Thanks!

On Thu, Feb 19, 2009 at 12:20 PM, Raoul Guggenheim <[email protected]> wrote:
> Found this on the docs of 3G:
> http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
> So it's a S5L8702 but I haven't found any documentation.
>
> On 19.02.2009 at 09:37, The Seven <[email protected]> wrote:
>
> > Yes, it can well be possible that the stack address of the data buffer
> > varies. I hoped it didn't, however, it seems like I was either wrong
> > there, or it has indeed an execution protection on the stack. That makes
> > it a lot harder. However, the notes files were generated for 2G, not 3G,
> > so it could be, that 3G uses different addresses at all. To confirm this
> > and to generate the files for 3G, I need detailed docs of the processor.
> >
> > Sebastian Schutte wrote:
> >> Hi,
> >>
> >> I checked another 20 tonight (35-55). No freezing, but there are timing
> >> differences. I then retried 27 and 29 to confirm that they did not show
> >> any effect. This time, they led to normal reboots! I swear that I didn't
> >> mess up on that one. Yesterday, they did not lead to reboots. But maybe
> >> the problem is that it seems very hard to reproduce the crash behaviour:
> >> The timing of the first crash, for example, always varies. When I try to
> >> enter the notes folder, it takes something between an eye blink and a
> >> second before the screen turns dark. Then I had the two files that did
> >> not work yesterday, but today. What does that mean? Can the overflow
> >> occur in a non-deterministic memory environment, leading to such
> >> different effects? I hope this is helpful to anybody.
> >>
> >> The Seven wrote:
> >>> If the 0x00s would have been a problem or the link would not have been
> >>> recognized, it would not have crashed.
> >>>
> >>> Taylor Gordon wrote:
> >>>
> >>>> Hmmm... So far, it seems that none of the notes have made the iPod
> >>>> freeze, right? I wonder why 27 and 29 didn't display anything at all
> >>>> though.
> >>>>
> >>>> @TheSeven: Maybe different opcodes with a '0' messed the file up? Or
> >>>> it didn't think it was a valid link.
> >>>>
> >>>> On Wed, Feb 18, 2009 at 2:49 AM, Sebastian Schutte
> >>>> <[email protected]> wrote:
> >>>>
> >>>>> Both files (27&29) opened, but only showed a blank screen. I could
> >>>>> open/close them repeatedly without reboot. I also noted timing
> >>>>> differences for the reboot duration. But I think we'd have to check
> >>>>> that later systematically if no freezing can be observed at all.
> >>>>>
> >>>>> The Seven wrote:
> >>>>>
> >>>>>> I'll double check that later today, but it sounds interesting...
> >>>>>> However, I expect the behavior to be generation dependent, so please
> >>>>>> make sure that all files are checked on 2G at least.
> >>>>>>
> >>>>>> Sebastian, were you able to view the content of the notes 27 and 29?
> >>>>>> What did you see?
> >>>>>>
> >>>>>> Sebastian Schutte wrote:
> >>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I tested some files (25-35) on an iPod nano 3rd gen. Except 27 and
> >>>>>>> 29, they only led to repeated reboots. No freezing so far. For 27
> >>>>>>> and 29 there was no effect at all.
> >>>>>>>
> >>>>>>> Cheers,
> >>>>>>> Sebastian
> >>>>>>>
> >>>>>>> Taylor Gordon wrote:
> >>>>>>>
> >>>>>>>> Update: I've tried note_0 and note_89 and they DON'T work - so try
> >>>>>>>> the other 126 for now :)
> >>>>>>>>
> >>>>>>>> On Tue, Feb 17, 2009 at 4:07 PM, The Seven <[email protected]>
> >>>>>>>> wrote:
> >>>>>>>>
> >>>>>>>>> The first test note files are ready!
> >>>>>>>>> Get them at http://taylor.fileave.com/lockup.zip
> >>>>>>>>>
> >>>>>>>>> There are 128 files named note_XXX.txt
> >>>>>>>>> One of them will hopefully make the iPod lock up or show some
> >>>>>>>>> other unexpected behavior. If we find that one, we're a huge step
> >>>>>>>>> closer.
> >>>>>>>>>
> >>>>>>>>> It could also be that it just takes longer (or even shorter?) to
> >>>>>>>>> reboot... So if one of the files shows a DIFFERENT behavior than
> >>>>>>>>> the others, please tell me.
> >>>>>>>>>
> >>>>>>>>> Placing multiple of them on the iPod at once will NOT work!
> >>>>>>>>>
> >>>>>>>>> 3mpty wrote:
> >>>>>>>>> > 2009/2/17 The Seven <[email protected]>
> >>>>>>>>>
> >>>>>>>>>>> 3mpty wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>>> Target address range is 0x22000000 to 0x2203fff (SRAM)
> >>>>>>>>>>>>>
> >>>>>>>>>>>> The second number is 0x22003FFF or 0x2203FFF0? A digit is
> >>>>>>>>>>>> missing (am I wrong?)
> >>>>>>>>>>>
> >>>>>>>>>>> 0x2203FFFF, or rather a little below since our shellcode will
> >>>>>>>>>>> have a nop zone of 2KB
> >>>>>>>>>>>
> >>>>>>>>>> I'm trying right now some text file.
> >>>>>>>>>>
> >>>>>>>>>> 0x22 at the addresses where we need it (odd ones) will not hurt
> >>>>>>>>>> in unicode.
> >>>>>>>>>>
> >>>>>>>>>> Oh, I forgot the endianness, stupid error, you are right
> >>>>>>>>>>
> >>>>>>>>>> Paolo
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> Linux4nano-dev mailing list
> >>>>>>>>>> [email protected]
> >>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev
> >>>>>>>>>> http://www.linux4nano.org
>
> --
> Created with Opera: http://www.opera.com
