Difference between revisions of "Talk:0x24000 Segment Overflow"
Revision as of 11:29, 13 March 2009
I have questions. What is the LR? How do we write to the NOR?
LR is the link register. It usually contains a pointer to where the current routine is to return to. NOR is written by putting the device into DFU mode and writing to the nor0 block device using a tool like iRecovery --posixninja 17:58, 12 March 2009 (UTC)
I rewrote the article as one geared more toward the technical/security community than hobbyists trying to manually perform the patch. My hope is that it will be more useful in this form for the linux4nano community, who are trying to jailbreak the iPod Nano 4G, which apparently uses the same SoC. --Planetbeing 07:46, 13 March 2009 (UTC)
Nice work guys. Did you use a debugger of some sort? This would be difficult without a debugger. Here's how I understand it: we overwrite pointers pointing to where and what data is written. By writing to the stack, we can overwrite the subroutine's return address (LR). The subroutine will now return to the payload. Is this correct? --paulzero 11:23, 13 March 2009 (UTC)
Hi Paul0. No debugger at all. Only hundreds of tests to find the LR in the stack :) [thx to posixninja for the tests, planetbeing for the analysis of the tests].