Difference between revisions of "Purplesn0w"
(→How it works) |
m (Updating page link.) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | purplesn0w is [[User:geohot|geohot]]'s [[unlock]] which used the [[AT+XLOG Vulnerability]]. Its implementation of the vulnerability differs from [[ultrasn0w]]'s, and requires a legitimately [[Activation|activated]] [[iPhone]]. |
+ | purplesn0w is [[User:geohot|geohot]]'s [[unlock]] which used the [[AT+XLOG Vulnerability]]. Its implementation of the vulnerability differs from [[ultrasn0w]]'s, and requires a legitimately [[Activation|activated]] [[List of iPhones|iPhone]]. |
==How it works== |
==How it works== |
||
purplesn0w copies the page that needs patching to an unused region of memory. It gets patched in RAM. Using the MMU, the flash page is mapped out and the patched memory page is remapped in its place. No new iPhones are really [[unlock]]ed; [[activation]] creates a [[WildcardTicket|ticket]] allowing the baseband to be used with that SIM. The lockstate of the phone really lies on Apple's servers. Being unlocked means all SIMs are authorized, and being locked means only certain carriers' SIMs are authorized (for instance, AT&T). Fortunately, this ticket system provides an easy way to deliver the payload and re-execute the patched code all in one. And since the ticket is already delivered on baseband resets, there's no need to write another daemon to use the battery. Instead the daemon already designed for this, [[lockdownd]], is used. A patch to CommCenter gets it to run the payload on ticket delivery. And a patch to your activation record contains the payload. |
purplesn0w copies the page that needs patching to an unused region of memory. It gets patched in RAM. Using the MMU, the flash page is mapped out and the patched memory page is remapped in its place. No new iPhones are really [[unlock]]ed; [[activation]] creates a [[WildcardTicket|ticket]] allowing the baseband to be used with that SIM. The lockstate of the phone really lies on Apple's servers. Being unlocked means all SIMs are authorized, and being locked means only certain carriers' SIMs are authorized (for instance, AT&T). Fortunately, this ticket system provides an easy way to deliver the payload and re-execute the patched code all in one. And since the ticket is already delivered on baseband resets, there's no need to write another daemon to use the battery. Instead the daemon already designed for this, [[lockdownd]], is used. A patch to CommCenter gets it to run the payload on ticket delivery. And a patch to your activation record contains the payload. |
||
− | |||
− | [[Category:Baseband]] |
||
==Installation notes== |
==Installation notes== |
||
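Review bot: the hunk drops the [[Category:Baseband]] line (the "− | [[Category:Baseband]]" row after the How it works paragraph) without re-adding it anywhere else in this combined diff, so the page silently leaves the Baseband category; if the intent was only to move the tag below the new payload section, add `[[Category:Baseband]]` back at the end of the page, otherwise the removal should be called out in the edit summary (the summaries shown only mention the How it works section and a page-link update).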
Line 11: | Line 9: | ||
* Watch for success output in Cydia (actually do this step) |
* Watch for success output in Cydia (actually do this step) |
||
* Wait for signal, and enjoy your unlocked iPhone (no reboot required) |
* Wait for signal, and enjoy your unlocked iPhone (no reboot required) |
||
+ | |||
+ | |||
+ | ==purplesn0w RC2 payload with comments== |
||
+ | <pre> |
||
+ | ROM:00000000 LDR R4, =0x201436C8 ; /* copy the page*/ |
||
+ | ROM:00000004 MOV R0, #0x40000000 |
||
+ | ROM:00000008 LDR R1, =0x203C1000 |
||
+ | ROM:0000000C MOV R2, #0x1000 |
||
+ | ROM:00000010 BLX R4 |
||
+ | ROM:00000014 LDR R5, =0x4000082C ; /*at 4000083C or 203C183C |
||
+ | ROM:00000014 ; put the code to branch to 0x404F0980*/ |
||
+ | ROM:00000018 ADD R0, R5, #0x10 |
||
+ | ROM:0000001C ADR R1, loc_D4 |
||
+ | ROM:00000020 MOV R2, #0xC |
||
+ | ROM:00000024 BLX R4 |
||
+ | ROM:00000028 MOV R7, #0 ; /* interrupt disable */ |
||
+ | ROM:0000002C MRS R0, CPSR |
||
+ | ROM:00000030 ORR R0, R0, #0xC0 |
||
+ | ROM:00000034 MSR CPSR_c, R0 |
||
+ | ROM:00000038 MRC p15, 0, R6,c1,c0 ; /* MMU disable */ |
||
+ | ROM:0000003C BIC R0, R6, #0xFF |
||
+ | ROM:00000040 MCR p15, 0, R0,c1,c0 |
||
+ | ROM:00000044 NOP |
||
+ | ROM:00000048 NOP |
||
+ | ROM:0000004C LDR R0, =0x2030055E |
||
+ | ROM:00000050 LDR R1, =0x40001000 |
||
+ | ROM:00000054 ADD R2, R1, #0x400 |
||
+ | ROM:00000058 |
||
+ | ROM:00000058 loop ; CODE XREF: ROM:00000064�j |
||
+ | ROM:00000058 STR R0, [R1],#4 ; build a page table in memory |
||
+ | ROM:00000058 ; increments of 0x1000 |
||
+ | ROM:00000058 ; from 0x2030055E to 0x2040055E |
||
+ | ROM:00000058 ; |
||
+ | ROM:00000058 ; put 0x2030055E in [0x40001000] |
||
+ | ROM:00000058 ; 0x40001000 + 0x4 |
||
+ | ROM:00000058 ; 0x2030055E + 0x1000 |
||
+ | ROM:00000058 ; cmp 0x40001004 to 0x40001400 |
||
+ | ROM:00000058 ; ... |
||
+ | ROM:00000058 ; |
||
+ | ROM:00000058 ; |
||
+ | ROM:0000005C ADD R0, R0, #0x1000 |
||
+ | ROM:00000060 CMP R1, R2 |
||
+ | ROM:00000064 BNE loop |
||
+ | ROM:00000068 LDR R1, =0x4000055E ; put 0x4000055E in [0x40001400 - 0xFC] |
||
+ | ROM:00000068 ; where 203C155E put 4000055E |
||
+ | ROM:00000068 ; i.e point 0x203C1000 pagetable entry to ram 0x40000000 |
||
+ | ROM:0000006C STR R1, [R2,#-0xFC] |
||
+ | ROM:00000070 LDR R0, =0x40001011 ; this section points the 0x203 mmu mapping to built page table |
||
+ | ROM:00000070 ; at 0x40001000. |
||
+ | ROM:00000070 ; |
||
+ | ROM:00000070 ; when this code runs again it returns the mapping the way it |
||
+ | ROM:00000070 ; was that i.e no trace left behind. |
||
+ | ROM:00000070 ; |
||
+ | ROM:00000070 ; put [0x800 + 0x8] + 0x100000 at [0x800 + 0xC] |
||
+ | ROM:00000070 ; if what was at [0x800 + 0xC] = 0x40001011 then break |
||
+ | ROM:00000070 ; else put 0x40001011 at [0x800 + 0xC] |
||
+ | ROM:00000074 MOV R1, #0x800 |
||
+ | ROM:00000078 LDR R2, [R1,#0xC] |
||
+ | ROM:0000007C LDR R3, [R1,#8] |
||
+ | ROM:00000080 ADD R3, R3, #0x100000 |
||
+ | ROM:00000084 STR R3, [R1,#0xC] |
||
+ | ROM:00000088 CMP R2, R0 |
||
+ | ROM:0000008C BEQ break |
||
+ | ROM:00000090 STR R0, [R1,#0xC] |
||
+ | ROM:00000094 |
||
+ | ROM:00000094 break ; CODE XREF: ROM:0000008C�j |
||
+ | ROM:00000094 MCR p15, 0, R7,c8,c7 ; /* invalidate TLB */ |
||
+ | ROM:00000098 MCR p15, 0, R6,c1,c0 ; /* MMU enable */ |
||
+ | ROM:0000009C MCR p15, 0, R7,c7,c5 ; /* flush ICache */ |
||
+ | ROM:000000A0 NOP |
||
+ | ROM:000000A4 NOP |
||
+ | ROM:000000A8 NOP |
||
+ | ROM:000000AC MRS R0, CPSR ; /* interrupt enable */ |
||
+ | ROM:000000B0 BIC R0, R0, #0xC0 |
||
+ | ROM:000000B4 MSR CPSR_c, R0 |
||
+ | ROM:000000B8 LDR R4, =0x20525359 ; /* go home */ |
||
+ | ROM:000000BC LDR R1, =0x203C1830 |
||
+ | ROM:000000C0 ADR R0, dword_D0 |
||
+ | ROM:000000C4 STR R1, [R0] |
||
+ | ROM:000000C8 MOV R0, #0 |
||
+ | ROM:000000CC BX R4 |
||
+ | ROM:000000CC ; --------------------------------------------------------------------------- |
||
+ | ROM:000000D0 dword_D0 DCD 0x20525359 ; DATA XREF: ROM:000000B8�r |
||
+ | ROM:000000D0 ; ROM:000000C0�o |
||
+ | ROM:000000D4 ; --------------------------------------------------------------------------- |
||
+ | ROM:000000D4 |
||
+ | ROM:000000D4 loc_D4 ; DATA XREF: ROM:0000001C�o |
||
+ | ROM:000000D4 LDR R4, =0x404F0980 |
||
+ | ROM:000000D8 BX R4 |
||
+ | ROM:000000D8 ; --------------------------------------------------------------------------- |
||
+ | ROM:000000DC dword_DC DCD 0x404F0980 ; DATA XREF: ROM:loc_D4�r |
||
+ | ROM:000000E0 dword_E0 DCD 0x201436C8 ; DATA XREF: ROM:00000000�r |
||
+ | ROM:000000E4 dword_E4 DCD 0x203C1000 ; DATA XREF: ROM:00000008�r |
||
+ | ROM:000000E8 dword_E8 DCD 0x4000082C ; DATA XREF: ROM:00000014�r |
||
+ | ROM:000000EC dword_EC DCD 0x2030055E ; DATA XREF: ROM:0000004C�r |
||
+ | ROM:000000F0 dword_F0 DCD 0x40001000 ; DATA XREF: ROM:00000050�r |
||
+ | ROM:000000F4 dword_F4 DCD 0x4000055E ; DATA XREF: ROM:00000068�r |
||
+ | ROM:000000F8 dword_F8 DCD 0x40001011 ; DATA XREF: ROM:00000070�r |
||
+ | ROM:000000FC dword_FC DCD 0x203C1830 ; DATA XREF: ROM:000000BC�r |
||
+ | ROM:000000FC ; ROM ends |
||
+ | </pre> |
||
+ | |||
==Links== |
==Links== |
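Review bot: the cross-reference arrows in the pasted IDA listing have come through as mis-encoded bytes ("�j", "�r", "�o" at ROM:00000058, ROM:00000094, ROM:000000D0, loc_D4 and the dword_* lines), so the <pre> block should be re-pasted with the arrows as ↑/↓ or the XREF suffixes dropped. Two comments also deserve tightening: "MMU disable" at ROM:00000038 describes `BIC R0, R6, #0xFF`, which clears bits 0-7 of the c1 control register and therefore also turns off alignment checking and the caches, not only the MMU; and the page-table loop comment gives the range "from 0x2030055E to 0x2040055E" (correct for 0x100 entries of 0x1000) but leaves it to the reader to work out that `STR R1, [R2,#-0xFC]` at ROM:0000006C writes entry 0xC1 at 0x40001304, i.e. the slot for 0x203C1000; stating that index next to "point 0x203C1000 pagetable entry to ram 0x40000000" would make the listing self-checking.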
Latest revision as of 11:36, 14 November 2015
purplesn0w is geohot's unlock which used the AT+XLOG Vulnerability. Its implementation of the vulnerability differs from ultrasn0w's, and requires a legitimately activated iPhone.
How it works
purplesn0w copies the page that needs patching to an unused region of memory. The copy is patched in RAM. Using the MMU, the flash page is mapped out and the patched memory page is remapped in its place. No new iPhones are really unlocked; activation creates a ticket allowing the baseband to be used with that SIM. The lockstate of the phone really lies on Apple's servers. Being unlocked means all SIMs are authorized, and being locked means only certain carriers' SIMs are authorized (for instance, AT&T). Fortunately, this ticket system provides an easy way to deliver the payload and re-execute the patched code all in one. And since the ticket is already delivered on baseband resets, there's no need to write another daemon that would drain the battery. Instead the daemon already designed for this, lockdownd, is used. A patch to CommCenter gets it to run the payload on ticket delivery, and a patch to your activation record contains the payload.
Installation notes
- Be sure to have a legitimately activated iPhone.
- Disable 3G if you don't have it (like T-Mobile in the US).
- Watch for success output in Cydia (actually do this step)
- Wait for signal, and enjoy your unlocked iPhone (no reboot required)
purplesn0w RC2 payload with comments
<pre>
ROM:00000000 LDR R4, =0x201436C8 ; /* copy the page*/
ROM:00000004 MOV R0, #0x40000000
ROM:00000008 LDR R1, =0x203C1000
ROM:0000000C MOV R2, #0x1000
ROM:00000010 BLX R4
ROM:00000014 LDR R5, =0x4000082C ; /*at 4000083C or 203C183C
ROM:00000014 ; put the code to branch to 0x404F0980*/
ROM:00000018 ADD R0, R5, #0x10
ROM:0000001C ADR R1, loc_D4
ROM:00000020 MOV R2, #0xC
ROM:00000024 BLX R4
ROM:00000028 MOV R7, #0 ; /* interrupt disable */
ROM:0000002C MRS R0, CPSR
ROM:00000030 ORR R0, R0, #0xC0
ROM:00000034 MSR CPSR_c, R0
ROM:00000038 MRC p15, 0, R6,c1,c0 ; /* MMU disable */
ROM:0000003C BIC R0, R6, #0xFF
ROM:00000040 MCR p15, 0, R0,c1,c0
ROM:00000044 NOP
ROM:00000048 NOP
ROM:0000004C LDR R0, =0x2030055E
ROM:00000050 LDR R1, =0x40001000
ROM:00000054 ADD R2, R1, #0x400
ROM:00000058
ROM:00000058 loop ; CODE XREF: ROM:00000064↓j
ROM:00000058 STR R0, [R1],#4 ; build a page table in memory
ROM:00000058 ; increments of 0x1000
ROM:00000058 ; from 0x2030055E to 0x2040055E
ROM:00000058 ;
ROM:00000058 ; put 0x2030055E in [0x40001000]
ROM:00000058 ; 0x40001000 + 0x4
ROM:00000058 ; 0x2030055E + 0x1000
ROM:00000058 ; cmp 0x40001004 to 0x40001400
ROM:00000058 ; ...
ROM:00000058 ;
ROM:00000058 ;
ROM:0000005C ADD R0, R0, #0x1000
ROM:00000060 CMP R1, R2
ROM:00000064 BNE loop
ROM:00000068 LDR R1, =0x4000055E ; put 0x4000055E in [0x40001400 - 0xFC]
ROM:00000068 ; where 203C155E put 4000055E
ROM:00000068 ; i.e. point 0x203C1000 pagetable entry to ram 0x40000000
ROM:0000006C STR R1, [R2,#-0xFC]
ROM:00000070 LDR R0, =0x40001011 ; this section points the 0x203 mmu mapping to built page table
ROM:00000070 ; at 0x40001000.
ROM:00000070 ;
ROM:00000070 ; when this code runs again it returns the mapping the way it
ROM:00000070 ; was, i.e. no trace left behind.
ROM:00000070 ;
ROM:00000070 ; put [0x800 + 0x8] + 0x100000 at [0x800 + 0xC]
ROM:00000070 ; if what was at [0x800 + 0xC] = 0x40001011 then break
ROM:00000070 ; else put 0x40001011 at [0x800 + 0xC]
ROM:00000074 MOV R1, #0x800
ROM:00000078 LDR R2, [R1,#0xC]
ROM:0000007C LDR R3, [R1,#8]
ROM:00000080 ADD R3, R3, #0x100000
ROM:00000084 STR R3, [R1,#0xC]
ROM:00000088 CMP R2, R0
ROM:0000008C BEQ break
ROM:00000090 STR R0, [R1,#0xC]
ROM:00000094
ROM:00000094 break ; CODE XREF: ROM:0000008C↑j
ROM:00000094 MCR p15, 0, R7,c8,c7 ; /* invalidate TLB */
ROM:00000098 MCR p15, 0, R6,c1,c0 ; /* MMU enable */
ROM:0000009C MCR p15, 0, R7,c7,c5 ; /* flush ICache */
ROM:000000A0 NOP
ROM:000000A4 NOP
ROM:000000A8 NOP
ROM:000000AC MRS R0, CPSR ; /* interrupt enable */
ROM:000000B0 BIC R0, R0, #0xC0
ROM:000000B4 MSR CPSR_c, R0
ROM:000000B8 LDR R4, =0x20525359 ; /* go home */
ROM:000000BC LDR R1, =0x203C1830
ROM:000000C0 ADR R0, dword_D0
ROM:000000C4 STR R1, [R0]
ROM:000000C8 MOV R0, #0
ROM:000000CC BX R4
ROM:000000CC ; ---------------------------------------------------------------------------
ROM:000000D0 dword_D0 DCD 0x20525359 ; DATA XREF: ROM:000000B8↑r
ROM:000000D0 ; ROM:000000C0↑o
ROM:000000D4 ; ---------------------------------------------------------------------------
ROM:000000D4
ROM:000000D4 loc_D4 ; DATA XREF: ROM:0000001C↑o
ROM:000000D4 LDR R4, =0x404F0980
ROM:000000D8 BX R4
ROM:000000D8 ; ---------------------------------------------------------------------------
ROM:000000DC dword_DC DCD 0x404F0980 ; DATA XREF: ROM:loc_D4↑r
ROM:000000E0 dword_E0 DCD 0x201436C8 ; DATA XREF: ROM:00000000↑r
ROM:000000E4 dword_E4 DCD 0x203C1000 ; DATA XREF: ROM:00000008↑r
ROM:000000E8 dword_E8 DCD 0x4000082C ; DATA XREF: ROM:00000014↑r
ROM:000000EC dword_EC DCD 0x2030055E ; DATA XREF: ROM:0000004C↑r
ROM:000000F0 dword_F0 DCD 0x40001000 ; DATA XREF: ROM:00000050↑r
ROM:000000F4 dword_F4 DCD 0x4000055E ; DATA XREF: ROM:00000068↑r
ROM:000000F8 dword_F8 DCD 0x40001011 ; DATA XREF: ROM:00000070↑r
ROM:000000FC dword_FC DCD 0x203C1830 ; DATA XREF: ROM:000000BC↑r
ROM:000000FC ; ROM ends
</pre>
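The "How it works" paragraph and the listing above both describe the same trick: copy a flash page to RAM, patch the copy, and swap the MMU mapping so the copy is read in the page's place, with a second run of the same code putting the original section mapping back. The following model is an added illustration written for this article, not code from the page, from geohot or from purplesn0w. It replays the listing's own constants (flash page 0x203C1000, RAM copy 0x40000000, coarse page table at 0x40001000, first-level descriptor 0x40001011, the entry written at [R2,#-0xFC]) against a simplified two-level ARM translation walk. Everything else is assumed: the first-level table is taken to sit at physical 0 (the payload addresses its entries as [0x800 + ...]), sections 0x200-0x20F are identity-mapped with a made-up section flag value, and the flash contents and the 12 patch bytes at loc_D4 are constructed placeholder words.

```python
"""Model of the page-table remap performed by the purplesn0w RC2 payload.

Added illustration; not code from the page or from purplesn0w. Constants
marked 'from the listing' come from the disassembly above, everything else
is an assumption made so the walk can be run offline.
"""

SECTION_SIZE = 0x100000
PAGE_SIZE = 0x1000
TTB = 0x0                 # assumed: first-level table at physical 0 ([0x800 + ...] in the payload)
SECTION_FLAGS = 0xC1E     # assumed section descriptor flags (bits 1:0 = 0b10 marks a section)

COARSE_TABLE = 0x40001000     # from the listing: second-level table built by the loop
COARSE_DESC = 0x40001011      # from the listing: coarse-table descriptor (bits 1:0 = 0b01)
FIRST_PAGE_DESC = 0x2030055E  # from the listing: first small-page descriptor (bits 1:0 = 0b10)
FLASH_PAGE = 0x203C1000       # from the listing: page that gets copied and mapped out
RAM_COPY = 0x40000000         # from the listing: where the copy lives
PATCH_OFFSET = 0x83C          # from the listing: 0x4000082C + 0x10, where loc_D4 is copied
PATCH_WORDS = (0xAAAA0001, 0xAAAA0002, 0x404F0980)  # constructed stand-in for the 12 bytes at loc_D4


class Memory:
    """Word-addressed physical memory; unwritten words read as 0."""

    def __init__(self):
        self.words = {}

    def ldr(self, pa):
        return self.words.get(pa & ~3, 0)

    def store(self, pa, val):
        self.words[pa & ~3] = val & 0xFFFFFFFF


def fresh_memory():
    mem = Memory()
    for sec in range(0x200, 0x210):          # assumed identity-mapped 1 MiB sections
        mem.store(TTB + sec * 4, (sec << 20) | SECTION_FLAGS)
    for i in range(PAGE_SIZE // 4):          # constructed flash page contents
        mem.store(FLASH_PAGE + i * 4, 0xEE000000 | i)
    return mem


def translate(mem, va):
    """Two-level ARMv5-style walk: section entry, or coarse table -> small page."""
    l1 = mem.ldr(TTB + (va >> 20) * 4)
    if l1 & 0b11 == 0b10:                                   # 1 MiB section
        return (l1 & 0xFFF00000) | (va & 0xFFFFF)
    if l1 & 0b11 == 0b01:                                   # coarse page table
        l2 = mem.ldr((l1 & 0xFFFFFC00) + ((va >> 12) & 0xFF) * 4)
        if l2 & 0b11 == 0b10:                               # 4 KiB small page
            return (l2 & 0xFFFFF000) | (va & 0xFFF)
    raise LookupError("translation fault at 0x%08X" % va)


def read_va(mem, va):
    """What the CPU sees at a virtual address after the walk."""
    return mem.ldr(translate(mem, va))


def run_payload(mem):
    """Replay ROM:00000000..00000090 of the listing.

    Returns True when the remap is active afterwards and False when this
    run undid a previous one (the 'no trace left behind' behaviour)."""
    # ROM:00000000-00000024: copy the flash page to RAM (modelled as a physical
    # word copy) and drop the 12-byte trampoline at offset 0x83C of the copy.
    for i in range(PAGE_SIZE // 4):
        mem.store(RAM_COPY + i * 4, mem.ldr(FLASH_PAGE + i * 4))
    for i, w in enumerate(PATCH_WORDS):
        mem.store(RAM_COPY + PATCH_OFFSET + i * 4, w)
    # ROM:00000058-00000064: 256 small-page entries identity-mapping
    # 0x20300000..0x203FFFFF, written at 0x40001000..0x400013FC.
    r0, r1, r2 = FIRST_PAGE_DESC, COARSE_TABLE, COARSE_TABLE + 0x400
    while r1 != r2:
        mem.store(r1, r0)
        r1 += 4
        r0 += PAGE_SIZE
    # ROM:00000068-0000006C: entry 0xC1 (the slot for 0x203C1000) now points at RAM.
    mem.store(r2 - 0xFC, 0x4000055E)
    # ROM:00000070-00000090: rebuild the 0x203 section entry from the 0x202 one,
    # then install the coarse descriptor unless it was already installed, in
    # which case the rebuilt section entry stays and the remap is undone.
    r0, r1 = COARSE_DESC, 0x800
    r2 = mem.ldr(r1 + 0xC)
    r3 = mem.ldr(r1 + 8) + SECTION_SIZE
    mem.store(r1 + 0xC, r3)
    if r2 != r0:
        mem.store(r1 + 0xC, r0)
    return mem.ldr(0x80C) == COARSE_DESC


if __name__ == "__main__":
    m = fresh_memory()
    print("active:", run_payload(m), "0x203C183C ->", hex(translate(m, 0x203C183C)))
    print("active:", run_payload(m), "0x203C183C ->", hex(translate(m, 0x203C183C)))
```

Running it shows the point of the listing's second half: the neighbouring pages 0x203C0000 and 0x203C2000 still translate to themselves because the loop identity-maps the whole megabyte, only the 0xC1 entry is redirected, and a second invocation leaves the 0x203 section entry rebuilt from its neighbour with the coarse descriptor not reinstalled, so the original mapping is back.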
Links
- Cydia repo (http://apt.geohot.com/)
- Source code