The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Making PwnageTool Bundles"
(→Patches) |
m |
||
(32 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
− | ==Creating the template Info.plist== |
+ | == Creating the template Info.plist == |
− | Remove all AES keys/IVs and hashes, replace with TODO |
+ | Remove all AES keys/IVs and hashes, replace with TODO |
+ | Also replace all .dmg filenames, SHA1 hash value and the rootfs volume name. |
||
− | ==Getting the AES keys== |
+ | == Getting the AES keys == |
+ | {{main|AES Keys#Using Greenpois0n to get the keys}} |
||
− | [[AES_Keys#Using_Greenpois0n_to_get_the_keys]] |
||
Put the keys into the Info.plist, replacing TODO entries |
Put the keys into the Info.plist, replacing TODO entries |
||
+ | |||
− | ==Decrypting IMG3 files== |
||
+ | == Decrypting IMG3 files == |
||
Use [[xpwntool]] to decrypt all img3 files: NOR, kernelcache and the restore ramdisk |
Use [[xpwntool]] to decrypt all img3 files: NOR, kernelcache and the restore ramdisk |
||
− | ==Decrypting the rootfs== |
||
− | #Use [[GenPass]] with decrypted [[Restore/Update Ramdisks|ramdisk]] to get the rootfs vfdecrypt key. |
||
− | #Decrypt the rootfs using [[vfdecrypt]], put the key and rootfs volume name into Info.plist |
||
+ | == Decrypting the RootFS == |
||
− | ==Patches== |
||
+ | #Use [[GenPass]] with decrypted [[Ramdisk]] to get the rootfs vfdecrypt key. |
||
+ | #Decrypt the rootfs using [[Firmware Keys|VFDecrypt]], put the key and rootfs volume name into Info.plist |
||
+ | |||
+ | == Patches == |
||
In most cases you can reuse the patches from a previous firmware version. |
In most cases you can reuse the patches from a previous firmware version. |
||
You can use the [https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/fuzzy_patcher/ fuzzy_patcher tool] for that. |
You can use the [https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/fuzzy_patcher/ fuzzy_patcher tool] for that. |
||
Line 17: | Line 20: | ||
fuzzy_patcher --diff --delta ''delta_file.json'' \ |
fuzzy_patcher --diff --delta ''delta_file.json'' \ |
||
--orig ''original_decrypted_file_vPrev'' \ |
--orig ''original_decrypted_file_vPrev'' \ |
||
− | --patched ''patched_decrypted_file_vPrev'' |
+ | --patched ''patched_decrypted_file_vPrev'' --verbose |
To apply the difference file to the current version: |
To apply the difference file to the current version: |
||
fuzzy_patcher --patch --delta ''delta_file.json'' \ |
fuzzy_patcher --patch --delta ''delta_file.json'' \ |
||
--orig ''original_decrypted_file'' \ |
--orig ''original_decrypted_file'' \ |
||
--patched ''patched_decrypted_file'' --fuzz 80 --verbose |
--patched ''patched_decrypted_file'' --fuzz 80 --verbose |
||
+ | You can lower the 'fuzzyness' level to apply lower confidence patches, but it's not a very good idea; you would usually want to inspect the file with IDA in such cases. |
||
− | ====ASR==== |
||
+ | ==== [[ASR]] ==== |
||
− | Patch [[wikipedia:Apple Software Restore|ASR]] from the [[Restore Ramdisk]], use [[Apple's Codesign Tool|codesign]] or [[ldid]] to fix up its code page hashes. |
||
+ | #Patch [[ASR]] from the [[Restore Ramdisk]] |
||
− | ASR can be patched by finding a xref to a string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7'. |
