The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information.
Research: Pwnage Patches
If you have IDA Pro and you are at least semi-handy with ARM please contribute :)
Thanks to CPICH for helping out!
2.0 (5A347) iBoot
Patched Area
There is only one patch made to the iBoot, iBEC, iBSS, and WTF.n82ap. They are all iBoots, pretty much, so I am going to assume that they all have this same patch for the same reason. Please feel free to correct this if this is not true.
Here is a snippet of it from IDA:
 ROM:1800587C 01 20       MOVS    R0, #1      ; R0 = 1
 ROM:1800587E 40 42       NEGS    R0, R0      ; PWNAGE PATCH
 ROM:1800587E                                 ; Change 40 42 > 00 20
 ROM:1800587E                                 ; That will make it:
 ROM:1800587E                                 ; MOVS R0, #0
 ROM:1800587E                                 ;
 ROM:1800587E                                 ; R0 (unpatched) = -1
 ROM:1800587E                                 ; R0 (patched) = 0
Why does this help us?
Damn! Overlooked ONE THING! New, and correct, explanation will be here shortly.
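As an added example (not code from The iPhone Wiki or from the Dev Team), the script below decodes the two Thumb-16 halfwords from the listing above, runs them through a tiny interpreter to show R0 going from -1 to 0, and applies the 40 42 > 00 20 swap to a constructed image buffer only after checking that the expected bytes are really at that address. The load base of 0x18000000, the buffer size and the buffer contents are assumptions made so the offsets line up with the ROM:1800587C addresses; nothing here is a real iBoot image.

```python
# Added example, not The iPhone Wiki's code. Decodes the two Thumb-16 instructions
# at the patched site and shows why 40 42 -> 00 20 turns R0 from -1 into 0.
import struct

def decode_thumb16(halfword):
    """Decode the two Thumb-16 encodings used at this site.
    Returns (mnemonic, operands) or ('UNKNOWN', halfword)."""
    if (halfword & 0xF800) == 0x2000:        # 001 00 Rd imm8  -> MOVS Rd, #imm8
        return ("MOVS", ((halfword >> 8) & 7, halfword & 0xFF))
    if (halfword & 0xFFC0) == 0x4240:        # 010000 1001 Rs Rd -> NEGS Rd, Rs
        return ("NEGS", (halfword & 7, (halfword >> 3) & 7))
    return ("UNKNOWN", halfword)

def execute(insns, regs=None):
    """Minimal interpreter for the decoded instructions; registers are reported
    as signed 32-bit values so the unpatched result reads as -1."""
    regs = dict(regs or {})
    for mnem, ops in insns:
        if mnem == "MOVS":
            rd, imm = ops
            regs[rd] = imm
        elif mnem == "NEGS":
            rd, rs = ops
            val = (-regs.get(rs, 0)) & 0xFFFFFFFF
            regs[rd] = val - (1 << 32) if val & 0x80000000 else val
        else:
            raise ValueError("unsupported instruction %#06x" % ops)
    return regs

# Constructed buffer (assumption): the two halfwords from the listing, little-endian,
# placed so that address 0x1800587C maps to offset 0x587C under an assumed base.
BASE = 0x18000000
image = bytearray(0x6000)
image[0x587C:0x5880] = bytes.fromhex("0120" "4042")

PATCH_ADDR = 0x1800587E
OLD = bytes.fromhex("4042")   # NEGS R0, R0
NEW = bytes.fromhex("0020")   # MOVS R0, #0

def apply_patch(buf, addr, old, new, base=BASE):
    """Replace `old` with `new` at `addr`. Refuses to touch the buffer unless the
    bytes found there are exactly the expected ones (guards against applying the
    patch to a different build), and requires equal length so no code moves."""
    assert len(old) == len(new), "patch must not change code size"
    off = addr - base
    found = bytes(buf[off:off + len(old)])
    if found != old:
        raise ValueError("expected %s at %#x, found %s" % (old.hex(), addr, found.hex()))
    buf[off:off + len(new)] = new
    return buf

def r0_after(buf, start=0x1800587C, count=2, base=BASE):
    """Decode `count` halfwords starting at `start` and return R0 after running them."""
    off = start - base
    insns = []
    for i in range(count):
        (hw,) = struct.unpack_from("<H", buf, off + 2 * i)
        insns.append(decode_thumb16(hw))
    return execute(insns)[0]

if __name__ == "__main__":
    print("unpatched R0 =", r0_after(image))      # -1
    apply_patch(image, PATCH_ADDR, OLD, NEW)
    print("patched   R0 =", r0_after(image))      # 0
```

The expected-bytes check in apply_patch is the part worth copying: a two-byte patch applied at a fixed offset to the wrong firmware build silently corrupts some unrelated instruction, so refusing to write unless the original bytes match is the cheapest sanity check available.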
2.0 (5A347) Lockdownd
This may actually confuse some people. You see, there are 'technically' two patches, but in reality there is only one. The second one is the rehashed signature done with ldid, because you must remember that this is a userland binary, not a lower-level one like the iBoot, which resides in the NOR. Files on the main filesystem must conform to the demands of the kernel, and according to a Dev Team member, the patches needed to remove that requirement were too complex, so it would just be much easier to use ldid to take care of it. So that is what they did here. They took the original file and a copy with the one patch they needed, rehashed the patched one, ran bsdiff on the pair, and as you can now tell, the .patch file contains the actual patch + the new signature :)
(Be back in a little bit with actual snippets from IDA showing the actual patch done, I want to go through the actual low level stuff first)
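As an added example (not The iPhone Wiki's code, and not how ldid or the Dev Team's tooling is implemented), the script below models why the lockdownd .patch carries two changes. It keeps the idea of a kernel-checked code signature, a directory of per-page SHA-1 hashes whose stand-in for the ldid step simply recomputes and appends that directory, and leaves out the real Mach-O and CodeDirectory layout. The page size of 4096, the trailer format, the constructed "binary" and the patch offset are all assumptions. Diffing the original against the patched-and-resigned file then shows two changed regions: the instruction bytes and the hash slot of the page they sit in.

```python
# Added example, not The iPhone Wiki's code. Simplified model of a page-hash code
# signature: patching one instruction invalidates the hash of its page, so the
# directory must be regenerated, and the resulting diff covers both changes.
import hashlib
import hmac
import struct

PAGE = 4096   # assumed page size

def page_hashes(code):
    """One SHA-1 per code page, in order."""
    return [hashlib.sha1(code[i:i + PAGE]).digest() for i in range(0, len(code), PAGE)]

def sign(code):
    """Stand-in for the ldid step: append a directory of page hashes plus a
    4-byte trailer recording the code length (toy format, not Mach-O)."""
    directory = b"".join(page_hashes(code))
    return code + directory + struct.pack("<I", len(code))

def split(signed):
    """Separate a signed blob into (code, directory)."""
    (n,) = struct.unpack_from("<I", signed, len(signed) - 4)
    return signed[:n], signed[n:-4]

def verify(signed):
    """What the loader does: recompute every page hash and compare to the directory."""
    code, directory = split(signed)
    return hmac.compare_digest(b"".join(page_hashes(code)), directory)

def patch_without_resign(signed, offset, old, new):
    """Apply a same-length byte patch but keep the stale directory, i.e. what you
    get if you only patch the instruction and skip the rehash."""
    code, directory = split(signed)
    if code[offset:offset + len(old)] != old:
        raise ValueError("unexpected bytes at patch site")
    code = code[:offset] + new + code[offset + len(old):]
    return code + directory + struct.pack("<I", len(code))

def diff_regions(a, b):
    """Byte ranges [start, end) where two equal-length blobs differ; roughly what
    a bsdiff of original vs. patched+resigned has to encode."""
    assert len(a) == len(b)
    regions, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(a)))
    return regions

# Constructed three-page "binary" and a two-byte patch in its second page (assumptions).
CODE = bytes(range(256)) * (3 * PAGE // 256)
PATCH_OFFSET = 0x1234
OLD_BYTES = CODE[PATCH_OFFSET:PATCH_OFFSET + 2]
NEW_BYTES = bytes.fromhex("0020")

if __name__ == "__main__":
    original = sign(CODE)
    stale = patch_without_resign(original, PATCH_OFFSET, OLD_BYTES, NEW_BYTES)
    resigned = sign(split(stale)[0])
    print("original verifies:", verify(original))     # True
    print("patch only verifies:", verify(stale))      # False
    print("patch + rehash verifies:", verify(resigned))  # True
    for start, end in diff_regions(original, resigned):
        print("changed bytes at [%#x, %#x)" % (start, end))
```

The second changed region lands inside the 20-byte slot for page 1 (offset len(CODE) + 20 * 1) because only that page's hash moved; the hashes of the untouched pages are byte-identical before and after, which is why a one-instruction patch produces a small .patch file even though the signature was regenerated.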