:( My bad, the code isn't getting executed... All the misunderstanding is due to the fact that Windows started to say that a new unknown USB device was detected... A quick run of lsusb on Linux showed that the iPod isn't listed in its output.

So, here is the situation: with the mentioned .htm file the iPod just freezes. I think that the cause of iBugger not working is that (from what I can see) the return address is stored only once in the file, so it should be put in the right place... while in the test txt the return address fills a lot of bytes. I think that with a bit of experimenting I can manage to execute iBugger... Because otherwise the iPod freezing is just something I can't explain :) But it is quite weird that the iBugger file (with the address taken from the test file) doesn't crash: it still freezes. Any idea of what is going on?

2009/7/13, The Seven <[email protected]>:
> @all of you: adding exact iPod gen/model, FW rev, host OS, ... to mails
> would avoid confusion.
>
> Sorry, there is no way to find the freezing file faster, if there is
> one, which we also can't guarantee. We're working in parallel on another
> buffer overflow in DFU mode, which is probably easier to exploit, but
> which requires a lot of background knowledge about the iPhone exploits.
> I hope planetbeing will help us with this...
>
> Tyler Steinmetz wrote:
>> Just so everyone knows, mine is Windows formatted and I'm using a Linux box
>> to do the work on it.
>>
>> On Mon, Jul 13, 2009 at 12:39 PM, Tyler Steinmetz <[email protected]> wrote:
>>
>>> Unfortunately I'm not so lucky; as far as I've tried I have had no luck
>>> in freezing the iPod. Only constant reboots... This might take a while.
>>>
>>> Is there a faster way to find which file will do the trick?
>>>
>>> On Mon, Jul 13, 2009 at 11:24 AM, The Seven <[email protected]> wrote:
>>>
>>>> Wow. I hadn't expected iBugger to just work. That's awesome.
>>>> You can also play with it on Windows, just take the generic libusb
>>>> driver and pyusb or some such.
>>>> The device does log on to Windows as "TheSeven's iBuggerLoader v0.1"?
>>>>
>>>> 3mpty wrote:
>>>>> Ok, update, TheSeven's iBuggerLoader seems to work (Windows finds a
>>>>> new "unknown" USB device) so the code is actually executed... Time to
>>>>> reboot Windows, start Linux and begin to play with it :)
>>>>>
>>>>> 2009/7/13, 3mpty <[email protected]>:
>>>>>> Well guys, I think I'm quite lucky xD
>>>>>> First try on my 6G, a080a2004.htm (chosen randomly :D): a few
>>>>>> seconds after the reboot the iPod freezes (Menu doesn't work
>>>>>> anymore)... I can only reset it :)
>>>>>>
>>>>>> Details:
>>>>>> iPod Win version (with FAT)
>>>>>> Model: MB147
>>>>>> FW version: 1.0.3 PC
>>>>>>
>>>>>> Btw, I'll try to execute some code on it, so how can I reset the iPod
>>>>>> from SW? Or will the reset key combination still work?
>>>>>> Guys, this is awesome
>>>>>>
>>>>>> 2009/7/13, Tyler Steinmetz <[email protected]>:
>>>>>>> Yes, as far as I have tested, the files are constantly rebooting my iPod.
>>>>>>> I'm not having any problems at all with that.
>>>>>>>
>>>>>>> On Sun, Jul 12, 2009 at 7:05 PM, The Seven <[email protected]> wrote:
>>>>>>>
>>>>>>>> Taylor told me that somebody with a 4G was reporting crashes, so this
>>>>>>>> is pretty weird. I think somebody else with a different 3G should have a
>>>>>>>> look at what happens for him, to check whether this is related to 3G in
>>>>>>>> general, or to your device.
>>>>>>>>
>>>>>>>> Can you open the note file on the iPod? What do you see in there?
>>>>>>>>
>>>>>>>> Tyler, did they crash your iPod?
>>>>>>>>
>>>>>>>> Finn Wilke wrote:
>>>>>>>>> So what shall I do now?
>>>>>>>>>
>>>>>>>>> Should I reformat the iPod to FAT32?
>>>>>>>>> And: does it make any sense to test these files atm?
