The iPhone Wiki - User contributions [en]

AES Keys

2011-01-14T10:04:08Z

Apocolipse:

The SoC in each device have an AES coprocessor with the [[GID-key]] and [[UID-key]] built in.

==Running The Engine==
Currently, there are several ways to run the hardware AES engine:
* Use the [http://forums.openpwn.org/viewtopic.php?f=8&t=19&p=101#p101 AES payload] released on OpenPwn.
* Patch [[iBoot (Bootloader)|iBoot]] to jump to aes_decrypt.
* Use [http://github.com/planetbeing/iphonelinux/tree/master OpenIBoot].
* Use the crypto bundle provided in [[XPwn]] to utilize it via userland. This method requires a kernel patch.
* Use [[Greenpois0n]] console.

If you want to decrypt [[IMG3 File Format|IMG3]] files you need to use this. The [[GID-key]] currently has not been extracted from the phone, so the only way to use it is on the phone itself.

See [[Easier method of getting Img3 Key / IV]] for an [[iBoot (Bootloader)|iBoot]] patch.

==Key 0x837==
Generated by encrypting 345A2D6C5050D058780DA431F0710E15 with the [[S5L8900]] [[GID-key]] to get 188458A6D15034DFE386F23B61D43774

It is used as the encryption key for [[S5L File Formats#IMG2|IMG2 files]]. With the introduction of [[IMG3 File Format|IMG3]] in 2.0, [[KBAG]]s are now used instead of the 0x837 key.

==Using [[Greenpois0n]] to get the keys==
* Run steps 1 thru 5 from [[PwnStrap]]
* Use 'xpwntool file.img3 /dev/null' to extract the KBAG hex string from ''file.img3''
* Start Greenpois0n console: irecovery -s
* Execute 'go aes dec _KBAG_STRING_' in irecovery console

==Resources==
[http://wikee.iphwn.org/s5l8900:encryption_keys Dev Team wiki]

PurpleRestore

2010-10-22T04:58:56Z

Apocolipse:

''PurpleRestore'' is a cross-platform tool used for flashing iDevices. Barely anything is known about it, this tool provides far more customization than [[iTunes]].

PurpleRestore is made entirely of 2 stacked rainbows on top of each other, a "Double Rainbow" if you will, but not across the sky, across your iphone. PurpleRestore will give reacharounds. PurpleRestore has the ability to install Windows 7 on your iDevice. PurpleRestore won an Emmy in 2003 for Best Supporting Actor in an independant film.

Greenpois0n (jailbreak)

2010-10-15T04:16:01Z

Apocolipse: /* Decompiled Exploit Code */

[[Image:Gp.png|180px|right]]

Greenpois0n is both a cross-platform hacker toolkit (that helps users to find their own exploits for jailbreaks, write custom ramdisks, and create custom firmwares) as well as a [[jailbreak]] tool for iDevices written by [[Chronic Dev]].

== Current Toolset ==

*[http://github.com/chronicdev/cyanide GreenPois0n Cyanide]: [[iBoot]] payload toolkit to help developers discover new vulnerabilities and design super fast, low-level iBoot jailbreaks and exploit payloads, much like the way [[blackra1n]]/[[purplera1n]] works.
*[http://github.com/chronicdev/libdioxin GreenPois0n Dioxin]: MobileDevice toolkit designed to help developers design awesome userland jailbreaks, like how [[Spirit]] works.
*[http://github.com/chronicdev/anthrax GreenPois0n Anthrax]: iPhone ramdisk toolkit to help developers design extremely stable and portable ramdisk jailbreaks, much like the same way [[QuickPwn]]/[[redsn0w]] works.
*[http://github.com/chronicdev/arsenic GreenPois0n Arsenic]: custom firmware toolkit to help developers design jailbreaks to help preserve [[Baseband Firmware|baseband]] and keep unlocks, much in the same way [[PwnageTool]]/[[sn0wbreeze]] works.

== History ==
Greenpois0n was originally written using two exploits: [[SHAtter]] (a [[bootrom]] [[exploit]]) as well as a userland [[exploit]] provided by [[User:Comex|Comex]] to make the jailbreak [[untethered jailbreak|untethered]]. A release date of 10/10/10 10:10:10 AM (GMT) was announced, as well as the list of supported devices. Due to the nature of [[SHAtter]], only iDevices using the [[S5L8930|A4 Processor]] were supported.
[[user:geohot|geohot]] later released another jailbreak ([[limera1n]] using a different [[bootrom]] [[exploit]]) on 9 October 2010, which led to a delay in greenpois0n's release (to implement geohot's exploit, not SHAtter).

