The iPhone Wiki - User contributions [en]

Main Page

2014-04-12T23:14:52Z

Chpwn:

[[File:Iptwiki.png|center]]
{{:Main Page/Welcome}}

== Jailbreak/Unlock Status ==

More information, including information for older devices, is available on the [[Firmware]] and [[Jailbreak]] pages.
{| class="wikitable" style="font-size:1em; width:100%;"
|-
! style="width:15%;" | [[Models|Device]]
! [[k66ap|Apple TV 2G]]
! [[Apple TV 3G]]
! [[iPhone 4]]
! [[iPad 2]] and newer<br />[[iPad mini 1G]] and newer<br />[[n94ap|iPhone 4S]] and newer<br /> [[iPod touch 5G]]
|-
! Latest [[firmware]]
| colspan="2" | 6.1 <small>(Build 11D169b)</small>
| colspan="2" | 7.1 <small>(Build 11D167 or 11D169)</small>
|-
! [[Jailbreak]] available?
| colspan="2" {{no}}
| {{partial|}} Tethered
| {{no}}
|-
! Software [[unlock]] available?<br /><small>(if carrier locked)</small>
| colspan="2" {{n/a}}
| colspan="2" {{no}}
|}

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Software ==
* [[Apple Internal Apps]]
* [[:Category:File Formats|File formats]]
* [[/|Filesystem]]
* [[Firmware]]
** [[Beta Firmware]]
** [[OTA Updates]]
* [[iTunes]]
** [[iTunes Errors]]
** [[iTunes Modes]]
** [[MobileDevice Library]]
* [[Keys]]
** [[AES Keys]]
** [[CERT|Apple Certificate]]
** [[Baseband RSA Keys|RSA Keys]]
** [[Baseband TEA Keys|TEA Keys]]
** [[Firmware Keys]]
*** [[Decrypting Firmwares]]
** [[GID Key]]
** [[NCK]]
* [[Protocols]]
** [[Baseband Bootrom Protocol]]
** [[DFU (Protocol)|DFU]]
** [[Interactive Mode|Baseband Bootloader Protocol]]
** [[Normal Mode]]
** [[Recovery Mode (Protocols)|Recovery Mode]]
** [[Restore Mode]]
* [[System Log|System Log (syslog)]]

==== [[:Category:Jailbreaks|Jailbreak Software]] ====
* [[Absinthe]]
* [[blackra1n]]
* [[Corona]]
* [[evasi0n]]
* [[evasi0n7]]
* [[Greenpois0n (jailbreak)|greenpois0n]]
* [[JailbreakMe]]
* [[limera1n]]
* [[p0sixspwn]]
* [[PwnageTool]]
* [[redsn0w]]
* [[Rocky Racoon]]
* [[Seas0nPass]]
* [[sn0wbreeze]]
* [[Spirit]]
* [[unthredera1n]]

==== [[:Category:Patches|Patches]] ====
* [[Kernel Patches|Kernel]]
** [[AMFI Binary Trust Cache Patch]]
** [[PE i can has debugger Patch]]
** [[Sandbox Patch]]
** [[Vm map enter Patch]]
** [[Vm map protect Patch]]
* [[:Category:Ramdisk Patches|Ramdisk]]: [[ASR]]

==== [[:Category:Exploits|Vulnerabilities and Exploits]] ====
* [[0x24000 Segment Overflow]] (24kpwn)
* [[BPF STX Kernel Write Exploit]]
* [[CVE-2013-0964]]
* [[HFS Heap Overflow]]
* [[HFS Legacy Volume Name Stack Buffer Overflow]] (feedface)
* [[Incomplete Codesign Exploit]]
* [[IOSurface Kernel Exploit]]
* [[Limera1n Exploit]]
* [[Malformed CFF Vulnerability]]
* [[MobileBackup Copy Exploit]]
* [[ndrv_setspec() Integer Overflow]]
* [[Packet Filter Kernel Exploit]]
* [[Racoon String Format Overflow Exploit]]
* [[SHA-1 Image Segment Overflow]] (SHAtter)
* [[usb_control_msg(0x21, 2) Exploit]]
* [[usb_control_msg(0xA1, 1) Exploit]] (steaks4uce)
* [[Symbolic Link Vulnerability]]

