This sounds interesting. Maybe the ARM7 Go exploit (http://theiphonewiki.com/wiki/index.php?title=ARM7_Go) could be used on the iPod Nano 4G? Be sure to look at the 'Talk' page for the previous link; it has some good info. You use iRecovery (http://theiphonewiki.com/wiki/index.php?title=IRecovery) to execute arm7_go.

A W wrote:
> I am stuck. It must be a lack of experience in exploiting things.
> Most important question: what kind of code can be used to tell when
> this code is actually executed? There is no point in wasting time searching
> for the exploit entry address unless you are sure you'll notice the hit. I was
> thinking of some kind of dead loop, but my iPod froze a few times just at the
> overflow, so it's probably not the best way.
> And what kind of data must one corrupt to completely freeze the iPod?
>
> The overflow I'm trying to exploit is at the A tag: [a href="here"]; the iPod
> reboots when the target file name is longer than 266 bytes. And Notes does handle
> such names without any problems, so I think it goes out of bounds
> somewhere at the file existence check (inside an interrupt handler?).
> Notes applies some restrictions to exploit code: it turns bytes with value > 127
> into two-byte (UTF?) sequences and, probably, converts lowercase Latin
> chars (0x61-0x7A) to uppercase. This makes some conditional codes
> (including ALWAYS) unusable, as well as branches to negative offsets, a few ALU
> instructions, and some other, less useful things. Still, I think there is enough
> freedom to code something interesting, and it's always possible to generate the
> necessary instructions in-place.
> _______________________________________________
> Linux4nano-dev mailing list
> [email protected]
> https://mail.gna.org/listinfo/linux4nano-dev
> http://www.linux4nano.org
>
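The bug class the quoted message describes (a fixed-size file name buffer written from an href target with no length check, so names over 266 bytes crash the device) is easiest to see as a small C model. The following is an added illustration, not code from the iPod firmware, the Notes application, or either poster: the buffer size of 266 is taken from the thread's reported crash threshold and is an assumption, the tag syntax is a constructed stand-in, and the "unsafe" parser is a deliberately defective model shown only for contrast with the bounds-checked version next to it.

```c
#include <stdio.h>
#include <string.h>

/* Maximum href target length this model accepts. The thread reports a reboot
   for names longer than 266 bytes, so 266 is used here as the ASSUMED limit. */
#define NAME_MAX_LEN 266

enum parse_result {
    PARSE_OK = 0,
    PARSE_NO_HREF = -1,
    PARSE_UNTERMINATED = -2,
    PARSE_TOO_LONG = -3
};

/* Unsafe model: copies until the closing quote with no length check, so a
   target longer than NAME_MAX_LEN bytes runs past the end of out[]. Kept for
   contrast only; nothing in this file calls it with an overlong tag. */
static int extract_href_unsafe(const char *tag, char out[NAME_MAX_LEN + 1])
{
    const char *p = strstr(tag, "href=\"");
    if (p == NULL)
        return PARSE_NO_HREF;
    p += strlen("href=\"");
    size_t i = 0;
    while (*p != '\0' && *p != '"')
        out[i++] = *p++;            /* no bound on i: this is the defect */
    if (*p != '"')
        return PARSE_UNTERMINATED;
    out[i] = '\0';
    return PARSE_OK;
}

/* Hardened model: locates the closing quote first, measures the target, and
   refuses anything that would not fit, so out[] is never written past its end. */
static int extract_href_safe(const char *tag, char out[NAME_MAX_LEN + 1])
{
    const char *p = strstr(tag, "href=\"");
    if (p == NULL)
        return PARSE_NO_HREF;
    p += strlen("href=\"");
    const char *end = strchr(p, '"');
    if (end == NULL)
        return PARSE_UNTERMINATED;
    size_t len = (size_t)(end - p);
    if (len > NAME_MAX_LEN)
        return PARSE_TOO_LONG;      /* reject instead of overflowing */
    memcpy(out, p, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Test helper: builds a CONSTRUCTED <a href="AAA...">x</a> tag whose target is
   target_len bytes long and runs it through the hardened parser.
   Returns the parse_result code. */
static int check_constructed_name(size_t target_len)
{
    static char tag[1024];
    const char *prefix = "<a href=\"";
    const char *suffix = "\">x</a>";
    if (strlen(prefix) + target_len + strlen(suffix) >= sizeof tag)
        return PARSE_TOO_LONG;      /* would not fit the test buffer either */
    size_t n = 0;
    memcpy(tag + n, prefix, strlen(prefix)); n += strlen(prefix);
    memset(tag + n, 'A', target_len);        n += target_len;
    memcpy(tag + n, suffix, strlen(suffix) + 1);   /* copies the NUL too */
    char name[NAME_MAX_LEN + 1];
    return extract_href_safe(tag, name);
}

/* Test helper: round-trips a short, well-formed name through both parsers and
   returns 1 if both recover it unchanged (they agree on in-bounds input). */
static int check_roundtrip(const char *name)
{
    char tag[512];
    if (strlen(name) > NAME_MAX_LEN || strlen(name) + 32 >= sizeof tag)
        return 0;
    snprintf(tag, sizeof tag, "<a href=\"%s\">link</a>", name);
    char a[NAME_MAX_LEN + 1], b[NAME_MAX_LEN + 1];
    return extract_href_safe(tag, a) == PARSE_OK
        && extract_href_unsafe(tag, b) == PARSE_OK
        && strcmp(a, name) == 0 && strcmp(b, name) == 0;
}

int main(void)
{
    printf("266-byte name: %d\n", check_constructed_name(266));   /* 0  = PARSE_OK */
    printf("267-byte name: %d\n", check_constructed_name(267));   /* -3 = PARSE_TOO_LONG */
    printf("roundtrip:     %d\n", check_roundtrip("Notes/readme.htm")); /* 1 */
    return 0;
}
```

The point for a defender is the ordering in the hardened version: measure first, then decide, then copy. The unsafe version decides nothing until it has already written every byte, which is exactly how an overlong name reaches memory beyond the buffer; in the hardened version the only observable effect of an overlong name is an error code, which is also the event worth logging if such a parser sits in firmware.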
