|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Talk:ARM7 Go"
| Line 92: | Line 92: | ||
Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it. |
Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it. |
||
| + | |||
| + | Theres one thing to be said for finding a vuln and seeing it crash, sure, thats usually not where the skill is and I'm not sure how much credit it deserves. But after an exploit is out using the vuln, it's a lot easier to get yourself to write another exploit since you have confirmation that the vuln is exploitable. The iBoot envvar one happened to be reasonably easy to find yet reasonably hard to exploit. If you really had your exploit working pre ra1n then props. But if you wrote an exploit post ra1n it's a lot easier knowing that this vuln can work. --[[User:Geohot|geohot]] 18:44, 7 July 2009 (UTC) |
||
Revision as of 18:44, 7 July 2009
Contents
My Payload
(Since RedSn0w will be out any day, this is just for the hell of it :)
If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, it's payload, and program almost completed.
@ ipod touch 2G ibss 2.1.1 patcher
@ by chronic with some gas help from ius
@
@ assemble this with gas
.section .text
.global _start
_start:
stmdb sp!, {r0-r6}
ldr r0, =rangePatch
ldr r1, =permsPatch
ldr r2, =sigchPatch
ldr r3, =sigchecLoc
ldr r4, =permschLoc
ldr r6, =rangechLoc
strh r1, [r4]
strh r0, [r6]
strh r2, [r3]
ldmia sp!, {r0-r6}
mov pc, lr
.section .data
sigchecLoc: .word 0x2200F2FE
permschLoc: .word 0x2200C330
rangechLoc: .word 0x2200C3A6
rangePatch: .hword 0x0120
permsPatch: .hword 0x0124
sigchPatch: .hword 0x0020
ChronicDev 19:45, 16 January 2009 (UTC)
Chronic, I may have found the way to use arm7_go
Try to add the size of your payload just before it as an 32bit integer.
1. without size :
I assembled your payload with gas then tried to upload it at 0x09000000 and start arm7_go. It did nothing.
2. with size before : 0x00000048 then your payload uploaded at 0x09000000.
arm7_go => it crashed my ipod 2G.
I hope it can help. I am continuing my reasearches.
How do you pass the bootrom RSA checks?
I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?
RE: How do you pass the bootrom RSA checks?
I do not know how it is done, but taking the screenshot on the latest devteam blog post, they have found a way to do so.
RE: RE: How do you pass the bootrom RSA checks?
Okay, as to MuscleNerd's redsn0w demo, it's pretty yellowsn0w like - you have to let the bootrom sigchecks pass, and then use the exploit every time the device boots. Pretty annoying, but that's the only option without a way to pass bootrom sigchecks.
Wel...
They noted they are looking for a way around that.
We may have something!
I tried what iPod2G said.
Now, after running my payload...well...things are acting really WEIRD. the first time I tried,it crashed, and now...
http://pastie.org/private/gpsvfcve6yqnm3uk4qzouq
mdb is messed up. Oh, and my screen turned blue for some reason.
Just tried again, and it turned green :O
Vulnerability vs. Exploit and Credits
@Chronic: I'm fine with you adding that you found it independently, but you have to be careful with the wording in general. It seems there are a great deal of misusages of the word "exploit" vs. vulnerability in this community. So if you don't mind, I'd like to clarify:
A vulnerability is the actual bug/security hole, whereas an exploit is the actual implementation which allows one to exploit the vulnerability.
For instance in the following sentence from the wiki: "The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go", the word "exploit" is not used properly. You are here talking about the vulnerability, not the exploit.
In my opinion, credits for vulnerability and exploit should be separated in general (I'm not talking about this one in particular, but I'm talking about vuln/exploit in general). One can find a vulnerability without exploiting it (because he doesn't want to, doesn't have the time, or it's too complicated and he doesn't manage actually to exploit it), and likewise someone can implement an actual exploit without discovering the initial vulnerability. IMHO, most of the time, the exploit is where the skills really are, because it's one thing to understand why something is a security vulnerability, it's often another to make it actually real with a POC code (because of sanity checks, checking, filters and so on). Although sometimes, I do agree that finding the vulnerability itself requires mad skillz (as an example, prop' to Bleichenbacher for finding his RSA attack), it is my belief that most of the time, the exploit is where the difficulty lies.
Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it.
Theres one thing to be said for finding a vuln and seeing it crash, sure, thats usually not where the skill is and I'm not sure how much credit it deserves. But after an exploit is out using the vuln, it's a lot easier to get yourself to write another exploit since you have confirmation that the vuln is exploitable. The iBoot envvar one happened to be reasonably easy to find yet reasonably hard to exploit. If you really had your exploit working pre ra1n then props. But if you wrote an exploit post ra1n it's a lot easier knowing that this vuln can work. --geohot 18:44, 7 July 2009 (UTC)
