The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Making PwnageTool Bundles"
Revision as of 20:09, 14 August 2011
Creating the template Info.plist
Remove all AES keys/IVs and hashes and replace them with TODO.
Also replace all .dmg filenames, the SHA1 hash value and the rootfs volume name.
Getting the AES keys
- Main article: AES Keys#Using Greenpois0n to get the keys
Put the keys into the Info.plist, replacing the TODO entries.
Decrypting IMG3 files
Use xpwntool to decrypt all IMG3 files: the NOR images, the kernelcache and the restore ramdisk.
Decrypting the RootFS
- Use GenPass with the decrypted Ramdisk to get the rootfs vfdecrypt key.
- Decrypt the rootfs using vfdecrypt, then put the key and the rootfs volume name into Info.plist.
Patches
In most cases you can reuse the patches from a previous firmware version. You can use the fuzzy_patcher tool (https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/fuzzy_patcher/) for that. To extract the differences from the previous version of the files:

    fuzzy_patcher --diff --delta delta_file.json \
        --orig original_decrypted_file_vPrev \
        --patched patched_decrypted_file_vPrev --verbose

To apply the difference file to the current version:

    fuzzy_patcher --patch --delta delta_file.json \
        --orig original_decrypted_file \
        --patched patched_decrypted_file --fuzz 80 --verbose

You can lower the fuzziness level to apply lower-confidence patches, but that is not a good idea; in such cases you would usually want to inspect the file with IDA instead.
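As an added illustration of the diff-then-patch workflow above (not msftguy's fuzzy_patcher itself), the toy Python patcher below records each changed byte run of the previous version together with surrounding context bytes, relocates that context in the current file by similarity, and applies the change only when the best match clears the fuzz threshold. The sample bytes, the 16-byte context window and all names are constructed assumptions.

```python
# Toy fuzzy binary patcher (added illustration, not msftguy's fuzzy_patcher).
# --diff: record each changed run of vPrev with surrounding original bytes as an anchor.
# --patch: locate that anchor in the new file by similarity and apply only above --fuzz.
import difflib

CONTEXT = 16  # assumed anchor size on each side of a change; the real tool's window differs

def make_delta(orig: bytes, patched: bytes, context: int = CONTEXT) -> list:
    """Return a delta: one entry per differing run, with its anchor bytes and the new bytes."""
    assert len(orig) == len(patched), "only in-place byte patches are modelled here"
    delta, i = [], 0
    while i < len(orig):
        if orig[i] == patched[i]:
            i += 1
            continue
        j = i
        while j < len(orig) and orig[j] != patched[j]:
            j += 1
        lo, hi = max(0, i - context), min(len(orig), j + context)
        delta.append({"anchor": orig[lo:hi], "skip": i - lo, "new": patched[i:j]})
        i = j
    return delta

def best_match(data: bytes, anchor: bytes) -> tuple:
    """Slide the anchor over data; return (offset, similarity ratio) of the best window."""
    best = (-1, 0.0)
    for off in range(len(data) - len(anchor) + 1):
        ratio = difflib.SequenceMatcher(None, data[off:off + len(anchor)], anchor).ratio()
        if ratio > best[1]:
            best = (off, ratio)
    return best

def apply_delta(data: bytes, delta: list, fuzz: int = 80) -> bytes:
    """Apply each entry whose anchor scores at least fuzz percent; refuse to guess otherwise."""
    out = bytearray(data)
    for entry in delta:
        off, ratio = best_match(data, entry["anchor"])
        if ratio * 100 < fuzz:
            raise ValueError(f"best anchor match {ratio:.0%} is below --fuzz {fuzz}; inspect manually")
        start = off + entry["skip"]
        out[start:start + len(entry["new"])] = entry["new"]
    return bytes(out)

# Constructed sample: a 'previous firmware' routine, its patched form, and the 'current' build
# in which the same routine sits 5 bytes later and a nearby string changed case.
PREV_ORIG    = b"\x00" * 8 + b"verify_image\x00" + b"\x01\x02" + b"image_ok\x00" + b"\x00" * 8
PREV_PATCHED = b"\x00" * 8 + b"verify_image\x00" + b"\x03\x04" + b"image_ok\x00" + b"\x00" * 8
CUR_ORIG     = b"\x00" * 13 + b"verify_image\x00" + b"\x01\x02" + b"image_OK\x00" + b"\x00" * 8

if __name__ == "__main__":
    delta = make_delta(PREV_ORIG, PREV_PATCHED)
    print(apply_delta(CUR_ORIG, delta, fuzz=80))  # the two bytes are patched at the shifted offset
```

With the default threshold the change lands at the relocated offset; raising the threshold to 95 makes the same sample refuse, which is the "inspect it in IDA" case rather than a silently misplaced patch.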
ASR
- Patch ASR from the Restore Ramdisk
- Fix its page hashes using codesign or ldid (see Bypassing iPhone Code Signature).
ASR can be patched by finding an xref to the string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7'.
iBSS patches (Special Case)
This iBSS patch is for bundles using a user-mode untether exploit (or for tethered bundles).

The kernelcache file is not patched in those bundles, to allow an untethered boot with the NOR intact. Instead, the kernelcache patches required to run the ramdisk are located in iBSS: the iBSS kernelcache_load function is patched to call a proc at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. You can use iBSS KPatch (https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/ibss_kpatch/) to add kernel patches to iBSS.
Creating BSDiffs
Use BSDiff (http://www.daemonology.net/bsdiff/) to create diffs by diffing the unpacked original versus the patched files. Example:

    bsdiff iBSS.k48ap.RELEASE.dfu.dec iBSS.k48ap.RELEASE.dfu.dec.patched iBSS.k48ap.RELEASE.patch
LLB 24k exploit
The iPod touch 2G and iPhone 3GS utilize a different bootrom exploit (0x24000 Segment Overflow), so the encrypted LLB for these devices needs patching, using the xpwntool option "-x24k" (for iPod touch 2G) or "-xn8824k" (for iPhone 3GS) to patch the file. Example:

    xpwntool LLB.n88ap.RELEASE.img3.dec LLB.n88ap.RELEASE.img3.dec.patched \
        -t LLB.n88ap.RELEASE.img3 -xn8824k -iv replace_with_iv \
        -k replace_with_key
Then bsdiff the encrypted files.
Fixing the ipsw file hash
Run shasum on the original ipsw and paste the result into the 'SHA1' field.