====Various Software====
* [[Cydia.app|Cydia]]
* [[EDA]]
* [[iDroid]]
* [[iFaith]]
* [[iPhone Tracker]]
* [[SemiRestore]]
* [[TinyUmbrella]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Hardware ==
==== Devices ====
{{see also|Models|Prototypes}}
* [[iPhone]]
** iPhone ([[m68ap]])
** iPhone 3G ([[n82ap]])
** iPhone 3GS ([[n88ap]])
** [[iPhone 4]] ([[n90ap]], [[n90bap]], [[n92ap]])
** iPhone 4S ([[n94ap]])
** [[iPhone 5]] ([[n41ap]], [[n42ap]])
** [[iPhone 5c]] ([[n48ap]], [[n49ap]])
** [[iPhone 5s]] ([[n51ap]], [[n53ap]])
* [[iPod touch]]
** iPod touch ([[n45ap]])
** iPod touch 2G ([[n72ap]])
** iPod touch 3G ([[n18ap]])
** iPod touch 4G ([[n81ap]])
** [[iPod touch 5G]] ([[n78ap]], [[n78aap]])
* [[iPad]]
** iPad ([[k48ap]])
** [[iPad 2]] ([[k93ap]], [[k94ap]], [[k95ap]], [[k93aap]])
** [[iPad 3]] ([[j1ap]], [[j2ap]], [[j2aap]])
** [[iPad 4]] ([[p101ap]], [[p102ap]], [[p103ap]])
** [[iPad Air]] ([[j71ap]], [[j72ap]], [[j73ap]])
* [[iPad mini]]
** [[iPad mini 1G]] ([[p105ap]], [[p106ap]], [[p107ap]])
** [[iPad mini 2G]] ([[j85ap]], [[j86ap]], [[j87ap]])
* [[Apple TV]]
** Apple TV 2G ([[k66ap]])
** [[Apple TV 3G]] ([[j33ap]], [[j33iap]])

==== [[Application Processor]]s ====
* [[S5L8900]] ([[m68ap|iPhone 2G]], [[n45ap|iPod touch 1G]], [[n82ap|iPhone 3G]])
* [[S5L8720]] ([[n72ap|iPod touch 2G]])
* [[S5L8920]] ([[n88ap|iPhone 3GS]])
* [[S5L8922]] ([[n18ap|iPod touch 3G]])
* [[S5L8930]] A4 ([[k48ap|iPad]], [[iPhone 4]], [[n81ap|iPod touch 4G]], [[k66ap|Apple TV 2G]])
* [[S5L8940]] A5 ([[iPad 2]], [[n94ap|iPhone 4S]])
* [[S5L8942]] A5 Rev A ([[j33ap|Apple TV 3G]], [[k93aap|iPad 2 (iPad2,4)]], [[iPod touch 5G]], [[iPad mini 1G]])
* [[S5L8945]] A5X ([[iPad 3]])
* [[S5L8947]] A5 Rev B ([[j33iap|Apple TV 3G (AppleTV3,2)]])
* [[S5L8950]] A6 ([[iPhone 5]], [[iPhone 5c]])
* [[S5L8955]] A6X ([[iPad 4]])
* [[S5L8960]] A7 ([[iPhone 5s]], [[iPad mini 2G]])
* [[S5L8965]] A7 Variant ([[iPad Air]])

==== [[Baseband Device]]s ====
* [[S-Gold 2|PMB8876 or S-Gold 2]] ([[m68ap|iPhone]])
* [[X-Gold 608|PMB8878 or X-Gold 608]] ([[n82ap|iPhone 3G]], [[n88ap|iPhone 3GS]], [[k48ap|iPad]])
* [[XMM 6180|XMM6180 or X-Gold 618]] ([[iPhone 4]] ([[n90ap|iPhone3,1]] and [[n90bap|iPhone3,2]]), [[k94ap|iPad 2 (iPad2,2)]])
* [[MDM6600]] ([[n92ap|iPhone 4 (iPhone3,3)]], [[k95ap|iPad 2 (iPad2,3)]])
* [[MDM6610]] ([[n94ap|iPhone 4S]])
* [[MDM9x00]] ([[iPad 3]])
* [[MDM9615]] ([[iPhone 5]], [[iPad 4]], [[iPad mini 1G]], [[iPhone 5c]], [[iPhone 5s]], [[iPad Air]], [[iPad mini 2G]])

