Talk:Research: Pwnage Patches

From The iPhone Wiki
Revision as of 02:03, 14 April 2009 by James (talk | contribs) (2G DeviceTree)
Jump to: navigation, search

Kernel and ramdisk patches

Anyone care to share what is patched?

yup

ramdisk:

asr - patch out rootfs SHA1 check

restored_external - patch wiping routine

kernel:

haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.

Thanks

Do you know how the new codesign is added yet? I notice you think they didn't use ldid. It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.

patches

patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.

hashes

What are you taking the hash of? For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16). The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious). If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020). The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.

isha / ldid

it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.

2G DeviceTree

It seems that this was never patched until redsn0w QuickPwn. What exactly is the patch made to allow LogoMe to work? I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.

disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? ChronicDev 23:44, 13 April 2009 (UTC)
I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
I patched function-disable_keys at 0x3534, though.--James 00:10, 14 April 2009 (UTC)
you somehow used the wrong IV probably, double check that ChronicDev 02:00, 14 April 2009 (UTC)
I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --James 02:03, 14 April 2009 (UTC)