iPod Nano 5g

Portable media player. Released in September 2009.

Operating system

Nano runs propertiary Apple firmware. Nothing more is known about it since it's encrypted.

Hardware

CPU: Samsung S5L8730 SoC (iPod Touch 2G has S5L8720)
8/16 GB NAND flash (depending on model)

Tinkering

Key combinations:
Select+Menu - Reboot
Select+Prev - Diags Menu (hold during startup - see below)
Select+Play - Disk Mode

Diags

Hardware checks and system information. About menu displays SysCfg contents and other things (for example… EFI Version)

DFU Mode

Nano has a DFU Mode. Uses the same protocol as iPhone.

To enter DFU, plug in USB cable, hold Select+Menu until screen goes off, then press Select+Menu again. If iTunes is running, it will download WTF and then FIRMWARE file that launches Disk Mode, allowing firmware restore.

Files downloaded by iTunes when it detects Nano in DFU

x12310000_Recovery.ipsw

x12310000_Recovery/
    Restore.plist                //parsed by iTunes - nothing interesting in here
    Firmware/
            dfu/ 
                WTF.x1231.RELEASE.dfu    //encrypted in the same way as N33.bootloader.release.rb3

x12460000_Recovery.ipsw

When iTunes sends it to Nano, screen stays white for a few seconds and then Disk Mode is executed.

x12460000_Recovery/
    Restore.plist
    Firmware/
            dfu/
                FIRMWARE.x1246.RELEASE.dfu //encrypted in the same way as N33.bootloader.release.rb3

Playing with iRecovery

Change Product IDs in iRecovery source and compile it. It works fine with nano. Sending WTF twice causes white screen and USB communication loss

IPSW contents

Note: IPSW files are normal ZIP files with changed file extension

Firmware.MSE

The actual firmware file. Copied to NAND during restore. Divided into 9 sections:

  • disk (Disk mode - shows a iPod1G-style Disk Mode screen)
  • diag (Diagnostics)
  • appl (probably Apple boot logo)
  • lbat (low battery image - loaded instead of osos image when battery is low)
  • bdsw (Connect to iTunes screen)
  • bdhw (Need Service screen?)
  • chrg
  • rsrc (OS resources - graphics, fonts, localization strings etc.)
  • osos (iPod operating system - encrypted)

N33.bootloader.release.rb3

Encrypted bootloader. This is a 8730 file (variation of iPhone1,1 8900 file format).

bootldr-hexdump.png

manifest.plist

iTunes parses this during restore.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>FirmwarePayload</key>
    <dict>
        <key>FirmwareName</key>
        <string>Firmware.MSE</string>
        <key>BootloaderName</key>
        <string>N33.bootloader.release.rb3</string>
        <key>BuildVersion</key>
        <string>34A20020</string>
        <key>ProductVersion</key>
        <string>1.0.2</string>
        <key>UpdaterFamilyID</key>
        <integer>34</integer>
        <key>FamilyID</key>
        <integer>16</integer>
    </dict>
</dict>
</plist>

Links

Linux4Nano wiki
iPod Linux project
the iPhone Wiki - some information applicable to nano

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License