https://www.theiphonewiki.com/w/api.php?action=feedcontributions&feedformat=atom&user=Hypn0zis
The iPhone Wiki - User contributions [en]
2026-05-12T20:06:57Z
User contributions
MediaWiki 1.31.14
https://www.theiphonewiki.com/w/index.php?title=Animate&diff=15951
Animate
2011-02-09T03:55:14Z
<p>Hypn0zis: /* Notes for logo designers */</p>
<hr />
<div>{{lowercase}}<br />
'''animate''' (Package ID: <code>org.chronic-dev.animate</code>) is a software bundled in [[greenpois0n (jailbreak)|greenpois0n RC5]] that enables users to display (a sequence of) PNG images on boot.<br />
<br />
This approach has the advantage of being usable on all devices, regardless of their ability of [[0x24000 Segment Overflow|accepting custom firmware]], and supporting animated boot logos.<br />
<br />
[[Applelogo|The original boot logo]] will always show first.<br />
<br />
==Notes for logo designers==<br />
The animation currently runs at about 5 frames per second.<br />
<br />
A picture of the Apple logo is available at http://yfrog.com/gzqigp<br />
<br />
Animations must be stored in png format in [[/Library]]/BootLogos/(animationName)/ and be listed in order, from 0.png to x.png.<br />
<br />
Packages containing (animated) logos should depend on <code>org.chronic-dev.animate</code>.<br />
<br />
==Installation==<br />
The "Animate" tweak has been released on Cydia but it is invisible (don't know why). So, in order to install it, user needs to search (and install) for a package named "Apple boot logo" (animate only seems to be a dependency). After the installation, user will see a new tab in the Settings app named "BootLogos".<br />
<br />
==References==<br />
[[User:Jaywalker|Jaywalker's]] [http://www.twitlonger.com/show/8lepqg notes]</div>
Hypn0zis
https://www.theiphonewiki.com/w/index.php?title=Talk:Jasper_8C148_(iPhone1,2)&diff=13907
Talk:Jasper 8C148 (iPhone1,2)
2010-12-02T23:45:27Z
<p>Hypn0zis: New page: Can someone *please* find the Update ramdisk keys ? Or least explain how to actually find it myself ? Thanks. - hypn0zis</p>
<hr />
<div>Can someone *please* find the Update ramdisk keys ? Or least explain how to actually find it myself ? Thanks. - hypn0zis</div>
Hypn0zis
https://www.theiphonewiki.com/w/index.php?title=S5L8930&diff=9127
S5L8930
2010-09-10T01:49:04Z
<p>Hypn0zis: /* Exploits */</p>
<hr />
<div>An SoC developed by Apple in-house chip design department. It is currently used in [[k48ap|iPad]], [[N90ap|iPhone 4]], and [[N81ap|iPod Touch 4G]]. Publicly, Apple refers to this chip as the '''A4'''.<br />
<br />
== Exploits ==<br />
<br />
=== [[iBoot]] ===<br />
* [http://www.youtube.com/watch?v=0NValNoW5Rc Unreleased Untethered iBoot Exploit]<br />
<br />
=== [[S5L8922 (Bootrom)|Bootrom]] ===<br />
* Unreleased exploit (demonstrated by Geohot)<br />
* Unreleased exploit (pod2g)<br />
<br />
=== [[Kernel]] ===<br />
* [[BPF STX Kernel Write Exploit]] - Works up to [[iOS]] 3.2<br />
* [[IOSurface Kernel Exploit]] - Works up to [[iOS]] 3.2.1<br />
<br />
=== [[Userland]] ===<br />
* [[MobileBackup Copy Exploit]] - Works up to [[iOS]] 3.2<br />
* [[PDF CFF Font Stack Overflow]] - Works up to [[iOS]] 3.2.1<br />
<br />
== Boot Chain ==<br />
[[S5L8930 (Bootrom)|Bootrom]]->[[LLB]]->[[iBoot]]->[[Kernel]]->[[Firmware|System Software]]<br />
<br />
== Specifications ==<br />
* '''CPU''': ARM Cortex-A8<br />
* '''GPU''': PowerVR SGX 535<br />
* '''A/V Playback''': PowerVR VXD<br />
<br />
These are the same specifications as the [[S5L8920]] and [[S5L8922]], except this processor has a higher clock speed.<br />
