Difference between revisions of "Talk:IDA Pro Setup"

From The iPhone Wiki
Jump to: navigation, search
(re: into ida)
(Sign your talk page entries, folks! (Also removed the "update please" headers and duplicate entries.))
 
(16 intermediate revisions by 8 users not shown)
Line 1: Line 1:
  +
==More instructions==
prereqs.: IDA Pro Advanced, baseband files
 
  +
It could be great if someone writes more instructions for the other basebands and models.. I tried with the instruction for 3G baseband in 3gs 5.12.01 baseband and I got an error in IDA Pro...
  +
--[[User:L0g0|L0g0]] 18:54, 29 July 2010 (UTC)
   
  +
Thank you all for contributing. -caique2001-
wanted: Howto load these files correctly into IDA
 
   
  +
==Please update!==
'''Anybody to give this information here?''' TIA -caique2001-
 
  +
Hi! I'm a n00b trying to learn a way to discover vulnerabilities in baseband 05.12.01 ... but this article needs an update... please, someone update it , also it could help me to help you xD
  +
Also, there is no tutorial on how to find a way to jailbreak, and there arent well documented all the actually available jailbreaks...
   
  +
--[[User:L0g0|L0g0]] 06:21, 28 June 2010 (UTC)
== into ida ==
 
I suggest you look more into IDA Pro, see how things work. you may not be ready for a baseband yet.
 
   
  +
http://www.theiphonewiki.com/wiki/index.php?title=Greenpois0n
the most important thing you need is the address. for example, i knew the iBoot was at 0x18000000 because at the beginning there is a routine to look if it is there and relocate it if not. also it has many references to 0x1800000 throughout the file.
 
   
  +
use the greenpois0n utilities. [[User:Leobruh|Leobruh]] 07:34, 28 June 2010 (UTC)!
Here are some key combinations to use:
 
c = turn the 'gibberish' into code
 
d = turn the 'gibberish' into data
 
a = turn the 'gibberish' into a string
 
u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
 
Alt+G = change the 0 to a 1 to switch to thumb mode when needed
 
   
  +
This page is correct and doesnt need an update. You need to read up on exploits if you want to make jailbreaks. Lately buffer based overflows have been used the most. Google it, Wikipedia it and understand what exploits are. Use IDA next. As for a tutorial, let me write one for you: 1. Find a function which can be exploited to run usercode, 2. Insert code to edit/overwrite fstab to
really i feel that you should do some more research on ARM and IDA Pro because a wiki article would not be enough to fully explain it
 
  +
mount (all) disks as read/write, instead of read-only. Optional 3. Transfer cydia.app. Done.
   
  +
- toomuchjames
== re: into ida ==
 
I roughly know how ida works and what the keys are. I think there are some people that have already setup the right values for reversing the baseband. So what I want to see here is just a quick intro to set up the project (segments, fileoffsets, changed options, entry points and so on), not how to use ida. This should almost fit into your article above, just counting words ;-)
 
   
  +
Hi, could anyone explain, how to dump the bootrom (iPod Touch 2G MC). Thank you {{unsigned|Kubatek94|11:42, June 28, 2010}}
Yea, but if you don't understand how to get those numbers, you'll be pretty useless as a reverser. Not to discourage, but the numbers really aren't that hard to get. Look at the memory map I posted. All the information you need is here. ~geohot
 
   
  +
== help ==
Probably I missed something in the constitution, just to cite: "Let's document this device better than anyone at apple knows it." Fact is, you and some other people know how to set up the IDA project. If now, someother people, including me (btw. my first reversing was a CP/M in 1986), don't know how to set up it, one thing is clear: It's not documented. So if you guys reply to my request "this isn't hard to get", this actually means "it isn't hard to get for us" (1st) and "we _don't_want_ to document it" (2nd). This is against the constitution set up by yourselves! Should we change the constitution? My (tongue in cheek) proposal: "This pseudo wiki is intended for <fill in names here> to absorb knowledge. Everybody is invited to give us knowledge..." - The world could be that easy: Just give those people that lack some knowlegde a chance!!! And don't mistake knowledge with qualification. -caique2001-
 
   
  +
where do I get the baseband fls file??? {{unsigned|L0g0|09:09, July 26, 2010}}
geohot's claim that you are "useless" as a reverser unless you can figure out the loading offsets from the .fls files is certainly untrue. -- MuscleNerd
 
   
  +
Decrypt the root filesystem dmg, and look in /usr/local/standalone/firmware or similar. ~toomuchjames
== offsets ==
 
For example, if you look into ICE2_01.45 using a hex editor, you will see starting 0x634 there contains the memory maps. It started at 0x20000000 and ends at 0x21000000 with sections in between doing its own thing. The code/data in the .fls starts at 0xCF8 indicated by location 0xCF4. The length of the code is indicated by the location at 0xCEC which amounts to 0x5E9E18.
 
 
So, you may want to load the data in the .fls file from 0xCF8 to 0X5EAB0F at offset 0x20000000 in IDA pro.
 
 
-- CPICH
 
 
Hey, you speak my language :-) Thanks -caique2001- My next problem is, I don't know the entry point. And I get a lot of decompile errors... Mhhh, it's an ARM926 what means its target should be just "ARM"? - '''I am so dumb, please feed my empty brain ;-) ''' -caique2001-
 

Latest revision as of 15:26, 13 August 2010

More instructions

It could be great if someone writes more instructions for the other basebands and models.. I tried with the instruction for 3G baseband in 3gs 5.12.01 baseband and I got an error in IDA Pro... --L0g0 18:54, 29 July 2010 (UTC)

Thank you all for contributing. -caique2001-

Please update!

Hi! I'm a n00b trying to learn a way to discover vulnerabilities in baseband 05.12.01 ... but this article needs an update... please, someone update it , also it could help me to help you xD Also, there is no tutorial on how to find a way to jailbreak, and there arent well documented all the actually available jailbreaks...

--L0g0 06:21, 28 June 2010 (UTC)

http://www.theiphonewiki.com/wiki/index.php?title=Greenpois0n

use the greenpois0n utilities. Leobruh 07:34, 28 June 2010 (UTC)!

This page is correct and doesnt need an update. You need to read up on exploits if you want to make jailbreaks. Lately buffer based overflows have been used the most. Google it, Wikipedia it and understand what exploits are. Use IDA next. As for a tutorial, let me write one for you: 1. Find a function which can be exploited to run usercode, 2. Insert code to edit/overwrite fstab to mount (all) disks as read/write, instead of read-only. Optional 3. Transfer cydia.app. Done.

- toomuchjames

Hi, could anyone explain, how to dump the bootrom (iPod Touch 2G MC). Thank you --The preceding unsigned comment was added by Kubatek94 (talk) 11:42, June 28, 2010. Please consult this page for more info on how to sign pages, and how to fix this.

help

where do I get the baseband fls file??? --The preceding unsigned comment was added by L0g0 (talk) 09:09, July 26, 2010. Please consult this page for more info on how to sign pages, and how to fix this.

Decrypt the root filesystem dmg, and look in /usr/local/standalone/firmware or similar. ~toomuchjames