=== Controversy ===
There was much controversy surrounding the sudden release of [[limera1n]] and the motives behind it. The main reasons for the [[limera1n]] release were:

#Use an exploit that Apple already knew about (newer [[iBoot]]s shows the exploit patched)
#Supports more iDevices than [[SHAtter]]
#Hopefully save the [[SHAtter]] [[bootrom]] [[exploit]] for future iDevices

The reason for this is [[bootrom]] [[exploit]]s are not patchable with software updates. It requires new hardware to fix the security hole. Since the [[limera1n]] hole was already discovered and patched by Apple, it benefits the community if [[SHAtter]] is saved in hopes of using it with new hardware, like the 5th generation iPhone/iPod touch and the iPad 2G.

=== Output ===
[[N90ap|iPhone 4]] with [[greenpois0n]] output (via [[irecovery]]):

Attempting to initialize greenpois0n
Initializing commands
Searching for cmd_ramdisk
Found cmd_ramdisk string at 0x8401c7ac
Found cmd_ramdisk reference at 0x84000d64
Found cmd_ramdisk function at 0x84000cd1
Initializing patches
Initializing memory
Initializing aes
Searching for aes_crypto_cmd
Found aes_crypto_cmd string at 0x84021a8c
Found aes_crypto_cmd reference at 0x84017bb8
Found aes_crypto_cmd fnction at 0x84017b51
Initializing bdev
Initializing image
Initializing nvram
Initializing kernel
Greenpois0n initialized

==Decompiled Exploit Code==
Apocolipse has provided a decompiled version of the exploit function (note. it is incomplete, x86 decompilers can only do so much)

signed int __cdecl upload_exploit()
{
int v0; // eax@1
signed int v1; // edx@2
int v2; // ebx@2
int v3; // eax@4
char *v4; // eax@5
unsigned int v5; // ebx@8
int v6; // ecx@14
signed int result; // eax@15
signed int v8; // ST38_4@18
int v9; // eax@28
signed int v10; // [sp+38h] [bp-1030h]@4
signed int v11; // [sp+3Ch] [bp-102Ch]@2
char v12; // [sp+4Ch] [bp-101Ch]@3
char v13; // [sp+84Ch] [bp-81Ch]@5
int v14; // [sp+104Ch] [bp-1Ch]@1

v14 = *MK_FP(__GS__, 20);
v0 = *(_DWORD *)(device + 16);
if ( v0 == 8930 )
{
v11 = 174080;
v1 = -2080198655;
v2 = -2080129124;
}
else
{
v1 = -2080231423;
v11 = 141312;
v2 = (((v0 == 8920) - 1) & 0xFFFFFFF4) - 2080161884;
}
memset(&v12, 0, 0x800u);
memcpy(&v12, exploit, 0x230u);
if ( libpois0n_debug )
{
v8 = v1;
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Resetting device counters\n");
v1 = v8;
}
v10 = v1;
v3 = irecv_reset_counters(client);
if ( v3 )
{
irecv_strerror(v3);
__fprintf_chk(stderr, 1, &aCannotFindS[12]);
result = -1;
}
else
{
memset(&v13, -858993460, 0x800u);
v4 = &v13;
do
{
*(_DWORD *)v4 = 1029;
*((_DWORD *)v4 + 1) = 257;
*((_DWORD *)v4 + 2) = v10;
*((_DWORD *)v4 + 3) = v2;
v4 += 64;
}
while ( (int *)v4 != &v14 );
if ( libpois0n_debug )
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Sending chunk headers\n");
v5 = 0;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
memset(&v13, -858993460, 0x800u);
do
{
v5 += 2048;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
}
while ( v5 < v11 );
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n");
irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048);
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
memset(&v13, -1145324613, 0x800u);
irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n");
irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0);
irecv_reset(client);
irecv_finish_transfer(client);
if ( libpois0n_debug )
{
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n");
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
}
client = (void *)irecv_reconnect(client, 2u);
if ( client )
{
result = 0;
}
else
{
if ( libpois0n_debug )
{
v9 = irecv_strerror(0);
__fprintf_chk(stderr, 1, &aCannotFindS[12], v9);
}
__fprintf_chk(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}
if ( *MK_FP(__GS__, 20) != v14 )
__stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
return result;
}

Greenpois0n (jailbreak)

2010-10-15T04:12:54Z

Apocolipse:

[[Image:Gp.png|180px|right]]

Greenpois0n is both a cross-platform hacker toolkit (that helps users to find their own exploits for jailbreaks, write custom ramdisks, and create custom firmwares) as well as a [[jailbreak]] tool for iDevices written by [[Chronic Dev]].