<br />
== See also ==<br />
* [[S5L8930 (Bootrom)]]<br />
<br />
== Links ==<br />
* http://www.apple.com/ipad/specs/<br />
* http://www.brightsideofnews.com/news/2010/1/27/apple-a4-soc-unveiled---its-an-arm-cpu-and-the-gpu!.aspx</div>
Hypn0zis
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=9122
Ultrasn0w
2010-09-09T23:42:33Z
<p>Hypn0zis: </p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]], [[N88ap|iPhone 3GS]] and [[N90ap|iPhone 4]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w to unlock [[X-Gold 608]] baseband [[2.28.00]].<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w to unlock [[X-Gold 608]] baseband [[4.26.08]].<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w 0.93 to unlock public releases of [[X-Gold 608]] basebands [[4.26.08]] through [[5.13.04]], and [[XMM 6180]] baseband [[1.59.00]])<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Hypn0zis
https://www.theiphonewiki.com/w/index.php?title=Talk:Hacktivation&diff=8641
Talk:Hacktivation
2010-08-23T04:20:26Z
<p>Hypn0zis: New page: You should write "Hacktivation" instead of "Hackitivation". ;) -- hypn0zis</p>
<hr />
<div>You should write "Hacktivation" instead of "Hackitivation". ;) -- hypn0zis</div>
Hypn0zis
https://www.theiphonewiki.com/w/index.php?title=Ultrasn0w&diff=8264
Ultrasn0w
2010-08-13T03:16:03Z
<p>Hypn0zis: /* Injection Vectors */</p>
<hr />
<div>ultrasn0w (previously: yellowsn0w) is an [[N82ap|iPhone 3G]] and [[N88ap|iPhone 3GS]] [[Unlock 2.0|unlock]] payload. yellowsn0w was released on 01/01/09 [http://blog.iphone-dev.org/post/67797811]. ultrasn0w was released on June 23th 2009 [http://blog.iphone-dev.org/post/128573459/ultras-now].<br />
<br />
==Credit==<br />
[[MuscleNerd]], and [[iPhone Dev Team]]<br />
<br />
==Exploit==<br />
Relies on an unsigned code injection vulnerability.<br />
<br />
The actual unlock works by a daemon patching the baseband's RAM on-the-fly, overriding the carrier lock code. It is not permanent because of the signature checks - the bootloader has to pass the sigchecks and the baseband has to pass them too, so any change to the baseband/bootloader cannot be made.<br />
<br />
==Injection Vectors==<br />
* [[AT+stkprof Exploit]] - used by yellowsn0w<br />
* [[AT+XLOG Vulnerability]] - used by ultrasn0w for 04.26.08 unlock<br />
* [[AT+XAPP Vulnerability]] - used by ultrasn0w for 05.11.07 - 05.13.04 unlock (and 1.59.00 on iPhone 4)<br />
<br />
==ultrasn0w payload with comments (by [[User:Oranav|Oranav]])==<br />
<br />
===Code loader (incl. Stage2)===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 code_loader<br />
ROM:00000000 dest_addr = R1<br />
ROM:00000000 src_addr = R6<br />
ROM:00000000 MOVLS dest_addr, 0x110<br />
ROM:00000004 ADDS dest_addr, #6<br />
ROM:00000006 LSLS dest_addr, dest_addr, #8 ; unused ram to place code = 0x11600<br />
ROM:00000008 ADDS R2, dest_addr, #1 ; thumbing<br />
ROM:0000000A<br />
ROM:0000000A loop ; CODE XREF: code_loader+24�j<br />
ROM:0000000A MOVLS R0, 0x22 ; '"'<br />
ROM:0000000E LDRB R3, [src_addr] ; first nibble<br />
ROM:00000010 CMP R0, R3<br />
ROM:00000012 LDRB R0, [src_addr,#1] ; second nibble<br />
ROM:00000014 BEQ run ; branch if end of string<br />
ROM:00000016 SUBS R3, #0x41 ; subtract 'A'<br />
ROM:00000018 SUBS R0, #0x41 ; subtract 'A'<br />
ROM:0000001A LSLS R3, R3, #4 ; make room for next nibble<br />
ROM:0000001C ADDS R3, R3, R0 ; put them together as a byte<br />
ROM:0000001E STRB R3, [dest_addr]<br />
ROM:00000020 ADDS dest_addr, #1<br />
