Quote:
Originally Posted by geekmaster
You could do an automated search in an emulator, intercepting a reboot or lockup, and just systematically try all utf-8 addresses to see if one of them gives you control. It is possible that jumping into the middle of an instruction (or data) might surprise you. Undefined instruction opcodes might be useful too. They can have undefined behavior that depends on the chip die layout (parasitic transistors, etc.), but that undefined behavior may be beneficial in this case. Or at least, a block of random code may *eventually* lead to code that does something useful. Of course, this empirical approach is a last resort, and a planned attack using known vulnerabilities should be tried first.
Undefined instructions may behave different in an software emulator though, so an ICE (In-Circuit Emulator is really needed to exploit them). Again, this is just another option to explore if a usable instruction sequence cannot be found at a utf-8 compatible address.
So, it appears that we are waiting for you to get your hands on a spare KT then?
|
Basically. I need a nand dump before I can do any more. I thought the Touch and the Kindle 4 would be similar but I was wrong, they are more different than K4 and K3. Different binaries, different libraries, and different java frameworks. Everything.