Dave Chapman | af624e0 | 2009-07-13 18:31:42 +0000

bin2note
--------

bin2note implements the buffer overflow exploit documented here:

http://l4n.clustur.com/index.php/Nano2G_getting_exec

It is used to turn a blob of ARM code into an iPod notes file. This
ARM code will then be executed on the iPod.

It is known to work on the 2nd generation Nano.

The Makefile contains rules for compiling an ARM assembler file
"test.S" into a notes file "test.htm". Just put test.S in this
directory and type "make test.htm".

How it works
------------

When the Apple firmware boots, it scans the Notes folder and loads
each note in turn in order to check its content.

When it reaches our specially crafted note, a buffer overflows onto
the stack, writing the entry point of our code over the top of an
existing return address.

This entry point was determined by "stooo1" as part of the
"linux4nano" investigations into the Nano 2G. He managed to attach a
JTAG debugger to his Nano 2G and dump the RAM after a notes file was
loaded.

Only certain return addresses can be used, because the note's content
is converted internally to UTF-8 before it reaches the stack. Hence we
are currently using the address of the last instruction in the buffer,
which is a branch back to our real entry point.

You also need to ensure that there are no more than 64KB of notes in
your Notes folder.