ROM:00000022 ADDS src_addr, #2<br />
ROM:00000024 B loop<br />
ROM:00000026 ; ---------------------------------------------------------------------------<br />
ROM:00000026<br />
ROM:00000026 run ; CODE XREF: code_loader+14�j<br />
ROM:00000026 BLX R2 ; handler_replace()<br />
ROM:00000028 MOVLS R0, 0 ; safe exit<br />
ROM:0000002C ADDS dest_addr, R0, #0<br />
ROM:0000002E BLX R4<br />
ROM:00000030 MOV SP, R5<br />
ROM:00000032 POP {R0-src_addr,PC}<br />
ROM:00000032 ; End of function code_loader<br />
</pre><br />
<br />
===Handler replace===<br />
<pre><br />
RAM:00011600 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011600<br />
RAM:00011600<br />
RAM:00011600 handler_replace<br />
RAM:00011600 PUSH {LR}<br />
RAM:00011602 LDR R0, =0x40492FC0 ; where to save task_loop_jmp + task_loop<br />
RAM:00011604 ADR R1, task_loop_jmp<br />
RAM:00011606 ADR R2, task_loop_end<br />
RAM:00011608 SUBS R2, R2, R1 ; size of task_loop + task_loop_jmp = 0x70<br />
RAM:0001160A LDR R3, =0x2040882C ; memcpy()<br />
RAM:0001160C BLX R3<br />
RAM:0001160E LDR R0, =0x40492C20 ; where to save task_creator_jmp + task_creator<br />
RAM:00011610 ADR R1, task_creator_jmp<br />
RAM:00011612 ADR R2, task_creator_end<br />
RAM:00011614 SUBS R2, R2, R1 ; size of task_creator + task_creator_jmp = 0xA0<br />
RAM:00011616 LDR R3, =0x2040882C ; memcpy()<br />
RAM:00011618 BLX R3<br />
RAM:0001161A LDR R0, =0x40492C20<br />
RAM:0001161C BLX R0 ; task_creator_jmp()<br />
RAM:0001161E POP {PC}<br />
RAM:0001161E ; End of function handler_replace<br />
</pre><br />
<br />
===Task creator (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:40492C20 ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C20<br />
RAM:40492C20<br />
RAM:40492C20 task_creator_jmp<br />
RAM:40492C20 STMFD SP!, {R1-R12,LR}<br />
RAM:40492C24 BLX task_creator<br />
RAM:40492C28 LDMFD SP!, {R1-R12,PC}<br />
RAM:40492C28 ; End of function task_creator_jmp<br />
RAM:40492C28<br />
RAM:40492C2C<br />
RAM:40492C2C ; =============== S U B R O U T I N E =======================================<br />
RAM:40492C2C<br />
RAM:40492C2C<br />
RAM:40492C2C task_creator ; CODE XREF: task_creator_jmp+4�p<br />
RAM:40492C2C PUSH {R4-R7,LR}<br />
RAM:40492C2E LDR R3, =0x401ED3B8 ; jumptable var<br />
RAM:40492C30 MOVLS R4, 0x800<br />
RAM:40492C34 SUB SP, SP, #0x24<br />
RAM:40492C36 STRH R0, [R3] ; task_creator_jmp addr<br />
RAM:40492C38 LDR R5, =0x201493F0 ; malloc<br />
RAM:40492C3A ADDS R0, R4, #0 ; 0x800<br />
RAM:40492C3C ADDS R7, R1, #0 ; R7 = resp_string<br />
RAM:40492C3E BLX R5 ; malloc(0x800)<br />
RAM:40492C40 ADDS R6, R0, #0 ; R6 = addr returned from malloc<br />
RAM:40492C42 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:40492C44 BLX R5 ; malloc(sizeof(NU_TASK))<br />
RAM:40492C46 MOVS R2, #0<br />
RAM:40492C48 MOVS R3, #0x44<br />
RAM:40492C4A LDR R1, =aDevteam1 ; char *name<br />
RAM:40492C4C STR R2, [R0,#0xC] ; task.field=0<br />
RAM:40492C4E STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:40492C50 MOVS R3, #0xA<br />
RAM:40492C52 STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:40492C54 MOVS R3, #0xC<br />
RAM:40492C56 STR R2, [SP] ; void *argv = 0<br />
RAM:40492C58 STR R4, [SP,#8] ; stack_size = 0x800<br />
RAM:40492C5A STR R2, [SP,#0x10] ; time_slice = 0<br />
RAM:40492C5C STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:40492C5E LDR R2, =0x40492FC0 ; task_loop_jmp address<br />
RAM:40492C60 STR R6, [SP,#4] ; void *stack_address = malloc(0x800)<br />