==== [[Motion Processor|Motion Co-processors]] ====
* [[LPC18A1]] M7 ([[iPhone 5s]], [[iPad Air]], [[iPad mini 2G]])

==== WLAN/[[Bluetooth]] ====
* [[Marvell 88x8686]]
* [[BlueCore 4]]
* [[BlueCore 6]]
* [[BCM4325]]
* [[BCM4329]]
* [[BCM4330]]
* [[BCM4334]]
* [[BCM43342]]

==== [[Compass.app|Compass]] ====
* [[AKM8973]]
* [[AKM8975]]
* [[AK8963]]

==== Other ====
* [[Accelerometer]]
* [[Gyroscope]]: [[AGD1 2022 FP6AQ]]
* Connectors: [[30-pin Connector|30-pin]], [[Lightning Connector|Lightning]]
|}

{| style="width:100%"
|-
| style="width:50%; text-align:left; vertical-align:text-top;" |
== Development ==
==== [[:Category:Hackers|iPhone Hackers]] ====
* [[User:comex|comex]]
* [[User:geohot|geohot]]
* [[User:MuscleNerd|MuscleNerd]]
* [[User:planetbeing|planetbeing]]
* [[User:posixninja|posixninja]]
* [[User:pod2g|pod2g]]
* [[Pimskeks]]
* [[User:iH8sn0w|iH8sn0w]]
* [[User:winocm|winocm]]
* [[saurik]]

==== iPhone Hacker Teams ====
* [[Chronic Dev (team)|Chronic Dev]]
* [[iPhone Dev Team]]
* [[Dream Team]]
* [[Evad3rs|evad3rs]]

==== Application Development ====
* [[Apple Certification Process]]
* [[Bypassing iPhone Code Signatures]]
* [[Distribution Methods]]
* [[/System/Library/Frameworks|Frameworks]]
* [[MobileDevice Library]]
* [[Mobile Substrate]]
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [http://iphonedevwiki.net iPhoneDevWiki]

==== Application Copy Protection ====
* [[Application Structure and Signatures]]
* [[Bugging Debuggers]]
* [[Copy Protection Overview]]
* [[Defeating Cracks]]
* [[Mach-O Loading Process]]

| style="width:50%; text-align:left; vertical-align:text-top;" |
== Help ==
==== Guides ====
* [[Tutorials]]
* [[Useful Links]]

==== Definitions ====
* [[Activation]] and [[Hacktivation]]
* [[ASLR]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[Bootchain]]
* [[Bootrom]] / [[VROM]]
* [[Bricked]]
* [[CHIPID]]
* [[DFU Mode]]
* [[Failbreak]]
* [[iBEC]]
* [[iBoot (Bootloader)|iBoot]]
* [[iBSS]]
* [[IMG3 File Format|IMG3]] tags
** [[BORD]]
** [[CERT]]
** [[CHIP]]
** [[CPID]]
** [[DATA]]
** [[ECID]]
** [[KBAG]]
** [[PROD]]
** [[SDOM]]
** [[SEPO]]
** [[SHSH]]
** [[TYPE]]
** [[VERS]]
* [[Jailbreak]]
** [[Tethered jailbreak]]
** [[Untethered jailbreak]]
* [[Kernel]]
* [[launchd]]
* [[LLB]]
* [[NAND]]
* [[NOR]]
* [[NORID]]
* [[Unlock]]
* [[Userland]]
|}
__NOTOC____NOEDITSECTION__

User:Chpwn

2012-09-23T23:59:25Z

Chpwn:

{{DISPLAYTITLE:chpwn}}
Grant Paul, known as chpwn (pronounced "cee-aitch pone"), lives in San Francisco. He was somewhat involved in the development of [[Spirit]], [[Star]] and [[Greenpois0n (jailbreak)|greenpois0n]], and worked with [[User:Westbaer|westbaer]] on Star's website, [[JailbreakMe]].

