Research: Pwnage Patches

From The iPhone Wiki
Revision as of 20:21, 2 August 2008 by ChronicDev (talk | contribs)

If you have IDA Pro and you are at least semi-handy with ARM, please contribute :)

Thanks to CPICH for helping out!

2.0 (5A347) iBoot

Patched Area

There is only 1 patch made to the iBoot, iBEC, iBSS, and WTF.n82ap. They are all iBoots, pretty much, so I am going to assume that they all have this same patch for the same reason. Please feel free to correct this if this is not true.

Here is a snippet of it from IDA:

ROM:1800587C 01 20                       MOVS    R0, #1          ; R0 = 1
ROM:1800587E 40 42                       NEGS    R0, R0          ; PWNAGE PATCH
ROM:1800587E                                                     ; Change 40 42 > 00 20
ROM:1800587E                                                     ; That will make it:
ROM:1800587E                                                     ; MOVS R0, #0
ROM:1800587E                                                     ;
ROM:1800587E                                                     ; R0 (unpatched) = -1
ROM:1800587E                                                     ; R0 (patched) = 0

Why does this help us?

Well, this is a bit later on...

ROM:180058C4 00 28                       CMP     R0, #0          ; Does R0 = 0?
ROM:180058C6 3C D1                       BNE     loc_18005942    ; if R0 does not = 0
ROM:180058C6                                                     ;    jump to 0x18005942
ROM:180058C6                                                     ;
ROM:180058C6                                                     ; Pwned iBoot will not jump
ROM:180058C6                                                     ; Unpwned iBoot will

As you can see from my comments, the patch makes it so that the branch is not taken. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see that a pwned iBoot will not jump to 0x18005942, while an unpwned iBoot will. This interests me, because with a branch you can usually get around a check by changing a certain branch from BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that... probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done.
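To check the reasoning above, here is an added example (not code from the wiki or from ChronicDev) that decodes the four Thumb-16 halfwords quoted in the listing and walks them with the original bytes and with the 00 20 patch, showing what reaches the CMP/BNE and where execution goes next. It assumes, as the page does, that nothing between 0x1800587E and 0x180058C4 modifies R0.

```python
import struct

def decode_thumb16(hw):
    """Decode only the Thumb-16 encodings that appear in the listing above."""
    if hw >> 11 == 0b00100:                      # MOVS Rd, #imm8  (bits 10-8 = Rd)
        return ("MOVS", (hw >> 8) & 7, hw & 0xFF)
    if hw >> 11 == 0b00101:                      # CMP Rn, #imm8   (bits 10-8 = Rn)
        return ("CMP", (hw >> 8) & 7, hw & 0xFF)
    if hw >> 6 == 0b0100001001:                  # NEGS Rd, Rn: Rd = 0 - Rn
        return ("NEGS", hw & 7, (hw >> 3) & 7)
    if hw >> 8 == 0b11010001:                    # BNE <label>, imm8 in the low byte
        return ("BNE", hw & 0xFF)
    raise ValueError(f"unhandled halfword {hw:#06x}")

def branch_target(addr, imm8):
    """Thumb B<cond>: PC reads as addr + 4; offset is sign-extended imm8 * 2."""
    off = imm8 - 0x100 if imm8 & 0x80 else imm8
    return (addr + 4 + off * 2) & 0xFFFFFFFF

def run(listing):
    """listing: [(address, 2 little-endian bytes)]. Returns (R0, taken, next_pc)."""
    r0 = z = None
    for addr, raw in listing:
        (hw,) = struct.unpack("<H", raw)         # bytes on the page are little-endian
        ins = decode_thumb16(hw)
        if ins[0] == "MOVS" and ins[1] == 0:
            r0 = ins[2]
        elif ins[0] == "NEGS" and ins[1] == 0:
            r0 = (0 - r0) & 0xFFFFFFFF           # 1 -> 0xFFFFFFFF, i.e. -1
        elif ins[0] == "CMP" and ins[1] == 0:
            z = ((r0 - ins[2]) & 0xFFFFFFFF) == 0
        elif ins[0] == "BNE":
            taken = not z
            return r0, taken, (branch_target(addr, ins[1]) if taken else addr + 2)
    raise RuntimeError("listing ended before the branch")

# Addresses and bytes exactly as shown in the IDA snippets on this page.
ORIGINAL = [(0x1800587C, b"\x01\x20"), (0x1800587E, b"\x40\x42"),
            (0x180058C4, b"\x00\x28"), (0x180058C6, b"\x3C\xD1")]
# Same listing with 40 42 replaced by 00 20 at 0x1800587E.
PATCHED = [(a, b"\x00\x20" if a == 0x1800587E else b) for a, b in ORIGINAL]

if __name__ == "__main__":
    for name, lst in (("unpatched", ORIGINAL), ("patched", PATCHED)):
        r0, taken, nxt = run(lst)
        print(f"{name}: R0={r0:#010x}, BNE {'taken' if taken else 'not taken'} -> {nxt:#x}")
```

The unpatched run lands on 0x18005942 (confirming the BNE offset 0x3C decodes to the address IDA shows), and the patched run falls through to 0x180058C8.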

Lockdownd