RAM:40492C62 MOVS R3, #0<br />
RAM:40492C64 LDR R4, =0x2043E5B4 ; NU_Create_Task<br />
RAM:40492C66 BLX R4 ; status = NU_Create_Task()<br />
RAM:40492C68 ADDS R2, R0, #0 ; R2 = status (for the %d reference in sprintf)<br />
RAM:40492C6A CMP R0, #0 ; success = zero<br />
RAM:40492C6C BNE status_error<br />
RAM:40492C6E LDR R1, =aOk ; "OK!"<br />
RAM:40492C70 ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C72 LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C74 BLX R3 ; sprintf(resp_string, "OK!")<br />
RAM:40492C76 B exit<br />
RAM:40492C78 ; ---------------------------------------------------------------------------<br />
RAM:40492C78<br />
RAM:40492C78 status_error ; CODE XREF: task_creator+40�j<br />
RAM:40492C78 LDR R1, =aErrorD ; "ERROR %d"<br />
RAM:40492C7A ADDS R0, R7, #0 ; resp_string<br />
RAM:40492C7C LDR R3, =0x204B11F0 ; sprintf<br />
RAM:40492C7E BLX R3 ; sprintf(resp_string, "ERROR %d", status)<br />
RAM:40492C80<br />
RAM:40492C80 exit ; CODE XREF: task_creator+4A�j<br />
RAM:40492C80 ADD SP, SP, #0x24 ; fixing stack<br />
RAM:40492C82 POP {R4-R7,PC}<br />
RAM:40492C82 ; End of function task_creator<br />
</pre><br />
<br />
===Unlock task loop (thanks Darkmen for the comments!)===<br />
<pre><br />
RAM:00011630 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011630<br />
RAM:00011630<br />
RAM:00011630 task_loop_jmp<br />
RAM:00011630 STMFD SP!, {R1-R12,LR}<br />
RAM:00011634 BLX task_loop<br />
RAM:00011634 ; ---------------------------------------------------------------------------<br />
RAM:00011638 LDMFD SP!, {R1-R12,PC}<br />
RAM:00011638 ; End of function task_loop_jmp<br />
RAM:00011638<br />
RAM:0001163C<br />
RAM:0001163C ; =============== S U B R O U T I N E =======================================<br />
RAM:0001163C<br />
RAM:0001163C<br />
RAM:0001163C task_loop<br />
RAM:0001163C PUSH {R4,R5,LR}<br />
RAM:0001163E LDR R5, =0x401E829C ; sec mailbox<br />
RAM:00011640 SUB SP, SP, #0x14<br />
RAM:00011642<br />
RAM:00011642 loop ; CODE XREF: task_loop+44�j<br />
RAM:00011642 LDR R3, =0x2042FFD8 ; NU_Receive_From_Mailbox<br />
RAM:00011644 ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011646 MOV R1, SP ; void *Message<br />
RAM:00011648 MOVS R2, #0xFF ; Timeout<br />
RAM:0001164A BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:0001164C LDR R3, [SP] ; Message[0]<br />
RAM:0001164E CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011650 BNE skip<br />
RAM:00011652 LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011654 LDR R3, =0x40301650<br />
RAM:00011656 LDR R2, [R1] ; Message[1].field0<br />
RAM:00011658 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:0001165A ADDS R3, #4 ; 0x40301654<br />
RAM:0001165C LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:0001165E STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011660 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011662 LDR R3, =0x100FF00<br />
RAM:00011664 STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011666 LDR R3, =0x4020401<br />
RAM:00011668 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:0001166A LDR R3, =0x4040403<br />
RAM:0001166C STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:0001166E MOVS R3, #1<br />
RAM:00011670 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011672 MOVS R3, #0x20 ; ' '<br />
RAM:00011674 STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011676<br />
RAM:00011676 skip ; CODE XREF: task_loop+14�j<br />
RAM:00011676 ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011678 MOV R1, SP ; void *Message<br />