He also has developed tweaks available in [[Cydia Application|Cydia]], such as ProSwitcher (with Ryan Petrich), Infinidock, Infiniboard, Infinifolders, Gridlock. He has also done some work on [[Cydia Application|Cydia]] itself (update to version 1.1.1).

== Links ==
* [http://chpwn.com/ website]
* [http://chpwn.com/blog/ blog]
* [https://twitter.com/chpwn twitter]
[[Category:Hackers]]

User:Chpwn

2010-10-22T07:21:35Z

Chpwn:

{{DISPLAYTITLE:chpwn}}
Grant Paul, known as chpwn, lives in San Francisco. He was somewhat involved in the development of [[Spirit]], [[Star]] and [[greenpois0n]], and worked with [[User:Westbaer|westbaer]] on Star's website, [[JailbreakMe]].

He also has developed tweaks available in [[Cydia Application|Cydia]], such as ProSwitcher.

== Links ==
* [http://www.ievolution.ca/iphone/iphone-dev-interview-grant-paul-chpwn Interview in iEvolution.ca]
* [http://chpwn.com/blog/ His blog]
* [https://twitter.com/chpwn chpwn on Twitter]
[[Category:Hackers]]

User:Chpwn

2010-09-10T01:48:16Z

Chpwn: reduced importance of myself

{{DISPLAYTITLE:chpwn}}
Grant Paul, known as chpwn, lives in San Francisco. He was somewhat involved in the development of [[Spirit]] and [[Star]], and worked with [[User:Westbaer|westbaer]] on Star's website, [[Jailbreakme]].

He also has developed tweaks available in [[Cydia]], such as ProSwitcher.

== Links ==
* [http://www.ievolution.ca/iphone/iphone-dev-interview-grant-paul-chpwn Interview in iEvolution.ca]
* [http://chpwn.com/blog/ His blog]
* [https://twitter.com/chpwn chpwn on Twitter]
[[Category:Hackers]]

Usb control msg(0x21, 2) Exploit

2010-09-10T01:47:43Z

Chpwn: fix :

{{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) and [[N18ap|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72ap|iPod touch 2G]] owners can use it for a [[tethered jailbreak]] on 4.0. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]

== Credit (Alphabetical) ==
* '''vulnerability''': [[pod2g]] and [[westbaer]], also discovered independently by [[gray]], also discovered independently by [[geohot]]
* '''exploitation''': [[ius]], [[chronic]], [[pod2g]], and [[posixninja]], also [[geohot]]
* '''payload:''' [[geohot]] ([[blackra1n]]), [[chronic]] and [[posixninja]] ([[greenpois0n]])

== Vulnerability ==
'''[[pod2g]]''' and '''[[westbaer]]''' discovered, via some reversing + fuzzing, you could overwrite the content of 0x0 thanks to Apple not checking the contents of a register they should have, shown in the disassm below. This can be exploited because MMU maps whatever is running ([[LLB]], [[iBoot]], etc.) to 0x0 so that if an exception vector is triggered, it would jump to the one designed to be used with what is running, versus jumping to what is normally located at 0x0, the [[S5L8920 (Bootrom)|bootrom]].

All you need to do is send the following (assuming you're using libusb 0.1.x)...
usb_control_msg(iDev, 0x21, 2, 0, 0, 0, 0, 1000);
And thanks to our vulnerability, it will do this:
memcpy(0, LOAD_ADDR, 0x2000);

As you can see, we now have full control over the first 0x2000 bytes of iBoot.

=== Disassm ===
<pre>
// R5: a pointer to a buffer is here if requesttype==0xA1.
// however, if requesttype==0x21, R5 is undefined.

