The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Greenpois0n (jailbreak)"
Apocolipse (talk | contribs) (→Decompiled Exploit Code) |
m |
||
(53 intermediate revisions by 14 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{lowercase}} |
||
− | [[Image:Gp.png|180px|right]] |
||
+ | [[Image:gp.png|200px|right|greenpois0n]] |
||
+ | {{other|jailbreak|toolkit|greenpois0n (toolkit)}} |
||
+ | Available for Windows and Mac. |
||
+ | == History == |
||
− | Greenpois0n is both a cross-platform hacker toolkit (that helps users to find their own exploits for jailbreaks, write custom ramdisks, and create custom firmwares) as well as a [[jailbreak]] tool for iDevices written by [[Chronic Dev]]. |
||
+ | === RC1 - RC4 === |
||
+ | Greenpois0n was originally written using two exploits: SHAtter (a [[bootrom]] [[exploit]]) as well as a userland [[kernel]] [[exploit]] provided by [[User:Comex|Comex]] to make the jailbreak [[untethered jailbreak|untethered]]. A release date of 10/10/10 10:10:10 AM (GMT) was announced, as well as the list of supported devices. Due to the nature of SHAtter, only iDevices using the [[S5L8930|A4 Processor]] were supported. |
||
+ | [[user:geohot|geohot]] later released another jailbreak ([[limera1n]] using a different [[bootrom]] [[exploit]]) on {{date|2010|10|09}}, which led to a delay in greenpois0n's release (to implement geohot's exploit, not SHAtter). |
||
− | == |
+ | === RC5 === |
+ | [[User:Posixninja|Posixninja]] and the rest of [[Chronic Dev (team)|Chronic Dev]] released a Mac-exclusive version of greenpois0n RC5 on {{date|2011|02|03}}, which performs an [[untethered jailbreak]] on iOS 4.2.1 for most devices that support it. Instead of using the [[Packet Filter Kernel Exploit]] like RC4 and earlier, RC5 made use of the [[HFS Legacy Volume Name Stack Buffer Overflow]]. (This exploit wasn't saved for iOS 4.3 because it was already fixed in the betas with an implementation of [[wikipedia:Address space layout randomization|ASLR]].) Bugs were found, and fixed, in subsequent builds. Two days later, on {{date|2011|02|05}}, Chronic Dev released a Windows version as well. |
||
+ | === RC6 === |
||
− | *[http://github.com/chronicdev/cyanide GreenPois0n Cyanide]: [[iBoot]] payload toolkit to help developers discover new vulnerabilities and design super fast, low-level iBoot jailbreaks and exploit payloads, much like the way [[blackra1n]]/[[purplera1n]] works. |
||
+ | Support for the [[K66AP|Apple TV (2nd generation)]] was added. This release was for both Windows and Mac. |
||
− | *[http://github.com/chronicdev/libdioxin GreenPois0n Dioxin]: MobileDevice toolkit designed to help developers design awesome userland jailbreaks, like how [[Spirit]] works. |
||
− | *[http://github.com/chronicdev/anthrax GreenPois0n Anthrax]: iPhone ramdisk toolkit to help developers design extremely stable and portable ramdisk jailbreaks, much like the same way [[QuickPwn]]/[[redsn0w]] works. |
||
− | *[http://github.com/chronicdev/arsenic GreenPois0n Arsenic]: custom firmware toolkit to help developers design jailbreaks to help preserve [[Baseband Firmware|baseband]] and keep unlocks, much in the same way [[PwnageTool]]/[[sn0wbreeze]] works. |
||
− | == |
+ | == Controversy == |
− | Greenpois0n was originally written using two exploits: [[SHAtter]] (a [[bootrom]] [[exploit]]) as well as a userland [[exploit]] provided by [[User:Comex|Comex]] to make the jailbreak [[untethered jailbreak|untethered]]. A release date of 10/10/10 10:10:10 AM (GMT) was announced, as well as the list of supported devices. Due to the nature of [[SHAtter]], only iDevices using the [[S5L8930|A4 Processor]] were supported. |
||
− | [[user:geohot|geohot]] later released another jailbreak ([[limera1n]] using a different [[bootrom]] [[exploit]]) on 9 October 2010, which led to a delay in greenpois0n's release (to implement geohot's exploit, not SHAtter). |
||
− | |||
− | === Controversy === |
||
There was much controversy surrounding the sudden release of [[limera1n]] and the motives behind it. The main reasons for the [[limera1n]] release were: |
There was much controversy surrounding the sudden release of [[limera1n]] and the motives behind it. The main reasons for the [[limera1n]] release were: |
||
+ | * Use an exploit that Apple already knew about (newer [[iBoot]]s shows the exploit patched) |
||
+ | * Supports more iDevices than [[SHA-1 Image Segment Overflow|SHAtter]] |
||
+ | * Save the [[SHA-1 Image Segment Overflow|SHAtter]] [[bootrom]] [[exploit]] for future devices |
||