RAM:0001167A MOVS R2, #0xFF ; timeout<br />
RAM:0001167C LDR R3, =0x20430040<br />
RAM:0001167E BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011680 B loop<br />
RAM:00011680 ; End of function task_loop<br />
RAM:00011680<br />
RAM:00011680 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
==Old yellowsn0w payload w/ comments (by Darkmen) ==<br />
<br />
The exploit consists from 4 parts:<br />
<br />
===Code loader===<br />
<pre><br />
ROM:00000000 ; =============== S U B R O U T I N E =======================================<br />
ROM:00000000<br />
ROM:00000000<br />
ROM:00000000 loader<br />
ROM:00000000 LDR R2, =0x11700 ; unused ram to place code<br />
ROM:00000002 ADDS R4, R2, #1 ; thumb switch<br />
ROM:00000004 LDR R3, =0x40159FBF ; at-handler buffer where stage2 binary and following hexdata are<br />
ROM:00000006<br />
ROM:00000006 copy.loop ; CODE XREF: loader+12�j<br />
ROM:00000006 LDRB R0, [R3] ; copying code+data until double quotes<br />
ROM:00000008 CMP R0, #0x22 ; '"'<br />
ROM:0000000A BEQ run ; jump thumb code<br />
ROM:0000000C STRB R0, [R2]<br />
ROM:0000000E ADDS R2, #1<br />
ROM:00000010 ADDS R3, #1<br />
ROM:00000012 B copy.loop ; <br />
ROM:00000014 run ; CODE XREF: loader+A�j<br />
ROM:00000014 BX R4 ; jump stage2 code<br />
ROM:00000014 ; End of function loader<br />
ROM:00000014<br />
ROM:00000014 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Stage2(tm)===<br />
<pre><br />
RAM:00000000 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000000 stage2<br />
RAM:00000000 ADDS R2, #0x10 ; R2 = 0x11700 + stage2 size<br />
RAM:00000002 MOVS R7, #0xF<br />
RAM:00000004 BICS R2, R7 ; align offset by 0x10<br />
RAM:00000006 ADDS R7, R2, #0 ; saving address to jump<br />
RAM:00000008 ADR R4, 0x44 ; skipping Stage2 size and taking first char from at-string<br />
RAM:0000000A ADR R5, char2byte ; loading routine addr<br />
RAM:0000000C ADDS R5, #1 ; thumb<br />
RAM:0000000E<br />
RAM:0000000E loop ; CODE XREF: stage2+2C�j<br />
RAM:0000000E LDRB R1, [R4] ; at-string[index]<br />
RAM:00000010 CMP R1, #'x' ; end of line?<br />
RAM:00000012 BEQ jump_code<br />
RAM:00000014 BLX R5 ; char2byte first hakfbyte<br />
RAM:00000016 LSLS R3, R1, #4 ; <<4 0X becoming X0<br />
RAM:00000018 LDRB R1, [R4,#1] ; at-string[index+1]<br />
RAM:0000001A BLX R5 ; char2hex second halfbyte<br />
RAM:0000001C NOP<br />
RAM:0000001E NOP<br />
RAM:00000020 NOP<br />
RAM:00000022 NOP<br />
RAM:00000024 ADDS R1, R1, R3 ; R1 = complete byte<br />
RAM:00000026 STRB R1, [R2] ; storing byte to dst<br />
RAM:00000028 ADDS R4, #2 ; hexstr_index+=2<br />
RAM:0000002A ADDS R2, #1 ; dst++<br />
RAM:0000002C B loop ; at-string[index]<br />
RAM:0000002E jump_code<br />
RAM:0000002E NOP<br />
RAM:00000030 NOP<br />
RAM:00000032 ADDS R7, #1 ; thumbing<br />
RAM:00000034 BX R7 ; run Task creator code<br />
RAM:00000034 ; End of function stage2<br />
RAM:00000038<br />
RAM:00000038 ; =============== S U B R O U T I N E =======================================<br />
RAM:00000038 char2byte ; DATA XREF: stage2+A�o<br />
RAM:00000038 CMP R1, #0x41 ; 'A'<br />
RAM:0000003A BGE letter ; letter to number<br />
RAM:0000003C SUBS R1, #0x30 ; '0' ; digit to number<br />
RAM:0000003E BX LR<br />
RAM:00000040 letter ; CODE XREF: char2byte+2�j<br />
RAM:00000040 SUBS R1, #0x37 ; '7' ; letter to number<br />
RAM:00000042 BX LR ; ret<br />
RAM:00000042 ; End of function char2byte<br />
</pre><br />
<br />
===Task creator===<br />
