hack-different / ipwndfu

Fork of axi0mX's open-source jailbreaking tool for many iOS devices for integration
GNU General Public License v3.0

Universal `sigcheck` patch #4

Closed P5-2005 closed 2 years ago

P5-2005 commented 2 years ago

Tried on S0 (Watch 1st gen):

https://github.com/a1exdandy/checkwatch

Tried on A9 rmsigchecks:

https://github.com/exploit3dguy/ipwndfu/blob/d2921c2b5a7fef5c027d8837921b064587d43402/ipwndfu#L101

rickmark commented 2 years ago

Sorry, those links are to a different branch. Have those been integrated?

Cryptiiiic commented 2 years ago

I can work on a universal sigcheck patch for all SoCs.

Cryptiiiic commented 2 years ago

Offsets and patches are found; next is to figure out heap repair and ttbr0 permission for all SoCs.

--------------------------------------------------------------------------------------------
s5l8940xsi-iBoot-838.3:
0x4C0C: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8942xsi-iBoot-UNK:
0x4B18: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8945xsi-iBoot-1062.2:
0x4A58: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8947xsi-iBoot-1413.8:
0x451E: MOV R0, R5(2846) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8947xsi-iBoot-1458.2:
0x4950: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8950xsi-iBoot-1145.3:
0x4D28: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8955xsi-iBoot-1145.3.3:
0x4D28: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s7002-iBoot-2098.0.0.2.4:
0x3DEC: ITTTT EQ(01BF) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
t7002-iBoot-2651.0.0.1.31:
0x4452: ITTTT EQ(01BF) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
t8004-iBoot-2651.0.0.3.3:
0x4452: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
--------------------------------------------------------------------------------------------
s5l8960x-iBoot-1585.4:
0x100005BE8: B.NE loc_100005C04(E1000054) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s5l8960x-iBoot-1704.10:
0x100005CE0: B.NE loc_100005CFC(E1000054) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t7000-iBoot-1873.0.0.1.19:
0x100007DE8: B.NE loc_100007F4C(210B0054) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t7000-iBoot-1992.0.0.1.19:
0x100007E98: B.NE loc_100008008(810B0054) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t7001-iBoot-1991.0.0.2.16:
0x10000AD04: B.NE loc_30000AE74(810B0054) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s8000-iBoot-2234.0.0.2.22:
0x10000812C: CBNZ X8, loc_100008144(C80000B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s8000-iBoot-2234.0.0.3.3:
0x10000812C: CBNZ X8, loc_100008144(C80000B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s8003-iBoot-2234.0.0.2.22:
0x10000812C: CBNZ X8, loc_100008144(C80000B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s8001-iBoot-2481.0.0.1.6:
0x10000761C: CBNZ X8, loc_100007638(E80000B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
s8001-iBoot-2481.0.0.2.1:
0x100007668: CBNZ X8, loc_100007684(E80000B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t8010-iBoot-2696.0.0.1.33:
0x1000074AC: CBNZ X8, loc_10000626C(080100B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t8011-iBoot-3135.0.0.1.12:
0x10000762C: CBNZ X8, loc_100007680(A80200B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t8011-iBoot-3135.0.0.2.3:
0x100007630: CBNZ X8, loc_100007684(A80200B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t8012-iBoot-3401.0.0.1.16:
0x100004854:  CBNZ X8, loc_100004874(080100B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
t8015-iBoot-3332.0.0.1.23:
0x10000624C:  CBNZ X8, loc_10000626C(080100B5) -> MOV x0, #0x0(000080D2)
--------------------------------------------------------------------------------------------
rickmark commented 2 years ago

Suppose step one is to encode that into the SoC configuration
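Before encoding a table like the one above into per-SoC configuration, it is worth checking that the entries are internally consistent: that the replacement bytes really are `MOVS R0, #0` (Thumb, `00 20`) or `MOV X0, #0` (AArch64, `00 00 80 D2`) of the same width as the instruction they replace, and that the branch offset encoded in the original `B.NE`/`CBNZ` word actually lands on the `loc_` label quoted in the entry. The following checker is an added example written for this thread, not code from ipwndfu; it parses the thread's own line format and embeds three entries from the table as a constructed sample.

```python
import re

# Constructed sample in the thread's own format (three entries copied from the table above).
SAMPLE = """\
s5l8940xsi-iBoot-838.3:
0x4C0C: MOV R0, R4(2046) -> MOVS R0, #0x0(0020)
s5l8960x-iBoot-1585.4:
0x100005BE8: B.NE loc_100005C04(E1000054) -> MOV x0, #0x0(000080D2)
s8000-iBoot-2234.0.0.2.22:
0x10000812C: CBNZ X8, loc_100008144(C80000B5) -> MOV x0, #0x0(000080D2)
"""

# "0xADDR: <orig mnemonic>(<orig bytes>) -> <new mnemonic>(<new bytes>)"
ENTRY = re.compile(r"^(0x[0-9A-Fa-f]+):\s+(.+?)\(([0-9A-Fa-f]+)\)\s*->\s*(.+?)\(([0-9A-Fa-f]+)\)$")
TARGET = re.compile(r"loc_([0-9A-Fa-f]+)")

def parse(text):
    """Return {build: [(addr, orig_mnem, orig_bytes, new_mnem, new_bytes), ...]}."""
    entries, build = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):
            continue                      # blank or "-----" separator
        if line.endswith(":") and not line.startswith("0x"):
            build = line[:-1]             # e.g. "t8015-iBoot-3332.0.0.1.23"
            entries[build] = []
            continue
        m = ENTRY.match(line)
        if not m or build is None:
            raise ValueError("unparseable line: " + line)
        addr, omn, ohex, nmn, nhex = m.groups()
        entries[build].append((int(addr, 16), omn.strip(), bytes.fromhex(ohex),
                               nmn.strip(), bytes.fromhex(nhex)))
    return entries

def branch_target(addr, word):
    """Target of an AArch64 B.cond or CBZ/CBNZ instruction word (little-endian bytes)."""
    w = int.from_bytes(word, "little")
    is_bcond = (w & 0xFF000010) == 0x54000000     # 0101010x ... bit4 = 0
    is_cbnz = (w & 0x7F000000) == 0x35000000      # x0110101 (sf bit ignored)
    if not (is_bcond or is_cbnz):
        return None
    imm19 = (w >> 5) & 0x7FFFF
    if imm19 & 0x40000:
        imm19 -= 0x80000                          # sign-extend the 19-bit field
    return addr + imm19 * 4

def check(entries):
    """List (build, addr, reason) for every entry that fails a consistency check."""
    problems = []
    for build, rows in entries.items():
        for addr, omn, ob, nmn, nb in rows:
            arm64 = len(ob) == 4
            expect_new = b"\x00\x00\x80\xd2" if arm64 else b"\x00\x20"
            if nb != expect_new:
                problems.append((build, addr, "replacement is not MOV x0/R0, #0 of the same width"))
            t = TARGET.search(omn)
            if arm64 and t and branch_target(addr, ob) != int(t.group(1), 16):
                problems.append((build, addr, "encoded branch offset disagrees with loc_ label"))
    return problems
```

Running `check(parse(...))` over the full table above flags any entry whose quoted `loc_` label does not match the offset encoded in the original bytes, which is the kind of transcription slip that would otherwise be carried into a configuration file.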

P5-2005 commented 2 years ago

> Offsets and patches are found; next is to figure out heap repair and ttbr0 permission for all SoCs.

I think this one from john: https://github.com/NyanSatan/checkm8_bootkit has it for some SoCs.

Cryptiiiic commented 2 years ago

@P5-2005 these are all the SoCs, we don't need more.

P5-2005 commented 2 years ago

> @P5-2005 these are all the SoCs, we don't need more.

I was referring to this:

> heap repair and ttbr0 permission

asdfugil commented 2 years ago

> @P5-2005 these are all the SoCs, we don't need more.

...Except that it is not all. s5l8747xsi-iBoot-1413.8 is missing.

github-actions[bot] commented 2 years ago

Stale issue message