Usb control msg(0x21, 2) Exploit - Revision history

LeoI07 at 16:17, 22 May 2022

2022-05-22T16:17:03Z

Spydar007 at 09:24, 26 March 2017

2017-03-26T09:24:43Z

Dialexio: Pruning.

2016-08-29T02:16:26Z

Pruning.

IAdam1n: Updating

2015-10-11T10:29:11Z

Updating

IAdam1n: y u no space?

2015-06-15T23:48:56Z

y u no space?

Http: fix link

2012-10-15T21:31:14Z

fix link

Http: fix link

2012-03-11T16:14:42Z

fix link

Itaiyz97 at 20:02, 26 October 2011

2011-10-26T20:02:32Z

Http: fixed link

2011-01-29T19:08:58Z

fixed link

Http: direct link

2010-10-28T21:12:09Z

direct link

← Older revision		Revision as of 16:17, 22 May 2022
Line 58:		Line 58:

	[[Category:Exploits]]		[[Category:Exploits]]
		+	[[Category:iBoot Exploits]]

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
-A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18AP|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and [[N72AP|iPod touch 2G]] ([[Bootrom 240.5.1|new bootrom]]) owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released.
+A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18AP|iPod touch (3rd generation)]] owners who saved their [[SHSH]] for the aforementioned firmwares, and [[N72AP|iPod touch (2nd generation)]] ([[Bootrom 240.5.1|new bootrom]]) owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released.
 == Credit (Alphabetical) ==

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
-A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18AP|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72AP|iPod touch 2G]] owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released. It was untethered for old iPhone 3GS. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]
+A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18AP|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and [[N72AP|iPod touch 2G]] ([[Bootrom 240.5.1|new bootrom]]) owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released.
 == Credit (Alphabetical) ==

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
-A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88ap|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18ap|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72ap|iPod touch 2G]] owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released. It was untethered for old iPhone 3GS. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]
+A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88AP|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18AP|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72AP|iPod touch 2G]] owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released. It was untethered for old iPhone 3GS. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]
 == Credit (Alphabetical) ==

@@ Line 1: / Line 1: @@
 {{DISPLAYTITLE:usb_control_msg(0x21, 2) Exploit}}
-A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88ap|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18ap|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72ap|iPod touch 2G]] owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released.It was untethered for old iPhone 3GS. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]
+A null pointer dereference vulnerability exists in the versions of [[iBoot]]/[[iBSS]]/[[iBEC]] found in firmwares 3.1/3.1.1 and 3.1.2 (and presumably everything before) on all iDevices. It was fixed in [[iBoot-636.66.33]], which was included with 3.1.3. [[N88ap|iPhone 3GS]] ([[Bootrom 359.3.2|new bootrom]]) and [[N18ap|iPod touch 3G]] owners who saved their [[SHSH]] for the aforementioned firmwares, and MC-model [[N72ap|iPod touch 2G]] owners could have used it for a [[tethered jailbreak]] on 4.0 and 4.1, until [[Limera1n]] was released. It was untethered for old iPhone 3GS. [http://ih8sn0wforums.com/viewtopic.php?f=56&t=1928] [http://blog.qwertyoruiop.com/?p=154]
 == Credit (Alphabetical) ==

@@ Line 8: / Line 8: @@
 == Vulnerability ==
-'''[[User:Pod2g|pod2g]]''' and '''[[westbaer]]''' discovered, via some reversing + fuzzing, you could overwrite the content of 0x0 thanks to Apple not checking the contents of a register they should have, shown in the disassm below. This can be exploited because MMU maps whatever is running ([[LLB]], [[iBoot]], etc.) to 0x0 so that if an exception vector is triggered, it would jump to the one designed to be used with what is running, versus jumping to what is normally located at 0x0, the [[S5L8920 (Bootrom)|bootrom]].
+'''[[User:Pod2g|pod2g]]''' and '''[[westbaer]]''' discovered, via some reversing + fuzzing, you could overwrite the content of 0x0 thanks to Apple not checking the contents of a register they should have, shown in the disassm below. This can be exploited because MMU maps whatever is running ([[LLB]], [[iBoot]], etc.) to 0x0 so that if an exception vector is triggered, it would jump to the one designed to be used with what is running, versus jumping to what is normally located at 0x0, the [[S5L8920|bootrom]].
 All you need to do is send the following (assuming you're using libusb 0.1.x)...

@@ Line 5: / Line 5: @@
 * '''vulnerability''': [[User:Pod2g|pod2g]] and [[westbaer]], also discovered independently by [[gray]], also discovered independently by [[User:geohot|geohot]]
 * '''exploitation''': [[ius]], [[User:ChronicDev|chronic]], [[User:Pod2g|pod2g]], and [[User:posixninja|posixninja]], also [[User:geohot|geohot]]
-* '''payload''': [[User:geohot|geohot]] ([[blackra1n]]), [[User:ChronicDev|chronic]] and [[User:posixninja|posixninja]] ([[greenpois0n]])
+* '''payload''': [[User:geohot|geohot]] ([[blackra1n]]), [[User:ChronicDev|chronic]] and [[User:posixninja|posixninja]] ([[Greenpois0n (jailbreak)|greenpois0n]])
 == Vulnerability ==