<pre><br />
RAM:000119A0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119A0<br />
RAM:000119A0<br />
RAM:000119A0 handler_replace<br />
RAM:000119A0 LDR R0, =0x4011714C ; soft reset handler addr<br />
RAM:000119A2 ADR R1, new_handler<br />
RAM:000119A4 ADDS R1, #1 ; thumbing<br />
RAM:000119A6 STR R1, [R0] ; setting new handler<br />
RAM:000119A8 POP {R0-R4,PC} ; safe exit fixing stack<br />
RAM:000119A8 ; End of function handler_replace<br />
<br />
RAM:000119B0 ; =============== S U B R O U T I N E =======================================<br />
RAM:000119B0<br />
RAM:000119B0<br />
RAM:000119B0 new_handler ; DATA XREF: handler_replace+2�o<br />
RAM:000119B0 PUSH {R4-R7,LR}<br />
RAM:000119B2 LDR R3, =0x403BB344 ; jamptable var<br />
RAM:000119B4 MOVS R6, #0x80<br />
RAM:000119B6 SUB SP, SP, #0x2C<br />
RAM:000119B8 LSLS R6, R6, #4 ; 0x200<br />
RAM:000119BA STRH R0, [R3] ; saving R0 to mem var<br />
RAM:000119BC STR R1, [SP,#0x40+resp_string] ; saving responce prt to stack<br />
RAM:000119BE LDR R4, =0x201420AC ; malloc<br />
RAM:000119C0 ADDS R0, R6, #0<br />
RAM:000119C2 BLX R4 ; malloc(0x200)<br />
RAM:000119C4 MOVS R5, #0<br />
RAM:000119C6 STR R0, [SP,#0x40+ptr_200] ; saving pointer to stack<br />
RAM:000119C8 MOVS R0, #0x98 ; sizeof(NU_TASK)<br />
RAM:000119CA BLX R4 ; malloc(0x98)<br />
RAM:000119CC ADDS R7, R0, #0 ; R7 = task<br />
RAM:000119CE STR R5, [R0,#0xC] ; task.field=0<br />
RAM:000119D0 MOVS R0, 0x100<br />
RAM:000119D4 BLX R4 ; malloc(0x100)<br />
RAM:000119D6 MOVS R2, #0x80<br />
RAM:000119D8 LDR R1, =task_loop ; src<br />
RAM:000119DA LSLS R2, R2, #1 ; size to copy<br />
RAM:000119DC LDR R3, =0x203C58A0 ; bytecpy<br />
RAM:000119DE ADDS R4, R0, #0 ; R4 = dyn_task_loop<br />
RAM:000119E0 BLX R3 ; bytecpy(task_loop, dyn_task_loop, 0x100)<br />
RAM:000119E2 LDR R3, [SP,#0x40+ptr_200]<br />
RAM:000119E4 STR R3, [SP,#4] ; void *stack_address = malloc(0x200)<br />
RAM:000119E6 MOVS R3, #0x44<br />
RAM:000119E8 STR R3, [SP,#0xC] ; priority = 0x44<br />
RAM:000119EA MOVS R3, #0xA<br />
RAM:000119EC ADDS R4, #1 ; thumbing dyn_task_loop<br />
RAM:000119EE STR R3, [SP,#0x14] ; preempt = NU_PREEMPT<br />
RAM:000119F0 MOVS R3, #0xC<br />
RAM:000119F2 ADDS R2, R4, #0 ; void(*task_entry)<br />
RAM:000119F4 STR R3, [SP,#0x18] ; auto_start = NU_START<br />
RAM:000119F6 LDR R1, =devteam1 ; char *name<br />
RAM:000119F8 STR R5, [SP] ; void *argv = 0<br />
RAM:000119FA STR R6, [SP,#8] ; stack_size = 0x200<br />
RAM:000119FC STR R5, [SP,#0x10] ; time_slice = 0<br />
RAM:000119FE ADDS R0, R7, #0 ; NU_TASK *task<br />
RAM:00011A00 MOVS R3, #0 ; int argc = 0<br />
RAM:00011A02 LDR R4, =0x203FB540 ; NU_Create_Task<br />
RAM:00011A04 BLX R4 ; status = NU_Create_Task()<br />
RAM:00011A06 ADDS R2, R0, #0<br />
RAM:00011A08 CMP R0, #0 ; success = zero<br />
RAM:00011A0A BNE status_error<br />
RAM:00011A0C LDR R1, =OK<br />
RAM:00011A0E LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A10 LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A12 BLX R3 ; sprintf(resp_string,"OK")<br />
RAM:00011A14 B exit ; fixing stack<br />
RAM:00011A16 ; ---------------------------------------------------------------------------<br />
RAM:00011A16<br />
RAM:00011A16 status_error ; CODE XREF: new_handler+5A�j<br />
RAM:00011A16 LDR R1, =ERROR<br />
RAM:00011A18 LDR R0, [SP,#0x40+resp_string]<br />
RAM:00011A1A LDR R3, =0x2046DD00 ; sprintf<br />
RAM:00011A1C BLX R3 ; sprintf(resp_string,"ERROR")<br />
RAM:00011A1E<br />
RAM:00011A1E exit ; CODE XREF: new_handler+64�j<br />