||
+ | #Fix its page hashes using codesign or ldid (see [[Bypassing iPhone Code Signatures]]). |
||
− | ====iBSS patches - special case==== |
||
+ | [[ASR]] can be patched by finding a xref to a string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7' (Thumb mode, instruction B (branch) to address -0x16 relative to opcode address). |
||
− | iBSS patch for bundles using user-mode untether exploit (or for tethered bundles) |
||
+ | ==== [[iBSS]] patches ==== |
||
+ | For noawadays [[limera1n Exploit|limera1n]]- based jailbreaks there are quite a bit patches: |
||
+ | # You need to patch the [[iBSS]] from every signature check or integrity check that is in it (Ramdisk signature, [[APTicket]]- see below, [[iBEC]] signatures etc.) |
||
+ | # [[APTicket]]- on 5.x.x+, the [[iBSS]] patches are slightly different. If you are using a stitched ipsw, where the img3 files are embded with the [[SHSH]] of the restored device and [[APTicket]] is included as "APTicket.img3" or "SCAB.img3" or old bootrom [[N88AP|3GS]] the iBSS needs to be patched out of its [[nonce]] creation. If you're patching a stock firmware the [[iBSS]] needs to still generate [[nonce]] but not check for [[APTicket]]'s validity or its match for the [[nonce]] created. |
||
+ | # iBSS patch for bundles using user-mode untether exploit (or for tethered bundles) |
||
kernelcache file is not patched in those bundles to allow untethered boot with intact NOR. Instead, kernelcache patches required to run the ramdisk are located in iBSS - an iBSS kernelcache_load function is patched to call a proc at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. |
kernelcache file is not patched in those bundles to allow untethered boot with intact NOR. Instead, kernelcache patches required to run the ramdisk are located in iBSS - an iBSS kernelcache_load function is patched to call a proc at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. |
||
− | You can use [ |
+ | You can use [https://github.com/msftguy/ios-jb-tools/tree/master/tools_src/ibss_kpatch/ iBSS KPatch] to add kernel patches to [[iBSS]]. This applies to all the recent jailbreaks (excluding old-bootrom [[N88AP]]). |
+ | |||
+ | == Creating BSDiffs == |
||
+ | Use [http://www.daemonology.net/bsdiff/ BSDiff] to create diffs by diffing '''unpacked''' original versus patched files. |
||
+ | Example: |
||
+ | bsdiff iBSS.k48ap.RELEASE.dfu.dec iBSS.k48ap.RELEASE.dfu.dec.patched iBSS.k48ap.RELEASE.patch |
||
+ | ==== LLB 24k exploit ==== |
||
+ | [[N72AP|iPod touch (2nd generation)]] and [[N88AP|iPhone 3GS]] utilize [[0x24000 Segment Overflow|a different bootrom exploit]], so the encrypted [[LLB]] and [[iBoot]] for these devices need patching. This requires ARM assembler knowledge and a software named IDA Pro. To extract the bootloader and disassemble using IDA, follow the following steps for IDA dissasembly (portarited on iBoot) |
||
+ | #obtain the bootloader from the iPSW. This file is in the <code>Firmware/all_flash</code> subdir, e.g. <code>Firmware/all_flash/all_flash.n81ap.production/iBoot.n81ap.RELEASE.img3</code>, where the "n81ap", "k90", etc.. are for the i-Device type |
||
+ | #run xpwntool with the proper key (from elsewhere in this Wiki) |
||
+ | #Make sure the decryption was successful - if it is, you should see: |
