Difference between revisions of "PwnageTool"

From The iPhone Wiki
(added recent info from http://www.bingner.com/pwnstrap.html)
Revision as of 21:06, 27 October 2010

PwnageTool is an iOS jailbreak tool for Mac OS X that jailbreaks by creating a custom IPSW. You are allowed to change boot logos and add pre-installed packages to the IPSW. After the IPSW is created you can restore to it in iTunes.

Exploits Used

Version 4.0

Version 2.0

Version 1.0

Models Supported

Model Since
iPhone 2G April 3, 2008
iPod touch 1G April 3, 2008
iPhone 3G Jul 19, 2008
iPod touch 2G Oct 2, 2009
iPhone 3GS Oct 2, 2009

Note that the iPod touch 3G and subsequent devices are not supported. With the iPod touch 2G and iPhone 3GS you must be jailbroken prior to using PwnageTool. With the S5L8900 devices you can go into DFU Mode and restore with iTunes without being jailbroken.

Versions

PwnageTool was released on April 3, 2008 but was largely unused until version 2.0 was released on July 19, 2008. The versions shown here are release versions, not beta, alpha, or in-development builds.

1.x: First release of PwnageTool

Version Release date Features

1.1.4

April 3, 2008
  • Initial release
  • Jailbreaks 1.1.4 firmware
  • Supports iPod touch 1G and iPhone 2G.
  • Add BootNeuter in the IPSW to unlock iPhone 2G.

2.x: Second major release of PwnageTool

Version Release date Features

2.0

Jul 19, 2008
  • Added iPhone 3G support [1]
  • Jailbreaks 2.0 Firmware
  • Change boot logos
  • Adds Cydia by default

2.0.1

Aug 4, 2008
  • Jailbreaks 2.0.1 firmware
  • Works for 2.0 and 2.0.1.

2.0.2

Aug 21, 2008
  • Jailbreaks 2.0.2 firmware [2]
  • Works for 2.0, 2.0.1, and 2.0.2.
  • Bug fixes for the interface not advancing to the next page when an item is clicked.

2.0.3

Aug 25, 2008
  • Jailbreaks 2.0.2 firmware
  • Works for 2.0, 2.0.1, and 2.0.2.

2.1

Sep 13, 2008
  • Jailbreaks 2.1 firmware
  • Removed backwards compatibility
  • Download packages from a valid Cydia source, and add them onto your custom IPSW.

2.2

Nov 21, 2008
  • Jailbreaks 2.2 firmware

2.2.5

Jan 30, 2009

3.x: Third Major Release of PwnageTool

Version Release date Features

3.0

Jun 19, 2009
  • Jailbreaks 3.0 firmware
  • DFU mode instructions included

3.1

Sep 15, 2009
  • Jailbreaks 3.1 firmware for iPhone 2G and 3G
  • Jailbreaks 3.1.1 firmware for iPod touch 1G

3.1.3

Oct 2, 2009
  • Support for iPhone 3GS with iBoot-359.3 bootrom and iPod touch 2G with iBoot-240.4 bootrom (these devices need to be pwned from 3.0/3.0.1)

3.1.4

Oct 13, 2009
  • Jailbreaks 3.1.2 firmware for iPhone 2G, 3G, 3GS with iBoot-359.3 bootrom, iPod touch 1G, iPod touch 2G with iBoot-240.4 bootrom
  • iPod touch 3G not supported.

3.1.5

Feb 7, 2010
  • Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.

4.x: Fourth Major Release of PwnageTool

Version Release date Features

4.0

Jun 22, 2010
  • Jailbreaks 4.0 firmware for devices supported in 3.1.4.

4.01

Jun 23, 2010
  • Fixes iBooks issue in 4.0

4.1

Oct 20, 2010

4.1.1

Oct 22, 2010
  • Fixes issues with Leopard.

4.1.2

Oct 22, 2010
  • Fixes more issues with Leopard.

Creating the Firmware

PwnageTool takes the IPSW file and patches it, creating a custom version. This enables many more features such as pre-installed packages, BootNeuter (iPhone software unlock), custom packages and boot logos. This method is usually less secure than quick exploits such as redsn0w, QuickPwn, purplera1n, blackra1n, etc.

How to create Custom Firmware Bundles

The following steps are needed:

  1. Copy an existing bundle as a template.
  2. Decrypt the IMG3 KBAGs and put the keys into Info.plist, usually using an AES payload.
  3. Use GenPass with the decrypted ramdisk to get the rootfs vfdecrypt key; put the key and the rootfs volume name into Info.plist.
  4. Unpack the NOR files, ramdisk and kernelcache using the AES keys and apply patches (for minor upgrades you can apply byte-pattern-based patches from the previous version, so you don't have to use IDA for every file).
  5. Patch ASR from the Restore Ramdisk and use codesign or ldid to fix up its code page hashes.
  6. Use bsdiff to create diffs by diffing the unpacked original versus the patched files. The iPod touch 2G and iPhone 3GS utilize a different bootrom exploit, so the encrypted LLB for these devices needs patching, using the xpwntool option "-x24k" (for iPod touch 2G) or "-xn8824k" (for iPhone 3GS) to patch the file.
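An added example (not PwnageTool's or xpwntool's code) showing the IMG3 layout behind step 2: it walks a container's tags and extracts the KBAG fields, the IV and key ciphertext that an AES payload on a pwned device would decrypt with the GID key before the plaintext key goes into Info.plist. The sample image and its IV/key bytes are constructed here; the builder's 16-byte tag padding is an assumption, and the parser relies only on each tag's totalLength.

```python
import struct

def _tag(magic: bytes, payload: bytes) -> bytes:
    """One IMG3 tag: 4-byte magic (stored byte-reversed), totalLength, dataLength, data."""
    padded = payload + b"\x00" * (-len(payload) % 16)  # padding size is an assumption
    return magic[::-1] + struct.pack("<II", 12 + len(padded), len(payload)) + padded

def build_img3(ident: bytes, tags: list) -> bytes:
    """IMG3 header: magic, fullSize, sizeNoPack, sigCheckArea, ident; then the tags."""
    body = b"".join(tags)
    header = b"3gmI" + struct.pack("<III", 20 + len(body), len(body), len(body))
    return header + ident[::-1] + body

def parse_img3(blob: bytes) -> tuple:
    """Return (ident, [(tag_name, data), ...]); rejects truncated or corrupt containers."""
    magic, full_size, no_pack, _sig, ident = struct.unpack_from("<4sIII4s", blob, 0)
    if magic != b"3gmI" or full_size != len(blob):
        raise ValueError("not an IMG3 file or truncated")
    tags, off = [], 20
    while off < 20 + no_pack:
        tmagic, total, dlen = struct.unpack_from("<4sII", blob, off)
        if total < 12 + dlen or off + total > full_size:
            raise ValueError("corrupt tag at offset %d" % off)
        tags.append((tmagic[::-1].decode("ascii"), blob[off + 12:off + 12 + dlen]))
        off += total
    return ident[::-1].decode("ascii"), tags

def parse_kbag(data: bytes) -> dict:
    """KBAG: cryptState (1 = production, 2 = development), aesType bits, then the GID-encrypted IV and key."""
    state, bits = struct.unpack_from("<II", data, 0)
    key_len = bits // 8
    if bits not in (128, 192, 256) or len(data) < 24 + key_len:
        raise ValueError("malformed KBAG")
    return {"state": state, "bits": bits,
            "iv": data[8:24].hex(), "key": data[24:24 + key_len].hex()}

def production_kbag(blob: bytes) -> dict:
    """The production KBAG is the one to hand to an AES payload on a pwned device."""
    for name, data in parse_img3(blob)[1]:
        if name == "KBAG" and parse_kbag(data)["state"] == 1:
            return parse_kbag(data)
    raise LookupError("no production KBAG")

# Constructed sample (not a real Apple image): DATA plus production and development KBAGs.
SAMPLE = build_img3(b"ibss", [
    _tag(b"DATA", bytes(range(64))),
    _tag(b"KBAG", struct.pack("<II", 1, 256) + bytes(range(16)) + bytes(range(32))),
    _tag(b"KBAG", struct.pack("<II", 2, 256) + b"\x11" * 16 + b"\x22" * 32),
])
```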

(from here: question and answer)

Problems

This method does have negative aspects. The most common errors are the 1600 errors, a group of errors saying that either the firmware file is corrupt or the device is not in the right mode (recovery or DFU Mode). Sometimes the problem is just a computer problem, such as full memory or a broken USB port. The most common computer error is a 1604 error, which means that the firmware file is corrupt.

An iPhone 3GS jailbroken with 24kpwn cannot have custom boot logos or restore from recovery mode unless this procedure is used:

  • Put the phone into Recovery mode (NOT DFU).
  • While the phone is off, hold down the Home button and immediately plug it into your computer. Or else.
  • From a command prompt (Start>Run>"cmd"), change to the directory where you extracted irecovery, and enter irecovery -s followed by:
      setenv boot-args 2
      setenv auto-boot false
      saveenv
      /exit
  • Keep this window open for use later on!
  • Run greenpois0n. It will guide you to enter DFU mode, then it will stop on a white screen after you click "Jailbreak".
  • It should say "Jailbreak Complete!" and NOT "Jailbreak Failed!" next to the progress bar at the bottom.
  • Extract the iBSS from your custom PwnageTool image (firmware.ipsw/Firmware/dfu/iBSS.BoardID.RELEASE.dfu) into your irecovery folder.
  • You can use WinRAR or another ZIP extractor to do this. IPSW files are really just ZIP files!
  • At a command prompt: irecovery -f iBSS
  • iBSS should be replaced with the name of the iBSS that you just extracted from the PwnageTool image, e.g. iBSS.n88ap.RELEASE.dfu
  • At a command prompt: irecovery -s
      setenv boot-args 0
      saveenv
      go image decrypt 0x41000000
      go jump 0x41000040
      /exit
  • At the "go jump" point your device should appear to reboot. Whether it goes back to a white screen or shows the Connect to iTunes screen depends on the firmware image used.
  • Restore your PwnageTool cooked firmware from iTunes.

Windows

PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, iH8sn0w et al. have announced a project that will bring PwnageTool's functionality to Windows, called sn0wbreeze. [3]

License

PwnageTool is freeware.