Difference between revisions of "Research: Pwnage Patches"

From The iPhone Wiki
m (Disambiguation.)
 
(22 intermediate revisions by 8 users not shown)
Earlier revision (the text this diff replaces; the replacement text is the latest revision shown below):

Thanks to CPICH for helping out!

== 2.0 (5A347) iBoot ==

=== Patched Area ===

There is only 1 patch made to the iBoot, iBEC, iBSS, and WTF.n82ap. They are all iBoots, pretty much, so I am going to assume that they all have this same patch for the same reason. Please feel free to correct this if this is not true.

Here is a snippet of it from IDA:

ROM:1800587C 01 20    MOVS R0, #1      ; R0 = 1
ROM:1800587E 40 42    NEGS R0, R0      ; PWNAGE PATCH
ROM:1800587E                           ; Change 40 42 > 00 20
ROM:1800587E                           ; That will make it:
ROM:1800587E                           ; MOVS R0, #0
ROM:1800587E                           ;
ROM:1800587E                           ; R0 (unpatched) = -1
ROM:1800587E                           ; R0 (patched) = 0

=== Why does this help us? ===

Well, this is a bit later on...

ROM:180058C4 00 28    CMP R0, #0           ; Does R0 = 0?
ROM:180058C6 3C D1    BNE loc_18005942     ; if R0 does not = 0,
ROM:180058C6                               ; jump to 0x18005942
ROM:180058C6                               ;
ROM:180058C6                               ; Pwned iBoot will not jump
ROM:180058C6                               ; Unpwned iBoot will

As you can see from my comments, the patch makes it so that the branch is not taken. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see that a pwned iBoot will not jump to 0x18005942, and an unpwned iBoot will. This interests me, because with a branch statement you would usually get around a check by changing a certain branch, e.g. BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that here: the patch sits on the value being tested (the return code of the RSA check) rather than on the branch itself. Probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done.

== Lockdownd ==
 

Latest revision as of 04:42, 8 November 2010

If you have IDA Pro and you are at least semi-handy with ARM please contribute :)

Thanks to CPICH for helping out!

The Patches

There are three core patches in Pwnage.

iBoot

There is only 1 patch made to the iBoot, LLB, iBEC, iBSS, and WTF (they are all builds of the same bootloader code). It patches the failure path of the RSA signature check so that it returns success (0) instead of an error (-1); the check itself still runs, only the value it reports on failure changes.

The patch is simple. This is the default, non-patched fail path of rsaCheck as IDA shows it (the xrefs are all the places inside rsaCheck that branch here on a verification error):

ROM:00002636                 _fail                                   ; CODE XREF: rsaCheck+3C↑j
ROM:00002636                                                         ; rsaCheck+84↑j
ROM:00002636                                                         ; rsaCheck+A0↑j
ROM:00002636                                                         ; rsaCheck+B4↑j
ROM:00002636                                                         ; rsaCheck+F0↑j
ROM:00002636                                                         ; rsaCheck+100↑j
ROM:00002636                                                         ; rsaCheck+10C↑j
ROM:00002636                                                         ; rsaCheck+110↑j
ROM:00002636                                                         ; rsaCheck+118↑j
ROM:00002636                                                         ; rsaCheck+11C↑j ...
ROM:00002636 454 01 20                       MOVS    R0, #1
ROM:00002638 454 40 42                       NEGS    R0, R0

Every error path ends here: R0 is set to 1 and then negated, so rsaCheck returns -1 on any failure. (The "454" column is IDA's stack-pointer delta; the two bytes after it are the Thumb encoding of the instruction.)

Now, all that they do is change the "40 42" you see at 0x2638 to "00 20" (NEGS R0,R0 -> MOVS R0,#0). In Thumb, 0x4240 is NEGS R0,R0 and 0x2000 is MOVS R0,#0, both stored little-endian in the image, so the patched fail path reads MOVS R0,#1 ; MOVS R0,#0 and rsaCheck returns 0. Its caller compares the result against 0 and only takes the error branch when it is non-zero, so a failed signature check is now indistinguishable from a successful one.
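The following is an added example, not code from the wiki page or from the Pwnage tool. It shows the whole mechanism described in this section and in the "Why does this help us?" listing of the earlier revision above: a patcher that locates the MOVS R0,#1 ; NEGS R0,R0 fail sequence in a raw decrypted iBoot-family image and rewrites the NEGS to MOVS R0,#0, plus a tiny Thumb interpreter that executes the two halfwords and reports the R0 that the caller's CMP R0,#0 / BNE will test. The 16-byte image, the offset 8, the function names and the assumption that the raw image is 2-byte aligned from file start are all constructed for the example.

```c
/* Added example (not from the wiki page): find and apply the Pwnage RSA-check
 * patch in a raw (decrypted) iBoot-family image, then emulate the fail path
 * to confirm what rsaCheck returns before and after the patch.
 * Assumptions: the image is the raw decrypted payload with Thumb halfwords
 * 2-byte aligned from offset 0; sample data and offsets are constructed. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Thumb-1 encodings as they appear in the image (little-endian):
 *   01 20 -> 0x2001  MOVS R0, #1
 *   40 42 -> 0x4240  NEGS R0, R0   (R0 = -R0)
 *   00 20 -> 0x2000  MOVS R0, #0 */
static const uint8_t FAIL_SEQ[4]    = {0x01, 0x20, 0x40, 0x42};
static const uint8_t PATCHED_SEQ[4] = {0x01, 0x20, 0x00, 0x20};
static const uint8_t PATCH_BYTES[2] = {0x00, 0x20};

/* Locate MOVS R0,#1 ; NEGS R0,R0. Returns its offset, -1 if absent, or -2 if
 * the pattern occurs more than once, so a tool never patches blindly. */
long find_rsa_fail(const uint8_t *img, size_t len) {
    long hit = -1;
    for (size_t i = 0; i + sizeof FAIL_SEQ <= len; i += 2) {  /* halfword aligned */
        if (memcmp(img + i, FAIL_SEQ, sizeof FAIL_SEQ) == 0) {
            if (hit >= 0) return -2;
            hit = (long)i;
        }
    }
    return hit;
}

/* Overwrite the NEGS R0,R0 halfword with MOVS R0,#0. Returns 0 on success. */
int apply_rsa_patch(uint8_t *img, size_t len) {
    long off = find_rsa_fail(img, len);
    if (off < 0) return -1;
    memcpy(img + off + 2, PATCH_BYTES, sizeof PATCH_BYTES);
    return 0;
}

/* Minimal interpreter for the two Thumb-1 forms used in the fail path.
 * Runs `count` halfwords from `code` and returns the final R0. Any other
 * instruction makes it refuse (INT32_MIN) rather than guess. */
int32_t emulate_r0(const uint8_t *code, size_t count) {
    int32_t r0 = 0x12345678;  /* arbitrary initial value; both paths overwrite it */
    for (size_t i = 0; i < count; i++) {
        uint16_t insn = (uint16_t)(code[2 * i] | (code[2 * i + 1] << 8));
        if ((insn & 0xF800) == 0x2000 && ((insn >> 8) & 7) == 0) {
            r0 = insn & 0xFF;          /* MOVS R0, #imm8 */
        } else if (insn == 0x4240) {
            r0 = -r0;                  /* NEGS R0, R0 */
        } else {
            return INT32_MIN;
        }
    }
    return r0;
}

/* The caller's view (CMP R0,#0 ; BNE fail): 0 means the signature was accepted. */
int signature_accepted(int32_t rsa_check_result) {
    return rsa_check_result == 0;
}

/* Walk the whole scenario on a constructed 16-byte stand-in image whose fail
 * sequence sits at offset 8. Returns the number of steps that behaved as the
 * wiki text describes (8 when everything matches). */
int run_scenario(void) {
    uint8_t img[16] = {0};
    int passed = 0;
    memcpy(img + 8, FAIL_SEQ, sizeof FAIL_SEQ);
    if (find_rsa_fail(img, sizeof img) == 8) passed++;
    if (emulate_r0(img + 8, 2) == -1) passed++;             /* unpatched: -1 */
    if (!signature_accepted(emulate_r0(img + 8, 2))) passed++;
    if (apply_rsa_patch(img, sizeof img) == 0) passed++;
    if (img[10] == 0x00 && img[11] == 0x20) passed++;       /* NEGS replaced */
    if (emulate_r0(img + 8, 2) == 0) passed++;              /* patched: 0 */
    if (signature_accepted(emulate_r0(img + 8, 2))) passed++;
    if (find_rsa_fail(img, sizeof img) == -1) passed++;     /* pattern gone */
    return passed;
}

int main(void) {
    printf("unpatched fail path: R0 = %d, accepted = %d\n",
           emulate_r0(FAIL_SEQ, 2), signature_accepted(emulate_r0(FAIL_SEQ, 2)));
    printf("patched   fail path: R0 = %d, accepted = %d\n",
           emulate_r0(PATCHED_SEQ, 2), signature_accepted(emulate_r0(PATCHED_SEQ, 2)));
    printf("scenario steps passing: %d/8\n", run_scenario());
    return 0;
}
```

The -2 result from find_rsa_fail is the check a practitioner wants before touching a real image: a four-byte pattern is short, and patching every occurrence of it would corrupt code that merely happens to negate R0. On a real image you would additionally pin the expected offset from a known-good disassembly rather than rely on the search alone.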

DeviceTree

This patch changes two DeviceTree properties, "secure-root-prefix" and "function-disable_keys". It seems that you could bypass this patch by simply patching the iBoot flags to 0xffffffff, but I have personally never verified that the decrypted KBAG was correct, so anyone who is feeling adventurous and wants to verify, please do.

Kernel

I haven't really looked into this too far, but I know that the kernel is patched for code signing, as well as a write-and-execute patch to allow add-ons such as Mobile Substrate to execute on / at the kernel.