combsjy / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

Cannot patch iOS 4.1 kernel for iPhone 3GS #60

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
$ python kernel_patcher.py ~/Downloads/iPhone2,1_4.1_8B117_Restore.ipsw 
Decrypting kernelcache.release.n88
Unpacking ...
Using iOS 4 kernel patches
Doing CSED patch
Doing getxattr system patch
Doing AMFI patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing NAND_epoch patch
=> FAIL, count=0, do not boot that kernel it wont work
Doing _PE_i_can_has_debugger patch
Doing IOAESAccelerator enable UID patch
Patched kernel written to kernelcache.release.n88.patched
Created script make_ramdisk_n88ap.sh, you can use it to (re)build the ramdisk

Original issue reported on code.google.com by fraser.s...@gmail.com on 17 Jun 2012 at 9:21
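The two "FAIL, count=0" lines in the output above come from a signature-style patcher: each patch searches the decrypted kernel image for a version-specific byte pattern and reports how many times it was found. The following is an added illustration of that match-count check, written here for this thread and not taken from iphone-dataprotection; the "kernel" buffer, the patch names and every byte pattern in it are constructed placeholders, not real kernel signatures.

```python
# Added illustration (not iphone-dataprotection's own code) of the match-count
# check behind a "=> FAIL, count=0" line. A signature-based patcher must refuse
# to write a patch when its pattern is absent (count=0: wrong firmware build or
# already-patched image) or ambiguous (count>1: signature too short to identify
# one site). All byte patterns and the fake kernel below are constructed.


def find_all(buf, pattern):
    """Return every offset at which `pattern` occurs in `buf` (overlaps allowed)."""
    offsets = []
    start = 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def apply_patch(buf, name, pattern, replacement):
    """Replace `pattern` with `replacement` in place only when the match is unique.

    Returns (applied, count). The patch never changes the image length, so the
    replacement must be exactly as long as the pattern it overwrites.
    """
    if len(pattern) != len(replacement):
        raise ValueError(f"{name}: replacement must be the same length as pattern")
    print(f"Doing {name} patch")
    matches = find_all(bytes(buf), pattern)
    count = len(matches)
    if count != 1:
        # Same wording as the tool output in the issue: a kernel with an
        # unapplied patch is not safe to boot for the intended purpose.
        print(f"=> FAIL, count={count}, do not boot that kernel it wont work")
        return False, count
    off = matches[0]
    buf[off:off + len(replacement)] = replacement
    return True, count


def patch_kernel(image, patches):
    """Apply every (name, pattern, replacement) triple; return image, results, boot_safe."""
    buf = bytearray(image)
    results = {}
    for name, pattern, replacement in patches:
        results[name] = apply_patch(buf, name, pattern, replacement)
    # Only report the image as usable when every patch applied exactly once.
    boot_safe = all(applied for applied, _ in results.values())
    return bytes(buf), results, boot_safe


# Constructed stand-in for a decrypted kernelcache: zero filler with one
# recognizable 4-byte site embedded at offset 64. Not a real kernel image.
FAKE_KERNEL = bytes(64) + b"\xDE\xAD\xBE\xEF" + bytes(64)

# Constructed patch table (names and bytes are placeholders, not real signatures).
# "present_site" matches once; "missing_site" matches nowhere, producing count=0.
EXAMPLE_PATCHES = [
    ("present_site", b"\xDE\xAD\xBE\xEF", b"\x00\x00\xA0\xE3"),
    ("missing_site", b"\x12\x34\x56\x78", b"\x00\x00\xA0\xE3"),
]


if __name__ == "__main__":
    patched, results, boot_safe = patch_kernel(FAKE_KERNEL, EXAMPLE_PATCHES)
    print("results:", results, "boot_safe:", boot_safe)
```

The practical reading of the original output is therefore that the AMFI and NAND_epoch signatures in the patcher were written for a different kernel build than the 4.1 8B117 one being fed to it, which is exactly why the next reply suggests using the iOS 5.0 ipsw the patches were matched against.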

GoogleCodeExporter commented 9 years ago
You can use the iOS 5.0 ipsw, even if the device runs iOS 4.1. Or are you 
trying to use the NAND epoch fix?

Original comment by jean.sig...@gmail.com on 18 Jun 2012 at 12:30

GoogleCodeExporter commented 9 years ago
Ah, does that apply to 4.x > 4.1? For example, I constantly get "exploit 
failed" from redsn0w without any useful output (screen on device is just grey). 
Except, once when using the 4.3.3 ipsw I got a load of textual output on the device 
and it then rebooted out of DFU mode into the device OS. Haven't managed to 
reproduce that again. Could that have been a legitimately successful exploit 
where the payload didn't run correctly? (I'm using bruteforce as per chapter 5 
of "Hacking and Securing iOS Applications".)

Original comment by fraser.s...@gmail.com on 18 Jun 2012 at 1:01

GoogleCodeExporter commented 9 years ago
Yes, just use the latest redsn0w and iOS 5.0 ipsw, regardless of the installed 
iOS version. For redsn0w errors, avoid running it in a virtual machine, or on 
Windows maybe running as administrator can help. Not sure about payloads from 
the book, but the device should not reboot; once the ramdisk is booted you 
should see "OK" in ASCII on screen.

Original comment by jean.sig...@gmail.com on 18 Jun 2012 at 1:04

GoogleCodeExporter commented 9 years ago
OK, thanks. I'll try the 5.0 ipsw and, instead of trying to deliver a compiled 
bruteforce payload directly, I'll use the instructions in the README here (sh 
./make_ramdisk_n88ap.sh, python python_scripts/demo_bruteforce.py, then 
./dump_data_partition.sh).

Original comment by fraser.s...@gmail.com on 18 Jun 2012 at 1:29

GoogleCodeExporter commented 9 years ago
Hmm, just tried again. No luck.

./redsn0w_mac_0.9.12b2/redsn0w.app/Contents/MacOS/redsn0w -i 
~/Downloads/iPhone2,1_5.0_9A334_Restore.ipsw -r 018-7919-343.dmg -k 
kernelcache.release.n88.patched -a '-v'

results in "exploit failed" and no text on the device whatsoever.

I am using Snow Leopard and the 4.3 SDKs (that came with an old version of Xcode I 
could only seem to get for this OS).

Any other hints for things I could try?

Original comment by fraser.s...@gmail.com on 18 Jun 2012 at 11:11

GoogleCodeExporter commented 9 years ago
Maybe try on a Windows computer?

Original comment by jean.sig...@gmail.com on 19 Jun 2012 at 3:16

GoogleCodeExporter commented 9 years ago
Closing old issues.

Original comment by jean.sig...@gmail.com on 11 Feb 2014 at 10:38