Without changing the address iBugger just reboots my iPod as with any other crafted note file. I tried also the txt before and after the "working" one and they both cause a crash.
If the address I reported can't be right then there's something really odd happening.

2009/7/13, The Seven <[email protected]>:
> Could also be a slightly-off return addr.
> it probably jumped right into the middle of my code, and waits for usb events without having initialized the controller...
>
> I'll prepare you a more robust file later...
>
> You modified the address in iBugger? How does it behave if you don't do this?
> The address you reported earlier just can't be right.
> That's in the middle of firmware code, which probably locks up...
>
> 08600104 upward is the interesting range...
> Did the other files crash? If everything hangs, something is weird.
>
> 3mpty wrote:
>> :( My bad, the code isn't getting executed...
>> All the misunderstanding is due to the fact that windows started to say that a new unknown USB device was detected... A quick run of lsusb on linux showed that the iPod isn't listed on its output.
>>
>> So, here is the situation:
>> With the mentioned .htm file the ipod just freezes. I think that the cause of iBugger not working is that (from what I can see) the return address is stored only once in the file, so it should be put in the right place... while in the test txt the return address fills a lot of bytes.
>> I think that with a bit of experimenting I can manage to execute iBugger... Because otherwise the iPod freezing is just something I can't explain :)
>> But, it is quite weird that the iBugger file (with the address taken from the test file) doesn't crash: it still freezes.
>>
>> Any idea of what is going on?
>>
>> 2009/7/13, The Seven <[email protected]>:
>>> @all of you: adding exact ipod gen/model, FW rev, host OS, ... to mails would avoid confusion.
>>>
>>> Sorry, there is no way to find the freezing file faster, if there is one, which we also can't guarantee.
>>> We're working in parallel on another buffer overflow in DFU mode, which is probably easier to exploit, but which requires a lot of background knowledge about the iPhone exploits. I hope planetbeing will help us with this...
>>>
>>> Tyler Steinmetz wrote:
>>>> Just so everyone knows mine is windows formatted and I'm using a linux box to do the work on it.
>>>>
>>>> On Mon, Jul 13, 2009 at 12:39 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>
>>>>> Unfortunately I'm not so lucky, as far as I've tried I have had no luck in freezing the iPod. Only constant reboots... This might take a while.
>>>>>
>>>>> Is there a faster way to find which file will do the trick?
>>>>>
>>>>> On Mon, Jul 13, 2009 at 11:24 AM, The Seven <[email protected]> wrote:
>>>>>
>>>>>> Wow. I hadn't expected iBugger to just work. That's awesome.
>>>>>> You can also play with it on windows, just take the generic libusb driver and pyusb or some such.
>>>>>> The device does log on to windows as "TheSeven's iBuggerLoader v0.1"?
>>>>>>
>>>>>> 3mpty wrote:
>>>>>>> Ok, update, TheSeven's iBuggerLoader seems to work (Windows finds a new "unknown" USB device) so the code is actually executed... Time to reboot windows, start Linux and to begin to play with it :)
>>>>>>>
>>>>>>> 2009/7/13, 3mpty <[email protected]>:
>>>>>>>> Well guys, I think I'm quite lucky xD
>>>>>>>> First try on my 6G, a080a2004.htm (chosen randomly :D), a few seconds after the reboot the iPod freezes (Menu doesn't work anymore)... I can only reset it :)
>>>>>>>>
>>>>>>>> Details:
>>>>>>>> iPod Win version (with FAT)
>>>>>>>> Model: MB147
>>>>>>>> FW version: 1.0.3 PC
>>>>>>>>
>>>>>>>> Btw, I'll try to execute some code on it, so how can I reset the iPod from SW? Or will the reset key combination still work?
>>>>>>>> Guys, this is awesome
>>>>>>>>
>>>>>>>> 2009/7/13, Tyler Steinmetz <[email protected]>:
>>>>>>>>> Yes, as far as I have tested the files are constantly rebooting my iPod. I'm not having any problems at all with that.
