Difference between revisions of "Talk:Bootrom Dumper Utility"
Revision as of 09:17, 4 January 2012
If anyone gets it working for iPod touch 2G, let me know. I am trying to work on it, but not much spare time --JacobVengeance (JakeAnthraX) 07:27, 23 December 2010 (UTC)
- my fork should work --liamchat 16:27, 24 December 2010 (UTC)
- You can also use the current iPod touch 2G OpeniBoot link. The bootrom is at 0x20000000 on the 2g touch --Kleemajo 01:02, 26 December 2010 (UTC)
- I ended up making my own very crappy steaks4uce version to dump it. I didn't realize you made a version, liam, nice job. Also where did you guys get your ARM toolchain? The one I use keeps breaking and giving me errors lately. --JacobVengeance (JakeAnthraX) 03:38, 29 December 2010 (UTC)
- i use sudo port install arm-elf-binutils and sudo port install arm-elf-gcc --liamchat 10:56, 29 December 2010 (UTC)
- Using that I just get errors when compiling everything. I had it working on my last setup when I wrote my crappy steaks4uce method, but now it isn't working. I will figure it out sooner or later. Thanks anyways. --JacobVengeance (JakeAnthraX) 22:45, 29 December 2010 (UTC)
- Hey liam, when I try running this on linux I get 84 00 00 00 05 00 00 00 80 00 00 00 80 62 02 22 FF FF FF FF 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 02 00 00 00 01 38 02 22 90 D7 02 22 and then the rest of it gets filled with nulls until the next 0x800 bytes start :( Revolution 19:02, 19 February 2011 (UTC)
- use toolchain.txt from openiboot, it works perfect --posixninja 23:41, 29 December 2010 (UTC)
- run:
- for linux
- --liamchat 01:35, 20 February 2011 (UTC)
- um liam I did that... on line 145 you need to make that specified for macosx only, well at least that's what the pod2g's version did... try building it on linux. Revolution 16:51, 20 February 2011 (UTC)
- I fixed the error. There does not need to be any specific platform support for stake or pwnage2; I think there is a better way using Descriptors --liamchat 00:02, 21 February 2011 (UTC)
- I just tried your new version. It still doesn't work. I managed to dump the bootrom with openiboot but yeah. Here is the dump your ipod produces. It contains no copyrighted code so I'll paste it here. [1] Revolution 21:11, 24 February 2011 (UTC)
- None of his things will work, I can promise you that. He doesn't know what he is doing. --JacobVengeance (JakeAnthraX) 00:22, 25 February 2011 (UTC)
- I have edited it again; however, I can't find the usb wait for image call offset. I originally thought it was the usb wait for image offset from syringe. --liamchat 20:41, 7 March 2011 (UTC)
- I am getting an arm-elf-as: No such file or directory error on OSX Lion. Do I need to get the full toolchain compiled or can I get this working with Xcode (for iOS) somehow with less hassle? --M2m 04:22, 3 January 2012 (MST)
VMware + Windows
Anyone tried this on vmware + windows? Can't make it work. Tried on iPhone 4 & iPod touch 3G -- paulzero 10:38, 13 February 2011 (UTC)
- It's the limera1n exploit. It does not work through a VM --liamchat 14:45, 13 February 2011 (UTC)
A5 devices
Can we use this tool to dump A5 devices? --XiiiX 12:28, 2 January 2012 (MST)
- Not until there is a jailbreak for A5 devices.--M2m 12:51, 2 January 2012 (MST)
- No. Limera1n doesn't work on A5 devices. --http 13:04, 2 January 2012 (MST)
- It's kind of nonsense, this tool, then. To dump already hacked bootroms? --XiiiX 14:21, 2 January 2012 (MST)
- No. Not really. You may find an exploit outside the bootrom which leads to a jailbreak which you can use to dump the bootrom which can help you to find exploits in the bootrom for later jailbreaks. Jailbreaks based on bootrom exploits can only be fixed with new hardware.--M2m 15:28, 2 January 2012 (MST)
- There is no such thing as a "hacked BootROM". We cannot change the contents of the BootROM. Note "ROM" - Read Only Memory. -SquiffyPwn 17:10, 2 January 2012 (CST)
- That's a better explanation. So we don't need a bootrom jailbreak to use this, just a user-land one could work? Why the necessity of a jailbreak to dump the bootrom? We need the offsets? --XiiiX 16:09, 2 January 2012 (MST)
- Do you know what a dump is? A dump is a copy. To use this tool you MUST have a BootROM exploit; look at the source code, it sends the exploit to allow access to the read-only BootROM memory. Userland exploit here? What offsets? ~zmaster
Compatibility with older devices
I looked as payload.s, apparently, everything is in place for older devices (e.g., 0x8b7 for basically every old device). I can't check the actual BDU application, but I'd think it was updated with code needed for older devices as well. Can anyone confirm this? --rdqronos 14:33, 3 January 2012 (MST)
- Can't get it working with an iPhone 3G with the following values:
  #define EXPLOIT_LR 0x22000000
  #define LOADADDR_SIZE 0x24000
  .set RET_ADDR, 0x8b7
Output looks OK:
  sudo ./bdu
  ______ Bootrom Dumper Utility (BDU) 1.0 ______
  (c) pod2g october 2010
  [.] Now executing arbitrary code using geohot's limera1n...
  sent data to copy: 800
  padded to 0x84023000
  sent shellcode: 800 has real length 48
  never freed: 800
  sent exploit to heap overflow: FFFFFFF9
  [.] Dump payload started.
  [.] Now dumping bootrom to file bootrom.bin...
But I get a zero sized (empty) bootrom.bin --M2m 02:17, 4 January 2012 (MST)
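Added example, not code from BDU, pod2g, liamchat or anyone posting on this page: a small Python sanity checker for a bootrom.bin that flags the two failure modes reported in this thread, the zero-sized file M2m describes above and the dump Revolution posted earlier whose 0x800-byte chunks each hold a short header followed by nulls. The 0x800 chunk size and the header bytes used in the constructed sample come from the thread; the 90% null threshold, the "half the blocks" plausibility rule and the filler data are assumptions made for illustration.

```python
"""Sanity-check a bootrom dump file.

Added example (not part of BDU or any tool on the page). It flags the two
failure modes described in the thread: a zero-sized bootrom.bin, and a dump
whose 0x800-byte chunks carry a few header bytes followed by nulls.
The 0x800 chunk size is the one quoted in the thread; the null-ratio
threshold and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
import sys

BLOCK_SIZE = 0x800   # chunk size quoted in the thread
NULL_RATIO = 0.9     # assumption: a block with >90% 0x00 bytes is treated as padding


@dataclass
class DumpReport:
    size: int
    total_blocks: int
    null_blocks: int         # blocks that are entirely 0x00
    mostly_null_blocks: int  # blocks with a short header, then null padding

    @property
    def empty(self) -> bool:
        return self.size == 0

    @property
    def plausible(self) -> bool:
        # Assumption: a real ROM image is dense. If half or more of the blocks
        # are padding, the dumper most likely copied nothing useful.
        padded = self.null_blocks + self.mostly_null_blocks
        return not self.empty and padded * 2 < self.total_blocks


def analyze_dump(data: bytes) -> DumpReport:
    """Walk the dump in BLOCK_SIZE chunks and classify each one."""
    total = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    null_blocks = mostly_null = 0
    for i in range(total):
        chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        zeros = chunk.count(0)
        if zeros == len(chunk):
            null_blocks += 1
        elif zeros / len(chunk) > NULL_RATIO:
            mostly_null += 1
    return DumpReport(len(data), total, null_blocks, mostly_null)


def analyze_file(path: str) -> DumpReport:
    """Read a dump from disk and analyze it."""
    with open(path, "rb") as f:
        return analyze_dump(f.read())


# The 56 bytes quoted in Revolution's post, reused here as the "short header".
HEADER = bytes.fromhex(
    "84000000" "05000000" "80000000" "80620222" "ffffffff" "00000000" "00010000"
    "00000000" "00000000" "00000000" "15000000" "02000000" "01380222" "90d70222"
)


def make_padded_sample(blocks: int) -> bytes:
    """Constructed: each chunk is HEADER followed by nulls, as in the bad dump."""
    chunk = HEADER + bytes(BLOCK_SIZE - len(HEADER))
    return chunk * blocks


def make_dense_sample(blocks: int) -> bytes:
    """Constructed: deterministic non-null filler standing in for real code."""
    return bytes((i * 37 + 11) & 0xFF for i in range(blocks * BLOCK_SIZE))


def describe(name: str, report: DumpReport) -> str:
    """One-line human-readable verdict for a report."""
    verdict = "plausible" if report.plausible else "SUSPECT"
    return (f"{name}: {report.size} bytes, {report.total_blocks} blocks, "
            f"{report.null_blocks} null, {report.mostly_null_blocks} mostly-null "
            f"-> {verdict}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_dump.py bootrom.bin
        print(describe(sys.argv[1], analyze_file(sys.argv[1])))
    else:
        print(describe("empty", analyze_dump(b"")))
        print(describe("padded", analyze_dump(make_padded_sample(4))))
        print(describe("dense", analyze_dump(make_dense_sample(4))))
```

Run it with the path to a dump to get a verdict, or with no arguments to see the three constructed cases. The check is deliberately conservative: it only tells you that the file is empty or mostly padding, which is what both reports in this thread boil down to; it says nothing about whether the bytes that are present are the right ones.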