The iPhone Wiki - User contributions [en]

Limera1n

2010-12-07T05:54:08Z

Eandrade:

{{DISPLAYTITLE:limera1n}}
[[Image:Ra1ndrop.png|right]]
This is [[User:Geohot|geohot's]] latest [[jailbreak]] utility. It uses an undisclosed bootrom exploit and an undisclosed kernel exploit found by [[User:Comex|comex]] to achieve an [[untethered jailbreak]] on newer devices. The following devices are technically supported:

* [[N88ap|iPhone 3GS]]
* [[N90ap|iPhone 4]]
* [[N18ap|iPod touch 3G]]
* [[N81ap|iPod touch 4G]]
* [[K48ap|iPad]]
* [[K66ap|AppleTV 2G]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)

Limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png showed off a high-res picture of Cydia on an iPhone 4]. He [http://www.youtube.com/watch?v=__TR86PLiHw displayed an iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg picture of Cydia and blackra1n icons on his iPad's SpringBoard].

'''Release Date:''' October 9, 2010

'''Supported OS's:''' Mac OS X, Windows

'''Supported Operations:''' Hacktivation, jailbreaking

==Release text==
<center>limera1n, 6 months in the making 
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G 
4.0-4.1 and beyond+++ 
limera1n is unpatchable 
untethered thanks to jailbreakme star '''comex''' 
brought to you by '''geohot''' 
hacktivates 
Mac coming in 7 years 
donations keep support alive 
zero pictures of my face</center>

==Credit==
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit.
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]].

==Changelog==
{| class="wikitable" style="border-collapse:collapse;" border="1"
|-
|<center>'''Version'''</center>
|<center>'''Release time'''</center>
|<center>'''MD5 Hash'''</center>
|<center>'''Change comment'''</center>
|-
|BETA 1
|9 Oct 2010 XX:XX GMT
|2f2b09a6ed5c5613d5361d8a9d0696b6
|First release.
|-
|BETA 2
|10 Oct 2010 XX:XX GMT
|a70dccb3dfc0e505687424184dc3d1ce
|Fixed kernel patching magic. Rerun BETA2+ over BETA1.
|-
|BETA 3
|10 Oct 2010 XX:XX GMT
|81730090f7de1576268ee8c2407c3d35
|Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]])
|-
|BETA 4
|10 Oct 2010 XX:XX GMT
|d901c4b3a544983f095b0d03eb94e4db
|Uninstall fixed, respring fixed
|-
|RC1
|11 Oct 2010 XX:XX GMT
|0622d99ffe4c25f75c720a689853845f
|out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller
|-
|RC1b
|11 Oct 2010 XX:XX GMT
|fc6f7d696a57c3baede49bdff8a7f43f
|addresses an install issue, mainly with iPads
|-
|Final
|11 Oct 2010 23:XX GMT
|fc6f7d696a57c3baede49bdff8a7f43f
|(same as RC1b)
|}

==Technical Information==
=== Basics ===
* Limera1n has nothing to do with SHAtter at all.
* Limera1n uses a bootrom exploit to achieve the [[tethered jailbreak]] and unsigned code execution.
* Limera1n uses a userland exploit to make it untethered, which was developed by [[User:Comex|comex]].
* Limera1n uses a hacktivation dylib to perform hacktivation.

=== Exploits ===
Limera1n reuses the usb_control_msg(0x21,2) but exploits a different vulnerability.

=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In [[DFU Mode]], it uploads a [[payload]].
* In recovery2, it uploads another [[payload]] and its [[ramdisk]].
"setenv auto-boot true
reset
geohot done"

=== Interesting Messages ===
*
"geohot black is the new purple"
*
"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"
*
"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."

==Controversy==
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing SHAtter, but to instead implement the limera1n exploit into [[greenpois0n]]; after releasing limera1n, releasing SHAtter would uselessly disclose another bootrom exploit to Apple.

[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often that bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas SHAtter still has a chance of remaining useful for an indefinite amount of time.

Limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.

== Hacktivation ==
Limera1n will copy hacktivation.dylib to /usr/lib and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.

==External Links==
* [http://loadingchanges.com/wp-content/uploads/2010/10/limetime.jpg Picture of limera1n in action]
* [http://limera1n.com/ Official domain]
* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]
* [http://www.pastie.org/1210054 Veence's explanation for release]
* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.]

[[Category:Hacking Software]]

Address Mapping

2010-10-05T21:27:18Z

Eandrade: New page: ===iPod touch 2G Bootrom=== I think this might not be a good idea, because this page will wind up getting huge, but in case anyone thinks differently I'll add these for the hell of it. ==...

===iPod touch 2G Bootrom===
I think this might not be a good idea, because this page will wind up getting huge, but in case anyone thinks differently I'll add these for the hell of it.