||
+ | "iBoot for ...., Copyright 2012, Apple Inc." |
||
+ | if you cat (i.e. type) the file. |
||
+ | #<li value="4">remove the img3 header - the good stuff starts at offset 0x40 (i.e. 64) - using dd (skip=1 bs=64) or some other tool |
||
+ | #Load in IDA. Set processor to ARM. Rebase program (Edit→Segments→Rebase Program) to 0x5FF00000 (for iBoot in iOS 5). You should see something like: |
||
+ | |||
+ | <pre> |
||
+ | ROM:5FF00000 loc_5FF00000 ; CODE XREF: ROM:5FF00078�j |
||
+ | ROM:5FF00000 B loc_5FF00040 ; Used for Reset - This is where we start |
||
+ | ROM:5FF00004 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00004 LDR PC, =sub_5FF16FB4 ; Used for Undef |
||
+ | ROM:5FF00008 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00008 LDR PC, =sub_5FF16FEC ; Used for SWI |
||
+ | ROM:5FF0000C ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF0000C LDR PC, =sub_5FF17024 ; Used for Prefabt |
||
+ | ROM:5FF00010 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00010 LDR PC, =sub_5FF17060 ; Used for DataAbt |
||
+ | ROM:5FF00014 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00014 LDR PC, =loc_5FF17098 ; Used for AddrExc |
||
+ | ROM:5FF00018 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00018 LDR PC, =loc_5FF16F24 ; Used for IRQ |
||
+ | ROM:5FF0001C ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF0001C LDR PC, =sub_5FF16F6C ; Probably FIQ, need to verify this |
||
+ | ROM:5FF00020 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00020 SVCPL 0xF00040 |
||
+ | ROM:5FF00020 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00024 off_5FF00024 DCD sub_5FF16FB4 ; DATA XREF: ROM:5FF00004�r |
||
+ | ROM:5FF00028 off_5FF00028 DCD sub_5FF16FEC ; DATA XREF: ROM:5FF00008�r |
||
+ | ROM:5FF0002C off_5FF0002C DCD sub_5FF17024 ; DATA XREF: ROM:5FF0000C�r |
||
+ | ROM:5FF00030 off_5FF00030 DCD sub_5FF17060 ; DATA XREF: ROM:5FF00010�r |
||
+ | ROM:5FF00034 off_5FF00034 DCD loc_5FF17098 ; DATA XREF: ROM:5FF00014�r |
||
+ | ROM:5FF00038 off_5FF00038 DCD loc_5FF16F24 ; DATA XREF: ROM:5FF00018�r |
||
+ | ROM:5FF0003C off_5FF0003C DCD sub_5FF16F6C ; DATA XREF: ROM:5FF0001C�r |
||
+ | ROM:5FF00040 ; --------------------------------------------------------------------------- |
||
+ | ROM:5FF00040 |
||
+ | ROM:5FF00040 loc_5FF00040 ; CODE XREF: ROM:loc_5FF00000�j |
||
+ | ROM:5FF00040 ADR R0, loc_5FF00000 <-- The address we rebased to |
||
+ | ROM:5FF00044 LDR R1, =loc_5FF00000 |
||
+ | ROM:5FF00048 CMP R0, R1 |
||
+ | ROM:5FF0004C CMP R0, R1 |
||
+ | ROM:5FF00050 BEQ loc_5FF0007C |
||
+ | ... |
||
+ | ... |
||
+ | ROM:5FF000E8 loc_5FF000E8 ; CODE XREF: ROM:5FF000F0�j |
||
+ | ROM:5FF000E8 CMP R0, R1 |
||
+ | ROM:5FF000EC STRLT R2, [R0],#4 |
||
+ | ROM:5FF000F0 BLT loc_5FF000E8 |
||
+ | ROM:5FF000F4 LDR R0, =(_ibootStart+1) |
||
+ | ROM:5FF000F8 MOV LR, PC |
||
+ | ROM:5FF000FC BX R0 ; _ibootStart |
||
+ | ROM:5FF00100 |
||
+ | ROM:5FF00100 loc_5FF00100 ; CODE XREF: ROM:loc_5FF00100�j |
||
+ | ROM:5FF00100 B loc_5FF00100 |
||
+ | |||
+ | </pre> |
||
+ | |||
+ | Where iBootStart (not the official Apple Symbol, of course) can be seen at: |
||
+ | |||
+ | <pre> |
||
+ | ROM:5FF00BA4 _ibootStart ; CODE XREF: ROM:5FF000FC�p |
||
+ | ROM:5FF00BA4 ; DATA XREF: ROM:5FF000F4�o ... |
