Difference between revisions of "Making PwnageTool Bundles"

From The iPhone Wiki

Revision as of 16:56, 7 April 2012

Creating the template Info.plist

Remove all AES keys/IVs and hashes and replace them with TODO. Also replace all .dmg filenames, the SHA1 hash value and the rootfs volume name.

Getting the AES keys

Main article: AES Keys#Using Greenpois0n to get the keys

Put the keys into the Info.plist, replacing the TODO entries.

Decrypting IMG3 files

Use xpwntool to decrypt all img3 files: NOR, kernelcache and the restore ramdisk.

Decrypting the RootFS

  1. Use GenPass with decrypted Ramdisk to get the rootfs vfdecrypt key.
  2. Decrypt the rootfs using vfdecrypt, then put the key and the rootfs volume name into Info.plist.

Patches

In most cases you can reuse the patches from a previous firmware version. You can use the fuzzy_patcher tool for that. To extract differences from the previous version of files:

fuzzy_patcher --diff --delta delta_file.json \
--orig original_decrypted_file_vPrev \
--patched patched_decrypted_file_vPrev --verbose

To apply the difference file to the current version:

fuzzy_patcher --patch --delta delta_file.json \
--orig original_decrypted_file \
--patched patched_decrypted_file --fuzz 80 --verbose

You can lower the 'fuzziness' level to apply lower-confidence patches, but it's not a very good idea; you would usually want to inspect the file with IDA in such cases.
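To make the --diff / --patch / --fuzz workflow concrete, here is an added example (not the fuzzy_patcher tool itself, nor its file format) of a minimal fuzzy binary patcher. It records each run of changed bytes together with some unchanged context, then looks for that context in a newer build of the file and applies the change only where the match reaches the fuzz percentage. The sample binaries are constructed for the example and are not real iBSS or ASR bytes; CONTEXT, the record layout and the scoring rule are my assumptions.

```python
"""Minimal fuzzy binary patcher (constructed example, not fuzzy_patcher itself)
showing the --diff / --patch / --fuzz idea: record each changed byte run with
CONTEXT bytes of unchanged context on either side, then relocate the run in a
newer build by the best context match that scores at least 'fuzz' percent."""
import json
from typing import Optional, Tuple

CONTEXT = 8  # bytes of unchanged context stored on each side of a change (assumption)


def make_delta(orig: bytes, patched: bytes) -> list:
    """--diff: list every run of changed bytes between two same-size binaries."""
    if len(orig) != len(patched):
        raise ValueError("in-place patches only: the two files must have the same length")
    records, i = [], 0
    while i < len(orig):
        if orig[i] == patched[i]:
            i += 1
            continue
        j = i
        while j < len(orig) and orig[j] != patched[j]:
            j += 1
        records.append({
            "offset": i,                                   # where the run sat in the old build
            "before": orig[max(0, i - CONTEXT):i].hex(),   # leading context
            "old": orig[i:j].hex(),                         # bytes being replaced
            "new": patched[i:j].hex(),                      # replacement bytes
            "after": orig[j:j + CONTEXT].hex(),             # trailing context
        })
        i = j
    return records


def _similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that agree between two equal-length windows."""
    return sum(x == y for x, y in zip(a, b)) / len(a) if a else 1.0


def find_site(target: bytes, rec: dict, fuzz: int) -> Optional[Tuple[int, int]]:
    """Locate rec's context pattern in target. Returns (offset of the old bytes,
    score in percent) for the best window scoring >= fuzz, preferring the window
    nearest the original offset on ties, or None when nothing reaches the threshold."""
    before = bytes.fromhex(rec["before"])
    pattern = before + bytes.fromhex(rec["old"]) + bytes.fromhex(rec["after"])
    best = None
    for start in range(len(target) - len(pattern) + 1):
        score = _similarity(pattern, target[start:start + len(pattern)])
        if score * 100 < fuzz:
            continue
        site = start + len(before)
        key = (score, -abs(site - rec["offset"]))
        if best is None or key > best[0]:
            best = (key, site, int(score * 100))
    return None if best is None else (best[1], best[2])


def apply_delta(target: bytes, delta: list, fuzz: int = 80) -> Tuple[bytes, list]:
    """--patch: apply each record to target; returns the new bytes plus a report
    (one dict per record) so low-confidence placements can be inspected by hand."""
    out, report = bytearray(target), []
    for rec in delta:
        hit = find_site(target, rec, fuzz)
        if hit is None:
            report.append({"offset": rec["offset"], "site": None, "score": 0, "status": "unmatched"})
            continue
        site, score = hit
        new = bytes.fromhex(rec["new"])
        out[site:site + len(new)] = new
        report.append({"offset": rec["offset"], "site": site, "score": score,
                       "status": "exact" if score == 100 else "fuzzy"})
    return bytes(out), report


# Constructed sample inputs (not real iBSS or ASR bytes): a Thumb compare-and-branch
# "00 2b 01 d1" (cmp r3,#0 ; bne) that the previous bundle's patch turned into a NOP (00 bf).
FILLER_A = bytes(range(0x00, 0x10))
FILLER_B = bytes(range(0x20, 0x30))
PREV_ORIG = FILLER_A + b"\x00\x2b\x01\xd1" + FILLER_B
PREV_PATCHED = FILLER_A + b"\x00\x2b\x00\xbf" + FILLER_B
# The "next version": same routine shifted by six bytes, with one trailing context byte changed.
CUR_ORIG = bytes(range(0x40, 0x46)) + FILLER_A + b"\x00\x2b\x01\xd1" + FILLER_B[:5] + b"\x99" + FILLER_B[6:]


def main() -> None:
    delta = make_delta(PREV_ORIG, PREV_PATCHED)
    delta_json = json.dumps(delta)                 # what a delta_file.json would hold here
    patched, report = apply_delta(CUR_ORIG, json.loads(delta_json), fuzz=80)
    for r in report:
        print(r)
    print(patched.hex())


if __name__ == "__main__":
    main()
```

Run as a script it reports one record relocated from offset 18 to offset 24 with a 94% context score ("fuzzy"); at --fuzz 100 the same record is left unmatched, which is exactly the case where the text says to open the file in IDA instead of lowering the threshold.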

ASR

  1. Patch ASR from the Restore Ramdisk
  2. Fix its page hashes using codesign or ldid (see Bypassing iPhone Code Signature).

ASR can be patched by finding an xref to the string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7'.
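The 'F3 E7' byte pair is only correct when the success label sits at the distance that encoding implies, so it is worth decoding rather than trusting. The following is an added example, not code from the wiki, that decodes a 16-bit Thumb unconditional branch and reports where it lands; the 0x1000 instruction address used in the demo is a constructed value.

```python
"""Added example (not from the wiki): decode the 16-bit Thumb unconditional branch
so a patch byte pair such as 'F3 E7' can be checked rather than trusted.
The 16-bit encoding of 'B <label>' is: bits 15..11 = 11100, bits 10..0 = imm11.
Byte offset = sign-extended imm11 << 1, relative to PC, which for Thumb reads
as the address of the instruction + 4."""
import struct
from typing import Optional


def decode_thumb_b(code: bytes) -> Optional[int]:
    """Return the signed byte offset (relative to PC) of a 16-bit Thumb 'B',
    or None when the little-endian halfword is not an unconditional branch."""
    if len(code) != 2:
        raise ValueError("a 16-bit Thumb instruction is exactly two bytes")
    (hw,) = struct.unpack("<H", code)        # bytes in the file are little-endian
    if hw >> 11 != 0b11100:
        return None
    imm11 = hw & 0x7FF
    if imm11 & 0x400:                        # bit 10 set: negative displacement
        imm11 -= 0x800
    return imm11 << 1


def branch_target(insn_addr: int, code: bytes) -> Optional[int]:
    """Absolute target of the branch at insn_addr, or None if the bytes are not a 'B'."""
    off = decode_thumb_b(code)
    return None if off is None else insn_addr + 4 + off


def describe(insn_addr: int, code: bytes) -> str:
    """Human-readable check of what a candidate patch actually does at insn_addr."""
    tgt = branch_target(insn_addr, code)
    if tgt is None:
        return f"{code.hex()} at {insn_addr:#x}: not an unconditional branch"
    direction = "backward" if tgt < insn_addr else "forward"
    return f"{code.hex()} at {insn_addr:#x}: B {tgt:#x} ({direction}, {tgt - insn_addr:+d} bytes)"


if __name__ == "__main__":
    # 0x1000 is a constructed address; the bytes are the ones quoted in the text.
    print(describe(0x1000, b"\xf3\xe7"))   # B 0xfea (backward, -22 bytes)
    print(describe(0x1000, b"\x00\xbf"))   # 0xBF00 is NOP: not a branch
```

So 'F3 E7' is 0xE7F3: imm11 = 0x7F3 = -13, a branch of -26 bytes from PC, i.e. 22 bytes before the instruction being patched. If the success label in a particular ASR build is not exactly 22 bytes earlier, the immediate has to be recomputed for that distance.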

iBSS patches

For today's limera1n-based jailbreaks there are quite a few patches:

  1. You need to patch out every signature or integrity check in the iBSS (ramdisk signature, APTicket (see below), iBEC signatures etc.).
  2. APTicket: on 5.x.x+, the iBSS patches are slightly different. If you are using a stitched ipsw, where the img3 files are embedded with the SHSH of the restored device and the APTicket is included as "APTicket.img3" or "SCAB.img3", or an old-bootrom 3GS, the iBSS needs to have its nonce creation patched out. If you're patching a stock firmware, the iBSS still needs to generate the nonce but must not check the APTicket's validity or its match for the nonce created.
  3. iBSS patch for bundles using a user-mode untether exploit (or for tethered bundles):

The kernelcache file is not patched in those bundles, to allow an untethered boot with the NOR intact. Instead, the kernelcache patches required to run the ramdisk are located in the iBSS: the iBSS kernelcache_load function is patched to call a proc at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. You can use iBSS KPatch (https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/ibss_kpatch/) to add kernel patches to the iBSS. This applies to all the recent jailbreaks (excluding old-bootrom n88ap).

Creating BSDiffs

Use BSDiff to create diffs by diffing unpacked original versus patched files. Example:

bsdiff iBSS.k48ap.RELEASE.dfu.dec iBSS.k48ap.RELEASE.dfu.dec.patched iBSS.k48ap.RELEASE.patch

LLB 24k exploit

iPod touch 2G and iPhone 3GS use a different bootrom exploit, so the encrypted LLB for these devices needs patching with the xpwntool option "-x24k" (for iPod touch 2G) or "-xn8824k" (for iPhone 3GS). Example:

xpwntool LLB.n88ap.RELEASE.img3.dec LLB.n88ap.RELEASE.img3.dec.patched \
-t LLB.n88ap.RELEASE.img3 -xn8824k -iv replace_with_iv \
-k replace_with_key

Then bsdiff the encrypted files.

Fixing the ipsw file hash

Run shasum on the original ipsw and paste the result into the 'SHA1' field.
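The two Info.plist steps, replacing secrets with TODO in the template and stamping the ipsw's SHA1 at the end, are easy to get half-done by hand. The following added example (not part of the wiki or of PwnageTool) builds a TODO template of the shape described above, fills it, computes the same digest shasum prints and stores it in the 'SHA1' field, and refuses to serialise a plist that still contains a TODO. Apart from 'SHA1', the key names, the fake ipsw contents and the filled-in values are constructed placeholders, not the real bundle format.

```python
"""Added example (not from the wiki or PwnageTool): finish a bundle's Info.plist
from a script and check that no TODO placeholder survives.  Key names other than
'SHA1' are assumptions about the layout, not the real bundle format."""
import copy
import hashlib
import plistlib
from typing import List

TODO = "TODO"


def template_plist() -> dict:
    """Constructed template: keys, IVs, hashes, .dmg names and the rootfs volume
    name are all TODO, as the 'Creating the template Info.plist' step requires."""
    return {
        "Filename": TODO,                       # the .ipsw name
        "SHA1": TODO,                           # sha1 of the original ipsw
        "RootFilesystem": TODO,                 # rootfs .dmg name
        "RootFilesystemKey": TODO,              # vfdecrypt key from GenPass
        "RootFilesystemMountVolume": TODO,      # rootfs volume name
        "FirmwarePatches": {
            "Restore Ramdisk": {"File": TODO, "IV": TODO, "Key": TODO, "Patch": TODO},
            "KernelCache": {"File": TODO, "IV": TODO, "Key": TODO, "Patch": TODO},
        },
    }


def todo_paths(node, prefix: str = "") -> List[str]:
    """Dotted paths of every value that is still the TODO placeholder."""
    found: List[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            found += todo_paths(v, f"{prefix}{k}.")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found += todo_paths(v, f"{prefix}{i}.")
    elif node == TODO:
        found.append(prefix.rstrip("."))
    return found


def sha1_hex(data: bytes) -> str:
    """The digest 'shasum' prints for a file with these contents."""
    return hashlib.sha1(data).hexdigest()


def fill(plist: dict, values: dict) -> dict:
    """Copy plist and set dotted-path keys such as 'FirmwarePatches.KernelCache.Key'."""
    out = copy.deepcopy(plist)
    for path, value in values.items():
        node = out
        *parents, leaf = path.split(".")
        for p in parents:
            node = node[p]
        node[leaf] = value
    return out


def check_bundle(plist: dict, ipsw_bytes: bytes) -> List[str]:
    """Stamp the ipsw SHA1 and return the TODO entries that would still remain."""
    return todo_paths(fill(plist, {"SHA1": sha1_hex(ipsw_bytes)}))


def finalize(plist: dict, ipsw_bytes: bytes) -> bytes:
    """Serialise the finished plist; raise instead of shipping leftover TODOs."""
    done = fill(plist, {"SHA1": sha1_hex(ipsw_bytes)})
    left = todo_paths(done)
    if left:
        raise ValueError("unfilled template entries: " + ", ".join(left))
    return plistlib.dumps(done)


def load_plist(data: bytes) -> dict:
    """Parse serialised plist bytes back into a dict (used to verify the output)."""
    return plistlib.loads(data)


# Constructed stand-ins: obviously fake ipsw contents and dummy values for the keys.
FAKE_IPSW = b"abc"
FILLED_VALUES = {
    "Filename": "iPhone_Firmware_Restore.ipsw",
    "RootFilesystem": "rootfs.dmg",
    "RootFilesystemKey": "DUMMY_VFDECRYPT_KEY",
    "RootFilesystemMountVolume": "DummyVolume",
    "FirmwarePatches.Restore Ramdisk.File": "ramdisk.dmg",
    "FirmwarePatches.Restore Ramdisk.IV": "DUMMY_IV",
    "FirmwarePatches.Restore Ramdisk.Key": "DUMMY_KEY",
    "FirmwarePatches.Restore Ramdisk.Patch": "ramdisk.patch",
    "FirmwarePatches.KernelCache.File": "kernelcache.release",
    "FirmwarePatches.KernelCache.IV": "DUMMY_IV",
    "FirmwarePatches.KernelCache.Key": "DUMMY_KEY",
    "FirmwarePatches.KernelCache.Patch": "kernelcache.patch",
}

if __name__ == "__main__":
    print("unfilled in template:", check_bundle(template_plist(), FAKE_IPSW))
    print(finalize(fill(template_plist(), FILLED_VALUES), FAKE_IPSW).decode())
```

Running the script prints the twelve entries the template still needs, then the finished plist with the SHA1 of the fake ipsw in place. With a real bundle, read the ipsw into ipsw_bytes and supply the values from the earlier steps; the SHA1 field is then guaranteed to match what shasum reports for that exact file.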