Difference between revisions of "Address bruteforcing"

From freemyipod.org
Jump to: navigation, search
m (Added link to firmware downgrading guide)
m (Fix some broken links (they were outdated but still broken :))
 
(23 intermediate revisions by 12 users not shown)
Line 1: Line 1:
'''NOTICE: Do not do this if you have a 2G or 4G Nano or the 1G Classic (80GB and 160GB models): we already have execution on them.''' We might not even need this done on the 2G Classic (120GB) either, but feel free to try. The main iPod we still need execution on is the 3G Nano, but someone has already built an automated bruteforcer for this one.
+
{{Outdated|reason=This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.}}
  
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
+
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.
  
 
== Setup ==
 
== Setup ==
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://l4n.clustur.com/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_Downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.
+
OK, so here's how to help out: first of all download a copy of [http://freemyipod.org/w/data/sweep/sweepfreeze.7z sweepfreeze.7z]. You will also need [http://freemyipod.org/w/data/sweep/sweepcrash.7z sweepcrash.7z]. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or [[Firmware_downgrading|downgrade]] to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.
  
 
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.
 
This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.
Line 13: Line 13:
 
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
 
Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
  
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow [http://spr33.co.uk/wp/?p=29 this guide], except use [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw this file] and [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-5583.20081111.Bhyui/iPod_31.1.0.3.ipsw.signature this file] as the firmware.
+
As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see [[Firmware_downgrading|firmware downgrading]].
  
 
== Steps ==
 
== Steps ==
Line 27: Line 27:
  
 
== Table of reserved or tested files ==
 
== Table of reserved or tested files ==
{| border="1"
+
{| class="wikitable"
 
|-
 
|-
 
! Username
 
! Username
Line 156: Line 156:
 
| a080f7f04.htm
 
| a080f7f04.htm
 
| Tested
 
| Tested
 +
|-
 +
| JoeWheeler
 +
| 3G Nano
 +
| 1.1.3
 +
| Windows
 +
| a08100104.htm
 +
| a08100904.htm
 +
| Reserved
 
|}
 
|}
  
 
== Table of non-#1 (or non-#4) behaviors ==
 
== Table of non-#1 (or non-#4) behaviors ==
 
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
 
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
{| border="1"
+
{| class="wikitable"
 
|-
 
|-
 
! Username
 
! Username
Line 304: Line 312:
 
|Windows
 
|Windows
 
|a080a4b04.htm
 
|a080a4b04.htm
|VERY Strange..hard to describe
+
|VERY Strange..hard to describe <sup>1</sup>
 
|Check this out..  Same for the sweepcrash..
 
|Check this out..  Same for the sweepcrash..
 
|-
 
|-
Line 314: Line 322:
 
|#3
 
|#3
 
|Freezes when I play a song.  Sweepcrash is #3 too.  Sweepdelay is #3...
 
|Freezes when I play a song.  Sweepcrash is #3 too.  Sweepdelay is #3...
 +
|-
 +
|KAB123
 +
|2G Classic
 +
|2.0.1
 +
|Windows
 +
|09196804.htm 08334d04.htm
 +
|#4 for sweepfreeze, #4 for sweepcrash.
 +
|
 
|}
 
|}
 +
 +
<sup>1</sup> - I have added video demonstration, d00p3k: [http://www.youtube.com/watch?v=qPNLKXXpmMM]

Latest revision as of 16:33, 27 January 2011

Warning The information and/or topic discussed here is not up to date.

This process is no longer needed. Anybody left trying this is wasting their time, but we are preserving it for reference.

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the freemyipod team will gladly help you out on IRC if you encounter any problems.

Setup

OK, so here's how to help out: first of all download a copy of sweepfreeze.7z. You will also need sweepcrash.7z. Don't be fooled by the small sizes, because uncompressed these archives are ~250MB. Each one contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware (except for the 4G Nano - update or downgrade to 1.0.3) because we want everyone to have the same version. Once you have these things set up, you are ready to go.

This process involves trying out various sweep files in the .7z archives. The files in sweepfreeze.7z will freeze if code has executed and the files in sweepcrash.7z will crash if code is executed. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try only the A files for right now. As you can see, there are many sweep files, and only some of them will do anything interesting. If nobody has started on your iPod yet, start trying files starting at a080a2004.htm, otherwise continue where the others have left off.

Be sure to reserve a range for yourself to test in the table below. (we don't wont anyone doing the same files at the same time) Reserve small amounts at a time.

Known problems

Note: if you are using your iPod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.

As stated above, this will not work with the 4G Nano with the 1.0.4 firmware or the 5G Nano. If you have 1.0.4, see firmware downgrading.

Steps

  1. Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweepfreeze.7z archive in there. Unmount your iPod and disconnect it.
  2. Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
    1. The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
    2. The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
    3. The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
    4. The iPod freezes up entirely.
  3. The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps for the next file, but read the paragraph below first!

Most sweep files will usually either crash(#1) or freeze(#4). If you have one/s that is not either of these, record it in the table. If you have one that crashes, you will need to test the same address again with the sweepcrash.7z archive. If the iPod crashes or does anything different this time, it is a good sign that we have execution. Definitely record any of these incidents in the table!

