The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Talk:Obtaining IMG3 Keys"
Planetbeing (talk | contribs) |
Planetbeing (talk | contribs) |
||
Line 7: | Line 7: | ||
~geohot |
~geohot |
||
− | I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought |
+ | I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :) |
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz |
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz |
Revision as of 03:21, 7 August 2008
Hey, thats my "exploit" ;-) Dev used openiboot.
Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.
And thanks for writing this up.
~geohot
I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz
--Planetbeing 03:20, 7 August 2008 (UTC)