Difference between revisions of "Talk:Research: Pwnage Patches"

From The iPhone Wiki
Jump to: navigation, search
(throwing it out there)
 
(41 intermediate revisions by 7 users not shown)
Line 1: Line 1:
  +
== Kernel and ramdisk patches ==
What is more important, is the code before 1800587C.
 
  +
Anyone care to share what is patched?
   
  +
== yup ==
Compilers translate actions like
 
   
  +
'''ramdisk''':
:if (condition is good)
 
::then
 
   
  +
'''asr''' - patch out rootfs SHA1 check
into conditional jumps. What you can see with the MOV and NEG is most probably the result of a failed condition (-1) (or failed function result). Afterwards it depends on the compiler, how it further treats the result.
 
   
  +
'''restored_external''' - patch wiping routine
Maybe the original pseudo code is as follows:
 
   
  +
'''kernel''':
sig_check_result = do_check(important args);
 
...
 
if (sig_check_result == 0)
 
everything goes fine ...
 
...
 
a.s.o
 
   
  +
haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.
So the question is, why it goes to the branch where R0 is set to -1 (patch 0) and what conditional branches lead to this code position? And the even more important question is, what is the underlying pseudo code?
 
   
  +
== Thanks ==
And the even more important question is, why is it really necessary to do reverse engineering of reverse engineering?? Could be much more simple the questions are answered by some people that tend to mystify some things... </sarcasm>
 
  +
Do you know how the new codesign is added yet?
  +
I notice you think they didn't use ldid.
  +
It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.
   
  +
== patches ==
said people would like to document, but most of the they're too busy using the little free time they have actually getting stuff done that people need done rather than documentation that 1% wants
 
   
  +
patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.
If it's really like this, then I retract my statement. But then I hope 'said people' catch up on everything... Missing documentation and rare information (policies) were the main causes of the foundation of this wiki.
 
   
== seriously? ==
+
== hashes ==
   
  +
What are you taking the hash of?
so wait, if you don't have the time to document it, why are you getting mad that others are? some people are interested in it...is something wrong with that? if you aren't interested, you don't have to look at this page if you don't want to. Pwnage, especially Pwnage 2.0, is especially mystifying to some people. Pumpkin, I have personally asked you if I may take a look at the individual patches to understand ARM better and to see how Pwnage works, but you politely declined my offer. I mean...if I am curious about something, and I cannot find out about it via the official creators, is it a sin for me to want to find out anyway? I really don't see what the big deal is...Apple can just as easily extract and diff the files. They would especially want to do this, come to think of it. It is only the developers that might want to find out how Pwnage really works that are in the dark.
 
  +
For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16).
  +
The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious).
  +
If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020).
  +
The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.
   
  +
== isha / ldid ==
I must say, I really like what you have done. The concept of your "Simple Unlock", it seems, you have applied to activation, and Pwnage itself. I'm not even being sarcastic. I really think it is pretty awesome.
 
   
  +
it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.
Peace,
 
[[User:ChronicDev|ChronicDev]]
 
   
  +
== 2G DeviceTree ==
   
  +
It seems that this was never patched until redsn0w QuickPwn.
This is not about me wanting to keep this stuff secret, it's about what's efficient. I've already said that we don't have time to document them, but that we'll probably eventually get around to it. It just seems like a waste of resources to have anyone who is capable of reversing what we've done actually doing so, when there are so many other things that need looking at that the devteam could never even think of having the time to do. Why reverse something that will eventually be documented when Apple's stuff is sitting there and we all know it will never be documented?
 
  +
What exactly is the patch made--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC) to allow LogoMe to work?
--pumpkin
 
  +
I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.
   
  +
:disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? [[User:ChronicDev|ChronicDev]] 23:44, 13 April 2009 (UTC)
I strongly disagree. Let's take the example of zero-g, this little application, which unlocks at least 2G capabilities for a couple of people. Several people asked for the source code. Including me. With the effect of not even getting an answer. Oh, no, there is an answer, which IMHO is extremely arrogant, something like ''if you know what's going on, it's not much different from lamesaft''. Oh, yeah, funny, funny. Lamesaft with size of ~400 bytes not much different to zero-g having ~1000 bytes. To go further, I would have to reverse the code of zero-g. Not that this is difficult, but I don't have the time and I am not amused about being forced doing so. To sum it up: A lot of people are pissed off of the dev team. And it is not, that there are no reasons for. And it's not, that the dev teams work would not be really cool. It's just behavior and communication, which is inappropiate and partially premature.
 
-caique2001-
 
   
  +
::I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
Bladox asked specifically to keep that code private. They (and we) do not wish to see more chinese crap coming out, thinking they have the ultimate solution because it worked for 2 minutes on their phone, resulting in more scams and legal risks. That network attack will be throughly documented, in due time (i.e. when it's not worth making a scam out of it any longer). And no, the previous comment wasn't really funny, it's actually very true. So rather than trying to understand how that thing works (as we stated previously, it doesn't), you should focus on other more interesting issues, such as issues that can be solved.
 
