The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Talk:ARM7 Go
Contents
My Payload
(Since RedSn0w will be out any day, this is just for the hell of it :)
If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, it's payload, and program almost completed.
@ ipod touch 2G ibss 2.1.1 patcher @ by chronic with some gas help from ius @ @ assemble this with gas .section .text .global _start _start: stmdb sp!, {r0-r6} ldr r0, =rangePatch ldr r1, =permsPatch ldr r2, =sigchPatch ldr r3, =sigchecLoc ldr r4, =permschLoc ldr r6, =rangechLoc strh r1, [r4] strh r0, [r6] strh r2, [r3] ldmia sp!, {r0-r6} mov pc, lr .section .data sigchecLoc: .word 0x2200F2FE permschLoc: .word 0x2200C330 rangechLoc: .word 0x2200C3A6 rangePatch: .hword 0x0120 permsPatch: .hword 0x0124 sigchPatch: .hword 0x0020
ChronicDev 19:45, 16 January 2009 (UTC)
Chronic, I may have found the way to use arm7_go
Try to add the size of your payload just before it as an 32bit integer.
1. without size :
I assembled your payload with gas then tried to upload it at 0x09000000 and start arm7_go. It did nothing.
2. with size before : 0x00000048 then your payload uploaded at 0x09000000.
arm7_go => it crashed my ipod 2G.
I hope it can help. I am continuing my reasearches.
How do you pass the bootrom RSA checks?
I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?
RE: How do you pass the bootrom RSA checks?
I do not know how it is done, but taking the screenshot on the latest devteam blog post, they have found a way to do so.
RE: RE: How do you pass the bootrom RSA checks?
Okay, as to MuscleNerd's redsn0w demo, it's pretty yellowsn0w like - you have to let the bootrom sigchecks pass, and then use the exploit every time the device boots. Pretty annoying, but that's the only option without a way to pass bootrom sigchecks.
Wel...
They noted they are looking for a way around that.
We may have something!
I tried what iPod2G said.
Now, after running my payload...well...things are acting really WEIRD. the first time I tried,it crashed, and now...
http://pastie.org/private/gpsvfcve6yqnm3uk4qzouq
mdb is messed up. Oh, and my screen turned blue for some reason.
Just tried again, and it turned green :O
Vulnerability vs. Exploit and Credits
@Chronic: I'm fine with you adding that you found it independently, but you have to be careful with the wording in general. It seems there are a great deal of misusages of the word "exploit" vs. vulnerability in this community. So if you don't mind, I'd like to clarify:
A vulnerability is the actual bug/security hole, whereas an exploit is the actual implementation which allows one to exploit the vulnerability.
For instance in the following sentence from the wiki: "The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go", the word "exploit" is not used properly. You are here talking about the vulnerability, not the exploit.
In my opinion, credits for vulnerability and exploit should be separated in general (I'm not talking about this one in particular, but I'm talking about vuln/exploit in general). One can find a vulnerability without exploiting it (because he doesn't want to, doesn't have the time, or it's too complicated and he doesn't manage actually to exploit it), and likewise someone can implement an actual exploit without discovering the initial vulnerability. IMHO, most of the time, the exploit is where the skills really are, because it's one thing to understand why something is a security vulnerability, it's often another to make it actually real with a POC code (because of sanity checks, checking, filters and so on). Although sometimes, I do agree that finding the vulnerability itself requires mad skillz (as an example, prop' to Bleichenbacher for finding his RSA attack), it is my belief that most of the time, the exploit is where the difficulty lies.
Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it.