freemyipod - User contributions [en]

Nanotron 3000

2009-09-22T12:06:24Z

Tucenaber: /* tucenaber */

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]]
[[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.
==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]]
[[File:Nanotron2G-TheSeven-2.jpg|200px]]
[[File:Nanotron2G-TheSeven-3.jpg|200px]]
[[File:Nanotron2G-TheSeven-4.jpg|200px]]
[[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.
==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]]
[[File:IMG_0017.JPG|200px]]
[[File:IMG_0018.JPG|200px]]
[[File:IMG_0019.JPG|200px]]
[[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg]]
[[File:Nanotron3g2.jpg]]
[[File:Nanotron3g3.jpg]]
[[File:Nanotron3g4.jpg]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rests on one rubber ring each, comes from a bicylce wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up.
The software is a slightly modified version of cmwslw's code.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds
=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it
=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons.

We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

File:Nanotron3g4.jpg

2009-09-22T11:29:14Z

Tucenaber: Nanotron 3g

Nanotron 3g

File:Nanotron3g3.jpg

2009-09-22T11:25:17Z

Tucenaber: Nanotron 3g

Nanotron 3g

File:Nanotron3g2.jpg

2009-09-22T11:20:08Z

Tucenaber: Nanotron 3g

Nanotron 3g

Nanotron 3000

2009-09-22T11:14:06Z

Tucenaber: /* tucenaber */

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]]
[[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.
==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]]
[[File:Nanotron2G-TheSeven-2.jpg|200px]]
[[File:Nanotron2G-TheSeven-3.jpg|200px]]
[[File:Nanotron2G-TheSeven-4.jpg|200px]]
[[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.
==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]]
[[File:IMG_0017.JPG|200px]]
[[File:IMG_0018.JPG|200px]]
[[File:IMG_0019.JPG|200px]]
[[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg]]
[[File:Nanotron3g2.jpg]]
[[File:Nanotron3g3.jpg]]
[[File:Nanotron3g4.jpg]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rests on one rubber rings each, comes from a bicylce wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds
=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it
=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons.

We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

File:Nanotron3g1.jpg

2009-09-22T11:01:19Z

Tucenaber: Nanotron 3g

Nanotron 3g

Nanotron 3000

2009-09-22T11:00:32Z

Tucenaber: /* Nanotrons */

Because of the immense amount of time it will take to brute force the 3G and the 4G by hand, the Linux4nano team has hatched an ambitious idea. We have decided to build a brute forcing robot with LEGO Mindstorms. We can leave this bot running overnight and hopefully find out the correct addresses. If the LEGO idea is not feasible we can resort to using transistors like Sto used on the 2G. This would be more expensive but easier IMO.

== Nanotrons ==
=== Farthen ===
[[File:Nanotron-3000-farthen-1.jpg|200px]]
[[File:Nanotron-3000-farthen-2.jpg|200px]]

This is my first nanotron. I had some mechanical difficulties and needed to rebuild it. I'll upload some pictures of the second one at some time.
==== Specific technical details of my nanotron ====
* motor for pressing menu is connected to motor slot 1
* motor for pressing select is connected to motor slot 2
* motor for pressing play is connected to motor slot 3
* all motors press the buttons when powered to the "upright" direction

=== TheSeven ===
[[File:Nanotron2G-TheSeven-1.jpg|200px]]
[[File:Nanotron2G-TheSeven-2.jpg|200px]]
[[File:Nanotron2G-TheSeven-3.jpg|200px]]
[[File:Nanotron2G-TheSeven-4.jpg|200px]]
[[File:Nanotron2G-TheSeven-5.jpg|200px]]

My Nanotron2G was designed as a hardware proof of concept, and as a development platform for the software (and thus was the first one to actually work). It's designed for a Nano 2G, but adapting it to other players should be easy. It also has the advantage that the Nano can easily be removed from it. This Nanotron will probably never do real bruteforcing work, though, as I currently don't have a player that hasn't already been cracked. It took me about 4 hours to design and build that. If you need information on how to build it, just ask. The pictures aren't up to date any more, as I have replaced parts of the front construction by technic bars for enhanced stability. The moving parts have stayed the same, though.
==== Specific technical details of my nanotron ====
* light sensor is connected to sensor port 1 and faced in direction of the screen (~1mm above it).
* motor for pressing the menu+select combo is connected to motor port A
* motor for pressing the select+play combo is connected to motor port C

=== cmwslw ===
[[File:IMG_0016.JPG|200px]]
[[File:IMG_0017.JPG|200px]]
[[File:IMG_0018.JPG|200px]]
[[File:IMG_0019.JPG|200px]]
[[File:IMG_0020.JPG|200px]]

My Nanotron is currently the only NXT-based one. I am working on the software for this using the nxt-python module. Instead of using diagonal rods to press buttons down, this uses 3 motors to use levers to press the buttons. It also has a light sensor (for backlight detection), and a touch sensor (for debugging and user intervention). Hopefully this design will prove to be very reliable.

