<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Tavianator</id>
	<title>The iPhone Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://www.theiphonewiki.com/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Tavianator"/>
	<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/wiki/Special:Contributions/Tavianator"/>
	<updated>2026-05-04T03:36:51Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.31.14</generator>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:Baker_8B117_(iPhone2,1)&amp;diff=14751</id>
		<title>Talk:Baker 8B117 (iPhone2,1)</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:Baker_8B117_(iPhone2,1)&amp;diff=14751"/>
		<updated>2011-01-06T22:25:12Z</updated>

		<summary type="html">&lt;p&gt;Tavianator: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== FS key is wrong ==&lt;br /&gt;
&lt;br /&gt;
genpass gives the key in the article when run with the update ramdisk, and &amp;quot;59ebcd47de964e5479ce2e2dc583284c863b85fefc0a58d68871a941a76c125367bffd2e&amp;quot; when run with the restore ramdisk.  Neither one produces a valid image when using vfdecrypt to decrypt the filesystem DMG.  I haven't figured out how to get the correct one; there's talk that genpass fails on ramdisk images that use compression, could that be it?  I'm doing all of this on x86-64 Linux. --[[User:Tavianator|Tavianator]] 05:38, 6 January 2011 (UTC)&lt;br /&gt;
&lt;br /&gt;
Did you decrypt the ramdisk first? The hash is calculated by hashing a decrypted ramdisk dmg. The key on here is valid.&lt;br /&gt;
--[[User:Ih8sn0w|iH8sn0w]] 17:58, 6 January 2011 (UTC)&lt;br /&gt;
&lt;br /&gt;
Oops, figured it out.  Linux doesn't handle compressed DMG images, and the FS image is compressed.  dmg2img can be used to decompress it.  Sorry for the noise! [[User:Tavianator|Tavianator]] 22:25, 6 January 2011 (UTC)&lt;/div&gt;</summary>
		<author><name>Tavianator</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Talk:Baker_8B117_(iPhone2,1)&amp;diff=14747</id>
		<title>Talk:Baker 8B117 (iPhone2,1)</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Talk:Baker_8B117_(iPhone2,1)&amp;diff=14747"/>
		<updated>2011-01-06T05:38:14Z</updated>

		<summary type="html">&lt;p&gt;Tavianator: FS key is wrong&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== FS key is wrong ==&lt;br /&gt;
&lt;br /&gt;
genpass gives the key in the article when run with the update ramdisk, and &amp;quot;59ebcd47de964e5479ce2e2dc583284c863b85fefc0a58d68871a941a76c125367bffd2e&amp;quot; when run with the restore ramdisk.  Neither one produces a valid image when using vfdecrypt to decrypt the filesystem DMG.  I haven't figured out how to get the correct one; there's talk that genpass fails on ramdisk images that use compression, could that be it?  I'm doing all of this on x86-64 Linux. --[[User:Tavianator|Tavianator]] 05:38, 6 January 2011 (UTC)&lt;/div&gt;</summary>
		<author><name>Tavianator</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Operator&amp;diff=11656</id>
		<title>Operator</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Operator&amp;diff=11656"/>
		<updated>2010-10-29T17:51:21Z</updated>

		<summary type="html">&lt;p&gt;Tavianator: iTouch 1G, not iPhone 3G&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:OperatorInternal.jpg|thumb|right|Built-in Operator screen in [[Alpine_1A420]] [[SkankPhone]] ]]&lt;br /&gt;
&lt;br /&gt;
Operator.app is part of Apple's internal diagnostic utilities suite. It shows the status of device parts and can show details about each component. It was accidentally shipped on many [[n45ap|1st generation iPod touch]] retail devices, probably because they went through quality control in the factory and the tester forgot to restore the retail IPSW.&lt;/div&gt;</summary>
		<author><name>Tavianator</name></author>
		
	</entry>
	<entry>
		<id>https://www.theiphonewiki.com/w/index.php?title=Star&amp;diff=10553</id>
		<title>Star</title>
		<link rel="alternate" type="text/html" href="https://www.theiphonewiki.com/w/index.php?title=Star&amp;diff=10553"/>
		<updated>2010-10-14T04:04:35Z</updated>