RAM:00011A1E ADD SP, SP, #0x2C ; fixing stack<br />
RAM:00011A20 POP {R4-R7,PC} ; bye<br />
RAM:00011A20 ; End of function new_handler<br />
RAM:00011A20<br />
RAM:00011A20 ; ---------------------------------------------------------------------------<br />
</pre><br />
<br />
===Unlock task loop===<br />
<pre><br />
RAM:00011A64 ; =============== S U B R O U T I N E =======================================<br />
RAM:00011A64<br />
RAM:00011A64 task_loop ; DATA XREF: RAM:off_11A2C�o<br />
RAM:00011A64 PUSH {R4,R5,LR}<br />
RAM:00011A66 LDR R5, =0x40232754 ; sec mailbox<br />
RAM:00011A68 SUB SP, SP, #0x14<br />
RAM:00011A6A<br />
RAM:00011A6A loop ; CODE XREF: task_loop+44�j<br />
RAM:00011A6A LDR R3, =0x20165998 ; NU_Receive_From_Mailbox<br />
RAM:00011A6C ADDS R0, R5, #0 ; NU_MAILBOX *mailbox<br />
RAM:00011A6E MOV R1, SP ; void *Message<br />
RAM:00011A70 MOVS R2, #0xFF ; Timeout<br />
RAM:00011A72 BLX R3 ; NU_Receive_From_Mailbox(sec_mailbox,SP,0xFF)<br />
RAM:00011A74 LDR R3, [SP] ; Message[0]<br />
RAM:00011A76 CMP R3, #0xD ; Message[0] = 0xD ?<br />
RAM:00011A78 BNE skip ; <br />
RAM:00011A7A LDR R1, [SP,#4] ; Message[1]<br />
RAM:00011A7C LDR R3, =0x402F79BC<br />
RAM:00011A7E LDR R2, [R1] ; Message[1].field0<br />
RAM:00011A80 STR R2, [R3] ; sec_task_var1 = Message[1].field0<br />
RAM:00011A82 ADDS R3, #4 ; 0x402F79C0<br />
RAM:00011A84 LDR R2, [R1,#4] ; Message[1].field1<br />
RAM:00011A86 STR R2, [R3] ; sec_task_var2 = Message[1].field1<br />
RAM:00011A88 LDR R2, [R1,#8] ; Message[1].field2<br />
RAM:00011A8A LDR R3, =0x100FF00<br />
RAM:00011A8C STR R3, [R2] ; Message[1].field2[0] = 0x100FF00<br />
RAM:00011A8E LDR R3, =0x4020401<br />
RAM:00011A90 STR R3, [R2,#4] ; Message[1].field2[1] = 0x4020401<br />
RAM:00011A92 LDR R3, =0x4040403<br />
RAM:00011A94 STR R3, [R2,#8] ; Message[1].field2[2] = 0x4040403<br />
RAM:00011A96 MOVS R3, #1<br />
RAM:00011A98 STR R3, [R1,#0xC] ; Message[1].field3 = 1<br />
RAM:00011A9A MOVS R3, #0x20 <br />
RAM:00011A9C STR R3, [SP] ; Message[0] = 0x20<br />
RAM:00011A9E<br />
RAM:00011A9E skip ; CODE XREF: task_loop+14�j<br />
RAM:00011A9E ADDS R0, R5, #0 ; sec mailbox<br />
RAM:00011AA0 MOV R1, SP ; void *Message<br />
RAM:00011AA2 MOVS R2, #0xFF ; timeout<br />
RAM:00011AA4 LDR R3, =0x203ED568<br />
RAM:00011AA6 BLX R3 ; NU_Send_To_Mailbox()<br />
RAM:00011AA8 B loop ; NU_Receive_From_Mailbox<br />
RAM:00011AA8 ; End of function task_loop<br />
</pre><br />
<br />
===Planetbeing explains...===<br />
<pre><br />
13:24:29 <crash-x_> especially how does ultra/yellow sn0w work<br />
13:24:40 <crash-x_> are you overwriting instructions<br />
13:24:48 <crash-x_> or some values in memory to make it accept the sim?<br />
13:24:48 <planetbeing> Nah.<br />
13:24:53 <planetbeing> It's a task.<br />
13:25:06 <planetbeing> That just waits for securiy messages to go through the inbox.<br />
13:25:13 <westbaer> planetbeing: btw, why isnt yellowsn0w/ultrasn0w not open-source anymore? like u posted an *oooold* version once<br />
<br />
...<br />
<br />
13:26:33 <planetbeing> The only thing I do for ys/us is the loader bit.<br />
13:26:39 <westbaer> so whats actually the loader stuff you've been talking about?<br />
13:26:46 <planetbeing> That uses the exploit to start MuscleNerd's payload.<br />
13:27:21 <westbaer> ah<br />
13:27:26 <planetbeing> Well, you have a vulnerability.<br />
13:27:30 <planetbeing> And you want to load a large chunk of code.<br />
13:27:39 <planetbeing> And you don't have much room to wriggle in for your overflow<br />
