HFSWapper

m1zole · Jan 29, 2025 · 51667bd · 51667bd
1 parent 51c9943
commit 51667bd
Show file tree

Hide file tree

Showing 8 changed files with 174 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -59,6 +59,7 @@ SOURCES = \
 	link.c \
 	nand.c \
 	blob.c \
+	misc.c \
 	main.c
 
 LIBSOURCES = \

diff --git a/README b/README
@@ -22,3 +22,15 @@ Put device in Recovery mode.
     ./irecovery -s
     iRecovery> /send payload
     iRecovery> ...
+
+
+About this fork:
+    This fork enables you to dump shsh blobs from iOS 4 devices and to develop HFS+ heap buffer overflow without special cables or injecting wapper
+    Note that when iBoot32Patcher seem not work for iBSS, try gala's iBSS patch
+
+    Credits
+    @nyansatan: HFSReadWapper
+    @codyd51:   iBSS patch
+
+Patches
+    echo /Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4Av/AghdADSYilfDUzkchf7jmE/dv3oKefTmo2R5ZOy5jHOf2Hgkh1Nq44wdRdCIzIH5VL0+N8wozSwik59T9YpyGozJVSx16k2jmMyH0d9JiFHlMS9E2Jkprf8tC7CB/JZ6u5sqXZ9OVXtN7DZya/wNQB7YdrF0ChO66Wl6PCjFvWIy9QS/ItTt8aJDobDasKZB/Ua2r7Hh0kdLMiKqqhbt0MyuEUJ9HX/R/Rsl4PitLQJ3lF3KKJ+rOm1CcDa0AD9uRP6ao3G45zpS8spUbWX+4R2CxmG66pqUs/yB+F4FwrMG5zKYWDDU5Q4BcHDKkD16aGUOPJfDUqMWM7dt7omq8codycq6zTsNx7pukB+Wwh3+mYn6sYOPI310Gidsf1t79QtqpavyzZ5dlvqae/PBr3N9TLh+uNoF27knIF9FY6/RxCGPZN41mYW7EJqE7y+L4EXrO1w8cTtL3TEftrziEUMj/SdlXtXMWQG6XUNyfaGX2Cb2DCRBzH79BNSQcoI2vOvJMt8NmyxLZVYz9SN4EQi5fUDYumHgeu4o6YmbkOoEwdW4EGi7b/m8ntMcy2miHuwZe23rnQ8MF/DfkpReXOfPdXhQ68+kgkfUjq48Ql629ELCkaabQJ15I6/oNU3AG6/ElKeKuEWagY6rRbVmHjfpPdfzjuWsDGD+xBNypVVe+rJ4ntZNWcOOAgAA80yndGU3fBAAAaQEgBgAABZlNEuxxGf7AgAAAAAEWVo= | base64 -d > patch.tar.gz
diff --git a/link.c b/link.c
@@ -506,6 +506,26 @@ find_image_list(void)
     return ((void **)mm)[-1];
 }
 
+MAYBE_UNUSED void *
+find_hfsreadblock(void)
+{
+    const char *ldr;
+    const void *bl;
+    const void *mm = find_xref("HFSInitPartition: %p", sizeof("HFSInitPartition: %p") - 1);
+    if (!mm) {
+        return NULL;
+    }
+    ldr = ldr_to(mm);
+    if (!ldr) {
+        return NULL;
+    }
+    bl = bl_search_down(ldr + 16, 32);
+    if (!bl) {
+        return NULL;
+    }
+    return (void **)resolve_bl32(bl);
+}
+
 MAYBE_UNUSED int
 stub_printf(const char *fmt, ...)
 {
@@ -791,6 +811,12 @@ link(void *caller)
 #elif !defined(TARGET_BASEADDR)
         image_list = (void *)(TARGET_BASEADDR + TARGET_IMAGE_LIST);
 #endif
+
+#ifndef TARGET_HFSREADBLOCK
+        hfsreadblock = find_hfsreadblock();
+#elif !defined(TARGET_BASEADDR)
+        hfsreadblock = TARGET_BASEADDR + TARGET_HFSREADBLOCK;
+#endif
     }
     return version;
 }
@@ -910,3 +936,9 @@ void *image_list = (void *)(TARGET_BASEADDR + TARGET_IMAGE_LIST);
 #else
 void *image_list;
 #endif
+
+#ifdef TARGET_HFSREADBLOCK
+void *hfsreadblock = (void *)(TARGET_BASEADDR + TARGET_HFSREADBLOCK);
+#else
+void *hfsreadblock;
+#endif
diff --git a/main.c b/main.c
@@ -21,6 +21,7 @@
 #include "plib.h"
 #include "nand.h"
 #include "blob.h"
+#include "misc.h"
 
 
 #define TRANSFER_CHUNK 1000
@@ -185,6 +186,18 @@ _main(int argc, CmdArg *argv)
         return finder();
     }
 
