0x24000 Segment Overflow

From The iPhone Wiki
Revision as of 06:20, 13 March 2009 by Paul0 (talk | contribs) (Prerequisites)
Jump to: navigation, search

Also known by it's codename, "24kPwn", this was the first exploit in the S5L8720 that allowed us to bypass the bootrom signature checks on LLB and create what is known as an untethered jailbreak.

Note

It is unclear how, but the company "NitroKey" is selling this. We were planning on holding back for the new iPhone (which subsequently could mean an iPod 3G as well), but now that they are profiteering off of this we would like to explain exactly how this works as soon as possible so people do not have to pay for it. I apologize if the wording is odd, as I wrote it up a little while ago, planning to post it this summer.

Credit

chronic, CPICH, ius, planetbeing, pod2g, posixninja, and co.

Exploit

The address that the bootrom loads LLB into is 0x22000000, and for some reason, it stores it's global variables dangerously close, at 0x22024000. Now, when loading LLB from NOR, it does not have any sort of maximum size limit, (unlike if it was receiving a file via USB). With an LLB with a size greater then 0x24000, you can gracefully overwrite, and change many of these global variables. Although, for some parts, you may need to reconstruct, with the original data. There are a few different ways you could exploit this to actually run unsigned code at this level. So far the easiest one found is based on another fail decision that Apple made. For some reason, they put the SHA1 hardware address array smack dab in our way. By changing the address at SHA1 Data Input Register 1 (LLB @ 0x240fc), bootrom will attempt to write whatever should be written into sha1, into whatever address we have specified. So, since we can now write to any location in memory, we specify it to point to and overwrite where the current LR is on the stack (0x2202fe24). Now when bootrom starts to copy data over into sha1 register, instead it will actually be overwriting it's own return address and will put whatever address is at 0x20 of the LLB image in LR. Now just add the address of your payload (that's stored somewhere in the padding preferably) into 0x20 of LLB, and it will be executed! For the payload it's wise to put the original bytes that were in 0x20 back, and to restore the proper sha1 hardware address, as well as clean up the stack a little bit before doing your thing and jumping back into code. Also, another important thing to remember is that you must 1. add 0x22000000 to whatever the offset of your payload is in the file, since that is where it loads LLB in memory, and 2. reverse it for endianess.

Prerequisites

Because files sent over USB have a size limitation, one thing that is the ability to flash the NOR unsigned. This can be done by putting the device into dfu mode and writing to the nor0 block device using a tools like iRecovery.