
PongoOS Flash-NOR / SPI driver

Open rickmark opened this issue 4 years ago • 8 comments

When booted to pongoOS over iBoot we lose read/write access to persistent storage.

Pongo ought to provide access to these methods, as they are key to the setup of the next phase boot loader

rickmark avatar Mar 26 '20 18:03 rickmark

Sounds like an interesting idea. Off the bat, I can think of two ways of implementing this. Either passing an iBoot and extracting the fragments of the driver and reconstructing and sending it to pongoOS, or having to rewrite the driver completely similar to what Brandon Azad did for KTRW (now reimplemented in pongoOS I believe.) What do you think?

tjkr0wn avatar Oct 30 '20 18:10 tjkr0wn

Best option is a net new implementation, as who knows what the side effects of iBoot code can be. If I had time I’d be starting with the SPI first, and later moving to the NAND block layer... I think it works by making requests to ANS2 to drop a block into DRAM via DART.


rickmark avatar Oct 31 '20 05:10 rickmark


Sounds like a worthwhile investment of time, as the idea of pongoOS is to over time turn into an iOS version of Clover afaik.

tjkr0wn avatar Oct 31 '20 19:10 tjkr0wn

For reasons of forensics / investigation of my devices that seem to have some form of malware persistence, I've started to undertake a read-only version of this work. (I have iDevices that are hiding data in alternate NVMe namespaces).

Feel free to follow along to this: https://github.com/t8012/pongo-flash

rickmark avatar Nov 05 '20 07:11 rickmark

That’s a bit unfortunate. I currently only have a t8015 for testing purposes. Is reversing there a good idea, or should I try to focus on the t8012 chip even though I don’t have it?


tjkr0wn avatar Nov 05 '20 11:11 tjkr0wn

@rickmark I have forked the repo and I'm gonna try to add some reversing/research notes related to the development of the driver there. It's under the same name.

tjkr0wn avatar Nov 06 '20 04:11 tjkr0wn

The ipwndfu for t8012 probably works on other chips (for booting without the NAND). @h0m3us3r, @aunali1 and @mrmacarm?

As for storage - since there is no device or driver concept I had to start the work on the internal version of Pongo, and it will probably need some API / design revisions by the team before we want to expose it for dependencies. Rev0 will probably just be SPI/NOR (so just SCfg, effaceable, iBoot and the like)

rickmark avatar Nov 06 '20 07:11 rickmark

@rickmark I'd be happy to help out with the driver in any way I can! My current objective is to get a working PoC functional enough to at least read bytes from NOR

tjkr0wn avatar Nov 06 '20 15:11 tjkr0wn