=== tucenaber ===
[[File:Nanotron3g1.jpg]]

This nanotron is built from stuff I either had or could buy cheaply and is constructed for hacking the Nano 3g. The main parts are the servo motor and the Arduino microcontroller. Both are extremely cheap and the whole thing is powered entirely through USB. The two arms which rests on one rubber rings each, comes from a bicylce wheel and as can be seen in the pictures they bent too easily and had to be reinforced by steel wire. One such ring, when placed correctly, is enough to push down two buttons on the iPod simultaneously. The servo was also not entirely up to the task which explains the complicated pulling arrangement. The Arduino program is five lines long, and on the whole it is extremely easy to set up.

== Technical details for 4G ==
*Time to hold down menu and center buttons to restart: exactly 5 seconds
=== Cable disconnected ===
*Time to reboot to main menu: 17.5 seconds
*Time to reboot to disk mode: 2-3 seconds depending on how quick you can press it
=== Cable connected ===
*Time to reboot to main menu: 35 seconds
*Time to reboot to disk mode: 11 seconds

For some reason booting up with the cable connected doubles the time to boot up, but we pretty much have to use the cable.

Using the times I've gathered, we can make a timeline of how our process will work, starting from disk mode:
# Take off old note file, put in new one (half a second)
# Hold down menu and select to reboot (5 seconds)
# Wait for boot (35 seconds)
# Find out what state the iPod is in and react accordingly (5 seconds if we have to force reboot)
# Boot to disk mode and start from beginning (11 seconds)

So the amount of time to test one file would take roughly 56.5 seconds (most likely 60 seconds with some delays in between). With that time we can test about 1440 files a day. With a 16-byte step (4 instructions, maybe we should do 2?) we could bust through a whopping 23040 bytes a day (0x5A00). Some addresses will have to be skipped for UTF-8 reasons.

We might end up having to try both the freeze and the crash files for the same address, which would double the time, but still be very practical.

TODO: work out ways from the robot's perspective to determine how the iPod reacts to the notes file. The easiest way seems to use the backlight, but this needs to be looked into. Perhaps we could use the iPod's USB status to tell...

=== Testing for freeze ===
Currently, the easiest way to test for a working iPod is to look for a line similar to:
[ 9275.123081] scsi 17:0:0:0: Direct-Access Apple iPod 1.62 PQ: 0 ANSI: 0
in the kernel logs. There is a delay of a few seconds before this is displayed. Frozen iPods will either keep generating USB errors or show nothing at all (if the cable was plugged in late). Careful attention will need to be made to make sure past log entries do not interfere with the current test. Perhaps we could fiddle with the log level/verbosity to only show important info. If anyone knows an easier way to test this, let us know.

TODO: post kernel logs and investigate reboot log behavior

Address bruteforcing

2009-09-12T18:16:55Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Tested Results Below
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5904.htm
| Tested!
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Tested
|-
| BlackLotus
| 3G Nano
| 1.1.3
| Windows
| a080e0104.htm
| a080e7f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080f0104.htm
| a080f7f04.htm
| Tested
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| 1.1.3
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a1004.htm
|#3
|Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
|}

Address bruteforcing

2009-09-05T18:16:49Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080a6104.htm
| a080c7f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080d0104.htm
| a080d7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a2f04.htm a080a3a04.htm a080a5c04.htm
|#2 for sweepfreeze #2 for sweepcrash
|Probably nothing much, but check it out.
|-
|Eosphere46
|3G Nano
|1.1.3
|Windows
|a080a4b04.htm
|VERY Strange..hard to describe
|Check this out.. Same for the sweepcrash..
|}

Address bruteforcing

2009-09-04T22:09:04Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a080b0104.htm
| a080b7f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}

Address bruteforcing

2009-09-04T21:59:30Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08050104.htm
| a08057f04.htm
| Tested
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}

Address bruteforcing

2009-09-04T00:16:11Z

Tucenaber: /* Table of non-#1 (or non-#4) behaviors */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Same result for both freeze & crash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012b04.htm a08026104.htm
| #4 for sweepfreeze #1 for sweepcrash!
| Seems interesting to me but these are low addresses (below a080a2004)
|}

