From 51667bdc534f6c3413b9bfc7ef9f3279627658ed Mon Sep 17 00:00:00 2001
From: m1zole
Date: Wed, 29 Jan 2025 12:08:51 +0900
Subject: [PATCH] HFSWapper

---
 Makefile | 1 +
 README | 12 ++++++++
 link.c | 32 ++++++++++++++++++++
 main.c | 13 ++++++++
 misc.c | 91 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 misc.h | 24 +++++++++++++++
 note.txt | 3 --
 plib.h | 1 +
 8 files changed, 174 insertions(+), 3 deletions(-)
 create mode 100644 misc.c
 create mode 100644 misc.h
 delete mode 100644 note.txt

diff --git a/Makefile b/Makefile
index ceefd10..2eba53d 100644
--- a/Makefile
+++ b/Makefile
@@ -59,6 +59,7 @@ SOURCES = \
 	link.c \
 	nand.c \
 	blob.c \
+	misc.c \
 	main.c

 LIBSOURCES = \
diff --git a/README b/README
index affa323..a59766d 100644
--- a/README
+++ b/README
@@ -22,3 +22,15 @@ Put device in Recovery mode.
 ./irecovery -s
 iRecovery> /send payload
 iRecovery> ...
+
+
+About this fork:
+ This fork enables you to dump shsh blobs from iOS 4 devices and to develop HFS+ heap buffer overflow without special cables or injecting wapper
+ Note that when iBoot32Patcher seem not work for iBSS, try gala's iBSS patch
+
+ Credits
+ @nyansatan: HFSReadWapper
+ @codyd51: iBSS patch
+
+Patches
+ echo 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 | base64 -d > patch.tar.gz
diff --git a/link.c b/link.c
index 97cc576..f1a6a0b 100644
--- a/link.c
+++ b/link.c
@@ -506,6 +506,26 @@ find_image_list(void)
 	return ((void **)mm)[-1];
 }

+MAYBE_UNUSED void *
+find_hfsreadblock(void)
+{
+	const char *ldr;
+	const void *bl;
+	const void *mm = find_xref("HFSInitPartition: %p", sizeof("HFSInitPartition: %p") - 1);
+	if (!mm) {
+		return NULL;
+	}
+	ldr = ldr_to(mm);
+	if (!ldr) {
+		return NULL;
+	}
+	bl = bl_search_down(ldr + 16, 32);
+	if (!bl) {
+		return NULL;
+	}
+	return (void **)resolve_bl32(bl);
+}
+
 MAYBE_UNUSED int
 stub_printf(const char *fmt, ...)
 {
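Review bot: The cast in `return (void **)resolve_bl32(bl);` does not match the function's declared return type `void *`; the `find_image_list` context line just above returns a `void *` expression, so `return (void *)resolve_bl32(bl);` (or no cast, depending on what `resolve_bl32` returns) keeps the two finders consistent. The implicit `void **` to `void *` conversion compiles, so this is a point of style rather than a defect. The `16` and `32` passed to `bl_search_down` are unexplained magic numbers; a short comment stating what window they define (presumably where the BL following the matched LDR is expected) would spare the next reader from re-deriving it.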
@@ -791,6 +811,12 @@ link(void *caller)
 #elif !defined(TARGET_BASEADDR)
 	image_list = (void *)(TARGET_BASEADDR + TARGET_IMAGE_LIST);
 #endif
+
+#ifndef TARGET_HFSREADBLOCK
+	hfsreadblock = find_hfsreadblock();
+#elif !defined(TARGET_BASEADDR)
+	hfsreadblock = TARGET_BASEADDR + TARGET_HFSREADBLOCK;
+#endif
 	}
 	return version;
 }
@@ -910,3 +936,9 @@ void *image_list = (void *)(TARGET_BASEADDR + TARGET_IMAGE_LIST);
 #else
 void *image_list;
 #endif
+
+#ifdef TARGET_HFSREADBLOCK
+void *hfsreadblock = (void *)(TARGET_BASEADDR + TARGET_HFSREADBLOCK);
+#else
+void *hfsreadblock;
+#endif
diff --git a/main.c b/main.c
index 7ef1ca4..ee23459 100644
--- a/main.c
+++ b/main.c
@@ -21,6 +21,7 @@
 #include "plib.h"
 #include "nand.h"
 #include "blob.h"
+#include "misc.h"

 #define TRANSFER_CHUNK 1000

@@ -185,6 +186,18 @@ _main(int argc, CmdArg *argv)
 		return finder();
 	}

+	/*
+	disk0s1s1: nand0a
+	disk0s1s2: nand0b
+	disk0s1s3: nand0c
+	*/
+	if (argc == 3 && argv[1].string[0] == 'h') {
+		hfswapperinject();
+		printf_("mounting %s\n", (char *)argv[2].string);
+		fs_mount_((char *)argv[2].string, "hfs", "/boot");
+		return 0;
+	}
+
 	printf_("bad args\n");
 	return 0;
 }
diff --git a/misc.c b/misc.c
new file mode 100644
index 0000000..079a3e3
--- /dev/null
+++ b/misc.c
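Review bot: The fallback assignment `hfsreadblock = TARGET_BASEADDR + TARGET_HFSREADBLOCK;` stores an integer into a `void *` without a cast, unlike the `image_list = (void *)(TARGET_BASEADDR + TARGET_IMAGE_LIST);` context line directly above it; compilers warn about the int-to-pointer conversion and it is a constraint violation in strict C. Use `hfsreadblock = (void *)(TARGET_BASEADDR + TARGET_HFSREADBLOCK);` so the two lookups read alike (the file-scope initializer in the next hunk already has the cast). The enclosing `link()` starts outside the hunk.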
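Review bot: The return value of `hfswapperinject()` in the new `'h'` branch is dropped, although `hfswapperinject` (misc.c in this commit) returns -1 when `hfsreadblock` is NULL; the branch then mounts the volume with nothing hooked and prints no diagnostic. Testing it, `if (hfswapperinject() != 0) { printf_("hfsreadblock not found\n"); return 0; }`, ahead of the mount makes that failure visible. `argv[1].string[0] == 'h'` accepts any argument beginning with 'h'; if that is intentional shorthand a comment should say so, otherwise compare the whole string. `_main` starts outside the hunk.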
@@ -0,0 +1,91 @@
+/*
+ * ibex - misc stuff
+ *
+ * Copyright (c) 2025 m1zole
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include "plib.h"
+#include "misc.h"
+
+unsigned char wapper[] = {
+	0xf0, 0xb5, 0x03, 0xaf, 0x84, 0xb0, 0xbc, 0x68, 0x00, 0x90, 0x01, 0x91,
+	0x02, 0x92, 0x03, 0x93, 0x0b, 0x1c, 0x11, 0x1c, 0x22, 0x1c, 0x1b, 0x48,
+	0x00, 0xf0, 0x0f, 0xf8, 0x00, 0x98, 0x01, 0x99, 0x02, 0x9a, 0x03, 0x9b,
+	0x00, 0x94, 0x00, 0x68, 0xc4, 0x69, 0xa0, 0x47, 0x01, 0x1c, 0x16, 0x48,
+	0x00, 0xf0, 0x03, 0xf8, 0x08, 0x1c, 0x04, 0xb0, 0xf0, 0xbd, 0xff, 0xb5,
+	0x13, 0x4c, 0xa0, 0x47, 0xff, 0xbd, 0x48, 0x46, 0x53, 0x52, 0x65, 0x61,
+	0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x3a, 0x20, 0x6f, 0x66, 0x66, 0x73,
+	0x65, 0x74, 0x20, 0x30, 0x78, 0x25, 0x78, 0x20, 0x73, 0x69, 0x7a, 0x65,
+	0x20, 0x30, 0x78, 0x25, 0x78, 0x20, 0x62, 0x75, 0x66, 0x66, 0x65, 0x72,
+	0x20, 0x30, 0x78, 0x25, 0x78, 0x0a, 0x00, 0x52, 0x65, 0x74, 0x75, 0x72,
+	0x6e, 0x65, 0x64, 0x3a, 0x20, 0x30, 0x78, 0x25, 0x78, 0x0a, 0x00, 0x00
+};
+
+int wapper_len = 132;
+
+unsigned int
+make_b(int pos, int tgt)
+{
+	int delta;
+	unsigned short pfx;
+	unsigned short sfx;
+
+	unsigned int omask = 0xB800;
+	unsigned int amask = 0x7FF;
+
+	delta = tgt - pos - 4; /* range: 0x400000 */
+	pfx = 0xF000 | ((delta >> 12) & 0x7FF);
+	sfx = omask | ((delta >> 1) & amask);
+
+	return (unsigned int)pfx | ((unsigned int)sfx << 16);
+}
+
+int
+hfswapperinject(void)
+{
+	int i;
+	unsigned int addr = TARGET_BASEADDR + 0x108;
+	unsigned int inst;
+
+	for (i = 0; i < wapper_len; i++, addr++) {
+		unsigned char val = wapper[i];
+		*(unsigned char *)addr = val;
+	}
+
+	*(unsigned int *)addr = TARGET_BASEADDR + 0x14A;
+	*(unsigned int *)(addr + 4) = TARGET_BASEADDR + 0x17B;
+	*(unsigned int *)(addr + 8) = (unsigned int)printf_;
+
+	if (!hfsreadblock) {
+		return -1;
+	}
+
+	inst = make_b((unsigned int)hfsreadblock - 1, TARGET_BASEADDR + 0x108);
+	printf_("inst: %x\n", inst);
+	*(unsigned int*)((unsigned int)hfsreadblock - 1) = inst;
+
+	flush_icache();
+
+	printf_("hfsreadblock: %x\n", (unsigned int)hfsreadblock - 1);
+	printf_("%x: %02x%02x%02x%02x\n", (unsigned int)hfsreadblock - 1,
+		*(unsigned char *)((unsigned int)hfsreadblock - 1),
+		*(unsigned char *)((unsigned int)hfsreadblock),
+		*(unsigned char *)((unsigned int)hfsreadblock + 1),
+		*(unsigned char *)((unsigned int)hfsreadblock + 2));
+	printf_("wapper: %x\n", TARGET_BASEADDR + 0x108);
+
+	return 0;
+}
diff --git a/misc.h b/misc.h
new file mode 100644
index 0000000..0834081
--- /dev/null
+++ b/misc.h
@@ -0,0 +1,24 @@
+/*
+ * ibex - misc stuff
+ *
+ * Copyright (c) 2025 m1zole
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+#ifndef MISC_H_included
+#define MISC_H_included
+
+int hfswapperinject(void);
+
+#endif
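Review bot: `hfswapperinject` copies `wapper` to `TARGET_BASEADDR + 0x108` and fills the three pointer slots after it before it tests `hfsreadblock`, so on the `return -1` path that memory has already been overwritten with nothing hooked up; move `if (!hfsreadblock) { return -1; }` to the top of the function, ahead of the copy loop. `int wapper_len = 132;` repeats the initializer's length by hand and will drift if the blob changes — use `sizeof wapper` — and `wapper`, `wapper_len` and `make_b` have external linkage but no declaration in misc.h, so they should be `static`. `make_b` encodes a correct branch only when the displacement fits in ±0x400000 (its own comment notes the range) and otherwise returns a silently wrong instruction; a check such as `if (delta < -0x400000 || delta >= 0x400000)` in `make_b` or its caller should report the error rather than let the patch be written. The constants 0x108, 0x14A and 0x17B are unexplained; the latter two appear to be the offsets of the two format strings inside `wapper` (0x42 and 0x73 into the blob), and if so they should be derived from, or at least documented against, the blob layout.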
diff --git a/note.txt b/note.txt
deleted file mode 100644
index ab09077..0000000
--- a/note.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-on n94 7.0.4, ibex would not work with static offsets even if those are correct.
-when iBoot32Patcher seems not work for iBSS, use gala's iBSS patch.
-tested on n90 4.2.1
diff --git a/plib.h b/plib.h
index af8c734..3420768 100644
--- a/plib.h
+++ b/plib.h
@@ -104,6 +104,7 @@ extern fs_loadfile_t fs_loadfile_;
 extern void *bdev_stack;
 extern void *image_list;
+extern void *hfsreadblock;
 /* our stuff */