		<summary type="html">&lt;p&gt;Tavianator: Fix URL parsing for wad.bin&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:Star.jpg|thumb|Star on an [[N72ap|iPod touch 2G]].]]&lt;br /&gt;
Star (also known as '''[[JailbreakMe]] 2.0''') is a [[userland]] [[jailbreak]] from [[User:Comex|comex]] that utilizes two exploits to jailbreak iOS 3.1.2 through 4.0.1 (except for 3.2.2). Star warns that 3.1.2 and 3.1.3 are known to fail on [[N18ap|iPod touch 3G]], and that performing a fresh restore to 4.0(.1) is recommended. With the release of iOS 4.0.2 (and iOS 3.2.2 for [[K48ap|iPad]]s) on 11 August 2010, the vulnerabilities were fixed, so Star no longer works on those versions.&lt;br /&gt;
&lt;br /&gt;
==Payloads==&lt;br /&gt;
*The first payload is deployed via an HTTP redirect to a PDF file. The PDF contains a [[Malformed CFF Vulnerability|CFF font with a malformed type 2 charstring]], which contains commands to repeatedly push and duplicate random numbers onto an &amp;quot;argument stack&amp;quot;. This allows arbitrary code execution due to a stack overflow in the CFF parser inside the FreeType 2 library used by iOS. An integer overflow in [[IOSurface Kernel Exploit|IOSurface.framework]] is then used to get root access and privileges.[http://support.apple.com/kb/HT4291]&lt;br /&gt;
*The second payload (wad.bin) contains Cydia and the code to install it into the filesystem.&lt;br /&gt;
&lt;br /&gt;
==PDF Patch==&lt;br /&gt;
Because this jailbreak revealed a new major security hole in iOS, it could also be adopted by rogue developers to create malware to take over your [[iPad]]/[[iPhone]]/[[iPod touch]]. Therefore it is highly recommended to install [https://twitter.com/saurik/status/20958834996 the patch] [[saurik]] released via Cydia in order to keep your device safe.&lt;br /&gt;
&lt;br /&gt;
==Analysis==&lt;br /&gt;
First, the process uses the [[Malformed CFF Vulnerability]] (CVE-2010-1797), which is a simple stack-based buffer overflow. With this vulnerability, an overly long CFF charString entry ends up with attacker-controlled $pc. Many people think of Return Oriented Programming (ROP) as a rather immature technique to use for complicated jobs, but the Star shellcode uses ROP to execute more than 150 API calls in total. This means non-executable memory is not a defense against these kinds of memory corruption attacks. It looks as if the current ROP technique for iPhone exploitation is very mature and stable.&lt;br /&gt;
&lt;br /&gt;
The ROP payload actually abuses [[IOSurface Kernel Exploit|a vulnerability in IOSurface.framework]]. This vulnerability allows a normal process to have access to kernel memory with write privileges. After it modifies kernel space data to circumvent security checks, it calls “setuid(0)” to get root access. So, the game is pretty much over at this point. The Safari process at this point has root user privileges, and it can do whatever it wants.&lt;br /&gt;
&lt;br /&gt;
After this exploitation phase, it drops the “installui.dylib” shared library, loads it, and executes the “iui_go” function from the library. This allows some UI text to be displayed on the user’s screen to ask whether to go forward with jailbreaking. Then it downloads the “[http://jailbreakme.com/wad.bin wad.bin]” and extracts necessary files like “install.dylib” from there, and then executes the “do_install” function from there, which will do the typical jailbreaking process. All these operations are possible because the Safari process has root access acquired using the kernel bug.&lt;br /&gt;
&lt;br /&gt;
The jailbreaking phase involves something like moving some system directories and modifying essential system files like “/etc/fstab”. Also it directly accesses the “/dev/kmem” device to patch kernel flags or code. And finally it installs the “Cydia” installer package and restarts SpringBoard using the “uicache” command.&lt;br /&gt;
&lt;br /&gt;
==Links==&lt;br /&gt;
*[http://github.com/comex/star Source code for Star]&lt;br /&gt;
*[http://www.gadgetsdna.com/iphone-ios-4-0-1-jailbreak-execution-flow-using-pdf-exploit/5456/ Analysis of Star]&lt;/div&gt;</summary>
		<author><name>Tavianator</name></author>
		
	</entry>
</feed>