Add some notes describing how the bin2note exploit works

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@21904 a1c6a512-1295-4272-9138-f99709370657
author: Dave Chapman <dave@dchapman.com> 2009-07-16 17:40:55 +0000
committer: Dave Chapman <dave@dchapman.com> 2009-07-16 17:40:55 +0000
commit: f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4 (patch)
tree: cc0707339955fc4aef2d08b44c7e219cd1938a76
parent: 38754e7a9e8945cac11b0d45019b95e2ee26994f (diff)
download: rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.tar.gz
rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README
index 0dbc9e465d..61e03b9981 100644
--- a/utils/ipod/bin2note/README
+++ b/utils/ipod/bin2note/README
@@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano.
 The Makefile contains rules for compiling an ARM assembler file
 "test.S" into a notes file "test.htm".  Just put test.S in this
 directory and type "make test.htm".
+How it works
+------------
+When the Apple firmware boots, it scans the Notes folder and loads
+each note in turn in order to check its content.
+When it reaches our specially crafted note, a buffer overflows onto
+the stack, writing the entry point of our code over the top of an
+existing return address.
+This entry point was determined by "stooo1" as part of the
+"linux4nano" investigations into the Nano 2G.  He managed to attach a
+JTAG debugger to his Nano 2G and dump the RAM after a notes file was
+loaded.
+Only certain return addresses can be used, as it is converted
+internally to utf-8.  Hence we are currently using the address of the
+last instruction in the buffer, which is a branch back to our real
+entry point.
+You also need to ensure that there are no more than 64KB of notes in
+your Notes folder.
author	Dave Chapman <dave@dchapman.com>	2009-07-16 17:40:55 +0000
committer	Dave Chapman <dave@dchapman.com>	2009-07-16 17:40:55 +0000
commit	f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4 (patch)
tree	cc0707339955fc4aef2d08b44c7e219cd1938a76
parent	38754e7a9e8945cac11b0d45019b95e2ee26994f (diff)
download	rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.tar.gz rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.zip

diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README index 0dbc9e465d..61e03b9981 100644 --- a/utils/ipod/bin2note/README +++ b/utils/ipod/bin2note/README
@@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano.
15	The Makefile contains rules for compiling an ARM assembler file	15	The Makefile contains rules for compiling an ARM assembler file
16	"test.S" into a notes file "test.htm". Just put test.S in this	16	"test.S" into a notes file "test.htm". Just put test.S in this
17	directory and type "make test.htm".	17	directory and type "make test.htm".
		18
		19
		20	How it works
		21	------------
		22
		23	When the Apple firmware boots, it scans the Notes folder and loads
		24	each note in turn in order to check its content.
		25
		26	When it reaches our specially crafted note, a buffer overflows onto
		27	the stack, writing the entry point of our code over the top of an
		28	existing return address.
		29
		30	This entry point was determined by "stooo1" as part of the
		31	"linux4nano" investigations into the Nano 2G. He managed to attach a
		32	JTAG debugger to his Nano 2G and dump the RAM after a notes file was
		33	loaded.
		34
		35	Only certain return addresses can be used, as it is converted
		36	internally to utf-8. Hence we are currently using the address of the
		37	last instruction in the buffer, which is a branch back to our real
		38	entry point.
		39
		40	You also need to ensure that there are no more than 64KB of notes in
		41	your Notes folder.