  +
::I patched function-disable_keys at 0x3534, though.--[[User:James|James]] 00:10, 14 April 2009 (UTC)
-Zf
 
   
  +
:::you somehow used the wrong IV probably, double check that [[User:ChronicDev|ChronicDev]] 02:00, 14 April 2009 (UTC)
to caique2001:
 
we realize that from the outside it must look like we're secrecy-loving clock-and-dagger assholes basking in our own knowledge, but there really are good reasons not to release stuff. when you're working against apple, whose only goal with respect to us is to patch up any vulnerabilities that are found, documenting those vulnerabilities is just making it easier for them to fix them. we don't really care if it makes us unpopular, but it means that more people can reap the benefits of the vulnerabilities for longer. a few legitimately curious people such as yourself will not have the source code, but honestly, is it that important?
 
   
  +
::::I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --[[User:James|James]] 02:03, 14 April 2009 (UTC)
:If you clearly communicate - and I interprete your statement now as having done so - this is okay. There is a tradeoff between releasing information and let people participate and keeping things closed to not let Apple know to much. Everybody understands that. But it's exactly the last phrase, which pisses people off. Was this really necessary? Who do you think you are? -caique2001-
 
   
::Pumpkin is a nice vegetable, and IMHO he just meant that having the source code isn't that important. Not that you are important, but I don't think anyone around is, so don't take it in a personal way. Zf
 
   
  +
:::::Err, James. How do you know the DeviceTree patches are not working if you do not have a 2G to get the keys from?--[[User:Cool name|Cool name]] 02:24, 14 April 2009 (UTC)
== throwing it out there ==
 
   
  +
::::::I've had other people test them for me. I always thought it was fishy that there was what was seemingly garbage at the beginning of the file, but went with it anyways and made the patch I could. The resulting image would never work, so I knew there must be either another patch or I did it wrong. --[[User:James|James]] 02:29, 14 April 2009 (UTC)
I like what Zf said. I would like to branch off one of his last statements by saying, if I am ibterested in looking into this, then why criticize me for doing so...I don't understand, no offense, but why do you criticize people and not actually correct them? for example, on URC, I was laughed at for thinking that there was a hardware method for dumping the 3G booteom. I asked them to correct me? and they "didn't want to contribute to geohots ego boost"....I mean...that is like saying that someone is stupid because they don't know where the holy grail is but you won't say where it is, except in that case you would be being arrogant
 
   
  +
:::::::Ahh ok. You should have someone independently verify the keys of that DeviceTree, because as chronic said that IV is most likely incorrect.--[[User:Cool name|Cool name]] 02:39, 14 April 2009 (UTC)
No, that's just saying that my contributions here will be limited to drama & troll, because that place was biaised against the dev team from day one (see initial blog post, Constitution and subsequent revisions), so I don't see why I should feel welcome here, nor be useful.
 
- Zf
 
:From a more 'outside' point of view: I did never feel this placed was biased against the dev team. It was just about letting people know what's going on and what's behind the scene. Something which was missing on dev teams site. Again: Clear communication is people's friend. You could have said, ''this'' is what we give you and ''the other stuff'' we are keeping secret, for ''these'' reasons. But looking on your blog was often looking on a mystified place. Giving a feeling of people self-praising themselves. And exactly this has been stopped by theiphonewiki. So it was not ''biased'' against dev team, but furthermore a correction of misled communication policies. To give an another example: Even now, your progress concerning 3G software unlock is not quite clear. What's wrong in communicating you could not run patched code? Do you fear disappointing people? You should focus on people that could work at the same level like you if they would belong to the ''inner circle''. Clearly communicate to them. They are not just 'curious', they could speed up progress. You don't want this, that's fine. But don't think you're better than the ordinary world. -caique2001-
 
:: Well it is biaised. See how the blog post began "I see a real problem with the iPhone hacking community. Most of the knowledge about the iPhone is somewhere within the dev team". How can you get more biaised than that, and why is it a problem btw ? To refer to your previous sentence, who do you think you are to dictate our agenda and the how and when people should document their work ? I have no problem to work with many people - note that coming around yelling "ohai, that's the the way you should work kthx" isn't the best way to be integrated in any team though (works well IRL too). Oh, and we can run patched code. But the question was flawed. Zf
 
::The stuff we keep secret, we keep secret for a reason. Other posts from you seem to indicate you understand why. The stuff we release, we release when it's nice and tested. Rather than document the how's and why's of what we've done, we'd rather move to the next challenge (and there are plenty of them). It's really that simple. Nothing sinister or dramatic. It's as simple as "it's fun to do, not fun to document".
 
