grue0 / iphone-dataprotection

Automatically exported from code.google.com/p/iphone-dataprotection

iPhone 3GS w/ iOS 6.0 kernel patch fails #142

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. uncomment iPhone 3GS iOS6 version in build.py and comment iPhone 3GS iOS 5 version
2. run build.py
3. kernel patching fails on PE_i_can_has_debugger

The patch is as follows (from kernel_patcher.py):

"_PE_i_can_has_debugger" : (h("80 B1 43 F2 BE 01 C0 F2"), h("01 20 70 47 BE 01 C0 F2")),

This patch looks for (manual disassembly, might be wrong):

B180 CBZ R0,<offset 16>
F243BEF2 MOV R1,<offset 0x18BE>
F2C0???? <32-bit Thumb-2 instruction>

On iPhone 3GS, the offset is incorrect; the sequence is not found, so kernel patching fails.

However, since the first four bytes only are patched, we can try this:

"_PE_i_can_has_debugger" : (h("80 B1 43 F2"), h("BE 01 C0 F2")),

This only has one occurrence in the iPhone 3GS iOS6 kernel.  Patching succeeds, and I was able to boot the device with the ramdisk and extract the disk image and everything else.

However, on the iPhone 4 iOS6 kernel, there are 2 occurrences of this sequence, so some mechanism is needed to handle both cases in the Python code.  A workaround is to patch the script manually when using this phone.

Original issue reported on code.google.com by ed...@tinyted.net on 11 Jun 2014 at 11:30

GoogleCodeExporter commented 8 years ago
Sorry, it should be this to patch iPhone 3GS:

"_PE_i_can_has_debugger" : (h("80 B1 43 F2"), h("01 20 70 47")),

Original comment by ed...@tinyted.net on 11 Jun 2014 at 11:31
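The uniqueness problem raised in both comments above (a shorter fallback pattern that occurs once in the 3GS kernel but twice in the iPhone 4 kernel), as an added example that is not part of this issue or of kernel_patcher.py: an ordered candidate table, most specific pattern first, where a candidate is applied only when it occurs exactly once and an ambiguous hit aborts instead of patching an unrelated site. The h() helper, the PATCHES layout and the three sample images are assumptions constructed here, not real kernel data.

```python
import re

def h(s):
    # Same convention as the h() helper used in the issue: hex string with spaces -> bytes
    return bytes.fromhex(s.replace(" ", ""))

# Constructed candidate table (assumption, not the project's own): tried in order,
# most specific first. A replacement overwrites only its own length, so the
# 4-byte fallback changes the same leading bytes as the 8-byte original.
# "01 20 70 47" is Thumb MOVS R0,#1 ; BX LR, i.e. the function returns 1.
PATCHES = {
    "_PE_i_can_has_debugger": [
        (h("80 B1 43 F2 BE 01 C0 F2"), h("01 20 70 47 BE 01 C0 F2")),  # original pattern
        (h("80 B1 43 F2"),             h("01 20 70 47")),              # 3GS fallback
    ],
}

def find_all(image, needle):
    """All offsets at which the byte sequence occurs (non-overlapping)."""
    return [m.start() for m in re.finditer(re.escape(needle), image)]

def apply_patch(image, name, candidates):
    """Return (patched_image, offset, candidate_index).

    Zero hits: fall through to the next, less specific candidate.
    Exactly one hit: patch it. More than one hit: refuse, because a short
    pattern that also matches another site (the iPhone 4 case) must not be
    applied blindly."""
    for idx, (search, replace) in enumerate(candidates):
        hits = find_all(image, search)
        if len(hits) > 1:
            sites = ", ".join(hex(o) for o in hits)
            raise ValueError(f"{name}: candidate {idx} is ambiguous ({len(hits)} hits at {sites})")
        if len(hits) == 1:
            off = hits[0]
            out = bytearray(image)
            out[off:off + len(replace)] = replace
            return bytes(out), off, idx
    raise ValueError(f"{name}: no candidate pattern found")

# Constructed sample "kernels": padding around the patterns, not real images.
IMG_3GS = b"\x00" * 16 + h("80 B1 43 F2 11 22 33 44") + b"\xff" * 16   # long pattern absent
IMG_IP4 = (b"\x00" * 8 + h("80 B1 43 F2 BE 01 C0 F2") + b"\x00" * 8
           + h("80 B1 43 F2 55 66 77 88"))                            # short pattern twice
IMG_BAD = b"\x00" * 8 + h("80 B1 43 F2 11 22 33 44") + h("80 B1 43 F2 55 66 77 88")

if __name__ == "__main__":
    for label, img in (("3GS", IMG_3GS), ("iPhone 4", IMG_IP4), ("ambiguous", IMG_BAD)):
        try:
            _, off, idx = apply_patch(img, "_PE_i_can_has_debugger", PATCHES["_PE_i_can_has_debugger"])
            print(f"{label}: patched at {off:#x} using candidate {idx}")
        except ValueError as e:
            print(f"{label}: refused: {e}")
```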