Difference between revisions of "Talk:Obtaining IMG3 Keys"

From The iPhone Wiki
m (Terrible choice of words on my part, since it's still patched.)
Line 40:
Is there any way to use planetbeing's utility on 2.0.2?
- It seems like something about the kernel has changed, since it's no longer patched by Pwnage.
+ It seems like something about the kernel has changed, since Pwnage doesn't decrypt it before patching.
- I can't even find the KBAG tag for it.. --[[User:James|James]] 06:34, 1 September 2008 (UTC)
+ Is it as simple as patching it in a hex editor or modifying crypto binary? --[[User:James|James]] 06:34, 1 September 2008 (UTC)

Revision as of 09:25, 1 September 2008

Hey, that's my "exploit" ;-) Dev used openiboot.

Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.

And thanks for writing this up.

~geohot

I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)

I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz

--Planetbeing 03:20, 7 August 2008 (UTC)

iBoot

Why do you need a modified iBoot? Doesn't Pwnage Tool/xpwn/winpwn already patch/modify iBoot?

no

Yeah. Their iBoot is simply patched so the pwned IPSW will work. There is soooooo much more you can do to the iBoot :)

iBoot

Ok, but does the iBoot need to be patched more than Pwnage already does for the userland AES KBAG decryption to work (using the program linked to by planetbeing?)

no...no...

this is...different. not like that at all. just trust planetbeing :)

Got it

Ok, thanks Chronic...and good idea, I will trust planetbeing.

of course

pb is a very talented and prolific dev team member, what's not to trust? :)

2.0.2

Is there any way to use planetbeing's utility on 2.0.2? It seems like something about the kernel has changed, since Pwnage doesn't decrypt it before patching. Is it as simple as patching it in a hex editor or modifying the crypto binary? --James 06:34, 1 September 2008 (UTC)
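Before patching anything in a hex editor it is worth checking what the IMG3 container for a given kernelcache actually carries. The script below is an added example, not part of this talk page and not planetbeing's crypto tool: it walks the IMG3 tag list (header of magic, fullSize, sizeNoPack, sigCheckArea, ident, followed by magic/totalLength/dataLength tags) and decodes any KBAG tag into its cryptState, aesType, IV and key fields. The two sample containers are constructed inline and are not real Apple firmware. Note the caveat: the IV and key read out of a KBAG are still wrapped with the device GID key, so this only tells you whether (and which) KBAG an image has; unwrapping it is what the on-device AES method discussed above is for.

```python
import struct

IMG3_MAGIC = b"Img3"


def fourcc(tag):
    """IMG3 stores its 4-char codes as little-endian u32, so 'Img3' appears on disk as b'3gmI'."""
    return tag[::-1]


def build_tag(tag, data):
    """Serialise one tag: magic, totalLength (header + data + pad), dataLength, data padded to 4 bytes."""
    pad = (-len(data)) % 4
    total = 12 + len(data) + pad
    return fourcc(tag) + struct.pack("<II", total, len(data)) + data + b"\0" * pad


def build_img3(ident, tags):
    """Wrap tags in an IMG3 header: magic, fullSize, sizeNoPack, sigCheckArea, ident (used only for the samples here)."""
    body = b"".join(build_tag(t, d) for t, d in tags)
    return fourcc(IMG3_MAGIC) + struct.pack("<III", 20 + len(body), len(body), len(body)) + fourcc(ident) + body


def parse_img3(blob):
    """Walk the tag list and return (ident, [(tag, payload), ...]); raises ValueError if the container is malformed."""
    if len(blob) < 20 or blob[:4] != fourcc(IMG3_MAGIC):
        raise ValueError("not an IMG3 file")
    full_size = struct.unpack_from("<I", blob, 4)[0]
    if full_size > len(blob) or full_size < 20:
        raise ValueError("truncated IMG3: header claims %d bytes, have %d" % (full_size, len(blob)))
    ident = fourcc(blob[16:20])
    tags, off = [], 20
    while off + 12 <= full_size:
        magic = fourcc(blob[off:off + 4])
        total, dlen = struct.unpack_from("<II", blob, off + 4)
        # Every length comes from the file itself: bound-check before slicing.
        if total < 12 or dlen > total - 12 or off + total > full_size:
            raise ValueError("bad tag %r at offset %d" % (magic, off))
        tags.append((magic, blob[off + 12:off + 12 + dlen]))
        off += total
    return ident, tags


def parse_kbag(payload):
    """Decode a KBAG: cryptState (1 production, 2 development), aesType (128/192/256), IV, GID-wrapped key."""
    if len(payload) < 24:
        raise ValueError("KBAG too short")
    state, aes_type = struct.unpack_from("<II", payload, 0)
    if aes_type not in (128, 192, 256):
        raise ValueError("unexpected aesType %d" % aes_type)
    key_len = aes_type // 8
    iv, key = payload[8:24], payload[24:24 + key_len]
    if len(key) != key_len:
        raise ValueError("KBAG key truncated")
    return {"cryptState": state, "aesType": aes_type, "iv": iv, "key": key}


def find_kbags(blob):
    """All KBAG entries keyed by cryptState; an empty dict means there is nothing for the GID key to unwrap."""
    kbags = {}
    for tag, payload in parse_img3(blob)[1]:
        if tag == b"KBAG":
            kbag = parse_kbag(payload)
            kbags[kbag["cryptState"]] = kbag
    return kbags


# Constructed sample containers (not real Apple firmware): one carrying a production KBAG, one carrying none.
SAMPLE_KBAG = struct.pack("<II", 1, 256) + bytes(range(16)) + bytes(range(32))
IMG_WITH_KBAG = build_img3(b"krnl", [(b"TYPE", fourcc(b"krnl")), (b"DATA", b"\xaa" * 40), (b"KBAG", SAMPLE_KBAG)])
IMG_NO_KBAG = build_img3(b"krnl", [(b"TYPE", fourcc(b"krnl")), (b"DATA", b"\xbb" * 40)])

if __name__ == "__main__":
    for name, img in (("with KBAG", IMG_WITH_KBAG), ("without KBAG", IMG_NO_KBAG)):
        ident, tags = parse_img3(img)
        print("%s: ident=%s tags=%s" % (name, ident.decode(), [t.decode() for t, _ in tags]))
        for state, kb in find_kbags(img).items():
            print("  KBAG cryptState=%d aes=%d iv=%s key=%s" % (state, kb["aesType"], kb["iv"].hex(), kb["key"].hex()))
```

To use it on a real file, replace the constructed samples with `open(path, "rb").read()` and call `find_kbags` on the result; a kernelcache that parses cleanly but yields an empty dict has no KBAG tag to hand to the decryption routine, while one that yields a cryptState 1 entry is the normal production case the on-device method expects.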