Difference between revisions of "Talk:Research: Pwnage Patches"

From The iPhone Wiki
Jump to: navigation, search
(isha / ldid: new section)
Line 34: Line 34:
   
 
it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.
 
it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.
  +
  +
== 2G DeviceTree ==
  +
  +
It seems that this was never patched until redsn0w QuickPwn.
  +
What exactly is the patch made to allow LogoMe to work?
  +
I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.

Revision as of 21:14, 13 April 2009

Kernel and ramdisk patches

Anyone care to share what is patched?

yup

ramdisk:

asr - patch out rootfs SHA1 check

restored_external - patch wiping routine

kernel:

haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.

Thanks

Do you know how the new codesign is added yet? I notice you think they didn't use ldid. It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.

patches

patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.

hashes

What are you taking the hash of? For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16). The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious). If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020). The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.

isha / ldid

it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.

2G DeviceTree

It seems that this was never patched until redsn0w QuickPwn. What exactly is the patch made to allow LogoMe to work? I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.