From f8ec7e4ad457a7a3a428f18eaf35f50a28d752b4 Mon Sep 17 00:00:00 2001 From: Dave Chapman Date: Thu, 16 Jul 2009 17:40:55 +0000 Subject: Add some notes describing how the bin2note exploit works git-svn-id: svn://svn.rockbox.org/rockbox/trunk@21904 a1c6a512-1295-4272-9138-f99709370657 --- utils/ipod/bin2note/README | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README index 0dbc9e465d..61e03b9981 100644 --- a/utils/ipod/bin2note/README +++ b/utils/ipod/bin2note/README @@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano. The Makefile contains rules for compiling an ARM assembler file "test.S" into a notes file "test.htm". Just put test.S in this directory and type "make test.htm". + + +How it works +------------ + +When the Apple firmware boots, it scans the Notes folder and loads +each note in turn in order to check its content. + +When it reaches our specially crafted note, a buffer overflows onto +the stack, writing the entry point of our code over the top of an +existing return address. + +This entry point was determined by "stooo1" as part of the +"linux4nano" investigations into the Nano 2G. He managed to attach a +JTAG debugger to his Nano 2G and dump the RAM after a notes file was +loaded. + +Only certain return addresses can be used, as it is converted +internally to utf-8. Hence we are currently using the address of the +last instruction in the buffer, which is a branch back to our real +entry point. + +You also need to ensure that there are no more than 64KB of notes in +your Notes folder. -- cgit v1.2.3
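Review bot: the paragraph beginning "Only certain return addresses can be used" states a constraint without explaining it: it says the address "is converted internally to utf-8" but not what that conversion implies for which address values survive, so a reader cannot check why "the address of the last instruction in the buffer" was chosen over the real entry point. Suggest one sentence stating the constraint explicitly (and writing "UTF-8" rather than "utf-8"), plus a reference to the linux4nano/"stooo1" findings the README already credits. Likewise the final paragraph's "no more than 64KB of notes" limit is given with no reason; note whether this was measured or derived, so later maintainers know whether it is a hard firmware limit or an observed one.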