Difference between revisions of "ARM7 Go"

From The iPhone Wiki
Jump to: navigation, search
(Undo revision 5524 by 1337urmompois0n (Talk))
Line 1: Line 1:
  +
This vulnerability is exclusive to the [[iPod touch 2G]]. It is present in the device's 2.1.1 firmware, as well as the [[iBEC]] / [[iBSS]] if you choose to upload it via DFU. It allows the running of unsigned code on the ARM7 coprocessor.
   
  +
==Credit==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
[[User:ChronicDev|Chronic]] and [[iPhone Dev Team]] (independently)
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
   
  +
==Exploit==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
There is an ARM7 coprocessor in the iPod Touch 2G in addition to the main processor, the ARM11. Like the [[Audio DSP Module|ADM]] in the [[S5L8900]] devices, it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelerator, and such. The actual vulnerability is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands from what was presumably a debug [[iBoot]]: arm7_stop and arm7_go. They were promptly removed in 2.2, but in 2.1.1 it would read the environmental variable "loadaddr" and have the ARM7 coprocessor execute whatever code was at that address. There was no signature or range checks in place for the command.
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
   
  +
==Payload==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the [[diags]] exploit you cannot just pass a patched [[iBoot]] or [[iBEC]]. You must write a payload for it to run, but one that patches [[iBEC]] or [[iBoot]] in memory would do fine.
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
   
  +
==Implementations==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
Two released payloads are [[RedSn0w]] and [[0wnboot]]
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
   
  +
==How to use==
Haxed by 1337Urmom at The Pois0nhack team
 
  +
* Enter device in [[DFU]] mode.
Haxed by 1337Urmom at The Pois0nhack team
 
  +
* Upload iBSS 2.1.1.
Haxed by 1337Urmom at The Pois0nhack team
 
  +
* Unplug and then replug the device.
Haxed by 1337Urmom at The Pois0nhack team
 
  +
* Upload payload you wish to execute.
Haxed by 1337Urmom at The Pois0nhack team
 
  +
* Run arm7_go command to execute payload.
  +
* Run arm7_stop to stop ARM7, needed if you plan on sending anything else to 0x09000000
   
  +
[[Category:Exploits]]
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 
Haxed by 1337Urmom at The Pois0nhack team
 

Revision as of 07:34, 7 November 2009

This vulnerability is exclusive to the iPod touch 2G. It is present in the device's 2.1.1 firmware, as well as the iBEC / iBSS if you choose to upload it via DFU. It allows the running of unsigned code on the ARM7 coprocessor.

Credit

Chronic and iPhone Dev Team (independently)

Exploit

There is an ARM7 coprocessor in the iPod Touch 2G in addition to the main processor, the ARM11. Like the ADM in the S5L8900 devices, it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelerator, and such. The actual vulnerability is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands from what was presumably a debug iBoot: arm7_stop and arm7_go. They were promptly removed in 2.2, but in 2.1.1 it would read the environmental variable "loadaddr" and have the ARM7 coprocessor execute whatever code was at that address. There was no signature or range checks in place for the command.

Payload

The command gives the ARM7 the load address (default is 0x09000000) of an "image" you sent it, and it will jump to it. The limitation is, unlike the diags exploit you cannot just pass a patched iBoot or iBEC. You must write a payload for it to run, but one that patches iBEC or iBoot in memory would do fine.

Implementations

Two released payloads are RedSn0w and 0wnboot

How to use

  • Enter device in DFU mode.
  • Upload iBSS 2.1.1.
  • Unplug and then replug the device.
  • Upload payload you wish to execute.
  • Run arm7_go command to execute payload.
  • Run arm7_stop to stop ARM7, needed if you plan on sending anything else to 0x09000000