
Merge branch 'master' of git://github.com/planetbeing/xpwn

2 parents 7ed7896 + 9f8b5e8 commit 1ed362af397ec9da8cce0fd1dabc7e781c1e0423 @planetbeing committed Jul 21, 2008
Showing 676 changed files with 2,761 additions and 50,930 deletions.
@@ -21,6 +21,7 @@ add_subdirectory (dmg)
add_subdirectory (hdutil)
add_subdirectory (hfs)
add_subdirectory (ipsw-patch)
+add_subdirectory (dfu-util)
add_subdirectory (xpwn)
install(FILES README.markdown DESTINATION . RENAME README.txt)
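Review bot: The added `add_subdirectory (dfu-util)` makes libusb a hard configure-time requirement for the entire tree, because the new dfu-util/CMakeLists.txt later in this commit stops configuration with `message(FATAL_ERROR ...)` when `USB_FOUND` is false; anyone building only the ipsw/hfs/dmg tools on a host without libusb headers can no longer configure at all. Guard it behind a cache option so the rest of the project stays buildable: `option(BUILD_DFU_UTIL "Build dfu-util (requires libusb)" ON)` followed by `if(BUILD_DFU_UTIL)` / `add_subdirectory (dfu-util)` / `endif()`. The same hard-failure point applies to the dfu-util section below, where the `FATAL_ERROR` lives.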
@@ -1,77 +0,0 @@
-all: hfs/hfsplus dmg/dmg hdutil/hdutil ipsw-patch/pch xpwn/xpwn
-
-dmg/dmg:
- cd dmg; make
-
-hfs/hfsplus:
- cd hfs; make
-
-hdutil/hdutil:
- cd hdutil; make
-
-ipsw-patch/pch: hfs/hfsplus dmg/dmg
- cd ipsw-patch; make
-
-xpwn/xpwn: hfs/hfsplus dmg/dmg
- cd xpwn; make
-
-install: ipsw-patch/pch xpwn/xpwn
- -rm -rf xpwn-build
- mkdir xpwn-build
- cp ipsw-patch/pch xpwn-build/ipsw
- cp xpwn/build/xpwn xpwn-build/xpwn
- cp xpwn/ramdisk.dmg xpwn-build/ramdisk.dmg
- cp -R ipsw-patch/FirmwareBundles xpwn-build/FirmwareBundles
- cp -R ipsw-patch/bundles xpwn-build/bundles
- cp README.markdown xpwn-build/README
- cp LICENSE xpwn-build/LICENSE
- tar jcvf xpwn-linux.tar.bz2 xpwn-build
-
-install-win: ipsw-patch/pch xpwn/xpwn
- -rm -rf xpwn-build
- mkdir xpwn-build
- -cp ipsw-patch/pch.exe xpwn-build/ipsw.exe
- -cp xpwn/build/xpwn.exe xpwn-build/xpwn.exe
- -cp ipsw-patch/pch xpwn-build/ipsw.exe
- -cp xpwn/build/xpwn xpwn-build/xpwn.exe
- cp xpwn/ramdisk.dmg xpwn-build/ramdisk.dmg
- cp -R ipsw-patch/FirmwareBundles xpwn-build/FirmwareBundles
- cp -R ipsw-patch/bundles xpwn-build/bundles
- sed "`echo s/$$/\\\r`/" README.markdown > xpwn-build/README.txt
- sed "`echo s/$$/\\\r`/" LICENSE > xpwn-build/LICENSE.txt
- cd xpwn-build; zip -r ../xpwn-windows.zip *
-
-clean:
- -rm common/*.o
- cd dmg; make clean
- cd hfs; make clean
- cd hdutil; make clean
- cd ipsw-patch; make clean
- cd xpwn; make clean
-
-dist-clean: clean
- -cd dmg/zlib-1.2.3; make clean
- -rm dmg/zlib-1.2.3/Makefile
- -rm dmg/zlib-1.2.3/*.exe
- -rm dmg/openssl-0.9.8g/crypto/objects/obj_dat.h
- -cd dmg/openssl-0.9.8g; make clean
- -cd ipsw-patch/libpng-1.2.28; make clean
- -cd ipsw-patch/bzip2-1.0.5; make clean
- -cd xpwn/libusb-0.1.12; make clean
- -rm -rf xpwn/libusb-0.1.12/autom4te.cache
- -rm xpwn/libusb-0.1.12/config.h
- -rm xpwn/libusb-0.1.12/config.log
- -rm xpwn/libusb-0.1.12/config.status
- -rm xpwn/libusb-0.1.12/config.status.lineno
- -rm xpwn/libusb-0.1.12/libtool
- -rm xpwn/libusb-0.1.12/doc/Makefile
- -rm xpwn/libusb-0.1.12/tests/Makefile
- -rm -rf xpwn/libusb-0.1.12/.deps
- -rm -rf xpwn/libusb-0.1.12/tests/.deps
- -rm xpwn/libusb-0.1.12/Makefile
- -cd xpwn/libusb-win32; make clean
- -rm -rf ide/xcode/build
- -rm dmg/zlib-1.2.3/contrib/minizip/*.o
- -rm ipsw-patch/bzip2-1.0.5/*.exe
- -rm -rf xpwn-build
-
@@ -37,6 +37,17 @@ Credits
This utility is merely an implementation of Pwnage, which is the work of
roxfan, Turbo, wizdaz, bgm, and pumpkin. Those guys are the real heroes.
+Also, the new super-awesome bootrom exploit is courtesy of wizdaz.
+
+MuscleNerd has put a lot of work into the 3G effort. The BootNeuter unlock
+for first-generation iPhones packaged within is primarily his effort.
+
+Thanks also go to gray and c1de0x for their RCE efforts. saurik is the author
+of Cydia, included within. bugout was the lucky guy who did our first 3G tests.
+
+Thanks to chris for his hardware wisdom, Zf for his French humor, and pytey
+for the support on the serial stuff.
+
XPwn attempts to use all the same data files and patches as PwnageTool to
avoid duplication of present and future labor. I believe that wizdaz probably
put the most sweat into PwnageTool, and the pwnage ramdisk is the work of
@@ -52,10 +63,104 @@ the initial exploratory work with the undocumented DMG format.
Usage
-----
-There are two utilities in this package, as well as the InternalPackages and
+There are two utilities in this package, as well as the bundles and
FirmwareBundles folders from PwnageTool, and Turbo's autopwn ramdisk.
-## xpwn
+## ipsw
+
+*NOTE: Important change for 2.0: (uncompressed) tarballs rather than paths are
+now used for bundles*
+
+ipsw is a more complex tool to generate custom IPSWs that you can restore
+after using xpwn (or any other pwnage-based utility). This is important, since
+that's how the jailbreak actually occurs.
+
+ ./ipsw <input.ipsw> <output.ipsw> [-b <bootimage.png>] [-nowipe] \
+ [-r <recoveryimage.png>] [-e "<action to exclude>"] \
+ [[-unlock] [-use39] [-use46] [-cleanup] \
+ -3 <bootloader 3.9 file> -4 <bootloader 4.6 file>] \
+ <package1.tar> <package2.tar>...
+
+
+Yes, I know, confusing syntax. The first two options are the IPSW you want to
+modify, and where you want to save the modified IPSW respectively. -b and -r
+have the same semantics and requirements as for xpwn. You can also specify
+actions to exclude from the "FilesystemPatches" section of the Info.plist
+for your particular IPSW (in FirmwareBundles/).
+
+The most common use of the '-e' flag is to disable automatic activation, i.e.
+'-e "Phone Activation"'. Note that the double-quotes are necessary.
+
+-nowipe disables Apple's wiping of the NAND (user data), before proceeding
+with the restore. This allows the restore to happen much, much more quickly.
+
+-unlock, -use39, -use46, -cleanup, -3, and -4 are valid only if you merge the
+BootNeuter package. These provide instructions to BootNeuter (which provides
+unlocking for iPhones). If you choose to use BootNeuter, you must specify the
+location where the 3.9 and 4.9 bootloader can be found with the -3 and -4
+options. These cannot be included with xpwn due to copyright restrictions.
+
+-unlock specifies that you wish BootNeuter to unlock the phone (if it is not
+already unlocked). -use39 and -use46 instructs BootNeuter to either upgrade
+or downgrade your bootloader (if it is not already on the version you choose).
+-cleanup instructs BootNeuter to delete itself off of the iPhone after it is
+complete. If you do not specify -cleanup, BootNeuter will be accessible via
+SpringBoard.
+
+The last options are for tar-files to merge. All permissions and ownership
+will be preserved except for already directories that already exist. This is
+to prevent accidental clobbering (we're guessing you don't really want to
+alter permissions on existing directories). This behavior may change in the
+future.
+
+Told you it was a mess.
+
+## dfu-util
+
+dfu-util is an utility adapted from OpenMoko that satisfies the "pwning" stage
+of the process, that is, allowing the execution of our unsigned code. It
+relies upon an exploit in the DFU mode of the iPhone/iPod touch bootrom. This
+cannot be fixed by Apple on the current hardware revisions. If we can mess
+with the device before iTunes sees it, we can have it load a WTF with
+signature checking disabled with the exploit, and load an iBSS with signature
+checking disabled over that WTF. iTunes will see the device as a regular
+iPhone/iPod in recovery mode, and will happily send our custom firmware to it,
+which will now be accepted.
+
+YOU MUST COMPLETELY DISABLE iTUNES WITH TASK MANAGER OR EQUIVALENT BEFORE
+PROCEEDING.
+
+Only AFTERWARDS do you put your device into DFU mode. If you switch the order
+of these steps, iTunes will be able to load software onto your device without
+this vulnerability, rendering dfu-util useless.
+
+AFTER you have disabled iTunes, iTunesHelper, etc., plug your device into the
+computer. Shut down the device in the normal way if necessary (Slide to
+shutdown). Hold down the Power and Home buttons simultaneously and count
+slowly to ten. (You may need to push down on power an instant before you
+push down on home). The iPhone will start. At around the time you count to 6,
+the iPhone will shut down again. KEEP HOLDING BOTH BUTTONS. Hold down both
+buttons until you reach 10. At this point, release the power button ONLY.
+Keep holding the stand-by button forever (this may take up to two minutes).
+You will know when you can stop holding the button when Windows notifies you
+via an audible cue that a USB device has connected. This is your device in
+DFU mode. The screen of the device will remain completely powered off.
+
+THEN, run dfu-util with the following syntax:
+
+ sudo ./dfu-util <custom.ipsw> <n82ap|m68ap|n45ap>
+
+Where n82ap = 3G iPhone, m68ap = First-generation iPhone, n45ap = iPod touch.
+Note that you're using your CUSTOM IPSW for this stage, since we will need the
+patched firmware, not the stock firmware. dfu-util will pick out the right
+files from the ipsw and send them in the right order. If your screen powers on
+and then turns white, then you know it worked. You can now restore with iTunes.
+
+## xpwn *(DEPRECATED)*
+
+If DFU mode is too complicated for you, and you have a first-generation phone,
+you can still use the legacy xpwn ramdisk method on 1.1.4 to pwn your phone.
+Then you can restore the custom IPSW without messing with DFU mode.
xpwn will use libibooter to bootstrap the autopwn ramdisk. This will patch
NOR so that unsigned IPSWs can subsequently be used. The vulnerability used
@@ -93,78 +198,26 @@ used to swap boot logos without restoring.
A restore with a non-customized IPSW will undo what xpwn did (the NOR will be
reflashed with Apple's image that does have signature checking)
-## ipsw
-
-ipsw is a more complex tool to generate custom IPSWs that you can restore
-after using xpwn (or any other pwnage-based utility). This is important, since
-that's how the jailbreak actually occurs.
-
- ./ipsw <input.ipsw> <output.ipsw> [-b <bootimage.png>] [-nobbupdate] \
- [-r <recoveryimage.png>] [-e "<action to exclude>"] \
- [[-unlock] [-use39] [-use46] [-cleanup] \
- -3 <bootloader 3.9 file> -4 <bootloader 4.6 file>] \
- <path/to/merge1> <path/to/merge2>...
-
-Yes, I know, confusing syntax. The first two options are the IPSW you want to
-modify, and where you want to save the modified IPSW respectively. -b and -r
-have the same semantics and requirements as for xpwn. You can also specify
-actions to exclude from the "FilesystemPatches" section of the Info.plist
-for your particular IPSW (in FirmwareBundles/).
-
-The most common use of the '-e' flag is to disable automatic activation, i.e.
-'-e "Phone Activation"'. Note that the double-quotes are necessary.
-
--nobbupdate disables Apple's baseband upgrade program from running during
-the restore. However, bbupdate must be enabled for unlocking with BootNeuter.
-
--unlock, -use39, -use46, -cleanup, -3, and -4 are valid only if you merge the
-BootNeuter package. These provide instructions to BootNeuter (which provides
-unlocking for iPhones). If you choose to use BootNeuter, you must specify the
-location where the 3.9 and 4.9 bootloader can be found with the -3 and -4
-options. These cannot be included with xpwn due to copyright restrictions.
-
--unlock specifies that you wish BootNeuter to unlock the phone (if it is not
-already unlocked). -use39 and -use46 instructs BootNeuter to either upgrade
-or downgrade your bootloader (if it is not already on the version you choose).
--cleanup instructs BootNeuter to delete itself off of the iPhone after it is
-complete. If you do not specify -cleanup, BootNeuter will be accessible via
-SpringBoard.
-
-The last options are for directories to merge into the root filesystem of your
-device. The included bundles can be merged by specifying something like
-"bundles/Installer.bundle/files". Notice the "files" part must be specified.
-It is also perfectly possible to set up your own files to merge.
-
-/Applications/Installer.app/Installer will be given special setuid
-permissions. All files that have the format /Applications/XXX.app/XXX will be
-given execute permissions. All files in /sbin, /bin, /usr/bin, /usr/sbin,
-/usr/libexec, /usr/local/bin, /usr/local/sbin, /usr/local/libexec will also be
-given execute permissions. Special permissions are also given to BootNeuter.
-Everything else will be non-executable, so a special LaunchDaemon task may need
-to be constructed to properly set up your custom apps. Generally, however,
-those permissions are already sufficient.
-
-Told you it was a mess.
### Examples
-Jailbreaking iPod 1.1.4:
+Jailbreaking iPod 2.0:
- ./ipsw iPod1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
- bundles/Installer.bundle/files
+ ./ipsw iPod1,1_2.0_5A347.bundle custom.ipsw \
+ bundles/Cydia.tar
-Jailbreaking iPhone 1.1.4:
+Jailbreaking iPhone 3G:
- ./ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
- -e "Phone Activation" bundles/Installer.bundle/files
+ ./ipsw iPhone1,2_2.0_5A347.bundle custom.ipsw \
+ -e "Phone Activation" bundles/Cydia.tar
-Jailbreaking, activating, and unlocking iPhone 1.1.4:
+Jailbreaking, activating, and unlocking iPhone 2.0:
- ./ipsw iPhone1,1_1.1.4_4A102_Restore.ipsw custom.ipsw \
+ ./ipsw iPhone1,1_2.0_5A347.bundle custom.ipsw \
-unlock -cleanup -3 bl39.bin -4 bl46.bin \
- bundles/Installer.bundle/files \
- bundles/BootNeuter.bundle/files \
- bundles/YoutubeActivation.bundle/files
+ bundles/Cydia.tar \
+ bundles/BootNeuter.tar \
+ bundles/YoutubeActivation.tar
Technical notes
---------------
@@ -99,6 +99,9 @@ AbstractFile* createAbstractFileFromDummy() {
size_t memRead(AbstractFile* file, void* data, size_t len) {
MemWrapperInfo* info = (MemWrapperInfo*) (file->data);
+ if(info->bufferSize < (info->offset + len)) {
+ len = info->bufferSize - info->offset;
+ }
memcpy(data, (void*)((uint8_t*)(*(info->buffer)) + (uint32_t)info->offset), len);
info->offset += (size_t)len;
return len;
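Review bot: The new clamp in memRead underflows if `info->offset` is already past `info->bufferSize` (for example after a seek beyond the end, if the seek path allows that; that code is not in view): `info->bufferSize - info->offset` wraps to a huge size_t and the memcpy on the following line reads and writes far beyond both buffers, which is the overrun the clamp is meant to stop. Check the offset first and compare against the remaining bytes instead of forming `offset + len`, which can itself wrap for a large `len`: `if(info->offset >= info->bufferSize) return 0;` then `if(len > info->bufferSize - info->offset) len = info->bufferSize - info->offset;`. The `(uint32_t)info->offset` cast in the memcpy address is pre-existing but silently truncates offsets on 64-bit hosts, so it is worth dropping while this line is being touched. The closing brace of memRead lies outside the hunk.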
View
@@ -0,0 +1,17 @@
+INCLUDE(${PROJECT_SOURCE_DIR}/FindUSB.cmake)
+
+IF(NOT USB_FOUND)
+ message(FATAL_ERROR "libusb is required for dfu-util!")
+ENDIF(NOT USB_FOUND)
+
+include_directories(${USB_INCLUDE_DIR})
+link_directories(${USB_LIBRARIES})
+
+add_executable(dfu-util dfu.c sam7dfu.c main.c)
+
+link_directories(${PROJECT_BINARY_DIR}/common ${PROJECT_BINARY_DIR}/hfs ${PROJECT_BINARY_DIR}/ipsw-patch)
+
+target_link_libraries(dfu-util xpwn)
+target_link_libraries(dfu-util ${USB_LIBRARIES})
+
+install(TARGETS dfu-util DESTINATION .)
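Review bot: `link_directories(${PROJECT_BINARY_DIR}/common ...)` is called after `add_executable(dfu-util ...)`, so it has no effect on the dfu-util target — link_directories only applies to targets created after it — and `link_directories(${USB_LIBRARIES})` passes what is presumably a list of library names or files (FindUSB.cmake is not in view) where a directory list is expected, so it is a no-op at best. If `xpwn` is a library target defined elsewhere in this tree, neither link_directories call is needed and `target_link_libraries` resolves it on its own; if it is only a prebuilt file, the directory list must precede `add_executable`. The two keyword-less `target_link_libraries` calls should become one call with an explicit visibility keyword, and the mixed-case `INCLUDE`/`IF`/`ENDIF(NOT USB_FOUND)` should follow the lowercase, bare-`endif()` style used by the rest of the hunk. Where the project's minimum CMake version permits it, scope the include path to the target as well:
```cmake
include(${PROJECT_SOURCE_DIR}/FindUSB.cmake)
if(NOT USB_FOUND)
  message(FATAL_ERROR "libusb is required for dfu-util!")
endif()

# … unchanged: add_executable(dfu-util dfu.c sam7dfu.c main.c) …
target_include_directories(dfu-util PRIVATE ${USB_INCLUDE_DIR})
# xpwn is expected to be a library target from this tree; if it is only a
# prebuilt file, a link_directories() call must precede add_executable() instead.
target_link_libraries(dfu-util PRIVATE xpwn ${USB_LIBRARIES})
# … unchanged: install(TARGETS dfu-util DESTINATION .) …
```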
