author | Dave Chapman <dave@dchapman.com> | 2009-07-16 17:40:55 +0000 |
---|---|---|
committer | Dave Chapman <dave@dchapman.com> | 2009-07-16 17:40:55 +0000 |
commit | f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4 (patch) | |
tree | cc0707339955fc4aef2d08b44c7e219cd1938a76 /utils/ipod/bin2note/README | |
parent | 38754e7a9e8945cac11b0d45019b95e2ee26994f (diff) | |
download | rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.tar.gz rockbox-f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4.zip |
Add some notes describing how the bin2note exploit works
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@21904 a1c6a512-1295-4272-9138-f99709370657
Diffstat (limited to 'utils/ipod/bin2note/README')
-rw-r--r-- | utils/ipod/bin2note/README | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README index 0dbc9e465d..61e03b9981 100644 --- a/utils/ipod/bin2note/README +++ b/utils/ipod/bin2note/README | |||
@@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano. | |||
15 | The Makefile contains rules for compiling an ARM assembler file | 15 | The Makefile contains rules for compiling an ARM assembler file |
16 | "test.S" into a notes file "test.htm". Just put test.S in this | 16 | "test.S" into a notes file "test.htm". Just put test.S in this |
17 | directory and type "make test.htm". | 17 | directory and type "make test.htm". |
18 | |||
19 | |||
20 | How it works | ||
21 | ------------ | ||
22 | |||
23 | When the Apple firmware boots, it scans the Notes folder and loads | ||
24 | each note in turn in order to check its content. | ||
25 | |||
26 | When it reaches our specially crafted note, a buffer overflows onto | ||
27 | the stack, writing the entry point of our code over the top of an | ||
28 | existing return address. | ||
29 | |||
30 | This entry point was determined by "stooo1" as part of the | ||
31 | "linux4nano" investigations into the Nano 2G. He managed to attach a | ||
32 | JTAG debugger to his Nano 2G and dump the RAM after a notes file was | ||
33 | loaded. | ||
34 | |||
35 | Only certain return addresses can be used, as it is converted | ||
36 | internally to utf-8. Hence we are currently using the address of the | ||
37 | last instruction in the buffer, which is a branch back to our real | ||
38 | entry point. | ||
39 | |||
40 | You also need to ensure that there are no more than 64KB of notes in | ||
41 | your Notes folder. | ||
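Review bot: the 64KB limit on the Notes folder (last two lines of the hunk) is stated without its cause or consequence; say whether the firmware stops scanning once 64KB of notes have been read (so the crafted note is never loaded) or whether exceeding it changes the memory layout the overflow relies on, so a reader can diagnose a boot that silently falls through to the Apple firmware. The return-address paragraph also leaves "it" ambiguous in "as it is converted internally to utf-8": spell out that the note contents are run through a UTF-8 conversion before they reach the stack, so only addresses whose bytes survive that conversion are usable, which is the reason the branch at the end of the buffer is targeted rather than the real entry point. Finally, the entry point is described as coming from a JTAG RAM dump, but the hunk does not record which Apple firmware version the dump was taken from; since the address is firmware-specific, noting the version (and the address itself, or where in the source it is defined) would make it clear when the technique is expected to stop working.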