+ | The reason for this is [[bootrom]] [[exploit]]s are not patchable with software updates. It requires new hardware to fix the security hole. Since the [[limera1n]] hole was already discovered and patched by Apple, it benefits the community if SHAtter is saved in hopes of using it with new hardware, like the [[N92AP|iPhone 4S]], [[iPod touch (5th generation)]], and the [[iPad 2]]. However, Apple, presumably through internal testing, found out about [[SHA-1 Image Segment Overflow|SHAtter]] and patched it in the [[S5L8940|A5]] chip released with the [[iPad 2]]. |
||
+ | == Supported Devices == |
||
− | #Use an exploit that Apple already knew about (newer [[iBoot]]s shows the exploit patched) |
||
+ | greenpois0n RC4 and earlier requires the device to be on either iOS 3.2.2 ([[K48AP|iPad]]) or iOS 4.1 (all other devices). Of the devices that support these firmware revisions, the only one ''not'' supported is the [[N82AP|iPhone 3G]]. |
||
− | #Supports more iDevices than [[SHAtter]] |
||
− | #Hopefully save the [[SHAtter]] [[bootrom]] [[exploit]] for future iDevices |
||
+ | greenpois0n RC5 requires the device to be on iOS 4.2.1. It is compatible with every device that has 4.2.1, except for the [[N82AP|iPhone 3G]]. It was released earlier than anticipated, because iOS 4.3 unintentionally blocked the [[HFS Legacy Volume Name Stack Buffer Overflow]] exploit. |
||
− | The reason for this is [[bootrom]] [[exploit]]s are not patchable with software updates. It requires new hardware to fix the security hole. Since the [[limera1n]] hole was already discovered and patched by Apple, it benefits the community if [[SHAtter]] is saved in hopes of using it with new hardware, like the 5th generation iPhone/iPod touch and the iPad 2G. |
||
− | + | == Output == |
|
− | [[ |
+ | [[N90AP|iPhone 4]] with [[Greenpois0n (toolkit)|greenpois0n]] output (via [[iRecovery]]): |
− | |||
Attempting to initialize greenpois0n |
Attempting to initialize greenpois0n |
||
Initializing commands |
Initializing commands |
||
Line 45: | Line 48: | ||
Greenpois0n initialized |
Greenpois0n initialized |
||
+ | [[Category:Hacking Software]] |
||
− | |||
+ | [[Category:greenpois0n|jailbreak]] |
||
− | ==Decompiled Exploit Code== |
||
+ | [[Category:Jailbreaks]] |
||
− | Apocolipse has provided a decompiled version of the exploit function (note. it is incomplete, x86 decompilers can only do so much) |
||
+ | [[Category:Jailbreaking]] |
||
− | |||
− | signed int __cdecl upload_exploit() |
||
− | { |
||
− | int v0; // eax@1 |
||
− | signed int v1; // edx@2 |
||
− | int v2; // ebx@2 |
||
− | int v3; // eax@4 |
||
− | char *v4; // eax@5 |
||
− | unsigned int v5; // ebx@8 |
||
− | int v6; // ecx@14 |
||
− | signed int result; // eax@15 |
||
− | signed int v8; // ST38_4@18 |
||
− | int v9; // eax@28 |
||
− | signed int v10; // [sp+38h] [bp-1030h]@4 |
||
− | signed int v11; // [sp+3Ch] [bp-102Ch]@2 |
||
− | char v12; // [sp+4Ch] [bp-101Ch]@3 |
||
− | char v13; // [sp+84Ch] [bp-81Ch]@5 |
||
− | int v14; // [sp+104Ch] [bp-1Ch]@1 |
||
− | |||
− | v14 = *MK_FP(__GS__, 20); |
||
− | v0 = *(_DWORD *)(device + 16); |
||
− | if ( v0 == 8930 ) |
||
− | { |
||
− | v11 = 174080; |
||
− | v1 = -2080198655; |
||
− | v2 = -2080129124; |
||
− | } |
||
− | else |
||
− | { |
||
− | v1 = -2080231423; |
||
− | v11 = 141312; |
||
− | v2 = (((v0 == 8920) - 1) & 0xFFFFFFF4) - 2080161884; |
||
− | } |
||
− | memset(&v12, 0, 0x800u); |
||
− | memcpy(&v12, exploit, 0x230u); |
||
− | if ( libpois0n_debug ) |
||
− | { |
||
− | v8 = v1; |
||
− | ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Resetting device counters\n"); |
||
− | v1 = v8; |
||
− | } |
||
− | v10 = v1; |
||
− | v3 = irecv_reset_counters(client); |
||
− | if ( v3 ) |
||
− | { |
||
− | irecv_strerror(v3); |
||
− | __fprintf_chk(stderr, 1, &aCannotFindS[12]); |
||
− | result = -1; |
||
− | } |
||
− | else |
||
− | { |
||
− | memset(&v13, -858993460, 0x800u); |
||
− | v4 = &v13; |
||
− | do |
||
− | { |
||
− | *(_DWORD *)v4 = 1029; |
||
− | *((_DWORD *)v4 + 1) = 257; |
||
− | *((_DWORD *)v4 + 2) = v10; |
||
− | *((_DWORD *)v4 + 3) = v2; |
||
− | v4 += 64; |
||
− | } |
||
− | while ( (int *)v4 != &v14 ); |
||
− | if ( libpois0n_debug ) |
||
− | ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Sending chunk headers\n"); |
||
− | v5 = 0; |
||
− | irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
||
− | memset(&v13, -858993460, 0x800u); |
||
− | do |
||
− | { |
||
− | v5 += 2048; |
||
− | irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
||
− | } |
||
− | while ( v5 < v11 ); |
||
− | if ( libpois0n_debug ) |
||
− | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n"); |
||
− | irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048); |