   
  +
::::::::I most certainly remember there being a slip up with the devtree key, my bad, we never fixed that. if you can, in the meantime, use planet's crypto bundle to get the right IV
to whomever came before this last Zf comment: we criticize because it feels like a waste of time. sure, you're welcome to do whatever you like with your time, but we're criticizing your choice of what to do with your time, as we feel it's useless to have you reverse what we reversed when we eventually plan on just writing it up. the most we can do to "correct" with that form of criticism is try to justify why we think you're wasting your time, when you could very well be doing things that are more helpful to the community. For example, everyone and their mother has been asking me for a Safari file:// url patch, but I simply haven't had the time recently. Why must it be me? Surely someone else who is spending their time reversing our hacks has the skills to patch a couple of bytes here and there to make life easier for many people? note that if you were reversing some secret hack that someone had leaked from the devteam I would feel differently, but pwnage is out and available at no cost to everyone, so the only product of your work is going to be improved understanding of our technique (a noble goal). We tend to be pragmatists, though, and as much as I'd love to be able to poke around at inane frameworks on the phone, for example, I prefer to use the little free time I have to do something generally useful to the public.
 
  +
- pumpkin
 
  +
:::::::::Yeah, that's what I plan on having someone do. It's really weird though, we correctly decrypted 3.0b2 keys on the device with a seemingly bad DeviceTree flashed. It only had disable_keys patched out and garbage at the beginning iirc. Weird stuff. I'll comment the page with the correct IV when it's found though so you can edit it in. I'm kind of making this wiki a chat though, so I'll stop the edits. --[[User:James|James]] 03:00, 14 April 2009 (UTC)

Latest revision as of 03:00, 14 April 2009

Kernel and ramdisk patches

Anyone care to share what is patched?

yup

ramdisk:

asr - patch out rootfs SHA1 check

restored_external - patch wiping routine

kernel:

haven't looked into this, but there are four patches, at least some of them are for codesign and apparently one of them has to do with virtual memory mapping.

Thanks

Do you know how the new codesign is added yet? I notice you think they didn't use ldid. It seems that the second patches to asr and restored are codesign (from what I can tell when 2.1 and 2.2 files are compared), but I don't see any in the kernel, they're all simple.

patches

patches to asr and restored are the patches i listed above, and patches for the hashes so that they will run. when i say in the kernel codesign is patch, then it wil patch out the need for code to be signed, but apparently it was determined that the sha1 hash check was too annoying to patched as it would always be changing, so they just rehashed asr and restored, not codesign, just rehashed.

hashes

What are you taking the hash of? For example, I extracted asr from a stock 018-4378-1.dmg from 2.2 and compared it to one from a custom disk image; diffing them shows two patches; the first I assume to be the SHA1 check (at 0x12F16). The second at 0x27C7A confuses me though, because I think this must be the hash (I'm new to this stuff, so forgive me if I'm just missing something incredibly obvious). If I take the hash of the stock asr (9146c06d34b4fa9fc3cb3c7490851fabb875e3c8) and compare it to the hash within the file, it doesn't match (6350E8890FD7217152F72B3EA3285B6D7E617020). The hash of the custom asr doesn't match the internal hash either, and the same goes for restored.

isha / ldid

it is rehashed with isha or ldid -s, i don't really know the nitty gritty of that stuff.

2G DeviceTree

It seems that this was never patched until redsn0w QuickPwn. What exactly is the patch made--Cool name 02:24, 14 April 2009 (UTC)--Cool name 02:24, 14 April 2009 (UTC) to allow LogoMe to work? I tried old patches (function-disable_keys -> xxxxxxxx-disable_keys, secure-root-prefix doesn't exist at all), but they don't seem to work.

disable keys and secure root patches should have worked, afaik, are u sure u decrypted it correctly? ChronicDev 23:44, 13 April 2009 (UTC)
I believe I did, all names are visible. I notice at 0x0 - 0x10, there seems to be secure-root-prefix, but it is garbled (*junk*oot-prefix), I don't know what this is about..
I patched function-disable_keys at 0x3534, though.--James 00:10, 14 April 2009 (UTC)
you somehow used the wrong IV probably, double check that ChronicDev 02:00, 14 April 2009 (UTC)
I used the IV from ChronicDev GoogleCode, is it correct? I actually don't have a 2G so I cannot verify it. --James 02:03, 14 April 2009 (UTC)


Err, James. How do you know the DeviceTree patches are not working if you do not have a 2G to get the keys from?--Cool name 02:24, 14 April 2009 (UTC)
I've had other people test them for me. I always thought it was fishy that there was what was seemingly garbage at the beginning of the file, but went with it anyways and made the patch I could. The resulting image would never work, so I knew there must be either another patch or I did it wrong. --James 02:29, 14 April 2009 (UTC)
Ahh ok. You should have someone independently verify the keys of that DeviceTree, because as chronic said that IV is most likely incorrect.--Cool name 02:39, 14 April 2009 (UTC)
I most certainly remember there being a slip up with the devtree key, my bad, we never fixed that. if you can, in the meantime, use planet's crypto bundle to get the right IV
Yeah, that's what I plan on having someone do. It's really weird though, we correctly decrypted 3.0b2 keys on the device with a seemingly bad DeviceTree flashed. It only had disable_keys patched out and garbage at the beginning iirc. Weird stuff. I'll comment the page with the correct IV when it's found though so you can edit it in. I'm kind of making this wiki a chat though, so I'll stop the edits. --James 03:00, 14 April 2009 (UTC)