The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Talk:Obtaining IMG3 Keys
Hey, thats my "exploit" ;-) Dev used openiboot.
Much easier, just use iran to download the modified iBoot directly, no reason to pwn with it. I was originally strapping this with the diags exploit.
And thanks for writing this up.
~geohot
I adapted this method from your write-up earlier, because CPICH and Chronic were wanting to decrypt IMG3 keys, and the openiboot method has quite a bit of setup overhead, and requires modifying my C source, and I thought helping them fill out the missing pieces for your method would be simpler. I just slightly modified your assembly to do stack/register cleanup (and combined that mw into protected memory) and had them put a direct BX from a random iBoot function, since explaining how to patch the permissions bits is more conceptually difficult, and I wasn't sure how easy it would be to make "go" behave the way we want it to (I didn't have access to IDA when I was helping them). I asked them to write it up after they got it to work. Hope that's okay. :)
I've since made something easier: http://www.iphone-dev.org/planetbeing/crypto.tar.gz
--Planetbeing 03:20, 7 August 2008 (UTC)
iBoot
Why do you need a modified iBoot? Doesn't Pwnage Tool/xpwn/winpwn already patch/modify iBoot?
no
yeah. their iboot is simply patched so the pwned ipsw wil work. there is soooooo much more you can do to the iboot :)
iBoot
Ok, but does the iBoot need to be patched more than Pwnage already does for the userland AES KBAG decryption to work?