Hardware Specs

First let's take a look at the motherboard. There's the Samsung S5L8702 SoC (ARM926EJ-S Processor), 256Mb/32MB mobile DDR SDRAM, 8Mb/1MB Utility NOR Flash, the WM1870 Wolfson DAC, the D1671B Power Manager and finally the MLC Nand Flash.

In my unit it's a Toshiba TH58NVG5D1DTG20 and after a quick search I found a naming scheme diagram. It's a 3.3V, 32Gbit/4GB and 8-bit wide MLC NAND, so pretty standard.

From a hardware perspective the upgrade is quite feasible.

Rockbox NAND Table

But it can't be that easy right? No.. Of course not, well maybe. Sadly there is no rockbox and/or ipodlinux port for the third gen.
Weird because we already have code execution and a port for the same SoC (Classic 6G Port).

After some digging in the rockbox source code I found a NAND driver for the second gen iPod Nano. It's based on the same SoC family (S5L8701), so we have an idea how they implemented it.
There's a list of DeviceIDs, Blocks, Identifiers e.t.c. It determines the size of the NAND and the partition that will be allocated.

iPod Partition Scheme

The iPod has two partitions.
A hidden system partition where the bootloader and the Realtime Operating System is stored and a Fat32/HFS partition for storing media.
What if a similar method is used in the original firmware? Since there's no Rockbox port we'd need to decrypt the raw firmware image and hack it.

Hardware Hacking

But back to the hardware part. I decided to desolder the NAND and solder a TSOP-48 breakout board to test various NAND ICs and maybe tap into it.
And here is the process of me soldering 0.15mm enamelt magnet wire to an 0.5mm pitch TSOP footprint. Keep in mind to leave the magnet wire as short as possible to avoid interference.
A time consuming process but at the end it looks very cool.
Now to the NAND IC selection. I actually have access to the Micron Confidential Datasheets (Makes it much easier). First we don't know if we have a software limitation in the stock firmware then we have to understand the ONFI (Open NAND Flash Interface) TSOP pinout.
It's an 8-bit wide multiplexed bus with additional Chip Enable and Ready/Busy signals. The amount of Chip Enable and Ready/Busy signals determine the maximum addressable capacity.
The 3rd gen Nano has two CE and R/B signals, so a maximum addressable capacity of 512Gbit/64GB  (only NAND Flash with one or two CE signals will work).

Firmware

If you extract the .IPSW firmware image you have the following files: OSOS.fw, aupd.fw and rsrc.fw. The OSOS file has a 512 Byte Header, 1536 Bytes of Zeros and the encrypted payload. There are 8 markers (offsets) that are enabled by default. When disabled (and the key retrieved) you can decrypt the payload with the RC4 decrypton method. But this only works on aupd.fw. OSOS.fw needs a 2nd key. It's in the SoC's internal Flash (AES CBC 128). There is an overflow exploit that let's you dump the SoC's flash and the NOR utility flash.

aupd.fwApple NOR flash updater image
encrypted
osos.fw
Apple OS
encrypted
rsrc.fwApple File Systemunencrypted


Status

I'll test a 8GB and 16GB MLC (without OS mod) the next weeks and I'm currently working on decrypting the Firmware but most of the work done 2007 is gone (most likely Apple DMCA)



Extra

400GB of Video Footage at this point. Eventually I'll produce a video so make sure to subscribe to my YouTube Channel.

Because I needed a more reliable and detailed source for teardowns I reverse engineered the IHS Markit Teardown distribution system and wrote an API and a Frontend. Hold on it's legal!