Could also be a slightly-off return addr. It probably jumped right into the middle of my code, and waits for USB events without having initialized the controller...

I'll prepare you a more robust file later... You modified the address in iBugger? How does it behave if you don't do this? The address you reported earlier just can't be right. That's in the middle of firmware code, which probably locks up... 08600104 upward is the interesting range... Did the other files crash? If everything hangs, something is weird.

3mpty wrote:
> :( My bad, the code isn't getting executed...
> All the misunderstanding is due to the fact that Windows started to
> say that a new unknown USB device was detected... A quick run of lsusb
> on Linux showed that the iPod isn't listed in its output.
>
> So, here is the situation:
> With the mentioned .htm file the iPod just freezes. I think that the
> cause of iBugger not working is that (from what I can see) the return
> address is stored only once in the file, so it should be put in the
> right place... while in the test txt the return address fills a lot of
> bytes.
> I think that with a bit of experimenting I can manage to execute
> iBugger... Because otherwise the iPod freezing is just something I
> can't explain :)
> But, it is quite weird that the iBugger file (with the address taken
> from the test file) doesn't crash: it still freezes.
>
> Any idea of what is going on?
>
> 2009/7/13, The Seven <[email protected]>:
>> @all of you: adding exact iPod gen/model, FW rev, host OS, ... to mails
>> would avoid confusion.
>>
>> Sorry, there is no way to find the freezing file faster, if there is
>> one, which we also can't guarantee. We're working in parallel on another
>> buffer overflow in DFU mode, which is probably easier to exploit, but
>> which requires a lot of background knowledge about the iPhone exploits.
>> I hope planetbeing will help us with this...
>>
>> Tyler Steinmetz wrote:
>>> Just so everyone knows, mine is Windows formatted and I'm using a Linux box
>>> to do the work on it.
>>>
>>> On Mon, Jul 13, 2009 at 12:39 PM, Tyler Steinmetz <[email protected]> wrote:
>>>> Unfortunately I'm not so lucky; as far as I've tried I have had no luck
>>>> in freezing the iPod. Only constant reboots... This might take a while.
>>>>
>>>> Is there a faster way to find which file will do the trick?
>>>>
>>>> On Mon, Jul 13, 2009 at 11:24 AM, The Seven <[email protected]> wrote:
>>>>> Wow. I hadn't expected iBugger to just work. That's awesome.
>>>>> You can also play with it on Windows, just take the generic libusb
>>>>> driver and pyusb or some such.
>>>>> The device does log on to Windows as "TheSeven's iBuggerLoader v0.1"?
>>>>>
>>>>> 3mpty wrote:
>>>>>> Ok, update, TheSeven's iBuggerLoader seems to work (Windows finds a
>>>>>> new "unknown" USB device) so the code is actually executed... Time to
>>>>>> reboot Windows, start Linux and begin to play with it :)
>>>>>>
>>>>>> 2009/7/13, 3mpty <[email protected]>:
>>>>>>> Well guys, I think I'm quite lucky xD
>>>>>>> First try on my 6G, a080a2004.htm (chosen randomly :D): a few
>>>>>>> seconds after the reboot the iPod freezes (Menu doesn't work
>>>>>>> anymore)... I can only reset it :)
>>>>>>>
>>>>>>> Details:
>>>>>>> iPod Win version (with FAT)
>>>>>>> Model: MB147
>>>>>>> FW version: 1.0.3 PC
>>>>>>>
>>>>>>> Btw, I'll try to execute some code on it, so how can I reset the iPod
>>>>>>> from SW? Or will the reset key combination still work?
>>>>>>> Guys, this is awesome
>>>>>>>
>>>>>>> 2009/7/13, Tyler Steinmetz <[email protected]>:
>>>>>>>> Yes, as far as I have tested the files are constantly rebooting my iPod.
>>>>>>>> I'm not having any problems at all with that.
>>>>>>>>
>>>>>>>> On Sun, Jul 12, 2009 at 7:05 PM, The Seven <[email protected]> wrote:
>>>>>>>>> taylor told me that somebody with a 4g was reporting crashes, so this
>>>>>>>>> is pretty weird. i think somebody else with a different 3g should have a
>>>>>>>>> look at what happens for him, to check whether this is related to 3g in
>>>>>>>>> general, or to your device.
>>>>>>>>>
>>>>>>>>> can you open the note file on the ipod? what do you see in there?
>>>>>>>>>
>>>>>>>>> tyler, did they crash your ipod?
>>>>>>>>>
>>>>>>>>> Finn Wilke wrote:
>>>>>>>>>> So what shall I do now?
>>>>>>>>>>
>>>>>>>>>> Should I reformat the iPod to FAT32?
>>>>>>>>>> And: Does it make any sense to test these files atm?
>>>>>>>>>>
>>>>>>>>>> Finn
>>>>>>>>>>
>>>>>>>>>> On 13.07.2009 at 00:55, tof wrote:
>>>>>>>>>>> Finn Wilke wrote:
>>>>>>>>>>>
>>>>>>>>>>>> P.S: Does it make any change whether the iPod is Windows or Mac
>>>>>>>>>>>> formatted?
>>>>>>>>>>>>
>>>>>>>>>>> yes !
>>>>>>>>>>>
>>>>>>>>>>> it could make a difference. as the overflow is happening in a
>>>>>>>>>>> function very close to the file system, and the link(file) size
>>>>>>>>>>> limit could have to do with the FD limits, we could have differences.
>>>>>>>>>>>
>>>>>>>>>>>> I also have a 4th gen nano and have already tried out some files.
>>>>>>>>>>>> There was no file that froze or reboot-looped the iPod, it was
>>>>>>>>>>>> always working as before.
>>>>>>>>>>>
>>>>>>>>>>> It is not normal to have no crash, perhaps the simplification of the
>>>>>>>>>>> link to a shorter overflow has "broken the portability" of the notes
>>>>>>>>>>> bug.
>>>>>>>>>>> I remember Taylor mentioning that the link size for crash was
>>>>>>>>>>> different depending on the model...
>>>>>>>>>>>
>>>>>>>>>>> sto
>>>>>>>>>>>
>>>>>>>>>>>> On 12.07.2009 at 22:28, Taylor Gordon wrote:
>>>>>>>>>>>>> If you see anything earth shattering (like the iPod freezes)
>>>>>>>>>>>>> just feel free to let us know on the ML.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Taylor
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 3:48 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>>> Alright, I'm on it... where can I post the results I experience on
>>>>>>>>>>>>>> my 4g nano? Is the wiki fine?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 2:38 PM, The Seven <[email protected]> wrote:
>>>>>>>>>>>>>>> As a little hint: a0864.... upward is the most probable range. you
>>>>>>>>>>>>>>> can also try the b variants. i wouldn't expect lower numbers than
>>>>>>>>>>>>>>> 0864...., though.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Taylor Gordon wrote:
>>>>>>>>>>>>>>>> Just to let everyone know, and kind of in response to Tyler's
>>>>>>>>>>>>>>>> message:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Because we don't have JTAG on the 3g or 4g nano (yet anyways), we
>>>>>>>>>>>>>>>> can't clearly see the return address for the PoC files. TheSeven has
>>>>>>>>>>>>>>>> generated some test files which all have different return addresses.
>>>>>>>>>>>>>>>> Hopefully, if we can try some of these, we will eventually find the
>>>>>>>>>>>>>>>> correct file that has the desired behavior. Please refer to
>>>>>>>>>>>>>>>> http://n00b81.fileave.com/ipod/sweep.txt for more details about
>>>>>>>>>>>>>>>> what you want to be looking out for.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also, just two quick warnings. This is a 500 kb archive, but there are
>>>>>>>>>>>>>>>> 65000 files in there :) So if you extract it, it will be about 500 mb
>>>>>>>>>>>>>>>> worth of files, so I suggest you extract them a few at a time, or all
>>>>>>>>>>>>>>>> together, your choice ;)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Remember you'll have to put your iPod into disk mode if it gets
>>>>>>>>>>>>>>>> into an endless crash-reboot loop. You can feel free to try these on
>>>>>>>>>>>>>>>> 6g classic/3g nano/4g nano, which all have the bug also.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Both the Readme and the archive for the testing files can be found
>>>>>>>>>>>>>>>> here: http://n00b81.fileave.com/ipod.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hopefully we will find the file that freezes the iPod :)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Taylor
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 12:17 PM, Tyler Steinmetz <[email protected]> wrote:
>>>>>>>>>>>>>>>>> Great work, thanks so much...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Any chance we can get this working on 3rd or 4th gen?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Sun, Jul 12, 2009 at 1:32 AM, mat h <[email protected]> wrote:
>>>>>>>>>>>>>>>>>> Very interesting read, thanks
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 7/12/09, tof <[email protected]> wrote:
>>>>>>>>>>>>>>>>>>> Hello
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I put on the wiki some useful info about the HW part, and the
>>>>>>>>>>>>>>>>>>> exploit...
>>>>>>>>>>>>>>>>>>> http://l4n.clustur.com/index.php/Nano2G_getting_exec
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> sto

_______________________________________________
Linux4nano-dev mailing list
[email protected]
https://mail.gna.org/listinfo/linux4nano-dev
http://www.linux4nano.org
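The thread contrasts two payload layouts for the blind return-address sweep: the test files, where the candidate address fills a large part of the overlong link so that the overwritten slot is hit whatever its exact offset, and the iBugger file, where the address is stored once and therefore has to land at exactly the right place. The generator below is an added illustration of that difference, written for this page; it is not the linux4nano project's generator, not the sweep.txt archive, and not code from anyone in the thread. Everything about the file format is an assumption: that the overflow is triggered through an overlong href in an HTML note, that the overwritten slot is a 32-bit little-endian ARM word, that the file name is a variant letter followed by the address in hex (suggested by the name a080a2004.htm), and that LINK_LEN stands in for the per-model overflow length the thread says differs between models.

```python
"""Blind return-address sweep generator (illustration only).

Assumed, not confirmed by the thread: overflow via an overlong <a href>
in an HTML note; the overwritten slot is a little-endian 32-bit word;
file names are <variant><address-in-hex>.htm, e.g. a080a2004.htm.
"""
import struct
from pathlib import Path

# Constructed placeholder: the real per-model overflow length is not on
# the page.  Change it per device under test.
LINK_LEN = 8192
# Assumed note format; bytes the note parser treats specially (quote,
# NUL, ...) would need to be avoided or escaped in a real generator.
NOTE_TEMPLATE = b'<a href="%s">x</a>\n'


def filename_for(address, variant="a"):
    """Encode a candidate address as <variant><8 hex digits>.htm (assumed scheme)."""
    if variant not in ("a", "b"):
        raise ValueError("variant must be 'a' or 'b'")
    if not 0 <= address <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    return f"{variant}{address:08x}.htm"


def address_from(filename):
    """Recover (variant, address) from a reported file name such as a080a2004.htm."""
    stem = Path(filename).stem
    return stem[0], int(stem[1:], 16)


def fill_payload(address, length=LINK_LEN):
    """Sweep-file layout: the address repeated across the whole link.

    The slot that becomes the return address is hit as long as it lies
    anywhere inside the link and is word aligned with the repetition.
    """
    word = struct.pack("<I", address)
    return (word * ((length + 3) // 4))[:length]


def single_slot_payload(address, offset, length=LINK_LEN, pad=b"A"):
    """Loader-file layout: the address stored once at a known offset.

    If the guessed offset is off by a few bytes, the CPU returns to
    padding or to a slightly-off address in the middle of code.
    """
    if offset % 4 or offset + 4 > length:
        raise ValueError("offset must be 4-byte aligned and inside the link")
    body = bytearray(pad * length)
    body[offset:offset + 4] = struct.pack("<I", address)
    return bytes(body)


def note_for(payload):
    """Wrap a link payload in the assumed note format."""
    return NOTE_TEMPLATE % payload


def sweep(start, count, stride=4, variant="a"):
    """Yield (filename, note bytes) for `count` candidates from `start` upward."""
    for i in range(count):
        addr = start + i * stride
        yield filename_for(addr, variant), note_for(fill_payload(addr))


def write_sweep(outdir, start, count, stride=4, variant="a"):
    """Write one note per candidate address into outdir; return the file names."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    names = []
    for name, data in sweep(start, count, stride, variant):
        (outdir / name).write_bytes(data)
        names.append(name)
    return names


if __name__ == "__main__":
    # Map a tester's report back to the address it encodes.
    print(address_from("a080a2004.htm"))
    # Generate a handful of candidates starting at the range the thread names.
    print(write_sweep("sweep_out", 0x08600104, 4))
```

When a tester reports that a given file froze the device, address_from gives the candidate that did it; the difference between fill_payload and single_slot_payload is why a file that freezes can still fail to hand control to a loader whose address is stored only once at a guessed offset.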
