2009-07-13 18:31:42 +00:00
bin2note
--------

bin2note implements the buffer overflow exploit documented here:

http://l4n.clustur.com/index.php/Nano2G_getting_exec

It is used to turn a blob of ARM code into an iPod notes file. This
ARM code will then be executed on the iPod.

It is known to work on the 2nd generation Nano.

The Makefile contains rules for compiling an ARM assembler file
"test.S" into a notes file "test.htm". Just put test.S in this
directory and type "make test.htm".

How it works
------------

When the Apple firmware boots, it scans the Notes folder and loads
each note in turn in order to check its content.

When it reaches our specially crafted note, a buffer overflows onto
the stack, writing the entry point of our code over the top of an
existing return address.

This entry point was determined by "stooo1" as part of the
"linux4nano" investigations into the Nano 2G. He managed to attach a
JTAG debugger to his Nano 2G and dump the RAM after a notes file was
loaded.

Only certain return addresses can be used, as the note's content is
converted internally to UTF-8. Hence we are currently using the
address of the last instruction in the buffer, which is a branch back
to our real entry point.

You also need to ensure that there are no more than 64KB of notes in
your Notes folder.