Difference between revisions of "Talk:Obtaining IMG3 Keys"

From The iPhone Wiki
Line 7: Line 7:
 
~geohot
 
~geohot
   
I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought this would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). Hope that's okay. :)
+
I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought this would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)
   
 
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz
 
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz

Revision as of 03:21, 7 August 2008

Hey, that's my "exploit" ;-) Dev used openiboot.

Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.

And thanks for writing this up.

~geohot

I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought this would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)

I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz

--Planetbeing 03:20, 7 August 2008 (UTC)