====functions====
* 0x067A - BootromStart
* 0x45BA - InitProcessor
* 0x4778 - SetupMMU
* 0x4734 - MMU_MapAddr
* 0x3A84 - Do_MMU_Mappings
* 0x34FC - EnableInterrupts
* 0x652C - Setup_SPI
* 0x36DC - Setup_IdleTask
* 0x4906 - PrepareNOR
* 0x49BC - nor_spi_read_range
* 0x178C - malloc
* 0x34D8 - DisableInterrupts
* 0x7840 - memset
* 0x7858 - memzero (this looks funny in IDA, kind of, but really it's just optimized as part of memset)
* 0x1954 - free
* 0x4844 - addNORtoBlockDevList
* 0x4804 - default_block_read
* 0x10C8 - blockdev_read_hook(void *BDevStruct, void *OutputBuffer, __int32 InputImageStartAddress, int Offset, __int32 Size)
* 0x1258 - fake_default_block_read
* 0x136E - blockdev_write_hook
* 0x1518 - default_block_write
* 0x151E - default_block_erase
* 0x1090 - get_block_device(const char* deviceName)
* 0x8354 - strcmp
* 0x1AF0 - CreateImageList
* 0x1F68 - DoCreateImageList
* 0x204C - GetImage(u32 imageFourccTag)
* 0x1BF0 - SetupMemzStruct(u32 LoadAddress, u32 FileSize, u32 flags)
* 0x30E8 - InitUSB
* 0x795C - memcpy
* 0x0E84 - USB_Core_Init
* 0x1058 - StopUSB
* 0x328C - GetSystemInfo
* 0x3D94 - Get_Chip_ID
* 0x3DA0 - Get_Chip_Revision
* 0x3D74 - Get_Security_Epoch
* 0x3AE4 - Get_Board_ID
* 0x3DD4 - Get_Unique_Chip_ID
* 0x8286 - snprintf
* 0x7D5C - vfprintf_like_thingy
* 0x82A8 - printf
* 0x8422 - putchar
* 0x2E98 - usb_print
* 0x83CC - strncat
* 0x1C18 - FreeMemzStruct
* 0x67DC - Reboot (via watchdog, so yeah it looks a bit odd)
* 0x0644 - LoadAndJumpToFWImage(struct MemzStruct *pMemzInfo, __int32 LoadAddress, __int32 FileSize)
* 0x3338 - ProperlyJumpToImage(void unkown, u32 address, void unknown)
* 0x4584 - PrepMMUForJump (?)
* 0x1B78 - LoadFirmwareImage
* 0x2144 - doLoadFirmwareImage
* 0x1D04 - VerifyImage
* 0x5EA8 - ComputeSHA1(void *Input_Data, int Data_Size, void *SHA1_Of_Data)
* 0x4150 - AdjustClock
* 0x5E54 - CopyBlockToSHA1Engine
* 0x372E - yield
* 0x2400 - DecryptRSASignature
* 0x0898 - DoCrypto(int CryptOption, void *Input_Buffer, void *Output_Buffer, __int32 Size, int AESMode, void *Key, void *IV) [CryptOption 0x10 == encrypt, 0x11 == decrypt]
* 0x5010 - aes_encrypt
* 0x4DB8 - do_aes_encrypt
* 0x4D38 - send_key_to_aes
* 0x4D88 - send_iv_to_aes
* 0x4F44 - aes_decrypt
* 0x4E80 - do_aes_decrypt
* 0x2668 - parse_certificate_and_signature(void *pCertsData, int sizeOfCerts, void *pImageRsaSha1, int sizeofRsaSha1, void *pComputedImageSha1, int sha1Size, void *pImageBuffer, int imageFullSize)
* 0x356C - CheckIfDiagnosticDevice
* 0x3D64 - Get_Security_Domain
* 0x3D44 - Get_Production_Mode
* 0x1F00 - Find_Data_For_Tag
* 0x346C - Panic
* 0x0634 - WaitForInterrupt
* 0x4618 - UndefinedInstructionVector
* 0x46F0 - UndefinedInstructionHandler
* 0x4628 - SoftwareInterruptVector
* 0x4700 - SoftwareInterruptHandler
* 0x4640 - PrefetchAbortVector
* 0x46B4 - PrefetchAbortHandler
* 0x4664 - DataAbortVector
* 0x46A2 - DataAbortHandler
* 0x467C - AddressExceptionTrapVector
* 0x4680 - InterruptRequestVector
* 0x4710 - InterruptRequestHandler
* 0x4BEC - HandleInterruptRequest
* 0x4690 - FastInterruptRequestVector
* 0x4722 - FastInterruptRequestHandler
* 0x4C40 - HandleFastInterruptRequest

====variables====
* 0x220240D4 - SHA1 accelerator register table
* 0x22024200 - Block Device List
* 0x220250A0 - Permissions Flags
* 0x220254E0 - Interrupt Table
* 0x2202C000 - Page table

IDA Pro Setup

2010-10-05T21:25:48Z

Eandrade:

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py Script] with [http://d-dome.net/idapython/ IDAPython]

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

S5L8920

2010-09-30T21:27:49Z

Eandrade:

This is the processor used in the [[iPhone 3GS]].

