--http 21:42, 4 May 2010 (UTC)
I'd love to see a technical writeup of everything, although I don't blame you if you don't. I'm lazy about those things too. As far as trying to keep it secret from Apple, I don't feel theres a point, they'll find it no matter what we do.
--geohot 14:02, 5 May 2010 (UTC)
I have started reverse engineering Spirit and making some UML(like) data flow and function diagrams. The problem is that I am guessing at too many things since I did not wana post anything and have someone get pissed it was out there. I am up for putting a formal brief together if others want to collaborate. I would imagine as Geohot said, that apple had this disassembled before the .tar was dry. Not to mention that they are not just looking for the exploit that was used (since they most likely had a whiteboard full of potentials during design) , they are looking for copyright violations and their stollen code in every bit of its bits.
--KodeSlinger 16:31, 5 May 2010 (UTC)
Meh, as mentioned on spiritjb.com, once Apple has shown that they've fixed it, the source will be released anyway. - MuscleNerd
@MuscleNerd - I started working on it BS (Before Spirit :) ), to create a centralized location that dynamically maps (HW/FW/SW) physical and logical drawings together. My thought was something like this wiki on crack. Ideally to generate functional diagrams of the idevice that act as a starting point to link to more detailed sections pertaining to that functions exploits, related functions, and source code samples(or any other data). Since I am new to this community I have been trying to organize this data for my own brain, and thought others might use it. I will post some screen shots later. The more organized we are the easier it will be to exploit the next vulnerability. --KodeSlinger 20:11, 5 May 2010 (UTC)
Oh hah, cool :) If you do that though, obviously you shouldn't go overboard and start publicly discussing variations of this that would help Apple close other holes yet to be exploited (it sounds like your well-versed enough to do that!) - MuscleNerd
@MuscleNerd - Hah; yeah obviously cool kidz only lol --KodeSlinger 21:08, 5 May 2010 (UTC)
I just started reversing Spirit and thought I'd share what I learned so far in hopes of hearing more from others.
Spirit.exe extracts a bunch of files into a temp directory as follows:
+ Documents and Settings/<User>/Local Settings/spiritxxx | + - dl | | | + - dl.exe | + - igor | | | + - 2dcde0a77381d24b7c02ac0cf7f714434c4ccdcf.dylib | + - 3e404d11fcbd5486d3be2dd86ce21316e1854842.dylib | + - 74227c0021c5e12effb5bd3175eb469a8df0622e.dylib | + - b735701843456754988021d128c2671ee36d1b04.dylib | + - f6c17e934ba0ad477812de0b7cb019396d259d93.dylib | + - install | + - map.plist | + - resources | + - 320x480.jpg + - 1024x768.jpg + - overrides.plist + - icon.ico
Spirit.exe is simply a GUI wrapper for dl.exe, which does the heavy lifting and is written using the cross-platform library CoreFoundation.dll. Dl.exe uses the iTunes DLL to get access to the iDevice, registering a callback function through AMDeviceNotificationSubscribe. The callback function launches a thread, which uploads 4 files as follows:
- One of the dylibs (depending on the iDevice version?) is uploaded as /var/mobile/Media/spirit/one.dylib
- The Mach-O ARM executable "install" is uploaded as /var/mobile/Media/spirit/install
- The Spirit.exe is uploaded as /var/mobile/Media/spirit/freeze.tar.xz
- One of the jpgs is uploaded as /var/mobile/Media/spirit/bg.jpg
After the files are uploaded, the upload thread signals to the main thread that the files are ready. The main thread then sends over two plists (shown at the end of the log below) via MobileBackup.
As I've only just started looking at this, and I'm also new to the iPhone scene, I have lots of questions.
- Is the MobileBackup interface documented anywhere? Was it used in other jb tools before Spirit?
- Why is Spirit.exe uploaded to the iDevice as freeze.tar.xz?
- What purpose do map.plist and overrides.plist serve?
- What are the two plists sent at the end of the transfer, and how do they allow the "install" image to be executed?
- What does install do to provide an untethered solution?
I'll post more as I learn, but it would be nice to hear if others have made more progress.
-EnohpiDesrever 16:47, 14 May 2010 (UTC)
- Don't think it's documented.
- Actually, freeze.tar.xz is tacked on to Spirit.exe, after the string 'magicmagicmagicm'. xz is http://tukaani.org/xz/
- One maps firmware version to the dylib that should be uploaded. The other is read by launchd.
- Just look at the contents of overrides.plist and the launchd source. The nefarious part is actually getting that file in the appropriate directory. (Note that overrides is only used for the initial install, because launchd spawns everything at once and the following solution ensures the exploit is run first.)
- By installing itself as /usr/lib/libgmalloc.dylib. To quote saurik: "if you touch the file /var/db/.launchd_use_gmalloc, then the first thing launchd does is set DYLD_INSERT_LIBRARIES to /usr/lib/libgmalloc.dylib and restart itself"
--Comex 22:54, 14 May 2010 (UTC)