rockbox/utils/ipod/bin2note
Dave Chapman f8ec7e4ad4 Add some notes describing how the bin2note exploit works
git-svn-id: svn://svn.rockbox.org/rockbox/trunk@21904 a1c6a512-1295-4272-9138-f99709370657
2009-07-16 17:40:55 +00:00
..
bin2note.c
Makefile
README

bin2note
--------

bin2note implements the buffer overflow exploit documented here:

http://l4n.clustur.com/index.php/Nano2G_getting_exec


It is used to turn a blob of ARM code into an iPod notes file.  This
ARM code will then be executed on the iPod.

It is known to work on the 2nd generation Nano.


The Makefile contains rules for compiling an ARM assembler file
"test.S" into a notes file "test.htm".  Just put test.S in this
directory and type "make test.htm".


How it works
------------

When the Apple firmware boots, it scans the Notes folder and loads
each note in turn in order to check its content.

When it reaches our specially crafted note, a buffer overflows onto
the stack, writing the entry point of our code over the top of an
existing return address.

This entry point was determined by "stooo1" as part of the
"linux4nano" investigations into the Nano 2G.  He managed to attach a
JTAG debugger to his Nano 2G and dump the RAM after a notes file was
loaded.

Only certain return addresses can be used, as it is converted
internally to utf-8.  Hence we are currently using the address of the
last instruction in the buffer, which is a branch back to our real
entry point.

You also need to ensure that there are no more than 64KB of notes in
your Notes folder.