| blob | 61e03b9981b98405373c8974b321c1671fdb362c |
1 bin2note
2 --------
4 bin2note implements the buffer overflow exploit documented here:
6 http://l4n.clustur.com/index.php/Nano2G_getting_exec
9 It is used to turn a blob of ARM code into an iPod notes file. This
10 ARM code will then be executed on the iPod.
12 It is known to work on the 2nd generation Nano.
15 The Makefile contains rules for compiling an ARM assembler file
16 "test.S" into a notes file "test.htm". Just put test.S in this
17 directory and type "make test.htm".
20 How it works
21 ------------
23 When the Apple firmware boots, it scans the Notes folder and loads
24 each note in turn in order to check its content.
26 When it reaches our specially crafted note, a buffer overflows onto
27 the stack, writing the entry point of our code over the top of an
28 existing return address.
30 This entry point was determined by "stooo1" as part of the
31 "linux4nano" investigations into the Nano 2G. He managed to attach a
32 JTAG debugger to his Nano 2G and dump the RAM after a notes file was
33 loaded.
35 Only certain return addresses can be used, as it is converted
36 internally to utf-8. Hence we are currently using the address of the
37 last instruction in the buffer, which is a branch back to our real
38 entry point.
40 You also need to ensure that there are no more than 64KB of notes in
41 your Notes folder.