SRAM:22009ED2 code_1 ; CODE XREF: handle_file_io_control_req+62�j
SRAM:22009ED2 014 36 49 LDR R1, =usb_file_loadaddr
SRAM:22009ED4 014 36 4B LDR R3, =usb_file_offset
SRAM:22009ED6 014 28 68 LDR R0, [R5]
SRAM:22009ED8 014 09 68 LDR R1, [R1]
SRAM:22009EDA 014 1B 68 LDR R3, [R3]
SRAM:22009EDC 014 22 1C ADDS R2, R4, #0
SRAM:22009EDE 014 C9 18 ADDS R1, R1, R3
SRAM:22009EE0 014 07 F0 94 EF BLX memcpy
SRAM:22009EE4 014 00 2E CMP R6, #0
SRAM:22009EE6 014 53 D0 BEQ return
SRAM:22009EE8 014 01 23 MOVS R3, #1
SRAM:22009EEA 014 33 60 STR R3, [R6]
SRAM:22009EEC 014 50 E0 B return
</pre>

== Exploitation ==
By using a [http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf vector rewrite attack], it's possible to replace the address of the irq vector handler (0x38) within a 0x2000 [[iBoot]] chunk that we send, with the location of the payload to be executed. Although, since we are hijacking the irq exception vector, you must disable interrupts first. Here is the basic procedure:
* Call enter_critical_task(); disabling interrupts, so that your code can reliably execute.
* Restore 0x38 (irq handler) with the original irq vector address
* '''DO WHAT YOU WANT AT THIS POINT, YOU MAY NOT USE INTERRUPTS'''.
* Call exit_critical_task(); re-enabling interrupts.
* Call the irq handler so that the interrupt request that you hijacked can execute.

=== Roadblocks ===
If what you send is not 0x2000 bytes, the remainder is filled in with zeroes, which is bad. Due to this, you need to restore the first 0x2000 of iBoot before your payload returns execution to [[iBoot]]. Also you must disable interrupts, to prevent iBoot from calling the irq vector while your payload is being executed. Because of this, it rules out the possibility of reading the 0x2000 iBoot chunk needed from [[NOR]], from within iBoot itself, since nor_read(); requires interrupts.

One way to get around the need of sending the 0x2000 [[iBoot]] chunk is to hook the image_load(); function in the [[LLB]] which is sitting intact in memory. This was successfully done in [[blackra1n]].

The [[PwnageTool]] method requires an [[IPSW]] to be input in order to create a custom firmware anyway, so the 0x2000 chunk is not an issue. It can just be copied from the [[iBoot]] in the [[IPSW]].

=== Implementation ===
* [[blackra1n]]
* [[redsn0w]]

[[Category:Exploits]]

Usb control msg(0x21, 2) Exploit

2010-09-10T01:45:26Z

Chpwn: add geohot

{{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]]) and [[N18ap|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72ap|iPod touch 2G]] owners can use it for a [[tethered jailbreak]] on 4.0. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]

== Credit (Alphabetical) ==
* '''vulnerability''': [[pod2g]] and [[westbaer]], also discovered independently by [[gray]], also discovered independently by [[geohot]]
* '''exploitation''': [[ius]], [[chronic]], [[pod2g]], and [[posixninja]], also [[geohot]]
* '''payload:''': [[geohot]] ([[blackra1n]]), [[chronic]] and [[posixninja]] ([[greenpois0n]])

== Vulnerability ==
'''[[pod2g]]''' and '''[[westbaer]]''' discovered, via some reversing + fuzzing, you could overwrite the content of 0x0 thanks to Apple not checking the contents of a register they should have, shown in the disassm below. This can be exploited because MMU maps whatever is running ([[LLB]], [[iBoot]], etc.) to 0x0 so that if an exception vector is triggered, it would jump to the one designed to be used with what is running, versus jumping to what is normally located at 0x0, the [[S5L8920 (Bootrom)|bootrom]].

All you need to do is send the following (assuming you're using libusb 0.1.x)...
usb_control_msg(iDev, 0x21, 2, 0, 0, 0, 0, 1000);
And thanks to our vulnerability, it will do this:
memcpy(0, LOAD_ADDR, 0x2000);

As you can see, we now have full control over the first 0x2000 bytes of iBoot.

