
PMB (macrumors 65816, original poster), Nov 7, 2007, New York
Read it and drool. (I did) :D
Pwnage Project

Well, Apple has had their turn, impressive work on the SDK! And now it's ours…
What is Pwnage?

Pwnage is based on an exploit found in the lower levels of the iPhone/iTouch bootloader. We can now “pwn” Apple by patching the device to allow unsigned code. This opens the door to unlimited possibilities.

Once your iPhone/iTouch has been “pwned”, you can do things like installing custom made .ipsw files - straight from iTunes!

For a more technical explanation please visit Pwnage page.
iPwner and IPSW Builder

We are going to release two tools as part of Pwnage project.

* iPwner - tool to make your iPhone/iTouch “pwned”. You will have to use this tool just once.
* IPSW Builder - by using this tool you will be able to modify the .ipsw filesystem, i.e. pre-jailbreak, pre-unlock, pre-activate, and create a complete custom .ipsw installation. In case you are already unlocked you can even tell it to disable the baseband update, just in case. Restore or Update from iTunes with the custom .ipsw file and voilà! No more hassles after that.


Both tools are undergoing intensive development and will soon be ready for public consumption.

How Pwnage Works

Pwnage exploits a bad chain of trust in the boot sequence of the S5L8900 device. The boot sequence includes the LLB and iBoot modules, which are stored in the device's NOR flash and are typically encrypted (as of 1.1.*). However, they do not carry an RSA signature at that point, because the 8900 container is dropped before the file is written to NOR flash. Pwnage exploits this vulnerability.
Apple's (incorrect) Boot Sequence Security Assumptions

* First, Apple assumes that if something is in the NOR flash, it has necessarily passed through an RSA signature verification, and is therefore authentic Apple code. This is incorrect, because the only mechanism preventing the writing of unauthorized code to the NOR flash is the kernel. The iPhone/iPod Touch kernel contains an extension designed specifically to write to the NOR flash, called AppleImage2NORAccess. This extension performs an RSA signature verification on any data it tries to write. The verification itself is performed by the Fairplay extension, which is heavily obfuscated, but neutering the check is very simple. After the check is patched out, anything can be written to the NOR flash.

* Second, Apple assumes that disabling the encryption keys in the “normal” environment will prevent writing firmware files to the NOR flash. Luckily, we have found a way to run our code in the “secure” environment and use the AppleImage2NORAccess extension the same way Apple does on restore.

Pwnage in Detail

Pwnage starts by booting from a memory device (ramdisk) in the “secure” environment to prevent the kernel from disabling the encryption keys. Also, we add another memory device, pointed at the kernel's address space, to allow live kernel patching. After booting up, we patch out the signature check from the AppleImage2NORAccess extension and proceed with flashing our custom firmware files (iBoot, LLB, DeviceTree, and pictures). Because the signature check has been patched out, and the encryption keys are available, AppleImage2NORAccess happily writes them to the appropriate location in NOR flash. After that, the device can be restarted, and will accept any unsigned 8900 file without complaint.

iBoot Patch

One specific aspect of our attack that is worth examining more closely is the iBoot patch. iBoot is the last and most complicated bootloader on the devices, and is what actually loads the kernel with the device tree. However, Apple made the decision to keep all the PKE (Public Key Encryption) logic out of iBoot, instead putting it in the secure bootloader. Thus, iBoot actually jumps into the secure bootloader when it wants to verify the authenticity of an 8900 file. This makes it hard to directly patch out the RSA signature verification from iBoot, as it actually occurs in the secure bootloader. Simply killing the jump into the secure bootloader is impossible, as it also fills in other information iBoot needs to proceed.

Because of the tight coupling between the secure bootloader and the higher-level bootloaders, Apple gave us a solution: the secure bootloader often needs to call functions in the higher-level bootloaders, but it has the problem of knowing where to jump, as functions move around in different revisions. To get around this, Apple made thunks out of the function calls, and has the higher-level bootloaders patch the secure bootloader on the fly (in RAM) with the relevant jump addresses. They just copy the secure bootloader into RAM and blindly apply a list of patches to it. We exploited this pre-existing patching mechanism to patch out the RSA signature verification from the secure bootloader.

My favorite part is the Custom Firmwares..... mmmmm
Once your iPhone/iTouch has been “pwned”, you can do things like installing custom made .ipsw files - straight from iTunes!

http://iphone-dev.org/news:pwnage
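A small model of the chain-of-trust argument quoted above, added here as an illustration and not code from the post or from the Pwnage project. It assumes an HMAC as a stand-in for the RSA signature, a dict as NOR flash, and invented names (write_checked, write_unchecked, boot, demo); it contrasts the described design, where the 8900 container is stripped on write and boot trusts whatever is in flash, with a design that keeps the container and re-verifies each stage at boot.

```python
import hashlib
import hmac

SIGNER_KEY = b"constructed-signer-key"  # assumption: HMAC stands in for RSA

def sign(image: bytes) -> bytes:
    """Stand-in for the signature an 8900 container carries."""
    return hmac.new(SIGNER_KEY, image, hashlib.sha256).digest()

def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)

class Nor:
    """Toy NOR flash. keep_container=False mirrors the design in the post:
    the signed 8900 wrapper is dropped on write, so flash holds bare images."""
    def __init__(self, keep_container: bool):
        self.keep_container = keep_container
        self.stages = {}  # name -> (image, signature or None)

    def write_checked(self, name, image, sig):
        """AppleImage2NORAccess-style path: signature verified at write time."""
        if not verify(image, sig):
            raise PermissionError(f"{name}: bad signature")
        self.stages[name] = (image, sig if self.keep_container else None)

    def write_unchecked(self, name, image):
        """Write path reached once the kernel's check is patched out."""
        self.stages[name] = (image, None)

def boot(nor: Nor) -> list:
    """Stages the boot ROM would run. With bare images it can only trust
    flash; with containers kept it can re-verify each stage at boot."""
    ran = []
    for name in ("LLB", "iBoot"):
        image, sig = nor.stages[name]
        if nor.keep_container and (sig is None or not verify(image, sig)):
            raise PermissionError(f"{name}: refused at boot")
        ran.append(name)
    return ran

def demo(keep_container: bool) -> str:
    """Vendor-signed LLB plus an unsigned iBoot written past the check."""
    nor = Nor(keep_container)
    nor.write_checked("LLB", b"vendor LLB", sign(b"vendor LLB"))
    nor.write_unchecked("iBoot", b"unsigned iBoot")
    try:
        return "booted " + "+".join(boot(nor))
    except PermissionError as e:
        return f"refused: {e}"
```

The point for a defender is where the check lives: verify-at-write protects nothing once the writer is compromised, while verifying what is actually in flash at every boot does.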
 
I saw this yesterday and drooled also. :eek:

This will definitely open up the iPod touch and iPhone for so many more possibilities.

I just wonder what the chances are of permanently screwing up your iPod. :confused:
 
If you pwned it, there is a good chance of completely screwing it up...
 
Well, since you're meddling with the firmware itself, I'm assuming there's a real risk of brickage.

But what are the real advantages of this? Like, we can already have all the apps we want, and all the visual customization... what else can we do with this thing? Are we talking whole new OS or something?
 
Yep, anything. Opens the iPod and iPhone wide open. Any firmware you want.
 
Sweet! I don't think, however, that a team of basement hackers can make an OS to rival the Mac's.

I wonder what the brick rate will be...

My guess is that the people (with brains) will stay away from this, unless they know what they are doing... it may have a method to bring it back from the dead if you do kill it...

And, you never know what someone may come up with....
 
I think whoever developed this should have kept it quiet until the 2.0 release. Why give Apple all the details on how they screwed up, only for it to be patched with the official release?
 
Because 2.0 won't be coming out until June. This gives the hackers a knowledge base on the timeframe they have to work on this. :apple:
 
Wow, this sounds like it's going to be huge. :) "iPhone Linux" type things will start popping up everywhere.
 
o_O Lunix on my iPod touch, will it have the Beryl cube? :p
If the new (custom) firmware is as nice as Apple's, and can be synced from Banshee, I'm all over that....
 
What's the point of Linux if we can already put games and apps on with jailbreak?
Also, what kind of custom firmwares will we be able to get? I know with older iPods and iPodWizard, you could use firmware files to put themes on your iPod, and re-arrange icons and add backgrounds and stuff. Will it basically be the same thing? (Or does anyone even know much about this yet?)
 
Only the Dev Team really knows. But it opens it up so wide that the possibilities are endless. You name it, it can run it. Maybe you could get OS X to run on it... battery life would suck though....
 
Endless..

Now, what they need to do is a net install type of idea. Allow for a complete copy of the system, then set that as an image. Then go to a website in Safari and execute the code to install your custom image, all on your private intranet. THAT would be awesome. (I might even pay for that kind of fun. :cool:)
 