The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Research: Pwnage Patches
If you have IDA Pro and you are at least semi-handy with ARM please contribute :)
Thanks to CPICH for helping out!
2.0 (5A347) iBoot
Patched Area
There is only 1 patch made to the iBoot, iBEC, iBSS, and WTF.n82ap. They are all iBoots, pretty much, so I am going to assume that they all have this same patch for the same reason. Please feel free to correct this if this is not true.
Here is a snippet of it from IDA:
ROM:1800587C 01 20 MOVS R0, #1 ; R1 = 1 ROM:1800587E 40 42 NEGS R0, R0 ; PWNAGE PATCH ROM:1800587E ; Change 40 42 > 00 20 ROM:1800587E ; That will make it: ROM:1800587E ; MOVS R0 = #0 ROM:1800587E ; ROM:1800587E ; R0 (unpatched) = -1 ROM:1800587E ; R0 (patched) = 0
Why does this help us?
Well, this is a bit later on...
ROM:180058C4 00 28 CMP R0, #0 ; Does R0 = 0? ROM:180058C6 3C D1 BNE loc_18005942 ; if R0 does not = 0 ROM:180058C6 ; jump to 0x18005942 ROM:180058C6 ; ROM:180058C6 ; Pwned iBoot not jump ROM:180058C6 ; Unpwned iBoot will
As you can see from my comments, it makes it so that it does not jump. I am no 1337 reverser, so I have no clue what is done when there is no jump, but I do see the fact that a pwned iBoot will not jump to 0x18005942, and an unpwned iBoot will not. This kind of interests me here, because with a Branch statement, usually you would be able to get around something that you want to by changing a certain Branch from BEQ to B, or something of the like. This one is a bit trickier, and you can't really do something like that...probably a common thing, but I am just throwing it out there since it is the first time I have seen something like this done.