== Current Toolset ==

*[http://github.com/chronicdev/cyanide GreenPois0n Cyanide]: [[iBoot]] payload toolkit to help developers discover new vulnerabilities and design super fast, low-level iBoot jailbreaks and exploit payloads, much like the way [[blackra1n]]/[[purplera1n]] works.
*[http://github.com/chronicdev/libdioxin GreenPois0n Dioxin]: MobileDevice toolkit designed to help developers design awesome userland jailbreaks, like how [[Spirit]] works.
*[http://github.com/chronicdev/anthrax GreenPois0n Anthrax]: iPhone ramdisk toolkit to help developers design extremely stable and portable ramdisk jailbreaks, much like the same way [[QuickPwn]]/[[redsn0w]] works.
*[http://github.com/chronicdev/arsenic GreenPois0n Arsenic]: custom firmware toolkit to help developers design jailbreaks to help preserve [[Baseband Firmware|baseband]] and keep unlocks, much in the same way [[PwnageTool]]/[[sn0wbreeze]] works.

== History ==
Greenpois0n was originally written using two exploits: [[SHAtter]] (a [[bootrom]] [[exploit]]) as well as a userland [[exploit]] provided by [[User:Comex|Comex]] to make the jailbreak [[untethered jailbreak|untethered]]. A release date of 10/10/10 10:10:10 AM (GMT) was announced, as well as the list of supported devices. Due to the nature of [[SHAtter]], only iDevices using the [[S5L8930|A4 Processor]] were supported.
[[user:geohot|geohot]] later released another jailbreak ([[limera1n]] using a different [[bootrom]] [[exploit]]) on 9 October 2010, which led to a delay in greenpois0n's release (to implement geohot's exploit, not SHAtter).

=== Controversy ===
There was much controversy surrounding the sudden release of [[limera1n]] and the motives behind it. The main reasons for the [[limera1n]] release were:

#Use an exploit that Apple already knew about (newer [[iBoot]]s shows the exploit patched)
#Supports more iDevices than [[SHAtter]]
#Hopefully save the [[SHAtter]] [[bootrom]] [[exploit]] for future iDevices

The reason for this is [[bootrom]] [[exploit]]s are not patchable with software updates. It requires new hardware to fix the security hole. Since the [[limera1n]] hole was already discovered and patched by Apple, it benefits the community if [[SHAtter]] is saved in hopes of using it with new hardware, like the 5th generation iPhone/iPod touch and the iPad 2G.

=== Output ===
[[N90ap|iPhone 4]] with [[greenpois0n]] output (via [[irecovery]]):

Attempting to initialize greenpois0n
Initializing commands
Searching for cmd_ramdisk
Found cmd_ramdisk string at 0x8401c7ac
Found cmd_ramdisk reference at 0x84000d64
Found cmd_ramdisk function at 0x84000cd1
Initializing patches
Initializing memory
Initializing aes
Searching for aes_crypto_cmd
Found aes_crypto_cmd string at 0x84021a8c
Found aes_crypto_cmd reference at 0x84017bb8
Found aes_crypto_cmd fnction at 0x84017b51
Initializing bdev
Initializing image
Initializing nvram
Initializing kernel
Greenpois0n initialized

==Decompiled Exploit Code==
Apocolipse has provided a decompiled version of the exploit function (note. it is incomplete, x86 decompilers can only do so much)
[code]
signed int __cdecl upload_exploit()
{
int v0; // eax@1
signed int v1; // edx@2
int v2; // ebx@2
int v3; // eax@4
char *v4; // eax@5
unsigned int v5; // ebx@8
int v6; // ecx@14
signed int result; // eax@15
signed int v8; // ST38_4@18
int v9; // eax@28
signed int v10; // [sp+38h] [bp-1030h]@4
signed int v11; // [sp+3Ch] [bp-102Ch]@2
char v12; // [sp+4Ch] [bp-101Ch]@3
char v13; // [sp+84Ch] [bp-81Ch]@5
int v14; // [sp+104Ch] [bp-1Ch]@1

