bug-gnupod

Re: Antwort: Re: Antwort: Re: [Bug-gnupod] Support for 4th gen iPod Shuf


From: H. Langos
Subject: Re: Antwort: Re: Antwort: Re: [Bug-gnupod] Support for 4th gen iPod Shuffle
Date: Mon, 1 Jun 2009 22:00:21 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Hi David,

On Mon, Jun 01, 2009 at 02:10:46PM +0200, address@hidden wrote:
> "H. Langos" <address@hidden> wrote on 01.06.2009 11:44:57:
> 
> > On Mon, Jun 01, 2009 at 01:14:20AM +0200, address@hidden wrote:
> > > "H. Langos" <address@hidden> wrote on 30.05.2009 23:23:59:
> > You should make it very clear that this is the new iTunesSD format.
> > The older format was much simpler.
> > 
> > The 4 bytes at offset 0x4 are not total size. They seem to always be
> > 02 00 00 03 independent of size.
> > 
> > I wrote some more details in my last posting to the "bug-gnupod" list.
> 
> Okay.
> 
> I updated the http://evil.madrax.de/ipod/itunessd.php script according to 
> your information. Now it looks a bit more clear. And I moved the iTunesDB 
> script to http://evil.madrax.de/ipod/itunesdb.php
> I'm adding file upload support this week so everybody may have his 
> iTunesXX file analysed. Hoping that it will be helpful to someone.

I have some suggestions:

1. Add a hexdump either for the complete chunk or for the decoded fields.
   That helps to verify the information we already know (or believe we know) and
   also shows how wide the decoded field was.

Example:  [header_length]               => 64 (40 00 00 00)

2. Separate bytes in the hexdump by a single space and groups of 8 (or 4) bytes 
   by two spaces and add line break after 16 bytes.
Example: [unknown3]    => 40 02 00 00 9c 0c 00 00  24 d8 b7 00 00 00 00 00 
                          38 c1 69 00 00 00 00 00  81 00 00 00

3. When decoded output is shown in hex, add the "0x" prefix

Example:  [playlist_header_chunk_offset]=> 0x0000b964 (64 b9 00 00)

4. When allowing users to upload files, create a separate directory
for each user session and ask the users to upload the iTunesDB as 
well as the iTunesSD. This will help to transfer existing knowledge
about the iTunesDB to the iTunesSD. (i.e. identifying fields we 
already know in the iTunesDB)

Also ask the user to add as much information as possible. Like: 
- which version of iTunes was used to create the database,
- which iPod device (incl last three letters of the serial number),
- what kind of files were added, volume adjustments, and so on.

Make it clear that data that users upload will be stored for an 
unlimited time and that it will be made available to the public.
This way you can create a data collection that may help to decode
the last unknown fields.


Some words of warning because I don't know how much of a security 
background you already have. When allowing users to send data to your
server, don't let them specify the filename. Don't add user input
(or data derived from user input) to function calls that could be
harmful. When you output user data, always use either htmlspecialchars()
or htmlentities().

cheers
-henrik
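
The upload advice at the end of this message (a directory per session, no user-chosen file names, escaped output), as an added PHP example that is not part of the original message and not the code behind the itunessd.php script. UPLOAD_ROOT, the form field names `itunesdb`/`itunessd` and the size limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: UPLOAD_ROOT, MAX_BYTES and the form field names are
// assumptions, not values from the thread.
session_start();

const UPLOAD_ROOT = '/var/lib/itunes-uploads';   // assumed path outside the web root
const MAX_BYTES   = 16 * 1024 * 1024;            // assumed per-file size limit
// Form field name => fixed name on disk. The client-supplied file name
// is never used to build a path.
const FIELDS = ['itunesdb' => 'iTunesDB', 'itunessd' => 'iTunesSD'];

// One directory per session, named by a server-generated random token
// rather than by anything the client sent (the session cookie included).
if (!isset($_SESSION['upload_dir'])) {
    $_SESSION['upload_dir'] = bin2hex(random_bytes(16));
}
$dir = UPLOAD_ROOT . '/' . $_SESSION['upload_dir'];
if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
    http_response_code(500);
    exit('storage error');
}

header('Content-Type: text/html; charset=UTF-8');
foreach (FIELDS as $field => $storedName) {
    $f = $_FILES[$field] ?? null;
    // Skip missing or failed uploads, and array-style fields (name="x[]"),
    // where 'error' is an array instead of an int.
    if (!is_array($f) || !is_int($f['error']) || $f['error'] !== UPLOAD_ERR_OK) {
        continue;
    }
    if ($f['size'] > MAX_BYTES) {
        continue;
    }
    // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
    if (!move_uploaded_file($f['tmp_name'], $dir . '/' . $storedName)) {
        continue;
    }
    // The original file name is user data: escape it before echoing it back.
    $shown = htmlspecialchars((string) $f['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "<p>Stored {$shown} as {$storedName}</p>\n";
}
```

The same htmlspecialchars() call applies to the free-text details users submit (iTunes version, device, file types) wherever they are later displayed.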




