No Rockbox port is available for the supported platform(s).

When in haxed DFU mode, DFU will continue to behave as before, and you will still be able to send properly signed and encrypted images (like WTF). However, signature checking (in header and footer) is disabled. Images with format '3' (like WTF) will not be sigchecked, but will be decrypted. Images with format '4' will not be sigchecked and will not be decrypted. Pwnage 2.0 images might work if they are built to be able to run without having to exploit footer signature checking.

Nano3G/Classic note: haxed DFU currently always boots images as unencrypted. We will change things around soon on all generations and use format '0' for unencrypted instead, and check explicitly for that type. To make your own DFU images, you should thus make format '4' images, and neither encrypt nor sign them. If you have a flat binary file which expects to run from DFU mode and be loaded at address 0x22000000, you can use the makedfu command to wrap it in a Haxed DFU compatible DFU image.

Decryption/dumping is slow, as every 0x30/0x40 bytes we run the exploit again. We should find a better way to get code execution for this kind of task.

This exploits a vulnerability in the standard SETUP packet parsing code of the bootrom, in which the wIndex parameter is not checked for bmRequest =, but is still used to index an array of interface/class handlers (which in the bootrom has a length of 1). The first requirement is to find a suitable (blx r0) instruction in the bootrom code of the device. For Nano 4G the only such instruction is at offset 0x3b0, and for Nano 5G there is one at 0x37c. We abuse the fact that wIndex = 3 for bmRequest 0x40 treats a 'bytes left to send over USB' counter as a function pointer and calls it with r0 = address of SETUP. We massage the DFU mode into attempting to send us X+0x40 bytes, and failing after 0x40 bytes, thereby leaving the counter at X bytes and executing code at address X.
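As an added illustration, not code from the bootrom or from the project described above: the unchecked-wIndex dispatch pattern in C beside a hardened version, with a one-entry handler table as the text describes. The struct, function names and the request values are constructed assumptions; the hardened variant refuses any interface index outside the table instead of reading past it.

```c
#include <stdint.h>

/* Standard 8-byte USB SETUP packet (real layout). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

typedef int (*class_handler_t)(const usb_setup_t *s);

#define NUM_INTERFACES 1   /* the bootrom's handler table has one entry */

/* Stand-in for the single DFU interface handler; echoes bRequest so a
 * caller can see which handler ran. Hypothetical, not bootrom code. */
static int dfu_interface_handler(const usb_setup_t *s) {
    return s->bRequest;
}

/* Vulnerable pattern as the text describes it: wIndex indexes the table
 * with no bounds check, so any wIndex >= NUM_INTERFACES reads whatever
 * follows the table in memory and calls through it (undefined behaviour). */
static int dispatch_vulnerable(class_handler_t *table, const usb_setup_t *s) {
    return table[s->wIndex](s);
}

/* Hardened form: validate the parsed wIndex before using it and STALL
 * (modelled here as -1) anything outside the table. */
static int dispatch_hardened(class_handler_t *table, const usb_setup_t *s) {
    if (s->wIndex >= NUM_INTERFACES) {
        return -1;                     /* out-of-range interface: STALL */
    }
    return table[s->wIndex](s);
}

/* Self-check: a vendor request (bmRequestType 0x40, constructed bRequest 1)
 * to interface 0 is served by both dispatchers; the same request with
 * wIndex 3 is refused by the hardened one instead of being treated as a
 * call through unrelated memory. Returns 1 on success, 0 otherwise. */
int check_dispatch(void) {
    class_handler_t table[NUM_INTERFACES] = { dfu_interface_handler };
    usb_setup_t to_if0 = { 0x40, 1, 0, 0, 0 };
    usb_setup_t to_if3 = { 0x40, 1, 0, 3, 0 };
    if (dispatch_vulnerable(table, &to_if0) != 1) return 0;
    if (dispatch_hardened(table, &to_if0) != 1) return 0;
    if (dispatch_hardened(table, &to_if3) != -1) return 0;
    return 1;
}
```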