SHA-1 Image Segment Overflow

From The iPhone Wiki

Revision as of 11:46, 2 January 2012

SHAtter was an exploit that allowed unsigned code execution through a flaw in the bootrom. It was never used in a public jailbreak because the exploit used in limera1n was released first. SHAtter was patched in A5 devices and was therefore never released.

Compatibility

SHAtter only works with A4 devices:

Credit

Vulnerability

Explanation by p0sixninja at MyGreatFest:

It tricked the bootrom into thinking the size of the image being uploaded was larger than what it actually was. Then when it would try to load the image, it would see that it was wrong. Then it would try to wipe out the entire image with all zeros and go past it and start wiping out the bootrom.

Exploitation was done by overwriting the SHA-1 registers with zeros, so then when it went to check images it would copy part of the image into memory address zero (where the bootrom is). It would take the image uploaded and copy it over the top of the bootrom (which turns out to be writable over the data portion).
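The first half of that description, a loader that trusts a header-declared image size and then wipes that many bytes when validation fails, is shown below as an added simulation. It is not the bootrom's code, not p0sixninja's, and not the real A4 memory layout: the struct, the header field, the magic bytes and the adjacency of the staging buffer and the region standing in for writable bootrom data are all assumptions chosen so that the overrun is visible. The SHA-1 register trick from the second half is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated memory map (an assumption, not the real A4 layout): the image
 * staging buffer is immediately followed by a region that stands in for the
 * writable bootrom data the talk mentions, so a wipe that runs past the end
 * of the buffer lands in rom_data. */
#define IMAGE_BUF_SIZE  64
#define ROM_DATA_SIZE   32
#define ROM_CANARY      0xA5

struct sim_mem {
    uint8_t image_buf[IMAGE_BUF_SIZE];
    uint8_t rom_data[ROM_DATA_SIZE];
};

/* Hypothetical upload header: the attacker controls declared_size. */
struct image_header {
    uint32_t declared_size;
};

static const uint8_t IMAGE_MAGIC[4] = { 'I', 'M', 'G', '1' };  /* assumed magic */

static void sim_reset(struct sim_mem *m)
{
    memset(m->image_buf, 0x11, sizeof m->image_buf);
    memset(m->rom_data, ROM_CANARY, sizeof m->rom_data);
}

/* 1 if the simulated bootrom data is untouched, 0 if anything overwrote it. */
static int rom_data_intact(const struct sim_mem *m)
{
    for (size_t i = 0; i < ROM_DATA_SIZE; i++)
        if (m->rom_data[i] != ROM_CANARY)
            return 0;
    return 1;
}

/* Stand-in for the image check: accept only images carrying the magic. */
static int image_valid(const uint8_t *img, size_t len)
{
    return len >= sizeof IMAGE_MAGIC && memcmp(img, IMAGE_MAGIC, sizeof IMAGE_MAGIC) == 0;
}

/* Vulnerable loader: the length used for the failure-path wipe comes from the
 * header, so a declared_size larger than the staging buffer zeroes memory
 * beyond it. Returns 0 when the image is rejected, 1 when accepted. */
static int load_image_vulnerable(struct sim_mem *m, const struct image_header *h,
                                 const uint8_t *data, size_t received)
{
    uint8_t *stage = (uint8_t *)m + offsetof(struct sim_mem, image_buf);
    size_t n = received < IMAGE_BUF_SIZE ? received : IMAGE_BUF_SIZE;

    memcpy(stage, data, n);
    if (!image_valid(stage, n)) {
        memset(stage, 0, h->declared_size);  /* BUG: not bounded by the buffer */
        return 0;
    }
    return 1;
}

/* Hardened loader: reject a declared size larger than what was actually
 * received or than the staging buffer before touching memory.
 * Returns -1 on a bad header, 0 on a rejected image, 1 on success. */
static int load_image_hardened(struct sim_mem *m, const struct image_header *h,
                               const uint8_t *data, size_t received)
{
    if (h->declared_size > received || h->declared_size > IMAGE_BUF_SIZE)
        return -1;
    memcpy(m->image_buf, data, h->declared_size);
    if (!image_valid(m->image_buf, h->declared_size)) {
        memset(m->image_buf, 0, h->declared_size);  /* bounded by the check above */
        return 0;
    }
    return 1;
}

/* Constructed upload: 32 bytes of junk whose header claims 80 bytes. */
static const uint8_t BAD_IMAGE[32] = { 0xCC };
static const struct image_header BAD_HEADER = { IMAGE_BUF_SIZE + 16 };

/* Returns 1 if the vulnerable loader rejected the image and wiped into rom_data. */
int demo_vulnerable_corrupts_rom(void)
{
    struct sim_mem m;
    sim_reset(&m);
    return load_image_vulnerable(&m, &BAD_HEADER, BAD_IMAGE, sizeof BAD_IMAGE) == 0
        && !rom_data_intact(&m);
}

/* Returns 1 if the hardened loader refused the header and rom_data survived. */
int demo_hardened_preserves_rom(void)
{
    struct sim_mem m;
    sim_reset(&m);
    return load_image_hardened(&m, &BAD_HEADER, BAD_IMAGE, sizeof BAD_IMAGE) == -1
        && rom_data_intact(&m);
}

int main(void)
{
    printf("vulnerable loader wiped into rom_data: %s\n", demo_vulnerable_corrupts_rom() ? "yes" : "no");
    printf("hardened loader kept rom_data intact:  %s\n", demo_hardened_preserves_rom() ? "yes" : "no");
    return 0;
}
```

The point the simulation makes is that the dangerous operation is not the copy of the (short) upload but the error path: a wipe whose length is taken from attacker-controlled metadata rather than from the bound of the buffer being cleaned. The hardened loader checks the declared size against both the bytes actually received and the buffer capacity before any write.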