R1NZLR / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

bruteforce results in a "FAIL: missing UID kernel patch" #20

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Running ./bruteforce

What is the expected output? What do you see instead?
Bruteforcing the keychain. Instead I get the following error:
-sh-4.0# ./bruteforce                     
IOAESAccelerator returned: e00002c1
FAIL: missing UID kernel patch

What version of the product are you using? On what operating system?
iOS version 4.1 with a RAMdisk of a custom ipsw of 4.1

I was not able to build the cyanide payload by myself, so I executed the RAMdisk 
with:

./tetheredboot -i 4.1.iBSS.n88ap.RELEASE.dfu 
./itnl --kernelcache 4.1.kernelcache.release.n88 --devicetree 4.1.DeviceTree.n88ap.img3 --ramdisk 4.1.ramdisk.dmg 
[INFO] Waiting for a device in Recovery mode to connect..
[INFO] Ramdisk 4.1.ramdisk.dmg loaded
[INFO] Devicetree 4.1.DeviceTree.n88ap.img3 loaded
[INFO] Kernelcache 4.1.kernelcache.release.n88 loaded

Is it possible to patch the kernel after the ramdisk is uploaded and executed? 
Can you provide a build of the payload?

Original issue reported on code.google.com by riccardo...@inverted.ch on 25 Jul 2011 at 3:54

GoogleCodeExporter commented 8 years ago
Sorry, I have to update this issue. I was now able to boot with your tetheredboot 
and the payload you provide in the download section. However, when I try to 
execute bruteforce I still get the same error.

./tetheredboot -p payload -r 4.1.ramdisk.dmg 
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone2,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Fetching kernelcache.release.n88...
[==================================================] 100.0%
Preparing to upload iBSS
Checking if iBSS.n88ap already exists
Preparing to fetch DFU image from Apple's servers
Fetching Firmware/dfu/iBSS.n88ap.RELEASE.dfu...
[==================================================] 100.0%
Uploading iBSS.n88ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload iBSS payload
[==================================================] 100.0%
Executing iBSS payload
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload devicetree
Checking if DeviceTree.n88ap already exists
Preparing to fetch firmware image from Apple's servers
Fetching Firmware/all_flash/all_flash.n88ap.production/DeviceTree.n88ap.img3...
[==================================================] 100.0%
Resetting device counters
Uploading DeviceTree.n88ap to device
[==================================================] 100.0%
Preparing to upload ramdisk
[==================================================] 100.0%
Executing ramdisk
libusb:error [darwin_transfer_status] transfer error: timed out
Preparing to upload kernelcache
Checking if kernelcache already exists
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n

-sh-4.0# ./bruteforce                     
IOAESAccelerator returned: e00002c2
FAIL: missing UID kernel patch

Original comment by riccardo...@inverted.ch on 25 Jul 2011 at 4:30

GoogleCodeExporter commented 8 years ago
This is weird, the return code is different: e00002c1 means the kernel patch 
was not applied (kIOReturnNotPrivileged), but e00002c2 is kIOReturnBadArgument.
I assume you compiled the tetheredboot binary from the latest revision; can you 
try removing the following changes (revert the firmware urls back to 4.3.1):
http://code.google.com/p/iphone-dataprotection/source/detail?r=c0d4fd4747bb7db536a92ae5bb6d230ec401505f
Then recompile and remove the previously downloaded devicetree, ibss and 
kernelcache files.

For the payload, you can use the one from the download section, but be aware 
that if the device has iOS >= 4.3.4 installed it won't reboot and you'll have 
to restore. Otherwise, you can compile the latest payload by installing 
arm-elf-gcc from MacPorts.

Original comment by jean.sig...@gmail.com on 26 Jul 2011 at 8:43
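
The two return codes discussed above are Mach/IOKit error values, and the difference between them is the whole diagnostic: the low 14 bits carry the IOKit code, the high bits say which subsystem produced it. The following decoder is an added example for readers of this issue, not code from the iphone-dataprotection project. It assumes the `IOAESAccelerator returned: <hex>` line format quoted in the issue, and the code-to-name table is a hand-copied subset of `IOKit/IOReturn.h`; the sample log lines are constructed.

```python
import re

# Constructed sample lines in the shape of the bruteforce output quoted in this issue.
SAMPLE_LINES = [
    "IOAESAccelerator returned: e00002c1",
    "IOAESAccelerator returned: e00002c2",
    "IOAESAccelerator returned: 0",
]

# Mach error_t layout: 6-bit system | 12-bit subsystem | 14-bit code.
SYS_IOKIT = 0x38          # err_system(0x38) == 0xE0000000, the IOKit system
SUB_IOKIT_COMMON = 0x000  # sub_iokit_common

# Subset of the IOKit common return codes from IOKit/IOReturn.h (low 14 bits only).
IOKIT_COMMON_CODES = {
    0x2bc: "kIOReturnError",
    0x2bd: "kIOReturnNoMemory",
    0x2be: "kIOReturnNoResources",
    0x2bf: "kIOReturnIPCError",
    0x2c0: "kIOReturnNoDevice",
    0x2c1: "kIOReturnNotPrivileged",
    0x2c2: "kIOReturnBadArgument",
    0x2c5: "kIOReturnExclusiveAccess",
    0x2c7: "kIOReturnUnsupported",
    0x2d5: "kIOReturnBusy",
    0x2d6: "kIOReturnTimeout",
    0x2f0: "kIOReturnNotFound",
}

# What each code means in the context of this issue, as explained by the maintainer.
ISSUE_HINTS = {
    "kIOReturnNotPrivileged": "kernel patch not applied (UID key use still restricted)",
    "kIOReturnBadArgument": "kernel patch applied, but the arguments passed to the accelerator are wrong",
}

LINE_RE = re.compile(r"IOAESAccelerator returned:\s*([0-9a-fA-F]+)")


def decode_ioreturn(value):
    """Split an IOReturn value into its Mach fields and name it where known."""
    system = (value >> 26) & 0x3F
    sub = (value >> 14) & 0xFFF
    code = value & 0x3FFF
    if value == 0:
        name = "kIOReturnSuccess"
    elif system == SYS_IOKIT and sub == SUB_IOKIT_COMMON:
        name = IOKIT_COMMON_CODES.get(code, "unknown IOKit common code")
    else:
        name = "not an IOKit common error"
    return {
        "value": value,
        "system": system,
        "sub": sub,
        "code": code,
        "name": name,
        "hint": ISSUE_HINTS.get(name, ""),
    }


def parse_line(line):
    """Decode one 'IOAESAccelerator returned: <hex>' line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return decode_ioreturn(int(m.group(1), 16))


def summarize(lines):
    """Return the decoded name for every matching line, in order."""
    return [r["name"] for r in map(parse_line, lines) if r is not None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_line(line)
        print(f"{line} -> {r['name']} (system=0x{r['system']:02x}, code=0x{r['code']:03x}) {r['hint']}")
```

The decoder only names codes it knows; anything outside the IOKit common subsystem is reported as such rather than guessed, so an unexpected value shows up as a question rather than a wrong answer.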

GoogleCodeExporter commented 8 years ago
I did revert to the old version and replaced the url in libirecovery.h with 
"http://appldnld.apple.com/iPhone4/041-0549.20110325.ZxP8u/iPhone2,1_4.3.1_8G4_Restore.ipsw". 
Afterwards I compiled the lib and tetheredboot again, but it 
still does not work; see the detailed log below. 

./tetheredboot -p payload -r 4.1.ramdisk.dmg 
Initializing libpois0n
No matching processes belonging to you were found
Waiting for device to enter DFU mode
opening device 05ac:1227...
Found device in DFU mode
Checking if device is compatible with this jailbreak
Checking the device type
Identified device as iPhone2,1
Preparing to upload limera1n exploit
Resetting device counters
Sending chunk headers
Sending exploit payload
Sending fake data
libusb:error [darwin_transfer_status] transfer error: timed out
Exploit sent
Reconnecting to device
Waiting 2 seconds for the device to pop up...
opening device 05ac:1227...
Checking if kernelcache already exists
Preparing to upload iBSS
Checking if iBSS.n88ap already exists
Uploading iBSS.n88ap to device
[==================================================] 100.0%
Reconnecting to device
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload iBSS payload
[==================================================] 100.0%
Executing iBSS payload
Waiting 10 seconds for the device to pop up...
opening device 05ac:1281...
Setting to configuration 1
Setting to interface 0:0
Preparing to upload devicetree
Checking if DeviceTree.n88ap already exists
Resetting device counters
Uploading DeviceTree.n88ap to device
[==================================================] 100.0%
Preparing to upload ramdisk
[==================================================] 100.0%
Executing ramdisk
Preparing to upload kernelcache
Checking if kernelcache already exists
Resetting device counters
[==================================================] 100.0%
libusb:error [darwin_transfer_status] transfer error: timed out
Exiting libpois0n

-sh-4.0# ./bruteforce 
IOAESAccelerator returned: e00002c2
FAIL: missing UID kernel patch

Other tetheredboot binaries need the iBSS file etc. from a patched firmware like 
I can build with PwnageTool. Do you patch the iBSS on the fly with the payload 
provided?

Original comment by riccardo...@inverted.ch on 28 Jul 2011 at 8:29

GoogleCodeExporter commented 8 years ago
I have an idea why it may not work. I created the ramdisk slightly differently 
from your approach, because I was not successful with it. I had to replace 
/sbin/reboot with the sshd binary to get it to work; otherwise I did not get any 
connection. Could this be the problem? 

Is your restored_external implementation part of the patching process? When is 
it called and by whom?

I have now generated a ramdisk your way, based on the restore image of the iOS 4.3.3 
ipsw. My iPhone is running 4.3.3 now. The upload of everything works fine, but I 
get stuck on the white screen and I am not able to connect with ITNL.

Original comment by riccardo...@inverted.ch on 28 Jul 2011 at 3:27

GoogleCodeExporter commented 8 years ago
I don't think the issue comes from the ramdisk; the restored_external binary is 
launched at boot and just enables the usb multiplexer, then starts sshd. The 
kernel patching is done by the "cyanide payload", which runs in the 
context of iBSS. Right now I have no idea why you get the error code e00002c2, 
which indicates that the kernel is patched ok but that the arguments are wrong. 
The brute force binary you used was compiled without modifications?

For the white screen, can you try on Windows using the tetheredboot.exe from 
the download section? Also, if you can boot the ramdisk built using 
build_ramdisk.sh, you have to use the usbmux tcprelay script (in the 
usbmuxd-python-client folder) instead of ITNL.

Original comment by jean.sig...@gmail.com on 28 Jul 2011 at 10:41

GoogleCodeExporter commented 8 years ago
Ok, I now have the following test setup:
- iPhone 3GS with 4.3.3 installed
- 4.3.3 ramdisk built with your script. It ran through successfully; all other 
scripts are in place.
- None of your C apps are modified

I booted the ramdisk with a Mac OS X:
./tetheredboot -p payload -r 4.3.3.ramdisk.dmg 
Initializing libpois0n
...

The screen of the iPhone is not white anymore. I get the following console 
output:
> AppleEmbeddedUSBArbitrator::start : finished
> AppleEmbeddedUSBArbitrator::setPowerStateGated : powerstate = 1
> AppleS5L8920XIOPSDIOIopManager::init(): Failed to get AppleS5L8920XARM7M 
after 10 sec

Some research I did with Google says that this is a problem with Greenpois0n 
and that it is not supported with 4.3.1+.

Running the python usbmux is not successful:
.python ../DataProtection/usbmuxd-python-client/tcprelay.py -t 22:2222
> Forwarding local port 2222 to remote port 22
> Incoming connection to 2222
> Waiting for devices...
> No device found

Can you tell me what the screen should look like if the boot of the ramdisk was 
completely successful? I will try the same thing with windows later.

Original comment by riccardo...@inverted.ch on 29 Jul 2011 at 7:42

GoogleCodeExporter commented 8 years ago
It works! I don't know what exactly I changed; maybe it was just trying it 
again and again. But now it works! Thank you very much. It could be possible 
that I did not delete the DeviceTree, iBSS and kernelcache files after I tried 
it with the 4.1 ramdisk.

The DeviceTree, iBSS and kernelcache files the script downloaded, are these the 
original ones from the ipsw or are they patched now?

One last question: do I depend on the installed iOS version on the iPhone? Or 
should my 4.3.3 ramdisk work with every iPhone 3GS on <= 4.3.3?

Thank you !

Original comment by riccardo...@inverted.ch on 29 Jul 2011 at 7:59

GoogleCodeExporter commented 8 years ago
The DeviceTree, iBSS and kernelcache files are the original ones; iBSS and 
kernelcache are patched on the fly on the device. It should work regardless of 
the installed iOS version on the device, but if iOS >= 4.3.4 is installed make 
sure to recompile the cyanide payload from the latest revision (and do not use 
the one from the downloads section), because of a change introduced in 4.3.4 
(see issue 19).

Original comment by jean.sig...@gmail.com on 29 Jul 2011 at 8:08

GoogleCodeExporter commented 8 years ago
Alright, thank you very much. I used a 4.3.3 ramdisk on the iPhone 4. Everything 
worked very well (congrats on this! really good tools!), but now I am not able 
to get it back from recovery mode ;) not even with irecovery or 
TinyUmbrella. I thought this only happens with 4.3.4?

Original comment by riccardo...@inverted.ch on 29 Jul 2011 at 2:17

GoogleCodeExporter commented 8 years ago
Could you post the error messages displayed in irecovery?

Original comment by jean.sig...@gmail.com on 30 Jul 2011 at 12:44