Page 18 has a diagram of the 3rd geneneration internals: http://www.freescale.com/files/ftf_2008/presentations/China/PC112_SigmaTelMultimediaProductsiMXStrengtheningFreescalesiMXMultimediaEcosystem.pdf
Taylor Gordon wrote: > Thanks! > > On Thu, Feb 19, 2009 at 12:20 PM, Raoul Guggenheim <[email protected]> wrote: > > >> Found this on the docs of 3G: >> http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html >> So it's a S5L8702 but I haven't found any documentation. >> >> >> Am 19.02.2009, 09:37 Uhr, schrieb The Seven <[email protected]>: >> >> >>> Yes, it can well be possible that the stack address of the data buffer >>> varies. I hoped it didn't, however, it seems like I was either wrong >>> there, or it has indeed an execution protection on the stack. That makes >>> it a lot harder. However, the notes files were generated for 2G, not 3G, >>> so it could be, that 3G uses different addresses at all. To confirm this >>> and to generate the files for 3G, I need detailed docs of the processor. >>> >>> Sebastian Schutte schrieb: >>> >>>> Hi, >>>> >>>> I checked another 20 tonight (35-55). No freezing, but there are timing >>>> differences. I then retried 27 and 29 to confirm that they did not show >>>> any effect. This time, they led to normal reboots! I swear that I didn't >>>> mess up on that one. Yesterday, they did not lead to reboots. But maybe >>>> the problem is that it seems very hard to reproduce the crash behaviour: >>>> The timing of the first crash, for example, always varies. When I try to >>>> enter the notes folder, it takes something between and eye blink and a >>>> second before the screen turns dark. Then I had the two files that did >>>> not work yesterday, but today. What does that mean? Can the overflow >>>> occur in a non-deterministic memory environment, leading to such >>>> different effects? I hope this is helpful to anybody. >>>> >>>> The Seven wrote: >>>> >>>>> If the 0x00s would have been a problem or the link qould not have been >>>>> recognized, it would not have crashed. >>>>> >>>>> Taylor Gordon schrieb: >>>>> >>>>> >>>>>> Hmmm... SO so far, it seems that none of the notes have made the ipod >>>>>> freeze, right? I wonder why 27 and 29 didn't display anything at all >>>>>> though. >>>>>> >>>>>> @TheSeven: Maybe different opcodes with a '0' messed the file up? Or >>>>>> it >>>>>> didn't think it was a valid link. >>>>>> >>>>>> On Wed, Feb 18, 2009 at 2:49 AM, Sebastian Schutte >>>>>> <[email protected]>wrote: >>>>>> >>>>>> >>>>>> >>>>>>> Both files (27&29) opened, but only showed a blank screen. I could >>>>>>> open/close them repeatedly without reboot. I also noted timing >>>>>>> differences for the reboot duration. But I think we'd have to check >>>>>>> that >>>>>>> later systematically if no freezing can be observed at all. >>>>>>> >>>>>>> >>>>>>> The Seven wrote: >>>>>>> >>>>>>> >>>>>>>> I'll double check that later today, but it sounds interesting... >>>>>>>> However, I expect the behavior to be generation dependent, so please >>>>>>>> make sure that all files are checked on 2G at least. >>>>>>>> >>>>>>>> Sebastian, were you able to view the content of the notes 27 and 29? >>>>>>>> What did you see? >>>>>>>> >>>>>>>> Sebastian Schutte schrieb: >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I tested some files (25-35) on an Ipod nano 3rd gen. Except 27 >>>>>>>>> and >>>>>>>>> 29, they only led to repeated reboots. No freezing so far. For 27 >>>>>>>>> and >>>>>>>>> 29 there was no effect at all. >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> Sebastian >>>>>>>>> >>>>>>>>> >>>>>>>>> Taylor Gordon wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> Update: I've tried note_0 and note_89 and they DONT work - so try >>>>>>>>>> the >>>>>>>>>> >>>>>>>>>> >>>>>>> other >>>>>>> >>>>>>> >>>>>>>>>> 126 for now :) >>>>>>>>>> >>>>>>>>>> On Tue, Feb 17, 2009 at 4:07 PM, The Seven <[email protected]> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> The first test note files are ready! >>>>>>>>>>> Get them at http://taylor.fileave.com/lockup.zip >>>>>>>>>>> >>>>>>>>>>> There are 128 files named note_XXX.txt >>>>>>>>>>> One of them will hopefully make the iPod lock up or show some >>>>>>>>>>> other >>>>>>>>>>> unexpected behavior. If we find that one, we're a huge step >>>>>>>>>>> closer. >>>>>>>>>>> >>>>>>>>>>> It could also be that it just takes longer (or even shorter?) to >>>>>>>>>>> reboot... So if one of the files shows a DIFFERENT behavior than >>>>>>>>>>> the >>>>>>>>>>> others, please tell me. >>>>>>>>>>> >>>>>>>>>>> Placing multiple of them on the iPod at once will NOT work! >>>>>>>>>>> >>>>>>>>>>> 3mpty schrieb: >>>>>>>>>>> > 2009/2/17 The Seven <[email protected]> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>>> 3mpty schrieb: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>>> Target address range is 0x22000000 to 0x2203fff (SRAM) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> The second number is 0x22003FFF or 0x2203FFF0? A digit is >>>>>>>>>>>>>> missing >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>> (am I >>>>>>> >>>>>>> >>>>>>>>>>>>> wrong?) >>>>>>>>>>>>> 0x2203FFFF, or rather a little below since our shellcode will >>>>>>>>>>>>> have a >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>> nop >>>>>>> >>>>>>> >>>>>>>>>>>>> zone of 2KB >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> I'm trying right now some text file. >>>>>>>>>>>> >>>>>>>>>>>> 0x22 at the addresses where we need it (odd ones) will not hurt >>>>>>>>>>>> in >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> unicode. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> Oh, I forgot the endianess, stupid error, you are right >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Paolo >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> Linux4nano-dev mailing list >>>>>>>>>>>> [email protected] >>>>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>>>>>>> http://www.linux4nano.org >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> _______________________________________________ >>>>>>>>>>> Linux4nano-dev mailing list >>>>>>>>>>> [email protected] >>>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>>>>>> http://www.linux4nano.org >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Linux4nano-dev mailing list >>>>>>>>>> [email protected] >>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>>>>> http://www.linux4nano.org >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Linux4nano-dev mailing list >>>>>>>>> [email protected] >>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>>>> http://www.linux4nano.org >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Linux4nano-dev mailing list >>>>>>>> [email protected] >>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>>> http://www.linux4nano.org >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> Linux4nano-dev mailing list >>>>>>> [email protected] >>>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>>> http://www.linux4nano.org >>>>>>> >>>>>>> >>>>>>> >>>>>> _______________________________________________ >>>>>> Linux4nano-dev mailing list >>>>>> [email protected] >>>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>>> http://www.linux4nano.org >>>>>> >>>>>> >>>>>> >>>>> _______________________________________________ >>>>> Linux4nano-dev mailing list >>>>> [email protected] >>>>> https://mail.gna.org/listinfo/linux4nano-dev >>>>> http://www.linux4nano.org >>>>> >>>>> >>>>> >>>> _______________________________________________ >>>> Linux4nano-dev mailing list >>>> [email protected] >>>> https://mail.gna.org/listinfo/linux4nano-dev >>>> http://www.linux4nano.org >>>> >>>> >>> _______________________________________________ >>> Linux4nano-dev mailing list >>> [email protected] >>> https://mail.gna.org/listinfo/linux4nano-dev >>> http://www.linux4nano.org >>> >> >> -- >> Erstellt mit Opera: http://www.opera.com >> >> >> >> _______________________________________________ >> Linux4nano-dev mailing list >> [email protected] >> https://mail.gna.org/listinfo/linux4nano-dev >> http://www.linux4nano.org >> >> > _______________________________________________ > Linux4nano-dev mailing list > [email protected] > https://mail.gna.org/listinfo/linux4nano-dev > http://www.linux4nano.org > > _______________________________________________ Linux4nano-dev mailing list [email protected] https://mail.gna.org/listinfo/linux4nano-dev http://www.linux4nano.org
