Making PwnageTool Bundles

From The iPhone Wiki
Revision as of 08:20, 14 November 2010 by Msft.guy

Creating the template Info.plist

Remove all AES keys/IVs and hashes from the template and replace each one with a TODO placeholder.

Getting the AES keys

See AES_Keys#Using_Greenpois0n_to_get_the_keys for how to obtain the keys. Put the keys into the Info.plist, replacing the TODO entries.
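As an added pre-build check (example code, not from the wiki page or the PwnageTool project): walk the Info.plist and flag any TODO placeholders that were never replaced, plus any Key/IV value that is not a hex string of a valid AES length. The plist layout (FirmwarePatches -> component -> File/Key/IV, RootFilesystemKey) and all sample values are constructed assumptions for this example.

```python
import plistlib
import re

# Constructed sample bundle Info.plist (not from the wiki page), modelled on the
# xpwn/PwnageTool layout FirmwarePatches -> component -> File/Key/IV. The field
# names are an assumption for this example; one IV is still a TODO placeholder
# and one Key is too short to be an AES key.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RootFilesystemKey</key><string>TODO</string>
  <key>FirmwarePatches</key><dict>
    <key>KernelCache</key><dict>
      <key>File</key><string>kernelcache.release.n88</string>
      <key>Key</key><string>00112233445566778899aabbccddeeff</string>
      <key>IV</key><string>TODO</string>
    </dict>
    <key>Restore Ramdisk</key><dict>
      <key>File</key><string>018-6492-2.dmg</string>
      <key>Key</key><string>0011223344</string>
      <key>IV</key><string>ffeeddccbbaa99887766554433221100</string>
    </dict>
  </dict>
</dict></plist>"""

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hex-encoded lengths: AES key 16/24/32 bytes, IV 16 bytes.
VALID_HEX_LENGTHS = {"Key": {32, 48, 64}, "IV": {32}}


def find_problems(plist_bytes):
    """Return sorted (path, problem) pairs: leftover TODO placeholders and
    Key/IV values that are not hex of a valid AES length."""
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + (key,))
        elif isinstance(node, str):
            dotted = "/".join(path)
            if node.strip() == "TODO":
                problems.append((dotted, "TODO placeholder left in place"))
            elif path[-1] in VALID_HEX_LENGTHS:
                if not HEX_RE.match(node):
                    problems.append((dotted, "not a hex string"))
                elif len(node) not in VALID_HEX_LENGTHS[path[-1]]:
                    problems.append((dotted, "bad length: %d hex chars" % len(node)))

    walk(plistlib.loads(plist_bytes), ())
    return sorted(problems)
```

Run find_problems() on the real bundle's Info.plist bytes; an empty list means every placeholder was filled and every Key/IV has a plausible length.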

Decrypting IMG3 files

Use xpwntool to decrypt all IMG3 files: the NOR images, the kernelcache and the restore ramdisk.

Decrypting the rootfs

Use GenPass with the decrypted ramdisk to obtain the rootfs vfdecrypt key. Decrypt the rootfs using vfdecrypt, then put the key and the rootfs volume name into the Info.plist.

Patches

In most cases you can reuse the patches from a previous firmware version; the fuzzy_patcher tool does this. To extract the differences from the previous version of the files:

fuzzy_patcher --diff --delta delta_file.json --orig original_decrypted_file_vPrev --patched patched_decrypted_file_vPrev

To apply the delta file to the current version:

fuzzy_patcher --patch --delta delta_file.json --orig original_decrypted_file --patched patched_decrypted_file --fuzz 80 --verbose

ASR

Patch ASR from the restore ramdisk, then use codesign or ldid to fix up its code page hashes. ASR can be patched by finding an xref to the string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7'.

iBSS patches - special case

For bundles that use a user-mode untether exploit (or for tethered bundles), the kernelcache file is not patched, so the device can boot untethered with an intact NOR. Instead, the kernelcache patches required to run the ramdisk are located in the iBSS: the iBSS kernelcache_load function is patched to call a routine at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. You can use this utility (https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/ibss_kpatch/) to add kernel patches to the iBSS.

Creating BSDiffs

Use bsdiff to create the diffs by diffing the unpacked original files against the patched files. The iPod touch 2G and iPhone 3GS utilize a different bootrom exploit, so the encrypted LLB for these devices needs patching: use the xpwntool option "-x24k" (for iPod touch 2G) or "-xn8824k" (for iPhone 3GS) to patch the file.