
added ecid info in img3 and a function to replace img3 signature

Joshua Hill
Joshua Hill committed Feb 27, 2010
1 parent 2706f37 commit 28f71322c436eba974cc207e61af33b66aa40ddc
Showing with 37 additions and 2 deletions.
  1. +4 −0 includes/xpwn/img3.h
  2. +33 −2 ipsw-patch/img3.c
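--- a/includes/xpwn/img3.h
+++ b/includes/xpwn/img3.h
@@ -17,6 +17,7 @@
 #define IMG3_CERT_MAGIC 0x43455254
 #define IMG3_KBAG_MAGIC 0x4B424147
 #define IMG3_TYPE_MAGIC 0x54595045
+#define IMG3_ECID_MAGIC 0x45434944
 #define IMG3_SIGNATURE IMG3_MAGIC
@@ -64,6 +65,8 @@ struct Img3Info {
 Img3Element* cert;
 Img3Element* kbag;
 Img3Element* type;
+ Img3Element* shsh;
+ Img3Element* ecid;
 int encrypted;
 AES_KEY encryptKey;
 AES_KEY decryptKey;
@@ -82,6 +85,7 @@ extern "C" {
 AbstractFile* createAbstractFileFromImg3(AbstractFile* file);
 AbstractFile* duplicateImg3File(AbstractFile* file, AbstractFile* backing);
 void replaceCertificateImg3(AbstractFile* file, AbstractFile* certificate);
+ void replaceSignatureImg3(AbstractFile* file, AbstractFile* signature);
 void exploit24kpwn(AbstractFile* file);
 void exploitN8824kpwn(AbstractFile* file);
 #ifdef __cplusplus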
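Review bot: The new `shsh`/`ecid` fields and the `replaceSignatureImg3` prototype are added without any statement of their contract, and callers need one because both fields can be NULL. Going by the parser changes in img3.c on this page, a comment such as `/* shsh, ecid: last element with that magic seen while parsing; NULL if the image has none */` above the fields would cover it. On the prototype, `/* signature: file of consecutive img3 elements; they replace the image's element chain from its SHSH element onward */` records what the implementation actually splices.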
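--- a/ipsw-patch/img3.c
+++ b/ipsw-patch/img3.c
@@ -375,8 +375,7 @@ void writeImg3Root(AbstractFile* file, Img3Element* element, Img3Info* info) {
 header->extra.shshOffset = (uint32_t)(file->tell(file) - sizeof(AppleImg3RootHeader));
 }
- if(current->header->magic != IMG3_KBAG_MAGIC || info->encrypted)
- {
+ if(current->header->magic != IMG3_KBAG_MAGIC || info->encrypted) {
 writeImg3Element(file, current, info);
 }
@@ -538,6 +537,9 @@ AbstractFile* createAbstractFileFromImg3(AbstractFile* file) {
 info->cert = NULL;
 info->kbag = NULL;
 info->type = NULL;
+ info->shsh = NULL;
+ info->ecid = NULL;
+ info->encrypted = FALSE;
 current = (Img3Element*) info->root->data;
 while(current != NULL) {
@@ -550,6 +552,12 @@ AbstractFile* createAbstractFileFromImg3(AbstractFile* file) {
 if(current->header->magic == IMG3_TYPE_MAGIC) {
 info->type = current;
 }
+ if(current->header->magic == IMG3_SHSH_MAGIC) {
+ info->shsh = current;
+ }
+ if(current->header->magic == IMG3_ECID_MAGIC) {
+ info->ecid = current;
+ }
 if(current->header->magic == IMG3_KBAG_MAGIC && ((AppleImg3KBAGHeader*)current->data)->key_modifier == 1) {
 info->kbag = current;
 }
@@ -654,6 +662,29 @@ void replaceCertificateImg3(AbstractFile* file, AbstractFile* certificate) {
 info->dirty = TRUE;
 }
+void replaceSignatureImg3(AbstractFile* file, AbstractFile* signature) {
+ Img3Info* info = (Img3Info*) file->data;
+
+ size_t signature_size = signature->getLength(signature);
+ Img3Element* element = (Img3Element*) readImg3Element(signature);
+
+ int i = 0;
+ Img3Element* previous = element;
+ for (i = previous->header->size; i < signature_size; i += previous->header->size) {
+ previous->next = (Img3Element*) readImg3Element(signature);
+ previous = previous->next;
+ }
+
+ Img3Element* current = info->data;
+ while (current->next != info->shsh) {
+ current = current->next;
+ }
+
+ signature->seek(signature, 0);
+ current->next = element;
+ info->dirty = TRUE;
+}
+
 AbstractFile* duplicateImg3File(AbstractFile* file, AbstractFile* backing) {
 Img3Info* info;
 AbstractFile* toReturn;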
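Review bot: replaceSignatureImg3 takes element sizes and list shape on trust, and both come from files. The read loop advances `i` by `previous->header->size` from the signature file, so a size of 0 never terminates, and no `readImg3Element` result is checked before `->header` is read (whether it can return NULL is not visible here, its body is outside the hunk). The walk from `info->data` dereferences `current->next` with no NULL test, so an image without a DATA element, or with SHSH not reachable from DATA, runs off the end of the list. After the splice, `info->shsh`, `info->cert` and `info->ecid` can still point at the unlinked old elements, which are also never released in the visible code; re-scanning the new chain by magic would keep them accurate. The fence sketches the two guards.

```c
void replaceSignatureImg3(AbstractFile* file, AbstractFile* signature) {
	Img3Info* info = (Img3Info*) file->data;
	size_t signature_size = signature->getLength(signature);
	size_t consumed = 0;
	Img3Element* element = NULL;
	Img3Element* previous = NULL;

	/* Read elements until the declared sizes account for the whole file. */
	while (consumed < signature_size) {
		Img3Element* next = (Img3Element*) readImg3Element(signature);
		/* Reject a failed read, a zero size (no progress) or a size past end of file. */
		if (next == NULL || next->header->size == 0
				|| next->header->size > signature_size - consumed) {
			return; /* image left untouched; elements read so far still need releasing */
		}
		if (previous == NULL) {
			element = next;
		} else {
			previous->next = next;
		}
		previous = next;
		consumed += next->header->size;
	}
	if (element == NULL) {
		return; /* empty signature file */
	}

	/* Find the element just before SHSH without walking past the list end. */
	Img3Element* current = info->data;
	while (current != NULL && current->next != info->shsh) {
		current = current->next;
	}
	if (current == NULL) {
		return; /* no DATA element, or SHSH not reachable from it */
	}

	/* … unchanged: seek to 0, splice element after current, set dirty … */
```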
