Difference between revisions of "Talk:Research: Pwnage Patches"

From The iPhone Wiki
Jump to: navigation, search
m
 
(57 intermediate revisions by 8 users not shown)
Line 1: Line 1:
  +
== Kernel and ramdisk patches ==
What is more important, is the code before 1800587C.
 
  +
Anyone care to share what is patched?
   
  +
== yup ==
Compilers translate actions like
 
   
  +
'''ramdisk''':
:if (condition is good)
 
::then
 
   
  +
'''asr''' - patch out rootfs SHA1 check
into conditional jumps. What you can see with the MOV and NEG is most probably the result of a failed condition (-1) (or failed function result). Afterwards it depends on the compiler, how it further treats the result.
 
   
  +
'''restored_external''' - patch wiping routine
Maybe the original pseudo code is as follows:
 
   
  +
'''kernel''':
sig_check_result = do_check(important args);
 
...
 
if (sig_check_result == 0)
 
everything goes fine ...
 
...
 
a.s.o
 
   
  +
haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.
So the question is, why it goes to the branch where R0 is set to -1 (patch 0) and what conditional branches lead to this code position? And the even more important question is, what is the underlying pseudo code?
 
   
  +
== Thanks ==
'''And the even more important question is, why is it really necessary to do reverse engineering of reverse engineering?? Could be much more simple the questions are answered by some people that tend to mystify some things... </sarcasm>'''
 
  +
Do you know how the new codesign is added yet?
  +
I notice you think they didn't use ldid.
  +
It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.
  +
  +
== patches ==
  +
  +
patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.
  +
  +
== hashes ==
  +
  +
What are you taking the hash of?
  +
For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16).
  +
The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious).
  +
If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020).
  +
The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.
  +
  +
== isha / ldid ==
  +
  +
it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.
  +
  +
== 2G DeviceTree ==
  +
  +
It seems that this was never patched until redsn0w QuickPwn.
  +
What exactly is the patch made--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC) to allow LogoMe to work?
  +
I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.
  +
  +
:disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? [[User:ChronicDev|ChronicDev]] 23:44, 13 April 2009 (UTC)
  +
  +
::I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
  +
::I patched function-disable_keys at 0x3534, though.--[[User:James|James]] 00:10, 14 April 2009 (UTC)
  +
  +
:::you somehow used the wrong IV probably, double check that [[User:ChronicDev|ChronicDev]] 02:00, 14 April 2009 (UTC)
  +
  +
::::I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --[[User:James|James]] 02:03, 14 April 2009 (UTC)
  +
  +
  +
:::::Err, James. How do you know the DeviceTree patches are not working if you do not have a 2G to get the keys from?--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)
  +
  +
::::::I've had other people test them for me. I always thought it was fishy that there was what was seemingly garbage at the beginning of the file, but went with it anyways and made the patch I could. The resulting image would never work, so I knew there must be either another patch or I did it wrong. --[[User:James|James]] 02:29, 14 April 2009 (UTC)
  +
  +
:::::::Ahh ok. You should have someone independently verify the keys of that DeviceTree, because as chronic said that IV is most likely incorrect.--[[User:Cool name|Cool name]] 02:39, 14 April 2009 (UTC)
  +
  +
::::::::I most certainly remember there being a slip up with the devtree key, my bad, we never fixed that. if you can, in the meantime, use planet's crypto bundle to get the right IV
  +
  +
:::::::::Yeah, that's what I plan on having someone do. It's really weird though, we correctly decrypted 3.0b2 keys on the device with a seemingly bad DeviceTree flashed. It only had disable_keys patched out and garbage at the beginning iirc. Weird stuff. I'll comment the page with the correct IV when it's found though so you can edit it in. I'm kind of making this wiki a chat though, so I'll stop the edits. --[[User:James|James]] 03:00, 14 April 2009 (UTC)

Latest revision as of 03:00, 14 April 2009

Kernel and ramdisk patches

Anyone care to share what is patched?

yup

ramdisk:

asr - patch out rootfs SHA1 check

restored_external - patch wiping routine

kernel:

haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.

Thanks

Do you know how the new codesign is added yet? I notice you think they didn't use ldid. It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.

patches

patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.

hashes

What are you taking the hash of? For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16). The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious). If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020). The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.

isha / ldid

it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.

2G DeviceTree

It seems that this was never patched until redsn0w QuickPwn. What exactly is the patch made--Cool name 02:24, 14 April 2009 (UTC)--Cool name 02:24, 14 April 2009 (UTC) to allow LogoMe to work? I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.

disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? ChronicDev 23:44, 13 April 2009 (UTC)
I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
I patched function-disable_keys at 0x3534, though.--James 00:10, 14 April 2009 (UTC)
you somehow used the wrong IV probably, double check that ChronicDev 02:00, 14 April 2009 (UTC)
I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --James 02:03, 14 April 2009 (UTC)


Err, James. How do you know the DeviceTree patches are not working if you do not have a 2G to get the keys from?--Cool name 02:24, 14 April 2009 (UTC)
I've had other people test them for me. I always thought it was fishy that there was what was seemingly garbage at the beginning of the file, but went with it anyways and made the patch I could. The resulting image would never work, so I knew there must be either another patch or I did it wrong. --James 02:29, 14 April 2009 (UTC)
Ahh ok. You should have someone independently verify the keys of that DeviceTree, because as chronic said that IV is most likely incorrect.--Cool name 02:39, 14 April 2009 (UTC)
I most certainly remember there being a slip up with the devtree key, my bad, we never fixed that. if you can, in the meantime, use planet's crypto bundle to get the right IV
Yeah, that's what I plan on having someone do. It's really weird though, we correctly decrypted 3.0b2 keys on the device with a seemingly bad DeviceTree flashed. It only had disable_keys patched out and garbage at the beginning iirc. Weird stuff. I'll comment the page with the correct IV when it's found though so you can edit it in. I'm kind of making this wiki a chat though, so I'll stop the edits. --James 03:00, 14 April 2009 (UTC)