diff options
Diffstat (limited to 'utils/ipod/bin2note/README')
| -rw-r--r-- | utils/ipod/bin2note/README | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README index 0dbc9e465d..61e03b9981 100644 --- a/utils/ipod/bin2note/README +++ b/utils/ipod/bin2note/README | |||
| @@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano. | |||
| 15 | The Makefile contains rules for compiling an ARM assembler file | 15 | The Makefile contains rules for compiling an ARM assembler file |
| 16 | "test.S" into a notes file "test.htm". Just put test.S in this | 16 | "test.S" into a notes file "test.htm". Just put test.S in this |
| 17 | directory and type "make test.htm". | 17 | directory and type "make test.htm". |
| 18 | |||
| 19 | |||
| 20 | How it works | ||
| 21 | ------------ | ||
| 22 | |||
| 23 | When the Apple firmware boots, it scans the Notes folder and loads | ||
| 24 | each note in turn in order to check its content. | ||
| 25 | |||
| 26 | When it reaches our specially crafted note, a buffer overflows onto | ||
| 27 | the stack, writing the entry point of our code over the top of an | ||
| 28 | existing return address. | ||
| 29 | |||
| 30 | This entry point was determined by "stooo1" as part of the | ||
| 31 | "linux4nano" investigations into the Nano 2G. He managed to attach a | ||
| 32 | JTAG debugger to his Nano 2G and dump the RAM after a notes file was | ||
| 33 | loaded. | ||
| 34 | |||
| 35 | Only certain return addresses can be used, as it is converted | ||
| 36 | internally to utf-8. Hence we are currently using the address of the | ||
| 37 | last instruction in the buffer, which is a branch back to our real | ||
| 38 | entry point. | ||
| 39 | |||
| 40 | You also need to ensure that there are no more than 64KB of notes in | ||
| 41 | your Notes folder. | ||