Talk:Bootrom Dumper Utility

From The iPhone Wiki
Revision as of 11:44, 20 January 2012 by Ryanb93 (talk | contribs) (Dumping 3GS bootrom from OSX 10.7.2)
Jump to: navigation, search

If anyone gets it working for iPod touch 2G, let me know. I am trying to work on it, but not much spare time --JacobVengeance (JakeAnthraX) 07:27, 23 December 2010 (UTC)

my fork should work --liamchat 16:27, 24 December 2010 (UTC)
You can also use the current iPod touch 2G OpeniBoot link. The bootrom is at 0x20000000 on the 2g touch --Kleemajo 01:02, 26 December 2010 (UTC)
I ended up making my own very crappy steaks4uce version to dump it. I didn't realize you made a version liam, nice job. Also where did you guys get your ARM toolchain? The one I use keeps breaking and giving me errors lately.--JacobVengeance (JakeAnthraX) 03:38, 29 December 2010 (UTC)
i use sudo port install arm-elf-binutils and sudo port instal arm-elf-gcc --liamchat 10:56, 29 December 2010 (UTC)
Using that I just get errors when compiling everything. I had it working on my last setup when I wrote my crappy syeaks4uce method, but now it isn't working. I will figure it out sooner or later. Thanks anyways. --JacobVengeance (JakeAnthraX) 22:45, 29 December 2010 (UTC)
hey liam when I try running this on linux i get 84 00 00 00 05 00 00 00 80 00 00 00 80 62 02 22 FF FF FF FF 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 02 00 00 00 01 38 02 22 90 D7 02 22 and then the rest of it gets filled with nulls until the next 0x800 bytes start :( Revolution 19:02, 19 February 2011 (UTC)
use toolchain.txt from openiboot, it works perfect --posixninja 23:41, 29 December 2010 (UTC)
run:
sudo apt-get install libusb-1.0-0 libusb-1.0-0-dev libreadline6-dev readline-common libreadline6 libreadline-dev texinfo cmake git-core build-essential texinfo libreadline-dev libssl-dev libusb-1.0-0-dev libpng12-dev libusb-dev autoconf automake libnewlib-dev Return.png Return
sudo build-toolchain.sh Return.png Return
for linux
--liamchat 01:35, 20 February 2011 (UTC)
um liam I did that... on line 145 you need to make that specified for macosx only, well at least that's what the pod2g's version did... try building it on linux. Revolution 16:51, 20 February 2011 (UTC)
i fixed the error there does not need to be any specific platform support for stake or pwnage2 i think there is better way using Descriptors --liamchat 00:02, 21 February 2011 (UTC)
I just tried your new version. It still doesn't work. i managed to dump the bootrom with openiboot but yeah. here is the dump your ipod produces. it contains no copy writed code so i'll paste it here. [1] Revolution 21:11, 24 February 2011 (UTC)
None of his things will work, I can promise you that. He doensn't know what he is doing. --JacobVengeance (JakeAnthraX) 00:22, 25 February 2011 (UTC)
i have edited it again however i cant the usb wait for image call offset i origany thought it was the usb wait for image offset from syringe. --liamchat 20:41, 7 March 2011 (UTC)
I am getting an arm-elf-as: No such file or directory error on OSX Lion. Do I need to get the full toolchain compiled or can I get this working with Xcode (for iOS) somehow with less hassle ?--M2m 04:22, 3 January 2012 (MST)

VMware + Windows

anyone tried this on vmware + windows? can't make it work. tried on iPhone 4 & iPod touch 3G -- paulzero 10:38, 13 February 2011 (UTC)

it's the limera1n exploit. it does not work throughout a vm --liamchat 14:45, 13 February 2011 (UTC)

A5 devices

Can we use this tool to dump A5 devices? --XiiiX 12:28, 2 January 2012 (MST)

Not until there is a jailbreak for A5 devices.--M2m 12:51, 2 January 2012 (MST)
No. Limera1n doesn't work on A5 devices. --http 13:04, 2 January 2012 (MST)
It's kind of non-sense this tool so. To dump already hacked bootroms? --XiiiX 14:21, 2 January 2012 (MST)
No. Not really. You may find an exploit outside the bootrom which leads to a jailbreak which you can use to dump the bootrom which can help you to find exploits in the bootrom for later jailbreaks. Jailbreaks based on bootrom exploits can only be fixed with new hardware.--M2m 15:28, 2 January 2012 (MST)
There is no such thing as an "hacked BootROM". We cannot change the contents of the BootROM. Note "ROM" - Read Only Memory. -SquiffyPwn 17:10, 2 January 2012 (CST)
That's a better explanation. So we don't need a bootrom jailbreak to use this, just a user-land could work? Why is the necessity of a jailbreak to dump te bootrom? We need the offsets? --XiiiX 16:09, 2 January 2012 (MST)

Do you know what is dump? dump is a copy, to use this tool you MUST have a BootROM Exploit, look the source code, it send the exploit to allow acess to the read-only BootROM memory. Userland exploit here? what offsets?~zmaster

Compatibility with older devices

I looked as payload.s, apparently, everything is in place for older devices (e.g., 0x8b7 for basically every old device). I can't check the actual BDU application, but I'd think it was updated with code needed for older devices as well. Can anyone confirm this? --rdqronos 14:33, 3 January 2012 (MST)

Can't get it working with an iPhone 3G with the following values:
EXPLOIT_LR 0x22000000 LOADADDR_SIZE 0x24000 RET_ADDR 0x8b7
Output looks OK:
sudo ./bdu
______ Bootrom Dumper Utility (BDU) 1.0 ______

                        (c) pod2g october 2010

[.] Now executing arbitrary code using geohot's limera1n...
sent data to copy: 800
padded to 0x84023000
sent shellcode: 800 has real length 48
never freed: 800
sent exploit to heap overflow: FFFFFFF9
[.] Dump payload started.
[.] Now dumping bootrom to file bootrom.bin...
But I get a zero sized (empty) bootrom.bin. --M2m 02:17, 4 January 2012 (MST)
So it can read the BootROM, but not dump it. Okay. --rdqronos 13:04, 4 January 2012 (MST)
Not sure if it can be read correctly or not. --M2m 17:16, 4 January 2012 (MST)

Working on OSX?

Did anybody get this working on OSX? I could compile the payload.bin and tried with both the included binary and also with the recompiled one on a MacMini OSX 10.6.8 with an iPhone 4 (with iOS 5.0.1), libusb 1.0.8 is installed. I also tried with a 3GS and the forked code (just uses the different offsets). In all cases I always get "device stalled" and the bdu terminates. I know it worked on Linux for others, but anybody had success on OSX yet? I'm not sure where to start debugging, as I'm not a Mac user. -- http 16:36, 11 January 2012 (MST)

I compiled it under OSX Lion and can also run it but I only get a zero sized dump. May or may not be a problem of the program & Lion or that I only have iPhone2G & 3G to test.--M2m 04:15, 12 January 2012 (MST)

== Dumping 3GS bootrom from OSX 10.7.2

bash-3.2# ./bdu ______ Bootrom Dumper Utility (BDU) 1.0 ______

                       (c) pod2g october 2010

[.] Now executing arbitrary code using geohot's limera1n... sent data to copy: 800 padded to 0x84023000 sent shellcode: 800 has real length 48 never freed: 800 sent exploit to heap overflow: FFFFFFF9 [.] Dump payload started. [.] Now dumping bootrom to file bootrom.bin... Segmentation fault: 11 ==

Any ideas? I've changed all the offsets to the ones in the wiki and yet still no success.