Difference between revisions of "Research: Pwnage Patches"

From The iPhone Wiki
Jump to: navigation, search
Line 29: Line 29:
 
ROM:180058C6 ; Unpwned iBoot will
 
ROM:180058C6 ; Unpwned iBoot will
   
As you can see from my comments, it makes it so that it does not jump. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see the fact that a pwned iBoot will not jump to 0x18005942, and an unpwned iBoot will not. This kind of interests me here, because with a Branch statement, usually you would be able to get around something that you want to by changing a certain Branch from BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that...probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done.
+
As you can see from my comments, it makes it so that it does not jump. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see the fact that a pwned [[iBoot]] will not jump to 0x18005942, and an unpwned [[iBoot]] will not. This kind of interests me here, because with a Branch statement, usually you would be able to get around something that you want to by changing a certain Branch from BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that...probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done. You may say "But Chronic, why not just NOP the BNE? Isn't that easier?". Well, for some reason, more than a few times, a check is made to see if R0 = 0 throughout the routine that the patch makes us not skip. Also, I might be missing something, and there could be an important reason for them to have R0 = 0. Whatever the case is, even if they don't have an important reason, 1 patch for the '''entire file''' is better than doing, well, anything more than 1 patch in this case :)
   
== Lockdownd ==
+
== 2.0 (5A347) [[Lockdownd]] ==
This may actually confuse some people. You see, there is 'technically' two patches, but in reality, there is only one. The second one is the rehashed signature done with ldid, because you must remember that this is a userland binary, not a higher up one like the iBoot, which resides in the NOR. These files on the main filesystem must cohere to the demands of the kernel, and according to a devteam member, the patches to not require this were to complex and it would just be much easier to use ldid to take care of it. So that is what they did here. They took the original file, then one with the one patch that they needed, rehashed the patched one, BsDiff'd them, and then as you can now tell, the .patch tile contains the actual patch + the new sig :)
+
This may actually confuse some people. You see, there is 'technically' two patches, but in reality, there is only one. The second one is the rehashed signature done with ldid, because you must remember that this is a userland binary, not a lower level one like the [[iBoot]], which resides in the [[NOR]]. These files on the main filesystem must cohere to the demands of the [[kernel]], and according to a [[devteam]] member, the patches to not require this were to complex and it would just be much easier to use ldid to take care of it. So that is what they did here. They took the original file, then one with the one patch that they needed, rehashed the patched one, BsDiff'd them, and then as you can now tell, the .patch tile contains the actual patch + the new sig :)
   
(Be back in a little bit with actual snippets from IDA showing the actual patch done)
+
(Be back in a little bit with actual snippets from IDA showing the actual patch done, I want to go through the actual low level stuff first)

Revision as of 20:43, 2 August 2008

If you have IDA Pro and you are at least semi-handy with ARM please contribute :)

Thanks to CPICH for helping out!

2.0 (5A347) iBoot

Patched Area

There is only 1 patch made to the iBoot, iBEC, iBSS, and WTF.n82ap. They are all iBoots, pretty much, so I am going to assume that they all have this same patch for the same reason. Please feel free to correct this if this is not true.

Here is a snippet of it from IDA:

ROM:1800587C 01 20                       MOVS    R0, #1          ; R1 = 1
ROM:1800587E 40 42                       NEGS    R0, R0          ; PWNAGE PATCH
ROM:1800587E                                                     ; Change 40 42 > 00 20
ROM:1800587E                                                     ; That will make it:
ROM:1800587E                                                     ; MOVS R0 = #0
ROM:1800587E                                                     ;
ROM:1800587E                                                     ; R0 (unpatched) = -1
ROM:1800587E                                                     ; R0 (patched) = 0

Why does this help us?

Well, this is a bit later on...

ROM:180058C4 00 28                       CMP     R0, #0          ; Does R0 = 0?
ROM:180058C6 3C D1                       BNE     loc_18005942    ; if R0 does not = 0
ROM:180058C6                                                     ;    jump to 0x18005942
ROM:180058C6                                                     ;
ROM:180058C6                                                     ; Pwned iBoot not jump
ROM:180058C6                                                     ; Unpwned iBoot will

As you can see from my comments, it makes it so that it does not jump. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see the fact that a pwned iBoot will not jump to 0x18005942, and an unpwned iBoot will not. This kind of interests me here, because with a Branch statement, usually you would be able to get around something that you want to by changing a certain Branch from BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that...probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done. You may say "But Chronic, why not just NOP the BNE? Isn't that easier?". Well, for some reason, more than a few times, a check is made to see if R0 = 0 throughout the routine that the patch makes us not skip. Also, I might be missing something, and there could be an important reason for them to have R0 = 0. Whatever the case is, even if they don't have an important reason, 1 patch for the entire file is better than doing, well, anything more than 1 patch in this case :)

2.0 (5A347) Lockdownd

This may actually confuse some people. You see, there is 'technically' two patches, but in reality, there is only one. The second one is the rehashed signature done with ldid, because you must remember that this is a userland binary, not a lower level one like the iBoot, which resides in the NOR. These files on the main filesystem must cohere to the demands of the kernel, and according to a devteam member, the patches to not require this were to complex and it would just be much easier to use ldid to take care of it. So that is what they did here. They took the original file, then one with the one patch that they needed, rehashed the patched one, BsDiff'd them, and then as you can now tell, the .patch tile contains the actual patch + the new sig :)

(Be back in a little bit with actual snippets from IDA showing the actual patch done, I want to go through the actual low level stuff first)