Legacy 3rd, 4th, and 5th generation iPod Nanos now have a bootrom exploit called wInd3x

Hardware-based bootrom exploits like limera1n and checkm8 can’t be patched by Apple via software updates, since the bootrom is read-only code fixed at manufacture, and they surface rarely enough that we’d consider ourselves lucky to see one every several years. With that in mind, a newly announced bootrom exploit for the iPod Nano 3rd, 4th, and 5th generation, dubbed wInd3x, may pique some interest.

[Image: The wInd3x bootrom exploit at work on an iPod Nano 5th generation. Image via q3k.]

Almost nobody uses the iPod Nano 3rd, 4th, and 5th generation these days, and the iPhone’s popularity plays a big part in that reality. The iPhone can do everything an iPod Nano can do and more, and the same logic defines why Apple officially retired the iPod touch 7th generation in 2022.

In a detailed write-up, security researcher Serge Bazanski explains wInd3x and how it works, and provides a proof of concept for using it. From the write-up we gather that code execution isn’t yet untethered on supported devices, since the code has to be sent over USB each time rather than persisting on the device.

Bazanski notes that he wants to get code execution running on the iPod Nano 6th and 7th generation as well; however, this will require a different bug, as those models aren’t susceptible to wInd3x. Bazanski also wants to reverse engineer more of the iPod Nano 5th generation’s peripherals and finish a Linux port.

Near the end of the write-up, Bazanski states that the exploit also affects the iPhone 3G, and possibly even the original iPhone, but no working PoC has been published for those devices.

The freemyipod project on GitHub was recently updated with documentation and support for the wInd3x bootrom exploit, so the tool now supports a wider variety of devices. Instructions for using it are posted there, but they’re a little complicated for the average Joe to follow. That said, the tool is only intended for those who know what they’re doing.

Obviously, the iPod Nano isn’t a robust device by any means, so capabilities will be quite limited. Input is limited to a click wheel interface, and the processor isn’t anywhere near as fast as what we find in today’s iPhones. Regardless, the fact that hackers are still working their way into the security systems of these legacy handsets is actually quite incredible.