axi0mX / ipwndfu

open-source jailbreaking tool for many iOS devices
GNU General Public License v3.0

How to find offsets? #119

Open TheRasPiGuy opened 5 years ago

TheRasPiGuy commented 5 years ago

Wanted to mess around with my old SE, was bummed when the SoC wasn't supported. How can I find the offsets for s8003?

manizzle commented 5 years ago

Same, Bump.

Benfxmth commented 5 years ago

You would need a SecureROM dump, and I don't know how it is dumped to find offsets when the device is not exploited.

JujharSingh commented 5 years ago

Duplicate of #71

manizzle commented 5 years ago

I think you can dump the SecureROM with a kernel exploit.

```c
id hook() {
    IOLog("p0sixninja is in da house!!\n");
    // describe 0x40 bytes of physical memory at 0xBF000200
    void* mem = IOMemoryDescriptor(0xBF000200, 0x40, 3);
    IOLog("mem = 0x%08x\n", mem);
    // map that descriptor into the kernel's address space
    void* map = IOMemoryDescriptor_map(mem, 3);
    IOLog("map = 0x%08x\n", map);
    // get the virtual address of the mapping and dump its contents
    unsigned int* va = IOMemoryMap_getVirtualAddress(map);
    IOLog("va = 0x%08x\n", va);
    IOHexdump(va, 0x40);
}
```

something like this

N00byEdge commented 5 years ago

@manizzle Kernel exploit? Which kernel? Once the SecureROM has finished, it has already unmapped itself and it should not be accessible from the application processor.

manizzle commented 5 years ago

Maybe things have changed since p0sixninja last looked at this stuff? How do you know it's been unmapped?

N00byEdge commented 5 years ago

@manizzle

Sorry, I'm not basing this on any facts, just experience. If the SecureROM has the ability to unmap itself, why wouldn't it? If it didn't, wouldn't all the bootroms of all jailbreakable devices already be leaked, since then it could be extracted using any rooted device? I too am trying my best to acquire bootroms for more devices, but I don't think it will be that simple.

EWouters commented 5 years ago

Decap the bootrom chips?

N00byEdge commented 5 years ago

@EWouters Sounds like a really good idea until you realize the bootrom is in the SoC (System on Chip).

EWouters commented 5 years ago

Not familiar with the added problems of the bootrom being part of a SoC. However hardware exploits should not be discarded in this, they have proven essential in early jailbreaks.

manizzle commented 5 years ago

> @manizzle
>
> Sorry, I'm not basing this on any facts, just experience. If the SecureROM has the ability to unmap itself, why wouldn't it? If it didn't, wouldn't all the bootroms of all jailbreakable devices already be leaked, since then it could be extracted using any rooted device? I too am trying my best to acquire bootroms for more devices, but I don't think it will be that simple.

It's worth a shot.