Address bruteforcing

2009-09-03T20:13:12Z

Tucenaber: /* Table of non-#1 (or non-#4) behaviors */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm a08020d04.htm a08026104.htm a08026604.htm a08027704.htm
| #4
| Have not tested sweepcrash files
|}

Address bruteforcing

2009-09-03T20:11:42Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08027f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm
| #4
| Have not tested sweepcrash files
|}

Address bruteforcing

2009-09-03T04:12:45Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08017f04.htm
| Tested with sweepfreeze
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08020104.htm
| a08027f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm
| #4
| Have not tested sweepcrash files
|}

Address bruteforcing

2009-09-03T04:02:24Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08017f04.htm
| Tested with sweepfreeze
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm
| #4
| Have not tested sweepcrash files
|}

Address bruteforcing

2009-09-03T04:00:38Z

Tucenaber: /* Table of non-#1 (or non-#4) behaviors */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08017f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08012f04.htm a08013a04.htm a08015c04.htm
| #2
| Have not tested sweepcrash files
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010304.htm a08010c04.htm a08012404.htm a08012b04.htm a08014204.htm a08014c04.htm a08016204.htm a08016c04.htm a08016e04.htm a08017204.htm
| #4
| Have not tested sweepcrash files
|}

Address bruteforcing

2009-09-02T22:54:59Z

Tucenaber: /* Table of reserved or tested files */

'''NOTICE: Do not do this if you have a 2G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

== Known problems ==
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/archives/downgrading-apple-ipod-firmware-102-101 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.

== Steps ==
# Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
# Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
## The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
## The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
## The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
## The iPod freezes up entirely.
# The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

== Table of reserved or tested files ==
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Starting filename
! Ending filename
! Status
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2004.htm
| a080a4e04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm
| a080b3f04.htm
| Tested
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080b4004.htm
| a080b7f04.htm
| Reserved
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0104.htm
| a080c1004.htm
| Tested
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0a04.htm
| a080d0f04.htm
| Tested (All #1)
|-
| clueX
| 4G Nano
| 1.0.3
| Windows
| a080d0104.htm
| a080d1004.htm
| Tested (All #1, except a080d0304 #4)
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080d1104.htm
| a080d2f04.htm
| Reserved
|-
| tucenaber
| 3G Nano
| 1.1.3
| Windows
| a08010b04.htm
| a08017f04.htm
| Reserved
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a2004.htm
| a080a5004.htm
| Tested! All #1 Except A080a3504, which was a #4. The SweepCrash was also a #4 for that one.
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a0a04
| a080a1904
| Reserved
|}

== Table of non-#1 (or non-#4) behaviors ==
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
|-
! Username
! iPod generation
! Firmware version
! Windows/Mac
! Sweep filename
! Behavior type
! Notes
|-
| Sto
| 2G Nano
| 1.1.3
| Windows
| a08640568.htm
| #4
| Direct jump to buffer
|-
| 3mpty
| 1G Classic
| 1.0.3
| Windows
| a080a2004.htm
| #4
| Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
|-
| PharaohsVizier
| 2G Classic
| 2.0.1
| Windows
| a09352f04.htm a09352a04.htm a09352b04.htm
| #2
| Unknown, definitely check this out
|-
| farthen, cmwslw, kylemsguy
| 4G Nano
| 1.0.4
| Windows/Mac
| All
| #2
| Not exploitable, as the bug is fixed in 1.0.4
|-
| farthen
| 4G Nano
| 1.0.3
| Mac
| All
| #2
| Not exploitable because it's a macpod
|-
| Superandy
| 3G Nano
| Latest (idk)
| Windows
| a08010c04
| Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)
Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.
| Pretty cool
|-
| Jwnordquist
| 2G Nano
| latest
| Windows
| a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm
| #4
|
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm
| #4
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| Farthen
| 4G Nano
| 1.0.3
| Windows
| a080a2f04.htm, a080a3a04.htm,
| #2
| I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a4f04.htm, a080a6c04 to a080a7504 inc.
| #4
| Same result with crash and freeze files.
|-
| watto
| 4G Nano
| 1.0.3
| Windows
| a080a5c04.htm
| #2
| Same result with crash and freeze files.
|-
| kylemsguy
| 4G Nano
| 1.0.3
| Windows
| a080c0304.htm
| #4
| The results for the sweep files were the same
|-
| Eosphere46
| 3G Nano
| 1.1.3
| Windows
| a080a3504.htm
| #4
| Same result with crash and freeze files, they both froze.
|}