Yes, it may well be possible that the stack address of the data buffer
varies. I hoped it didn't; however, it seems that I was either wrong
there, or it does indeed have execution protection on the stack. That makes
it a lot harder. However, the notes files were generated for 2G, not 3G,
so it could be that 3G uses entirely different addresses. To confirm this
and to generate the files for 3G, I need detailed docs of the processor.

Sebastian Schutte wrote:
> Hi,
> 
> I checked another 20 tonight (35-55). No freezing, but there are timing
> differences. I then retried 27 and 29 to confirm that they did not show
> any effect. This time, they led to normal reboots! I swear that I didn't
> mess up on that one. Yesterday, they did not lead to reboots. But maybe
> the problem is that it seems very hard to reproduce the crash behaviour:
> The timing of the first crash, for example, always varies. When I try to
> enter the notes folder, it takes somewhere between an eye blink and a
> second before the screen turns dark. Then I had the two files that did
> not work yesterday, but did today. What does that mean? Can the overflow
> occur in a non-deterministic memory environment, leading to such
> different effects? I hope this is helpful to anybody.
> 
> The Seven wrote:
>> If the 0x00s had been a problem or the link would not have been
>> recognized, it would not have crashed.
>>
>> Taylor Gordon wrote:
>>
>>> Hmmm... So, so far it seems that none of the notes have made the iPod
>>> freeze, right? I wonder why 27 and 29 didn't display anything at all though.
>>>
>>> @TheSeven: Maybe different opcodes with a '0' messed the file up? Or it
>>> didn't think it was a valid link.
>>>
>>> On Wed, Feb 18, 2009 at 2:49 AM, Sebastian Schutte
>>> <[email protected]> wrote:
>>>
>>>> Both files (27&29) opened, but only showed a blank screen. I could
>>>> open/close them repeatedly without reboot. I also noted timing
>>>> differences for the reboot duration. But I think we'd have to check that
>>>> later systematically if no freezing can be observed at all.
>>>>
>>>>
>>>> The Seven wrote:
>>>>> I'll double check that later today, but it sounds interesting...
>>>>> However, I expect the behavior to be generation dependent, so please
>>>>> make sure that all files are checked on 2G at least.
>>>>>
>>>>> Sebastian, were you able to view the content of the notes 27 and 29?
>>>>> What did you see?
>>>>>
>>>>> Sebastian Schutte wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I tested some files (25-35) on an iPod nano 3rd gen. Except 27 and
>>>>>> 29, they only led to repeated reboots. No freezing so far. For 27 and
>>>>>> 29 there was no effect at all.
>>>>>>
>>>>>> Cheers,
>>>>>> Sebastian
>>>>>>
>>>>>>
>>>>>> Taylor Gordon wrote:
>>>>>>
>>>>>>> Update: I've tried note_0 and note_89 and they DON'T work - so try the other
>>>>>>> 126 for now :)
>>>>>>>
>>>>>>> On Tue, Feb 17, 2009 at 4:07 PM, The Seven <[email protected]> wrote:
>>>>>>>
>>>>>>>> The first test note files are ready!
>>>>>>>> Get them at http://taylor.fileave.com/lockup.zip
>>>>>>>>
>>>>>>>> There are 128 files named note_XXX.txt
>>>>>>>> One of them will hopefully make the iPod lock up or show some other
>>>>>>>> unexpected behavior. If we find that one, we're a huge step closer.
>>>>>>>>
>>>>>>>> It could also be that it just takes longer (or even shorter?) to
>>>>>>>> reboot... So if one of the files shows a DIFFERENT behavior than the
>>>>>>>> others, please tell me.
>>>>>>>>
>>>>>>>> Placing several of them on the iPod at once will NOT work!
>>>>>>>>
>>>>>>>> 3mpty wrote:
>>>>>>>>> 2009/2/17 The Seven <[email protected]>
>>>>>>>>>
>>>>>>>>>> 3mpty wrote:
>>>>>>>>>>
>>>>>>>>>>>> Target address range is 0x22000000 to 0x2203fff (SRAM)
>>>>>>>>>>>>
>>>>>>>>>>> The second number is 0x22003FFF or 0x2203FFF0? A digit is missing (am I
>>>>>>>>>>> wrong?)
>>>>>>>>>> 0x2203FFFF, or rather a little below since our shellcode will have a nop
>>>>>>>>>> zone of 2KB
>>>>>>>>>>
>>>>>>>>> I'm trying right now some text file.
>>>>>>>>>
>>>>>>>>> 0x22 at the addresses where we need it (odd ones) will not hurt in
>>>>>>>>> unicode.
>>>>>>>>
>>>>>>>>> Oh, I forgot the endianness, stupid error, you are right
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Paolo
>>>>>>>>> _______________________________________________
>>>>>>>>> Linux4nano-dev mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev
>>>>>>>>> http://www.linux4nano.org
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>