Add some notes describing how the bin2note exploit works

git-svn-id: svn://svn.rockbox.org/rockbox/trunk@21904 a1c6a512-1295-4272-9138-f99709370657
2009-07-16 17:40:55 +00:00 · 2009-07-16 17:40:55 +00:00 · f8ec7e4ad4
parent 38754e7a9e
commit f8ec7e4ad4
1 changed files with 24 additions and 0 deletions
--- a/utils/ipod/bin2note/README
+++ b/utils/ipod/bin2note/README
@ -15,3 +15,27 @@ It is known to work on the 2nd generation Nano.
 The Makefile contains rules for compiling an ARM assembler file
 "test.S" into a notes file "test.htm".  Just put test.S in this
 directory and type "make test.htm".
+
+
+How it works
+------------
+
+When the Apple firmware boots, it scans the Notes folder and loads
+each note in turn in order to check its content.
+
+When it reaches our specially crafted note, a buffer overflows onto
+the stack, writing the entry point of our code over the top of an
+existing return address.
+
+This entry point was determined by "stooo1" as part of the
+"linux4nano" investigations into the Nano 2G.  He managed to attach a
+JTAG debugger to his Nano 2G and dump the RAM after a notes file was
+loaded.
+
+Only certain return addresses can be used, as it is converted
+internally to utf-8.  Hence we are currently using the address of the
+last instruction in the buffer, which is a branch back to our real
+entry point.
+
+You also need to ensure that there are no more than 64KB of notes in
+your Notes folder.