Patreon

In 2021 this is still an active project for those asking, and it is still being actively developed. If you would like to support this project, here is the Patreon: https://www.patreon.com/user?u=48474083&fan_landing=true Why become a patron? The video production, as stated below, has many hours put into it and will be available on YouTube when this project is complete. Becoming a patron helps us purchase any supplies we need to complete this project (programming supplies, solder supplies, etc.). The Patreon will be updated soon, and merch may also become a reality. Please spread the word about this project to ensure completion.

Hardware Specs

First let's take a look at the motherboard. There's the Samsung S5L8702 SoC (ARM926EJ-S processor), 256 Mbit / 32 MB mobile DDR SDRAM, 8 Mbit / 1 MB utility NOR flash, the Wolfson WM1870 DAC, the D1671B power manager and finally the MLC NAND flash.

In my unit it's a Toshiba TH58NVG5D1DTG20, and after a quick search I found a naming-scheme diagram. It's a 3.3 V, 32 Gbit / 4 GB, 8-bit wide MLC NAND, so pretty standard.

From a hardware perspective the upgrade is quite feasible.

Rockbox NAND Table

But it can't be that easy, right? No... of course not. Well, maybe. Sadly there is no Rockbox or iPodLinux port for the third gen.
Weird, because we already have code execution and a port for the same SoC (the Classic 6G port).

After some digging in the Rockbox source code I found a NAND driver for the second gen iPod Nano. It's based on the same SoC family (S5L8701), so we have an idea how they implemented it.
There's a table of device IDs, block counts, identifiers, etc. It determines the size of the NAND and the partition that will be allocated.
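To make the table lookup concrete, here is an added example (not code from the page or from Rockbox) that decodes a legacy 5-byte NAND READ ID response into its geometry and then checks whether a candidate chip fits the board's chip-enable budget. It assumes the Samsung/Toshiba-style layout of ID bytes 3 and 4 (the same one Linux's nand_decode_ext_id() uses); the device code in byte 2 is vendor-specific and is kept opaque. The sample ID bytes, the 4096 blocks-per-die figure and the 64 GB limit are constructed or taken from this page, not dumped from the author's chip.

```python
# Added example: decode a legacy NAND READ ID response and check capacity
# against a chip-enable (CE) budget.  Assumes the Samsung/Toshiba-style
# meaning of ID bytes 3 and 4; byte 2 (device code) is left as an opaque key.

# JEDEC manufacturer codes.
MANUFACTURERS = {0x98: "Toshiba", 0xEC: "Samsung", 0xAD: "Hynix", 0x2C: "Micron"}

# Constructed sample: a 3.3 V x8 MLC part with 4 KiB pages, 512 KiB blocks and
# two dies behind one CE.  Illustrative bytes, not a dump of a real part.
SAMPLE_ID = bytes([0x98, 0xD7, 0x95, 0x32, 0x76])

# Maximum this page reports for four CE/RB pairs: 512 Gbit = 64 GB.
MAX_ADDRESSABLE_BYTES = 64 * 2**30


def decode_legacy_nand_id(idb: bytes) -> dict:
    """Decode manufacturer, dies per CE, cell type and page/block geometry."""
    if len(idb) < 4:
        raise ValueError("need at least 4 ID bytes")
    mfr, dev, info, ext = idb[0], idb[1], idb[2], idb[3]
    page_bytes = 1024 << (ext & 0x03)                 # byte 4 bits 0-1
    return {
        "manufacturer": MANUFACTURERS.get(mfr, "unknown 0x%02x" % mfr),
        "device_code": dev,                           # vendor table key, not decoded
        "dies_per_ce": 1 << (info & 0x03),            # byte 3 bits 0-1
        "bits_per_cell": ((info >> 2) & 0x03) + 1,    # byte 3 bits 2-3: 1 = SLC, 2 = MLC
        "page_bytes": page_bytes,
        "spare_bytes": (8 << ((ext >> 2) & 0x01)) * (page_bytes // 512),  # byte 4 bit 2
        "block_bytes": (64 * 1024) << ((ext >> 4) & 0x03),                # byte 4 bits 4-5
        "bus_width": 16 if (ext >> 6) & 0x01 else 8,                      # byte 4 bit 6
    }


def total_capacity_bytes(geom: dict, blocks_per_die: int, ce_count: int) -> int:
    """Raw capacity of every die the board can select.  blocks_per_die is not
    in the ID bytes; it comes from the datasheet or a Rockbox-style table."""
    return geom["dies_per_ce"] * ce_count * blocks_per_die * geom["block_bytes"]


def fits_addressable(geom: dict, blocks_per_die: int, ce_count: int,
                     limit: int = MAX_ADDRESSABLE_BYTES) -> bool:
    """True if the CE count is one the board wires up (1, 2 or 4) and the
    resulting capacity stays within the addressable limit."""
    if ce_count not in (1, 2, 4):
        return False
    return total_capacity_bytes(geom, blocks_per_die, ce_count) <= limit


if __name__ == "__main__":
    g = decode_legacy_nand_id(SAMPLE_ID)
    for k, v in g.items():
        print(f"{k:14} {v}")
    print("1 CE, 4096 blocks/die:", total_capacity_bytes(g, 4096, 1) // 2**30, "GiB")
    print("fits with 4 CE:", fits_addressable(g, 4096, 4))
```

The geometry decode is what a driver can trust at runtime; the block count per die still has to come from a table, which is exactly why the Rockbox driver carries one.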

iPod Partition Scheme

The iPod has two partitions:
a hidden system partition where the bootloader and the real-time operating system are stored, and a FAT32/HFS+ partition for storing media.
What if a similar method is used in the original firmware? Since there's no Rockbox port, we'd need to decrypt the raw firmware image and hack it.

Hardware Hacking

But back to the hardware part. I decided to desolder the NAND and solder on a TSOP-48 breakout board to test various NAND ICs and maybe tap into the bus.
And here is the process of me soldering 0.15 mm enamelled magnet wire to a 0.5 mm pitch TSOP footprint. Keep the magnet wire as short as possible to avoid interference.
A time-consuming process, but at the end it looks very cool.
Now to the NAND IC selection. I actually have access to the Micron confidential datasheets (makes it much easier). We don't yet know whether the stock firmware imposes a software limit, so first we have to understand the ONFI (Open NAND Flash Interface) TSOP pinout.
It's an 8-bit wide multiplexed bus with additional Chip Enable (CE) and Ready/Busy (R/B) signals. The number of CE and R/B signals determines the maximum addressable capacity.
The 3rd gen Nano has four CE and R/B signals, as do the iPod Nano 2G and 1G. The chips come in stacked, dual and single configurations, and in the case of the iPod Nano 1G on a daughter board, most likely due to chip availability to Apple at the time of manufacture. In dual stacked configs two of the R/B and CE legs are cut and the CE and R/B re-routed to different legs. Some of the Hynix chips come with 4 CE and 4 R/B. The maximum addressable capacity is 512 Gbit / 64 GB (only NAND flash with one, two or four CE signals will work).

Firmware

If you extract the .IPSW firmware image you get the following files: OSOS.fw, aupd.fw and rsrc.fw. The OSOS file has a 512-byte header, 1536 bytes of zeros and then the encrypted payload. There are 8 markers (offsets) that are enabled by default. When they are disabled (and the key retrieved) you can decrypt the payload with RC4. But this only works on aupd.fw. OSOS.fw needs a second key. It's in the SoC's internal flash (AES-CBC-128). There is an overflow exploit that lets you dump the SoC's flash...
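As an added example (not code from the page or the project), here is a small tool that slices a .fw image into the 512-byte header, the 1536 zero bytes and the encrypted payload described above, refuses images whose zero region is not actually zero, and runs RC4 over the payload. The key and the sample image are constructed; the 8 markers and the header fields are not decoded because the page does not describe them. As the text says, this covers aupd.fw only, since OSOS.fw needs a second AES-CBC-128 key from the SoC's internal flash that this code does not have.

```python
# Added example: split an iPod Nano 3G-style .fw image (512-byte header,
# 1536 zero bytes, encrypted payload) and RC4 the payload.  Key, header
# contents and sample image are constructed for illustration.

HEADER_LEN = 512
ZERO_PAD_LEN = 1536
PAYLOAD_OFFSET = HEADER_LEN + ZERO_PAD_LEN


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_fw(blob: bytes) -> tuple:
    """Return (header, payload); reject images whose zero-pad region isn't zero."""
    if len(blob) < PAYLOAD_OFFSET:
        raise ValueError("image shorter than header + zero pad")
    pad = blob[HEADER_LEN:PAYLOAD_OFFSET]
    if any(pad):
        raise ValueError("bytes %d-%d are not all zero; not the expected layout"
                         % (HEADER_LEN, PAYLOAD_OFFSET - 1))
    return blob[:HEADER_LEN], blob[PAYLOAD_OFFSET:]


def decrypt_fw(blob: bytes, key: bytes) -> tuple:
    """Split the image and RC4-decrypt the payload; the header is left as-is."""
    header, payload = split_fw(blob)
    return header, rc4(key, payload)


def build_sample_fw(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for an aupd.fw: opaque header, zero pad, RC4 payload."""
    header = b"constructed header".ljust(HEADER_LEN, b"\0")
    return header + bytes(ZERO_PAD_LEN) + rc4(key, plaintext)


if __name__ == "__main__":
    sample_key = b"Key"                       # constructed, not the real firmware key
    image = build_sample_fw(sample_key, b"fake aupd payload")
    header, plain = decrypt_fw(image, sample_key)
    print(header.rstrip(b"\0"), plain)
```

The zero-pad check is the cheap sanity test worth keeping: if a file fails it, either the layout assumption is wrong for that .fw or the file was not extracted cleanly, and RC4 output on it would be noise either way.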
