
merged some changes from dksite, fixed up some stuff in crypto

2 parents c9551aa + 1167ab7 commit 35f5e1902306533781212f2c5cc2ba044d433f55 @planetbeing planetbeing committed Sep 29, 2008
Showing with 1,061 additions and 1 deletion.
  1. +1 −1 README.markdown
  2. +4 −0 crypto/BUILD
  3. +13 −0 crypto/Makefile
  4. +89 −0 crypto/README
  5. BIN crypto/aes
  6. +229 −0 crypto/aes.c
  7. +1 −0 crypto/aescmd
  8. BIN crypto/patch-kernel-crypto
  9. +40 −0 crypto/patch-kernel-crypto.c
  10. +21 −0 crypto/patch-kernel.sh
  11. BIN crypto/xpwntool
  12. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/018-3984-1.patch
  13. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/018-4000-1-nowipe.patch
  14. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/018-4000-1.patch
  15. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/DeviceTree.m68ap.patch
  16. +250 −0 ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/Info.plist
  17. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/LLB.m68ap.RELEASE.patch
  18. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/Services.plist.patch
  19. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/WTF.m68ap.RELEASE.patch
  20. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/WTF.s5l8900xall.RELEASE.patch
  21. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/bbupdater.patch
  22. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/fstab.patch
  23. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/iBEC.m68ap.RELEASE.patch
  24. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/iBSS.m68ap.RELEASE.patch
  25. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/iBoot.m68ap.RELEASE.patch
  26. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/kernelcache.release.patch
  27. BIN ipsw-patch/FirmwareBundles/iPhone1,1_2.0.2_5C1.bundle/lockdownd.patch
  28. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/018-3984-1.patch
  29. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/018-3990-1-nowipe.patch
  30. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/018-3990-1.patch
  31. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/DeviceTree.n82ap.patch
  32. +214 −0 ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/Info.plist
  33. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/LLB.n82ap.RELEASE.patch
  34. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/Services.plist.patch
  35. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/WTF.n82ap.RELEASE.patch
  36. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/WTF.s5l8900xall.RELEASE.patch
  37. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/fstab.patch
  38. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/iBEC.n82ap.RELEASE.patch
  39. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/iBSS.n82ap.RELEASE.patch
  40. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/iBoot.n82ap.RELEASE.patch
  41. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/kernelcache.release.patch
  42. BIN ipsw-patch/FirmwareBundles/iPhone1,2_2.0.2_5C1.bundle/lockdownd.patch
  43. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/018-3984-1.patch
  44. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/018-3990-1-nowipe.patch
  45. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/018-3990-1.patch
  46. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/DeviceTree.n45ap.patch
  47. +199 −0 ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/Info.plist
  48. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/LLB.n45ap.RELEASE.patch
  49. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/Services.plist.patch
  50. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/WTF.n45ap.RELEASE.patch
  51. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/WTF.s5l8900xall.RELEASE.patch
  52. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/fstab.patch
  53. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/iBEC.n45ap.RELEASE.patch
  54. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/iBSS.n45ap.RELEASE.patch
  55. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/iBoot.n45ap.RELEASE.patch
  56. BIN ipsw-patch/FirmwareBundles/iPod1,1_2.0.2_5C1.bundle/kernelcache.release.patch
@@ -5,7 +5,7 @@ The X is for "cross", because unlike PwnageTool, this utility has no
dependencies on proprietary, closed-source software and can potentially be
compiled and used on any platform.
-This is a special proof-of-concept version available only on Linux,
+This is a special proof-of-concept version available on any platform,
compiled with static libraries to minimize potential issues (which is why the
executables are a bit on the heavy side).
@@ -0,0 +1,4 @@
+These tools are meant to be built and run from the iPhone.
+
+Use apt to install iphone-gcc, make, and get the headers from somewhere.
+
@@ -0,0 +1,13 @@
+all: aes patch-kernel-crypto
+
+aes: aes.c
+ gcc aes.c -lIOKit -o aes
+ ldid -S aes
+
+patch-kernel-crypto: patch-kernel-crypto.c
+ gcc patch-kernel-crypto.c -o patch-kernel-crypto
+ ldid -S patch-kernel-crypto
+
+clean:
+ rm aes patch-kernel-crypto
+
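Review bot: `clean` runs a bare `rm aes patch-kernel-crypto`, so on a fresh checkout where either binary is absent the target exits nonzero; the usual form is `rm -f aes patch-kernel-crypto`, and `all`/`clean` should be declared `.PHONY: all clean` so a stray file of that name cannot disable them. The two compile lines pass no warning flags at all; both sources do raw hex parsing and byte-pattern scanning, and building with at least `-Wall` would surface the out-of-range `char` initialisers and unchecked library calls in them. The `ldid -S` step is the only thing here a reader unfamiliar with the iPhone toolchain will not recognise, so a one-line comment stating why the pseudo-signature is needed to run the binaries on the device would help.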
@@ -0,0 +1,89 @@
+Hardware AES utilities
+(C) The iPhone Dev Team
+
+README BEFORE DOING ANYTHING
+
+If you don't read this document before attempting to use the software, you are
+a fool. One of the utilities included herein attempts to patch your kernel,
+which can potentially render your iPhone/iPod unbootable.
+
+This package allows you to directly access the iPhone's AES engine from
+userland. You may encrypt and decrypt with the UID and GID keys, as well as
+any custom keys you provide.
+
+These tools are designed to run on an iPhone with firmare >= 2.0.
+
+In order to enable encryption/decryption with the UID and GID keys, a kernel
+patch is required. This can be done with the following command:
+
+ sudo ./patch-kernel.sh <iv> <key>
+
+The IV and key must have been previously unwrapped from the kernel's KBAG. You
+can find the ones the Dev Team have unwrapped in PwnageTool's FirmwareBundles'
+Info.plists. For example, for the 2.0.1 kernel, you would use the following
+command:
+
+ sudo ./patch_kernel.sh 285df0aa00b76e8c0b9870a4dd7bd5f6 \
+ 444f19d072e725f8a27d88ce50ce73de
+
+Change the underscore to a dash. This prevents people who don't actually pay
+attention from working it out.
+
+If the kernel is unencrypted (2.0.2, for example), the iv and key arguments
+should be omitted.
+
+The script attempts a generic patch, but there's no guarantee it won't screw
+up your kernel. A backup copy of your kernel will be made at /kernel.backup
+
+Please note that this patch creates a security vulnerability in which
+malicious code (which you must execute yourself) can use your UID key without
+your knowledge or authorization. This may lead to your personal information
+being compromised. Possibly not a big deal if you're already running a
+jailbroken system anyway.
+
+Afterwards, reboot your phone:
+
+ sudo reboot
+
+This script requires xpwntool (included), sources for which are available from
+http://www.github.com/planetbeing/xpwn. It easily builds on the iPhone (and
+with the Linux toolchain) if you compile a copy of libpng.a for the iPhone and
+cmake.
+
+The utility itself is easy to use:
+
+ ./aes <enc|dec> <UID/GID/custom key> [data] [iv]
+
+For example, if you wanted to generate the 0x837 key:
+
+ ./aes enc GID 345A2D6C5050D058780DA431F0710E15
+
+Or if you wanted to encrypt with your own key/IV:
+
+ ./aes enc 850AFC271132D15AE6989565567E65BF \
+ e92d4090e59f0038e59f1038e5810000 \
+ 29681F625D1F61271EC3116601B8BCDE
+
+If stdin is a file, then the third argument will be taken as the
+initialization vector, and the data to encrypt or decrypt will be taken from
+stdin in binary format. If stdout is a file, then instead of printing out the
+results in hex format, the results will be written to the file in binary
+format. So say, you wanted to decrypt an old 8900 ramdisk:
+
+ ./aes dec 188458a6d15034dfe386f23b61d43774 < ramdisk.img2 > x.dec
+
+Sources for the tools are included. The Makefile is designed to be used on a
+2.0 iPhone that has Saurik's toolchain installed.
+
+CREDITS
+-------
+
+The direct ancestor of this utility is a piece of code wizdaz wrote to do
+something similar. In this version, the code was stripped down, adapted and
+ported to 2.0.
+
+Probably a bunch of people had reverse engineered poor hwaes_crypt in the
+Security framework. I know pumpkin has certainly looked at it. The calling
+conventions for IOAESAccelerator is pretty clear from the disassembly of that.
+=P
+
@@ -0,0 +1,229 @@
+// Shamelesssly ripped off from wizdaz
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+#include <IOKit/IOKitLib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <libgen.h>
+
+typedef struct
+{
+ void* inbuf;
+ void* outbuf;
+ uint32_t size;
+ uint8_t iv[16];
+ uint32_t mode;
+ uint32_t bits;
+ uint8_t keybuf[32];
+ uint32_t mask;
+} IOAESStruct;
+
+#define kIOAESAcceleratorInfo 0
+#define kIOAESAcceleratorTask 1
+#define kIOAESAcceleratorTest 2
+
+#define kIOAESAcceleratorEncrypt 0
+#define kIOAESAcceleratorDecrypt 1
+
+#define kIOAESAcceleratorGIDMask 0x3E8
+#define kIOAESAcceleratorUIDMask 0x7D0
+#define kIOAESAcceleratorCustomMask 0
+
+typedef enum {
+ UID,
+ GID,
+ Custom
+} IOAESKeyType;
+
+IOReturn doAES(io_connect_t conn, void* inbuf, void *outbuf, uint32_t size, IOAESKeyType keyType, void* key, void* iv, int mode) {
+ IOAESStruct in;
+
+ in.mode = mode;
+ in.bits = 128;
+ in.inbuf = inbuf;
+ in.outbuf = outbuf;
+ in.size = size;
+
+ switch(keyType) {
+ case UID:
+ in.mask = kIOAESAcceleratorUIDMask;
+ break;
+ case GID:
+ in.mask = kIOAESAcceleratorGIDMask;
+ break;
+ case Custom:
+ in.mask = kIOAESAcceleratorCustomMask;
+ break;
+ }
+ memset(in.keybuf, 0, sizeof(in.keybuf));
+
+ if(key)
+ memcpy(in.keybuf, key, in.bits / 8);
+
+ if(iv)
+ memcpy(in.iv, iv, 16);
+ else
+ memset(in.iv, 0, 16);
+
+ IOByteCount inSize = sizeof(in);
+
+ return IOConnectCallStructMethod(conn, kIOAESAcceleratorTask, &in, inSize, &in, &inSize);
+}
+
+void hexToBytes(const char* hex, uint8_t** buffer, size_t* bytes) {
+ *bytes = strlen(hex) / 2;
+ *buffer = (uint8_t*) malloc(*bytes);
+ size_t i;
+ for(i = 0; i < *bytes; i++) {
+ uint32_t byte;
+ sscanf(hex, "%02x", &byte);
+ (*buffer)[i] = byte;
+ hex += 2;
+ }
+}
+
+void bytesToHex(const uint8_t* buffer, size_t bytes) {
+ size_t i;
+ while(bytes > 0) {
+ printf("%02x", *buffer);
+ buffer++;
+ bytes--;
+ }
+}
+
+int main(int argc, char* argv[]) {
+ IOReturn ret;
+
+ size_t keyLength;
+ size_t ivLength;
+ size_t dataLength;
+
+ uint8_t* key = NULL;
+ uint8_t* iv = NULL;
+ uint8_t* data = NULL;
+
+ int direction;
+ IOAESKeyType keyType;
+
+ int stdinFile = 0;
+ int stdoutFile = 0;
+
+ struct stat std_stat;
+ fstat(fileno(stdin), &std_stat);
+ if((std_stat.st_mode & S_IFREG) != 0)
+ stdinFile = 1;
+
+ fstat(fileno(stdout), &std_stat);
+ if((std_stat.st_mode & S_IFREG) != 0)
+ stdoutFile = 1;
+
+ if(strcmp(basename(argv[0]), "aescmd") == 0) {
+ stdinFile = 0;
+ stdoutFile = 0;
+ }
+
+ if(argc < 3) {
+ fprintf(stderr, "usage: %s <enc/dec> <GID/UID/key> [data] [iv]\n", argv[0]);
+ return 0;
+ }
+
+ if(strncasecmp(argv[1], "enc", 3) == 0) {
+ direction = kIOAESAcceleratorEncrypt;
+ } else if(strncasecmp(argv[1], "dec", 3) == 0) {
+ direction = kIOAESAcceleratorDecrypt;
+ } else {
+ fprintf(stderr, "error: method must be 'enc' or 'dec'\n");
+ return 1;
+ }
+
+ if(strcasecmp(argv[2], "GID") == 0) {
+ keyType = GID;
+ } else if(strcasecmp(argv[2], "UID") == 0) {
+ keyType = UID;
+ } else {
+ keyType = Custom;
+ hexToBytes(argv[2], &key, &keyLength);
+ }
+
+ if(stdinFile) {
+ if(argc >= 4)
+ hexToBytes(argv[3], &iv, &ivLength);
+ } else {
+ hexToBytes(argv[3], &data, &dataLength);
+
+ if(argc >= 5)
+ hexToBytes(argv[4], &iv, &ivLength);
+ }
+
+
+ CFMutableDictionaryRef dict = IOServiceMatching("IOAESAccelerator");
+ io_service_t dev = IOServiceGetMatchingService(kIOMasterPortDefault, dict);
+ io_connect_t conn = 0;
+
+ if(!dev) {
+ fprintf(stderr, "error: IOAESAccelerator device not found!\n");
+ goto quit;
+ }
+
+ ret = IOServiceOpen(dev, mach_task_self(), 0, &conn);
+
+ if(ret != kIOReturnSuccess) {
+ fprintf(stderr, "error: Cannot open service\n");
+ goto quit;
+ }
+
+ if(stdinFile) {
+ uint8_t aIV[16];
+ if(!iv) {
+ memset(aIV, 0, 16);
+ iv = aIV;
+ }
+ data = (uint8_t*) malloc(16);
+ while(!feof(stdin)) {
+ dataLength = 16;
+ dataLength = fread(data, 1, dataLength, stdin);
+
+ if(dataLength == 0)
+ break;
+
+ if((ret = doAES(conn, data, data, dataLength, keyType, key, iv, direction)) != kIOReturnSuccess) {
+ fprintf(stderr, "IOAESAccelerator returned: %x\n", ret);
+ goto quit;
+ }
+ if(stdoutFile) {
+ fwrite(data, 1, dataLength, stdout);
+ } else {
+ bytesToHex(data, dataLength);
+ printf("\n");
+ }
+ }
+ } else {
+ if((ret = doAES(conn, data, data, dataLength, keyType, key, iv, direction)) != kIOReturnSuccess) {
+ fprintf(stderr, "IOAESAccelerator returned: %x\n", ret);
+ goto quit;
+ }
+
+ if(stdoutFile) {
+ fwrite(data, 1, dataLength, stdout);
+ } else {
+ bytesToHex(data, dataLength);
+ printf("\n");
+ }
+ }
+
+quit:
+ if(data)
+ free(data);
+
+ if(conn)
+ IOServiceClose(conn);
+
+ if(dev)
+ IOObjectRelease(dev);
+
+ return 0;
+}
+
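Review bot: A custom key or IV shorter than 32 hex digits is read out of bounds: `hexToBytes` sizes its `malloc` by `strlen(hex) / 2`, but `doAES` unconditionally copies `in.bits / 8` (16) bytes from `key` and 16 bytes from `iv`, so `./aes enc abcd ...` hands the accelerator heap bytes past the allocation as key material, and `keyLength`/`ivLength` are never consulted. The entry check `argc < 3` is also too weak for the non-file path: `./aes enc UID` with a tty on stdin reaches `hexToBytes(argv[3], ...)` with a NULL pointer and dies in `strlen`, and the data length then goes to the engine without a multiple-of-16 check; raise the usage test to `argc < 4` when `stdinFile` is false and add the validation below after the argument parsing. Separately, the stdin loop passes the same `iv` to every 16-byte chunk; unless IOAESAccelerator keeps chaining state between calls (which I cannot tell from here) a CBC stream longer than one block is not chained correctly, and either the IV should be replaced after each call by the previous ciphertext block (the input block for `dec`, the output block for `enc`) or the whole input should be read into one buffer and transformed in a single call. Minor: every `goto quit` path still returns 0, so callers in scripts cannot detect failure.
```c
    // … unchanged: key / data / iv parsing from argv …

    if(keyType == Custom && keyLength != 16) {
        fprintf(stderr, "error: custom key must be 32 hex digits (AES-128)\n");
        return 1;
    }
    if(iv && ivLength != 16) {
        fprintf(stderr, "error: iv must be 32 hex digits\n");
        return 1;
    }
    if(!stdinFile && (dataLength % 16) != 0) {
        fprintf(stderr, "error: data must be a multiple of 16 bytes\n");
        return 1;
    }

    // … unchanged: IOServiceMatching / IOServiceOpen and the transform loop …
```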
@@ -0,0 +1,40 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+const char patch[] = {0x7d, 0x0e, 0x53, 0xe3, 0x02, 0x60, 0xa0, 0xe1};
+
+const char patch2[] = {0xfa, 0x0f, 0x53, 0xe3, 0x05, 0x00, 0x00, 0x1a};
+
+int main(int argc, char* argv[]) {
+ int matchLoc = 0;
+ FILE* file = fopen(argv[1], "rb+");
+ fseek(file, 0, SEEK_END);
+ int length = ftell(file);
+ fseek(file, 0, SEEK_SET);
+ uint8_t* buffer = malloc(length);
+ fread(buffer, 1, length, file);
+
+ int i;
+ for(i = 0; i < length; i++) {
+ uint8_t* candidate = &buffer[i];
+ if(memcmp(candidate, patch, sizeof(patch)) == 0) {
+ candidate[2] = 0x5f;
+ fseek(file, i, SEEK_SET);
+ fwrite(candidate, sizeof(patch), 1, file);
+ continue;
+ }
+ if(memcmp(candidate, patch2, sizeof(patch2)) == 0) {
+ candidate[2] = 0x5f;
+ fseek(file, i, SEEK_SET);
+ fwrite(candidate, sizeof(patch2), 1, file);
+ continue;
+ }
+ }
+
+ fclose(file);
+
+ return 0;
+}
+
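Review bot: The search loop reads past the end of `buffer`: `for(i = 0; i < length; i++)` lets `memcmp(candidate, patch, sizeof(patch))` compare 8 bytes starting at offsets up to `length - 1`, so the last seven iterations read beyond the `malloc(length)` allocation; bound it as `for(i = 0; i + (int)sizeof(patch) <= length; i++)`. Nothing up front is validated either: `argv[1]` is used without an `argc` test, a NULL from `fopen` goes straight into `fseek`, and the `ftell`, `malloc` and `fread` results are trusted, so a missing or unreadable kernel file crashes instead of failing cleanly — `if(argc < 2 || !(file = fopen(argv[1], "rb+"))) { perror("patch-kernel-crypto"); return 1; }` covers the first two and a `length < 0 || !buffer` check the rest. The initialisers `0xfa`, `0xa0`, `0xe1`, `0xe3` are out of range for a signed `char` and draw conversion warnings; declaring the patterns `const uint8_t` matches the type of `buffer`. The two patterns embed the same 0x7D0 and 0x3E8 immediates that aes.c defines as the UID and GID masks, and the program silently overwrites the byte that selects the instruction's register operand, so each pattern deserves a comment naming the driver check it targets and what the 0x5f rewrite does to it, e.g. `/* cmp r3, #0x7d0 (UID-mask check): retarget Rn so the compare can never match */` — I am reading that from the encoded bytes, so confirm it against the kernel disassembly before committing the wording.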
