Pwnage


This exploit is in the S5L8900 bootrom and is therefore present in the iPhone, iPod touch, and iPhone 3G. The flaw is that the bootrom does not signature-check LLB.

Exploit

S5L8900

Pwnage exploits a broken chain of trust in the boot sequence of S5L8900 devices. The boot sequence includes the LLB and iBoot modules, which are stored in the device's NOR flash and are typically encrypted (as of 1.1.*). However, at that point they carry no RSA signature, because the 8900 container (which holds the signature) is stripped before the file is written to NOR. Pwnage exploits this weakness.

First, Apple assumes that if something is in NOR, it must have passed an RSA signature verification and is therefore authentic Apple code. This is incorrect, because the only mechanism preventing unauthorized code from being written to the NOR flash is the kernel. The iPhone/iPod touch kernel contains an extension designed specifically to write to NOR, called AppleImage2NORAccess. This extension performs an RSA signature verification on any data it tries to write. The verification itself is performed by the FairPlay extension, which is heavily obfuscated, but neutering the check is very simple. Once the check is patched out, anything can be written to the NOR flash.

Second, Apple assumes that disabling the encryption keys in the “normal” environment prevents firmware files from being written to the NOR flash. Luckily, we found a way to run our code in the “secure” environment and use the AppleImage2NORAccess extension the same way Apple does during a restore.

Before iOS 2.0, the NOR was set up in a way that when the firmware images were flashed there, the RSA signatures were dropped along with the rest of the firmware container. So although iBoot signature checked the kernel, LLB did not signature check iBoot, and the VROM did not signature check LLB.

Pwnage starts by booting from a memory device (ramdisk) in the “secure” environment, which prevents the kernel from disabling the encryption keys. We also add another memory device, pointed at the kernel's address space, to allow live kernel patching. After booting up, we patch the signature check out of the AppleImage2NORAccess extension and proceed with flashing our custom firmware files (iBoot, LLB, DeviceTree, and pictures). Because the signature check has been patched out and the encryption keys are available, AppleImage2NORAccess happily writes them to the appropriate location in NOR flash. After that, the device can be restarted, and it will accept any unsigned 8900 file without complaint.

One specific aspect of the attack that is worth examining more closely is the iBoot patch. iBoot is the last and most complicated bootloader on the devices, and is what actually loads the kernel together with the DeviceTree. However, Apple made the decision to keep all the PKE (Public Key Encryption) logic out of iBoot, instead putting it in the secure bootloader. Thus, iBoot actually jumps into the secure bootloader when it wants to verify the authenticity of an 8900 file. This makes it hard to patch the RSA signature verification directly out of iBoot, as it actually occurs in the secure bootloader. Simply killing the jump into the secure bootloader is impossible, as it also fills in other information iBoot needs to proceed.

Because of the tight coupling between the secure bootloader and the higher-level bootloaders, Apple gave us a solution: the secure bootloader often needs to call functions in the higher-level bootloaders, but it has the problem of knowing where to jump, as functions move around in different revisions. To get around this, Apple made thunks out of the function calls, and makes the higher-level bootloaders patch the secure bootloader on the fly (in RAM) with the relevant jump addresses. They just copy the secure bootloader into RAM and blindly apply a list of patches to it. We exploited this pre-existing patching mechanism to patch out the RSA signature verification from secure bootloader.

Post-2.0, images are written to NOR in a way that lets each one verify the next (LLB verifying iBoot, for example). The bootrom itself cannot be rewritten, however, so it still loads LLB as before, without any signature check.

The bootrom has a vulnerability in DFU Mode when processing iBoot certificates, which are in DER format. It copies all the certificate information onto the stack, but the signature itself is copied without any bounds checking. The result is a classic stack buffer overflow, which is then used to make the signature-checking function return true.

S5L8720 and on

This exploit has been fixed on the iPod touch (2nd generation) and all devices released after it. The bootrom now signature-checks LLB before jumping to it, and if the LLB has been patched, it falls back to DFU Mode. The 0x24000 Segment Overflow exploit was later found in the first bootrom revisions of the iPod touch (2nd generation) and iPhone 3GS, allowing those devices to be fully jailbroken. It has since been fixed with new bootrom revisions for these devices. Newer devices were never susceptible to the 0x24000 Segment Overflow.
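To make the three chain-of-trust states described above concrete (pre-2.0 NOR with signatures stripped, post-2.0 NOR where LLB verifies iBoot but the S5L8900 bootrom still trusts LLB blindly, and the S5L8720-and-later bootrom that checks LLB and drops to DFU on failure), here is an added simulation written for this page; it is not code from the wiki or from any jailbreak tool. HMAC-SHA256 with a constructed key stands in for Apple's RSA check, and the `:verify=1` tag in each image is a constructed stand-in for the verification code that a stage carries in its own binary.

```python
import hashlib
import hmac

# Constructed stand-in for Apple's signing key; HMAC-SHA256 stands in for the RSA check.
SIGNING_KEY = b"constructed stand-in for Apple's private key"

def sign(image: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()

def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sig, sign(image))

def flash(nor: dict, name: str, image: bytes, keep_signature: bool) -> None:
    """Write an image to NOR. Pre-2.0 firmware dropped the 8900 container (and with it the
    signature) before the write; post-2.0 firmware keeps the signature next to the image."""
    nor[name] = (image, sign(image) if keep_signature else None)

def boot(nor: dict, bootrom_verifies_llb: bool):
    """Walk bootrom -> LLB -> iBoot -> kernel. Whether a stage verifies the next image is
    part of that stage's own code (modelled as a ':verify=1' tag in the image), so replacing
    a stage also replaces its check. Only the bootrom's policy is fixed: it is mask ROM."""
    ran, checked = [], []
    must_verify = bootrom_verifies_llb
    for name in ("LLB", "iBoot"):
        image, sig = nor[name]
        if must_verify:
            if sig is None or not verify(image, sig):
                return ran, checked, "DFU"          # refuse the image, fall back to DFU mode
            checked.append(name)
        ran.append(name)
        must_verify = image.endswith(b":verify=1")
    return ran, checked, "kernel"

def scenario(firmware: str, bootrom_verifies_llb: bool, tamper: str = ""):
    """firmware: 'pre-2.0' (signatures stripped, LLB does not check iBoot) or 'post-2.0'
    (signatures kept, LLB checks iBoot). tamper names a NOR image that was modified: the
    stored signature, if any, no longer matches, and the image's own check is switched off."""
    keep = firmware == "post-2.0"
    nor = {}
    flash(nor, "LLB", b"LLB:verify=1" if keep else b"LLB:verify=0", keep)
    flash(nor, "iBoot", b"iBoot:verify=1", keep)
    if tamper:
        image, sig = nor[tamper]
        nor[tamper] = (b"patched " + image.replace(b"verify=1", b"verify=0"), sig)
    return boot(nor, bootrom_verifies_llb)

if __name__ == "__main__":
    print("S5L8900, pre-2.0, modified iBoot:", scenario("pre-2.0", False, "iBoot"))
    print("S5L8900, post-2.0, modified iBoot:", scenario("post-2.0", False, "iBoot"))
    print("S5L8900, post-2.0, modified LLB:", scenario("post-2.0", False, "LLB"))
    print("S5L8720+, post-2.0, modified LLB:", scenario("post-2.0", True, "LLB"))
```

The third call is the S5L8900 situation the article describes: the post-2.0 layout catches a modified iBoot, but a modified LLB still runs because the bootrom never checks it, and a modified LLB can simply stop checking iBoot. Only the last call, where the check is rooted in ROM, ends in DFU.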

Retrieved from 'https://www.theiphonewiki.com/w/index.php?title=Pwnage&oldid=56332'

PwnageTool is an iOS jailbreak tool for Mac OS X that jailbreaks by creating a custom IPSW. It lets you change boot logos and add pre-installed packages to the IPSW. Once the IPSW has been created, you can restore with it using iTunes.

Exploits Used

Version 1.0

Version 2.0

Version 4.0

  • Bootrom exploit (used by limera1n and greenpois0n)

Models Supported

Model | Since
iPhone 3G | 19 Jul 2008
iPod touch (2nd generation) | 2 Oct 2009
iPhone 4 (iPhone3,1) | 20 Oct 2010
iPod touch (3rd generation) | 20 Oct 2010
iPod touch (4th generation) | 20 Oct 2010
iPad | 20 Oct 2010
Apple TV (2nd generation) | 20 Oct 2010

Please note that the iPad 2 and the iPhone 4S are not supported, as there is no publicly available bootrom exploit (like Pwnage, Pwnage 2.0, or limera1n) for the A5 processor.

Versions

PwnageTool was released on 3 April 2008 but was largely unused until version 2.0 was released on 19 July 2008. The versions listed here are release versions, not beta, alpha, or development builds.

1.x: First release of PwnageTool

Version 1.0 (3 Apr 2008)
  • Initial release
  • Supports iPod touch and iPhone.
  • Includes 2 modes: iPwner and custom .ipsw
  • Uses Ramdisk Hack+Pwnage in iPwner then creates the firmware.

Version 1.1 (17 Apr 2008)
  • Jailbreaks 1.1.4 firmware
  • Supports iPod touch and iPhone.
  • Custom boot logos can now be added
  • Added Bootneuter integration
  • Still uses iPwner and custom .ipsw

2.x: Second major release of PwnageTool

Version 2.0 (19 Jul 2008)
  • Added iPhone 3G support [1]
  • Jailbreaks 2.0 Firmware
  • Change boot logos
  • Adds Cydia by default

Version 2.0.1 (4 Aug 2008)
  • Jailbreaks 2.0.1 firmware
  • Works for 2.0 and 2.0.1.

Version 2.0.2 (21 Aug 2008)
  • Jailbreaks 2.0.2 firmware [2]
  • Works for 2.0, 2.0.1, and 2.0.2.
  • Bug fixes, for when it doesn't go to the next page when you click on something.

Version 2.0.3 (25 Aug 2008)
  • Jailbreaks 2.0.2 firmware
  • Works for 2.0, 2.0.1, and 2.0.2.

Version 2.1 (13 Sep 2008)
  • Jailbreaks 2.1 firmware
  • Removed backwards compatibility
  • Download packages from a valid Cydia source, and add them onto your custom IPSW.

Version 2.2 (21 Nov 2008)
  • Jailbreaks 2.2 firmware

Version 2.2.5 (30 Jan 2009)
  • Jailbreaks 2.2.1
  • Not updated by iPhone Dev Team but made official.

3.x: Third Major Release of PwnageTool

Version 3.0 (19 Jun 2009)
  • Jailbreaks 3.0 firmware
  • DFU mode instructions included

Version 3.1 (15 Sep 2009)
  • Jailbreaks 3.1 firmware for iPhone and iPhone 3G
  • Jailbreaks 3.1.1 firmware for iPod touch

Version 3.1.3 (2 Oct 2009)
  • Support for iPhone 3GS with bootrom 359.3 and iPod touch (2nd generation) with bootrom 240.4 (these devices need to be pwned from 3.0/3.0.1)

Version 3.1.4 (13 Oct 2009)
  • Jailbreaks 3.1.2 firmware for iPhone, iPhone 3G, iPhone 3GS with bootrom 359.3, iPod touch, and iPod touch (2nd generation) with bootrom 240.4
  • iPod touch (3rd generation) not supported.

Version 3.1.5 (7 Feb 2010)
  • Jailbreaks 3.1.3 firmware for devices supported in 3.1.4.

4.x: Fourth Major Release of PwnageTool

Version 4.0 (22 Jun 2010)
  • Jailbreaks iOS 4.0 for devices supported in 3.1.4.

Version 4.01 (23 Jun 2010)
  • Fixes iBooks issue.

Version 4.1 (20 Oct 2010)
  • Jailbreaks iOS 4.1 for Apple TV (2nd generation), iPad, iPhone 3G, iPhone 3GS (both bootroms), iPhone 4, iPod touch (3rd generation), and iPod touch (4th generation).

Version 4.1.1 (22 Oct 2010)
  • Fixes issues with Leopard.

Version 4.1.2 (22 Oct 2010)
  • Fixes more issues with Leopard.

Version 4.1.3 (28 Nov 2010)
  • Enables installing the 06.15.00 baseband on the iPhone 3G and iPhone 3GS

Version 4.2 (15 Feb 2011)
  • Support for iOS 4.2.1 on every device that is compatible, except for the iPod touch (2nd generation).

Version 4.3 (3 Apr 2011)
  • Support for iOS 4.3.1 on every device that is compatible, except for the iPad 2.

Version 4.3.2 (27 Dec 2011)
  • Support for iOS 4.3.2 on every device that is compatible, except for the iPad 2.

Version 4.3.3 (8 Jun 2011)
  • Support for iOS 4.3.3 on every device that is compatible, except for the iPad 2.

Version 4.3.3.1 (8 May 2011)
  • Includes a fix for the iPhone 3GS / iPhone 4 side switch vibration issue (only for 4.3.3)

5.x: Fifth Major Release of PwnageTool

Version 5.0.1 (27 Dec 2011)
  • Jailbreaks iOS 5.0.1 for non-A5 devices.

Version 5.1.1 (4 Jun 2012)
  • Jailbreaks iOS 5.1.1 for non-A5(X) devices.

Creating the Firmware

PwnageTool takes the IPSW file and patches it, creating a custom version. This enables many more features, such as pre-installed packages, BootNeuter (iPhone software unlock), custom packages, and boot logos. This method is usually less secure than the quick exploits (redsn0w, QuickPwn, purplera1n, blackra1n, etc.).

How to create Custom Firmware Bundles

Main article: Making PwnageTool Bundles


Problems

This method does have negative aspects. The most common errors are those in the 16xx range, which mean that either the firmware file is corrupt or the device was not put in the right mode (Recovery or DFU Mode). Sometimes the problem is simply a computer problem, such as a full disk or a broken USB port. The most common error is Error 1604, which means that the firmware file is corrupted.

Windows

PwnageTool is expected to remain exclusive to Mac OS X. As of October 2009, iH8sn0w et al. have announced a project that brings PwnageTool's functionality to Windows, called sn0wbreeze. [3]

License

PwnageTool is freeware.

Retrieved from 'https://www.theiphonewiki.com/w/index.php?title=PwnageTool&oldid=113510'