S5L8920 using [http://www.arm.com/products/CPUs/archi-thumb2.html THUMB-2] instruction set as well as ARM and THUMB ones. Binaries included in iOS are compiled for only [[Armv7]] and are not compatible with older CPUs.

== Exploits ==
=== [[iBoot]] ===
* [[iBoot Environment Variable Overflow]] - Works up to [[iOS]] 3.1 beta 3
* [[usb_control_msg(0x21, 2) Exploit]] - Works up to [[iOS]] 3.1.2

=== [[S5L8920 (Bootrom)|Bootrom]] ===
* [[0x24000 Segment Overflow]] - only in [[iBoot-359.3]]
* [[SHAtter]]

=== [[Kernel]] ===
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.1.3
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 4.0.1

=== [[Userland]] ===
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.1.3
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 4.0.1

== Boot Chain ==
[[S5L8920 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]

== See also ==
* [[S5L8920 (Bootrom)]]
* [[S5L8920 (Hardware)]]
* [[S5L8920 (Hardware - Quick Notes)]]

==External Links==
* [http://infocenter.arm.com/help/topic/com.arm.doc.ddi0344j/DDI0344J_cortex_a8_r3p2_trm.pdf Technical Reference Manual: Cortex A8]

Baker 8B117 (iPod2,1)

2010-09-10T02:51:18Z

Eandrade:

==Decryption Keys==
=== Root Filesystem ===
* '''VFDecrypt''': 4006866bf56ddd49fed7eeff9d6072381edb73aa017a6b349ac104d8f20c2b94715e10e2

===Update Ramdisk (018-7073-079.dmg)===
* '''IV''':
* '''Key''':

===Restore Ramdisk (018-7103-078.dmg)===
* '''IV''': 58DF0D0655BBDDA2A0F1C09333940701
* '''Key''': FBF443110EB11D8D1AACDBE39167DE09

===applelogo===
* '''IV''':
* '''Key''':

===iBEC===
* '''IV''': 40CECF39BC971DCE828415C7DFFCE3EA
* '''Key''': 7341C6FB2CC09FE6D43067F7E426F708

===iBoot===
* '''IV''': 07751C86D421A18D427AC7F94A74D747
* '''Key''': 0359D66DD638E5C87E83B4E4DAA941BF

===iBSS===
* '''IV''': F7ED98E14E9F7F01397639A4424EF175
* '''Key''': ABCC0848B65D7E2E675F8030EA37F325

===kernelcache===
* '''IV''': 57D4E27152D39AF674492EB0A8252DE3
* '''Key''': 7C07730B6CEB8B217653FF5161988B24

===LLB===
* '''IV''':
* '''Key''':

===recoverymode===
* '''IV''':
* '''Key''':

Baker 8B117 (iPod2,1)

2010-09-10T02:45:27Z

Eandrade: New page: ==Decryption Keys== === Root Filesystem === * '''VFDecrypt''': ===Update Ramdisk (018-7073-079.dmg)=== * '''IV''': * '''Key''': ===Restore Ramdisk (018-7103-078.dmg)=== * '''IV''': 58...

==Decryption Keys==
=== Root Filesystem ===
* '''VFDecrypt''':

===Update Ramdisk (018-7073-079.dmg)===
* '''IV''':
* '''Key''':

===Restore Ramdisk (018-7103-078.dmg)===
* '''IV''': 58DF0D0655BBDDA2A0F1C09333940701
* '''Key''': FBF443110EB11D8D1AACDBE39167DE09

===applelogo===
* '''IV''':
* '''Key''':

===iBEC===
* '''IV''': 40CECF39BC971DCE828415C7DFFCE3EA
* '''Key''': 7341C6FB2CC09FE6D43067F7E426F708

===iBoot===
* '''IV''': 07751C86D421A18D427AC7F94A74D747
* '''Key''': 0359D66DD638E5C87E83B4E4DAA941BF

===iBSS===
* '''IV''': F7ED98E14E9F7F01397639A4424EF175
* '''Key''': ABCC0848B65D7E2E675F8030EA37F325

===kernelcache===
* '''IV''': 57D4E27152D39AF674492EB0A8252DE3
* '''Key''': 7C07730B6CEB8B217653FF5161988B24

===LLB===
* '''IV''':
* '''Key''':

===recoverymode===
* '''IV''':
* '''Key''':

Payload

2010-06-28T04:46:01Z

Eandrade: New page: unsigned code used to usual used to patch iboot, ibec, ibss, or llb

unsigned code used to usual used to patch iboot, ibec, ibss, or llb