Talk:0x24000 Segment Overflow
I have questions. What is the LR? How do we write to the NOR?
LR is the link register. It usually contains a pointer to where the current routine is to return to. NOR is written by putting the device into DFU mode and writing to the nor0 block device using a tool like iRecovery. --posixninja 17:58, 12 March 2009 (UTC)
I rewrote the article as one geared more toward the technical/security community than hobbyists trying to manually perform the patch. My hope is that it will be more useful in this form for the linux4nano community, who are trying to jailbreak the iPod Nano 4G, which apparently uses the same SoC. --Planetbeing 07:46, 13 March 2009 (UTC)
Nice work guys. Did you use a debugger of some sort? This would be difficult without a debugger. Here's how I understand it: we overwrite pointers pointing to where and what data is written. By writing to the stack, we can overwrite the subroutine's return address (LR). The subroutine will now return to the payload. Is this correct? --paulzero 11:23, 13 March 2009 (UTC)
Answer to Paul0: Hi Paul0. No debugger at all. Only hundreds of tests to find the LR in the stack :) [thx to posixninja for the tests, planetbeing for the analysis of the tests]. --Pod2g
Patch for iTunes restore
When planetbeing says "However, MuscleNerd discovered that this could be bypassed by including the padding in another tag, such as CERT" in order to allow a restore with iTunes, is this patch included in http://iphwn.org/24kpwn.zip? In other words, if I made a virgin ipt2g, made a 2.2.1 IPSW with the bundles that are out there, and then applied the LLB patch, would I be able to successfully restore the IPSW using iTunes?
Answer: Sort of... From a virgin device, you'd have to do two separate sets of "Restores". The first will be made from a normal iBoot environment with all signature checking enabled. You will be able to restore the pwned bootloaders (LLB, iBoot) onto the NOR. The second will be made from the pwned iBoot environment, installing the pwned kernel, Cydia, and other filesystem modifications. This is because initially the ramdisk and kernel of the Restore environment have to be loaded from the non-pwned environment, because that very ramdisk and kernel set will be writing the pwned NOR. Since the ramdisk and kernel are both signature checked, the asr binary on the ramdisk cannot be altered to patch out signature checking on the root filesystem image. Therefore, any root filesystem changes will have to be made on the second round. --Planetbeing 02:22, 14 March 2009 (UTC)
Planetbeing: Thanks for the explanation, I think I understand it now. If I am correct, this exploit also hinges on the fact that the kernel does not sigcheck the stuff it writes to NOR, so it is just blindly writing images to NOR. --Cool name 02:47, 14 March 2009 (UTC)
Nice exploit and documentation. It always amazes me to see the stuff they forgot. --geohot 15:24, 14 March 2009 (UTC)
iPod touch 3G and 24kpwn
Which units have 24kpwn? The ones that don't have an "MC" model number? --Dialexio 04:11, 13 October 2009 (UTC)
Downgrade 3GS (old bootrom) without SHSH through 24kpwn
So since this is a bootrom exploit, can I use it to downgrade iPhone 3GS without shsh? --Grisolp 17:31, April 9, 2011 (UTC)
Not true. The 3GS is susceptible to the 24kpwn exploit. Only the new bootrom 3GS isn't susceptible.