Following the recent proof of concept for the iPod nano file system hack, Steven Troughton-Smith has figured out a way to put the device into DFU mode to install custom firmware files. “First hold down the restart buttons until you get a black screen, it double reboots and iTunes sees the device and alerts you.
Afterwards, Troughton-Smith modified iRecovery to work with the iPod nano (had to add its DFU/Recovery USB ID) and allow it to send files, and tested with some files he had extracted from the iPod nano 6G firmware (using the extract2g tool). disk.fw and osos.fw work (one boots disk mode, the other boots to a homescreen). The other files make the nano boot to a white screen, but go no further.”
So, basically, it seems we can send encrypted firmware files to the iPod, and have them execute, similar to what’s used to jailbreak the iPhone. If the nano rejects the file (i.e. unsigned, invalid), it reboots.