The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Difference between revisions of "ARM7 Go"
m (minor edit)

Line 1:
− This vulnerability is exclusive to the [[N72AP|iPod touch
+ This vulnerability is exclusive to the [[N72AP|iPod touch (2nd generation)]]. It is present in the device's 2.1.1 firmware, as well as the [[iBEC]]/[[iBSS]] if you choose to upload it via [[DFU 0x1227|DFU]]. It allows the running of unsigned code on the ARM7 coprocessor.
  ==Credit==

Line 5:
  ==Exploit==
− There is an ARM7 coprocessor in the [[N72AP|iPod touch
+ There is an ARM7 coprocessor in the [[N72AP|iPod touch (2nd generation)]] in addition to the main processor, the ARM11. Like the [[Audio DSP Module|ADM]] in the [[S5L8900]] devices, it has access to everything the ARM11 has access to, such as the AES engine, the PKE accelerator, and such. The actual vulnerability is that, in the [[N72AP|iPod touch (2nd generation)]] 2.1.1 firmware, they left behind two commands from what was presumably a DEBUG fused [[iBoot (Bootloader)|iBoot]]: arm7_stop and arm7_go. They were promptly removed in 2.2, but in 2.1.1 it would read the environmental variable "loadaddr" and have the ARM7 coprocessor execute whatever code was at that address. There was no signature or range checks in place for the command.
  ==Payload==
Revision as of 12:36, 23 March 2017
This vulnerability is exclusive to the iPod touch (2nd generation). It is present in the device's 2.1.1 firmware, as well as the iBEC/iBSS if you choose to upload it via DFU. It allows the running of unsigned code on the ARM7 coprocessor.
Credit
Chronic and iPhone Dev Team (independently)
Exploit
There is an ARM7 coprocessor in the iPod touch (2nd generation) in addition to the main processor, the ARM11. Like the ADM in the S5L8900 devices, it has access to everything the ARM11 can access, including the AES engine and the PKE accelerator. The actual vulnerability is that the iPod touch (2nd generation) 2.1.1 firmware left behind two commands from what was presumably a DEBUG-fused iBoot: arm7_stop and arm7_go. They were promptly removed in 2.2, but in 2.1.1 arm7_go would read the environment variable "loadaddr" and have the ARM7 coprocessor execute whatever code was at that address. There were no signature or range checks in place for the command.
Payload
The command gives the ARM7 the load address (default 0x09000000) of an "image" you sent it, and the ARM7 jumps to it. The limitation is that, unlike the diags exploit, you cannot just pass a patched iBoot or iBEC. You must write a payload for it to run, but one that patches iBEC or iBoot in memory would do fine.
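As an added illustration (not iBoot's code and not from this page), the handler below models the checks the Exploit and Payload sections say the command lacked: a range check on loadaddr and a verification step on the image, behind a debug-fuse gate. The load window size, the "OK!!" marker and demo_verify are constructed placeholders standing in for real fuse state and a real signature verifier.

```c
/* Added model of an arm7_go-style command gate. Illustrative code, not Apple's
 * iBoot; the window size, marker bytes and verifier are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define DEFAULT_LOADADDR 0x09000000u   /* default load address named on the page */
#define LOAD_WINDOW_BASE 0x09000000u   /* constructed: start of the permitted load window */
#define LOAD_WINDOW_SIZE 0x00100000u   /* constructed: 1 MiB window */
enum arm7_go_result { ARM7_GO_OK, ARM7_GO_NOT_DEBUG, ARM7_GO_BAD_RANGE, ARM7_GO_BAD_SIG };
/* Caller-supplied image verifier (real firmware would check a signature chain). */
typedef bool (*image_verify_fn)(const uint8_t *img, size_t len);
/* The shape the page describes: trust loadaddr and hand it straight to the ARM7. */
static uint32_t arm7_go_unchecked(uint32_t loadaddr) { return loadaddr; }
/* Hardened shape: fuse gate, overflow-safe range check, verify before jump. */
static enum arm7_go_result arm7_go_checked(bool debug_fused, uint32_t loadaddr,
        const uint8_t *img, size_t len, image_verify_fn verify, uint32_t *entry)
{
    if (!debug_fused) return ARM7_GO_NOT_DEBUG;        /* no debug commands on production fuses */
    /* Reject addresses below the window before subtracting, so the offset cannot wrap. */
    if (loadaddr < LOAD_WINDOW_BASE) return ARM7_GO_BAD_RANGE;
    uint32_t off = loadaddr - LOAD_WINDOW_BASE;
    if (off >= LOAD_WINDOW_SIZE || len > LOAD_WINDOW_SIZE - off) return ARM7_GO_BAD_RANGE;
    if (len == 0 || !verify(img, len)) return ARM7_GO_BAD_SIG; /* unsigned image: never start it */
    *entry = loadaddr;                                  /* only now may the coprocessor run it */
    return ARM7_GO_OK;
}
/* Constructed stand-in verifier: accepts only images beginning with "OK!!". */
static bool demo_verify(const uint8_t *img, size_t len) { return len >= 4 && memcmp(img, "OK!!", 4) == 0; }
/* Constructed scenarios so each gate can be exercised without hardware. */
static enum arm7_go_result demo_scenario(int which) {
    static const uint8_t signed_img[8]   = { 'O', 'K', '!', '!', 0, 0, 0, 0 };
    static const uint8_t unsigned_img[8] = { 'B', 'A', 'D', '!', 0, 0, 0, 0 };
    uint32_t entry = 0;
    switch (which) {
    case 0:  return arm7_go_checked(true,  DEFAULT_LOADADDR, signed_img,   8, demo_verify, &entry);
    case 1:  return arm7_go_checked(false, DEFAULT_LOADADDR, signed_img,   8, demo_verify, &entry);
    case 2:  return arm7_go_checked(true,  0x08FFFFF0u,      signed_img,   8, demo_verify, &entry); /* below window */
    case 3:  return arm7_go_checked(true,  0xFFFFFFF0u,      signed_img,   8, demo_verify, &entry); /* far above */
    case 4:  return arm7_go_checked(true,  0x090FFFFCu,      signed_img,   8, demo_verify, &entry); /* spills past end */
    default: return arm7_go_checked(true,  DEFAULT_LOADADDR, unsigned_img, 8, demo_verify, &entry);
    }
}
```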
Implementations
Two released payloads are redsn0w and 0wnboot.