Found this on the docs of 3G: http://insidetronics.blogspot.com/2007/09/teardown-ipod-nano-3g.html
So it's an S5L8702 but I haven't found any documentation.

On 19.02.2009 at 09:37, The Seven <[email protected]> wrote:

> Yes, it can well be possible that the stack address of the data buffer
> varies. I hoped it didn't, however, it seems like I was either wrong
> there, or it has indeed an execution protection on the stack. That makes
> it a lot harder. However, the notes files were generated for 2G, not 3G,
> so it could be that 3G uses different addresses at all. To confirm this
> and to generate the files for 3G, I need detailed docs of the processor.
>
> Sebastian Schutte wrote:
>> Hi,
>>
>> I checked another 20 tonight (35-55). No freezing, but there are timing
>> differences. I then retried 27 and 29 to confirm that they did not show
>> any effect. This time, they led to normal reboots! I swear that I didn't
>> mess up on that one. Yesterday, they did not lead to reboots. But maybe
>> the problem is that it seems very hard to reproduce the crash behaviour:
>> The timing of the first crash, for example, always varies. When I try to
>> enter the notes folder, it takes something between an eye blink and a
>> second before the screen turns dark. Then I had the two files that did
>> not work yesterday, but today. What does that mean? Can the overflow
>> occur in a non-deterministic memory environment, leading to such
>> different effects? I hope this is helpful to anybody.
>>
>> The Seven wrote:
>>> If the 0x00s would have been a problem or the link would not have been
>>> recognized, it would not have crashed.
>>>
>>> Taylor Gordon wrote:
>>>> Hmmm... So far, it seems that none of the notes have made the iPod
>>>> freeze, right? I wonder why 27 and 29 didn't display anything at all
>>>> though.
>>>>
>>>> @TheSeven: Maybe different opcodes with a '0' messed the file up? Or
>>>> it didn't think it was a valid link.
>>>>
>>>> On Wed, Feb 18, 2009 at 2:49 AM, Sebastian Schutte
>>>> <[email protected]> wrote:
>>>>> Both files (27&29) opened, but only showed a blank screen. I could
>>>>> open/close them repeatedly without reboot. I also noted timing
>>>>> differences for the reboot duration. But I think we'd have to check
>>>>> that later systematically if no freezing can be observed at all.
>>>>>
>>>>> The Seven wrote:
>>>>>> I'll double check that later today, but it sounds interesting...
>>>>>> However, I expect the behavior to be generation dependent, so please
>>>>>> make sure that all files are checked on 2G at least.
>>>>>>
>>>>>> Sebastian, were you able to view the content of the notes 27 and 29?
>>>>>> What did you see?
>>>>>>
>>>>>> Sebastian Schutte wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I tested some files (25-35) on an iPod nano 3rd gen. Except 27 and
>>>>>>> 29, they only led to repeated reboots. No freezing so far. For 27
>>>>>>> and 29 there was no effect at all.
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Sebastian
>>>>>>>
>>>>>>> Taylor Gordon wrote:
>>>>>>>> Update: I've tried note_0 and note_89 and they DON'T work - so try
>>>>>>>> the other 126 for now :)
>>>>>>>>
>>>>>>>> On Tue, Feb 17, 2009 at 4:07 PM, The Seven <[email protected]>
>>>>>>>> wrote:
>>>>>>>>> The first test note files are ready!
>>>>>>>>> Get them at http://taylor.fileave.com/lockup.zip
>>>>>>>>>
>>>>>>>>> There are 128 files named note_XXX.txt
>>>>>>>>> One of them will hopefully make the iPod lock up or show some
>>>>>>>>> other unexpected behavior. If we find that one, we're a huge step
>>>>>>>>> closer.
>>>>>>>>>
>>>>>>>>> It could also be that it just takes longer (or even shorter?) to
>>>>>>>>> reboot... So if one of the files shows a DIFFERENT behavior than
>>>>>>>>> the others, please tell me.
>>>>>>>>>
>>>>>>>>> Placing multiple of them on the iPod at once will NOT work!
>>>>>>>>>
>>>>>>>>> 3mpty wrote:
>>>>>>>>>> 2009/2/17 The Seven <[email protected]>
>>>>>>>>>>> 3mpty wrote:
>>>>>>>>>>>>> Target address range is 0x22000000 to 0x2203fff (SRAM)
>>>>>>>>>>>>
>>>>>>>>>>>> The second number is 0x22003FFF or 0x2203FFF0? A digit is
>>>>>>>>>>>> missing (am I wrong?)
>>>>>>>>>>>
>>>>>>>>>>> 0x2203FFFF, or rather a little below since our shellcode will
>>>>>>>>>>> have a nop zone of 2KB
>>>>>>>>>>
>>>>>>>>>> I'm trying right now some text file.
>>>>>>>>>>
>>>>>>>>>> 0x22 at the addresses where we need it (odd ones) will not hurt
>>>>>>>>>> in unicode.
>>>>>>>>>>
>>>>>>>>>> Oh, I forgot the endianness, stupid error, you are right
>>>>>>>>>>
>>>>>>>>>> Paolo

--
Created with Opera: http://www.opera.com

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
