Difference between revisions of "0x24000 Segment Overflow"

From The iPhone Wiki
Jump to: navigation, search
Line 1: Line 1:
Also known by it's codename, "24kPwn", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].
+
Also known by it's codename, "[[24kPwn]]", this was the first exploit in the [[S5L8720]] that allowed us to bypass the bootrom signature checks on [[LLB]] and create what is known as an [[untethered jailbreak]].
   
 
==Note==
 
==Note==

Revision as of 18:03, 12 March 2009

Also known by it's codename, "24kPwn", this was the first exploit in the S5L8720 that allowed us to bypass the bootrom signature checks on LLB and create what is known as an untethered jailbreak.

Note

It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it. I apologize if the wording is odd, as I wrote it up a little while ago, planning to post it this summer.

Credit

chronic, CPICH, ius, planetbeing, pod2g, posixninja, and co.

Exploit

The address that the bootrom loads LLB into is 0x22000000, and for some reason, it stores it's global variables dangerously close, at 0x22024000. Now, when loading LLB from NOR, it does not have any sort of maximum size limit, unlike if it was receiving a file via USB. You just can gracefully overwrite, and for some parts, will need to reconstruct, the beginning of the data (_bss) section. There are a few different ways you could exploit this to actually run unsigned code at this level, but so far the easiest one found is based on another fail decision that Apple made. For some reason, they and put the SHA1 hardware address array smack dab in our way, so at this point, you can change anything there that you want. By changing the pointer to SHA1 Data Input Register 1 into a pointer to where the current LR is on the stack, it will put whatever is at 0x20 of the image in LR, which is all that is important. By putting your payload somewhere in the padding (you need padding, since LLB is less than 0x24000 bytes obviously), you can just put the address of it at 0x20 of the image! If you actually don't want to run unsigned code but instead just want to run the LLB, then you will first need to have it put the original bytes back at 0x20 in the file before you do anything else, as well as put the original SHA1 hardware address back in the array. Another important thing to remember is that you must 1. add 0x22000000 to whatever the offset of your payload is in the file, since that is where it loads LLB in memory, and 2. reverse it for endianess.

Prerequisites

Because files sent over USB have a size limitation, one thing that is the ability to flash the NOR unsigned.