>>>>>>>>>
>>>>>>>>> Finn
>>>>>>>>>
>>>>>>>>> On 13.07.2009 at 00:55, tof wrote:
>>>>>>>>>
>>>>>>>>>> Finn Wilke wrote:
>>>>>>>>>>
>>>>>>>>>>> P.S.: Does it make any change whether the iPod is Windows or Mac
>>>>>>>>>>> formatted?
>>>>>>>>>>>
>>>>>>>>>> Yes!
>>>>>>>>>>
>>>>>>>>>> It could make a difference. As the overflow is happening in a
>>>>>>>>>> function very close to the file system, and the link (file) size
>>>>>>>>>> limit could have to do with the FD limits, we could have differences.
>>>>>>>>>>
>>>>>>>>>>> I also have a 4th gen nano and have already tried out some files.
>>>>>>>>>>> There was no file that froze or reboot-looped the iPod, it was always
>>>>>>>>>>> working as before.
>>>>>>>>>> It is not normal to have no crash; perhaps the simplification of the
>>>>>>>>>> link to a shorter overflow has "broken the portability" of the notes
>>>>>>>>>> bug.
>>>>>>>>>> I remember Taylor mentioning that the link size for a crash was
>>>>>>>>>> different depending on the model...
>>>>>>>>>>
>>>>>>>>>> sto
>>>>>>>>>>
>>>>>>>>>>> On 12.07.2009 at 22:28, Taylor Gordon wrote:
>>>>>>>>>>>
>>>>>>>>>>>> If you see anything earth-shattering (like the iPod freezes), just
>>>>>>>>>>>> feel free to let us know on the ML.
>>>>>>>>>>>>
>>>>>>>>>>>> Taylor
>>>>>>>>>>>>
>>>>>>>>>>>> On Sun, Jul 12, 2009 at 3:48 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Alright, I'm on it... where can I post the results I experience on
>>>>>>>>>>>>> my 4G nano? Is the wiki fine?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 2:38 PM, The Seven <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> As a little hint: a0864.... upward is the most probable range. You
>>>>>>>>>>>>>> can also try the b variants. I wouldn't expect lower numbers than
>>>>>>>>>>>>>> 0864...., though.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Taylor Gordon wrote:
>>>>>>>>>>>>>>> Just to let everyone know, and kind of in response to Tyler's
>>>>>>>>>>>>>>> message:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Because we don't have JTAG on the 3G or 4G nano (yet, anyways), we
>>>>>>>>>>>>>>> can't clearly see the return address for the PoC files. TheSeven has
>>>>>>>>>>>>>>> generated some test files which all have different return addresses.
>>>>>>>>>>>>>>> Hopefully, if we can try some of these, we will eventually find the
>>>>>>>>>>>>>>> correct file that has the desired behavior. Please refer to
>>>>>>>>>>>>>>> http://n00b81.fileave.com/ipod/sweep.txt for more details about
>>>>>>>>>>>>>>> what you want to be looking out for.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, just two quick warnings. This is a 500 kb archive, but there are
>>>>>>>>>>>>>>> 65000 files in there :) So if you extract it, it will be about 500 mb
>>>>>>>>>>>>>>> worth of files, so I suggest you extract them a few at a time, or all
>>>>>>>>>>>>>>> together, your choice ;)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Remember you'll have to put your iPod into disk mode if it gets into an
>>>>>>>>>>>>>>> endless crash-reboot loop. You can feel free to try these on 6G
>>>>>>>>>>>>>>> classic/3G nano/4G nano, which all have the bug also.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Both the Readme and the archive for the testing files can be found
>>>>>>>>>>>>>>> here: http://n00b81.fileave.com/ipod.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hopefully we will find the file that freezes the iPod :)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Taylor
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 12:17 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Great work, thanks so much...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Any chance we can get this working on 3rd or 4th gen?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 1:32 AM, mat h <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Very interesting read, thanks
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 7/12/09, tof <[email protected]> wrote:
>>>>>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I put on the wiki some useful info about the HW part, and the
>>>>>>>>>>>>>>>>>> exploit...
>>>>>>>>>>>>>>>>>> http://l4n.clustur.com/index.php/Nano2G_getting_exec
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> sto
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>> Linux4nano-dev mailing list
>>>>>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>>>>>> https://mail.gna.org/listinfo/linux4nano-dev
>>>>>>>>>>>>>>>>>> http://www.linux4nano.org