||
− | if ( libpois0n_debug ) |
||
− | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n"); |
||
− | memset(&v13, -1145324613, 0x800u); |
||
− | irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048); |
||
− | irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
||
− | if ( libpois0n_debug ) |
||
− | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n"); |
||
− | irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0); |
||
− | irecv_reset(client); |
||
− | irecv_finish_transfer(client); |
||
− | if ( libpois0n_debug ) |
||
− | { |
||
− | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n"); |
||
− | if ( libpois0n_debug ) |
||
− | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n"); |
||
− | } |
||
− | client = (void *)irecv_reconnect(client, 2u); |
||
− | if ( client ) |
||
− | { |
||
− | result = 0; |
||
− | } |
||
− | else |
||
− | { |
||
− | if ( libpois0n_debug ) |
||
− | { |
||
− | v9 = irecv_strerror(0); |
||
− | __fprintf_chk(stderr, 1, &aCannotFindS[12], v9); |
||
− | } |
||
− | __fprintf_chk(stderr, 1, "Unable to reconnect\n"); |
||
− | result = -1; |
||
− | } |
||
− | } |
||
− | if ( *MK_FP(__GS__, 20) != v14 ) |
||
− | __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14); |
||
− | return result; |
||
− | } |
Latest revision as of 23:37, 16 September 2021
- This article is about the jailbreak. For the toolkit, see greenpois0n (toolkit).
Available for Windows and Mac.
History
RC1 - RC4
Greenpois0n was originally written using two exploits: SHAtter (a bootrom exploit) as well as a userland kernel exploit provided by Comex to make the jailbreak untethered. A release date of 10/10/10 10:10:10 AM (GMT) was announced, as well as the list of supported devices. Due to the nature of SHAtter, only iDevices using the A4 Processor were supported. geohot later released another jailbreak (limera1n using a different bootrom exploit) on 9 October 2010, which led to a delay in greenpois0n's release (to implement geohot's exploit, not SHAtter).
RC5
Posixninja and the rest of Chronic Dev released a Mac-exclusive version of greenpois0n RC5 on 3 February 2011, which performs an untethered jailbreak on iOS 4.2.1 for most devices that support it. Instead of using the Packet Filter Kernel Exploit like RC4 and earlier, RC5 made use of the HFS Legacy Volume Name Stack Buffer Overflow. (This exploit wasn't saved for iOS 4.3 because it was already fixed in the betas with an implementation of ASLR.) Bugs were found, and fixed, in subsequent builds. Two days later, on 5 February 2011, Chronic Dev released a Windows version as well.
RC6
Support for the Apple TV (2nd generation) was added. This release was for both Windows and Mac.
Controversy
There was much controversy surrounding the sudden release of limera1n and the motives behind it. The main reasons for the limera1n release were:
- Use an exploit that Apple already knew about (newer iBoots shows the exploit patched)
- Supports more iDevices than SHAtter
- Save the SHAtter bootrom exploit for future devices
The reason for this is bootrom exploits are not patchable with software updates. It requires new hardware to fix the security hole. Since the limera1n hole was already discovered and patched by Apple, it benefits the community if SHAtter is saved in hopes of using it with new hardware, like the iPhone 4S, iPod touch (5th generation), and the iPad 2. However, Apple, presumably through internal testing, found out about SHAtter and patched it in the A5 chip released with the iPad 2.
Supported Devices
greenpois0n RC4 and earlier requires the device to be on either iOS 3.2.2 (iPad) or iOS 4.1 (all other devices). Of the devices that support these firmware revisions, the only one not supported is the iPhone 3G.
greenpois0n RC5 requires the device to be on iOS 4.2.1. It is compatible with every device that has 4.2.1, except for the iPhone 3G. It was released earlier than anticipated, because iOS 4.3 unintentionally blocked the HFS Legacy Volume Name Stack Buffer Overflow exploit.
Output
iPhone 4 with greenpois0n output (via iRecovery):
Attempting to initialize greenpois0n Initializing commands Searching for cmd_ramdisk Found cmd_ramdisk string at 0x8401c7ac Found cmd_ramdisk reference at 0x84000d64 Found cmd_ramdisk function at 0x84000cd1 Initializing patches Initializing memory Initializing aes Searching for aes_crypto_cmd Found aes_crypto_cmd string at 0x84021a8c Found aes_crypto_cmd reference at 0x84017bb8 Found aes_crypto_cmd fnction at 0x84017b51 Initializing bdev Initializing image Initializing nvram Initializing kernel Greenpois0n initialized