Difference between revisions of "Talk:Bootrom Dumper Utility"
(52 intermediate revisions by 14 users not shown)
If anyone gets it working for [[N72AP|iPod touch 2G]], let me know. I am trying to work on it, but not much spare time --[[User:JacobVengeance|JacobVengeance (JakeAnthraX)]] 07:27, 23 December 2010 (UTC)
:[https://github.com/liamchat/Bootrom-Dumper/tree/master/stake4uce my fork] should work --[[User:Liamchat|liamchat]] 16:27, 24 December 2010 (UTC)

:You can also use the current [[N72AP|iPod touch 2G]] [[OpeniBoot]] [https://github.com/kleemajo/openiBoot link]. The bootrom is at 0x20000000 on the 2G touch --[[User:Kleemajo|Kleemajo]] 01:02, 26 December 2010 (UTC)
::I ended up making my own very crappy [[steaks4uce]] version to dump it. I didn't realize you made a version, liam, nice job. Also, where did you guys get your ARM toolchain? The one I use keeps breaking and giving me errors lately. --[[User:JacobVengeance|JacobVengeance (JakeAnthraX)]] 03:38, 29 December 2010 (UTC)
:::i use ''<code>sudo port install arm-elf-binutils</code>'' and ''<code>sudo port install arm-elf-gcc</code>'' --[[User:Liamchat|liamchat]] 10:56, 29 December 2010 (UTC)

::::Using that I just get errors when compiling everything. I had it working on my last setup when I wrote my crappy steaks4uce method, but now it isn't working. I will figure it out sooner or later. Thanks anyways. --[[User:JacobVengeance|JacobVengeance (JakeAnthraX)]] 22:45, 29 December 2010 (UTC)

::hey liam, when I try running this on linux i get <code>84 00 00 00 05 00 00 00 80 00 00 00 80 62 02 22 FF FF FF FF 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 02 00 00 00 01 38 02 22 90 D7 02 22</code> and then the rest of it gets filled with nulls until the next 0x800 bytes start :( [[User:Revolution|Revolution]] 19:02, 19 February 2011 (UTC)

:::use toolchain.txt from openiboot, it works perfect --[[User:Posixninja|posixninja]] 23:41, 29 December 2010 (UTC)

::::using the OpeniBoot toolchain results in the following error: ''Failed to build GCC part 1 (stage: gcc_build)'', but the precompiled one works fine. (See below)
:::::<code>cd /tmp</code>
:::::<code>curl -O -C - http://www.mikrocontroller.net/download/arm-toolchain-macosx-intel-2.tar.bz2</code>
:::::<code>tar xjvf arm-toolchain-macosx-intel-2.tar.bz2</code>
:::::<code>sudo mv arm /usr/local/</code>
:::::<code>echo 'export PATH=/usr/local/arm/bin:$PATH' >> ~/.profile</code>
:::::--[[User:Markcoker|Blue Skies]] ([[User talk:Markcoker|talk]]) 14:54, 11 July 2016 (UTC)

:::run:
::::''<code>sudo apt-get install libusb-1.0-0 libusb-1.0-0-dev libreadline6-dev readline-common libreadline6 libreadline-dev texinfo cmake git-core build-essential libssl-dev libpng12-dev libusb-dev autoconf automake libnewlib-dev</code>'' [[Image:Return.png|15px]] Return
::::''<code>sudo build-toolchain.sh</code>'' [[Image:Return.png|15px]] Return
:::for linux
:::--[[User:Liamchat|liamchat]] 01:35, 20 February 2011 (UTC)

::::um liam, I did that... on line 145 you need to make that specified for macosx only, well at least that's what pod2g's version did... try building it on linux. [[User:Revolution|Revolution]] 16:51, 20 February 2011 (UTC)

::::i fixed the error, there does not need to be any specific platform support for [[usb control msg(0xA1, 1) Exploit|stake]] or [[pwnage2]]. i think there is a better way using [http://www.beyondlogic.org/usbnutshell/usb5.shtml USB Descriptors] --[[User:Liamchat|liamchat]] 00:02, 21 February 2011 (UTC)

::::: I just tried your new version. It still doesn't work. i managed to dump the bootrom with openiboot but yeah. here is the dump your ipod produces. it contains no copyrighted code so i'll paste it here. [http://www.mediafire.com/?um4gz4ga00v067a] [[User:Revolution|Revolution]] 21:11, 24 February 2011 (UTC)

:::::: None of his things will work, I can promise you that. He doesn't know what he is doing. --[[User:JacobVengeance|JacobVengeance (JakeAnthraX)]] 00:22, 25 February 2011 (UTC)

:::::::i have edited it again, however i can't the usb wait for image call offset. i originally thought it was the [https://github.com/Chronic-Dev/syringe/blob/master/syringe/exploits/steaks4uce/steaks4uce.S#L30 usb wait for image offset] from syringe. --[[User:Liamchat|liamchat]] 20:41, 7 March 2011 (UTC)

:::::::: I am getting an ''arm-elf-as: No such file or directory'' error on OSX Lion. Do I need to get the full toolchain compiled or can I get this working with Xcode (for iOS) somehow with less hassle? --[[User:M2m|M2m]] 04:22, 3 January 2012 (MST)

::::::::I believe you will need the arm toolkit. --[[User:Markcoker|Blue Skies]] ([[User talk:Markcoker|talk]]) 14:27, 11 July 2016 (UTC)
== VMware + Windows ==

anyone tried this on vmware + windows? can't make it work. tried on [[N90AP|iPhone 4]] & [[N18AP|iPod touch 3G]] -- [[User:Paul0|paulzero]] 10:38, 13 February 2011 (UTC)

:it's the [[limera1n]] exploit. it does not work through a vm --[[User:Liamchat|liamchat]] 14:45, 13 February 2011 (UTC)

== A5 devices ==

Can we use this tool to dump A5 devices? --[[User:XiiiX|XiiiX]] 12:28, 2 January 2012 (MST)

:Not until there is a jailbreak for A5 devices. --[[User:M2m|M2m]] 12:51, 2 January 2012 (MST)

:No. Limera1n doesn't work on A5 devices. --[[User:Http|http]] 13:04, 2 January 2012 (MST)

::This tool is kind of nonsense, then. To dump already hacked bootroms? --[[User:XiiiX|XiiiX]] 14:21, 2 January 2012 (MST)

:::No. Not really. You may find an exploit outside the bootrom which leads to a jailbreak, which you can use to dump the bootrom, which can help you to find exploits in the bootrom for later jailbreaks. Jailbreaks based on bootrom exploits can only be fixed with new hardware. --[[User:M2m|M2m]] 15:28, 2 January 2012 (MST)

:::There is no such thing as a "hacked BootROM". We cannot change the contents of the BootROM. Note "ROM" - Read Only Memory. -SquiffyPwn 17:10, 2 January 2012 (CST)

::::That's a better explanation. So we don't need a bootrom jailbreak to use this, just a user-land one could work? Why is a jailbreak necessary to dump the bootrom? We need the offsets? --[[User:XiiiX|XiiiX]] 16:09, 2 January 2012 (MST)

Do you know what a dump is? A dump is a copy. To use this tool you MUST have a BootROM exploit; look at the source code, it sends the exploit to allow access to the read-only BootROM memory. Userland exploit here? What offsets? ~zmaster

== Compatibility with older devices ==

I looked at payload.s; apparently, everything is in place for older devices (e.g., 0x8b7 for basically every old device). I can't check the actual BDU application, but I'd think it was updated with code needed for older devices as well. Can anyone confirm this? --[[User:Rdqronos|rdqronos]] 14:33, 3 January 2012 (MST)

:Can't get it working with an iPhone 3G with the following values:

 EXPLOIT_LR 0x22000000
 LOADADDR_SIZE 0x24000
 RET_ADDR 0x8b7

:Output looks OK:

 sudo ./bdu
 ______ Bootrom Dumper Utility (BDU) 1.0 ______
 
 (c) pod2g october 2010
 
 [.] Now executing arbitrary code using geohot's limera1n...
 sent data to copy: 800
 padded to 0x84023000
 sent shellcode: 800 has real length 48
 never freed: 800
 sent exploit to heap overflow: FFFFFFF9
 [.] Dump payload started.
 [.] Now dumping bootrom to file bootrom.bin...

:But I get a zero sized (empty) bootrom.bin. --[[User:M2m|M2m]] 02:17, 4 January 2012 (MST)

::So it can read the BootROM, but not dump it. Okay. --[[User:Rdqronos|rdqronos]] 13:04, 4 January 2012 (MST)

:::Not sure if it can be read correctly or not. --[[User:M2m|M2m]] 17:16, 4 January 2012 (MST)

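Two bad outcomes come up in this thread: Revolution's dump where each 0x800-byte piece carries a short header and then nothing but nulls, and M2m's zero-sized bootrom.bin. The script below is an added example (not BDU code and not from anyone posting here) that reads a dump file and reports which of those shapes it has, so a reader can tell a usable dump from a padded or empty one before digging into offsets. The 0x800 piece size, the 64-byte "header-only" threshold and the sample inputs are constructed assumptions; the sample header bytes are copied verbatim from Revolution's post and are not interpreted.

```python
"""Sanity-check a raw bootrom dump file (bootrom.bin).

Added example; not code from the Bootrom Dumper Utility or from anyone in
this thread.  It reports the two bad shapes described above: a zero-sized
file, and a file where each 0x800-byte piece holds a few dozen bytes and
then NUL padding.  BLOCK, HEADER_LEN and the sample builders are
constructed assumptions for illustration.
"""
import random
import sys
from collections import Counter

BLOCK = 0x800      # assumed piece size: the thread says padding runs "until the next 0x800 bytes"
HEADER_LEN = 64    # assumed threshold: data confined to the first 64 bytes counts as header-only

# Constructed sample header: the 56 bytes quoted in Revolution's post,
# copied verbatim and not interpreted here.
THREAD_HEADER = bytes.fromhex(
    "84000000050000008000000080620222ffffffff0000000000010000"
    "00000000000000000000000015000000020000000138022290d70222"
)


def classify_chunk(chunk: bytes, header_len: int = HEADER_LEN) -> str:
    """Label a chunk by the position of its last non-NUL byte."""
    used = len(chunk.rstrip(b"\x00"))  # 1 + index of the last non-NUL byte, 0 if none
    if used == 0:
        return "null"
    if used <= header_len:
        return "header-only"
    return "populated"


def analyse_dump(data: bytes, block: int = BLOCK) -> dict:
    """Summarise a dump: size, chunk classes, repeated-header flag and a verdict."""
    if not data:
        return {"size": 0, "blocks": 0, "counts": {}, "repeated_header": False,
                "verdict": "empty"}
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    counts = Counter(classify_chunk(c) for c in chunks)
    # The same leading bytes in every non-empty chunk suggests one short reply
    # was written over and over rather than successive slices of the ROM.
    heads = {c[:16] for c in chunks if classify_chunk(c) != "null"}
    repeated_header = len(chunks) > 1 and len(heads) == 1
    if counts["null"] == len(chunks):
        verdict = "all NUL"
    elif counts["populated"] == 0:
        verdict = "headers only, remainder NUL padding"
    else:
        verdict = "populated"
    return {"size": len(data), "blocks": len(chunks), "counts": dict(counts),
            "repeated_header": repeated_header, "verdict": verdict}


def build_padded_dump(chunks: int = 4) -> bytes:
    """Constructed bad dump: the quoted header then NULs, repeated per chunk."""
    return (THREAD_HEADER + b"\x00" * (BLOCK - len(THREAD_HEADER))) * chunks


def build_populated_dump(chunks: int = 4) -> bytes:
    """Constructed good-looking dump: deterministic pseudo-random filler."""
    rng = random.Random(1)
    return bytes(rng.randrange(256) for _ in range(BLOCK * chunks))


def main(argv: list) -> int:
    """Analyse the file named on the command line, or the constructed bad dump."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_padded_dump()
    report = analyse_dump(data)
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0 if report["verdict"] == "populated" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as <code>python3 check_dump.py bootrom.bin</code>; with no argument it analyses the constructed padded sample. A non-zero exit status means the file is empty, all NUL, or header-only, and the <code>repeated_header</code> flag is the tell-tale for the case Revolution describes, where every piece starts with the same bytes instead of a different slice of the ROM.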
+ | |||
+ | == Working on OSX? == |
||
+ | |||
+ | Did anybody get this working on OSX? I could compile the payload.bin and tried with both the included binary and also with the recompiled one on a MacMini OSX 10.6.8 with an iPhone 4 (with iOS 5.0.1), libusb 1.0.8 is installed. I also tried with a 3GS and the forked code (just uses the different offsets). In all cases I always get "device stalled" and the bdu terminates. I know it worked on Linux for others, but anybody had success on OSX yet? I'm not sure where to start debugging, as I'm not a Mac user. -- [[User:Http|http]] 16:36, 11 January 2012 (MST) |
||
+ | : I compiled it under OSX Lion and can also run it but I only get a zero sized dump. May or may not be a problem of the program & Lion or that I only have iPhone2G & 3G to test.--[[User:M2m|M2m]] 04:15, 12 January 2012 (MST) |
||
+ | |||
+ | == Dumping 3GS bootrom from OSX 10.7.2 == |
||
+ | |||
+ | sudo ./bdu |
||
+ | ______ Bootrom Dumper Utility (BDU) 1.0 ______ |
||
+ | |||
+ | (c) pod2g october 2010 |
||
+ | |||
+ | [.] Now executing arbitrary code using geohot's limera1n... |
||
+ | sent data to copy: 800 |
||
+ | padded to 0x84023000 |
||
+ | sent shellcode: 800 has real length 48 |
||
+ | never freed: 800 |
||
+ | sent exploit to heap overflow: FFFFFFF9 |
||
+ | [.] Dump payload started. |
||
+ | [.] Now dumping bootrom to file bootrom.bin... |
||
+ | Segmentation fault: 11 |
||
+ | |||
+ | |||
+ | Any ideas? I've changed all the offsets to the ones in the wiki and yet still no success. |
||
+ | :Try the unchanged version on a compatible device first. Also try the included precompiled executable. If it still doesn't work, try on Linux first. Post an update on how that went. -- [[User:Http|http]] 05:06, 20 January 2012 (MST) |
Latest revision as of 09:53, 29 March 2017