|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Research: Pwnage Patches"
m (Links.) |
m (Disambiguation.) |
||
| Line 6: | Line 6: | ||
There are three core patches in Pwnage. |
There are three core patches in Pwnage. |
||
| − | ===[[iBoot]]=== |
+ | ===[[iBoot (Bootloader)|iBoot]]=== |
| − | There is only 1 patch made to the [[iBoot]], [[LLB]], [[iBEC]], [[iBSS]], and [[WTF]]. It simply patches the RSA check to return success when an error occurs. |
+ | There is only 1 patch made to the [[iBoot (Bootloader)|iBoot]], [[LLB]], [[iBEC]], [[iBSS]], and [[WTF]]. It simply patches the RSA check to return success when an error occurs. |
The patch is simple. This is the default non-patched area: |
The patch is simple. This is the default non-patched area: |
||
| Line 28: | Line 28: | ||
===DeviceTree=== |
===DeviceTree=== |
||
| − | This simply patches "secure-root-prefix" and "function-disable_keys". It seems that you could bypass this patch by simply patching the [[iBoot]] flags to 0xffffffff, but I have personally never verified that the decrypted [[KBAG]] was correct, so anyone that is feeling adventurous and wants to verify, please do. |
+ | This simply patches "secure-root-prefix" and "function-disable_keys". It seems that you could bypass this patch by simply patching the [[iBoot (Bootloader)|iBoot]] flags to 0xffffffff, but I have personally never verified that the decrypted [[KBAG]] was correct, so anyone that is feeling adventurous and wants to verify, please do. |
===[[Kernel]]=== |
===[[Kernel]]=== |
||
Latest revision as of 04:42, 8 November 2010
If you have IDA Pro and you are at least semi-handy with ARM please contribute :)
Thanks to CPICH for helping out!
Contents
The Patches
There are three core patches in Pwnage.
iBoot
There is only 1 patch made to the iBoot, LLB, iBEC, iBSS, and WTF. It simply patches the RSA check to return success when an error occurs.
The patch is simple. This is the default non-patched area:
ROM:00002636 _fail ; CODE XREF: rsaCheck+3C�j ROM:00002636 ; rsaCheck+84�j ROM:00002636 ; rsaCheck+A0�j ROM:00002636 ; rsaCheck+B4�j ROM:00002636 ; rsaCheck+F0�j ROM:00002636 ; rsaCheck+100�j ROM:00002636 ; rsaCheck+10C�j ROM:00002636 ; rsaCheck+110�j ROM:00002636 ; rsaCheck+118�j ROM:00002636 ; rsaCheck+11C�j ... ROM:00002636 454 01 20 MOVS R0, #1 ROM:00002638 454 40 42 NEGS R0, R0
Now, all that they do is change the "40 42" you see at 0x2638 to "00 20" (negs r0,r0->movs r0,#0).
DeviceTree
This simply patches "secure-root-prefix" and "function-disable_keys". It seems that you could bypass this patch by simply patching the iBoot flags to 0xffffffff, but I have personally never verified that the decrypted KBAG was correct, so anyone that is feeling adventurous and wants to verify, please do.
Kernel
Haven't really looked into this too far, but I know that the kernel is patched for codesign as well as a write and execution patch to allow addons such as Mobile Substrate to execute on / at the kernel