=== Disassm ===
<pre>
// R5: a pointer to a buffer is here if requesttype==0xA1.
// however, if requesttype==0x21, R5 is undefined.

SRAM:22009ED2 code_1 ; CODE XREF: handle_file_io_control_req+62�j
SRAM:22009ED2 014 36 49 LDR R1, =usb_file_loadaddr
SRAM:22009ED4 014 36 4B LDR R3, =usb_file_offset
SRAM:22009ED6 014 28 68 LDR R0, [R5]
SRAM:22009ED8 014 09 68 LDR R1, [R1]
SRAM:22009EDA 014 1B 68 LDR R3, [R3]
SRAM:22009EDC 014 22 1C ADDS R2, R4, #0
SRAM:22009EDE 014 C9 18 ADDS R1, R1, R3
SRAM:22009EE0 014 07 F0 94 EF BLX memcpy
SRAM:22009EE4 014 00 2E CMP R6, #0
SRAM:22009EE6 014 53 D0 BEQ return
SRAM:22009EE8 014 01 23 MOVS R3, #1
SRAM:22009EEA 014 33 60 STR R3, [R6]
SRAM:22009EEC 014 50 E0 B return
</pre>

== Exploitation ==
By using a [http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf vector rewrite attack], it's possible to replace the address of the irq vector handler (0x38) within a 0x2000 [[iBoot]] chunk that we send, with the location of the payload to be executed. Although, since we are hijacking the irq exception vector, you must disable interrupts first. Here is the basic procedure:
* Call enter_critical_task(); disabling interrupts, so that your code can reliably execute.
* Restore 0x38 (irq handler) with the original irq vector address
* '''DO WHAT YOU WANT AT THIS POINT, YOU MAY NOT USE INTERRUPTS'''.
* Call exit_critical_task(); re-enabling interrupts.
* Call the irq handler so that the interrupt request that you hijacked can execute.

=== Roadblocks ===
If what you send is not 0x2000 bytes, the remainder is filled in with zeroes, which is bad. Due to this, you need to restore the first 0x2000 of iBoot before your payload returns execution to [[iBoot]]. Also you must disable interrupts, to prevent iBoot from calling the irq vector while your payload is being executed. Because of this, it rules out the possibility of reading the 0x2000 iBoot chunk needed from [[NOR]], from within iBoot itself, since nor_read(); requires interrupts.

One way to get around the need of sending the 0x2000 [[iBoot]] chunk is to hook the image_load(); function in the [[LLB]] which is sitting intact in memory. This was successfully done in [[blackra1n]].

The [[PwnageTool]] method requires an [[IPSW]] to be input in order to create a custom firmware anyway, so the 0x2000 chunk is not an issue. It can just be copied from the [[iBoot]] in the [[IPSW]].

=== Implementation ===
* [[blackra1n]]
* [[redsn0w]]

[[Category:Exploits]]

User:Chpwn

2010-08-15T05:32:19Z

Chpwn: I HATE IT WHEN PEOPLE GET MY NAME BACKWARDS and other stuff

{{DISPLAYTITLE:chpwn}}
Grant Paul, known as chpwn, lives in San Francisco. He was involved in the development of [[Spirit]] and [[Star]], and has more recently contributed to [[Cydia]]. He is not member of the [[iPhone Dev Team]] according to their blog. He also has developed tweaks available in Cydia.
== Links ==
* [http://www.ievolution.ca/iphone/iphone-dev-interview-grant-paul-chpwn Interview in iEvolution.ca]
* [http://chpwn.com/blog/ His blog]
* [http://www.twitter.com/chpwn chpwn on Twitter]
[[Category:Hackers]]

Main Page

2009-11-25T08:57:50Z

Chpwn: ikee-virus is NOT HARDWARE. NO. Bye.