>>>>>>>>>
>>>>>>>>> On Sun, Jul 12, 2009 at 7:05 PM, The Seven <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> taylor told me that somebody with a 4g was reporting crashes, so this is pretty weird. i think somebody else with a different 3g should have a look what happens for him, to check whether this is related to 3g in general, or to your device.
>>>>>>>>>>
>>>>>>>>>> can you open the note file on the ipod? what do you see in there?
>>>>>>>>>>
>>>>>>>>>> tyler, did they crash your ipod?
>>>>>>>>>>
>>>>>>>>>> Finn Wilke wrote:
>>>>>>>>>>> So what shall I do now?
>>>>>>>>>>>
>>>>>>>>>>> Should I reformat the iPod to FAT32?
>>>>>>>>>>> And: Does it make any sense to test these files atm?
>>>>>>>>>>>
>>>>>>>>>>> Finn
>>>>>>>>>>>
>>>>>>>>>>> On 13.07.2009 at 00:55, tof wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Finn Wilke wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> P.S: Does it make any change whether the iPod is Windows or Mac formatted?
>>>>>>>>>>>>>
>>>>>>>>>>>> yes !
>>>>>>>>>>>>
>>>>>>>>>>>> it could make a difference. as the overflow is happening in a function very close to the file system, and the link(file) size limit could have to do with the FD limits, we could have differences.
>>>>>>>>>>>>
>>>>>>>>>>>>> I also have a 4th gen nano and have already tried out some files. There was no file that froze or reboot-looped the ipod, it was always working as before.
>>>>>>>>>>>>
>>>>>>>>>>>> It is not normal to have no crash, perhaps the simplification of the link to a shorter overflow has "broken the portability" of the notes bug.
>>>>>>>>>>>> I remember Taylor mentioning that the link size for crash was different depending on the model...
>>>>>>>>>>>>
>>>>>>>>>>>> sto
>>>>>>>>>>>>
>>>>>>>>>>>>> On 12.07.2009 at 22:28, Taylor Gordon wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you see anything earth shattering (like the ipod freezes) just feel free to let us know on the ML.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Taylor
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 3:48 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Alright, I'm on it... where can I post the results I experience on my 4g nano? Is the wiki fine?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 2:38 PM, The Seven <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> As a little hint: a0864.... upward is the most probable range. you can also try the b variants. i wouldn't expect lower numbers than 0864...., though.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Taylor Gordon wrote:
>>>>>>>>>>>>>>>>> Just to let everyone know, and kind of in response to Tyler's message:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Because we don't have JTAG on the 3g or 4g nano (yet anyways), we can't clearly see the return address for the PoC files. TheSeven has generated some test files which all have different return addresses.
>>>>>>>>>>>>>>>>> Hopefully, if we can try some of these, we will eventually find the correct file that has the desired behavior. Please refer to http://n00b81.fileave.com/ipod/sweep.txt for more details about what you want to be looking out for.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Also, just two quick warnings. This is a 500 kb archive, but there are 65000 files in there :) So if you extract it, it will be about 500 mb worth of files, so I suggest you extract them a few at a time, or all together, your choice ;)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Remember you'll have to put your ipod into disk mode if it gets into an endless crash-reboot loop. You can feel free to try these on 6g classic/3g nano/4g nano which all have the bug also.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Both the Readme and the archive for the testing files can be found here: http://n00b81.fileave.com/ipod.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hopefully we will find the file that freezes the ipod :)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Taylor
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 12:17 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Great work, thanks so much...
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Any chance we can get this working on 3rd or 4th gen?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 1:32 AM, mat h <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Very interesting read thanks
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 7/12/09, tof <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I put on the wiki some useful info about the HW part, and the exploit...
>>>>>>>>>>>>>>>>>>>> http://l4n.clustur.com/index.php/Nano2G_getting_exec
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> sto
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>>>> Linux4nano-dev mailing list
>>>>>>>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev
>>>>>>>>>>>>>>>>>>>> http://www.linux4nano.org
