Security researcher releases S5Late bootrom exploit for iPod Nano 7th generation

It’s been a hot minute since the year 2012, which is when Apple announced the seventh-generation iPod Nano. In fact, despite the fact that the iPod was one of Apple’s most successful products, the company doesn’t even sell iPods anymore.

iPod Nano Pwned.

But that hasn’t stopped reverse engineers and security researchers from tinkering with these legacy devices, which brings us to today’s news – a newly-announced hardware-based bootrom exploit for the iPod Nano 7th generation, shared by X (formerly Twitter) user @__gsch over the weekend.

Hardware-based bootrom exploits are particularly rare, and what makes them unique is that the vulnerability lives in the device’s read-only boot ROM rather than in updatable software. This means that Apple can’t simply patch the exploit away with a software update; it would have to recall every device and solder in a revised chip, which would be far too impractical a feat to tackle.

Two of the most well-known bootrom exploits to date are checkm8 and limera1n, each of which targeted the boot ROM of the Apple processors in various Apple devices, enabling jailbreaks for those devices for essentially their entire operational life.

While users are unlikely to jailbreak an iPod Nano given the limited use cases for such a low-power device compared to more advanced devices like the iPod touch or iPhone, the fact remains that the emergence of a bootrom exploit for the iPod Nano 7th generation is a fantastic accomplishment.

The discoverer jokingly calls this exploit ‘a bit too late’ because the iPod Nano 7th generation is now so old that hardly anyone even uses one anymore. Most music listeners have switched to streaming services on their more powerful smartphones as alternatives to locally stored music libraries.

According to the project’s GitHub page, the S5Late bootrom exploit is tethered by nature, which means that users must boot the device through DFU mode with the help of a computer every time they turn it back on.

“This exploits a vulnerability in DFU_DNLOAD packet parsing code, where no check exists for the total amount of bytes received,” the security researcher explains on the GitHub page. “This means we can keep sending bytes until we overwrite some pointers at the end of SRAM.”
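To illustrate the bug class the quote describes, here is a constructed C model (an added example, not code from the S5Late project or Apple) of a DFU_DNLOAD handler that bounds each packet but never the running total, placed beside a hardened version that checks the cumulative length before copying. The SRAM layout, sizes, sentinel value and function names are all invented for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the bug class, NOT the real S5L memory map: the DFU image
 * is staged from the start of SRAM and a function pointer the bootrom later uses
 * sits in the last bytes of SRAM. Every size and name here is made up. */
#define SRAM_SIZE    1024
#define PTR_SLOT     (SRAM_SIZE - sizeof(uintptr_t))  /* pointer at end of SRAM */
#define IMAGE_CAP    PTR_SLOT                         /* staging must stop here */
#define MAX_PKT      64                               /* per-packet payload cap */
#define PTR_SENTINEL ((uintptr_t)0x4000AA55u)         /* constructed marker value */
typedef struct { uint8_t sram[SRAM_SIZE]; size_t received; } dfu_t;

static void dfu_init(dfu_t *d) {
    uintptr_t p = PTR_SENTINEL;
    memset(d, 0, sizeof *d);
    memcpy(d->sram + PTR_SLOT, &p, sizeof p);         /* plant the end-of-SRAM pointer */
}
static uintptr_t dfu_end_pointer(const dfu_t *d) {   /* read that pointer back */
    uintptr_t p; memcpy(&p, d->sram + PTR_SLOT, sizeof p); return p;
}

/* Vulnerable shape: each packet is bounded, but the running total never is, so
 * enough packets walk the write cursor past the image area into the pointer. */
static bool dfu_dnload_vulnerable(dfu_t *d, const uint8_t *pkt, size_t len) {
    if (len > MAX_PKT) return false;
    memcpy(d->sram + d->received, pkt, len);          /* BUG: received + len unchecked */
    d->received += len;
    return true;
}

/* Hardened shape: refuse the packet before copying when the cumulative total would
 * exceed the staging area; comparing against remaining space cannot wrap around. */
static bool dfu_dnload_fixed(dfu_t *d, const uint8_t *pkt, size_t len) {
    if (len > MAX_PKT || len > IMAGE_CAP - d->received) return false;
    memcpy(d->sram + d->received, pkt, len);
    d->received += len;
    return true;
}

/* Push `total` filler bytes through handler `h` in MAX_PKT-sized packets; returns
 * how many packets it accepted. */
static size_t dfu_stream(dfu_t *d, bool (*h)(dfu_t *, const uint8_t *, size_t), size_t total) {
    uint8_t filler[MAX_PKT]; size_t accepted = 0;
    memset(filler, 0x41, sizeof filler);              /* arbitrary payload byte */
    while (total > 0) {
        size_t n = total < MAX_PKT ? total : MAX_PKT;
        if (!h(d, filler, n)) break;                  /* handler refused the packet */
        total -= n; accepted++;
    }
    return accepted;
}
```

Streaming exactly SRAM_SIZE bytes through the vulnerable handler accepts every packet and clobbers the pointer slot, while the hardened handler stops at the 16th packet and leaves the pointer intact.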

It may be possible to adapt the bootrom exploit to the iPod Nano 6th generation as well, but offsets would need to be updated to make this possible.

It remains to be seen whether another bootrom exploit will ever surface for the iPhone or iPad series of devices. If one did, it would open a whole new chapter of jailbreaking for years to come…