||
+ | ROM:5FF00BA4 PUSH {R7,LR} |
||
+ | ROM:5FF00BA6 MOV R7, SP |
||
+ | ROM:5FF00BA8 LDR R0, =aIbootStart ; "\niBoot start\n" |
||
+ | ROM:5FF00BAA BL loc_5FF233C4 |
||
+ | ROM:5FF00BAE MOVS R0, #0 |
||
+ | ROM:5FF00BB0 BL loc_5FF16E54 |
||
+ | ROM:5FF00BB4 BL loc_5FF1570C |
||
+ | ROM:5FF00BB8 BL loc_5FF143A8 |
||
+ | ROM:5FF00BBC BL unk_5FF15264 |
||
+ | ROM:5FF00BC0 LDR R0, =aMain ; "main" |
||
+ | .. |
||
+ | </pre> |
||
+ | |||
+ | You need to patch the LLB and iBoot out of every signature check, [[APTicket]] check and the match of each other. |
||
+ | |||
+ | To put the file back in the ipsw you need to recontain the file in the img3 container (returning the img3 header) and puting back the file in it's original place in the ipsw. |
||
+ | |||
+ | |||
+ | you need to load the exploit using the [[XPwn|xpwntool]] option "-x24k" (for [[N72AP|iPod touch (2nd generation)]]) or "-xn8824k" (for [[N88AP|iPhone 3GS]]) on the LLB. |
||
+ | Example: |
||
+ | xpwntool LLB.n88ap.RELEASE.img3.dec LLB.n88ap.RELEASE.img3.dec.patched \ |
||
+ | -t LLB.n88ap.RELEASE.img3 -xn8824k -iv ''replace_with_iv'' \ |
||
+ | -k ''replace_with_key'' |
||
+ | Then bsdiff the '''encrypted''' files. |
||
+ | |||
+ | == Fixing the ipsw file hash == |
||
+ | Run shasum on the original ipsw, paste the result to the 'SHA1' field. |
||
+ | [[Category:Tutorials]] |
||
− | ==Creating BSDiffs== |
||
− | Use [http://www.daemonology.net/bsdiff/ bsdiff] to create diffs by diffing unpacked original versus patched files. [[N72ap|iPod touch 2G]] and [[N88ap|iPhone 3GS]] utilize [[0x24000 Segment Overflow|a different bootrom exploit]], so the encrypted [[LLB]] for these devices need patching, using the [[XPwn|xpwntool]] option "-x24k" (for [[N72ap|iPod touch 2G]]) or "-xn8824k" (for [[N88ap|iPhone 3GS]]) to patch the file. |
Latest revision as of 09:33, 26 March 2017
Contents
Creating the template Info.plist
Remove all AES keys/IVs and hashes, replace with TODO Also replace all .dmg filenames, SHA1 hash value and the rootfs volume name.
Getting the AES keys
- Main article: AES Keys#Using Greenpois0n to get the keys
Put the keys into the Info.plist, replacing TODO entries
Decrypting IMG3 files
Use xpwntool to decrypt all img3 files: NOR, kernelcache and the restore ramdisk
Decrypting the RootFS
- Use GenPass with decrypted Ramdisk to get the rootfs vfdecrypt key.
- Decrypt the rootfs using VFDecrypt, put the key and rootfs volume name into Info.plist
Patches
In most cases you can reuse the patches from a previous firmware version. You can use the fuzzy_patcher tool for that. To extract differences from the previous version of files:
fuzzy_patcher --diff --delta delta_file.json \ --orig original_decrypted_file_vPrev \ --patched patched_decrypted_file_vPrev --verbose
To apply the difference file to the current version:
fuzzy_patcher --patch --delta delta_file.json \ --orig original_decrypted_file \ --patched patched_decrypted_file --fuzz 80 --verbose
You can lower the 'fuzzyness' level to apply lower confidence patches, but it's not a very good idea; you would usually want to inspect the file with IDA in such cases.
ASR
- Patch ASR from the Restore Ramdisk
- Fix its page hashes using codesign or ldid (see Bypassing iPhone Code Signatures).