13:28:21 <westbaer> aah, makes sense<br />
13:28:50 <planetbeing> So the solution is a small loader that loads the rest of the code, and overcomes any restrictions there are on allowable characters.<br />
13:28:55 <ashikase> francis: pm<br />
13:28:59 <westbaer> yeah<br />
13:29:10 <crash-x_> planetbeing: the baseband is it like one process that runs there<br />
13:29:19 <crash-x_> or is it like a small os with process and stuff<br />
13:29:19 <planetbeing> Basically a good loader should turn a vulnerability into a reliable platform for the execution of arbitrary code, unrestricted by vulnerability-specific stuff.<br />
13:29:37 <planetbeing> Oh, it's a full-featured OS.<br />
13:29:38 <planetbeing> Nucleus.<br />
13:29:51 <planetbeing> http://www.mentor.com/products/embedded_software/nucleus_rtos/<br />
13:29:54 <crash-x_> and when you execute an at command<br />
13:30:06 <crash-x_> does that start another process that is crashed then<br />
13:30:21 <planetbeing> Ideally, you don't crash anything.<br />
13:30:21 <crash-x_> or does it crash like the main baseband program<br />
13:30:23 <planetbeing> And we don't.<br />
13:30:49 <crash-x_> so am i understand it right<br />
13:30:50 <westbaer> wait. is nucleus on the baseband already installed or do you actually inject it with ultrasn0w?<br />
13:30:51 <planetbeing> We load a bunch of code into certain memory locations, execute them, and then return safely back to the main command parser task.<br />
13:31:00 <planetbeing> Nucleus is what the baseband runs.<br />
13:31:04 <westbaer> ah ok<br />
13:31:29 <planetbeing> I mean, even the bootrom is an OS.<br />
13:31:36 <planetbeing> With one task, but it still has a scheduler. =P<br />
13:31:39 <crash-x_> ah thats how you do it<br />
13:31:42 <westbaer> heh<br />
13:31:44 <crash-x_> and about your payload<br />
13:31:57 <crash-x_> does it start a new process like using fork() <br />
13:32:03 <crash-x_> or does it all the work in the exploited process<br />
13:32:11 <planetbeing> It uses Nucleus-specific calls that create the new task.<br />
13:32:19 <planetbeing> Well, the payload has to create a new task<br />
13:32:22 <westbaer> I think they are documented on the wiki<br />
13:32:25 <planetbeing> To monitor for certain events.<br />
13:32:47 <planetbeing> Yeah, just read Darkmen's decompile.<br />
13:33:00 <planetbeing> us has the exact same payload as ys<br />
13:33:08 <planetbeing> Just different addresses for function calls and stuff.<br />
13:33:19 <planetbeing> And I had to rewrite the loader due to even tighter constraints.<br />
13:33:28 <crash-x_> thats cool, thanks for explaining<br />
13:33:34 <westbaer> yup, thanks<br />
<br />
<br />
From irc.saurik.com #iphone on sunday the 5th of july.<br />
</pre><br />
<br />
==Source Code==<br />
The source code for yellowsn0w 0.9.1 (old version) was released along with yellowsn0w release. [http://xs1.iphwn.org/releases/yellowsn0w.tar.bz2]<br />
<br />
==See Also==<br />
* [[X-Gold 608 Unlock]]<br />
* [[X-Gold 608]]<br />
* [[Baseband]]<br />
<br />
==External links==<br />
* [http://chronic-dev.org/blog/2008/12/props/ Chronic Dev's post about Yellowsn0w]<br />
* [http://blog.iphone-dev.org/post/65126957/tis-the-season-to-be-jolly Yellowsn0w Announcement]<br />
* [http://qik.com/video/729275 MuscleNerd's yellowsn0w Demo]<br />
* [http://www.youtube.com/watch?v=kd5vOy2m5uY MuscleNerd's ultrasn0w demo]<br />
<br />
[[Category:Unlocking Methods]]<br />
[[Category:Baseband]]</div>
Hypn0zis