Address bruteforcing

Revision as of 17:01, 21 August 2009 by Cmwslw

The best way people can help us out right now is by helping find the correct address we need to jump to in order to execute code. This has already been done on the 2G Nano and the 1G Classic, but we still need help with the other iPods. If you find the correct return address, you can rightfully brag about being the first person to run non-Apple code on that iPod :-). I'd also like to point out that your iPod cannot be bricked by this process, and the Linux4nano team will gladly help you out on IRC if you encounter any problems.

OK, so here's how to help out. First, download a copy of sweep.7z. Don't be fooled by its small size: uncompressed, the archive is about 500 MB, because it contains one notes file for every return address that can possibly be jumped to. Rather than extracting the whole thing, extract only the files you need, one at a time. Also update your iPod to the latest firmware, because we want everyone to be testing the same version. Once you have these things set up, you are ready to go.

  1. Connect your iPod to the computer if it isn't already and browse to its Notes directory. Clear out any previous notes files and put a single new one from the sweep.7z archive in there. Unmount your iPod and disconnect it.
  2. Reboot your iPod by holding the Menu and center buttons for a few seconds. The Apple logo will show while it is booting, and when the iPod is done booting you will see one of four scenarios:
       1. The iPod reboots automatically the instant the main menu is shown. This leads to an endless reboot cycle until the note is removed.
       2. The iPod works completely normally. You can navigate menus, play music, etc. without any problems.
       3. The iPod seems to work normally, i.e. you can still navigate menus, but when you try to play a song it freezes or crashes.
       4. The iPod freezes up entirely.
     Most sweep files will produce behaviour #1. Record any non-#1 behaviour, together with the address that causes it, on this wiki.
  3. The next step is to get into disk mode. First, you need to
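The procedure above is a sweep: one notes file per candidate return address, one reboot per file, and a record of every address that produced anything other than behaviour #1. The following Python helper, added here as an illustration and not part of the Linux4nano tooling (sweep.7z was not produced with it), shows the bookkeeping side of such a sweep: it builds a payload for a range of word-aligned candidate addresses, encodes the address in the file name so it can never be confused with another sweep file, and tracks which addresses are still untested and which are worth reporting. The payload layout it uses (a fixed run of filler followed by a 4-byte little-endian address, and a 0x200-byte filler length) is an assumption for the example only; this page does not state the real overflow offset or address encoding.

```python
"""
Address-sweep bookkeeping helper (added example; not the project's own code).

ASSUMPTIONS, not taken from the page:
  - the overflowing note is PAD_LEN bytes of filler followed by the
    candidate return address as a 4-byte little-endian word;
  - candidate addresses are stepped in 4-byte (word-aligned) increments.
"""
import re
import struct
from pathlib import Path

PAD_LEN = 0x200   # ASSUMED filler length before the overwritten return address
ALIGN = 4         # ASSUMED word alignment of candidate addresses

# Outcomes exactly as numbered in the procedure on this page.
OUTCOMES = {
    1: "reboots instantly when the main menu appears",
    2: "works completely normally",
    3: "menus work, but playing a song freezes or crashes",
    4: "freezes entirely",
}


def candidate_addresses(start, end, step=ALIGN):
    """Yield aligned candidate addresses in the half-open range [start, end)."""
    if step <= 0 or step % ALIGN:
        raise ValueError("step must be a positive multiple of ALIGN")
    addr = (start + ALIGN - 1) & ~(ALIGN - 1)   # round start up to alignment
    while addr < end:
        yield addr
        addr += step


def build_note(addr, pad_len=PAD_LEN):
    """Build the notes-file payload for one candidate address (assumed layout)."""
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError(f"address out of 32-bit range: {addr:#x}")
    return b"A" * pad_len + struct.pack("<I", addr)


def note_name(addr):
    """File name that carries the candidate address, e.g. sweep_08000000.txt."""
    return f"sweep_{addr:08x}.txt"


_NAME_RE = re.compile(r"^sweep_([0-9a-f]{8})\.txt$")


def address_from_name(name):
    """Recover the candidate address from a sweep file name; rejects other files."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a sweep notes file: {name}")
    return int(m.group(1), 16)


def write_sweep(outdir, start, end, step=ALIGN):
    """Write one notes file per candidate address; returns the paths written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for addr in candidate_addresses(start, end, step):
        path = outdir / note_name(addr)
        path.write_bytes(build_note(addr))
        paths.append(path)
    return paths


def record_result(results, addr, outcome):
    """Record the outcome number (1-4) observed after booting with one address."""
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {sorted(OUTCOMES)}")
    results[addr] = outcome
    return results


def worth_reporting(results):
    """Addresses that produced any non-#1 behaviour: these go on the wiki."""
    return sorted(addr for addr, outcome in results.items() if outcome != 1)


def untested(results, start, end, step=ALIGN):
    """Candidates in the range that nobody has recorded a result for yet."""
    return [a for a in candidate_addresses(start, end, step) if a not in results]


if __name__ == "__main__":
    # Tiny demonstration range; these addresses are placeholders, not real targets.
    written = write_sweep("sweep_out", 0x00000000, 0x00000020)
    print(f"wrote {len(written)} notes files, e.g. {written[0].name}")
    results = {}
    record_result(results, 0x00000000, 1)
    record_result(results, 0x00000004, 3)
    print("report these:", [f"{a:#010x}" for a in worth_reporting(results)])
    print("still untested:", [f"{a:#010x}" for a in untested(results, 0, 0x20)])
```

Because the address is encoded in the file name, a volunteer can copy one file into the Notes directory, reboot, and afterwards read the tested address straight off the directory listing rather than keeping a separate mapping; `untested()` lets several people split one range without duplicating each other's reboots.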

Matrix of working devices

This matrix of working devices is still incomplete. It will be updated, and at some point it will also list the actual address to jump to for each device.

Device            Windows-formatted (FAT)   Mac-formatted (HFS)
iPod nano 2g      Yes                       Untested
iPod nano 3g      No                        No
iPod nano 4g      crashed                   No
iPod classic 1g   Yes                       Untested
iPod classic 2g   No                        No

The status "crashed" means that the device crashed when the modified notes were put on it, but we have not (yet) found an address that is exploitable.