The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.

Difference between revisions of "PwnageTool"

From The iPhone Wiki
Jump to: navigation, search
m (another link)
(added "How to create Custom Firmware Bundles")
Line 190: Line 190:
 
==Creating the Firmware==
  
==Creating the Firmware==
 
PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, [[BootNeuter]] ([[M68ap|iPhone]] software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such ([[redsn0w]], [[QuickPwn]], [[purplera1n]], [[blackra1n]], etc.).
  
PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, [[BootNeuter]] ([[M68ap|iPhone]] software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such ([[redsn0w]], [[QuickPwn]], [[purplera1n]], [[blackra1n]], etc.).
  +
  +
==How to create Custom Firmware Bundles==
  +
Following steps are needed:
  +
*Copy an existing bundle as a template
  +
*Decrypt [[img3]] [[KBAG]]s and put the keys into Info.plist - usually using an [http://forums.openpwn.org/viewtopic.php?f=8&t=19&p=101#p101 AES payload]
  +
*Use [[GenPass|GenPass utility]] with decrypted [[ramdisk]] to get the rootfs vfdecrypt key, put the key and rootfs volume name into Info.plist
  +
*Unpack [[NOR]] files, [[ramdisk]] and [[kernelcache]] using [[AES Keys]], apply patches (for minor upgrades, you can apply byte pattern-based patches from previous version, so you don't have to use [[IDA]] for every file)
  +
*Patch [[wikipedia:Apple Software Restore|asr]] from the [[Restore Ramdisk]], use [[Apple's Codesign Tool|codesign]] or [[ldid]] to fix up its code page hashes.
  +
*Use [http://www.daemonology.net/bsdiff/ bsdiff utility] to create diffs by diffing unpacked original versus patched files. For [[N88ap|iPhone 3GS]], the exception is [[LLB]] - you need to diff encrypted files, using -xn8824k xpwntool option to pack the patched file and append [[0x24000 Segment Overflow|24kPwn exploit]].
  +
  +
(from here: [http://twitter.com/veeence/status/24393474627 question] and [http://www.twitlonger.com/show/61crcq answer])
   
 
==Problems==
  
==Problems==

Revision as of 23:05, 14 September 2010

PwnageTool is a iOS jailbreak tool for Mac OS X that jailbreaks by creating a custom IPSW. You are allowed to change boot logos and add pre-installed packages to the IPSW. After an IPSW is created you can use it to restore to in iTunes.

Exploits Used

Version 2.0

Version 1.0

Models Supported

Model Since
iPhone 2G April 3, 2008
iPod touch 1G April 3, 2008
iPhone 3G Jul 19, 2008
iPod touch 2G Oct 2, 2009
iPhone 3GS Oct 2, 2009

Note that the iPod touch 3G and subsequent devices are not supported. With the iPod touch 2G and iPhone 3GS you must be jailbroken prior to using PwnageTool. The S5L8900 devices you can go into DFU Mode and restore with iTunes without being jailbroken.

Versions

PwnageTool was released April 3, 2008 but largely unused until version 2.0 was released July 19, 2008. The following versions that are shown here are not beta, alpha, or in development.

1.x: First release of PwnageTool

Version Release date Features

1.1.4

 April 3, 2008
  • Initial release
  • Jailbreaks 1.1.4 firmware
  • Supports iPod touch 1G and iPhone 2G.
  • Add BootNeuter in the IPSW to unlock iPhone 2G.

2.x: Second major release of Pwnagetool

Version Release date Features

2.0

 Jul 19, 2008
  • Added iPhone 3G support [1]
  • Jailbreaks 2.0 Firmware
  • Change boot logos
  • Adds Cydia by default

2.0.1

 Aug 4, 2008
  • Jailbreaks 2.0.1 firmware
  • Works for 2.0 and 2.0.1.

2.0.2

 Aug 21, 2008
  • Jailbreaks 2.0.2 firmware [2]
  • Works for 2.0, 2.0.1, and 2.0.2.
  • Bug fixes - for when it doesn't go to the next page when you click on something.

2.0.3

 Aug 25, 2008
  • Jailbreaks 2.0.2 firmware
  • Works for 2.0, 2.0.1, and 2.0.2.

2.1

 Sep 13, 2008
  • Jailbreaks 2.1 firmware
  • Removed backwards compatibility
  • Download packages from a valid Cydia source, and add them onto your custom IPSW.

2.2

 Nov 21, 2008
  • Jailbreaks 2.2 firmware

2.2.5

 Jan 30, 2009

3.x: Third Major Release of PwnageTool

Version Release date Features

3.0

 Jun 19, 2009
  • Jailbreaks 3.0 firmware
  • DFU mode instructions included

3.1

 Sep 15, 2009
  • Jailbreaks 3.1 firmware for iPhone 2G and 3G
  • Jailbreaks 3.1.1 firmware for iPod touch 1G

3.1.3

 Oct 2, 2009
  • Support for iPhone 3GS with iBoot-359.3 bootrom and iPod touch 2G with iBoot-240.4 bootrom (these devices need to be pwned from 3.0/3.0.1)

3.1.4

 Oct 13, 2009
  • Jailbreaks 3.1.2 firmware for iPhone 2G, 3G, 3GS with iBoot-359.3 bootrom, iPod touch 1G, iPod touch 2G with iBoot-240.4 bootrom
  • iPod touch 3G not supported.

3.1.5

 Feb 7, 2010
  • Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.

4.x: Fourth Major Release of PwnageTool

Version Release date Features

4.0

 Jun 22, 2010
  • Jailbreaks 4.0 firmware for devices supported in 3.1.4.

4.01

 Jun 23, 2010
  • Fixes iBooks issue in 4.0

Creating the Firmware

PwnageTool takes the IPSW file and patches it, creating a custom version. This enables a lot more features such as pre-installed packages, BootNeuter (iPhone software unlock), custom packages and boot logos. This method is usually less secure than the quick exploits such (redsn0w, QuickPwn, purplera1n, blackra1n, etc.).

How to create Custom Firmware Bundles

Following steps are needed:

  • Copy an existing bundle as a template
  • Decrypt img3 KBAGs and put the keys into Info.plist - usually using an AES payload
  • Use GenPass utility with decrypted ramdisk to get the rootfs vfdecrypt key, put the key and rootfs volume name into Info.plist
  • Unpack NOR files, ramdisk and kernelcache using AES Keys, apply patches (for minor upgrades, you can apply byte pattern-based patches from previous version, so you don't have to use IDA for every file)
  • Patch asr from the Restore Ramdisk, use codesign or ldid to fix up its code page hashes.
  • Use bsdiff utility to create diffs by diffing unpacked original versus patched files. For iPhone 3GS, the exception is LLB - you need to diff encrypted files, using -xn8824k xpwntool option to pack the patched file and append 24kPwn exploit.

(from here: question and answer)

Problems

This method does have negative aspects. The most common errors are the 1600 errors, a group of errors saying that the either the firmware file is corrupt or you didn't put it in the right mode (recovery, DFU Mode). Sometimes the problems could just be a computer problem such as the memory is full or the USB port is broken. The most common computer error is a 1604 error which means that the firmware file is corrupt.

Windows

PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, iH8sn0w, et. al. has announced that they made a project that will bring PwnageTool's functionality to Windows, called sn0wbreeze. [3]

License

PwnageTool is freeware.

Retrieved from "https://www.theiphonewiki.com/w/index.php?title=PwnageTool&oldid=9213"