Difference between revisions of "0x24000 Segment Overflow"

From The iPhone Wiki
(New page: Also known by its codename, "24kPwn", this was the first exploit in the S5L8720 that allowed us to bypass the bootrom signature checks on LLB and create what is known as an [[unte...)

(removed old info)

==Prerequisites==

Because files sent over USB have a size limitation, one prerequisite is the ability to flash the [[NOR]] unsigned.

Section removed by this revision:

==Current Implementation==

* [[PwnageTool]]
* [[QuickPwn]]
* [[24k.c]]

In the implementation that we used and gave to [[the dev team]] to implement in their [[PwnageTool]] and [[QuickPwn]], the payload puts the original value back at 0x20, puts the original address of Data Input Register 1 back into the SHA1 hardware address array, and returns straight to the code in [[VROM (S5L8720)|VROM]] that locates the [[LLB]] code and [[KBAG]], decrypts the [[KBAG]] and code, and then jumps to the code. With this method, we skip the RSA check, certificate checks, and hardware tag checks that the [[VROM (S5L8720)|VROM]] would have performed on it.

[[Category:Exploits]]

Revision as of 01:35, 11 March 2009

Also known by its codename, "24kPwn", this was the first exploit in the S5L8720 that allowed us to bypass the bootrom signature checks on LLB and create what is known as an untethered jailbreak.

Credit

chronic, CPICH, ius, planetbeing, pod2g, posixninja, and co.

Exploit

The address that the bootrom loads LLB into is 0x22000000, and for some reason it stores its global variables dangerously close, at 0x22024000. When loading LLB from NOR, the bootrom does not enforce any maximum size limit, unlike when it receives a file over USB. You can gracefully overwrite (and for some parts will need to reconstruct) the beginning of its data (_bss) section.

There are a few different ways you could exploit this to actually run unsigned code at this level, but so far the easiest one found is based on another bad decision that Apple made: for some reason they put the SHA1 hardware address array smack dab in our way, so at this point you can change anything in it that you want. By changing the pointer to SHA1 Data Input Register 1 into a pointer to where the current LR is saved on the stack, the bootrom will put whatever is at offset 0x20 of the image into LR, which is all that matters. By putting your payload somewhere in the padding (you need padding, since LLB is obviously less than 0x24000 bytes), you can just put its address at offset 0x20 of the image!

If you don't actually want to run unsigned code but instead just want to run the LLB, then your payload must first put the original bytes back at 0x20 in the file before doing anything else, and also put the original SHA1 hardware address back in the array. Two other things to remember: 1. add 0x22000000 to the offset of your payload in the file, since that is where LLB is loaded in memory, and 2. reverse it for endianness.
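The segment boundary described above, as an added example that is not from the wiki or from any of the tools it names: a small checker that takes an LLB blob and reports whether it overruns the 0x24000 segment (the bytes that would land in the bootrom's globals) and where its little-endian word at offset 0x20 points. The analyze_llb and constructed_sample names and the result fields are this example's own, and the sample images are constructed zero-filled stand-ins, not real LLB files.

```python
import struct

# Facts from the page: the S5L8720 bootrom loads LLB at 0x22000000 and keeps its
# own globals at 0x22024000, so an LLB longer than 0x24000 bytes read from NOR
# overwrites the bootrom's .bss. The 32-bit word at offset 0x20 of the image is
# what ends up in the saved LR once the SHA1 register pointer has been redirected.
LLB_LOAD_ADDR = 0x22000000
BOOTROM_GLOBALS = 0x22024000
SEGMENT_LIMIT = BOOTROM_GLOBALS - LLB_LOAD_ADDR   # 0x24000
LR_WORD_OFFSET = 0x20


def analyze_llb(image: bytes) -> dict:
    """Report whether an LLB blob overruns the 0x24000 segment and where its
    0x20 word points. Field names are this example's own, not the wiki's."""
    overflow = max(0, len(image) - SEGMENT_LIMIT)
    if len(image) < LR_WORD_OFFSET + 4:
        return {"overflow_bytes": overflow, "lr_word": None,
                "lr_word_offset": None, "suspicious": overflow > 0}
    # LLB is little-endian ARM, hence "<I": the bytes on disk are the reversed
    # form of the address the page tells you to compute (0x22000000 + offset).
    lr_word = struct.unpack_from("<I", image, LR_WORD_OFFSET)[0]
    in_image = LLB_LOAD_ADDR <= lr_word < LLB_LOAD_ADDR + len(image)
    lr_offset = lr_word - LLB_LOAD_ADDR if in_image else None
    return {
        "overflow_bytes": overflow,      # bytes that land in bootrom globals
        "lr_word": lr_word,              # value at 0x20, in host byte order
        "lr_word_offset": lr_offset,     # file offset it names, if any
        # An oversized image whose 0x20 word points back into itself is the
        # shape an image abusing this bug has to have; flag it for review.
        "suspicious": overflow > 0 and in_image,
    }


def constructed_sample(size: int, lr_word: int) -> bytes:
    """Build a zero-filled stand-in image (constructed test data, not a real LLB)."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, LR_WORD_OFFSET, lr_word)
    return bytes(buf)


if __name__ == "__main__":
    # A normally sized LLB stays under the segment limit.
    print(analyze_llb(constructed_sample(0x1000, 0x12345678)))
    # An image padded past 0x24000 whose 0x20 word is 0x22000000 + 0x23000.
    print(analyze_llb(constructed_sample(0x24100, LLB_LOAD_ADDR + 0x23000)))
```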

Prerequisites

Because files sent over USB have a size limitation, one prerequisite is the ability to flash the NOR unsigned.