging. You either have to plug it into an iPhone or iPad directly, or an iPhone charger using a special adapter. It’s a bit below Apple’s usual seamless best. [Handy Bear] got around this fuss by building their own Apple Pencil dock.

The concept is simple. At its heart, it’s not dissimilar from a regular pen holder. It consists of a 3D printed round base filled with quick cement for heft. The base weighs almost a pound, and has a cork base so it sits nicely on a desk. A Lightning charge cable is fed into the base of the device, with the Apple Pencil adapter permanently fitted. All one has to do is remove the cap from the Apple Pencil, slot it into the adapter, and place the cap in the storage hole provided. The base then keeps the device charged, upright, and ready for use.

It’s not a complicated build, but it solves a fundamental problem with the Apple Pencil. It’s hard to imagine fancy-schmancy creatives are leaving these things just floating around on their desks with cables going everywhere; you’d think Apple would be selling a $99 dock for these by now. Instead, it’s up to the DIYers and the aftermarket.

You might also consider some high-end mods to your Apple Pencil for greater finesse.

This Week in Security: Github, Google, and Realtek
https://hackaday.com/2023/02/03/this-week-in-security-github-google-and-realtek/
Fri, 03 Feb 2023 15:00:37 +0000

GitHub Desktop may have stopped working for you yesterday, February 2nd. The reason was an unauthorized access to some decidedly non-public repositories. The most serious bit of information that escaped was code signing certificates, notably used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, GitHub is taking the proper steps of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software are no longer easily installed. If nothing else, it’s a reminder that even a project with a well run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA Shim. That’s a special boot loader target that contains a valid signature, but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu with some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more. Like rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem. Meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked.

Google Fi Fouled

Google Fi customers have received notice of a breach, in which some bits of customer data were leaked. The timing suggests that it could be related to the T-Mobile breach about the same time. There’s a more worrying element to this: at least one user seems to have been the victim of a SIM swap attack, pulled off as a result of the breach. Just a reminder that SMS as a two-factor authentication method is a terrible idea.

Realtek

There’s a big ongoing campaign against Realtek-based devices, and it’s because of CVE-2021-35394, a vulnerability in the Realtek Jungle SDK. Buckle up, this one has been known to lead to double-facepalms.

Back in 2015, a handful of vulnerabilities were found and disclosed in D-Link and TRENDnet devices. One of those was the UDPServer process, which seems to be a debugging interface. It listens on UDP port 9034, and just executes whatever commands are received. Totally unauthenticated. And on some devices, this process starts automatically. Oof.

This was reported in 2015, and Realtek fixed it. Observe:

if(!memcmp(buf, "orf", 3)){
  strcat(buf, " > /tmp/MP.txt");
  system(buf);
}

Yes, this is the solution they went with. Make sure the command string starts with orf, then redirect the output to a temp file. So secure. And now, someone is spamming port 9034 all across the internet, with orf;malicious_command. Shodan shows 80 different models on the Internet with this port open, and it’s possible even more won’t normally start the vulnerable service, but can be launched via an unauthenticated web endpoint, reachable if the device is configured to allow remote management. It speaks badly of Realtek to fumble a fix this badly, and even worse of vendors to have left this service in place. Patches are available for many of the affected devices.
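The gap between that prefix check and a parser that never hands input to a shell, as an added example (not Realtek's code or its later patch); the function names and the character allowlist are assumptions made for illustration.

```c
/* Added illustration; not Realtek SDK code. Only the "orf" prefix and the
 * string orf;malicious_command come from the article; all names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Same test as the snippet above (strncmp is used so short strings are not
 * over-read): only the first three bytes are examined, so everything after
 * "orf" still reaches system() and is interpreted by the shell. */
static int legacy_gate_accepts(const char *buf)
{
    return strncmp(buf, "orf", 3) == 0;
}

/* Allowlist for argument bytes: no shell metacharacters, no control bytes,
 * and no '-' so an argument cannot be mistaken for an option. */
static int arg_char_ok(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '.' || c == ':';
}

/* Split `in` into argv[] using `store` as backing memory. Returns argc, or -1
 * if the command word is not exactly "orf", a byte is outside the allowlist,
 * or a size limit is hit. The result is meant for execv() with a fixed binary
 * path and a file opened by the caller, never for system(). */
static int build_argv(const char *in, char *store, size_t store_len,
                      char *argv[], int max_args)
{
    size_t n = strlen(in);
    int argc = 0;
    char *p;

    if (n == 0 || n >= store_len)
        return -1;
    memcpy(store, in, n + 1);

    p = store;
    while (*p) {
        if (*p == ' ') { p++; continue; }        /* skip separators */
        if (argc >= max_args - 1)                /* keep room for NULL */
            return -1;
        argv[argc++] = p;
        while (*p && *p != ' ') {
            if (!arg_char_ok((unsigned char)*p))
                return -1;
            p++;
        }
        if (*p == ' ')
            *p++ = '\0';
    }
    argv[argc] = NULL;
    if (argc == 0 || strcmp(argv[0], "orf") != 0)
        return -1;
    return argc;
}

int main(void)
{
    /* Constructed inputs; the second is the string quoted in the article. */
    const char *samples[] = { "orf 0x1f a0", "orf;malicious_command", "orfX" };
    char store[64];
    char *argv[MAX_ARGS];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s legacy=%d strict_argc=%d\n", samples[i],
               legacy_gate_accepts(samples[i]),
               build_argv(samples[i], store, sizeof store, argv, MAX_ARGS));
    return 0;
}
```

Stricter parsing only narrows what the service accepts; it does not address the listener on UDP port 9034 being unauthenticated in the first place.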

Hacking Your iPod With wInd3x

[Serge Bazanski] found a new hobby to ride out Covid, and he’s finally ready to share it with the world: hacking ancient iPods. The goal here is to crack open the platform, get a Linux kernel booting, and then finally engage in that most noble of pursuits, running Doom on unexpected hardware.

But even in 2008, the iPod Nano 4G was doing a sort of secure boot, and was designed to not load arbitrary boot images. The bootloader will only load properly signed images, and the signing key never leaked. But that’s only a foolproof system so long as there’s not a big bug in the boot sequence that bypasses the security.

One of the tricks the iPod has under its metaphorical hat is to boot off USB for recovery, using Device Firmware Update (DFU). The implication is that the bootloader has to have a USB stack to pull this trick off, and that’s a good place to look for a vulnerability. And there’s a pretty nifty one, where data provided in the USB setup packet is used to index another array, without any sanity checks.

This just happens to be a function pointer lookup, and code execution jumps to the lookup result. Send something bogus, and it crashes the device. Massage the program state correctly, and execution jumps to a bit of code that works as a “trampoline”, bouncing execution back to … *wait-for-it* … The beginning of the USB packet that triggered the vulnerability.

[Serge] is proud of this part, and rightfully so. His exploit is a polyglot — it’s both a valid USB packet, and valid ARM code. It works on the Nano 4G, but he really wanted to take a crack at the 5G, which doesn’t even have boot ROM dumps available. The vulnerability worked, but the memory layout was different enough that the exploit would need to be re-engineered. The first task was trying to find that trampoline code, and brute-forcing the possible locations led to an interesting finding. One memory location resulted in a device restart when triggered. Time to throw the polyglot packet at it and see what happened. It worked, and he had code execution, but blind execution with no map. He would need the rest of the memory layout to do something useful.

He could make the device do something, at least. Jumping code execution to memory location 0 did a reboot. And triggering an infinite loop made it hang. So, just manually leak memory layout information one bit at a time. That’s a lot of dedication just to run Doom on an iPod. And the work is still in progress, but it looks like the iPod nano Gen5 finally has a booting Linux kernel. Bravo!

PlugX

USB malware still lives. It’s thankfully not as bad as the old days, when Windows would actually autorun a binary as soon as the USB drive was plugged in to the computer. But some new tricks make for a pretty effective trap for the insufficiently wary.

The core trick is that folder names using the Unicode 00A0 character, non-breaking space, don’t render correctly in Windows Explorer, and the folders are not displayed at all as a result. An infected USB drive contains one of these invisible folders, as well as a shortcut bearing the same name as the drive. That shortcut points to a legitimate copy of the x32dbg.exe debugger binary, in the hidden directory, but also lurking there is a malicious x32bridge.dll file.

A quirk of the Windows library loading procedure is that the local directory will be checked first, even if the DLL exists in a system directory. And since DLLs aren’t signed like executables are, this DLL side loading has become a popular technique for running malware without any warning prompts. In the case of PlugX, it runs the payload, and then opens another hidden folder that serves as the fake root of the drive. All your expected files are there. And if you’re not paying attention, the extra step of launching the shortcut would be easy enough to overlook.

Bits and Bytes

The new Meta Account Center had no rate limiting for SMS verification codes, until [Gtm Mänôz] discovered and reported the issue. This allowed an interesting attack, where you could add a phone number belonging to another account, and by brute-forcing the six digit code, the number would be unlinked from the legitimate Facebook or Instagram account. If it was being used for 2FA, that security feature would simply be turned off on that account. The issue was fixed, and he earned a nice $27,200 for the find.

An international effort managed to take down the infrastructure behind Hive Ransomware. Law enforcement was able to compromise Hive servers several months ago, and ran a scam on the scammers, quietly handing out decryption keys to victims. In time, physical servers were located, in Los Angeles of all places, and the scheme shut down. Unfortunately there have yet to be any arrests announced as part of the operation.

Grey Hat really doesn’t do [Shashwat Kumar] justice. This hack is definitely a Chaotic Good action. After learning about a scammy free points offer, he discovered a malicious app that collected credit card information, and copied incoming SMS messages to a remote server. On that server, he found a dashboard with a SQL injection flaw. Upon confirming that this was indeed a malicious scam, the natural course of action was to abuse another SQL injection flaw to wipe the database of data. And then, change the app’s welcome message to warn users that it was malicious. Technically illegal, but obviously for the greater good. Huzzah!

ESP32 Adds Bluetooth to an iPod Nano
https://hackaday.com/2022/09/14/esp32-adds-bluetooth-to-an-ipod-nano/
Wed, 14 Sep 2022 23:00:30 +0000

The iPod Nano was one of Apple’s masterworks, but it’s really tied down by its dependence on wired headphones. At least, that’s what [Tucker Osman] must have thought, as he spent an unreasonable amount of time designing a Bluetooth mod for the 3rd gen Nano. And it’s a thing of beauty — temperamental, brutally difficult to build, and fragile in use, but still beautiful. And while some purists try to keep their signal analog, [Tucker]’s coup d’etat is to intercept the iPod’s audio signal before the DAC chip, keeping the entire signal path digital to the Bluetooth speaker. Oh, and he also managed to make the volume and track skip buttons work, back across the wireless void.

Now we know you’re itching to use the beautiful instructions and source code at the link above, and try to replicate this hack. And if you *really* want to, go for it. But know that the soldering required is a nightmare, the case needs modification to fit the extra board, and the resulting device has a battery life measured in minutes instead of hours. But since when has that stopped us? And if more iPod hacking is your thing, check out [Tucker]’s other project!