Table of reserved or tested files

Username iPod generation Firmware version Windows/Mac Starting filename Ending filename Status
Farthen 4G Nano 1.0.3 Windows a080a2004.htm a080a4e04.htm Tested
watto 4G Nano 1.0.3 Windows a080a4f04.htm a080b3f04.htm Tested
watto 4G Nano 1.0.3 Windows a080b4004.htm a080b7f04.htm Reserved
kylemsguy 4G Nano 1.0.3 Windows a080c0104.htm a080c1004.htm Tested
clueX 4G Nano 1.0.3 Windows a080d0a04.htm a080d0f04.htm Tested (All #1)
clueX 4G Nano 1.0.3 Windows a080d0104.htm a080d1004.htm Tested (All #1, except a080d0304 #4)
kylemsguy 4G Nano 1.0.3 Windows a080d1104.htm a080d2f04.htm Reserved
tucenaber 3G Nano 1.1.3 Windows a08010b04.htm a08027f04.htm Tested
tucenaber 3G Nano 1.1.3 Windows a08050104.htm a08057f04.htm Tested
Eosphere46 3G Nano 1.1.3 Windows a080a0a04 a080a1904 Tested Results Below
Eosphere46 3G Nano 1.1.3 Windows a080a2004.htm a080a5904.htm Tested!
tucenaber 3G Nano 1.1.3 Windows a080a6104.htm a080c7f04.htm Tested
tucenaber 3G Nano 1.1.3 Windows a080d0104.htm a080d7f04.htm Tested
BlackLotus 3G Nano 1.1.3 Windows a080e0104.htm a080e7f04.htm Reserved
tucenaber 3G Nano 1.1.3 Windows a080f0104.htm a080f7f04.htm Tested
JoeWheeler 3G Nano 1.1.3 Windows a08100104.htm a08100904.htm Reserved

Table of non-#1 (or non-#4) behaviors

If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.

Username iPod generation Firmware version Windows/Mac Sweep filename Behavior type Notes
Sto 2G Nano 1.1.3 Windows a08640568.htm #4 Direct jump to buffer
3mpty 1G Classic 1.0.3 Windows a080a2004.htm #4 Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location
PharaohsVizier 2G Classic 2.0.1 Windows a09352f04.htm a09352a04.htm a09352b04.htm #2 Unknown, definitely check this out
farthen, cmwslw, kylemsguy 4G Nano 1.0.4 Windows/Mac All #2 Not exploitable, as the bug is fixed in 1.0.4
farthen 4G Nano 1.0.3 Mac All #2 Not exploitable because it's a macpod
Superandy 3G Nano 1.1.3 Windows a08010c04 Freezes when I play a song - Please try a08010c04 from http://tinyurl.com/sweepdelay and post behavior :)

Ok, done that. It does the same thing, freezes. The 1st boot it froze stright away as soon as it loaded the album artwork for the menu. The second time it took about 10 seconds to freeze.

Pretty cool
Jwnordquist 2G Nano latest Windows a08010404.htm a08010504.htm a08010d04.htm a08010e04.htm a08010f04.htm a08011204.htm a08011304.htm a08011404.htm a08011904.htm #4
Farthen 4G Nano 1.0.3 Windows a080a2104.htm, a080a3b04.htm, a080a3e04.htm, a080a4604.htm, a080a4d04.htm #4 I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
Farthen 4G Nano 1.0.3 Windows a080a2f04.htm, a080a3a04.htm, #2 I don't know why I record this, *maybe* it can help. Should be of no interest but who knows... Crasher files have same result as freezer.
watto 4G Nano 1.0.3 Windows a080a4f04.htm, a080a6c04 to a080a7504 inc. #4 Same result with crash and freeze files.
watto 4G Nano 1.0.3 Windows a080a5c04.htm #2 Same result with crash and freeze files.
kylemsguy 4G Nano 1.0.3 Windows a080c0304.htm #4 The results for the sweep files were the same
Eosphere46 3G Nano 1.1.3 Windows a080a3504.htm a080a0104.htm a080a0204.htm a080a0304.htm a080a0404.htm a080a0504.htm a080a0604.htm a080a0704.htm a080a0804.htm a080a0904.htm #4 Same result with crash and freeze files, they both froze.
tucenaber 3G Nano 1.1.3 Windows a08012f04.htm a08013a04.htm a08015c04.htm a08022f04.htm a08023a04.htm a08025c04.htm #2 Same result for both freeze & crash files
tucenaber 3G Nano 1.1.3 Windows a08012b04.htm a08026104.htm #4 for sweepfreeze #1 for sweepcrash! Seems interesting to me but these are low addresses (below a080a2004)
Eosphere46 3G Nano 1.1.3 Windows a080a2f04.htm a080a3a04.htm a080a5c04.htm #2 for sweepfreeze #2 for sweepcrash Probably nothing much, but check it out.
Eosphere46 3G Nano 1.1.3 Windows a080a4b04.htm VERY Strange..hard to describe 1 Check this out.. Same for the sweepcrash..
Eosphere46 3G Nano 1.1.3 Windows a080a1004.htm #3 Freezes when I play a song. Sweepcrash is #3 too. Sweepdelay is #3...
KAB123 2G Classic 2.0.1 Windows 09196804.htm 08334d04.htm #4 for sweepfreeze, #4 for sweepcrash.

1 - I have added video demonstration, d00p3k: [1]