ASR can be patched by finding a xref to a string "Image failed signature verification" and patching the first instruction at the preceding label to branch to the previous label, which is the success case "Image passed signature verification". On ARMv7 this branch is usually 'F3 E7' (Thumb mode, instruction B (branch) to address -0x16 relative to opcode address).
iBSS patches
For noawadays limera1n- based jailbreaks there are quite a bit patches:
- You need to patch the iBSS from every signature check or integrity check that is in it (Ramdisk signature, APTicket- see below, iBEC signatures etc.)
- APTicket- on 5.x.x+, the iBSS patches are slightly different. If you are using a stitched ipsw, where the img3 files are embded with the SHSH of the restored device and APTicket is included as "APTicket.img3" or "SCAB.img3" or old bootrom 3GS the iBSS needs to be patched out of its nonce creation. If you're patching a stock firmware the iBSS needs to still generate nonce but not check for APTicket's validity or its match for the nonce created.
- iBSS patch for bundles using user-mode untether exploit (or for tethered bundles)
kernelcache file is not patched in those bundles to allow untethered boot with intact NOR. Instead, kernelcache patches required to run the ramdisk are located in iBSS - an iBSS kernelcache_load function is patched to call a proc at ibss_base+0xFC that patches the decrypted and unpacked kernel in memory. You can use iBSS KPatch to add kernel patches to iBSS. This applies to all the recent jailbreaks (excluding old-bootrom N88AP).
Creating BSDiffs
Use BSDiff to create diffs by diffing unpacked original versus patched files. Example:
bsdiff iBSS.k48ap.RELEASE.dfu.dec iBSS.k48ap.RELEASE.dfu.dec.patched iBSS.k48ap.RELEASE.patch
LLB 24k exploit
iPod touch (2nd generation) and iPhone 3GS utilize a different bootrom exploit, so the encrypted LLB and iBoot for these devices need patching. This requires ARM assembler knowledge and a software named IDA Pro. To extract the bootloader and disassemble using IDA, follow the following steps for IDA dissasembly (portarited on iBoot)
- obtain the bootloader from the iPSW. This file is in the
Firmware/all_flash
subdir, e.g.Firmware/all_flash/all_flash.n81ap.production/iBoot.n81ap.RELEASE.img3
, where the "n81ap", "k90", etc.. are for the i-Device type - run xpwntool with the proper key (from elsewhere in this Wiki)
- Make sure the decryption was successful - if it is, you should see:
"iBoot for ...., Copyright 2012, Apple Inc."
if you cat (i.e. type) the file.
- remove the img3 header - the good stuff starts at offset 0x40 (i.e. 64) - using dd (skip=1 bs=64) or some other tool
- Load in IDA. Set processor to ARM. Rebase program (Edit→Segments→Rebase Program) to 0x5FF00000 (for iBoot in iOS 5). You should see something like:
ROM:5FF00000 loc_5FF00000 ; CODE XREF: ROM:5FF00078�j ROM:5FF00000 B loc_5FF00040 ; Used for Reset - This is where we start ROM:5FF00004 ; --------------------------------------------------------------------------- ROM:5FF00004 LDR PC, =sub_5FF16FB4 ; Used for Undef ROM:5FF00008 ; --------------------------------------------------------------------------- ROM:5FF00008 LDR PC, =sub_5FF16FEC ; Used for SWI ROM:5FF0000C ; --------------------------------------------------------------------------- ROM:5FF0000C LDR PC, =sub_5FF17024 ; Used for Prefabt ROM:5FF00010 ; --------------------------------------------------------------------------- ROM:5FF00010 LDR PC, =sub_5FF17060 ; Used for DataAbt ROM:5FF00014 ; --------------------------------------------------------------------------- ROM:5FF00014 LDR PC, =loc_5FF17098 ; Used for AddrExc ROM:5FF00018 ; --------------------------------------------------------------------------- ROM:5FF00018 LDR PC, =loc_5FF16F24 ; Used for IRQ ROM:5FF0001C ; --------------------------------------------------------------------------- ROM:5FF0001C LDR PC, =sub_5FF16F6C ; Probably FIQ, need to verify this ROM:5FF00020 ; --------------------------------------------------------------------------- ROM:5FF00020 SVCPL 0xF00040 ROM:5FF00020 ; --------------------------------------------------------------------------- ROM:5FF00024 off_5FF00024 DCD sub_5FF16FB4 ; DATA XREF: ROM:5FF00004�r ROM:5FF00028 off_5FF00028 DCD sub_5FF16FEC ; DATA XREF: ROM:5FF00008�r ROM:5FF0002C off_5FF0002C DCD sub_5FF17024 ; DATA XREF: ROM:5FF0000C�r ROM:5FF00030 off_5FF00030 DCD sub_5FF17060 ; DATA XREF: ROM:5FF00010�r ROM:5FF00034 off_5FF00034 DCD loc_5FF17098 ; DATA XREF: ROM:5FF00014�r ROM:5FF00038 off_5FF00038 DCD loc_5FF16F24 ; DATA XREF: ROM:5FF00018�r ROM:5FF0003C off_5FF0003C DCD sub_5FF16F6C ; DATA XREF: ROM:5FF0001C�r ROM:5FF00040 ; --------------------------------------------------------------------------- ROM:5FF00040 ROM:5FF00040 loc_5FF00040 ; CODE XREF: ROM:loc_5FF00000�j ROM:5FF00040 ADR R0, loc_5FF00000 <-- The address we rebased to ROM:5FF00044 LDR R1, =loc_5FF00000 ROM:5FF00048 CMP R0, R1 ROM:5FF0004C CMP R0, R1 ROM:5FF00050 BEQ loc_5FF0007C ... ... ROM:5FF000E8 loc_5FF000E8 ; CODE XREF: ROM:5FF000F0�j ROM:5FF000E8 CMP R0, R1 ROM:5FF000EC STRLT R2, [R0],#4 ROM:5FF000F0 BLT loc_5FF000E8 ROM:5FF000F4 LDR R0, =(_ibootStart+1) ROM:5FF000F8 MOV LR, PC ROM:5FF000FC BX R0 ; _ibootStart ROM:5FF00100 ROM:5FF00100 loc_5FF00100 ; CODE XREF: ROM:loc_5FF00100�j ROM:5FF00100 B loc_5FF00100
Where iBootStart (not the official Apple Symbol, of course) can be seen at:
ROM:5FF00BA4 _ibootStart ; CODE XREF: ROM:5FF000FC�p ROM:5FF00BA4 ; DATA XREF: ROM:5FF000F4�o ... ROM:5FF00BA4 PUSH {R7,LR} ROM:5FF00BA6 MOV R7, SP ROM:5FF00BA8 LDR R0, =aIbootStart ; "\niBoot start\n" ROM:5FF00BAA BL loc_5FF233C4 ROM:5FF00BAE MOVS R0, #0 ROM:5FF00BB0 BL loc_5FF16E54 ROM:5FF00BB4 BL loc_5FF1570C ROM:5FF00BB8 BL loc_5FF143A8 ROM:5FF00BBC BL unk_5FF15264 ROM:5FF00BC0 LDR R0, =aMain ; "main" ..
You need to patch the LLB and iBoot out of every signature check, APTicket check and the match of each other.
To put the file back in the ipsw you need to recontain the file in the img3 container (returning the img3 header) and puting back the file in it's original place in the ipsw.
you need to load the exploit using the xpwntool option "-x24k" (for iPod touch (2nd generation)) or "-xn8824k" (for iPhone 3GS) on the LLB.
Example:
xpwntool LLB.n88ap.RELEASE.img3.dec LLB.n88ap.RELEASE.img3.dec.patched \ -t LLB.n88ap.RELEASE.img3 -xn8824k -iv replace_with_iv \ -k replace_with_key
Then bsdiff the encrypted files.
Fixing the ipsw file hash
Run shasum on the original ipsw, paste the result to the 'SHA1' field.