Difference between revisions of "Address bruteforcing"
(added tested files table) |
|||
Line 4: | Line 4: | ||
OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by it's small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. | OK, so here's how to help out: first of all download a copy of [http://l4n.clustur.com/data/sweep/sweep.7z sweep.7z]. Don't be fooled by it's small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go. | ||
− | This process involves trying out various sweep files in the sweep.7z archive. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first. This will increase your chances of finding an address that works. | + | This process involves trying out various sweep files in the sweep.7z archive. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly. |
You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the ram where freezes are normal. ie. a2004 range | You can use the files in [http://l4n.clustur.com/data/sweep/sweepdelayedcrash.7z sweepdelayedcrash.7z] if you are brute forcing in the lower parts of the ram where freezes are normal. ie. a2004 range |
Revision as of 17:20, 22 August 2009
The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic. But now we really need help with the other iPods. Regardless of technical experience, anyone can help us out and get Rockbox and iPodLinux ported to the Nano's quicker. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process and the Linux4nano team will gladly help you out on IRC if you encounter any problems.
Setup
OK, so here's how to help out: first of all download a copy of sweep.7z. Don't be fooled by it's small size, because uncompressed this archive is ~250MB. It contains every return address that can possibly be jumped to. The best way to get the files is to just extract the files you need one by one, rather than the whole thing. Also update your iPod to the latest firmware because we want everyone to have the same version. Once you have these things set up, you are ready to go.
This process involves trying out various sweep files in the sweep.7z archive. The files are .htm format. They are prefixed with either an 'a' or a 'b' and then the address they jump to. You should try both the A and B prefixed files, but just the A files if you are in the 080aXXXX.htm range. As you can see, there are many sweep files, and only some of them will do anything interesting. If you are about to try this, jump on over to #linux4nano-dev on freenode and ask the developers for a recommendation of which region of files to try first, and which .7z archive to use. This will increase your chances of finding an address that works. It is best to try the addresses in order, not just randomly.
You can use the files in sweepdelayedcrash.7z if you are brute forcing in the lower parts of the ram where freezes are normal. ie. a2004 range
Known problems
Note: if you are using your ipod with a Mac, your note files will not do anything. You will need to reformat the iPod to FAT32, and restore using iTunes on a Windows machine.
Also, the 1.0.4 firmware release for the nano 4g has patched the notes vulnerability. Do not upgrade to it (there are no new features). I would suggest not upgrading any other iPods either as of August 21. If you already upgraded to 1.0.4, you can follow this guide, except use this file and this file as the firmware.
Steps
- Connect your iPod to the computer if it isn't already and browse to it's Notes directory. Clear out any previous notes files and put a new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
- Reboot your iPod by holding the menu and center buttons for a few seconds. The apple logo will show while it is booting, and when the iPod is done booting you will see 1 of 4 scenarios:
- The iPod reboots automatically the instant the main menu is shown. This will lead to an endless reboot cycle until the note is taken off
- The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
- The iPod seems to work normally ie. you can still navigate menus, but when you try to play a song it freezes or crashes
- The iPod freezes up entirely.
- The next step is to get into disk mode in order to remove the notes file. First, you need to reboot by holding menu+center. If your note causes a type #1 behavior, the iPod is always rebooting and you do not need to reboot manually. When the apple logo shows up, hold the play and center buttons until the disk mode screen comes up. Repeat these steps to try another sweep file.
Please record the ranges of files you test in the table below. (no point in having people try the same thing twice) Most sweep files will generate a #1 behavior. Record any non-#1 behaviors and the address that causes them in the second table (you have to be registered on the wiki first). You can also drop in at #linux4nano-dev if you have anything interesting to report and discuss it with the developers.
Table of tested files
Username | iPod generation | Firmware version | Windows/Mac | Starting filename | Ending filename |
---|---|---|---|---|---|
Farthen | 4G Nano | 1.0.3 | Windows | a080a2004.htm | a080a4e04.htm |
Table of non-#1 behaviors
If you leave an entry in here and don't normally hang out on IRC, send your email address to me at (cwalker32 AT gmail DOT com). This will give us a way to contact you if necessary.
Username | iPod generation | Firmware version | Windows/Mac | Sweep filename | Behavior type | Notes |
---|---|---|---|---|---|---|
Sto | 2G Nano | 1.1.3 | Windows | a08640568.htm | #4 | Direct jump to buffer |
Empty | 1G Classic | 1.0.3 | Windows | a080a2004.htm | #4 | Indirect - an ldmia instruction in firmware portion of ram jumps to the correct buffer location |
PharaohsVizier | 2G Classic | 2.0.1 | Windows | a09352f04.htm a09352a04.htm a09352b04.htm | #2 | Unknown, definitely check this out |
farthen, cmwslw, kylemsguy | 4G Nano | 1.0.4 | Windows/Mac | All | #2 | Not exploitable, as the bug is fixed in 1.0.4 |
farthen | 4G Nano | 1.0.3 | Mac | All | #2 | Not exploitable because it's a macpod |
Superandy | 3G Nano | Latest (idk) | Windows | a08010c04 | Freezes when I play a song | Pretty cool |