v14 = *MK_FP(__GS__, 20);
v0 = *(_DWORD *)(device + 16);
if ( v0 == 8930 )
{
v11 = 174080;
v1 = -2080198655;
v2 = -2080129124;
}
else
{
v1 = -2080231423;
v11 = 141312;
v2 = (((v0 == 8920) - 1) & 0xFFFFFFF4) - 2080161884;
}
memset(&v12, 0, 0x800u);
memcpy(&v12, exploit, 0x230u);
if ( libpois0n_debug )
{
v8 = v1;
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Resetting device counters\n");
v1 = v8;
}
v10 = v1;
v3 = irecv_reset_counters(client);
if ( v3 )
{
irecv_strerror(v3);
__fprintf_chk(stderr, 1, &aCannotFindS[12]);
result = -1;
}
else
{
memset(&v13, -858993460, 0x800u);
v4 = &v13;
do
{
*(_DWORD *)v4 = 1029;
*((_DWORD *)v4 + 1) = 257;
*((_DWORD *)v4 + 2) = v10;
*((_DWORD *)v4 + 3) = v2;
v4 += 64;
}
while ( (int *)v4 != &v14 );
if ( libpois0n_debug )
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Sending chunk headers\n");
v5 = 0;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
memset(&v13, -858993460, 0x800u);
do
{
v5 += 2048;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
}
while ( v5 < v11 );
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n");
irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048);
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
memset(&v13, -1145324613, 0x800u);
irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n");
irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0);
irecv_reset(client);
irecv_finish_transfer(client);
if ( libpois0n_debug )
{
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n");
if ( libpois0n_debug )
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
}
client = (void *)irecv_reconnect(client, 2u);
if ( client )
{
result = 0;
}
else
{
if ( libpois0n_debug )
{
v9 = irecv_strerror(0);
__fprintf_chk(stderr, 1, &aCannotFindS[12], v9);
}
__fprintf_chk(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}
if ( *MK_FP(__GS__, 20) != v14 )
__stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
return result;
}
[/code]

Talk:Android

2010-04-23T06:10:04Z

Apocolipse: /* This is just a suggestion for anyone intending to do this. */

== Easy Stuff ==
*Virtual buttons have been "put down" in favor for such a combination (subject to change):

Tap Home Button -> Menu.

Hold Home Button 1s -> Home screen.

Hold Home Button 3s (or however long is standard in Android for this) -> Task Switcher.

Lock Button -> Back.

Hold Lock Button -> Sleep.

==== This is just a suggestion for anyone intending to do this. ====
--> Courtesy BHSPitMonkey

Firmware Extraction: Simple extractor + injector to add firmware to images
3.x.x Firmware locations:
/private/var/stash/share/firmware/multitouch/iPhone.mtprop
/usr/share/firmware/multitouch/iPhone.mtprops
base64 encoded

2.x.x Firmware:
Run as root on iPhone, over SSH:
(Requires iokittools, coreutils, vim)
REVISED to avoid ugly hard-coded byte offsets:
-
ioreg -l -w 0 | grep '"Firmware" =' | cut -d '<' -f2 | cut -d '>' -f1 | xxd -r -ps - zephyr_main.bin
ioreg -l -w 0 | grep '"A-Speed Firmware" =' | cut -d '<' -f2 | cut -d '>' -f1 | xxd -r -ps - zephyr_aspeed.bin
~~ Courtesy of Apocolipse

== Harder Stuff ==
*Just making the section for you, remove when actually starting a discussion.

== Porting ==
*Just making the section for you, remove when actually starting a discussion.

Talk:Android

2010-04-23T06:03:01Z

Apocolipse:

== Easy Stuff ==
*Virtual buttons have been "put down" in favor for such a combination (subject to change):

Tap Home Button -> Menu.

Hold Home Button 1s -> Home screen.

Hold Home Button 3s (or however long is standard in Android for this) -> Task Switcher.

Lock Button -> Back.

Hold Lock Button -> Sleep.

==== This is just a suggestion for anyone intending to do this. ====
--> Courtesy BHSPitMonkey

Firmware Extraction: Simple extractor + injector to add firmware to images
3.x.x Firmware locations:
/private/var/stash/share/firmware/multitouch/iPhone.mtprop
/usr/share/firmware/multitouch/iPhone.mtprops
base64 encoded

2.x.x Firmware:
Run as root on iPhone, over SSH:
(Requires iokittools, coreutils, vim)

REVISED to avoid ugly hard-coded byte offsets:

ioreg -l -w 0 | grep '"Firmware" =' | cut -d '<' -f2 | cut -d '>' -f1 | xxd -r -ps - zephyr_main.bin
ioreg -l -w 0 | grep '"A-Speed Firmware" =' | cut -d '<' -f2 | cut -d '>' -f1 | xxd -r -ps - zephyr_aspeed.bin
~~ Courtesy of Apocolipse

== Harder Stuff ==
*Just making the section for you, remove when actually starting a discussion.

== Porting ==
*Just making the section for you, remove when actually starting a discussion.