+    /*
+     disk0s1s1: nand0a
+     disk0s1s2: nand0b
+     disk0s1s3: nand0c
+     */
+    if (argc == 3 && argv[1].string[0] == 'h') {
+        hfswapperinject();
+        printf_("mounting %s\n", (char *)argv[2].string);
+        fs_mount_((char *)argv[2].string, "hfs", "/boot");
+        return 0;
+    }
+
     printf_("bad args\n");
     return 0;
 }
diff --git a/misc.c b/misc.c
@@ -0,0 +1,91 @@
+/*
+ *  ibex - misc stuff
+ *
+ *  Copyright (c) 2025 m1zole
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "plib.h"
+#include "misc.h"
+
+unsigned char wapper[] = {
+  0xf0, 0xb5, 0x03, 0xaf, 0x84, 0xb0, 0xbc, 0x68, 0x00, 0x90, 0x01, 0x91,
+  0x02, 0x92, 0x03, 0x93, 0x0b, 0x1c, 0x11, 0x1c, 0x22, 0x1c, 0x1b, 0x48,
+  0x00, 0xf0, 0x0f, 0xf8, 0x00, 0x98, 0x01, 0x99, 0x02, 0x9a, 0x03, 0x9b,
+  0x00, 0x94, 0x00, 0x68, 0xc4, 0x69, 0xa0, 0x47, 0x01, 0x1c, 0x16, 0x48,
+  0x00, 0xf0, 0x03, 0xf8, 0x08, 0x1c, 0x04, 0xb0, 0xf0, 0xbd, 0xff, 0xb5,
+  0x13, 0x4c, 0xa0, 0x47, 0xff, 0xbd, 0x48, 0x46, 0x53, 0x52, 0x65, 0x61,
+  0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x3a, 0x20, 0x6f, 0x66, 0x66, 0x73,
+  0x65, 0x74, 0x20, 0x30, 0x78, 0x25, 0x78, 0x20, 0x73, 0x69, 0x7a, 0x65,
+  0x20, 0x30, 0x78, 0x25, 0x78, 0x20, 0x62, 0x75, 0x66, 0x66, 0x65, 0x72,
+  0x20, 0x30, 0x78, 0x25, 0x78, 0x0a, 0x00, 0x52, 0x65, 0x74, 0x75, 0x72,
+  0x6e, 0x65, 0x64, 0x3a, 0x20, 0x30, 0x78, 0x25, 0x78, 0x0a, 0x00, 0x00
+};
+
+int wapper_len = 132;
+
+unsigned int
+make_b(int pos, int tgt)
+{
+    int delta;
+    unsigned short pfx;
+    unsigned short sfx;
+
+    unsigned int omask = 0xB800;
+    unsigned int amask = 0x7FF;
+
+    delta = tgt - pos - 4; /* range: 0x400000 */
+    pfx = 0xF000 | ((delta >> 12) & 0x7FF);
+    sfx =  omask | ((delta >>  1) & amask);
+
+    return (unsigned int)pfx | ((unsigned int)sfx << 16);
+}
+
+int
+hfswapperinject(void)
+{
+    int i;
+    unsigned int addr = TARGET_BASEADDR + 0x108;
+    unsigned int inst;
+
+    for (i = 0; i < wapper_len; i++, addr++) {
+        unsigned char val = wapper[i];
+        *(unsigned char *)addr = val;
+    }
+
+    *(unsigned int *)addr = TARGET_BASEADDR + 0x14A;
+    *(unsigned int *)(addr + 4) = TARGET_BASEADDR + 0x17B;
+    *(unsigned int *)(addr + 8) = (unsigned int)printf_;
+
+    if (!hfsreadblock) {
+        return -1;
+    }
+
+    inst = make_b((unsigned int)hfsreadblock - 1, TARGET_BASEADDR + 0x108);
+    printf_("inst: %x\n", inst);
+    *(unsigned int*)((unsigned int)hfsreadblock - 1) = inst;
+
+    flush_icache();
+
+    printf_("hfsreadblock: %x\n", (unsigned int)hfsreadblock - 1);
+    printf_("%x: %02x%02x%02x%02x\n",   (unsigned int)hfsreadblock - 1,
+                                        *(unsigned char *)((unsigned int)hfsreadblock - 1),
+                                        *(unsigned char *)((unsigned int)hfsreadblock),
+                                        *(unsigned char *)((unsigned int)hfsreadblock + 1),
+                                        *(unsigned char *)((unsigned int)hfsreadblock + 2));
+    printf_("wapper: %x\n", TARGET_BASEADDR + 0x108);
+
+    return 0;
+}
diff --git a/misc.h b/misc.h
@@ -0,0 +1,24 @@
+/*
+ *  ibex - misc stuff
+ *
+ *  Copyright (c) 2025 m1zole
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef MISC_H_included
+#define MISC_H_included
+
+int hfswapperinject(void);
+
+#endif
diff --git a/note.txt b/note.txt
diff --git a/plib.h b/plib.h
@@ -104,6 +104,7 @@ extern fs_loadfile_t fs_loadfile_;
 
 extern void *bdev_stack;
 extern void *image_list;
+extern void *hfsreadblock;
 
 /* our stuff */