<center>[[Image:Iptwiki.jpg‎]]</center>

{{:Main Page/Welcome}}
<table border="1" width="100%" style="background-color:orange;"><tr>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1 / iPod3,1|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]</b></td>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td>
</tr>
</table><br />

{{col-begin}}
{{col-2}}
{{HeadingA|Software}}
* [[/|Filesystem]]
* [[Firmware]]
* [[Keys]]
** [[AES Keys]]
** [[Apple Certificate]]
** [[Baseband RSA Keys|RSA Keys]]
** [[Baseband TEA Keys|TEA Keys]]
** [[NCK]]
* [[Protocols]]
** [[Normal Mode]]
** [[Recovery Mode (Protocols)|Recovery Mode]]
** [[Restore Mode]]
** [[DFU (Protocol)|DFU]]
** [[Baseband Bootrom Protocol]]
** [[Interactive Mode|Baseband Bootloader Protocol]]
* [[System Log|System Log (syslog)]]
* [[Ikee-virus]]
{{col-2}}
{{HeadingB|Hardware}}
====iPhone====
* [[m68ap|iPhone (m68ap)]]
* [[n82ap|iPhone 3G (n82ap)]]
* [[N88ap|iPhone 3GS (n88ap)]]

====iPod Touch====
* [[n45ap|iPod touch (n45ap)]]
* [[n72ap|iPod touch 2nd Generation (n72ap)]]
* [[N18ap|iPod touch 3rd Generation (n18ap)]]

====Processors====
* [[S5L8900]] ([[iPhone]], [[iPod Touch]], [[iPhone 3G]])
* [[S5L8720]] ([[iPod touch 2G]])
* [[S5L8920]] ([[N88AP|iPhone 3GS]])
* [[S5L8922]] ([[N18ap|iPod Touch 3G]])
* [[Baseband Device]]

====Other====
* [[Bluetooth]]
{{col-end}}

{{col-begin}}
{{col-2}}
{{HeadingA|Development}}
====Application Development====
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [[Frameworks]]
* [[MobileDevice Library]]
* [[Apple Certification Process]]
* [[Bypassing iPhone Code Signatures]]
* [[Distribution Methods]]

====Application Copy Protection====
* [[Copy Protection Overview]]
* [[Application Structure and Signatures]]
* [[Mach-O Loading Process]]
* [[Bugging Debuggers]]
* [[Defeating Cracks]]
{{col-2}}
{{HeadingB|Help}}
====Guides====
* [[Tutorials]]
* [[Useful Links]]

====Definitions====
* [[Glossary]]
* [[Jailbreak]]
* [[Activation]]
* [[Unlock]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[DFU]]
* [[iBoot]]
* [[iBEC]]
* [[iBSS]]
* [[NORID]]
* [[CHIPID]]
{{col-end}}

<table border="1" width="100%" style="background-color:orange;">
<tr>
<td colspan="4" style="background-color:orange; text-align:center;">
<center>[[Disclaimer]]</center>
</td>
</tr>
</table>

__NOTOC____NOEDITSECTION__

Bugging Debuggers

2009-11-08T06:44:10Z

Chpwn: Worked around.

'''IMPORTANT NOTE: This trick has been worked around by pirates. Don't rely on it!'''

== The ptrace() Trick ==

GDB is the stock debugger used by most hackers. On darwin (OSX and iPhone OS), GDB will not attach to processes that have asked not to be attached to. Instead, it will crash or crash the target process. This is useful for defeating Crackulous and most tutorial-followers.

On OSX, one would need the following piece of code, as close as possible to the start of main().

ptrace(PT_DENY_ATTACH, 0, 0, 0);

A couple of includes are also in order:

#include <sys/ptrace.h>
#include <sys/types.h>

On the iPhone, however, <sys/ptrace.h> is not available. Fortunately, that can be worked around:

#import <dlfcn.h>
#import <sys/types.h>

typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
#if !defined(PT_DENY_ATTACH)
#define PT_DENY_ATTACH 31
#endif // !defined(PT_DENY_ATTACH)

void disable_gdb() {
void* handle = dlopen(0, RTLD_GLOBAL | RTLD_NOW);
ptrace_ptr_t ptrace_ptr = dlsym(handle, "ptrace");
ptrace_ptr(PT_DENY_ATTACH, 0, 0, 0);
dlclose(handle);
}

The following are needed to complete the code, and are left as an exercise for the reader:
* disable_gdb() should return for debug builds (hint: preprocessor macros)
* the string "ptrace" is a dead giveaway, and should probably be obfuscated a bit

Apple approved [http://github.com/costan/zergsupport/blob/master/ZergSupport/CryptoSupport/ZNDebugIntegrity.m this implementation], when it was submitted with [http://istockplay.com StockPlay] version 0.5.

