Talk:ARM7 Go

From The iPhone Wiki
Revision as of 17:15, 7 July 2009 by IZsh (talk | contribs)
Jump to: navigation, search

My Payload

(Since RedSn0w will be out any day, this is just for the hell of it :)

If anyone has any ideas and would like to mess around with this hack, here is some code that (should) patch a 2.1.1 iBSS that you loaded, in memory. Again, just for fun, as the dev team probably has redsn0w, it's payload, and program almost completed.

@ ipod touch 2G ibss 2.1.1 patcher
@ by chronic with some gas help from ius
@
@ assemble this with gas

.section .text
   .global _start
   _start:
      stmdb sp!, {r0-r6}
      ldr r0, =rangePatch
      ldr r1, =permsPatch
      ldr r2, =sigchPatch
      ldr r3, =sigchecLoc
      ldr r4, =permschLoc
      ldr r6, =rangechLoc
      strh r1, [r4]
      strh r0, [r6]
      strh r2, [r3]
      ldmia sp!, {r0-r6}
      mov pc, lr

.section .data
   sigchecLoc: .word 0x2200F2FE
   permschLoc: .word 0x2200C330
   rangechLoc: .word 0x2200C3A6
   rangePatch: .hword 0x0120
   permsPatch: .hword 0x0124
   sigchPatch: .hword 0x0020

ChronicDev 19:45, 16 January 2009 (UTC)

Chronic, I may have found the way to use arm7_go

Try to add the size of your payload just before it as an 32bit integer.

1. without size :

 I assembled your payload with gas then tried to upload it at 0x09000000 and start arm7_go.
 It did nothing.

2. with size before : 0x00000048 then your payload uploaded at 0x09000000.

 arm7_go => it crashed my ipod 2G.

I hope it can help. I am continuing my reasearches.

~pod2g

How do you pass the bootrom RSA checks?

I've noticed that the exploit is at the iBoot level. So how do you (or the Dev-Team) pass the bootrom RSA checks?

~Oranav

RE: How do you pass the bootrom RSA checks?

I do not know how it is done, but taking the screenshot on the latest devteam blog post, they have found a way to do so.

RE: RE: How do you pass the bootrom RSA checks?

Okay, as to MuscleNerd's redsn0w demo, it's pretty yellowsn0w like - you have to let the bootrom sigchecks pass, and then use the exploit every time the device boots. Pretty annoying, but that's the only option without a way to pass bootrom sigchecks.

~Oranav

Wel...

They noted they are looking for a way around that.

We may have something!

I tried what iPod2G said.

Now, after running my payload...well...things are acting really WEIRD. the first time I tried,it crashed, and now...

http://pastie.org/private/gpsvfcve6yqnm3uk4qzouq

mdb is messed up. Oh, and my screen turned blue for some reason.

Just tried again, and it turned green :O

@Chronic: I'm fine with you adding that you found it independently, but you have to be careful with the wording in general. It seems there are a great deal of misusages of the word "exploit" vs. vulnerability in this community. So if you don't mind, I'd like to clarify:

A vulnerability is the actual bug/security hole, whereas an exploit is the actual implementation which allows one to exploit the vulnerability.

For instance in the following sentence from the wiki: "The actual exploit is that, in the iPod Touch 2G 2.1.1 firmware, they left behind two commands: arm7_stop and arm7_go", the word "exploit" is not used properly. You are here talking about the vulnerability, not the exploit.

In my opinion, credits for vulnerability and exploit should be separated in general (I'm not talking about this one in particular, but I'm talking about vuln/exploit in general). One can find a vulnerability without exploiting it (because he doesn't want to, doesn't have the time, or it's too complicated and he doesn't manage actually to exploit it), and likewise someone can implement an actual exploit without discovering the initial vulnerability. IMHO, most of the time, the exploit is where the skills really are, because it's one thing to understand why something is a security vulnerability, it's often another to make it actually real with a POC code (because of sanity checks, checking, filters and so on). Although sometimes, I do agree that finding the vulnerability itself requires mad skillz (as an example, prop' to Bleichenbacher for finding his RSA attack), it is my belief that most of the time, the exploit is where the difficulty lies.

Anyway, I think this page contains misusage of the word exploit, and other pages too, and I just wanted to point it.