Main Page

2009-11-08T04:45:17Z

Chpwn: New, nicer design. Revert if not liked, but I think its better and cleaner...

<center>[[Image:Iptwiki.jpg‎]]</center>

{{:Main Page/Welcome}}
<table border="0" width="100%" style="background-color:orange;"><tr>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Jailbreak iPhone2,1 / iPod3,1|Find bootrom exploit allowing unsigned code exec via USB (S5L8920+)]]</b></td>
<td style="background-color:orange; text-align:center; width:25%;"><b>[[Unlock 2.0|Break Chain of Trust (X-Gold 608)]]</b></td>
</tr>
</table><br />

{{col-begin}}
{{col-2}}
{{HeadingA|Software}}
* [[/|Filesystem]]
* [[Firmware]]
* [[Keys]]
** [[AES Keys]]
** [[Apple Certificate]]
** [[Baseband RSA Keys|RSA Keys]]
** [[Baseband TEA Keys|TEA Keys]]
** [[NCK]]
* [[Protocols]]
** [[Normal Mode]]
** [[Recovery Mode (Protocols)|Recovery Mode]]
** [[Restore Mode]]
** [[DFU (Protocol)|DFU]]
** [[Baseband Bootrom Protocol]]
** [[Interactive Mode|Baseband Bootloader Protocol]]
* [[System Log|System Log (syslog)]]

{{col-2}}
{{HeadingB|Hardware}}
====iPhone====
* [[m68ap|iPhone (m68ap)]]
* [[n82ap|iPhone 3G (n82ap)]]
* [[N88ap|iPhone 3GS (n88ap)]]

====iPod Touch====
* [[n45ap|iPod touch (n45ap)]]
* [[n72ap|iPod touch 2nd Generation (n72ap)]]
* [[N18ap|iPod touch 3rd Generation (n18ap)]]

====Processors====
* [[S5L8900]] ([[iPhone]], [[iPod Touch]], [[iPhone 3G]])
* [[S5L8720]] ([[iPod touch 2G]])
* [[S5L8920]] ([[N88AP|iPhone 3GS]])
* [[S5L8922]] ([[N18ap|iPod Touch 3G]])
* [[Baseband Device]]

====Other====
* [[Bluetooth]]
{{col-end}}

{{col-begin}}
{{col-2}}
{{HeadingA|Development}}
====Application Development====
* [[Toolchain]] (Includes tutorials)
* [[Toolchain 2.0]] (Includes tutorials)
* [[Frameworks]]
* [[MobileDevice Library]]
* [[Apple Certification Process]]
* [[Bypassing iPhone Code Signatures]]
* [[Distribution Methods]]

====Application Copy Protection====
* [[Copy Protection Overview]]
* [[Application Structure and Signatures]]
* [[Mach-O Loading Process]]
* [[Bugging Debuggers]]
* [[Defeating Cracks]]
{{col-2}}
{{HeadingB|Help}}
====Guides====
* [[Tutorials]]
* [[Useful Links]]

====Definitions====
* [[Glossary]]
* [[Jailbreak]]
* [[Activation]]
* [[Unlock]]
* [[Baseband Device|Baseband]]
* [[Baseband Bootloader|Bootloader]]
* [[DFU]]
* [[iBoot]]
* [[iBEC]]
* [[iBSS]]
* [[NORID]]
* [[CHIPID]]
{{col-end}}

<table border="0" width="100%">
<tr>
<td colspan="4" style="background-color:orange; text-align:center;">
<center>[[Disclaimer]]</center>
</td>
</tr>
</table>

__NOTOC____NOEDITSECTION__